Re: Compiler error on 3.4. Mac Mojave (3.3.2)

2018-11-28 Thread Robert Chalmers


1 more error.

This error persists across 3.3.1, 3.3.2, and now 3.4. Obviously I'm doing 
something wrong but can't find what it is about the Berkeley db thing.

dict_db.c:768:2: error: "Unsupported Berkeley DB version"
#error "Unsupported Berkeley DB version"
 ^
1 error generated.
make: *** [dict_db.o] Error 1
make: *** [update] Error 1
make: *** [update] Error 2

The only way I could get past it was with the CCARGS='-DNO_DB' switch. Kind of 
defeats my needs, because I use hash tables.

If I point to /usr/local/opt/berkeley-db@18/ for example, it still breaks. 
That's the latest available Berkeley-db


This build script…
set -- '-DUSE_TLS -I/usr/local/Cellar/openssl@1.1/1.1.1/include'
set -- "$@" '-I/usr/local/opt/icu4c/include'
set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql'
set -- "$@" '-DHAS_PCRE -I/usr/local/include'
set -- "$@" '-DUSE_SASL_AUTH -DUSE_CYRUS_SASL 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" 
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl'
CCARGS="$@"

set -- '-lsasl2'
set -- "$@" '-L/usr/local/Cellar/openssl@1.1/1.1.1/lib -lssl -lcrypto'
set -- "$@" '-L/usr/local/lib -ldb'
set -- "$@" '-L/usr/lib -lsasl2'
set -- "$@" '-L/usr/local/opt/icu4c/lib -licuuc'
set -- "$@" '-L/usr/local/opt/berkeley-db@18/lib -ldb'
AUXLIBS="$@"


make -f Makefile.init shared=yes dynamicmaps=yes \
   config_directory=/usr/local/etc/postfix \
   command_directory=/usr/local/sbin \
   daemon_directory=/usr/local/libexec/postfix \
   queue_directory=/var/spool/postfix \
   data_directory=/var/lib/postfix \
   html_directory=/usr/share/doc/postfix/html \
   manpage_directory=/usr/local/man \
   readme_directory=/usr/share/doc/postfix \
   mailq_path=/usr/local/bin/mailq \
   newaliases_path=/usr/local/bin/newaliases \
   sendmail_path=/usr/local/sbin/sendmail \
   "CCARGS=${CCARGS}" \
   "AUXLIBS=${AUXLIBS}" \
   'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' \
   'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'

Any ideas where to turn...


> On 27 Nov 2018, at 19:25, Wietse Venema  wrote:
> 
> rachalmers:
>> I'm now trying 3.3.2 and running into a mess of compile errors again.
>> 
>> Firstly -
>> Had to add this patch; referenced elsewhere, but known about.
>> src/global/dict_mysql.c (postfix 3.2.0-5, 3.3.0 and current) to allow
>> build against MySQL 8.x
>> 
>> Then had to add this define to dict_mysql.c
>> 
>> #define MYSQL_OPT_SSL_VERIFY_SERVER_CERT 0
>> 
>> Because the compiler was complaining that it wasn't declared. Compiles fine
> 
> This is what we have in Postfix 3.4 development release:
> 
> /* MySQL 8.x API change */
> 
> #if defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50023
> #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_VERIFY_SERVER_CERT
> #elif MYSQL_VERSION_ID >= 8
> #define DICT_MYSQL_SSL_VERIFY_SERVER_CERT MYSQL_OPT_SSL_MODE
> #endif
> 
>   Wietse

Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers



Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Matus UHLAR - fantomas

On 27.11.18 10:52, Asai wrote:

With Mozilla recently dropping support for all Symantec certs, our security
cert now throws errors on Thunderbird clients.  We’d like to install
certbot on Centos 6, but I’m not sure if it’s going to interfere with
Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
this?


I have no problem with Let's Encrypt certificates and postfix/whatever.
I'm just not sure if iphones have the root CA (DST Root CA X3) installed -
just yesterday noticed a complaint.

But I prefer dehydrated over bloated certbot.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.


Re: hostnames in postscreen_access_list

2018-11-28 Thread Matus UHLAR - fantomas

On 27.11.18 21:48, John Fawcett wrote:

The reason the ip changes frequently is because it's an xDSL line with a
dynamic ip. Some devices on the network need to send emails to my mail
server which can go out over this connection. My ISP correctly lists the
dynamic ips in PBL. I use zen.spamhaus.org list on my mail server which
includes PBL so I am blacklisting email arriving from the xDSL line. I
wanted to make an exception by whitelisting my own ips. For my fixed ips
there is no problem I just list them in an access file. For my dynamic
ip I could not do that easily. I could just use the email relay of my
ISP on these devices, but the thing is they don't use the xDSL
exclusively. Therefore the only solution I see is to use an
authenticated connection to the mail server.


Connection to alternative ports where authentication is required and
postscreen and blacklists are not used is exactly what is needed in these
cases. Those ports were even designed for this purpose...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
  One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 


Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Doug Hardie
> On 28 November 2018, at 01:03, Matus UHLAR - fantomas  
> wrote:
> 
> On 27.11.18 10:52, Asai wrote:
>> With Mozilla recently dropping support for all Symantec certs, our security
>> cert now throws errors on Thunderbird clients.  We’d like to install
>> certbot on Centos 6, but I’m not sure if it’s going to interfere with
>> Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
>> this?
> 
> I have no problem with Let's Encrypt certificates and postfix/whatever.
> I'm just not sure if iphones have the root CA (DST Root CA X3) installed -
> just yesterday noticed a complaint.
> 

The latest version of iOS has the proper root certificate.  I am using Let's 
Encrypt certificates for dovecot and postfix.  I access and send mail 
frequently using an iPhone and iPad.

If you are dealing with an older version, the user can accept the certificate 
and that will also work.



Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread James Brown
I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 
3.3.2 but it always ends with:

cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
-I/usr/local/opt//include -DHAS_SSL 
-I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
-I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
-DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment  -g -O -I. -I../../include -DMACOSX -c abounce.c
In file included from abounce.c:187:
./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
#include <openssl/opensslv.h>	/* OPENSSL_VERSION_NUMBER */
 ^~~~
1 error generated.
make: *** [abounce.o] Error 1

opensslv.h is at:

$ locate opensslv.h
/usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
/usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
/usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h

My Make script is:

$ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -lssl -lcrypto -L/usr/local/opt/mysql@5.7/lib \
-lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail

I’ve change the DHAS_SSL a few times but keep getting the exact same error. I’m 
sure it’s a simple thing to fix, but can’t get it to work.

Any ideas?

Thanks,

James.

Re: a lot of spam or something?

2018-11-28 Thread Matus UHLAR - fantomas

On 26.11.18 08:11, Poliman - Serwis wrote:

I have found some useful commands:
mailq
postcat -q 

Using second one I examined one of suspicious messages and what I got:
www-d...@allegro.pl sends email with information about some payment


a spam probably...


and
this mail is probably redirected or something to another mailbox.


user setting probably


Redirection to private mailbox set by user on my server. But - probably -
there is some missing or wrong letter in mailbox name so all bounced emails
stuck in queue with error:
Diagnostic-Code: smtp; 511 sorry, no mailbox here by that name / skrzynka
pocztowa odbiorcy nie istnieje (#5.1.1 - vuser)
And these origins from my server, from mailer daemon. I am not 100% sure I
understood properly whole log about specific message but if you would like
to help I can paste headers.


pastebin probably, if the error message itself does not explain what's
happening.

I guess you got all you really need to handle the problem.
- fix invalid forward/redirect

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are


Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread Herbert J. Skuhra
On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
> I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 
> 3.3.2 but it always ends with:
> 
> cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
> -I/usr/local/opt//include -DHAS_SSL 
> -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
> -DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
> -Wno-comment  -g -O -I. -I../../include -DMACOSX -c abounce.c
> In file included from abounce.c:187:
> ./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
> #include <openssl/opensslv.h>	/* OPENSSL_VERSION_NUMBER */
>  ^~~~
> 1 error generated.
> make: *** [abounce.o] Error 1
> 
> opensslv.h is at:
> 
> $ locate opensslv.h
> /usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
> /usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
> /usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
> /usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h
> 
> My Make script is:
> 
> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
> -DHAS_PCRE -I/usr/local/opt//include \
> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
> -L/usr/local/opt/mysql@5.7/lib \
> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail
> 
> I’ve change the DHAS_SSL a few times but keep getting the exact same error. 
> I’m sure it’s a simple thing to fix, but can’t get it to work.
> 
> Any ideas?

Have you really tried -I/usr/local/Cellar/openssl@1.1/1.1.1/include/ ?
The build log shows -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl.

And why do you have multiple versions of openssl (1.0.2p vs 1.0.2q and
1.1.1 vs. 1.1.1a) installed?

-- 
Herbert


Relay access denied

2018-11-28 Thread wp.rauchholz
All googling has not helped. I hope to find the solution here.
Thanks in advance for your help.

Wolfgang

* Background:
Getting error message: Relay access denied
The following command works fine: telnet localhost 25
The following command creates the above mentioned error message when entering
"rcpt to: email_address"

* Setup:
CENTOS 7.5 home server. Letsencrypt certificates
postfix-2.10.1-6.el7.x86_64


* Maillog:
Nov 28 12:22:15 home postfix/smtpd[12253]: disconnect from
localhost[127.0.0.1]
Nov 28 12:22:20 home postfix/smtps/smtpd[12360]: connect from
localhost[127.0.0.1]
Nov 28 12:22:40 home postfix/smtps/smtpd[12360]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 554 5.7.1 : Relay access
denied; from= to=
proto=SMTP

* ehlo localhost
[root@home postfix]# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host ESMTP Sendmail 2.1
ehlo localhost
250-home.wo-lar.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


* postconf -n
content_filter = amavisfeed:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = 
myhostname = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_use_tls = yes
smtpd_banner = host ESMTP Sendmail 2.1
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live//fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live//privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist =
ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:AES128+EECDH:AES128+EDH
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread James Brown
> On 28 Nov 2018, at 10:38 pm, Herbert J. Skuhra  > wrote:
> 
> On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
>> I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 
>> 3.3.2 but it always ends with:
>> 
>> cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
>> -I/usr/local/opt//include -DHAS_SSL 
>> -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
>> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
>> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
>> -DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM 
>> -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
>> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
>> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
>> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
>> -Wno-comment  -g -O -I. -I../../include -DMACOSX -c abounce.c
>> In file included from abounce.c:187:
>> ./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
>> #include <openssl/opensslv.h>	/* OPENSSL_VERSION_NUMBER */
>> ^~~~
>> 1 error generated.
>> make: *** [abounce.o] Error 1
>> 
>> opensslv.h is at:
>> 
>> $ locate opensslv.h
>> /usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
>> /usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
>> /usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
>> /usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h
>> 
>> My Make script is:
>> 
>> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
>> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
>> -DHAS_PCRE -I/usr/local/opt//include \
>> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
>> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
>> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
>> -L/usr/local/opt/mysql@5.7/lib \
>> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
>> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail
>> 
>> I’ve change the DHAS_SSL a few times but keep getting the exact same error. 
>> I’m sure it’s a simple thing to fix, but can’t get it to work.
>> 
>> Any ideas?
> 
> Have you really tried -I/usr/local/Cellar/openssl@1.1/1.1.1/include/ ?
> The build log shows -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl.
> 
> And why do you have multiple versions of openssl (1.0.2p vs 1.0.2q and
> 1.1.1 vs. 1.1.1a) installed?

Thanks Herbert.

Well, I thought that’s what I was using, but I’ve tried so many variations. 
Removed the ‘/openssl’ and now I get:

c/postfix\" -DHAS_PCRE -I/usr/local/opt//include -DHAS_SSL 
-I/usr/local/Cellar/openssl@1.1/1.1.1/include -DHAS_MYSQL 
-I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
-DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment -g -O -I. -I../../include -DMACOSX  -o master master.o 
master_conf.o master_ent.o master_sig.o master_avail.o master_spawn.o 
master_service.o master_status.o master_listen.o master_vars.o master_wakeup.o 
master_watch.o master_flow.o master_monitor.o ../../lib/libglobal.a 
../../lib/libutil.a -L/usr/local/lib -lpcre -lssl -lcrypto 
-L/usr/local/opt/mysql@5.7/lib -lmysqlclient -lz -lm -flat_namespace -lresolv 
ld: library not found for -lssl
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [master] Error 1

Homebrew installed openssl 1.0.2 when I installed either stunnel or MySQL@5.7 
as Homebrew won’t let me uninstall that version as they are using it. Suppose 
I’ll have to work out how to have Homebrew install them with OpenSSL@1.1.1 
somehow.

James.

Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread Herbert J. Skuhra
On Wed, Nov 28, 2018 at 11:00:33PM +1100, James Brown wrote:
> > On 28 Nov 2018, at 10:38 pm, Herbert J. Skuhra wrote:
> > 
> > On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
> >> I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install 
> >> Postfix 3.3.2 but it always ends with:
> >> 
> >> cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
> >> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
> >> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
> >> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
> >> -I/usr/local/opt//include -DHAS_SSL 
> >> -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
> >> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
> >> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
> >> -DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM 
> >> -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
> >> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
> >> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
> >> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
> >> -Wno-comment  -g -O -I. -I../../include -DMACOSX -c abounce.c
> >> In file included from abounce.c:187:
> >> ./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
> >> #include <openssl/opensslv.h>	/* OPENSSL_VERSION_NUMBER */
> >> ^~~~
> >> 1 error generated.
> >> make: *** [abounce.o] Error 1
> >> 
> >> opensslv.h is at:
> >> 
> >> $ locate opensslv.h
> >> /usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
> >> /usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
> >> /usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
> >> /usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h
> >> 
> >> My Make script is:
> >> 
> >> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
> >> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
> >> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
> >> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
> >> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
> >> -DHAS_PCRE -I/usr/local/opt//include \
> >> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
> >> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
> >> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
> >> -L/usr/local/opt/mysql@5.7/lib \
> >> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
> >> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail
> >> 
> >> I’ve change the DHAS_SSL a few times but keep getting the exact same 
> >> error. I’m sure it’s a simple thing to fix, but can’t get it to work.
> >> 
> >> Any ideas?
> > 
> > Have you really tried -I/usr/local/Cellar/openssl@1.1/1.1.1/include/ ?
> > The build log shows -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl.
> > 
> > And why do you have multiple versions of openssl (1.0.2p vs 1.0.2q and
> > 1.1.1 vs. 1.1.1a) installed?
> 
> Thanks Herbert.
> 
> Well, I thought that’s what I was using, but I’ve tried so many variations. 
> Removed the ‘/openssl’ and now I get:
> 
> c/postfix\" -DHAS_PCRE -I/usr/local/opt//include -DHAS_SSL 
> -I/usr/local/Cellar/openssl@1.1/1.1.1/include -DHAS_MYSQL 
> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
> -DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
> -Wno-comment -g -O -I. -I../../include -DMACOSX  -o master master.o 
> master_conf.o master_ent.o master_sig.o master_avail.o master_spawn.o 
> master_service.o master_status.o master_listen.o master_vars.o 
> master_wakeup.o master_watch.o master_flow.o master_monitor.o 
> ../../lib/libglobal.a ../../lib/libutil.a -L/usr/local/lib -lpcre -lssl 
> -lcrypto -L/usr/local/opt/mysql@5.7/lib -lmysqlclient -lz -lm -flat_namespace 
> -lresolv 
> ld: library not found for -lssl
> clang: error: linker command failed with exit code 1 (use -v to see 
> invocation)
> make: *** [master] Error 1
> 
> Homebrew installed openssl 1.0.2 when I installed either stunnel or MySQL@5.7 
> as Homebrew won’t let me uninstall that version as they are using it. Suppose 
> I’ll have to work out how to have Homebrew install them with OpenSSL@1.1.1 
> somehow.

You also have to add -L/usr/local/Cellar/openssl@1.1/1.1.1/lib
(in front of -lssl -lcrypto).

You probably should use Openssl 1.1.1a (instead of 1.1.1) because it includes
fixes for known vulnerabilities.

-- 
Herbert


queue "manipulation"

2018-11-28 Thread Barbara M.



Hi,

  I have a little mailserver (MailMan).
It works fine, except for yahoo subscribers.

While almost all subscribers receive their messages in less 
than an hour, in my queue remain (often until queue_lifetime expires) 
messages with these errors:


(host mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 452 Too many recipients 
(in reply to RCPT TO command))
  . . .

(host mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))

Is there a way to tell Postfix to resend messages in the queue (for this 
destination) a few recipients at a time (or one by one)?


N.B.: tried to play with default_destination_recipient_limit, 
smtp_destination_concurrency_limit and other parameters but the only 
result was to block mailman delivery.


Thanks, B.



Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread Robert Chalmers


@James, 

this is my Make directive set for 3.3.2, and it builds.

I did have to make a couple of patches though first. 
Added this define to dict_mysql.c:
#define MYSQL_OPT_SSL_VERIFY_SERVER_CERT 0

and this patch.

This is the DB fix. Do it by prompt after all.
sed "s:DB_VERSION_MAJOR == 5:DB_VERSION_MAJOR == 6 || &:" -i src/util/dict_db.c


My make directives. I have a number of openssls installed … but only use one of 
course

set -- '-DUSE_TLS -I/usr/local/Cellar/openssl@1.1/1.1.1/include'
set -- "$@" '-I/usr/local/opt/icu4c/include'
set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql'
set -- "$@" '-DHAS_PCRE -I/usr/local/include'
set -- "$@" '-DUSE_SASL_AUTH -DUSE_CYRUS_SASL 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" 
-I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl'
CCARGS="$@"

set -- '-lsasl2'
set -- "$@" '-L/usr/local/Cellar/openssl@1.1/1.1.1/lib -lssl -lcrypto'
set -- "$@" '-L/usr/lib -lsasl2'
set -- "$@" '-L/usr/local/opt/icu4c/lib -licuuc'
set -- "$@" '-L/usr/local/Cellar/berkeley-db@4/4.8.30/lib -ldb'
AUXLIBS="$@"


make -f Makefile.init shared=yes dynamicmaps=yes \
   config_directory=/usr/local/etc/postfix \
   command_directory=/usr/local/sbin \
   daemon_directory=/usr/local/libexec/postfix \
   queue_directory=/var/spool/postfix \
   data_directory=/var/lib/postfix \
   html_directory=/usr/share/doc/postfix/html \
   manpage_directory=/usr/local/man \
   readme_directory=/usr/share/doc/postfix \
   mailq_path=/usr/local/bin/mailq \
   newaliases_path=/usr/local/bin/newaliases \
   sendmail_path=/usr/local/sbin/sendmail \
   "CCARGS=${CCARGS}" \
   "AUXLIBS=${AUXLIBS}" \
   'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' \
   'AUXLIBS_PCRE=-L/usr/local/lib -lpcre'



my brew list … You will see the openssl there 

zeus:postfix-3.3.2 robert$ brew list
adns          clamav      freetype     gradle       lame             libksba        libvo-aacenc  netcdf       pkg-config     sdl2        unrar
argtable      cmake       gcc          hdf5         ldns             libmicrohttpd  libvorbis     nettle       protobuf       snappy      uthash
augeas        cocoapods   gd           hidapi       leveldb          libmpc         libvpx        ngircd       pth            sox         webp
autoconf      coreutils   gdbm         hiredis      libassuan        libogg         little-cms2   node         python         speex       wget
automake      cryptopp    gettext      icecast      libevent         libopendkim    llvm          npth         python@2       sphinx-doc  wine
awscli        curl        ghostscript  icu4c        libffi           libpng         llvm37        openjpeg     qrencode       sqlite      winetricks
berkeley-db   d-bus       gmp          imagemagick  libgcrypt        libsodium      llvm@3.7      openssl      qt             swftools    x264
berkeley-db@4 dbus        gnu-sed      imap-uw      libgpg-error     libtasn1       mad           openssl@1.1  qt5            szip        x265
bfgminer      dialog      gnupg        isl          libgphoto2       libtiff        makedepend    opus         re2c           telnet      xmrig
boost         dirmngr     gnupg2       jansson      libicns          libtool        miniupnpc     p11-kit      readline       telnetd     xvid
cabextract    faac        gnutls       jasper       libident         libunistring   mpfr          p7zip        redis          texi2html   xz
cdo           ffmpeg      go           jbig2dec     libidn           libusb         mysql         pcre         samba          theora      yarn
certbot       flac        gperftools   jpeg         libidn2          libusb-compat  nasm          perl         sane-backends  tnftp       yasm
cgminer       fontconfig  gpg-agent    jsoncpp      libjson-rpc-cpp  libuv          net-snmp      pinentry     sdl            unbound

Robert

> On 28 Nov 2018, at 12:00, James Brown  wrote:
> 
>> On 28 Nov 2018, at 10:38 pm, Herbert J. Skuhra  wrote:
>> 
>> On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
>>> I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 
>>> 3.3.2 but it always ends with:
>>> 
>>> cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
>>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
>>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
>>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
>>> -I/usr/local/opt//include -DHAS_SSL 
>>> -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
>>> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_C

Re: queue "manipulation"

2018-11-28 Thread Wietse Venema
Barbara M.:
> 
> Hi,
> 
>I have a little mailserver (MailMan).
> It works fine, except for yahoo subscribers.
> 
> While almost all subscribers receive their messages in less 
> than an hour, in my queue remain (often until queue_lifetime expires) 
> messages with these errors:
> 
> (host mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 452 Too many 
> recipients (in reply to RCPT TO command))
>. . .
> 
> (host mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 451 Message 
> temporarily deferred - Abaca (in reply to end of DATA command))
> 
> Is there a way to say Postfix to resend messages in the queue (for this 
> destination), few recipients at the time (or one by one)?
> 
> N.B.: tried to play with default_destination_recipient_limit, 

This is the parameter that limits the number of recipients per mail
delivery transaction. 

However, it is possible that Yahoo is rejecting the TOTAL number
of recipients per unit of time, not the number per mail delivery
transaction. There is an example for 'slow' deliveries in the
transport(5) manpage.

Wietse
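
The per-transport variant of the transport(5) "slow" example, written out here as an added illustration (not part of Wietse's reply and not Postfix's own documentation). Scoping the limits to a dedicated transport is what avoids the problem Barbara hit: changing default_destination_recipient_limit globally throttled every Mailman delivery, while these settings only touch mail routed to the "yahoo" transport. The transport name, the delay and limit values, and the domain list are assumptions; the parameter names follow the documented <transport>_destination_<setting> pattern.

```conf
# master.cf: a second SMTP client service with its own delivery limits.
# (transport name "yahoo" is an assumption; any name not already in master.cf works)
yahoo     unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/yahoo

# main.cf
transport_maps = hash:/etc/postfix/transport

# Per-transport overrides, so Mailman's other deliveries keep the defaults:
#  - one connection at a time to a Yahoo destination,
#  - a pause between successive deliveries to the same destination
#    (addresses a per-time-unit limit, which is what the 451 "temporarily deferred" suggests),
#  - few recipients per RCPT batch (addresses the 452 "Too many recipients").
yahoo_destination_concurrency_limit = 1
yahoo_destination_rate_delay = 2s
yahoo_destination_recipient_limit = 5

# /etc/postfix/transport  (afterwards: postmap /etc/postfix/transport && postfix reload)
# Matching is by recipient domain, not by MX host, so list the Yahoo domains you deliver to.
yahoo.com       yahoo:
.yahoo.com      yahoo:
yahoo.it        yahoo:
ymail.com       yahoo:
```

Check the result with `postconf -n | grep ^yahoo_` and, after a few hours, `postqueue -p`: deferred entries for these domains should no longer show the 452 at RCPT TO, and the 451 at end of DATA should become rarer as the rate delay spreads the deliveries out. A rate delay only affects the pace of delivery attempts; if Yahoo is deferring on sender reputation, the delay buys time but does not replace DKIM/SPF and a clean list.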


Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Admin Beckspaced



On 28-Nov-18 at 10:03, Matus UHLAR - fantomas wrote:

On 27.11.18 10:52, Asai wrote:
With Mozilla recently dropping support for all Symantec certs, our 
security

cert now throws errors on Thunderbird clients.  We’d like to install
certbot on Centos 6, but I’m not sure if it’s going to interfere with
Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
this?


I have no problem with Let's Encrypt certificates and postfix/whatever.
I'm just not sure if iphones have the root CA (DST Root CA X3) 
installed -

just yesterday noticed a complaint.

But I prefer dehydrated over bloated certbot.

also been using Let's Encrypt certificates for apache, postfix, dovecot, 
etc ...

without any problems so far.

+1 for mentioning dehydrated client for signing certificates with an 
ACME-server (e.g. Let's Encrypt)


https://github.com/lukas2511/dehydrated

using light-weight dehydrated has been a pleasure so far ;)

Greetings
Becki


Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Jim P.
On Wed, 2018-11-28 at 10:03 +0100, Matus UHLAR - fantomas wrote:
> On 27.11.18 10:52, Asai wrote:
> > With Mozilla recently dropping support for all Symantec certs, our
> > security
> > cert now throws errors on Thunderbird clients.  We’d like to install
> > certbot on Centos 6, but I’m not sure if it’s going to interfere
> > with
> > Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience
> > with
> > this?
> 
> I have no problem with Let's Encrypt certificates and
> postfix/whatever.
> I'm just not sure if iphones have the root CA (DST Root CA X3)
> installed -
> just yesterday noticed a complaint.
> 
> But I prefer dehydrated over bloated certbot.

This comes up enough to warrant the following questions:

1) What do you do about restarting services after automatic cert
renewals in the middle of a holiday weekend?  (i.e. renew_hook in
/etc/letsencrypt/renewal/*.conf)

2) What do you do to list all certs to show revocation, expiration,
renewal status (e.g. certbot certificates)

-Jim P.



Re: Relay access denied

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 6:49, wp.rauchholz wrote:


[root@home postfix]# telnet localhost 465


That's abnormal. Port 465 is normally TLS-wrapped, so telnet should not 
work for testing it. That it seemingly DOES work (at least to connect 
and try mail...) means that you've done something unusual in master.cf.


Please provide the output of "postconf -Mf" so that we can see how that 
port is configured.


Tangentially: all those customized "hardening" smtpd_tls_* settings you 
have will result in your server receiving more mail over unencrypted 
sessions, because many sending systems won't be able to live up to your 
TLS standards and so will fall back to sending in the clear. This makes 
your mail flow in aggregate much LESS secure.


Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 4:03, Matus UHLAR - fantomas wrote:


On 27.11.18 10:52, Asai wrote:
With Mozilla recently dropping support for all Symantec certs, our security
cert now throws errors on Thunderbird clients.  We’d like to install
certbot on Centos 6, but I’m not sure if it’s going to interfere with
Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
this?


I have no problem with Let's Encrypt certificates and postfix/whatever.
I'm just not sure if iphones have the root CA (DST Root CA X3) installed -
just yesterday noticed a complaint.

But I prefer dehydrated over bloated certbot.


I also can confirm that LE certs work just fine, and that acme.sh 
(https://github.com/Neilpang/acme.sh) is another working alternative to 
certbot. If you use DNS verification, you may prefer its bundled 'hook 
scripts' for various DNS APIs over the dehydrated model of listing the 
many scripts written by 3rd parties.


Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread Viktor Dukhovni



> On Nov 28, 2018, at 5:55 AM, James Brown  wrote:
> 
> $ locate opensslv.h
> /usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
> /usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
> /usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
> /usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h

More coffee needed.  The above lists "/usr/local/Cellar/...".

> My Make script is:
> 
> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
> -DHAS_PCRE -I/usr/local/opt//include \
> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \


Here, you have "/usr/local/opt/...".  One of these is not like the other...

> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
> -L/usr/local/opt/mysql@5.7/lib \
> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail

-- 
Viktor.



ClamAV-milter

2018-11-28 Thread @lbutlr
Trying to configure clamav-milter with postfix-current-3.4.20181105,5 under 
FreeBSD 11.2-RELEASE, but I’ve missed something since no mail is actually 
getting processed by ClamAV-milter, including the EICAR test mails which sail 
through without triggering anything.

I’ve tried to provide everything that could be relevant (mostly in an effort to 
re-examine everything) but at this point I’m stumped.


smtpd_milters =
unix:/var/run/spamass-milter.sock,
unix:/var/run/clamav/clmilter.sock

 # sockstat | grep milter
root spamass-mi 24145 4  stream /var/run/spamass-milter.sock
clamav   clamav-mil 59293 3  stream /var/run/clamav/clmilter.sock

 # gnc /usr/local/etc/clamav-milter.conf
MilterSocket /var/run/clamav/clmilter.sock
FixStaleSocket yes
User clamav
PidFile /var/run/clamav/clamav-milter.pid
ClamdSocket unix:/var/run/clamav/clamd.sock
OnInfected Quarantine
LogFile /tmp/clamav-milter.log
LogFileUnlock yes
LogFileMaxSize 20M
LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose yes

 # clamscan -I eicar.txt 
eicar.txt: Eicar-Test-Signature FOUND

 # psa clamav
clamav   56889   0.0 14.3 553736 505868  -  Is   Sun17   4:03.54 
/usr/local/sbin/clamd
clamav   57990   0.0  0.1  12268   5280  -  Is   Sun17   0:28.11 
/usr/local/bin/freshclam --daemon -p /var/run/clamav/freshclam.pid
clamav   59293   0.0  0.1  2   4540  -  Ss   Sun17   0:02.39 
/usr/local/sbin/clamav-milter -c /usr/local/etc/clamav-milter.conf

# ls -lsR /var/run/clamav/
total 48
8 drwxr-x---   3 clamav  postfix   512 Nov 28 08:57 .
8 drwxr-xr-x  15 root    wheel    1024 Nov 28 09:11 ..
8 -rw-rw-r--   1 clamav  clamav      6 Nov 25 17:44 clamav-milter.pid
8 -rw-rw-r--   1 clamav  clamav      6 Nov 25 17:44 clamd.pid
0 srw-rw-rw-   1 clamav  clamav      0 Nov 25 17:44 clamd.sock
0 srwxrwxrwx   1 clamav  clamav      0 Nov 25 17:44 clmilter.sock
8 -rw-rw----   1 clamav  clamav      6 Nov 25 17:44 freshclam.pid
8 drwx------   2 clamav  clamav    512 Nov 24 11:57 quarantine

/var/run/clamav/quarantine:
total 0

 # tail clamav/clamd.log clamav/freshclam.log 
==> clamav/clamd.log <==
Wed Nov 28 07:47:29 2018 -> Database correctly reloaded (6722408 signatures)
Wed Nov 28 07:57:53 2018 -> SelfCheck: Database status OK.
Wed Nov 28 08:08:30 2018 -> SelfCheck: Database status OK.
Wed Nov 28 08:21:53 2018 -> SelfCheck: Database status OK.
Wed Nov 28 08:33:50 2018 -> SelfCheck: Database status OK.
Wed Nov 28 08:44:55 2018 -> SelfCheck: Database status OK.
Wed Nov 28 08:55:38 2018 -> SelfCheck: Database status OK.
Wed Nov 28 09:06:16 2018 -> SelfCheck: Database status OK.
Wed Nov 28 09:16:44 2018 -> SelfCheck: Database status OK.
Wed Nov 28 09:28:14 2018 -> SelfCheck: Database status OK.

==> clamav/freshclam.log <==
--
Received signal: wake up
ClamAV update process started at Wed Nov 28 07:47:03 2018
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: 
sigmgr)
Downloading daily-25161.cdiff [100%]
daily.cld updated (version: 25161, sigs: 2163162, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6729502 signatures) from database.clamav.net (IP: 
104.16.185.138)
Clamd successfully notified about the update.
———

There is nothing in any other logs about clamav.

So it seems like it is installed and running. Freshclam has updated 
successfully.

-- 
"How good bad music and bad reasons sound when we march against an
enemy." -  Friedrich Nietzsche

===
function psa () {
  ps auxww | grep -i $* | grep -v grep
}
alias gnc='grep -v "^\($\|#\|\/\)" '

Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Viktor Dukhovni



> On Nov 28, 2018, at 9:49 AM, Jim P.  wrote:
> 
> 1) What do you do about restarting services after automatic cert
> renewals in the middle of a holiday weekend?  (i.e. renew_hook in
> /etc/letsencrypt/renewal/*.conf)

There is no need to restart or even "reload" Postfix when certificates
change, unless you've left renewal too late, and are already or will
imminently be serving expired certificates.

Most Postfix service processes, in particular all the ones that
make use of private keys and certificates, run for a limited
amount of time and are automatically replaced with newer processes
that use the latest settings.

-- 
Viktor.



Re: Installing LetsEncrypt For Postfix and Dovecot

2018-11-28 Thread Jim P.
On Wed, 2018-11-28 at 12:25 -0500, Viktor Dukhovni wrote:
> > On Nov 28, 2018, at 9:49 AM, Jim P.  wrote:
> > 
> > 1) What do you do about restarting services after automatic cert
> > renewals in the middle of a holiday weekend?  (i.e. renew_hook in
> > /etc/letsencrypt/renewal/*.conf)
> 
> There is no need to restart or even "reload" Postfix when certificates
> change, unless you've left renewal too late, and are already or will
> imminently be serving expired certificates.
> 
> Most Postfix service processes, in particular all the ones that
> make use of private keys and certificates, run for a limited
> amount of time and are automatically replaced with newer processes
> that use the latest settings.

Thanks for that point, that makes good sense.

-Jim P.




Re: queue "manipulation"

2018-11-28 Thread Barbara M.

On Wed, 28 Nov 2018, Wietse Venema wrote:


. . .



Is there a way to say Postfix to resend messages in the queue (for this
destination), few recipients at the time (or one by one)?

N.B.: tried to play with default_destination_recipient_limit,


This is the parameter that limits the number of recipients per mail
delivery transaction.

However, it is possible that Yahoo is rejecting the TOTAL number
of recipients per unit of time, not the number per mail delivery
transaction. There is an example for 'slow' deliveries in the
transport(5) manpage.


Thanks for the reply.
The box is a standard "CentOS Linux release 7.5.1804 (Core)"
Postfix standard (RH): postfix-2.10.1-6.el7.x86_64

I inserted in master.cf (last row):

limitrecip  unix -   -   n   -   -   smtp -o 
default_destination_recipient_limit=3

and in transport:

yahoo.com   limitrecip:
yahoo.it    limitrecip:

postmap transport, restart postfix ...

Tried to flush a single message using postqueue -i B9899396281A   (message 
with 7 recipients).


In maillog I have:

Nov 28 18:29:13 ls postfix/qmgr[22329]: B9899396281A: from=, size=234000, nrcpt=50 (queue active)
Nov 28 18:29:14 ls postfix/smtp[22417]: B9899396281A: host mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command)
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))
Nov 28 18:29:15 ls postfix/smtp[22417]: B9899396281A: to=, relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=98481, delays=98480/0.02/0.75/0.39, dsn=4.0.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily deferred - Abaca (in reply to end of DATA command))



Despite the "3" that I inserted in the parameter 
default_destination_recipient_limit=3 postfix is trying to flush all the 7 
addresses.
Probably I am missing something trivial (I am not a full time mail 
administrator).


Any hints?

Thanks, B.




Re: queue "manipulation"

2018-11-28 Thread Viktor Dukhovni



> On Nov 28, 2018, at 1:14 PM, Barbara M.  wrote:
> 
> Thanks for replay.
> The box is a standard "CentOS Linux release 7.5.1804 (Core)"
> Postfix standard (RH): postfix-2.10.1-6.el7.x86_64
> 
> I inserted in master.cf (last row):
> 
> limitrecip  unix -   -   n   -   -   smtp -o 
> default_destination_recipient_limit=3


The "_destination_recipient_limit" parameters are qmgr(8)
parameters, NOT smtp(8) parameters.  The correct setting is:

   main.cf:
limitrecip_destination_recipient_limit = 3

then "postfix reload" to refresh the queue manager.

-- 
Viktor.



Re: Relay access denied

2018-11-28 Thread Wolfgang Paul Rauchholz
Thanks for taking this up.
Concerning hardening TLS settings; can you recommend a read / web page that
is suitable for a home email server?
Thanks in advance

Here is the postconf -Mf output

smtp       inet  n       -       n       -       -       smtpd
amavisfeed unix  -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes -o max_use=20
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
spamassassin unix -      n       n       -       -       pipe
    flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter= -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps=

Thanks, Wolfgang


On Wed, Nov 28, 2018 at 4:55 PM Bill Cole <
postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 6:49, wp.rauchholz wrote:
>
> > [root@home postfix]# telnet localhost 465
>
> That's abnormal. Port 465 is normally TLS-wrapped, so telnet should not
> work for testing it. That it seemingly DOES work (at least to connect
> and try mail...) means that you've done something unusual in master.cf.
>
> Please provide the output of "postconf -Mf" so that we can see how that
> port is configured.
>
> Tangentially: all those customized "hardening" smtpd_tls_* settings you
> have will result in your server receiving more mail over unencrypted
> sessions, because many sending systems won't be able to live up to your
> TLS standards and so will fall back to sending in the clear. This makes
> your mail flow in aggregate much LESS secure.
>


-- 

Wolfgang Rauchholz


forwarding mail like before queue filtering to remote mta

2018-11-28 Thread Stefan Bauer
Hi,

is there a way to keep an smtp session open and do before queue filtering
AND final delivery to remote mta? only send 250 if we have already
received 250; if not, send a temp error.

we would like to only accept mails if we can deliver them at the same time.
a local queue is not wanted due to privacy reasons.

Stefan


Re: forwarding mail like before queue filtering to remote mta

2018-11-28 Thread Wietse Venema
Stefan Bauer:
> Hi,
> 
> is there a way to keep an smtp session open and do before queue filtering
> AND final delivery to remote mta? only send 250 if we have already
> received 250; if not, send a temp error.

How would that work when one message has more than one recipient?
In different domains? When one domain accepts the message, and the
other tempfails? What status would Postfix return to the SMTP client?

> we would like to only accept mails if we can deliver them at the same time.
> a local queue is not wanted due to privacy reasons.

Use a proxy that accepts one recipient at a time.

Wietse


RE: looking for any options to better deal with mail looping

2018-11-28 Thread Fazzina, Angelo
Hi, I am still lost with how this all works together, sadly.  Do you see 
obvious errors or am I misunderstanding the limits of what can be done?

I am not sure yet what is relevant 
My current settings:
relay_recipient_maps = mysql:/etc/postfix/files/mysql_pn.cf
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/files/sender_relay_domains,
    reject_unverified_recipient,
    permit_mynetworks,
    permit_sasl_authenticate
smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to,
    permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination

[root@mta5 files]# more sender_relay_domains
## -ALF This should allow Listerv addresses even though they are not in PerName 
DB
listserv.uconn.edu  DUNNO

[root@mta5 maps]# more transport
#  Domains *relayed*  by pn.uconn.edu and which map to the hosts' A record.
ad.uconn.edu            smtp:[uconn-edu.mail.protection.outlook.com]
darwin.eeb.uconn.edu    smtp:[darwin.eeb.uconn.edu]
listserv.uconn.edu      smtp:[listserv.uconn.edu]



My goal is to allow all mail TO  anyth...@listserv.uconn.edu but still check 
recipient for other domains like darwin.eeb.uconn.edu

MY testing:

Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ang...@uconn.edu
250 2.1.0 Ok
rcpt to:b...@darwin.eeb.uconn.edu
450 4.1.1 : Recipient address rejected: unverified 
address: Address verification in progress
rcpt to:k...@darwin.eeb.uconn.edu
250 2.1.5 Ok
rcpt to:spa...@listserv.uconn.edu
450 4.1.1 : Recipient address rejected: unverified 
address: Address verification in progress
quit
221 2.0.0 Bye
Connection closed by foreign host.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Noel Jones
Sent: Friday, November 16, 2018 4:10 PM
To: postfix-users@postfix.org
Subject: Re: looking for any options to better deal with mail looping

On 11/16/2018 2:41 PM, Fazzina, Angelo wrote:
> Hi again,
> Even though my configuration does what I need it to do, it seems to have 
> broken something else that needs to still work.
> Did I forget something or just did this wrong ?
> Will this setting allow whitelisting something to help the issue 
> "smtpd_sender_restrictions"
> I may be just confusing the processing Postfix does AFA  envelope TO and FROM 
> and header TO and FROM...?

The To: From: headers have no relation to postfix delivery. All
delivery is based on envelope addresses.


> 
> Here is the test showing what is broken:
>... 
> 250 2.1.0 Ok
> rcpt to:uconn_employee...@listserv.uconn.edu
> 450 4.1.1 : Recipient address rejected: 
> unverified address: Address verification in progress
>...

Nothing wrong here.  The address verification is in progress and the
client is free to retry delivery.  Presumably the verification
completed a few seconds later.  This will be noted in the log.

If you wish to exempt some recipient from verification, add a
check_recipient_access map before the reject_unverified_recipient


> Here is my current config in main.cf :
> smtpd_recipient_restrictions = reject_unknown_recipient_domain, 
> reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, 
> reject_unauth_destination

Typically, reject_unverified_recipient would be after
reject_unauth_destination to prevent verifying random internet
recipients, or in a check_recipient_access map to limit the scope of
the checks.  Something like:

dontverif...@example.com  DUNNO
listserv.example.com  DUNNO
example.com  reject_unverified_recipient


> relay_recipient_maps = hash:/etc/postfix/files/sender_relay_domains,  
> mysql:/etc/postfix/files/mysql_pn.cf
>   [root@mta5 files]# more sender_relay_domains
>   @listserv.uconn.edu  OK

relay_recipient_maps does not exempt addresses from the
reject_unverified_recipient check.  See the above example for how to
exempt addresses from verification.


> 
> Here is [most of] the headers of a real email that gets delivered to my 
> first.l...@uconn.edu address even though it does not appear anywhere in the 
> headers :

Headers are irrelevant for this discussion.  Postfix logs will show
what is happening.




  -- Noel Jones


Re: Relay access denied

2018-11-28 Thread Viktor Dukhovni
> On Nov 28, 2018, at 3:47 PM, Wolfgang Paul Rauchholz  
> wrote:
> 
> Thanks for the taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page that
> is suitable for a home email server?

Run with default Postfix settings.  They are good enough, worst case
exclude a cipher type or two, but don't redefine the low-level
"tls_*_cipherlist" parameters.

-- 
Viktor.



Re: Relay access denied

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:


Thanks for taking this up.
Concerning hardening TLS settings; can you recommend a read / web page
that is suitable for a home email server?


The TLS "readme" files in the Postfix distribution (and at 
http://www.postfix.org/TLS_README.html and 
http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need 
to know.


The short version: Postfix default TLS cipher and protocol settings are 
fine, for releases after 2015. For older versions, you may need to set 
smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2, 
!SSLv3" which is the default in currently supported versions.



Thanks in advance

Here is the postconf -Mf output

smtp   inet  n   -   n   -   -   smtpd
amavisfeed unix  -   -   n   -   2   lmtp
-o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes -o max_use=20
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING


That's the 'submission' (port 587) daemon, which opens connections in 
cleartext and supports the "STARTTLS" command to upgrade the connection 
to TLS encryption (because your main config includes 
"smtpd_tls_security_level = may"). To send mail through this daemon, you 
MUST either be sending to a domain that Postfix is configured to accept 
mail for (local, virtual, and relay domains) OR authenticate using SASL 
first. Because of "smtpd_tls_auth_only = yes" in your main config, you 
can only authenticate using SASL *after* using STARTTLS to negotiate a 
TLS session.



smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING


That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would 
have an additional configuration override directive:


-o smtpd_tls_wrappermode=yes

Which "wraps" the SMTP session in TLS encryption that is negotiated 
immediately at connect time, rather than having clients connect in the 
clear. As it stands, your 'submission' and 'smtps' daemons will behave 
identically, except for listening on different ports and using different 
syslog labels. There's no benefit in that, because any client using port 
465 will expect the smtps 'wrappermode' behavior and any using port 587 
will expect the configured cleartext/STARTTLS behavior.


Because you are overriding the default smtpd_recipient_restrictions with 
a restriction list which only permits mail from authenticated senders or 
to recipients in local and relay-authorized domains, your attempt to 
send mail to a gmail.com address was rejected.


You were able to send through port 25 because by default, 
smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO' 
result) and smtpd_relay_restrictions starts with 'permit_mynetworks'. 
This lets the mail through because you are connecting from the loopback, 
which is included in your mynetworks setting.


I hope this helps. Good luck!

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
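The port-465 mistake Bill describes is easy to catch mechanically. The checker below is an added example (not from the thread or the Postfix project): it parses the master.cf-style dump that "postconf -Mf" prints, collects each smtpd listener's "-o" overrides, and reports an smtps/465 service without smtpd_tls_wrappermode=yes, plus any submission-style listener with SASL left off. The sample dump is constructed to mirror the two services quoted above.

```python
"""Check a "postconf -Mf" dump for implicit-TLS and submission misconfigurations.

Added example, not Postfix code.  Port 465 clients expect TLS immediately at
connect time, so an smtps listener without smtpd_tls_wrappermode=yes behaves
like a second port-587 daemon and breaks those clients.
"""

# Constructed sample in the shape of "postconf -Mf" output, modelled on the
# thread: the smtps entry is missing the wrappermode override.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
"""

# Service names or port numbers on which clients expect implicit TLS.
IMPLICIT_TLS = {"smtps", "submissions", "465"}
# Listeners that exist for authenticated submission and should require SASL.
SUBMISSION = IMPLICIT_TLS | {"submission", "587"}


def parse_master(text):
    """Split a postconf -Mf dump into services.

    Each service is a dict with name, type, command and overrides (the
    "-o key=value" arguments).  Indented lines continue the previous
    service, exactly as in master.cf.
    """
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if not services:
                raise ValueError("continuation line before any service entry")
            services[-1]["args"].extend(line.split())
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % line)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    for svc in services:
        overrides = {}
        args = iter(svc["args"])
        for tok in args:
            if tok == "-o":
                key, _, value = next(args, "").partition("=")
                overrides[key] = value
        svc["overrides"] = overrides
    return services


def yes(value):
    """Postfix-style boolean; anything unrecognised counts as off."""
    return value.strip().lower() in ("yes", "true", "on", "1")


def check_services(text):
    """Return (service name, problem) tuples for inet smtpd listeners."""
    findings = []
    for svc in parse_master(text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        # "127.0.0.1:465", "465" and "smtps" all name the same port.
        port = svc["name"].rsplit(":", 1)[-1]
        ov = svc["overrides"]
        if port in IMPLICIT_TLS and not yes(ov.get("smtpd_tls_wrappermode", "no")):
            findings.append((svc["name"],
                             "implicit-TLS port without smtpd_tls_wrappermode=yes"))
        if port in SUBMISSION and not yes(ov.get("smtpd_sasl_auth_enable", "no")):
            findings.append((svc["name"],
                             "submission port without smtpd_sasl_auth_enable=yes"))
    return findings


if __name__ == "__main__":
    for name, problem in check_services(SAMPLE_MASTER_CF):
        print("%s: %s" % (name, problem))
```

On a live system, feed it the real dump with `postconf -Mf` piped into the script instead of the constructed sample.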


smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Andrey Repin
Greetings, All!

I'm trying to set delivery on a new server, but hit a roadblock.

The premise is this:
1. All delivery should be handled directly, but…
2. Some of our clients are rejecting mail using particularly idiotic RBL,
however…
3. I have a relay server that usually works ok, although slower, but…
4. Relay server requires TLS and authentication.

Now, I've successfully configured dumb relayhost= with TLS and auth.
But I'm failing to mate it with either relay_transport= or
smtp_fallback_relay=

It either is not using the fallback relay, complains that it requires wrappermode=yes,
or says that there was a timeout waiting for the server greeting.

Any pointers?


-- 
With best regards,
Andrey Repin
Thursday, November 29, 2018 2:42:28

Sorry for my terrible English...

Re: queue "manipulation"

2018-11-28 Thread Barbara M.

On Wed, 28 Nov 2018, Viktor Dukhovni wrote:


Thanks for the reply.
The box is a standard "CentOS Linux release 7.5.1804 (Core)"
Postfix standard (RH): postfix-2.10.1-6.el7.x86_64

I inserted in master.cf (last row):

limitrecip  unix -   -   n   -   -   smtp -o 
default_destination_recipient_limit=3



The "_destination_recipient_limit" parameters are qmgr(8)
parameters, NOT smtp(8) parameters.  The correct setting is:

  main.cf:
limitrecip_destination_recipient_limit = 3

then "postfix reload" to refresh the queue manager.



Same result (it tried to deliver to all the 7 addresses of the message 
flushed for test).


# postconf |grep limitrec
limitrecip_delivery_slot_cost = $default_delivery_slot_cost
limitrecip_delivery_slot_discount = $default_delivery_slot_discount
limitrecip_delivery_slot_loan = $default_delivery_slot_loan
limitrecip_destination_concurrency_failed_cohort_limit = 
$default_destination_concurrency_failed_cohort_limit
limitrecip_destination_concurrency_limit = 
$default_destination_concurrency_limit
limitrecip_destination_concurrency_negative_feedback = 
$default_destination_concurrency_negative_feedback
limitrecip_destination_concurrency_positive_feedback = 
$default_destination_concurrency_positive_feedback
limitrecip_destination_rate_delay = $default_destination_rate_delay
limitrecip_destination_recipient_limit = 3
limitrecip_extra_recipient_limit = $default_extra_recipient_limit
limitrecip_initial_destination_concurrency = $initial_destination_concurrency
limitrecip_minimum_delivery_slots = $default_minimum_delivery_slots
limitrecip_recipient_limit = $default_recipient_limit
limitrecip_recipient_refill_delay = $default_recipient_refill_delay
limitrecip_recipient_refill_limit = $default_recipient_refill_limit


What am I missing?

Thanks, B.


Re: smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Viktor Dukhovni
On Thu, Nov 29, 2018 at 02:59:35AM +0300, Andrey Repin wrote:

> The premise is this:
> 1. All delivery should be handled directly, but...

#
relayhost =

> 2. Some of our clients are rejecting mail using particularly idiotic RBL,
>however...

Are the rejects 4XX or 5XX?

> 3. I have a relay server that usually works ok, although slower, but...

You really should be more precise here.  Is the relay server doing STARTTLS
(on either port 25 or 587) or implicit TLS (port 465)?

> 4. Relay server requires TLS and authentication.

What flavour of TLS?  STARTTLS (TLS after SMTP) or implicit TLS
(SMTP after TLS)?

> Now, I've successfully configured dumb relayhost= with TLS and auth.
> But I'm failing to mate it with either relay_transport= or
> smtp_fallback_relay=

If the failures are confined to a mostly stable set of domains and are
not infrequent, then you want to always route these domains to the
relay via:

main.cf:
indexed = ${default_database_type}:${config_directory}/
#
# Enable SASL, with plaintext passwords sent only
# to TLS authenticated servers.
#
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = noanonymous
smtp_sasl_password_maps = ${indexed}sasl-passwd
#
# Some domains go to the relayhost
#
transport_maps = ${indexed}transport
#
# Per-destination security policy
#
smtp_tls_policy_maps = ${indexed}tls-policy
#
# Small fixed set of trusted CAs (5 or less, ideally one), if known
# applicable to the relayhost
#
tlsrelay_CAfile = ...
#
# Otherwise, one of the usual kitchen sink "bundles", but set
# empty if relayhost will not change CAs unexpectedly.
#
tlsrelay_CApath = ...

sasl-passwd:
[relayhost.example]:587 aladdin:open sesame

transport:
example.com tlsrelay:[relayhost.example]:587
example.org tlsrelay:[relayhost.example]:587
example.net tlsrelay:[relayhost.example]:587
...

tls-policy:
[relayhost.example]:587 secure

master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
tlsrelay  unix  -   -   n   -   -   smtp
-o smtp_tls_CApath=$tlsrelay_CApath
-o smtp_tls_CAfile=$tlsrelay_CAfile
...

> It either not using fallback relay, complain that it requires wrappermode=yes,
> or says that there were timeout waiting for server greeting.

If the set of problem destinations is dynamic, or the failure sporadic,
and a direct attempt makes sense, then:

main.cf:
indexed = ${default_database_type}:${config_directory}/
#
# Enable SASL, with plaintext passwords sent only
# to TLS authenticated servers.
#
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = noanonymous
smtp_sasl_password_maps = ${indexed}sasl-passwd
#
# Per-destination security policy
#
smtp_tls_policy_maps = ${indexed}tls-policy
#
# Small fixed set of trusted CAs (5 or less, ideally one), if known
# applicable to the relayhost
#
smtp_tls_CAfile = ...
#
# Otherwise, one of the usual kitchen sink "bundles", but set
# empty if relayhost will not change CAs unexpectedly.
#
smtp_tls_CApath = ...

tls-policy:
[relayhost.example]:587 secure

master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp  unix  -   -   n   -   -   smtp
    -o smtp_fallback_relay=[relayhost.example]:587
#
# Last resort, soft bounce, if direct path rejects, but this also
# soft fails hard errors from the relay.
#
# Better: 
.
#
# -o soft_bounce=yes

-- 
Viktor.


Re: queue "manipulation"

2018-11-28 Thread Viktor Dukhovni
On Thu, Nov 29, 2018 at 01:14:55AM +0100, Barbara M. wrote:

> > then "postfix reload" to refresh the queue manager.
> 
> 
> Same result (it tried to deliver all the 7 address of the message 
> flushed for test).
> 
> # postconf |grep limitrec
> limitrecip_destination_recipient_limit = 3
>
> What am I missing?

* Evidence that the queue manager was reloaded.

* Evidence that the nexthop destination domain (not the MX host, but
  the envelope recipient domain) is routed to the "limitrecip" transport.

* Evidence that the transport table has been rebuilt (show "postmap -q"
  output).

* Evidence that nothing changed?  Show new logs.

Since the Postfix queue manager unquestionably supports the parameter
in question, one of the steps in the configuration must not have
been carried out correctly.

-- 
Viktor.


Re: forwarding mail like before queue filtering to remote mta

2018-11-28 Thread Viktor Dukhovni
On Wed, Nov 28, 2018 at 09:56:19PM +0100, Stefan Bauer wrote:

> Is there a way to keep an smtp session open and do before queue filtering
> AND final delivery to remote mta? do only sent 250 if we have already
> received 250. if not send temp error.

Only if there is a fixed remote MTA (smarthost), regardless of the
ultimate destination domain, and that MTA never selectively rejects
just a proper subset of the recipients.

Postfix can provide a non-queueing SMTP proxy, but only when the
fixed nexthop smarthost MTA accepts everything that Postfix accepts,
or else rejects the entire message, and it supports largely the
same ESMTP features (but you can configure which ESMTP features
Postfix will advertise to match).

If Postfix is to perform non-trivial message routing or address
rewriting, then the answer is "no".

-- 
Viktor.


Re: smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Andrey Repin
Greetings, Viktor Dukhovni!

> On Thu, Nov 29, 2018 at 02:59:35AM +0300, Andrey Repin wrote:

>> The premise is this:
>> 1. All delivery should be handled directly, but...

> #
> relayhost =

That's not directly, that's "through relay".

>> 2. Some of our clients are rejecting mail using particularly idiotic RBL,
>>however...

> Are the rejects 4XX or 5XX?

220-relay6.hosting.reg.ru ESMTP Postfix
521 5.7.1 Service unavailable; client [213.134.200.30] blocked using 
b.barracudacentral.org

>> 3. I have a relay server that usually works ok, although slower, but...

> You really should be more precise here.  Is the relay server doing STARTTLS
> (on either port 25 or 587) or implicit TLS (port 465)?

>> 4. Relay server requires TLS and authentication.

> What flavour of TLS?  STARTTLS (TLS after SMTP) or implicit TLS
> (SMTP after TLS)?

TLS as in - explicit TLS (port 465).

>> Now, I've successfully configured dumb relayhost= with TLS and auth.
>> But I'm failing to mate it with either relay_transport= or
>> smtp_fallback_relay=

> If the failures are confined to a mostly stable set of domains and are
> not infrequent, then you want to always route these domains to the
> relay via:

> transport:
> example.com tlsrelay:[relayhost.example]:587
> example.org tlsrelay:[relayhost.example]:587
> example.net tlsrelay:[relayhost.example]:587
> ...

> master.cf:
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (no)    (never) (100)
> # ==========================================================================
> tlsrelay  unix  -   -   n   -   -   smtp
>     -o smtp_tls_CApath=$tlsrelay_CApath
>     -o smtp_tls_CAfile=$tlsrelay_CAfile
> ...

Hm. I was near that solution, but you are right that it is only applicable to
a known set of domains.

>> It either does not use the fallback relay, complains that it requires wrappermode=yes,
>> or says that there was a timeout waiting for server greeting.

> If the set of problem destinations is dynamic, or the failure sporadic,
> and a direct attempt makes sense, then:

> master.cf:
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (no)    (never) (100)
> # ==========================================================================
> smtp  unix  -   -   n   -   -   smtp
>     -o smtp_fallback_relay=[relayhost.example]:587

Should use 465...
Which requires wrappermode=yes.
Which subsequently breaks any direct delivery.


-- 
With best regards,
Andrey Repin
Thursday, November 29, 2018 4:01:41

Sorry for my terrible english...



Re: queue "manipulation"

2018-11-28 Thread Barbara M.

On Wed, 28 Nov 2018, Viktor Dukhovni wrote:

> > > then "postfix reload" to refresh the queue manager.
> > 
> > Same result (it tried to deliver all the 7 address of the message
> > flushed for test).
> > 
> > # postconf |grep limitrec
> > limitrecip_destination_recipient_limit = 3
> >
> > What am I missing?




Thanks for your patience ;-)
Hope I can reply as expected ...


> * Evidence that the queue manager was reloaded.


I did:   service postfix restart (and also postfix reload)


> * Evidence that the nexthop destination domain (not the MX host, but
>   the envelope recipient domain) is routed to the "limitrecip" transport.


In transport file:

yahoo.com                    limitrecip:
yahoo.it                     limitrecip:
yahoodns.net                 limitrecip:
mx-eu.mail.am0.yahoodns.net  limitrecip:

The destination addresses are *@yahoo.it
Added also yahoodns.net and mx-eu.mail.am0.yahoodns.net (suppose already 
included from the yahoodns.net key).



> * Evidence that the transport table has been rebuilt (show "postmap -q"
>   output).


# postmap -q yahoo.it transport
limitrecip:
# postmap -q yahoo.com transport
limitrecip:
# postmap -q yahoodns.net transport
limitrecip:
# postmap -q mx-eu.mail.am0.yahoodns.net transport
limitrecip:



> * Evidence that nothing changed?  Show new logs.



From mailq output:



B9899396281A   234000 Tue Nov 27 15:07:53 users-boun...@list.rfx.it
(host mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message 
temporarily deferred - Abaca (in reply to end of DATA command))

 us...@yahoo.it
 us...@yahoo.it
 us...@yahoo.it
 us...@yahoo.it
 us...@yahoo.it
 us...@yahoo.it
 us...@yahoo.it


# postqueue -i  B9899396281A

In maillog:

Nov 29 02:25:47 ls postfix/qmgr[2280]: B9899396281A: 
from=, size=234000, nrcpt=50 (queue active)
Nov 29 02:25:48 ls postfix/smtp[2567]: B9899396281A: host 
mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command)
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))
Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
to=, 
relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
deferred - Abaca (in reply to end of DATA command))




> Since the Postfix queue manager unquestionably supports the parameter
> in question, one of the steps in the configuration must not have
> been carried out correctly.


I know I am doing something in the wrong way, but I can't understand if it 
is a simple configuration error or an approach/logical error.

Thanks for your patience and time.

Thanks, B.



Re: smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Viktor Dukhovni
On Thu, Nov 29, 2018 at 04:21:44AM +0300, Andrey Repin wrote:

> >> 1. All delivery should be handled directly, but...
> 
> > #
> > relayhost =
> 
> That's not directly, that's "through relay".

By ensuring that "relayhost = " (empty), the initial delivery is
direct.

> > Are the rejects 4XX or 5XX?
> 
> 220-relay6.hosting.reg.ru ESMTP Postfix
> 521 5.7.1 Service unavailable; client [213.134.200.30] blocked using 
> b.barracudacentral.org

Well, the barracuda RBL is not generally considered particularly
aggressive.  If your MTA is routinely listed there, and you're not
spamming, you should work with Barracuda to get de-listed.

> >> 4. Relay server requires TLS and authentication.
> 
> > What flavour of TLS?  STARTTLS (TLS after SMTP) or implicit TLS
> > (SMTP after TLS)?
> 
> TLS as in - explicit TLS (port 465).

That's actually called "implicit" TLS:

https://tools.ietf.org/html/rfc8314#section-3

> Hm. I was near that solution, but you are right that it is only applicable to
> a known set of domains.

Is that your case or do you see the issue with an unpredictable set
of destinations?

> > smtp  unix  -   -   n   -   -   smtp
> > -o smtp_fallback_relay=[relayhost.example]:587
> 
> Should use 465...

The "smtp_tls_wrapper_mode" setting in Postfix is per-transport
(via master.cf overrides), and has no per-destination analogue in
the TLS policy table.  Nor is this inferred from the port number.

So yes, you can't have wrapper mode for just the fallback relay.
Which means that your relayhost would have to support STARTTLS.

> Which requires wrappermode=yes.
> Which subsequently break any direct delivery.

Yes, good luck, assuming you're sending email users want and not
unsolicited bulk email.  If the latter, then Yahoo's refusal to
accept the email is eminently reasonable.

-- 
Viktor.


Re: queue "manipulation"

2018-11-28 Thread Viktor Dukhovni
On Thu, Nov 29, 2018 at 02:43:46AM +0100, Barbara M. wrote:

> >> # postconf |grep limitrec
> >> limitrecip_destination_recipient_limit = 3
> 
> >* Evidence that the nexthop destination domain (not the MX host, but
> >  the envelope recipient domain) is routed to the "limitrecip" transport.
> 
> In transport file:
> 
> yahoo.com                    limitrecip:
> yahoo.it                     limitrecip:
> yahoodns.net                 limitrecip:
> mx-eu.mail.am0.yahoodns.net  limitrecip:

And how is Postfix configured to use this transport file?

> Nov 29 02:25:47 ls postfix/qmgr[2280]: B9899396281A: 
>   from=, size=234000, nrcpt=50 (queue active)
> Nov 29 02:25:48 ls postfix/smtp[2567]: B9899396281A: host 
>   mx-eu.mail.am0.yahoodns.net[188.125.73.87] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command)
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command))
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command))
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451
>   Message temporarily deferred - Abaca (in reply to end of DATA command))
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command))
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command))
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command))
> Nov 29 02:25:49 ls postfix/smtp[2567]: B9899396281A: 
>   to=, 
>   relay=mx-eu.mail.am0.yahoodns.net[212.82.101.46]:25, delay=127075, 
>   delays=127074/0/0.67/0.39, dsn=4.0.0, status=deferred (host 
>   mx-eu.mail.am0.yahoodns.net[212.82.101.46] said: 451 Message temporarily 
>   deferred - Abaca (in reply to end of DATA command))

Yes, all 7 recipients were in the same "envelope", so the recipient_limit
was not applied, which suggests that the transport settings were
not in effect.

-- 
Viktor.
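
A minimal wiring of the pieces Viktor is asking for evidence of, as an added example constructed here (not taken from the thread); the file paths and the hash: table type are assumptions, and the verification commands in the comments use standard postconf(1)/postmap(1) options.

```ini
# main.cf (constructed example; paths and table type are assumptions)
transport_maps = hash:/etc/postfix/transport
# Per-transport override: at most 3 recipients per delivery envelope
# for mail that the transport table routes to "limitrecip".
limitrecip_destination_recipient_limit = 3

# master.cf: the transport must exist as its own copy of the smtp client,
# otherwise the *_destination_recipient_limit parameter has nothing to apply to
# service    type  private unpriv  chroot  wakeup  maxproc command + args
limitrecip   unix  -       -       n       -       -       smtp

# /etc/postfix/transport: keys are envelope recipient domains. MX host names
# such as mx-eu.mail.am0.yahoodns.net are never looked up here, so those
# entries are harmless but do nothing.
yahoo.it     limitrecip:
yahoo.com    limitrecip:

# Rebuild the table and reload, then collect the evidence, one item each:
#   postmap /etc/postfix/transport
#   postfix reload
#   postconf -h transport_maps                        # must name this table
#   postmap -q yahoo.it hash:/etc/postfix/transport    # prints "limitrecip:"
#   postconf -M limitrecip/unix                        # the service exists
#   postconf limitrecip_destination_recipient_limit    # prints 3
# After the reload, a 7-recipient message to yahoo.it leaves as three
# envelopes (3 + 3 + 1), visible as separate smtp client sessions in the log;
# a single session carrying all 7 means the transport is not in effect.
```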


Re: smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Andrey Repin
Greetings, Viktor Dukhovni!

> On Thu, Nov 29, 2018 at 04:21:44AM +0300, Andrey Repin wrote:

>> >> 1. All delivery should be handled directly, but...
>> 
>> > #
>> > relayhost =
>> 
>> That's not directly, that's "through relay".

> By ensuring that "relayhost = " (empty), the initial delivery is
> direct.

Ah, right. Sorry for confusion.

>> > Are the rejects 4XX or 5XX?
>> 
>> 220-relay6.hosting.reg.ru ESMTP Postfix
>> 521 5.7.1 Service unavailable; client [213.134.200.30] blocked using 
>> b.barracudacentral.org

> Well, the barracuda RBL is not generally considered particularly
> aggressive.  If your MTA is routinely listed there, and you're not
> spamming, you should work with Barracuda to get de-listed.

If only it was possible to "work with". They have no contacts whatsoever,
only a laggy "delisting" form that once in a blue moon shows you some "tracking
ID" that you can't use for anything.
And the only reason I could come up with that my IP ended in it is that I have
had no mail sent to port 25 from this IP in eight years.

>> >> 4. Relay server requires TLS and authentication.
>> 
>> > What flavour of TLS?  STARTTLS (TLS after SMTP) or implicit TLS
>> > (SMTP after TLS)?
>> 
>> TLS as in - explicit TLS (port 465).

> That's actually called "implicit" TLS:

> https://tools.ietf.org/html/rfc8314#section-3

>> Hm. I was near that solution, but you are right that it is only applicable to
>> a known set of domains.

> Is that your case or do you see the issue with an unpredictable set
> of destinations?

I can't predict which other destinations would use that stupid RBL.

>> > smtp  unix  -   -   n   -   -   smtp
>> > -o smtp_fallback_relay=[relayhost.example]:587
>> 
>> Should use 465...

> The "smtp_tls_wrapper_mode" setting in Postfix is per-transport
> (via master.cf overrides), and has no per-destination analogue in
> the TLS policy table.  Nor is this inferred from the port number.

> So yes, you can't have wrapper mode for just the fallback relay.
> Which means that your relayhost would have to support STARTTLS.

It does not, I just double checked with the owner.

>> Which requires wrappermode=yes.
>> Which subsequently break any direct delivery.

> Yes, good luck, assuming you're sending email users want and not
> unsolicited bulk email.

I don't send unsolicited bulk email at all.
I didn't send any email at all to begin with, I only recently removed hard
outgoing block on port 25, and only for a single intranet host, where I'm
setting up the server. Lo and behold, my IP is in RBL with no way to get it
out of there.
All I've learned about RBL in the last decade is that they are all either
racket, ransom or worse.

> If the latter, then Yahoo's refusal to accept the email is eminently
> reasonable.

I don't know what Yahoo have to do with this problem, but I'll take your
word for it.


-- 
With best regards,
Andrey Repin
Thursday, November 29, 2018 5:16:04

Sorry for my terrible english...



Re: smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Viktor Dukhovni
> On Nov 28, 2018, at 9:25 PM, Andrey Repin  wrote:
> 
>> The "smtp_tls_wrapper_mode" setting in Postfix is per-transport
>> (via master.cf overrides), and has no per-destination analogue in
>> the TLS policy table.  Nor is this inferred from the port number.
> 
>> So yes, you can't have wrapper mode for just the fallback relay.
>> Which means that your relayhost would have to support STARTTLS.
> 
> It does not, I just double checked with the owner.

In that case, you'd need to configure stunnel or similar to listen
on a local loopback port and proxy it to port 465 on the remote
host, via an authenticated upstream TLS connection (avoid the legacy
"verify = 2", it is not secure).

With that, your fallback relay can be just cleartext SMTP to a local
port which stunnel will encrypt in transit.  You'd need to enable
plaintext auth without TLS, since Postfix won't know about stunnel
doing TLS on the wire.

Another alternative, avoiding stunnel, is to forward the mail to
a fallback Postfix instance that then sends everything via the
relay (using wrapper_mode).

-- 
Viktor.
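
The stunnel arrangement described above, written out as an added example (constructed here, not from the thread or the stunnel project): stunnel terminates the authenticated TLS session to port 465, and Postfix treats the loopback listener as a cleartext fallback relay. The stunnel 5.x option names, the loopback port 10465, the CA bundle path and the credentials are assumptions.

```ini
# /etc/stunnel/postfix-fallback.conf (constructed example)
foreground = no
pid = /var/run/stunnel-postfix-fallback.pid

[fallback-relay]
client = yes
accept = 127.0.0.1:10465
connect = relayhost.example:465
# Authenticate the upstream: verify the chain against a CA bundle AND check
# the server name. The legacy "verify = 2" verifies the chain only and
# accepts any host that the bundle trusts, which is why it is not secure.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = relayhost.example
sni = relayhost.example

# main.cf additions on the Postfix side (also constructed)
smtp_fallback_relay = [127.0.0.1]:10465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwd
# Postfix sees a cleartext loopback hop, so "noplaintext" would block the
# PLAIN/LOGIN login. Credentials are only ever sent to nexthops listed in
# sasl-passwd, so direct deliveries are unaffected by this relaxation.
smtp_sasl_security_options = noanonymous
smtp_tls_policy_maps = hash:/etc/postfix/tls-policy

# /etc/postfix/sasl-passwd: the key must match the fallback nexthop exactly
[127.0.0.1]:10465 aladdin:open sesame

# /etc/postfix/tls-policy: no STARTTLS attempt on the loopback hop;
# the encryption happens between stunnel and relayhost.example:465
[127.0.0.1]:10465 none
```

The loopback listener should be bound to 127.0.0.1 only, since anything that can reach it can relay with the stored credentials.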



Re: smtp_fallback_relay TLS with authentication - possible?

2018-11-28 Thread Andrey Repin
Greetings, Viktor Dukhovni!

>> On Nov 28, 2018, at 9:25 PM, Andrey Repin  wrote:
>> 
>>> The "smtp_tls_wrapper_mode" setting in Postfix is per-transport
>>> (via master.cf overrides), and has no per-destination analogue in
>>> the TLS policy table.  Nor is this inferred from the port number.
>> 
>>> So yes, you can't have wrapper mode for just the fallback relay.
>>> Which means that your relayhost would have to support STARTTLS.
>> 
>> It does not, I just double checked with the owner.

> In that case, you'd need to configure stunnel or similar to listen
> on a local loopback port and proxy it to port 465 on the remote
> host, via an authenticated upstream TLS connection (avoid the legacy
> "verify = 2", it is not secure).

> With that, your fallback relay can be just cleartext SMTP to a local
> port which stunnel will encrypt in transit.  You'd need to enable
> plaintext auth without TLS, since Postfix won't know about stunnel
> doing TLS on the wire.

> Another alternative, avoiding stunnel is to forward the mail to
> a fallback Postfix instance that then sends everything via the
> relay (using wrapper_mode).

Yes, I came to the same conclusion. Not the most secure, but probably the only
working solution without too much overhead.
Thanks for your help.


-- 
With best regards,
Andrey Repin
Thursday, November 29, 2018 5:57:10

Sorry for my terrible english...



Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread James Brown



> On 28 Nov 2018, at 11:20 pm, Herbert J. Skuhra  wrote:
> 
> On Wed, Nov 28, 2018 at 11:00:33PM +1100, James Brown wrote:
>> 
>> On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
>>> ...
>>> My Make script is:
>>> 
>>> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
>>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
>>> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
>>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
>>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
>>> -DHAS_PCRE -I/usr/local/opt//include \
>>> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
>>> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
>>> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
>>> -L/usr/local/opt/mysql@5.7/lib \
>>> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
>>> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail
>>> 
>>> I’ve change the DHAS_SSL a few times but keep getting the exact same error. 
>>> I’m sure it’s a simple thing to fix, but can’t get it to work.
>>> 
>>> Any ideas?
>> 
>> ...
> 
>> Thanks Herbert.
>> 
>> Well, I thought that’s what I was using, but I’ve tried so many variations. 
>> Removed the ‘/openssl’ and now I get:
>> 
>> c/postfix\" -DHAS_PCRE -I/usr/local/opt//include -DHAS_SSL 
>> -I/usr/local/Cellar/openssl@1.1/1.1.1/include -DHAS_MYSQL 
>> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
>> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
>> -DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM 
>> -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
>> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
>> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
>> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
>> -Wno-comment -g -O -I. -I../../include -DMACOSX  -o master master.o 
>> master_conf.o master_ent.o master_sig.o master_avail.o master_spawn.o 
>> master_service.o master_status.o master_listen.o master_vars.o 
>> master_wakeup.o master_watch.o master_flow.o master_monitor.o 
>> ../../lib/libglobal.a ../../lib/libutil.a -L/usr/local/lib -lpcre -lssl 
>> -lcrypto -L/usr/local/opt/mysql@5.7/lib -lmysqlclient -lz -lm 
>> -flat_namespace -lresolv 
>> ld: library not found for -lssl
>> clang: error: linker command failed with exit code 1 (use -v to see 
>> invocation)
>> make: *** [master] Error 1
>> 
>> Homebrew installed openssl 1.0.2 when I installed either stunnel or 
>> MySQL@5.7 as Homebrew won’t let me uninstall that version as they are using 
>> it. Suppose I’ll have to work out how to have Homebrew install them with 
>> OpenSSL@1.1.1 somehow.
> 
> You also have to add -L/usr/local/Cellar/openssl@1.1/1.1.1/lib
> (in front of -lssl -lcrypto).
> 
> You probably should use Openssl 1.1.1a (instead of 1.1.1) because it includes
> fixes for known vulnerabilities.
> 
> -- 
> Herbert
> 

Thanks Herbert, adding -L/usr/local/Cellar/openssl@1.1/1.1.1a/lib in front of 
-lssl worked! 

Changed 1.1.1 to 1.1.1a as well.  Pity it can’t just use the most recent one. 
Oh well, it works.

Huge relief to have this working - thanks Herbert.

James.


Re: forwarding mail like before queue filtering to remote mta

2018-11-28 Thread Stefan Bauer
The use case is only for mx service so there will be only incoming mail for
same domain in same smtp session.

I assume that remote mail servers will not combine mail delivery in same
smtp session when destination domains differ (even though they have same mx)

Stefan

On Wednesday, 28 November 2018, Wietse Venema wrote:
> Stefan Bauer:
>> Hi,
>>
>> is there a way to keep an smtp session open and do before queue filtering
>> AND final delivery to remote mta? do only sent 250 if we have already
>> received 250. if not send temp error.
>
> How would that work when one message has more than one recipient?
> In different domains? When one domain accepts the message, and the
> other tempfails? What status would Postfix return to the SMTP client?
>
>> we would like to only accept mails if we can deliver them at the same
>> time.
>> a local queue is not wanted due to privacy reasons.
>
> Use a proxy that accepts one recipient at a time.
>
> Wietse
>


Re: forwarding mail like before queue filtering to remote mta

2018-11-28 Thread Viktor Dukhovni
> On Nov 28, 2018, at 11:43 PM, Stefan Bauer  wrote:
> 
> The use case is only for mx service so there will be only incoming mail for 
> same domain in same smtp session.
> 
> I assume that remote mail servers will not combine mail delivery in same smtp 
> session when destination domains differ (even though they have same mx)

The assumption is invalid.  Exim IIRC can deliver multiple recipients
in a single envelope, if there's a shared MX host.  So can Postfix,
if the destination MX is a statically configured nexthop.

You might also get more recipients in one envelope than will
be accepted downstream.

In any case, Postfix does not support routing without queueing.
If this is a hard requirement, you'll need a different MTA.

-- 
Viktor.