Re: check_recipient_mx_access issues. Don't know how to fix this
On 2021-06-10 20:57, Viktor Dukhovni wrote:

> On Thu, Jun 10, 2021 at 04:30:11PM +0200, Michael Storz wrote:
>
>> The next possibility would be to split the email into emails with
>> recipients from the same domain. Unfortunately, Postfix (currently) has
>> no way of configuring a relay host and specifying that the email should
>> be split according to the same recipient domain.
>
> A socketmap(5) or tcp_table(5) transport(5) table can map each recipient
> domain (e.g., some.domain.example) into a common parent with a wildcard A
> record:
>
>     # Domain part of key     # Returned result
>     some.domain.example      smtp:[some.domain.example.wild.local]:10025
>
> [ The code performing this mapping should validate the domain syntax,
> returning no result for unexpected input syntax. ]
>
> The local nameserver would be authoritative for the "wild.local" zone,
> which apart from any zone apex SOA and NS RRs would have:
>
>     *.wild.local. IN A 127.0.0.1
>
> In a multi-instance configuration, the input instance could use such a
> transport table to split the envelope of every message before handing it
> off to the output instance.

Ah, I see: the mapping triggers the normal domain-based splitting for emails routed via MX/A records, and the wildcard A record simulates the relay host. Great idea, a little bit tricky, but it should work. Thanks Viktor.

>> The last option is to split the email into single-recipient emails. Then
>> there is no need to differentiate.
>
> You can use either single-instance or multi-instance Postfix installations
> to do this.

We use a single instance. Postfix has the TRANSPORT_destination_recipient_limit option (replace TRANSPORT with the name of the transport you are using) to split an email according to the number of recipients. If set to 1, you will receive single-recipient emails.

Worth noting that concurrency limits are then applied per-recipient, not per-domain.
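The transport-table trick Viktor describes above, as an added example that is not code from the thread or from Postfix: a small tcp_table(5) lookup service answers every recipient-domain query with a next-hop under a wildcard zone, so the queue manager splits the envelope per destination while the wildcard A record delivers all of it to one host. It also does the syntax validation Viktor asks for, returning "no result" for anything that is not a plain domain. The zone name wild.local (with "*.wild.local. IN A 127.0.0.1"), the output-instance port 10025 and the listener address 127.0.0.1:10027 are assumptions chosen for the example.

```python
"""Per-domain transport split via a tcp_table(5) service (added example)."""
import re
import socketserver

WILDCARD_PARENT = "wild.local"   # assumption: locally authoritative wildcard zone
NEXT_HOP_PORT = 10025            # assumption: where the output instance listens

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1..63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """Strict syntax check so the map never echoes arbitrary input into a
    next-hop; malformed keys fall through to "not found"."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:          # policy choice: leave single-label names alone
        return False
    return all(_LABEL.match(label) for label in labels)


def transport_for(key: str):
    """Transport for a transport_maps lookup key, or None for "no result".

    Postfix queries the table for the full address first ("user@domain"),
    then the domain and its parents (".parent"); only the bare domain form
    passes the syntax check, which is what we want here."""
    domain = key.lower().rstrip(".")
    if not valid_domain(domain):
        return None
    if domain == WILDCARD_PARENT or domain.endswith("." + WILDCARD_PARENT):
        return None              # never map the synthetic zone onto itself
    return "smtp:[%s.%s]:%d" % (domain, WILDCARD_PARENT, NEXT_HOP_PORT)


def _decode(text: str) -> str:
    """tcp_table(5) wire format: '%' and non-printable bytes arrive as %XX."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _encode(text: str) -> str:
    return "".join("%%%02X" % ord(c) if c == "%" or not (0x21 <= ord(c) <= 0x7E) else c
                   for c in text)


def handle_request(line: str) -> str:
    """One tcp_table(5) request: 'get <key>' -> '200 <value>' / '500 <text>' / '400 <text>'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or parts[0] != "get":
        return "400 unsupported request"
    result = transport_for(_decode(parts[1]))
    if result is None:
        return "500 no result"
    return "200 " + _encode(result)


class TcpTableHandler(socketserver.StreamRequestHandler):
    """Postfix keeps the connection open and sends one request per line."""

    def handle(self):
        for raw in self.rfile:
            reply = handle_request(raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\n").encode("ascii"))
            self.wfile.flush()


if __name__ == "__main__":
    # main.cf (assumed):  transport_maps = tcp:127.0.0.1:10027
    # Bind to loopback only: whoever can answer this socket controls routing.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10027), TcpTableHandler) as server:
        server.serve_forever()
```

Point main.cf at it with transport_maps = tcp:127.0.0.1:10027 on the input instance, and verify a single lookup with "postmap -q some.domain.example tcp:127.0.0.1:10027" before routing live mail through it.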
Clarification request for mua_*_restrictions
Hi,

What are the $mua_helo_restrictions and $mua_sender_restrictions in the master.cf and how are they supposed to be used? How do they affect the restrictions for submission if left commented?

Thanks
Re: Clarification request for mua_*_restrictions
> What are the $mua_helo_restrictions and $mua_sender_restrictions in the
> master.cf

http://www.postfix.org/master.5.html

    -o name=value (short form)
        Override the named main.cf configuration parameter. The parameter
        value can refer to other parameters as $name etc., just like in
        main.cf. See postconf(5) for syntax.

``smtpd_sender_restrictions`` and other options may be different for the public smtpd and the smtpd used by clients (MUAs). So you specify the variable "mua_helo_restrictions" in your ``main.cf`` and provide it as an option to the smtps service.

> How do they affect the restrictions for the submission if left commented ?

The smtpd server uses ``smtpd_sender_restrictions`` and other options. See: http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

But if you add ``-o smtpd_sender_restrictions=$my_fancy_new_restrictions`` it will use the value of this variable instead of ``smtpd_sender_restrictions``. If you have several smtpd servers (the public one and the one used for submission) you may want them to have different settings.
Re: Clarification request for mua_*_restrictions
On 11.06.21 13:46, Togan Muftuoglu wrote:
> What are the $mua_helo_restrictions and $mua_sender_restrictions in the
> master.cf and how are they supposed to be used ?

No default values. You can set defaults if you need to set up the same restrictions on ports 465 and 587.

> How do they affect the restrictions for the submission if left commented ?

Not at all.

I have set up mua_client_restrictions according to https://marc.info/?l=postfix-users&m=162255499200716&w=2 - authentication is a must there.

mua_helo_restrictions set empty - HELO is irrelevant.

And I didn't set nor uncomment:

    # smtpd_sender_restrictions=$mua_sender_restrictions

- sender/recipient restrictions are the same for all clients.

All just to provide proper error messages to those clients, after I noticed that unauthenticated clients get a rejection message for an invalid EHLO/HELO.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
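A worked configuration for the pattern the two replies above describe, as an added example and not anyone's posted configuration: the restriction lists are defined once in main.cf under the mua_* names, and the two MUA listeners in master.cf only reference them. The sender_login map path and the reject_sender_login_mismatch entry are assumptions, included to show why a separate MUA policy is worth having (an authenticated user should not be able to put someone else's address in MAIL FROM).

```text
# main.cf (added example): MUA policy defined once
mua_client_restrictions    = permit_sasl_authenticated, reject
mua_helo_restrictions      =
mua_sender_restrictions    = reject_sender_login_mismatch, permit_sasl_authenticated, reject
mua_relay_restrictions     = permit_sasl_authenticated, reject
mua_recipient_restrictions = permit_sasl_authenticated, reject
# assumption: login -> allowed envelope senders, required by reject_sender_login_mismatch
smtpd_sender_login_maps    = hash:/etc/postfix/sender_login_maps

# master.cf: STARTTLS submission (587) and implicit-TLS submissions (465)
# differ only in TLS mode; both take their policy from the $mua_* parameters
submission  inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
submissions inet n - n - - smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
```

If /etc/services on the host does not define "submissions", use the numeric service name 465 instead (as the stock sample entry does). After "postfix reload", "postconf -Mf" shows the effective per-service overrides, which is the quickest way to confirm that the $mua_* references were expanded as intended.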
Unable to get Postfix to respond on port 465
Hi everyone. I hope all of you are well. I have a server running Ubuntu 20.04 and I'm working on setting up iRedMail on it. Everything is good so far, but I'm having an issue getting Postfix to respond on port 465. I know that by default, this is not enabled in the master.cf file. I did a lot of research and tried different configurations for 465 and nothing works. Here are the configs I tried...

This is the config suggested by iRedMail:

    465     inet  n       -       n       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o content_filter=smtp-amavis:[127.0.0.1]:10026

This is the config suggested by the LinuxBabe website:

    smtps   inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o content_filter=smtp-amavis:[127.0.0.1]:10026

I tried the above and different variations of those. I even tried removing all of the -o lines and just using the simple first line, but no good.

Additional info... I watched the firewall when I tried to telnet to it on port 465 and:

* telnet did not say that the packet was rejected
* the firewall showed packets being accepted by the rule to accept packets from my location

After making the changes to the master.cf I restarted Postfix 3 different ways because I heard that sometimes some of the commands don't reload the changes made to the master.cf. I reloaded using...

    postfix reload
    service postfix restart
    sudo /etc/init.d/postfix restart

It seems like something is going wrong in Postfix or the device itself; and it's not completing the TCP handshake. When I go to 465 the packet isn't rejected -- but the connection never goes through -- so something is interfering with the handshake on that port... I think?
Here is the log snip from a telnet I did from the machine itself (telnet 127.0.0.1 465):

    Jun 11 15:08:19 localhost postfix/smtps/smtpd[211305]: connect from localhost[127.0.0.1]
    Jun 11 15:08:26 localhost postfix/smtps/smtpd[211305]: SSL_accept error from localhost[127.0.0.1]: -1
    Jun 11 15:08:26 localhost postfix/smtps/smtpd[211305]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
    Jun 11 15:08:26 localhost postfix/smtps/smtpd[211305]: lost connection after CONNECT from localhost[127.0.0.1]
    Jun 11 15:08:26 localhost postfix/smtps/smtpd[211305]: disconnect from localhost[127.0.0.1] commands=0/0

Please pardon my ignorance, but is it the TLS library issue causing my problem? If yes, I will research how to resolve it. I just wanted to reach out here with hopes that one of you kind folks would point me in the right direction. Any help at all would be appreciated. Thank you in advance!
Re: Unable to get Postfix to respond on port 465
On Fri, Jun 11, 2021 at 10:15:58AM -0500, Linda Pagillo wrote:
> It seems like something is going wrong in Postfix or the device itself; and
> it's not completing the tcp handshake. When I go to 465 the packet isn't
> rejected-- but the connection never goes through -- so something is
> interfering with the handshake on that port... I think?
>
> Here is the log snip from a telnet I did from the machine itself (telnet
> 127.0.0.1 465)

Port 465 requires an encrypted connection. Try 'openssl s_client -connect 127.0.0.1:465' instead.

-- 
Herbert
Re: Unable to get Postfix to respond on port 465
Thank you Herbert! I will give that a try. However... I'm trying to test connecting to port 465 over SSL from my Outlook mail client and it will not connect. Any ideas why not? I can connect to 993 and 995 from Outlook.

On Fri, Jun 11, 2021 at 10:30 AM Herbert J. Skuhra wrote:
> On Fri, Jun 11, 2021 at 10:15:58AM -0500, Linda Pagillo wrote:
>> It seems like something is going wrong in Postfix or the device itself; and
>> it's not completing the tcp handshake. When I go to 465 the packet isn't
>> rejected-- but the connection never goes through -- so something is
>> interfering with the handshake on that port... I think?
>>
>> Here is the log snip from a telnet I did from the machine itself (telnet
>> 127.0.0.1 465)
>
> Port 465 requires an encrypted connection.
> Try 'openssl s_client -connect 127.0.0.1:465' instead.
>
> --
> Herbert
Re: Unable to get Postfix to respond on port 465
On Fri, Jun 11, 2021 at 10:32:38AM -0500, Linda Pagillo wrote:
> Thank you Herbert! I will give that a try. However... I'm trying to test
> connecting to port 465 over SSL from my Outlook mail client and it will not
> connect. Any ideas why not? I can connect to 993 and 995 from Outlook.

What error message do you get? What does postfix log?

-- 
Herbert
Re: Unable to get Postfix to respond on port 465
On Fri, Jun 11, 2021 at 10:32:38AM -0500, Linda Pagillo wrote:
> Thank you Herbert! I will give that a try. However... I'm trying to test
> connecting to port 465 over SSL from my Outlook mail client and it will not
> connect. Any ideas why not? I can connect to 993 and 995 from Outlook.

Test one thing at a time. First get it working for interactive connections via:

    $ (sleep 2; printf "QUIT\r\n") | openssl s_client -noservername -brief -connect 127.0.0.1:465

from which I see output of the form:

    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = amnesiac.local
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Server Temp Key: X25519, 253 bits
    220 amnesiac.local ESMTP Postfix
    DONE

showing a working TLS handshake. Once that works, proceed to testing Outlook, and looking at the Postfix logs for relevant diagnostic messages.

In some mail clients' SMTP configuration, IIRC "SSL" refers to port 465 implicit SSL, and "TLS" refers to port 587 "STARTTLS"; make sure you're configuring the client to use implicit TLS.

The Postfix source distribution includes a stock master.cf file, which has a commented-out sample "submissions" (port 465) entry:

    #submissions inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submissions
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  # Instead of specifying complex smtpd_<type>_restrictions here,
    #  # specify "smtpd_<type>_restrictions=$mua_<type>_restrictions"
    #  # here, and specify mua_<type>_restrictions in main.cf (where
    #  # "<type>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

You should start with:

    465 inet n       -       n       -       -       smtpd
      -o syslog_name=postfix/submissions
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_relay_restrictions=
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

and change as little as possible to meet your needs. If you end up needing more complex rules, heed the advice in:

    Instead of specifying complex smtpd_<type>_restrictions here,
    specify "smtpd_<type>_restrictions=$mua_<type>_restrictions"
    here, and specify mua_<type>_restrictions in main.cf (where
    "<type>" is "client", "helo", "sender", "relay", or "recipient").

-- 
Viktor.
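The exchange Viktor tests with openssl s_client above, and the "wrong version number" log line from the telnet attempt at the top of the thread, as one added example that is not part of the thread or of Postfix. probe_smtps() completes the TLS handshake before any SMTP byte is exchanged (implicit TLS, which is what a port 465 listener in wrappermode expects), reads the 220 greeting and sends QUIT. looks_like_tls_client_hello() shows why telnet fails: the first bytes of a plaintext command are parsed by the server as a TLS record header. 127.0.0.1:465 is the thread's own test target; the cafile argument for a private CA is an assumption.

```python
"""Implicit-TLS (port 465) probe and TLS record-layer check (added example)."""
import socket
import ssl

TLS_HANDSHAKE = 0x16


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes open a TLS handshake record with a 0x03xx legacy
    version field. A plaintext b"EHLO ..." yields 0x45 0x48 0x4C: OpenSSL's
    record parser sees major version 0x48 instead of 0x03 and reports
    'ssl3_get_record:wrong version number', exactly the warning Postfix logged."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04)


def parse_reply(line: str):
    """Split one SMTP reply line into (code, more_follows, text); None if malformed."""
    if len(line) < 3 or not line[:3].isdigit():
        return None
    sep = line[3:4]
    if sep not in ("", " ", "-"):
        return None
    return int(line[:3]), sep == "-", line[4:].rstrip("\r\n")


def probe_smtps(host="127.0.0.1", port=465, timeout=5.0, cafile=None, server_name=None):
    """Connect, handshake, read the greeting, QUIT; return what was learned.

    Chain verification stays on (system trust store, or the assumed cafile for
    a private CA). The certificate name is checked only when server_name is
    given, mirroring the -noservername run against a loopback address."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_name is None:
        ctx.check_hostname = False       # verify_mode remains CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            # No SMTP byte has been sent yet: the handshake came first.
            greeting = parse_reply(tls.recv(1024).decode("ascii", "replace"))
            tls.sendall(b"QUIT\r\n")
            farewell = parse_reply(tls.recv(512).decode("ascii", "replace"))
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_subject": tls.getpeercert().get("subject"),
                "greeting": greeting,
                "quit_reply": farewell,
            }


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(json.dumps(probe_smtps(target), indent=2, default=str))
```

A healthy server returns greeting (220, False, "... ESMTP Postfix") and quit_reply (221, ...). If the handshake itself fails, the exception names the reason (certificate verification, protocol version) instead of the opaque client-side error a mail client shows, and the corresponding SSL_accept line appears in the Postfix log at the same moment.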
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 17:15, Linda Pagillo wrote:
> Any help at all would be appreciated.

    postconf -nf
    openssl --version

is needed to help. Without this info I can only guess that your client only has ssl2/ssl3, tls1, tls1.1, but postfix only has tls1.2, tls1.3.

It could also be useful to know:

    postconf -Mf

No more info, no problem.
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 17:32, Linda Pagillo wrote: Thank you Herbert! I will give that a try. However... I'm trying to test connecting to port 465 over SSL from my Outlook mail client and it will not connect. Any ideas why not? I can connect to 993 and 995 from Outlook. windows 7 ?
Re: Unable to get Postfix to respond on port 465
Here is the Outlook error when testing using port 465 over SSL...

[image: image.png]

As for the Postfix log there is no entry for this test. It seems like the connection attempt is not even happening or something. However, the firewall does not seem to be the issue, I don't think.

On Fri, Jun 11, 2021 at 10:45 AM Herbert J. Skuhra wrote:
> On Fri, Jun 11, 2021 at 10:32:38AM -0500, Linda Pagillo wrote:
>> Thank you Herbert! I will give that a try. However... I'm trying to test
>> connecting to port 465 over SSL from my Outlook mail client and it will not
>> connect. Any ideas why not? I can connect to 993 and 995 from Outlook.
>
> What error message do you get? What does postfix log?
>
> --
> Herbert
Re: Unable to get Postfix to respond on port 465
Just to jump in quick, did you first confirm postfix fires up submission, is binding to the port and listening? netstat -nlp46 | grep master
Re: Unable to get Postfix to respond on port 465
> Just to jump in quick, did you first confirm postfix fires up
> submission, is binding to the port and listening?
>
> netstat -nlp46 | grep master

Sorry, I typed faster than my brain. I know it's not submission, but just confirm it's listening on 465 and on the public IP? Maybe it's only listening on local loopback, etc.
Re: Unable to get Postfix to respond on port 465
Hi Victor and Benny. To answer your questions...

Victor...

> Test one thing at a time. First get it working for interactive
> connections via
>
>     $ (sleep 2; printf "QUIT\r\n") | openssl s_client -noservername -brief -connect 127.0.0.1:465

I did this just now and all looks correct. I see the handshake. No errors.

> Once that works, proceed to testing Outlook, and looking at the Postfix
> logs for relevant diagnostic messages.

I tested Outlook and received an error in Outlook which I have already posted to this thread. As for Postfix, there is nothing at all showing in the log for my test.

> You should start with:
>
>     465 inet n       -       n       -       -       smtpd

I tried the configuration you gave me and same thing... Outlook error, nothing in the Postfix log.

Benny

> postconf -nf

See attached.

> openssl --version

OpenSSL 1.1.1f 31 Mar 2020

> postconf -Mf

See attached.

> Windows 7 ?

No, Windows 10 Pro

Thanks!

On Fri, Jun 11, 2021 at 11:13 AM Linda Pagillo wrote:
> Here is the Outlook error when testing using port 465 over SSL...
>
> [image: image.png]
> As for the Postfix log there is no entry for this test. It seems like the
> connection attempt is not even happening or something. However, the
> firewall does not seem to be the issue I don't think.
>
> On Fri, Jun 11, 2021 at 10:45 AM Herbert J. Skuhra wrote:
>> On Fri, Jun 11, 2021 at 10:32:38AM -0500, Linda Pagillo wrote:
>>> Thank you Herbert! I will give that a try. However... I'm trying to test
>>> connecting to port 465 over SSL from my Outlook mail client and it will
>>> not connect. Any ideas why not? I can connect to 993 and 995 from Outlook.
>>
>> What error message do you get? What does postfix log?
>>
>> --
>> Herbert

Attachment (postconf -nf output):

    alias_database = hash:/etc/postfix/aliases
    alias_maps = hash:/etc/postfix/aliases
    allow_min_user = no
    allow_percent_hack = no
    biff = no
    body_checks = pcre:/etc/postfix/body_checks.pcre
    command_directory = /usr/sbin
    compatibility_level = 2
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/lib/postfix/sbin
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    disable_vrfy_command = yes
    dovecot_destination_recipient_limit = 1
    enable_long_queue_ids = yes
    enable_original_recipient = no
    header_checks = pcre:/etc/postfix/header_checks
    inet_interfaces = all
    inet_protocols = all
    lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
    lmtp_tls_protocols = !SSLv2 !SSLv3
    mail_owner = postfix
    mailq_path = /usr/bin/mailq
    message_size_limit = 15728640
    mlmmj_destination_recipient_limit = 1
    mydestination = $myhostname, localhost, localhost.localdomain
    mydomain = 0.transportania.net
    myhostname = 0.transportania.net
    mynetworks = 127.0.0.1 [::1]
    myorigin = 0.transportania.net
    newaliases_path = /usr/bin/newaliases
    postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
    postscreen_blacklist_action = drop
    postscreen_dnsbl_action = drop
    postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
    postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_whitelist_threshold = -2
    postscreen_greet_action = drop
    proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
    queue_directory = /var/spool/postfix
    recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
    recipient_delimiter = +
    relay_domains = $mydestination proxy:ldap:/etc/postfix/ldap/relay_domains.cf
    sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
    sender_dependent_relayhost_maps = proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_user.cf proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_domain.cf
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    show_user_unknown_table_name = no
    smtp-amavis_destination_recipient_limit = 1
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtp_tls_CApath = /etc/ssl/certs
    smtp_tls_loglevel = 1
    smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
    smtp_tls_note_starttls_offer = yes
    smtp_tls_protocols = !SSLv2 !SSLv3
    smtp_tls_security_level = may
    smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:
    smtpd_helo_requi
Re: Unable to get Postfix to respond on port 465
Hi! Here is the output..

    tcp   0  0 127.0.0.1:10025  0.0.0.0:*  LISTEN  216600/master
    tcp   0  0 0.0.0.0:587      0.0.0.0:*  LISTEN  216600/master
    tcp   0  0 127.0.0.1:10028  0.0.0.0:*  LISTEN  216600/master
    tcp   0  0 127.0.0.1:       0.0.0.0:*  LISTEN  706/php-fpm: master
    tcp   0  0 0.0.0.0:80       0.0.0.0:*  LISTEN  839/nginx: master p
    tcp   0  0 0.0.0.0:465      0.0.0.0:*  LISTEN  216600/master
    tcp   0  0 0.0.0.0:25       0.0.0.0:*  LISTEN  216600/master
    tcp   0  0 0.0.0.0:443      0.0.0.0:*  LISTEN  839/nginx: master p
    tcp6  0  0 :::587           :::*       LISTEN  216600/master
    tcp6  0  0 :::80            :::*       LISTEN  839/nginx: master p
    tcp6  0  0 :::465           :::*       LISTEN  216600/master
    tcp6  0  0 :::25            :::*       LISTEN  216600/master
    tcp6  0  0 :::443           :::*       LISTEN  839/nginx: master p

On Fri, Jun 11, 2021 at 11:33 AM wrote:
> Just to jump in quick, did you first confirm postfix fires up
> submission, is binding to the port and listening?
>
> netstat -nlp46 | grep master
Re: Unable to get Postfix to respond on port 465
Right now we have the firewall set to block everything except our internal IP range while I'm testing. I'm connected to our VPN so I'm within the range. However, when I test from Outlook, I get the error I posted and nothing in the Postfix log.

On Fri, Jun 11, 2021 at 11:37 AM Linda Pagillo wrote:
> Hi! Here is the output..
>
>     tcp   0  0 127.0.0.1:10025  0.0.0.0:*  LISTEN  216600/master
>     tcp   0  0 0.0.0.0:587      0.0.0.0:*  LISTEN  216600/master
>     tcp   0  0 127.0.0.1:10028  0.0.0.0:*  LISTEN  216600/master
>     tcp   0  0 127.0.0.1:       0.0.0.0:*  LISTEN  706/php-fpm: master
>     tcp   0  0 0.0.0.0:80       0.0.0.0:*  LISTEN  839/nginx: master p
>     tcp   0  0 0.0.0.0:465      0.0.0.0:*  LISTEN  216600/master
>     tcp   0  0 0.0.0.0:25       0.0.0.0:*  LISTEN  216600/master
>     tcp   0  0 0.0.0.0:443      0.0.0.0:*  LISTEN  839/nginx: master p
>     tcp6  0  0 :::587           :::*       LISTEN  216600/master
>     tcp6  0  0 :::80            :::*       LISTEN  839/nginx: master p
>     tcp6  0  0 :::465           :::*       LISTEN  216600/master
>     tcp6  0  0 :::25            :::*       LISTEN  216600/master
>     tcp6  0  0 :::443           :::*       LISTEN  839/nginx: master p
>
> On Fri, Jun 11, 2021 at 11:33 AM wrote:
>> Just to jump in quick, did you first confirm postfix fires up
>> submission, is binding to the port and listening?
>>
>> netstat -nlp46 | grep master
Re: Unable to get Postfix to respond on port 465
On Fri, Jun 11, 2021 at 11:35:50AM -0500, Linda Pagillo wrote:
>> Test one thing at a time. First get it working for interactive connections
>> via:
>>
>>     $ (sleep 2; printf "QUIT\r\n") | openssl s_client -noservername -brief -connect 127.0.0.1:465
>
> I did this just now and all looks correct. I see the handshake. No errors.

So the Postfix end is up and running.

>> Once that works, proceed to testing Outlook, and looking at the
>> Postfix logs for relevant diagnostic messages.
>
> I tested Outlook and received an error in Outlook which I have already
> posted to this thread.

That picture contains no useful information.

> As for Postfix, there is nothing at all showing in the log for my
> test.

In that case, the problem is on the client end, and it is either misconfigured or blocked by the firewall. Neither is a Postfix issue.

Now you have to configure the client and firewall to actually complete a connection to the Postfix server on port 465 and perform an implicit TLS handshake prior to starting the SMTP protocol. Good luck.

-- 
Viktor.
Re: Unable to get Postfix to respond on port 465
Thank you guys for your help. I appreciate it very much!

On Fri, Jun 11, 2021 at 11:43 AM Viktor Dukhovni wrote:
> On Fri, Jun 11, 2021 at 11:35:50AM -0500, Linda Pagillo wrote:
>
>>> Test one thing at a time. First get it working for interactive
>>> connections via:
>>>
>>>     $ (sleep 2; printf "QUIT\r\n") | openssl s_client -noservername -brief -connect 127.0.0.1:465
>>
>> I did this just now and all looks correct. I see the handshake. No errors.
>
> So the Postfix end is up and running.
>
>>> Once that works, proceed to testing Outlook, and looking at the
>>> Postfix logs for relevant diagnostic messages.
>>
>> I tested Outlook and received an error in Outlook which I have already
>> posted to this thread.
>
> That picture contains no useful information.
>
>> As for Postfix, there is nothing at all showing in the log for my
>> test.
>
> In that case, the problem is on the client end, and it is either
> misconfigured or blocked by the firewall. Neither is a Postfix issue.
>
> Now you have to configure the client and firewall to actually complete a
> connection to the Postfix server on port 465 and perform an implicit TLS
> handshake prior to starting the SMTP protocol. Good luck.
>
> --
> Viktor.
Re: Unable to get Postfix to respond on port 465
On 06-11-2021 12:37 pm, Linda Pagillo wrote:
> tcp   0  0 0.0.0.0:465  0.0.0.0:*  LISTEN  216600/master
> tcp6  0  0 :::465       :::*       LISTEN  216600/master

That's good, it's listening to all, local/public. I would test the firewall next to remove that from the troubleshooting checklist. I have no idea what 2 cents to offer having no idea about your firewall setup or rules.

And I don't know if this is an option for you, but for me when in doubt I turn off the entire firewall just for 30 seconds to test a connection to see if anything happens. Then you know for sure if your issue is with the firewall or not.
Re: Unable to get Postfix to respond on port 465
Thanks! I'm going to check out the firewall again to see if I missed something. I'm guessing that is probably the issue since Postfix is now ruled out as the cause.

On Fri, Jun 11, 2021 at 11:47 AM wrote:
> On 06-11-2021 12:37 pm, Linda Pagillo wrote:
>> tcp   0  0 0.0.0.0:465  0.0.0.0:*  LISTEN  216600/master
>> tcp6  0  0 :::465       :::*       LISTEN  216600/master
>
> That's good, it's listening to all, local/public.
> I would test the firewall next to remove that from the troubleshooting
> checklist.
> I have no idea what 2 cents to offer having no idea about your firewall
> setup or rules.
>
> And I don't know if this is an option for you, but for me when in doubt
> I turn off the entire firewall just for 30 seconds to test a connection
> to see if anything happens. Then you know for sure if your issue is with
> the firewall or not.
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 at 12:42:31 UTC-0400 (Fri, 11 Jun 2021 12:42:31 -0400) Viktor Dukhovni is rumored to have said:

> On Fri, Jun 11, 2021 at 11:35:50AM -0500, Linda Pagillo wrote:
> [...]
>> As for Postfix, there is nothing at all showing in the log for my test.
>
> In that case, the problem is on the client end, and it is either
> misconfigured or blocked by the firewall. Neither is a Postfix issue.
>
> Now you have to configure the client and firewall to actually complete a
> connection to the Postfix server on port 465 and perform an implicit TLS
> handshake prior to starting the SMTP protocol. Good luck.

One other possibility is that the on-host firewall is not configured to allow inbound connections on port 465.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Setting text for concurrency limit exceeded
Hi all, is there any Postfix configuration parameter to set the text Postfix shows to the sender when Connection concurrency limit is exceeded ??? Currently the sender (192.168.3.7) receives this: "421 4.7.0 labpot.local Error: too many connections from 192.168.3.7" any way to change the text "too many connections from 192.168.3.7" ??? Thanks for your help! PetePot
Trying to understand the postfix server process flow
This page: http://www.postfix.org/OVERVIEW.html provides an excellent “picture” of how a message is passed between server processes. What I cannot yet get my brain wrapped around is how the server process sequences are expressed and/or configured in the master.cf file. A clue or three for this clueless one, please ?
Re: Trying to understand the postfix server process flow
> On 11 Jun 2021, at 1:36 pm, Dan White wrote:
>
> This page: http://www.postfix.org/OVERVIEW.html
> provides an excellent "picture" of how a message is passed between server
> processes.
>
> What I cannot yet get my brain wrapped around is how the server process
> sequences are expressed and/or configured in the master.cf file.

The master.cf file neither defines nor expresses the processing sequence. It only defines the *set* of supported service endpoints.

Communication between the services is driven by their own internal logic, which master(8) does not concern itself with.

-- 
Viktor.
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 18:35, Linda Pagillo wrote:
> No, Windows 10 Pro

In main.cf:

    smtpd_tls_exclude_ciphers
    smtpd_tls_mandatory_protocols
    smtpd_tls_protocols

Try making them default with # in front of each line; if it is still not working then post logs, not graphics :=)

If all this does not help, install SeaMonkey, which has Thunderbird that works on Windows 10, I know that cat :) My own W10 is Home 21H1.
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 18:51, Linda Pagillo wrote:
> Thanks! I'm going to check out the firewall again to see if I missed
> something. I'm guessing that is probably the issue since Postfix is now
> ruled out as the cause.

Postfix only needs to listen on the VPN interface IPs; no need to use :: or 0.0.0.0 if clients are only on the VPN. Hope that rings a bell as well.
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 19:04, Bill Cole wrote:
> One other possibility is that the on-host firewall is not configured to
> allow inbound connections on port 465.

VPN client IP to postfix 0.0.0.0 or :: not needed.
Re: [NON-HA] Re: Need help with response to HELO, 502 5.5.2 Error
> postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1

You're looking at logging from the SMTP SERVER to diagnose OUTBOUND email deliveries by the SMTP CLIENT?? Read my email again.

    Wietse

After the Postfix SMTP client sees the "220 ***..." greeting it logs a warning (you DID look in the logs?) and will by default disable ESMTP and send HELO instead of EHLO. This default setting is:

    smtp_pix_workarounds = disable_esmtp,delay_dotcrlf

You can configure that to not disable ESMTP, so that Postfix will send EHLO instead:

    smtp_pix_workarounds = delay_dotcrlf

That might get you past the HELO problem.

    Wietse
Re: Trying to understand the postfix server process flow
Viktor Dukhovni:
>> On 11 Jun 2021, at 1:36 pm, Dan White wrote:
>>
>> This page: http://www.postfix.org/OVERVIEW.html
>> provides an excellent "picture" of how a message is passed between server
>> processes.
>>
>> What I cannot yet get my brain wrapped around is how the server process
>> sequences are expressed and/or configured in the master.cf file.
>
> The master.cf file neither defines nor expresses the processing
> sequence. It only defines the *set* of supported service endpoints.
>
> Communication between the services is driven by their own internal
> logic, which master(8) does not concern itself with.

The flow is shown in http://www.postfix.org/OVERVIEW.html

The output from the command "postconf -d | grep _service" shows the expected names of (UNIX-domain) services in master.cf. For example, the smtpd(8) process uses the rewrite_service_name value to connect to the "rewrite" service, and ditto for the cleanup_service_name and other dependencies.

    Wietse
Re: Unable to get Postfix to respond on port 465
On 2021-06-11 at 15:21:46 UTC-0400 (Fri, 11 Jun 2021 21:21:46 +0200) Benny Pedersen is rumored to have said:

> On 2021-06-11 19:04, Bill Cole wrote:
>> One other possibility is that the on-host firewall is not configured to
>> allow inbound connections on port 465.
>
> vpn client ip to postfix 0.0.0.0 or :: not needed

My understanding is that the OP is connected to a VPN that puts her onto a privileged network and that she could see the SYN headed for port 465 on the Postfix server on "the firewall", which I understand to be a machine distinct from the Win10 client or the (Linux, most likely) Postfix server.

However, most modern widely-used Linux distributions come with some on-host firewall, usually visible via iptables and maybe using some grander framework like firewalld. The common (and wise) defaults for such things do not usually allow connections from the outside (i.e. anything other than the loopback) by default for anything other than essential services (i.e. ssh.)

Even when packaging systems try to be smart about enabling listening ports when installing servers that require them, that is likely to not be done for an MTA like Postfix, which in many cases is only used as an MSA to get mail from local accounts to other places. If one installs a Postfix package which does not have a port 465 service enabled by default, it almost certainly will also not include an iptables or firewall-cmd line in its install scripts to open up port 465.
Re: Setting text for concurrency limit exceeded
pete...@yahoo.com:
> Hi all,
>
> is there any Postfix configuration parameter to set the text Postfix shows to
> the sender when Connection concurrency limit is exceeded ???
> Currently the sender (192.168.3.7) receives this:
> "421 4.7.0 labpot.local Error: too many connections from 192.168.3.7"
> any way to change the text "too many connections from 192.168.3.7" ???

You mean DELETE the "421 4.7.0 labpot.local Error:" portion and only send "too many connections from 192.168.3.7"? That would not be a valid response.

    Wietse
RE: [NON-HA] Re: Need help with response to HELO, 502 5.5.2 Error
Yes, Application/Management Server -> ASA -> router -> PTP VPN to AWS -> AWS LB -> EC2 RHEL8 (postfix) Postfix is configured as a relay server. The security team informed me that our ASA does have SMTP inspection turned on globally. My testing jibes with what's been said about this ASA inspection thing. So I'm waiting on network team to remove the global SMTP inspection rule. What is strange, a server behind the ASA, the application is configured to send mail to the relay port 25. Emails will never get sent. Doing the manual on same server, telnet test will get me a 200 ** BUT Somehow, this same server, a PowerShell command to send mail will get sent/DELIVERED. "Send-MailMessage -From -To -Subject "" -Body "" -SmtpServer -Port 25" I'm hoping the ASA rule is disabled and all relaying works. -Original Message- From: Wietse Venema Sent: Friday, June 11, 2021 9:53 AM To: Apelin, Eulogio Cc: postfix-users@postfix.org Subject: Re: [NON-HA] Re: Need help with response to HELO, 502 5.5.2 Error > postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1 You're looking at logging from SMTP SERVER to diagnose OUTBOUND email deliveries by the SMTP CLIENT?? Read my email again. Wietse After the Postfix SMTP client sees the "220 ***..." greeting it logs a warning (you DID look in the logs?) and will by default disable ESMTP and send HELO instead of EHLO. This default setting is: smtp_pix_workarounds = disable_esmtp,delay_dotcrlf You can configure that to not disable ESMTP, so that Postfix will send EHLO instead: smtp_pix_workarounds = delay_dotcrlf That might get you past the HELO problem. Wietse
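The thread above turns on one observable fact: the greeting a client sees through ASA/PIX SMTP inspection is a 220 line whose text has been replaced with asterisks, and on seeing it the Postfix SMTP client with the default smtp_pix_workarounds falls back from EHLO to HELO. The following diagnostic is an added example (not code from the thread or from Postfix): it fetches the greeting as seen from the sending host, flags a masked banner, and reports which greeting command a client configured with a given smtp_pix_workarounds value would send. The asterisk test is an approximation chosen for diagnostics, not Postfix's exact internal check; the sample greetings in the demo are constructed.

```python
import sys
import smtplib

# Postfix's default value, as quoted in the thread.
DEFAULT_PIX_WORKAROUNDS = "disable_esmtp,delay_dotcrlf"


def parse_workarounds(value):
    """Split a main.cf smtp_pix_workarounds value into a set of option names."""
    return {w.strip().lower() for w in value.replace(",", " ").split()}


def banner_is_masked(greeting):
    """True when a 220 greeting's text is nothing but asterisks, the shape the
    thread shows ("220 ***...") for a banner rewritten by ASA/PIX SMTP
    inspection. Approximation for diagnostics, not Postfix's exact test."""
    code, _sep, text = greeting.strip().partition(" ")
    text = text.strip()
    return code == "220" and len(text) >= 3 and set(text) == {"*"}


def hello_command(greeting, workarounds=DEFAULT_PIX_WORKAROUNDS):
    """Greeting command a Postfix SMTP client would send, following the rule
    stated in the thread: masked banner plus disable_esmtp means HELO,
    otherwise EHLO. With HELO there is no capability list, so STARTTLS,
    AUTH and SIZE are never negotiated on that connection."""
    if banner_is_masked(greeting) and "disable_esmtp" in parse_workarounds(workarounds):
        return "HELO"
    return "EHLO"


def fetch_greeting(host, port=25, timeout=10):
    """Return the raw 220 line seen from here: what an inspecting firewall in
    the path lets through, not necessarily what the server actually sent."""
    with smtplib.SMTP(timeout=timeout) as conn:
        code, msg = conn.connect(host, port)
        return f"{code} {msg.decode('ascii', errors='replace')}"


def report(greeting, workarounds=DEFAULT_PIX_WORKAROUNDS):
    return (f"greeting: {greeting!r}\n"
            f"masked by firewall inspection: {banner_is_masked(greeting)}\n"
            f"client would send: {hello_command(greeting, workarounds)} "
            f"(smtp_pix_workarounds = {workarounds})")


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Usage: python3 pix_banner_check.py relay-host [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(report(fetch_greeting(host, port)))
    else:
        # Constructed sample greetings, not captured from any real server.
        for sample in ("220 relay.example ESMTP Postfix", "220 ********************"):
            print(report(sample))
            print(report(sample, "delay_dotcrlf"))
            print()
```

Run it from the host that cannot relay, pointing at the relay's port 25; a masked banner confirms that inspection sits in the path, and the HELO/EHLO line shows what the client configuration will do about it until the inspection rule is removed.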
Sender Address Rewrite (dynamic mapping with variables)
Can I use a smtp_generic_map rewrite to do something like this?? @local.domain $user-$hostname@some.domain Where user (actual user who is sending mail) and hostname (short hostname of server) are substituted in the map? Most of the examples I looked at were doing static re-writing, and I would like to have a dynamic map. Thank You.
Re: Sender Address Rewrite (dynamic mapping with variables)
On Fri, Jun 11, 2021 at 02:47:40PM -0700, sru...@gemneye.org wrote: > Can I use a smtp_generic_map rewrite to do something like this?? > > @local.domain $user-$hostname@some.domain I will make a bold guess that the real problem you're trying to solve is dealing with mail from "root" and similar system users, where in a network of null-client hosts delivering all mail to a central mail hub, you want the sender address to clearly reflect where the mail came from. See: http://www.postfix.org/MULTI_INSTANCE_README.html#split for a walk-through of how to configure such null-client instances. If you really want to do this for arbitrary sender local parts, you'll need a regexp or pcre table, and for bonus points some care to get it right for quoted local-part addresses. /^"(.*)"@local\.domain$/${1}-hostname@some.domain /^(.*)@local\.domain$/${1}-hostname@some.domain But, unless you have "-" as your recipient delimiter on the central mailhub, the resulting sender address is invalid, which is best avoided. -- Viktor.
Re: Sender Address Rewrite (dynamic mapping with variables)
On 2021-06-11 15:12, Viktor Dukhovni wrote: I will make a bold guess that the real problem you're trying to solve is dealing with mail from "root" and similar system users, where in a network of null-client hosts delivering all mail to a central mail hub, you want the sender address to clearly reflect where the mail came from. See: http://www.postfix.org/MULTI_INSTANCE_README.html#split for a walk-through of how to configure such null-client instances. Yes, I want null client per se, but not sure I need a multi-instance setup. It looks overly complicated for what I am trying to accomplish. Plus, in the example Makefile it still looked like a static map was being set per user. I need users who login with AD credentials (who do not have accounts in a passwd file), to be able to send mails, but as you have guessed, I want to include the server name in the user section of the FROM address instead of including the hostname in the @domain section (project's requirement). If you really want to do this for arbitrary sender local parts, you'll need a regexp or pcre table, and for bonus points some care to get it right for quoted local-part addresses. /^"(.*)"@local\.domain$/${1}-hostname@some.domain /^(.*)@local\.domain$/${1}-hostname@some.domain But, unless you have "-" as your recipient delimiter on the central mailhub, the resulting sender address is invalid, which is best avoided. I will use a different delimiter ("+"). Thank you for the tip. If I am going to do PCRE table can I still use generic map, or do I need to use something like smtp_header_checks? Thank You.
Re: Sender Address Rewrite (dynamic mapping with variables)
On Fri, Jun 11, 2021 at 04:11:14PM -0700, sru...@gemneye.org wrote: > On 2021-06-11 15:12, Viktor Dukhovni wrote: > > > > I will make a bold guess that the real problem you're trying to solve is > > dealing with mail from "root" and similar system users, where in a > > network of null-client hosts delivering all mail to a central mail hub, > > you want the sender address to clearly reflect where the mail came > > from. > > > > See: http://www.postfix.org/MULTI_INSTANCE_README.html#split for a > > walk-through of how to configure such null-client instances. > > > > Yes, I want null client per se, but not sure I need a multi-instance > setup. It looks overly complicated for what I am trying to accomplish. The null-client portion of the multi-instance tutorial is self-contained and independent of the rest. You can configure just the null-client "instance" on end-systems and run the "mta instance" on the shared mail hub. > Plus, in the example Makefile it still looked like a static map was > being set per user. The null client example shows how to deal with a few system accounts, and assumes that for interactive user accounts the specific host should not be used to decorate the sender address. You can adjust the recipe to your needs. > I need users who login with AD credentials (who do not have accounts > in a passwd file), to be able to send mails, but as you have guessed, > I want to include the server name in the user section of the FROM > address instead of include hostname the @domain section (project's > requirement). I've never seen a situation where I'd want such suffixes for mail from interactive human users, but if that's what you need, go for it. > > If you really want to do this for arbitrary sender local parts, you'll > > need a regexp or pcre table, and for bonus points some care to get it > > right for quoted local-part addresses. > > > > /^"(.*)"@local\.domain$/${1}-hostname@some.domain > > /^(.*)@local\.domain$/${1}-hostname@some.domain > > > > But, unless you have "-" as your recipient delimiter on the central > > mailhub, the resulting sender address is invalid, which is best > > avoided. > > I will use a different delimiter ("+"). Thank you for the tip. > > If I am going to do PCRE table can I still use generic map, or do I need > to use something like smtp_header_checks? Unless stated otherwise, all Postfix features that support table lookups work with all table drivers. In a few cases there are security restrictions on the use of ${n} substitutions in regexp/pcre tables, these are documented. When the documentation says "tabletype:tablename" (or similar) it means *any* table type. -- Viktor.
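The two pcre rules posted earlier in this thread, and re-quoted in the reply above, can be checked offline before they go into a smtp_generic_maps table. The following is an added example, not code from the thread or from Postfix: it emulates a Postfix regexp/pcre table lookup (first matching rule wins, ${n} expands to capture group n) over those two rules and then checks whether the rewritten local part is still a valid unquoted local part. The hostname and the delimiter are parameters because the thread leaves "hostname" as a placeholder and the poster later chose "+" in place of "-"; the sample addresses are constructed.

```python
import re

# The two rules from the thread. "hostname" and the delimiter are parameters
# here because the thread leaves the hostname as a placeholder and the poster
# later chose "+" instead of "-".
def build_generic_table(hostname, delimiter="-"):
    """Return (compiled pattern, result template) pairs in table order."""
    suffix = delimiter + hostname + "@some.domain"
    return [
        (re.compile(r'^"(.*)"@local\.domain$'), "${1}" + suffix),
        (re.compile(r'^(.*)@local\.domain$'), "${1}" + suffix),
    ]


_GROUP_REF = re.compile(r'\$\{(\d+)\}|\$(\d+)')


def lookup(table, address):
    """Emulate a Postfix regexp/pcre table lookup: the first rule whose pattern
    matches wins, and ${n} / $n in its result is replaced by capture group n.
    Returns None when nothing matches; Postfix then leaves the address alone."""
    for pattern, template in table:
        m = pattern.search(address)
        if m is not None:
            return _GROUP_REF.sub(
                lambda ref: m.group(int(ref.group(1) or ref.group(2))), template)
    return None


# RFC 5321 dot-atom characters; anything else in an unquoted local part
# (a space, for example) makes the rewritten address syntactically invalid.
_ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
             "!#$%&'*+/=?^_`{|}~-")


def local_part_is_dot_atom(address):
    local, sep, _domain = address.rpartition("@")
    if not sep or not local:
        return False
    labels = local.split(".")
    return all(label and set(label) <= _ATEXT for label in labels)


def rewrite(table, address):
    """Apply the table and report whether the result is a safe unquoted address.
    The quoted-local-part rule strips the quotes, so a local part that needed
    them (one containing a space, say) comes out invalid; Postfix does not
    re-quote the result of a generic map for you."""
    result = lookup(table, address)
    if result is None:
        return address, True          # untouched, nothing to check
    return result, local_part_is_dot_atom(result)


if __name__ == "__main__":
    table = build_generic_table("web01", "+")   # the delimiter the poster chose
    for addr in ("alice@local.domain", '"john.doe"@local.domain',
                 '"john doe"@local.domain', "root@local.domain", "bob@other.domain"):
        new, ok = rewrite(table, addr)
        print(f"{addr:28} -> {new:32} {'ok' if ok else 'INVALID local part'}")
```

The validity check is the practical caveat: a generic map is applied to both envelope and header sender addresses on the way out, so a rule that strips quotes from a local part that needed them produces a sender the hub may reject, and the lookup emulation lets you find such cases in a list of real local parts before the table is deployed.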
Re: Sender Address Rewrite (dynamic mapping with variables)
On 2021-06-11 16:23, Viktor Dukhovni wrote: Unless stated otherwise, all Postfix features that support table lookups work with all table drivers. In a few cases there are security restrictions on the use of ${n} substitutions regexp/pcre tables, these are documented. When the documentation says "tabletype:tablename" (or similar) it means *any* table type. Thank you for the response! Your suggestion works perfectly!!!
Timeout, bounce, duplicate mails
Hi all, I see a few occasions of this every day: plesk_virtual (total: 2) 2 Command time limit exceeded: "/usr/lib/plesk-9.0/postfix-local" It leads to particular mails bouncing, then being sent again, then having multiple copies of them in the mailbox. This happens with external senders and with server-local php mail scripts. Is this timeout somehow configurable for me? My guess is that it happens due to high load at times. The local mailboxes are handled by courier, which uses the qmail directory structure under plesk. Greets, Ludi