How to tell postfix to be more verbose on the smtp port?
Hi,

I have a probably unusual request. For pedagogical reasons (teaching "network"), I would like the postfix server of my classroom to be as verbose as possible on its smtp port (i.e. like sendmail used to be). I mean: comprehensive help messages on the "help" command, explicit error messages on malformed smtp commands, etc.

(I know that such behaviour is generally unwanted for world-wide servers, for security reasons. But compromises for security will be discussed later, after presenting functionalities. I'm sure you understand my point.)

Well.. so, my question is: how to configure postfix to be more verbose? (not in the log files, but on the smtp connexions)

Best regards
Christophe
Filtering MAIL FROM for authenticated users
Hi

I need to limit the domains in "mail from" for authenticated users to prevent sending emails with a "third party" domain.

I have read the documentation and did not reach any conclusion. My best guess is that it is some configuration that may be passed as an option to submission and smtps.

What is the proper way to do something like that?

Thanks
Re: Filtering MAIL FROM for authenticated users
Hi,

did you already ctrl+f for 'reject_sender_login_mismatch' and 'smtpd_sender_login_maps' in http://www.postfix.org/postconf.5.html ?

regards,
Max

On 28/09/2021 13:36, João Silva wrote:
> Hi
>
> I need to limit the domains in "mail from" for authenticated users to prevent sending emails with a "third party" domain.
>
> I have read the documentation and did not reach any conclusion. My best guess is that it is some configuration that may be passed as an option to submission and smtps.
>
> What is the proper way to do something like that?
>
> Thanks
Re: How to tell postfix to be more verbose on the smtp port?
On 2021-09-28 at 03:50:11 UTC-0400 (Tue, 28 Sep 2021 09:50:11 +0200) Christophe Lohr is rumored to have said:

> Hi,
>
> I have a probably unusual request. For pedagogical reasons (teaching "network"), I would like the postfix server of my classroom to be as verbose as possible on its smtp port (i.e. like sendmail used to be). I mean: comprehensive help messages on the "help" command, explicit error messages on malformed smtp commands, etc.
>
> (I know that such behaviour is generally unwanted for world-wide servers, for security reasons. But compromises for security will be discussed later, after presenting functionalities. I'm sure you understand my point.)
>
> Well.. so, my question is: how to configure postfix to be more verbose?

There's no way to do that. Someone would need to write the greater verbosity first.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Filtering MAIL FROM for authenticated users
I have been reading the documentation for smtpd_sender_login_maps and from what I understood I must create a db of the form

@domain user1,user2

From the docs: "In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace"

That's not manageable in some scenarios. Since that list could be an LDAP lookup I'm going to research that option.

On 28/09/2021 12:46, Max-Julian Pogner wrote:
> Hi,
>
> did you already ctrl+f for 'reject_sender_login_mismatch' and 'smtpd_sender_login_maps' in http://www.postfix.org/postconf.5.html ?
>
> regards,
> Max
>
> On 28/09/2021 13:36, João Silva wrote:
>> Hi
>>
>> I need to limit the domains in "mail from" for authenticated users to prevent sending emails with a "third party" domain.
>>
>> I have read the documentation and did not reach any conclusion. My best guess is that it is some configuration that may be passed as an option to submission and smtps.
>>
>> What is the proper way to do something like that?
>>
>> Thanks
Re: Filtering MAIL FROM for authenticated users
> I have been reading the documentation for smtpd_sender_login_maps and from what I understood I must create a db of the form
>
> @domain user1,user2
>
> From the docs: "In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace"
>
> That's not manageable in some scenarios. Since that list could be an LDAP lookup I'm going to research that option.

> @domain user1,user2

I don't believe this is valid format. It would be more like

user1@domain,user2@domain
or
user1,user2
or
user1@domain,user2,@domain

> Since that list could be an LDAP lookup I'm going to research that option.

Yes, you don't have to use flat files. It works for any "lookup table" such as

CDB
Berkeley DB
LDAP
LMDB
Memcache
MySql / MariaDB
PCRE
PostgreSQL
SQLite

http://www.postfix.org/DATABASE_README.html
Re: Filtering MAIL FROM for authenticated users
On 28/09/2021 14:41, post...@ptld.com wrote:
>> I have been reading the documentation for smtpd_sender_login_maps and from what I understood I must create a db of the form
>>
>> @domain user1,user2
>>
>> From the docs: "In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace"
>>
>> That's not manageable in some scenarios. Since that list could be an LDAP lookup I'm going to research that option.
>
>> @domain user1,user2
>
> I don't believe this is valid format. It would be more like

I used the ... as example for list of users

> user1@domain,user2@domain
> or
> user1,user2
> or
> user1@domain,user2,@domain
>
>> Since that list could be an LDAP lookup I'm going to research that option.
>
> Yes, you don't have to use flat files. It works for any "lookup table" such as
>
> CDB
> Berkeley DB
> LDAP
> LMDB
> Memcache
> MySql / MariaDB
> PCRE
> PostgreSQL
> SQLite

SQLite is a good idea. Since I use both alias and usernames I think that I can hack something with it. From what I read in the meantime for LDAP queries I possibly had to alter the LDAP tree and that is out of the question.

Thanks for the help.

> http://www.postfix.org/DATABASE_README.html
Re: How to tell postfix to be more verbose on the smtp port?
On Tue, Sep 28, 2021 at 09:50:11AM +0200, Christophe Lohr wrote:

> Well.. so, my question is: how to configure postfix to be more verbose?
> (not in the log files, but on the smtp connexions)

This would be a programming exercise. The relevant source files are:

    src/smtpd/smtpd.c - Protocol engine
    src/smtpd/smtpd_state.c - Connection state structure and methods
    src/smtpd/smtpd_chat.c - Request/Response logic

You may need to record additional data in the state structure, and then emit appropriate messages when responding to the client.

Most likely it is easier to just write a Perl or Python script, or Haskell or Go program that is an ESMTP server that emits detailed error messages. Choose a language in which it is easy to write a parser that emits detailed error diagnostics.

It is not clear why Postfix would be a compelling choice of an SMTP server for students new to network protocols looking for verbose error messages.

--
    Viktor.
Re: Filtering MAIL FROM for authenticated users
On 28.09.21 14:31, João Silva wrote:
> I have been reading the documentation for smtpd_sender_login_maps and from what I understood I must create a db of the form
>
> @domain user1,user2
>
> From the docs: "In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace"
>
> That's not manageable in some scenarios. Since that list could be an LDAP lookup I'm going to research that option.

note that postfix compares envelope senders to those in database, so you must make sure that the envelope sender matches address in From:

>> On 28/09/2021 12:46, Max-Julian Pogner wrote:
>>> did you already ctrl+f for 'reject_sender_login_mismatch' and 'smtpd_sender_login_maps' in http://www.postfix.org/postconf.5.html ?
>>>
>>> On 28/09/2021 13:36, João Silva wrote:
>>>> I need to limit the domains in "mail from" for authenticated users to prevent sending emails with a "third party" domain.
>>>>
>>>> I have read the documentation and did not reach any conclusion. My best guess is that it is some configuration that may be passed as an option to submission and smtps.
>>>>
>>>> What is the proper way to do something like that?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: How to tell postfix to be more verbose on the smtp port?
Viktor Dukhovni:
> Most likely it is easier to just write a Perl or Python script, or
> Haskell or Go program that is an ESMTP server that emits detailed error
> messages. Choose a language in which it is easy to write a parser that
> emits detailed error diagnostics.

I would suggest using a stateful proxy between the client and Postfix. The proxy implements the help functionality, and looks at the conversation between the client and Postfix, so that it knows the history of an SMTP session.

    Wietse
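The session-history idea from the two replies above, as an added Python example that is not code from the thread or from Postfix: a tracker that a classroom proxy or toy server could consult to produce verbose replies. The class name `VerboseSession`, the reply wording and the chosen subset of commands are assumptions made for illustration.

```python
import re

# Added teaching aid: reply wording is invented; the codes follow RFC 5321 usage.
PATH = re.compile(r"^<([^<>\s]*)>(?:\s+.*)?$")   # <address> plus optional parameters
HELP = {
    "HELO": "HELO <hostname> - introduce yourself (EHLO also asks for extensions)",
    "MAIL": "MAIL FROM:<address> - open a transaction, needs HELO/EHLO first",
    "RCPT": "RCPT TO:<address> - add a recipient, needs MAIL FROM first",
    "DATA": "DATA - send the message, needs at least one accepted RCPT TO",
    "RSET": "RSET - forget sender and recipients, keep the greeting",
    "QUIT": "QUIT - end the session",
}


class VerboseSession:
    """Remembers the history of one SMTP session and explains each rejection."""

    def __init__(self):
        self.greeted, self.sender, self.rcpts = False, None, []

    def _path(self, arg, keyword):
        """Parse 'FROM:<a@b>' or 'TO:<a@b>' and return (address, error_text)."""
        if not arg.upper().startswith(keyword + ":"):
            return None, f"expected '{keyword}:<address>' but got '{arg}'"
        m = PATH.match(arg[len(keyword) + 1:].strip())
        if not m:
            return None, f"the address after {keyword}: must be in <angle brackets>"
        return m.group(1), None

    def reply(self, line):
        """Return (code, text) for one command line received from the client."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELP":
            return 214, HELP.get(arg.upper(), "commands: " + " ".join(HELP))
        if verb in ("HELO", "EHLO"):
            if not arg:
                return 501, f"{verb} needs your hostname, e.g. '{verb} client.example'"
            self.greeted, self.sender, self.rcpts = True, None, []
            return 250, f"hello {arg}, next step is MAIL FROM:<address>"
        if verb == "MAIL":
            if not self.greeted:
                return 503, "MAIL before HELO/EHLO: greet the server first"
            if self.sender is not None:
                return 503, "a transaction is already open, finish it or send RSET"
            addr, err = self._path(arg, "FROM")
            if err:
                return 501, err
            self.sender = addr               # "" is the null sender <>, which is legal
            return 250, f"sender <{addr}> noted, next step is RCPT TO:<address>"
        if verb == "RCPT":
            if self.sender is None:
                return 503, "RCPT before MAIL: send MAIL FROM:<address> first"
            addr, err = self._path(arg, "TO")
            if err or not addr:
                return 501, err or "RCPT TO:<> is empty, a recipient is required"
            self.rcpts.append(addr)
            return 250, f"recipient <{addr}> noted ({len(self.rcpts)} so far)"
        if verb == "DATA":
            if not self.rcpts:
                return 503, "DATA before RCPT: no recipient has been accepted yet"
            return 354, "send the message, end with a line containing only '.'"
        if verb == "RSET":
            self.sender, self.rcpts = None, []
            return 250, "transaction reset, greeting kept"
        if verb == "QUIT":
            return 221, "bye"
        return 500, f"unknown command '{verb}', try HELP"
```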
Re: Filtering MAIL FROM for authenticated users
On 28/09/2021 15:42, Matus UHLAR - fantomas wrote:
> On 28.09.21 14:31, João Silva wrote:
>> I have been reading the documentation for smtpd_sender_login_maps and from what I understood I must create a db of the form
>>
>> @domain user1,user2
>>
>> From the docs: "In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace"
>>
>> That's not manageable in some scenarios. Since that list could be an LDAP lookup I'm going to research that option.
>
> note that postfix compares envelope senders to those in database, so you must make sure that the envelope sender matches address in From:

I'm using one alias file. I'm going to parse that to get the possible From: fields and work from there, after that I can get the rest of the cases with a getent passwd. That way I can build a hash table and don't need to mess with LDAP.

It would be nice to have an option to specify a list of allowed domains.

>>> On 28/09/2021 12:46, Max-Julian Pogner wrote:
>>>> did you already ctrl+f for 'reject_sender_login_mismatch' and 'smtpd_sender_login_maps' in http://www.postfix.org/postconf.5.html ?
>>>>
>>>> On 28/09/2021 13:36, João Silva wrote:
>>>>> I need to limit the domains in "mail from" for authenticated users to prevent sending emails with a "third party" domain.
>>>>>
>>>>> I have read the documentation and did not reach any conclusion. My best guess is that it is some configuration that may be passed as an option to submission and smtps.
>>>>>
>>>>> What is the proper way to do something like that?
Re: How to tell postfix to be more verbose on the smtp port?
On 9/28/21 10:23 AM, Viktor Dukhovni wrote:
> On Tue, Sep 28, 2021 at 09:50:11AM +0200, Christophe Lohr wrote:
>
>> Well.. so, my question is: how to configure postfix to be more verbose?
>> (not in the log files, but on the smtp connexions)
>
> This would be a programming exercise. The relevant source files are:
>
>     src/smtpd/smtpd.c - Protocol engine
>     src/smtpd/smtpd_state.c - Connection state structure and methods
>     src/smtpd/smtpd_chat.c - Request/Response logic
>
> You may need to record additional data in the state structure, and then emit appropriate messages when responding to the client.
>
> Most likely it is easier to just write a Perl or Python script, or Haskell or Go program that is an ESMTP server that emits detailed error messages. Choose a language in which it is easy to write a parser that emits detailed error diagnostics.
>
> It is not clear why Postfix would be a compelling choice of an SMTP server for students new to network protocols looking for verbose error messages.

I did a search and found this about custom bounce messages.

https://www.howtoforge.com/configure-custom-postfix-bounce-messages

Cheers,
--Curtis
Re: Filtering MAIL FROM for authenticated users
On Tue, Sep 28, 2021 at 03:50:06PM +0100, João Silva wrote:

> It would be nice to have an option to specify a list of allowed domains.

This is not meaningful, because the lookup result is a list of SASL identities, which are just opaque octet strings, there's no notion of "domain" there. In fact, the identities are potentially mechanism-specific, and Postfix could pedantically distinguish between GSSAPI:user@REALM and PLAIN:user@REALM, as they may be semantically distinct, but that would be rather annoying, and not a problem in practice.

[ Indeed the rabbit hole is deeper, because the meaning of a name may depend on the underlying GSSAPI mechanism, which IIRC is not exposed via SASL. ]

Postfix allows you to specify which SASL logins have access to a given sender address. While the lookup key (sender address) has a domain part, that is not the case with the lookup result.

The envelope sender address can be a domain suffix, but the list of authorised users cannot, because Postfix does not attempt to parse opaque SASL logins.

    env sender    SASL login
    @domain       user1, user2, ...

--
    Viktor.
Re: Filtering MAIL FROM for authenticated users
On 28/09/2021 16:39, Viktor Dukhovni wrote:
> On Tue, Sep 28, 2021 at 03:50:06PM +0100, João Silva wrote:
>
>> It would be nice to have an option to specify a list of allowed domains.
>
> This is not meaningful, because the lookup result is a list of SASL identities, which are just opaque octet strings, there's no notion of "domain" there. In fact, the identities are potentially mechanism-specific, and Postfix could pedantically distinguish between GSSAPI:user@REALM and PLAIN:user@REALM, as they may be semantically distinct, but that would be rather annoying, and not a problem in practice.
>
> [ Indeed the rabbit hole is deeper, because the meaning of a name may depend on the underlying GSSAPI mechanism, which IIRC is not exposed via SASL. ]
>
> Postfix allows you to specify which SASL logins have access to a given sender address. While the lookup key (sender address) has a domain part, that is not the case with the lookup result.
>
> The envelope sender address can be a domain suffix, but the list of authorised users cannot, because Postfix does not attempt to parse opaque SASL logins.
>
>     env sender    SASL login
>     @domain       user1, user2, ...

I understand that, so I'm going to verify the SASL logins to verify that everything matches.

A table with the format

alias@domain alias_owner

is allowed?
Re: Filtering MAIL FROM for authenticated users
João Silva:
> A table with the format
>
> alias@domain alias_owner
>
> is allowed?

You can stick anything in there, but for meaningful results,

- alias@domain must be an envelope sender address, and

- alias_owner must be a SASL login name.

    Wietse
Re: Filtering MAIL FROM for authenticated users
On 28/09/2021 17:24, Wietse Venema wrote:
> João Silva:
>> A table with the format
>>
>> alias@domain alias_owner
>>
>> is allowed?
>
> You can stick anything in there, but for meaningful results,
>
> - alias@domain must be an envelope sender address, and
>
> - alias_owner must be a SASL login name.
>
>     Wietse

Exactly what I thought but needed confirmation before production.

Thanks
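The table-building plan discussed in this thread (aliases plus local accounts, keyed by envelope sender with SASL logins as the result), as an added Python example that is not code from any poster or from Postfix. The sample aliases, the login names, the domain `example.com` and all function names are constructed, and it assumes the SASL login equals the local user name.

```python
# Constructed sample input; names and the domain are placeholders.
ALIASES = """\
# aliases(5) style: name: target, target
postmaster: root
root:       alice
support:    alice, bob
sales:      bob,
            carol@partner.example
backup:     |/usr/local/bin/archive
"""
LOGINS = {"alice", "bob"}          # assumed: SASL login == local user name
DOMAIN = "example.com"


def parse_aliases(text):
    """Parse aliases(5)-style text into {name: [targets]}, joining continuation lines."""
    entries, joined = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()      # continuation of the previous entry
        else:
            joined.append(raw.strip())
    for line in joined:
        name, _, rhs = line.partition(":")
        entries[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return entries


def owners(name, aliases, logins, seen=()):
    """Resolve an alias to the set of local logins behind it; alias loops are cut."""
    if name in seen:
        return set()
    if name in aliases:
        found = set()
        for target in aliases[name]:
            found |= owners(target.lower(), aliases, logins, seen + (name,))
        return found
    return {name} if name in logins else set()   # pipes, files, remote addresses: none


def build_map(aliases_text, logins, domain):
    """Return {envelope sender: sorted SASL logins allowed to use it}."""
    aliases = parse_aliases(aliases_text)
    table = {f"{login}@{domain}": [login] for login in logins}
    for name in aliases:
        who = owners(name, aliases, logins)
        if who:
            key = f"{name}@{domain}"
            table[key] = sorted(who | set(table.get(key, [])))
    return table


def render(table):
    """One line per sender: key, whitespace, comma-separated SASL logins."""
    return "\n".join(f"{addr}\t{','.join(users)}" for addr, users in sorted(table.items()))


def login_may_send_as(table, sender, login):
    """Simplified model of the check for a logged-in client: the login must be
    listed for the exact sender address (no @domain keys are generated here)."""
    return login in table.get(sender.lower(), [])


if __name__ == "__main__":
    print(render(build_map(ALIASES, LOGINS, DOMAIN)))
```

Because only addresses in the served domain become keys, a sender in any other domain has no entry and the modelled check refuses it for every login.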
SpamC - connection refused
I sent this to the spamassassin group and no answer appeared; possibly it is outdated?
Please, how can I fix this connection refused? Disabling IPv6 also did not help.

Sep 28 15:11:22 nmail spamd[3826]: prefork: child states: II

Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Sep 28 15:11:24 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused

Sep 28 15:11:24 nmail spamc[4525]: connection attempt to spamd aborted after 3 retries
Sep 28 15:11:24 nmail postfix/pickup[4386]: 2B9D240051: uid=116 from=
--

>>ii spamc 3.4.2-1+deb10u3 amd64 Client for SpamAssassin spam filtering daemon
>>ii postfix3.4.14-0+deb10u1 amd64 High-performance mail transport agent

Many switches, like IPv4 only, also gave no result.

/etc/default/spamsassassin
OPTIONS="--nouser-config --create-prefs --max-children 5 --helper-home-dir /var/lib/spamassassin --username=debian-spamd --groupname=debian-spamd --siteconfigpath /etc/spamassassin -socketpath=/var/spool/postfix/spamass/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"

Thanks
Mauri
Re: SpamC - connection refused
Connection refused speaks to the socket not running. What does netstat -na report?

-Dan

> On Sep 28, 2021, at 11:38 AM, Maurizio Caloro wrote:
>
> I sent this to the spamassassin group and no answer appeared; possibly it is outdated?
> Please, how can I fix this connection refused? Disabling IPv6 also did not help.
>
> Sep 28 15:11:22 nmail spamd[3826]: prefork: child states: II
>
> Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed,
> retrying (#1 of 3): Connection refused
> Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed,
> retrying (#2 of 3): Connection refused
> Sep 28 15:11:24 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed,
> retrying (#3 of 3): Connection refused
>
> Sep 28 15:11:24 nmail spamc[4525]: connection attempt to spamd aborted after
> 3 retries
> Sep 28 15:11:24 nmail postfix/pickup[4386]: 2B9D240051: uid=116
> from=
> --
>
> >>ii spamc 3.4.2-1+deb10u3 amd64 Client for
> >>SpamAssassin spam filtering daemon
> >>ii postfix3.4.14-0+deb10u1 amd64 High-performance mail
> >>transport agent
>
> Many switches, like IPv4 only, also gave no result.
>
> /etc/default/spamsassassin
> OPTIONS="--nouser-config --create-prefs --max-children 5 --helper-home-dir
> /var/lib/spamassassin --username=debian-spamd --groupname=debian-spamd
> --siteconfigpath /etc/spamassassin
> –socketpath=/var/spool/postfix/spamass/spamd.sock --socketowner=debian-spamd
> --socketgroup=debian-spamd --socketmode=0660"
>
> Thanks
> Mauri
Re: SpamC - connection refused
On Tue, Sep 28, 2021 at 08:38:33PM +0200, Maurizio Caloro wrote:

> Sep 28 15:11:22 nmail spamd[3826]: prefork: child states: II

The "spamd" server appears to be running...

> Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed,
> retrying (#1 of 3): Connection refused
> Sep 28 15:11:24 nmail spamc[4525]: connection attempt to spamd aborted after
> 3 retries

The "spamc" client is unable to connect via "127.0.0.1" (via some port).

> /etc/default/spamsassassin
>
> OPTIONS="--nouser-config --create-prefs --max-children 5 --helper-home-dir
> /var/lib/spamassassin --username=debian-spamd --groupname=debian-spamd
> --siteconfigpath /etc/spamassassin
> -socketpath=/var/spool/postfix/spamass/spamd.sock --socketowner=debian-spamd
> --socketgroup=debian-spamd --socketmode=0660"

The server is configured to listen on a unix-domain socket at:

    -socketpath=/var/spool/postfix/spamass/spamd.sock

so perhaps not listening on 127.0.0.1 is not surprising.

--
    Viktor.
Re: SpamC - connection refused
> Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
> Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
> Sep 28 15:11:24 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused

Step one, is spamassassin running?
`ps aufx`

Step two, is it listening where you think it is and is the port it is listening on the port being tried?
`netstat -nlp46`

Step three, any odd firewall rules preventing connection? Highly unlikely considering localhost is nearly never blocked, but you never know. Which then leads to checking selinux rules next.
Re: SpamC - connection refused
Yup, either fix spamd so it listens on localhost (you'd see a LISTEN on port 783, which is missing), or correct your spamc flags to include -U /var/spool/postfix/spamass/spamd.sock

-Dan

> On Sep 28, 2021, at 11:45 AM, Viktor Dukhovni wrote:
>
> On Tue, Sep 28, 2021 at 08:38:33PM +0200, Maurizio Caloro wrote:
>
>> Sep 28 15:11:22 nmail spamd[3826]: prefork: child states: II
>
> The "spamd" server appears to be running...
>
>> Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed,
>> retrying (#1 of 3): Connection refused
>> Sep 28 15:11:24 nmail spamc[4525]: connection attempt to spamd aborted after
>> 3 retries
>
> The "spamc" client is unable to connect via "127.0.0.1" (via some port).
>
>> /etc/default/spamsassassin
>>
>> OPTIONS="--nouser-config --create-prefs --max-children 5 --helper-home-dir
>> /var/lib/spamassassin --username=debian-spamd --groupname=debian-spamd
>> --siteconfigpath /etc/spamassassin
>> -socketpath=/var/spool/postfix/spamass/spamd.sock --socketowner=debian-spamd
>> --socketgroup=debian-spamd --socketmode=0660"
>
> The server is is configured to listen on a unix-domain socket at:
>
>    -socketpath=/var/spool/postfix/spamass/spamd.sock
>
> so perhaps not listening on 127.0.0.1 is not surprising.
>
> --
>    Viktor.
Strange error when having hold as symlink
Hello,

When creating /var/spool/postfix/hold as symlink to another folder I get the following error from Postfix :

* "move to hold queue failed: No such file or directory"

...even when doing "chmod 777" on the target directory.

Do you know if postfix is unable to work with "hold" as symlink or is there something that could be wrong ?

Thanks in advance a lot for any help or advice...

Denis
Re: Strange error when having hold as symlink
On Wed, Sep 29, 2021 at 01:49:39AM +0200, (lists) Denis BUCHER wrote:

> When creating /var/spool/postfix/hold as symlink to another folder I get
> the following error from Postfix :

If any Postfix services are chrooted, the destination needs to be a subdirectory of the Postfix queue directory and in the same filesystem to support renames, so there's really no point in using symlinks inside the Postfix queue, and they're not supported.

Recreate the hold queue as a directory, and solve your problem in some other way.

--
    Viktor.
Re: Strange error when having hold as symlink
On Wed, Sep 29, 2021 at 01:49:39AM +0200, "(lists) Denis BUCHER" wrote:

> Hello,
>
> When creating /var/spool/postfix/hold as symlink to another folder I get the
> following error from Postfix :
>
> * "move to hold queue failed: No such file or directory"
>
> ...even when doing "chmod 777" on the target directory.
>
> Do you know if postfix is unable to work with "hold" as symlink or is there
> something that could be wrong ?
>
> Thanks in advance a lot for any help or advice...
>
> Denis

There's a good chance that the error came from a chrooted process, and the symlink target is outside the chroot location and so doesn't exist within the chroot environment.

If you really have a problem that you think would be solved by relocating the hold queue, you could mount another file system over the hold queue directory. That might work. But it might be a bad idea. Not sure.

You could also stop chrooting the process that produced the error message by changing its chroot value in /etc/postfix/master.cf from "yes" to "no" (5th column). But I personally think that's definitely a bad idea.

cheers,
raf
Re: Strange error when having hold as symlink
On Wed, Sep 29, 2021 at 02:19:53PM +1000, raf wrote:

> If you really have a problem that you think would be
> solved by relocating the hold queue, you could mount
> another file system over the hold queue directory.
> That might work. But it might be a bad idea. Not sure.

Sorry, not possible. Postfix uses rename(2) to move message queue files between the various queue directories. The hold queue needs to be a sub-directory (in the same filesystem) as "incoming", "active", "deferred" and "corrupt" (if I'm not forgetting some).

If the OP wants to periodically drain the hold queue of old messages into a long-term archive, the way to do that is to write and sync the copy file to its destination, then unlink the hold queue file. Best to use long queue ids when doing that sort of thing.

--
    Viktor.
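The copy, sync, then unlink order described in the last reply, as an added Python example that is not code from the thread or from Postfix. The function names, the `.part` suffix and the constructed directories in `demo()` are assumptions; it assumes the caller may read the hold queue and write to the archive.

```python
import os
import shutil
import tempfile


def archive_then_unlink(queue_file, archive_dir):
    """Copy one hold-queue file to archive_dir, sync it, then unlink the original.

    rename(2) fails with EXDEV across file systems, so an archive elsewhere needs
    a copy. The queue file is removed only once the copy is on stable storage.
    """
    name = os.path.basename(queue_file)
    final = os.path.join(archive_dir, name)
    if os.path.exists(final):
        # Short queue IDs can repeat over time; long queue IDs avoid this clash.
        raise FileExistsError(f"{final} already archived, refusing to overwrite")
    fd, tmp = tempfile.mkstemp(prefix=name + ".", suffix=".part", dir=archive_dir)
    try:
        with os.fdopen(fd, "wb") as dst, open(queue_file, "rb") as src:
            shutil.copyfileobj(src, dst)
            dst.flush()
            os.fsync(dst.fileno())            # file contents reach the disk
        os.rename(tmp, final)                 # same directory, so this is atomic
        dirfd = os.open(archive_dir, os.O_RDONLY)
        try:
            os.fsync(dirfd)                   # the new directory entry reaches the disk
        finally:
            os.close(dirfd)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)                    # leave no partial copy behind
        raise
    os.unlink(queue_file)                     # last step: drop the hold-queue copy
    return final


def demo():
    """Run against constructed directories standing in for hold/ and the archive."""
    with tempfile.TemporaryDirectory() as root:
        hold, archive = os.path.join(root, "hold"), os.path.join(root, "archive")
        os.mkdir(hold)
        os.mkdir(archive)
        queue_file = os.path.join(hold, "CONSTRUCTED-QUEUE-ID")
        with open(queue_file, "wb") as f:
            f.write(b"constructed queue file bytes")
        copied = archive_then_unlink(queue_file, archive)
        with open(copied, "rb") as f:
            return os.listdir(hold), os.listdir(archive), f.read()


if __name__ == "__main__":
    print(demo())
```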