[pfx] Re: {Disarmed} Error when I try send a e-mail using my postfix server using the "New Outlook"
Wietse Venema via Postfix-users:
> giuliano--- via Postfix-users:
> > Hi everyone,
> > I hope this message finds you well.
> >
> > I'm having problems with the "new outlook" the default version in
> > Windows 11.
> >
> > When I connect to my account in the "new outlook", the IMAP connection
> > works fine, I can see all the e-mails, but when I try to send a new
> > e-mail I receive an e-mail with error.
> >
> > We couldn't deliver your message.
> >
> > Original message details
> > Created date: 10/31/2024 5:53:03 PM
> > Sender address: giuli...@hospedaqui.com.br
> > Recipient addresses: *@gmail.com
> > Subject: teste
> >
> > Technical details
> > SmtpSubmissionPermanent5XXException: Smtp submission failed. Server
> > 'smtp.hospedaqui.com.br' Port '587'. --> Unexpected SMTP server
> > response. Expected: 334, actual: 535, whole response: 535 5.7.8 Error:
> > authentication failed: Invalid authentication mechanism
>
> And Postfix logging:
>
> > Oct 31 17:54:08 host01 postfix/submission/smtpd[467495]: warning:
> > unknown[2603:1056:c03:1c16::5]: SASL LOGIN authentication failed:
> > Invalid authentication mechanism
>
> As answered in off-list email, this is an error message from the
> Postfix Dovecot SASL client.
>
> You need to turn on one extra level of logging to see which AUTH
> mechanism names Dovecot and Postfix expect, and which AUTH mechanism
> name the remote SMTP client sends.
>
> main.cf:
>     debug_peer_list = 143.198.0.0/16
>     debug_peer_level = 1
>
> IMPORTANT: If you include this logging in follow-up email, be sure
> to censor the base64 text in the AUTH command because that may
> contain a password.

My example was based on the logging in your earlier message. You'd
need to add something like "2603:1056:c03:1c16::/64":

main.cf:
    debug_peer_list = 143.198.0.0/16, 2603:1056:c03:1c16::/64
    debug_peer_level = 1

Alternatively you could temporarily increase the logging level for
all submission clients in master.cf with:

master.cf:
    submission . smtpd
        # Execute "postfix reload" after changing master.cf.
        -o debug_peer_list=static:all
        -o debug_peer_level=1
        ...other -o overrides...

But that would log everyone's password.

        Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
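One way to do the censoring Wietse asks for before verbose logs are posted, as an added example that is not part of the original thread. It assumes the `< client[addr]: text` / `> client[addr]: text` chat-line format of verbose smtpd logging and runs on constructed sample lines; any other verbose line passes through unchanged, so the output still needs a read-through before it is sent.

```python
import base64
import re

# Assumed shape of the SMTP chat lines in verbose smtpd logging:
#   "<syslog prefix> postfix/.../smtpd[PID]: < client[addr]: text"   client -> server
#   "<syslog prefix> postfix/.../smtpd[PID]: > client[addr]: text"   server -> client
CHAT = re.compile(
    r"^(?P<head>.*?smtpd\[(?P<pid>\d+)\]: (?P<dir>[<>]) [^\s\[]+\[[^\]]*\]: )(?P<text>.*)$"
)
AUTH = re.compile(r"^(AUTH\s+\S+)(\s+\S+)?\s*$", re.IGNORECASE)
MARK = "[REDACTED]"


def redact_auth(lines):
    """Return the log lines with SASL client responses replaced by MARK.

    The mechanism name and the server's replies are kept, because they are
    what the troubleshooting needs; only client-supplied base64 is removed.
    """
    in_auth = set()  # smtpd PIDs that are in the middle of an AUTH exchange
    out = []
    for line in lines:
        m = CHAT.match(line)
        if m is None:
            out.append(line)
            continue
        pid, text = m["pid"], m["text"]
        if m["dir"] == "<":
            auth = AUTH.match(text)
            if auth:  # AUTH command, possibly with an initial response
                in_auth.add(pid)
                text = auth.group(1) + (" " + MARK if auth.group(2) else "")
            elif pid in in_auth:  # continuation line: the whole text is a response
                text = MARK
        elif pid in in_auth and not text.startswith("334"):
            in_auth.discard(pid)  # final reply (235, 535, ...) ends the exchange
        out.append(m["head"] + text)
    return out


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample input (documentation address, made-up credentials).
USER_B64 = b64("user@example.com")
PASS_B64 = b64("constructed-password")
PLAIN_B64 = b64("\0user@example.com\0constructed-password")
P = "Oct 31 17:54:08 host01 postfix/submission/smtpd"
C = "unknown[2001:db8::5]"
SAMPLE = [
    f"{P}[1001]: connect from {C}",
    f"{P}[1001]: < {C}: AUTH LOGIN",
    f"{P}[1001]: > {C}: 334 VXNlcm5hbWU6",
    f"{P}[1001]: < {C}: {USER_B64}",
    f"{P}[1001]: > {C}: 334 UGFzc3dvcmQ6",
    f"{P}[1001]: < {C}: {PASS_B64}",
    f"{P}[1001]: > {C}: 535 5.7.8 Error: authentication failed",
    f"{P}[1002]: < {C}: AUTH PLAIN {PLAIN_B64}",
    f"{P}[1002]: > {C}: 235 2.7.0 Authentication successful",
    f"{P}[1002]: < {C}: MAIL FROM:<user@example.com>",
]

if __name__ == "__main__":
    print("\n".join(redact_auth(SAMPLE)))
```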
[pfx] Re: {Disarmed} Error when I try send a e-mail using my postfix server using the "New Outlook"
giuliano--- via Postfix-users:
> Hi everyone,
> I hope this message finds you well.
>
> I'm having problems with the "new outlook" the default version in
> Windows 11.
>
> When I connect to my account in the "new outlook", the IMAP connection
> works fine, I can see all the e-mails, but when I try to send a new
> e-mail I receive an e-mail with error.
>
> We couldn't deliver your message.
>
> Original message details
> Created date: 10/31/2024 5:53:03 PM
> Sender address: giuli...@hospedaqui.com.br
> Recipient addresses: *@gmail.com
> Subject: teste
>
> Technical details
> SmtpSubmissionPermanent5XXException: Smtp submission failed. Server
> 'smtp.hospedaqui.com.br' Port '587'. --> Unexpected SMTP server
> response. Expected: 334, actual: 535, whole response: 535 5.7.8 Error:
> authentication failed: Invalid authentication mechanism

And Postfix logging:

> Oct 31 17:54:08 host01 postfix/submission/smtpd[467495]: warning:
> unknown[2603:1056:c03:1c16::5]: SASL LOGIN authentication failed:
> Invalid authentication mechanism

As answered in off-list email, this is an error message from the
Postfix Dovecot SASL client.

You need to turn on one extra level of logging to see which AUTH
mechanism names Dovecot and Postfix expect, and which AUTH mechanism
name the remote SMTP client sends.

main.cf:
    debug_peer_list = 143.198.0.0/16
    debug_peer_level = 1

IMPORTANT: If you include this logging in follow-up email, be sure
to censor the base64 text in the AUTH command because that may
contain a password.

        Wietse
[pfx] {Disarmed} Error when I try send a e-mail using my postfix server using the "New Outlook"
Hi everyone,
I hope this message finds you well.

I'm having problems with the "new outlook" the default version in Windows 11.

When I connect to my account in the "new outlook", the IMAP connection works fine, I can see all the e-mails, but when I try to send a new e-mail I receive an e-mail with error.

We couldn't deliver your message.

Original message details
Created date: 10/31/2024 5:53:03 PM
Sender address: giuli...@hospedaqui.com.br
Recipient addresses: *@gmail.com
Subject: teste

Technical details
SmtpSubmissionPermanent5XXException: Smtp submission failed. Server 'smtp.hospedaqui.com.br' Port '587'. --> Unexpected SMTP server response. Expected: 334, actual: 535, whole response: 535 5.7.8 Error: authentication failed: Invalid authentication mechanism
Failure code: b2d1

So I access my server and access the mail.log, and notice the following messages:

Oct 31 17:54:08 host01 postfix/submission/smtpd[467495]: connect from unknown[2603:1056:c03:1c16::5]
Oct 31 17:54:08 host01 postfix/submission/smtpd[467495]: warning: unknown[2603:1056:c03:1c16::5]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 31 17:54:08 host01 postfix/submission/smtpd[467495]: lost connection after AUTH from unknown[2603:1056:c03:1c16::5]
Oct 31 17:54:08 host01 postfix/submission/smtpd[467495]: disconnect from unknown[2603:1056:c03:1c16::5] ehlo=2 starttls=1 auth=0/1 commands=3/4

2603:1056:c03:1c16::5 -> Microsoft Corporation

The "new outlook" seems to use a Microsoft Cloud service in the middle, so it's not a direct connection to my server.

This problem is just in the "new outlook"; the classic outlook, mobile outlook, web version works fine.

I don't know if this is a misconfiguration or something else.

Using the virtual_transport = dovecot.
Postfix main.conf (mail_version = 3.6.4)

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
myhostname = host01.farm03.hospedaqui.net.br
mynetworks = 127.0.0.0/8
message_size_limit = 251658240
header_size_limit = 4096000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
disable_vrfy_command = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtpd_data_restrictions = check_policy_service unix:/var/log/policyServerSocket
smtpd_policy_service_default_action = DUNNO
header_checks = regexp:/etc/postfix/header_checks
enable_original_recipient = no
smtpd_data_restrictions = check_policy_service unix:/var/log/policyServerSocket
smtpd_policy_service_default_action = DUNNO
relayhost = [email-smtp.us-east-2.amazonaws.com]:587
smtpd_data_restrictio
[pfx] Re: OT: k8s network presentation
Nico Schottelius via Postfix-users:
> Hello postfix users,
>
> I know I am probably not the most conventional guy moving postfix into
> IPv6 only kubernetes stacks, but there are good reasons for it.
>
> To explain a bit the background of all this "nonsense", I wanted to
> point to a presentation I will be giving in the RIPE IPv6 working group
> on 31st of October, 0900 UTC+1 [0].

> [0] https://ripe89.ripe.net/programme/meeting-plan/ipv6-wg/

And there is now a link to the PDF of the content.

        Wietse
[pfx] Re: Suggestion: Add lifecycle events / pipe each logfile entry to external command
> I need to find out if an outgoing message was successfully delivered or not.
> I know this can be achieved by setting up some filesystem watcher for
> the logfile, and/or by having a cronjob searching through the logfile
> for the line containing `status=`.
> But it would be so much nicer if Postfix would support this out of the
> box :-)
>
> Adding a full-blown events layer with user-configurable commands for
> each event, is probably not so easy ;-)
> But what about extending the built-in logging mechanism? When a setting
> like `pipe_log_to_command=` is given, then (additionally to writing them
> to a file) send the logfile entries to that command.

Are you aware of rsyslog omprog? You write a script that runs as a service and rsyslog pipes log lines to the script which the script can do anything with. Run commands, save to a db, etc. It can be your postfix `pipe_log_to_command=` API layer.
[pfx] Re: `postfix-pgsql`: Issues with expansion parameters `%s`, `%u` and `%d`, and some minor bugs(?)
Wietse Venema via Postfix-users:
> > But my point is: If somebody is configuring the database lookup at
> > `local_recipient_maps`, they will not read those docs about virtual
>
> If the local_recipient_maps description is incomplete then that can
> be fixed, just like the pgsql_table(5) text.

Preliminary text about the generated queries can be found at
http://www.porcupine.org/postfix-mirror/postconf.5.html#local_recipient_maps

It should cover all the queries (and why those queries exist).

To avoid duplication with existing text in LOCAL_RECIPIENT_README.html
section "Local recipient table format", I may still decide to move
the new text there, and link to that from postconf.5.html.

        Wietse
[pfx] Re: `postfix-pgsql`: Issues with expansion parameters `%s`, `%u` and `%d`, and some minor bugs(?)
Hi,

yeah, I think the docs about the connection are clearer now :-)

However, the "three queries behavior" is still undocumented IMO. I did read https://www.postfix.org/virtual.5.html and it is nicely explained there.
But my point is: If somebody is configuring the database lookup at `local_recipient_maps`, they will not read those docs about virtual tables! Why should they?
So I think this should be explained at other places too.

For my own setup, I have just one question:
I have two domains at `mydestination`, and I want a separate database lookup for each, then pipe the mail to a separate external command.
The transport part works so nicely:

    transport_maps = inline:{ foo.com=foo_handler, bar.com=bar_handler }

But for the recipients, I can't see a way of mapping the 2 domains to 2 lookup tables. So my current "workaround" looks something like this:

    local_recipient_maps = pgsql:foo.cf pgsql:bar.cf

And then (since both queries will be run) in the SQL do something like:

    query = SELECT id FROM table WHERE 'foo.com' = '%d' AND local_part = '%u'

... in order to prevent searching for foo.com's local_part in bar.com's table.

This will certainly work, but I'm wondering if there's a more straightforward way than the `'foo.com' = '%d'` hack.

Thanks!!

--
Cheers, Thomas
[pfx] Suggestion: Add lifecycle events / pipe each logfile entry to external command
Hi,

my use case:
I need to find out if an outgoing message was successfully delivered or not.
I know this can be achieved by setting up some filesystem watcher for the logfile, and/or by having a cronjob searching through the logfile for the line containing `status=`.
But it would be so much nicer if Postfix would support this out of the box :-)

Adding a full-blown events layer with user-configurable commands for each event, is probably not so easy ;-)
But what about extending the built-in logging mechanism? When a setting like `pipe_log_to_command=` is given, then (additionally to writing them to a file) send the logfile entries to that command.

Thanks!

--
Cheers, Thomas
[pfx] Re: `postfix-pgsql`: Issues with expansion parameters `%s`, `%u` and `%d`, and some minor bugs(?)
Thomas Landauer via Postfix-users:
> Hi,
>
> yeah, I think the docs about the connection are clearer now :-)
>
> However, the "three queries behavior" is still undocumented IMO. I did

The three queries are documented in the virtual(5) text.

Postfix has a layered architecture for table lookups.

- Table-driven mechanisms such as SMTP server access maps, local
  recipient maps, canonical_maps, virtual_alias_maps, transport_maps.
  These can generate multiple requests for table lookup mechanisms.

- Table lookup mechanisms such as hash, btree, pgsql and a ton of
  other ones. These know nothing about access tables, local recipients
  and so on.

> But my point is: If somebody is configuring the database lookup at
> `local_recipient_maps`, they will not read those docs about virtual

If the local_recipient_maps description is incomplete then that can
be fixed, just like the pgsql_table(5) text.

> For my own setup, I have just one question:
> I have two domains at `mydestination`, and I want a separate database
> lookup for each, then pipe the mail to a separate external command.

Configure Postfix to query both databases, and give each Postfix
pgsql file its unique "domain = whatever" setting. The queries will
then hit only the relevant database, and they will never see those
fragment queries for @domain and for the address localpart.

        Wietse
[pfx] Re: Suggestion: Add lifecycle events / pipe each logfile entry to external command
Thomas Landauer via Postfix-users:
> Hi,
>
> my use case:
> I need to find out if an outgoing message was successfully delivered or not.
> I know this can be achieved by setting up some filesystem watcher for
> the logfile, and/or by having a cronjob searching through the logfile
> for the line containing `status=`.
> But it would be so much nicer if Postfix would support this out of the
> box :-)

Postfix logs events with the queue ID of the corresponding mail
transaction. The queue ID is the primary grouping mechanism when
searching for a specific message in the logs.

> Adding a full-blown events layer with user-configurable commands for
> each event, is probably not so easy ;-)
> But what about extending the built-in logging mechanism? When a setting
> like `pipe_log_to_command=` is given, then (additionally to writing them
> to a file) send the logfile entries to that command.

First, it is not hard to 'tail' a logfile (and skip to the next
file after logfile rotation). Logfile watcher programs already do
this.

Second, logging to command is already available on Linux and
non-Linux systems.

1) On Linux specify "|/path/to/fifo" as an additional destination
   in /etc/rsyslog.conf, and read the FIFO.

2) On non-Linux specify "|command" as an additional destination in
   /etc/syslog.conf. Caution: the command may run as root.

For security reasons, individual Postfix daemons do not have the
privilege to execute commands that run outside of Postfix. That
leaves this:

3) Specify "maillog_file = /path/to/fifo" in Postfix main.cf, and
   read the FIFO. You'd be responsible for also writing this to a
   logfile, and rotating that file. This requires Postfix 3.4 or
   later.

        Wietse
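A reader for the FIFO options in Wietse's reply that groups records by queue ID and reports the outcome once the message leaves the queue, as an added example that is not part of the original thread. It assumes the usual `QUEUEID: to=<...>, ... dsn=..., status=...` delivery records and the qmgr `QUEUEID: removed` record; the sample log lines are constructed and the FIFO path is whatever is passed on the command line.

```python
import re
import sys
from collections import defaultdict

# Delivery record (assumed standard form):
#   "<prefix> postfix/smtp[PID]: QUEUEID: to=<rcpt>, ... dsn=X.Y.Z, status=WORD (text)"
DELIVERY = re.compile(
    r"postfix[^\s\[]*\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)
# Queue manager record written when the message leaves the queue.
REMOVED = re.compile(r"/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): removed\s*$")


def track(lines):
    """Yield (queue_id, {recipient: (status, dsn)}) once a message is removed.

    A later record for the same recipient replaces an earlier one, so a
    message that was deferred and then delivered ends up as "sent".
    """
    pending = defaultdict(dict)
    for line in lines:
        m = DELIVERY.search(line)
        if m:
            pending[m["qid"]][m["rcpt"]] = (m["status"], m["dsn"])
            continue
        m = REMOVED.search(line)
        if m and m["qid"] in pending:
            yield m["qid"], pending.pop(m["qid"])


def delivered(recipients):
    """True only if every recipient of the message ended with status=sent."""
    return all(status == "sent" for status, _dsn in recipients.values())


# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    "Oct 31 18:00:01 host01 postfix/smtp[2001]: 4A1B2C3D4E: to=<alice@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)",
    "Oct 31 18:00:02 host01 postfix/smtp[2002]: 5F6A7B8C9D: to=<bob@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.20] said: 550 5.1.1 User unknown)",
    "Oct 31 18:00:02 host01 postfix/qmgr[900]: 5F6A7B8C9D: removed",
    "Oct 31 18:05:01 host01 postfix/smtp[2003]: 4A1B2C3D4E: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=330, delays=300/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Oct 31 18:05:01 host01 postfix/qmgr[900]: 4A1B2C3D4E: removed",
]

if __name__ == "__main__":
    # With an argument, read that FIFO (or logfile); without one, use SAMPLE.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for qid, rcpts in track(source):
        print(qid, "delivered" if delivered(rcpts) else "FAILED", rcpts)
```

The reader runs as an unprivileged process of its own and ends when the writer closes the FIFO, so a long-running deployment would reopen it in a loop.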
[pfx] Re: rejection policy
> I have policyd-spf and opendkim (as a milter) installed for postfix.
> How can I customize the policy that, if an incoming message has SPF
> failed AND has invalid DKIM then this message will be rejected?
> AFAIK google has this kind of rejection policy for their gmail.

That is what DMARC does. There is also an OpenDMARC in most Linux packages.
[pfx] rejection policy
Hello,

I have policyd-spf and opendkim (as a milter) installed for postfix.
How can I customize the policy that, if an incoming message has SPF failed AND has invalid DKIM then this message will be rejected?
AFAIK google has this kind of rejection policy for their gmail.

I know that in opendkim.conf and policyd-spf.conf I can set up the policy for rejection. But the two files are separated.

Thanks.
[pfx] Re: `postfix-pgsql`: Issues with expansion parameters `%s`, `%u` and `%d`, and some minor bugs(?)
On Thu, Oct 31, 2024 at 12:52:51PM +0100, Thomas Landauer via Postfix-users wrote:

> Hi,
>
> yeah, I think the docs about the connection are clearer now :-)
>
> However, the "three queries behavior" is still undocumented IMO. I did read
> https://www.postfix.org/virtual.5.html and it is nicely explained there.
> But my point is: If somebody is configuring the database lookup at
> `local_recipient_maps`, they will not read those docs about virtual tables!
> Why should they?
> So I think this should be explained at other places too.
>
>
> For my own setup, I have just one question:
> I have two domains at `mydestination`, and I want a separate database lookup
> for each, then pipe the mail to a separate external command.
> The transport part works so nicely:
>
>     transport_maps = inline:{ foo.com=foo_handler, bar.com=bar_handler }
>
> But for the recipients, I can't see a way of mapping the 2 domains to 2
> lookup tables. So my current "workaround" looks something like this:
>
>     local_recipient_maps = pgsql:foo.cf pgsql:bar.cf
>
> And then (since both queries will be run) in the SQL do something like:
>
>     query = SELECT id FROM table WHERE 'foo.com' = '%d' AND local_part = '%u'

Simpler, and more efficient, since no SQL queries will be issued for
addresses that are not @foo.com:

    domain = foo.com
    query = SELECT id FROM table WHERE local_part = '%u'

This is documented:

    domain (default: no domain list)
        This is a list of domain names, paths to files, or type:table
        databases. When specified, only fully qualified search keys with a
        *non-empty* localpart and a matching domain are eligible for lookup:
        user lookups, bare domain lookups and @domain lookups are not
        performed. This can significantly reduce the query load on the
        PostgreSQL server.

            domain = postfix.org, hash:/etc/postfix/searchdomains

        It is best not to use SQL to store the domains eligible for SQL
        lookups.

        This parameter is available with Postfix 2.2 and later.

        NOTE: DO NOT define this parameter for local(8) aliases, because
        the input keys are always unqualified.

--
    Viktor.