[pfx] Re: Relaying from firewall to internal server with authentication
On Sat, Nov 02, 2024 at 06:53:56PM -0400, Wietse Venema via Postfix-users wrote:

> example.com relay:[inside-gateway.example.com]:port
>
> The port can be numeric (465, 587) or symbolic (smtps, submissions,
> submission).

With port 465 (a.k.a. "smtps"), don't forget to use a dedicated clone of the "relay" transport, whose master.cf entry includes:

    -o { smtp_tls_wrappermode = yes }
    -o { smtp_tls_security_level = secure }
    -o { smtp_tls_CAfile = /path/to/trusted-CAs.pem }

Otherwise, without "wrapper mode", it will attempt to use "STARTTLS" over initially cleartext SMTP, which won't work with "implicit TLS" on port 465.

The remaining options are equally applicable to 587 ("submission"): You'll need to configure trust in a suitable list of trust-anchor CAs that might be expected to (perhaps indirectly via subsidiary "issuer" CAs) be the issuers of the certificate for the internal mailhub.

If verifying the authenticity of the connection is ETOOHARD, change the security-level to "encrypt" (if you have DNSSEC and well-maintained and monitored TLSA records for the internal hub, you could use "dane-only").

-- 
Viktor.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: mydestination shared domains?
David Chmelik via Postfix-users:

> I followed 'www.postfix.org/VIRTUAL_README.html : As simple as can be:
> shared domains, UNIX system accounts' to set style like 'mydestination =
> $myhostname localhost.$mydomain ... example.com' for a few domains (except
> example has no commas like main.cf). Regardless of $myhostname, $mydomain
> (also tested default/unset) it defers mail, saying $mydomain loops back to
> myself.
>
> I read an article saying that documentation is wrong: can't add extra
> domains to $mydestination or not only do they loop back to $mydomain, but
> apparently doesn't set properly rather than loops back from itself to
> literally itself.

This is false (assuming that you didn't mess with the local_transport setting (default: "local_transport = local:$myhostname")).

> I did have $mydomain working alone without 'looping back to itself'.

See example 2 in https://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination

Wietse
[pfx] Re: mydestination shared domains?
On 2024-11-03 at 01:51:50 UTC-0400 (Sun, 3 Nov 2024 05:51:50 - (UTC)) David Chmelik via Postfix-users is rumored to have said:

> I followed 'www.postfix.org/VIRTUAL_README.html : As simple as can be:

That's the actual official documentation.

[...]

> I read an article saying that documentation is wrong: can't add extra

That is NOT the actual official documentation. I have no idea what it is, but the odds of it being correct where the real docs are wrong are exceedingly low. Postfix documentation is extremely well-reviewed and well-maintained.

> Which article/instructions are correct,

The one written by the author of Postfix and critiqued/edited in detail by him and the members of this mailing list over the past 2 decades.

> and should I check/post configuration, DNS, logs here or on a 'paste bin'?
> These days I avoid mentioning my domains, but might be okay on Gmane (I'd
> rather write 'example.com')...

Usually the relevant log entries and postconf output will fit just fine in a message here. If you choose to redact your domain specifics, do so using example.com in a consistent way that preserves distinctions and commonalities existing between the actual original names.

One problem that can arise from posting through GMane (or any pretty MUA) is that it may attempt to re-wrap the strict text structure of logs and configs. If you are not sure that your MUA will preserve the fixed formatting of log and config data, use a pastebin-like site.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: ldap lookup result case problem
Guntis Bumburs via Postfix-users:

> Hello,
>
> Is there a way to convert ldap lookup result to lowercase?

There has been no need for this in the past 26 years, so, no.

> I am using this config:
>
> # cat ldap_relay_recipient_maps.cf
> server_host = 192.168.1.1
> search_base = OU=Users,OU=Domain,DC=abc,DC=local
>
> bind_dn = abc\abc
> bind_pw = abc
> query_filter = (proxyAddresses=smtp:%s)
> result_attribute = mail
>
> # cat main.cf
> ...
> local_recipient_maps =
>     ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
> ...
>
> Testing with postmap
> # postmap -q supp...@abc.com ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
> supp...@abc.com
>
> # postmap -q suppo...@abc.com ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
> suppo...@abc.com
>
> Response is not converted to lowercase. It is returned in exact form as
> it is in directory resulting in lookup mismatch.

What technology is rejecting upper-case recipients? Is this a commercial product?

Wietse
[pfx] ldap lookup result case problem
Hello,

Is there a way to convert ldap lookup result to lowercase?

I am using this config:

# cat ldap_relay_recipient_maps.cf
server_host = 192.168.1.1
search_base = OU=Users,OU=Domain,DC=abc,DC=local

bind_dn = abc\abc
bind_pw = abc
query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail

# cat main.cf
...
local_recipient_maps =
    ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
...

Testing with postmap
# postmap -q supp...@abc.com ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
supp...@abc.com

# postmap -q suppo...@abc.com ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
suppo...@abc.com

Response is not converted to lowercase. It is returned in exact form as it is in directory resulting in lookup mismatch.

$ postconf mail_version
mail_version = 3.9

BR,
Guntis
[pfx] Re: mydestination shared domains?
On Sun, Nov 03, 2024 at 06:43:31PM +0100, Jaroslaw Rafa via Postfix-users wrote:

> Make sure that you DON'T list domain names included in "mydestination"
> parameter elsewhere, for example in virtual alias file.

This warrants some clarification:

- The actual requirement is to not list the same domain in multiple
  "address classes". So no membership overlap among:

    - mydestination             # "local" address class
    - virtual_alias_domains     # "virtual alias" address class
    - virtual_mailbox_domains   # "virtual mailbox" address class
    - relay_domains             # "relay" address class

- So the above quoted advice is somewhat inaccurate. However, Postfix 2.0
  introduced a default backwards-compatibility setting with Postfix 1.0
  and 1.1, that even some users who started with Postfix later may be
  relying on:

    $ postconf -d virtual_alias_domains
    virtual_alias_domains = $virtual_alias_maps

  Therefore, with the above setting, (I generally recommend setting
  virtual_alias_domains explicitly either empty or some separate list or
  table) don't list "bare" domains as keys in any tables used for
  "virtual_alias_maps", when this is also the set of tables defining
  "virtual_alias_domains".

  When virtual_alias_domains is its separate list, it is OK to list
  what look like "bare" domains as keys in "virtual_alias_maps", but
  they are then just localparts of email addresses from "local" domains
  (or $myorigin, or qualified with address literals in $proxy_interfaces).

So if foo.example is a local domain, and foo.example is also a local email address you might have:

    main.cf:
        # Explicit either empty value, or in any case does not
        # include "foo.example" as a literal element or as a key
        # in a table element.
        #
        virtual_alias_domains = ...
        mydestination = foo.example, ...
        virtual_alias_maps = inline:{ {foo.example = postmaster} }

and then there's no conflict, email to "foo.example@foo.example" will be delivered to the postmaster, as specified.

-- 
Viktor.
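An added example, not part of the original thread and not Postfix code: a small checker for the no-overlap rule among the four address classes listed above, including the `virtual_alias_domains = $virtual_alias_maps` default. It assumes `postconf`-style `name = value` input, inspects only literal domains and the `inline:{ {key = value} }` table form shown in the message, and all function names are hypothetical.

```python
import re
from itertools import combinations
# Address classes from the message; default as quoted there from postconf -d.
CLASSES = ("mydestination", "virtual_alias_domains",
           "virtual_mailbox_domains", "relay_domains")
DEFAULTS = {"virtual_alias_domains": "$virtual_alias_maps"}

def parse_postconf(text):
    """Turn 'name = value' lines (postconf output style) into a dict."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {name.strip(): value.strip() for name, _, value in pairs}

def expand(value, params):
    """Substitute $name / ${name} references; bounded passes stop cycles."""
    ref = lambda m: params.get(m[1] or m[2], DEFAULTS.get(m[1] or m[2], ""))
    for _ in range(10):
        value = re.sub(r"\$(?:\{(\w+)\}|(\w+))", ref, value)
    return value

def elements(value):
    """Split a list on commas/whitespace, keeping {...} groups in one piece."""
    out, buf, depth = [], "", 0
    for ch in value + ",":              # trailing comma flushes the last item
        depth += (ch == "{") - (ch == "}")
        if depth or ch not in ", \t":
            buf += ch
        elif buf:
            out.append(buf)
            buf = ""
    return out

def domains_of(element):
    """Literal domain, or the bare-domain keys of an inline:{ {k = v} } table."""
    if element.startswith("inline:{"):
        keys = re.findall(r"\{\s*([^\s={}]+)\s*=", element)
        return {k.lower() for k in keys if "@" not in k}
    # Other type:table and /file elements cannot be inspected offline: skipped.
    return set() if ":" in element or element.startswith("/") else {element.lower()}

def overlaps(params):
    """Map each pair of address classes to the domains they share."""
    doms = {c: set().union(*(domains_of(e) for e in elements(
        expand(params.get(c, DEFAULTS.get(c, "")), params)))) for c in CLASSES}
    return {(a, b): sorted(doms[a] & doms[b])
            for a, b in combinations(CLASSES, 2) if doms[a] & doms[b]}

# Constructed sample (foo.example case); virtual_alias_domains is left unset.
SAMPLE = ("mydestination = foo.example, localhost\n"
          "virtual_alias_maps = inline:{ {foo.example = postmaster} }")
```

With `SAMPLE` as given, `overlaps(parse_postconf(SAMPLE))` reports `foo.example` in both the local and virtual alias classes; appending an explicit empty `virtual_alias_domains =` line makes the result empty.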
[pfx] Re: ldap lookup result case problem
Sorry my mistake, everything works as expected.

On 03/11/2024 21:20, Guntis Bumburs via Postfix-users wrote:

> Hello,
>
> Is there a way to convert ldap lookup result to lowercase?
>
> I am using this config:
>
> # cat ldap_relay_recipient_maps.cf
> server_host = 192.168.1.1
> search_base = OU=Users,OU=Domain,DC=abc,DC=local
>
> bind_dn = abc\abc
> bind_pw = abc
> query_filter = (proxyAddresses=smtp:%s)
> result_attribute = mail
>
> # cat main.cf
> ...
> local_recipient_maps =
>     ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
> ...
>
> Testing with postmap
> # postmap -q supp...@abc.com ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
> supp...@abc.com
>
> # postmap -q suppo...@abc.com ldap:/usr/local/etc/postfix/ldap_relay_recipient_maps.cf
> suppo...@abc.com
>
> Response is not converted to lowercase. It is returned in exact form as
> it is in directory resulting in lookup mismatch.
>
> $ postconf mail_version
> mail_version = 3.9
>
> BR,
> Guntis
[pfx] Re: mydestination shared domains?
On 3.11.2024 at 05:51:50 David Chmelik via Postfix-users wrote:

>
> I read an article saying that documentation is wrong: can't add extra
> domains to $mydestination or not only do they loop back to $mydomain, but
> apparently doesn't set properly rather than loops back from itself to
> literally itself.

No. I have 7 names in my "mydestination" parameter and they all work as intended (i.e. mail sent to any "user@domainname" goes to the mailbox of user "user").

Make sure that you DON'T list domain names included in "mydestination" parameter elsewhere, for example in virtual alias file. You cannot use the same domain in both places; the domain can be either a local one (used in "mydestination" parameter) or a virtual one (used in virtual alias file), but not both.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: mydestination shared domains?
> I followed 'www.postfix.org/VIRTUAL_README.html : As simple as can be:
> shared domains, UNIX system accounts' to set style like 'mydestination =
> $myhostname localhost.$mydomain ... example.com' for a few domains (except
> example has no commas like main.cf). Regardless of $myhostname, $mydomain
> (also tested default/unset) it defers mail, saying $mydomain loops back to
> myself.

'mydestination' should be used for the server's hostname/ptr domain. Additional domains you want to accept email for should be configured as virtual domains.

I believe what the issue is, and I hope I'm wording this right. Let's say the server's hostname is example1.com and you have additionally added example2.com to 'mydestination'. Email comes in for u...@example2.com, domain matches mydestination, postfix accepts delivery. Postfix goes to stuff it in the inbox for u...@example2.com. Can't find that user. Can only find u...@example1.com, because this machine is for users of example1.com, because that is this server's hostname. Okay, so postfix will try to deliver the email to the server that has u...@example2.com, MX lookup, oh look, that's me. Loop back.