postfix and mailman
Hello,

I'm running a CentOS 5.4 machine and attempting to get postfix and mailman going on it. This was working prior to a complete system upgrade about 9 months ago; now it isn't. I'm getting an error 554 user unknown message when the user attempts to send back the confirmation email to join the mailing list, in this case a test list called test4. I'm running postfix 2.3.3 and mailman 2.1.9 installed from rpms. I've got a virtual mailbox domain called for this purpose example.com which is working fine. I decided to have a separate domain called lists.example.com for mailman. When the error 554 comes in, instead of being test4-requ...@lists.example.com, which would work, the address is test4-requ...@example.com, which is nonexistent. How can I get this to work? I think this is something simple, but two days and I'm not seeing it. My config is below.

Thanks.
Dave.

main.cf:

address_verify_map = btree:/var/spool/postfix/verified_senders
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/etc/mailman/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
invalid_hostname_reject_code = 554
mail_owner = postfix
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mime_header_checks = regexp:/etc/postfix/mime_header_checks
multi_recipient_bounce_reject_code = 554
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 554
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = yes
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtp_tls_key_file = /etc/postfix/ssl/smtp.key
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unverified_recipient
    reject_multi_recipient_bounce
    check_client_access cidr:/etc/postfix/sinokorea.cidr
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    check_helo_access hash:/etc/postfix/helo_checks
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    check_sender_access hash:/etc/postfix/common_spam_senderdomain
    check_sender_access regexp:/etc/postfix/common_spam_senderdomain_keywords
    check_sender_access hash:/etc/postfix/freemail_access,
    check_sender_access hash:/etc/postfix/greylist
    check_client_access hash:/etc/postfix/client_checks,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client black.uribl.com,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rhsbl_sender dsn.rfc-ignorant.org
smtpd_restriction_classes = from_freemail_host, greylist,
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains = lists.$mydomain
virtual_alias_maps = hash:/etc/mailman/virtual-mailman
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
postfix 2.8 virtual mailbox warning on .sent
Hello,

I'm setting up a new email server. It's running on a CentOS Linux machine and using Postfix 2.8 from a custom compiled rpm. I've got virtual mailbox domains set up, and have sent an email to one of my users from an external account to test. It went through, was delivered just fine. During the process I got the following warning message from virtual(8).

May 13 20:04:51 ohio postfix/virtual[14467]: warning: check_dir_size: cannot reopen directory: /var/mail/vhosts/domain.com/user//.Sent

I checked the indicated path and there is a .Sent directory. I've not seen this warning before, is it significant? I'm not sure if this is relevant, but the box I'm running is not using any SELinux features.

Thanks.
Dave.
Re: postfix 2.8 virtual mailbox warning on .sent
Hello,

Thanks. Checking that list revealed the issue. Somehow the permissions aren't being set right. I had to change the owner and group of the .Sent hidden folder to my vmail user and it is now working without the warning.

Thanks.
Dave.

On 5/13/11, Wietse Venema wrote:
> David Mehler:
>> Hello,
>> I'm setting up a new email server. It's running on a CentOS Linux
>> machine and using Postfix 2.8 from a custom compiled rpm. I've got
>> virtual mailbox domains set up, and have sent an email to one of my
>> users from an external account to test. It went through, was delivered
>> just fine. During the process I got the following warning message from
>> virtual(8).
>>
>> May 13 20:04:51 ohio postfix/virtual[14467]: warning: check_dir_size:
>> cannot reopen directory: /var/mail/vhosts/domain.com/user//.Sent
>
> That is a message from the third-party "VDA" quota patch. You may
> have better results searching their mailing list.
>
> http://sourceforge.net/mailarchive/forum.php?forum_name=vda-users
>
> Wietse
>
>> I checked the indicated path and there is a .Sent directory. I've not
>> seen this warning before, is it significant? I'm not sure if this is
>> relevant, but the box I'm running is not using any SELinux features.
>>
>> Thanks.
>> Dave.
Postfix Virtual Mailbox hosting Mysql System
Hello,

I'm running an Arch Linux machine and a Postfix virtual mailbox hosting server with a Mysql backend. The software versions are:

postfix 2.8.6-1
Mysql 5.5.17-1
Dovecot 2.0.15-1

The Dovecot I'm using for pop3s and imaps.

Right now I have one domain I'll call example.com. I've got one user that I've created in the mysql database called user1; that's working fine, his virtual mail storage location was created, mail can be sent and delivered properly.

My problem is system accounts, root first. r...@example.com: when I telnet to the host and try to deliver email to that user I get an error message user unknown in virtual mailbox table, great! The first problem is system utilities: anacron, when delivering mail to r...@example.com, created the virtual mailbox area for the root user and delivers mail into it; it was my understanding this was not supposed to happen. A little later in this message I will show my configs to see if I messed up somewhere. Two other accounts that do this are the webmaster and postmaster accounts; they get created and can have system mail delivered to them, but not external mail.

I'm trying to forward webmaster, postmaster, and root to user1. In setting up these virtual forwardings can I give each account a unique subject such as (webmaster) to differentiate those messages?

Here's a postconf -n output:

alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
bounce_template_file = /etc/postfix/bounce.cf.default
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = hash:/etc/postfix/network_table
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /etc/postfix/sample
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_helo_timeout = 60s
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_limit = 262144000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000

Thanks.
Dave.
Re: Postfix Virtual Mailbox hosting Mysql System
Hello,

Thank you. I got the root working with virtual_aliases. My question is, before I put in the virtual alias mapping, mail anacron attempted to deliver to root should have bounced; I'm wondering why it didn't, and also why the root virtual mailbox was created under the virtual mailbox store? For my virtual alias maps should I put them all under the mysql database or have them mixed?

Thanks.
Dave.

On 11/13/11, Jeroen Geilman wrote:
> On 2011-11-12 23:06, David Mehler wrote:
>> Hello,
>>
>> I'm running an Arch Linux machine and a Postfix virtual mailbox
>> hosting server with a Mysql backend. The software versions are:
>>
>> postfix 2.8.6-1
>> Mysql 5.5.17-1
>> Dovecot 2.0.15-1
>>
>> The Dovecot I'm using for pop3s and imaps.
>>
>> Right now I have one domain I'll call example.com I've got one user
>> that I've created in the mysql database called user1, that's working
>> fine, his virtual mail storage location was created, mail can be sent
>> and delivered properly.
>>
>> My problem is system accounts, root first, r...@example.com when I
>> telnet to the host and try to deliver email to that user I get an
>> error message user unknown in virtual mailbox table, great! The first
>> problem is system utilities, anacron, when delivering mail to
>> r...@example.com created the virtual mailbox area for the root user
>> and delivers mail into it, it was my understanding this was not
>> supposed to happen. A little later in this message I will show my
>> configs to see if I messed up somewhere. Two other accounts that do
>> this are the webmaster and postmaster accounts, they get created and
>> can have system mail delivered to them, but not external mail.
>>
>> I'm trying to forward webmaster, postmaster, and root to user1, in
>> setting up these virtual forwardings can I give each account a unique
>> subject such as (webmaster) to differentiate those messages?
>
> Hi, welcome to the postfix user mailing list!
>
> As documented, a setup where SOME accounts are LOCAL is achieved by
> following the instructions in
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local
>
>
> --
> J.
new server wanting to specify dnsbl's
Hello,

Setting up a new server and wanting to know the current opinions on blacklisting services, spamcop, sorbs, and spamhaus for fighting spam. I'd like to get some user experiences with them, any false positives, or issues?

Thanks.
Dave.
openspf.org
Hello,

I'm trying to get spf going on my arch postfix server. I'm wanting to get perl-policyd-spf going and am attempting to download the needed source. The issue is openspf.org appears down; anyone know why or if there's an alternative download available?

Thanks.
Dave.
postfix, dovecot, and virtual quotas
Hello,

I've got a postfix system serving virtual mailbox domains. It's using Dovecot as an LDA, and I'm wanting to hook in quotas. My thinking is that I have to do this in the LDA, but I'm curious about the virtual_mailbox_limit parameter in main.cf. Is it used for quota or size limits when using dovecot as an LDA?

Thanks.
Dave.
multiple content filters, a sanity check
Hello,

I'm running Postfix 2.8 and virtual mailbox domains with a mysql database. I've also got spf and dkim signatures going as well as clamsmtp as an smtp proxy for virus checking. I'd now like to add in dspam antispam capability so that users can forward emails that are spam or not. My problem is the multiple content filters are mixing me up and I'm not sure I've got the most efficient setup. In master.cf, if the smtpd process has a content_filter option on it, does that go first in the chain before any content_filter directives in main.cf? My working main.cf and master.cf files are below this message; dspam addon lines are still commented out. If anyone has this setup going I'd appreciate a sanity check. Also, if there are any configuration errors that I've missed please let me know; this is the most complex configuration I've set up to date.

Thanks.
Dave.

main.cf:

soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_protocols = all
inet_interfaces = all
mydestination = localhost
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32, [::1]/128, [fe80::]/10, [IPV6ADdress]/64
local_recipient_maps =
unknown_local_recipient_reject_code = 550
in_flow_delay = 1s
biff = no
append_dot_mydomain = no
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix/sample
readme_directory = no
bounce_template_file = /etc/postfix/bounce.cf.default
delay_warning_time = 4h
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf, proxy:mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_base = /var/mail/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_minimum_uid = 5000
# Increase the virtual mailbox limit from 51 mb to 250 mb (Not sure if needed since dovecot is handling quotas)
virtual_mailbox_limit = 262144000
virtual_transport = dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_authenticated_header = yes
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/auto-whtlst
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client zen.spamhaus.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/policy-spf
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
spf-policyd_time_limit = 3600s
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
content_filter = scan:[127.0.0.1]:10026
receive_override_options = no_address_mappings

master.cf:

smtp       inet  n  -  n  -   -  smtpd
#  -o content_filter = lmtp:unix:/var/run/dspam/dspam.sock
submission inet  n  -  n  -   -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n  -  n  60  1  pickup
cleanup    unix  n  -  n  -   0  cleanup
qmgr       fifo  n  -  n  300 1  qmgr
tlsmgr     unix  -  -  n  1000? 1  tlsmgr
rewrite    unix  -  -  n  -   -  trivial-rewrite
bounce     unix  -  -  n  -   0  bounce
defer      unix  -  -  n  -   0  bounce
trace      unix  -  -  n  -   0  bounce
verify     unix  -  -  n  -   1  verify
flush      unix  n  -  n  1000? 0  flush
proxymap   unix  -
getting a pcre table right
Hello,

I've got a postfix system running mysql virtual mailbox domains and dspam hooked into it. I've got a test user called test1 and have hooked dspam into my setup. I'm having an issue with the alias addresses. To my database I've added:

INSERT INTO `mail`.`virtual_aliases` ( `id`, `domain_id`, `source`, `destination` ) VALUES ( '19', '1', 'spam-test1', 'test1' );

and the same for notspam-test1 with an increased ID. In my smtpd_recipient_restrictions, after permit_mynetworks, permit_sasl_authenticated, and reject_unauth_destination, I've got these two lines:

check_recipient_access pcre:/etc/postfix/dspam_check_aliases
check_sender_access pcre:/etc/postfix/dspam_check_aliases

so that only users on mynetworks or authenticated via sasl can use the spam and notspam addresses. An externally sent email to notspam-te...@domain.com went through. I'm assuming I have an error in my pcre table. Here it is:

/^.*(spam|notspam)@.*$/ REJECT

I thought the * was supposed to catch everything after it. Any suggestions on the fix to this line I'd appreciate.

Thanks.
Dave.
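As an added check, not part of the post above, the following Python stand-in applies pcre access-table semantics as access(5) describes them (each pattern tried against the complete address, first match wins) to the posted table and to a corrected one; it shows that the posted pattern needs the literal text "spam@", which the alias addresses spam-test1@ and notspam-test1@ never contain. The corrected table is my suggestion, and the sample recipients are constructed.

```python
import re

# Postfix applies each pattern of a pcre: access table to the complete
# address being looked up, in file order, and takes the action of the
# first match (access(5), "REGULAR EXPRESSION TABLES").  This module is a
# stand-in for that lookup so a table can be checked without Postfix.
# Only the "i" flag (toggles the default case-insensitive matching) is
# modelled; other pcre_table(5) flags are rejected rather than guessed.
TABLE_LINE = re.compile(r"^(!?)/(.*)/([A-Za-z]*)\s+(\S.*)$")


def parse_pcre_table(text):
    """Parse '[!]/pattern/[flags] action' lines into (regex, negate, action)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("unparsable table line: %r" % line)
        negate, pattern, flags, action = m.groups()
        unsupported = set(flags) - {"i"}
        if unsupported:
            raise ValueError("flag(s) %s not modelled here" % "".join(sorted(unsupported)))
        re_flags = 0 if "i" in flags else re.IGNORECASE
        entries.append((re.compile(pattern, re_flags), negate == "!", action))
    return entries


def lookup(entries, address):
    """Action of the first entry that matches the full address, else None."""
    for regex, negate, action in entries:
        if (regex.search(address) is not None) != negate:
            return action
    return None   # no match: Postfix continues with the next restriction


# The table from the post.  It needs the literal text "spam@" or
# "notspam@", but the aliases created in the database are spam-test1 and
# notspam-test1, whose local parts end in "-test1", so it never matches.
ORIGINAL_TABLE = "/^.*(spam|notspam)@.*$/ REJECT\n"

# Suggested replacement (not from the post): anchor at the start of the
# address and allow any local-part suffix after the "spam-"/"notspam-" prefix.
CORRECTED_TABLE = "/^(spam|notspam)-[^@]+@/ REJECT\n"

# Constructed sample recipients; domain.com is the post's placeholder.
SAMPLE_ADDRESSES = [
    "notspam-test1@domain.com",
    "spam-test1@domain.com",
    "NOTSPAM-test1@domain.com",
    "test1@domain.com",
    "spam@domain.com",
]


def evaluate(table_text, addresses=SAMPLE_ADDRESSES):
    """Map each address to the action the table would return for it."""
    entries = parse_pcre_table(table_text)
    return {addr: lookup(entries, addr) for addr in addresses}


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL_TABLE), ("corrected", CORRECTED_TABLE)):
        print(name + " table:")
        for addr, action in evaluate(table).items():
            print("  %-26s -> %s" % (addr, action or "(no match)"))
```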
clamsmtp or clamav-milter for antivirus with postfix 2.9?
Hello,

This might be off topic, but I was wondering: I am using Postfix 2.9.x and am wanting to integrate antivirus capabilities. What are the differences between clamsmtp and clamav-milter? I'm wondering which one would be better for an antivirus setup?

Thanks.
Dave.
IPV6 and SPF
Hello,

Does anyone publish SPF records for IPV6 in DNS? The reason I ask is my mail server has both an IPV4 and an IPV6 address, and when connecting to it via webmail that goes to localhost, it seems as if the outgoing connection is either IPV4 or IPV6 depending on whether that localhost connection got the v4 or v6 address first. I've got an IPV4 SPF record which works fine and validates. On the IPV6 side that one doesn't, and when reading headers it says so. I'd like to fix this.

Thanks.
Dave.
Postfix and DSpam
Hello,

Do we have any users of Postfix and DSpam here? If so, can you write me privately? I'm having a few issues fine tuning my configuration. I'm running FC20, Postfix 2.10, and DSpam 3.10. Authentication is done via a Mysql database. I'm using DSpam as a content filter; this part is working fine, with a question mark. When I get an email Postfix hands it off to DSpam and DSpam does its analysis, then reinjects it back to Postfix on localhost 10026, which then hands it to Dovecot for delivery.

The first problem is occurring if I get a false positive: I want to send that email to an alias address nots...@example.com which will then retrain DSpam. This is not working and I'm getting from DSpam the error that it can't find a valid signature in the database for the message; it's failing with an error -5 and the message is dropped and not retrained. If I move a message from inbox to Spam folder the Dovecot antispam plugin works and that message is retrained. What I'm wanting to figure out is why forwarding messages to nots...@example.com isn't working and also why sending a message to s...@example.com is also not working. If anyone can help please email me. Below are my relevant lines of configuration.

Thanks.
Dave.

/etc/postfix/master.cf:

smtp       inet  n  -  n  -  -  smtpd
# DSPAM Specific Configuration
#
## DSPAM CONTENT FILTER BEGIN
#dspam     inet  n  -  n  -  -  smtpd
  -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock
## DSPAM -> POSTFIX => REINJECTION
localhost:10026 inet n  -  n  -  -  smtpd
  -o content_filter=
  -o receive_override_options=no_address_mappings,no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
## DSPAM CONTENT FILTER END
## DSPAM RETRAIN BEGIN
# handle dspam retrain
## This path is used when a user sends in a piece of mail and
## wants to classify it as SPAM
dspam-spam    unix  -  n  n  -  -  pipe
  flags=Rhq user=dspam argv=/usr/bin/dspam --mode=toe --user dspam --class=spam --client --source=error ${sender} --deliver=spam
## This path is used when a user sends in a piece of mail and
## wants to classify it as INNOCENT
dspam-notspam unix  -  n  n  -  -  pipe
  flags=Rhq user=dspam argv=/usr/bin/dspam --mode=toe --user dspam --class=innocent --client --source=error ${sender} --deliver=innocent
dovecot       unix  -  n  n  -  -  pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

/etc/postfix/main.cf:

# Transport for dspam
transport_maps = hash:/etc/postfix/transport
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf, hash:/etc/postfix/dspam_aliases
dovecot_destination_recipient_limit = 1

/etc/postfix/transport:

s...@example.com dspam-spam:{$1}
nots...@example.com dspam-notspam:{$1}

/etc/postfix/dspam_aliases:

s...@example.com 2
nots...@example.com 6
Postfix DSpam retrain aliases and error 555 user does not exist
Hello,

I'm using Postfix 2.10 and DSpam 3.10 on an FC20 system. I'm trying to set up the DSpam aliases for retraining, s...@domain.com and nots...@domain.com, and I keep getting an error 555 from Postfix, user does not exist. I thought this was because I was trying to forward an email to the notspam address from my webmail client, but I tried it locally and got the same error. Here's my config for postfix; can anyone spot my error?

/etc/postfix/main.cf:

# Transport for dspam
transport_maps = hash:/etc/postfix/transport
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf, hash:/etc/postfix/dspam_aliases

/etc/postfix/transport:

s...@example.com dspam-retrain:spam
nots...@example.com dspam-retrain:innocent

/etc/postfix/dspam_aliases:

# for dspam training
s...@example.com 2
nots...@example.com 6

/etc/postfix/master.cf:

dspam-retrain unix  -  n  n  -  -  pipe
  flags=Rhq user=dspam argv=/usr/bin/dspamc --client --mode=teft --class=${nexthop} --source=error --user ${sender}

Once these aliases are working is it possible to protect them? I don't want anyone just sending email to them.

Thanks.
Dave.
Follow up to my Postfix and DSpam issue
Hello,

This is a short follow up to my message on Postfix and DSpam integration, specifically dealing with the spam and notspam aliases. I still have not found out what the problem is, but I know what it isn't. It's definitely not postfix. I removed the content_filter option and kept everything else, also changed in master.cf /usr/bin/dspamc to /usr/bin/dspam, and forwarding to the spam and notspam addresses worked fine; locked them down with a sender and recipient check and that also worked. Adding back in the content_filter option and they return error 555 invalid user.

Thanks.
Dave.
postscreen fine tuning
Hello,

I'm running postscreen and I'm wondering about a setting. For postscreen_dnsbl_action and postscreen_greet_action I've got them set to enforce. My problem is, while it works, I get clients that are repeat customers after they've already been dealt with. Should I change these to drop?

# For postscreen
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*2 b.barracudacentral.org*3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_cache_cleanup_interval = 0

Thanks.
Dave.
Re: TLS and Android clients
Hello,

Not sure if this will help with anything, but about a year back I was having issues getting my at the time s7 phone to connect to postfix. The solution was to determine that the connecting key was an ed-384 bit key. At that time android only supported ed-256 keys so I had to redo my key and it worked. I've now got an s20 so don't know if this information is still valid.

Hth
Dave.

On 12/18/21, Matthias Andree wrote:
> On 15.12.21 at 23:35, Benny Pedersen wrote:
>> On 2021-12-15 23:04, raf wrote:
>> How could I get an Android client and a Postfix server work together please?
>>
>>> It's just a guess, but maybe the problem is ECDSA.
>>> If you add an RSA key as well, it might work.
>>> Does that sound plausible?
>>
>> or simply try smtps if submission fails on android
>>
>> i use aquamail on android with success smtps / imaps (ssl not tls)
>
> Benny,
>
> Please do not confuse protocol versions with how TLS
> handshake/negotiation is introduced.
>
> SSL is the obsolete and unsafe predecessor to TLS but that or the TLS
> version has NOTHING to do with
> whether you either: use dedicated SSL-wrapped = TLS-wrapped = Implicit
> TLS ports for TCP,
> or: start a vulnerable clear-text connection that starts at application
> level, then proceeds through STARTTLS or STLS to negotiate TLS,
> and when many applications forget to reset their state[1 below]
>
> Standing recommendations are to use TLS v1.2 or newer. Obsolete clients
> may want to talk TLS v1.1 or v1.0 though but should be upgraded or
> phased out.
>
> If you want to make a distinction between negotiation, i. e., whether
> the TCP session starts with TLS handshake right away (called "Implicit
> TLS" or "TLS-wrapped on dedicated "...s" ports smtps/imaps/pop3s on
> 465/993/995) or cleartext initial conversation that negotiates TLS
> in-band (STARTTLS for SMTP and IMAP, STLS for POP3 on ports 25/587, 143,
> 110, respectively), then make that clear. Anything else is coincidental
> and adds to the confusion.
>
> Thank you.
>
> [1] After the Poddebniak et al. paper&presentation earlier this year,
> Implicit TLS would get my preference, it is also cleaner and does not
> mix application and security layers in ways that require special attention.
> https://www.usenix.org/conference/usenixsecurity21/presentation/poddebniak
anyone getting live bounce messages?
Hello,

Is anyone getting bounce messages from live.com? I'm emailing a friend and got confirmation that he is seeing the messages, but I'm getting a bounce message that is ending up in spam. Any ideas?

Thanks.
Dave.
Re: anyone getting live bounce messages?
Hello,

At first I thought the message wasn't going through at all, then my friend wrote me back. He's definitely getting them, but each time I send a message I get a bounce message showing up in junk mail.

Thanks.
Dave.

On 4/2/20, Tessa Plum wrote:
> MS's email systems always suck. They even put the messages sent by MS
> itself to the junk folder. Any new domain sending messages to
> outlook/live is a nightmare.
>
> Thanks.
>
>
>
> David Mehler wrote:
>> Is anyone getting bounce messages from live.com? I'm emailing a friend
>> and got confirmation that he is seeing the messages, but I'm getting a
>> bounce message that is ending up in spam. Any ideas?
MTA-STS?
Hello,

I just heard about this and started reading on it. Is MTA-STS something Postfix works with?

Thanks.
Dave.
Postfix Helo reverse Exception
Hello, I'm needing to set up an helo exception for a single host. Mar 20 18:19:11 mail postfix/smtpd[53636]: connect from xxx.xxx.xxx[xxx.xxx.xxx.xxx] Mar 20 18:19:11 mail postfix/smtpd[53636]: Anonymous TLS connection established from xxx.xxx.xxx[xxx.xxx.xxx.xxx]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits) Mar 20 18:19:12 mail postfix/smtpd[53636]: NOQUEUE: reject: RCPT from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 550 5.7.1 : Helo command rejected: Host not found; from= to= proto=ESMTP helo= Mar 20 18:19:12 mail postfix/smtpd[53636]: disconnect from xxx.xxx.xxx[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8 Googling brought me to an issue where this was discussed pointing to reject_unknown_helo_hostname as the likely culprit since the mail server a and ptr records are working fine, but the helo it's sending doesn't reverse ptr. The fix was a suggestion of commenting out reject_unknown_helo_hostname checking: https://serverfault.com/questions/922935/why-does-postfix-say-helo-command-rejected-host-not-found-when-dig-finds-the http://www.postfix.org/postconf.5.html#reject_invalid_helo_hostname I don't want to blanket disable reject_unknown_helo_hostname is there a way I can set a helo exception for this one host/sender? 
My HELO section is below with the commented out option:

# helo restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    #reject_unknown_helo_hostname
    check_helo_access hash:/usr/local/etc/postfix/helo_access

and my complete postconf -n output:

#postconf -n
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = no
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
lmtp_tls_protocols = $smtpd_tls_protocols
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = mail.example.com
mydomain = example.com
myhostname = mail.example.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net
    list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_CApath = $smtpd_tls_CApath
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated reject_unknown_reverse_client_hostname check_client_access cidr:/usr/local/etc/postfix/spamfarms c
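The per-host exception the question asks for, as an added example that is not from this thread: Postfix walks each restriction list in order and stops at the first match, so an access map that returns OK for the one client, placed before reject_unknown_helo_hostname, exempts just that client. The map file name and the 192.0.2.10 address are placeholders.

```conf
# main.cf (added example, not the poster's configuration)
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    # Exception first: a lookup that returns OK ends this list here, so the
    # reject_* checks below are never evaluated for that client.
    check_client_access hash:/usr/local/etc/postfix/helo_exceptions
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    check_helo_access hash:/usr/local/etc/postfix/helo_access

# /usr/local/etc/postfix/helo_exceptions (placeholder path and address)
# Keyed on the connecting client's IP address or its reverse hostname, so the
# exemption is tied to the peer. Keying a check_helo_access map on the HELO
# name instead would exempt that name no matter which client sends it.
# Rebuild after editing:  postmap hash:/usr/local/etc/postfix/helo_exceptions
# Check the lookup:       postmap -q 192.0.2.10 hash:/usr/local/etc/postfix/helo_exceptions
192.0.2.10      OK

# The same ordering rule applies to any other list (older versions of this
# configuration carry reject_unknown_helo_hostname in
# smtpd_recipient_restrictions too); without the exception there as well,
# the client is still rejected at RCPT TO.
```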
Re: Postfix Helo reverse Exception
Hello Wietse and everyone,

Thank you all for your suggestions. I've kept the reject_unknown_helo_hostname commented and things are working just fine.

Thanks.
Dave.

On 3/21/21, ludic...@gmail.com wrote:
> I tried to work with reject_unknown_helo_hostname time and time again.
> But way too many regular servers don't comply.
> It does not seem as if there is much progress.
>
> OTOH, reject_invalid_helo_hostname does a good job in my realm of mail
> traffic.
> I have yet to see a complaint about turning these away.
>
> Greets,
> Ludi
>
> -Original Message-
> From: owner-postfix-us...@postfix.org on behalf of Phil Stracchino
> Sent: Sunday, 21 March 2021 02:21
> To: postfix-users@postfix.org
> Subject: Re: Postfix Helo reverse Exception
>
> On 3/20/21 8:23 PM, Wietse Venema wrote:
>> But it is better to stop using reject_unknown_helo_hostname because
>> there are many misconfigured servers that send legitimate mail.
>
> That is an interesting piece of advice.
>
> --
> Phil Stracchino
> Babylon Communications
> ph...@caerllewys.net
> p...@co.ordinate.org
> Landline: +1.603.293.8485
> Mobile: +1.603.998.6958
Issue with postfix-policyd-spf-perl
Hello,

I'm running Postfix 3.6, I just upgraded. I do not know if this issue occurred because of the upgrade or prior to it, as I hadn't sent any mail through this account lately.

I'm having an issue with SPF, error log below. If I comment out the check policy for SPF under recipient_restrictions things work fine; turn it back on and this is the log that I get, addresses obfuscated.

May 12 12:26:40 mail postfix/submission/smtpd[90536]: connect from xxx-xxx-xxx-xxx.xxx.xxx.xxx.xxx[xxx.xxx.xxx]
May 12 12:26:40 mail postfix/submission/smtpd[90536]: Anonymous TLS connection established from xxx-xxx-xxx-xxx.xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 *
May 12 12:26:43 mail postfix/policy-spf[90924]: Policy action=550 Please see http://www.openspf.net/Why?s=mfrom;id=xxx%40xxx.xxx;ip=xxx.xxx.xxx.xxx;r=mail.xxx.xxx
May 12 12:26:43 mail postfix/submission/smtpd[90536]: NOQUEUE: reject: RCPT from xxx-xxx-xxx-xxx.xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 550 5.7.1 : Recipient address rejected: Please see http://www.openspf.net/Why?s=mfrom;id=xxx%40xxx.xxx;ip=xxx.xxx.xxx.xxx;r=xxx.xxx.xxx; from= to= proto=ESMTP helo=<[192.168.15.8]>
May 12 12:27:06 mail postfix/submission/smtpd[90536]: disconnect from xxx-xxx-xxx-xxx.xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=6/7

Here's my postconf -n output; any suggestions as to why this is happening appreciated. I went to the web site indicated in the error log, but was told that site didn't exist.

Thanks.
Dave.

# postconf -n
allow_percent_hack = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level =
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = no
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
lmtp_tls_protocols = $smtpd_tls_protocols
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = localhost, xxx.xxx.xxx
mydomain = xxx.xxx
myhostname = xxx.xxx.xxx
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net
    list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_CApath = $smtpd_tls_CApath
smtp_tls_ciphers = high
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated reject_unknown_reverse_client_hostname check_client_access cidr:/usr/local/etc/postfix/spamfarms check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr check_clien
Re: Issue with postfix-policyd-spf-perl
Hello,

Thanks. Here's my master.cf submission entry:

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o tls_preempt_cipherlist=yes
  -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf

What do I need to add? With openspf.net being down, what do you recommend for an SPF service upgrade?

Thanks.
Dave.

On 5/12/21, Noel Jones wrote:
>
> On 5/12/2021 12:26 PM, David Mehler wrote:
>> Hello,
>>
>> I'm running Postfix 3.6, I just upgraded. I do not know if this issue
>> occurred because of the upgrade or prior to it as I hadn't sent any
>> mail through this account lately.
>>
>> I'm having an issue with spf, error log below, if I comment out check
>> policy for spf under recipient_restrictions things work fine, turn it
>> back on and this is the log that I get, addresses obfuscated.
>>
>> May 12 12:26:40 mail postfix/submission/smtpd[90536]: connect from
>> xxx-xxx-xxx-xxx.xxx.xxx.xxx.xxx[xxx.xxx.xxx]
>
>> May 12 12:26:43 mail postfix/submission/smtpd[90536]: NOQUEUE: reject:
>> RCPT from xxx-xxx-xxx-xxx.xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 550 5.7.1
>> : Recipient address rejected: Please see
>> http://www.openspf.net/Why?s=mfrom;id=xxx%40xxx.xxx;ip=xxx.xxx.xxx.xxx;r=xxx.xxx.xxx;
>> from= to= proto=ESMTP
>> helo=<[192.168.15.8]>
>
>>
>> Here's my postconf -n output any suggestions as to why this is
>> happening appreciated, I went to the web site indicated in the error
>> log, but was told that site didn't exist.
>>
>
> Don't use SPF on the submission interface. The local IP submitting
> the mail is very unlikely to be listed in the SPF allowed list.
>
> This is unrelated to your postfix upgrade.
>
> To fix this, use overrides in the master.cf submission entry to
> disable all but the required entries. There should be a basic
> example included in the default master.cf
>
>
> I don't think the openspf.net website is active anymore. While that
> won't break your SPF check, it does make the error response
> confusing. Maybe time to update your SPF service too.
>
>
>
>-- Noel Jones
>
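Noel's override written out, as an added example rather than the poster's own master.cf: the existing entry overrides smtpd_client_restrictions only, so the main.cf smtpd_recipient_restrictions list, which is where the SPF check_policy_service sits, still runs for port 587 until it is overridden as well. The reject_sender_login_mismatch line is an assumption based on the smtpd_sender_login_maps already in the entry.

```conf
# master.cf submission entry (added example). The four restriction overrides
# are the additions; the remaining -o lines are the poster's.
# Each -o value must be one token: separate restrictions with commas, no spaces.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o tls_preempt_cipherlist=yes
  -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
```

Confirm the entry with `postconf -M submission/inet` and run `postfix reload`; the SPF policy service keeps running for port 25, where the main.cf lists still apply to unauthenticated senders.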
postfix tls error on port 587
Hello,

I'm running a FreeBSD 10.2 system, Postfix 2.11.6, OpenSSL 1.0.1p. I'm working on setting up a webmail client to my existing Postfix/Dovecot/MySQL setup. I've tried two webmail clients; both are giving me the below errors when the webmail client (Postfix, Dovecot, MySQL and the web server are all running on the same machine) attempts to send mail through port 587. I am using port 587 because I've got postscreen running on port 25. I am using self-signed certificates via my own CA, if that matters. Here's the error:

Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: connect from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from localhost[::1]: 0
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL alert number 48:
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: lost connection after STARTTLS from localhost[::1]
Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: disconnect from localhost[::1]

I'm not sure which CA it's referring to. I do have my CA's public certificate defined in smtpd_tls_CAfile and have the SMTP client defining smtp_tls_CAfile as the same file as the smtpd server. Again, not sure if this matters: I'm running Apache 2.4 and PHP 5.6.

I'd appreciate any suggestions.

Thanks.
Dave.
Re: postfix tls error on port 587
Hello,

Thank you. I apologize, let me clarify my statement. I have created my own CA on an offline machine which I use to sign all of my certificates. When you say the client doesn't trust the server certificate, that's not the webmail, that's the submission service not trusting the Postfix ServerCertificate, ServerKey, and ServerCAfile options?

Thanks.
Dave.

On 10/31/15, Viktor Dukhovni wrote:
> On Sat, Oct 31, 2015 at 12:05:29PM -0400, David Mehler wrote:
>
>> I am using self-signed certificates via my own CA if that matters.
>
> A certificate is either self-signed, or issued by a CA. Which is it?
>
>> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error from
>> localhost[::1]: 0
>> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS library
>> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
>> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
>> alert number 48:
>
> TLS "alerts" are messages from the remote TLS stack to the local
> TLS stack. It is the client that does not trust the server certificate
> and hangs up. The server just logs the client's reason for aborting
> the connection.
>
>> I'm not sure the CA it's referring to.
>
> The issuer of the server certificate.
>
>> I do have my CA's public
>> certificate defined in smtpd_tls_CAfile and have the smtp client
>> defining smtp_tls_CAfile as the same file as the smtpd server.
>
> The client does not trust the server certificate.
>
> --
> Viktor.
Re: postfix tls error on port 587
Hello,

Still stuck. I've got the below, not sure if it helps; it does show that on 143 and 587, client-wise, no peer is being sent or verified.

openssl s_client -starttls smtp -connect localhost:587
CONNECTED(0003)
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 220 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

openssl s_client -starttls smtp -connect localhost:587e :143
CONNECTED(0003)
didn't found starttls in server response, try anyway...
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 238 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here's my Postfix TLS and SASL configuration:

main.cf:

# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    # Postfix Quota status service
    check_policy_service inet:127.0.0.1:12345

smtpd_data_restrictions = reject_unauth_pipelining

# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
#smtp_tls_security_level = may
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

Any help appreciated.

Thanks.
Dave.

On 10/31/15, Viktor Dukhovni wrote:
> On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:
>
>> Thank you. I apologize, let me clarify my statement. I have created my
>> own CA on an offline machine which I use to sign all of my
>> certificates.
>
> Good, that removes ambiguity.
>
>> When you say the client doesn't trust the server certificate, that's
>> not the webmail, that's the submission service not trusting the
>> postfix ServerCertificate, ServerKey, and ServerCAfile options?
>
> Whatever connects to your port 587 submission service is what's
> not trusting the certificate, and sending an alert to that effect,
> which the server logs.
>
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error
>> >> from
>> >> localhost[::1]: 0
>> >> Oct 30 12:12:01 ohio postfix/submission/
Re: postfix tls error on port 587
Hi,

Thanks. The only thing I have in the maillog is a connection made, TLS established, then the connection is dropped.

Thanks.
Dave.

On 11/1/15, Viktor Dukhovni wrote:
> On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:
>
>> Still stuck. I've got the below not sure if it helps, it does show
>> that on 143 and 587 client wise no peer is being sent or verified.
>>
>> openssl s_client -starttls smtp -connect localhost:587
>> CONNECTED(0003)
>> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
>
> The thing on port 587 is not speaking any recognizable form of TLS.
> Logs from the peer would be quite useful in this context.
>
>> openssl s_client -starttls smtp -connect localhost:143
>> CONNECTED(0003)
>
> Well, port 143 speaks IMAP not SMTP so "starttls smtp" is not
> likely to get far for that port.
>
>> # TLS parameters
>> smtpd_tls_auth_only = yes
>> smtpd_tls_mandatory_ciphers = high
>> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
>> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
>> CBC3-SHA
>
> That looks rather like a random hodge-podge. Try:
>
> smtpd_tls_ciphers = medium
>
> instead.
>
>> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
>> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
>> CBC3-SHA
>
> Ditto.
>
>> Any help appreciated.
>
> Logs.
>
> --
> Viktor.
Re: postfix tls error on port 587
Hello,

Thanks. Don't ask me how, but flipping the TLS protocols from the list I had to high, and now 587 works. IMAP on 143 still won't, but that's not for this list. The point is, for the moment it is working. Thanks for all your help.

Thanks.
Dave.

On 11/1/15, Viktor Dukhovni wrote:
> On Sun, Nov 01, 2015 at 07:06:42PM -0500, David Mehler wrote:
>
>> Thanks. The only thing I have in the maillog is a connection made, tls
>> established, then the connection is dropped.
>
> Not possible. Those logs don't match the report of a failed SSL
> connection on the client side.
>
> --
> Viktor.
Am I overdoing my configuration?
Hello,

I'm running Postfix 2.11.6 on a FreeBSD 10 system. I'm wondering if I'm making my Postfix work too hard? I've got postscreen checking various RBL lists to check for spammers, then doing checks in my smtpd_recipient_restrictions. Here's my config; I'd appreciate any comments on it. In particular, can I eliminate the RBL checks in smtpd_recipient_restrictions since they're going in the postscreen setup?

Thanks.
Dave.

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    # Postfix Quota status service
    check_policy_service inet:127.0.0.1:12345

# postscreen(8) settings
### Before-220 tests
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
### End of before-220 tests

### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.

# For sharing a temporary whitelist of addresses
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_cache_cleanup_interval = 0
Postfix migration 2.11 to 3.1, Thunderbird, and antispam questions
Hello,

I'm running a FreeBSD 10.3 AMD64 system. I just upgraded Postfix from 2.11 to 3.1. I'm using Dovecot for SASL authentication via MySQL and email storage via maildir. The system can receive emails from the internet via port 25 (running postscreen) and store them on disk using Dovecot, no problem.

I'm using Thunderbird 31.7.0 to connect remotely to my server and retrieve and send email. Retrieval again goes fine, port 993; sending through the system does not. I get a message from Thunderbird: can not send message because the connection to the server timed out. On the server side of things the submission/smtpd service gets the incoming connection and then just hangs until it eventually does indeed time out.

I'm also wanting to know if my current configuration, included below, which was brought over from 2.11 and is now running in 3.1, is current in terms of antispam techniques from the Postfix perspective?

Lastly, related to antispam, currently I'm running MailScanner, but to be honest I'm really liking it, it did the job, but it was slow. An example: I sent a single message; Postfix got it, passed it to MailScanner, which then took 3 to 5 minutes to process it and send it back to Postfix, which then picked it up and sent it on to Dovecot for normal delivery. I've also used Amavisd-new in the past and noted the same slowness, wondering if this is a SpamAssassin thing? So, I'm thinking about going to rspamd and if anyone is using this I'd appreciate some pro/con feedback.

I'd appreciate any suggestions on any of these issues.

Thanks.
Dave.

main.cf:

soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
mydestination = localhost
local_recipient_maps =
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, 192.168.0.0/24, xxx.xxx.xxx.xxx/32, [::1]/128, [fe80::]/10
in_flow_delay = 1s
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix

# Misc options
biff = no
# The next was originally uncommented
#append_dot_mydomain = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
header_checks = regexp:/usr/local/etc/postfix/mailscanner_header_checks, pcre:/usr/local/etc/postfix/header_checks, regexp:/usr/local/etc/postfix/phish419.regexp
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
hash_queue_depth = 2
hash_queue_names = incoming, hold defer deferred

# Virtual mailbox domains
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf, proxy:mysql:/usr/local/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_minimum_uid = 999
# Increase the virtual mailbox limit from 51 mb to 250 mb
virtual_mailbox_limit = 262144000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# For users who have moved
#relocated_maps = mysql:/usr/local/etc/postfix/mysql_relocated.cf

# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# Shows to everyone the sasl authenticated username
#smtpd_sasl_authenticated_header = yes

# uce
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_r
Autoresponder
Hello,

I'm looking for an autoresponder, free, and one that does not rely on postfixadmin. I saw one featured in a howtoforge article called Autoresponse 1.6.3 but that has been taken down, which is unfortunate, because how it worked, sending an email to an address, sounded great for my needs.

If anyone has this, or has any suggestions, I'd appreciate them. I have looked on the Postfix page and the autoresponders there are paid products, and the one that isn't uses an LDAP format which I am not using.

Thanks.
Dave.
Re: Autoresponder
Hi,

Thanks, but doesn't that require a shell account for users to configure vacation? If so, that's a deal breaker for me; I don't want to give virtual users access to the system.

Thanks.
Dave.

On 4/15/16, Dirk Stöcker wrote:
> On Fri, 15 Apr 2016, David Mehler wrote:
>
>> I'm looking for an autoresponder, free, and one that does not rely on
>> postfixadmin.
>>
>> I saw one featured in a howtoforge article called Autoresponse 1.6.3
>> but that has been taken down, which is unfortunate, because how it
>> worked, sending an email to an address sounded great for my needs.
>>
>> If anyone has this, or has any suggestions i'd appreciate them. I have
>> looked on the postfix page and the autoresponders there are paid
>> products, and the one that isn't uses an LDAP format which I am not
>> using.
>
> Although I dislike autoresponders it is part of the sieve filter for
> dovecot:
>
> http://wiki2.dovecot.org/Pigeonhole/Sieve/Examples#Vacation_auto-reply
>
> If you use dovecot already e.g. for IMAP, then you can switch local
> delivery to dovecot and the vacation filter of dovecot-sieve can take over
> the auto-response. As far as I have read the docs the auto-responder of
> dovecot/sieve minimizes the negative effects of auto-responders (sending
> single mail only, ignoring mailinglists and bulk email, ...).
>
> Setup: http://wiki.dovecot.org/LDA/Postfix
>
> Major benefit is the server side mail filtering in my eyes which was
> the major motivation for me to install it :-)
>
> Configuration of the sieve filter is done in user directory
> (.dovecot.sieve), so mail users can individually configure the
> autoresponder (when in vacation) without the admin.
>
> Ciao
> --
> http://www.dstoecker.eu/ (PGP key available)
Postfix with Postscreen and Fail2ban
Hello,

Is anyone running Postfix 2.11 on an f21 machine? I'm using it and am using postscreen, which I really like. The system firewall is FirewallD and I'm using fail2ban 0.9.1 to block brute force bot hits on the machine. I've got the Fail2ban jail for Postfix enabled, but the regexps don't appear to be catching the logs of attempted postscreen connections. I'm assuming here that anything postscreen rejects is a spammer and would like them rejected out of hand.

If anyone has this working I'd appreciate knowing how you did it.

Thanks.
Dave.
smtpd not announcing sasl capabilities
Hello,

I'm running Postfix 3.1. A telnet connection to port 25 and another to port 587 do not announce the SASL AUTH capabilities. I'd appreciate a sanity check of my configuration, done with postconf -n.

Thanks.
Dave.

autoresponder_destination_recipient_limit = 1
biff = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level =
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
hash_queue_depth = 2
hash_queue_names = incoming, hold defer deferred
header_checks = pcre:/usr/local/etc/postfix/header_checks, regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = no
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
        cidr:/usr/local/etc/postfix/postscreen_access.cidr,
        cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        dnsbl.ahbl.org*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_sender_access hash:/usr/local/etc/postfix/safe_addresses
        check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
        check_client_access cidr:/usr/local/etc/postfix/spamfarms
        check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
        permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
        check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        reject_rbl_client b.barracudacentral.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client psbl.surriel.com
        reject_rbl_client bl.spamcop.net
        reject_rbl_client cbl.abuseat.org
        reject_rhsbl_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        check_policy_service unix:private/spf-policy
        check_policy_service inet:127.0.0.1:12345
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = no
soft_bounce = no
spf-policy_time_limit = 3600s
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql
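The postconf -n output above contains smtpd_tls_auth_only = yes, which makes Postfix advertise AUTH only on the EHLO that follows STARTTLS, so a plain telnet EHLO never shows it. The following checker is an added example (not the poster's code, nor Postfix's): it parses EHLO replies captured before and after STARTTLS and says which case the server is in; the probe() helper and the sample replies are constructed here.

```python
"""Check whether an SMTP server advertises AUTH before and after STARTTLS.

Added example, not from the post. With smtpd_tls_auth_only = yes (as in the
postconf -n output above) Postfix advertises AUTH only on the EHLO that
follows a successful STARTTLS, so a cleartext "telnet ... EHLO" never shows it.
"""
import smtplib
from typing import Dict, List, Optional

Caps = Dict[str, List[str]]   # EHLO keyword -> parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}


def parse_ehlo(reply: str) -> Caps:
    """Parse a raw multi-line EHLO reply (as seen in a telnet session).

    Lines look like "250-STARTTLS" (more follow) or "250 DSN" (last line);
    the first line carries the server's hostname, not an extension.
    """
    caps: Caps = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit():
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, sep, rest = line[:3], line[3], line[4:]
        if code != "250":
            raise ValueError(f"EHLO was not accepted: {line!r}")
        if sep not in ("-", " "):
            raise ValueError(f"bad reply separator in {line!r}")
        if idx == 0:
            continue                      # greeting: "250-mail.example.com ..."
        words = rest.split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def auth_mechanisms(caps: Caps) -> List[str]:
    """SASL mechanisms offered by the AUTH keyword, or [] if none is advertised."""
    return caps.get("AUTH", [])


def diagnose(cleartext: Caps, after_starttls: Optional[Caps]) -> str:
    """Classify what the two EHLO replies say about SASL on this port.

    cleartext:       capabilities from the EHLO on the unencrypted connection.
    after_starttls:  capabilities from the EHLO after STARTTLS, or None if
                     STARTTLS was not attempted.
    """
    if auth_mechanisms(cleartext):
        return "auth-advertised-in-cleartext"
    if "STARTTLS" not in cleartext:
        # Neither TLS nor AUTH: check smtpd_tls_security_level and smtpd_sasl_auth_enable.
        return "no-starttls-no-auth"
    if after_starttls is None:
        # Consistent with smtpd_tls_auth_only = yes: test again after STARTTLS.
        return "auth-hidden-until-starttls"
    if auth_mechanisms(after_starttls):
        return "auth-advertised-after-starttls"     # tls_auth_only working as designed
    # TLS is up but still no AUTH: look at smtpd_sasl_path and the Dovecot auth socket.
    return "no-auth-even-after-starttls"


def probe(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Run the same diagnosis against a live server (needs network access)."""
    def caps(smtp: smtplib.SMTP) -> Caps:
        # smtplib lower-cases keywords and keeps the parameters as one string
        return {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        cleartext = caps(smtp)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()                   # capabilities are re-announced inside TLS
            after = caps(smtp)
    return diagnose(cleartext, after)


# Constructed sample captures (not real server output) for the two phases.
CLEARTEXT_EHLO = (
    "250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 20971520\r\n"
    "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n"
)
TLS_EHLO = (
    "250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 20971520\r\n"
    "250-AUTH PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n"
)

if __name__ == "__main__":
    print(diagnose(parse_ehlo(CLEARTEXT_EHLO), None))
    print(diagnose(parse_ehlo(CLEARTEXT_EHLO), parse_ehlo(TLS_EHLO)))
```
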
Postfix, Dmarc, and Dkim for multiple domains
Hello,

I'm not sure if this is the right place to ask this question, but it is mail related. I've got Postfix 3.1 and two milter filters: dkim (with OpenDKIM) and dmarc (with OpenDMARC). At the time of initial setup I had one virtual mailbox domain and things were working fine. Now I've added two more virtual mailbox domains and need to configure both opendkim and opendmarc to handle them. I believe I have this with OpenDKIM; here's the config:

AllowSHA1Only no
AlwaysAddARHeader yes
AuthservID hostname.example.com
AutoRestart Yes
AutoRestartRate 5/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/usr/local/etc/mail/TrustedHosts
InternalHosts refile:/usr/local/etc/mail/TrustedHosts
KeyTable /usr/local/etc/mail/KeyTable
MinimumKeyBits 2048
Mode sv
PidFile /var/run/milteropendkim/opendkim.pid
SigningTable /usr/local/etc/mail/SigningTable
Socket inet:8891@localhost
SoftwareHeader yes
SubDomains yes
Syslog Yes
SyslogSuccess yes
UserID opendkim

# OPENDKIM TRUSTED HOSTS
127.0.0.1
::1
localhost
host.example.com
example.com
host.example2.com
example2.com
host.example3.com
example3.com

# KeyTable
selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector

# SigningTable
example.com selector._domainkey.example.com
example2.com selector._domainkey.example2.com
example3.com selector._domainkey.example3.com

With regard to dkim, will having an AuthservID of hostname.example.com mess up dkim checks for any of the other virtual mailbox domains, as they are all on the one server? I am not sure how to do this using opendmarc as I can't use a table. If anyone has this working with these filters please let me know.

Thanks.
Dave.
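A cross-check for the KeyTable and SigningTable shown above, added here as an example that is neither OpenDKIM's code nor part of the post: it parses both tables, confirms every SigningTable entry resolves to a key whose d= matches the sender domain, and flags keys that no domain ever uses. The consistency rules and the "broken" variant are constructed for illustration.

```python
"""Cross-check OpenDKIM KeyTable and SigningTable entries across domains.

Added example; this is neither OpenDKIM's code nor part of the post. It parses
the two plain-file table formats shown above and reports entries that would
leave a domain unsigned or signed under a different d= domain. The sample
tables are the ones in the post; the "consistency" rules are assumptions.
"""
from typing import Dict, List, NamedTuple


class Key(NamedTuple):
    domain: str     # d= value placed in the DKIM-Signature
    selector: str   # s= value
    path: str       # private key file


def _lines(text: str) -> List[str]:
    """Strip comments and blank lines from a table file."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_key_table(text: str) -> Dict[str, Key]:
    """KeyTable lines: <keyname> <domain>:<selector>:<path to private key>."""
    keys: Dict[str, Key] = {}
    for line in _lines(text):
        name, spec = line.split(None, 1)
        domain, selector, path = spec.strip().split(":", 2)
        keys[name] = Key(domain, selector, path)
    return keys


def parse_signing_table(text: str) -> Dict[str, str]:
    """SigningTable lines: <sender domain or address pattern> <keyname>."""
    table: Dict[str, str] = {}
    for line in _lines(text):
        pattern, keyname = line.split(None, 1)
        table[pattern] = keyname.strip()
    return table


def _sender_domain(pattern: str) -> str:
    """Domain part of a SigningTable key such as 'example.com' or '*@example.com'."""
    return pattern.rsplit("@", 1)[-1].lstrip("*.")


def check_tables(signing: Dict[str, str], keys: Dict[str, Key]) -> List[str]:
    """Return human-readable problems; an empty list means the tables agree."""
    problems: List[str] = []
    for pattern, keyname in signing.items():
        key = keys.get(keyname)
        if key is None:
            problems.append(f"{pattern}: SigningTable refers to unknown key {keyname!r}")
            continue
        sender = _sender_domain(pattern)
        # A signature whose d= is neither the sender domain nor a parent of it
        # will not align for DMARC, so flag it.
        if sender != key.domain and not sender.endswith("." + key.domain):
            problems.append(f"{pattern}: would be signed with d={key.domain}")
        # Naming convention used in the post (OpenDKIM itself does not require it).
        expected = f"{key.selector}._domainkey.{key.domain}"
        if keyname != expected:
            problems.append(f"{keyname}: name does not follow the {expected} convention")
    for keyname in keys:
        if keyname not in signing.values():
            problems.append(f"{keyname}: KeyTable entry never selected by SigningTable")
    return problems


# Tables as posted above.
KEY_TABLE = """
selector._domainkey.example.com  example.com:selector:/usr/local/etc/mail/keys/example.com/selector
selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector
"""
SIGNING_TABLE = """
example.com  selector._domainkey.example.com
example2.com selector._domainkey.example2.com
example3.com selector._domainkey.example3.com
"""
# Constructed mistake: the third domain points at the second domain's key.
BROKEN_SIGNING_TABLE = SIGNING_TABLE.replace(
    "example3.com selector._domainkey.example3.com",
    "example3.com selector._domainkey.example2.com",
)


def posted_problems() -> List[str]:
    return check_tables(parse_signing_table(SIGNING_TABLE), parse_key_table(KEY_TABLE))


def broken_problems() -> List[str]:
    return check_tables(parse_signing_table(BROKEN_SIGNING_TABLE), parse_key_table(KEY_TABLE))


if __name__ == "__main__":
    print("posted tables:", posted_problems() or "ok")
    print("broken tables:", broken_problems())
```
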
free email fax setup postfix integration
Hello, I am looking for a free email 2 fax system that integrates with postfix. I looked at faximum but that's very out of my range. Anyone know of any product comparable? Thanks. Dave.
Inserting a signature
Hello, I'm wanting to insert an email signature in all outgoing email messages. Is altermime still the best way of doing this or is there another path? Thanks. Dave.
Possibly o.t. Postfixadmin 3.x unable to log in
Hello, Not sure if this is the right place for this question. I have no previous experience with Postfixadmin for domain and user management with postfix, as I usually do my configuration file editing manually. I've got a project where I'm needing to run it. I've got a postfix 2.11 and Postfixadmin 3.0 install in a virtual machine. The setup.php is complete and database connectivity works fine. I've generated the hash password and put that line in config.local.php, along with an admin email. I am told that the admin email was entered properly and I can log in. Checking the postfix mysql database shows this is so. The problem is I try to log in via a browser and nothing: no errors, just back to the login screen. I am trying to do so over the internet and the vm is behind a primary box, both running apache, the primary box using the proxy module to reverse proxy the connection. Any ideas what might be going on, or any information I can provide? Any assistance appreciated. Thanks. Dave.
gmail servers on blacklists?
Hello,

I'm starting to see blocks on my messages to my mail server. For some reason postscreen is not letting any gmail servers send mail, it's blocking them. Has anyone got an idea or have you seen this? Here's my postscreen setup:

# postscreen(8) settings
### Before-220 tests
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_access_list = permit_mynetworks
        cidr:/usr/local/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_reply_map =
        pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        dnsbl.ahbl.org*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
### End of before-220 tests

### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.

# For sharing a temporary whitelist of addresses
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_cache_cleanup_interval = 0

# Rules are evaluated in the order as specified.
# Blacklist 192.168.* except 192.168.0.1.

# /usr/local/etc/postfix/postscreen_access.cidr 2011-02-27
# A simple combined white/blacklist
# Only "permit", "reject" and "dunno" work on the RHS
# This is a CIDR table, so see cidr_table(5) for LHS syntax

# Permit local clients
127.0.0.0/8             permit

# 2011-05-17 brute force attack
# May 17 05:35:14 cardinal postfix/anvil[3667]: statistics: max
# connection count 47 for (smtpd:66.23.228.27) at May 17 05:31:38
66.23.228.27            reject

# a lot from here including some DBL hits
108.62.112.160/29       reject

# 2011-08-09 eWayDirect whitelisted, but hitting spamtraps
# was having PREGREET protocol errors before today
207.45.161.0/24         reject

##
# 2011-11-22 brute force mail attacks, smtp and imap
61.175.253.59           reject

# 2012-09-23 spammer not in DNSBLs
66.7.197.45             reject

# 2012-11-19 hillapex.com spammer
184.173.107.11          reject

# Allow gmail server through
74.125.82.43            permit

Any assistance appreciated.

Thanks.
Dave.
Re: gmail servers on blacklists?
Hi,

Much thanks. Lost ahbl, and glad to see it go.

Thanks.
Dave.

On 3/17/17, /dev/rob0 wrote:
> On Fri, Mar 17, 2017 at 05:12:07PM -0400, David Mehler wrote:
>> I'm starting to see blocks on my messages to my mail server. For some
>> reason postscreen is not letting any gmail servers send mail, it's
>> blocking them.
>>
>> Has anyone got an idea or have you seen this?
>
> Typically you would SHOW LOGS of the blocking when asking for help,
> but in your case it's pretty obvious.
>
>> Here's my postscreen setup:
>>
>> # postscreen(8) settings
>> ### Before-220 tests
>> postscreen_greet_action = enforce
>> postscreen_blacklist_action = enforce
>> postscreen_dnsbl_action = enforce
>> postscreen_access_list = permit_mynetworks
>> cidr:/usr/local/etc/postfix/postscreen_access.cidr
>> postscreen_dnsbl_reply_map =
>> pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
>> postscreen_dnsbl_sites = zen.spamhaus.org*3
>> b.barracudacentral.org*2
>> bl.spameatingmonkey.net*2
>> dnsbl.ahbl.org*2
>
> Closed as of 2015-01-01 when it began flagging EVERYTHING by means of
> a DNS wildcard.
>
> Read:
> http://www.ahbl.org/ (click through to the main page) and
> http://rob0.nodns4.us/postscreen.html
>
> In the latter start with the BIG FAT WARNING and then take special
> note of what it says about AHBL in the "Last Changes" section.
>
>> bl.spamcop.net
>> dnsbl.sorbs.net
>> psbl.surriel.com
>> bl.mailspike.net
>> swl.spamhaus.org*-4
>> list.dnswl.org=127.[0..255].[0..255].0*-2
>> list.dnswl.org=127.[0..255].[0..255].1*-3
>> list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
>
> These are as I published them but they are wrong. Better:
> list.dnswl.org=127.0.[2..15].0*-2
> list.dnswl.org=127.0.[2..15].1*-3
> list.dnswl.org=127.0.[2..15].[2..3]*-4
> This corresponds to DNSWL.org's own usage instructions.
>
>> postscreen_dnsbl_threshold = 2
>> postscreen_dnsbl_whitelist_threshold = -2
>
> Looks familiar except you changed these two threshold values. Just
> stick with what I have:
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_whitelist_threshold = -1
>
> Your lower postscreen_dnsbl_threshold value caused every single AHBL
> listing (which, in case you didn't understand, now includes the
> entirety of the Internet) to be a rejection unless offset by a
> whitelist entry.
>
> Your higher whitelist threshold makes it more difficult to avoid the
> after-220 tests ...
>
>> ### End of before-220 tests
>> ### After-220 tests
>> ### WARNING -- See "Tests after the 220 SMTP server greeting" in the
>> ### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
>> ### following tests!
>> #postscreen_bare_newline_action = drop
>> #postscreen_bare_newline_enable = yes
>> #postscreen_non_smtp_command_action = drop
>> #postscreen_non_smtp_command_enable = yes
>> #postscreen_pipelining_enable = yes
>> #postscreen_pipelining_action = drop
>> ### ADDENDUM: Any one of the foregoing three *_enable settings may cause
>> ### significant and annoying mail delays.
>
> ... which in your case doesn't matter because you didn't enable them.
>
>> Any assistance appreciated.
>
> Lose AHBL.
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
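The scoring arithmetic behind this thread, as an added example that is not Postfix code and not part of the exchange: it parses the postscreen_dnsbl_sites syntax (including the [low..high] reply filters and *weight factors) and applies the two thresholds to a constructed scenario in which a wildcarded AHBL zone lists every address, showing why a threshold of 2 rejected a gmail relay while rob0's 3 does not. The DNS replies are constructed, and the scoring model is a simplification.

```python
"""Model of postscreen's DNSBL scoring, added here as an illustration.

Not Postfix code and not part of the thread. It re-implements the
postscreen_dnsbl_sites syntax (domain, optional =d.d.d.d reply filter with
[low..high] octet ranges, optional *weight) and the two threshold checks,
enough to show why an AHBL zone that lists every address pushed a gmail relay
over a threshold of 2 but not over rob0's 3. Simplifications are assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

Octets = Tuple[Tuple[int, int], ...]     # (low, high) per octet; () = any reply counts
_OCTET = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")


class Site(NamedTuple):
    domain: str
    weight: int
    reply_filter: Octets

    def matches(self, reply: str) -> bool:
        """True if a DNSBL A record such as '127.0.0.2' passes this entry's filter."""
        if not self.reply_filter:
            return True
        parts = reply.split(".")
        if len(parts) != 4:
            return False
        return all(lo <= int(p) <= hi for p, (lo, hi) in zip(parts, self.reply_filter))


def parse_filter(text: str) -> Octets:
    """'127.0.[2..15].[2..3]' -> ((127, 127), (0, 0), (2, 15), (2, 3))."""
    octets = []
    for lo, hi, single in _OCTET.findall(text):
        octets.append((int(lo), int(hi)) if lo else (int(single), int(single)))
    if len(octets) != 4:
        raise ValueError(f"filter needs four octets: {text!r}")
    return tuple(octets)


def parse_sites(value: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites value into Site entries (default weight 1)."""
    sites = []
    for token in value.split():
        weight = 1
        if "*" in token:
            token, w = token.rsplit("*", 1)
            weight = int(w)
        reply_filter: Octets = ()
        if "=" in token:
            token, f = token.split("=", 1)
            reply_filter = parse_filter(f)
        sites.append(Site(token, weight, reply_filter))
    return sites


def score(sites: List[Site], replies: Dict[str, List[str]]) -> int:
    """Add the weight of every entry whose zone returned a matching A record.

    replies maps a DNSBL zone to the addresses it returned for the client
    (missing or empty = not listed). Each entry counts at most once.
    """
    return sum(s.weight for s in sites
               if any(s.matches(r) for r in replies.get(s.domain, [])))


def verdict(total: int, threshold: int, whitelist_threshold: int) -> str:
    """Apply postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold."""
    if total >= threshold:
        return "reject"        # postscreen_dnsbl_action applies
    if total <= whitelist_threshold:
        return "whitelist"     # client skips the remaining before/after-220 tests
    return "pass"


# Constructed scenario: a gmail relay listed by no real blacklist, while the
# wildcarded AHBL zone answers 127.0.0.1 for every query (as the reply describes)
# and DNSWL answers 127.0.3.2 (category 3, trust 2) under rob0's corrected filters.
SITES = (
    "zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 "
    "dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com "
    "bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.0.[2..15].0*-2 "
    "list.dnswl.org=127.0.[2..15].1*-3 list.dnswl.org=127.0.[2..15].[2..3]*-4"
)
AHBL_ONLY = {"dnsbl.ahbl.org": ["127.0.0.1"]}
AHBL_AND_DNSWL = {"dnsbl.ahbl.org": ["127.0.0.1"], "list.dnswl.org": ["127.0.3.2"]}


def gmail_outcomes() -> Dict[str, str]:
    """Poster's thresholds (2 / -2) versus rob0's (3 / -1) for both scenarios."""
    sites = parse_sites(SITES)
    bl, wl = score(sites, AHBL_ONLY), score(sites, AHBL_AND_DNSWL)
    return {
        "threshold 2, AHBL only": verdict(bl, 2, -2),
        "threshold 3, AHBL only": verdict(bl, 3, -1),
        "threshold 2, AHBL + DNSWL": verdict(wl, 2, -2),
        "threshold 3, AHBL + DNSWL": verdict(wl, 3, -1),
    }


if __name__ == "__main__":
    for case, result in gmail_outcomes().items():
        print(f"{case}: {result}")
```
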
bitdefender
Hello, I'm running a postfix mail server. One of its components is antivirus. For that I'm running clamav. I'd like to have a second scanner as backup. Does anyone have any experience with bitdefender? If not, any other suggestions? Thanks. Dave.
file attachments for the domain only, and virtual mailbox size
Hello,

I've got two issues. The first is I'm blocking file attachments in the mime_headers file below. I'd like to allow those attachments but only for hosts within the domain, so for example us...@example.com can send us...@example.com a word document. The second issue is I'm running virtual users out of a mysql database. I'd like to ensure that each virtual user's mailbox is no larger than 250MB in size. I'm not sure if the settings below allow this?

Thanks.
Dave.

header_checks = pcre:/usr/local/etc/postfix/header_checks, regexp:/usr/local/etc/postfix/phish419.regexp
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks

# Virtual mailbox domains
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_minimum_uid = 999
# Increase the virtual mailbox limit from 51 mb to 250 mb
virtual_mailbox_limit = 262144000
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
message_size_limit = 52428800
mailbox_size_limit = 52428800

header_checks:
# Reject spam from compromised accounts/hosts
/HELO User/ DISCARD Compromised host or account spam
/helo=User/ DISCARD Compromised host or account spam
/Received: from User / DISCARD Compromised host or account spam
/List-Id: / REJECT Spam
/Received: from 41(\.\d{1,3}){3}/ DISCARD Likely 419 spam injection
#/Recieved: from .*\[41(\.\d{1,3}){3}\]/ DISCARD Likely 419 spam injection
/Received: from .*[\[ ]41(\.\d{1,3}){3}[\]\)]/ DISCARD Likely 419 spam injection
#/Received: from .*(\[| )41(\.\d{1,3}){3}(\]|\))/ DISCARD Likely 419 spam injection
/Received: from .*82\.128\.[0-9]{1,3}\.[0-9]{1,3}]/ DISCARD Likely 419 spam injection
/Received: from .*\[202\.190\.[0-9]{1,3}\.[0-9]{1,3}]/ DISCARD Likely 419 spam injection
/Received: from .*aa([0-9]{1,3})msr\.fastwebnet\.it.*/ DISCARD Scam
/Received: from .*ebuy.*/ DISCARD Scam
/Received: from .*farm\.tech\.int\.digex\.com.*/ DISCARD Spam
/Received: from .*cloud-ips\.com/ DISCARD Cloud spam
/Received: from .*213\.134\.6\.29/ REJECT Spam
/Received: from .*ec-messenger\.com/ REJECT Spam
/Received: from .*63\.147\.29\.[0-9]{1,3}/ REJECT Spam source
/Received: from .*hostgator\.com/ DISCARD Likely Spam
/Received: from .*.aweber\.com/ DISCARD Likely spam
/X-Original-IP: .*\[41(\.\d{1,3}){3}\]/ DISCARD Likely 419 spam injection
/X-Originating-IP: .*\[41(\.\d{1,3}){3}\]/ DISCARD Likely 419 spam injection
/X-OriginatingIP: .*\[41(\.\d{1,3}){3}\]/ DISCARD Likely 419 spam injection
/X-OriginatingIP: 41\./ DISCARD Likely 419 spam injection
/X-Originating-IP: .*\[81(\.\d{1,3}){3}\]/ DISCARD Likely 419 spam injection
/X-Originating-IP: .*\[123(\.\d{1,3}){3}\]/ DISCARD Likely scam
/X-Originating-IP: .*124\.13\.[0-9]{1,3}\.[0-9]{1,3}/ DISCARD Likely scam
/X-Originating-IP: .*74\.115\.[0-7]\.[0-9]{1,3}/ DISCARD Likely scam
/X-Originating-IP: .*125\.45\.[0-9]{1,3}\.[0-9]{1,3}/ DISCARD Likely spam
/X-OriginatingIP: .*82\.128\.[0-9]{1,3}\.[0-9]{1,3}]/ DISCARD Likely Phish
/X-Originating-IP: .*82\.128\.[0-9]{1,3}\.[0-9]{1,3}]/ DISCARD Likely Phish
/X-Originating-Email: \[carmel...@hotmail.com\]/ DISCARD Nitwit
/From: .*Noel Butler.*/ DISCARD Noel Butler nitwit
/From: .*noel\.butler@ausics\.net.*/ DISCARD Noel Butler nitwit
/X-Envelope-Sender: noel\.butler@ausics\.net/ DISCARD Noel Butler nitwit
/From: .*Nick Edwards.*/ DISCARD Nick Edwards nitwit
/From: .*nick\.z\.edwards@gmail\.com.*/ DISCARD Nick Edwards nitwit
/From: .*Wells Fargo.*/ REJECT Probable phish
/From: .*chase online.*/ REJECT Probable phish
/From: .*money.*/ DISCARD Scam
/From: Carmel / DISCARD Nitwit
/From: .*mail.ru/ DISCARD Likely Russian spam
/From: .*lee@yun\.yagibdah\.de/ DISCARD Nitwit
/From: .*yahoogroups\.com/ REJECT Spam
/X-Barracuda-Connect: UNKNOWN/ DISCARD rDNS required here
/X-Mailer: SmartSend\.2\./ DISCARD Scam
/Return-Path: .*hotmail\.it.*/ DISCARD Likely
Re: add header with postscreen score
Hi,

This is something I would also find useful.

Thanks.
Dave.

On 4/23/17, b...@bitrate.net wrote:
> is there a way to add a postscreen score/summary header to accepted
> messages? the logs are great, but this could be helpful in reviewing
> messages and making improvements to the configuration.
virtual transport lmtp vs. dovecot lda?
Hello, I'm running a Postfix 3.1 setup with Dovecot 2.29 and Mysql 5.7. I am trying to track down an elusive problem. Previously I had my virtual_transport set to dovecot with a dovecot service in master.cf. I then enabled the lmtp service, which uses a socket /var/spool/postfix/private/dovecot-lmtp. I keep getting the error in the logs "too many connections" to the mysql database and stuff is deferred. Any ideas? Thanks. Dave.
Re: virtual transport lmtp vs. dovecot lda?
Hi,

I'm not sure what to send. I've temporarily solved the problem by increasing the mysql max_connections setting from 256 to 300 and it started working. Something is using up mysql processes when the lmtp socket is used.

Dave.

On 5/2/17, Viktor Dukhovni wrote:
>
>> On May 2, 2017, at 6:17 PM, David Mehler wrote:
>>
>> I keep getting the error in the logs to many connections to the mysql
>> database and stuff is deferred.
>>
>> Any ideas?
>
> Nothing specific, while you remain reticent about sharing the actual log
> entries and your server configuration. Generally, use "proxy:mysql:"
> whenever you're otherwise tempted to use "mysql:".
>
> --
> Viktor.
Re: virtual transport lmtp vs. dovecot lda?
ons=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
#qmgr      unix  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache

# Dovecot local delivery agent - allows us to use sieve filters for spam
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

# for SPF support
spf-policy unix  -       n       n       -       0       spawn
  user=vmail argv=/usr/local/bin/perl /usr/local/libexec/postfix-policyd-spf-perl

autoresponder unix -     n       n       -       -       pipe
  flags=Fq user=autoresponse argv=/usr/local/sbin/autoresponse -s ${sender} -r ${recipient} -S ${sasl_username} -C ${client_address}

spamassassin unix -      n       n       -       -       pipe
  flags=R user=spamd argv=/usr/local/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

dfilt      unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/usr/local/etc/postfix/disclaimer -f ${sender} -r ${recipient}

# scan service for clamsmtpd
scan       unix  -       -       n       -       16      smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10026 inet n   -       n       -       16      smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

On 5/3/17, Noel Jones wrote:
> On 5/2/2017 6:33 PM, David Mehler wrote:
>> Hi,
>>
>> I'm not sure what to send. I've temporarily solved the problem by
>> increasing the mysql max_connections setting from 256 to 300 and
>> started working. Something is using up mysql processes when the lmtp
>> socket is used.
>>
>> Dave.
>
> Postfix makes lots of mysql connections. This is normal and expected.
>
> As Viktor already suggested, the solution is to use the postfix
> proxymap service to consolidate the mysql connections. This will
> greatly reduce the number of connections postfix makes to mysql and
> usually improve performance too.
>
> Documentation for proxymap is here:
> http://www.postfix.org/proxymap.8.html
> http://www.postfix.org/postconf.5.html#proxy_read_maps
>
> Using the proxymap service is really easy. Generally, everywhere in
> main.cf you have mysql:... you replace with proxy:mysql:...
> In some cases you may need to alter the default value of
> proxy_read_maps. There will be warnings in the log to guide you if
> this is needed.
>
> -- Noel Jones
aquamail connecting to postfix
Hello, Does anyone have Android's aquamail app successfully connecting to a Postfix server? If so, what settings did you use? I keep getting an authentication denied error. I've tried for authentication choose automatically, sasl plain, sasl login. For server security I've tried ssl strict check, ssl accept any (both on port 465), and starttls strict check and starttls accept any (port 587). Thanks. Dave.
Re: aquamail connecting to postfix
Hello,

My thanks to those who suggested the debug document. While that wasn't it (the issue wasn't with postfix at all), it did get me looking at Dovecot. Postfix does Sasl authentication using Dovecot. Dovecot gets its username and password from a MySQL database. The query Dovecot was sending was wrong, and it only showed up on outgoing connections; incoming authentication worked fine. Again my thanks.

Dave.

On 2/11/18, Bill Cole wrote:
> On 11 Feb 2018, at 18:12, David Mehler wrote:
>
>> Hello,
>>
>> Does anyone have Android's aquamail app successfully connecting to a
>> Postfix server? If so, what settings did you use? I keep getting an
>> authentication denied error. I've tried for authentication choose
>> automatically, sasl plain, sasl login. For server security I've tried
>> ssl strict check, ssl accept any (both on port 465), and starttls
>> strict check and starttls accept any (port 587).
>
> This reads as if you haven't tried simply telling Postfix to not request
> client certs at all. Unless you are using X.509 certs for user
> authentication, it is best to leave smtpd_tls_CAfile and
> smtpd_tls_CApath at their defaults (empty) and smtpd_tls_ask_ccert at
> its default (no)
>
> And as always: if you want detailed and specific Postfix help here, you
> should follow the advice in the last section of the Postfix DEBUG_README
> file.
domain email autoconfiguration
Hello, If anyone has autoconfiguration going with their email domain please email me privately. I'd like to ask you some questions about your setup. What do you use? Thanks. Dave.
Re: domain email autoconfiguration
Hello,

What I'm wanting to do is configure clients to get their account information automatically. I know this for Mozilla is called autoconfig and for Microsoft it's autodiscover, and apparently there's an SRV record I just read about. If anyone has any of these three going with their postfix servers I'd appreciate knowing it.

Thanks.
Dave.

On 3/31/18, Wietse Venema wrote:
> David Mehler:
>> Hello,
>>
>> If anyone has autoconfiguration going with their email domain please
>> email me privately. I'd like to ask you some questions about your
>> setup. What do you use?
>
> Perhaps you can explain what you mean.
> Automatic configuration of Postfix to send mail through an ISP?
> Automatic configuration of clients to send mail through Postfix?
>
> Wietse
Re: domain email autoconfiguration
Hello Viktor,

Do you use autoconfig/autodiscover?

Thanks.
Dave.

On 4/3/18, Viktor Dukhovni wrote:
>
>
>> On Apr 3, 2018, at 8:08 PM, David Mehler wrote:
>>
>> What I'm wanting to do is configure clients to get their account
>> information automatically. I know this for Mozilla is called
>> autoconfig and for Microsoft it's autodiscover, and apparently there's
>> an srv record I just read about.
>
> The relevant specification is RFC6186:
>
> https://tools.ietf.org/html/rfc6186
>
> perhaps some MUAs support it. Without DNSSEC such auto-configuration
> leaves important security decisions to the user (or just configures
> insecurely), and since DNSSEC is often not done on end-user devices
> even when the domain is signed, this technique carries some risk, but
> once supported by the MUA, you're no safer if you don't use it, modulo
> "training" users to accept insecurely obtained configuration options.
>
> --
> Viktor.
integrating p0f with postfix
Hello, Does anyone have p0f going with postfix? I'm wanting to add a header for email connecting OS. Thanks. Dave.
Re: integrating p0f with postfix
Hello,

I was hoping to avoid something so heavyweight; are there any other options?

Thanks.
Dave.

On 4/20/18, Matus UHLAR - fantomas wrote:
> On 19.04.18 22:25, David Mehler wrote:
>> Does anyone have p0f going with postfix? I'm wanting to add a header
>> for email connecting OS.
>
> I think amavis supports p0f, so any way of integrating amavis into postfix
> should allow this functionality (and many others).
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> There's a long-standing bug relating to the x86 architecture that
> allows you to install Windows. -- Matthew D. Fuller
automatic email account configuration, postfix pipelining restriction
Hello,

I'm attempting to configure email autoconfig and autodiscover services for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I thought I was dealing with either an Apache or Dovecot issue, now I'm thinking it's an error with my Postfix configuration. Whenever I attempt a connection I'm getting this in my postfix error log file:

Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper command pipelining after EHLO from Connecting-Machine-Hostname-And-IP: QUIT\r\n

Suggestions welcome.

Thanks.
Dave.

If it helps, here's my postfix master.cf and main.cf files:

#cat master.cf
smtp       inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#-o smtpd_sasl_auth_enable=no
#smtpd     pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
# Submission port 587 for client connection / sending mails from authenticated users
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
# for opportunistic smtpd
#-o smtpd_tls_security_level=may
# Encrypt by default
  -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
  -o tls_preempt_cipherlist=yes
#smtps     inet  n       -       n       -       -       smtpd
#-o syslog_name=postfix/smtps
#-o smtpd_tls_wrappermode=yes
#-o smtpd_sasl_auth_enable=yes
#-o smtpd_reject_unlisted_recipient=no
#-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
#-o tls_preempt_cipherlist=yes
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
#qmgr      unix  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache

# for SPF support
spf-policy unix  -       n       n       -       0       spawn
  user=vmail argv=/usr/local/bin/perl /usr/local/libexec/postfix-policyd-spf-perl

dfilt      unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/usr/local/etc/postfix/disclaimer -f ${sender} -r ${recipient}

# scan service for clamsmtpd
scan       unix  -       -       n       -       16      smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10026 inet n   -       n       -       16      smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
Re: automatic email account configuration, postfix pipelining restriction
Hi,

It's Thunderbird 52.7. Is there a workaround to make this work?

Thanks.
Dave.

On 4/20/18, Viktor Dukhovni wrote:
>
>
>> On Apr 20, 2018, at 4:52 PM, David Mehler wrote:
>>
>> I'm attempting to configure email autoconfig and autodiscover services
>> for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
>> thought I was dealing with either an Apache or Dovecot issue, now I'm
>> thinking it's an error with my Postfix configuration.
>>
>> Whenever I attempt a connection I'm getting this in my postfix error log
>> file:
>>
>> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
>> command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
>> QUIT\r\n
>
> This client does not implement SMTP correctly. There's nothing wrong
> with the Postfix configuration. The client MUST wait for the EHLO
> response *before* sending QUIT.
>
> --
> Viktor.
Re: automatic email account configuration, postfix pipelining restriction
Hello,

I am still trying to get this email sending with autodiscover working. I've temporarily put Thunderbird aside, as it looks like it has a long-standing compatibility issue with sending commands too early, and have switched to Outlook 2010. With it I am getting the following, and I do not know what UNKNOWN is.

Apr 21 04:22:38 hostname postfix/submission/smtpd[44179]: connect from Connecting-Host-and-IP
Apr 21 04:22:39 hostname postfix/submission/smtpd[44179]: lost connection after UNKNOWN from Connection-hostname-ip

I've tried adjusting broken_sasl_auth_clients (no by default): set it to yes, didn't change anything.

My current smtpd_restrictions:

main.cf:

# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_helo_access hash:/usr/local/etc/postfix/helo_access,
    ,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
    ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    #reject_non_fqdn_helo_hostname
    #reject_invalid_helo_hostname
    #reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    # Postfix Quota status service
    #check_policy_service inet:127.0.0.1:12345
    check_policy_service unix:private/dovecot-quota

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
    permit_mynetworks
    #check_client_access hash:/usr/local/etc/postfix/without_ptr
    #reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
    #permit_mynetworks
    #reject_invalid_helo_hostname
    #reject_non_fqdn_helo_hostname
    #reject_unknown_helo_hostname

# Block clients, which start sending too early
#smtpd_data_restrictions = reject_unauth_pipelining

# Restrictions for MUAs
#mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

and in master.cf:

submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    # for opportunistic smtpd
    #-o smtpd_tls_security_level=may
    # Encrypt by default
    -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    #-o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
    -o tls_preempt_cipherlist=yes
    #-o cleanup_service_name=submission-header-cleanup

Are these restrictions right in main.cf and master.cf?

Thanks.
Dave.

On 4/20/18, Wietse Venema wrote:
> David Mehler:
>> Hi,
>>
>> It's Thunderbird 52.7. Is there a workaround to make this work?
>
> Yes, do nothing. In particular, do not use the Postfix
> reject_unauth_pipelining feature, because that would trigger
> a REJECT response.
>
> Wietse
>
>> On 4/20/18, Viktor Dukhovni wrote:
>> >
>> >
>> >> On Apr 20, 2018, at 4:52 PM, David Mehler wrote:
>> >>
>> >> I'm attempting to configure email autoconfig and autodiscover services
>> >> for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
>> >> thought I was dealing with either an Apache or Dovecot issue, now I'm
>> >> thinking it's an error with my Postfix configuration.
>> >>
>> >> Whenever I attempt a connection I'm getting this in my postfix error
>> >> log file:
>> >>
>> >> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
>> >> command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
>> >> QUIT\r\n
>> >
>> > This client does not implement SMTP correctly. There's nothing wrong
>> > with the Postfix configuration. The client MUST wait for the EHLO
>> > response *before* sending QUIT.
>> >
>> > --
>> > Viktor.
Re: automatic email account configuration, postfix pipelining restriction
, CBC3-SHA
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = strong
smtpd_tls_security_level = may
# for smtpd pfs
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
tls_preempt_cipherlist = yes
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_ciphers = high
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# For SPF
spf-policy_time_limit = 3600s

# Spam filter and DKIM signatures via Rspamd
smtpd_milters = unix:/var/run/rspamd/milter.sock
#smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893,inet:127.0.0.1:8472
non_smtpd_milters = $smtpd_milters
milter_protocol = 6
milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_default_action = accept

# postscreen(8) settings
### Before-220 tests
#postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
#postscreen_blacklist_action = drop
#postscreen_dnsbl_action = drop
#postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
#postscreen_dnsbl_sites = zen.spamhaus.org*3
#    b.barracudacentral.org*2
#    bl.spameatingmonkey.net*2
#    bl.spamcop.net
#    dnsbl.sorbs.net
#    psbl.surriel.com
#    bl.mailspike.net
#    swl.spamhaus.org*-4
#    list.dnswl.org=127.[0..255].[0..255].0*-2
#    list.dnswl.org=127.[0..255].[0..255].1*-3
#    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
#postscreen_dnsbl_threshold = 2
# Drop connections if other server is sending too quickly
#postscreen_greet_action = drop
#postscreen_dnsbl_whitelist_threshold = -1
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
# For sharing a temporary whitelist of addresses
#postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
#postscreen_cache_cleanup_interval = 0
#
inet_protocols = ipv4
smtputf8_enable = yes
# require addresses of the form "u...@domain.tld"
allow_percent_hack = no
swap_bangpath = no
compatibility_level = 2
#autoresponder_destination_recipient_limit = 1
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
# Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
# Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
tls_ssl_options = no_ticket, no_compression
# Mail queue settings
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
# Users always have to provide full e-mail addresses
append_dot_mydomain = no

Thanks.
Dave.

On 4/21/18, Wietse Venema wrote:
> David Mehler:
>> Hello,
>>
>> I am still trying to get this email sending with autodiscover working.
>> I've temporarily put Thunderbird aside as it looks like it has a long
>> standing compatibility issue with sending commands too early, and have
>> switched to Outlook 2010. With it I am getting the following which I
>> do not know what unknown is.
>>
>> Apr 21 04:22:38 hostname postfix/submission/smtpd[44179]: connect from
>> Connecting-Host-and-IP
>> Apr 21 04:22:39 hostname postfix/submission/smtpd[44179]: lost
>> connection after UNKNOWN from Connection-hostname-ip
>
> Please do not remove crucial evidence.
>
> I suppose that you still have
>
> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]:
> improper command pipelining after EHLO from
> Connecting-Machine-Hostname-And-IP: QUIT\r\n.
>
> If you don't have this, what did you do to change the client's
> behavior?
>
> I suppose that you also have:
>
> disconnect from hostname[address] ehlo=1...
>
> What is the complete set of logfile records?
>
> Wietse
Re: automatic email account configuration, postfix pipelining restriction
Hello Viktor,

Bingo! That did it. In the .xml file I changed ssl to encryption tls and it, well, got further than it did. I had some issues with smtpd* restrictions, specifically helo restrictions; I commented them out. So Outlook autodiscover is working, Thunderbird autoconfig still is not. Going to start another thread about my smtpd* restrictions, but any other suggestions on Thunderbird are appreciated.

Thanks for helping with Outlook.
Dave.

On 4/21/18, Viktor Dukhovni wrote:
>
>
>> On Apr 21, 2018, at 2:06 PM, David Mehler wrote:
>>
>> Thanks. I'm sorry, I should probably have more completely clarified
>> that. Different client entirely: in the previous message I was attempting
>> autoconfig with Thunderbird and getting those errors.
>>
>> This time I'm trying Outlook 2010 with autodiscover and getting the
>> errors in my last message. I thought to keep it under the same thread.
>>
>> For completeness and because I probably confused everyone, here's an
>> Outlook 2010 attempted connection and my current main.cf and master.cf
>> files.
>>
>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from Connecting-Host-And-IP
>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost connection after UNKNOWN from Connecting-Host-And-IP
>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect from Connecting-Host-And-IP unknown=0/1 commands=0/1
>
> You've probably configured Outlook to do (implicit) SSL on port 587,
> rather than STARTTLS. You should either direct its connections to
> port 465 with "wrapper mode TLS", or configure it to do STARTTLS on
> 587.
>
> --
> Viktor.
smtpd restrictions
Hello,

I'm running Postfix 3.3. I'm thinking I've got an issue with my smtpd* restrictions: either doing double work, or not ordered right, or just not optimized. Can someone take a look and see if anything stands out as being off?

Thanks.
Dave.

master.cf (service excerpt):

submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
    -o tls_preempt_cipherlist=yes

main.cf (smtpd* restrictions):

strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554

# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_helo_access hash:/usr/local/etc/postfix/helo_access,
    ,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
    ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    # The below commented lines were commented to make outlook work
    #reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    #reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    check_policy_service unix:private/dovecot-quota

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
    permit_mynetworks
    check_client_access hash:/usr/local/etc/postfix/without_ptr
    reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_helo_hostname
    # The below lines were commented to make outlook work
    #reject_non_fqdn_helo_hostname
    #reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining

# Restrictions for MUAs
#mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
aquamail helo option
Hello,

Is anyone using Android's Aquamail to send mail through Postfix? If so, how do you have it configured?

My Postfix is rejecting mail from Aquamail because its HELO is:

<[192.168.1.1]>

basically its internal IP. I do not want to remove my restrictions; can I get around this with a map?

Thanks.
Dave.
Re: aquamail helo option
dns_lookups=yes

127.0.0.1:10026 inet n  -       n       -       16      smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

p0f-policy unix -       n       n       -       -       spawn
    user=p0f argv=/usr/local/bin/perl /usr/local/etc/postfix/p0f-policy.pl

#cat postfix.log
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: connect from Connecting-Host-and-IP
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: Anonymous TLS connection established from Connecting-Host-and-IP: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE: reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=<[192.168.1.107]>
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: disconnect from Connecting-Host-and-IP ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8

On 4/22/18, /dev/rob0 wrote:
> On Sun, Apr 22, 2018 at 07:24:42PM -0400, David Mehler wrote:
>> Is anyone using Android's Aquamail to send mail through postfix?
>> If so, how do you have it configured?
>>
>> My postfix is rejecting mail from Aquamail because its HELO is:
>>
>> <[192.168.1.1]> basically its internal IP.
>
> What restriction do you have that is blocking this? Include
> "postconf -nf ; postconf -Mf" and the entire non-verbose logs showing
> the rejection. Perhaps you have a check_helo_access lookup; you
> should also show us what is in that lookup.
>
> While you can, and I do, block such HELOs on port 25, you must not
> apply such a restriction to submitting clients. A HELO like that is
> perfectly valid per RFC.
>
> So perhaps the actual problem is that you're submitting on port 25,
> and your fix is to require users to submit on submission[s], ports
> 587 or 465, and don't accept submitted mail on 25. Your reply as
> detailed above will show this.
>
>> I do not want to remove my restrictions; can I get around this with
>> a map?
>
> That would be a bad idea, and anyway, a question we couldn't answer
> without knowing how you blocked it. The various Postfix HELO
> restrictions, such as:
> + reject_invalid_helo_hostname
> + reject_non_fqdn_helo_hostname
> + reject_unknown_helo_hostname
> will NOT block that HELO string.
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: aquamail helo option
Hello Viktor,

Thank you for your reply. I do see the differences between the master.cf you reference and the one I've got. One thing: do you have an upstream reference for main.cf in GitHub? I'm looking for the mua* definitions; my system does not have them.

Thanks.
Dave.

On 4/22/18, Viktor Dukhovni wrote:
>
>
>> On Apr 22, 2018, at 11:29 PM, David Mehler wrote:
>>
>> Thanks for your reply. My postconf -nf and postconf -Mf are below, as
>> are the relevant log portions. I'm suspecting that my various smtpd*
>> restrictions are wrong.
>
> Start with the default upstream master.cf file template for submission:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/conf/master.cf#L17
>
> AVOID complex restriction definitions in master.cf; use the indirect approach
> ($mua_client_restrictions, ...) from the stock master.cf file, with the
> actual definitions in main.cf.
>
> Only the shortest/simplest overrides that will never change should be
> explicitly defined in master.cf. For example, and likely the
> setting you're missing:
>
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> --
> Viktor.
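An added example, not code from the thread or from Postfix: a small Python checker that splits smtpd_*_restrictions values the way Postfix does (whitespace or commas, empty elements ignored) and flags the two things these posts turn on, a smtpd_relay_restrictions list that rejects before it ever reaches permit_sasl_authenticated (the "auth=1 ... Relay access denied" session logged above) and the same HELO check listed in more than one restriction list. The set of argument-taking restriction prefixes and the list of legitimately repeated entries are simplifying assumptions; the sample values are the ones posted in this thread.

```python
"""Static sanity checks for Postfix smtpd_*_restrictions lists.

Added example for this thread, not code from the list or from Postfix.
"""
import re

# Restrictions whose next token is an argument (lookup table, DNSBL/DNSWL
# name, policy service).  Assumption: enough for the forms used in this thread.
ARG_PREFIXES = ("check_", "reject_rbl_", "reject_rhsbl_",
                "permit_dnswl_", "permit_rhswl_")
# Unconditional results: nothing listed after them is ever evaluated.
TERMINAL = {"permit", "reject", "defer"}
# Repeated across lists by the stock defaults too, so not "double work".
REPEAT_OK = {"permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination"}


def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs.

    Postfix splits on whitespace and commas and ignores empty elements, so
    a stray ", ," like the one in the posted config is harmless.
    """
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    parsed, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name.startswith(ARG_PREFIXES) and i + 1 < len(tokens):
            arg = tokens[i + 1]
            i += 1
        parsed.append((name, arg))
        i += 1
    return parsed


def check_restrictions(params):
    """Return human-readable findings for a dict of parameter -> value."""
    findings = []
    lists = {k: parse_restrictions(v) for k, v in params.items()
             if k.startswith("smtpd_") and k.endswith("_restrictions")}

    # 1. Authenticated submission clients must be permitted before the relay
    #    list rejects unauthorised destinations; otherwise the MUA logs in
    #    successfully and is still told "Relay access denied".
    relay = [n for n, _ in lists.get("smtpd_relay_restrictions", [])]
    stops = [i for i, n in enumerate(relay) if n in
             ("reject_unauth_destination", "defer_unauth_destination", "reject")]
    if stops and "permit_sasl_authenticated" not in relay[:stops[0]]:
        findings.append("smtpd_relay_restrictions: permit_sasl_authenticated is not "
                        "listed before the relay check; authenticated clients get "
                        "'Relay access denied'")

    # 2. Anything after an unconditional permit/reject/defer is dead config.
    for name, items in lists.items():
        names = [n for n, _ in items]
        for i, n in enumerate(names):
            if n in TERMINAL and i < len(names) - 1:
                findings.append(f"{name}: entries after '{n}' are never evaluated: "
                                f"{', '.join(names[i + 1:])}")
                break

    # 3. The same check in several lists runs several times per session.
    seen = {}
    for name, items in lists.items():
        for n, arg in items:
            if n not in TERMINAL and n not in REPEAT_OK:
                seen.setdefault((n, arg), []).append(name)
    for (n, arg), where in seen.items():
        if len(where) > 1:
            findings.append(f"{n} is evaluated in {len(where)} lists: {', '.join(where)}")
    return findings


# Constructed from the restriction lists posted in this thread.
POSTED = {
    "smtpd_relay_restrictions":
        "reject_non_fqdn_recipient reject_unknown_recipient_domain "
        "permit_mynetworks reject_unauth_destination",
    "smtpd_helo_restrictions": "permit_mynetworks reject_invalid_helo_hostname",
    "smtpd_recipient_restrictions":
        "permit_mynetworks permit_sasl_authenticated reject_unauth_destination "
        "check_helo_access hash:/usr/local/etc/postfix/helo_access, "
        ",check_helo_access pcre:/usr/local/etc/postfix/helo_checks "
        "reject_invalid_helo_hostname reject_unlisted_recipient",
}
# The submission-service shape suggested above: authenticate, then stop.
SUBMISSION = {
    "smtpd_relay_restrictions": "permit_sasl_authenticated, reject",
    "smtpd_recipient_restrictions":
        "reject_non_fqdn_recipient,reject_unknown_recipient_domain,"
        "permit_sasl_authenticated,reject",
}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("submission", SUBMISSION)):
        print(label, check_restrictions(cfg) or ["no findings"])
```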
Re: aquamail helo option
Hi,

Thanks. So I can drop in master.cf upstream without inputting mua* parameters in my main.cf? I've got a few options in my master.cf file submission service that are not in the upstream file; are they still relevant in 3.3?

smtp      inet  n       -       n       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

and in submission:

    -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o tls_preempt_cipherlist=yes

Thanks.
Dave.

On 4/23/18, Viktor Dukhovni wrote:
>
>
>> On Apr 23, 2018, at 12:10 AM, David Mehler wrote:
>>
>> Thank you for your reply. I do see the differences between the
>> master.cf you reference and the one I've got. One thing: do you have an
>> upstream reference for main.cf in GitHub? I'm looking for the mua*
>> definitions; my system does not have them.
>
> The default working configuration has empty values for the various
> $mua_mumble parameters. Most sites don't need them, but if you do
> need additional controls, you set them to fit your needs. The stock
> main.cf file does not define these parameters:
>
> https://github.com/vdukhovni/postfix/blob/master/postfix/conf/main.cf
>
> --
> Viktor.
Re: aquamail helo option
Hello Viktor,

Thank you again for your reply. I had to remove the mua* options in submission from the upstream master.cf that I loaded; otherwise it loaded fine. I'm not using them. I think I have it, the pfs that is. Can I get a postconf -nf and a postconf -Mf of your configuration, sanitized? I'd like to compare it with mine.

Thanks.
Dave.

On 4/23/18, Viktor Dukhovni wrote:
>
>
>> On Apr 23, 2018, at 12:29 AM, David Mehler wrote:
>>
>> Thanks. So I can drop in master.cf upstream without inputting mua*
>> parameters in my main.cf?
>
> Generally not the whole file, but you can use the stock file as a
> starting template from which to borrow appropriate service definitions
> or specific override settings.
>
>> I've got a few options in my master.cf file submission service that
>> are not in the upstream file; are they still relevant in 3.3?
>>
>> smtp inet n - n - 1 postscreen
>>   -o smtpd_sasl_auth_enable=no
>
> That setting is the default, and if you don't set it to "yes" in main.cf,
> the override is not needed, but could be a harmless "safety net".
>
>> dnsblog unix - - n - 0 dnsblog
>> tlsproxy unix - - n - 0 tlsproxy
>
> These are needed for postscreen support. You uncomment them in
> the stock file as needed.
>
>> and in submission:
>>   -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
>
> See http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
> Don't get hung up on the literal file name; what matters is the content,
> thus ideally a 2048-bit (Sophie Germain) prime group.
>
>>   -o smtpd_sasl_type=dovecot
>>   -o smtpd_sasl_path=private/auth
>
> Whatever SASL backend works for you.
>
>>   -o smtpd_sasl_security_options=noanonymous
>>   -o tls_preempt_cipherlist=yes
>
> These are fine.
>
> --
> Viktor.
Re: aquamail helo option
Hi,

I don't have any mua* options set in main.cf. As for HELO, I'm going to post my restrictions and their corresponding files; it's going to be a few hours, but I'm sure it's HELO.

Thanks.
Dave.

On 4/23/18, Matus UHLAR - fantomas wrote:
>>> On Sun, Apr 22, 2018 at 07:24:42PM -0400, David Mehler wrote:
>>>> Is anyone using Android's Aquamail to send mail through postfix?
>>>> If so, how do you have it configured?
>>>>
>>>> My postfix is rejecting mail from Aquamail because its HELO is:
>>>>
>>>> <[192.168.1.1]> basically its internal IP.
>
> How do you know it's because of HELO?
>
> On 22.04.18 23:29, David Mehler wrote:
>> #cat postfix.log
>> Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: connect from Connecting-Host-and-IP
>> Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: Anonymous TLS connection established from Connecting-Host-and-IP: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE: reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=<[192.168.1.107]>
>
> This does not look like HELO rejection.
> Did you set up SMTP authentication? Did it work?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them
error when attempting to send a message
Hello,

I'm running Postfix 3.3.1 with rspamd as an anti-spam solution. I started getting this error when attempting to connect remotely via my Android phone with AquaMail Pro as client, and do not know what it means; any help appreciated. My postconf -n is below.

Jun 27 16:45:15 hostname postfix/cleanup[55220]: 136C413982: milter-reject: END-OF-MESSAGE from cpe-xxx-xxx-xxx-xxx..xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 4.7.1 Try again later; from= to= proto=ESMTP helo=<[192.168.1.138]>

Thanks.
Dave.

#postconf -n
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks, regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = drop
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = high
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/usr/local/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_helo_access hash:/usr/local/etc/postfix/helo_access, ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx check_sender_access hash:/usr/local/etc/postfix/safe_addresses check_sender_access hash:/usr/local/etc/postfix/auto-whtlst check_client_access cidr:/usr/local/etc/postfix/spamfarms check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3] check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre reject_unknown_reverse_client_hostname reject_non_fqdn_sender reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unknown_helo_hostname reject_unlisted_recipient reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org check_policy_service unix:private/dovecot-quota
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recip
Re: error when attempting to send a message
Hello,

Thank you, and sorry for the long delay in this. Can I get a look at your master.cf submission definition? I'd like to compare it with mine. In my setup, in submission in master.cf, should I comment out or remove the milter_macro_daemon line?

Thanks.
Dave.

On 6/29/18, Matus UHLAR - fantomas wrote:
> On 27.06.18 17:33, David Mehler wrote:
>> I'm running Postfix 3.3.1 with rspamd as an anti-spam solution. I
>> started getting this error when attempting to connect remotely via my
>> android phone with aquamail pro as client, and do not know what it
>> means, any help appreciated, my postconf -n is below.
>>
>> Jun 27 16:45:15 hostname postfix/cleanup[55220]: 136C413982: milter-reject: END-OF-MESSAGE from cpe-xxx-xxx-xxx-xxx..xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 4.7.1 Try again later; from= to= proto=ESMTP helo=<[192.168.1.138]>
>
> Your android client should connect to ports 465 and 587, where milters aren't
> usually used, but SMTP authentication is usually required.
>
>> smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
postfix issue with ecc certificates
Hello,

I'm using Postfix 3.3. I am attempting to send mail from a remote Android phone running AquaMail Pro, which does support ECC certificates of secp-256. So I got an ECC cert pair from Let's Encrypt and installed it. Attempting to send an email gives me a handshake error on the Android client and the log output below, also my postconf -n output. Suggestions welcome.

Thanks.
Dave.

# tail -f /var/log/postfix.log
Aug 3 17:22:27 hostname postfix/submission/smtpd[65716]: connect from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Aug 3 17:22:27 hostname postfix/submission/smtpd[65716]: SSL_accept error from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: -1
Aug 3 17:22:27 hostname postfix/submission/smtpd[65716]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
Aug 3 17:22:27 hostname postfix/submission/smtpd[65716]: lost connection after STARTTLS from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Aug 3 17:22:27 hostname postfix/submission/smtpd[65716]: disconnect from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] ehlo=1 starttls=0/1 commands=1/2

# postconf -n
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = high
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated reject_unknown_client_hostname check_client_access cidr:/usr/local/etc/postfix/spamfarms check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_access hash:/usr/local/etc/postfix/helo_access,
smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_pipelining check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3] reject_unlisted_recipient check_policy_service unix:private/dovecot-quota
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_sasl_authenticated rej
Re: postfix issue with ecc certificates
Hello,

Thanks Wietse and Victor. I commented out the smtp* lines and that didn't fix it. What I then did was change my ecc_grade from ultra to strong. Does this sound like the solution?

Thanks.
Dave.

On 8/3/18, Viktor Dukhovni wrote:
>
>> On Aug 3, 2018, at 6:09 PM, David Mehler wrote:
>>
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
>
> This does not leave too many working options... :-)
>
> --
> Viktor.
Re: postfix issue with ecc certificates
Hi,

Sorry, the parameter is smtpd_tls_eecdh_grade; it was set to ultra and I set it to strong. I don't know if that's what did it, but clients can now send. If I'm getting what I'm reading, ultra refers to p-384 bit ECC curves, while strong is p-256, which is what I've got.

Thanks.
Dave.

On 8/4/18, Wietse Venema wrote:
> David Mehler:
>> Hello,
>>
>> Thanks Wietse and Victor,
>>
>> I commented out the smtp* lines and didn't fix it. What I then did was
>> changed my ecc_grade from ultra to strong. Does this sound like the
>> solution?
>
> $ postconf|grep ecc_grade
>
> [empty output]
Re: postfix issue with ecc certificates
Hi,

Thanks, that has done it.

Thanks.
Dave.

On 8/4/18, Viktor Dukhovni wrote:
>
>> On Aug 4, 2018, at 11:15 AM, David Mehler wrote:
>>
>> Sorry, the parameter is smtpd_tls_eecdh_grade it was set to ultra I
>> set it to strong. I don't know if that's what did it but clients can
>> now send.
>
> With recent Postfix releases, and OpenSSL >= 1.0.2, the best setting
> for this parameter is "auto", which negotiates a mutually agreeable
> group based on the client's list of supported curves.
>
> http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
>
> Therefore (as with many other Postfix parameters) it is best to simply
> NOT CHANGE the default value of this parameter.
>
> $ postconf -d mail_version smtpd_tls_eecdh_grade
> mail_version = 3.3.1
> smtpd_tls_eecdh_grade = auto
>
>> If I'm getting what I'm reading ultra refers to p-384 bit ecc curves,
>> while strong is p-256, that's what I've got.
>
> Let Postfix do the work for you, you don't have to lock down all the
> settings.
>
> --
> Viktor.
5.7.1 issue relaying telnet, on same host
Hello,

I'm trying to get a new mail server going. It's running in a FreeBSD 12.0 jail and it's Postfix 3.4.5 and Dovecot 2.3.6. The machine's IP is 172.16.21.3. I'm on the host and telnetting to the server on port 25; after RCPT I'm getting:

Jun 17 13:47:49 mail postfix/smtpd[29888]: NOQUEUE: reject: RCPT from mail.example.local[172.16.21.3]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

I believe I've got a configuration issue with my *restrictions; I'd appreciate any suggestions. I've got a full postconf -n later. All of my users are virtual in a MySQL database; the db communication is working fine and returning the appropriate results.

Thanks.
Dave.

main.cf (snippet):

inet_interfaces = 172.16.21.3
mydestination = 172.16.21.3
mynetworks = $config_directory/mynetworks

# Dovecot sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
# but plaintext auth is fine when using TLS
smtpd_sasl_tls_security_options = noanonymous

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_sasl_authenticated reject_unknown_reverse_client_hostname check_client_access cidr:/usr/local/etc/postfix/spamfarms check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre

# helo restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname check_helo_access hash:/usr/local/etc/postfix/helo_access,

# sender restrictions
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx check_sender_access hash:/usr/local/etc/postfix/safe_addresses check_sender_access hash:/usr/local/etc/postfix/auto-whtlst

smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination

smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_pipelining permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3] reject_unlisted_recipient

# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_eccert_file = /usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
smtpd_tls_eckey_file = /usr/local/etc/ssl/acme.sh/example.com/private/server-ec256.key
smtpd_tls_CAfile = /usr/local/etc/ssl/acme.sh/example.com/cacert.crt
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_security_level = may
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dh.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
tls_preempt_cipherlist = yes
tls_high_cipherlist = ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_ciphers = high
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
The Prefix Whois milter, with Postfix On FreeBSD?
Hello, Has anyone got the Prefix Whois milter going with Postfix on a FreeBSD system? I'm having compilation difficulties. If anyone has this going please let me know. Thanks. Dave.
Re: The Prefix Whois milter, with Postfix On FreeBSD?
Hello,

Here is the complete run.

Thanks.
Dave.

root@mail:~/pwhois_milter_1.4#make
gmake[1]: Entering directory '/root/pwhois_milter_1.4'
cc -pthread -Ofast -ggdb3 -Wall -Wextra pwhois_milter.c -c -I/usr/include -I/usr/local/include -o pwhois_milter.o
cc -pthread pwhois_milter.o -o pwhois_milter -L/usr/lib/libmilter -L/usr/local/lib/libmilter -lrt -lmilter
gmake[1]: Leaving directory '/root/pwhois_milter_1.4'
root@mail:~/pwhois_milter_1.4#make install
gmake[1]: Entering directory '/root/pwhois_milter_1.4'
mkdir -p /usr/local/bin
rm -vf /usr/local/bin/pwhois_milter.old
mv -nv /usr/local/bin/pwhois_milter /usr/local/bin/pwhois_milter.old
mv: rename /usr/local/bin/pwhois_milter to /usr/local/bin/pwhois_milter.old: No such file or directory
gmake[1]: *** [Makefile:44: install] Error 1
gmake[1]: Leaving directory '/root/pwhois_milter_1.4'
*** Error code 2

Stop.
make: stopped in /root/pwhois_milter_1.4

On 6/25/19, Wietse Venema wrote:
> David Mehler:
>> Hello,
>>
>> Has anyone got the Prefix Whois milter going with Postfix on a FreeBSD
>> system? I'm having compilation difficulties. If anyone has this going
>> please let me know.
>
> What is the error message?
Re: The Prefix Whois milter, with Postfix On FreeBSD?
Hello,

Thanks, that did it.

Thanks.
Dave.

On 6/25/19, Wietse Venema wrote:
> David Mehler:
>> Hello,
>>
>> Here is the complete run.
>>
>> Thanks.
>> Dave.
>> root@mail:~/pwhois_milter_1.4#make
>> gmake[1]: Entering directory '/root/pwhois_milter_1.4'
>> cc -pthread -Ofast -ggdb3 -Wall -Wextra pwhois_milter.c -c
>> -I/usr/include -I/usr/local/include -o pwhois_milter.o
>> cc -pthread pwhois_milter.o -o pwhois_milter -L/usr/lib/libmilter
>> -L/usr/local/lib/libmilter -lrt -lmilter
>> gmake[1]: Leaving directory '/root/pwhois_milter_1.4'
>> root@mail:~/pwhois_milter_1.4#make install
>> gmake[1]: Entering directory '/root/pwhois_milter_1.4'
>> mkdir -p /usr/local/bin
>
> After the above, /usr/local/bin exists.
>
>> rm -vf /usr/local/bin/pwhois_milter.old
>
> The above removes /usr/local/bin/pwhois_milter.old if it exists,
> otherwise it does nothing.
>
>> mv -nv /usr/local/bin/pwhois_milter /usr/local/bin/pwhois_milter.old
>> mv: rename /usr/local/bin/pwhois_milter to
>> /usr/local/bin/pwhois_milter.old: No such file or directory
>
> The above fails because /usr/local/bin/pwhois_milter does not exist.
>
> Try:
> # touch /usr/local/bin/pwhois_milter
>
> Wietse
postfix p0f milter
Hello,

I hope this isn't too off topic, but hopefully someone will have more information on this than I do. I've got a Postfix with virtual mail users system going. I'm needing to tighten my antispam setup. I'm wanting to integrate p0f into my system, and am hoping there's a milter out there that will do it. My goal is this: I've got Postfix going on port 25 for incoming connections, so I'm wanting the milter to passively scan that port, and only if a client makes a successful connection, i.e. is able to deliver mail, p0f kicks off and scans the TCP/IP connection. As an example, if it comes from a Windows XP machine then a p0f header is placed into that message with a spam probability value. Further down the line my rspamd looks for that header, finds it, reads the value, and since it's a high number from XP it immediately takes spam actions. If anyone has this working with a milter for Postfix, either shell, Perl, Python, or something similar, I'd appreciate knowing it.

Thanks.
Dave.
untrusted tls connection to google
Hello,

I'm running Postfix 3.4.5 and email sending/receiving is working. I am however noticing a message:

Jul 2 14:59:44 mail postfix/smtp[14345]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

I've googled and I've checked for the options smtpd_tls_CApath and smtp_tls_CApath, both of which are blank. My TLS configuration is using letsencrypt-generated certificates. Is there a fix for this?

Thanks.
Dave.
postfix error in spf
Hello,

I've got a Postfix virtual domain setup in a FreeBSD jail. A separate jail holds the webmail server. This is version 3.4.5 of Postfix. I've got SPF, and am trying to send out a test email. This is what I'm getting:

Jul 14 17:28:04 mail postfix/submission/smtpd[6855]: connect from webserver.example.local[172.16.21.1]
Jul 14 17:28:04 mail postfix/submission/smtpd[6855]: Anonymous TLS connection established from webserver.example.local[172.16.21.1]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Jul 14 17:28:05 mail postfix/policy-spf[9379]: Policy action=550 Please see http://www.openspf.net/Why?s=mfrom;id=user%40example.com;ip=172.16.21.1;r=mail.example.local
Jul 14 17:28:05 mail postfix/submission/smtpd[6855]: NOQUEUE: reject: RCPT from webserver.example.local[172.16.21.1]: 550 5.7.1 : Recipient address rejected: Please see http://www.openspf.net/Why?s=mfrom;id=user%40example.com;ip=172.16.21.1;r=mail.example.local; from= to= proto=ESMTP helo=
Jul 14 17:28:05 mail postfix/submission/smtpd[6855]: disconnect from webserver.example.local[172.16.21.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8

Here's a postconf -n as well:

allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = no
in_flow_delay = 1s
inet_interfaces = 172.16.21.3
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mydestination = mail.example.local
mydomain = example.com
myhostname = mail.example.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_CApath = $smtpd_tls_CApath
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = high
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated reject_unknown_reverse_client_hostname check_client_access cidr:/usr/local/etc/postfix/spamfarms check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
smtpd_helo_required = yes
smtpd_helo_restri
Re: postfix error in spf
Hello Viktor,

Thanks for your reply. Is my configuration overdoing it? Here's my submission snippet:

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o tls_preempt_cipherlist=yes
  -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf

and a main.cf snippet:

mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

Thanks.
Dave.

On 7/14/19, Viktor Dukhovni wrote:
> On Sun, Jul 14, 2019 at 05:41:14PM -0400, David Mehler wrote:
>
>> I've got a postfix virtual domain setup in a freebsd jail. A separate
>> jail holds the webmail server. This is version 3.4.5 of Postfix. I've
>> got spf, and am trying to send out a test email. This is what I'm
>> getting:
>>
>> Jul 14 17:28:04 mail postfix/submission/smtpd[6855]: connect from
>> webserver.example.local[172.16.21.1]
>> Jul 14 17:28:05 mail postfix/policy-spf[9379]: Policy action=550
>> Please see
>> http://www.openspf.net/Why?s=mfrom;id=user%40example.com;ip=172.16.21.1;r=mail.example.local
>> Jul 14 17:28:05 mail postfix/submission/smtpd[6855]: NOQUEUE: reject:
>> RCPT from webserver.example.local[172.16.21.1]: 550 5.7.1
>> : Recipient address rejected: Please see
>> http://www.openspf.net/Why?s=mfrom;id=user%40example.com;ip=172.16.21.1;r=mail.example.local;
>> from= to= proto=ESMTP
>> helo=
>> Jul 14 17:28:05 mail postfix/submission/smtpd[6855]: disconnect from
>> webserver.example.local[172.16.21.1] ehlo=2 starttls=1 auth=1 mail=1
>> rcpt=0/1 rset=1 quit=1 commands=7/8
>
> DO NOT apply SPF checks to authenticated submission. Your master.cf
> entry for submission should override all the standard restriction
> lists with alternatives appropriate for submission (basically just
> "permit_sasl_authenticated, reject").
>
> --
> Viktor.
Postfix 3.4.5, openssl 1.1.x, and TLS 1.3?
Hello, I'm wanting to ensure my postfix configuration will work with TLS 1.3. Any suggestions/howtos? Thanks. Dave.
[pfx] postfix database, aliases, permissions, configuration issue, help requested, perplexed
Hello,

I'm trying to migrate to a new setup, Debian 12 with Postfix 3.7 and Dovecot 2.3 using virtual mailbox domains. There are no local users; everyone is virtual. The first problem I'm seeing is the Postfix process is exiting:

#systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; preset: e>
     Active: active (exited) since Wed 2023-07-19 15:02:03 EDT; 4s ago

I suspect this is occurring because of this:

2023-07-19T15:19:58.474716-04:00 hostname postfix/master[41002]: warning: process /usr/lib/postfix/sbin/smtpd pid 41013 exit status 1

A few lines earlier:

2023-07-19T15:19:57.473608-04:00 hostname postfix/proxymap[41014]: warning: request for unapproved table: "unix:passwd.byname"
2023-07-19T15:19:57.473797-04:00 hostname postfix/proxymap[41014]: warning: to approve this table for read-only access, list proxy:unix:passwd.byname in main.cf:proxy_read_maps
2023-07-19T15:19:57.474399-04:00 hostname postfix/smtpd[41013]: fatal: proxymap service is not configured for table "unix:passwd.byname"

I don't have that table listed in my proxy configuration. I'm also getting errors when attempting to access my SQL aliases.cf configuration. That looks like this, and it's looking like others:

2023-07-19T15:20:02.693395-04:00 hostname postfix/proxymap[41014]: error: open /etc/postfix/sql/aliases.cf: Permission denied
2023-07-19T15:20:02.700548-04:00 hostname postfix/proxymap[41014]: error: open /etc/postfix/sql/domains.cf: Permission denied
2023-07-19T15:20:02.701021-04:00 hostname postfix/proxymap[41014]: warning: mysql:/etc/postfix/sql/aliases.cf is unavailable. open /etc/postfix/sql/aliases.cf: Permission denied
2023-07-19T15:20:02.701791-04:00 hostname postfix/cleanup[41032]: warning: proxy:mysql:/etc/postfix/sql/aliases.cf lookup error for "r...@mail.example.com"

I'm seeing issues with postfix/local trying to get into this; whenever it does, it tries to send to r...@mail.example.com.

Given the above I would think nothing would be working: since domains.cf can't be found, receiving any email shouldn't work. I sent a test message through and it does. If I send to a non-alias address, i.e. r...@domain.com, it does not work, yet u...@domain.com goes through just fine.

Here's my master.cf file and a postconf -n output. Here's also the permissions of /etc/postfix/sql/*.cf. Any help appreciated.

Thanks.
Dave.

#cat master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no)(never) (100)
# ==
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - y - - smtpd
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=submission-header-cleanup
  -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable submissions for loopback clients only, or for any client.
#127.0.0.1:submissions inet n - y - - smtpd
#submissions inet n - y - - smtpd
# -o syslog_name=postfix/submissions
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o s
[pfx] Re: postfix database, aliases, permissions, configuration issue, help requested, perplexed
Hello,

Thank you for your reply. My apologies, I thought these issues were all possibly interrelated.

To the first issue, the Postfix process dying. I looked at the service startup definition on my Debian 12 system; that's in /lib/systemd/system/postfix.service. I believe this is the section with the information you requested:

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true

I stopped and started Postfix and used:

systemctl --full --no-pager status postfix

That didn't tell me more than I already knew:

#systemctl --full --no-pager status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; preset: enabled)
     Active: active (exited) since Thu 2023-07-20 08:31:16 EDT; 11s ago
       Docs: man:postfix(1)
    Process: 59286 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 59286 (code=exited, status=0/SUCCESS)

Jul 20 08:31:16 hostname.example.com systemd[1]: Starting postfix.service - Postfix Mail Transport Agent...
Jul 20 08:31:16 hostname.example.com systemd[1]: Finished postfix.service - Postfix Mail Transport Agent.

I ran "postfix check"; I get no warnings. I checked for both SELinux and AppArmor; neither is installed. I ran "postfix set-permissions"; again no warnings. I hope this information helps.

Thanks.
Dave.

On 7/19/23, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Jul 19, 2023 at 06:03:17PM -0400, David Mehler via Postfix-users wrote:
>
>> I'm trying to migrate to a new setup, Debian 12 with Postfix 3.7 and
>> Dovecot 2.3 using virtual mailbox domains. There are no local everyone
>> is virtual. The first problem I'm seeing is the Postfix process is
>> exiting:
>
> You're packing too many problems into one post, which discourages
> substantive help. Best to restart one problem at a time.
>
>> #systemctl status postfix
>> ● postfix.service - Postfix Mail Transport Agent
>> Loaded: loaded (/lib/systemd/system/postfix.service; enabled; preset: e>
>> Active: active (exited) since Wed 2023-07-19 15:02:03 EDT; 4s ago
>
> This is likely because of a mismatch between the service definition and
> the actual Postfix start code it invokes. Is the (ultimately master(8))
> process actually expected to remain in the foreground? Or is the
> "exited" actually normal here, because the service definition is
> starting a "background" job?
>
> See the postfix(1) manpage about various ways to start Postfix, and
> see what the service definition is trying to do.
>
>> I suspect this is occurring because of this:
>>
>> 2023-07-19T15:19:58.474716-04:00 hostname postfix/master[41002]:
>> warning: process /usr/lib/postfix/sbin/smtpd pid 41013 exit status 1
>
> No, because master(8) keeps running regardless of whether various
> services are failing or not. Once the service startup issue is
> put to bed (it is probably fine, but let's get that out of the way),
> we can try to solve each of the remaining problems one at a time.
>
> Some of them suggest that perhaps you have SELinux or AppArmor, ...
> refusing to allow various kinds of file access.
>
> Run "postfix check" and address any reported problems. If "postfix
> set_permissions" does not fix the various file permission problems,
> look to disable SELinux or AppArmor.
>
> --
> Viktor.
> ___
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postfix database, aliases, permissions, configuration issue, help requested, perplexed
Hello,

Thanks everyone for the feedback. I've commented out proxy_read_maps, which seems to have done it: postfix/local isn't trying to get into things and aliases are working, though I'm not sure if the perms there are right, 755 root:root on /etc/postfix/sql and 644 root:root on the various .cf files.

Thanks.
Dave.

On 7/20/23, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Jul 20, 2023 at 08:45:46AM -0400, David Mehler via Postfix-users wrote:
>
>> Thank you for your reply. My apologies, I thought these issues were
>> all possibly interrelated.
>>
>> To the first issue the postfix process dying.
>
> Quite possibly, the right formulation is "exiting as expected", rather
> than "dying".
>
> If the master(8) process is still running, "Postfix" is running and not
> "dead", but individual services listed in master.cf may be encountering
> fatal problems.
>
> So the "exited" status may be a non-problem, and your problems are all
> the file permission and related issues. If so, now move on to one of
> the other problems.
>
> --
> Viktor.
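Two of the threads above come down to a main.cf parameter that was set by hand when the default would have served: smtpd_tls_eecdh_grade (Viktor's advice in the ECC thread was to leave it at "auto") and proxy_read_maps (once set explicitly, proxymap refuses any proxy: table not on the list, which is what the "unapproved table: unix:passwd.byname" warning says). The following is an added example, not code from the list or from the Postfix project: a small lint over a `postconf -n` dump that parses the `name = value` lines (including indented continuation lines), expands `$name` references, and reports both problems. The sample dump is constructed; the only Postfix default it knows is local_recipient_maps (`proxy:unix:passwd.byname $alias_maps`, per postconf(5)), so the proxy_read_maps check is skipped when that parameter is left at its default.

```python
"""Lint a `postconf -n` dump for two issues raised in these threads."""
import re
from typing import Dict, List, Set

# The one Postfix default this checker knows (postconf(5)): it is the
# table behind the "unapproved table: unix:passwd.byname" warning.
KNOWN_DEFAULTS = {"local_recipient_maps": "proxy:unix:passwd.byname $alias_maps"}

_VAR = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `name = value` lines; indented lines continue the previous value."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value: str, params: Dict[str, str], depth: int = 0) -> str:
    """Expand $name and ${name} references (bounded recursion, like postconf -x)."""
    if depth > 8:
        return value
    return _VAR.sub(
        lambda m: expand(params.get(m.group(1), KNOWN_DEFAULTS.get(m.group(1), "")),
                         params, depth + 1),
        value)


def proxy_tables(value: str) -> Set[str]:
    """Collect proxy:type:name table references from an expanded value."""
    return {tok.strip(",") for tok in value.split() if tok.startswith("proxy:")}


def lint(dump: str) -> List[str]:
    params = parse_postconf(dump)
    findings: List[str] = []

    # 1. smtpd_tls_eecdh_grade: anything but the default "auto" pins a curve
    #    family instead of negotiating one the client supports.
    grade = params.get("smtpd_tls_eecdh_grade")
    if grade is not None and grade != "auto":
        findings.append(f"smtpd_tls_eecdh_grade = {grade}: leave at the default 'auto', "
                        "which negotiates a curve from the client's supported list")

    # 2. proxy_read_maps: once set explicitly, every proxy: table referenced
    #    anywhere (including by known defaults) must be on the list.
    if "proxy_read_maps" in params:
        approved = proxy_tables(expand(params["proxy_read_maps"], params))
        effective = dict(KNOWN_DEFAULTS)
        effective.update(params)
        for name, value in sorted(effective.items()):
            if name == "proxy_read_maps":
                continue
            for table in sorted(proxy_tables(expand(value, params))):
                if table not in approved:
                    findings.append(f"{name} uses {table}, which is not listed in proxy_read_maps")
    return findings


# Constructed sample (not the poster's output): a virtual-only host where
# proxy_read_maps was written by hand and lists only two of the SQL tables.
SAMPLE_DUMP = """\
alias_maps = hash:/etc/aliases
mydestination = localhost
proxy_read_maps = proxy:mysql:/etc/postfix/sql/domains.cf
    proxy:mysql:/etc/postfix/sql/accounts.cf
smtpd_tls_eecdh_grade = ultra
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
"""

# Same host, corrected: the eecdh grade is back at "auto" and proxy_read_maps
# names the parameters whose tables go through proxymap, defaults included.
SAMPLE_FIXED = """\
alias_maps = hash:/etc/aliases
mydestination = localhost
proxy_read_maps = $local_recipient_maps $virtual_alias_maps
    $virtual_mailbox_domains $virtual_mailbox_maps
smtpd_tls_eecdh_grade = auto
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
"""

if __name__ == "__main__":
    for label, dump in (("before", SAMPLE_DUMP), ("after", SAMPLE_FIXED)):
        print(f"{label}: {lint(dump) or ['no findings']}")
```

Run against a live host with `postconf -n | python3 lint.py` after swapping the sample for `sys.stdin.read()`; the expansion step matters because Postfix evaluates `$local_recipient_maps` inside proxy_read_maps, so a list written in terms of parameter names stays correct when the underlying tables change.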
[pfx] Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
Hello,

I've got a Debian 12.5 VPS going; it's running Dovecot 2.3.x and Postfix 3.7.x, secured with letsencrypt. I've confirmed that my certificates are valid and unexpired. I'm trying to connect via STARTTLS to Dovecot 143, for retrieving mail, and Postfix 587 submission to send it. I'm wanting to utilize Thunderbird v91.x. I've tried configuring with both the automatic configuration and the manual configuration; in both cases I am getting an error in my maillog from the submission/smtpd service stating "error improper command pipelining after helo". Googling showed this error, but in that case the solution was he was running Avast Antivirus, and I am not. In either case, manual or automatic, the configuration does not complete. I'm wondering if anyone else has seen this with these versions of Thunderbird and Postfix? Do my *restrictions and TLS configurations look good? Here's my postconf -n output; hope it helps. Suggestions welcome.

Thanks.
Dave.

# postconf -n
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level =
disable_vrfy_command = yes
inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2 bl.spamcop.net*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/recipient-access.cf, permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_client_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_sender_access pcre:/etc/postfix/sender_access, check_policy_service unix:private/dovecot-quota
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject_unauth_destination,
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example.com/example.com.fullchain.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/ssl/example.com/example.com.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION NO_RENEGOTIATION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_gid_maps = static:992
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999

#cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==
#smtp inet n - n - - smtpd
smtp inet
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
Hello Wietse,

Thank you for your reply.

> Thunderbird pipelining errors after helo?

That is the problem, yes. In my master.cf I do have smtpd_tls_wrappermode, but it's in the commented-out service for port 465; I'm using submission. I've checked with postconf and smtpd_tls_wrappermode is set to no.

Is there any additional information I can provide? Please keep the suggestions coming.

Thanks.
Dave.

On 4/1/2024 3:41 PM, Wietse Venema via Postfix-users wrote:
> David Mehler via Postfix-users:
>> to utilize Thunderbird v91.x. I've tried configuring with both the
>> automatic configuration and the manual configuration, in both cases I am
>> getting an error in my maillog from submission/smtpd service stating
>> error improper command pipelining after helo. Googling showed this error
>
> Thunderbird pipelining errors after helo?
>
> People sometimes have improper command pipelining errors after *connect*, when
>
> - The Postfix SMTP server is configured in master.cf with
>   smtpd_tls_wrappermode turned off (this is the usual configuration for
>   connect to the submission service a.k.a. port 587).
>
> - The SMTP client is configured with smtpd_tls_wrappermode turned on (this
>   is the usual configuration for clients that connect to the submissions
>   service a.k.a. port 465).
>
> The client then starts talking before the server expects that to happen.
>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

-- 
Sent from Mozilla Thunderbird 91.13.1
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
s/smtpd[1575]: input attribute value: 0
2024-04-02T09:49:26.016422-04:00 hostname postfix/smtps/smtpd[1575]: private/anvil: wanted attribute: (list terminator)
2024-04-02T09:49:26.016475-04:00 hostname postfix/smtps/smtpd[1575]: input attribute name: (end)
2024-04-02T09:49:26.016528-04:00 hostname postfix/smtps/smtpd[1575]: lost connection after CONNECT from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
2024-04-02T09:49:26.016584-04:00 hostname postfix/smtps/smtpd[1575]: disconnect from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] commands=0/0

On 4/1/2024 4:17 PM, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Apr 01, 2024 at 04:09:34PM -0400, David Mehler via Postfix-users wrote:
>
>> In my master.cf I do have smtpd_tls_wrappermode but it's in the commented
>> out service for port 465, I'm using submission. I've checked with postconf
>> and smtpd_tls_wrappermode is set to no.
>
> Of course, but Thunderbird might be attempting wrapper-mode (implicit TLS),
> which could then be logged as a pipelining violation.
>
>> Is there any additional information I can provide? Please keep the
>> suggestions coming.
>
> The full unedited log entry has already been requested. For meaningful
> help, post the log entry.

-- 
Sent from Mozilla Thunderbird 91.13.1
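Both Wietse's explanation (a client in wrapper mode talking to a STARTTLS port starts sending before the server has said anything) and Viktor's remark (Thunderbird may be attempting implicit TLS, which then gets logged as a pipelining violation) come down to one observable: what bytes arrived before the server's 220 banner. The following is an added example, not code from this thread or from Postfix, that classifies those first bytes. A TLS ClientHello always begins with a handshake record header (0x16, 0x03 0x0N), so it is distinguishable from a client that merely sent EHLO too early. The sample inputs are constructed, not captured from the poster's server; the port numbers and Thunderbird setting names in the advice strings are the standard ones and are stated as assumptions about the reader's client.

```python
"""Classify what an SMTP client sent before the server's 220 banner.

Added example (not from the thread or from Postfix). A plaintext submission
service on 587 expects the client to wait for the banner, then send EHLO and
STARTTLS. A client configured for implicit TLS (the 465 style, "SSL/TLS" in
Thunderbird's connection-security menu) instead opens with a TLS ClientHello,
which a text-protocol server sees only as unexpected early input.
"""
import re

def looks_like_tls_client_hello(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0N,
    # 2-byte length, then a handshake message whose first byte 0x01 is
    # ClientHello. TLS 1.3 still puts 0x0301 or 0x0303 in the record header.
    return (len(data) >= 6
            and data[0] == 0x16
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == 0x01)

# Verbs a client may legitimately send after the banner; seeing one before
# the banner is the ordinary "did not wait" pipelining case.
SMTP_VERB = re.compile(
    rb"^(EHLO|HELO|STARTTLS|AUTH|MAIL|RCPT|DATA|RSET|NOOP|QUIT)\b", re.IGNORECASE)

def classify_pre_banner_input(data: bytes) -> str:
    """Return 'waited', 'implicit-tls', 'early-smtp' or 'unknown'."""
    if not data:
        return "waited"          # correct behaviour for STARTTLS on 587
    if looks_like_tls_client_hello(data):
        return "implicit-tls"    # client thinks this is a 465-style port
    if SMTP_VERB.match(data.lstrip()):
        return "early-smtp"      # client spoke SMTP before the banner
    return "unknown"

# Assumed remediation text; the setting names are Thunderbird's standard
# "Connection security" choices, the ports the usual ones.
ADVICE = {
    "waited": "client waited for the banner; check which service (syslog_name) "
              "logged the error and what it expects",
    "implicit-tls": "client is doing implicit TLS: set it to STARTTLS for 587, "
                    "or point it at a service with smtpd_tls_wrappermode=yes (465)",
    "early-smtp": "client sent SMTP before the banner: not a TLS-mode mismatch, "
                  "look at the client or anything proxying the connection",
    "unknown": "neither TLS nor SMTP; capture the raw bytes and inspect them",
}

def diagnose(data: bytes) -> tuple[str, str]:
    kind = classify_pre_banner_input(data)
    return kind, ADVICE[kind]

# Constructed samples (not taken from the poster's logs): the first 11 bytes
# of a TLS 1.2 ClientHello record, and an EHLO sent without waiting.
TLS12_CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00c4 01 0000c0 0303")
EHLO_FIRST = b"EHLO laptop.example.org\r\n"

if __name__ == "__main__":
    for sample in (b"", TLS12_CLIENT_HELLO_PREFIX, EHLO_FIRST, b"\x00" * 6):
        kind, advice = diagnose(sample)
        print(f"{sample[:8]!r:>28} -> {kind}: {advice}")
```

To reproduce both behaviours against a real server without a mail client, `openssl s_client -connect mail.example.com:587 -starttls smtp` waits for the banner and upgrades (the correct exchange for 587), while `openssl s_client -connect mail.example.com:587` without `-starttls` sends a ClientHello immediately, which is exactly the input a wrapper-mode client produces. On the server side the usual way to tolerate either client setting is to run both services in master.cf: `submission` without wrapper mode and `submissions` with `-o smtpd_tls_wrappermode=yes`, so a client set to either connection-security type lands on a port that expects it. Read the classifier's output together with the syslog_name of the service that logged the error, since submission and a wrapper-mode service expect opposite behaviour from the first bytes.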
[pfx] Mails ending up in spam when sending to gmail address
Hello,

I'm not sure if this is a Postfix, an Rspamd, or a Gmail problem; the first two I can do something about, the third one not so sure.

I'm running a personal e-mail server on a VPS via a2hosting. I'm using Cloudflare for my DNS. I've got Postfix 3.7.11 and Rspamd 3.8.4 going. All appears well on my end: I've got DNS MX, a PTR, SPF, DKIM, and DMARC, with what I thought was abiding by Google's new email sending policy so I could get a message through. On my side the email is accepted from here and relayed, Rspamd does sign it, and Postfix's last message in the log is that the message was sent, delivered, and removed from my queue. I check my test Gmail account, and the message is indeed there, but Gmail has placed it in the spam folder. I check the headers of said message, and SPF and DKIM both pass.

I am open to suggestions.

Thanks.
Dave.

-- 
Sent from Mozilla Thunderbird 91.13.1
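The post reports that SPF and DKIM both pass in the received headers. The check that Google's sender requirements actually hinge on is DMARC, and DMARC needs more than a pass: the domain that passed SPF (the envelope sender) or DKIM (the d= in the signature) must align with the domain in the visible From: header. A pass on an unaligned domain earns nothing. The following is an added example, not code from the thread, that parses an Authentication-Results header in the shape Gmail writes it plus the From: header and reports alignment. It does not diagnose the poster's message; the sample headers are constructed. The organizational-domain logic is a deliberate simplification (last two labels) and is labelled as such in the code; real DMARC uses the Public Suffix List.

```python
"""Check SPF/DKIM alignment for DMARC from received headers.

Added example, not code from the thread. A receiver records each method's
verdict in Authentication-Results; DMARC then asks whether the domain that
passed aligns with the RFC 5322 From domain. Relaxed alignment compares
organizational domains, strict alignment requires an exact match.
"""
import re

def from_domain(from_header: str) -> str:
    """Domain of the address in a From: header value."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for this example; real DMARC consults the Public Suffix List,
    so this is wrong for names like example.co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def parse_auth_results(header: str) -> list[dict[str, str]]:
    """Parse 'authserv-id; method=result prop=value ...; method=...'.
    Parenthesised comments (Gmail adds them, and they contain '=' and spaces)
    are stripped before splitting."""
    cleaned = re.sub(r"\([^)]*\)", "", header)
    parts = [p.strip() for p in cleaned.split(";")]
    results = []
    for part in parts[1:]:           # parts[0] is the authserv-id
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            if value:
                entry[key.lower()] = value.strip('"').lower()
        results.append(entry)
    return results

def dmarc_alignment(auth_results: str, from_header: str,
                    strict: bool = False) -> dict[str, bool]:
    """Report whether any passing SPF or DKIM result aligns with From."""
    fd = from_domain(from_header)

    def aligned(d: str) -> bool:
        return d == fd if strict else org_domain(d) == org_domain(fd)

    out = {"spf_aligned": False, "dkim_aligned": False}
    for r in parse_auth_results(auth_results):
        if r["method"] == "dkim" and r["result"] == "pass":
            # Prefer header.d; fall back to the domain part of header.i.
            d = r.get("header.d") or r.get("header.i", "").rsplit("@", 1)[-1]
            if d and aligned(d):
                out["dkim_aligned"] = True
        elif r["method"] == "spf" and r["result"] == "pass":
            # SPF alignment uses the MAIL FROM domain; HELO only if there is none.
            d = r.get("smtp.mailfrom", "").rsplit("@", 1)[-1] or r.get("smtp.helo", "")
            if d and aligned(d):
                out["spf_aligned"] = True
    out["dmarc_pass"] = out["spf_aligned"] or out["dkim_aligned"]
    return out

# Constructed headers in the shape Gmail writes them (not from the poster's mail).
ALIGNED_AR = (
    "mx.google.com; "
    "dkim=pass header.i=@example.com header.s=mail header.b=AbCdEf12; "
    "spf=pass (google.com: domain of dave@example.com designates 203.0.113.10 "
    "as permitted sender) smtp.mailfrom=dave@example.com; "
    "dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com")
FROM_HEADER = "Dave <dave@example.com>"

# Both methods pass, yet neither aligns with From: the "passes, still spam" shape.
MISALIGNED_AR = (
    "mx.google.com; "
    "dkim=pass header.i=@mail-relay.example.net header.s=k1 header.b=ZzYyXx99; "
    "spf=pass smtp.mailfrom=bounce@mail-relay.example.net")

if __name__ == "__main__":
    print("aligned   :", dmarc_alignment(ALIGNED_AR, FROM_HEADER))
    print("misaligned:", dmarc_alignment(MISALIGNED_AR, FROM_HEADER))
```

Feed it the Authentication-Results line Gmail added (the one whose authserv-id is mx.google.com) together with the From: header of the message that landed in spam. If dmarc_pass comes back False even though both methods pass, the fix is on the sending side: sign with a d= under the From domain, or make the envelope sender domain match it. If it comes back True, alignment is not the reason and reputation or content filtering is the next thing to look at.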