Questions about SSL for outgoing emails
Hello,

smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt

I configured Postfix to use encryption for incoming and outgoing emails, but in case the recipient has an untrusted certificate or a self-signed certificate, Postfix still delivers the email. How do I enforce that Postfix does not send the email in case the recipient's certificate is untrusted or self-signed?

Many thanks
Michael Peter
Question about smtp_tls_CAfile
Hello,

I have configured Postfix to check a CAfile which contains only the GoDaddy root certificate, as follows:

smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt

To my surprise, Postfix still trusts the server certificates when email is sent to Yahoo or Gmail, although the CAfile contains only the GoDaddy root certificate. I am confused how Postfix could verify the Yahoo and Gmail certificates when only the GoDaddy root certificate exists in the CA file.

So I have removed smtp_tls_CAfile (which contained only the GoDaddy root certificate) from main.cf; now Postfix is not trusting Yahoo or Gmail when sending emails to them. This makes me more confused.

Please advise your opinion.

Many thanks
Michael Peter
Re: Question about smtp_tls_CAfile
> Michael Peter:
>> This makes me more confused..
>> Please advise your opinion..
>
> Please post your configuration as requested in the welcome message.
>
> wietse

I have posted my configuration as per your request, and I summarize my questions again as follows.

I have configured Postfix to check a CAfile which contains only the GoDaddy root certificate, as follows, for outgoing emails:

smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt

To my surprise, Postfix still trusts the server certificates when email is sent to Yahoo or Gmail (although they use a different SSL certificate provider than GoDaddy), although the CAfile contains only the GoDaddy root certificate. I am confused how Postfix could verify the Yahoo and Gmail certificates when only the GoDaddy root certificate exists in the CA file.

So I have removed smtp_tls_CAfile (which contained only the GoDaddy root certificate) from main.cf; now Postfix is not trusting Yahoo or Gmail when sending emails to them. This makes me more confused.

My configuration when smtp_tls_CAfile is configured to only the GoDaddy root certificate is as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = all
mail_owner = postfix
mailbox_delivery_lock = fcntl
mailbox_size_limit = 15000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2500
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hidden-for-security.COM
mynetworks = 127.0.0.1, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
smtp_tls_loglevel = 2
smtp_tls_security_level = may
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blocksender check_recipient_access hash:/etc/postfix/blockr reject_sender_login_mismatch permit_sasl_authenticated check_sender_access hash:/etc/postfix/blockforged reject_unauth_destination reject_invalid_helo_hostname reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/saslcheck
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = /etc/postfix/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_lock = fcntl

With the above configuration, and although smtp_tls_CAfile is configured only to use the GoDaddy root certificate, when sending emails to Yahoo and Gmail the Postfix log still confirms that the certificate is trusted. This is weird, because based on my configuration Postfix should only trust GoDaddy certificates and not any certificates issued by a CA other than GoDaddy.

Now I have removed smtp_tls_CAfile from the configuration; now Postfix is not trusting the Gmail and Yahoo certificates when sending email to them. I am confused, because in the previous configuration smtp_tls_CAfile was pointing only to the GoDaddy root certificate.

Please find my revised configuration as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = all
mail_owner = postfix
mailbox_delivery_lock = fcntl
mailbox_size_limit = 15000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2500
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hidden-for-security.COM
mynetworks = 127.0.0.1, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blocksender check_recipient_access hash:/etc/postfix/blockr reject_sender_login_mismatch permit_sasl_authenticated check_sender_access hash:/etc/postfix/blockforged reject_unauth_destination reject_invalid_helo_hostname reject_rbl_client zen.spamhaus.org
smtpd_s
Re: Question about smtp_tls_CAfile
> On Fri, Sep 25, 2015 at 06:16:10PM +0300, Michael Peter wrote:
>
>> I have configured postfix to check CAfile which contains only Godaddy
>> root certificate as follow for outgoing emails.
>>
>> smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
>
> Which certificates are in that file? Report the output of:
>
> openssl crl2pkcs7 -nocrl -certfile /etc/certs/go-daddy-root-ca.crt |
> openssl pkcs7 -print_certs -noout

subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

>> my surprise that still postfix trust the server certificates when email
>> is sent to Yahoo or Gmail..
>
> Post the relevant logs. Do you use the same transport for Google
> and Yahoo as for mail to GoDaddy? If not, are there any
> master.cf overrides for the transports in question.

All emails use the same default transport. My transport file is empty, so all use the same transport.

In case smtp_tls_CAfile does not exist in main.cf (the CA file has the GoDaddy root certificate only):

postfix/smtp[30874]: certificate verification failed for mta6.am0.yahoodns.net[98.138.112.32]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

In case smtp_tls_CAfile exists in main.cf (the CA file has the GoDaddy root certificate only):

postfix/smtp[30107]: Trusted TLS connection established to mta5.am0.yahoodns.net[66.196.118.37]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

>> So i have removed smtp_tls_CAfile which contained only godaady root
>> certificate from main.cf, now postfix is not trusting Yahoo or Gmail
>> when sending emails to them.

Posted above.

> Also post logs for this outcome.
>
>> smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
>> smtp_tls_loglevel = 2
>
> Too verbose, 1 is enough.

Confirmed.

> What version of Postfix are you using?

postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix

> --
> Viktor.
Re: Question about smtp_tls_CAfile
> On Fri, Sep 25, 2015 at 07:21:32PM +0300, Michael Peter wrote:
>
>> > What version of Postfix are you using?
>>
>> postfix/master[7500]: reload -- version 2.6.6, configuration
>> /etc/postfix
>
> That's nearly seven years old. When you enable the Web PKI by
> setting smtp_tls_CAfile, that version of Postfix will also drag
> in all the default system certificate files.
>
> You can if you wish set:
>
> # postconf -e "import_environment = $(postconf -h import_environment)
> SSL_CERT_FILE=/etc/postfix/certfile SSL_CERT_DIR=/etc/postfix/certdir"
>
> and create a corresponding empty file and empty directory. That
> will hide the system default locations while you're preparing to
> upgrade to something less ancient.

This explains everything in detail. Just for information, how can I know the default locations of the default system certificates which Postfix drags in when setting smtp_tls_CAfile?

Thanks again.
Michael Peter
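The log lines quoted in this thread show the two outcomes that matter for the original question: "Trusted TLS connection established" means the peer chained to a CA the client was given, while "certificate verification failed" followed by an "Untrusted" session means it did not, and with smtp_tls_security_level = may or encrypt the mail is delivered over that session anyway. What follows is an added example, not code from this thread or from Postfix, that classifies smtp(8) TLS log lines and lists the relays reached over an encrypted but unauthenticated session. It assumes only the standard Postfix log wording; the hostnames, addresses and issuer name in SAMPLE_LOG are constructed placeholders modelled on the lines above.

```python
"""Classify the TLS outcome Postfix's smtp(8) client logs for each outbound
session.  Added example for this thread, not Postfix code; the log lines in
SAMPLE_LOG are constructed, with placeholder hostnames and addresses."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Postfix logs one of these verbs when a TLS session to a remote MTA comes up.
# Only "Verified" and "Trusted" mean the peer certificate chained to a CA that
# smtp_tls_CAfile/smtp_tls_CApath (or, on old releases, the system default
# locations) supplied; "Untrusted" and "Anonymous" sessions are encrypted but
# the peer was not authenticated, and a security level of "may" or "encrypt"
# still delivers over them.
ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS "
    r"connection established to (?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# Logged (at smtp_tls_loglevel >= 1) just before an "Untrusted" line when the
# chain could not be built from the configured CA material.
VERIFY_FAILED = re.compile(
    r"postfix/smtp\[\d+\]: certificate verification failed for "
    r"(?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<reason>.+)$"
)


@dataclass
class TlsEvent:
    relay: str
    ip: str
    trust: str            # Verified / Trusted / Untrusted / Anonymous / failed
    authenticated: bool   # True only when the peer certificate was verified
    detail: str           # protocol and cipher, or the verification failure reason


def classify(line: str) -> Optional[TlsEvent]:
    """Return the TLS event a smtp(8) log line records, or None for other lines."""
    m = ESTABLISHED.search(line)
    if m:
        trust = m.group("trust")
        return TlsEvent(m.group("relay"), m.group("ip"), trust,
                        trust in ("Verified", "Trusted"),
                        f"{m.group('proto')} {m.group('cipher')}")
    m = VERIFY_FAILED.search(line)
    if m:
        return TlsEvent(m.group("relay"), m.group("ip"), "failed", False,
                        m.group("reason"))
    return None


def unauthenticated_relays(lines: Iterable[str]) -> List[str]:
    """Relays that got an encrypted session without certificate verification."""
    relays = set()
    for line in lines:
        ev = classify(line)
        if ev is not None and ev.trust != "failed" and not ev.authenticated:
            relays.add(ev.relay)
    return sorted(relays)


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Sep 25 18:10:01 mx postfix/smtp[30874]: certificate verification failed for mta6.example.net[192.0.2.32]:25: untrusted issuer /C=US/O=Example CA/OU=Class 3 Public Primary Certification Authority
Sep 25 18:10:01 mx postfix/smtp[30874]: Untrusted TLS connection established to mta6.example.net[192.0.2.32]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 25 18:12:40 mx postfix/smtp[30107]: Trusted TLS connection established to mta5.example.net[192.0.2.37]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Sep 25 18:13:02 mx postfix/smtp[30110]: Anonymous TLS connection established to mail.example.org[203.0.113.5]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Sep 25 18:13:03 mx postfix/qmgr[12095]: CB992123F1B1: removed
"""

if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        ev = classify(raw)
        if ev:
            print(f"{ev.relay:18} {ev.trust:10} authenticated={ev.authenticated}  {ev.detail}")
    print("unauthenticated:", unauthenticated_relays(SAMPLE_LOG.splitlines()))
```

Run it against a real /var/log/maillog slice to see which destinations were never authenticated; under the "may" and "encrypt" levels that list is exactly the set of peers a man-in-the-middle with any certificate could have impersonated.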
[no subject]
Hello,

At our office, we are trying to BCC all emails coming from a specific domain or its subdomains by configuring Postfix as follows. In main.cf we add

sender_bcc_maps = hash:/etc/postfix/sender_bcc

then in /etc/postfix/sender_bcc we add

@domain.com manager

But we notice that the emails coming from domain.com are BCC'd to "manager", but emails coming from a subdomain, i.e. sub.domain.com, are not forwarded to "manager". How can we configure Postfix to sender_bcc emails from the domain and its subdomains as well?

Any ideas?

Michael Peter
Question about permit_mynetworks option
Hi,

I have a couple of questions regarding the permit_mynetworks option.

1- Must permit_mynetworks be added to allow bounce emails from Postfix? Or can Postfix still send bounces or undelivered email notifications without the need to add permit_mynetworks in smtpd_recipient_restrictions?

2- Must permit_mynetworks be added so that Postfix can work properly handling the emails? Anyway, our users use SASL authentication; that's why we want to remove permit_mynetworks, but we are afraid that this might break something in Postfix, which is why we want to be doubly sure.

Also our last question, in a different case where the mail server is a secondary mail server, it relays the email back to the primary server when it is back.

3- Do we have to add permit_mynetworks in smtpd_recipient_restrictions so that the secondary server can send the emails to the primary server (when the primary server was down)? Or can the secondary server still send the pending emails to the primary server even if permit_mynetworks is not written in smtpd_recipient_restrictions?

Thanks
Michael Peter
Question about postfix logfile
Hi,

I have a question about the Postfix log file (/var/log/maillog). Does the log mention the "From" email header or the "Return-Path" email header in the log file?

Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1: from=, size=2639, nrcpt=1 (queue active)

Example:
Return-Path:
From:

Because it seems that sometimes the "from address" mentioned in the log file is different from the From header which is actually in the email itself.

Thank you.
Peter Michael
Re: Question about permit_mynetworks option
> On 6/16/2015 10:16 AM, Michael Peter wrote:
>> Hi,
>>
>> I have couple of questions regarding the permit_mynetworks option.
>
> It's generally better to control the scope of mynetworks rather than
> removing permit_mynetworks. Rather than the entire network, just
> list localhost and maybe trusted internal hosts that don't AUTH.
>
>> 1- is the permit_mynetworks must be added to allow bounces emails from
>> postfix? or postfix can still send bounces or undelivered email
>> notifications without need to add permit_mynetworks in the
>> smtpd_recipient_restrictions?
>
> Bounce notices generated internally by postfix are not subjected to
> any restrictions.
>
> If the bounce is generated by a separate host, that host will need
> to be listed in mynetworks and permit_mynetworks is required.

By separate host, do you mean a secondary MX bouncing a message to the main MX? Am I correct?

>> 2- Is the permit_mynetworks must be added so the postfix can work
>> properly handling the emails ? anyway our users uses sasl authenticate
>> that's why we want to remove permit_mynetworks, but we are afraid that
>> this might break some thing in postfix, that's why we want to be double
>> sure. ?
>
> If all users must authenticate, it's common to set main.cf
> mynetworks = 127.0.0.1, [::1]
> so that local processes can submit mail. It's up to you to determine
> if local processes require submission on your server. If not
> required in your environment, set mynetworks empty.
> mynetworks =

What local processes can submit mail? Can you please give me an example of local processes that use mail? Normally local processes send mail using /bin/sendmail and are not subjected to any restrictions?

>> Also our last question, In case of different case that the mail server
>> is secondary mail server , it relays back the email to the primary
>> server when it is back.
>>
>> 3- do we have to add permit_mynetworks in smtpd_recipient_restrictions?
>> so the secondary server can send the emails to the primary server (when
>> the primary server was down) ? or still the secondary server can send
>> the pending emails to the primary server even if permit_mynetworks in
>> not written in the smtpd_recipient_restrictions?
>
> If this is a secondary MX delivering to an internal mailstore,
> generally it is not required to be listed in mynetworks, and
> permit_mynetworks is not required.

The secondary MX is on a totally different network than the main MX, so do I need to add permit_mynetworks in main.cf? And why?

> -- Noel Jones
Re: Question about postfix logfile
> On 6/16/2015 10:21 AM, Michael Peter wrote:
>> Hi,
>>
>> I have question about postfix logfile (/var/log/maillog), Does The log
>> mention the "from email header" or the "return-path email header" in the
>> log file ?
>>
>> Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1:
>> from=, size=2639, nrcpt=1 (queue active)
>>
>> Example:
>> Return-Path:
>> From:
>>
>> Because it seems that some times the "from address" mentioned in the log
>> file is different that the from header which is actually in the email
>> itself.

Then why is the From address in the email different from the from address in /var/log/maillog for the same email?

>> Thank you.
>>
>> Peter Michael
>
> The log records the envelope sender as given in the MAIL FROM
> command during the SMTP conversation. This is recorded before any
> headers are transmitted by the client.
>
> -- Noel Jones
Re: Question about postfix logfile
> On 6/16/2015 11:53 AM, Michael Peter wrote:
>>> On 6/16/2015 10:21 AM, Michael Peter wrote:
>>>> Hi,
>>>>
>>>> I have question about postfix logfile (/var/log/maillog), Does The log
>>>> mention the "from email header" or the "return-path email header" in
>>>> the log file ?
>>>>
>>>> Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1:
>>>> from=, size=2639, nrcpt=1 (queue active)
>>>>
>>>> Example:
>>>> Return-Path:
>>>> From:
>>>>
>>>> Because it seems that some times the "from address" mentioned in the
>>>> log file is different that the from header which is actually in the
>>>> email itself.
>>
>> then why the from address in the email is different than the from
>> address in the /var/log/maillog for the same email ?
>
> There is no requirement that the addresses are the same. Look at
> this mail for an example.

Thank you for your reply, but because I am trying to block spammers' email addresses, I would be grateful if you could explain the following issue.

How come the sender email address mentioned in the Postfix log file is different from the sender email address mentioned in the email? If Postfix really logs the envelope sender as given in the MAIL FROM command during the SMTP conversation, and not the "Return-Path" email header, then how come I can see that the log file mentions a different sender email address than the email sender that appears in Outlook or webmail?

Sorry for raising this subject, but I am searching for an answer to block spammers, as they use a different email sender address than the one originally logged in the Postfix log file and the email itself.

Thanks
Peter Michael

> -- Noel Jones
>
>>>> Thank you.
>>>>
>>>> Peter Michael
>>>
>>> The log records the envelope sender as given in the MAIL FROM
>>> command during the SMTP conversation. This is recorded before any
>>> headers are transmitted by the client.
>>>
>>> -- Noel Jones
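The point Noel makes above is that Postfix logs the SMTP envelope sender (MAIL FROM), which the final delivery agent records in the Return-Path: header, while the From: header that Outlook or webmail displays is just message content the sending client chose. The following is an added example, not code from this thread or from Postfix, that extracts the envelope sender from a qmgr(8) log line and compares it with the Return-Path: and From: headers of the stored message, so the mismatch can be seen and scored rather than guessed at; it also handles the empty envelope sender (from=<>) that bounces carry. The log line and message are constructed with example.com/example.net placeholders.

```python
"""Compare the envelope sender Postfix logs (MAIL FROM, later Return-Path:)
with the From: header a mail client shows.  Added example for this thread,
not Postfix code; the log line and message below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# qmgr(8) logs the envelope sender as from=<...>; a bounce has from=<>.
QMGR_FROM = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<queue_id>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=\d+"
)


def envelope_sender_from_log(line: str) -> Optional[Tuple[str, str]]:
    """(queue id, envelope sender) from a qmgr 'queue active' line, else None."""
    m = QMGR_FROM.search(line)
    return None if m is None else (m.group("queue_id"), m.group("sender"))


def header_senders(raw_message: str) -> Tuple[str, str]:
    """(Return-Path address, From: address) from the stored message."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return return_path, header_from


def sender_report(log_line: str, raw_message: str) -> Dict[str, object]:
    """Cross-check the logged envelope sender against the delivered headers."""
    found = envelope_sender_from_log(log_line)
    if found is None:
        raise ValueError("no qmgr from=<...> entry in log line")
    queue_id, envelope = found
    return_path, header_from = header_senders(raw_message)
    return {
        "queue_id": queue_id,
        "envelope_sender": envelope,
        "return_path": return_path,
        "header_from": header_from,
        "envelope_is_bounce": envelope == "",
        # Return-Path is written from the envelope at final delivery, so
        # these two should agree for mail Postfix delivered itself.
        "return_path_matches_log": return_path.lower() == envelope.lower(),
        # The From: header is client-supplied content and may differ freely.
        "header_from_matches_log": header_from.lower() == envelope.lower(),
    }


# Constructed sample: the log line follows the qmgr format quoted in the
# thread; the message is what the mailbox holds after final delivery.
SAMPLE_LOG_LINE = ("Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1: "
                   "from=<bounce-42@lists.example.net>, size=2639, nrcpt=1 (queue active)")
SAMPLE_MESSAGE = """\
Return-Path: <bounce-42@lists.example.net>
From: "Accounts Department" <accounts@bank.example.com>
To: <user@example.com>
Subject: Your statement

Please see the attached statement.
"""

if __name__ == "__main__":
    for key, value in sender_report(SAMPLE_LOG_LINE, SAMPLE_MESSAGE).items():
        print(f"{key:25} {value}")
```

A rule that blocks on the logged sender therefore only ever sees the envelope address; anything keyed on what the user sees in the From: column has to inspect the message headers instead.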
Empty sender question
Hi,

I understand that Postfix sends bounces or failed delivery notifications using an empty sender. But does Postfix accept empty-sender emails during the MAIL FROM command of the SMTP conversation? Because I think that Postfix needs a valid email address? If Postfix rejects empty-sender emails when receiving emails, then how come bounces and failed delivery notices are received from other email servers?

The reason I am asking is in order to block some spam attacks on our email server that use empty email senders.

Thank you
Peter Michael
Block mail servers with no reverse dns entries
Hi,

How can I force Postfix to reject emails from mail servers which don't have a reverse DNS entry? And is this the correct thing to do according to the standards?

Thank you.
Michael Peter
Question about DSN
Hi,

In the Postfix log file /var/log/maillog we notice the following line:

1198B1E111: to=, relay=mail.example.com[XXX.XXX.XXX.XXX]:25, delay=20, delays=4.3/0.01/1.8/14, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)

The DSN is 2.6.0 instead of 2.0.0. Is DSN 2.6.0 considered successful delivery? Because according to RFC 3463:

2.XXX.XXX Success
Success specifies that the DSN is reporting a positive delivery action. Detail sub-codes may provide notification of transformations required for delivery.

X.6.0 Other or undefined media error
Something about the content of a message caused it to be considered undeliverable and the problem cannot be well expressed with any of the other provided detail codes.

So this means that 2.XXX.XXX is considered delivered without problems, but in the same RFC it says that 2.6.0 means an undelivered error. So I am confused whether DSN=2.6.0 means that the email is accepted without problems, and why the recipient mail server is giving 2.6.0 instead of 2.0.0. Why would the recipient server give DSN 2.6.0?

I appreciate your feedback.

Thanks
Michael Peter
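RFC 3463 resolves the confusion in the post above by structure rather than by the detail text: the first digit (the class) alone decides whether a status is a success (2), a transient failure (4) or a permanent failure (5); the subject and detail digits only say what the status is about, so 2.6.0 is a successful delivery that carries a content/media remark, not an error. The following is an added example, not code from this thread or from Postfix, that decodes such codes and cross-checks the class against the status= word Postfix writes beside dsn= in its delivery log lines. SAMPLE_LINES are constructed after the log line above, with placeholder recipients and addresses; the status-to-class mapping is the one Postfix uses (sent/deferred/bounced for classes 2/4/5).

```python
"""Decode an RFC 3463 enhanced status code such as dsn=2.6.0 and reconcile it
with Postfix's status= verdict.  Added example for this thread, not Postfix
code; SAMPLE_LINES are constructed with placeholder recipients and addresses."""
import re
from typing import NamedTuple, Optional, Tuple

ESC = re.compile(r"^(?P<cls>[245])\.(?P<subject>\d{1,3})\.(?P<detail>\d{1,3})$")

# RFC 3463 section 2: the class alone decides the outcome.
CLASS_MEANING = {2: "success", 4: "persistent transient failure", 5: "permanent failure"}
# RFC 3463 section 3: the subject says what the status is about; under
# class 2 a subject of 6 (media/content) reports e.g. a content transformation
# that was needed for delivery, not a failure.
SUBJECT_MEANING = {0: "other or undefined", 1: "addressing", 2: "mailbox",
                   3: "mail system", 4: "network and routing",
                   5: "mail delivery protocol", 6: "message content or media",
                   7: "security or policy"}


class Status(NamedTuple):
    code: str
    cls: int
    subject: int
    detail: int
    delivered: bool
    description: str


def parse_esc(code: str) -> Status:
    """Split class.subject.detail and derive the outcome from the class only."""
    m = ESC.match(code.strip())
    if m is None:
        raise ValueError(f"not an enhanced status code: {code!r}")
    cls, subject, detail = (int(m.group(g)) for g in ("cls", "subject", "detail"))
    return Status(code.strip(), cls, subject, detail, cls == 2,
                  f"{CLASS_MEANING[cls]} ({SUBJECT_MEANING.get(subject, 'unknown subject')})")


# Postfix's status= word for a delivery attempt, by ESC class.
EXPECTED_CLASS = {"sent": 2, "deferred": 4, "bounced": 5}
DSN_FIELD = re.compile(r"\bdsn=(?P<dsn>\d\.\d{1,3}\.\d{1,3}), status=(?P<status>\w+)")


def delivery_outcome(log_line: str) -> Optional[Tuple[Status, bool]]:
    """(decoded ESC, whether its class agrees with status=), or None without dsn=."""
    m = DSN_FIELD.search(log_line)
    if m is None:
        return None
    status = parse_esc(m.group("dsn"))
    return status, EXPECTED_CLASS.get(m.group("status")) == status.cls


# Constructed sample delivery lines in the format quoted in the thread.
SAMPLE_LINES = [
    "1198B1E111: to=<user@example.com>, relay=mail.example.com[192.0.2.10]:25, "
    "delay=20, delays=4.3/0.01/1.8/14, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)",
    "2A3B4C5D6E: to=<user@example.org>, relay=mx.example.org[203.0.113.7]:25, "
    "delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.1.1, status=bounced (550 5.1.1 User unknown)",
    "3C4D5E6F70: to=<user@example.net>, relay=none, delay=300, delays=300/0/0/0, "
    "dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.9]:25: Connection timed out)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        status, consistent = delivery_outcome(line)
        print(f"{status.code}: delivered={status.delivered} consistent={consistent} {status.description}")
```

When scanning logs for delivery problems, key on the class digit (or on status=), not on the subject: a 2.x.y code with a non-zero subject is still a success, and a 5.0.0 with subject zero is still a permanent failure.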
Content filter then transport maps
Hi,

I have a question about transport maps and content filters. In main.cf:

content_filter = trans:localhost:10025

so all emails have the next-hop localhost:10025 and the transport agent is trans. But we also included in main.cf:

transport_maps = hash:/etc/postfix/transport

Will all the email go through the content filter, then go through transport maps? Or in this case will the email go through the content filter and ignore transport maps?

Thank you
Michael Peter
Questions about reject_unknown_sender_domain
Hi,

reject_unknown_sender_domain: Reject the request when Postfix is not final destination for the sender address.

I am confused about the meaning of "when Postfix is not final destination for the sender address". So for example, if the sender address is send...@example.com and the recipient address is rece...@example2.com, does this mean that for the sender email send...@example.com, example.com must be in the virtual access list of my server (I mean that example.com must be hosted on my email server) so the email can pass and not be rejected? OR does it mean that the recipient of the email (rec...@example2.com) must be included in the virtual access list of my server, or the email will be rejected?

Thank you
Peter Michael
max connection for inbound/outbound smtp
Hi,

master.cf
smtp inet n - - - 100 smtpd

I understand that the default number of concurrent simultaneous incoming SMTP connections is 100? But what about outgoing SMTP connections to remote smtpd servers? How many connections can Postfix establish for outgoing emails to different mail servers simultaneously? For example, can Postfix connect to 120 different remote smtpd servers for email delivery simultaneously? And how do I control this parameter? Does it count from the smtpd maxproc mentioned in master.cf, or is this only for smtpd incoming connections (not outgoing)?

Thanks
Peter Michael
Re: max connection for inbound/outbound smtp
Thank you very much for your reply, please find my comments below.

> Michael Peter:
> [ Charset ISO-8859-1 converted... ]
>> Hi,
>>
>> master.cf
>> smtp inet n - - - 100 smtpd
>>
>> I understand that the default concurrent simultaneous incoming smtp
>> connections is 100?
>
> There is one connection per "smtpd" process.
>
>> but what about outgoing smtp connections to remote smtpd servers? how
>> many connections postfix can establish for outgoing emails to different
>> mail servers simultaneously ?

Sorry, it is my mistake, since I didn't ask my question correctly. What I meant to ask is how many outbound processes to remote email servers Postfix can handle simultaneously (in case of sending emails to many different remote hosts and not one specific host). I understand that in case of sending to one host, transport_destination_concurrency_limit will apply. But my question is, in case Postfix is to send to 200 different remote smtpd hosts simultaneously, how many outbound processes can Postfix handle simultaneously by default, and how do I increase its value?

Many thanks again.
Peter Michael
Question about Postfix Stress
Hi,

I have set in master.cf that the max process count for smtpd is 10. So once the simultaneous concurrent connections reached 10, Postfix started the stress behaviour, so smtpd is run with stress=yes. Now, after the connections dropped from 10 to 5, Postfix still handles new connections with stress=yes, although the current connection count is 5 and has not yet reached 10 again. So I understand from this behaviour that once the stress behaviour is activated by Postfix, it remains for some time (even if the current number of process connections has decreased below the max process limit).

My question is: how long does the stress behaviour continue to be activated after the current number of process connections has decreased below the max process limit? I have read the documentation and searched a lot, but I couldn't find an answer.

Thank you.
Michael Peter