Server-to-server TLS

2011-03-08 Thread Raven
Hi guys.
I would like to implement server-to-server TLS encryption between two
postfix instances I manage. One of the servers already has
TLS-capabilities but they are only used for SASL-AUTH clients.

Where do I start to have the entire stream between the servers
encrypted?

Thanks.
-RV




Re: Server-to-server TLS

2011-03-09 Thread Raven
On Tue, 2011-03-08 at 08:30 -0500, Victor Duchovni wrote:
> On Tue, Mar 08, 2011 at 01:38:28PM +0100, Raven wrote:
> 
> > I would like to implement server-to-server TLS encryption between two
> > postfix instances I manage. One of the servers already has
> > TLS-capabilities but they are only used for SASL-AUTH clients.
> > 
> > Where do I start to have the entire stream between the servers to be
> > encrypted?
> 
> http://www.postfix.org/TLS_README.html#client_tls
> http://www.postfix.org/TLS_README.html#client_tls_limits
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_encrypt
> http://www.postfix.org/TLS_README.html#client_tls_secure
> http://www.postfix.org/TLS_README.html#client_tls_policy
> 
> main.cf:
>   indexed = ${default_database_type}:${config_directory}/
>   dynamic = btree:${data_directory}/
>   transport_maps = ${indexed}transport
>   smtp_tls_policy_maps = ${indexed}tls-policy
>   # Opportunistic TLS by default
>   smtp_tls_security_level = may
>   smtp_tls_session_cache_database = ${dynamic}smtp_tls_scache
> 
> transport:
>   example.com smtp:[mail.example.com]
>   example.org smtp:example.net
>   example.gov smtp:example.net
> 
> tls-policy:
>   # transport nexthop gateway for example.com mail
>   [mail.example.com]  secure match=nexthop
> 
>   # transport nexthop domain for example.org and example.gov
>   example.net secure
> 
>   # Domain routed via MX hosts to servers believed to support TLS
>   # with verifiable certificates
>   example.edu secure
> 


Thanks.
How can I apply this to $relayhost without having to list all local
domains in the transport map (as they are already listed in
$virtual_mailbox_domains)?

-RV
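The reply above keys the TLS policy on the transport next-hop rather than on the recipient domain, which is also the answer to the relayhost question: mail that falls through to $relayhost gets the policy entry whose key is the relayhost value exactly as written in main.cf, brackets and port included. The following Python model is an added illustration and is not Postfix code or anything posted in the thread. It reuses the transport and tls-policy tables from the reply, adds an assumed $relayhost of [relay.example.org]:587 with an assumed policy entry for it, and walks a recipient through a simplified transport_maps lookup (full address, domain, then dotted parent domains) followed by a simplified smtp_tls_policy_maps lookup (next-hop with port, without port, then parent domains for unbracketed names); the parent-domain handling is a simplification of the transport(5) and TLS_README rules, not a transcription of them.

```python
"""Added model of how Postfix picks a next-hop for a recipient and which
smtp_tls_policy_maps entry then governs the connection.  Tables are taken
from the reply above; $relayhost, its policy entry and the exact lookup
order are assumptions/simplifications, not Postfix's own code."""

import re

TRANSPORT_MAPS = {
    "example.com": "smtp:[mail.example.com]",
    "example.org": "smtp:example.net",
    "example.gov": "smtp:example.net",
}
RELAYHOST = "[relay.example.org]:587"      # assumed $relayhost
DEFAULT_LEVEL = "may"                       # smtp_tls_security_level
TLS_POLICY = {
    "[mail.example.com]": "secure match=nexthop",
    "example.net": "secure",
    "example.edu": "secure",
    # assumed entry: keyed exactly as $relayhost is written, brackets and port
    "[relay.example.org]:587": "secure match=relay.example.org",
}


def dotted_parents(domain):
    """transport_maps-style parent keys: '.example.org', '.org' for sub.example.org."""
    labels = domain.split(".")
    return ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def bare_parents(domain):
    """Policy-table parent keys without the leading dot (simplified rule)."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def transport_lookup(recipient):
    """transport_maps: full address, then the domain, then dotted parents."""
    domain = recipient.rpartition("@")[2].lower()
    for key in [recipient.lower(), domain, *dotted_parents(domain)]:
        if key in TRANSPORT_MAPS:
            return TRANSPORT_MAPS[key]
    return None


def nexthop_for(recipient):
    """The destination the smtp client will actually connect to."""
    domain = recipient.rpartition("@")[2].lower()
    entry = transport_lookup(recipient)
    if entry is None:                       # no transport entry: relayhost, else MX of the domain
        return RELAYHOST or domain
    _transport, _, nexthop = entry.partition(":")
    return nexthop or domain


def tls_policy_for(nexthop):
    """Policy keyed on the next-hop: exact, then without :port, then parents."""
    keys = [nexthop]
    m = re.match(r"^(\[[^\]]+\]|[^:\[\]]+):\d+$", nexthop)
    if m:
        keys.append(m.group(1))
    if not keys[-1].startswith("["):        # [host] entries match only exactly
        keys.extend(bare_parents(keys[-1]))
    for key in keys:
        if key in TLS_POLICY:
            level, _, attrs = TLS_POLICY[key].partition(" ")
            return level, attrs.strip() or None
    return DEFAULT_LEVEL, None


def describe(recipient):
    nexthop = nexthop_for(recipient)
    level, attrs = tls_policy_for(nexthop)
    return {"recipient": recipient, "nexthop": nexthop,
            "level": level, "attrs": attrs}


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@sub.example.org", "carol@example.gov"):
        print(describe(rcpt))
```

bob@sub.example.org has no transport entry (transport_maps needs a ".example.org" key to catch subdomains), so it goes to the relayhost and picks up the relayhost's policy; a policy entry keyed on "example.org" would never be consulted for it.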



Re: Server-to-server TLS

2011-03-19 Thread Raven
On Wed, 2011-03-09 at 12:23 -0500, Victor Duchovni wrote: 
> On Wed, Mar 09, 2011 at 01:36:46PM +0100, Raven wrote:
> 
> > How can I apply this to $relayhost without having to list all local
> > domains in the transport map (as they are already listed in
> > $virtual_mailbox_domains)?
> 
> Why are you using virtual_mailbox_domains for addresses that are relayed
> to another host?
> As for TLS, the security policy and certificate verification are tied to
> the nexthop destination, not the recipient domain; if the two differ,
> it is the nexthop destination that is used. This is documented, please
> read the documentation carefully.
> 

I've had it up and running for some time now and it seems to be working
fine.

I'm just wondering, how do I make postfix (client) trust the server's
certificate? It's self-generated, but I'd still like it to be trusted:

Mar 19 15:33:18 dellsrv3 postfix/smtp[29357]: Untrusted TLS connection
established to relay.example.org[xxx.xxx.xxx.xxx]:587: TLSv1 with cipher
ADH-AES256-SHA (256/256 bits)


-RV
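The cipher in that log line is the important detail: ADH-AES256-SHA is an anonymous Diffie-Hellman suite, so the relay presented no authenticated certificate at all and the session is encrypted but unauthenticated; an active attacker on the path could terminate it unnoticed. For the client to log a Trusted or Verified handshake it must be given something to check against: either the self-signed certificate itself in smtp_tls_CAfile with a policy of secure or verify for that next-hop, or a fingerprint policy entry for the relay (smtp_tls_fingerprint_digest plus the certificate digest as printed by openssl x509 -fingerprint); at those levels Postfix does not negotiate anonymous ciphers. The script below is an added detection example, not code from the thread, that grades Postfix smtp TLS log lines by what the handshake actually proved. The log lines, host names and 192.0.2.0/24 addresses are constructed.

```python
"""Added detection example: grade Postfix smtp TLS handshake log lines by
what the negotiated cipher and trust level actually prove.  Sample log
lines are constructed; hosts and 192.0.2.0/24 addresses are placeholders."""

import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<status>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# OpenSSL names the anonymous (no server certificate) suites ADH-* and AECDH-*.
ANON_PREFIXES = ("ADH-", "AECDH-")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


@dataclass
class Finding:
    host: str
    port: str
    status: str
    proto: str
    cipher: str
    severity: str
    reason: str


def grade(line, must_verify=frozenset()):
    """Return a Finding for a TLS handshake line, or None for any other line.
    must_verify: hosts that are supposed to be reached at the 'secure' level,
    so only a 'Verified' handshake is acceptable for them."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    if d["cipher"].startswith(ANON_PREFIXES):
        sev, why = "high", ("anonymous Diffie-Hellman: no authenticated server "
                            "certificate, an active attacker can interpose undetected")
    elif d["status"] in ("Anonymous", "Untrusted"):
        sev, why = "medium", "certificate not verified against a trusted CA or pinned fingerprint"
    elif d["status"] == "Trusted" and d["host"] in must_verify:
        sev, why = "medium", "CA-signed certificate but name not matched (policy below 'secure')"
    elif d["status"] == "Verified":
        sev, why = "ok", "certificate chain and name verified"
    else:
        sev, why = "low", "certificate trusted but name not checked"
    if d["proto"] in LEGACY_PROTOCOLS and sev == "ok":
        sev, why = "medium", f"verified, but negotiated legacy protocol {d['proto']}"
    return Finding(d["host"], d["port"], d["status"], d["proto"], d["cipher"], sev, why)


def scan(lines, must_verify=frozenset()):
    """Grade every handshake line in a log; lines without a handshake are skipped."""
    return [f for f in (grade(line, must_verify) for line in lines) if f is not None]


SAMPLE_LOG = [  # constructed sample, modelled on the log format above
    "Mar 19 15:33:18 dellsrv3 postfix/smtp[29357]: Untrusted TLS connection established to relay.example.org[192.0.2.10]:587: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)",
    "Mar 19 15:34:02 dellsrv3 postfix/smtp[29360]: Trusted TLS connection established to mx.example.net[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Mar 19 15:35:11 dellsrv3 postfix/smtp[29362]: Verified TLS connection established to mail.example.com[192.0.2.30]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Mar 19 15:36:40 dellsrv3 postfix/smtp[29365]: Anonymous TLS connection established to mx.example.org[192.0.2.40]:25: TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)",
    "Mar 19 15:36:41 dellsrv3 postfix/smtp[29365]: 1A2B3C4D5E: to=<user@example.org>, relay=mx.example.org[192.0.2.40]:25, status=sent (250 OK)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, must_verify={"mx.example.net"}):
        print(f"{f.severity:6} {f.host}:{f.port} {f.status} {f.cipher}: {f.reason}")
```

Running it over a real mail log with the relays that carry sensitive traffic in must_verify turns the per-message "Untrusted" lines into a list of next-hops whose policy still needs a CA file or fingerprint entry.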



Re: Tuning queue life time against some retry errors.

2011-03-20 Thread Raven
On Sat, 2011-03-19 at 20:57 +0100, Reindl Harald wrote:
> > On 19.03.2011 19:32, Ralf Hildebrandt wrote:
> > * David Touzeau :
> > 
> >> Thanks for this procedure but this is not a bug/error request but an
> >> howto request.
> > 
> > What I'm doing is this (just a few examples):
> > 
> > alo.com       error:5.1.2 You probably meant aol.com, not alo.com
> > aoll.com      error:5.1.2 You probably meant aol.com, not aoll.com
> > aaol.com      error:5.1.2 You probably meant aol.com, not aaol.com
> > aiol.com      error:5.1.2 You probably meant aol.com, not aiol.com
> > aol.com.de    error:5.1.2 You probably meant aol.com, not aol.com.de
> 
> this is a cool solution, I will implement it tonight in our dbmail/postfix-backend
> with a separate sql-table and an extended view for the transport-query
> 
> there are not many mistyped domains and a direct reject for some is much better
> than any delay and side-effects for working domains
> 
> thank you for the idea!
> 
> 

Hi guys.
This seems like a great idea. I would like to implement the same thing
and store the domain typos in a mysql table.

If the table has two columns, eg. MISSTYPEDDOMAIN and RESPONSE, how
would I go about to configure $smtpd_recipient_restrictions with the
appropriate SQL query?

Thanks.

-RV



Re: Tuning queue life time against some retry errors.

2011-03-20 Thread Raven
On Sun, 2011-03-20 at 21:24 +0100, Reindl Harald wrote:
> 
> On 20.03.2011 21:02, Raven wrote:
> > 
> > Hi guys.
> > This seems like a great idea. I would like to implement the same thing
> > and store the domain typos in a mysql table.
> > 
> > If the table has two columns, eg. MISSTYPEDDOMAIN and RESPONSE, how
> > would I go about to configure $smtpd_recipient_restrictions with the
> > appropriate SQL query?
> 
> you are wrong!
> we are speaking about outgoing messages, a small difference,
> because you will not get mistyped domains at your MTA

Indeed :)
Although it's 9 PM on a Sunday night here... guess I can be forgiven! And
it's only been 3 days since St Paddy's.

> 
> CREATE TABLE IF NOT EXISTS `dbma_mta` (
>   `mydestination` varchar(35) NOT NULL DEFAULT '',
>   `transport` varchar(128) NOT NULL DEFAULT '',
>   PRIMARY KEY (`mydestination`)) ENGINE=InnoDB DEFAULT CHARSET=utf8 
> ROW_FORMAT=COMPRESSED;
> 
> CREATE TABLE IF NOT EXISTS `dbma_transports_error` (
>   `mydestination` varchar(35) NOT NULL DEFAULT '',
>   `transport` varchar(128) NOT NULL DEFAULT '',
>   PRIMARY KEY (`mydestination`)) ENGINE=InnoDB DEFAULT CHARSET=utf8 
> ROW_FORMAT=COMPRESSED;
> 
> CREATE VIEW `dbma_transports` AS
>  SELECT mydestination,transport
>  FROM `dbma_mta`
>  UNION (select mydestination,transport from `dbma_transports_error`);
> 
> 
> transport_maps = mysql:/etc/postfix/mysql-transport.cf
> 
> [root@mail:~]$ cat /etc/postfix/mysql-transport.cf
> user  = dbmailro
> password  = ***
> dbname= dbmail
> hosts = unix:/var/lib/mysql/mysql.sock inet:10.0.0.120:3307
> query = select transport from dbma_transports where 
> mydestination='%s' or mydestination='%d' order by
> transport desc limit 1;
> 
> 
> In "dbma_mta" I have the real transports (in our case 
> dbmail-lmtp:127.0.0.1:24) and in "dbma_transports_error" the error domains, 
> because I would never mix these, so as not to get confused sooner or later
> 

Thanks for the tip.
Best,

-RV



recipient_bcc double emails

2012-03-26 Thread Raven
Hi all.
I am using both sender_bcc and recipient_bcc maps on a postfix server in
order to back-up messages off-site. A few months ago we moved the server
to a new machine and migrated from courier to dovecot.

Anyway, the issue here is that for every incoming/outgoing email, two
copies are sent to the off-site backup:

Mar 26 09:03:00 srv postfix/smtpd[17585]: 0EAF017A8EFA:
client=localhost[127.0.0.1]
Mar 26 09:03:00 srv postfix/cleanup[17843]: 0EAF017A8EFA:
message-id=
Mar 26 09:03:00 srv postfix/qmgr[13675]: 0EAF017A8EFA: from=,
size=2111, nrcpt=1 (queue active)
Mar 26 09:03:00 srv postfix/smtpd[17585]: disconnect from
localhost[127.0.0.1]
Mar 26 09:03:00 srv postfix/smtpd[17585]: connect from
localhost[127.0.0.1]
Mar 26 09:03:00 srv postfix/smtpd[17585]: 1734717A8EFB:
client=localhost[127.0.0.1]
Mar 26 09:03:00 srv postfix/cleanup[17843]: 1734717A8EFB:
message-id=
Mar 26 09:03:00 srv postfix/smtpd[17585]: disconnect from
localhost[127.0.0.1]
Mar 26 09:03:00 srv postfix/qmgr[13675]: 1734717A8EFB: from=,
size=2281, nrcpt=2 (queue active)
Mar 26 09:03:00 srv amavis[9654]: (09654-16) Passed CLEAN,
[62.241.4.164] [62.241.4.164]  ->
,,
Message-ID: ,
mail_id: YihEhQ2jBCU1, Hits: -1.661, size: 1686, queued_as:
0EAF017A8EFA/1734717A8EFB, 1129 ms
Mar 26 09:03:00 srv postfix/smtp[17582]: CDAEF17A8EF8:
to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=0.83/0/0/1.1,
dsn=2.0.0, status=sent (250 2.0.0 Ok, id=09654-16, from
MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0EAF017A8EFA)
Mar 26 09:03:00 srv postfix/smtp[17582]: CDAEF17A8EF8:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2,
delays=0.83/0/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=09654-16,
from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0EAF017A8EFA)
Mar 26 09:03:00 srv postfix/qmgr[13675]: CDAEF17A8EF8: removed
Mar 26 09:03:00 srv dovecot: deliver(localu...@domain.com):
msgid=: saved mail
to INBOX
Mar 26 09:03:00 srv postfix/pipe[17847]: 1734717A8EFB:
to=, relay=dovecot, delay=0.09, delays=0/0/0/0.08,
dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 26 09:03:00 srv postfix/qmgr[13675]: 7C88C17A8EF8: removed
Mar 26 09:03:02 srv postfix/smtp[17846]: 0EAF017A8EFA:
to=,
relay=172.16.0.10[172.16.0.10]:25, delay=2.7, delays=0.03/0.01/1.6/1,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D0196400248)
Mar 26 09:03:02 srv postfix/qmgr[13675]: 0EAF017A8EFA: removed
Mar 26 09:03:02 srv postfix/smtp[17848]: 1734717A8EFB:
to=,
relay=172.16.0.10[172.16.0.10]:25, delay=2.9, delays=0/0.01/1.8/1,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 16D0840027F)
Mar 26 09:03:02 srv postfix/qmgr[13675]: 1734717A8EFB: removed


What's up with that?

Thanks.

-RV


Re: recipient_bcc double emails

2012-03-26 Thread Raven
On Mon, 2012-03-26 at 08:33 -0400, Wietse Venema wrote:
> Read http://www.postfix.org/FILTER_README.html and look for 
> all uses of the "receive_override_options" parameter.
> 
>   Wietse

Thanks. "no_address_mappings" actually did the trick.
I'm wondering, since this double-BCC issue never occurred with Courier,
if it might be Dovecot and the LDA's fault...

-RV



Weird behavior

2012-04-14 Thread Raven
Hi all.

I have a postfix instance which is top-priority MX for domain2.com
(domain2.com. 86400 IN MX 0 srv.domain.com.)
There also is an A record "mail.domain2.com" pointing at the postfix
server.

Today this happened:

Apr 14 06:37:20 srv postfix/smtpd[11880]: connect from
mail-ey0-f179.google.com[209.85.215.179]
Apr 14 06:37:21 srv postfix/smtpd[11880]: 3647717945E8:
client=mail-ey0-f179.google.com[209.85.215.179]
Apr 14 06:37:21 srv postfix/cleanup[7635]: 3647717945E8: message-id=
Apr 14 06:37:21 srv postfix/qmgr[14006]: 3647717945E8:
from=, size=1532, nrcpt=1 (queue active)
Apr 14 06:37:21 srv postfix/smtpd[7644]: connect from
localhost[127.0.0.1]
Apr 14 06:37:21 srv postfix/smtpd[7644]: DC8AA17945E9:
client=localhost[127.0.0.1]
Apr 14 06:37:21 srv postfix/cleanup[7635]: DC8AA17945E9: message-id=
Apr 14 06:37:21 srv postfix/qmgr[14006]: DC8AA17945E9:
from=, size=1989, nrcpt=1 (queue active)
Apr 14 06:37:21 srv postfix/smtpd[7644]: disconnect from
localhost[127.0.0.1]
Apr 14 06:37:21 srv amavis[5610]: (05610-06) Passed CLEAN,
[209.85.215.179] [209.85.215.179]  ->
, Message-ID: , mail_id: lNborMoObesQ,
Hits: 0.915, size: 1532, queued_as: DC8AA17945E9, dkim_id=@gmail.com,
428 ms
Apr 14 06:37:21 srv postfix/smtp[7636]: 3647717945E8:
to=, relay=127.0.0.1[127.0.0.1]:10024,
delay=1.1, delays=0.7/0/0/0.43, dsn=2.0.0, status=sent (250 2.0.0 Ok,
id=05610-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
DC8AA17945E9)
Apr 14 06:37:21 srv postfix/qmgr[14006]: 3647717945E8: removed
Apr 14 06:37:22 srv postfix/smtp[13618]: setting up TLS connection to
out.domain.com[10.0.90.12]:587
Apr 14 06:37:22 srv postfix/smtp[13618]: Untrusted TLS connection
established to out.domain.com[10.0.90.12]:587: TLSv1 with cipher
ADH-AES256-SHA (256/256 bits)
Apr 14 06:37:23 srv postfix/smtp[13618]: DC8AA17945E9:
to=, relay=out.domain.com[10.0.90.12]:587,
delay=1.5, delays=0.01/0/1.1/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok:
queued as D42A8298052D)
Apr 14 06:37:23 srv postfix/qmgr[14006]: DC8AA17945E9: removed
Apr 14 06:37:24 srv postfix/smtpd[13623]: connect from
out.domain.com[10.0.90.12]
Apr 14 06:37:24 srv postfix/smtpd[13623]: NOQUEUE: reject: RCPT from
out.domain.com[10.0.90.12]: 554 5.7.1 :
Relay access denied; from=
to= proto=ESMTP helo=
Apr 14 06:37:25 srv postfix/smtpd[13623]: disconnect from
out.domain.com[10.0.90.12]


What I don't get is why the message was accepted for relay.
"virtual_mailbox_domains" only lists "domain2.com", definitely not
"mail.domain2.com". Also, "localu...@domain2.com" is valid but
"localu...@mail.domain2.com" isn't.

Any clues?


postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
data_directory = /var/lib/postfix
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 14d
message_size_limit = 0
milter_default_action = accept
mydestination = mail.domain.com, dsrv.domain.com, localhost.domain.com,
localhost, srv.domain.com
myhostname = srv.domain.com
mynetworks = [::1]/128, 127.0.0.0/8, 172.16.0.0/24, 10.0.88.0/23
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc_map
recipient_delimiter = +
relay_domains = lists.domain.com
relayhost = [out.domain.com]:587
sender_bcc_maps = hash:/etc/postfix/sender_bcc_map
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_map
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls-policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 150
smtpd_client_event_limit_exceptions = .google.com, .stanford.edu, .nyu.edu
smtpd_client_restrictions = check_recipient_access hash:/etc/postfix/classes,
    permit_mynetworks, permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/cidr_checks,
    check_client_access cidr:/etc/postfix/cidr_asia,
    check_client_access pcre:/etc/postfix/fqrdns.regexp,
    reject_rbl_client bl.mailspike.net, reject_rbl_client bl.spamcop.net,
    reject_rbl_client dyna.spamrats.com, reject_rbl_client noptr.spamrats.com,
    reject_rbl_client spam.spamrats.com, reject_rbl_client zen.spamhaus.org,
    permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/cidr_checks,
    check_recipient_access regexp:/etc/postfix/accounts_regex,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_blocked.cf,
    check_policy_service inet:127.0.0.1:2501,
    reject_unauth_destination, reject_unlisted_recipien

Re: Weird behavior

2012-04-14 Thread Raven
On Sat, 2012-04-14 at 12:17 -0500, Noel Jones wrote:
> On 4/14/2012 2:49 AM, Raven wrote:
> 
> > 
> > What I don't get is why was the message accepted for relay.
> > "virtual_mailbox_domains" only lists "domain2.com", definitely not
> > "mail.domain2.com". Also, "localu...@domain2.com" is valid but
> > "localu...@mail.domain2.com" isn't.
> > 
> > Any clues?
> > 
> > 
> > postconf -n:
> ...
> > smtpd_recipient_restrictions = permit_mynetworks,
> > permit_sasl_authenticated,   
> 
> reject_unauth_destination should go here unless you have a really
> good reason.
> http://www.postfix.org/SMTPD_ACCESS_README.html#danger
> 

Duly noted. Thanks.

> 
> > check_client_access
> > cidr:/etc/postfix/cidr_checks, check_recipient_access
> > regexp:/etc/postfix/accounts_regex,check_recipient_access
> > mysql:/etc/postfix/mysql-virtual_blocked.cf, check_policy_service
> > inet:127.0.0.1:2501, 
> 
> Maybe one of these maps OKed either the client or recipient.
> 

Spot on! A couple of months ago I had whitelisted Gmail's outbound ranges
after they ended up on some RBL, and they were still there.

> > virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_forwardings.cf
> > mysql:/etc/postfix/mysql-virtual_email2email.cf
> 
> Maybe one of these maps matched the recipient.
> 
> > virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
> 
> Maybe this map inadvertently matched the recipient domain.
> 
> 
> 
> Test your maps with
> postmap -q u...@mail.example2.com  maptype:/path/to/map
> Check the documentation for the "search order" of each setting.
> Some settings may also automatically check just "user" or the parent
> domain "example2.com".
> http://www.postfix.org/documentation.html
> 
> 

Once again, thank you.

-RV
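The mechanism behind the reply above is the evaluation order of a restriction list: the first restriction that returns OK or REJECT ends the evaluation, so any access table that answers OK before reject_unauth_destination has spoken grants that client relaying to every destination, whether the OK was meant as an RBL bypass or not. The Python model below is an added illustration, not Postfix code and not from the thread. It replays the posted smtpd_recipient_restrictions (trimmed to the cidr lookup; the regexp, mysql and policy-service lookups are left out) against the recommended order, using values from the postconf -n output above and an assumed /etc/postfix/cidr_checks whose first entry is the forgotten Gmail whitelist. On a live system the equivalent check is postmap -q 209.85.215.179 cidr:/etc/postfix/cidr_checks; note also that Postfix 2.10 and later add smtpd_relay_restrictions, which enforces relay control independently of this list.

```python
"""Added model of Postfix smtpd restriction-list evaluation, showing why a
whitelisting check_client_access entry placed before reject_unauth_destination
turns the whitelisted client into a relay.  Networks and domains are taken
from the postconf -n output above; the contents of cidr_checks are assumed."""

import ipaddress

MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "172.16.0.0/24", "10.0.88.0/23")]
# mydestination + virtual_mailbox_domains + relay_domains, collapsed into one set
AUTHORIZED_DOMAINS = {"srv.domain.com", "mail.domain.com", "localhost",
                      "domain2.com", "lists.domain.com"}
# Assumed cidr_checks contents; first matching entry wins, as in a cidr table.
CIDR_CHECKS = [
    (ipaddress.ip_network("209.85.128.0/17"), "OK"),       # "Gmail outbound" whitelist
    (ipaddress.ip_network("198.51.100.0/24"), "REJECT"),
]


def permit_mynetworks(ctx):
    ip = ipaddress.ip_address(ctx["client"])
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(ctx):
    return "OK" if ctx.get("sasl") else None


def check_client_access_cidr(ctx):
    ip = ipaddress.ip_address(ctx["client"])
    for net, action in CIDR_CHECKS:
        if ip in net:
            return action
    return None


def reject_unauth_destination(ctx):
    domain = ctx["rcpt"].rpartition("@")[2].lower()
    return None if domain in AUTHORIZED_DOMAINS else "REJECT"


# Order as posted (lookups trimmed to the cidr map)
AS_POSTED = [permit_mynetworks, permit_sasl_authenticated,
             check_client_access_cidr, reject_unauth_destination]
# Order recommended in the reply: relay control before any whitelisting lookup
RECOMMENDED = [permit_mynetworks, permit_sasl_authenticated,
               reject_unauth_destination, check_client_access_cidr]


def evaluate(restrictions, ctx):
    """First OK or REJECT decides; None (DUNNO) moves on to the next entry.
    Postfix permits when the end of the list is reached without a decision."""
    trace = []
    for restriction in restrictions:
        verdict = restriction(ctx)
        trace.append(f"{restriction.__name__}={verdict or 'DUNNO'}")
        if verdict is not None:
            return verdict, trace
    trace.append("end-of-list=OK")
    return "OK", trace


if __name__ == "__main__":
    cases = {
        "gmail -> mail.domain2.com (relay)": {"client": "209.85.215.179", "rcpt": "localuser@mail.domain2.com"},
        "gmail -> domain2.com (local)":      {"client": "209.85.215.179", "rcpt": "localuser@domain2.com"},
        "stranger -> mail.domain2.com":      {"client": "203.0.113.5", "rcpt": "x@mail.domain2.com"},
    }
    for label, ctx in cases.items():
        for name, rules in (("as posted", AS_POSTED), ("recommended", RECOMMENDED)):
            verdict, trace = evaluate(rules, ctx)
            print(f"{label:34} {name:12} {verdict:6} {' '.join(trace)}")
```

With the posted order the Gmail client is accepted for localuser@mail.domain2.com because the cidr map answers OK before reject_unauth_destination runs, which is exactly the relay attempt the log shows out.domain.com refusing one hop later; with the recommended order the same client still reaches the local domain but is refused everything else.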