Re: Licensing question
>From: owner-postfix-us...@postfix.org
>
>Paolo Schiro:
>> Hallo everybody,
>>
>> I've written a postfix toolkit to report and act on the queue in a sharp way.
>> I would like to release it under GPL or some other free license.
>> To handle queue efficiently I rewrote the rec_get sub in perl (I discovered
>> it was already present in qshape too late)
>> In my understanding about the IBM Public License Version 1 I need to release
>> the toolkit under IBM license or at least place the sub in a specific file
>> and distribute it under IBM license and the rest in any license I wish.
>>
>> Can anyone confirm I understood correctly ?
>
>If you re-implement rec_get() under GPL then no-one will come after you.

More than re-implemented I've "translated" from an older version of record.c
I don't think change licensing is applicable anyway.

>On the other hand, if you read or write Postfix queue files, then
>your program is not supported, that is, it will break when changes
>are made to the queue file details. I always provide backwards
>compatibility for Postfix programs, but never for other programs.

One more reason to replace my read function with rec_get() from qshape.pl, maintaining future version will be easier for me.
Seems to be more convenient for this project copy the function and inherit IBMPL

Thanks your
Paolo
Licensing question
Hallo everybody,

I've written a postfix toolkit to report and act on the queue in a sharp way.
I would like to release it under GPL or some other free license.
To handle queue efficiently I rewrote the rec_get sub in perl (I discovered it was already present in qshape too late)
In my understanding about the IBM Public License Version 1 I need to release the toolkit under IBM license or at least place the sub in a specific file and distribute it under IBM license and the rest in any license I wish.

Can anyone confirm I understood correctly ?

Thanks in advance
Re: RESTRICTION_CLASS_README
I'm pretty sure you can group restrictions in classes, for example:

restrictive2 = reject_unknown_sender_domain,reject_unknown_client_hostname

But I'm not sure they will be all applicable in the rcpt to stage.

Original Message
From: post...@ptld.com
Sent: Sat Jul 10 01:34:36 GMT+02:00 2021
To: postfix-users@postfix.org
Subject: RESTRICTION_CLASS_README

End goal is to have different smtpd_*_restrictions per recipient.
I see restriction classes might solve this.
Can you supply more than one class in the access table?

smtpd_restriction_classes = permissive, restrictive1, restrictive2, restrictive3
permissive = permit
restrictive1 = reject_unknown_sender_domain
restrictive2 = reject_unknown_client_hostname
restrictive3 = reject_unknown_helo_hostname

smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access

/etc/postfix/recipient_access:
joe@my.domain permissive
jane@my.domain restrictive1 restrictive2 restrictive3

I would do this with sql instead of a flat file table and assume it would translate over the same.
If this isn't the answer is there another way to go about this?
RE: Get MUA from Logs?
Hallo Asai,

MUA information is not passed through POP or IMAP protocol, therefore there is no way to get it recorded into logs as I know.
SMTP is almost the same, but MUAs are known to insert a range of different mime headers and values into generated messages.
In theory you may try to log them using a header_checks rule resulting in a warning (or at least I recall something similar).
Anyway it's a journey I don't suggest because you will likely result in an endless chasing of MUAs list, their behaviors and obviously exceptions.

Paolo
problem with postfix and outlook365
Hi,

I'm writing to ask for help with the following problem. I cannot use outlook365 as a relay host for Postfix. I'm using postfix 2.6

I receive the following error:

Apr 1 17:12:19 elrng-backup postfix/smtp[10780]: warning: SASL authentication failure: No worthy mechs found
Apr 1 17:12:19 elrng-backup postfix/smtp[10780]: 428BC2C1699: SASL authentication failed; cannot authenticate to server smtp.office365.com[132.245.194.242]: no mechanism available

I've followed all the guidelines here:

http://secopsmonkey.com/mail-relaying-postfix-through-office-365.html

with no results. I've also installed cyrus-sasl-plain, and restarted postfix after that, but I still get the same error.

This is the output of postconf -n on my server:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = [smtp.office365.com]:587
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_tls_CAfile = /etc/postfix/ssl/postfix_default.pem
smtp_tls_security_level = may
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550

Can anyone help me please?

Thank you very much in advance.
Re: problem with postfix and outlook365
Sorry, forget about this mail. I've solved it myself.

Thanks anyway.

On 04/01/2016 05:20 PM, Paolo Mioni wrote:
> Hi,
>
> I'm writing to ask for help with the following problem. I cannot use outlook365 as a relay host for Postfix. I'm using postfix 2.6
>
> I receive the following error:
>
> Apr 1 17:12:19 elrng-backup postfix/smtp[10780]: warning: SASL authentication failure: No worthy mechs found
> Apr 1 17:12:19 elrng-backup postfix/smtp[10780]: 428BC2C1699: SASL authentication failed; cannot authenticate to server smtp.office365.com[132.245.194.242]: no mechanism available
>
> I've followed all the guidelines here:
>
> http://secopsmonkey.com/mail-relaying-postfix-through-office-365.html
>
> with no results. I've also installed cyrus-sasl-plain, and restarted postfix after that, but I still get the same error.
>
> This is the output of postconf -n on my server:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = localhost
> inet_protocols = ipv4
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, localhost
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> relayhost = [smtp.office365.com]:587
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_generic_maps = hash:/etc/postfix/generic
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
> smtp_tls_CAfile = /etc/postfix/ssl/postfix_default.pem
> smtp_tls_security_level = may
> smtpd_sasl_security_options = noanonymous
> unknown_local_recipient_reject_code = 550
>
> Can anyone help me please?
>
> Thank you very much in advance.

--
Dott. Paolo Mioni
Partner - HCE s.r.l.
TEOLO/ABANO OFFICE: via Delle Rose 62 Teolo (PD) - Italy
+39 049 667608
http://www.hce.it/
smtpd_recipient_restrictions with ldap
Hi.

I’m using following rules in main.cf

smtpd_recipient_restrictions = permit_mynetworks,check_recipient_access
    regexp:/opt/trend/imss/postfix/etc/postfix/access,reject_unauth_pipelining,
    reject_non_fqdn_recipient,reject_unknown_recipient_domain,
    reject_unauth_destination, ldap:ldaprfx, reject

where ldaprfx is configured with

ldaprfx_server_host = xx
ldaprfx_search_base = dc=cgprouter
ldaprfx_query_filter = mail=%s
ldaprfx_result_attribute = mail
ldaprfx_result_scope = one
ldaprfx_result_format = OK %s
ldaprfx_version = 3

I see not existent mail correctly denied with 451, but an error is logged in maillog

Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: dict_ldap_lookup: ldaprfx: Search base 'dc=cgprouter' not found: 32: No such object
Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: ldap:ldaprfx: table lookup problem
Apr 3 15:23:04 mail2 postfix/smtpd[11180]: NOQUEUE: reject: RCPT from unknown[xxx: 451 4.3.5 : Recipient address rejected: Server configuration error; from= to= proto=ESMTP helo=

Is there a way to avoid ldap warnings ?

Is it expected to see logging "Server configuration error" ?

Here what ldapsearch returns:

ldapsearch -v -LLL -h -b"dc=cgprouter" -x -s one 'mail=notexist@xx'
ldap_initialize( ldap://xxx)
filter: mail=notexist@xxx
requesting: All userApplication attributes
No such object (32)
Additional information: unknown user account

Thanks for any hints .

Regards,
Paolo.

----
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
Hi Brett,

yes 4.3.5 is really an error, but when a valid user is found no error is returned.
Such problem arise since ldap return 32: No such object.

[root@mail2 openldap]# postmap -q barb...@igi.cnr.it ldap:/opt/trend/imss/OpenLDAP/etc/openldap/myBad.cf
OK barb...@igi.cnr.it
[root@mail2 openldap]# postmap -q bar...@igi.cnr.it ldap:/opt/trend/imss/OpenLDAP/etc/openldap/myBad.cf
postmap: warning: dict_ldap_lookup: /opt/trend/imss/OpenLDAP/etc/openldap/myBad.cf: Search base 'dc=cgprouter' not found: 32: No such object

Regards,
Paolo.

> On 4 Apr 2017, at 10:35, Brett Maxfield wrote:
>
> This is not a warning, it is an error, your base might be wrong. your
> ldapsearch test would return the same result even if the base was wrong.. try
> searching for something that exists.. open your ldap with a ldap gui and cut
> and paste the base, or better test your search config file with postmap -q as
> that does what postfix does
>
> server configuration error means the ldap query is failing entirely, not that
> the email is not found, so its something that caused the query to fail, a
> successful query succeeds but return 0 results, not an error, which is what
> you are getting..
>
> Cheers
> Brett
>
>> On 4 Apr 2017, at 4:48 pm, Paolo Barbato wrote:
>>
>> Hi.
>>
>> I’m using following rules in main.cf
>>
>> smtpd_recipient_restrictions = permit_mynetworks,check_recipient_access
>> regexp:/opt/trend/imss/postfix/etc/postfix/access,
>> reject_unauth_pipelining,reject_non_fqdn_recipient,
>> reject_unknown_recipient_domain,reject_unauth_destination, ldap:ldaprfx,
>> reject
>>
>> where ldaprfx is configured with
>>
>> ldaprfx_server_host = xx
>> ldaprfx_search_base = dc=cgprouter
>> ldaprfx_query_filter = mail=%s
>> ldaprfx_result_attribute = mail
>> ldaprfx_result_scope = one
>> ldaprfx_result_format = OK %s
>> ldaprfx_version = 3
>>
>> I see not existent mail correctly denied with 451, but an error is logged in
>> maillog
>>
>> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: dict_ldap_lookup:
>> ldaprfx: Search base 'dc=cgprouter' not found: 32: No such object
>> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: ldap:ldaprfx: table
>> lookup problem
>> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: NOQUEUE: reject: RCPT from
>> unknown[xxx: 451 4.3.5 : Recipient address rejected: Server
>> configuration error; from= to= proto=ESMTP helo=
>>
>> Is there a way to avoid ldap warnings ?
>>
>> Is it expected to see logging "Server configuration error" ?
>>
>>
>> Here what ldapsearch returns:
>>
>> ldapsearch -v -LLL -h -b"dc=cgprouter" -x -s one 'mail=notexist@xx'
>> ldap_initialize( ldap://xxx)
>> filter: mail=notexist@xxx
>> requesting: All userApplication attributes
>> No such object (32)
>> Additional information: unknown user account
>>
>> Thanks for any hints .
>>
>>
>> Regards,
>> Paolo.
>>
>>
>>
>> Paolo Barbato
>>
>> Consorzio RFX
>> corso Stati Uniti,4
>> 35127 Padova - Italy
>> Network Administrator
>> phone: +39 049 8295097 fax: +39 049 8700718
>>
>>

Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
I use CommuniGate as mailer and they allow a "virtual" ldap tree (very useful in my specific situation) that use dc=cgprouter as base search.

http://www.communigate.com/CommuniGatePro/LDAP.html#RouterDN

Trouble arise since ldap search returns "No object found" error that broke postfix when the user doesn't exist.

If I search on another provisioned ldap search base (that unfortunately doesn’t include all objects I’m looking for) no problem arise.

[root@mail2 openldap]# ldapsearch -v -LLL -hmail1.igi.cnr.it -b"cn=igi.cnr.it,o=Consorzio RFX" -x uid=barbat
ldap_initialize( ldap://mail1.igi.cnr.it )
filter: uid=barbat
requesting: All userApplication attributes

[root@mail2 openldap]# ldapsearch -v -LLL -hmail1.igi.cnr.it -b"dc=cgprouter" -x uid=barbat
ldap_initialize( ldap://mail1.igi.cnr.it )
filter: uid=barbat
requesting: All userApplication attributes
No such object (32)
Additional information: unknown user account

The latter broke postfix .

I’ve notified them about this, but I guess if can workaround it in postfix…. it seems not.

Regards,
Paolo.

> On 4 Apr 2017, at 12:22, Michael Ströder wrote:
>
> Paolo Barbato wrote:
>> postmap: warning: dict_ldap_lookup:
>> /opt/trend/imss/OpenLDAP/etc/openldap/myBad.cf:
>> Search base 'dc=cgprouter' not found: 32: No such object
>
> As Brett already said: Most likely this configuration line is wrong:
>
> ldaprfx_search_base = dc=cgprouter
>
> Make sure to put the right search base served by your LDAP server there (full
> DN of
> database root entry).
>
> Ciao, Michael.
>

Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
> On 4 Apr 2017, at 13:16, Brett Maxfield wrote:
>
> The documentation on that link says dc=cgprouter is virtual, which means it
> literally wont exist in ldap (wont be found), maybe its an error in the way
> the mapping is configured, it only rewrites children of that virtual domain
> to the matching ldap.. so maybe you need to ask the developers of the ldap
> mapping product ?
>

I’ve suggested to CommuniGate developers to return empty result and not an error 32, if "object" (mail, alias, forwarder, ...) doesn’t exist, since this the only way to grant interoperability with postfix, but I believe with other MTA.

Regards,
Paolo.

> have you tried try omitting the base and simply searching base "" on the
> virtual ldap ? or adding a mapping option that allows a search at that
> virtual base to apparently succeed, so it does not throw a not found on that
> base when there is nothing matched ?
>
> On 4 Apr 2017, at 8:35 pm, Paolo Barbato <paolo.barb...@igi.cnr.it> wrote:
>
>> I use CommuniGate as mailer and they allow a "virtual" ldap tree (very
>> useful in my specific situation) that use dc=cgprouter as base search.
>>
>> http://www.communigate.com/CommuniGatePro/LDAP.html#RouterDN
>>
>> Trouble arise since ldap search returns "No object found" error that broke
>> postfix when the user doesn't exist.
>>
>> If I search on another provisioned ldap search base (that unfortunately
>> doesn’t include all objects I’m looking for) no problem arise.
>>
>> [root@mail2 openldap]# ldapsearch -v -LLL -hmail1.igi.cnr.it
>> -b"cn=igi.cnr.it,o=Consorzio RFX" -x uid=barbat
>> ldap_initialize( ldap://mail1.igi.cnr.it )
>> filter: uid=barbat
>> requesting: All userApplication attributes
>>
>> [root@mail2 openldap]# ldapsearch -v -LLL -hmail1.igi.cnr.it
>> -b"dc=cgprouter" -x uid=barbat
>> ldap_initialize( ldap://mail1.igi.cnr.it )
>> filter: uid=barbat
>> requesting: All userApplication attributes
>> No such object (32)
>> Additional information: unknown user account
>>
>>
>> The latter broke postfix .
>>
>> I’ve notified them about this, but I guess if can workaround it in postfix….
>> it seems not.
>>
>> Regards,
>> Paolo.
>>
>>> On 4 Apr 2017, at 12:22, Michael Ströder <mich...@stroeder.com> wrote:
>>>
>>> Paolo Barbato wrote:
>>>> postmap: warning: dict_ldap_lookup:
>>>> /opt/trend/imss/OpenLDAP/etc/openldap/myBad.cf:
>>>> Search base 'dc=cgprouter' not found: 32: No such object
>>>
>>> As Brett already said: Most likely this configuration line is wrong:
>>>
>>> ldaprfx_search_base = dc=cgprouter
>>>
>>> Make sure to put the right search base served by your LDAP server there
>>> (full DN of
>>> database root entry).
>>>
>>> Ciao, Michael.
>>>
>>
>> ----
>> Paolo Barbato
>>
>> Consorzio RFX <https://www.igi.cnr.it/>
>> corso Stati Uniti,4
>>
>> 35127 Padova - Italy
>> Network Administrator
>> phone: +39 049 8295097 fax: +39 049 8700718
>>
>>

Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
Hi Christian,

the keyword can be omitted, see

http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-multiple-tables-in-check-recipient-access-td86603.html

Regards,
Paolo.

> On 4 Apr 2017, at 16:53, Christian Rößner wrote:
>
> Hi,
>
>> On 04.04.2017 at 08:48, Paolo Barbato wrote:
>>
>> smtpd_recipient_restrictions =
> ...
>> ldap:ldaprfx,
> ...
>
> Maybe I am wrong, but aren't you missing a keyword here? Something like
> check_sender_access or check_recipient_access or vice versa?
>
> ...
> check_XYZ_access ldap:ldaprfx,
> ...
>
> Christian
> --
> Erlenwiese 14, 36304 Alsfeld
> T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
>

----
Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
Hi Viktor,

On 04/Apr/2017, at 18.02, Viktor Dukhovni wrote:

> On Tue, Apr 04, 2017 at 08:48:33AM +0200, Paolo Barbato wrote:
>
>> I’m using following rules in main.cf
>>
>> smtpd_recipient_restrictions =
>> permit_mynetworks,
>> check_recipient_access
>> regexp:/opt/trend/imss/postfix/etc/postfix/access,
>> reject_unauth_pipelining,
>> reject_non_fqdn_recipient,
>> reject_unknown_recipient_domain,
>> reject_unauth_destination,
>> ldap:ldaprfx,
>> reject
>
> Using access(5) to perform recipient validation is not the preferred
> way to reject non-existent recipients. Instead, make sure each domain
> appears in the appropriate address class (see ADDRESS_CLASS_README),
> and configure the corresponding recipient validation tables.
>

on the edge I'm using TrendMicro IMSVA that bundle postfix 2.7.x as MTA.
Postfix configurations files are maintained via some web forms available on main IMSVA web console.
It's possible to activate check on recipients against multiple ldap servers. A local openldap server is then put in place acting as local cache.
In production main.cf file include an entry for ldap:ldapimsva.
Since CGPro virtual search base dc=cgprouter is not directly configurable via IMSVA, now I understand why (error 32), I've tried to add a separate instance ldap:ldaprfx in main.cf manually.

> For better performance, change "ldap:ldaprfx" to "proxy:ldap:ldaprfx",
> and consider moving the table definition out of main.cf into a
> ".cf" file.
>

Very effective suggestions, although if CGPro developers will accept my proposal, I'm confident that I'll be able to add CGPro virtual base directly using IMSVA web console.

Regards,
Paolo.

>> ldaprfx_server_host = xx
>> ldaprfx_search_base = dc=cgprouter
>> ldaprfx_query_filter = mail=%s
>> ldaprfx_result_attribute = mail
>> ldaprfx_result_scope = one
>> ldaprfx_result_format = OK %s
>> ldaprfx_version = 3
>>
>> I see not existent mail correctly denied with 451, but an error is logged in
>> maillog
>>
>> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: dict_ldap_lookup:
>> ldaprfx: Search base 'dc=cgprouter' not found: 32: No such object
>
> The LDAP server should not deny the existence of the search base.
>
>> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: warning: ldap:ldaprfx: table
>> lookup problem
>> Apr 3 15:23:04 mail2 postfix/smtpd[11180]: NOQUEUE: reject: RCPT from
>> unknown[xxx: 451 4.3.5 : Recipient address rejected: Server
>> configuration error; from= to= proto=ESMTP helo=
>
> Then you'll be able to reject invalid recipients with a 5XX permanent
> error, and avoid noisy warnings in the log.
>
>> Is it expected to see logging "Server configuration error" ?
>
> Yes, because your search base is invalid
>
>> Here what ldapsearch returns:
>>
>> ldapsearch -v -LLL -h -b"dc=cgprouter" -x -s one 'mail=notexist@xx'
>> ldap_initialize( ldap://xxx)
>> filter: mail=notexist@xxx
>> requesting: All userApplication attributes
>> No such object (32)
>
> The "No such object" error is undesirable, instead, this should
> quietly return no result.
>
> Postfix ignores "no such object" only when the search base is
> constructed dynamically via "%[sud]" expansions.
>
> What do the DNs of valid users look like? There's a slim chance
> that you can interpolate part of the recipient address into the
> search base, and thereby avoid the error.
>
> --
> Viktor.

Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
Viktor,

here new ldaprfx.cf

server_host = 150.178.3.89:389
bind=no
search_base = mail=%s,dc=cgprouter
scope = base
query_filter = mail=%s
result_attribute = mail
result_format = OK %s
version = 3

here postmap check

[root@mail2 postfix]# postmap -q bar...@igi.cnr.it ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
[root@mail2 postfix]#
[root@mail2 postfix]# postmap -q barb...@igi.cnr.it ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
OK barb...@igi.cnr.it

that's really fine.

but after inserted ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf in main.cf a new error come up "warning: dict_ldap_lookup: Search error 1: Operations error " and Server configuration error is there again. ?

I've anyway just receive a feedback from CGPro developers that I share as promised:

> For 6.2c3 (later this April):
> LDAP: search for non-routable address under the dc=cgprouter base now returns
> empty result rather than routing error.
>
> The request with scope=base still returns error if the address can not be
> routed.

Regards,
Paolo

On 04/Apr/2017, at 18.39, Viktor Dukhovni wrote:

>
>> On Apr 4, 2017, at 12:30 PM, Paolo Barbato wrote:
>>
>>> For better performance, change "ldap:ldaprfx" to "proxy:ldap:ldaprfx"
>>
>> Very effective suggestions, although if CGPro developers
>> will accept my proposal, I'm confident that I'll be able
>> to add CGPro virtual base directly using IMSVA web console.
>
> When using LDAP in the Postfix SMTP server (smtpd(8)), it
> is important to use "proxy:ldap:..." instead of "ldap:..."
> when defining LDAP tables. This significantly reduces the
> number of concurrent connections seen by the LDAP server.
> Many LDAP servers are not prepared to handle hundreds to
> thousands of simultaneous connections.
>
> In some cases you may need to augment "proxy_read_maps"
> with the tables you intend to use.
>
> Recent Postfix versions have a default settings of:
>
> $ postconf -fd proxy_read_maps
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
>     $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
>     $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
>     $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
>     $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps
>     $smtp_generic_maps $lmtp_generic_maps $alias_maps
>     $smtpd_client_restrictions
>     $smtpd_helo_restrictions $smtpd_sender_restrictions
>     $smtpd_relay_restrictions $smtpd_recipient_restrictions
>
> which covers all the tables listed in the various restriction lists.
>
> --
> Viktor.
>

Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
> On 5 Apr 2017, at 01:08, Viktor Dukhovni wrote:
>
>
>> On Apr 4, 2017, at 3:35 PM, Paolo Barbato wrote:
>>
>> here new ldaprfx.cf
>>
>> server_host = 150.178.3.89:389
>> bind=no
>> search_base = mail=%s,dc=cgprouter
>> scope = base
>> query_filter = mail=%s
>> result_attribute = mail
>> result_format = OK %s
>> version = 3
>>
>> here postmap check
>> [root@mail2 postfix]# postmap -q bar...@igi.cnr.it
>> ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
>> [root@mail2 postfix]#
>> [root@mail2 postfix]# postmap -q barb...@igi.cnr.it
>> ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
>> OK barb...@igi.cnr.it
>>
>>
>> thats really fine.
>>
>> but after inserted ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
>> in main.cf an new error come up "warning: dict_ldap_lookup: Search error 1:
>> Operations error " and Server configuration error is there again.
>
> And the reason you're not posting the "postconf -n" output showing the
> new settings and the full error message (and any related log entries)
> is …?

I’ve tried before arranging an amend part, but good old majordomo explain that it posted for some reasons.. here another try:
Re: smtpd_recipient_restrictions with ldap
> On 5 Apr 2017, at 01:21, Brett @Google wrote:
>
> On Wed, Apr 5, 2017 at 5:35 AM, Paolo Barbato <paolo.barb...@igi.cnr.it> wrote:
>
> I've anyway just receive a feedback from CGPro developers that I share as
> promised:
>
>> For 6.2c3 (later this April):
>> LDAP: search for non-routable address under the dc=cgprouter base now
>> returns empty result rather than routing error.
>>
>> The request with scope=base still returns error if the address can not be
>> routed.
>
> It's lucky they will fix it, i was about to suggest using openldap with the
> meta backend instead as it seems an odd behavior for an ldap meant for
> mailers.
>

sure

> The answer to the following used a openldap server, with some shared entries,
> with a meta backend to allow querying of several separate servers as one :
>
> http://serverfault.com/questions/106869/how-can-i-proxy-multiple-ldap-servers-and-still-have-grouping-of-users-on-the-p
>
> A similar setup, but with a different solution. Probably simpler to keep
> using your same product, if they fix the empty base search.
>

I’ve different ldap sources and IMSVA TrendMicro does exactly this, take care of all of them and instruct postfix to connect only to a local openldap that proxies queries and cache results.

Actually this fails with CGPro as ldap source, exactly for the unexpectedly returned "error 32" when searching on the virtual DN dc=cgprouter for not existing mail/alias/mailinglist, etc.

So they agree to change such behaviour (correctly only for search and not for record retrieval), and this make all possible sense.

Have a nice day.

Regards,
Paolo.

> Cheers
> Brett

Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: smtpd_recipient_restrictions with ldap
Hi,

waiting for CGPro upcoming release with promised search fixing, I've sorted out the warning: dict_ldap_lookup: Search error 1: Operations error, adding a domain= list of my internal domains in ldaprfx.cf, and so stopping mail=%s expansion .

In main.cf I’ve added proxy:ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf.

I noticed that this requires also to list explicitly proxy_read_maps:

proxy_read_maps = proxy:ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf …..

Many thanks help me on focusing on a solution and for the very useful tips.

Regards,
Paolo.

> On 5 Apr 2017, at 08:15, Paolo Barbato <paolo.barb...@igi.cnr.it> wrote:
>
>
>> On 5 Apr 2017, at 01:08, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>>
>>
>>> On Apr 4, 2017, at 3:35 PM, Paolo Barbato <paolo.barb...@igi.cnr.it> wrote:
>>>
>>> here new ldaprfx.cf
>>>
>>> server_host = 150.178.3.89:389
>>> bind=no
>>> search_base = mail=%s,dc=cgprouter
>>> scope = base
>>> query_filter = mail=%s
>>> result_attribute = mail
>>> result_format = OK %s
>>> version = 3
>>>
>>> here postmap check
>>> [root@mail2 postfix]# postmap -q bar...@igi.cnr.it
>>> ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
>>> [root@mail2 postfix]#
>>> [root@mail2 postfix]# postmap -q barb...@igi.cnr.it
>>> ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
>>> OK barb...@igi.cnr.it
>>>
>>>
>>> thats really fine.
>>>
>>> but after inserted ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf
>>> in main.cf an new error come up "warning: dict_ldap_lookup: Search error
>>> 1: Operations error " and Server configuration error is there again.
>>
>> And the reason you're not posting the "postconf -n" output showing the
>> new settings and the full error message (and any related log entries)
>> is …?
> ..
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: ldap_read:
> want=30, got=30
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: : 01 01
> 04 00 04 18 69 6e 63 6f 72 72 65 63 74 20 ..incorrect
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: 0010: 45 2d
> 6d 61 69 6c 20 61 64 64 72 65 73 73 E-mail address
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: request done: ld
> 0x812ab00 msgid 5
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: warning: dict_ldap_lookup: Search
> error 1: Operations error
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: : 30 05
> 02 01 06 42 00 0B.
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: ldap_write:
> want=7, written=7
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: dict_ldap_debug: : 30 05
> 02 01 06 42 00 0B.
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: warning:
> ldap:/opt/trend/imss/postfix/etc/postfix/ldaprfx.cf: table lookup problem
> Apr 4 20:51:41 mail2 postfix/smtpd[28942]: NOQUEUE: reject: RCPT from
> unknown[201.165.255.9]: 451 4.3.5 <um...@igi.cnr.it>: Recipient address
> rejected: Server configuration error; from=<geod...@mail2jane.com>
> to=<um...@igi.cnr.it> proto=ESMTP
> helo=<customer-hmo-255-9.megared.net.mx>
>>
>
> it seems that record retrieval try multiple attempt before report the error
> mentioned.
>
>
>
>> Do test making the query as a non-root user. Do check whether your
>> SMTP server processes are chrooted and perhaps can't connect to LDAP
>> servers as a result.
>>
>> --
>> Viktor.
>>
>
>

Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: OT? - Blocking attachments
+1

> On 15 May 2017, at 06:32, Viktor Dukhovni wrote:
>
>> On May 15, 2017, at 12:26 AM, Bill Cole wrote:
>>
>> If you want versatile, nuanced, precise, and accurate attachment handling, there is no better tool than MIMEDefang.
>
> The MIME normalizer I wrote in my early days as Morgan Stanley postmaster, just before Y2K New Years, was tasked with removing most "attachments" from email, attachments were replaced with a bit of text informing the user what was removed. (Never released to the public).
>
> It later evolved to be able to selectively remove Zip files from email based on the content inside the Zip file and the profile of the recipient. Preemptive removal of high-risk content that most users have no reason to receive is a fine defensive strategy.
>
> --
> Viktor.
>

Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4 35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
Re: Forwarded mail problem
Dear Enrico,

it seems that your domain hasn't any SPF entry in DNS.

dig txt cerm.unifi.it

Fighting spammers is hard, so at least SPF has to be used to legitimize your IPs. DKIM and DMARC are other ways... somewhat more complex to implement.

Regards,
Paolo.

> On 1 Feb 2019, at 15:41, Enrico Morelli wrote:
>
> Dear all,
>
> I'm having some problems forwarding some emails to Gmail addresses.
> Sometimes the emails are bounced because:
>
> This message does not have authentication information or fails to pass
> 550-5.7.1 authentication checks. To best protect our users from spam,
> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> https://support.google.com/mail/answer/81126#authentication for more
> 550 5.7.1 information. k11si3359248wrp.39 - gsmtp (in reply to end of
> DATA command))
>
> I'm sure that these emails aren't spam.
>
> Can someone explain to me why? Is there some misconfiguration in my mail
> server?
>
> Thanks
>
> --
> ---
> Enrico Morelli
> System Administrator | Programmer | Web Developer
>
> CERM - Polo Scientifico
> via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
> ----

Paolo Barbato
Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti,4 35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
spam detected in sending mail
Hi there,

I configured postfix version 2.11 on Ubuntu 14.04 LTS x64. When I send an email to a Gmail account and others (like hotmail.it), the emails end up in the spam box (the IP domain is not blacklisted). I would like to know why.

A normal user can send an email only with STARTTLS authentication (I activated ports 25 and 587). I have also configured SPF and DKIM (I'm waiting for the DNS propagation for DKIM). Not only that, there is also amavis, spamassassin and clamav.

For instance, if I send an email to my Gmail account and analyze the source, it seems strange (view attached file). If anyone wants, I can show the main.cf file.

Anyone can help me please?

Thanks in advance
Regards

Delivered-To: pa...@paolodemichele.it
Received: by 10.70.103.102 with SMTP id fv6csp595072pdb;
        Wed, 26 Nov 2014 05:32:59 -0800 (PST)
X-Received: by 10.194.241.194 with SMTP id wk2mr48546618wjc.132.1417008777291;
        Wed, 26 Nov 2014 05:32:57 -0800 (PST)
Return-Path:
Received: from mail.giokai.com (mail.giokai.com. [188.226.180.114])
        by mx.google.com with ESMTP id bu3si7003361wjc.66.2014.11.26.05.32.56
        for ;
        Wed, 26 Nov 2014 05:32:57 -0800 (PST)
Received-SPF: pass (google.com: domain of pdemich...@giokai.com designates 188.226.180.114 as permitted sender) client-ip=188.226.180.114;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of pdemich...@giokai.com designates 188.226.180.114 as permitted sender) smtp.mail=pdemich...@giokai.com;
        dkim=temperror (no key for signature) header.i=@
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mail.giokai.com (Postfix) with ESMTP id 2BEF7237E7
        for ; Wed, 26 Nov 2014 14:32:56 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail.giokai.com
Received: from mail.giokai.com ([127.0.0.1])
        by localhost (mail.giokai.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id jvq7jFDlIf8z for ;
        Wed, 26 Nov 2014 14:32:35 +0100 (CET)
Received: from [172.16.2.153] (dynamic-adsl-78-15-215-90.clienti.tiscali.it [78.15.215.90])
        (Authenticated sender: pdemich...@giokai.com)
        by mail.giokai.com (Postfix) with ESMTPSA id A3603237E6
        for ; Wed, 26 Nov 2014 14:32:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=giokai.com; s=mail;
        t=1417008755; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
        h=Date:From:To:Subject;
        b=eFVwV/etSOr7vNjzKRzRU1Pl0yaZPUxRjF5LN0luuTHYzgfIpJ5Va2x1IfwRshC/w
         zLlxZrM2jlkskxarPmuf/NaQpeN+3bvz63n1jmfqbOMCsYhgXZ15UJhbDBQNSYH4dT
         gAwgafHys892iBd0kOBwueCCjY+Bqqw4FseqPEjU=
Message-ID: <5475d672.3030...@giokai.com>
Date: Wed, 26 Nov 2014 14:32:34 +0100
From: Paolo De Michele
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Paolo De Michele
Subject: test
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

test
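The headers pasted in the message above already record what the receiver decided: SPF passed and DKIM returned temperror because no key was found. As an added example (not part of the original post), this Python sketch reads the Authentication-Results header and derives from the DKIM-Signature tags the DNS name where a verifier looks for the public key; the function names are hypothetical and the sample strings are the post's headers, unfolded.

```python
import re

# Constructed sample: the two headers from the message above, unfolded.
# header.i=@ is truncated in the post; the bh=/b= values are omitted here.
AUTH_RESULTS = (
    "mx.google.com; spf=pass (google.com: domain of pdemich...@giokai.com "
    "designates 188.226.180.114 as permitted sender) "
    "smtp.mail=pdemich...@giokai.com; "
    "dkim=temperror (no key for signature) header.i=@")
DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=giokai.com; s=mail; "
                  "t=1417008755; bh=<omitted>; h=Date:From:To:Subject; b=<omitted>")

def parse_auth_results(value):
    """Return (authserv_id, {method: (result, comment)})."""
    authserv_id, _, rest = value.partition(";")
    results = {}
    # Split on ';' that is not inside a (comment); nested comments not handled.
    for clause in re.split(r";(?![^()]*\))", rest):
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)\s*(?:\(([^)]*)\))?", clause, re.I)
        if m:
            results[m.group(1).lower()] = (m.group(2).lower(), m.group(3))
    return authserv_id.strip(), results

def dkim_key_name(signature):
    """DNS name of the public key a verifier queries: <s>._domainkey.<d>."""
    tags = {}
    for item in signature.split(";"):
        key, eq, val = item.partition("=")
        if eq:
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return f"{tags['s']}._domainkey.{tags['d']}"

def triage(auth_results, signature):
    """List every method that did not pass, with the DKIM key name to check."""
    findings = []
    for method, (result, comment) in parse_auth_results(auth_results)[1].items():
        if result == "pass":
            continue
        note = f"{method}={result}" + (f" ({comment})" if comment else "")
        if method == "dkim":
            note += f"; check TXT record {dkim_key_name(signature)}"
        findings.append(note)
    return findings

if __name__ == "__main__":
    print(triage(AUTH_RESULTS, DKIM_SIGNATURE))
```

The name it reports is the TXT record that has to resolve publicly before a receiver can verify the signature.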
Re: spam detected in sending mail
On 26/11/14 15:03, Cristiano Deana wrote:
> On Wed, Nov 26, 2014 at 2:42 PM, Paolo De Michele wrote:
>
>> Anyone can help me please?
> Not enough details (log, domains, anything), but this
>
> Received: from [172.16.2.153]
> (dynamic-adsl-78-15-215-90.clienti.tiscali.it. [78.15.215.90])
>
> could be a good start point.

Thanks for the reply.

So, I already have the PTR record configured; the domain is giokai.com.

If I send an email to a Gmail account, I see this in the syslog file:

Nov 27 00:35:23 mail postfix/submission/smtpd[6140]: connect from dynamic-adsl-78-15-215-90.clienti.tiscali.it[78.15.215.90]
Nov 27 00:35:24 mail postfix/submission/smtpd[6140]: 4670E237E6: client=dynamic-adsl-78-15-215-90.clienti.tiscali.it[78.15.215.90], sasl_method=PLAIN, sasl_username=pdemich...@giokai.com
Nov 27 00:35:24 mail postfix/cleanup[6147]: 4670E237E6: message-id=<547663bb.7010...@giokai.com>
Nov 27 00:35:24 mail opendkim[5126]: 4670E237E6: DKIM-Signature field added (s=mail, d=giokai.com)
Nov 27 00:35:24 mail postfix/qmgr[5007]: 4670E237E6: from=, size=660, nrcpt=1 (queue active)
Nov 27 00:35:24 mail postfix/submission/smtpd[6140]: disconnect from dynamic-adsl-78-15-215-90.clienti.tiscali.it[78.15.215.90]
Nov 27 00:35:26 mail postfix/smtpd[6156]: connect from localhost.localdomain[127.0.0.1]
Nov 27 00:35:26 mail postfix/smtpd[6156]: 1D988237E7: client=localhost.localdomain[127.0.0.1]
Nov 27 00:35:26 mail postfix/cleanup[6147]: 1D988237E7: message-id=<547663bb.7010...@giokai.com>
Nov 27 00:35:26 mail postfix/qmgr[5007]: 1D988237E7: from=, size=1468, nrcpt=1 (queue active)
Nov 27 00:35:26 mail postfix/smtpd[6156]: disconnect from localhost.localdomain[127.0.0.1]
Nov 27 00:35:26 mail amavis[1475]: (01475-15) Passed CLEAN {RelayedOpenRelay}, [78.15.215.90]:23136 [78.15.215.90] -> , Queue-ID: 4670E237E6, Message-ID: <547663bb.7010...@giokai.com>, mail_id: J2d3IMGLlH4o, Hits: -0.89, size: 975, queued_as: 1D988237E7, 1700 ms
Nov 27 00:35:26 mail postfix/smtp[6148]: 4670E237E6: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=0.19/0/0.01/1.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1D988237E7)
Nov 27 00:35:26 mail postfix/qmgr[5007]: 4670E237E6: removed
Nov 27 00:35:27 mail postfix/smtp[6158]: 1D988237E7: to=, relay=aspmx.l.google.com[74.125.136.27]:25, delay=1.2, delays=0.01/0/0.28/0.92, dsn=2.0.0, status=sent (250 2.0.0 OK 1417044927 lm8si8066483wjb.134 - gsmtp)
Nov 27 00:35:27 mail postfix/qmgr[5007]: 1D988237E7: removed

I am available to do a test, let me know. Thanks in advance.
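The syslog excerpt above shows one message under two queue IDs, because the content filter on 127.0.0.1:10024 hands it back to Postfix under a new ID. As an added example (not part of the original post), this Python sketch follows a submission queue ID through that re-injection to the final remote reply and picks up the tag amavis logged in braces; the function names are hypothetical and the sample is a subset of the posted lines.

```python
import re

# Sample input: a subset of the log lines posted above (addresses already elided there).
LOG = """\
Nov 27 00:35:24 mail postfix/submission/smtpd[6140]: 4670E237E6: client=dynamic-adsl-78-15-215-90.clienti.tiscali.it[78.15.215.90], sasl_method=PLAIN, sasl_username=pdemich...@giokai.com
Nov 27 00:35:24 mail opendkim[5126]: 4670E237E6: DKIM-Signature field added (s=mail, d=giokai.com)
Nov 27 00:35:26 mail amavis[1475]: (01475-15) Passed CLEAN {RelayedOpenRelay}, [78.15.215.90]:23136 [78.15.215.90] -> , Queue-ID: 4670E237E6, Message-ID: <547663bb.7010...@giokai.com>, mail_id: J2d3IMGLlH4o, Hits: -0.89, size: 975, queued_as: 1D988237E7, 1700 ms
Nov 27 00:35:26 mail postfix/smtp[6148]: 4670E237E6: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=0.19/0/0.01/1.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1D988237E7)
Nov 27 00:35:27 mail postfix/smtp[6158]: 1D988237E7: to=, relay=aspmx.l.google.com[74.125.136.27]:25, delay=1.2, delays=0.01/0/0.28/0.92, dsn=2.0.0, status=sent (250 2.0.0 OK 1417044927 lm8si8066483wjb.134 - gsmtp)
"""

QID = r"[0-9A-F]{6,}"  # assumption: short hexadecimal queue IDs, as in this log
DELIVERY = re.compile(
    rf"postfix/\S*smtp\[\d+\]: ({QID}): .*?relay=([^,]+), .*?dsn=([\d.]+), status=(\w+) \((.*)\)$")
REQUEUE = re.compile(rf"queued as ({QID})")
AMAVIS = re.compile(rf"amavis\[\d+\]: .*?\{{(\w+)\}}.*?Queue-ID: ({QID})")

def trace(log):
    """Return ({qid: delivery record}, {qid: amavis tag}) for a syslog text."""
    hops, verdict = {}, {}
    for line in log.splitlines():
        if m := AMAVIS.search(line):
            verdict[m.group(2)] = m.group(1)
        elif m := DELIVERY.search(line):
            qid, relay, dsn, status, reply = m.groups()
            nxt = REQUEUE.search(reply)  # set when the next hop re-queued the message
            hops[qid] = {"relay": relay, "dsn": dsn, "status": status,
                         "next": nxt.group(1) if nxt else None}
    return hops, verdict

def follow(qid, hops):
    """Follow re-injections from a queue ID to the last hop that was logged."""
    chain = [qid]
    while (nxt := hops.get(qid, {}).get("next")) and nxt not in chain:
        chain.append(nxt)
        qid = nxt
    return chain, hops.get(qid)

if __name__ == "__main__":
    hops, verdict = trace(LOG)
    print(follow("4670E237E6", hops), verdict)
```

For this log the chain ends at aspmx.l.google.com with status=sent and dsn=2.0.0, so the receiving server accepted the message and the spam-folder decision was made after acceptance.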