smtp client and aliased addresses

2009-09-28 Thread Postfix User
I'm having an issue getting the smtp client to bind to an aliased IP
address.

mail_version = 2.5.7

I've tried to no avail to have the smtp client use an aliased IP to
deliver mail but it insists on using the address of the interface the
aliased address is assigned to.

#  ifconfig eth2 && ifconfig eth2:1

eth2  Link encap:Ethernet  HWaddr 00:15:17:6f:e6:1e  
  inet addr:142.22.75.146  Bcast:142.22.75.151  Mask:255.255.255.248
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:38366130 errors:0 dropped:0 overruns:0 frame:0
  TX packets:32267506 errors:0 dropped:0 overruns:0 carrier:0
  collisions:535231 txqueuelen:100 
  RX bytes:10481726082 (9.7 GiB)  TX bytes:33812562876 (31.4 GiB)
  Base address:0xece0 Memory:fc7e-fc80 

eth2:1  Link encap:Ethernet  HWaddr 00:15:17:6f:e6:1e  
  inet addr:142.22.75.147  Bcast:142.22.75.151  Mask:255.255.255.248
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  Base address:0xece0 Memory:fc7e-fc80 


I've tried the following in main.cf ...

smtp_bind_address = 142.22.75.147

I've also tried the following in master.cf ...

smtp  unix  -   -   n   -   -   smtp
   -o smtp_bind_address=142.22.75.147

Reading a correlation between smtp_bind_address and inet_interfaces in
the docs I've also tried the following in main.cf ...

inet_interfaces = $myhostname, localhost

With the latter netstat shows master binding to the aliased address
142.22.75.147 and 127.0.0.1 and the smtpd server receives mail fine on
the aliased address however the smtp client persists in using
142.22.75.146 to deliver mail to other hosts.

tcp  0  0 127.0.0.1:25      0.0.0.0:*  LISTEN  27605/master
tcp  0  0 142.22.75.147:25  0.0.0.0:*  LISTEN  27605/master


What am I missing?

Thanks
--



Re: smtp client and aliased addresses

2009-09-29 Thread Postfix User

On Tue, 2009-09-29 at 14:28 +0530, ram wrote:
> On Tue, 2009-09-29 at 00:58 -0300, Postfix User wrote:
> > I'm having an issue getting the smtp client to bind to an aliased IP
> > address.
> > 
> > mail_version = 2.5.7
> > 
> > I've tried to no avail to have the smtp client use a aliased IP to
> > deliver mail but it insists on using the address of the interface the
> > aliased address is assigned to.
> > 
> > #  ifconfig eth2 && ifconfig eth2:1
> > 
> > eth2  Link encap:Ethernet  HWaddr 00:15:17:6f:e6:1e  
> >   inet addr:142.22.75.146  Bcast:142.22.75.151  Mask:255.255.255.248
> >   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >   RX packets:38366130 errors:0 dropped:0 overruns:0 frame:0
> >   TX packets:32267506 errors:0 dropped:0 overruns:0 carrier:0
> >   collisions:535231 txqueuelen:100 
> >   RX bytes:10481726082 (9.7 GiB)  TX bytes:33812562876 (31.4 GiB)
> >   Base address:0xece0 Memory:fc7e-fc80 
> > 
> > eth2:1Link encap:Ethernet  HWaddr 00:15:17:6f:e6:1e  
> >   inet addr:142.22.75.147  Bcast:142.22.75.151  Mask:255.255.255.248
> >   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >   Base address:0xece0 Memory:fc7e-fc80 
> > 
> > 
> > I've tried the following in main.cf ...
> > 
> > smtp_bind_address = 142.22.75.147
> > 
> > I've also tried the following in master.cf ...
> > 
> > smtp  unix  -   -   n   -   -   smtp
> >-o smtp_bind_address=142.22.75.147
> > 
> > Reading a correlation between smtp_bind_address and inet_interfaces in
> > the docs I've also tried the following in main.cf ...
> > 
> > inet_interfaces = $myhostname, localhost
> > 
> > With the later netstat shows master binding to the aliased address
> > 142.22.75.147 and 127.0.0.1 and the smtpd server receives mail fine on
> > the aliased address however the smtp client persists in using
> > 142.22.75.146 to deliver mail to other hosts.
> > 
> How can you say that ? The way of checking is send a mail to any other
> server. And check the full headers for the ip used. Dont use netstat.
> The smtp connection will not last too long for your inspection.
> 

Indeed, I've confirmed it by checking both headers and logs. Sorry about
that, I thought that a little too obvious to mention.  

> 
> > tcp0  0 127.0.0.1:250.0.0.0:*   LISTEN  
> >27605/master
> > tcp0  0 142.22.75.147:250.0.0.0:*   LISTEN  
> >27605/master   
> > 
> > 
> No this is not smtp client , this indicates smtpd listening for incoming
> messages. Dont confuse smtpd with smtp 
> 

I'm aware of that and it was mentioned, I showed the netstat output to
show that postfix was using inet_interfaces as expected. FWIW I also
tried this with just the aliased IP address.
 
> > What am I missing?
> 
> I dont think there is anything. You are probably already meeting your
> requirement
> 

As I've confirmed that it's not, any other suggestions?


Thanks
--





Re: smtp client and aliased addresses

2009-09-29 Thread Postfix User

On Tue, 2009-09-29 at 07:51 -0400, John Peach wrote:
> On Tue, 29 Sep 2009 07:57:54 -0300
> Postfix User  wrote:
> [snip]
> > 
> > As I've confirmed that it's not, any other suggestions?
> 
> Postfix does not decide which interface to use for sending mail. That
> is handled by your routing tables.

What's the intended use of smtp_bind_address for then?




Re: smtp client and aliased addresses

2009-09-29 Thread Postfix User

On Tue, 2009-09-29 at 19:10 +0530, ram wrote:
> On Tue, 2009-09-29 at 07:57 -0300, Postfix User wrote:
> > On Tue, 2009-09-29 at 14:28 +0530, ram wrote:
> > > On Tue, 2009-09-29 at 00:58 -0300, Postfix User wrote:
> > > > I'm having an issue getting the smtp client to bind to an aliased IP
> > > > address.
> > > > 
> >  
> > > > What am I missing?
> > > 
> > > I dont think there is anything. You are probably already meeting your
> > > requirement
> > > 
> > 
> > As I've confirmed that it's not, any other suggestions?
> > 
> smtp bind works fine. 
> Trace the mail in the logs. Probably enable verbose logging for smtp
> Did you see any error line that says could not bind to  

First thing I did was an egrep '(warning|error|fatal|panic):' on the
mail logs, nothing relevant seen.

I'll try turning on verbose logging and look for clues. 

I've since implemented an iptables SNAT rule as a temporary workaround
as I really needed this working this morning. I doubt this will
interfere with the verbose logging output. What exactly is it I should
be looking for? 

-- 



Re: smtp client and aliased addresses

2009-09-29 Thread Postfix User

> 2009/9/30 Postfix User :
> 
> > I've since implemented an iptables SNAT rule as a temporary workaround
> > as I really needed this working this morning. I doubt this will
> > interfere with the verbose logging output. What exactly is it I should
> > be looking for?
> 
> Can you show us some proof that it's not working? Eg. send mail via
> that machine and show the headers that appear on the receiving end.
> 

> If you really want to use iptables, I'd use it for logging first. Just
> some trivial rules.
> 
> iptables -I OUTPUT -s 142.22.75.146 -p tcp --dport smtp -m state --state NEW
> iptables -I OUTPUT -s 142.22.75.147 -p tcp --dport smtp -m state --state NEW
> 

Bingo, good thinking Barney.

I removed my SNAT rule and sent a couple of emails and this shed some
light on it as the second rule was the only one to increment so postfix
was working as expected yet email headers and logs on the receiving MTA
showed delivery using 142.22.75.146 so I dropped the firewall, sent
another email and the results were as expected on the receiving end, i.e.
142.22.75.147 was used. Wading through the firewall rules I spotted the
culprit rule. The rules are not my handiwork and they certainly need
peer review as looking deeper I see a few others I had to cock an eye
at.

Anyhow, *perceived* problem solved, thank you very much for the help
guys and sorry for wasting everyone's time.

-- 



Re: Attachments with email from command line?

2008-10-10 Thread Postfix User

On Fri, 2008-10-10 at 08:42 +0200, mouss wrote:
> Uwe Dippel wrote:
> > mouss wrote:
> >
> >> or use Perl.
> >>
> >> use MIME::Lite;
> >>
> >> my $msg = MIME::Lite->new(
> >> From=> '[EMAIL PROTECTED]',
> >> To  => '[EMAIL PROTECTED]',
> >> Cc  => '[EMAIL PROTECTED], [EMAIL PROTECTED]',
> >> Subject => 'blah blah',
> >> Type=> 'multipart/mixed'
> >> );
> >>
> >> $msg->attach(
> >> Type => 'TEXT',
> >> Data => "blah blah blah blah"
> >> );
> >>
> >> $msg->attach(
> >> Type => 'application/vnd.ms-excel',
> >> Path => '/path/to/foo.xls',
> >> Filename => 'foo.xls',
> >> Disposition => 'attachment'
> >> );
> >>
> >> $msg->send;
> >>
> >>
> >
> > Thanks,
> >
> > you were faster than me, I was already starting to devise some in
> > shell script.
> >
> > Aside of hacks, I *think* that it might make sense to have a
> > non-hacked solution. As system administrators, we, at least I, send
> > quite a number of items with mail (cronjobs).
> > Therefore, IMHVHO, a tool distributed with *nix or *fix (wrapping
> > around mail) might be useful?
> >
> 
> There are already: mutt, mpack, metamail, ...
> 
> 
> (That said, perl and perl modules are available as packages on many
> systems :)
> 
> 

or just bash and coreutils, http://linuxnet.ca/postfix/attachment

--



Pass the environment variable to the smtpd daemon

2022-05-06 Thread postfix-user

Hi all.
Can you please tell me how to pass an environment variable (like 
SSLKEYLOGFILE) to the smtpd daemon ? Maybe as an alternative, if the 
master process can't allow this, there are examples of running smtpd 
directly from systemd ?

Thank you.


Re: Pass the environment variable to the smtpd daemon

2022-05-06 Thread postfix-user

https://www.postfix.org/postconf.5.html#import_environment

Be sure to augment rather than replace the default set of variables:

# postconf -e "import_environment = $(postconf -dh import_environment) SSLKEYLOGFILE=/some/where"

You can also update just the smtpd(8) service in master.cf:

# postconf -e "smtpd_impenv = $(postconf -dh import_environment) SSLKEYLOGFILE=/some/where"
# postconf -Pe 'smtp/inet/import_environment=$smtpd_impenv'
# postfix reload

Use double and single quotes as indicated.
See the postconf(1) manpage, and if you prefer edit the config files by hand.


Thank you!


Re: SMTPUTF8 usage

2015-08-20 Thread Postfix User
On Thu, 20 Aug 2015 19:01:48 +0200, Mark Martinec stated:

> Michael Ströder wrote:
> > Does anybody here have experience with current usage of SMTPUTF8?
> > I have a discussion whether that's already used in the wild or not.
> 
> Google does support SMTPUTF8 :
> 
> 
> $ host -t mx gmail.com
> gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
> gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
> 
> $ telnet gmail-smtp-in.l.google.com 25
> Trying 2a00:1450:400c:c04::1a...
> Connected to gmail-smtp-in.l.google.com.
> Escape character is '^]'.
> 220 mx.google.com ESMTP gk19si9434995wjc.187 - gsmtp
> ehlo test
> 250-mx.google.com at your service, [...]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> quit

"outlook.com" has no support.
250-BLU436-SMTP191.smtp.hotmail.com Hello [174.109.28.112]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK

-- 
Jerry


Re: "stopped working"

2015-08-27 Thread Postfix User
On Thu, 27 Aug 2015 07:39:48 +0200, Martin Skjöldebrand stated:

> After a lot of head scratching and despair, I *think* I got the  
> problem down to sasl authentication didn't authenticate. I can now  
> send from one account (this) but not my main address with the same  
> settings (w/ change of user/pw naturally). Looking further into this.
> 
> /Martin S

I assume you have read: http://www.postfix.org/DEBUG_README.html#mail

Specifically, if the problem is SASL related, consider including the output
from the saslfinger tool. This can be found at
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/. 

-- 
Jerry


Re: master.cf - multi IPv6 bindings but single IPv4 fallback in mixedmode possible??

2015-08-28 Thread Postfix User
On Fri, 28 Aug 2015 12:30:48 +0200, dravion.sm...@gmx.net stated:

> really, idiot
> http://www.postfix.org/postconf.5.html#smtp_bind_address

smtp_bind_address (default: empty)  ≠ smtpd_bind_address

-- 
Jerry


SSL Problem with Postfix and WinZIP

2015-09-13 Thread Postfix User
I am using WinZip-19.5 on a Win 10 Pro machine. It has built-in
configurations for different email sites: Outlook, Gmail, Yahoo. You can also
configure your own server.

I configured it to use Postfix on my FreeBSD-10.1 machine. It fails. This is
from the Postfix logs:

Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: connect from cpe-174-109-28-112.nc.res.rr.com[174.109.28.112]
Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: SSL_accept error from cpe-174-109-28-112.nc.res.rr.com[174.109.28.112]: -1
Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1413:
Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: lost connection after STARTTLS from cpe-174-109-28-112.nc.res.rr.com[174.109.28.112]
Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: disconnect from cpe-174-109-28-112.nc.res.rr.com[174.109.28.112] starttls=0/1 commands=0/1

The connection, using TLS and port 587 works fine if I connect to Gmail, using 
a different account name and password obviously.

I am running Postfix 3.0.2

-- 
Jerry


Re: SSL Problem with Postfix and WinZIP

2015-09-13 Thread Postfix User
On Sun, 13 Sep 2015 15:54:45 +, Viktor Dukhovni stated:

> On Sun, Sep 13, 2015 at 11:37:07AM -0400, Postfix User wrote:
> 
> > Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: warning: TLS
> > library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> > shared cipher:s3_srvr.c:1413:
> 
> Your problem is that in your Postfix SMTP server you've disabled
> all the SSL/TLS ciphers supported by the SMTP client.  As Wietse
> noted, without any server configuration information, it is rather
> difficult to give a more detailed response.

Sorry Victor, I am an idiot. I fully meant to include all of that info, but I
simply forgot. Here it is. I used, I hope anyway, your recommendations for
what ciphers to allow.

$ postconf -nf
alias_maps = lmdb:/usr/local/etc/postfix/aliases
authorized_submit_users = !www, static:all
broken_sasl_auth_clients = yes
canonical_maps = lmdb:/usr/local/etc/postfix/canonical
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
default_database_type = lmdb
delay_warning_time = 12h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 26214400
milter_default_action = accept
msa_tls_ciphers = medium
msa_tls_dh1024_param_file = ${config_directory}/dh2048.pem
msa_tls_exclude_ciphers = MD5, RC4, 3DES
msa_tls_protocols = !SSLv2, !SSLv3
mydestination =
mydomain = seibercom.net
myhostname = scorpio.seibercom.net
mynetworks = lmdb:/usr/local/etc/postfix/my-networks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = lmdb:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_dns_support_level = dnssec
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtp_tls_CApath = /usr/local/etc/postfix/certs/
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = lmdb:/usr/local/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtpd_authorized_verp_clients = $mynetworks
smtpd_client_restrictions = permit_mynetworks reject_unknown_client_hostname
    reject_unauth_pipelining permit_sasl_authenticated
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_recipient_restrictions = reject_unauth_pipelining,
    permit_sasl_authenticated permit_mynetworks, reject_unauth_destination
    reject_rbl_client bl.spamcop.net permit
smtpd_reject_footer = For assistance, please provide the following information
    in your problem report: time ($localtime), client ($client_address) and
    server ($server_name).
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/Postfix-cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/ssl/DHparams/dh2048.pem
smtpd_tls_dh512_param_file = /usr/local/etc/postfix/ssl/DHparams/dh512.pem
smtpd_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_key_file = /usr/local/etc/postfix/certs/Postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_use_tls = yes
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
tls_random_source = dev:/dev/urandom
transport_maps = lmdb:/usr/local/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/usr/local/etc/postfix/virtual_alias
virtual_gid_maps = static:1002
virtual_mailbox_base = /var/mail/vmail/
virtual_mailbox_domains = seibercom.net stemnc.org
virtual_mailbox_maps = lmdb:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = dovecot
virtual_uid_maps = static:1002


-- 
Jerry


Re: SSL Problem with Postfix and WinZIP

2015-09-13 Thread Postfix User
On Sun, 13 Sep 2015 16:35:42 +, Viktor Dukhovni stated:

> > tls_medium_cipherlist = AES128+EECDH:AES128+EDH  
> 
> Never mind all the above, BINGO!  Where did that come from? Certainly
> not anything I'd ever recommended to anyone.  Remove that setting
> with prejudice.

I have no idea where that came from. I usually comment everything I add or
delete, but that one was all by its lonesome. I removed it, and everything
works fine now. Strangely enough, it never caused a problem before.

Thanks Victor.

-- 
Jerry
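
Added example, not part of the original thread: a shell function that reads `postconf -n` or `postconf -nf` output and reports any `tls_*_cipherlist` override together with the `*_tls_ciphers` settings that select that grade, the interaction behind the "no shared cipher" failure above. The function names and the sample listing (assembled from lines in the postings on this page) are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit postconf -n / postconf -nf output for cipherlist overrides.

# Constructed sample, assembled from lines in the postconf -nf listings on this page.
sample_config() {
    cat <<'EOF'
msa_tls_ciphers = medium
msa_tls_exclude_ciphers = MD5, RC4, 3DES
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2,
    RC5, aNULL
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_mandatory_ciphers = high
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
tls_random_source = dev:/dev/urandom
EOF
}

# audit_cipherlists: reads the listing on stdin. postconf -n only shows
# parameters set explicitly in main.cf, so any tls_<grade>_cipherlist line is
# a local override. Prints one OVERRIDE line per override, followed by an
# AFFECTS line for every *_tls_ciphers / *_tls_mandatory_ciphers setting that
# selects the overridden grade. Prints nothing when there is no override.
audit_cipherlists() {
    awk '
    # Folded (postconf -f) values continue on indented lines.
    /^[ \t]/ {
        if (name != "") { sub(/^[ \t]+/, ""); val[name] = val[name] " " $0 }
        next
    }
    /^[A-Za-z0-9_]+[ \t]*=/ {
        name = $0; sub(/[ \t]*=.*/, "", name)
        v = $0;    sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        val[name] = v
        order[++n] = name
        next
    }
    { name = "" }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (p !~ /^tls_[a-z]+_cipherlist$/) continue
            grade = p; sub(/^tls_/, "", grade); sub(/_cipherlist$/, "", grade)
            printf "OVERRIDE %s = %s\n", p, val[p]
            for (j = 1; j <= n; j++) {
                q = order[j]
                if (q ~ /_tls_(mandatory_)?ciphers$/ && val[q] == grade)
                    printf "  AFFECTS %s = %s\n", q, val[q]
            }
        }
    }'
}

# Stand-alone run on the sample; on a live system: postconf -nf | audit_cipherlists
sample_config | audit_cipherlists
```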


Re: Postfix Mailman integration

2015-10-25 Thread Postfix User
On Sun, 25 Oct 2015 06:09:36 -0400, Ruben Safir stated:

> I have been running majordomo for a decade+ with postfix with no
> trouble but I recently turned over to mailman and it is taking
> 3 hours to turn over messages.  And I don't have this problem
> with normal email, just when I use mailman.  DNS is running on the same
> machine.
> 
> What can cause the list mail to hang for 3 hours or more?

With the old "crystal ball" out for repair, it is rather hard to say. You
might consider reading the documentation located at:
http://www.postfix.org/DEBUG_README.html#mail and following the directions.
Including log specific data is also a helpful endeavor.

By the way, have you considered asking this question on the Mailman forum?

-- 
Jerry


Postfix 3.0 also introduces inline:

2015-11-17 Thread Postfix User
Okay, I suppose I don't pay as close attention to release announcements as I
should. I noticed this in another post recently:

Postfix 3.0 also introduces inline: tables whose keys and values are stored
inside main.cf

I did not see any documentation on the Postfix site for that. Am I just
blind, or is it documented somewhere there?

Thanks!

-- 
Jerry


Limiting "clamav milter" to received mail only.

2016-03-20 Thread Postfix User
I apologize if this is not the correct place to ask this question.

I am using the "clamav milter" with Postfix. I assume it is checking
mail both coming and going. I want it to only filter mail I receive. Is
that possible in Postfix?

Thanks!

-- 
Jerry


“smtp_generic_maps” and “smtp_sender_dependent_authentication”

2016-04-18 Thread Postfix User
I have a question regarding “smtp_generic_maps” and
“smtp_sender_dependent_authentication” with
“sender_dependent_relayhost_maps”.

I have some users who have addresses in the form of:
“u...@localdomain.com” whose name should be rewritten to
u...@newdomain.com. The “new” name should then be looked up using the
setting in “sender_dependent_relayhost_maps”.

Will this actually work? I wanted to get some confirmation before I
actually tried it. Also, this should only act on addresses used when
sending email, not when email is received.

Thanks!


Re: SPF option in Postfix 3

2016-07-01 Thread Postfix User
On Fri, 1 Jul 2016 11:01:00 +0200, Matthias Fechner stated:

>On 30.06.2016 at 04:51, Noel Jones wrote:
>> IIRC the FreeBSD ports postfix configuration SPF option will compile
>> postfix with a third-party SPF library patch, which is not
>> recommended.
>>
>> The recommended way to do SPF checking in postfix is with a policy
>> service plugin, which is what it looks as if you're doing already.
>>
>> So no, do not select the SPF option when installing the FreeBSD port.
>>  
>
>so if I have in master.cf:
># SPF check
>spf-policy  unix  -   n   n   -   0   spawn
>  user=spfcheck argv=/usr/local/libexec/postfix-policyd-spf-perl
>
>and in main.cf:
>smtpd_recipient_restrictions =
>.
>check_policy_service unix:private/spf-policy,
>..
>
>spf-policy_time_limit = 3600
>
>I can remove the SPF compile flag in FreeBSD?
>
>Regards
>Matthias

Just my 2 cents, but why don't you try contacting the port maintainer,
oha...@freebsd.org and asking him if he can clear this problem up?
Since compiling postfix with a third-party SPF library patch is
not recommended, the maintainer should do something to correct the
problem.

-- 
Jerry


Blocking "unknown"

2016-09-30 Thread Postfix User
Postfix-3.2-20160917 with FreeBSD-11.0 /64 bit

Lately, I have been finding the following entries in the maillog:

13643:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: warning: hostname ip-address-pool-xxx.fpt.vn does not resolve to address 118.71.251.67: hostname nor servname provided, or not known
13822:Sep 30 02:00:40 scorpio postfix/smtpd[83056]: connect from unknown[118.71.251.67]
13904:Sep 30 02:00:41 scorpio postfix/smtpd[83056]: disconnect from unknown[118.71.251.67] helo=1 auth=0/1 quit=1 commands=2/3

While the IP, etcetera will change, the basic message is the same. I
thought I had postfix configured to block attempts like this. Obviously
not though. My config file is below. What am I missing?

~ $ postconf -nf
alias_maps = lmdb:/usr/local/etc/postfix/aliases
authorized_submit_users = !www, static:all
broken_sasl_auth_clients = yes
canonical_maps = lmdb:/usr/local/etc/postfix/canonical
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
default_database_type = lmdb
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/local/libexec/dovecot/dovecot-lda -f "$SENDER" -a
    "$RECIPIENT"
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 3000
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
msa_tls_ciphers = medium
msa_tls_dh1024_param_file = /usr/local/etc/postfix/ssl/DHparams/dh2048.pem
msa_tls_exclude_ciphers = MD5, RC4, 3DES
msa_tls_protocols = !SSLv2, !SSLv3
mydestination =
mydomain = seibercom.net
myhostname = scorpio.seibercom.net
mynetworks = lmdb:/usr/local/etc/postfix/my-networks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = lmdb:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2,
    RC5, aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_reject_footer = For assistance, please provide the following information
    in your problem report: time ($localtime), client ($client_address) and
    server ($server_name).
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    permit_tls_clientcerts reject_unknown_client_hostname
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/ssl/DHparams/dh2048.pem
smtpd_tls_dh512_param_file = /usr/local/etc/postfix/ssl/DHparams/dh512.pem
smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = lmdb:/usr/local/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/usr/local/etc/postfix/virtual_alias
virtual_gid_maps = static:1002
virtual_mailbox_base = /var/mail/vmail/
virtual_mailbox_domains = seibercom.net stemnc.org
virtual_mailbox_maps = lmdb:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = dovecot
virtual_uid_maps = static:1002



Re: Blocking "unknown"

2016-10-01 Thread Postfix User
On Fri, 30 Sep 2016 17:08:05 -0700, li...@lazygranch.com stated:

>This will pull these hackers off your maillog.
>bzgrep -e auth=0/1 maillog* | sed 's/.*\[\([^]]*\)\].*/\1/g' >iplist
>sort iplist | uniq

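Great idea. I modified it slightly since the "sort" was not working
correctly here. I made a bash script.

IPLIST="/var/tmp/iplist.txt"
MAILLOG="/var/log/maillog"

# Remove the list left over from a previous run
if [[ -e "${IPLIST}" ]]; then
   rm "${IPLIST}" &> /dev/null
fi

# Pull the bracketed client address out of every disconnect line that shows
# a failed AUTH (auth=0/1), version-sort the addresses and drop duplicates
bzgrep -e auth=0/1 "${MAILLOG}" | sed 's/.*\[\([^]]*\)\].*/\1/g' | sort -V | uniq > "${IPLIST}"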

I think I will add the ability to create a table for IPFW also.

-- 
Jerry
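
Added example, not part of the original thread: a variant of the extraction above that totals failed AUTH commands per client instead of listing each address once, so a threshold can separate a single mistyped password from repeated attempts. It assumes `auth=S/T` in the smtpd disconnect summary means S successes out of T attempts (consistent with `commands=2/3` in the log line quoted earlier); the function names and the log lines, which use documentation address ranges, are constructed.

```shell
#!/bin/sh
# Added example: count failed AUTH commands per client from smtpd disconnect lines.

# Constructed sample log lines (documentation addresses, hypothetical host "mx").
sample_log() {
    cat <<'EOF'
Sep 30 02:00:41 mx postfix/smtpd[83056]: disconnect from unknown[192.0.2.10] helo=1 auth=0/1 quit=1 commands=2/3
Sep 30 02:03:12 mx postfix/smtpd[83060]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 commands=1/4
Sep 30 02:05:00 mx postfix/smtpd[83061]: disconnect from client.example.net[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Sep 30 02:06:30 mx postfix/smtpd[83062]: disconnect from mail.example.org[203.0.113.5] ehlo=1 auth=1/2 mail=1 rcpt=1 data=1 quit=1 commands=6/7
Sep 30 02:07:00 mx postfix/smtpd[83063]: connect from unknown[192.0.2.10]
EOF
}

# failed_auth_by_client [min_failures]
# Reads smtpd log lines on stdin and prints "<failed attempts> <client address>"
# for each client whose failed AUTH commands add up to at least min_failures
# (default 1), highest count first.
failed_auth_by_client() {
    awk -v min="${1:-1}" '
    {
        key = " disconnect from "
        i = index($0, key)
        if (i == 0) next
        # Look only at the text after "disconnect from" so the smtpd[pid]
        # brackets earlier in the line are never mistaken for the client.
        rest = substr($0, i + length(key))
        if (!match(rest, /\[[^]]*\]/)) next
        ip = substr(rest, RSTART + 1, RLENGTH - 2)
        # "auth=1" (no slash) means every AUTH succeeded; only S/T has failures.
        if (!match(rest, / auth=[0-9]+\/[0-9]+/)) next
        split(substr(rest, RSTART + 6, RLENGTH - 6), n, "/")
        fail[ip] += n[2] - n[1]
    }
    END {
        for (ip in fail)
            if (fail[ip] >= min + 0) printf "%d %s\n", fail[ip], ip
    }' | sort -k1,1nr -k2,2
}

# Stand-alone run on the sample; on a live system, for example:
#   bzcat -f /var/log/maillog* | failed_auth_by_client 3
sample_log | failed_auth_by_client
```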



Re: can't reload the configuration

2016-10-07 Thread Postfix User
On Thu, 6 Oct 2016 22:33:11 +0200, Geert Stappers stated:

>On Thu, Oct 06, 2016 at 09:53:10PM +0200, Gary Luck wrote:
>> Wietse Venema wrote:  
>> >Gary Luck:
>> >[ Charset ISO-8859-15 converted... ]  
>> >> Hello,
>> >>I made some changes in the file /etc/postfix/recipient_access
>> >>and would like to tell postfix to use the new configuration.  
>> >
>> >Perhaps you should "postmap /etc/postfix/recipient_access".
>> >  
>> 
>> Hurray!! It finally works!
>> 
>> Thank you very much.
>> 
>> Do I have to run this command after every change of the
>> "recipient_access"-file?  
>
> man postmap
>
>
>> I didn't have to in the past.  
>
>Seems unlikely.

If you have several tables, it might be more convenient to create a
"Makefile" to handle the chore. There is an example on the
http://www.postfix.com/DATABASE_README.html page; "Updating Berkeley DB
files safely". It has certainly saved me a lot of work.

-- 
Jerry




Re: Documentation of virtual_alias_maps: Was: Re: Getting false unknown user errors

2016-11-02 Thread Postfix User
On Wed, 2 Nov 2016 03:17:14 -0600, @lbutlr stated:

>On Nov 1, 2016, at 5:20 PM, Wietse Venema  wrote:
>> That's what books like 'the Postfix book' were been written for.
>
>The which what? The only postfix book I know about is the O’Reilly one
>that is more than ten years old.


1) Postfix: The Definitive Guide: A Secure and Easy-to-Use MTA for
   UNIX Dec 25, 2003 by Kyle D. Dent

2) The Book of Postfix: State-of-the-Art Message Transport Mar 25, 2005
   by Ralf Hildebrandt and Patrick Koetter

3) Postfix 2008 by Patrick Ben Koetter Ralf Hildebrandt

4) Postfix May 25, 2001 by Richard Blum

5) The Definitive Guide to Postfix Mar 15, 2004
   by Alan Laudicina and Alan P. Laudicina

They, along with others, are prominently listed on Amazon. There are
others, but these are readily available, although I would not consider
them cheap. Obviously, the definition of "a few bucks" differs from
person to person. Also, I am not familiar with any book that deals with
the 3.x branch of Postfix, although I might well be in error.

You can also get tons of information on the Postfix site itself:
http://www.postfix.org/docs.html

Good luck :)


Missing/Broken link

2016-11-02 Thread Postfix User
On the "http://www.postfix.org/docs.html" page, the link to "Postfix
Howtos by Matthias Andree" is apparently broken:

Not Found
The requested document was not found on this server.

Web Server at dt.e-technik.tu-dortmund.de 

There are also a few others that appear broken:

Simplifying Mailer Daemons and Associated Tools by Chuck S. Mead, Jr.


RedHat 7.3 laptop howto by Mark Frazer.


Multiple Postfix instances howto by Derrick Webber.


Adaptech Systems class AS220



Re: Interoperability problem - latest Postfix on Linux vs Exchange 2007 on Win2003

2016-11-24 Thread Postfix User
On Thu, 24 Nov 2016 22:04:41 +0100, Josh Good stated:

>Now, having said that, there is a gotcha: the URL for the hotfix offers
>a "Hotfix download available" button, which simply put does NOT work.
>Microsoft seems to have silently retired that hotfix from general
>availability. That is bad news for those of us who have to deal with
>customers "not easily amenable to paying for upgrades", if you know
>what I mean...

That button worked fine for me. I was led to a site that gave me
information on the HotFix, etcetera and how to download it, which I
did.

Perhaps you have some firewall or whatever blocking the site.

-- 
Jerry


Re: Interoperability problem - latest Postfix on Linux vs Exchange 2007 on Win2003

2016-11-25 Thread Postfix User
On Fri, 25 Nov 2016 07:20:25 +0100, Josh Good stated:

>On 2016 Nov 24, 16:58, Postfix User wrote:
>> On Thu, 24 Nov 2016 22:04:41 +0100, Josh Good stated:
>>   
>> >Now, having said that, there is a gotcha: the URL for the hotfix
>> >offers a "Hotfix download available" button, which simply put does
>> >NOT work. Microsoft seems to have silently retired that hotfix from
>> >general availability. That is bad news for those of us who have to
>> >deal with customers "not easily amenable to paying for upgrades",
>> >if you know what I mean...  
>> 
>> That button worked fine for me. I was led to a site that gave me
>> information on the HotFix, etcetera and how to down load it, which I
>> did.
>> 
>> Perhaps you have some firewall or whatever blocking the site.  
>
>Yes, I could successfully "request" to Microsoft --at the hotfix' web
>page-- that they send to my email address the download link for the
>hotfix itself, but then I never received Microsoft email with the
>download link for the hotfix. I tried for several days, from different
>locations/IPs, with different browsers, etc. Never I got the email
>from Microsoft with the download link for that hotfix (but I could
>successfully get the Microsoft email with the link to download several
>other hotfixes, like the two SHA-2 hotfixes for Windows Server 2003,
>and the DES/3DES hotfix for the SMTP service of IIS 6.0 in Windows
>Server 2003, etc.).
>
>So you got the email from Microsoft with the download link for hotfix
>KB948963?

Yes, almost immediately after requesting it. You must have something
blocking it. This is the link I received:

KB Article Number(s): 948963
Language: English
Platform: x64
Location:
(http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351403_ENU_x64_zip.exe)

-- 
Jerry


Re: TLS issue

2016-12-02 Thread Postfix User
On Fri, 2 Dec 2016 14:16:20 -0500 (EST), Wietse Venema stated:

>With 'no shared ciphers' happening frequently, do we want to set
>up a TLS troubleshooting document, or is the decision tree too
>complex for such a document to be useful?

+1 for a "TLS Troubleshooting Document"

-- 
Jerry


Re: sendmail vs postfix : robustness, stability & vulnerabilities

2015-01-25 Thread Postfix User
On Sun, 25 Jan 2015 20:45:38 +0800, Roger Goh stated:

> Q4:
> Does Redhat support postfix (ie provide patches, troubleshooting of
> crashes, slowness)?
> 
> Q5:
> We are on SendMail version 3.3.4 & I think it's a commercially-added
> tool Flow Control version 2.1.7.
> Are these versions rather outdated?
> 
> I won't comment on the support.

The latest available version of sendmail is
"Sendmail 8.15.1"; however, I
think you would be better served by installing the latest version of Postfix,
which I believe is "Postfix 2.11 Patchlevel 3". I believe, perhaps
incorrectly, that the next stable version of Postfix will be released
shortly, so perhaps you might want to wait for a short time.

Just my 2¢.

-- 
Jerry


Re: SMTP password authentication problem

2015-02-01 Thread Postfix User
On Sun, 1 Feb 2015 18:26:18 +0530, Vishal Agarwal stated:

> We are using zimbra 8.0. My postfix is allowing to send email without
> password authentication. Although this is for inter-domain but still it
> should ask for password.

1) Don't use HTML email. Gmail has an option for TEXT. Use it when posting.

2) Post the unedited output of "postconf -n". You can use "postconf -nf" for
Postfix 2.9 and later.

-- 
Jerry


Re: PATCH: PIE for Postfix 3.1

2015-02-05 Thread Postfix User
On Thu, 5 Feb 2015 09:57:00 -0500 (EST), Wietse Venema stated:

> We can adopt the current "pie=yes" support into Postfix 3.0 with a
> note that this was tested on a few recent BSD and Linux distributions
> (it solves 90% of the problem).  We can use the Postfix 3.1 cycle
> to make this idiot-proof for every OSX/BSD/Linux/Solaris/whatever
> release, if that is desirable.

Remember, nothing is truly idiot-proof to the sufficiently motivated idiot.

-- 
Jerry


Re: Message-Id header missing

2015-02-14 Thread Postfix User
On Sat, 14 Feb 2015 01:50:09 +0100, Benny Pedersen stated:

> since no one have crystall 
> balls here

Funny ... I think you meant, "Has a crystal ball here."

-- 
Jerry


Re: Rate limiting

2015-02-24 Thread Postfix User
On Tue, 24 Feb 2015 16:17:10 -0500, System Support stated:

> > $ pcregrep -v '^\s*#' /etc/postfix/master.cf  

I believe that postconf -Mf would display what postfix sees in your master.cf
file. It would supply a cleaner output too.

-- 
Jerry


corrupt files

2015-02-26 Thread Postfix User
FreeBSD-10.1 amd64

I recently had a power outage that resulted in a system shutdown. When I
rebooted the system, postfix elicited this message:

postfix/postfix-script: warning: damaged message: corrupt/3ktB2X6JxNz3DljZ  
postfix/postfix-script: warning: damaged message: corrupt/3ktG0Z1PCPz3DlXm

I am wondering how to remove these files. I tried using "postsuper -d ALL" but
that failed. I even tried giving it the ID number but it still did not delete
the files. Is it okay to delete them manually?

Thanks

-- 
Jerry


Re: corrupt files

2015-02-26 Thread Postfix User
On Thu, 26 Feb 2015 11:24:51 -0500 (EST), Wietse Venema stated:

> Postfix User:
> > FreeBSD-10.1 amd64
> > 
> > I recently had a power outage that resulted in a system shutdown. When I
> > rebooted the system, postfix elicited this message:
> > 
> > postfix/postfix-script: warning: damaged message: corrupt/3ktB2X6JxNz3DljZ
> > postfix/postfix-script: warning: damaged message: corrupt/3ktG0Z1PCPz3DlXm
> 
> When Postfix doesn't find the expected information in a queue file,
> it saves the message in the "corrupt" directory. 
> 
> This happens only with messages that were already accepted into the
> queue (and deleted from the sender's queue or from the maildrop
> queue), not with messages that were still in transit.
> 
> > I am wondering how to remove these files. I tried using "postsuper -d
> > ALL" but that failed. I even tried giving it the ID number but it still
> > did not delete the files. Is it okay to delete them manually?
> 
> The files are not part of the mail queue, and you can therefore
> delete them without affecting how Postfix works. Depending on the
> kind of damage the postcat command may be able to save the
> sender/recipient information and some of the content.
> 
>   Wietse


Thank you. The files were 0 length, so I just deleted them.

-rwx--   1 postfix  wheel 0B 2015-02-26 06:04:05 EST 3ktB2X6JxNz3DljZ*
-rwx--   1 postfix  wheel 0B 2015-02-26 09:02:41 EST 3ktG0Z1PCPz3DlXm*


-- 
Jerry


Re: corrupt files

2015-02-26 Thread Postfix User
On Thu, 26 Feb 2015 12:48:42 -0500 (EST), Wietse Venema stated:

> Postfix User:
> > Thank you. The files were 0 length, so I just deleted them.
> > 
> > -rwx--   1 postfix  wheel 0B 2015-02-26 06:04:05 EST
> > 3ktB2X6JxNz3DljZ* -rwx--   1 postfix  wheel 0B 2015-02-26
> > 09:02:41 EST 3ktG0Z1PCPz3DlXm*
> 
> Did you have multiple power failures, one at 06:04 and one at 09:02?
> 
> Postfix sets the execute bit and fsync()s the file. Only after
> fsync() returns successfully Postfix sends a "I've got the message"
> reply to the sender, so that the sender can delete its copy.
> 
> The above output suggests a system crash before fsync() completed.
> 
> But these files have time stamps spaced three hours apart. Did you
> have multiple power failures?
> 
>   Wietse


Yes, I did. The UPS apparently never kicked in. I have always had problems
getting them to work on a FreeBSD system. One of these days I hope to get it
working correctly.

-- 
Jerry


Re: How to allow each user on an Ubuntu server use his/her google email and password to send the email via google smtp?

2015-03-18 Thread Postfix User
On Wed, 18 Mar 2015 07:38:33 -0300, Fernando Maior stated:

> You also may try sendemail. Look
> at http://caspian.dotconf.net/menu/Software/SendEmail. I use it to send
> emails from scripts directly to gmail accounts I use for servers backup
> control. 

I used to use it too, but I began getting all sorts of TLS errors and finally
gave up. Maybe it has been fixed.

-- 
Jerry


TLS Error on local system

2015-03-18 Thread Postfix User
I have a problem and I am not really sure what it is. I use the utility
program "sendEmail" to relay mail in several different scripts I created. When
I send to "Yahoo", everything goes fine. If I try and send through Postfix on
my server, with the same configuration except for user name and password, it
fails.

This is the output from the "sendEmail" program:

Mar 18 16:57:29 scorpio sendEmail[29407]: SUCCESS => Received:  220 2.0.0 Ready to start TLS
Mar 18 16:57:29 scorpio sendEmail[29407]: ERROR => TLS setup failed: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This is the same event from the Postfix log:

Mar 18 16:57:29 scorpio postfix/submission/smtpd[29408]: connect from localhost[127.0.0.1]
Mar 18 16:57:29 scorpio postfix/submission/smtpd[29408]: SSL_accept error from localhost[127.0.0.1]: 0
Mar 18 16:57:29 scorpio postfix/submission/smtpd[29408]: warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1293:SSL alert number 48:

I am using port 587 with authentication when I send either to Yahoo directly
or attempt to send through Postfix. I have also tried sending directly to
GMail, and it works flawlessly too. So why the problem with Postfix on my
server?

-- 
Jerry
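
Decoding the two OpenSSL error codes in the logs above shows which end refused the other's certificate. This is an added Python example, not part of the original post; it assumes the packed 8-hex-digit error format of the OpenSSL 1.0.x-era library that produced these lines, and the function names are this example's own.

```python
import re

ERR_LIB_SSL = 20              # library number of libssl in OpenSSL error codes
SSL_AD_REASON_OFFSET = 1000   # reason = 1000 + alert number for alerts received from the peer
CERTIFICATE_VERIFY_FAILED = 134

# Certificate-related alert descriptions from RFC 5246 section 7.2.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# The two error lines from the post above, with the wrapped lines rejoined.
LOG = [
    "Mar 18 16:57:29 scorpio sendEmail[29407]: ERROR => TLS setup failed: "
    "SSL connect attempt failed error:14090086:SSL routines:"
    "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "Mar 18 16:57:29 scorpio postfix/submission/smtpd[29408]: warning: TLS library "
    "problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:"
    "s3_pkt.c:1293:SSL alert number 48:",
]

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[^\[\s]+)\[\d+\]:"
    r".*?error:(?P<code>[0-9A-Fa-f]{8}):"
)


def unpack(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode(line):
    """Return a dict describing the OpenSSL error in a syslog line, or None."""
    match = LINE_RE.search(line)
    if not match:
        return None
    lib, func, reason = unpack(match.group("code"))
    event = {"program": match.group("prog"), "lib": lib, "func": func,
             "reason": reason, "peer_alert": None, "local_verify_failed": False}
    if lib == ERR_LIB_SSL:
        if reason > SSL_AD_REASON_OFFSET:
            # Reasons above the offset report an alert that the peer sent to us.
            event["peer_alert"] = reason - SSL_AD_REASON_OFFSET
        elif reason == CERTIFICATE_VERIFY_FAILED:
            # This end verified the peer's certificate chain and rejected it.
            event["local_verify_failed"] = True
    return event


def rejecting_side(lines):
    """Return 'client', 'server' or None: which end refused the other's certificate."""
    for event in filter(None, map(decode, lines)):
        program = event["program"]
        is_server = program.startswith("postfix/") and program.endswith("smtpd")
        if event["local_verify_failed"]:
            return "server" if is_server else "client"
        if event["peer_alert"] in CERT_ALERTS:
            # The alert came from the other end, so the other end did the rejecting.
            return "client" if is_server else "server"
    return None


if __name__ == "__main__":
    for entry in LOG:
        ev = decode(entry)
        alert = ev["peer_alert"]
        detail = (f"peer sent alert {alert} ({CERT_ALERTS.get(alert, 'other')})"
                  if alert is not None else
                  "local certificate verification failed" if ev["local_verify_failed"]
                  else "other error")
        print(f"{ev['program']}: lib={ev['lib']} func={ev['func']} "
              f"reason={ev['reason']} -> {detail}")
    print("certificate refused by:", rejecting_side(LOG))
```

Both lines describe one event: sendEmail could not verify the certificate that smtpd presented and sent alert 48 (unknown_ca), which smtpd then logged.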


Re: Goodbye IBM, Hello Google

2015-03-24 Thread Postfix User
On Tue, 24 Mar 2015 16:00:01 -0400 (EDT), Wietse Venema stated:

> After 18 years, including the best of my career, I decided that it
> was time to move on. I'll be working on security at Google NY.
> 
> Please, there is no reason to say negative things about my old
> employer (or my new one!).
> 
> Needless to say, I will continue to support Postfix.
> 
>   Wietse


Best of luck to you Wietse. In your spare time, perhaps you can fix their
insane IMAP implementation.

-- 
Jerry


Newer version of "The Book of Postfix"

2015-03-31 Thread Postfix User
I was considering purchasing "The Book of Postfix" by Ralf Hildebrandt
and Patrick Koetter. The edition listed on Amazon is dated 2005. That is 10
years old which is ancient in software years. Is there a newer version
available?

Thanks

-- 
Jerry


Re: postfix-policyd-spf-perl and troubles with Amazon? [SOLVED]

2015-05-06 Thread Postfix User
On Wed, 06 May 2015 13:59:44 -0400, Scott Kitterman stated:

> Great.  Feel free to throw RFC 7208 Section 3.4 (Record Size) at them.  The 
> SHOULD fit in a UDP packet is there for a reason.

SHOULD ≠ MUST

-- 
Jerry


Re: Troll: using a simpler form than transport_maps...

2015-05-19 Thread Postfix User
On Tue, 19 May 2015 07:05:04 -0400 (EDT), Wietse Venema stated:

> The poster is a known querulant. In a post-mortem, I found that his
> choice of words is similar to that of a certain Richard who has
> pulled off similar stunts on this mailing list in the past. Note
> that this time, his submissions came through a TOR exit node.

A querulant (from the Latin querulus - "complaining") is a person who
obsessively feels wronged, particularly about minor causes of action. In
particular the term is used for those who repeatedly petition authorities or
pursue legal actions based on manifestly unfounded grounds. These
applications include in particular complaints about petty offenses.

Cool, I learned a new word today. Thanks Wietse.

-- 
Jerry


Re: Security & Compatibility

2015-05-24 Thread Postfix User
On Sat, 23 May 2015 12:13:33 -0500, Noel Jones stated:

>   # Avoid obsolete protocol versions
>   #
>   smtpd_tls_protocols = !SSLv2, !SSLv3
>   smtp_tls_protocols = !SSLv2, !SSLv3

Wouldn't the following be more secure:

smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1

I thought I saw that listed on this forum earlier this year.

-- 
Jerry


Re: Security & Compatibility

2015-05-25 Thread Postfix User
On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated:

>  -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file

Is that correct? It doesn't look right.

-- 
Jerry


Re: Security & Compatibility

2015-05-26 Thread Postfix User
On Tue, 26 May 2015 08:14:43 +, Viktor Dukhovni stated:

> On Mon, May 25, 2015 at 03:49:09PM -0400, Postfix User wrote:
> 
> > On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated:
> > 
> > >  -o smtpd_tls_dh1024_param_file=$msa_tls_dh1024_param_file
> > 
> > Is that correct? It doesn't look right.
> 
> Looks OK to me, provided the RHS variable is set correctly in
> main.cf.
> 
> -- 
>   Viktor.

Obviously, I have an error. I continually receive this error message when
starting Postfix:

warning: /usr/local/etc/postfix/master.cf: undefined parameter: msa_tls_dh1024_param_file

I have this in the main.cf file:

smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem

What am I doing wrong? Should I set the following in the main.cf file:

msa_tls_dh1024_param_file = ${config_directory}/dh2048.pem

I did not see that mentioned, so I am hesitant about doing it.

-- 
Jerry


unknown logging event

2015-07-16 Thread Postfix User
I hope this isn't too stupid of a question. I have been finding this event
logged in maillog for the past several days:

Jul 16 08:50:38 scorpio postfix/smtpd[69563]: connect from localhost[127.0.0.1]
Jul 16 08:50:38 scorpio postfix/smtpd[69563]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: 
Jul 16 08:50:38 scorpio postfix/smtpd[69571]: connect from localhost[127.0.0.1]
Jul 16 08:50:38 scorpio postfix/smtpd[69571]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: 
Jul 16 08:50:38 scorpio postfix/smtpd[69571]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

I am trying to figure out how this is connecting to the localhost or what
is actually happening. Has my system been hacked or something? I don't believe
anything has actually been sent out.

-- 
Jerry


Re: check_policy_service not working - need a 4eye method or..

2015-08-03 Thread Postfix User
On Mon, 03 Aug 2015 14:52:33 +0200, Istvan Prosinger stated:

> Yeah when I took the server for audit, Postfix was dead and couldn't 
> start - the config file was (and still is) in a mess.
> 
> Nevertheless, accepting SMTP is not the issue at this moment.
> The issue is that it seems to be disregarding the policy check.
> I have even precompiled it from source yesterday, thinking that it might 
> be damaged, but no effect...

I assume you have read everything at


Might I suggest you provide output from the postfinger tool. This can be found
at http://ftp.wl0.org/SOURCES/postfinger.

-- 
Jerry


Re: postfix pdf

2017-01-05 Thread Postfix User
On Thu, 5 Jan 2017 17:11:15 -0500, Viktor Dukhovni stated:

>Perhaps we should add comments above internal core service entries in
>master.cf: "DO NOT REMOVE, DO NOT MODIFY, ..."

Personally, I believe it would be a waste of time Viktor. Like the
saying, "Nothing is foolproof to the sufficiently motivated fool",
printing those warnings would probably make some individuals consider it
a challenge. On the other hand, if they are going to break it anyway,
what harm can it cause.

-- 
Gerard


Prevent Backscatter

2017-01-20 Thread Postfix User
Hello,

I am trying to reject instead of sending bounce message back when email
arrives to non existing account at domains hosted by my server.

This is my main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/domain.com.crt
smtpd_tls_CAfile=/etc/ssl/certs/domain.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/domain.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#recipient_bcc_maps = mysql:/etc/postfix/sqlconf/recipient_bcc_maps.cf
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
smtpd_relay_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
check_sender_access $virtual_alias_maps,
reject_unauth_destination
myhostname = domain.com
mydestination = localhost
relayhost = 
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
resolve_numeric_domain = yes
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

/etc/postfix/sqlconf/virtual_mailbox_maps.cf

user= vmail
password= 123
dbname  = mails
query   = SELECT concat(u.username,'@',u.domain) FROM users u WHERE
u.username='%u' AND u.domain='%d' AND u.active='1' and u.type=0 UNION SELECT
n.address FROM users u LEFT JOIN next n ON n.id = u.id WHERE u.username='%u'
AND u.domain='%d' AND u.active='1';
hosts   = 127.0.0.1

I tried adding reject_unverified_recipient under
smtpd_recipient_restrictions, but after entering non existing username at
existing domain, there was 1 second delay, and I still get "250 2.1.5 Ok"
message.

Regards,
Robin



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Prevent Backscatter

2017-01-20 Thread Postfix User
Thanks for the reply,

Just made the changes you suggested. I set relay_domains to empty, because
all domains are served by the same server. Again I sent a message to non
existing account, and I am still getting "250 2.1.5 Ok" instead of a reject
message.

This is my current main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/mailingdesk.com.crt
smtpd_tls_CAfile=/etc/ssl/certs/mailingdesk.com.chain.crt
smtpd_tls_key_file=/etc/ssl/private/mailingdesk.com.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_alias_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot
relay_domains =
smtpd_relay_restrictions = 
permit_mynetworks, 
permit_sasl_authenticated, 
check_sender_access $virtual_alias_maps,
reject_unauth_destination,
reject_unverified_recipient
myhostname = mailingdesk.com
mydestination = localhost
relayhost = 
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
#smtpd_tls_auth_only = yes
resolve_numeric_domain = yes
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891





Re: Prevent Backscatter

2017-01-20 Thread Postfix User
My test procedure follows
telnet domain.com 25
ehlo me
mail from: 
rcpt to: 
At this point I get "Ok" message, and I can continue writing the body of the
e-mail. Because account doesn't exist, Postfix sends bounce notification
back to sender address. 

This is the output of postconf -n

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relayhost =
resolve_numeric_domain = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
check_sender_access $virtual_alias_maps, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/domain.com.chain.crt
smtpd_tls_cert_file = /etc/ssl/certs/domain.com.crt
smtpd_tls_key_file = /etc/ssl/private/domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot





Re: Prevent Backscatter

2017-01-21 Thread Postfix User
Bastian Blank-3 wrote
> On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
>> check_sender_access $virtual_alias_maps,
> 
> You are creating an open relay, don't do that.

Actually I am not creating an open relay, $virtual_alias_maps contains only
internal addresses. When I try sending e-mail from not authenticated
internal user to external address, or from external to another external
address, I get "554 5.7.1 : Relay access denied"





Re: Prevent Backscatter

2017-01-21 Thread Postfix User
Thanks for the tips Viktor,

For some reason the order of restrictions in smtpd_relay_restrictions
(Postfix 2.11.0) was wrong. Luckily expected check_sender_access values are
not valid email addresses. After I fix both problems I will post a new
postconf -n output.

Robin


Viktor Dukhovni wrote
> On Sat, Jan 21, 2017 at 04:38:57AM -0700, Postfix User wrote:
> 
>> Bastian Blank-3 wrote
>> > On Fri, Jan 20, 2017 at 02:01:27PM -0700, Postfix User wrote:
>> >> check_sender_access $virtual_alias_maps,
>> > 
>> > You are creating an open relay, don't do that.
>> 
>> Actually I am not creating an open relay,
> 
> Actually, when a sender-address access(5) table appears before
> reject_unauth_destination in smtpd_relay_restrictions (Postfix >=
> 2.10) or in smtpd_recipient_restrictions (Postfix <= 2.9) then you
> would be creating an open-relay, since the attacker can forge any
> sender address of his choice.
> 
> However, more critically, the virtual(5) table is NOT an access(5)
> table.  The result associated with each lookup key in virtual(5)
> is an email address, not "OK", "REJECT", "DUNNO", which are in
> turn not especially valid email addresses.
> 
> Secondly, if "$virtual_alias_maps" were to contain multiple
> tables or no tables, you get unexpected results or syntax errors
> respectively.
> 
> Therefore, "check_sender_access $virtual_alias_maps" is rather
> wrong.
> 
> -- 
>   Viktor.







Re: Prevent Backscatter

2017-01-21 Thread Postfix User
You are right, there are no recipient restrictions, except
permit_sasl_authenticated restricting remote recipients for authenticated
clients only.





Re: Prevent Backscatter

2017-01-21 Thread Postfix User
Postfix User wrote
> After I fix both problems I will post a new postconf -n output.

I removed completely check_sender_access, it is not required anymore.


Wietse Venema wrote
> Is your server MX host for domains that are delivered to a different
> mail server?
> If not:
> Set relay_domains to empty.
> If yes:
> DO Specify ONLY THOSE DOMAINS in relay_domains
> DO specify ONLY THOSE recipients in relay_recipient_maps
> 
> DO NOT specify virtual (alias or mailbox) stuff in relay_domains
> 
> DO NOT specify virtual (alias or mailbox) stuff in relay_recipient_maps
> 
> DO specify virtual alias DOMAINS in virtual_alias_DOMAINS. 

After specifying virtual_alias_domains, all messages sent from remote to
local addresses are answered with error bounce message "User unknown in
virtual alias table". I removed this line temporarily, and I set
relay_domains to empty.

At the moment all works like expected, except the backscatter problem. This
is latest postconf

append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 10240
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relay_domains =
relayhost =
resolve_numeric_domain = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/domain.com.chain.crt
smtpd_tls_cert_file = /etc/ssl/certs/domain.com.crt
smtpd_tls_key_file = /etc/ssl/private/domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/sqlconf/virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/sqlconf/mydestination.cf
virtual_transport = dovecot





Re: Prevent Backscatter

2017-01-21 Thread Postfix User
Wietse Venema wrote
> This will be an open relay if all your SMTP mail is logged with the
> same client IP address, i.e. your SMTP mail comes from some box
> that is in mynetworks, and Postfix never sees the original SMTP
> client IP address.

I can remove permit_mynetworks, but only trusted people that have direct
access to the server or authenticated webmail users can send from localhost





Re: Prevent Backscatter

2017-01-22 Thread Postfix User
Wietse Venema wrote
> Wietse Venema:
>> Postfix User:
>> > smtpd_relay_restrictions = permit_mynetworks,
>> permit_sasl_authenticated,
>> > reject_unauth_destination
>> 
>> This will be an open relay if all your SMTP mail is logged with the
>> same client IP address, i.e. your SMTP mail comes from some box
>> that is in mynetworks, and Postfix never sees the original SMTP
>> client IP address.
> 
> Meh, that wasn't the problem.

Can you please be more specific about this problem? Do you think this will
be an open relay because I removed the check_sender_access restriction? I
tested this config, and it seems like it is an open relay for authenticated
users, here is the result:

Authenticated sender

From    local address
To      any
Action  OK

From    remote address
To      remote address
Action  OK ( this should be REJECT if authenticated user is not the
        same with the from address )

From    remote address
To      local address
Action  OK

Not authenticated sender

From    remote address
To      local address
Action  OK

From    remote address
To      remote address
Action  REJECT

To fix the open relay problem for authenticated sender address, I added
check_sender_access parameter, but now it is not possible to send emails from
remote to local addresses, I get 554 5.7.1 : Sender address rejected: Access
denied. This makes sense, because remote sender is not

permit_mynetworks   : in mynetworks
permit_sasl_authenticated   : authenticated
reject_unauth_destination   : rejected, but not permitted either
check_sender_access : in allowed senders lookup table

postconf -n | grep smtpd_relay_restrictions

smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, check_sender_access
mysql:/etc/postfix/sqlconf/sender_access.cf

sender_access.cf

query   = SELECT if(count(*) = 0, "REJECT", "OK") FROM users
u WHERE u.username='%u' AND u.domain='%d' AND u.active='1';

To fix the 554 problem, I added permit_auth_destination restriction, and now
it is possible to receive emails from remote senders. The open relay problem
for authenticated users from remote to remote address is still there, because
check_sender_access is after permit_sasl_authenticated

postconf -n | grep smtpd_relay_restrictions

smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
permit_auth_destination, check_sender_access
/etc/postfix/sqlconf/sender_access.cf

Authenticated sender

From    local address
To      any
Action  OK

From    remote address
To      remote address
Action  OK ( this should be REJECT if authenticated user is not the
        same with the from address )

From    remote address
To      local address
Action  OK

Not authenticated sender

From    any
To      local address
Action  OK

From    remote address
To      remote address
Action  REJECT



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88390.html
Sent from the Postfix Users mailing list archive at Nabble.com.
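
The first-match evaluation behind Viktor Dukhovni's quoted explanation and the test matrices in the message above, as an added Python model that is not part of any post in this thread and is not Postfix code. It models only the restrictions named in the thread, assumes a sender table that returns OK for listed senders, and treats the end of the list as a permit; the addresses, the 203.0.113.9 client and the table contents are constructed.

```python
"""First-match evaluation of a Postfix-style restriction list (simplified model)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not taken from the thread.
HOSTED_DOMAINS = {"hosted.example"}        # stands in for virtual_mailbox_domains
TRUSTED_CLIENTS = {"127.0.0.1"}            # stands in for mynetworks
KNOWN_SENDERS = {"alice@hosted.example"}   # keys of the sender access table


@dataclass(frozen=True)
class Rcpt:
    client_ip: str
    sasl_user: Optional[str]   # None when the client did not authenticate
    sender: str                # MAIL FROM: chosen by the client, never verified
    recipient: str             # RCPT TO


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def permit_mynetworks(r):
    return "PERMIT" if r.client_ip in TRUSTED_CLIENTS else "DUNNO"


def permit_sasl_authenticated(r):
    return "PERMIT" if r.sasl_user else "DUNNO"


def reject_unauth_destination(r):
    return "DUNNO" if domain_of(r.recipient) in HOSTED_DOMAINS else "REJECT"


def permit_auth_destination(r):
    return "PERMIT" if domain_of(r.recipient) in HOSTED_DOMAINS else "DUNNO"


def check_sender_access(r):
    # access(5)-style table: a listed sender yields OK, anything else no decision.
    return "PERMIT" if r.sender.lower() in KNOWN_SENDERS else "DUNNO"


def check_sender_access_strict(r):
    # Shaped like the sender_access.cf query in the thread: OK or REJECT, never DUNNO.
    return "PERMIT" if r.sender.lower() in KNOWN_SENDERS else "REJECT"


def evaluate(restrictions, r):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for restriction in restrictions:
        verdict = restriction(r)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end of list"   # model assumption: nothing objected


# The four orderings that appear in the thread.
SENDER_TABLE_FIRST = [permit_mynetworks, permit_sasl_authenticated,
                      check_sender_access, reject_unauth_destination]
WITHOUT_TABLE = [permit_mynetworks, permit_sasl_authenticated,
                 reject_unauth_destination]
STRICT_TABLE_LAST = WITHOUT_TABLE + [check_sender_access_strict]
WITH_AUTH_DEST = WITHOUT_TABLE + [permit_auth_destination, check_sender_access_strict]

# Unauthenticated outside client, forged hosted sender, outside recipient.
FORGED_RELAY = Rcpt("203.0.113.9", None, "alice@hosted.example", "carol@elsewhere.example")
# Ordinary inbound mail from an outside sender to a hosted mailbox.
INBOUND = Rcpt("203.0.113.9", None, "bob@elsewhere.example", "alice@hosted.example")
# Authenticated user sending with someone else's outside address.
AUTH_FOREIGN_FROM = Rcpt("203.0.113.9", "alice", "bob@elsewhere.example",
                         "carol@elsewhere.example")


def relays_for_forged_sender(restrictions):
    """True when a forged MAIL FROM alone is enough to relay to an outside domain."""
    return evaluate(restrictions, FORGED_RELAY)[0] == "PERMIT"


if __name__ == "__main__":
    lists = {"SENDER_TABLE_FIRST": SENDER_TABLE_FIRST, "WITHOUT_TABLE": WITHOUT_TABLE,
             "STRICT_TABLE_LAST": STRICT_TABLE_LAST, "WITH_AUTH_DEST": WITH_AUTH_DEST}
    probes = {"forged relay": FORGED_RELAY, "inbound": INBOUND,
              "auth, foreign From": AUTH_FOREIGN_FROM}
    for list_name, restrictions in lists.items():
        for probe_name, probe in probes.items():
            verdict, decided_by = evaluate(restrictions, probe)
            print(f"{list_name:20} {probe_name:20} {verdict:7} ({decided_by})")
```

In every ordering the authenticated probe is decided by permit_sasl_authenticated before any sender check runs, which is why the "authenticated, remote to remote" row stays OK in both matrices.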


Re: Prevent Backscatter

2017-01-22 Thread Postfix User
Wietse Venema wrote
> DO NOT specify virtual (alias or mailbox) stuff in relay_domains

relay_domains is empty

Wietse Venema wrote
> DO NOT specify virtual (alias or mailbox) stuff in relay_recipient_maps

relay_recipient_maps is empty

Wietse Venema wrote
> DO specify virtual alias DOMAINS in virtual_alias_DOMAINS.

I set a lookup table for virtual_alias_domains. Before it didn't work,
because I used $virtual_mailbox_domains, and it has different format

postconf -n | grep virtual_alias_domains

virtual_alias_domains =
mysql:/etc/postfix/sqlconf/virtual_alias_domains.cf

virtual_alias_domains.cf

query   = SELECT u.domain FROM users u WHERE u.username='%u'
AND u.domain='%d' AND u.active='1';





MySQL 8.0 with Postfix

2017-01-22 Thread Postfix User
This question has probably been answered somewhere before; however, I
cannot find it. I am going to rebuild my FreeBSD system from the ground
up. I was wondering if Postfix is compatible with the MySQL 8.0
version release.

Thanks!

-- 
Postfix User


Re: Prevent Backscatter

2017-01-22 Thread Postfix User
Postfix User wrote
> I am trying to reject instead of sending bounce message back when email
> arrives to non existing account at domains hosted by my server.

Anyone having similar problem, check_recipient_access map fixed my problem

postconf -n | grep smtpd_relay_restrictions

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination, check_recipient_access
mysql:/etc/postfix/sqlconf/sender_access.cf

sender_access.cf
query   = SELECT if(count(*) = 0, "REJECT 'User doesn't exist'",
"OK") FROM users u WHERE u.username='%u' AND u.domain='%d' AND u.active='1';



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88404.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Prevent Backscatter

2017-01-23 Thread Postfix User
Wietse Venema wrote
> If anyone has a similar problem, don't set up check_recipient_access.
> Instead, study http://www.postfix.org/ADDRESS_CLASS_README.html and
> configure the valid recipient maps accordingly.

Give a man a fish, and you feed him for a day. Teach a man to fish, and you
feed him for a lifetime. 



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Prevent-Backscatter-tp88359p88413.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Using postconf to manage master.cf

2017-03-08 Thread Postfix User
On Tue, 7 Mar 2017 23:54:36 -0500, Robert Moskowitz stated:

>I am back to building a new mailserver.  I am using Centos7 which has 
>postfix 2.10.1
>
>Back some 4 years ago there was a thread here to add support to
>postconf to manage master.cf.  From
>
>http://www.postfix.org/postconf.1.html
>
>It seems that there are now options here for master.cf, but I cannot 
>find any guidance on using this.  My search foo is notoriously weak;
>my searching this list has not found any discussion on this since 1/13.
>
>I found one blog that uses 'postconf -P', but I see that the -P option 
>came out in postfix 2.11
>
>Is there guidance to using postconf to manage master.cf?
>
>thank you

According to the documentation located on
ftp://ftp.porcupine.org/mirrors/postfix-release/index.html
the 2.10.1 version is no longer supported. I know nothing about
Centos7; however, wouldn't it be possible to use a newer version of
Postfix, the latest being Postfix 3.2 I believe.

-- 
Jerry


dh settings

2017-03-20 Thread Postfix User
I am looking for a little guidance regarding deploying Diffie-Hellman
for TLS. According to this URL: https://www.weakdh.org/sysadmin.html,
the following are recommended settings for Postfix.

smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA

I would just like to know if this is correct. Also, what are the
recommended settings for the postfix "smtp_tls_exclude_ciphers"
setting?

Thank you.

-- 
Postfix User


Broken Link

2017-04-19 Thread Postfix User
I am not really sure where the best place to report this is, so I will
just assume this will suffice.

On the http://www.postfix.org/docs.html page, the link
http://yocum.org/faqs/postfix-tls-sasl.html referring to Postfix SASL +
TLS + FreeBSD howto by Tim Yocum is broken.

Also, the http://home.pages.de/~mandree/postfix/ link referenced as
Postfix Howtos by Matthias Andree results in a 404 error.


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Postfix User
On Thu, 27 Jul 2017 22:20:36 +1200, Peter stated:

>On 27/07/17 21:54, Nikolaos Milas wrote:
>> Hello,
>> 
>> We are moving to a new (virtual) server (from CentOS 5 with Postfix
>> 2.11.6 to CentOS 7 with Postfix 3.2.2).  
>
>Where did you get Postfix 3.2 from?
>
>
>Peter


You might try one of these URLs:

http://ghettoforge.org/index.php/Packages

ftp://ftp.reverse.net/pub/postfix/index.html

-- 
Jerry


Re: no response from postfix on submission port (or 465)

2017-08-22 Thread Postfix User
On Tue, 22 Aug 2017 10:14:11 +, Alef Veld stated:

>Now which clarifies things a lot. I'll probably keep 465 with wrapper mode to
>support outlook express or other clients which want it and put 587 without.

MS Outlook Express was deprecated in Windows 7, way back in Oct 2009. It has
been years since I have seen anyone actually use it. I removed wrapper mode 5
years ago and never looked back.

-- 
Jerry


Re: Can send but not receive

2017-08-28 Thread Postfix User
On Mon, 28 Aug 2017 08:06:39 -0500, Tom Browder stated:

>My remote postfix installation can send but not receive, and I'm sure
>I have a bad setting somewhere.  When sending to the remote server,
>from my personal gmail account I finally get a response from gmail as
>shown in the attached file.
>
>I can put my main.cf, master.cf in a github gist if there is any
>interest.  My mail logs are not interesting at all, at least to me,
>but I am happy to put one or more of them on github, too.

To report problems to Postfix, first read this:
http://www.postfix.com/DEBUG_README.html#mail

Specifically:

Command output from:

"postconf -n". Please do not send your main.cf file, or 1000+ lines of
postconf command output.

"postconf -Mf" (Postfix 2.9 or later).

Better, provide output from the postfinger tool. This can be found at
http://ftp.wl0.org/SOURCES/postfinger.

If the problem is SASL related, consider including the output from the
saslfinger tool. This can be found at
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

-- 
Jerry


bind smtpd to UNIX socket

2017-09-06 Thread postfix-user

Hello everybody.
I want to start another smtpd process, bound to a UNIX socket, and
configure this smtpd with maximally relaxed policies.

I added a line to master.cf:
lsmtp unix n y n - - smtpd -o smtpd_tls_security_level=none
    -o mynetworks_style=host -o smtpd_relay_restrictions=permit_mynetworks

But when I try to send a mail, I get an error:
[root@vps3 ~]# socat UNIX:/var/spool/postfix/public/lsmtp -
220 vps3.xyz.com ESMTP Postfix
EHLO test
250-vps3.xyz.com
250-PIPELINING
250-SIZE 10
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
454 4.7.1 : Relay access denied
quit
221 2.0.0 Bye
---
A question: how do I correctly launch smtpd on the UNIX socket so that it
is possible to send mail through a trivial SMTP session? I would prefer
to use the UNIX socket. And anyway, is the problem in the policies
regulated by the smtpd_relay_restrictions parameter? What is the most
relaxed permit_* to put there?

Thank you.


Re: bind smtpd to UNIX socket

2017-09-08 Thread postfix-user

> I think this is not supported.
> Try using type 'inet', bound to 127.0.0.1.
Thank you.
I was able to run smtpd on a UNIX socket. The problem was in the 
policies smtpd_relay_restrictions and smtpd_recipient_restrictions, 
which can not be set as "permit".


Re: unable to send email to hotmail.com domain

2017-10-26 Thread Postfix User
On Thu, 26 Oct 2017 14:20:47 +0200, Poliman - Serwis stated:

>It's just unconditioned reaction. I also post this message to some forums,
>you know. I am afraid that hotmail.com / outlook.com and all microsoft
>email domains are configured to block emails from new/fresh domain and
>newly created email accounts, which have quite low reputation. I read that
>they created own system that filter "spam" emails. Of course it filters
>good emails. Even Google is not that hardcore.
>
>2017-10-26 14:13 GMT+02:00 Matus UHLAR - fantomas :
>
>> On 26.10.17 12:33, Poliman - Serwis wrote:
>>
>>> I have strange irritating problem. When I send emails from my server to
>>> any
>>> email address to any domain they reach the target without any problem. But
>>> when I try send to address in "hotmail.com" I got bounce:
>>> : host
>>>hotmail-com.olc.protection.outlook.com[104.47.40.33] said: 550 5.7.1
>>>Unfortunately, messages from [ip_of_my_server] weren't sent. Please
>>>
>>
>> I don't see reason for hiding this IP here. Everyone you send mail sees the
>> IP. And it's hard for us to help you if you hide it.
>>
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> - Have you got anything without Spam in it?
>> - Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

You are also listed on "l2.apews.org", although I don't think that is the
source of your problem.





Re: ot: MySQL config/tuning advice

2018-01-06 Thread Postfix User
On Fri, 5 Jan 2018 21:13:36 -0500, Phil Stracchino stated:

>On 01/05/18 20:55, @lbutlr wrote:
>> On 4 Jan 2018, at 14:40, Phil Stracchino <ph...@caerllewys.net> wrote:
>>> The principal shortcoming of mysqldump is that it is a benightedly stupid
>>> tool that cannot walk and chew gum at the same time, or *correctly* dump
>>> both MyISAM and InnoDB tables in the same operation.
>> 
>> OK, I'll bite. I've been using mysqldump to back up my databases for at
>> least a decade (via a cron job), and in that time have often used it to also
>> restore databases. So far, I've never had an issue, but then again, I don't
>> want to have an issue in the future either.
>
>
>I'll clarify the issue a little.
>
>InnoDB is a transactional storage engine, and should in most cases be
>backed up using --skip-lock-tables --single-transaction, to get a
>consistent snapshot of the database without locking it.  MyISAM,
>however, is non-transactional, and you cannot dump a MyISAM table
>without read-locking it, which means that to get a consistent dump of a
>database that contains MyISAM tables you MUST lock the database.
>
>Mysqldump can only do one or the other for an entire backup.  It cannot
>do anything table-by-table, and you have to tell it which of the two
>unsatisfactory options - lock everything, or lock nothing - you want it
>to use.
>
>The third-party tool I mentioned, mydumper, is smart enough to be
>storage-engine aware at the table level, so it gets a global read lock,
>holds it JUST long enough to dump all of the MyISAM tables first, then
>releases the read lock and dumps all of the InnoDB tables as a
>background transaction.  This gives a fully consistent dump with the
>shortest possible lock time and minimal impact to database access during
>the dump.
>
>You might want to give it a look.


I have never used that application. I have been using "mysqlbackup"
for my MySQL databases. It seems to work fine for me.

-- 
Jerry


Re: compile postfix 3.x from source on freebsd 11.x [patch]

2018-03-04 Thread Postfix User
On Sun, 4 Mar 2018 19:06:52 +0100, no@s...@mgedv.net stated:

>hi wietse & postfix-folks, thanks for the best MX out there - still!
>feel free to apply this patch if reqd.
>
>--- ./src/util/sys_defs.h.orig  2017-02-02 02:31:15.0 +0100
>+++ ./src/util/sys_defs.h   2017-04-03 15:57:19.205806000 +0200
>@@ -30,6 +30,7 @@
> #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \
> || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \
> || defined(FREEBSD8) || defined(FREEBSD9) || defined(FREEBSD10) \
>+|| defined(FREEBSD11) \
> || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
> || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \
> || defined(OPENBSD5) || defined(OPENBSD6) \
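
Review bot: the added `|| defined(FREEBSD11)` line extends a list that already names every FreeBSD major from 2 to 10 one by one, so the same build failure returns with the next major release unless this list and makedefs are edited again. Please also state which Postfix release the patch is against: the subject says only 3.x, the file timestamps are from early 2017, and the reply in this thread reports a newer Postfix already running on FreeBSD 11.
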
>--- makedefs.orig   2017-02-12 16:32:10.0 +0100
>+++ makedefs2017-04-03 15:56:15.710429000 +0200
>@@ -284,6 +284,15 @@
>: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
>: ${PLUGIN_LD="${CC} -shared"}
>;;
>+  FreeBSD.11*) SYSTYPE=FREEBSD11
>+   : ${CC=cc}
>+   : ${SHLIB_SUFFIX=.so}
>+   : ${SHLIB_CFLAGS=-fPIC}
>+   : ${SHLIB_LD="${CC} -shared"' -Wl,-soname,${LIB}'}
>+   : ${SHLIB_RPATH='-Wl,-rpath,${SHLIB_DIR}'}
>+   : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
>+   : ${PLUGIN_LD="${CC} -shared"}
>+   ;;
>  DragonFly.*)  SYSTYPE=DRAGONFLY
>;;
>   OpenBSD.2*)  SYSTYPE=OPENBSD2
>
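
Review bot: the new `FreeBSD.11*)` case ends with the same `SHLIB_ENV` and `PLUGIN_LD` defaults that the context lines show for the case just above it, which suggests the whole block was copied. If the remaining settings match as well, one case pattern covering both releases, with only SYSTYPE chosen per release, would avoid keeping two copies in step.
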

Maybe I am missing something; however, I have been running Postfix
3.4-(whatever) on FreeBSD-11 and above since it was released.


Re: Keep Postfix running in the foreground

2018-04-05 Thread Postfix User
On Thu, 5 Apr 2018 07:07:06 -0400 (EDT), Wietse Venema stated:

>Bastian Blank:
>> On Wed, Apr 04, 2018 at 08:56:46PM -0400, Wietse Venema wrote:  
>> > That may be so, but why does the lame Linux kernel silently ignore
>> > the kill() call instead of properly returning an error.  
>> 
>> The signal is ignored the same way as if someone had called
>> | signal(SIGFOO, SIG_IGN)  
>
>Postfix code is (while handling SIGTERM)
>
>sigemptyset(&action.sa_mask);
>action.sa_flags = 0;
>action.sa_handler = SIG_DFL;
>if (sigaction(sig, &action, (struct sigaction *) 0) < 0)
>msg_fatal("%s: sigaction: %m", myname);
>if (kill(pid, sig) < 0)
>msg_fatal("%s: kill myself: %m", myname);
>
>So Linux also ignores sigaction with SIG_DFL without returning an
>error. Undocumented behavior -> Lame.
>
>   Wietse

Well, you could file a bug report; however, they would just ignore it.

-- 
Jerry


Re: new strangeness with O365 (THREAD CLOSED)

2018-05-18 Thread Postfix User
On Thu, 17 May 2018 20:05:16 -0400, Viktor Dukhovni stated:

>> On May 17, 2018, at 7:53 PM, Daniele Nicolodi  wrote:
>> 
>> Can you please elaborate on what are the "good security reasons" for
>> which that is a good idea and not simply a form of user tracking?  
>
>This is not a Postfix topic and should move to another list.
>
>[ FWIW, this type of indirection is used to protect users from
>  visiting malicious websites, the technique is somewhat effective ]

Thank you, Viktor. Informative responses as opposed to FUD are always welcomed.

-- 
Jerry


Re: Mail being delayed for 5 minutes in active queue before being relayed

2018-05-21 Thread Postfix User
On Sun, 20 May 2018 15:08:11 -0700 (MST), jmct stated:

>Hi there,
>
>I've set up a mail server that should be relaying messages to a different
>cluster of Postfix boxes. When I attempt to send a message to the first box,
>mail sits in the active queue for 5 minutes before being (successfully)
>relayed to the cluster of Postfix boxes. which is then delivered correctly.
>I'm trying to figure out why this is and have it relay immediately (as
>expected).
>
>*My box I'm attempting to relay FROM is on:
>*
>
>
>*Here's my (sanitized) postconf -n:*
>
>
>
>Thanks for your help.

I would suggest that you read this: http://www.postfix.com/DEBUG_README.html,
or better yet, this: http://www.postfix.com/DEBUG_README.html#mail

The "postfinger" tool mentioned in the previous URL is excellent.

-- 
Jerry


Re: "Recipient address rejected: User unknown in virtual mailbox table" and mydomain conf line

2018-08-16 Thread Postfix User
On Thu, 16 Aug 2018 07:08:29 +0200, Poliman - Serwis stated:

>1. To be honest I don't know what is top-posting. Could you explain? I will
>avoid it then. ;)

https://en.wikipedia.org/wiki/Posting_style

-- 
Jerry


Regenerating DHparams

2018-11-07 Thread Postfix User
Is there any recommended schedule for regenerating DHparams for Postfix? I
could not find anything specific about it.

-- 
Jerry


Re: Rethinking the Postfix release schedule

2019-01-31 Thread Postfix User
On Wed, 30 Jan 2019 21:14:07 -0500, Richard Damon stated:



FreeBSD users already have a choice of either the latest postfix
version, Postfix 3.3 stable release, or the latest beta
version, Postfix 3.4 experimental release. I don't know if
there is a good reason to modify the release dates, at least not in my
case.

-- 
Postfix User





Re: Bug#924183: postfix: Trust anchor files (tafile=) in TLS policy break secure level email delivery

2019-03-10 Thread Postfix User
On Sun, 10 Mar 2019 11:11:15 -0400 (EDT), Wietse Venema stated:

>Scott Kitterman:
>> I received the bug report/patch below from a Debian user.  I'm
>> somewhat busy this weekend/week, so I decided to forward it without
>> evaluation rather than sit on it for a week until I could research
>> it.
>> 
>> I attempted to remove the distro specific noise from the report.  
>
>Sorry for making you the guinea pig.
>
>I am considering to withdraw Postfix 3.4 and do a proper Postfix
>3.5 release as planned later this year. We can't afford having a
>stable release with bug-of-the-week fixes like we have now.
>
>   Wietse


Wietse, the number of bugs found in stable releases of Postfix is
infinitesimal when compared to other vendors who release products under
the "fix it later" theory.

-- 
Postfix User


Re: Bug#924183: postfix: Trust anchor files (tafile=) in TLS policy break secure level email delivery

2019-03-10 Thread Postfix User
On Sun, 10 Mar 2019 11:41:01 -0400, Scott Kitterman stated:

>On Sunday, March 10, 2019 11:11:15 AM Wietse Venema wrote:
>> Scott Kitterman:  
>> > I received the bug report/patch below from a Debian user.  I'm
>> > somewhat busy this weekend/week, so I decided to forward it
>> > without evaluation rather than sit on it for a week until I could
>> > research it.
>> > 
>> > I attempted to remove the distro specific noise from the report.  
>> 
>> Sorry for making you the guinea pig.
>> 
>> I am considering to withdraw Postfix 3.4 and do a proper Postfix
>> 3.5 release as planned later this year. We can't afford having a
>> stable release with bug-of-the-week fixes like we have now.  
>
>I knew I was taking a risk jumping to 3.4 late in our release cycle.
>
>A week from now when it hits Debian Testing, the user base will grow 
>significantly and we'll get more feedback.
>
>I guess there weren't enough testers for 3.4 before release.  I don't
>know that that situation will be better later in the year for 3.5.
>From my point of view (I don't know about other distros/OS), it would
>be somewhat painful to stay on 3.3 for the next release at this point,
>but it'll be a lot harder a week from now.
>
>My preference would be to press on with 3.4 (I don't mind packaging
>the bug fixes if you don't mind releasing them), but if you are going
>to withdraw 3.4, please do it before next Sunday so I can keep it out
>of the next Debian release.
>
>Although Debian doesn't normally allow it, I've gotten permission from
>the release team to update postfix based on your microreleases (third
>digit) based on the good history with them fixing relevant bugs with
>minimal regression risk.  It's absolutely not a problem for me to stay
>on the 3.4 path if you're up for it.
>
>Scott K

FreeBSD is using Postfix 3.3 for its stable release and Postfix 3.4 for
its development (experimental) release.

-- 
Postfix User


postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

2019-08-26 Thread postfix-user-l...@cas.cat
Hi!


Introduction
===


A few days ago I thought it would be a great idea to send emails to others
in the same LAN (each participant having their own postfix server) and
without reaching the Internet. Applications of this are: a dynamic during a
conference, a workshop, an emergency situation (where the Internet or a
centralized server in the LAN is not working), etc.

In my first attempt I thought mDNS [1] is very fine for this; to make it
work in debian you have to install avahi-daemon [2]. After that, your
hostname is appended with the .local domain.

The mail clients thunderbird [3] and claws mail [4] allow using the
/var/mail/user localhost mailbox. The emails are managed very fine but
there is a problem trying to send email using postfix as a localhost
SMTP server to an mDNS host.


Showing the config files and testing
==


When you install avahi-daemon, hosts line in /etc/nsswitch.conf looks like

    hosts:  files mdns4_minimal [NOTFOUND=return] dns myhostname

so it first tries to do "nsswitch resolution" with mDNS before
contacting the dns thing.

You can check it with the command getent (getent - get entries from Name
Service Switch libraries), and I think this is equivalent to calling
getaddrinfo:

    $ getent hosts host1.local
    192.168.1.124  host1.local

From a default debian 10 stable postfix server version 3.4.5, in the file
/etc/postfix/main.cf I added: (1) the ability to run IPs (that works fine,
but is not as interesting as mDNS!) and (2) the ability to query nsswitch.conf:

    # allow raw IPs -> src https://serverfault.com/questions/373350/postfix-allow-sending-to-raw-ip-address
    resolve_numeric_domain = yes
   
    # http://www.postfix.org/postconf.5.html#smtp_host_lookup
    smtp_host_lookup = dns, native

The official postfix documentation for "smtp_host_lookup" says "native -
Use the native naming service only (nsswitch.conf, or equivalent
mechanism)". I thought that it included mDNS but I am pretty sure it is not
working (and I think it is very easy to replicate):

    : unable to look up host host1.local: Name or service not known

For testing purposes, if I add an entry in /etc/hosts like:

    192.168.1.24    host1.local

and I restart the postfix server, then it works (interesting: if I remove
the /etc/hosts entry it still works until I restart the postfix server
again; it looks like the postfix server only checks /etc/hosts at init
time, not dynamically).

But /etc/hosts is not so interesting in this scenario because it is so
static and, for the use case I described in the beginning, very boring.

I think the error I'm getting is coming from the file src/smtp/smtp_addr.c
(source code of postfix 3.4.5) [5]. Postfix is using getaddrinfo, and it
should be resolving mDNS lookups, but it is not doing it and I don't
understand why.

I hope we can have this feature and that it does not harm other things


Thanks for your time!
Pedro


[1] https://en.wikipedia.org/wiki/Multicast_DNS
[2] https://wiki.debian.org/ZeroConf
[3] https://www.thunderbird.net/
[4] https://www.claws-mail.org/
[5]

    /*
     * Use the native name service which also looks in /etc/hosts.
     *
     * XXX A soft error dominates past and future hard errors. Therefore we
     * should not clobber a soft error text and status code.
     */
    #define RETRY_AI_ERROR(e) \
        ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
    #ifdef EAI_NODATA
    #define DSN_NOHOST(e) \
        ((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME)
    #else
    #define DSN_NOHOST(e) \
        ((e) == EAI_AGAIN || (e) == EAI_NONAME)
    #endif

    if (smtp_host_lookup_mask & SMTP_HOST_FLAG_NATIVE) {
        if ((aierr = hostname_to_sockaddr(host, (char *) 0, 0, &res0)) != 0) {
            dsb_simple(why, (SMTP_HAS_SOFT_DSN(why) || RETRY_AI_ERROR(aierr)) ?
                       (DSN_NOHOST(aierr) ? "4.4.4" : "4.3.0") :
                       (DSN_NOHOST(aierr) ? "5.4.4" : "5.3.0"),
                       "unable to look up host %s: %s",
                       host, MAI_STRERROR(aierr));








Re: postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

2019-08-26 Thread postfix-user-2019-8-26


On 8/26/19 3:57 PM, Viktor Dukhovni wrote:
> Is smtp(8) using "chroot" in your master.cf file?  If so, the relevant
> nsswitch.conf is likely the one in the chroot jail, and the jail would
> also need to contain the relevant nss plugin modules.  Simpler may be
> to disable chroot.

That's it!!

I applied this patch (that disables chroot) and then it works [1]. Thank
you, Viktor!

With curiosity, I do not understand why the chroot of postfix is not
resolving through the nsswitch that includes and that is identical to the :

    cmp /var/spool/postfix/etc/nsswitch.conf  /etc/nsswitch.conf

(returns no output because it is equal and I see the same content)

The "relevant nss plugin modules" looks like they are there too:

 $ find /var/spool/postfix/lib | grep mdns
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns6_minimal.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns4.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns_minimal.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns6.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
/var/spool/postfix/lib/x86_64-linux-gnu/libnss_mdns.so.2

Cheers,
Pedro

[1] (I think is an untouched master for debian10, yes! it is in two places!)

# diff -u /etc/postfix/master.cf.orig /etc/postfix/master.cf
--- master.cf.orig    2019-08-26 16:49:09.231356916 +0200
+++ master.cf    2019-08-26 16:49:37.100024149 +0200
@@ -9,7 +9,7 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #   (yes)   (yes)   (no)    (never) (100)
 #
==
-smtp  inet  n   -   y   -   -   smtpd
+smtp  inet  n   -   n   -   -   smtpd
 #smtp  inet  n   -   y   -   1   postscreen
 #smtpd pass  -   -   y   -   -   smtpd
 #dnsblog   unix  -   -   y   -   0   dnsblog
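
Review bot: the `smtp inet ... smtpd` change from `y` to `n` is unrelated to the failure being fixed, because the `unable to look up host` error reported in the thread comes from the smtp client and not from the listener. Drop this hunk so the network-facing server stays chrooted; the follow-up message in the thread reaches the same conclusion.
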
@@ -51,7 +51,7 @@
 flush unix  n   -   y   1000?   0   flush
 proxymap  unix  -   -   n   -   -   proxymap
 proxywrite unix -   -   n   -   1   proxymap
-smtp  unix  -   -   y   -   -   smtp
+smtp  unix  -   -   n   -   -   smtp
 relay unix  -   -   y   -   -   smtp
 -o syslog_name=postfix/$service_name
 #   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
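
Review bot: the `relay unix - - y - - smtp` entry in the context directly below the changed line still runs the same smtp client chrooted, so mail routed through the relay transport will keep failing to resolve `.local` names. Either apply the same `y` to `n` change there or state that only the default smtp transport is meant to reach mDNS hosts.
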





Re: postfix not resolving mDNS lookups (make it work in a LAN-without-internet)

2019-08-26 Thread postfix-user-2019-8-26
On 8/26/19 5:18 PM, postfix-user-2019-8-26 wrote:
> That's it!!
>
> I applied this patch (that disables chroot) and then it works [1]. Thank
> you, Viktor!
>
> (...)
>
> [1] (I think is an untouched master for debian10, yes! it is in two places!)
>
> # diff -u /etc/postfix/master.cf.orig /etc/postfix/master.cf
> --- master.cf.orig    2019-08-26 16:49:09.231356916 +0200
> +++ master.cf    2019-08-26 16:49:37.100024149 +0200
> @@ -9,7 +9,7 @@
>  # service type  private unpriv  chroot  wakeup  maxproc command + args
>  #   (yes)   (yes)   (no)    (never) (100)
>  #
> ==
> -smtp  inet  n   -   y   -   -   smtpd
> +smtp  inet  n   -   n   -   -   smtpd
>  #smtp  inet  n   -   y   -   1   postscreen
>  #smtpd pass  -   -   y   -   -   smtpd
>  #dnsblog   unix  -   -   y   -   0   dnsblog
> @@ -51,7 +51,7 @@
>  flush unix  n   -   y   1000?   0   flush
>  proxymap  unix  -   -   n   -   -   proxymap
>  proxywrite unix -   -   n   -   1   proxymap
> -smtp  unix  -   -   y   -   -   smtp
> +smtp  unix  -   -   n   -   -   smtp
>  relay unix  -   -   y   -   -   smtp
>  -o syslog_name=postfix/$service_name
>  #   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
>

Reviewing my config patch: to make it work, it is only necessary to disable
chroot for the smtp client part:

# diff -u /etc/postfix/master.cf.orig /etc/postfix/master.cf
--- master.cf.orig    2019-08-26 16:49:09.231356916 +0200
+++ master.cf    2019-08-26 17:45:10.926390350 +0200
@@ -51,7 +51,7 @@
 flush unix  n   -   y   1000?   0   flush
 proxymap  unix  -   -   n   -   -   proxymap
 proxywrite unix -   -   n   -   1   proxymap
-smtp  unix  -   -   y   -   -   smtp
+smtp  unix  -   -   n   -   -   smtp
 relay unix  -   -   y   -   -   smtp
 -o syslog_name=postfix/$service_name
 #   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
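
Review bot: the edited `smtp unix - - n - - smtp` line carries no record of why chroot was turned off, so a later merge of the packaged master.cf can silently restore `y` and break `.local` delivery again. Add a comment line above the entry that names the mDNS lookup as the reason for the change.
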



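
Viktor's reply quoted in this thread says a chrooted smtp(8) resolves names with the jail's own nsswitch.conf and needs the NSS plugin modules inside the jail. The script below is an added example, not code from the thread or from Postfix: it audits a jail for those prerequisites and goes one step further by also checking the files each listed service opens at lookup time. The function names, the avahi-daemon socket path and the sample jail are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Audits a chroot jail for what a
# chrooted process needs so that getaddrinfo() can follow the "hosts:" chain.

# Assumption: location, relative to the jail root, of the avahi-daemon socket
# that the mdns NSS modules connect to. Adjust to the local nss-mdns build.
AVAHI_SOCKET_REL=${AVAHI_SOCKET_REL:-run/avahi-daemon/socket}

# nss_host_sources FILE: print the services on the "hosts:" line, one per
# line, dropping comments and [STATUS=action] items.
nss_host_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if (skipping) { if ($i ~ /\]$/) skipping = 0; continue }
                 if ($i ~ /^\[/) { if ($i !~ /\]$/) skipping = 1; continue }
                 print $i
             }
         }' "$1"
}

# audit_jail JAIL: print one "MISSING ..." line per absent prerequisite.
# Returns 0 when nothing is missing, 1 otherwise.
audit_jail() {
    jail=${1:-.}
    conf=$jail/etc/nsswitch.conf
    if [ ! -f "$conf" ]; then
        echo "MISSING etc/nsswitch.conf"
        return 1
    fi
    rc=0
    for src in $(nss_host_sources "$conf"); do
        # glibc loads libnss_<service>.so.2 at lookup time, i.e. after chroot.
        # (Newer glibc builds "files" and "dns" in; a miss there is harmless.)
        if ! find "$jail" -name "libnss_$src.so.2" 2>/dev/null | grep -q .; then
            echo "MISSING libnss_$src.so.2 (service $src)"
            rc=1
        fi
        case $src in
            files) need=etc/hosts;         test_op=-f ;;
            dns)   need=etc/resolv.conf;   test_op=-f ;;
            mdns*) need=$AVAHI_SOCKET_REL; test_op=-S ;;
            *)     continue ;;
        esac
        if ! [ "$test_op" "$jail/$need" ]; then
            echo "MISSING $need (service $src)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample jail modelled on the thread: nsswitch.conf and the mdns
# module are present, but nothing was done for avahi or myhostname.
demo_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/lib/x86_64-linux-gnu"
    echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname' \
        > "$d/etc/nsswitch.conf"
    : > "$d/etc/hosts"
    : > "$d/etc/resolv.conf"
    for m in files mdns4_minimal dns; do
        : > "$d/lib/x86_64-linux-gnu/libnss_$m.so.2"
    done
    echo "$d"
}

# Stand-alone run: audit the jail given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    audit_jail "$1"
else
    sample=$(demo_jail) && { audit_jail "$sample" || true; rm -rf "$sample"; }
fi
```

On a real system the argument is the jail root, which in this thread is /var/spool/postfix. A clean report lets the smtp client stay chrooted instead of switching the master.cf field to `n`.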