Re: Different SMTP AUTH options and credentials for different clients

2016-06-24 Thread Viktor Dukhovni
On Fri, Jun 24, 2016 at 04:10:40PM +0100, Rob Maidment wrote: > I could set smtpd_tls_security_level to "may" instead and then verify > that TLS has been used where it is required (e.g. using a policy > service), however that means Postfix will not validate the client > certificate right? (because

Re: 4.6.0 Alias expansion error / unreasonable virtual_alias_maps map nesting

2016-06-24 Thread francis picabia
On Fri, Jun 24, 2016 at 11:44 AM, francis picabia wrote: > > I saw one discussion on this error from back in 2013, but didn't > learn anything from it that resolves my error. > > We have an MX pointing to O365. It sends any email it can't > match to a mailbox to our "smarthost", which runs Postf

Re: 4.6.0 Alias expansion error / unreasonable virtual_alias_maps map nesting

2016-06-24 Thread Noel Jones
On 6/24/2016 9:44 AM, francis picabia wrote: > > I saw one discussion on this error from back in 2013, but didn't > learn anything from it that resolves my error. > > We have an MX pointing to O365. It sends any email it can't > match to a mailbox to our "smarthost", which runs Postfix 3.0.2-201

Re: postscreen_upstream_proxy_protocol with both proxied and unproxied clients

2016-06-24 Thread Quanah Gibson-Mount
--On Friday, June 24, 2016 12:26 PM -0400 Wietse Venema wrote: I suppose that one could configure a namaddr_list (and use IP address patterns only) that skips the haproxy protocol handshake. Ok, the problem is I have no way of knowing what clients will come in via the haproxy or not. ;) I t

Re: postscreen_upstream_proxy_protocol with both proxied and unproxied clients

2016-06-24 Thread Wietse Venema
Wietse Venema: > Quanah Gibson-Mount: > > We recently deployed into AWS, and were following > > . > > > > However, we found that if we set postscreen_upstream_proxy_protocol=haproxy > > we are then no longer able to conne

Re: postscreen_upstream_proxy_protocol with both proxied and unproxied clients

2016-06-24 Thread Wietse Venema
Quanah Gibson-Mount: > We recently deployed into AWS, and were following > . > > However, we found that if we set postscreen_upstream_proxy_protocol=haproxy > we are then no longer able to connect directly to the MTAs to

Re: Different SMTP AUTH options and credentials for different clients

2016-06-24 Thread Rob Maidment
On 24 June 2016 at 14:59, Wietse Venema wrote: >> I need to ensure TLS is used (and client certificates are verified) >> for some clients but not offered to others. What happens if I use >> smtpd_discard_ehlo_keyword_address_maps to strip the STARTTLS keyword >> but smtpd_tls_security_level is se

postscreen_upstream_proxy_protocol with both proxied and unproxied clients

2016-06-24 Thread Quanah Gibson-Mount
We recently deployed into AWS, and were following . However, we found that if we set postscreen_upstream_proxy_protocol=haproxy we are then no longer able to connect directly to the MTAs to send mail. Is there any abili

4.6.0 Alias expansion error / unreasonable virtual_alias_maps map nesting

2016-06-24 Thread francis picabia
I saw one discussion on this error from back in 2013, but didn't learn anything from it that resolves my error. We have an MX pointing to O365. It sends any email it can't match to a mailbox to our "smarthost", which runs Postfix 3.0.2-20150720 On the Postfix smarthost we have: virtual_alias_ma

Re: Different SMTP AUTH options and credentials for different clients

2016-06-24 Thread Wietse Venema
Rob Maidment: > On 23 June 2016 at 18:05, Wietse Venema wrote: > > I don't see that happen. > > > > I don't think that postscreen is viable if it has to wait for DNS > > lookup with EVERY SMTP CONNECTION. > > Ok I understand, but it wouldn't be on every connection, only the ones > postscreen deci

Re: Different SMTP AUTH options and credentials for different clients

2016-06-24 Thread Rob Maidment
On 23 June 2016 at 18:05, Wietse Venema wrote: > I don't see that happen. > > I don't think that postscreen is viable if it has to wait for DNS > lookup with EVERY SMTP CONNECTION. Ok I understand, but it wouldn't be on every connection, only the ones postscreen decided to pass through. And once

RE: thousands of "lost connection after AUTH"

2016-06-24 Thread L . P . H . van Belle
They are after username/passwords. And when that happened they will use your server as relay. Happened on one of my servers also. One of my users used his email and pass in facebook and linkedin. And the same as on the server.. :-/ About 60.000 mails were tried to send over my server. Wha

thousands of "lost connection after AUTH"

2016-06-24 Thread Thomas Keller
This is not a real problem, but I am curious to understand what is happening here. I am running a small postfix server for personal use. One thing that I observe over and over again is thousands of "lost connection after AUTH" connections, such as these: 08:23:19 postfix/smtpd[4925]: connect fr