Couple of config questions

2011-12-01 Thread Philip Prindeville
Sorry about the noob questions, but it's been 12 years or more since I stared at Postfix... First, is there a way to get an out-of-the-box (in my case, Postfix 2.6.6 compiled for Centos6/EPEL6) to get $mydomain and $myhostname from the canonicalized hostname? I.e. to do a: gethostname(buf);

Re: Couple of config questions

2011-12-01 Thread Philip Prindeville
On 12/1/11 1:45 PM, Philip Prindeville wrote: > Also, smtpd seems to silently ignore: > > submission ... smtpd ... -o inet_interfaces=127.0.0.1 in master.cf > > I was hoping to be able to use this to get it to listen for submissions only > on 127.0.0.1:587... but as I said,

Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Philip Prindeville
I tried to set up Postfix (2.6.6) on a Centos6 system (yes, I've filed a bug for them to bump to something 2.8.x-ish)... as: Dec 1 20:26:05 localhost postfix/smtpd[7743]: warning: connect to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied # ls -ld /var/spool/MIMEDe

Re: Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Philip Prindeville
On 12/2/11 2:19 PM, Wietse Venema wrote: > Philip Prindeville: >> Would it make sense to add a parameter of additional gid's that >> you want smtpd to retain? > > Perhaps you can use a class "inet" socket on 127.0.0.1. That > will have less impact on the Po

Re: Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Philip Prindeville
On 12/2/11 8:23 PM, Philip Prindeville wrote: > On 12/2/11 2:19 PM, Wietse Venema wrote: >> Philip Prindeville: >>> Would it make sense to add a parameter of additional gid's that >>> you want smtpd to retain? >> >> Perhaps you can use a class "

Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Philip Prindeville
On 12/3/11 7:15 AM, Wietse Venema wrote: > Philip Prindeville: >> Dec 2 20:32:54 localhost postfix/smtpd[9440]: warning: connect >> to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock: >> Permission denied > > Does the error go away if you turn off SeLinux?

Re: Switching to 587 submission

2011-12-07 Thread Philip Prindeville
Just a point of clarification... port 465 isn't "deprecated" because it was never formerly assigned by IANA. It was hijacked by some mailer (I forget which) and when 587 was assigned, it was agreed to stop using the former port. As for one of your questions, it's assumed that 465 comes up wit

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 8:46 AM, Grant wrote: >>> I don't see why local Squirrelmail won't send mail over 587, >>> but remote Thunderbird will. Squirrelmail also won't send mail over >>> port 25, but it will send mail over 465. >> >> >> Do you have a new-enough SquirrelMail? From the looks of it, the only >> v

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 1:06 PM, Grant wrote: >> I don't think you're really getting the significance of port 587 vs. port 25. > > I think you're right. > >> 587 can be used encrypted or unencrypted, authenticated (preferably) or >> not... you could for instance just limit 587 connections from a particular

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 1:49 PM, Grant wrote: 25 is used by your MTA to receive *incoming* messages from other administrative domains (organizations). >>> >>> Port 25 is never used to submit outbound messages? If not, I'm >>> confused as to why Squirrelmail describes its "SMTP Port" setting this >>>

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 4:29 PM, Grant wrote: >>> Is it alright to send on port 25 from Squirrelmail when it's on the >>> same machine as postfix? That way I can make 587 require TLS and >>> authentication but not require that local Squirrelmail encrypt or >>> authenticate. >> >> No, I'd do exactly what I sai

Re: Switching to 587 submission

2011-12-08 Thread Philip Prindeville
On 12/8/11 5:33 PM, Reindl Harald wrote: > >> Got it. I misunderstood you before. May I ask why using 465 for >> Thunderbird and Squirrelmail would be better than 587 for Thunderbird >> and 25 for Squirrelmail talking to localhost? > > there is no better > configure a server as YOU need > Wel

Re: Switching to 587 submission

2011-12-09 Thread Philip Prindeville
On 12/9/11 8:07 AM, Grant wrote: > I should add that I took Noel's advice and Thunderbird is connecting > remotely to 587 and Squirrelmail is connecting locally to 587 without > encryption or authentication. The above config pertains to that > arrangement. > > - Grant Now whenever you upgrade

Re: Switching to 587 submission

2011-12-09 Thread Philip Prindeville
On 12/9/11 2:26 AM, Reindl Harald wrote: > well, as long thunderbird offers STARTTLS or SSL and for SSL 465 as > default and as long 465 does not eat anybodys children It kicked my dog once...

Re: Switching to 587 submission

2011-12-09 Thread Philip Prindeville
On 12/9/11 11:39 AM, Grant wrote: >>> I should add that I took Noel's advice and Thunderbird is connecting >>> remotely to 587 and Squirrelmail is connecting locally to 587 without >>> encryption or authentication. The above config pertains to that >>> arrangement. >>> >>> - Grant >> >> >> Now whe

Re: Switching to 587 submission

2011-12-09 Thread Philip Prindeville
On 12/9/11 1:36 PM, /dev/rob0 wrote: > On Friday 09 December 2011 14:23:01 Philip Prindeville wrote: >> On 12/9/11 11:39 AM, Grant wrote: > Philip: >>>> Now whenever you upgrade Squirrelmail to something current, >>>> you can pass your free time trying to

Aliases on local submissions only

2012-01-01 Thread Philip Prindeville
I have a 'border' postfix MTA that doesn't host any mailboxes, indeed it doesn't even know what the valid usernames are for the domain. It merely serves to check messages for viruses, and block DoS attacks. As such, I need it to perform aliasing *only* on messages generated locally by system se

Re: Aliases on local submissions only

2012-01-02 Thread Philip Prindeville
On 1/2/12 7:08 AM, Jeroen Geilman wrote: > On 01/02/2012 02:00 AM, Philip Prindeville wrote: >> I have a 'border' postfix MTA that doesn't host any mailboxes, indeed it >> doesn't even know what the valid usernames are for the domain. >> >> It m

Re: Aliases on local submissions only

2012-01-03 Thread Philip Prindeville
On 1/3/12 12:36 AM, Lorens Kockum wrote: > On Sun, Jan 01, 2012 at 06:00:46PM -0700, Philip Prindeville wrote: >> I have a 'border' postfix MTA that doesn't host any mailboxes, indeed it >> doesn't even know what the valid usernames are for the domain. >>

Re: Log the HELO/EHLO name?

2014-02-26 Thread Philip Prindeville
On Feb 25, 2014, at 3:44 AM, Eivind Olsen wrote: > Hello (or should that be EHLO? :)) > > It has been a while since I've had a need to change my Postfix > configuration, so I'm a bit rusty. I have searched, checked the > configuration, etc. No luck yet. > > Is it possible to get Postfix to log

Re: Why does EHLO [X.X.X.X] always pass helo restrictions?

2014-09-12 Thread Philip Prindeville
On Sep 5, 2014, at 2:36 PM, Edwin Marqe wrote: > Hi, > > I've been doing some tests recently regarding to the EHLO command, and > I was wondering whether the below detailed behavior is the expected > one or not. > > I have this in my Postfix config: > > smtpd_helo_restrictions = >permit_m

Re: Why does EHLO [X.X.X.X] always pass helo restrictions?

2014-09-13 Thread Philip Prindeville
On Sep 12, 2014, at 1:55 PM, li...@rhsoft.net wrote: > > Am 12.09.2014 um 21:49 schrieb Philip Prindeville: >>> However, any time I connect via telnet to this server and specify >>> *any* IP address in the form [X.X.X.X], the smtpd_helo_restrictions >>> won

Re: Why does EHLO [X.X.X.X] always pass helo restrictions?

2014-09-13 Thread Philip Prindeville
On Sep 13, 2014, at 7:35 AM, li...@rhsoft.net wrote: > > Am 13.09.2014 um 15:10 schrieb LuKreme: >> On 12 Sep 2014, at 13:55 , li...@rhsoft.net wrote: >>> Am 12.09.2014 um 21:49 schrieb Philip Prindeville: >>>>> However, any time I connect via telnet to th

Re: Why does EHLO [X.X.X.X] always pass helo restrictions?

2014-09-13 Thread Philip Prindeville
On Sep 13, 2014, at 7:59 PM, Wietse Venema wrote: > Philip Prindeville: >> Who says anything about mail servers? What if it's an MUA doing >> this? > > If the MUA connects to the MX service (port25) then it is an issue. > > If the MUA connects to port 587,

Re: Why does EHLO [X.X.X.X] always pass helo restrictions?

2014-09-16 Thread Philip Prindeville
On Sep 14, 2014, at 2:17 AM, li...@rhsoft.net wrote: > > > Am 14.09.2014 um 01:54 schrieb Philip Prindeville: >> On Sep 13, 2014, at 7:35 AM, li...@rhsoft.net wrote: >>> Am 13.09.2014 um 15:10 schrieb LuKreme: >>>> On 12 Sep 2014, at 13:55 , li...@rhsoft.net

Re: FYI: blocking attachment extensions

2014-09-16 Thread Philip Prindeville
MIMEDefang allows you to do all this, plus you can call Perl modules like File::Type on attachments to figure out if the file has been mistyped (i.e. the content-type disagrees with what the actual file header and/or file extension says it is). -Philip On Sep 16, 2014, at 12:04 PM, li...@rhso

Re: blocking attachment extensions

2014-09-17 Thread Philip Prindeville
On Sep 17, 2014, at 3:28 PM, Bill Cole wrote: > On 16 Sep 2014, at 18:18, Philip Prindeville wrote: > >> MIMEDefang allows you to do all this, plus you can call Perl modules like >> File::Type on attachments to figure out if the file has been mistyped (i.e. >> th

Re: FYI: blocking attachment extensions

2014-10-03 Thread Philip Prindeville
On Sep 18, 2014, at 7:45 AM, terrygalant.li...@fastest.cc wrote: > I've been reading the discussion here and the various approaches to blocking > extensions > > I'd gotten this from a friend awhile ago, and have been using it > > With > > postfix_header_checks = pcre:/path/to/custom_hea