On 12/10/2018 2:59 PM, James Brown via Assp-test wrote:
On 11 Dec 2018, at 8:55 am, Daniel Miller via Assp-test
<assp-test@lists.sourceforge.net> wrote:
On 12/10/2018 5:06 AM, James Brown via Assp-test wrote:
I’m trying to properly set up Postfix, ASSP, and Dovecot, which are all on
the same machine. My problem is with users submitting emails.
I run exactly the setup above - with a totally different config. A
few things:
ASSP (as I understand it) should be setup as the "public" interface
for all SMTP connections - whether internet senders, authenticated
clients, or internal LAN. So ASSP generally listens on ports 25 &
587 - I don't use 465.
listenPort:=25
smtpDestination:=127.0.0.1:125
listenPort2:=587
smtpAuthServer:=SSL:127.0.0.1:126
NoAUTHlistenPorts:=25
There are a number of other ASSP settings you'll have to tweak of
course - but these are the basics to communicate. So unauthenticated
internet senders connect to port 25 which is forwarded to Postfix on
port 125. Authenticated senders on port 587, using SSL (and you may
want to wait to get SSL setup until the basic connections are
working), go to Postfix on port 126.
Postfix master.cf:
# Listeners for mail FROM assp. This is mail from the Internet
# destined for local delivery
#
127.0.0.1:125 inet n - y - - smtpd
    -o syslog_name=assp
    -o smtpd_proxy_filter=
    -o myhostname=<your public hostname here>
# Listener for dedicated TLS/SSL mode. Historically intended for port 465 support.
# Non-TLS connections will not initiate.
# Functionally identical to previous listener - simply adds TLS line.
# Comment out the TLS Wrapper for initial setup.
127.0.0.1:126 inet n - y - - smtpd
    -o syslog_name=assptls
    -o smtpd_tls_wrappermode=yes
    -o smtpd_proxy_filter=
    -o myhostname=<your public hostname here>
At this point Dovecot has nothing to do with either ASSP or Postfix.
Dovecot should still be unrelated to ASSP - but if you want to use
Dovecot for local delivery (a good idea) or authentication (another
good idea) there's more to configure in Postfix, primarily in main.cf
See if the above gets you working SMTP connections - then take the
next step.
--
Daniel
Thanks Bob and Daniel.
This is similar to my current (old) mail server setup. I’m using 465
for submission as that seems to be the preferred way now ("The latter
port (465) was previously deprecated, but this changed with RFC 8314
<https://tools.ietf.org/html/rfc8314> and its use is now recommended
to ensure security.” - Simple Mail Transfer Protocol - Wikipedia
<https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol> ). With
ASSP handling the SSL on submissions I get an ‘SSL wants a read first’
error at least once a day. I have to restart ASSP to allow the person
to send emails again.
Now with the new machine I’m setting up, I get this ‘SSL wants a read
first’ error for every message I try to send. When I asked Thomas
about this he said:
remember "NEVER connect clients directly to ASSP" + "DO NOT use ASSP
as a client connector"
And he said:
the recommended mail flow is
https://sourceforge.net/p/assp/wiki/ASSP_Advanced_Workflow/
Trying to implement this mail flow is where I came unstuck!
(My new server is running macOS Mojave, perl is 5.028, ASSP is 2.6.2
build 18339)
James.
James,
Try the setup I suggested previously. With the
"smtpd_tls_wrappermode=yes" set for Postfix it will require TLS for the
initial connection - no cleartext. With ASSP connecting to that port
via "smtpAuthServer:=SSL:127.0.0.1:126" - that should eliminate your issue.
Now, it's up to you whether or not ASSP listens publicly on port 465,
587, or anything else via listenPort2. Whether (LAN-side) clients
connect to Postfix first and then ASSP - I don't see the benefit given
that all internet traffic is the reverse. It's certainly possible to
have Postfix be the LAN-side listener - just adds another layer. Then
you can play with ASSP's relayHost & associated settings as well. I had
it once flowing back and forth between Postfix & ASSP - but what's the
point?
If ASSP is *supposed* to examine all mail that gets sent (for ham copy
purposes if nothing else) then I don't see a load reduction that would
benefit anything. However, if clients are either filtered out *prior*
to connecting to ASSP, or if there is other content-based filtering that
reduces the load on ASSP, then that would justify it.
--
Daniel
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
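The master.cf fragment Daniel posted relies on three properties that are easy to break when retyping it: the listeners ASSP hands mail to (125 and 126) must be bound to loopback only, otherwise an internet sender can connect to them directly and bypass ASSP entirely (they have no proxy filter of their own); the port ASSP reaches with "SSL:" in smtpAuthServer must run smtpd in TLS wrapper mode, or the TLS handshake ASSP starts meets a cleartext SMTP banner; and every "-o" override must be an indented continuation line, because Postfix parses an unindented one as a new (malformed) service entry. The script below is an added example, not ASSP's or Postfix's own code, that parses a master.cf and checks those three invariants. The embedded master.cf is constructed: it mirrors the two loopback listeners from the thread with mail.example.com standing in for the hostname placeholder, plus a deliberately broken third listener that trips every check. It assumes that every "host:port"-style inet smtpd entry is one of the private listeners behind ASSP (bare service names such as "smtp" are skipped as public by design); the port list passed to the lint is the set of ports ASSP is configured to reach over SSL.

```python
"""Lint a Postfix master.cf for an ASSP-fronted setup (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the two loopback listeners from the thread, with an
# example hostname in place of the placeholder, followed by a constructed
# broken listener (public bind, no wrapper mode, one unindented -o line).
SAMPLE_MASTER_CF = """\
# Listeners for mail FROM assp
127.0.0.1:125 inet n - y - - smtpd
  -o syslog_name=assp
  -o smtpd_proxy_filter=
  -o myhostname=mail.example.com
127.0.0.1:126 inet n - y - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=mail.example.com
# Constructed broken variant of a 465-style wrapper listener
0.0.0.0:465 inet n - y - - smtpd
  -o syslog_name=broken
-o smtpd_proxy_filter=
"""


@dataclass
class Service:
    """One master.cf service entry plus the -o overrides that follow it."""
    name: str                      # e.g. "127.0.0.1:125" or "smtp"
    kind: str                      # inet / unix / fifo / pass
    command: str                   # e.g. "smtpd"
    lineno: int
    options: dict = field(default_factory=dict)
    unindented_options: list = field(default_factory=list)


def parse_master_cf(text):
    """Parse master.cf text into Service records.

    Postfix treats a line that starts with whitespace as a continuation of
    the previous entry. An unindented "-o ..." line is therefore not an
    override at all; it is recorded against the preceding service so the
    lint can report it instead of silently accepting it.
    """
    services = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        indented = raw[0] in " \t"
        if fields[0] == "-o":
            if current is None:
                raise ValueError(f"line {lineno}: -o before any service entry")
            key, _, value = " ".join(fields[1:]).partition("=")
            current.options[key] = value
            if not indented:
                current.unindented_options.append(lineno)
            continue
        if indented:
            continue  # other command arguments; not needed for these checks
        if len(fields) < 8:
            raise ValueError(f"line {lineno}: expected 8 fields, got {len(fields)}")
        current = Service(name=fields[0], kind=fields[1], command=fields[7], lineno=lineno)
        services.append(current)
    return services


def lint_assp_listeners(services, tls_wrapper_ports):
    """Return (service name, problem code) pairs; an empty list means clean.

    tls_wrapper_ports are the ports ASSP reaches with a leading "SSL:" in
    smtpAuthServer/smtpDestination; smtpd there must run in wrapper mode.
    """
    wanted_tls = {str(p) for p in tls_wrapper_ports}
    problems = []
    for svc in services:
        if svc.kind != "inet" or svc.command != "smtpd":
            continue
        host, _, port = svc.name.rpartition(":")
        if not host:
            continue  # bare "smtp"/"submission": public by design, not ASSP-fed
        try:
            loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:
            loopback = host == "localhost"
        if not loopback:
            # Reachable from outside: a sender can skip ASSP's filtering.
            problems.append((svc.name, "public-bind"))
        if port in wanted_tls and svc.options.get("smtpd_tls_wrappermode") != "yes":
            # ASSP will start a TLS handshake against a cleartext banner.
            problems.append((svc.name, "no-tls-wrapper"))
        if svc.unindented_options:
            # Postfix would parse the stray -o line as a new service entry.
            problems.append((svc.name, "unindented-o"))
    return problems


if __name__ == "__main__":
    found = lint_assp_listeners(parse_master_cf(SAMPLE_MASTER_CF), (126, 465))
    for name, code in found:
        print(f"{name}: {code}")
```

Run it against a real file with `parse_master_cf(open("/etc/postfix/master.cf").read())` and the port list from your own smtpDestination/smtpAuthServer values; the first two sample listeners come back clean, and only the constructed 0.0.0.0:465 entry is reported.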