On 12/10/2018 2:59 PM, James Brown via Assp-test wrote:

On 11 Dec 2018, at 8:55 am, Daniel Miller via Assp-test <assp-test@lists.sourceforge.net> wrote:

On 12/10/2018 5:06 AM, James Brown via Assp-test wrote:
I’m trying to properly set up Postfix, ASSP, and Dovecot on the same machine. My problem is with users submitting emails.


I run exactly the setup above - with a totally different config.  A few things:

ASSP (as I understand it) should be set up as the "public" interface for all SMTP connections - whether internet senders, authenticated clients, or internal LAN.  So ASSP generally listens on ports 25 & 587 - I don't use 465.

listenPort:=25
smtpDestination:=127.0.0.1:125
listenPort2:=587
smtpAuthServer:=SSL:127.0.0.1:126
NoAUTHlistenPorts:=25

There are a number of other ASSP settings you'll have to tweak of course - but these are the basics to communicate.  So unauthenticated internet senders connect to port 25 which is forwarded to Postfix on port 125.  Authenticated senders on port 587, using SSL (and you may want to wait to get SSL set up until the basic connections are working), go to Postfix on port 126.

Postfix master.cf:

# Listeners for mail FROM assp. This is mail from the Internet
# destined for local delivery
#
127.0.0.1:125 inet n       -       y       -       -       smtpd
  -o syslog_name=assp
  -o smtpd_proxy_filter=
  -o myhostname=<your public hostname here>

# Listener for dedicated TLS/SSL mode. Historically intended for port 465 support.
# Non-TLS connections will not initiate.
# Functionally identical to previous listener - simply adds TLS line.
# Comment out the TLS Wrapper for initial setup.
127.0.0.1:126 inet n       -       y       -       -       smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=<your public hostname here>

At this point Dovecot has nothing to do with either ASSP or Postfix.  Dovecot should still be unrelated to ASSP - but if you want to use Dovecot for local delivery (a good idea) or authentication (another good idea) there's more to configure in Postfix, primarily in main.cf

See if the above gets you working SMTP connections - then take the next step.

--
Daniel


Thanks Bob and Daniel.

This is similar to my current (old) mail server setup. I’m using 465 for submission as that seems to be the preferred way now (“The latter port (465) was previously deprecated, but this changed with RFC 8314 <https://tools.ietf.org/html/rfc8314> and its use is now recommended to ensure security.” - Simple Mail Transfer Protocol - Wikipedia <https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol> ). With ASSP handling the SSL on submissions I get an ‘SSL wants a read first’ error at least once a day. I have to restart ASSP to allow the person to send emails again.

Now with the new machine I’m setting up, I get this ‘SSL wants a read first’ error for every message I try to send. When I asked Thomas about this he said:

/remember "NEVER connect clients directly to ASSP" + "DO NOT use ASSP as a client connector"/

And he said:

/the recommended mail flow is
https://sourceforge.net/p/assp/wiki/ASSP_Advanced_Workflow/ /

Trying to implement this mail flow is where I came unstuck!

(My new server is running macOS Mojave, perl is 5.028, ASSP is 2.6.2 build 18339)

James.

James,

Try the setup I suggested previously.  With the "smtpd_tls_wrappermode=yes" set for Postfix it will require TLS for the initial connection - no cleartext.  With ASSP connecting to that port via "smtpAuthServer:=SSL:127.0.0.1:126" - that should eliminate your issue.

Now, it's up to you whether or not ASSP listens publicly on port 465, 587, or anything else via listenPort2.  Whether (LAN-side) clients connect to Postfix first and then ASSP - I don't see the benefit given that all internet traffic is the reverse.  It's certainly possible to have Postfix be the LAN-side listener - just adds another layer.  Then you can play with ASSP's relayHost & associated settings as well.  I had it once flowing back and forth between Postfix & ASSP - but what's the point?

If ASSP is *supposed* to examine all mail that gets sent (for ham copy purposes if nothing else) then I don't see a load reduction that would benefit anything.  However, if clients are either filtered out *prior* to connecting to ASSP, or if there is other content-based filtering that reduces the load on ASSP, then that would justify it.

--
Daniel
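
A consistency check for the two configurations discussed in this thread, as an added example (not code from ASSP, Postfix, or any of the posters): it verifies that an ASSP backend target carrying the `SSL:` prefix points at a Postfix listener with `smtpd_tls_wrappermode=yes`, and that a target without the prefix points at a plaintext listener. The function names and the inline sample configs are constructed for illustration, and only the simple `-o name=value` override form is parsed.

```python
import re

# Constructed sample input: the relevant settings quoted in the thread.
ASSP_CFG = """\
smtpDestination:=127.0.0.1:125
smtpAuthServer:=SSL:127.0.0.1:126
"""
MASTER_CF = """\
127.0.0.1:125 inet n - y - - smtpd
  -o syslog_name=assp
127.0.0.1:126 inet n - y - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
"""

def parse_master_cf(text):
    """Map 'host:port' -> {override: value} for each inet service entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line: "-o name=value" (simple form only)
            m = re.match(r"\s+-o\s+([^=\s]+)=(.*)", line)
            if m and current is not None:
                current[m.group(1)] = m.group(2).strip()
        else:
            f = line.split()
            is_inet = len(f) > 1 and f[1] == "inet"
            current = services.setdefault(f[0], {}) if is_inet else None
    return services

def check(assp_cfg, master_cf):
    """Return mismatches between ASSP's backend targets and the Postfix listeners."""
    services, problems = parse_master_cf(master_cf), []
    for line in assp_cfg.splitlines():
        key, _, value = line.strip().partition(":=")
        if key not in ("smtpDestination", "smtpAuthServer"):
            continue
        wants_tls = value.startswith("SSL:")
        addr = value[4:] if wants_tls else value
        if addr not in services:
            problems.append(f"{key}: no Postfix listener on {addr}")
            continue
        wrapped = services[addr].get("smtpd_tls_wrappermode") == "yes"
        if wants_tls != wrapped:
            problems.append(f"{key}: SSL prefix={wants_tls}, wrappermode={wrapped} on {addr}")
        if not addr.startswith("127.0.0.1:"):  # assumption: same-host setup as in the thread
            problems.append(f"{key}: backend {addr} is not bound to loopback")
    return problems
```

An empty list from `check(ASSP_CFG, MASTER_CF)` means both sides agree on which backend port speaks TLS from the first byte.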
