Hi Thomas, Daniel and everyone else. 

I’ve set up a new mail server and mail seems to flow properly. Everything seems 
good. The only thing is that because ASSP is not the destination for submission 
(Postfix is) I can’t use the ‘Resend’ button in Block Reports. I also had to 
create the assp-block, assp-spam and assp-notspam email addresses otherwise 
Postfix would reject them as unknown users.

I.e. now I can’t send an email to 
rsbm_spamx2fxlastx5fxchancex5fxsavex5fxupx5fxtox5fx80x5fxonx5fxdrobox5fxforx5fxyourx5fxnewx5fxwox2dxx2dx558....@bordo.com.au
to get my blocked email sent to me.

The email client gets back:

The server response was: 
<rsbm_spamx2fxlastx5fxchancex5fxsavex5fxupx5fxtox5fx80x5fxonx5fxdrobox5fxforx5fxyourx5fxnewx5fxwox2dxx2dx558....@bordo.com.au>: Temporary lookup failure

ASSP Startup:

Jan-25-19 18:38:46 [init] Listening for SMTP connections on [::]:25 , 0.0.0.0:25
Jan-25-19 18:38:46 [init] Listening for admin HTTP connections on [::]:55555 , 0.0.0.0:55555
Jan-25-19 18:38:46 [init] Listening for stat HTTP connections on [::]:55553 , 0.0.0.0:55553
Jan-25-19 18:38:46 [init] Listening for SMTP relay connections on 127.0.0.1:10025

ASSP Config:

listenPort is: 25
smtpDestination is: 127.0.0.1:10026
smtpDestinationSSL is: SSL:127.0.0.1:126
listenPortSSL is:
listenPort2 is:
relayHost is: 127.0.0.1:10026
relayPort is: 127.0.0.1:10025

Postfix’s master.cf has:

127.0.0.1:10026    inet  n       -       n       -       -       smtpd
127.0.0.1:126      inet  n       -       n       -       -       smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=mail.bordo.com.au
465    inet  n       -       n       -       20       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_wrappermode=yes
        -o smtpd_proxy_filter=127.0.0.1:10025
        -o smtpd_client_connection_count_limit=100
587    inet  n       -       n       -       20       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_wrappermode=yes
        -o smtpd_proxy_filter=127.0.0.1:10025
        -o smtpd_client_connection_count_limit=100

So I no longer have the ‘SSL client requires a read first’ errors in ASSP, as 
it is not handling submissions, but ASSP’s email interface won’t work.

Any suggestions?

Thanks,

James.

> On 17 Dec 2018, at 1:12 pm, Daniel Miller <dmil...@amfes.com 
> <mailto:dmil...@amfes.com>> wrote:
> 
> Couple things I notice:
> 
> In ASSP - you have set:
> 
> listenPort:=25
> smtpDestination:=127.0.0.1:10026
> listenPortSSL:=
> smtpDestinationSSL:=127.0.0.1:126
> listenPort2:=
> smtpAuthServer:=SSL:127.0.0.1:126
> relayHost:=127.0.0.1:10026
> relayPort:=127.0.0.1:10025
> So - ASSP is globally listening on port 25, and will forward any connection 
> to 10026.  In the clear.
> 
> You have an override for explicit SSL connections to port 126.
> 
> And an authenticated connection target of 10026 - exclusively SSL.  However - 
> you don't declare listenPort2.  So ASSP isn't explicitly listening for 
> authentication and, unless I'm quite wrong (which is always a strong 
> possibility), the smtpAuthServer setting won't be used.
> 
> ASSP is listening for connections from Postfix on 10025 and will forward 
> those connections back to port 10026.
> 
> So - my initial ASSP summary:
> 
> ASSP listens openly on port 25, will forward clear connections to 10026 and 
> SSL connections to 126.  However - the SSL connection to Postfix is not 
> "forced".  Also the communication from & back to Postfix for relay is not 
> forced SSL either.
> 
> Next...Postfix:
> 
> 127.0.0.1:10026    inet  n       -       n       -       -       smtpd
>    -o smtpd_sasl_auth_enable=yes
> 127.0.0.1:126      inet  n       -       n       -       -       smtpd
>   -o syslog_name=assptls
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_proxy_filter=
>   -o myhostname=mail.bordo.com.au
> 465    inet  n       -       n       -       20       smtpd
>         -o smtpd_proxy_filter=127.0.0.1:10025
>         -o smtpd_client_connection_count_limit=100
> 
> Postfix is listening for authentication on port 10026 - without requiring SSL 
> (though it will support STARTTLS).
> 
> Postfix is listening for "forced" SSL connections on port 126.
> 
> And listening on port 465 where it will forward to port 10025.  Again without 
> requiring SSL.
> 
> So...
> 
> I'm guessing your Mail.app is using STARTTLS - it connects to Postfix on port 
> 465, which accepts the connection, forwards to ASSP on 10025, which returns 
> to Postfix at 10026 - at which time Postfix checks for authentication - and 
> then it continues on its way.
> 
> Thunderbird is probably trying to do "forced" SSL - which isn't being 
> listened for.
> 
> My initial recommendations:
> 
> * Move the "-o smtpd_sasl_auth_enable=yes" to your port 465 stanza.  This is 
> where the authentication should be.  
> 
> * Add (don't move) the "-o smtpd_tls_wrappermode=yes" to the port 465 stanza. 
>  This will enable "forced" SSL.
> 
> * Change ASSP's "smtpDestinationSSL" to "SSL:127.0.0.1:126"  (note the prefix 
> of "SSL:")
> 
> * The smtpAuthServer setting should be cleared so it's not confusing.
> 
> The new flow - port 25 continues as it was.  Which means both cleartext and 
> STARTTLS support (but NOT "forced" SSL).  Port 465 is now a dedicated SSL 
> listener which requires authentication before it passes Postfix - which then 
> forwards to ASSP via port 10025.  ASSP will forward that via port 10026.
> 
> I think after you do that...things might be a little better, although now 
> your Mail.app may need to be adjusted!  There may be something else we need 
> to adjust in Postfix but this should be close.
> 
> A purist might insist on adding SSL to ports 10025 & 10026 - but let's leave 
> that for later when everything else is working if you really want it.
> 
> 
> Daniel
> 
> On 12/14/2018 8:28 AM, Daniel Miller via Assp-test wrote:
>> Ok - so you have Postfix listening.  There's a few different choices 
>> available to have Postfix forward to ASSP.  I would recommend using 
>> Postfix's before-queue content filter method.
>> 
>> The entries you've setup in master.cf already are for mail that has been 
>> processed by ASSP and now needs delivery.  Again - before proceeding further 
>> you need to verify things work - clients can connect and authenticate and 
>> send via your existing ASSP/Postfix/Dovecot chain.
>> 
>> Now in master.cf:
>> 
>> 465      inet  n       -       n       -       20      smtpd
>>         -o smtpd_proxy_filter=127.0.0.1:10025
>>         -o smtpd_client_connection_count_limit=10
>> 
>> Note the above address/port are arbitrary - pick what you want though the 
>> localhost address is appropriate given your setup.  The 
>> "smtpd_client_connection_count_limit" may be adjusted as needed.  It is also 
>> up to you whether or not to have additional validation checks in this 
>> Postfix listener (you should - let Postfix block out whatever it can before 
>> it touches ASSP otherwise there's not much point in this approach).
>> 
>> The "smtpd_proxy_filter" tells Postfix to forward mail to another server for 
>> processing prior to delivery.  So ASSP needs to be listening for that 
>> connection.  You can use the primary listeners listenPort, listenPort2, and 
>> listenPortSSL but probably a better choice is to configure ASSP with:
>> 
>>     relayPort=127.0.0.1:10025
>> 
>> That matches the setting in master.cf above - and that should do it.  To 
>> make it SSL - for the master.cf entry above for 465 add
>> 
>>     -o smtpd_tls_wrappermode=yes
>> 
>> and in ASSP make it
>> 
>>     relayPort=SSL:127.0.0.1:10025
>> 
>> Daniel
>> 
>> On 12/13/2018 7:13 PM, James Brown wrote:
>>>> On 13 Dec 2018, at 5:39 am, Daniel Miller <dmil...@amfes.com 
>>>> <mailto:dmil...@amfes.com>> wrote:
>>>> 
>>>> The "lsof -i" is a lower-case i (just confirming if it got auto-corrected 
>>>> by email spellcheck).
>>>> 
>>>> If "lsof" (or other tools) can't confirm an open port we've got other 
>>>> problems.  Need to get that part first.  What is expected:
>>>> 
>>>> # lsof -i :126
>>>> COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
>>>> master  1260 root  104u  IPv4  33860      0t0  TCP localhost.localdomain:126 (LISTEN)
>>>> 
>>>> Daniel
>>> Yes, Daniel, it was auto-correct in my email.
>>> 
>>> The reason I got nothing returned is because I did not run in sudo mode. 
>>> Now I get:
>>> 
>>> $ sudo lsof -i :10026
>>> Password:
>>> COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
>>> master  89692 root   85u  IPv4 0x1117b83fdbb9d20b      0t0  TCP localhost:10026 (LISTEN)
>>> 
>>> $ sudo lsof -i :126
>>> COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
>>> perl    32559 root   25u  IPv4 0x1117b83fd26de50b      0t0  TCP localhost:49213->localhost:nxedit (CLOSE_WAIT)
>>> master  89692 root   88u  IPv4 0x1117b83fdbb9e50b      0t0  TCP localhost:nxedit (LISTEN)
>>> 
>>> James.
>> 
>> 
>> 
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
