Hi Thomas, Daniel and everyone else. I’ve set up a new mail server and mail seems to flow properly. Everything seems good. The only thing is that because ASSP is not the destination for submission (Postfix is) I can’t use the ‘Resend’ button in Block Reports. I also had to create the assp-block, assp-spam and assp-notspam email addresses otherwise Postfix would reject them as unknown users.
I.e. now I can’t send an email to rsbm_spamx2fxlastx5fxchancex5fxsavex5fxupx5fxtox5fx80x5fxonx5fxdrobox5fxforx5fxyourx5fxnewx5fxwox2dxx2dx558....@bordo.com.au to get my blocked email sent to me. The email client gets back:

The server response was: <rsbm_spamx2fxlastx5fxchancex5fxsavex5fxupx5fxtox5fx80x5fxonx5fxdrobox5fxforx5fxyourx5fxnewx5fxwox2dxx2dx558....@bordo.com.au>: Temporary lookup failure

ASSP Startup:

Jan-25-19 18:38:46 [init] Listening for SMTP connections on [::]:25 , 0.0.0.0:25
Jan-25-19 18:38:46 [init] Listening for admin HTTP connections on [::]:55555 , 0.0.0.0:55555
Jan-25-19 18:38:46 [init] Listening for stat HTTP connections on [::]:55553 , 0.0.0.0:55553
Jan-25-19 18:38:46 [init] Listening for SMTP relay connections on 127.0.0.1:10025

ASSP Config:

listenPort is: 25
smtpDestination is: 127.0.0.1:10026
smtpDestinationSSL is: SSL:127.0.0.1:126
listenPortSSL is:
listenPort2 is:
relayHost is: 127.0.0.1:10026
relayPort is: 127.0.0.1:10025

Postfix’s master.cf has:

127.0.0.1:10026 inet n - n - - smtpd
127.0.0.1:126 inet n - n - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=mail.bordo.com.au
465 inet n - n - 20 smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=100
587 inet n - n - 20 smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=100

So I now no longer have the SSL client requires a read first errors in ASSP, as it is not handling submissions, but ASSP’s email interface won’t work.

Any suggestions?

Thanks,

James.

> On 17 Dec 2018, at 1:12 pm, Daniel Miller <dmil...@amfes.com> wrote:
>
> Couple things I notice:
>
> In ASSP - you have set:
>
> listenPort:=25
> smtpDestination:=127.0.0.1:10026
> listenPortSSL:=
> smtpDestinationSSL:=127.0.0.1:126
> listenPort2:=
> smtpAuthServer:=SSL:127.0.0.1:126
> relayHost:=127.0.0.1:10026
> relayPort:=127.0.0.1:10025
>
> So - ASSP is globally listening on port 25, and will forward any connection
> to 10026. In the clear.
>
> You have an override for explicit SSL connections to port 126.
>
> And an authenticated connection target of 10026 - exclusively SSL. However -
> you don't declare listenPort2. So ASSP isn't explicitly listening for
> authentication and, unless I'm quite wrong (which is always a strong
> possibility), the smtpAuthServer setting won't be used.
>
> ASSP is listening for connections from Postfix on 10025 and will forward
> those connections back to port 10026.
>
> So - my initial ASSP summary:
>
> ASSP listens openly on port 25, will forward clear connections to 10026 and
> SSL connections to 126. However - the SSL connection to Postfix is not
> "forced". Also the communication from & back to Postfix for relay is not
> forced SSL either.
>
> Next...Postfix:
>
> 127.0.0.1:10026 inet n - n - - smtpd
>   -o smtpd_sasl_auth_enable=yes
> 127.0.0.1:126 inet n - n - - smtpd
>   -o syslog_name=assptls
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_proxy_filter=
>   -o myhostname=mail.bordo.com.au
> 465 inet n - n - 20 smtpd
>   -o smtpd_proxy_filter=127.0.0.1:10025
>   -o smtpd_client_connection_count_limit=100
>
> Postfix is listening for authentication on port 10026 - without requiring SSL
> (though it will support STARTTLS).
>
> Postfix is listening for "forced" SSL connections on port 126.
>
> And listening on port 465 where it will forward to port 10025. Again without
> requiring SSL.
>
> So...
>
> I'm guessing your Mail.app is using STARTTLS - it connects to Postfix on port
> 465, which accepts the connection, forwards to ASSP on 10025, which returns
> to Postfix at 10026 - at which time Postfix checks for authentication - and
> then it continues on its way.
>
> Thunderbird is probably trying to do "forced" SSL - which isn't being
> listened for.
>
> My initial recommendations:
>
> * Move the "-o smtpd_sasl_auth_enable=yes" to your port 465 stanza. This is
>   where the authentication should be.
>
> * Add (don't move) the "-o smtpd_tls_wrappermode=yes" to the port 465 stanza.
>   This will enable "forced" SSL.
>
> * Change ASSP's "smtpDestinationSSL" to "SSL:127.0.0.1:126" (note the prefix
>   of "SSL:")
>
> * The smtpAuthServer setting should be cleared so it's not confusing.
>
> The new flow - port 25 continues as it was. Which means both cleartext and
> STARTTLS support (but NOT "forced" SSL). Port 465 is now a dedicated SSL
> listener which requires authentication before it passes Postfix - which then
> forwards to ASSP via port 10025. ASSP will forward that via port 10026.
>
> I think after you do that...things might be a little better, although now
> your Mail.app may need to be adjusted! There may be something else we need
> to adjust in Postfix but this should be close.
>
> A purist might insist on adding SSL to ports 10025 & 10026 - but let's leave
> that for later when everything else is working if you really want it.
>
> Daniel
>
> On 12/14/2018 8:28 AM, Daniel Miller via Assp-test wrote:
>> Ok - so you have Postfix listening. There's a few different choices
>> available to have Postfix forward to ASSP. I would recommend using
>> Postfix's before-queue content filter method.
>>
>> The entries you've setup in master.cf already are for mail that has been
>> processed by ASSP and now needs delivery.
>> Again - before proceeding further
>> you need to verify things work - clients can connect and authenticate and
>> send via your existing ASSP/Postfix/Dovecot chain.
>>
>> Now in master.cf:
>>
>> 465 inet n - n - 20 smtpd
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>   -o smtpd_client_connection_count_limit=10
>>
>> Note the above address/port are arbitrary - pick what you want though the
>> localhost address is appropriate given your setup. The
>> "smtpd_client_connection_count_limit" may be adjusted as needed. It is also
>> up to you whether or not to have additional validation checks in this
>> Postfix listener (you should - let Postfix block out whatever it can before
>> it touches ASSP otherwise there's not much point in this approach).
>>
>> The "smtpd_proxy_filter" tells Postfix to forward mail to another server for
>> processing prior to delivery. So ASSP needs to be listening for that
>> connection. You can use the primary listeners listenPort, listenPort2, and
>> listenPortSSL but probably a better choice is to configure ASSP with:
>>
>> relayPort=127.0.0.1:10025
>>
>> That matches the setting in master.cf above - and that should do it. To
>> make it SSL - for the master.cf entry above for 465 add
>>
>> -o smtpd_tls_wrappermode=yes
>>
>> and in ASSP make it
>>
>> relayPort=SSL:127.0.0.1:10025
>>
>> Daniel
>>
>> On 12/13/2018 7:13 PM, James Brown wrote:
>>>> On 13 Dec 2018, at 5:39 am, Daniel Miller <dmil...@amfes.com> wrote:
>>>>
>>>> The "lsof -i" is a lower-case i (just confirming if it got auto-corrected
>>>> by email spellcheck).
>>>>
>>>> If "lsof" (or other tools) can't confirm an open port we've got other
>>>> problems. Need to get that part first.
>>>> What is expected:
>>>>
>>>> # lsof -i :126
>>>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>>> master 1260 root 104u IPv4 33860 0t0 TCP localhost.localdomain:126 (LISTEN)
>>>>
>>>> Daniel
>>> Yes, Daniel, it was auto-correct in my email.
>>>
>>> The reason I got nothing returned is because I did not run in sudo mode.
>>> Now I get:
>>>
>>> $ sudo lsof -i :10026
>>> Password:
>>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>> master 89692 root 85u IPv4 0x1117b83fdbb9d20b 0t0 TCP localhost:10026 (LISTEN)
>>>
>>> $ sudo lsof -i :126
>>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>>> perl 32559 root 25u IPv4 0x1117b83fd26de50b 0t0 TCP localhost:49213->localhost:nxedit (CLOSE_WAIT)
>>> master 89692 root 88u IPv4 0x1117b83fdbb9e50b 0t0 TCP localhost:nxedit (LISTEN)
>>>
>>> James.
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
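The listener-by-listener reading of master.cf in the quoted replies (which port offers AUTH, which forces SSL, which hands off to ASSP) can also be done mechanically. The following is an added example, not part of the original thread and not code from ASSP or Postfix; the sample input is the December master.cf as quoted above, and the function names are hypothetical. It assumes only per-service `-o name=value` overrides matter, so anything set in main.cf is invisible to it.

```python
import shlex

# master.cf stanzas as quoted in the thread (December 2018 state).
MASTER_CF = """\
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:126 inet n - n - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=mail.bordo.com.au
465 inet n - n - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=100
"""

def parse_master_cf(text):
    """Return [(service, command, {opt: value})]; main.cf is not read (assumption)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # indented line continues the entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = shlex.split(line)            # 8 fixed columns, then arguments
        opts = {}
        for flag, value in zip(fields[8:], fields[9:]):
            if flag == "-o" and "=" in value:
                opts.update([value.split("=", 1)])
        services.append((fields[0], fields[7], opts))
    return services

def audit(services):
    """Flag smtpd listeners that offer AUTH or feed a proxy without forced TLS."""
    findings = []
    for name, command, opts in services:
        forced = (opts.get("smtpd_tls_wrappermode") == "yes"
                  or opts.get("smtpd_tls_security_level") == "encrypt")
        if command != "smtpd" or forced:
            continue
        if opts.get("smtpd_sasl_auth_enable") == "yes":
            findings.append((name, "AUTH offered without forced TLS"))
        if opts.get("smtpd_proxy_filter"):
            findings.append((name, "forwards to proxy filter without forced TLS"))
    return findings
```

Run against the December stanzas, `audit(parse_master_cf(MASTER_CF))` reports the 10026 and 465 listeners, the same two that the quoted analysis singles out.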