Re[2]: Issues enabling SASL in Postfix

2008-09-12 Thread Алексей Доморадов
 Finally it's working!
 You were right. There was something interfering.
 Turns out that our cisco firewall had some smtp fix-up feature
 enabled. After disabling it I could telnet smtp from the outside as I
 did from the inside.

cisco pix?

FYI
Question Background:
I have a Cisco PIX firewall in place. I am trying to force SMTP authentication 
so that remote users can relay through my server without having to open my 
server up to true relay. The problem is, no one outside my firewall can use 
SMTPAuth. Why is this?

Answer:
This is likely because your firewall is using the SMTP Fixup protocol. This is 
stopping the EHLO command sent by the clients being passed on to the server. As 
the EHLO command is rejected the clients then correctly go on to use HELO and 
thus cannot authenticate.

Disable fixup on your router and the clients will then be able to send the EHLO 
Command correctly.

If your firewall is a Cisco PIX then you should be able to use the command:

no fixup protocol smtp 25 


test please ignore

2008-09-12 Thread Ian Masters
.



Non-deliverable mail

2008-09-12 Thread Ian Masters
Hello,

I've set up a local mail server with Postfix 2.3.3 and Dovecot 1.0.7 on
CentOS 5.2.

This is the first time I've used Postfix.

I can send and receive local mail which, for the moment, is fine.

When I tried to send a mail to an external mail address, the delivery
failed, but I did not get a mail from the server notifying me of that.

Using mailq I can see that the mail is languishing there:

(connect to alt1.gmail-smtp-in.l.google.com[209.85.163.27]: Connection
timed out)

I'd like to know why I didn't get notified.

According to http://www.postfix.org/bounce.5.html:
The Postfix bounce(8) server produces delivery status
notification (DSN) messages for undeliverable mail,
delayed mail, successful delivery or address verification
requests.

By default, these notifications are generated from built-in
templates with message headers and message text.

I'm presuming that means that, without adding anything to
/etc/postfix/main.cf, that I should be getting some kind of notification
about the mail problem from Postfix.

Have I misunderstood this?

If notifications are sent by default, I need to discover why I didn't
get one.

Any help would be much appreciated.

I'd like to know within about 5 or 10 minutes if there is a problem with
a mail I've sent.

Thanks

Ian Masters



Re: Non-deliverable mail

2008-09-12 Thread Алексей Доморадов
 Hello,
 
 I've set up a local mail server with Postfix 2.3.3 and Dovecot 1.0.7 on
 CentOS 5.2.
 
 This is the first time I've used Postfix.
 
 I can send and receive local mail which, for the moment, is fine.
 
 When I tried to send a mail to an external mail address, the delivery
 failed, but I did not get a mail from the server notifying me of that.
 
 Using mailq I can see that the mail is languishing there:
 
 (connect to alt1.gmail-smtp-in.l.google.com[209.85.163.27]: Connection
 timed out)

It seems to be a network problem.


Re: Non-deliverable mail

2008-09-12 Thread GESBBB
- Original Message -
From: Ian Masters [EMAIL PROTECTED]
Sent: Friday, September 12, 2008 5:14:36 AM
Subject: Non-deliverable mail

 Hello,
 
 I've set up a local mail server with Postfix 2.3.3 and Dovecot 1.0.7 on
 CentOS 5.2.
 
 This is the first time I've used Postfix.
 
 I can send and receive local mail which, for the moment, is fine.
 
 When I tried to send a mail to an external mail address, the delivery
 failed, but I did not get a mail from the server notifying me of that.
 
 Using mailq I can see that the mail is languishing there:
 
 (connect to alt1.gmail-smtp-in.l.google.com[209.85.163.27]: Connection
 timed out)
 
 I'd like to know why I didn't get notified.
 
 According to http://www.postfix.org/bounce.5.html:
 The Postfix bounce(8) server produces delivery status
 notification (DSN) messages for undeliverable mail,
 delayed mail, successful delivery or address verification
 requests.
 
 By default, these notifications are generated from built-in
 templates with message headers and message text.
 
 I'm presuming that means that, without adding anything to
 /etc/postfix/main.cf, that I should be getting some kind of notification
 about the mail problem from Postfix.
 
 Have I misunderstood this?
 
 If notifications are sent by default, I need to discover why I didn't
 get one.
 
 Any help would be much appreciated.
 
 I'd like to know within about 5 or 10 minutes if there is a problem with
 a mail I've sent.
 
 Thanks
 
 Ian Masters

You need to post the output of 'postconf -n' along with any pertinent log entries.


Re: Non-deliverable mail

2008-09-12 Thread Max Matslofva
Ian Masters wrote:
 Hello,
 
 I've set up a local mail server with Postfix 2.3.3 and Dovecot 1.0.7 on
 CentOS 5.2.
 
 This is the first time I've used Postfix.
 
 I can send and receive local mail which, for the moment, is fine.
 
 When I tried to send a mail to an external mail address, the delivery
 failed, but I did not get a mail from the server notifying me of that.
 
 Using mailq I can see that the mail is languishing there:
 
 (connect to alt1.gmail-smtp-in.l.google.com[209.85.163.27]: Connection
 timed out)
 
 I'd like to know why I didn't get notified.
 
 According to http://www.postfix.org/bounce.5.html:
 The Postfix bounce(8) server produces delivery status
 notification (DSN) messages for undeliverable mail,
 delayed mail, successful delivery or address verification
 requests.
 
 By default, these notifications are generated from built-in
 templates with message headers and message text.
 
 I'm presuming that means that, without adding anything to
 /etc/postfix/main.cf, that I should be getting some kind of notification
 about the mail problem from Postfix.
 
 Have I misunderstood this?
 
 If notifications are sent by default, I need to discover why I didn't
 get one.
 
 Any help would be much appreciated.
 
 I'd like to know within about 5 or 10 minutes if there is a problem with
 a mail I've sent.
 
 Thanks
 
 Ian Masters
 
 
Set delay_warning_time to 5m or 10m

delay_warning_time (default: 0h)

The time after which the sender receives the message headers of mail that 
is still queued.

To enable this feature, specify a non-zero time value (an integral value 
plus an optional one-letter suffix that specifies the
time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The 
default time unit is h (hours).

/Max


Re: Non-deliverable mail

2008-09-12 Thread Wietse Venema
Ian Masters:
 Hello,
 
 I've set up a local mail server with Postfix 2.3.3 and Dovecot 1.0.7 on
 CentOS 5.2.
 
 This is the first time I've used Postfix.
 
 I can send and receive local mail which, for the moment, is fine.
 
 When I tried to send a mail to an external mail address, the delivery
 failed, but I did not get a mail from the server notifying me of that.

The delivery did not fail. The connection timed out. Postfix tries
again every so often until it gives up.

You get notification when Postfix gives up. By default,
Postfix gives up after four days ($maximal_queue_lifetime).

You can also get notification when Postfix hasn't given up,
but that will be sent only once ($delay_warning_time).

 Using mailq I can see that the mail is languishing there:
 
 (connect to alt1.gmail-smtp-in.l.google.com[209.85.163.27]: Connection
 timed out)

This shows that Postfix has not yet given up.

 I'd like to know why I didn't get notified.

You really don't want notification of every mail delivery attempt
every five minutes or so.

 According to http://www.postfix.org/bounce.5.html:
 The Postfix bounce(8) server produces delivery status
 notification (DSN) messages for undeliverable mail,
 delayed mail, successful delivery or address verification
 requests.

Your mail is not undeliverable, that is why it is still in the
queue. It becomes undeliverable when the destination rejects
it, or when Postfix gives up retrying.

Wietse


Re: new to postfix

2008-09-12 Thread Carlos Williams
On Fri, Sep 12, 2008 at 7:59 AM, David Ballano [EMAIL PROTECTED] wrote:
 Hello people,

 I'm new Here, and I have a lot of questions for you, thanks in advance :)


 I'm configuring a postfix 2.3 server in a debian etch, it's my first
 time so I would like to do a simple configuration.

First you need to do the following:

Add this to your /etc/apt/source.list

deb http://ftp.us.debian.org/debian/ etch main
deb-src http://ftp.us.debian.org/debian/ etch main

deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

deb http://www.backports.org/debian etch-backports main contrib non-free

deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free

This adds backports and volatile repos which have the latest versions
of Postfix and ClamAV.

# apt-get clean
# apt-get update
# apt-get dist-upgrade

That will leave you with a Postfix 2.5 installation rather than the
dated 2.3 you have installed from Etch repos.


Re: new to postfix

2008-09-12 Thread Алексей Доморадов
 Hello people,
 
 I'm new Here, and I have a lot of questions for you, thanks in advance :)
 
 
 I'm configuring a postfix 2.3 server in a debian etch, it's my first
 time so I would like to do a simple configuration.
 
 I've been reading the documentation of postfix.org, believe me.
 
 That is what I've done
 
 1- Installed Postfix
 
 that's my main.cf file (I'm following the Postfix virtual MAILBOX
 example: separate domains, non-UNIX accountsconf from postfix.org, so
 I added some things)
 
 smtpd_sasl_path = smtpd
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated, check_relay_domains
 
 myhostname = orion.ballano.net
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = ballano.net, orion.ballano.net, localhost.ballano.net, 
 localhost
 relayhost =
 mynetworks = 127.0.0.0/8
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 
 virtual_mailbox_domains = ballano.net
 virtual_mailbox_base = /var/mail/vhosts
 virtual_mailbox_maps = hash:/etc/postfix/vmailbox
 
 virtual_minimun_uid = 100
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 
 
 My questions are, how can I secure the access to the smtp? I've been
 reading about sasl2 so I installed sasl2 and the saslauth daemon, (it is in
 the same package I think ??)
 
 saslauth is running
 ps wax | grep saslauthd
 19707 ?Ss 0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19708 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19709 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19710 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 
 auth with pam?? I don't want to create UNIX users.

Show output

# saslauthd -v

 /usr/local/lib/sasl2/smtpd.conf
 pwcheck_method: auxprop
 auxprop_plugin: sasldb
 mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 
 I also create a sasldb2 database but I don't know how to paste the
 whole thing...

# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login

 I want to authenticate my client with a secure layer, you know I don't
 want to send the pass and user in plain text. and the problem is that
 I'm not sure if this is the correct way to do it.
Use SSL/TLS: http://www.postfix.org/TLS_README.html


Re: new to postfix

2008-09-12 Thread Brian Evans - Postfix List
David Ballano wrote:
 Hello people,

 I'm new Here, and I have a lot of questions for you, thanks in advance :)


 I'm configuring a postfix 2.3 server in a debian etch, it's my first
 time so I would like to do a simple configuration.

 I've been reading the documentation of postfix.org, believe me.

 That is what I've done

 1- Installed Postfix

 that's my main.cf file (I'm following the Postfix virtual MAILBOX
 example: separate domains, non-UNIX accountsconf from postfix.org, so
 I added some things)

   
Next time, please show 'postconf -n'.  Your eyes can play tricks on you
vs. what Postfix sees.
 smtpd_sasl_path = smtpd
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated, check_relay_domains

   
This is totally wrong. You need to have reject_unauth_destination after
permit_sasl_authenticated.
 myhostname = orion.ballano.net
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = ballano.net, orion.ballano.net, localhost.ballano.net, 
 localhost
 relayhost =
 mynetworks = 127.0.0.0/8
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all

 virtual_mailbox_domains = ballano.net
   
Do *not* list a domain in virtual_(mailbox|alias)_domains AND mydestination.
Doing so will cause issues and postfix will complain and possibly hand
off to the wrong delivery agent.
 virtual_mailbox_base = /var/mail/vhosts
 virtual_mailbox_maps = hash:/etc/postfix/vmailbox

 virtual_minimun_uid = 100
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000


 My questions are, how can I secure the access to the smtp? I've been
 reading about sasl2 so I installed sasl2 and the saslauth daemon, (it is in
 the same package I think ??)

 saslauth is running
 ps wax | grep saslauthd
 19707 ?Ss 0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19708 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19709 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19710 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5

 auth with pam?? I don't want to create UNIX users.

 /usr/local/lib/sasl2/smtpd.conf
 pwcheck_method: auxprop
 auxprop_plugin: sasldb
 mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

 I also create a sasldb2 database but I don't know how to paste the
 whole thing...

 I want to authenticate my client with a secure layer, you know I don't
 want to send the pass and user in plain text. and the problem is that
 I'm not sure if this is the correct way to do it.

   

Experiment with setting: smtpd_tls_security_level = may and
smtpd_tls_auth_only = yes.
This forces clients to use TLS in order to AUTH and TLS is like OpenSSL
for a connection.
Make sure to read http://www.postfix.org/SASL_README.html#server_cyrus
and the documentation for Cyrus SASL.

If this is a private submission port, you can set
smtpd_tls_security_level = encrypt, but this should NOT be on the smtp
port of an MX.

Brian
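
A check added here (not from any poster on this list) for the two EHLO points in this digest: a middlebox such as the PIX "fixup protocol smtp" that blocks EHLO so clients fall back to HELO and never see AUTH, and Brian's smtpd_tls_auth_only = yes, which should keep AUTH out of the cleartext EHLO reply and advertise it only after STARTTLS. It uses Python's standard smtplib; the host and port given on the command line are assumed to be a server you administer.

```python
import smtplib
import ssl


def parse_ehlo_keywords(ehlo_reply):
    """Turn the multi-line EHLO reply smtplib returns (bytes; the first line
    is the server's hostname) into a set of upper-cased EHLO keywords.
    Postfix with broken_sasl_auth_clients = yes also emits "AUTH=PLAIN LOGIN";
    that "=" form is folded into the plain AUTH keyword."""
    keywords = set()
    for line in ehlo_reply.decode("latin-1").splitlines()[1:]:
        line = line.strip()
        if line:
            keywords.add(line.split()[0].split("=")[0].upper())
    return keywords


def assess(pre_tls, post_tls):
    """Classify what a client sees. pre_tls: keywords from the cleartext EHLO;
    post_tls: keywords from the EHLO after STARTTLS, or None if none was done."""
    if "STARTTLS" not in pre_tls:
        # Either the server offers no TLS, or something between client and
        # server is mangling EHLO (the firewall fixup case from the thread).
        return "no-starttls"
    if "AUTH" in pre_tls:
        # AUTH offered in the clear: smtpd_tls_auth_only = yes is not in effect.
        return "auth-in-clear"
    if post_tls and "AUTH" in post_tls:
        return "auth-tls-only"  # what Brian's two settings should produce
    return "no-auth"


def probe(host, port=587, timeout=10):
    """Live check of your own server (needs network). Returns the assess()
    label, or "ehlo-rejected" when EHLO itself is refused, which is the
    symptom in the first thread: clients then fall back to HELO and AUTH is
    never offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code != 250:
            return "ehlo-rejected"
        pre = parse_ehlo_keywords(reply)
        post = None
        if "STARTTLS" in pre:
            smtp.starttls(context=ssl.create_default_context())
            code, reply = smtp.ehlo()  # capabilities must be re-read after TLS
            post = parse_ehlo_keywords(reply) if code == 250 else set()
        return assess(pre, post)


if __name__ == "__main__":
    import sys
    # usage: python ehlo_check.py mail.example.com 587   (placeholder host)
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

Run it once from inside and once from outside the firewall: a result that differs between the two, or "ehlo-rejected" only from outside, points at the network path rather than at Postfix.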



Confusing DSN behavior (Postfix 2.2.10)

2008-09-12 Thread Bayer, Marko
Hello list,

our mail gateways seem to support DSN although the used version of postfix 
should actually not support DSN (RFC3184). And so we don't want to send DSN

An external recipient received a DSN from our internal MS Exchange 2003 server.

First some information on our postfix mailsystem

os: RHEL 4 Update 7

postfix version: 2.2.10
--
$ rpm -qi postfix
Name: postfix  Relocations: (not relocatable)
Version : 2.2.10Vendor: Red Hat, Inc.
Release : 1.1.el4   Build Date: Thu 25 Jan 2007 
09:00:30 AM CET
Install Date: Mon 07 May 2007 01:47:06 PM CEST  Build Host: 
hs20-bc1-7.build.redhat.com
Group   : System Environment/DaemonsSource RPM: 
postfix-2.2.10-1.1.el4.src.rpm
Size: 7013562  License: IBM Public License
Signature   : DSA/SHA1, Mon 12 Feb 2007 07:27:15 PM CET, Key ID 219180cddb42a60e
Packager: Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
URL : http://www.postfix.org
Summary : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
TLS and running in a chroot environment.
--

sandwich-config:
postfix-recv - amavisd-new - postfix-send

in /etc/postfix-recv/main.cf we added the following line (though the version 
does not officially support DSN)

smtpd_discard_ehlo_keywords =   silent-discard, dsn

Following the header of the mail which requested a DSN


Microsoft Mail Internet Headers Version 2.0
Received: from mx1010.internal.dom ([192.168.9.12]) by
MX0032.internal.dom with Microsoft SMTPSVC(6.0.3790.3959);
 Fri, 12 Sep 2008 13:34:06 +0200
Received: from intmx0001.internal.dom ([10.99.1.1]) by
mx1010.internal.dom with Microsoft SMTPSVC(6.0.3790.3959);
 Fri, 12 Sep 2008 13:34:06 +0200
Received:  from mgate.official.tld ([a.b.c.d]) by
intmx0002.official.tld with SMTP (Microsoft Exchange Internet
Mail Service Version 5.5.2658.3) id RNJFHZP5; Fri, 12 Sep 2008
13:33:57 +0200
Return-Receipt-To: external.sender [EMAIL PROTECTED] 
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=_=_NextPart_001_01C914CB.71630080
Received:  from vscan.official.tld (vscan.official.tld
[a.b.c.e]) by mgate.official.tld (Postfix) with ESMTP id
2C45C238117 for [EMAIL PROTECTED]; Fri, 12 Sep 2008
13:33:57 +0200 (CEST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received:  from moutng.kundenserver.de (moutng.kundenserver.de
[212.227.126.183]) by mgate.official.tld (Postfix) with ESMTP id
50DEC5A8058 for [EMAIL PROTECTED]
Received:  from brian.sender.dom (frnk-590ed5a3.pool.einsundeins.de
[89.14.213.1]) by mrelayeu.kundenserver.de (node=mrelayeu5) with
ESMTP (Nemesis) id 0ML25U-1Ke6uK2kQw-0006GL; Fri, 12 Sep 2008 13:33:48
+0200
Received:  from localhost (localhost [127.0.0.1]) by brian.sender.dom
(Postfix) with ESMTP id 273E462C352 for [EMAIL PROTECTED]
Received:  from brian.sender.dom ([127.0.0.1]) by localhost
(brian.sender.dom [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
4Ni8vRE-NtCt for [EMAIL PROTECTED]
Received:  from fetchmailusershome.no-ip.org (localhost [127.0.0.1]) by
brian.sender.dom (Postfix) with ESMTP id 99C1862C0CD for [EMAIL PROTECTED]
; Fri, 12 Sep 2008 13:33:45 +0200
(CEST)
Received:  from a.b.c.g (proxying for unknown)
(SquirrelMail authenticated user fetchmailuser)by 
fetchmailusershome.no-ip.org
with HTTP;Fri, 12 Sep 2008 13:33:45 +0200 (CEST)
x-spam-score: -1.366
x-provags-id: V01U2FsdGVkX1+EAxuf62McDjd3aXmdK4dKS0teIQdC3AK027l
gdsLwUixulnxgEF6dhx0Rs+/fJIk1s58E/TkCKVIbja8Zti57J
EekBJaqAhAvY+DmZBfheLVGX+UEO6GR
x-virus-scanned: amavisd-new at sender.dom
x-spam-level:
x-spam-status: No, score=-1.366 tagged_above=- required=5
tests=[AWL=-0.986, BAYES_00=-2.599, TVD_SPACE_RATIO=2.219]
user-agent: SquirrelMail/1.4.9a
x-spam-flag: NO
Content-class: urn:content-classes:message
Subject: dsn test
Date: Fri, 12 Sep 2008 13:33:45 +0200
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
[EMAIL PROTECTED]
Thread-Topic: dsn test
Thread-Index: AckUy3GGuC7o9V0XQeql1y8GSb5kYw==
From: external.sender [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 12 Sep 2008 11:34:06.0902 (UTC)
FILETIME=[7749ED60:01C914CB]

--_=_NextPart_001_01C914CB.71630080
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

--_=_NextPart_001_01C914CB.71630080
Content-Type: application/ms-tnef;
name=winmail.dat
Content-Transfer-Encoding: base64


--_=_NextPart_001_01C914CB.71630080--
##

And here the corresponding headers of the DSN

##
Return-Path: 
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
 by brian.sender.dom (Postfix) with ESMTP id 5D2B362C367
 for ; Fri, 12 Sep 2008 13:35:15 +0200 (CEST)
X-Virus-Scanned: amavisd-new at 

Re: Confusing DSN behavior (Postfix 2.2.10)

2008-09-12 Thread mouss

Bayer, Marko wrote:

Hello list,

our mail gateways seem to support DSN although the used version of postfix should 
actually not support DSN (RFC3184). And so we don't want to send DSN


An external recipient received a DSN from our internal MS Exchange 2003 server.



and this has something to do with postfix? do you know the difference 
between a DSN and an MDN?



[snip]
Return-Receipt-To: external.sender [EMAIL PROTECTED] 


so they asked for a receipt.

[snip] 
And here the corresponding headers of the DSN


[snip]
Received: from MX0032.internal.dom ([192.168.8.115]) by
intmx0003.internal.dom with Microsoft SMTPSVC(6.0.3790.3959);
 Fri, 12 Sep 2008 13:34:11 +0200


and 192.168.8.115 sent them a receipt.

do you have a postfix question?



user disable sending mails outside domain

2008-09-12 Thread okahei
Hello all.

I have got a situation where a user is authenticated against SASL to
let him send mails.

Now we want that this user is able to send only mails to our domain
and not let him send an email to a different domain than ours.

is it possible ?

thanks.


Re: user disable sending mails outside domain

2008-09-12 Thread Robert Schetterer

[EMAIL PROTECTED] wrote:

Hello all.

I have got a situation where a user is authenticated against SASL to
let him send mails.

Now we want that this user is able to send only mails to our domain
and not let him send an email to a different domain than ours.

is it possible ?

thanks.

simply disable or change his SASL password
and/or use an access map to reject by mail address, IP, whatever
seems best fitting

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: user disable sending mails outside domain

2008-09-12 Thread mouss

[EMAIL PROTECTED] wrote:

Hello all.

I have got a situation where a user is authenticated against SASL to
let him send mails.

Now we want that this user is able to send only mails to our domain
and not let him send an email to a different domain than ours.

is it possible ?



yes. As already said, the simplest approach is to remove his login/pass.

if you can't (because his MUA asks for login:pass), and if you check 
for sender-login mismatch, then you can use check_sender_access to return 
reject_unauth_destination.


if this doesn't answer your question, please describe your setup as 
precisely as possible.


Re: user disable sending mails outside domain

2008-09-12 Thread Robert Schetterer

[EMAIL PROTECTED] wrote:

Hi all

I can't reset his SASL password.

What we want is to let him send to our domain (he is physically out of the
office), and let him send outside (but all mails coming from this
person and going to a different domain get deferred)

So the user thinks he still can send outside mails, but those mails
never get delivered.

(we've got some nasty user doing nasty things)

I know I can achieve this situation playing with
smtp_sender_restrictions but it isn't too clear to me right now.

thanks to all

On Fri, Sep 12, 2008 at 5:17 PM, Robert Schetterer
[EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:

Hello all.

I have got a situation where a user is authenticated against SASL to
let him send mails.

Now we want that this user is able to send only mails to our domain
and not let him send an email to a different domain than ours.

is it possible ?

thanks.

simply disable or change his SASL password
and/or use an access map to reject by mail address, IP, whatever
seems best fitting

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria



you may need advanced setup for that

first
matching his mailaddress ( make sure with sasl that he only can use
the one he is allowed to )

like this

smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unlisted_sender,
permit_mynetworks,
reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated,



you need an additional table

smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

/etc/postfix/sender_login_maps

[EMAIL PROTECTED] sasl_username

or if you want a SASL user to be able to use all addresses from a domain
@address.de sasl_username

( but this is not what you want in this case but you might need it with 
other users, as you need to have a match for all existing SASL users
by using the rule above )


after making sure this way that the SASL user can only send
with specific mail from addresses

you create a table
like this matching this address

smtpd_recipient_restrictions =
 ...
 check_sender_access hash:/etc/postfix/filterted_sender_access,
 
 reject_unauth_destination,
 ...

with

/etc/postfix/filterted_sender_access

[EMAIL PROTECTED] smtpd_restriction_class, i.e.

[EMAIL PROTECTED] filtered_sender_to_our_domain_only

then in main.cf

smtpd_restriction_classes = filtered_sender_to_our_domain_only


filtered_sender_to_our_domain_only =
check_recipient_access 
hash:/etc/postfix/recipient_access_to_our_domain_only,

check_recipient_access regexp:/etc/postfix/discard_all_mail.regexp,
permit

with

/etc/postfix/recipient_access_to_our_domain_only

ourdomain.de OK

and

/etc/postfix/discard_all_mail.regexp

/^/ DISCARD


I am not sure about discarding all the rest of the mails; maybe a filter to/or 
redirect of the mails would be better to have a look at what your ugly user 
does/mails, and I may have bugs in this

so some others from the list may have an easier solution
or correct me

please next time use the list to propagate exactly what you are trying to set up

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
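
To see what Robert's chain actually does for one RCPT TO, here is an added model (not Postfix code and not from the thread) of the lookups in the order he describes: sender-login mismatch first, then check_sender_access handing off to the restriction class, then reject_unauth_destination. The tables mirror the files above with ourdomain.de from the thread; the login names nasty and alice, and permit_sasl_authenticated sitting before reject_unauth_destination in the recipient list (elided as "..." in his post), are assumptions.

```python
import re

# Constructed tables mirroring the files in the post. ourdomain.de is from
# the thread; the login names are assumed placeholders.
OUR_DOMAINS = {"ourdomain.de"}               # what reject_unauth_destination accepts

SENDER_LOGIN_MAPS = {                        # /etc/postfix/sender_login_maps
    "nasty@ourdomain.de": "nasty",
    "alice@ourdomain.de": "alice",           # every SASL user needs an entry
}
FILTERED_SENDER_ACCESS = {                   # /etc/postfix/filterted_sender_access
    "nasty@ourdomain.de": "filtered_sender_to_our_domain_only",
}
RECIPIENT_ACCESS_OUR_DOMAIN_ONLY = {"ourdomain.de": "OK"}
DISCARD_ALL_MAIL_REGEXP = [(re.compile(r"^"), "DISCARD")]   # /^/ DISCARD


def access_keys(address):
    """Keys in the order access(5) tries them: the full address, its domain,
    each parent domain (parent_domain_matches_subdomains lists
    smtpd_access_maps by default), then localpart@."""
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return [address, domain, *parents, local + "@"]


def lookup(table, address):
    for key in access_keys(address):
        if key in table:
            return table[key]
    return None


def lookup_regexp(table, address):
    for pattern, action in table:
        if pattern.search(address):
            return action
    return None


def sender_owner(sender):
    """smtpd_sender_login_maps: exact address first, then the @domain form
    the post mentions for users allowed to use a whole domain."""
    _, _, domain = sender.rpartition("@")
    return SENDER_LOGIN_MAPS.get(sender) or SENDER_LOGIN_MAPS.get("@" + domain)


def sender_restrictions(sasl_user, sender, enforce_login_mismatch=True):
    """reject_authenticated_sender_login_mismatch, permit_sasl_authenticated.
    (The unknown/non-FQDN sender checks from the post are left out.)"""
    if sasl_user is None:
        return "DUNNO"
    if enforce_login_mismatch and sender_owner(sender) != sasl_user:
        return "REJECT"   # MAIL FROM not owned by this login name
    return "PERMIT"       # ends this list only; the recipient list still runs


def recipient_restrictions(sasl_user, sender, recipient):
    """check_sender_access -> restriction class, then (assumed)
    permit_sasl_authenticated, then reject_unauth_destination."""
    if lookup(FILTERED_SENDER_ACCESS, sender) == "filtered_sender_to_our_domain_only":
        # The class: check_recipient_access (OK -> permit), then /^/ DISCARD.
        if lookup(RECIPIENT_ACCESS_OUR_DOMAIN_ONLY, recipient) == "OK":
            return "PERMIT"
        if lookup_regexp(DISCARD_ALL_MAIL_REGEXP, recipient) == "DISCARD":
            return "DISCARD"   # accepted at SMTP time, silently dropped
        return "PERMIT"        # the class's trailing permit (unreachable here)
    if sasl_user is not None:
        return "PERMIT"
    _, _, rdomain = recipient.rpartition("@")
    return "PERMIT" if rdomain in OUR_DOMAINS else "REJECT"   # reject_unauth_destination


def decide(sasl_user, sender, recipient, enforce_login_mismatch=True):
    """Outcome for one RCPT TO with smtpd_delay_reject = yes: the sender
    list is evaluated first and a REJECT there ends the transaction."""
    if sender_restrictions(sasl_user, sender, enforce_login_mismatch) == "REJECT":
        return "REJECT"
    return recipient_restrictions(sasl_user, sender, recipient)
```

The enforce_login_mismatch switch shows why Robert starts with the sender-login check: without it the filtered user only has to put a different MAIL FROM on the message to miss the check_sender_access entry and relay as any other authenticated client.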


Re: new to postfix

2008-09-12 Thread David Ballano
2008/9/12 Brian Evans - Postfix List [EMAIL PROTECTED]:
 David Ballano wrote:
 Hello people,

 I'm new Here, and I have a lot of questions for you, thanks in advance :)


 I'm configuring a postfix 2.3 server in a debian etch, it's my first
 time so I would like to do a simple configuration.

 I've been reading the documentation of postfix.org, believe me.

 That is what I've done

 1- Installed Postfix

 that's my main.cf file (I'm following the Postfix virtual MAILBOX
 example: separate domains, non-UNIX accountsconf from postfix.org, so
 I added some things)


 Next time, please show 'postconf -n'.  Your eyes can play tricks on you
 vs. what Postfix sees.
That's my postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = $mydomain, orion.ballano.net, localhost.ballano.net, localhost
mydomain = ballano.net
myhostname = orion.ballano.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP (Microsoft Exchange)
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:5000

 smtpd_sasl_path = smtpd
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myhostname
 broken_sasl_auth_clients = yes
 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated, check_relay_domains


 This is totally wrong.. you need to have reject_unauth_destination after
 permit_sasl_authenticated.

ok I modified

 myhostname = orion.ballano.net
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = ballano.net, orion.ballano.net, localhost.ballano.net, 
 localhost
 relayhost =
 mynetworks = 127.0.0.0/8
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all

 virtual_mailbox_domains = ballano.net

 Do *not* list a domain in virtual_(mailbox|alias)_domains AND mydestination.
 Doing so will cause issues and postfix will complain and possibly hand
 off to the wrong delivery agent.

I put mydomain variable instead, I think that is ok, isn't it?

 virtual_mailbox_base = /var/mail/vhosts
 virtual_mailbox_maps = hash:/etc/postfix/vmailbox

 virtual_minimun_uid = 100
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000


 My questions are, how can I secure the access to the smtp? I've been
 reading about sasl2 so I installed sasl2 and the saslauth daemon, (it is in
 the same package I think ??)

 saslauth is running
 ps wax | grep saslauthd
 19707 ?Ss 0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19708 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19709 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5
 19710 ?S  0:00 /usr/sbin/saslauthd -a pam -c -n 5

 auth with pam?? I don't want to create UNIX users.

 /usr/local/lib/sasl2/smtpd.conf
 pwcheck_method: auxprop
 auxprop_plugin: sasldb
 mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

 I also create a sasldb2 database but I don't know how to paste the
 whole thing...

 I want to authenticate my client with a secure layer, you know I don't
 want to send the pass and user in plain text. and the problem is that
 I'm not sure if this is the correct way to do it.



 Experiment with setting: smtpd_tls_security_level = may and
 smtpd_tls_auth_only = yes.
 This forces clients to use TLS in order to AUTH and TLS is like OpenSSL
 for a connection.
 Make sure to read http://www.postfix.org/SASL_README.html#server_cyrus
 and the documentation for Cyrus SASL.


for now, I think all configurations are the same as the docs. I added a
user to the sasldb with the command saslpasswd2,

sasldblistusers2
[EMAIL PROTECTED]: userPassword

cat /etc/postfix/vmailbox
[EMAIL PROTECTED]   ballano.net/david/

cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

I don't know what to put in mech_list for SASL to auth secured; that
is what I saw on the Internet, probably wrong...

and the last thing is the saslauthd daemon, which I imagine is the most
important for SASL because it does the authentication, but if I do a ps
 ps -ef | grep saslauth
root 11840  7526  

Recommendation for setting Amavisd-new spam destiny for post-queue

2008-09-12 Thread Ian R. Justman


Hi, all.

I was curious what best practices are nowadays for those who use 
post-queue filtering if they elect not to keep 
spam/virused/bad-attachment-laden messages, something which I found 
myself having to do owing to my previous message (there's no way to 
selectively disable pre-queueing on a per-connection basis based on 
connecting IP or whether the remote party has authenticated itself).


After having moved from pre-queue-filtering to condition-based 
post-queue filtering, that leaves me with a problem based on my present 
Amavisd policy of rejecting any questionable messages (spam/virus/banned 
attachments) to kill messages dead in their tracks during the SMTP 
session.  As such, I will have to change to something like D_DISCARD so 
I can keep my mail queue clean.


Any thoughts?

Thanks!

--Ian.

--
Ian R. Justman
UNIX hacker.  Anime fan.  Any questions?
ianj (at) ian-justman.com


Re: Recommendation for setting Amavisd-new spam destiny for post-queue

2008-09-12 Thread Noel Jones

Ian R. Justman wrote:


Hi, all.

I was curious what best practices are nowadays for those who use 
post-queue filtering if they elect not to keep 
spam/virused/bad-attachment-laden messages, something which I found 
myself having to do owing to my previous message (there's no way to 
selectively disable pre-queueing on a per-connection basis based on 
connecting IP or whether the remote party has authenticated itself).


After having moved from pre-queue-filtering to condition-based 
post-queue filtering, that leaves me with a problem based on my present 
Amavisd policy of rejecting any questionable messages (spam/virus/banned 
attachments) to kill messages dead in their tracks during the SMTP 
session.  As such, I will have to change to something like D_DISCARD so 
I can keep my mail queue clean.


Any thoughts?



My theory:

The only reasonable choices for a post-queue spam/virus filter 
are discard (and optionally quarantine), or tag+pass and let 
the mail client classify based on the tags.
Rejecting spam/viruses post-queue will send a bounce to the 
likely-forged sender address, annoying some innocent party. 
Do this enough and you'll get blacklisted.  Ditto for sending 
"your mail was blocked due to spam/virus" notices to the 
sender.  Those should never be sent anymore.


For banned files, the choice isn't so clear.  IME most banned 
files are sent by real users, so a bounce (or a sender 
notification) is returned to the actual sender; this is good.
However, if you ban executables you will occasionally block an 
unknown virus.  Those bounces will probably go to an innocent 
party, creating some backscatter.


Viruses should probably not be tagged+passed; too much risk of 
clients disregarding the virus tag.  So the options with 
viruses are to either discard, or to separate virus scanning 
from spam scanning by using clamav-milter or similar to reject 
viruses pre-queue.


Practice:

Actual implementation will depend on your size and business 
model.  Here (private network with ~1000 users), we tag+pass 
spam up to some SA score, higher scoring spam is discarded. 
Viruses are always discarded.
Discarded mail is saved in an admin-access-only quarantine for 
a few days, then removed by a cron job.  We rarely need to 
release something from quarantine - maybe once every 3 or 4 
months - but management likes to know it's there.


--
Noel Jones
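
An added example, not Noel's own configuration and not anything shipped with amavisd-new, showing how the practice above maps onto amavisd.conf settings. The score thresholds, quarantine directory and five-day retention are assumptions to adjust per site.

```perl
# Added example: amavisd.conf fragment for tag+pass below a kill score,
# discard above it, always discard viruses, quarantine for a few days.
# Thresholds, paths and retention below are assumptions, not defaults.
use strict;

# Tag+pass: X-Spam-Status/X-Spam-Level headers from $sa_tag_level_deflt,
# X-Spam-Flag: YES and the subject tag from $sa_tag2_level_deflt. Mail
# below the kill level is delivered and the client sorts on the tags.
$sa_tag_level_deflt  = 2.0;
$sa_tag2_level_deflt = 6.2;

# At or above the kill level $final_spam_destiny applies instead of D_PASS.
$sa_kill_level_deflt = 12.0;

# Never D_BOUNCE or D_REJECT spam/viruses post-queue: the envelope sender
# is usually forged, so the DSN would be backscatter to an innocent party.
$final_spam_destiny       = D_DISCARD;
$final_virus_destiny      = D_DISCARD;
$final_bad_header_destiny = D_PASS;
# Banned files mostly come from real users, so a bounce reaches them;
# the occasional unknown virus among them is the trade-off Noel notes.
$final_banned_destiny     = D_BOUNCE;

# No "your mail was blocked" notices to the (likely forged) sender.
$warnspamsender   = 0;
$warnvirussender  = 0;
$warnbannedsender = 0;

# Keep discarded mail in an admin-access-only directory (mode 0750,
# owned by the amavis user) so it can be released if ever needed.
$QUARANTINEDIR        = '/var/virusmails';          # assumed path
$virus_quarantine_to  = 'virus-quarantine';         # local:virus-%m files
$spam_quarantine_to   = 'spam-quarantine';          # local:spam-%m.gz files
$banned_quarantine_to = 'banned-quarantine';
# Do not fill the quarantine with obvious spam far above the kill level.
$sa_quarantine_cutoff_level = 25;

# amavisd does no expiry itself; a daily cron job such as
#   find /var/virusmails -type f -mtime +5 -delete
# run as the amavis user drops entries older than five days (assumed).

1;  # amavisd.conf must end with a true value
```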


Re: Re[2]: Issues enabling SASL in Postfix

2008-09-12 Thread Diego Ledesma
2008/9/12 Алексей Доморадов [EMAIL PROTECTED]:
 Finally it's working!.
 You were right. There was something interfering.
 Turns out that our cisco firewall had some smtp fix-up feature
 enabled. After disabling it i could telnet smtp from the outside as i
 did from the inside.

 cisco pix?

 FYI
 Question Background:
 I have a Cisco PIX firewall in place. I am trying to force SMTP 
 authentication so that remote users can relay through my server without 
 having to open my server up to true relay. The problem is, no one outside my 
 firewall can use SMTPAuth. Why is this?

 Answer:
 This is likely because your firewall is using the SMTP Fixup protocol. This is 
 stopping the EHLO command sent by the clients being passed on to the server. 
 As the EHLO command is rejected the clients then correctly go on to use HELO 
 and thus can not authenticate.

 Disable fixup on your router and the clients will then be able to send the 
 EHLO Command correctly.

 If your firewall is a Cisco PIX then you should be able to use the command:

 no fixup protocol smtp 25


Thanks for that. Yes, it's a Cisco PIX 501 firewall and yes, the EHLO
command was not working from the outside, only HELO, thus I couldn't
authenticate.
I still don't know what the purpose of this fixup thing is, a security
measure I guess but not sure. Anyways, that's off-topic.

Thanks.
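
An added example, not code from this thread, of the check a mail admin would run from outside the firewall to see the symptom Diego describes: whether EHLO is answered with the extension list (AUTH, STARTTLS) or rejected so that clients fall back to plain HELO and cannot authenticate. The server and client host names are placeholders; only core Perl modules are used.

```perl
#!/usr/bin/perl
# Added example: send EHLO to your own MTA from outside and report whether
# ESMTP gets through. Host names below are placeholders.
use strict;
use warnings;
use IO::Socket::INET;

my $host = shift @ARGV || 'mail.example.com';    # placeholder, your own MTA
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 25,
                                 Proto => 'tcp', Timeout => 10)
    or die "connect to $host:25 failed: $@\n";

# Read one SMTP reply, multi-line ("250-...") or not; return code and lines.
sub read_reply {
    my ($s) = @_;
    my ($code, @lines);
    while (defined(my $line = <$s>)) {
        $line =~ s/\r?\n$//;
        push @lines, $line;
        if ($line =~ /^(\d{3})([ -])/) {
            $code = $1;
            last if $2 eq ' ';    # "250 " ends the reply, "250-" continues
        }
    }
    return ($code, @lines);
}

my ($greet) = read_reply($sock);
die "no 220 greeting from $host\n" unless defined $greet && $greet eq '220';

print $sock "EHLO client.example.net\r\n";    # placeholder client name
my ($code, @ehlo) = read_reply($sock);
print $sock "QUIT\r\n";
close $sock;

if (!defined $code || $code ne '250') {
    # A 5xx here while HELO works is the mangled-ESMTP case from the thread:
    # the server never sees EHLO, so it can never advertise AUTH or STARTTLS.
    printf "EHLO rejected (%s): ESMTP is blocked in transit\n", $code // 'no reply';
    exit 1;
}
my @ext = map { /^250[ -](.*)/ ? $1 : () } @ehlo[1 .. $#ehlo];
printf "EHLO accepted; extensions: %s\n", join(', ', @ext) || '(none)';
print "AUTH offered\n"     if grep { /^AUTH\b/ } @ext;
print "STARTTLS offered\n" if grep { /^STARTTLS$/ } @ext;
exit 0;
```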


Running A Mail Server

2008-09-12 Thread Neil
I'm currently running a mail server, for my own use, on a VPS (Postfix 
+Dovecot+Procmail on Gentoo).  I've been toying with the idea of  
moving back to a shared host though, mostly because I'm not sure what  
level of skill is necessary to really run my own internet facing  
server, and if I have that level of skill (I don't really care if my  
website gets hacked; but I'd be rather disturbed if all my email  
suddenly became public information).


I'm running on a VPS mostly because I wasn't happy with the email  
solutions being provided by any other providers, except for a few who  
wanted a bulk purchase at a price I couldn't justify.  I am a fairly  
heavy mail user; but a fairly light user in pretty much all other  
services.  (I barely get any hits on my websites)


What are my chances, as a relative newbie?  (I've run servers before,  
but usually behind a firewall and on a network administered by someone  
else.)  At the moment, I haven't even put a webserver on the VPS  
because I'm afraid it will raise the risk profile to my server.  =\


Any advice?  What are your thoughts on this?

Thanks,
Neil.

(While I know list etiquette is generally to send your replies to  
everyone; I have no objection to off-list replies if you prefer.)


Re: Re[2]: Issues enabling SASL in Postfix

2008-09-12 Thread Olivier MJ Crepin-Leblond
This problem also happens with Cisco routers (i.e. not only PIX firewalls). 
We had a similar problem with a Cisco 837 ADSL router here. The firewall 
checks normal behaviour for SMTP traffic and seems to interfere with ESMTP and 
hence TLS etc.

Procedure to resolve it on the router is the same command.
Regards,
Olivier

--
Olivier MJ Crepin-Leblond, Ph.D.
E-mail:[EMAIL PROTECTED] | http://www.gih.com/ocl.html



- Original Message - 
From: Diego Ledesma [EMAIL PROTECTED]

To: Алексей Доморадов [EMAIL PROTECTED]
Cc: postfix-users@postfix.org
Sent: Friday, September 12, 2008 8:51 PM
Subject: Re: Re[2]: Issues enabling SASL in Postfix



2008/9/12 Алексей Доморадов [EMAIL PROTECTED]:

Finally it's working!.
You were right. There was something interfering.
Turns out that our cisco firewall had some smtp fix-up feature
enabled. After disabling it i could telnet smtp from the outside as i
did from the inside.


cisco pix?

FYI
Question Background:
I have a Cisco PIX firewall in place. I am trying to force SMTP 
authentication so that remote users can relay through my server without 
having to open my server up to true relay. The problem is, no one outside 
my firewall can use SMTPAuth. Why is this?


Answer:
This is likely because your firewall is using the SMTP Fixup protocol. This 
is stopping the EHLO command sent by the clients being passed on to the 
server. As the EHLO command is rejected the clients then correctly go on 
to use HELO and thus can not authenticate.


Disable fixup on your router and the clients will then be able to send 
the EHLO Command correctly.


If your firewall is a Cisco PIX then you should be able to use the 
command:


no fixup protocol smtp 25



Thanks for that. Yes, it's a Cisco PIX 501 firewall and yes, the EHLO
command was not working from the outside, only HELO, thus I couldn't
authenticate.
I still don't know what the purpose of this fixup thing is, a security
measure I guess but not sure. Anyways, that's off-topic.

Thanks.





can smtp from command line

2008-09-12 Thread gishaust

hi everyone,

I have been trying to telnet from my linux laptop using the following 
command

telnet 192.***.***.*** 25

and the host keeps shutting me down. I know it is something to do with Postfix 
but I don't know why. But if I telnet into port 143 or 22 I can get into the 
server. I thought it might be the firewall but after flushing it, it still will 
not work. The reason I am using the IP address is that I have not set up a DNS 
server. If I telnet localhost 25 after ssh-ing into the server I can access it 
fine.


I am at the final point before I go online and I am trying everything 
out but I want to know if I can smtp inside the network before I go live 
and look at the logs go over






alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = scan:127.0.0.1:10026
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
mydestination = mta.ert.com, mta, localhost.localdomain, localhost
myhostname = mta
mynetworks = 127.0.0.0/8, 192.168.1.2/24
myorigin = /etc/mailname
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 5120
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000



Re: can smtp from command line

2008-09-12 Thread Wietse Venema
gishaust:
[ Charset ISO-8859-1 unsupported, converting... ]
 hi everyone,
 
 I have been trying to telnet from my linux laptop using the following 
 command
 
 telnet 192.***.***.*** 25
 
 and the host keeps shutting me down. I know it is something to do with Postfix 
 but I don't know why. But if I telnet into port 143 or 22 I can get into the 
 server. I thought it might be

See http://www.postfix.org/DEBUG_README.html#logging

Wietse


Question on relay servers

2008-09-12 Thread Padmanabh Padaki


I have set up two relay servers - relay1 and relay2

Relay1 or relay2 accepts the mail from clients and delivers it to the outside 
world.

What I actually want to do is this.

From client1 -> relay1 -> relay2 -> outside world.

To make this work, I added relayhost = relay2.x.x.x  to relay1 main.cf file.


In other words, the mail sent from the client first goes to relay1, then relay1 
delivers it to relay2, and then relay2 should deliver the mail.


When I try the above configuration, the relay1 server's /var/log/syslog has this 
error:


Sep 12 17:18:02 rwns01 postfix/smtpd[10002]: [ID 197553 mail.info] connect from xxx.ecorp.gymboree.com[x.x.x.x]
Sep 12 17:18:02 rwns01 postfix/smtpd[10002]: [ID 197553 mail.info] AADC138B5: client=xxx.ecorp.gymboree.com[x.x.x.x]
Sep 12 17:18:02 rwns01 postfix/cleanup[10008]: [ID 197553 mail.info] AADC138B5: message-id=[EMAIL PROTECTED]mboree.com
Sep 12 17:18:02 rwns01 postfix/qmgr[9986]: [ID 197553 mail.info] AADC138B5: from=[EMAIL PROTECTED], size=585, nrcpt=1 (queue active)
Sep 12 17:18:02 rwns01 postfix/smtpd[10002]: [ID 197553 mail.info] disconnect from xxx.ecorp.gymboree.com[x.x.x.x]
Sep 12 17:18:02 rwns01 postfix/smtp[10010]: [ID 947731 mail.warning] warning: host relay2.ecorp.gymboree.com[y.y.y.y] greeted me with my own hostname gymboree.com
Sep 12 17:18:02 rwns01 postfix/smtp[10010]: [ID 947731 mail.warning] warning: host relay2.ecorp.gymboree.com[y.y.y.y] replied to HELO/EHLO with my own hostname gymboree.com
Sep 12 17:18:02 rwns01 postfix/smtp[10010]: [ID 197553 mail.info] AADC138B5: to=[EMAIL PROTECTED], relay=relay2.ecorp.gymboree.com[y.y.y.y], delay=0, status=bounced (mail for relay2.ecorp.gymboree.com loops back to myself)
Sep 12 17:18:02 rwns01 postfix/cleanup[10008]: [ID 197553 mail.info] D928938B8: message-id=[EMAIL PROTECTED]
Sep 12 17:18:02 rwns01 postfix/qmgr[9986]: [ID 197553 mail.info] D928938B8: from=<>, size=2237, nrcpt=1 (queue active)
Sep 12 17:18:02 rwns01 postfix/qmgr[9986]: [ID 197553 mail.info] AADC138B5: removed
Sep 12 17:18:02 rwns01 postfix/smtp[10010]: [ID 947731 mail.warning] warning: host relay2.ecorp.gymboree.com[y.y.y.y] greeted me with my own hostname gymboree.com
Sep 12 17:18:02 rwns01 postfix/smtp[10010]: [ID 947731 mail.warning] warning: host relay2.ecorp.gymboree.com[y.y.y.y] replied to HELO/EHLO with my own hostname gymboree.com
Sep 12 17:18:02 rwns01 postfix/smtp[10010]: [ID 197553 mail.info] D928938B8: to=[EMAIL PROTECTED], relay=relay2.ecorp.gymboree.com[y.y.y.y], delay=0, status=bounced (mail for relay2.ecorp.gymboree.com loops back to myself)
Sep 12 17:18:02 rwns01 postfix/qmgr[9986]: [ID 197553 mail.info] D928938B8: removed

Any assistance  is greatly appreciated.

I will be more than happy to send the main.cf file from both the servers or any 
info experts on this list want.

- padaki



Re: Recommendation for setting Amavisd-new spam destiny for post-queue

2008-09-12 Thread Sahil Tandon
Noel Jones [EMAIL PROTECTED] wrote:
 
[...]

 Practice:

 Actual implementation will depend on your size and business model.  
 Here (private network with ~1000 users), we tag+pass spam up to some 
 SA score, higher scoring spam is discarded. Viruses are always 
 discarded.  Discarded mail is saved in an admin-access-only quarantine 
 for a few days, then removed by a cron job.  We rarely need to release 
 something from quarantine - maybe once every 3 or 4 months - but 
 management likes to know it's there.

+1 for this setup; it is used here as well.

-- 
Sahil Tandon [EMAIL PROTECTED]


Re: Question on relay servers

2008-09-12 Thread Sahil Tandon
Padmanabh Padaki [EMAIL PROTECTED] wrote:

[...]

 Any assistance  is greatly appreciated.
 
 I will be more than happy to send the main.cf file from both the 
 servers or any info experts on this list want.

Refer to the instructions given to you when you joined this list.  Or 
read the DEBUG_README on the web site and try again.

-- 
Sahil Tandon [EMAIL PROTECTED]