cyrus sasl2 and authentication [LONG]
OK, first question is will I be able to setup smtpd.conf so that it will support MULTIPLE authentication methods (sql and PAM)?

But first, to get it working. I am running on a custom port right now to avoid mucking with 587 until everything is working:

  2525 inet n - n - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=submit-tls

If I authenticate against users in the sasldb file, with a smtpd.conf of:

  $ cat /usr/local/lib/sasl2/smtpd.conf
  pwcheck_method: auxprop
  mech_list: PLAIN LOGIN

everything works fine. I authenticate and maillog shows the authentication. No problem at all.

If I change smtpd.conf to:

  pwcheck_method: auxprop
  mech_list: PLAIN LOGIN
  auxprop_plugin: sql
  sql_verbose: yes
  sql_engine: mysql
  sql_hostnames: localhost
  sql_user: *user*
  sql_passwd: *passwd*
  sql_database: postfix
  sql_select: select password from mailbox where username = '%u'
  authdaemon_path=/var/run/authdaemond/socket

  $ ls -ls /var/run/authdaemond/socket
  0 srwxrwxrwx 1 root courier 0 Mar 17 01:49 /var/run/authdaemond/socket

authentication fails:

  submit-tls/smtpd[31779]: initializing the server-side TLS engine
  submit-tls/smtpd[31779]: connect from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]
  submit-tls/smtpd[31779]: setting up TLS connection from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]
  submit-tls/smtpd[31779]: c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: TLS cipher list ALL:+RC4:@STRENGTH
  submit-tls/smtpd[31779]: SSL_accept:before/accept initialization
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 read client hello B
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 write server hello A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 write certificate A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 write server done A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 flush data
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 read client key exchange A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 read finished A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 write change cipher spec A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 write finished A
  submit-tls/smtpd[31779]: SSL_accept:SSLv3 flush data
  submit-tls/smtpd[31779]: c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: save session 7EDABA540FC825A33F40BEC39254E374881EE12B0285025A20F73AF83FB2F4E5 s=2525 to smtpd cache
  submit-tls/smtpd[31779]: Anonymous TLS connection established from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: TLSv1 with cipher AES128-SHA (128/128 bits)
  submit-tls/smtpd[31779]: warning: SASL authentication failure: Password verification failed
  submit-tls/smtpd[31779]: warning: c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: SASL PLAIN authentication failed: authentication failure
  submit-tls/smtpd[31779]: disconnect from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]

this is what my MUA logs:

  220 mail.covisp.net ESMTP Postfix 2.5.6
  EHLO cerebus.hsd1.co.comcast.net
  250-mail.covisp.net
  250-PIPELINING
  250-SIZE 15728640
  250-ETRN
  250-STARTTLS
  250-AUTH LOGIN PLAIN
  250-AUTH=LOGIN PLAIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  STARTTLS
  220 2.0.0 Ready to start TLS
  EHLO cerebus.hsd1.co.comcast.net
  250-mail.covisp.net
  250-PIPELINING
  250-SIZE 15728640
  250-ETRN
  250-AUTH LOGIN PLAIN
  250-AUTH=LOGIN PLAIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  *** 535 5.7.8 Error: authentication failed: authentication failure
  QUIT

Manually, I cannot get that far:

  $ telnet mail 2525
  Trying 75.148.117.93...
  Connected to akane.
  Escape character is '^]'.
  220 mail.covisp.net ESMTP Postfix 2.5.6
  EHLO cerebus.hsd1.co.comcast.net
  250-mail.covisp.net
  250-PIPELINING
  250-SIZE 15728640
  250-ETRN
  250-STARTTLS
  250-AUTH LOGIN PLAIN
  250-AUTH=LOGIN PLAIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
  STARTTLS
  220 2.0.0 Ready to start TLS
  EHLO cerebus.hsd1.co.comcast.net
  Connection closed by foreign host.

I rebuilt cyrus-sasl2 so I'd be sure of exactly what configuration options were used:

  configure: running /bin/sh './configure' --prefix=/usr/local '--sysconfdir=/usr/local/etc' '--with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2' '--with-plugindir=/usr/local/lib/sasl2' '--with-dbpath=/usr/local/etc/sasldb2' '--includedir=/usr/local/include' '--enable-static' '--enable-auth-sasldb' '--with-rc4=openssl' '--with-saslauthd=/var/run/saslauthd' '--with-dblib=berkeley' '--with-bdb-libdir=/usr/local/lib' '--with-bdb-incdir=/usr/local/include/db41' '--with-bdb=db41' '--with-mysql=/usr/local' '--without-pgsql' '--without-sqlite' '--enable-sql' '--with-authdaemond=/var/run/authdaemond/socket' '--enable-login' '--enable-ntlm' '--enable-gssapi' '--disable-krb4' '--with-openssl=/usr/local' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd6.2' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe -
Re: cyrus sasl2 and authentication [LONG]
* LuKreme krem...@kreme.com:
> OK, first question is will I be able to setup smtpd.conf so that it will support MULTIPLE authentication methods (sql and PAM)?
>
> But first, to get it working. I am running on a custom port right now to avoid mucking with 587 until everything is working:
>
> 2525 inet n - n - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o syslog_name=submit-tls
>
> If I authenticate against users in the sasldb file, with a smtpd.conf of:
>
> $ cat /usr/local/lib/sasl2/smtpd.conf

Path MUST be /usr/lib/sasl2/smtpd.conf. Create a symlink.

Authentication works, because sasldb is the default and fallback method. If libsasl can't find a smtpd.conf it will fall back to sasldb.

> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN
>
> everything works fine. I authenticate and maillog shows the authentication. No problem at all.
>
> If I change smtpd.conf to:
>
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN
> auxprop_plugin: sql
> sql_verbose: yes
> sql_engine: mysql
> sql_hostnames: localhost
> sql_user: *user*
> sql_passwd: *passwd*
> sql_database: postfix
> sql_select: select password from mailbox where username = '%u'
> authdaemon_path=/var/run/authdaemond/socket
>
> $ ls -ls /var/run/authdaemond/socket
> 0 srwxrwxrwx 1 root courier 0 Mar 17 01:49 /var/run/authdaemond/socket

Which do you want authdaemond or sql?

p...@rick

-- 
The Book of Postfix http://www.postfix-book.com
saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: cyrus sasl2 and authentication [LONG]
On 17-Mar-2009, at 03:15, Patrick Ben Koetter wrote:
> * LuKreme krem...@kreme.com:
>> OK, first question is will I be able to setup smtpd.conf so that it will support MULTIPLE authentication methods (sql and PAM)?
>>
>> But first, to get it working. I am running on a custom port right now to avoid mucking with 587 until everything is working:
>>
>> 2525 inet n - n - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>   -o syslog_name=submit-tls
>>
>> If I authenticate against users in the sasldb file, with a smtpd.conf of:
>>
>> $ cat /usr/local/lib/sasl2/smtpd.conf
>
> Path MUST be /usr/lib/sasl2/smtpd.conf. Create a symlink.
>
> Authentication works, because sasldb is the default and fallback method. If libsasl can't find a smtpd.conf it will fall back to sasldb.

Ok, but then why does it stop working if I change the contents of /usr/local/lib/sasl2/smtpd.conf?

And why are the compile directives set to:

  --with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2' '--with-plugindir=/usr/local/lib/sasl2' '--with-dbpath=/usr/local/etc/sasldb2'

I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.

Oh, and since I forgot to mention, Courier-imapd-ssl works fine, it is only the SMTP authentication that is proving cumbersome.

>> pwcheck_method: auxprop
>> mech_list: PLAIN LOGIN
>>
>> everything works fine. I authenticate and maillog shows the authentication. No problem at all.
>>
>> If I change smtpd.conf to:
>>
>> pwcheck_method: auxprop
>> mech_list: PLAIN LOGIN
>> auxprop_plugin: sql
>> sql_verbose: yes
>> sql_engine: mysql
>> sql_hostnames: localhost
>> sql_user: *user*
>> sql_passwd: *passwd*
>> sql_database: postfix
>> sql_select: select password from mailbox where username = '%u'
>> authdaemon_path=/var/run/authdaemond/socket
>>
>> $ ls -ls /var/run/authdaemond/socket
>> 0 srwxrwxrwx 1 root courier 0 Mar 17 01:49 /var/run/authdaemond/socket
>
> Which do you want authdaemond or sql?

That's a good question. These were the instructions given with postfixadmin, but I did try this without the authdaemon_path line as well. Still, made a few changes and am giving it another go.

-- 
This story shall the good man teach his son;
And Crispin Crispian shall ne'er go by,
From this day to the ending of the world,
But we in it shall be remember'd;
address rewriting with pcre?
Hi,

I've looked at the Postfix Address Rewriting doc, but am struggling to see the best way to do this.

We have virtual mail recipients via mysql. Some of these use + addressing, however not everywhere will accept an email address with a + in.

So, what I'd like to do if it's possible, is rewrite f...@bar.example.com to bar+...@example.com.

Is this possible? Where would be the best place to do this?

Regards,
Rob
Re: address rewriting with pcre?
On 17-Mar-2009, at 04:24, Robert Brooks wrote:
> So, what I'd like to do if it's possible, is rewrite f...@bar.example.com to bar+...@example.com.

I rewrite foo_...@example.com to foo+...@example.com

virtual.pcre:

  /^(.*)_(.*)@example.com$/${1}+$...@example.com

  virtual_alias_maps = hash:$config_directory/virtual pcre:$config_directory/virtual.pcre, mysql:$config_directory/mysql_virtual_alias_maps.cf

your line would look like

  /^(.*)@(.*)\.example.com$/${1}+$...@example.com

In fact, I like that idea, I might implement it.

-- 
Beware of the Leopard!
Re: address rewriting with pcre?
LuKreme wrote:
> I rewrite foo_...@example.com to foo+...@example.com
>
> virtual.pcre:
>
>   /^(.*)_(.*)@example.com$/${1}+$...@example.com
>
>   virtual_alias_maps = hash:$config_directory/virtual pcre:$config_directory/virtual.pcre, mysql:$config_directory/mysql_virtual_alias_maps.cf
>
> your line would look like
>
>   /^(.*)@(.*)\.example.com$/${1}+$...@example.com
>
> In fact, I like that idea, I might implement it.

Ah yes, I should have seen that. Looks perfect, many thanks.

I think I will go with your _ pcre, because now I think about it using sub-domains could make a dictionary attack painful.

Cheers,
Rob
DSN success issue caused by pipe process and virtual alias
Hi,

I set up a Postfix based platform with DSN enabled to support success NOTIFY as described below:

1) Mails are forwarded to Cyrus through LMTP (the "delivered" action is fixed since the thread "LMTP delivery and DSN action value for success")
2) mailboxes on Cyrus are internal addresses; a virtual alias maps the external address to the internal address
3) antispam and antivirus processing is done by a pipe based content filter

I have a first issue when mapping addresses with virtual alias: the address is notified as "expanded" even for a 1 to 1 mapping. I found the following thread: "Re: DSN chain broken by virtual alias map"

> I know the current behaviour is acceptable by rfc3461, and I know that specifying multiple addresses in virtual map is possible and would call for current handling. Still, it would be nice to pass NOTIFY=SUCCESS to the next MTA if virtual alias maps is used purely for 1-to-1 recipient address transformations.
>
> You will find the same behavior with local(8) aliasing, and dot-forward files, again in conformance with the RFC it will propagate all DSN options except for the NOTIFY SUCCESS option. If someone wants one-to-one expansions to be treated special then they will have to write code for virtual alias, local alias, and dot-forward files. It is either all three or nothing. I will not accept inconsistent behavior.

I volunteer to write such code for local alias and dot-forward files too, if that is still OK.

I have a second issue with the pipe process, which doesn't manage DSN options. I started a patch to manage such options.

I propose to open 2 threads on the postfix-devel mailing list for these two patches if everybody is OK.

Thanks,
Sébastien
Re: address rewriting with pcre?
On 3/17/2009 6:47 AM, LuKreme wrote:
> I rewrite foo_...@example.com to foo+...@example.com
>
> virtual.pcre:
>
>   /^(.*)_(.*)@example.com$/${1}+$...@example.com
>
>   virtual_alias_maps = hash:$config_directory/virtual pcre:$config_directory/virtual.pcre, mysql:$config_directory/mysql_virtual_alias_maps.cf
>
> your line would look like
>
>   /^(.*)@(.*)\.example.com$/${1}+$...@example.com
>
> In fact, I like that idea, I might implement it.

I like this idea, since I have encountered some sites that don't allow plus addressing when signing up for things...

The only obvious issue is to make sure you don't have any users with underscores as part of their local username.

I know you could just add a new line for each additional character you wanted to allow for, but could it be done on one line? E.g., if I wanted to also be able to use a '.' (dot), change this line:

  /^(.*)_(.*)@example.com$/

to something like:

  /^(.*)_|.(.*)@example.com$/

(not sure if using the 'or' vertical bar will work as expected here)

-- 
Best regards,
Charles
Re: cyrus sasl2 and authentication [LONG]
* LuKreme krem...@kreme.com:
> On 17-Mar-2009, at 03:15, Patrick Ben Koetter wrote:
>> * LuKreme krem...@kreme.com:
>>> OK, first question is will I be able to setup smtpd.conf so that it will support MULTIPLE authentication methods (sql and PAM)?
>>>
>>> But first, to get it working. I am running on a custom port right now to avoid mucking with 587 until everything is working:
>>>
>>> 2525 inet n - n - - smtpd
>>>   -o smtpd_enforce_tls=yes
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>>   -o syslog_name=submit-tls
>>>
>>> If I authenticate against users in the sasldb file, with a smtpd.conf of:
>>>
>>> $ cat /usr/local/lib/sasl2/smtpd.conf
>>
>> Path MUST be /usr/lib/sasl2/smtpd.conf. Create a symlink.
>>
>> Authentication works, because sasldb is the default and fallback method. If libsasl can't find a smtpd.conf it will fall back to sasldb.
>
> Ok, but then why does it stop working if I change the contents of /usr/local/lib/sasl2/smtpd.conf?
>
> And why are the compile directives set to:
>
>   --with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2' '--with-plugindir=/usr/local/lib/sasl2' '--with-dbpath=/usr/local/etc/sasldb2'

My fault. I've overlooked that. In your case /usr/local/lib/sasl2 is the correct place to store Cyrus SASL config files.

> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.
>
> Oh, and since I forgot to mention, Courier-imapd-ssl works fine, it is only the SMTP authentication that is proving cumbersome.
>
>>> pwcheck_method: auxprop
>>> mech_list: PLAIN LOGIN
>>>
>>> everything works fine. I authenticate and maillog shows the authentication. No problem at all.
>>>
>>> If I change smtpd.conf to:
>>>
>>> pwcheck_method: auxprop
>>> mech_list: PLAIN LOGIN
>>> auxprop_plugin: sql
>>> sql_verbose: yes
>>> sql_engine: mysql
>>> sql_hostnames: localhost
>>> sql_user: *user*
>>> sql_passwd: *passwd*
>>> sql_database: postfix
>>> sql_select: select password from mailbox where username = '%u'
>>> authdaemon_path=/var/run/authdaemond/socket
>>>
>>> $ ls -ls /var/run/authdaemond/socket
>>> 0 srwxrwxrwx 1 root courier 0 Mar 17 01:49 /var/run/authdaemond/socket
>>
>> Which do you want authdaemond or sql?
>
> That's a good question. These were the instructions given with postfixadmin, but I did try this without the authdaemon_path line as well. Still, made a few changes and am giving it another go.

I haven't used postfixadmin, so I don't know what it has on its mind. The question is: Where are the passwords stored and are they plaintext or crypted?

p...@rick

-- 
The Book of Postfix http://www.postfix-book.com
saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: address rewriting with pcre?
On Tue, Mar 17, 2009 at 12:01:13PM CET, Charles Marcus cmar...@media-brokers.com said:
> On 3/17/2009 6:47 AM, LuKreme wrote:
>> I rewrite foo_...@example.com to foo+...@example.com
>>
>> virtual.pcre:
>>
>>   /^(.*)_(.*)@example.com$/${1}+$...@example.com
>>
>>   virtual_alias_maps = hash:$config_directory/virtual pcre:$config_directory/virtual.pcre, mysql:$config_directory/mysql_virtual_alias_maps.cf
>>
>> your line would look like
>>
>>   /^(.*)@(.*)\.example.com$/${1}+$...@example.com
>>
>> In fact, I like that idea, I might implement it.
>
> I like this idea, since I have encountered some sites that don't allow plus addressing when signing up for things...
>
> The only obvious issue is to make sure you don't have any users with underscores as part of their local username.

I would fear it breaks recipient validation, accepting mail for every address with a _ as valid.

-- 
Erwan
opinion about my configuration
Hello to all.

I want some opinion about the SECURITY of my configuration. Is it safe to have postfix running with this config?

Thanks a lot.
Stacker

main.cf
===
mynetworks = 127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_maps = hash:/etc/postfix/virtual
smtpd_banner = netserver.domain.com
home_mailbox=
mail_spool_directory = /var/mail
myhostname = netserver.domain.com
mydomain = domain.com
inet_interfaces = all
default_transport=smtp
defer_transports=hold
transport_maps = hash:/etc/postfix/transport
myorigin = domain.com
mydestination = domain.com
relayhost = mail.domain.com
mailbox_size_limit = 102400
message_size_limit = 102400
qmgr_message_active_limit = 102400
qmgr_message_recipient_limit = 102400
smtpd_sasl_path = smtpd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/local/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
header_checks = regexp:/etc/postfix/header_checks
Re: address rewriting with pcre?
On 17-Mar-2009, at 05:01, Charles Marcus wrote:
> (not sure if using the 'or' vertical bar will work as expected here)

It's a PCRE. As long as the PCRE is valid it should work.

-- 
RTFM replies are great, but please specify exactly which FM to R
Re: opinion about my configuration - correct main.cf
Stacker Hush wrote:
> main.cf
> ===
> mynetworks = 127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8
                            ^^

Are you sure that you want to do this? At least I suggest

  mynetworks = 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

Because your declaration includes public networks, you can be abused as an open relay by those hosts.

The rest seems to be ok.

Kind regards,
Marcel
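As an added example (not from the thread), here is a check that reads mynetworks out of main.cf and flags every network that is not wholly inside loopback or RFC 1918 space, i.e. every range for which permit_mynetworks would let arbitrary Internet hosts relay, and names the private block Marcel points to for each offender. The main.cf text is constructed from the configuration posted above.

```python
"""Audit a Postfix mynetworks value for ranges that leak public address space.

permit_mynetworks trusts every client inside these networks, so a /8 that
covers public space (192.0.0.0/8, 172.0.0.0/8) turns the server into an
open relay for those hosts. This script lists such networks and suggests
the RFC 1918 block that overlaps each one.
"""
import ipaddress
import re

# Constructed from the main.cf posted in the thread (only the relevant lines).
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8
myhostname = netserver.domain.com
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
"""

# Address space that may appear in mynetworks without further thought:
# loopback and the RFC 1918 / RFC 4193 private ranges. Anything else must be
# a public subnet the operator deliberately owns and trusts.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]


def parse_mynetworks(main_cf_text):
    """Return the networks listed on the mynetworks line of main.cf.

    Postfix separates entries with commas and/or whitespace, writes IPv6
    networks as [addr]/len and treats a bare address as a host (/32 or /128).
    Continuation lines (leading whitespace on the next line) are not handled.
    """
    m = re.search(r"^\s*mynetworks\s*=\s*(.*)$", main_cf_text, re.MULTILINE)
    if not m:
        return []
    nets = []
    for tok in re.split(r"[,\s]+", m.group(1).strip()):
        if tok:
            nets.append(ipaddress.ip_network(tok.replace("[", "").replace("]", ""),
                                             strict=False))
    return nets


def audit_mynetworks(networks):
    """Return (network, suggestion) for every network not wholly inside a
    trusted range. suggestion is the trusted block the offender overlaps
    (the tightening Marcel proposes), or None when it overlaps none, which
    means it is a genuinely public range that needs a conscious decision."""
    findings = []
    for net in networks:
        same_family = [t for t in TRUSTED_RANGES if t.version == net.version]
        if any(net.subnet_of(t) for t in same_family):
            continue
        overlap = next((t for t in same_family if net.overlaps(t)), None)
        findings.append((str(net), str(overlap) if overlap else None))
    return findings


if __name__ == "__main__":
    for net, suggestion in audit_mynetworks(parse_mynetworks(SAMPLE_MAIN_CF)):
        hint = "use {} instead".format(suggestion) if suggestion else "public range, verify intent"
        print("mynetworks entry {} covers public address space: {}".format(net, hint))
```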
Re: opinion about my configuration - correct main.cf
On Mar 17, 2009, at 8:29 AM, Stacker Hush stackerh...@gmail.com wrote:

> Hello to all. I'm sending again because the first email was truncated.

Show 'postconf -n' output as Charles suggested.

> I want some opinion about the SECURITY of my configuration. Is it safe to have postfix running with this config?
>
> Thanks a lot.
> Stacker
>
> main.cf
> ===
> mynetworks = 127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8
> alias_maps = hash:/etc/postfix/aliases
> alias_database = hash:/etc/postfix/aliases
> virtual_maps = hash:/etc/postfix/virtual
> smtpd_banner = netserver.domain.com

Do you really not want to support ESMTP?

> home_mailbox=
> mail_spool_directory = /var/mail
> myhostname = netserver.domain.com
> mydomain = domain.com
> inet_interfaces = all
> default_transport=smtp

This is already the default; why redefine it?

> defer_transports=hold
> transport_maps = hash:/etc/postfix/transport
> myorigin = domain.com
> mydestination = domain.com
> relayhost = mail.domain.com
> mailbox_size_limit = 102400
> message_size_limit = 102400
> qmgr_message_active_limit = 102400
> qmgr_message_recipient_limit = 102400
> #qmgr_message_recipient_minimum = 10
> #---AUTH-
> smtpd_sasl_path = smtpd
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
> smtp_sasl_password_maps = hash:/etc/postfix/saslpass

Consider TLS as well.

> #---
> readme_directory = no
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> html_directory = no
> setgid_group = postdrop
> command_directory = /usr/sbin
> manpage_directory = /usr/local/man
> daemon_directory = /usr/libexec/postfix
> newaliases_path = /usr/bin/newaliases
> mailq_path = /usr/bin/mailq
> queue_directory = /var/spool/postfix
> mail_owner = postfix
> unknown_local_recipient_reject_code = 450

-- 
Sahil Tandon sa...@tandon.net
Re: Relocate queue directory
Thanks for the link. I followed those steps and it worked. I wasn't stopping postfix before I copied the existing queue. Everything works now. Thanks again.

----- Original Message -----
From: Sahil Tandon sa...@tandon.net
To: postfix-users@postfix.org
Sent: Monday, March 16, 2009 11:46 PM
Subject: Re: Relocate queue directory

> On Mon, 16 Mar 2009, Brandon Hilkert wrote:
>
>> I'm looking to move the postfix directory from /var/spool/postfix to another array. When I specify the setting in main.cf as:
>>
>>   queue_directory = /opt/postfix
>
> Did you stop Postfix before making this change to main.cf? In your follow-up, include the output of 'postconf -n'.
>
>> I reload and postfix will no longer send mail. All the subfolders are created underneath the /opt/postfix directory with the proper permissions and ownership, but it's not actively working.
>
> This is an insufficient problem description; please show relevant logs.
>
>> After relocating, I tried:
>>
>>   /etc/postfix/post-install create-missing
>>
>> but still didn't work. I got a public/maildrop missing or something.
>
> or something? Logs.
>
>> It seems there should be an easy way to do this. So what is the easiest way to relocate the queue directory?
>
> http://article.gmane.org/gmane.mail.postfix.user/189169
>
> -- 
> Sahil Tandon sa...@tandon.net
Re: Postfix, mysql, virtual users
Thanks for the response,

In the meantime I've got emails delivered to vboxes (cleaning up and setting up a new main.cf helped). You have a few questions and I am not finished yet, so I allow myself to annoy you a bit more ;)

The reason why I chose mysql is CRM. We use one built for us and I want to connect mail and CRM to get an email account when a new employee joins the team. (New account in CRM = new working email address with the same pass). In DB users we got cells I could use: LOGIN | EMAIL | PASS.

So, here are my questions: I already got emails delivered to CRM accounts (email2email - select email from users where email=). Got another DB with forwardings (select destination where source =) to get aliases: info@ will reach my boss. It all works fine but I don't know if I could connect (AND HOW?) another DB? Will it be ok to set up:

  virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf,mysql:/etc/postfix/ANOTHER-EMAIL2EMAIL.cf

??

Thanks once more Magnus, hope you've got a bit more patience for me :)

PS sorry for my English, haven't used it for a long time

Magnus Bäck writes:
> On Monday, March 16, 2009 at 12:36 CET, Sebastian Chociwski wrote:
>
>> I've some problems setting up my postfix server to deliver mails to virtual users. As I understand it works that way: I send an email to my server to u...@virtual-domain.com which is redirected in mysql to user_login.
>>
>> Problem 1: postfix tries to add domain and send mail to: user_lo...@my_domain.com - no such user.
>
> Correct, Postfix qualifies domain-less addresses with @$myorigin.
>
>> I tried another way: u...@virtual-domain.com - u...@virtual-domain.com and get NO SUCH USER as well.
>
> What's the point in mapping an address to itself?
>
>> I've already created:
>>
>>   groupadd -g 5000 vmail
>>   useradd -g vmail -u 5000 vmail -d /home/vmail -m
>>
>> and from my understanding the virtual users maildir should be created by postfix?
>
> You seem to be confusing virtual ALIAS domains with virtual MAILBOX domains. Virtual aliases translate addresses to other addresses, which isn't what you want here. Implement virtual_mailbox_maps so that it returns the path to each user's mailbox. If you want aliases for the users, implement virtual_alias_maps (but DO NOT list the domain in virtual_alias_domains) to map e.g. firstname.lastn...@example.com to loginn...@example.com.

-- 
best regards,
Sebastian Chociwski
Re: address rewriting with pcre?
On 17-Mar-2009, at 06:09, Erwan David wrote:
> I would fear it breaks recipient validation, accepting mail for every address with a _ as valid.

That is a drawback. The other choice is to change the delimiter in postfix to _ and rewrite it to accept all '+' addresses to '_'. The trouble is the huge mass of ignorant websites that refuse to accept a '+' and don't even care that they are wrong. And since we've been using plus addressing for over 10 years, simply switching to '_' (or '.' which at least one IMAP server uses) is just not realistic.

The good thing is, it hasn't been much of a problem. In the last 30 days I've gotten exactly one address that was invalid and had a '_' in it, and I'm pretty sure that was a spoof address that the domain owner handed out. It appears that, at least now, '_' is not in the spammer's lexicon of addresses to try.

but yeah, this needs to be monitored as it can be a backscatter source:

  Mar 17 07:21:22 mail postfix/smtpd[40467]: C3B7D118B9B7: client=c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]
  Mar 17 07:21:22 mail postfix/cleanup[40775]: C3B7D118B9B7: message-id=040e794f-40e7-4c23-ac4b-001d5cf24...@kreme.com
  Mar 17 07:21:22 mail postfix/qmgr[31772]: C3B7D118B9B7: from=krem...@kreme.com, size=815, nrcpt=1 (queue active)
  Mar 17 07:21:23 mail postfix/error[41241]: C3B7D118B9B7: to=ziggy+t...@kreme.com, orig_to=ziggy_t...@kreme.com, relay=none, delay=0.3, delays=0.09/0.14/0/0.07, dsn=5.0.0, status=bounced (User unknown)
  Mar 17 07:21:23 mail postfix/bounce[41242]: C3B7D118B9B7: sender non-delivery notification: 14A1A118BA5C
  Mar 17 07:21:23 mail postfix/qmgr[31772]: C3B7D118B9B7: removed

Maybe we'll get support for multiple delimiters in postfix someday?

  recipient_multi_delimiters = {+,_.}

where everything between {} is a valid delimiter? Not holding my breath though.

-- 
You and me Sunday driving Not arriving
Re: address rewriting with pcre?
On 3/17/2009, LuKreme (krem...@kreme.com) wrote:
> On 17-Mar-2009, at 06:09, Erwan David wrote:
>> I would fear it breaks recipient validation, accepting mail for every address with a _ as valid.
>
> That is a drawback.

Oh... well, if it does indeed do what Erwan said, it isn't just a drawback, it is unacceptable. Proper recipient validation is an absolute requirement.

So, is there no way to rewrite the recipient and *then* validate it?

-- 
Best regards,
Charles
Re: address rewriting with pcre?
On 17-Mar-2009, at 07:30, Charles Marcus wrote:
> So, is there no way to rewrite the recipient and *then* validate it?

Sure, but not until after you've accepted the message. It's not like ziggy_test gets delivered to some random user. It's just that it generates a bounce instead of a reject.

-- 
Fairy Tales are more than true; not because they tell us that dragons exist, but because they tell us that dragons can be beaten.
Re: address rewriting with pcre?
On 3/17/2009, LuKreme (krem...@kreme.com) wrote:
> On 17-Mar-2009, at 07:30, Charles Marcus wrote:
>> So, is there no way to rewrite the recipient and *then* validate it?
>
> Sure, but not until after you've accepted the message.

Ummm... WRONG. Recipient VALIDATION, by DEFINITION, must occur BEFORE a message is accepted.

> It's not like ziggy_test gets delivered to some random user. It's just that it generates a bounce instead of a reject.

Like I said, this is unacceptable (makes you a backscatter source).

Oh well, it was a nice idea...

-- 
Best regards,
Charles
Re: address rewriting with pcre?
On 17-Mar-2009, at 07:39, Charles Marcus wrote:
> On 3/17/2009, LuKreme (krem...@kreme.com) wrote:
>> It's not like ziggy_test gets delivered to some random user. It's just that it generates a bounce instead of a reject.
>
> Like I said, this is unacceptable (makes you a backscatter source).

Then you have to wait and see if FuturePostfix supports multiple delimiters.

-- 
My mind is going. There is no question about it. I can feel it. I can feel it. I can feel it. I'm... afraid.
Re: address rewriting with pcre?
On Tue, Mar 17, 2009 at 02:39:08PM CET, Charles Marcus cmar...@media-brokers.com said:
> On 3/17/2009, LuKreme (krem...@kreme.com) wrote:
>> On 17-Mar-2009, at 07:30, Charles Marcus wrote:
>>> So, is there no way to rewrite the recipient and *then* validate it?
>>
>> Sure, but not until after you've accepted the message.
>
> Ummm... WRONG. Recipient VALIDATION, by DEFINITION, must occur BEFORE a message is accepted.
>
>> It's not like ziggy_test gets delivered to some random user. It's just that it generates a bounce instead of a reject.
>
> Like I said, this is unacceptable (makes you a backscatter source).
>
> Oh well, it was a nice idea...

You may generate the pcre file with a line

  /recipient_([...@_]+)@localdomain/recipient+$...@localdomain

for each valid recipient. This would preserve the validation of recipient at RCPT TO stage.

-- 
Erwan
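Erwan's per-recipient map, as an added example that is not part of the thread: it generates one pcre rule per valid mailbox and simulates the lookups Postfix would perform, so the difference from the single generic rule is visible. A real user's underscore address is rewritten, while an unknown user such as ziggy_test is left untouched and therefore still fails at RCPT TO instead of bouncing later. The domain, the mailbox list and my reading of the thread's generic rule are constructed sample data; in practice the mailbox list would come from the same table that feeds virtual_mailbox_maps.

```python
"""Per-mailbox "_" -> "+" rewriting that keeps recipient validation intact.

A single generic rule rewrites user_tag@domain for *every* user, so Postfix
accepts mail for nonexistent users at RCPT TO and bounces it afterwards
(backscatter). Generating one rule per existing mailbox means only real
users' underscore addresses are rewritten; everything else falls through to
the normal recipient checks and is rejected during the SMTP dialogue.
"""
import re

DOMAIN = "example.com"                          # constructed sample domain
VALID_LOCAL_PARTS = ["bob", "alice", "info"]    # constructed sample mailbox list

# The thread's original approach, one rule for every local part (my
# reconstruction of the masked line). Matches ziggy_test as readily as bob_news.
GENERIC_RULES = [(r"^(.*)_(.*)@example\.com$", "${1}+${2}@example.com")]


def build_rules(local_parts, domain):
    """One (pattern, result) pair per valid mailbox.

    The tag may not contain '@' or '_', so exactly one separator is consumed,
    and the domain is regex-escaped so its dots are literal.
    """
    rules = []
    for lp in local_parts:
        pattern = r"^{}_([^@_]+)@{}$".format(re.escape(lp), re.escape(domain))
        result = "{}+${{1}}@{}".format(lp, domain)
        rules.append((pattern, result))
    return rules


def render_pcre_table(rules):
    """Render rules as pcre_table(5) lines: /pattern/ result.

    The output goes into a file listed in virtual_alias_maps, e.g.
    pcre:/etc/postfix/virtual_underscore.pcre (assumed file name).
    """
    return "\n".join("/{}/ {}".format(p, r) for p, r in rules)


def lookup(address, rules):
    """Simulate a Postfix pcre table lookup.

    First matching rule wins, matching is case-insensitive (Postfix's default
    for pcre tables) and ${n} in the result is replaced by capture group n.
    None means "no match": Postfix then consults the remaining
    virtual_alias_maps entries and applies its usual recipient validation.
    """
    for pattern, result in rules:
        m = re.match(pattern, address, re.IGNORECASE)
        if m:
            return re.sub(r"\$\{(\d+)\}", lambda g: m.group(int(g.group(1))), result)
    return None


if __name__ == "__main__":
    rules = build_rules(VALID_LOCAL_PARTS, DOMAIN)
    print(render_pcre_table(rules))
    print()
    for addr in ("bob_news@example.com", "ziggy_test@example.com"):
        print("{:24} generic: {!s:24} per-mailbox: {}".format(
            addr, lookup(addr, GENERIC_RULES), lookup(addr, rules)))
```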
Re: opinion about my configuration - correct main.cf
On 17-Mar-2009, at 06:29, Stacker Hush wrote:
> mynetworks = 127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8

That does not mean what I think you think it means. The only class A private IP space is 10/8 and 127/8. The others are 192.168/15 and I think 172.16.0.0/12?

However, even this is not a good idea unless you are actually using all of those private IP spaces and your LAN accesses the server from those addresses. For example, even though there is a LAN on the same connection as my servers, the LAN clients access the mailserver via its real IP, so I have none of those CIDR blocks in mynetworks.

> unknown_local_recipient_reject_code = 450

Why would an unknown local user be a temp fail?

-- 
If I were you boys, I wouldn't talk or even think about women. T'aint good for your health.
Re: cyrus sasl2 and authentication [LONG]
On Tue, Mar 17, 2009 at 12:09:40PM +0100, Patrick Ben Koetter wrote:
> My fault. I've overlooked that. In your case /usr/local/lib/sasl2 is the correct place to store Cyrus SASL config files.

I prefer to not mix application configuration files in the same directory with system software libraries. Rather, I use and recommend:

  cyrus_sasl_config_path = ${config_directory}

OR

  cyrus_sasl_config_path = /etc/sasl2

or a similar directory where configuration related to Postfix or SASL are kept. The first variant makes more sense in a multi-instance Postfix configuration if more than one instance implements SASL.

This setting requires a non-ancient SASL library.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
RES: opinion about my configuration - correct main.cf
You are right. I will fix this.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Marcel Straub
Sent: Tuesday, 17 March 2009 09:45
To: postfix-users@postfix.org
Subject: Re: opinion about my configuration - correct main.cf

Stacker Hush wrote:

> main.cf
> ===
> mynetworks = 127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8
>                          ^^

Are you sure that you want to do this? At least I suggest

    mynetworks = 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

because your declaration includes public networks, so that you can be abused as an open relay by those hosts. The rest seems to be ok.

Kind regards,
Marcel
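The two mynetworks lines above differ in exactly the way that matters for relaying: permit_mynetworks trusts every address inside the listed blocks, so a /8 that only contains a private /16 or /12 also trusts all the public space around it. The following is an added example, not code from the thread or from Postfix, that audits a mynetworks value for address space outside loopback and RFC 1918 and reports which client addresses would be allowed to relay. It assumes only the two mynetworks values quoted above and Python's standard ipaddress module.

```python
"""Audit a Postfix mynetworks value for address space that is not loopback
or RFC 1918 private space. Added example, not code from the thread; it only
assumes the mynetworks lines quoted above and the ipaddress module."""
import ipaddress

# Space that permit_mynetworks may reasonably trust without further thought.
TRUSTED_SPACE = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
]


def parse_mynetworks(value):
    """Split a main.cf mynetworks value (comma and/or whitespace separated)
    into ip_network objects. Postfix writes IPv6 entries as [::1]/128, so the
    brackets are dropped; a bare address becomes a host network."""
    nets = []
    for token in value.replace(",", " ").split():
        token = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def public_leakage(value):
    """Return {entry: [leaked sub-ranges]} for each mynetworks entry that
    contains addresses outside TRUSTED_SPACE. An empty dict means every
    listed block is loopback or private."""
    leaks = {}
    for net in parse_mynetworks(value):
        remaining = [net]
        for trusted in TRUSTED_SPACE:
            if trusted.version != net.version:
                continue
            carved = []
            for piece in remaining:
                if piece.subnet_of(trusted):
                    continue  # wholly private, nothing leaks
                if trusted.subnet_of(piece):
                    # cut the private block out, keep the public remainder
                    carved.extend(piece.address_exclude(trusted))
                else:
                    carved.append(piece)  # disjoint from this trusted block
            remaining = carved
        if remaining:
            leaks[str(net)] = sorted(str(r) for r in remaining)
    return leaks


def would_relay(value, client_ip):
    """True if a client at client_ip matches mynetworks, i.e. would be
    passed by permit_mynetworks and allowed to relay."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net
               for net in parse_mynetworks(value))


if __name__ == "__main__":
    posted = "127.0.0.0/8, 192.0.0.0/8, 10.0.0.0/8, 172.0.0.0/8"
    suggested = "127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12"
    for label, value in (("posted", posted), ("suggested", suggested)):
        print(label, "->", public_leakage(value) or "no public space")
    # 192.0.2.1 (a documentation address, so certainly not yours) relays
    # through the posted value but not through the suggested one.
    print(would_relay(posted, "192.0.2.1"), would_relay(suggested, "192.0.2.1"))
```

Run it against the value from `postconf mynetworks` on any host; an empty result from public_leakage is the condition Marcel's suggestion satisfies.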
Re: address rewriting with pcre?
On 3/17/2009 9:43 AM, Erwan David wrote: You may generate the pcre file with a line /recipient_([...@_]+)@localdomain/recipient+$...@localdomain for each valid recipient. This would preserve the validation of recipient at RCPT TO stage. Interesting... and maybe a good candidate for my first usable scripting attempt. Thanks Erwan, -- Best regards, Charles
Re: address rewriting with pcre?
On 17-Mar-2009, at 08:01, Charles Marcus wrote: On 3/17/2009 9:43 AM, Erwan David wrote: You may generate the pcre file with a line /recipient_([...@_]+)@localdomain/recipient+$...@localdomain for each valid recipient. This would preserve the validation of recipient at RCPT TO stage. Interesting... and maybe a good candidate for my first usable scripting attempt. Let us know what you come up with. -- Critics look at actresses one of two ways: you're either bankable or boinkable.
Understand smtpd_client_connection_rate_limit
Hi, all

I read this: http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit

"The maximal number of connection attempts any client is allowed to make to this service per time unit."

What does "client" mean? An IP address? An e-mail address like exam...@example.com? Or what? It isn't clear to me.

[]'s
-- 
Eduardo Júnior
GNU/Linux user #423272
:wq
Re: Understand smtpd_client_connection_rate_limit
2009/3/17 Eduardo Júnior ihtrau...@gmail.com:

> Hi, all
> I read this: http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
> "The maximal number of connection attempts any client is allowed to make to this service per time unit."
> What does "client" mean?

IP address

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net
Re: address rewriting with pcre?
On Tue, Mar 17, 2009 at 10:01:53AM -0400, Charles Marcus wrote:

> On 3/17/2009 9:43 AM, Erwan David wrote:
>> You may generate the pcre file with a line
>>   /recipient_([...@_]+)@localdomain/recipient+$...@localdomain
>> for each valid recipient. This would preserve the validation of recipient at RCPT TO stage.
>
> Interesting... and maybe a good candidate for my first usable scripting attempt.

Perl is the natural choice for this:

    $ echo u...@example.com | domain=example.com perl -lpe '
        s{^(.*)\...@\q$env{domain}\e$}
         {/^\Q$1\E_(.*)\...@\q$env{domain}\e\$/ $1+\${...@$env{domain}}o;'
    /^user_(.*)@example\.com$/ user+$...@example.com

In practice instead of echo ... | Perl would read a list of addresses from a file. The \Q...\E construct is the critical ingredient for quoting PCRE special characters in the address localpart and domain.

-- 
Viktor.
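The point of the \Q...\E in Viktor's one-liner is that a dot in a domain, or a plus or dash in a localpart, must match literally, otherwise `example.com` also matches `exampleXcom`. The block below is an added example, not Viktor's Perl and not part of the thread: the same generator in Python, where re.escape plays the role of \Q...\E, plus a small emulation of `postmap -q` on the generated table so the effect of the escaping can be checked offline. It assumes the `user_extension` to `user+extension` rewriting described by Erwan and that `${1}` is used for the captured extension.

```python
"""Generate a Postfix pcre: table that rewrites user_anything@domain to
user+anything@domain for a list of valid recipients, with the regex
metacharacters in each address quoted. Added example, not Viktor's Perl and
not part of the thread; re.escape plays the role of Perl's \\Q...\\E."""
import re


def pcre_map_line(address):
    """One table line for a single valid recipient. Only the '_' extension
    is a wildcard; the localpart and domain are matched literally, which is
    what re.escape guarantees (a '.' in the domain becomes '\\.')."""
    localpart, domain = address.rsplit("@", 1)
    pattern = "/^%s_(.*)@%s$/" % (re.escape(localpart), re.escape(domain))
    result = "%s+${1}@%s" % (localpart, domain)
    return pattern + " " + result


def build_pcre_map(addresses):
    """Table text for every non-empty address in the iterable (in practice
    read from a file of valid recipients, one per line)."""
    return "\n".join(pcre_map_line(a.strip()) for a in addresses if a.strip())


def apply_map(map_text, recipient):
    """Emulate postmap -q on the generated table: the first pattern that
    matches wins and ${1} in its result is replaced by the captured
    extension. Returns None when no line matches."""
    for line in map_text.splitlines():
        slash_end = line.index("/ ")  # closing slash of the /pattern/ part
        pattern = line[1:slash_end]
        result = line[slash_end + 2:]
        match = re.match(pattern, recipient)
        if match:
            return result.replace("${1}", match.group(1))
    return None


if __name__ == "__main__":
    # Constructed list of valid recipients for the demonstration.
    table = build_pcre_map(["user@example.com", "first.last@example.com"])
    print(table)
    for probe in ("user_sales@example.com", "first.last_x@example.com",
                  "firstXlast_x@example.com"):
        print(probe, "->", apply_map(table, probe))
```

Without the escaping, the third probe above would be rewritten as well, because an unquoted `.` matches any character; with it, only the literal address survives validation.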
Re: Understand smtpd_client_connection_rate_limit
On Mar 17, 2009, at 10:26 AM, Eduardo Júnior ihtrau...@gmail.com wrote:

> Hi, all
> I read this: http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit
> "The maximal number of connection attempts any client is allowed to make to this service per time unit."
> What does "client" mean? An IP address? An e-mail address like exam...@example.com? Or what? It isn't clear to me.

The client is identified by its IP address.
Re: address rewriting with pcre?
On Tue, Mar 17, 2009 at 03:52:27PM CET, Victor Duchovni victor.ducho...@morganstanley.com said: On Tue, Mar 17, 2009 at 10:01:53AM -0400, Charles Marcus wrote: On 3/17/2009 9:43 AM, Erwan David wrote: You may generate the pcre file with a line /recipient_([...@_]+)@localdomain/recipient+$...@localdomain for each valid recipient. This would preserve the validation of recipient at RCPT TO stage. Interesting... and maybe a good candidate for my first usable scripting attempt. Perl is the natural choice for this: $ echo u...@example.com | domain=example.com perl -lpe ' s{^(.*)\...@\q$env{domain}\e$} {/^\Q$1\E_(.*)\...@\q$env{domain}\e\$/ $1+\${...@$env{domain}}o;' /^user_(.*)@example\.com$/ user+$...@example.com In practice instead of echo ... | Perl would read a list of addresses from a file. The \Q...\E construct is the critical ingredient for quoting PCRE special characters in the address localpart and domain. I would have used ruby, but it is equivalent modulo your knowledge of either language. -- Erwan
Re: Postfix, mysql, virtual users
On Tue, March 17, 2009 2:07 pm, Sebastian Chociwski said: [...] Will it be ok to set up : virtual_alias_maps=mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf ,mysql:/etc/postfix/ANOTHER-EMAIL2EMAIL.cf ?? Yes, this is fine. More or less all Postfix configuration parameters that accept one lookup table will accept multiple lookup tables. -- Magnus Bäck mag...@dsek.lth.se
Re: cyrus sasl2 and authentication [LONG]
On 17-Mar-2009, at 03:49, LuKreme wrote:

> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.

That wasn't it, and the ownership by root:mail shouldn't matter as the postfix user is part of the mail group. I think I've read everything twice, and am stumped. Should I just start over and install dovecot (cyrus was the only option way back in the day)?

-- 
Rent a flat above a shop, cut your hair and get a job, smoke some fags and play some pool, pretend you never went to school and still you'll never get it right cuz when you're lay'n in bed at night watching roaches climb the wall if you called your dad he could stop it all.
Re: cyrus sasl2 and authentication [LONG]
> On 17-Mar-2009, at 03:49, LuKreme wrote:
>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.
>
> That wasn't it, and the ownership by root:mail shouldn't matter as the postfix user is part of the mail group. I think I've read everything twice, and am stumped. Should I just start over and install dovecot (cyrus was the only option way back in the day)?

Did you check Patrick's hint about the stored passwords in your SQL server? Cyrus-SASL auxprop is bound to cleartext passwords. If you have crypted passwords, you have to patch Cyrus-SASL.

-- 
Andreas
Re: cyrus sasl2 and authentication [LONG]
On Tue, Mar 17, 2009 at 11:37:39AM -0600, LuKreme wrote:

> On 17-Mar-2009, at 03:49, LuKreme wrote:
>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.
>
> That wasn't it, and the ownership by root:mail shouldn't matter as the postfix user is part of the mail group. I think I've read everything twice, and am stumped.

Postfix processes don't make use of secondary groups. The primary group of $mail_owner (typically postfix) needs to be permissioned for all resources with group-based access control.

-- 
Viktor.
Re: cyrus sasl2 and authentication [LONG]
Victor Duchovni:

> On Tue, Mar 17, 2009 at 11:37:39AM -0600, LuKreme wrote:
>> On 17-Mar-2009, at 03:49, LuKreme wrote:
>>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.
>>
>> That wasn't it, and the ownership by root:mail shouldn't matter as the postfix user is part of the mail group. I think I've read everything twice, and am stumped.
>
> Postfix processes don't make use of secondary groups. The primary group of $mail_owner (typically postfix) needs to be permissioned for all resources with group-based access control.

Yes and no. Postfix will use initgroups() when permanently changing privileges (smtpd(8), qmgr(8), etc.), but not when changing privileges temporarily (master(8), pipe(8), local(8), spawn(8)) or when forking off an external command. It's easy to make errors here.

Wietse
Re: cyrus sasl2 and authentication [LONG]
On 17-Mar-2009, at 11:47, Andreas Winkelmann wrote:

>> On 17-Mar-2009, at 03:49, LuKreme wrote:
>>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.
>>
>> That wasn't it, and the ownership by root:mail shouldn't matter as the postfix user is part of the mail group. I think I've read everything twice, and am stumped. Should I just start over and install dovecot (cyrus was the only option way back in the day)?
>
> Did you check Patrick's hint about the stored passwords in your SQL server? Cyrus-SASL auxprop is bound to cleartext passwords. If you have crypted passwords, you have to patch Cyrus-SASL.

Ah... I must have missed that. *looks back* Oh, well, that must be it then. Passwords from postfixadmin are stored in md5crypt (they look like $1$a28cb10c$wzblsb81Kv.F7vnMtqlEf.).

So, more on this patching of Cyrus-SASL?

-- 
I believe you can joke about anything. -- George Carlin
Dropping rejected mail from a transport server
I have a Postfix server that sits in front of Exchange. Exchange has anti-spam software running that will reject what it deems as spam. This is creating a problem for Postfix, which accepts a message, and tries to send it to Exchange, who then rejects it. That leaves Postfix with an email it has to try to bounce to a (usually) non-legitimate sender. It'd be nice if Exchange accepted and then silently dropped, but that doesn't seem to be coming. So, on my part, what can I do with Postfix to drop messages that Exchange (defined through the transport file) rejects? Thanks, Chris
Re: Dropping rejected mail from a transport server
Chris Cameron wrote:

> I have a Postfix server that sits in front of Exchange. Exchange has anti-spam software running that will reject what it deems as spam. This is creating a problem for Postfix, which accepts a message, and tries to send it to Exchange, who then rejects it. That leaves Postfix with an email it has to try to bounce to a (usually) non-legitimate sender. It'd be nice if Exchange accepted and then silently dropped, but that doesn't seem to be coming. So, on my part, what can I do with Postfix to drop messages that Exchange (defined through the transport file) rejects?

Exchange is accepting mail, then rejecting it, which is a problem with Exchange, not Postfix. Anything you do with Postfix to delete the rejected mail that Exchange has already accepted will also lose legitimate mail Exchange thinks is spam. The recipient will not get the mail and the sender will not get a reject notice, which breaks the integrity of the SMTP protocol and will really annoy a lot of people.

My suggestion would be to:

* Do the spam processing on or before the postfix box and turn it off on exchange, or
* Configure Exchange to deliver spammy mail and just mark it as spam.

Any solution that accepts mail and then bounces it later will make you a bounce-back spam source and get your servers blacklisted. Any solution that accepts mail and deletes it will have the users at your door with pitchforks and torches.

Terry
Re: Dropping rejected mail from a transport server
On Tuesday, March 17, 2009 at 19:58 CET, Chris Cameron ch...@upnix.com wrote: I have a Postfix server that sits in front of Exchange. Exchange has anti-spam software running that will reject what it deems as spam. This is creating a problem for Postfix, which accepts a message, and tries to send it to Exchange, who then rejects it. That leaves Postfix with an email it has to try to bounce to a (usually) non-legitimate sender. It'd be nice if Exchange accepted and then silently dropped, but that doesn't seem to be coming. So, on my part, what can I do with Postfix to drop messages that Exchange (defined through the transport file) rejects? You could use restriction classes to discard messages from when the client is the Exchange server. The correct solution is of course to fix the broken Exchange server so that it stops rejecting spam. -- Magnus Bäck mag...@dsek.lth.se
Re: cyrus sasl2 and authentication [LONG]
* LuKreme krem...@kreme.com:

> On 17-Mar-2009, at 11:47, Andreas Winkelmann wrote:
>>> On 17-Mar-2009, at 03:49, LuKreme wrote:
>>>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it was root:mail) and have removed the authdaemon_path line and am trying again. Hopefully this was it.
>>>
>>> That wasn't it, and the ownership by root:mail shouldn't matter as the postfix user is part of the mail group. I think I've read everything twice, and am stumped. Should I just start over and install dovecot (cyrus was the only option way back in the day)?
>>
>> Did you check Patrick's hint about the stored passwords in your SQL server? Cyrus-SASL auxprop is bound to cleartext passwords. If you have crypted passwords, you have to patch Cyrus-SASL.
>
> Ah... I must have missed that. *looks back* Oh, well, that must be it then. Passwords from postfixadmin are stored in md5crypt (they look like $1$a28cb10c$wzblsb81Kv.F7vnMtqlEf.).
>
> So, more on this patching of Cyrus-SASL?

Don't use the patch. It's old and it braindamages Cyrus SASL.

You can use crypted passwords with Cyrus SASL, if you set it up this way:

    Postfix -> libsasl -> saslauthd (PAM) -> PAM mysql -> Mysql DB

That gives you plaintext mechanisms only on client to server communication, but that's okay as long as you require clients to establish a TLS session before they may authenticate. Set this to allow plaintext mechs during TLS only:

    smtpd_sasl_security_options = noplaintext, noanonymous
    smtpd_sasl_tls_security_options = noanonymous

As for the PAM part in the sasl authentication, start saslauthd like this:

    saslauthd -a pam -m /path/to/the/socket

In /etc/pam.d/smtp configure the PAM Mysql part (I haven't done so yet, so I can't be of any help).

p...@rick

-- 
All technical answers asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
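The reason the auxprop setup earlier in this thread fails against postfixadmin's `$1$...` hashes, and the reason the saslauthd/PAM chain Patrick describes works, comes down to who compares what. With the sql auxprop plugin the value returned by sql_select is treated as the cleartext password and compared with what the client sent over PLAIN or LOGIN; a crypt(3) hash never equals the password. A crypt-aware verifier (pam_mysql with crypt=1 behind `saslauthd -a pam`) instead re-hashes the offered password with the salt stored in the hash and compares the results. The block below is an added example, not code from the thread or from Cyrus SASL, showing both comparisons side by side; md5crypt is a pure-Python implementation of the crypt(3) `$1$` scheme, and the password and salt are constructed for the demonstration.

```python
"""Why auxprop-sql fails with $1$ (md5crypt) hashes and what a crypt(3)-aware
verifier such as pam_mysql(crypt=1) behind saslauthd does instead. Added
example, not code from the thread; md5crypt() is the crypt(3) $1$ algorithm
in pure Python. Passwords and salts here are constructed for the demo."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s own base64 variant: `count` chars, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return '$1$<salt>$<22 chars>' as crypt(3) does for the $1$ scheme.
    The salt is cut at the first '$' and limited to 8 characters."""
    pw = password.encode()
    salt = salt.split("$")[0][:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in alt once per 16 password bytes
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # the odd bit-walk over the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # 1000 rounds to slow brute force
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


def auxprop_style_check(stored, offered):
    """What the sql auxprop plugin effectively does for PLAIN/LOGIN: the
    value sql_select returned is the password, compare it byte for byte."""
    return hmac.compare_digest(stored.encode(), offered.encode())


def pam_style_check(stored, offered):
    """What a crypt(3)-aware verifier does: rebuild the hash from the offered
    password and the salt embedded in the stored value, then compare."""
    if not stored.startswith("$1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5crypt(offered, salt).encode(), stored.encode())


if __name__ == "__main__":
    stored = md5crypt("s3cret", "a28cb10c")   # what postfixadmin would store
    print(stored)
    print("auxprop compare:", auxprop_style_check(stored, "s3cret"))   # False
    print("pam/crypt compare:", pam_style_check(stored, "s3cret"))     # True
```

The same split applies to the challenge-response mechanisms (CRAM-MD5, DIGEST-MD5): they need the cleartext password on the server to compute the response, so a hashed column rules them out and leaves PLAIN and LOGIN, which is why Patrick restricts those to TLS sessions.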
Re: Dropping rejected mail from a transport server
If the exchange server is doing anti-spam analysis, then can't you setup the exchange server to be a before queue content filter? This will mean that your postfix server will still do all of the RBL and recipient checks, but the 5XX series block sent by postfix will be relayed via postfix to the upstream MTA. Of course, this means that you won't be queuing mail on your postfix server... On Tue, Mar 17, 2009 at 2:58 PM, Chris Cameron ch...@upnix.com wrote: I have a Postfix server that sits in front of Exchange. Exchange has anti-spam software running that will reject what it deems as spam. This is creating a problem for Postfix, which accepts a message, and tries to send it to Exchange, who then rejects it. That leaves Postfix with an email it has to try to bounce to a (usually) non-legitimate sender. It'd be nice if Exchange accepted and then silently dropped, but that doesn't seem to be coming. So, on my part, what can I do with Postfix to drop messages that Exchange (defined through the transport file) rejects? Thanks, Chris
Good Reading
I'm looking for a good one-stop guide for Postfix. I'm a newbie. Any suggested reading?
Re: Good Reading
+-- | On 2009-03-17 16:45:29, Jeff Bernier wrote: | | I'm looking for a good one-stop guide for Postfix. I'm a newbie. | | Any suggested reading? The Book of Postfix, Hildebrandt, Koetter http://nostarch.com/postfix.htm -- bda Cyberpunk is dead. Long live cyberpunk. http://mirrorshades.org
Re: Too strict?
MacShane, Tracy wrote:

> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alberto Lepe
> Sent: Monday, 16 March 2009 4:18 PM
> To: postfix-users@postfix.org
> Subject: Too strict?
>
>> Hello, and thank you in advance for your time! I have been setting up a mail server since more than a week and after reading several posts/articles and some pages of the Postfix manual, I'm a little confused about how to setup the security. The mail server is outside my LAN and it will be used to serve some domains, with maybe 10 users per domain. This is my main.cf (restrictions):
>>
>>     smtpd_data_restrictions = reject_unauth_pipelining
>>     smtpd_recipient_restrictions =
>>         reject_non_fqdn_sender,
>>         reject_non_fqdn_recipient,
>>         permit_mynetworks,
>>         permit_sasl_authenticated,
>>         # reject_unknown_sender_domain,
>>         # reject_unknown_recipient_domain,
>>         reject_unauth_destination,
>>         reject_invalid_helo_hostname,
>>         reject_unlisted_recipient,
>>         reject_unlisted_sender,
>>         reject_invalid_hostname,
>>         # reject_non_fqdn_hostname,
>>         # reject_unknown_client_hostname,
>>         reject_rbl_client zen.spamhaus.org,
>>         reject_rbl_client bl.spamcop.net,
>>         permit
>
> Leaving aside the other comments people have made, I have reject_unknown_sender_domain (AFTER reject_unauth_destination) and reject_non_fqdn_hostname configured. The latter check in particular rejects thousands of connections a day so I don't have to keep hitting the Zen lookups. No FPs that I've ever been made aware of.
>
> reject_unlisted_recipient is redundant, since it's yes by default (but no harm leaving it in).

Depending on the situation, I have seen reject_non_fqdn_helo_hostname block from 18% to 45% of junk (compared to what is blocked at postfix time). The high numbers here are seen when this check is done soon, in particular before reject_unlisted_* and reject_rbl_client. If however you put the check after reject_unlisted_* and the zen check, the ratio is a lot less than 1% here.

So the check is only useful in few situations:

- you don't use zen: you don't trust it, or you get too much mail to use zen for free, and you don't wanna pay for a feed.
- you don't want to do recipient validation at this time. With postfix, this argument is a bit weak.

On this server, today (at this time), among postfix rejections, 93.46% are rejected by "safe" checks:

    Recipient unknown:        55.47 %
    DNSBL zen.spamhaus.org:   23.28 %
    Sender unknown:            8.21 %
    Relay attempt:             6.5  %

(The few other checks are not really necessary. I have some snowshoe checks that I will convert into spamassassin checks.) And judging from SA results, 1.68 % spam has not been blocked by postfix.

In short, the set:

    reject_unauth_destination
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_rbl_client zen.spamhaus.org

is both safe and efficient.
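Percentages like the ones above are what decide whether a restriction is worth its place in the list, and they come straight from the smtpd "NOQUEUE: reject:" lines in the maillog. The following is an added example, not code from the thread, that tallies reject reasons into the same categories (recipient unknown, zen, sender unknown, relay attempt, plus the non-FQDN HELO check under discussion). The log lines are constructed for the demonstration, using RFC 5737 documentation addresses and the reply texts Postfix emits for these restrictions; point tally() at real maillog lines to get the figures for your own server.

```python
"""Tally smtpd reject reasons from maillog lines, the way the percentages
above were produced. Added example, not code from the thread; the log lines
in SAMPLE_LOG are constructed for the demonstration."""
import re
from collections import Counter

# Shape of a Postfix smtpd reject line: the reply text runs up to '; from=<'.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<text>.*?); from=<"
)

# (label, substring of Postfix's reply text); first match wins.
CATEGORIES = [
    ("Recipient unknown", "Recipient address rejected: User unknown"),
    ("DNSBL zen.spamhaus.org", "blocked using zen.spamhaus.org"),
    ("Sender unknown", "Sender address rejected: Domain not found"),
    ("Relay attempt", "Relay access denied"),
    ("Non-FQDN HELO", "need fully-qualified hostname"),
]


def classify(reply_text):
    """Map one reply text to a category label, 'other' if none applies."""
    for label, needle in CATEGORIES:
        if needle in reply_text:
            return label
    return "other"


def tally(lines):
    """Counter of reject categories; lines that are not smtpd rejects
    (connects, deliveries, ...) are ignored."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[classify(m.group("text"))] += 1
    return counts


def percentages(counts):
    """Share of each category among all rejects, rounded to two decimals."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {label: round(100.0 * n / total, 2) for label, n in counts.items()}


def _line(client, reply):
    # Constructed maillog line in the shape Postfix uses for NOQUEUE rejects.
    return ("Mar 17 10:00:00 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from %s: %s; "
            "from=<sender@example.net> to=<user@example.com> proto=ESMTP helo=<example.net>"
            % (client, reply))


SAMPLE_LOG = (
    [_line("unknown[192.0.2.10]", "550 5.1.1 <nobody@example.com>: Recipient address "
           "rejected: User unknown in local recipient table")] * 4
    + [_line("unknown[192.0.2.11]", "554 5.7.1 Service unavailable; Client host "
             "[192.0.2.11] blocked using zen.spamhaus.org")] * 2
    + [_line("unknown[192.0.2.12]", "450 4.1.8 <x@nonexistent.invalid>: Sender address "
             "rejected: Domain not found")]
    + [_line("unknown[192.0.2.13]", "554 5.7.1 <victim@example.org>: Relay access denied")]
    + [_line("unknown[192.0.2.14]", "504 5.5.2 <mail>: Helo command rejected: "
             "need fully-qualified hostname")] * 2
    + ["Mar 17 10:00:01 mx postfix/smtpd[4242]: connect from unknown[192.0.2.15]"]
)

if __name__ == "__main__":
    for label, share in sorted(percentages(tally(SAMPLE_LOG)).items(),
                               key=lambda kv: -kv[1]):
        print("%-24s %6.2f %%" % (label + ":", share))
```

Because restrictions are evaluated in order and the first reject wins, the share attributed to a check depends on where it sits in smtpd_recipient_restrictions; that is exactly the effect described above for reject_non_fqdn_helo_hostname, and comparing the tally before and after moving a check is the way to measure it.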
VERP Bounce Intercept
I'm at a loss why this is not working. I'm sending a VERP SMTP e-mail using the following script:

    (
    echo EHLO $(uname -n)
    echo MAIL FROM:ch...@chrisdos.com XVERP
    echo RCPT TO:no-one-h...@chrisdos.com
    echo DATA
    echo From: ch...@chrisdos.com
    echo To: no-one-h...@chrisdos.com
    echo Subject: Testing VERP
    echo
    echo Testing 123
    echo .
    echo QUIT
    ) | telnet localhost 25

I have this in my main.cf:

    default_verp_delimiters = +=
    verp_delimiter_filter = -+=
    disable_verp_bounces = no
    smtpd_authorized_verp_clients = $mynetworks
    propagate_unmatched_extensions = canonical, virtual
    virtual_alias_maps = hash:/etc/postfix/virtual
    header_checks = regexp:/etc/postfix/header_checks.regexp
    nested_header_checks = regexp:/etc/postfix/header_checks.regexp

My header_checks.regexp looks like this:

    /^.+\+.+\=...@.+\..+$/ DISCARD
    /^.+\+.+\=...@.+\..+$/ REDIRECT verpbounce

I've tested the header check by using this:

    postmap -q chris+no-one-home=chrisdos@chrisdos.com regexp:header_checks.regexp

and it comes back with a result of DISCARD. I can't even get the DISCARD to work yet, much less the redirect to an alias that calls a script.

According to the log it's doing VERP, it gets bounced, but not discarded:

    Mar 17 15:30:22 mail-dr postfix/smtpd[4455]: connect from localhost[127.0.0.1]
    Mar 17 15:30:22 mail-dr postfix/smtpd[4455]: 4E36128CEDD: client=localhost[127.0.0.1]
    Mar 17 15:30:22 mail-dr postfix/cleanup[4461]: 4E36128CEDD: message-id=20090317213022.4e36128c...@mail-dr.sharperagent.com
    Mar 17 15:30:22 mail-dr postfix/qmgr[4432]: 4E36128CEDD: from=ch...@chrisdos.com, size=561, nrcpt=1 (queue active)
    Mar 17 15:30:22 mail-dr postfix/smtpd[4455]: lost connection after QUIT from localhost[127.0.0.1]
    Mar 17 15:30:22 mail-dr postfix/smtpd[4455]: disconnect from localhost[127.0.0.1]
    Mar 17 15:30:22 mail-dr postfix/smtp[4462]: 4E36128CEDD: to=no-one-h...@chrisdos.com, relay=mail.chrisdos.com[71.33.251.73]:25, delay=0.63, delays=0.06/0.01/0.19/0.37, dsn=5.1.1, status=bounced (host mail.chrisdos.com[71.33.251.73] said: 550 5.1.1 no-one-h...@chrisdos.com: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
    Mar 17 15:30:22 mail-dr postfix/cleanup[4461]: EC0FB290278: message-id=20090317213022.ec0fb290...@mail-dr.sharperagent.com
    Mar 17 15:30:22 mail-dr postfix/qmgr[4432]: EC0FB290278: from=, size=2830, nrcpt=1 (queue active)
    Mar 17 15:30:22 mail-dr postfix/bounce[4463]: 4E36128CEDD: sender non-delivery notification: EC0FB290278
    Mar 17 15:30:22 mail-dr postfix/qmgr[4432]: 4E36128CEDD: removed
    Mar 17 15:30:23 mail-dr postfix/smtp[4462]: EC0FB290278: to=chris+no-one-home=chrisdos@chrisdos.com, relay=mail.chrisdos.com[71.33.251.73]:25, delay=0.19, delays=0.02/0/0.11/0.05, dsn=5.1.1, status=bounced (host mail.chrisdos.com[71.33.251.73] said: 550 5.1.1 chris+no-one-home=chrisdos@chrisdos.com: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
    Mar 17 15:30:23 mail-dr postfix/qmgr[4432]: EC0FB290278: removed

Does anyone have any ideas about why this is not working?

Chris
Re: RES: opinion about my configuration - correct main.cf
On Tue, 17 Mar 2009, Stacker Hush wrote: How i can change my setup to use TLS? Please do not top-post or reply off-list. http://www.postfix.org/TLS_README.html -- Sahil Tandon sa...@tandon.net
Re: smtpd_recipient_restrictions suddenly stopping mail
Noel Jones wrote, On 3/15/09 4:26 PM:

> Sahil Tandon wrote:
>> On Sun, 15 Mar 2009, Wietse Venema wrote:
>>> Sahil Tandon:
>>>> OpenDNS will not blindly redirect DNS queries that look like DNSBL requests. Notice the difference:
>>>>
>>>>     % dig @resolver1.opendns.com www.abcdefghijklmnop12345.com +short
>>>>     208.69.32.132
>>>>     % dig @resolver1.opendns.com 40.30.20.10.www.abcdefghijklmnop12345.com +short
>>>>     %
>>>
>>> Note, this still breaks lookups of rfc-ignorant.org and other sites that blacklist domain names instead of IP addresses.
>>
>> FWIW, OpenDNS appears to work with rfc-ignorant.org, but that's only because they know about it: http://www.opendns.com/support/article/33
>>
>>> If you must run an MX host, use a real DNS server.
>>
>> Agreed!
>
> If you sign up for a free account at OpenDNS you can turn off their helpful typo-correction feature. Then OpenDNS works splendidly on an MX. They do have a clue.

No volume or quality of clues can trump the hard limit of the speed of light... The hardest problem with using someone else's DNS server (i.e. one many miles away across multiple router hops) for an MX host is that it will come with higher hard query latency (i.e. ultimately 'c' bound) and with less easily predicted higher latencies relative to a local cache that is dedicated to the MX host(s), which would have higher cache hit rates.
modify incoming mail
Hi all,

I need some help. I would like to modify incoming emails. I need to add a link at the top of the incoming mail body, in order to allow employees that received their email to click on this link and connect directly to our database to check the client's data. I need to add a link that will pass the client's email as a parameter (should be something like http://192.168.0.2/client.php?client=em...@domaine.com).

I was thinking to do this job with the postfix body_checks feature by using body rewriting, but I can't find the way to do it because I can't find a way to identify the beginning of the mail body.

Any advice will help. I hope I have been clear enough in my explanation.

Thanks in advance
Cedric
Re: VERP Bounce Intercept
Chris Dos:

> relay=mail.chrisdos.com[71.33.251.73]:25, delay=0.19, delays=0.02/0/0.11/0.05, dsn=5.1.1, status=bounced (host mail.chrisdos.com[71.33.251.73] said: 550 5.1.1 chris+no-one-home=chrisdos@chrisdos.com: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))

So VERP works, but you have no recipient_delimiter=+ set up.

> /^.+\+.+\=...@.+\..+$/ DISCARD

Why do you believe that header addresses contain ONLY an email address?

Wietse
Re: VERP Bounce Intercept
Wietse Venema wrote:

> Chris Dos:
>> relay=mail.chrisdos.com[71.33.251.73]:25, delay=0.19, delays=0.02/0/0.11/0.05, dsn=5.1.1, status=bounced (host mail.chrisdos.com[71.33.251.73] said: 550 5.1.1 chris+no-one-home=chrisdos@chrisdos.com: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
>
> So VERP works, but you have no recipient_delimiter=+ set up.
>
>> /^.+\+.+\=...@.+\..+$/ DISCARD
>
> Why do you believe that header addresses contain ONLY an email address?
>
> Wietse

Sorry, I did have:

    recipient_delimiter = +

in another part of my main.cf file.

I don't believe that header addresses contain ONLY an e-mail address. There is a lot of other information there. But the regular expression should match a VERP modified e-mail address.

Chris
Re: modify incoming mail
On Wed, 18 Mar 2009, Cedric Zeline wrote:

> I need some help. I would like to modify incoming emails. I need to add a link at the top of the incoming mail body, in order to allow employees that received their email to click on this link and connect directly to our database to check the client's data. I need to add a link that will pass the client's email as a parameter (should be something like http://192.168.0.2/client.php?client=em...@domaine.com). I was thinking to do this job with the postfix body_checks feature by using body rewriting, but I can't find the way to do it because I can't find a way to identify the beginning of the mail body.

http://archives.neohapsis.com/archives/postfix/2009-03/0452.html

-- 
Sahil Tandon sa...@tandon.net
Re: cyrus sasl2 and authentication [LONG]
On 17-Mar-2009, at 13:45, Patrick Ben Koetter wrote:

>     smtpd_sasl_security_options = noplaintext, noanonymous
>     smtpd_sasl_tls_security_options = noanonymous
>
> As for the PAM part in the sasl authentication, start saslauthd like this:
>
>     saslauthd -a pam -m /path/to/the/socket

path to which socket there?

    $ ls -ls /var/run/saslauthd/
    total 2
    0 srwxrwxrwx  1 root  postfix  0 Mar 17 03:52 mux
    0 -rw-------  1 root  postfix  0 Mar 17 03:52 mux.accept
    2 -rw-------  1 root  postfix  6 Mar 17 03:52 saslauthd.pid

/var/run/saslauthd/mux ??

I found some info and came up with this in pam.d/smtp

    $ cat /etc/pam.d/smtp
    auth    required   pam_mysql.so user=postfix passwd=*** host=localhost \
        db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
    account sufficient pam_mysql.so user=postfix passwd=*** host=localhost \
        db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

smtpd.conf is now simply:

    pwcheck_method: pam
    mech_list: plain login

    postfix/smtpd[66096]: initializing the server-side TLS engine
    postfix/smtpd[66096]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
    postfix/smtpd[66096]: fatal: no SASL authentication mechanisms

-- 
++?++ Out of Cheese Error. Redo From Start.
Re: modify incoming mail
On 17-Mar-2009, at 17:18, Cedric Zeline wrote:

> I need some help. I would like to modify incoming emails. I need to add a link at the top of the incoming mail body, in order to allow employees that received their email to click on this link and connect directly to our database to check the client's data. I need to add a link that will pass the client's email as a parameter (should be something like http://192.168.0.2/client.php?client=em...@domaine.com). I was thinking to do this job with the postfix body_checks feature by using body rewriting, but I can't find the way to do it because I can't find a way to identify the beginning of the mail body.

I don't know if you can identify the beginning of the body reliably, but if you use a mail client for your employees that allows you to customise the headers that are displayed, you could do this with a prepend action in the headers. Still, *I* would do it with procmail.

-- 
And the three men I admire most, the father son and the holly ghost they caught the last train for the coast...
reject_sender_login_mismatch
If I understand correctly the Postfix manual, reject_sender_login_mismatch is equivalent of adding these 2 rules instead: reject_unauthenticated_sender_login_mismatch reject_authenticated_sender_login_mismatch right? If I use SASL authentication, which one is recommended to use? for example, only reject_authenticated... or reject_unauthenticated... or reject_sender...? Thank you.
Re: reject_sender_login_mismatch
On Wed, 18 Mar 2009, Alberto Lepe wrote: If I understand correctly the Postfix manual, reject_sender_login_mismatch is equivalent of adding these 2 rules instead: reject_unauthenticated_sender_login_mismatch reject_authenticated_sender_login_mismatch right? If I use SASL authentication, which one is recommended to use? for example, only reject_authenticated... or reject_unauthenticated... or reject_sender...? This depends entirely on what you want to accomplish. Read about the differences and similarities between these three parameters in postconf(5), then choose which one is most suitable. -- Sahil Tandon sa...@tandon.net
RE: SSL/TLS for dummies
Yeah, it was the key thing. Had to allow for use of the key without a password. Solved one of my problems at least. Thanks!

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Barney Desmond
Sent: Monday, March 16, 2009 10:00 PM
To: postfix-users@postfix.org
Subject: Re: SSL/TLS for dummies

2009/3/17 Security Admin (NetSec) secad...@netsecdesign.com:
> Someday (maybe today) I will WRITE DOWN the proper way to generate and export certificates. Getting this warning in my maillog:
>
> warning: cannot get private key from file /etc/postfix/privkey.pem
>
> Doesn't stop TLS from occurring, it is just annoying. TLS is used between postfix mail gateways and an external Exchange server. If someone can give the correct steps to generate a certificate with the proper info, much appreciated. It also could be an issue with my tls config in my main.cf (using Postfix 2.5.6):

Show us some of the log lines around it as well? Is /etc/postfix/privkey.pem indeed a private key? Postfix can't use encrypted private keys, so make sure your key file isn't protected; you'll need to rely on OS access control to stop people stealing it. This is often enough the reason for postfix to complain about your key file (though I'm sure there are other ways to fail).

Start of an encrypted key file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1BF5D6A192E33D3A

vdJx0TUlh409tymW1P9NUAJlqAOZ1CE7RI344zrV5MJAKGL0p8mov8WOF40y8/qK
siV136J26hKmB/FLC0vL8MaomyTfoQbhbVSqpVd0Xhelelm5JvOuCsq2orNdcstw

Start of an unencrypted key file:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDYZX2/mBFRZpjDMDb8umeUk1HDweXhVb5A5WnfFE10LqbO2xKL
20+dgmLWS5e/spfkzbWayKXz0zFq6VfAl3dTdxnu20c1nQX3dqEZGyrKdhtMxa0D

If your key is encrypted, you need to know the passphrase to decrypt it:

# openssl rsa -in encrypted_key -out unencrypted_key

Did you use a guide to set up your TLS and postfix, etc? If so, chances are it's wrong or poorly written.

Ubuntu's docs on postfix are correct for the key/cert stuff at least: https://help.ubuntu.com/community/Postfix
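The two key-file shapes Barney shows above are easy to tell apart mechanically. The following is an added example, not code from the thread or from Postfix: a small POSIX sh check that reports whether a PEM private key is passphrase-protected (the case Postfix cannot load) and, for an unencrypted key, whether it is readable by anyone other than its owner, since the thread's advice is to rely on OS access control once the passphrase is gone. The two sample files it writes are constructed (header lines only, dummy base64 bodies) and stand in for a real key.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM private key before
# pointing smtpd_tls_key_file at it, and flag lax permissions.

# pem_key_state FILE -> prints "encrypted", "plain" or "not-a-key";
# returns non-zero for "not-a-key".
pem_key_state() {
    f=$1
    [ -r "$f" ] || { echo "not-a-key"; return 1; }
    # PKCS#8 encrypted keys announce themselves in the BEGIN line.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted; return 0
    fi
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" || { echo "not-a-key"; return 1; }
    # Traditional (PKCS#1) keys carry a Proc-Type header when encrypted,
    # exactly as in the excerpt quoted above.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted
    else
        echo plain
    fi
}

# key_perms_ok FILE -> 0 when the file is not group- or world-readable.
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        ?00) return 0 ;;   # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# check_key FILE -> one-line verdict; exit 0 only when Postfix can use it safely.
check_key() {
    state=$(pem_key_state "$1") || { echo "$1: not a PEM private key"; return 2; }
    if [ "$state" = encrypted ]; then
        echo "$1: passphrase-protected; Postfix cannot load it (openssl rsa -in ... -out ... strips the passphrase)"
        return 1
    fi
    if ! key_perms_ok "$1"; then
        echo "$1: unencrypted but readable by others; chmod 600 it"
        return 1
    fi
    echo "$1: usable by Postfix"
}

# make_samples DIR -> writes two CONSTRUCTED sample files mimicking the
# encrypted and unencrypted headers shown in the thread.
make_samples() {
    d=$1
    mkdir -p "$d"
    cat >"$d/encrypted.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
EOF
    cat >"$d/plain.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
EOF
    chmod 600 "$d/encrypted.pem"
    chmod 644 "$d/plain.pem"   # deliberately too open, to exercise the check
}
```

Usage: `check_key /etc/postfix/privkey.pem` answers the question Barney asks ("is it indeed a private key, and is it encrypted?") without opening the file in an editor; run `make_samples /tmp/keys` and `check_key /tmp/keys/plain.pem` to see both failure modes on the constructed samples.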
Re: reject_sender_login_mismatch
On Wed, Mar 18, 2009 at 10:29:19AM +0900, Alberto Lepe wrote:

> If I understand the Postfix manual correctly, reject_sender_login_mismatch is equivalent to adding these 2 rules instead:
>
> reject_unauthenticated_sender_login_mismatch
> reject_authenticated_sender_login_mismatch
>
> Right? If I use SASL authentication, which one is recommended? For example, only reject_authenticated... or reject_unauthenticated... or reject_sender...?

Use neither unless you know what you want to achieve and how either or both in combination meet your goals.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
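Both replies above send Alberto to postconf(5). As an added illustration of what he would find there (this is not code from the thread or from Postfix), the POSIX sh model below reproduces the decision each of the three restrictions makes, given whether the client is SASL-authenticated, its login name, and the MAIL FROM address. The owner lookup stands in for smtpd_sender_login_maps, and the addresses and logins it knows are constructed sample data. Per postconf(5): reject_sender_login_mismatch rejects an authenticated client whose login does not own the sender address, and an unauthenticated client whose sender address has an owner; the authenticated and unauthenticated variants each enforce only one of those two halves.

```shell
#!/bin/sh
# Added example (not from the thread): a model of how Postfix evaluates the
# three *_sender_login_mismatch restrictions. No Postfix binary is needed.

# owner_of ADDRESS -> prints the login name(s) owning ADDRESS, or nothing.
# Constructed stand-in for a smtpd_sender_login_maps lookup.
owner_of() {
    case "$1" in
        alice@example.com) echo "alice" ;;
        sales@example.com) echo "alice bob" ;;   # shared address, two owners
        *) ;;                                    # not listed: no owner
    esac
}

# login_owns LOGIN ADDRESS -> 0 when LOGIN is among the owners of ADDRESS.
login_owns() {
    for o in $(owner_of "$2"); do
        [ "$o" = "$1" ] && return 0
    done
    return 1
}

# check RESTRICTION LOGIN SENDER
#   LOGIN is the SASL login name, or "" for an unauthenticated client.
#   Prints REJECT, or DUNNO (no decision; evaluation continues with the
#   next restriction in the list).
check() {
    restriction=$1; login=$2; sender=$3
    mismatch=no
    if [ -n "$login" ]; then
        # Authenticated client: the login must own the sender address.
        # An address with no owner at all also counts as a mismatch.
        login_owns "$login" "$sender" || mismatch=yes
    else
        # Unauthenticated client: the address must have no listed owner.
        [ -z "$(owner_of "$sender")" ] || mismatch=yes
    fi
    case "$restriction" in
        reject_sender_login_mismatch) ;;                               # both halves
        reject_authenticated_sender_login_mismatch)   [ -n "$login" ] || mismatch=no ;;
        reject_unauthenticated_sender_login_mismatch) [ -z "$login" ] || mismatch=no ;;
        *) echo "unknown restriction: $restriction" >&2; return 2 ;;
    esac
    if [ "$mismatch" = yes ]; then echo REJECT; else echo DUNNO; fi
}
```

Running `check reject_sender_login_mismatch bob alice@example.com` prints REJECT, while `check reject_unauthenticated_sender_login_mismatch bob alice@example.com` prints DUNNO: the unauthenticated variant says nothing about a logged-in client, which is the distinction the question turns on. Whichever restriction is chosen, it only has an effect when smtpd_sender_login_maps is populated.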
compile sasl + tls
Hello. I'm using Centos5 and I normally compile postfix with SASL without problems (works fine) with this:

make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"

Now I'm trying to compile with SASL (for smtp-auth) and TLS. I'm using this:

make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_SSL -I/usr/include/openssl" AUXLIBS="-L/usr/lib -R/usr/lib -lsasl2 -lssl -lcrypto"

When I try to send a message I get this error:

postfix/master[23959]: daemon started -- version 2.5.6, configuration /etc/postfix
postfix/smtpd[23962]: warning: unsupported SASL server implementation: cyrus
postfix/smtpd[23962]: fatal: SASL per-process initialization failed
postfix/master[23959]: warning: process /usr/libexec/postfix/smtpd pid 23962 exit status 1
postfix/master[23959]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

Any idea how to solve this?

Thanks,
Stacker
Re: compile sasl + tls
On Wed, Mar 18, 2009 at 01:12:13AM -0300, Stacker Hush wrote:

> Hello. I'm using Centos5 and I normally compile postfix with SASL without problems (works fine) with this:
>
> make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"
>
> Now I'm trying to compile with SASL (for smtp-auth) and TLS. I'm using this:
>
> make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_SSL -I/usr/include/openssl" AUXLIBS="-L/usr/lib -R/usr/lib -lsasl2 -lssl -lcrypto"

Read carefully, and combine all the compiler and linker flags for SASL and TLS without using the wrong ones or leaving any out:

http://www.postfix.org/SASL_README.html#build_postfix
http://www.postfix.org/TLS_README.html#build_tls

--
Viktor.
Re: compile sasl + tls
On Wed, 18 Mar 2009, Stacker Hush wrote:

> I'm using Centos5 and I normally compile postfix with SASL without problems (works fine) with this:
>
> make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2"

This has the DUSE_CYRUS_SASL flag.

> Now I'm trying to compile with SASL (for smtp-auth) and TLS. I'm using this:
>
> make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_SSL -I/usr/include/openssl" AUXLIBS="-L/usr/lib -R/usr/lib -lsasl2 -lssl -lcrypto"

This does not have the DUSE_CYRUS_SASL flag. And there is no reference to TLS.

> When I try to send a message I get this error:
>
> postfix/master[23959]: daemon started -- version 2.5.6, configuration /etc/postfix
> postfix/smtpd[23962]: warning: unsupported SASL server implementation: cyrus
> postfix/smtpd[23962]: fatal: SASL per-process initialization failed
> postfix/master[23959]: warning: process /usr/libexec/postfix/smtpd pid 23962 exit status 1
> postfix/master[23959]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
>
> Any idea how to solve this?

Follow instructions:

http://www.postfix.org/SASL_README.html#build_postfix
http://www.postfix.org/TLS_README.html#build_tls

--
Sahil Tandon sa...@tandon.net
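The mistake both replies point at is a flag that was dropped (-DUSE_CYRUS_SASL) plus one that Postfix's build does not know (-DHAS_SSL; TLS_README uses -DUSE_TLS). The following is an added example, not from the thread or from the Postfix distribution: a POSIX sh check that takes the CCARGS and AUXLIBS strings you are about to pass to "make makefiles" and lists what a Cyrus SASL plus TLS build needs that is missing, so the "unsupported SASL server implementation: cyrus" startup failure is caught before compiling rather than in the log. The list of required switches follows the two README sections linked above; the two command lines it is exercised with are Stacker's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify CCARGS/AUXLIBS for a Postfix
# build with Cyrus SASL and TLS, per SASL_README and TLS_README.

# missing_build_flags CCARGS AUXLIBS -> prints one problem per line;
# returns 0 only when nothing is missing or wrong.
missing_build_flags() {
    ccargs=$1; auxlibs=$2; bad=0
    # Compiler defines: SASL server support, the Cyrus implementation, TLS.
    for want in -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS; do
        case " $ccargs " in
            *" $want "*) ;;
            *) echo "CCARGS lacks $want"; bad=1 ;;
        esac
    done
    # Linker inputs: libsasl2 for Cyrus, libssl and libcrypto for TLS.
    for want in -lsasl2 -lssl -lcrypto; do
        case " $auxlibs " in
            *" $want "*) ;;
            *) echo "AUXLIBS lacks $want"; bad=1 ;;
        esac
    done
    # -DHAS_SSL is not a Postfix build switch, so it buys no TLS support;
    # flag it so it is not mistaken for one.
    case " $ccargs " in
        *" -DHAS_SSL "*) echo "CCARGS has -DHAS_SSL, which Postfix does not use; TLS needs -DUSE_TLS"; bad=1 ;;
    esac
    return $bad
}

# Stacker's second command line, as posted: reports the dropped define and the stray one.
missing_build_flags \
    "-DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_SSL -I/usr/include/openssl" \
    "-L/usr/lib -R/usr/lib -lsasl2 -lssl -lcrypto" || true
```

With the two reported items fixed, the combined invocation is the union of the two README fragments: `make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS -I/usr/include/openssl" AUXLIBS="-L/usr/lib -lsasl2 -lssl -lcrypto"`, and the check above returns 0 for it. After installing, `postconf -d mail_version` and a look for "TLS" and "sasl" in `ldd $(postconf -h daemon_directory)/smtpd` confirm what actually got linked in.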