Re: Postfix plain text authentication with SASL
You MUST use a backend for sasl Auth

Sent from my iPhone

On 9 June 2011 at 07:56, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote:
> Hi, found anything.
>
> On Thu, Jun 9, 2011 at 10:59 AM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote:
>> Hi, I just want to setup postfix SASL based authentication and then relay mails through this server.
>>
>> On Thu, Jun 9, 2011 at 10:52 AM, Frank Bonnet f.bon...@esiee.fr wrote:
>>> Which backend are you using ? ldap radius nis ?
>>>
>>> On 09/06/2011 07:03, Suresh Kumar Prajapati wrote:
>>>> Hi all, No one is there to help me
>>>>
>>>> On Wed, Jun 8, 2011 at 12:49 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote:
>>>>> Hi, Can anyone help me setting postfix plain authentication with SASL. I've spent a complete week on this already. Any help appreciated.
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Suresh Kumar Prajapati
>>>>> Linux Security Admin
>>>>> E-mail: er.sureshprajap...@gmail.com
>>>>> Pencils could be made with erasers at both ends, but what would be the point?
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
> No one is there to help me

You started your thread ignoring the list policy which tells how to ask for help. When I asked you to follow the rules you replied to me offlist. I looked at your configuration and replied to the list. You replied offlist again. You did only partially answer the questions I had asked, but you took some extra time to tell me you were in a hurry.

I am not going to lay a mouse in a cat's mouth. Consider me out unless you are willing to do your part of the work in this free support.

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: Postfix plain text authentication with SASL
Hi,

Sorry for this. I am sending you the saslfinger output

Usage: saslfinger [-chs]
Use saslfinger -h to find out what the options mean.

[root@quranmail postfix]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Jun 9 11:24:25 MSD 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.3
System: CentOS release 5.6 (Final)

-- smtpd is linked to --
libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0x009ad000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = domain.com

-- listing of /usr/lib/sasl --
total 28
drwxr-xr-x 2 root root 4096 Jun 7 14:43 .
drwxr-xr-x 36 root root 20480 Jun 7 14:43 ..
-rw-r--r-- 1 root root 47 May 31 20:34 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 3064
drwxr-xr-x 2 root root 4096 Jun 9 08:07 .
drwxr-xr-x 36 root root 20480 Jun 7 14:43 ..
-rwxr-xr-x 1 root root 884 Mar 17 2010 libanonymous.la
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so.2
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so.2.0.22
-rwxr-xr-x 1 root root 870 Mar 17 2010 libcrammd5.la
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so.2
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so.2.0.22
-rwxr-xr-x 1 root root 893 Mar 17 2010 libdigestmd5.la
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so.2
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so.2.0.22
-rwxr-xr-x 1 root root 856 Mar 17 2010 liblogin.la
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so.2
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so.2.0.22
-rwxr-xr-x 1 root root 856 Mar 17 2010 libplain.la
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so.2
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so.2.0.22
-rwxr-xr-x 1 root root 930 Mar 17 2010 libsasldb.la
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so.2
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 25 Mar 31 2010 Sendmail.conf

-- listing of /var/lib/sasl2 --
total 8
drwxr-xr-x 2 root root 4096 Jun 9 08:07 .
drwxr-xr-x 18 root root 4096 Jun 9 10:54 ..

-- listing of /etc/sasl2 --
total 16
drwxr-xr-x 2 root root 4096 Jun 9 08:09 .
drwxr-xr-x 54 root postfix 4096 Jun 9 10:54 ..
-rw-r--r-- 1 root root 49 Jun 9 08:09 smtpd.conf
-rw-r--r-- 1 root root 99 Jun 7 10:10 smtpd.conf.bak

-- content of /usr/lib/sasl/smtpd.conf --
pwcheck_method: saslauthd
saslauthd_version: 2

-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login

-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
21 inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix -
Re: Postfix plain text authentication with SASL
On Thu, Jun 9, 2011 at 12:16 AM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote:
> Hi, and I don't find any saslauthd.conf file
> here is the /etc/sasl2/smtpd.conf
> pwcheck_method: saslauthd
> mech_list: plain login

That's a problem. In that file (/etc/sasl2/smtpd.conf) you are specifying that you want to use saslauthd as the method to check passwords, and you also say that you want to do that using only plain and login mechanisms, yet you don't have any backend configured to perform this function. You should read up on sasl more to know how to do this. I would suggest http://www.postfix.org/SASL_README.html to get you started.

Steve
Re: Postfix plain text authentication with SASL
Hi,

I've gone through this and setup the things according to the config there. Please let me know if I'm wrong anywhere.
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
> [root@quranmail postfix]# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Thu Jun 9 11:24:25 MSD 2011
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.3.3
> System: CentOS release 5.6 (Final)
>
> -- smtpd is linked to --
> libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0x009ad000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = domain.com
>
> -- listing of /usr/lib/sasl --
> total 28
> drwxr-xr-x 2 root root 4096 Jun 7 14:43 .
> drwxr-xr-x 36 root root 20480 Jun 7 14:43 ..
> -rw-r--r-- 1 root root 47 May 31 20:34 smtpd.conf

Please remove /usr/lib/sasl/smtpd.conf. Cyrus SASL 2 will not use it.

> -- content of /usr/lib/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> saslauthd_version: 2
>
> -- content of /etc/sasl2/smtpd.conf --
> pwcheck_method: saslauthd
> mech_list: plain login

OK. Did you check for whitespace? There must be no trailing whitespace.

> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> 21 inet n - n - - smtpd

I leave it up to you to run the Postfix smtpd server on a different port. For the moment please disable the line above and follow the standard:

smtp inet n - n - - smtpd

> -- mechanisms on localhost --
>
> -- end of saslfinger output --
>
> Please let me know if anything else is required.

Can you test if authentication works without Postfix? Use the testsaslauthd command to prove it works:

% testsaslauthd -u username -p password

If that doesn't work we need to fix more than only Postfix configuration.

p@rick
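The whitespace check asked for above, combined with a check that `mech_list` only names mechanisms saslauthd can verify, as an added example that is not part of the original messages or of Cyrus SASL. The function name `lint_smtpd_conf` and both sample strings are made up here.

```python
# Mechanisms that require the server to read the stored shared secret itself.
# saslauthd only checks a cleartext password, so it cannot verify them.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}

# Constructed samples. GOOD has the two settings shown in the thread; BAD adds
# a trailing space and a mechanism that saslauthd cannot serve.
GOOD = "pwcheck_method: saslauthd\nmech_list: plain login\n"
BAD = "pwcheck_method: saslauthd \nmech_list: plain login cram-md5\n"


def lint_smtpd_conf(text):
    """Return sorted (line_number, message) findings for an smtpd.conf body.

    Line number 0 marks a finding about the file as a whole.
    """
    findings, options = [], {}
    for number, line in enumerate(text.split("\n"), start=1):
        # Trailing blanks (or a stray CR) become part of the option value.
        if line != line.rstrip():
            findings.append((number, "trailing whitespace"))
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")
        if not sep or not value.strip():
            findings.append((number, "expected 'option: value'"))
            continue
        options[key.strip()] = (number, value.strip())

    if "pwcheck_method" not in options:
        findings.append((0, "pwcheck_method is not set"))
    elif options["pwcheck_method"][1] == "saslauthd":
        if "mech_list" not in options:
            findings.append((0, "mech_list is not set: every installed plugin is offered"))
        else:
            number, value = options["mech_list"]
            for mech in value.upper().split():
                if mech in SHARED_SECRET_MECHS:
                    findings.append((number, mech + " cannot be verified through saslauthd"))
    return sorted(findings)


if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_smtpd_conf(body))
```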
Re: Postfix plain text authentication with SASL
Hi,

Here is the interactive session output

[root@quranmail postfix]# telnet 217.23.4.146 25
Trying 217.23.4.146...
Connected to 217.23.4.146.
Escape character is '^]'.
220 domain.com ESMTP
ehlo google.com
250-domain.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth loginm
535 5.7.0 Error: authentication failed: no mechanism available
auth login
334 VXNlcm5hbWU6
usern...@domain.com
334 UGFzc3dvcmQ6
password
535 5.7.0 Error: authentication failed: authentication failure

On Thu, Jun 9, 2011 at 1:17 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote:
> Hi,
>
> I've followed all the info you have given and the command shows the following output
>
> [root@hostname postfix]# testsaslauthd -u tom -p redhat
> 0: NO authentication failed
Re: virtual aliases and unlisted email addresses
On 8 June 2011, at 18:15, Victor Duchovni wrote:
> On Wed, Jun 08, 2011 at 11:33:48AM +0200, Patrick Proniewski wrote:
>> After the period of double delivery is over, we will deliver emails only to Google servers. So the virtual aliases map is to look like:
>>
>> public-addr...@univ-lyon2.fr public-addr...@univ-lyon2.fr
>> some-al...@univ-lyon2.fr public-addr...@univ-lyon2.fr
>> ...
>>
>> The first line looks pretty silly to me. Is there any way to tell that addresses not listed in virtual aliases map are to be forwarded as is ?
>
> Your gateway needs a table of valid recipients, the domain in question is presumably configured as a relay domain by being listed in $relay_domains.

In fact I've tried this. But this domain being already in virtual_alias_domains, it looks like it's not a good idea to put it also in relay_domains: postfix complains about this for every email passing thru:

Jun 7 15:24:18 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains
Jun 7 15:24:18 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains
Jun 7 15:24:19 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains

> If you don't want to have identity mappings in virtual_alias_maps, you need to add entries to relay_recipient_maps:
>
> main.cf:
>     # Use cdb if you have it.
>     default_database_type = hash
>     indexed = ${default_database_type}:${config_directory}/
>     relay_recipient_maps = ${indexed}relay_rcpts
>
> relay_rcpts:
>     public-addr...@univ-lyon2.fr valid
>     ...
>
> where the word valid on the right hand side of the table can be replaced by any non-empty value that makes sense to you. Postfix only needs the lookup key to map to a non-empty result.

I'm using this on MX, so that my servers are not acting as backscatters: only valid recipients are accepted by MX and transferred to MailGW. But as postfix won't accept using both virtual_alias_domains and relay_domains, I think this won't do the trick.

> This said, the identity virtual_alias_maps mappings are a fine way to achieve the same result. The lookup will be done anyway, and you already have a virtual alias table, so it may in fact be simpler to keep using the identity mappings, but you MUST make sure that relay_recipient_maps (assuming the domain is a relay domain) is set to some table (be it one with no entries).

Ok

Thank you Viktor.

Patrick PRONIEWSKI
--
System Administrator - DSI - Université Lumière Lyon 2
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
> Here is the interactive session output
>
> [root@quranmail postfix]# telnet 217.23.4.146 25
> Trying 217.23.4.146...
> Connected to 217.23.4.146.
> Escape character is '^]'.
> 220 domain.com ESMTP
> ehlo google.com
> 250-domain.com
> 250-PIPELINING
> 250-SIZE 10485760
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth loginm
> 535 5.7.0 Error: authentication failed: no mechanism available
> auth login
> 334 VXNlcm5hbWU6
> usern...@domain.com
> 334 UGFzc3dvcmQ6
> password
> 535 5.7.0 Error: authentication failed: authentication failure

Yep. We need to fix the backend first. When we're done with the backend we will return to the SMTP session.

p@rick
Re: Postfix plain text authentication with SASL
Hi,

following is the output from the command you have

[root@domain.com ~]# testsaslauthd -s pam -u tom -p redhat
0: NO authentication failed

and then I change the /etc/sysconfig/saslauthd file

MECH=shadow

and then run the following command

[root@domain.com ~]# testsaslauthd -s shadow -u tom -p redhat
0: OK Success.
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
> Hi, following is the output from the command you have
>
> [root@domain.com ~]# testsaslauthd -s pam -u tom -p redhat
> 0: NO authentication failed
>
> and then I change the /etc/sysconfig/saslauthd file
>
> MECH=shadow
>
> and then run the following command
>
> [root@domain.com ~]# testsaslauthd -s shadow -u tom -p redhat
> 0: OK Success.

Great. We're one step further.

Where do you store the identities mail senders should use to authenticate? Are all your senders system accounts? Are they in a database?

p@rick
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
> Both are system users and I've assigned password to them using passwd user_name command as well saslpasswd2 user_name

So we have two ways to go: system accounts or separate mail user database. I recommend using the separate database, because compromised accounts would only affect your mail service but not the system (if you use different usernames and passwords...).

Which way do you want to go?

p@rick

--
state of mind () Digitale Kommunikation
http://www.state-of-mind.de
Franziskanerstraße 15, 81669 München
Phone +49 89 3090 4664, Fax +49 89 3090 4666
Munich District Court, partnership register PR 563
Re: Postfix plain text authentication with SASL
Hi,

For the time being I just want to go with system accounts, once this is set, I can catch up with second option.
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:
> For the time being I just want to go with system accounts, once this is set, I can catch up with second option.

Fine. Run saslauthd with -a shadow. Run testsaslauthd and verify you have a user for whom authentication works. Drop smtpd_sasl_local_domain in main.cf. Reload postfix.

Download http://jetmore.org/john/code/gen-auth, make it executable and run it like this:

% ./gen-auth plain username password
Auth String: AGZvbwBiYXI=

Use the Auth String: (here: AGZvbwBiYXI=) in a telnet session. Do not use LOGIN as in your previous test. Send PLAIN like this:

AUTH PLAIN AGZvbwBiYXI=

It *should* work...

p@rick
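What the telnet test and the gen-auth string in this thread put on the wire, as an added example that is not part of the original messages or of gen-auth: it walks an SMTP transcript, decodes each AUTH attempt and flags responses that were not base64-encoded. The transcript is constructed (mailbox, password and the closing 235 reply are placeholders), and the function names are made up here.

```python
import base64
import binascii

# Constructed transcript modelled on the telnet test in the thread ("C:" is the
# client, "S:" the server). The mailbox, the password and the closing 235 reply
# are placeholders; AGZvbwBiYXI= is the gen-auth sample string from the thread.
SAMPLE_SESSION = """\
S: 250-AUTH LOGIN PLAIN
S: 250-AUTH=LOGIN PLAIN
C: auth loginm
S: 535 5.7.0 Error: authentication failed: no mechanism available
C: auth login
S: 334 VXNlcm5hbWU6
C: user@example.test
S: 334 UGFzc3dvcmQ6
C: password
S: 535 5.7.0 Error: authentication failed: authentication failure
C: AUTH PLAIN AGZvbwBiYXI=
S: 235 2.7.0 Authentication successful
"""


def decode_text(token):
    """Base64-decode a token to text; None if it is not base64 of UTF-8 text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def parse_plain(token):
    """Split a PLAIN response (RFC 4616): authzid NUL authcid NUL passwd."""
    text = decode_text(token)
    if text is None or text.count("\0") != 2:
        return None
    authzid, authcid, passwd = text.split("\0")
    # Report the password length only; the point is that it is recoverable.
    return {"authzid": authzid, "authcid": authcid, "password_len": len(passwd)}


def finish(attempt, advertised):
    """Interpret the client tokens collected for one AUTH attempt."""
    mech, tokens = attempt["mechanism"], attempt.pop("tokens")
    problems = attempt["problems"]
    if advertised and mech not in advertised:
        problems.append(mech + " not advertised by the server")
    elif mech == "PLAIN":
        creds = parse_plain(tokens[0]) if tokens else None
        if creds is None:
            problems.append("response is not base64 of authzid NUL authcid NUL passwd")
        else:
            attempt.update(creds)
    elif mech == "LOGIN":
        decoded = [decode_text(t) for t in tokens[:2]]
        for name, value in zip(("username", "password"), decoded):
            if value is None:
                problems.append(name + " was not sent base64-encoded")
        if len(decoded) == 2 and None not in decoded:
            attempt["authcid"], attempt["password_len"] = decoded[0], len(decoded[1])
    else:
        problems.append(mech + " is not decoded by this example")
    return attempt


def analyse(session):
    """Return one record per AUTH attempt found in an SMTP transcript."""
    attempts, advertised, current = [], set(), None
    for raw in session.splitlines():
        side, _, text = raw.partition(": ")
        text = text.strip()
        words = text.split()
        if side == "S" and current is None:
            # "250-AUTH LOGIN PLAIN"; the "AUTH=" variant repeats the same list.
            if text[:3] == "250" and text[4:9].upper() == "AUTH ":
                advertised = set(text[9:].upper().split())
        elif side == "S" and text.startswith("334"):
            # Server challenge, e.g. the LOGIN prompts "Username:" / "Password:".
            current["challenges"].append(decode_text(text[4:]))
        elif side == "S":
            # Any other reply ends the attempt (235 success, 535 failure, ...).
            current["result"] = text[:3]
            attempts.append(finish(current, advertised))
            current = None
        elif side == "C" and current is None:
            if len(words) >= 2 and words[0].upper() == "AUTH":
                current = {"mechanism": words[1].upper(), "tokens": words[2:3],
                           "challenges": [], "problems": [], "result": None}
        elif side == "C":
            current["tokens"].append(text)
    return attempts


if __name__ == "__main__":
    for record in analyse(SAMPLE_SESSION):
        print(record)
```

Both PLAIN and LOGIN carry the password merely base64-encoded, so anyone who can read the session can recover it; setting `smtpd_tls_auth_only = yes` in main.cf keeps Postfix from offering AUTH before STARTTLS.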
Re: Postfix plain text authentication with SASL
Hi,

Followed your steps and this is output

warning: SASL authentication failure: Password verification failed
Jun 9 13:12:26 domain.com postfix/smtpd[1391]: warning: fdsakjfhbdskj.fdsakjfhbdskj.com[ip_address]: SASL plain authentication failed: authentication failure

testsaslauthd -s pam -u tom -p redhat
0: NO authentication failed

testsaslauthd -s pam -u tom -p redhat
0: NO authentication failed
Re: fqrdns.regexp
Stan Hoeppner wrote: On 6/8/2011 7:35 AM, Бак Микаел wrote: Oh, thanks. The maintainer must have renamed it. Yes, I renamed it quite a long time ago (in internet time) when it was suggested running it through the pcre engine was more optimal. If memory serves me correctly, I made the change something like a year ago, or more, maybe much more. I see. I don't know if the author reads this, but I'd suggest a smallish change for the next release: Put only REJECT alone on each line instead of having custom text. This makes it easier for anyone to change that (using sed) to a custom restriction class. The custom text exists for the benefit of victims of false positives, and for easy log parsing/statistics generation. Changing it is trivial with sed, as Brian mentioned. Yep, Brian's sed hack solved my problem. Thanks for a nice contribution! Mikael
Re: Postfix plain text authentication with SASL
Hi,

Can anyone help me...

On Thu, Jun 9, 2011 at 2:45 PM, Suresh Kumar Prajapati er.sureshprajap...@gmail.com wrote:

Hi,

Followed your steps and this is output

warning: SASL authentication failure: Password verification failed
Jun 9 13:12:26 domain.com postfix/smtpd[1391]: warning: fdsakjfhbdskj.fdsakjfhbdskj.com[ip_address]: SASL plain authentication failed: authentication failure

testsaslauthd -s pam -u tom -p redhat
0: NO authentication failed
testsaslauthd -s pam -u tom -p redhat
0: NO authentication failed

--
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com
Pencils could be made with erasers at both ends, but what would be the point?
Re: Postfix plain text authentication with SASL
* Suresh Kumar Prajapati er.sureshprajap...@gmail.com:

Followed your steps and this is output

warning: SASL authentication failure: Password verification failed
Jun 9 13:12:26 domain.com postfix/smtpd[1391]: warning: fdsakjfhbdskj.fdsakjfhbdskj.com[ip_address]: SASL plain authentication failed: authentication failure

testsaslauthd -s pam -u tom -p redhat
0: NO authentication failed

testsaslauthd -s shadow -u tom -p redhat

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Sender dependent authentication issue
Hello

I'm trying to achieve sender dependent authentication. Please find corresponding configuration files in attachment. Although the sender dependent authentication is configured, for some reason postfix doesn't follow those rules, but is checking the virtual table instead and rejects the incoming email. Can anybody help with what I am missing here?

Sincerely

Jun 9 12:29:12 kanta postfix2/smtpd[11850]: connect from mail-fx0-f43.google.com[209.85.161.43]
Jun 9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1 38163632...@domain.net: Recipient address rejected: User unknown in local recipient table; from=zubacdra...@gmail.com to=38163632...@domain.net proto=ESMTP helo=mail-fx0-f43.google.com
Jun 9 12:29:12 kanta postfix2/smtpd[11850]: disconnect from mail-fx0-f43.google.com[209.85.161.43]

smtpd_banner = Welcome to A wasting time laboratory MTA
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = mail.domain.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname2
mydestination = domain.net,mail.domain.net
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 5.5.5.5
virtual_alias_maps = hash:/etc/postfix2/virtual
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
alternate_config_directories = /etc/postfix
syslog_name = postfix2
queue_directory = /var/spool/postfix2
data_directory = /var/lib/postfix2
smtp_bind_address = 5.5.5.5
smtp_host_lookup = dns, native

#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: man 5 master).
#
# Do not forget to execute postfix reload after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==
5.5.5.5:smtp inet n     -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
#
#
# maildrop. See the
Re: Sender dependent authentication issue
On Thu, 09 Jun 2011 15:00:56 +0200 Dragan Zubac zubacdra...@gmail.com articulated: Hello I'm trying to achieve sender dependent authentication. Please find corresponding configuration files in attachment. Although the sender dependent authentication is configured,for some reason postfix don't follow those rules,but is checking virtual table instead and rejects the incoming email. That is not how to report a problem. Please read the documentation at: http://www.postfix.org/DEBUG_README.html#mail In particular: Output from postconf -n. Please do not send your main.cf file, or 500+ lines of postconf output. Better, provide output from the postfinger tool. This can be found at http://ftp.wl0.org/SOURCES/postfinger. -- Jerry ✌ postfix-u...@seibercom.net _ TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Re: virtual aliases and unlisted email addresses
On Thu, Jun 09, 2011 at 10:12:17AM +0200, Patrick Proniewski wrote:

On 8 juin 2011, at 18:15, Victor Duchovni wrote:

On Wed, Jun 08, 2011 at 11:33:48AM +0200, Patrick Proniewski wrote:

After the period of double delivery is over, we will deliver emails only to Google servers. So the virtual aliases map is to look like:

public-addr...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
some-al...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
...

The first line looks pretty silly to me. Is there any way to tell that addresses not listed in virtual aliases map are to be forwarded as is?

Your gateway needs a table of valid recipients, the domain in question is presumably configured as a relay domain by being listed in $relay_domains.

In fact I've tried this. But this domain being already in virtual_alias_domains, it looks like it's not a good idea to put it also in relay_domains: postfix complains about this for every email passing thru:

You MUST remove the domain from the list of virtual alias domains.

Jun 7 15:24:19 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains

You MUST remove the domain from the list of virtual alias domains. Otherwise, addresses in this domain will not be deliverable as-is. If you don't want to have identity mappings in virtual_alias_maps, you need to add entries to relay_recipient_maps:

main.cf:
    # Use cdb if you have it.
    default_database_type = hash
    indexed = ${default_database_type}:${config_directory}/
    relay_recipient_maps = ${indexed}relay_rcpts

relay_rcpts:
    public-addr...@univ-lyon2.fr    valid
    ...

where the word valid on the right hand side of the table can be replaced by any non-empty value that makes sense to you. Postfix only needs the lookup key to map to a non-empty result.

I'm using this on MX, so that my servers are not acting as backscatters: only valid recipients are accepted by MX and transferred to MailGW. But as postfix won't accept using both virtual_alias_domains and relay_domains, I think this won't do the trick.

You MUST remove the domain from the list of virtual alias domains. Note virtual alias mappings apply to all envelope recipient addresses, regardless of address class, so there is no need to declare your domain a virtual alias domain, unless it is truly just a set of alias mailboxes that always forward to a *different* domain.

--
Viktor.
Expansion limit issue with MSFT AD LDAP
On Thu, Jun 09, 2011 at 06:19:30AM -, ross.sysadm wrote:

I have problems with expansion_limit. Postfix + Dovecot + AD + multiple email domains.

What Postfix feature is the table below supposed to support? http://www.postfix.org/DEBUG_README.html#mail

server_host = srv-ad.cn.energy
search_base = dc=cn,dc=energy
version = 3
bind = yes
bind_dn = ldapmail@cn.energy
bind_pw = passwd
chase_referrals = no
query_filter = ((objectCategory=person)(|(mail=%s)(proxyAddresses=%s))(!(userAccountControl=514)))

Remove the proxyAddresses=%s clause from the query, it is useless. The values of proxyAddresses attribute in MSFT AD are not rfc822 addresses. Rather, these are protocol:protocol-specific-address type:value strings. No l

result_attribute = mail, proxyAddresses

Likewise, remove proxyAddresses from the result attribute list, its data type is different from mail, so you're returning apples and oranges.

expansion_limit = 1
result_format = %d/%u

Perhaps you're trying to build a virtual_mailbox_maps table, if so, indeed you need exactly one result. All the more reason to return just one attribute. Temporarily comment out the expansion_limit = 1 parameter, and repeat the postmap query. If multiple values are returned you have multiple objects in MSFT AD that satisfy the query, fix that, then go back to using expansion_limit = 1.

postmap -v -q system@cn.energy ldap:/etc/postfix/ldap-users.cf
postmap: dict_ldap_get_values[1]: Search found 1 match(es)
postmap: warning: dict_ldap_get_values[1]: /etc/postfix/ldap-users.cf: Expansion limit exceeded for key: 'system@cn.energy'
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned oblr.cn.energy.gov.ua/simbios,cn.energy/system

I do not understand how to resolve this situation. Please help me.

--
Viktor.
Re: expensive checks first
Is there something that shows the expense associated with each check. I have looked through the documentation on the postfix site but could not find anything. John A -- All that is necessary for the triumph of evil is that good men do nothing. (Edmund Burke)
Re: expensive checks first
On Thu, Jun 09, 2011 at 12:59:53PM -0400, John wrote: Is there something that shows the expense associated with each check. I have looked through the documentation on the postfix site but could not find anything. Just common sense. Expense is mostly a question of latency and not over-using free remote RBLs. -- Viktor.
Re: Sender dependent authentication issue
Hello

Sorry, I'll try to report a problem again following your instructions.

Summary

I'm trying to achieve the following:

- email arrives
- postfix checks the sender address
- postfix looks up username/password and relay host for that sender address
- postfix SMTP client connects to the appropriate relay using that username/password to forward that incoming email

The problem is I think I configured postfix in proper manner, hence when I send an email with configured sender address, postfix rejects it with an error:

Jun 9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1 38163632...@domain.net: Recipient address rejected: User unknown in local recipient table; from=zubacdra...@gmail.com to=38163632...@domain.net proto=ESMTP helo=mail-fx0-f43.google.com

The postconf -n output is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix2/
data_directory = /var/lib/postfix2
inet_interfaces = 5.5.5.5
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
mydestination = domain.net,mail.domain.net
myhostname = mail.domain.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname2
queue_directory = /var/spool/postfix2
readme_directory = no
recipient_delimiter = +
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_bind_address = 5.5.5.5
smtp_host_lookup = dns, native
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtpd_banner = Welcome to A wasting time laboratory MTA
syslog_name = postfix2

This is the output from postfinger tool:

postfinger - postfix configuration on Thu Jun 9 20:54:06 BST 2011
version: 1.30

Warning: postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 2.7.1
hostname = kanta
uname = Linux kanta 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.7.1-1

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix2/
data_directory = /var/lib/postfix2
inet_interfaces = 5.5.5.5
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
mydestination = domain.net,mail.domain.net
myhostname = mail.domain.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname2
queue_directory = /var/spool/postfix2
readme_directory = no
recipient_delimiter = +
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_bind_address = 5.5.5.5
smtp_host_lookup = dns, native
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtpd_banner = Welcome to A wasting time laboratory MTA
syslog_name = postfix2

--master.cf--
5.5.5.5:smtp inet n     -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop
Re: Sender dependent authentication issue
On 6/9/2011 4:09 PM, Dragan Zubac wrote:

Hello

Sorry, I'll try to report a problem again following your instructions.

Summary

I'm trying to achieve the following:

- email arrives
- postfix checks the sender address
- postfix looks up username/password and relay host for that sender address
- postfix SMTP client connects to the appropriate relay using that username/password to forward that incoming email

The problem is I think I configured postfix in proper manner, hence when I send an email with configured sender address, postfix rejects it with an error:

Jun 9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1 38163632...@domain.net: Recipient address rejected: User unknown in local recipient table; from=zubacdra...@gmail.com to=38163632...@domain.net proto=ESMTP helo=mail-fx0-f43.google.com

This log has nothing to do with sender dependent relayhost. The log says:

1. mail-fx0-f43.google.com wants to send a mail to 38163632...@domain.net
2. According to the postconf below, domain.net is in mynetworks.
3. However, 38163632914 is not a valid local user, so reject the email.

Note: if you want to hide the domain in question, please use example.(net|org|com) as they are reserved for that purpose.

Brian

The postconf -n output is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix2/
data_directory = /var/lib/postfix2
inet_interfaces = 5.5.5.5
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
mydestination = domain.net,mail.domain.net
myhostname = mail.domain.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname2
queue_directory = /var/spool/postfix2
readme_directory = no
recipient_delimiter = +
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_bind_address = 5.5.5.5
smtp_host_lookup = dns, native
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtpd_banner = Welcome to A wasting time laboratory MTA
syslog_name = postfix2
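How to read the kind of reject line discussed in the message above, as an added example (not code from Postfix or from the posters): it parses smtpd reject lines and reports the SMTP stage, whether the message was ever queued, and which address class and main.cf parameters the reason text points at. The sample lines are constructed in Postfix's log format with example.* addresses, and the function, class and table names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in Postfix syslog format; hosts and addresses are example.* values.
SAMPLE_LOG = """\
Jun  9 12:29:12 kanta postfix2/smtpd[11850]: connect from mail.example.org[192.0.2.43]
Jun  9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.43]: 550 5.1.1 <38163632914@example.net>: Recipient address rejected: User unknown in local recipient table; from=<sender@example.org> to=<38163632914@example.net> proto=ESMTP helo=<mail.example.org>
Jun  9 12:29:12 kanta postfix2/smtpd[11850]: disconnect from mail.example.org[192.0.2.43]
Jun  9 12:31:40 kanta postfix2/smtpd[11901]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@example.com>: Relay access denied; from=<a@example.org> to=<bob@example.com> proto=ESMTP helo=<host.example.org>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<syslog_name>[^/\s]+)/(?P<daemon>\w+)\[(?P<pid>\d+)\]:\s"
    r"(?P<queue_id>\w+):\sreject:\s(?P<stage>\w+)\sfrom\s"
    r"(?P<client>\S+)\[(?P<client_ip>[^\]]+)\]:\s"
    r"(?P<code>\d{3})\s(?P<dsn>\d\.\d+\.\d+)\s"
    r"(?P<detail>.*?);\sfrom=<(?P<sender>[^>]*)>\sto=<(?P<rcpt>[^>]*)>"
)

# Reject reason text -> (recipient address class, main.cf parameters defining it).
ADDRESS_CLASS_HINTS = {
    "User unknown in local recipient table":
        ("local", ["mydestination", "local_recipient_maps"]),
    "User unknown in virtual alias table":
        ("virtual alias", ["virtual_alias_domains", "virtual_alias_maps"]),
    "User unknown in virtual mailbox table":
        ("virtual mailbox", ["virtual_mailbox_domains", "virtual_mailbox_maps"]),
    "User unknown in relay recipient table":
        ("relay", ["relay_domains", "relay_recipient_maps"]),
}


@dataclass
class Reject:
    daemon: str            # smtpd = receiving side, before any delivery decision
    stage: str             # SMTP command that was refused, e.g. RCPT
    queued: bool           # False for NOQUEUE: the message never entered the queue
    code: int
    dsn: str
    sender: str
    recipient: str
    reason: str
    address_class: Optional[str]
    check_params: List[str]


def parse_reject(line: str) -> Optional[Reject]:
    """Parse one syslog line; return None if it is not a reject record."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    # Drop the leading "<address>: " so only the reason text remains.
    reason = re.sub(r"^<[^>]*>:\s*", "", m["detail"])
    address_class, params = None, []
    for text, (cls, plist) in ADDRESS_CLASS_HINTS.items():
        if text in reason:
            address_class, params = cls, list(plist)
            break
    return Reject(
        daemon=m["daemon"], stage=m["stage"],
        queued=m["queue_id"] != "NOQUEUE",
        code=int(m["code"]), dsn=m["dsn"],
        sender=m["sender"], recipient=m["rcpt"],
        reason=reason, address_class=address_class, check_params=params,
    )


def receive_side_rejects(log_text: str) -> List[Reject]:
    """Rejects issued by smtpd before queuing.

    For these, delivery-time settings such as sender_dependent_relayhost_maps
    were never consulted, because there was no queued message to deliver.
    """
    parsed = (parse_reject(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r.daemon == "smtpd" and not r.queued]


if __name__ == "__main__":
    for r in receive_side_rejects(SAMPLE_LOG):
        print(r.stage, r.code, r.dsn, r.recipient, "|", r.reason)
        print("  address class:", r.address_class, "| check:", r.check_params)
```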
Re: Sender dependent authentication issue
Hello

Yes, I have two instances of postfix. One is in /etc/postfix and another one is in /etc/postfix2 and both work fine. The problem is with sender dependent authentication that is configured on the second instance and which seems inactive, meaning when second instance of postfix receives an email that should be processed according to those specific rules it does not for some reason.

Sincerely

On 06/09/11 23:03, Jeroen Geilman wrote:

On 06/09/2011 11:00 PM, Dragan Zubac wrote:

sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay

/etc/postfix2 seems to be from a separate instance.
unverified_recipient_tempfail_action = permit
Hi, I don't really know where to post feature ideas, but this seems the only viable option. I was setting up a fallback MX server with Postfix and was struggling with preventing backscatter mail. I thought I found a good solution, but it turned out to be an illegal option. Postfix has the ability to do recipient address verification. When postfix acts as a relay server, this prevents backscatter mail (bounces of messages because the server that is relayed to doesn't accept the user). Backscatter is usually caused by spam of course, because spam is sent to all kinds of users @example.com. I had in mind to use recipient address verification to avoid that and then set unverified_recipient_tempfail_action = permit. The idea behind this was: - Prevent backscatter mail when the primary host is up because every address is verified first. - Accept all mail when the primary host is down, so that incoming messages aren't deferred. But permit is not a valid option for unverified_recipient_tempfail_action. Would it be an idea to implement this? I know I can use permit_mx_backup and permit_mx_backup_networks, but I'd rather not have to maintain a list of networks on the fallback server, partly because I want to be a fallback server for servers that I don't maintain and of which I have no idea if the address changes. Regards, Wiebe
Re: unverified_recipient_tempfail_action = permit
On 2011-06-09 Wiebe Cazemier wrote:

I was setting up a fallback MX server with Postfix and was struggling with preventing backscatter mail. I thought I found a good solution, but it turned out to be an illegal option.

Postfix has the ability to do recipient address verification. When postfix acts as a relay server, this prevents backscatter mail (bounces of messages because the server that is relayed to doesn't accept the user). Backscatter is usually caused by spam of course, because spam is sent to all kinds of users @example.com.

I had in mind to use recipient address verification to avoid that and then set unverified_recipient_tempfail_action = permit. The idea behind this was:

- Prevent backscatter mail when the primary host is up because every address is verified first.
- Accept all mail when the primary host is down, so that incoming messages aren't deferred.

Why? What issue in particular do you see with simply doing recipient verification (and rejection of messages to invalid recipients) on both MXs?

Regards
Ansgar Wiechers
--
Abstractions save us time working, but they don't save us time learning. --Joel Spolsky
Re: Sender dependent authentication issue
Hello

Just to make clear here, so postfix feature to 'route' emails based on the sender address is valid only for outgoing emails not for incoming ones?

Sincerely

On 06/09/11 23:33, Noel Jones wrote:

On 6/9/2011 4:22 PM, Dragan Zubac wrote:

Hello

Yes, I have two instances of postfix. One is in /etc/postfix and another one is in /etc/postfix2 and both work fine. The problem is with sender dependent authentication that is configured on the second instance and which seems inactive, meaning when second instance of postfix receives an email that should be processed according to those specific rules it does not for some reason.

You seem to have missed the point that sender dependent relay is for sending mail. The log snippet you shared earlier shows postfix not receiving the mail, due to an invalid recipient. This has nothing to do with the sender. Fix the recipient first.
Re: Sender dependent authentication issue
Of course. It's a two-step process (well, really more, but we'll call it two here).

1. - mail is received. There are lots of controls for receiving mail based on recipient, originating network, or authentication. None of the decisions to accept mail are based on the sender (you can decide to REJECT mail based on the sender, but not accept).

2. - mail is delivered. There are lots of controls for where and how mail is delivered, a few of which depend on the sender.

You're not getting past step 1.

http://www.postfix.org/BASIC_CONFIGURATION_README.html

On 6/9/2011 5:04 PM, Dragan Zubac wrote:

Hello

Just to make clear here, so postfix feature to 'route' emails based on the sender address is valid only for outgoing emails not for incoming ones?

Sincerely

On 06/09/11 23:33, Noel Jones wrote:

On 6/9/2011 4:22 PM, Dragan Zubac wrote:

Hello

Yes, I have two instances of postfix. One is in /etc/postfix and another one is in /etc/postfix2 and both work fine. The problem is with sender dependent authentication that is configured on the second instance and which seems inactive, meaning when second instance of postfix receives an email that should be processed according to those specific rules it does not for some reason.

You seem to have missed the point that sender dependent relay is for sending mail. The log snippet you shared earlier shows postfix not receiving the mail, due to an invalid recipient. This has nothing to do with the sender. Fix the recipient first.
Re: unverified_recipient_tempfail_action = permit
Well, when the primary is down, all incoming messages on the fallback are deferred, because it can't do the verification. This means the result is the same as having no fallback at all.

Ansgar Wiechers li...@planetcobalt.net wrote:

On 2011-06-09 Wiebe Cazemier wrote:

I was setting up a fallback MX server with Postfix and was struggling with preventing backscatter mail. I thought I found a good solution, but it turned out to be an illegal option.

Postfix has the ability to do recipient address verification. When postfix acts as a relay server, this prevents backscatter mail (bounces of messages because the server that is relayed to doesn't accept the user). Backscatter is usually caused by spam of course, because spam is sent to all kinds of users @example.com.

I had in mind to use recipient address verification to avoid that and then set unverified_recipient_tempfail_action = permit. The idea behind this was:

- Prevent backscatter mail when the primary host is up because every address is verified first.
- Accept all mail when the primary host is down, so that incoming messages aren't deferred.

Why? What issue in particular do you see with simply doing recipient verification (and rejection of messages to invalid recipients) on both MXs?

Regards
Ansgar Wiechers
--
Abstractions save us time working, but they don't save us time learning. --Joel Spolsky
Re: unverified_recipient_tempfail_action = permit
On 2011-06-10 Wiebe Cazemier wrote:

Ansgar Wiechers li...@planetcobalt.net wrote:

On 2011-06-09 Wiebe Cazemier wrote:

I was setting up a fallback MX server with Postfix and was struggling with preventing backscatter mail. I thought I found a good solution, but it turned out to be an illegal option.

Postfix has the ability to do recipient address verification. When postfix acts as a relay server, this prevents backscatter mail (bounces of messages because the server that is relayed to doesn't accept the user). Backscatter is usually caused by spam of course, because spam is sent to all kinds of users @example.com.

I had in mind to use recipient address verification to avoid that and then set unverified_recipient_tempfail_action = permit. The idea behind this was:

- Prevent backscatter mail when the primary host is up because every address is verified first.
- Accept all mail when the primary host is down, so that incoming messages aren't deferred.

Why? What issue in particular do you see with simply doing recipient verification (and rejection of messages to invalid recipients) on both MXs?

Well, when the primary is down, all incoming messages on the fallback are deferred, because it can't do the verification. This means the result is the same as having no fallback at all.

There's more than one way to do recipient verification. Use $relay_recipient_maps on the backup MX.

And don't top-post.

Regards
Ansgar Wiechers
--
Abstractions save us time working, but they don't save us time learning. --Joel Spolsky
Re: Sender dependent authentication issue
Hello

Thank you, this clarifies things a little bit.

Sincerely

On 06/10/11 00:25, Noel Jones wrote:

Of course. It's a two-step process (well, really more, but we'll call it two here).

1. - mail is received. There are lots of controls for receiving mail based on recipient, originating network, or authentication. None of the decisions to accept mail are based on the sender (you can decide to REJECT mail based on the sender, but not accept).

2. - mail is delivered. There are lots of controls for where and how mail is delivered, a few of which depend on the sender.

You're not getting past step 1.

http://www.postfix.org/BASIC_CONFIGURATION_README.html

On 6/9/2011 5:04 PM, Dragan Zubac wrote:

Hello

Just to make clear here, so postfix feature to 'route' emails based on the sender address is valid only for outgoing emails not for incoming ones?

Sincerely

On 06/09/11 23:33, Noel Jones wrote:

On 6/9/2011 4:22 PM, Dragan Zubac wrote:

Hello

Yes, I have two instances of postfix. One is in /etc/postfix and another one is in /etc/postfix2 and both work fine. The problem is with sender dependent authentication that is configured on the second instance and which seems inactive, meaning when second instance of postfix receives an email that should be processed according to those specific rules it does not for some reason.

You seem to have missed the point that sender dependent relay is for sending mail. The log snippet you shared earlier shows postfix not receiving the mail, due to an invalid recipient. This has nothing to do with the sender. Fix the recipient first.
always_bcc for specific sender and recipient only
Hi All,

I want to archive email only for a specific list of senders and a specific list of recipients. How can I achieve this, given that always_bcc will redirect all email? Can anyone please help me with the syntax or an example?

Regards,
Kshitij