Re: Convert from basic to virtual

2012-10-22 Thread Noel Jones
On 10/15/2012 6:06 AM, Dominique wrote:
 Hi list(s),

You asked this last week; the answer is still the same.

http://www.mailinglistarchive.com/html/postfix-users@postfix.org/2012-10/msg00283.html




  -- Noel Jones




 
 A few years ago we setup a simple postfix+Cyrus Mail server in the 
 office (running on Ubuntu server). Across the years, we configured it to 
 send and access our mails from various sources (in the office with tb, 
 on the road though webgui, and recently through smartphones). All is 
 well in the best of worlds. It is really basic configuration with its 
 own certificate with a single domain name.
 
 Recently, we purchased two new domain names for a new project and wanted 
 to include them to our mail server. I went on reading the postfix doc 
 for virtual domains and got lost. Our mail users are independent from 
 the linux users (virtual users) and I found a configuration description 
 that looked like what I wanted. It seems the way to go, especially if we 
 want to continue to add more domains in the future. However, I am not 
 sure how to convert from our basic setup to a virtual domain setup, 
 especially since I cannot find where and how to configure certificates 
 per domain on a server with a single public IP.
 
 Does anyone have experience in converting from one to the other, and 
 is willing to give me pointers for my conversion process? Downtime is not a 
 problem, but not losing the mailboxes is.
 
 I am cross posting on both Postfix and Cyrus list, since I am not sure 
 where to get the answer from.
 
 My current configuration is as follows:
 
 postconf -n
 
 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases
 append_dot_mydomain = no
 biff = no
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 content_filter = smtp-amavis:[127.0.0.1]:10024
 disable_vrfy_command = yes
 inet_interfaces = all
 mailbox_size_limit = 0
 mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
 message_size_limit = 2048
 mydestination = mail.solipym.com, solipym, localhost.localdomain, localhost
 myhostname = mail.solipym.com
 mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128,192.168.1.0/24
 myorigin = /etc/mailname
 policyd-spf_time_limit = 3600
 readme_directory = no
 recipient_delimiter = +
 relayhost = smtp.movistar.es
 sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
 smtp_cname_overrides_servername = no
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 smtp_sasl_type = cyrus
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 smtpd_client_restrictions = permit_mynetworks, 
 permit_sasl_authenticated, check_client_access hash:/etc/postfix/access
 smtpd_delay_reject = yes
 smtpd_error_sleep_time = 15s
 smtpd_hard_error_limit = 20
 smtpd_helo_required = yes
 smtpd_recipient_restrictions = permit_sasl_authenticated, 
 permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, 
 reject_non_fqdn_hostname, reject_non_fqdn_sender, 
 reject_non_fqdn_recipient, reject_unknown_sender_domain, 
 reject_unknown_recipient_domain, reject_unauth_pipelining, 
 reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, 
 reject_rbl_client blackholes.easynet.nl, reject_rbl_client 
 dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, 
 check_policy_service unix:private/policyd-spf
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = smtpd
 smtpd_sender_restrictions = reject_non_fqdn_sender, check_sender_access 
 hash:/etc/postfix/access, check_sender_mx_access hash:/etc/postfix/access
 smtpd_soft_error_limit = 10
 smtpd_tls_CAfile = /etc/ssl/certs/root.crt
 smtpd_tls_cert_file = /etc/ssl/certs/server_mail_solipym_com.pem
 smtpd_tls_key_file = /etc/ssl/private/server.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_use_tls = yes
 virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
 virtual_mailbox_domains = mysql:/etc/postfix/mysql-mydestination.cf
 virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual.cf
 virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
 
 Thanks for your help,
 
 Dominique
 
 
 Cyrus Home Page: http://www.cyrusimap.org/
 List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
 To Unsubscribe:
 https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
 



Re: stat=queue and /var/spool/clientmqueue

2012-10-22 Thread Simone Felici

Il 18/10/2012 17:45, Ralf Hildebrandt ha scritto:

* Simone Felici s.fel...@mclink.eu:




That's sendmail, not postfix.


I know these settings should refer to sendmail and shouldn't have anything 
to do with this issue.
BTW I'm asking here for info on how to manage these mails correctly with
postfix. I'm not 100% sure the problem is in /bin/mail, or if postfix
could simply be configured to look at this queue too.


Maybe you have postfix and sendmail installed side by side and
/bin/mail is using the sendmail's sendmail command



Hi again,

I've found the issue. /bin/mail is by default set up to use sendmail. I've installed 
postfix everywhere, but on some servers I have the issue that the server is logging an outgoing mail with the sendmail 
process, which is then sent out by postfix. In case of delays sendmail uses its own queue, not known by 
postfix. The sendmail binary is a symlink to /etc/alternatives/mta and this is another symlink to 
/usr/sbin/sendmail.sendmail for the servers where I'm registering the issue. On the other servers it 
links to /usr/sbin/sendmail.postfix. After changing the symlink I'm now logging postfix/pickup instead of 
the sendmail process.


In case this could help someone in the future :)

Bye Simon
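
As an added example (not part of Simone's post), here is a shell check for the situation he describes: which binary a host's `sendmail` command finally resolves to, and whether anything is stranded in sendmail's client queue, which Postfix never looks at. The symlink chain and queue files are constructed in a temporary directory to mirror the `/usr/sbin/sendmail -> /etc/alternatives/mta -> sendmail.*` layout from the post; the function names, and the classification by the alternatives' file names (`sendmail.postfix` versus `sendmail.sendmail`), are this example's own assumptions. On a real host you would call `mta_backend /usr/sbin/sendmail` and `stranded_count /var/spool/clientmqueue`.

```shell
#!/bin/sh
# Added example: audit which MTA the sendmail command really is, and whether
# sendmail's client queue holds mail that Postfix will never deliver.

# mta_backend <path>: resolves the whole symlink chain with readlink -f and
# prints "postfix", "sendmail" or "other" based on the final file name used
# by the alternatives system (an assumption of this example).
mta_backend() {
  target=$(readlink -f "$1") || { echo missing; return 1; }
  case $(basename "$target") in
    sendmail.postfix)  echo postfix ;;
    sendmail.sendmail) echo sendmail ;;
    *)                 echo other ;;
  esac
}

# mta_target <path>: prints the resolved path, for the admin's eyes.
mta_target() { readlink -f "$1"; }

# point_mta_at <alternatives-link> <binary>: repoint the mta alternative
# (what `alternatives --set mta ...` does on RHEL-like systems).
point_mta_at() { ln -sf "$2" "$1"; }

# stranded_count <clientmqueue-dir>: number of sendmail queue control files
# (qf*) in the directory; anything non-zero on a Postfix host is stranded mail.
stranded_count() {
  [ -d "$1" ] || { echo 0; return 0; }
  find "$1" -maxdepth 1 -name 'qf*' | wc -l | tr -d ' '
}

# --- constructed lab layout (not a real host) ---------------------------
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/usr/sbin" "$LAB/etc/alternatives" "$LAB/var/spool/clientmqueue"
: > "$LAB/usr/sbin/sendmail.sendmail"
: > "$LAB/usr/sbin/sendmail.postfix"
ln -s "$LAB/usr/sbin/sendmail.sendmail" "$LAB/etc/alternatives/mta"
ln -s "$LAB/etc/alternatives/mta" "$LAB/usr/sbin/sendmail"
# one stranded message: sendmail keeps a qf (control) and df (data) file
: > "$LAB/var/spool/clientmqueue/qfq9MHxyz000123"
: > "$LAB/var/spool/clientmqueue/dfq9MHxyz000123"

echo "sendmail is: $(mta_backend "$LAB/usr/sbin/sendmail") ($(mta_target "$LAB/usr/sbin/sendmail"))"
echo "stranded in clientmqueue: $(stranded_count "$LAB/var/spool/clientmqueue")"
point_mta_at "$LAB/etc/alternatives/mta" "$LAB/usr/sbin/sendmail.postfix"
echo "after repointing: $(mta_backend "$LAB/usr/sbin/sendmail")"
```

Run it across a fleet and alert on any host that answers `sendmail` or `other`, or on a non-zero stranded count; that is exactly the silent failure the post describes, because the stranded mail never appears in `mailq` on the Postfix side.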


Fwd: Re: Fwd: Re: MX vs A records (SOLVED)

2012-10-22 Thread Tom Kinghorn



On 18/10/2012 14:41, Noel Jones wrote:

On 10/18/2012 5:04 AM, Tom Kinghorn wrote:


DO NOT send debug log files unless specifically requested.  Normal
log files are sufficient.


And a friendly reminder that splitting required troubleshooting info
up between multiple messages greatly reduces the chance of getting help.

   -- Noel Jones



Hi List.
Just to let you know that I had a typo in the main.cf which is why this was not 
working.

Thanks to all who replied.

Regards
Tom






Re: MX vs A records (SOLVED)

2012-10-22 Thread Reindl Harald


Am 22.10.2012 15:29, schrieb Tom Kinghorn:
 
 
 On 18/10/2012 14:41, Noel Jones wrote:
 On 10/18/2012 5:04 AM, Tom Kinghorn wrote:

 DO NOT send debug log files unless specifically requested.  Normal
 log files are sufficient.


 And a friendly reminder that splitting required troubleshooting info
 up between multiple messages greatly reduces the chance of getting help.

-- Noel Jones

 
 Hi List.
 Just to let you know that I had a typo in the main.cf which is why this was 
 not working.
 
 Thanks to all who replied.

It would be nice to have the example config with the corrected typo at the
end of the thread, to help others who find this in the archives!





Re: MX vs A records (SOLVED)

2012-10-22 Thread Tom Kinghorn

On 22/10/2012 15:32, Reindl Harald wrote:


Am 22.10.2012 15:29, schrieb Tom Kinghorn:


On 18/10/2012 14:41, Noel Jones wrote:

On 10/18/2012 5:04 AM, Tom Kinghorn wrote:

DO NOT send debug log files unless specifically requested.  Normal
log files are sufficient.


And a friendly reminder that splitting required troubleshooting info
up between multiple messages greatly reduces the chance of getting help.

-- Noel Jones


Hi List.
Just to let you know that I had a typo in the main.cf which is why this was not 
working.

Thanks to all who replied.

It would be nice to have the example config with the corrected typo at the
end of the thread, to help others who find this in the archives!


apologies.
snip

smtpd_recipient_restrictions =
check_recipient_ns_access 
hash:/etc/postfix/recipient_nameserver_host,
check_recipient_access 
hash:/etc/postfix/recipient_access_whitelist,
check_recipient_access 
hash:/etc/postfix/recipient_access_blacklist,

snip


I checked the config and found that the lines did not end with a comma.
As soon as I added it, the access rule started working and mails were 
redirected (I changed REJECT to REDIRECT)


Regards
Tom





Re: MX vs A records (SOLVED)

2012-10-22 Thread Wietse Venema
Tom Kinghorn:
  It would be nice to have the example config with the corrected typo at the
  end of the thread, to help others who find this in the archives!
 
 apologies.
 snip
 
 smtpd_recipient_restrictions =
  check_recipient_ns_access 
 hash:/etc/postfix/recipient_nameserver_host,
  check_recipient_access 
 hash:/etc/postfix/recipient_access_whitelist,
  check_recipient_access 
 hash:/etc/postfix/recipient_access_blacklist,
 snip
 
 
 I checked the config and found that the lines did not end with a comma.
 As soon as I added it, the access rule started working and mails were 
 redirected (I changed REJECT to REDIRECT)

What program are you using to edit main.cf?

Wietse


Re: MX vs A records (SOLVED)

2012-10-22 Thread Noel Jones
On 10/22/2012 8:39 AM, Tom Kinghorn wrote:
 On 22/10/2012 15:32, Reindl Harald wrote:

 Am 22.10.2012 15:29, schrieb Tom Kinghorn:

 On 18/10/2012 14:41, Noel Jones wrote:
 On 10/18/2012 5:04 AM, Tom Kinghorn wrote:
 DO NOT send debug log files unless specifically requested.  Normal
 log files are sufficient.


 And a friendly reminder that splitting required troubleshooting
 info
 up between multiple messages greatly reduces the chance of
 getting help.

 -- Noel Jones

 Hi List.
 Just to let you know that i had a typo in the main.cf which is
 why this was not working.

 Thanks to all who replied.
 It would be nice to have the example config with the corrected typo at the
 end of the thread, to help others who find this in the
 archives!

 apologies.
 snip
 
 smtpd_recipient_restrictions =
 check_recipient_ns_access
 hash:/etc/postfix/recipient_nameserver_host,
 check_recipient_access
 hash:/etc/postfix/recipient_access_whitelist,
 check_recipient_access
 hash:/etc/postfix/recipient_access_blacklist,
 snip
 
 
 I checked the config and found that the lines did not end with a comma.
 As soon as I added it, the access rule started working and mails
 were redirected (I changed REJECT to REDIRECT)

FALSE.  The commas are not required; adding them should have no
effect.

Maybe there was some garbage in the file that got removed when you
edited it, or maybe you're using some non-text editor that screws up
the line endings.




  -- Noel Jones


Re: MX vs A records (SOLVED)

2012-10-22 Thread Tom Kinghorn

On 22/10/2012 15:51, Wietse Venema wrote:

Tom Kinghorn:

It would be nice to have the example config with the corrected typo at the
end of the thread, to help others who find this in the archives!


apologies.
snip

smtpd_recipient_restrictions =
  check_recipient_ns_access
hash:/etc/postfix/recipient_nameserver_host,
  check_recipient_access
hash:/etc/postfix/recipient_access_whitelist,
  check_recipient_access
hash:/etc/postfix/recipient_access_blacklist,
snip


I checked the config and found that the lines did not end with a comma.
As soon as I added it, the access rule started working and mails were
redirected (I changed REJECT to REDIRECT)

What program are you using to edit main.cf?

Wietse


Hi Wietse.
This was an inherited system as the previous admin was laid-off.

As far as I know, they used vi (as do I, however I use vim)

thx
Tom


Re: MX vs A records (SOLVED)

2012-10-22 Thread Tom Kinghorn

On 22/10/2012 15:55, Noel Jones wrote:

On 10/22/2012 8:39 AM, Tom Kinghorn wrote:

On 22/10/2012 15:32, Reindl Harald wrote:

Am 22.10.2012 15:29, schrieb Tom Kinghorn:

On 18/10/2012 14:41, Noel Jones wrote:

On 10/18/2012 5:04 AM, Tom Kinghorn wrote:

DO NOT send debug log files unless specifically requested.  Normal
log files are sufficient.


And a friendly reminder that splitting required troubleshooting
info
up between multiple messages greatly reduces the chance of
getting help.

 -- Noel Jones


Hi List.
Just to let you know that I had a typo in the main.cf which is
why this was not working.

Thanks to all who replied.

It would be nice to have the example config with the corrected typo at the
end of the thread, to help others who find this in the
archives!


apologies.
snip

smtpd_recipient_restrictions =
 check_recipient_ns_access
hash:/etc/postfix/recipient_nameserver_host,
 check_recipient_access
hash:/etc/postfix/recipient_access_whitelist,
 check_recipient_access
hash:/etc/postfix/recipient_access_blacklist,
snip


I checked the config and found that the lines did not end with a comma.
As soon as I added it, the access rule started working and mails
were redirected (I changed REJECT to REDIRECT)

FALSE.  The commas are not required; adding them should have no
effect.

Maybe there was some garbage in the file that got removed when you
edited it, or maybe you're using some non-text editor that screws up
the line endings.




   -- Noel Jones


Thanks for the info.

I merely posted what was done and the result.

I am grateful to know they are not required,


Re: MX vs A records (SOLVED)

2012-10-22 Thread Wietse Venema
Tom Kinghorn:
  I checked the config and found that the lines did not end with a comma.
  As soon as I added it, the access rule started working and mails were
  redirected (I changed REJECT to REDIRECT)
  What program are you using to edit main.cf?

 Hi Wietse.
 This was an inherited system as the previous admin was laid-off.
 
 As far as I know, they used vi (as do I, however I use vim)

I suspect there was garbage at the end of lines. Postfix logs
warnings in the maillog file when smtpd_xxx_restrictions contains
unrecognized content.

Wietse
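
Noel suspects an editor that mangled line endings and Wietse suspects garbage at the end of lines; the added example below (not from any post in this thread) is a check for exactly that. Postfix splits a restriction list on whitespace and commas, so a stray CR from DOS line endings, or a UTF-8 no-break space pasted from a web page, glues itself to the neighbouring token, which Postfix then logs as an unknown restriction. The script flags every byte outside printable ASCII plus TAB, shows the offending lines with the bytes spelled out, and writes a cleaned copy for diffing. The two sample main.cf files are constructed inline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: find non-text bytes hidden in a Postfix main.cf.
# Constructed sample data only; run the functions against /etc/postfix/main.cf
# on a real host.

TAB=$(printf '\t')

# count_garbage_lines <file>: prints how many lines contain a byte outside
# printable ASCII plus TAB.  Exit status is 0 unless the file is unreadable
# (grep's "no match" status 1 is mapped to success, status 2 is kept).
count_garbage_lines() {
  LC_ALL=C grep -c "[^ -~$TAB]" "$1" || [ $? -eq 1 ]
}

# show_garbage_lines <file>: prints the offending lines, numbered, with the
# non-printable bytes written as escapes (\r, \302\240 ...) by POSIX `sed -n l`.
show_garbage_lines() {
  LC_ALL=C grep -n "[^ -~$TAB]" "$1" | LC_ALL=C sed -n l
}

# strip_garbage <in> <out>: writes a copy with CR removed and any other stray
# byte replaced by a space, so `diff <in> <out>` shows what the editor hid.
strip_garbage() {
  LC_ALL=C tr -d '\r' < "$1" | LC_ALL=C tr -c ' -~\n'"$TAB" '[ *]' > "$2"
}

# --- constructed sample: line 3 ends in CR, line 4 has a no-break space ----
SAMPLE_MAIN_CF=$(mktemp)
CLEAN_MAIN_CF=$(mktemp)
trap 'rm -f "$SAMPLE_MAIN_CF" "$CLEAN_MAIN_CF"' EXIT
printf '%s\n' \
  'smtpd_recipient_restrictions =' \
  '    check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,' \
  "    check_recipient_access hash:/etc/postfix/recipient_access_whitelist,$(printf '\r')" \
  "    check_recipient_access hash:/etc/postfix/recipient_access_blacklist$(printf '\302\240')," \
  '    reject_unauth_destination' > "$SAMPLE_MAIN_CF"

echo "garbage lines in sample: $(count_garbage_lines "$SAMPLE_MAIN_CF")"
show_garbage_lines "$SAMPLE_MAIN_CF"
strip_garbage "$SAMPLE_MAIN_CF" "$CLEAN_MAIN_CF"
echo "garbage lines after stripping: $(count_garbage_lines "$CLEAN_MAIN_CF")"
```

On the sample, lines 3 and 4 are reported; line 4 is the interesting one, because `reject_unauth_destination` style tokens followed by a no-break space look correct in every editor yet arrive at Postfix as a different word. Check the maillog for the warning Wietse mentions before and after fixing the file, and keep the `diff` of the two copies with your change record.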


Re: MX vs A records (SOLVED)

2012-10-22 Thread Tom Kinghorn

On 22/10/2012 16:09, Wietse Venema wrote:

Tom Kinghorn:

I suspect there was garbage at the end of lines. Postfix logs
warnings in the maillog file when smtpd_xxx_restrictions contains
unrecognized content.

Wietse


Thanks for the response Wietse.

Thanks to all who helped.

regards
Tom


Latest package for RHEL6

2012-10-22 Thread Lima Union
Hi all! Does anyone know where I can find the latest postfix release
(2.9.x) for RHEL 6 x86_64 from some 'trusted' source? Unfortunately
Simon Mudd didn't post any package for this platform yet.
Thanks in advance.
LU


Re: Alert of unusually large queue

2012-10-22 Thread Jan P. Kessler

 I'm not sure, if sending an e-mail about a full mailqueue-condition is
 the best way to go ;-)
 depends

 if you have no bulk-mail on your server it will take not too long
 to find a good value to adjust the 50 and as example if I have
 500 queued messages I like to look if there is something going
 wrong


What I meant was that there is a good chance that you will not receive
this notification, because whatever condition causes your mails to get stuck
in the queue could stop that notification, too ;-)

As mentioned by other posters you should set up a real monitoring
system, that periodically checks your queue or generates an alert (e.g.
snmp trap) on the server which does not rely on the mechanism that you
are trying to monitor (here smtp).

cheers, jpk



Re: Latest package for RHEL6

2012-10-22 Thread Morten Stevens

On 22.10.2012 16:40, Lima Union wrote:

Hi all! Does anyone know where I can find the latest postfix release
(2.9.x) for RHEL 6 x86_64 from some 'trusted' source? Unfortunately
Simon Mudd didn't post any package for this platform yet.
Thanks in advance.
LU


Hi,

I have backported Postfix 2.9.x for my company and I am also package 
maintainer for Fedora.


Here are my latest builds for el6:
http://mstevens.fedorapeople.org/el6/postfix/

Best regards,

Morten


Re: Alert of unusually large queue

2012-10-22 Thread Wietse Venema
Jan P. Kessler:
 As mentioned by other posters you should set up a real monitoring
 system, that periodically checks your queue or generates an alert (e.g.
 snmp trap) on the server which does not rely on the mechanism that you
 are trying to monitor (here smtp).

To monitor an SMTP server, try to send a test message into it, and
raise an alarm if that test message is not delivered to mailbox or
smtp within some deadline.

Wietse
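
Jan's point (check the queue from a path that does not depend on SMTP) and Wietse's (send a probe and alarm when it fails to arrive by a deadline) combine into the added example below, which is not from either post. It parses `postqueue -p` output to count queued and deferred messages, turns that into a pass/fail check whose alert line you hand to syslog, an SNMP trap or an SMS gateway rather than to `mail`, and checks a Maildir for a probe message carrying a token in an `X-Canary:` header. The queue listing and the Maildir are constructed sample data; the header name, the function names and the threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: out-of-band queue checks for a Postfix host, meant to be run
# from cron or a monitoring agent.  Constructed sample data only.

# queue_depth: reads `postqueue -p` output on stdin and prints "<total> <deferred>".
# A queue ID followed by '*' is in the active queue and one followed by '!'
# is on hold; an ID without a marker is deferred.
queue_depth() {
  awk '
    /^[0-9A-Za-z]+[*!]? +[0-9]+ / {
      total++
      if ($1 !~ /[*!]$/) deferred++
    }
    END { printf "%d %d\n", total + 0, deferred + 0 }'
}

# check_queue <max-deferred>: reads `postqueue -p` output on stdin; returns 1
# and prints an alert line on stderr when more than <max-deferred> messages
# are deferred.  Route that line through a channel other than SMTP.
check_queue() {
  set -- "$1" $(queue_depth)          # $1=limit  $2=total  $3=deferred
  if [ "$3" -gt "$1" ]; then
    echo "ALERT: $3 of $2 queued messages deferred (limit $1)" >&2
    return 1
  fi
  return 0
}

# canary_delivered <maildir> <token>: 0 when a message with "X-Canary: <token>"
# has arrived in new/ or cur/.  Send the probe at the start of each interval
# and call this at the deadline; a missing token means the path is broken.
canary_delivered() {
  grep -rq "^X-Canary: $2\$" "$1/new" "$1/cur" 2>/dev/null
}

# --- constructed sample: postqueue -p with one active and two deferred ------
SAMPLE_POSTQUEUE=$(cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3BCF31A2B9*    1234 Mon Oct 22 10:15:01  alice@example.com
                                         bob@example.net

4C1D21A2BA     2048 Mon Oct 22 10:02:11  alice@example.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         carol@example.org

5D2E31A2BB     4096 Mon Oct 22 09:58:40  postmaster@example.com
(host mx.example.net[192.0.2.20] said: 451 4.7.1 try later)
                                         dave@example.net

-- 7 Kbytes in 3 Requests.
EOF
)

# --- constructed sample Maildir holding one delivered probe -----------------
CANARY_DIR=$(mktemp -d)
trap 'rm -rf "$CANARY_DIR"' EXIT
mkdir -p "$CANARY_DIR/new" "$CANARY_DIR/cur" "$CANARY_DIR/tmp"
printf 'From: probe@example.com\nSubject: probe\nX-Canary: probe-20121022-1\n\nping\n' \
  > "$CANARY_DIR/new/1350900000.P1.mail.example.com"

echo "total deferred: $(printf '%s\n' "$SAMPLE_POSTQUEUE" | queue_depth)"
printf '%s\n' "$SAMPLE_POSTQUEUE" | check_queue 1 || echo "queue check raised an alert"
canary_delivered "$CANARY_DIR" probe-20121022-1 && echo "probe 1 arrived"
canary_delivered "$CANARY_DIR" probe-20121022-2 || echo "probe 2 missing: alarm"
```

In production replace the sample with `postqueue -p | check_queue 50` (50 being the figure discussed earlier in the thread) and have the probe sent by a host other than the one being watched, so that a wedged MTA cannot suppress its own alarm.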


Re: Latest package for RHEL6

2012-10-22 Thread Patrick Lists

On 10/22/2012 04:56 PM, Morten Stevens wrote:
[snip]
  I have backported Postfix 2.9.x for my company and I am also package

maintainer for Fedora.

Here are my latest builds for el6:
http://mstevens.fedorapeople.org/el6/postfix/


Would you mind making the SRPM also available?

Regards,
Patrick



Re: Latest package for RHEL6

2012-10-22 Thread Patrick Lists

On 10/22/2012 05:29 PM, Patrick Lists wrote:

On 10/22/2012 04:56 PM, Morten Stevens wrote:
[snip]
   I have backported Postfix 2.9.x for my company and I am also package

maintainer for Fedora.

Here are my latest builds for el6:
http://mstevens.fedorapeople.org/el6/postfix/


Would you mind making the SRPM also available?


Please ignore. The SRPM lives in the x86_64 directory while I was 
looking for an SRPM directory at the i386 and x86_64 level.


Regards,
Patrick




Re: Latest package for RHEL6

2012-10-22 Thread Lima Union
On Mon, Oct 22, 2012 at 11:56 AM, Morten Stevens
mstev...@imt-systems.com wrote:
 On 22.10.2012 16:40, Lima Union wrote:

 Hi all! Does anyone know where I can find the latest postfix release
 (2.9.x) for RHEL 6 x86_64 from some 'trusted' source? Unfortunately
 Simon Mudd didn't post any package for this platform yet.
 Thanks in advance.
 LU


 Hi,

 I have backported Postfix 2.9.x for my company and I am also package
 maintainer for Fedora.

 Here are my latest builds for el6:
 http://mstevens.fedorapeople.org/el6/postfix/

 Best regards,

 Morten

cool!! thank you so much!


RE: Alert of unusually large queue

2012-10-22 Thread James Day


 -Original Message-
 From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
 us...@postfix.org] On Behalf Of Jan P. Kessler
 Sent: 22 October 2012 15:44
 To: postfix-users@postfix.org
 Subject: Re: Alert of unusually large queue
 
 
  I'm not sure, if sending an e-mail about a full mailqueue-condition
  is the best way to go ;-)
  depends
 
   if you have no bulk-mail on your server it will take not too long to
   find a good value to adjust the 50 and as example if I have
   500 queued messages I like to look if there is something going wrong
 
 
  What I meant was that there is a good chance that you will not receive
  this notification, because whatever condition causes your mails to get stuck
  in the queue could stop that notification, too ;-)
 
 As mentioned by other posters you should set up a real monitoring
 system, that periodically checks your queue or generates an alert (e.g.
 snmp trap) on the server which does not rely on the mechanism that you
 are trying to monitor (here smtp).
 
 cheers, jpk

That's a good point, it might be worthwhile looking into something like a PHP 
script that interfaces with an SMS API. I've seen that done in the past.

Kind regards,

James Day
(IT Engineer)


Re: Any best practices for stacking filters?

2012-10-22 Thread Wietse Venema
Quanah Gibson-Mount:
 wie...@porcupine.org wrote:
  It's much easier to tell people not to use Milters before a proxy
  filter...
 
 If you use the milter after the proxy server, which is what I'm currently 
 doing, then I run into the following problem:

You just confirmed the limitation that I explained at length, so I
won't repeat that diatribe.

One suggestion I can make is to avoid mixing mail streams from
outside with mail streams from inside, before your mail is signed.

For example,

- Use before-queue filters for mail from outside so that you can
  reject mail before it hits the queue.

- Use after-queue filters for mail from inside. Then, your mail
  from inside is not affected by the limitation. You can sign it
  with dkim-milter and the like.

I suspect that you could feed both mail streams into the same Amavis
content filter.

Wietse


ESMTP: keys and passwords

2012-10-22 Thread thorsopia
Hello,

I'm trying to configure ESMTP using this guide [1].

$ touch smtpd.key
$ chmod 600 smtpd.key
$ openssl genrsa 4096 > smtpd.key
$ openssl req -new -key smtpd.key -x509 -days 730 -out smtpd.crt
...
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mail.example.com
Email Address []:ad...@example.com

(I'm using example.com as a placeholder.)

$ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem \
-out cacert.pem -days 730
...
-
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mail.example.com
Email Address []:ad...@example.com

The above generated a 1024 bit RSA private key. How to create a 4096 bit key?

I'm going to send messages via Gnus. My .gnus.el:

(setq message-send-mail-function 'smtpmail-send-it)
(setq smtpmail-starttls-credentials '(("mail.example.com" 25 nil nil)))
(setq smtpmail-auth-credentials '(("mail.example.com" 25 "admin" nil)))
(setq smtpmail-default-smtp-server "mail.example.com")
(setq smtpmail-smtp-service 25)
(setq starttls-use-gnutls t)

Docs say that I'll be prompted for a password. Which one should I use?
Should I specify the one for the RSA private key ($ openssl req \
-new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem \
-days 730)?

[1] https://help.ubuntu.com/community/Postfix




Re: ESMTP: keys and passwords

2012-10-22 Thread Reindl Harald


Am 22.10.2012 21:45, schrieb thorso...@lavabit.com:
 Hello,
 The above generated a 1024 bit RSA private key. How to create a 4096 bit key?

the following is for 2048 bit
replace 2048 by whatever you want

alter the template for your needs (partly German)
this is a script/template I have been using for years for any http/mail-cert
regardless of whether it is used as self signed or the csr is submitted to thawte

[root@buildserver:/buildserver/ssl-cert]$ cat generate-cert.sh
#!/bin/bash
# usage: generate-cert.sh <servername>
WORKING_DIR=/buildserver/ssl-cert
OUT_DIR=$WORKING_DIR/$1
mkdir $OUT_DIR 2> /dev/null
chmod 700 $OUT_DIR
if [ "$1" == "" ]; then
 echo "MISSING SERVERNAME"
 echo ""
 exit
fi
rm -f $OUT_DIR/$1.key
rm -f $OUT_DIR/$1.csr
rm -f $OUT_DIR/$1.crt
rm -f $OUT_DIR/$1.pem
# put the server name into the openssl config template
sed s/my_common_name/$1/g $WORKING_DIR/openssl.conf.template > $WORKING_DIR/openssl.conf
# private key, CSR (what you hand to the CA) and a self-signed certificate
openssl genrsa -out $OUT_DIR/$1.key 2048
openssl req -config $WORKING_DIR/openssl.conf -new -key $OUT_DIR/$1.key -out $OUT_DIR/$1.csr
openssl x509 -req -days 3650 -in $OUT_DIR/$1.csr -signkey $OUT_DIR/$1.key -out $OUT_DIR/$1.crt
# combined cert+key file for daemons that want a single PEM
cat $OUT_DIR/$1.crt $OUT_DIR/$1.key > $OUT_DIR/$1.pem


[root@buildserver:/buildserver/ssl-cert]$ cat openssl.conf.template
[ req ]
prompt  = yes
default_bits= 1024
distinguished_name  = req_DN
string_mask = nombstr
[ req_DN ]
countryName = 1. Landeskennung  
countryName_default = AT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = 2. Bundesland  
stateOrProvinceName_default = your_province
localityName= 3. Stadt  
localityName_default= your_city
0.organizationName  = 4. Firmenname  
0.organizationName_default  = your_comapny
organizationalUnitName  = 5. Abteilung  
organizationalUnitName_default  = your_department
commonName  = 6. Server-Name  
commonName_max  = 64
commonName_default  = my_common_name
emailAddress= 7. Mail-Adresse  
emailAddress_max= 40
emailAddress_default= your_email

 Docs say that I'll be prompted for a password. Which one should I use?
 Should I specify the one for the RSA private key ($ openssl req \
 -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem \
 -days 730)?

you do NOT really want a password
how should it be entered in the boot process?
what sense would it make if it is stored in cleartext on the server?



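
The key size question has a one-flag answer that neither post spells out, so here is an added example (not Reindl's script and not from the Ubuntu guide the original poster followed): `openssl req -new -x509 -keyout ...` without `-newkey` generates a fresh key of whatever `default_bits` the openssl.cnf sets (1024 in the poster's case), and `-newkey rsa:4096` overrides that. The script creates key and certificate in one non-interactive call, leaves the key unencrypted (`-nodes`) for the reason Reindl gives, namely that smtpd has to read it at startup with nobody at a prompt, relies on `umask 077` for the 0600 file mode, and then verifies the key size, the key/certificate pairing, the CN and the subjectAltName. `mail.example.com` is the poster's placeholder; the function names are this example's own; `-addext` and `x509 -ext` need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: 4096-bit key and self-signed smtpd certificate, non-interactive,
# followed by the checks an admin should run before pointing Postfix at the files.

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

# make_selfsigned <dir> <hostname> [days]: writes <dir>/smtpd.key (mode 0600,
# no passphrase) and <dir>/smtpd.crt with CN and SAN set to <hostname>.
make_selfsigned() {
  ( umask 077
    openssl req -new -x509 -newkey rsa:4096 -nodes -days "${3:-730}" \
      -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
      -keyout "$1/smtpd.key" -out "$1/smtpd.crt" 2>/dev/null )
}

# key_bits <keyfile>: prints the RSA modulus size in bits
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# key_matches_cert <keyfile> <certfile>: 0 when the certificate carries this key
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# cert_cn <certfile>: prints the subject CN (handles "CN = x" and "/CN=x" forms)
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_has_san <certfile> <hostname>: 0 when the SAN extension lists the name
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

CERT_DIR=$(mktemp -d)
trap 'rm -rf "$CERT_DIR"' EXIT
make_selfsigned "$CERT_DIR" mail.example.com 730
echo "key: $(key_bits "$CERT_DIR/smtpd.key") bit, CN=$(cert_cn "$CERT_DIR/smtpd.crt")"
key_matches_cert "$CERT_DIR/smtpd.key" "$CERT_DIR/smtpd.crt" && echo "key and cert match"
ls -l "$CERT_DIR"
```

For Postfix the two files map onto `smtpd_tls_key_file` and `smtpd_tls_cert_file`; keep the key root-owned and 0600, which is the protection that replaces the passphrase. The same `-newkey rsa:4096` flag fixes the poster's second command (the one with `-keyout cakey.pem`), which is where the unwanted 1024-bit key came from.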


Re: Any best practices for stacking filters?

2012-10-22 Thread Quanah Gibson-Mount
--On Monday, October 22, 2012 3:33 PM -0400 Wietse Venema 
wie...@porcupine.org wrote:



One suggestion I can make is to avoid mixing mail streams from
outside with mail streams from inside, before your mail is signed.

For example,

- Use before-queue filters for mail from outside so that you can
  reject mail before it hits the queue.

- Use after-queue filters for mail from inside. Then, your mail
  from inside is not affected by the limitation. You can sign it
  with dkim-milter and the like.


Hi Wieste,

As I noted in my original mail, I already use the filters to separate out 
the streams:


smtpd_sender_restrictions = check_sender_access 
regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, 
permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access 
regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re


zimbra@zre-ldap002:~/postfix/conf$ cat tag_as_originating.re
/^/  FILTER smtp-amavis:[127.0.0.1]:10026

zimbra@zre-ldap002:~/postfix/conf$ cat tag_as_foreign.re
/^/  FILTER smtp-amavis:[127.0.0.1]:10024


So I believe I am already, as you said, diverting the mail into different 
streams.  Both of which go to Amavis.  I.e., originating mail gets directed 
to amavis on port 10026.  Foreign mail goes to amavis on port 10024.  Which 
gets me into the entire problem I'm having now.  Or am I misunderstanding 
what you said?


Mail gets re-injected from Amavis to Postfix on port 10025.  Then it is 
signed.  The problem is, at that point, Amavis is already done with the 
mail.  So again, I think I'm doing what you suggest, but I can't figure out 
how to get it to sign the mail via OpenDKIM prior to Amavis processing.


Here's my master.cf again as well:

smtp  inet  n   -   n   -   -   smtpd
   -o content_filter=scan:[127.0.0.1]:10029
465inet  n   -   n   -   -   smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o content_filter=scan:[127.0.0.1]:10029
submission inet n  -   n   -   -   smtpd
   -o smtpd_etrn_restrictions=reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_tls_security_level=may
scan  unix  -   -   n   -   10  smtp
   -o smtp_send_xforward_command=yes
   -o disable_mime_output_conversion=yes
   -o smtp_generic_maps=
pickupfifo  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
tlsmgrunix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounceunix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verifyunix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
smtp  unix  -   -   n   -   -   smtp
relay unix  -   -   n   -   -   smtp
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scacheunix  -   -   n   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
 flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -   n   n   -   -   pipe
 flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus unix  -   n   n   -   -   pipe
 user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp  unix  -   n   n   -   -   pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail 
($recipient)

ifmailunix  -   n   n   -   -   pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
 flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop 
$recipient

smtp-amavis unix -  -   n   -   10  smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
127.0.0.1:10025 inet n  -   n   -   -  smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o virtual_mailbox_maps=
   -o virtual_alias_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o 

Re: Any best practices for stacking filters?

2012-10-22 Thread Quanah Gibson-Mount
--On Monday, October 22, 2012 1:03 PM -0700 Quanah Gibson-Mount 
qua...@zimbra.com wrote:




Hi Wieste,


Wietse even.  Sorry. ;)


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: Any best practices for stacking filters?

2012-10-22 Thread Wietse Venema
Quanah Gibson-Mount:
 --On Monday, October 22, 2012 3:33 PM -0400 Wietse Venema 
 wie...@porcupine.org wrote:
 
  One suggestion I can make is to avoid mixing mail streams from
  outside with mail streams from inside, before your mail is signed.
 
  For example,
 
  - Use before-queue filters for mail from outside so that you can
reject mail before it hits the queue.
 
  - Use after-queue filters for mail from inside. Then, your mail
from inside is not affected by the limitation. You can sign it
with dkim-milter and the like.
 
 As I noted in my original mail, I already use the filters to separate out 
 the streams:

My example CAN sign mail with dkim-milter before it hits the Amavis
filter.

Your example CANNOT sign mail with dkim-milter before it hits the
Amavis filter.

Wietse


Re: Any best practices for stacking filters?

2012-10-22 Thread Quanah Gibson-Mount
--On Monday, October 22, 2012 4:24 PM -0400 Wietse Venema 
wie...@porcupine.org wrote:



My example CAN sign mail with dkim-milter before it hits the Amavis
filter.

Your example CANNOT sign mail with dkim-milter before it hits the
Amavis filter.


I believe what you are saying is that I should adjust my originating filter 
to go to another postfix agent, rather than amavis.  That postfix agent 
triggers signing, and then passes the mail on to amavis on port 10026. 
Correct?


--Quanah



Re: Any best practices for stacking filters?

2012-10-22 Thread Wietse Venema
Quanah Gibson-Mount:
 --On Monday, October 22, 2012 4:24 PM -0400 Wietse Venema 
 wie...@porcupine.org wrote:
 
  My example CAN sign mail with dkim-milter before it hits the Amavis
  filter.
 
  Your example CANNOT sign mail with dkim-milter before it hits the
  Amavis filter.
 
 I believe what you are saying is that I should adjust my originating filter 
 to go to another postfix agent, rather than amavis.  That postfix agent 
 triggers signing, and then passes the mail on to amavis on port 10026. 
 Correct?

1) Use the before-queue filter for mail from outside:

external clients -> smtpd -> Amavis ...

2) Use the after-queue filter for mail from inside:

internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...

Wietse


Re: local_header_rewrite_clients behaving weird

2012-10-22 Thread Dominik George

 But as a matter of fact, both test clients are covered by 
 permit_inet_interfaces, the default for local_header_rewrite_clients. Plus, 
 rewrites stopped working without changing Postfix version or config.

OK, can it. I got it.


http://www.postfix.org/postconf.5.html#local_header_rewrite_clients

permit_inet_interfaces
Append the domain name in $myorigin or $mydomain when the client IP 
   address matches $inet_interfaces. This is enabled by default.


This says everything. However, what happened to that system is a complete 
mystery to me. The problem began to show within the last two weeks and we 
sure as hell weren't using Postfix 2.2 before that.

Oh well, never mind.

-nik


Re: postfix SMTP AUTH

2012-10-22 Thread William Holt
Hi Rob, thanks. I use the reserved addresses because I'm testing the
box via the local net (my laptop). I have everything set up straight
through GoDaddy to my router; I just forward the ports when I'm ready.

I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
the way, do you know of any docs which list and explain the sasl and
tls options?

This is the result of saslfinger... I'm looking at it now, but I
forwarded it to you...

code
postfix start
postfix/postfix-script: starting the Postfix mail system
[root@messenger saslfinger-1.0.3]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Mon Oct 22 17:45:14 EDT 2012
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.9.4
System: Arch Linux \r (\l)

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7712000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/ssl/private/CA-Messenger-key.pem
smtpd_tls_cert_file = /etc/postfix/smtpd.crt
smtpd_tls_key_file = /etc/postfix/smtpdpub.key
smtpd_tls_security_level = may


-- listing of /usr/lib/sasl2 --
total 604
drwxr-xr-x  2 root root  4096 Oct 19 14:21 .
drwxr-xr-x 52 root root 20480 Oct 19 14:14 ..
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2.0.23
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2.0.23
-rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so
-rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2
-rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2.0.23
-rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2.0.23
-rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so
-rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2
-rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2.0.23
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2.0.23
-rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so
-rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2
-rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2.0.23
-rw-r--r--  1 root root   160 Oct 21 12:42 smtpd.conf




-- content of /usr/lib/sasl2/smtpd.conf --
##sasl authentication methods###
pwcheck_method: auxprop
#saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login
auxprop_plugin: sasldb2
log_level: 7



-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN

-- end of saslfinger output --

[root@messenger saslfinger-1.0.3]#
/code

Thanks.

On Sun, Oct 21, 2012 at 4:15 PM, /dev/rob0 r...@gmx.co.uk wrote:
 On Sun, Oct 21, 2012 at 03:51:13PM -0400, William Holt wrote:
 hi, new to the forum. I'm running arch and have postfix/cyrus.

 Generally I recommend 

Re: Any best practices for stacking filters?

2012-10-22 Thread Quanah Gibson-Mount
--On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema 
wie...@porcupine.org wrote:



1) Use the before-queue filter for mail from outside:

external clients -> smtpd -> Amavis ...

2) Use the after-queue filter for mail from inside:

internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...

Wietse


I'm going to assume you mean something like this then:

smtp  inet  n   -   n   -   -   smtpd
   -o smtpd_proxy_filter=[127.0.0.1]:10029
   -o smtpd_client_connection_count_limit=10
   -o smtpd_proxy_options=speed_adjust



I already tried this, and it is not an acceptable solution, because postfix 
will not accept mail if OpenDKIM is not running.  I need Postfix to accept 
and queue the email in that scenario, rather than reject it.


Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: connect from zqa-398.eng.vmware.com[10.137.245.143]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: warning: access table regexp:/opt/zimbra/postfix/conf/tag_as_originating.re: with smtpd_proxy_filter specified, action FILTER is unavailable
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: NOQUEUE: client=zqa-398.eng.vmware.com[10.137.245.143]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: connect from localhost[127.0.0.1]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: warning: connect to Milter service inet:localhost:8465: Connection refused
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: EHLO from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=zqa-398.eng.vmware.com
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: MAIL from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from=qt...@zqa-398.eng.vmware.com proto=ESMTP helo=zqa-398.eng.vmware.com
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: warning: proxy [127.0.0.1]:10029 rejected MAIL FROM:qt...@zqa-398.eng.vmware.com: 451 4.7.1 Service unavailable - try again later
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: proxy-reject: END-OF-MESSAGE: 451 4.7.1 Service unavailable - try again later; from=qt...@zqa-398.eng.vmware.com to=qt...@zqa-398.eng.vmware.com proto=ESMTP helo=zqa-398.eng.vmware.com
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: lost connection after MAIL from localhost[127.0.0.1]



--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration
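The log excerpt in the message above shows what the Postfix SMTP server records when the Milter behind a before-queue proxy is down: a connection warning, 451 milter-reject entries on the proxy-side smtpd, and a proxy-reject on the client-facing smtpd. As an added example (not code from the thread or from Postfix), here is detection logic in Python that picks those entries out of a syslog-style mail log, so an outage is noticed from the log rather than from senders reporting temporary failures. The sample lines are constructed from the excerpt with the addresses and hostnames replaced by example.test placeholders.

```python
"""Detect a Milter or before-queue proxy outage from Postfix smtpd log lines.

Added example (not from the thread or from Postfix). Matches the four
messages the SMTP server logs in that situation: the Milter connect warning,
the 4xx milter-reject, the proxy rejection warning and the proxy-reject.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the excerpt posted in the thread.
SAMPLE_LOG = """\
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: connect from client.example.test[192.0.2.10]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: warning: connect to Milter service inet:localhost:8465: Connection refused
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: MAIL from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from=user@example.test proto=ESMTP helo=client.example.test
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: warning: proxy [127.0.0.1]:10029 rejected MAIL FROM:user@example.test: 451 4.7.1 Service unavailable - try again later
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: proxy-reject: END-OF-MESSAGE: 451 4.7.1 Service unavailable - try again later; from=user@example.test to=user@example.test proto=ESMTP helo=client.example.test
Oct 22 14:54:36 zqa-398 postfix/smtpd[2860]: NOQUEUE: reject: RCPT from spam.example.test[203.0.113.7]: 554 5.7.1 Service unavailable; Client host blocked
Oct 22 14:54:37 zqa-398 postfix/smtpd[2854]: disconnect from client.example.test[192.0.2.10]
"""

SMTPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# (category, pattern applied to the message part after "postfix/smtpd[pid]: ")
PATTERNS = [
    ("milter_unreachable", re.compile(r"^warning: connect to Milter service (?P<target>\S+): ")),
    ("milter_tempfail", re.compile(r"^NOQUEUE: milter-reject: (?P<stage>\S+) from (?P<client>\S+): (?P<code>4\d\d) ")),
    ("proxy_unreachable", re.compile(r"^warning: proxy (?P<target>\S+) rejected ")),
    ("proxy_tempfail", re.compile(r"^proxy-reject: (?P<stage>\S+): (?P<code>4\d\d) ")),
]


def classify(line):
    """Return a finding dict for a filter-outage line, or None for any other line."""
    m = SMTPD_RE.match(line)
    if not m:
        return None
    for category, pat in PATTERNS:
        pm = pat.match(m.group("msg"))
        if pm:
            finding = {"category": category, "ts": m.group("ts"), "pid": m.group("pid")}
            finding.update(pm.groupdict())
            return finding
    return None


def scan_log(text):
    """Findings for every line that indicates a Milter or before-queue proxy outage."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def summarize(findings):
    """Count findings per category; a non-zero *_unreachable count is the alert condition."""
    return Counter(f["category"] for f in findings)


def outage_targets(findings):
    """The Milter and proxy endpoints that were reported unreachable."""
    return {f["target"] for f in findings if "target" in f}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for category, count in sorted(summarize(found).items()):
        print("%-18s %d" % (category, count))
    print("unreachable:", ", ".join(sorted(outage_targets(found))))
```

The ordinary 554 policy reject in the sample is deliberately not matched: only 4xx answers attributed to a Milter or proxy count as an outage. With milter_default_action (raised later in this thread) at its default of tempfail, the same outage is visible to clients as 451 responses, which is exactly what this scan surfaces from the server side.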


Re: Any best practices for stacking filters?

2012-10-22 Thread Wietse Venema
Quanah Gibson-Mount:
 --On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema 
 wie...@porcupine.org wrote:
 
  1) Use the before-queue filter for mail from outside:
 
  external clients -> smtpd -> Amavis ...
 
  2) Use the after-queue filter for mail from inside:
 
  internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
 
  Wietse
 
 I already tried this, and it is not an acceptable solution, because postfix 
 will not accept mail if OpenDKIM is not running.  I need Postfix to accept 
 and queue the email in that scenario, rather than reject it.

RTFM http://www.postfix.org/postconf.5.html#milter_default_action

Wietse


Re: Any best practices for stacking filters?

2012-10-22 Thread Quanah Gibson-Mount
--On Monday, October 22, 2012 6:17 PM -0400 Wietse Venema 
wie...@porcupine.org wrote:



Quanah Gibson-Mount:

--On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema
wie...@porcupine.org wrote:

 1) Use the before-queue filter for mail from outside:

external clients -> smtpd -> Amavis ...

 2) Use the after-queue filter for mail from inside:

 internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...

Wietse

I already tried this, and it is not an acceptable solution, because
postfix  will not accept mail if OpenDKIM is not running.  I need
Postfix to accept  and queue the email in that scenario, rather than
reject it.


RTFM http://www.postfix.org/postconf.5.html#milter_default_action


I have read that before.  None of the actions it allows are desirable.

Changing the action to quarantine requires manual intervention on the admin 
side to ever get this to deliver.


accept is not acceptable, because it gets delivered instead of queued.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: postfix SMTP AUTH

2012-10-22 Thread Patrick Ben Koetter
See below ...

* William Holt holt.william.aa...@gmail.com:
 Hi Rob, thanks. I use the reserved addresses because I'm testing the
 box via the local net (my laptop). I have everything set up straight
 through GoDaddy to my router; I just forward the ports when I'm ready.
 
 I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
 the way, do you know of any docs which list and explain the sasl and
 tls options?
 
 This is the result of saslfinger... I'm looking at it now, but I
 forwarded it to you...
 
 code
 postfix start
 postfix/postfix-script: starting the Postfix mail system
 [root@messenger saslfinger-1.0.3]# saslfinger -s
 saslfinger - postfix Cyrus sasl configuration Mon Oct 22 17:45:14 EDT 2012
 version: 1.0.2
 mode: server-side SMTP AUTH
 
 -- basics --
 Postfix: 2.9.4
 System: Arch Linux \r (\l)
 
 -- smtpd is linked to --
   libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7712000)
 
 -- active SMTP AUTH and TLS parameters for smtpd --
 broken_sasl_auth_clients = yes
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $myhostname
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
 smtpd_sasl_type = cyrus
 smtpd_tls_CAfile = /etc/ssl/private/CA-Messenger-key.pem
 smtpd_tls_cert_file = /etc/postfix/smtpd.crt
 smtpd_tls_key_file = /etc/postfix/smtpdpub.key
 smtpd_tls_security_level = may
 
 
 -- listing of /usr/lib/sasl2 --
 total 604
 drwxr-xr-x  2 root root  4096 Oct 19 14:21 .
 drwxr-xr-x 52 root root 20480 Oct 19 14:14 ..
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2.0.23
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2.0.23
 -rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so
 -rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2
 -rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2.0.23
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2.0.23
 -rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so
 -rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2
 -rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2.0.23
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2.0.23
 -rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so
 -rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2
 -rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2.0.23
 -rw-r--r--  1 root root   160 Oct 21 12:42 smtpd.conf
 
 
 
 
 -- content of /usr/lib/sasl2/smtpd.conf --
 ##sasl authentication methods###
 pwcheck_method: auxprop
 #saslauthd_path: /var/run/saslauthd/mux
 mech_list: plain login
 auxprop_plugin: sasldb2
 log_level: 7

Remove '2' at the end of auxprop_plugin: and write this:

pwcheck_method: auxprop
mech_list: plain login
auxprop_plugin: sasldb
log_level: 7

Make sure you have no trailing garbage at the end of the lines!


 -- active services in /etc/postfix/master.cf --
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #   (yes)   (yes)   (yes)   (never) (100)
 smtp  inet  n   -   n   -   -   smtpd -v

...

 -- mechanisms on localhost --
 250-AUTH PLAIN LOGIN
 250-AUTH=PLAIN LOGIN
 
 -- end of saslfinger output --

So far, so good.

What do you get if you run 'sasldblistusers2'?
Do the accounts have a domainpart you use when you create the authentication
string? If not, use an account as given from sasldblistusers2 output and test
with that.

p@rick


-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München (district court): HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
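Patrick's two fixes above (the plugin is called "sasldb", not "sasldb2", and the lines must carry no trailing garbage) are the kind of thing that is easy to miss by eye and easy to check mechanically. The following is an added example in Python, not code from the thread or from the Cyrus SASL project: a lint for a Cyrus SASL application config such as smtpd.conf. The option names and plugin names it recognises are the standard Cyrus SASL ones; the BROKEN_CONF sample is the smtpd.conf from the thread with a trailing space and a CR deliberately added, and FIXED_CONF is Patrick's corrected version.

```python
"""Lint a Cyrus SASL smtpd.conf for the mistakes discussed in the thread.

Added example (not from the thread or from Cyrus SASL). Flags unknown option
names, unknown auxprop plugins (with a hint for the "sasldb2" typo), and
trailing whitespace or CR characters at the end of lines.
"""

KNOWN_KEYS = {
    "pwcheck_method", "mech_list", "auxprop_plugin", "log_level",
    "saslauthd_path", "sasldb_path", "auto_transition", "minimum_layer",
    "sql_engine", "sql_hostnames", "sql_user", "sql_passwd", "sql_database",
    "sql_select", "ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech",
}
KNOWN_AUXPROP_PLUGINS = {"sasldb", "sql", "ldapdb"}
KNOWN_PWCHECK_METHODS = {"auxprop", "saslauthd"}

# Constructed sample: the thread's smtpd.conf with trailing garbage added.
BROKEN_CONF = (
    "##sasl authentication methods###\n"
    "pwcheck_method: auxprop \n"
    "#saslauthd_path: /var/run/saslauthd/mux\n"
    "mech_list: plain login\r\n"
    "auxprop_plugin: sasldb2\n"
    "log_level: 7\n"
)

# Patrick's corrected version.
FIXED_CONF = (
    "pwcheck_method: auxprop\n"
    "mech_list: plain login\n"
    "auxprop_plugin: sasldb\n"
    "log_level: 7\n"
)


def parse_sasl_conf(text):
    """Yield (lineno, key, value, raw_line) for each non-blank, non-comment line.

    value is None when the line has no 'key: value' shape.
    """
    for lineno, raw in enumerate(text.split("\n"), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = raw.partition(":")
        yield lineno, key.strip().lower(), (value.strip() if sep else None), raw


def lint_sasl_conf(text):
    """Return a list of (lineno, message); an empty list means no problems found."""
    findings = []
    seen = {}
    for lineno, key, value, raw in parse_sasl_conf(text):
        # Trailing spaces or a CR are invisible in an editor but are still bytes
        # on the line; this is the "trailing garbage" Patrick warns about.
        if raw != raw.rstrip():
            findings.append((lineno, "trailing whitespace or CR after %r" % raw.rstrip()))
        if value is None:
            findings.append((lineno, "not a 'key: value' line: %r" % raw.rstrip()))
            continue
        if key in seen:
            findings.append((lineno, "duplicate key %s (first set on line %d)" % (key, seen[key])))
        seen[key] = lineno
        if key not in KNOWN_KEYS:
            findings.append((lineno, "unknown option %r (typo?)" % key))
        if key == "auxprop_plugin":
            for plugin in value.split():
                if plugin not in KNOWN_AUXPROP_PLUGINS:
                    hint = ""
                    if plugin.endswith("2") and plugin[:-1] in KNOWN_AUXPROP_PLUGINS:
                        hint = (" (did you mean %r? the 2 is part of the library and "
                                "tool names, not the plugin name)" % plugin[:-1])
                    findings.append((lineno, "unknown auxprop plugin %r%s" % (plugin, hint)))
        if key == "pwcheck_method":
            for method in value.split():
                if method not in KNOWN_PWCHECK_METHODS:
                    findings.append((lineno, "unknown pwcheck_method %r" % method))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_sasl_conf(BROKEN_CONF):
        print("line %d: %s" % (lineno, message))
```

Point it at /usr/lib/sasl2/smtpd.conf (the path saslfinger lists above) by reading the file into lint_sasl_conf. One thing this file cannot tell you is whether PLAIN and LOGIN are offered on unencrypted connections; that is decided on the Postfix side, where smtpd_sasl_security_options = noanonymous, noplaintext together with smtpd_sasl_tls_security_options = noanonymous restricts the plaintext mechanisms to TLS sessions.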



Re: postfix SMTP AUTH

2012-10-22 Thread William Holt
P.S. I'm sorry I looked quickly and thought your name was Rob, forgive
me Patrick. I'm reading your book, I like it. I also use the postfix
web site and debian-wiki/arch-wiki.

On Mon, Oct 22, 2012 at 5:53 PM, William Holt
holt.william.aa...@gmail.com wrote:
 Hi Rob, thanks. I use the reserved addresses because I'm testing the
 box via the local net (my laptop). I have everything set up straight
 through GoDaddy to my router; I just forward the ports when I'm ready.

 I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
 the way, do you know of any docs which list and explain the sasl and
 tls options?

 This is the result of saslfinger... I'm looking at it now, but I
 forwarded it to you...

 code
 postfix start
 postfix/postfix-script: starting the Postfix mail system
 [root@messenger saslfinger-1.0.3]# saslfinger -s
 saslfinger - postfix Cyrus sasl configuration Mon Oct 22 17:45:14 EDT 2012
 version: 1.0.2
 mode: server-side SMTP AUTH

 -- basics --
 Postfix: 2.9.4
 System: Arch Linux \r (\l)

 -- smtpd is linked to --
 libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7712000)

 -- active SMTP AUTH and TLS parameters for smtpd --
 broken_sasl_auth_clients = yes
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $myhostname
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
 smtpd_sasl_type = cyrus
 smtpd_tls_CAfile = /etc/ssl/private/CA-Messenger-key.pem
 smtpd_tls_cert_file = /etc/postfix/smtpd.crt
 smtpd_tls_key_file = /etc/postfix/smtpdpub.key
 smtpd_tls_security_level = may


 -- listing of /usr/lib/sasl2 --
 total 604
 drwxr-xr-x  2 root root  4096 Oct 19 14:21 .
 drwxr-xr-x 52 root root 20480 Oct 19 14:14 ..
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2.0.23
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2.0.23
 -rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so
 -rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2
 -rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2.0.23
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2.0.23
 -rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so
 -rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2
 -rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2.0.23
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2
 -rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2.0.23
 -rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so
 -rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2
 -rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2.0.23
 -rw-r--r--  1 root root   160 Oct 21 12:42 smtpd.conf




 -- content of /usr/lib/sasl2/smtpd.conf --
 ##sasl authentication methods###
 pwcheck_method: auxprop
 #saslauthd_path: /var/run/saslauthd/mux
 mech_list: plain login
 auxprop_plugin: sasldb2
 log_level: 7



 -- active services in /etc/postfix/master.cf --
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 smtp      inet  n       -       n       -       -       smtpd -v
 pickup    fifo  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 tlsmgr    unix  -       -       n       1000?   1       tlsmgr
 rewrite   unix  -       -       n       -       -       trivial-rewrite
 bounce    unix  -       -       n       -       0       bounce
 defer     unix  -       -       n       -       0       bounce
 trace     unix  -       -       n       -       0       bounce
 verify    unix  -       -       n       -       1       verify
 flush     unix  n       -       n       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       n       -       -       smtp
 relay     unix  -       -       n       -       -       smtp
 showq     unix  n       -       n       -       -       showq
 error     unix  -       -       n       -       -       error
 retry     unix  -       -       n       -       -       error
 discard   unix  -       -       n       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       n       -       1       anvil
 scache    unix  -       -       n       -       1       scache

 -- mechanisms on localhost 

Re: Any best practices for stacking filters?

2012-10-22 Thread Wietse Venema
Quanah Gibson-Mount:
 --On Monday, October 22, 2012 6:17 PM -0400 Wietse Venema 
 wie...@porcupine.org wrote:
 
  Quanah Gibson-Mount:
  --On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema
  wie...@porcupine.org wrote:
 
   1) Use the before-queue filter for mail from outside:
  
external clients -> smtpd -> Amavis ...
  
   2) Use the after-queue filter for mail from inside:
  
   internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
  
Wietse
 
  I already tried this, and it is not an acceptable solution, because
  postfix  will not accept mail if OpenDKIM is not running.  I need
  Postfix to accept  and queue the email in that scenario, rather than
  reject it.
 
  RTFM http://www.postfix.org/postconf.5.html#milter_default_action
 
 I have read that before.  None of the actions it allows are desirable.
 
 Changing the action to quarantine requires manual intervention on the admin 
 side to ever get this to deliver.

You had a problem with not being able to sign mail with a Milter
before it enters your content filter.

I kindly provided an example that allows you to do that. It even
works with the same content filter.

Now you reject the solution. Not because it would fail to sign mail
as promised. Not because it wouldn't work with the filter as promised.

There is not, and there will not be, a queue between the Postfix SMTP
server protocol engine and the Postfix Milter client protocol engine,
where email messages wait until a broken Milter server comes back.

Not in Postfix, not in Sendmail, not in other MTAs.  The Milter
protocol is designed for before-queue agents, so that they can
inspect the SMTP command stream as it happens.

Wietse