master.cf Pipe delivery to virtual

2012-11-20 Thread root

Hello all,

I'm using postfix together with LDAP from where I take information 
about user addresses and their home dirs, where I want to store emails.


I have everything configured correctly, it's working for all users 
except for users that don't have a homedir created yet. I want to 
implement a script that will receive the message, create the 
homedir + maildir for the user if it does not exist already, and then pass 
the whole message transparently to virtual, which will do the delivery as usual. 
On the Internet I've found such scripts for maildrop delivery, but 
when implementing the same logic I had no success applying that knowledge in 
my scenario.


My configuration is in master.cf:
---
homedir   unix  -   n   n   -   -   pipe
  user=nobody:nobody argv=/usr/libexec/postfix/home -d 
${user}@${nexthop} -f ${sender}

---

Content of /usr/libexec/postfix/home is:
---
#!/bin/bash

INSPECT_DIR=/var/spool/filter

# Exit codes from sysexits.h
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15

cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

# Save the message arriving on stdin to a temporary file.
cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

# Hand the saved message to the virtual delivery agent with the
# arguments we were called with.
/usr/libexec/postfix/virtual $@ <in.$$

exit $?
---

Now when I send email to the machine, I see the following in the log:
---
Nov 19 15:29:01 localhost postfix/postfix-script[4343]: starting the 
Postfix mail system
Nov 19 15:29:01 localhost postfix/master[4344]: daemon started -- 
version 2.9.4, configuration /etc/postfix
Nov 19 15:29:05 localhost postfix/smtpd[4349]: connect from 
unknown[192.168.255.201]
Nov 19 15:29:05 localhost postfix/smtpd[4349]: F117F43F2D: 
client=unknown[192.168.255.201]
Nov 19 15:29:06 localhost postfix/cleanup[4353]: F117F43F2D: 
message-id=
Nov 19 15:29:07 localhost postfix/qmgr[4348]: F117F43F2D: 
from=r...@b.zn, size=421, nrcpt=1 (queue active)
Nov 19 15:29:07 localhost postfix/smtpd[4349]: disconnect from 
unknown[192.168.255.201]
Nov 19 15:29:07 localhost postfix/virtual[4357]: fatal: no transport 
type specified
Nov 19 15:29:08 localhost postfix/pipe[4354]: F117F43F2D: 
to=lukas@A.Z, relay=homedir, delay=2.3, delays=1.2/0.01/0/1.2, 
dsn=5.3.0, status=bounced (Command died with status 1: 
/usr/libexec/postfix/home)

---

What I believe is wrong is the way I pass the email to virtual at the end 
of the script. Unfortunately when I try to run /usr/libexec/postfix/virtual 
with parameters such as --help or -h I don't get any help, and I also 
didn't find any documentation saying whether virtual needs any 
command line arguments or something special on STDIN. So the question is how 
can I specify all required inputs to virtual; in the log it's asking for a 
transport specification, but I'm not sure that will be the only 
information virtual needs.


Thank you in advance.


CSI Cloudmark configuration

2012-11-20 Thread Nico Angenon
Hello,

Some of the biggest French providers are using CSI "Cloudmark Sender 
Intelligence": the big problem with CSI Cloudmark is that they don't accept 
many simultaneous connections.

I always get a log like "too many connexion, slow down"

so I made the following configuration:

In /etc/postfix.transport
wanadoo.com slow:
wanadoo.fr slow:

In /etc/postfix/master.cf
slow unix - - n - 5 smtp -o syslog_name=postfix-slow -o 
smtp_destination_concurrency_limit=3  -o slow_destination_rate_delay=1

In /etc/postfix/main.cf

transport_maps = /etc/postfix/transport
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2

but I keep having some trouble in my logs...

In the CSI advice, they say: if you have 100 messages to deliver to this 
server, the better way is to open 1 connection and send 100 messages instead of 
opening 100 connections delivering 1 message each...

Do I have to change the slow_destination_recipient_limit parameter to follow 
this advice?

Thanks in advance

Nico Angenon


Re: Sending of several delayed warnings

2012-11-20 Thread Titanus Eramius
On Mon, 19 Nov 2012 08:47:35 -0500 (EST)
Wietse Venema wie...@porcupine.org wrote:

 Titanus Eramius:
  Running Postfix 2.7.x I have set delay_warning_time to 4 hours, but
  was wondering if it is possible to send out two or more bounce
  messages about a delayed message?
 
 If you want to know if mail is finally out the door, turn on the
 DSN success notify option.


 Message multipliers are unsafe. Don't do it.
 

Thank you for the answer and the explanation. I will indeed read up
on the notify system, and use that instead.

- Titanus


Re: Sending of several delayed warnings

2012-11-20 Thread Wietse Venema
Titanus Eramius:
 On Mon, 19 Nov 2012 08:47:35 -0500 (EST)
 Wietse Venema wie...@porcupine.org wrote:
 
  Titanus Eramius:
   Running Postfix 2.7.x I have set delay_warning_time to 4 hours, but
   was wondering if it is possible to send out two or more bounce
   messages about a delayed message?
  
  If you want to know if mail is finally out the door, turn on the
  DSN success notify option.
 
 
  Message multipliers are unsafe. Don't do it.
  
 
 Thank you for the answer and the explanation. I've will indeed read up
 on the notify system, and use that instead.

Pointers: this is requested by the SMTP client in RCPT TO commands,
or with the Postfix sendmail -N command-line option.

It can also be forced with smtpd_command_filter. See man 5 postconf
for an example that manipulates RCPT TO commands. That's tricky enough
that it may require help from the mailing list.

Wietse


Re: Initial 220 greeting timeout

2012-11-20 Thread Wietse Venema
Alex:
 Nov 19 20:39:03 mail01 postfix/smtpd[19820]: lost connection after
 CONNECT from listserver.translateplanmulti.info[198.41.120.7]

Your server is too slow, so that connections pile up in front of
it. 

Find out where the bottleneck is by SYSTEMATICALLY MEASURING latency
(not: manual telnet to port 25 tests): name lookups, header checks,
body checks, file system, CPU, memory, and so on. If you can't
figure it out then hire a professional.

Wietse


Freemailer segregation best way? Transports - Instances IP's

2012-11-20 Thread Sam Jones
Good afternoon,

I'm looking to get some views and advice on the best way to set Postfix
up so I can segregate a large newsletter list up into a semi decent
working structure.

Basically my newsletter server has a /29 and I want to set up Postfix to
(hopefully) do something like this:

eth0:1 1.1.1.1 GMAIL Subscribers
eth0:2 2.2.2.2 AoL Subscribers
eth0:3 3.3.3.3 all others

I'd like to be able to rate control the Gmail & AoL to complicate issues
a little. I know how powerful and fast Postfix can be and I don't want
to exceed the limits set on small scale mailers like us.

What I'm looking for is the best approach to do this?

I don't think I can do this with multiple instances as the incoming mail
stream from the newsletter server (SMTP) has a stream of recipients at
various domains, so what arrives in the Instance of Postfix will be
mixed to start with.

So I guess this means I'll need to simply do this in transports. I think
I read that it's possible to create transports for specific SMTP
destinations in the Book of Postfix. I guess I'd need to ask 'can I
assign a specific interface/IP on a per transport basis?'

Any suggestions or feedback would be gratefully received.

Sam



Re: Freemailer segregation best way? Transports - Instances IP's

2012-11-20 Thread Robert Schetterer
Am 20.11.2012 14:13, schrieb Sam Jones:
 Good afternoon,
 
 I'm looking to get some views and advice on the best way to set Postfix
 up so I can segregate a large newsletter list up into a semi decent
 working structure.
 
 Basically my newsletter server has a /29 and I want to set up Postfix to
 (hopefully) do something like this:
 
 eth0:1 1.1.1.1 GMAIL Subscribers
 eth0:2 2.2.2.2 AoL Subscribers
 eht0:3 3.3.3.3 all others
 
 I'd like to be able to rate control the Gmail  AoL to complicate issues
 a little. I know how powerful and fast Postfix can be and I don't want
 to exceed the limits set on small scale mailers like us.
 
 What I'm looking for is the best approach to do this?
 
 I don't think I can do this with multiple instances as the incoming mail
 stream from the newsletter server (SMTP) has a stream of recipients at
 various domains, so what arrives in the Instance of Postfix will be
 mixed to start with.
 
 So I guess this means I'll need to simply do this in transports. I think
 I read that it's possible to create transports for specific SMTP
 destinations in the Book of Postfix. I guess I'd need to ask 'can I
 assign a specific interface/IP on a per transport basis?'
 
 Any suggestions or feedback would be gratefully received.
 
 Sam
 

perhaps do it like this ( total untested )

master.cf

smtpaol  unix -   -   n   -   -   smtp
    -o smtp_bind_address=1.2.3.1
smtpgmail  unix -   -   n   -   -   smtp
    -o smtp_bind_address=1.2.3.2

main.cf

smtpaol_destination_concurrency_limit = 2
smtpaol_destination_recipient_limit = 5
smtpaol_destination_rate_delay = 1s
smtpaol_destination_concurrency_failed_cohort_limit = 100


smtpgmail_destination_concurrency_limit = 2
smtpgmail_destination_recipient_limit = 5
smtpgmail_destination_rate_delay = 1s
smtpgmail_destination_concurrency_failed_cohort_limit = 100

transport


googlemail.com smtpgmail:googlemail.com
aol.com smtpaol:aol.com


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich


Re: Freemailer segregation best way? Transports - Instances IP's

2012-11-20 Thread Sam Jones
That looks like a good starting point, Thank you for the pointers
Robert, really appreciated.


On Tue, 2012-11-20 at 14:35 +0100, Robert Schetterer wrote:
 Am 20.11.2012 14:13, schrieb Sam Jones:
  Good afternoon,
  
  I'm looking to get some views and advice on the best way to set Postfix
  up so I can segregate a large newsletter list up into a semi decent
  working structure.
  
  Basically my newsletter server has a /29 and I want to set up Postfix to
  (hopefully) do something like this:
  
  eth0:1 1.1.1.1 GMAIL Subscribers
  eth0:2 2.2.2.2 AoL Subscribers
  eht0:3 3.3.3.3 all others
  
  I'd like to be able to rate control the Gmail  AoL to complicate issues
  a little. I know how powerful and fast Postfix can be and I don't want
  to exceed the limits set on small scale mailers like us.
  
  What I'm looking for is the best approach to do this?
  
  I don't think I can do this with multiple instances as the incoming mail
  stream from the newsletter server (SMTP) has a stream of recipients at
  various domains, so what arrives in the Instance of Postfix will be
  mixed to start with.
  
  So I guess this means I'll need to simply do this in transports. I think
  I read that it's possible to create transports for specific SMTP
  destinations in the Book of Postfix. I guess I'd need to ask 'can I
  assign a specific interface/IP on a per transport basis?'
  
  Any suggestions or feedback would be gratefully received.
  
  Sam
  
 
 perhaps do it like this ( total untested )
 
 master.cf
 
 smtpaol  unix -   -   n   -   -   smtp
  
   -o smtp_bind_address=1.2.3.1
 smtpgmail  unix -   -   n   -   -   smtp
   .
   -o smtp_bind_address=1.2.3.2
 
 main.cf
 
 smtpaol_destination_concurrency_limit = 2
 smtpaol_destination_recipient_limit = 5
 smtpaol_destination_rate_delay = 1s
 smtpaol_destination_concurrency_failed_cohort_limit = 100
 
 
 smtpgmail_destination_concurrency_limit = 2
 smtpgmail_destination_recipient_limit = 5
 smtpgmail_destination_rate_delay = 1s
 smtpgmail_destination_concurrency_failed_cohort_limit = 100
 
 transport
 
 
 googlemail.com smtpgmail:googlemail.com
 aol.com smtpaol:aol.com
 
 
 Best Regards
 MfG Robert Schetterer
 




Re: Freemailer segregation best way? Transports - Instances IP's

2012-11-20 Thread Wietse Venema
Sam Jones:
 That looks like a good starting point, Thank you for the pointers
 Robert, really appreciated.

You need to keep the following in mind, if you ever decide to use
a per-destination recipient of 1.

Wietse

default_destination_rate_delay (default: 0s)
       The default amount of delay that is inserted between individual
       deliveries to the same destination; the resulting behavior depends
       on the value of the corresponding per-destination recipient limit.

       o  With a corresponding per-destination recipient limit > 1, the
          rate delay specifies the time between deliveries to the same
          domain.  Different domains are delivered in parallel, subject to
          the process limits specified in master.cf.

       o  With a corresponding per-destination recipient limit equal to 1,
          the rate delay specifies the time between deliveries to the same
          recipient.  Different recipients are delivered in parallel,
          subject to the process limits specified in master.cf.


Re: master.cf Pipe delivery to virtual

2012-11-20 Thread Wietse Venema
r...@tntwrk.info:
 /usr/libexec/postfix/virtual $@ in.$$

As documented postfix/virtual does not read from pipe.

Wietse


Re: Freemailer segregation best way? Transports - Instances IP's

2012-11-20 Thread Sam Jones
Appreciated, thanks.

I'm just installing it to an old bare metal test server so I can get it
right before putting it into production.

Many thanks to you both - really appreciated.


On Tue, 2012-11-20 at 09:58 -0500, Wietse Venema wrote:
 Sam Jones:
  That looks like a good starting point, Thank you for the pointers
  Robert, really appreciated.
 
 You need to keep the following in mind, if you ever decide to use
 a per-destination recipient of 1.
 
 Wietse
 
 default_destination_rate_delay (default: 0s)
        The default amount of delay that is inserted between individual
        deliveries to the same destination; the resulting behavior depends
        on the value of the corresponding per-destination recipient limit.
 
        o  With a corresponding per-destination recipient limit > 1, the
           rate delay specifies the time between deliveries to the same
           domain.  Different domains are delivered in parallel, subject to
           the process limits specified in master.cf.
 
        o  With a corresponding per-destination recipient limit equal to 1,
           the rate delay specifies the time between deliveries to the same
           recipient.  Different recipients are delivered in parallel,
           subject to the process limits specified in master.cf.



Re: OpenSSL: TXT_DB error number 2

2012-11-20 Thread Viktor Dukhovni
On Tue, Nov 20, 2012 at 07:25:11AM -0500, c...@lavabit.com wrote:

  SMTP servers negotiate TLS over SMTP via STARTTLS, you're trying
  to start the SSL/TLS handshake without the prior SMTP handshake.
  You must:
 
  $ openssl s_client -starttls smtp -connect mail.example.com:25
 
 The above command returned
 
 SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol

Check the server logs. This works when mail.example.com (that is,
whatever you're actually testing) is replaced by mx.lavabit.com.

 There is one thing I forgot to ask when we discussed DH keys and certs.
 Should I also alter courier config?

At no point did I suggest creating DH certificates, neither for
Postfix nor for any other software. EDH Key Exchange is NOT
certificate authentication, nobody uses DH certs, continue to
use RSA.

[For the record, in private peering arrangements I've sometimes
used ECDSA, but that won't work too well on the public internet;
for Internet-facing SMTP servers one always needs at least RSA,
and given the OP's level of experience with SSL, ... I would not
recommend adventurous multi-certificate configurations]


 There are related fields:
 
 TLS_DHCERTFILE=
 TLS_CERTFILE=/usr/lib/courier/imapd.pem
 TLS_TRUSTCERTS=/etc/ssl/certs
 
 Should I point TLS_DHCERTFILE to /etc/postfix/smtpd.pem?

NO. Do not use DH certificates, use RSA. The DH parameter
files you were advised to generate are not certificates.
Your smtpd.pem file should be mode 0600 and contain an
RSA private key and associated self-signed certificate.

 Should I point TLS_CERTFILE to /etc/postfix/smtpd.pem?
 (Postfix uses it as smtpd_tls_cert_file.)

You can use the same certificate for both IMAP and SMTP, if the
same CN (hostname) is used by clients for both protocols.

 Should I point TLS_TRUSTCERTS to /etc/ssl/certs/cacert.pem?
 (Postfix uses the above as smtpd_tls_CAfile.)

You don't need a CA file, your certificate is self-signed.

 imapd.pem was generated with mkimapdcert.

Then you can use that if you like.

 I attached the script and comments connected with options:

I am not going to read it, sorry about that.

-- 
Viktor.


Re: master.cf Pipe delivery to virtual

2012-11-20 Thread mouss
Le 20/11/2012 10:28, r...@tntwrk.info a écrit :
 Hello all,
 
 I'm using postfix together with LDAP from where I take information about
 user addresses and their home dirs, where I want to store emails.
 
 I have everything configured correctly, it's working for all users
 except for users that don't have created homedir yet. I want to
 implement script, that will get message based on that will create
 homedir + maildir for user is not exists already and then it will pass
 transparently whole message to virtual, that will do delivery as usual.
 Over the Internet I've found such scripts for maildrop delivery, but
 with implementing same logic I had no success to apply that knowledge in
 my scenario.
 
 My configuration is in master.cf:
 ---
 homedir   unix  -   n   n   -   -   pipe
   user=nobody:nobody argv=/usr/libexec/postfix/home -d
 ${user}@${nexthop} -f ${sender}
 ---
 
 Content of /usr/libexec/postfix/home is:
 ---
 #!/bin/bash
 
 INSPECT_DIR=/var/spool/filter
 
 # Exit codes from sysexits.h
 EX_TEMPFAIL=75
 EX_UNAVAILABLE=69
 
 # Clean up when done or when aborting.
 trap rm -f in.$$ 0 1 2 3 15
 
 cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
 
 cat in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }
 
 
 /usr/libexec/postfix/virtual $@ in.$$
 
 exit $?
 ---
 
 Now when I end email to machine, I see following in log:
 ---
 Nov 19 15:29:01 localhost postfix/postfix-script[4343]: starting the
 Postfix mail system
 Nov 19 15:29:01 localhost postfix/master[4344]: daemon started --
 version 2.9.4, configuration /etc/postfix
 Nov 19 15:29:05 localhost postfix/smtpd[4349]: connect from
 unknown[192.168.255.201]
 Nov 19 15:29:05 localhost postfix/smtpd[4349]: F117F43F2D:
 client=unknown[192.168.255.201]
 Nov 19 15:29:06 localhost postfix/cleanup[4353]: F117F43F2D: message-id=
 Nov 19 15:29:07 localhost postfix/qmgr[4348]: F117F43F2D:
 from=r...@b.zn, size=421, nrcpt=1 (queue active)
 Nov 19 15:29:07 localhost postfix/smtpd[4349]: disconnect from
 unknown[192.168.255.201]
 Nov 19 15:29:07 localhost postfix/virtual[4357]: fatal: no transport
 type specified
 Nov 19 15:29:08 localhost postfix/pipe[4354]: F117F43F2D:
 to=lukas@A.Z, relay=homedir, delay=2.3, delays=1.2/0.01/0/1.2,
 dsn=5.3.0, status=bounced (Command died with status 1:
 /usr/libexec/postfix/home)
 ---
 
 What I believe is wrong is way, how I pass email to virtual at the end
 of script. Unfortunately when I try to run /usr/libexec/postfix/virtual
 with parameters such as --help or -h I don't get any help, and also I
 didn't found any documentation saying if virtual needs to get any
 command line arguments or something special to STDIN. so question is how
 can I specify all required inputs to virtual, in log it's asking for
 transport specification, but I'm not sure it will be only one
 information virtual needs.
 
 Thank you in advance.



the easy answer is: when you create an email account, do create the
mailbox. what's so complicated about this? why do you want the mailbox
be created at inbound mail reception? optimise for the common case. the
common case for a mailbox is receiving email, not creating the mailbox.

from a security perspective, it is debatable to let a network
connected daemon create arbitrary directories on your system.




System watcher to check if Postfix is running

2012-11-20 Thread Rosenbaum, Larry M.
We have some scripts that run to check that important processes like Postfix 
are running. The Postfix check does a 'ps ax' and looks for '/postfix/master', 
'qmgr', 'pickup', and 'tlsmgr'.  Should we be checking for all 4 of these or 
are there normal circumstances where some of these may be missing?

Thanks,

Larry M. Rosenbaum
Oak Ridge National Laboratory



Re: CSI Cloudmark configuration

2012-11-20 Thread mouss
Le 20/11/2012 09:46, Nico Angenon a écrit :
 Hello,
 
 Some of the biggest french provider are using CSI “cloudmark sender 
 intelligence” : the big problem wih CSI cloudmark is that they don’t accept 
 many simultaneous connexions.
 
 i always get a log like “too many connexion, slow down”
 
 so i made the following configuration :
 
 In /etc/postfix.transport
 wanadoo.com slow:
 wanadoo.fr slow:
 
 In /etc/postfix/master.cf
 slow unix – - n – 5 smtp -o syslog_name=postfix-slow -o 
 smtp_destination_concurrency_limit=3  -o slow_destination_rate_delay=1
 
 In /etc/postfix/main.cf
 
 transport_maps = /etc/postfix/transport
 slow_destination_recipient_limit = 20
 slow_destination_concurrency_limit = 2
 
 but i keep have some trouble in my logs...
 
 In the CSI advice, they says : if you have 100 Messages to deliver to this 
 server, the better way is to open 1 connection and send 100 messages instead 
 of opening 100 connexions delivering 1 message each...
 
 do i have to change the slow_destination_recipient_limit parametter to follow 
 this advice ?
 
 Thanks in advance
 
 Nico Angenon
 

if your goal is to send mass mail, then you should ask to be
whitelisted. (of course, it is necessary that you follow good practices.
unfortunately, this is not sufficient!).




Re: System watcher to check if Postfix is running

2012-11-20 Thread Wietse Venema
Rosenbaum, Larry M.:
 We have some scripts that run to check that important processes
 like Postfix are running. The Postfix check does a 'ps ax' and
 looks for '/postfix/master', 'qmgr', 'pickup', and 'tlsmgr'.  Should
 we be checking for all 4 of these or are there normal circumstances
 where some of these may be missing?

To find out if Postfix works, send mail into Postfix and see if it
delivers the message within a set time.

For example:

- Submit over SMTP, perhaps with a mini SMTP client.
- Submit with Postfix sendmail command.
- Deliver mail over SMTP, perhaps over a dedicated server and port.
- Deliver mail locally, perhaps via a pipe-to-command.

Other performance metrics would be the size of the queues.

Wietse
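An added example of the probe approach Wietse describes (not code from the thread or from Postfix): it submits a uniquely tagged message with a small SMTP client and requires it to land in a local Maildir within a deadline, which catches a stuck qmgr or broken delivery that a `ps` check would miss. The Maildir path, the addresses, the `X-Postfix-Probe` header name and the `make_sample_maildir` fixture are assumptions for illustration.

```python
"""Probe-style Postfix health check: submit a tagged message over SMTP and
require it to appear in a local Maildir within a deadline."""
import smtplib
import tempfile
import time
import uuid
from email.message import EmailMessage
from pathlib import Path

PROBE_HEADER = "X-Postfix-Probe"   # assumed header name used to tag probes


def build_probe(sender, recipient, token):
    """Build the probe message; the token in PROBE_HEADER is what we look for."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"postfix probe {token}"
    msg[PROBE_HEADER] = token
    msg.set_content("Monitoring probe, safe to discard.\n")
    return msg


def submit_probe(msg, host="127.0.0.1", port=25, timeout=10):
    """Submit over SMTP (the 'mini SMTP client'); raises on refusal or timeout."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.send_message(msg)


def find_probe(maildir, token):
    """Return the path of the delivered probe in new/ or cur/, else None.
    Only the header block is inspected, so a token quoted in some other
    message body does not count as a delivery."""
    needle = f"{PROBE_HEADER}: {token}".encode()
    for sub in ("new", "cur"):
        d = Path(maildir) / sub
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if not f.is_file():
                continue
            try:
                head = f.read_bytes()[:65536]
            except OSError:
                continue
            headers = head.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
            if needle in headers:
                return f
    return None


def wait_for_probe(maildir, token, deadline_s, poll_s=1.0,
                   clock=time.monotonic, sleep=time.sleep):
    """Poll until the probe lands or the deadline passes.
    Returns (path_or_None, seconds_elapsed); clock/sleep are injectable so
    the logic can be exercised without really waiting."""
    start = clock()
    while True:
        found = find_probe(maildir, token)
        elapsed = clock() - start
        if found is not None or elapsed >= deadline_s:
            return found, elapsed
        sleep(poll_s)


def check_postfix(maildir, sender, recipient, deadline_s=60,
                  host="127.0.0.1", port=25):
    """End-to-end check: submit, wait, clean up. Returns (ok, elapsed)."""
    token = uuid.uuid4().hex
    submit_probe(build_probe(sender, recipient, token), host, port)
    found, elapsed = wait_for_probe(maildir, token, deadline_s)
    if found is not None:
        found.unlink()           # don't let old probes pile up in the mailbox
    return found is not None, elapsed


def make_sample_maildir(token, with_probe=True):
    """CONSTRUCTED fixture: a temporary Maildir with one delivered probe (or
    none) plus a decoy that only mentions the token in its body."""
    root = Path(tempfile.mkdtemp(prefix="probe-maildir-"))
    for sub in ("tmp", "new", "cur"):
        (root / sub).mkdir()
    if with_probe:
        (root / "new" / "1353439200.M1P2.mail01").write_bytes(
            b"Return-Path: <monitor@example.com>\n"
            b"Subject: postfix probe " + token.encode() + b"\n"
            b"X-Postfix-Probe: " + token.encode() + b"\n\n"
            b"Monitoring probe, safe to discard.\n")
    (root / "cur" / "1353439100.M1P1.mail01").write_bytes(
        b"Subject: unrelated\n\nX-Postfix-Probe: " + token.encode() + b"\n")
    return root


if __name__ == "__main__":
    ok, secs = check_postfix("/var/mail/monitor/Maildir",   # assumed path
                             "monitor@example.com", "monitor@example.com")
    print("OK" if ok else "FAILED", f"({secs:.1f}s)")
```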


Re: System watcher to check if Postfix is running

2012-11-20 Thread Reindl Harald


Am 20.11.2012 21:44, schrieb Rosenbaum:
 We have some scripts that run to check that important processes like Postfix 
 are running. The Postfix check does a
 ‘ps ax’ and looks for ‘/postfix/master’, ‘qmgr’, ‘pickup’, and ‘tlsmgr’.  
 Should we be checking for all 4 of these
 or are there normal circumstances where some of these may be missing?

the master process is the controller of the other ones





Re: System watcher to check if Postfix is running

2012-11-20 Thread mouss
Le 20/11/2012 21:44, Rosenbaum, Larry M. a écrit :
 We have some scripts that run to check that important processes like Postfix 
 are running. The Postfix check does a 'ps ax' and looks for 
 '/postfix/master', 'qmgr', 'pickup', and 'tlsmgr'.  Should we be checking for 
 all 4 of these or are there normal circumstances where some of these may be 
 missing?
 

if the goal is to monitor the mail system, then setup a monitoring
address, send mail to and have a process to read that mail (pop or
whatever).



Re: Mutliple Certificates - Multiple IP addresses - Again

2012-11-20 Thread Viktor Dukhovni
On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:

 Hi
 I have a postfix with 7 domains and 7 IPs, each domain has it's own IP
 and everything is running fine, up till now I had one certificate for
 all domains in the following fashion in main.cf
 
 smtpd_use_tls = yes
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
 smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
 smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt
 
 This is domain.crt is a valid certificate and for this particular
 domain it does not throw errors, however for all the remaining domains
 I get hostname mismatch errors.
 
 So far so good,  I did purchase certificates for the remaining domains
 and did some research and read through the list and based on what I
 understood all I need to do is the add the below to master.cf and
 remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
 from main.cf, and then add the below as said per domain to master.cf
 
 ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
 -o smtpd_tls_wrappermode=yes -o
 smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key   -o
 smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt  -o
 smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

See the master.cf documentation, long lines are continued by
prepending leading whitespace on the continuation lines:

192.0.2.1:smtp inet n - n - - smtpd
    -o myhostname=mail.example.com
    -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
    -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem

- Do make sure all the cert and key files are in PEM format.
- Do append the PEM certificates of all intermediate CAs to the
  the server certificate file in order from leaf to root:

- BEGIN ...
base64-encoded server cert
- END ...
- BEGIN ...
base64-encoded intermediate cert that signed previous cert
- END ...
- BEGIN ...
base64-encoded intermediate cert that signed previous cert
- END ...
- BEGIN ...
optional base64-encoded root cert, typically leave it out
- END ...

- DO NOT enable wrappermode on a port 25 SMTP server.
- DO NOT define the CAfile in master.cf, it is the same for all the
  certificates, and is typically not needed at all, but can in any
  case be set in main.cf. The CA file, if used, should contain PEM encoded
  root CA certificates.

So these options should NOT be set:

# -o smtpd_tls_wrappermode=yes
# -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

When you change master.cf, you need to reload postfix for the
changes to take effect.

-- 
Viktor.
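As an added example (not Viktor's code and not part of Postfix), the following check verifies the leaf-to-root ordering described above: it splits a PEM bundle, pulls the DER-encoded issuer and subject out of each certificate with a minimal ASN.1 walker, and confirms that each certificate is issued by the one after it. The `make_fake_cert` fixture is a constructed DER blob with the X.509 field layout and no real key or signature, only there so the check runs offline; point `check_chain_order` at a real smtpd_tls_cert_file to use it.

```python
"""Check that a PEM certificate file is ordered leaf -> intermediate(s) ->
optional root, the order a server certificate file needs."""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(data):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode(b"".join(m.group(1).split()), validate=True)
            for m in PEM_RE.finditer(data)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name encodings.
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL,
    serial INT, signature SEQ, issuer Name, validity SEQ, subject Name, ...}"""
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    if der[pos] == 0xA0:                    # skip optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    fields = {}
    for name, expected in (("serial", 0x02), ("sigalg", 0x30), ("issuer", 0x30),
                           ("validity", 0x30), ("subject", 0x30)):
        tag, _, vend = _tlv(der, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x} for {name}")
        fields[name] = der[pos:vend]        # whole TLV, header included
        pos = vend
    return fields["issuer"], fields["subject"]


def check_chain_order(pem_bytes):
    """Return a list of problems; empty means leaf -> ... -> root order."""
    certs = split_pem(pem_bytes)
    if not certs:
        return ["no CERTIFICATE blocks found"]
    names = [issuer_and_subject(c) for c in certs]
    problems = []
    if len(certs) > 1 and names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed: root listed before leaf?")
    for i in range(len(certs) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer(i) must be subject(i+1)
            problems.append(f"cert {i} is not issued by cert {i + 1}: "
                            "out of order or missing intermediate")
    return problems


# --- CONSTRUCTED fixtures below: fake DER with X.509 layout, no real crypto ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_fake_cert(subject, issuer):
    """Fake certificate with one CN per Name; big enough to use long lengths."""
    def name(cn):
        atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                      # version v3
           + _der(0x02, b"\x01")                                # serial
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(issuer)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + name(subject)
           + _der(0x30, b"\x00" * 300))                         # SPKI placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(ders):
    out = b""
    for d in ders:
        b64 = base64.encodebytes(d).replace(b"\n", b"")
        body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out += b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"
    return out
```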


Re: Mutliple Certificates - Multiple IP addresses - Again

2012-11-20 Thread Ali Jawad
Hi Victor
Thank you for the input my master.cf looks as follows now :

x.x.x.x:smtp inet n - n - - smtpd
-o myhostname=mail.domain.com
-o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
-o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

with this setting I still only get the certificate
defined in /etc/main.cf, and if I remove the certificate in
/etc/main.cf I only get


Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs
available. TLS won't be enabled

in the logs.

Please advise.

On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:
 On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:

 Hi
 I have a postfix with 7 domains and 7 IPs, each domain has it's own IP
 and everything is running fine, up till now I had one certificate for
 all domains in the following fashion in main.cf

 smtpd_use_tls = yes
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
 smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
 smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt

 This is domain.crt is a valid certificate and for this particular
 domain it does not throw errors, however for all the remaining domains
 I get hostname mismatch errors.

 So far so good,  I did purchase certificates for the remaining domains
 and did some research and read through the list and based on what I
 understood all I need to do is the add the below to master.cf and
 remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
 from main.cf, and then add the below as said per domain to master.cf

 ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
 -o smtpd_tls_wrappermode=yes -o
 smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key   -o
 smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt  -o
 smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

 See the master.cf documentation, long lines are continued by
 prepending leading whitespace on the continuation lines:

 192.0.2.1:smtp inet n - n - - smtpd
 -o myhostname=mail.example.com
 -o 
 smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
 -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem

 - Do make sure all the cert and key files are in PEM format.
 - Do append the PEM certificates of all intermediate CAs to the
   the server certificate file in order from leaf to root:

 - BEGIN ...
 base64-encoded server cert
 - END ...
 - BEGIN ...
 base64-encoded intermediate cert that signed previous cert
 - END ...
 - BEGIN ...
 base64-encoded intermediate cert that signed previous cert
 - END ...
 - BEGIN ...
 optional base64-encoded root cert, typically leave it out
 - END ...

 - DO NOT enable wrappermode on a port 25 SMTP server.
 - DO NOT define the CAfile in master.cf, it is the same for all the
   certificates, and is typically not needed at all, but can in any
   case be set in main.cf The CA file if used should contain PEM encoded
   root CA certificates.

 So these options should NOT be set:

 # -o smtpd_tls_wrappermode=yes
 # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

 When you change master.cf, you need to reload postfix for the
 changes to take effect.

 --
 Viktor.


Re: Mutliple Certificates - Multiple IP addresses - Again

2012-11-20 Thread Ali Jawad
On a separate but related note, I did notice that even though I
connect on different IPs using telnet IP 25 I always get the default
myhostname; does the -o myhostname setting overwrite that value?
Regards

On Wed, Nov 21, 2012 at 1:43 AM, Ali Jawad alijaw...@gmail.com wrote:
 Hi Victor
 Thank you for the input my master.cf looks as follows now :

 x.x.x.x:smtp inet n - n - - smtpd
 -o myhostname=mail.domain.com
 -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
 -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

 with this setting I still do get only the certificate of the
 certificate defined in /etc/main.cf, if I remove the certificatet in
 /etc/main.cf I only get


 Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs
 available. TLS won't be enabled

 In logs.

 Please advice.

 On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni
 postfix-us...@dukhovni.org wrote:
 On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:

 Hi
 I have a postfix with 7 domains and 7 IPs, each domain has it's own IP
 and everything is running fine, up till now I had one certificate for
 all domains in the following fashion in main.cf

 smtpd_use_tls = yes
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
 smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
 smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt

 This is domain.crt is a valid certificate and for this particular
 domain it does not throw errors, however for all the remaining domains
 I get hostname mismatch errors.

 So far so good,  I did purchase certificates for the remaining domains
 and did some research and read through the list and based on what I
 understood all I need to do is the add the below to master.cf and
 remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
 from main.cf, and then add the below as said per domain to master.cf

 ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
 -o smtpd_tls_wrappermode=yes -o
 smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key   -o
 smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt  -o
 smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

 See the master.cf documentation, long lines are continued by
 prepending leading whitespace on the continuation lines:

 192.0.2.1:smtp inet n - n - - smtpd
   -o myhostname=mail.example.com
   -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
   -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem

 - Do make sure all the cert and key files are in PEM format.
 - Do append the PEM certificates of all intermediate CAs to the
   server certificate file in order from leaf to root:

 -----BEGIN ...
 base64-encoded server cert
 -----END ...
 -----BEGIN ...
 base64-encoded intermediate cert that signed previous cert
 -----END ...
 -----BEGIN ...
 base64-encoded intermediate cert that signed previous cert
 -----END ...
 -----BEGIN ...
 optional base64-encoded root cert, typically leave it out
 -----END ...

 - DO NOT enable wrappermode on a port 25 SMTP server.
 - DO NOT define the CAfile in master.cf, it is the same for all the
   certificates, and is typically not needed at all, but can in any
   case be set in main.cf. The CA file, if used, should contain PEM encoded
   root CA certificates.

 So these options should NOT be set:

 # -o smtpd_tls_wrappermode=yes
 # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

 When you change master.cf, you need to reload postfix for the
 changes to take effect.

 --
 Viktor.
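
To make the advice above checkable, here is an added example (my own code, not Postfix's and not anything posted in this thread). It parses a master.cf fragment with the master(5) continuation rule Viktor describes (a line that starts with whitespace continues the previous entry), collects the "-o name=value" overrides of each service, and flags the three mistakes he lists: wrapper mode on a port 25 listener, a per-service smtpd_tls_CAfile, and an unindented "-o" line, which Postfix would read as a new, malformed service rather than as part of the entry above it. Both master.cf fragments are constructed; the 192.0.2.x addresses and example.com/example.net names follow his sketch and are assumptions.

```python
"""Lint per-IP smtpd entries in a master.cf fragment for the mistakes
discussed in this thread.  Added example, not Postfix code; the two
fragments below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# master(5): eight fixed columns, then the command's arguments.
COLUMNS = ("service", "kind", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")


@dataclass
class Entry:
    service: str
    kind: str
    command: str
    overrides: Dict[str, str] = field(default_factory=dict)  # from "-o name=value"


def logical_lines(text: str) -> List[str]:
    """Join continuation lines: a line beginning with whitespace continues the
    previous entry.  Blank lines and '#' comments are dropped."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_entry(line: str) -> Entry:
    """Split one logical line into its columns and its -o overrides."""
    tokens = line.split()
    if len(tokens) < len(COLUMNS):
        raise ValueError(f"bad field count: {line!r}")
    cols = dict(zip(COLUMNS, tokens))
    entry = Entry(cols["service"], cols["kind"], cols["command"])
    args = tokens[len(COLUMNS):]
    for i, tok in enumerate(args[:-1]):
        if tok == "-o" and "=" in args[i + 1]:
            name, value = args[i + 1].split("=", 1)
            entry.overrides[name] = value
    return entry


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the fragment is clean."""
    findings: List[str] = []
    for line in logical_lines(text):
        try:
            e = parse_entry(line)
        except ValueError:
            if line.startswith("-o "):
                findings.append(f"{line}: '-o' line is not indented, so it is read as a new "
                                "(malformed) service instead of continuing the previous one")
            else:
                findings.append(f"{line}: unparseable entry")
            continue
        if e.command != "smtpd":
            continue
        ov = e.overrides
        port = e.service.rsplit(":", 1)[-1]  # "192.0.2.1:smtp" -> "smtp"
        if ov.get("smtpd_tls_wrappermode") == "yes" and port in ("smtp", "25"):
            findings.append(f"{e.service}: smtpd_tls_wrappermode=yes on a port 25 service; "
                            "port 25 uses STARTTLS, wrapper mode belongs on smtps/465")
        if "smtpd_tls_CAfile" in ov:
            findings.append(f"{e.service}: smtpd_tls_CAfile is the same for every listener "
                            "and belongs in main.cf, if it is needed at all")
        if ("smtpd_tls_cert_file" in ov) != ("smtpd_tls_key_file" in ov):
            findings.append(f"{e.service}: override smtpd_tls_cert_file and "
                            "smtpd_tls_key_file together")
    return findings


# Constructed: a first attempt with wrapper mode, a per-service CAfile, and
# a second listener whose "-o" lines were not indented.
BAD = """\
192.0.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.example.com
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
  -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
  -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
192.0.2.2:smtp inet n - n - - smtpd
-o myhostname=mail.example.net
-o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.net.pem
"""

# Constructed: the same two listeners written as the thread recommends.
GOOD = """\
192.0.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.example.com
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
  -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
192.0.2.2:smtp inet n - n - - smtpd
  -o myhostname=mail.example.net
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.net.pem
  -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.net.pem
"""

if __name__ == "__main__":
    for label, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, "->", lint(text) or "clean")
```

Run it against your own file with `lint(open("/etc/postfix/master.cf").read())`; a clean result still needs `postfix reload` (or `postfix check`) before it takes effect, as the thread notes. The parser only reads `-o name=value` arguments and ignores other command options, which is all that matters here.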


Re: Multiple Certificates - Multiple IP addresses - Again

2012-11-20 Thread Ali Jawad
Sorry, that should have been telnet ip 587, not telnet ip 25, as you
cannot connect to port 25.
Regards

On Wed, Nov 21, 2012 at 2:13 AM, Ali Jawad alijaw...@gmail.com wrote:
 On a separate but related note, I did notice that even though I
 connect on different IPs using telnet IP 25 I always get the default
 myhostname; does the -o myhostname setting override that value?
 Regards

 On Wed, Nov 21, 2012 at 1:43 AM, Ali Jawad alijaw...@gmail.com wrote:
 Hi Victor
 Thank you for the input, my master.cf looks as follows now:

 x.x.x.x:smtp inet n - n - - smtpd
 -o myhostname=mail.domain.com
 -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
 -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

 With this setting I still only get the certificate defined in
 /etc/main.cf; if I remove the certificate in /etc/main.cf I only get


 Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs
 available. TLS won't be enabled

 In logs.

 Please advise.

 On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni
 postfix-us...@dukhovni.org wrote:
 On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:

 Hi
 I have a postfix with 7 domains and 7 IPs, each domain has it's own IP
 and everything is running fine, up till now I had one certificate for
 all domains in the following fashion in main.cf

 smtpd_use_tls = yes
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
 smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
 smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt

 This domain.crt is a valid certificate and for this particular
 domain it does not throw errors, however for all the remaining domains
 I get hostname mismatch errors.

 So far so good, I did purchase certificates for the remaining domains
 and did some research and read through the list and based on what I
 understood all I need to do is to add the below to master.cf and
 remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
 from main.cf, and then add the below as said per domain to master.cf

 ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
 -o smtpd_tls_wrappermode=yes -o
 smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key   -o
 smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt  -o
 smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

 See the master.cf documentation, long lines are continued by
 prepending leading whitespace on the continuation lines:

 192.0.2.1:smtp inet n - n - - smtpd
   -o myhostname=mail.example.com
   -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
   -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem

 - Do make sure all the cert and key files are in PEM format.
 - Do append the PEM certificates of all intermediate CAs to the
   server certificate file in order from leaf to root:

 -----BEGIN ...
 base64-encoded server cert
 -----END ...
 -----BEGIN ...
 base64-encoded intermediate cert that signed previous cert
 -----END ...
 -----BEGIN ...
 base64-encoded intermediate cert that signed previous cert
 -----END ...
 -----BEGIN ...
 optional base64-encoded root cert, typically leave it out
 -----END ...

 - DO NOT enable wrappermode on a port 25 SMTP server.
 - DO NOT define the CAfile in master.cf, it is the same for all the
   certificates, and is typically not needed at all, but can in any
   case be set in main.cf. The CA file, if used, should contain PEM encoded
   root CA certificates.

 So these options should NOT be set:

 # -o smtpd_tls_wrappermode=yes
 # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

 When you change master.cf, you need to reload postfix for the
 changes to take effect.

 --
 Viktor.
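
The follow-up question in this thread is really "what does each IP actually present?". Here is an added example (my own code, not from the thread and not part of Postfix) that answers it from the outside: for each listener it records the hostname in the 220 greeting, does STARTTLS, and compares the DNS names in the certificate the server sends with the hostname configured for that IP. The EXPECTED map, its addresses and hostnames are assumptions. The chain is verified against the machine's CA store (only the hostname check is done by hand), so a missing or misordered intermediate shows up as a probe failure rather than as an OK, which is the chain-order point made above.

```python
"""Report the greeting hostname and the certificate each listener
really presents.  Added example, not from the thread; EXPECTED and the
certificate dicts used in the tests are constructed."""
import smtplib
import ssl
from typing import Dict, List, Tuple

# Constructed: listener IP -> myhostname/certificate configured for it in master.cf.
EXPECTED: Dict[str, str] = {
    "192.0.2.1": "mail.example.com",
    "192.0.2.2": "mail.example.net",
}


def parse_banner(banner: bytes) -> str:
    """The 220 greeting is '<myhostname> ESMTP ...'; return the hostname part."""
    text = banner.decode("ascii", "replace").strip()
    return text.split()[0] if text else ""


def cert_names(cert: dict) -> List[str]:
    """Names a certificate (as returned by SSLSocket.getpeercert()) covers:
    every DNS subjectAltName, falling back to the CN only when there is no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return False


def presents_expected(cert: dict, hostname: str) -> bool:
    """True when the certificate is valid for the hostname configured for the listener."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def probe(ip: str, port: int = 25, timeout: float = 10.0) -> Tuple[str, dict]:
    """Connect to one listener, STARTTLS, return (greeting hostname, peer cert).
    The chain is verified against the system CA store; the hostname is not,
    so a wrong certificate is reported instead of raising.  A chain that does
    not verify (intermediate missing or out of order) raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by presents_expected()
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        _code, banner = smtp.connect(ip, port)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{ip}:{port} does not offer STARTTLS")
        smtp.starttls(context=ctx)
        return parse_banner(banner), smtp.sock.getpeercert()
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


def report(expected: Dict[str, str], port: int = 25) -> List[str]:
    """One line per listener: OK, MISMATCH with what was seen, or the failure."""
    lines: List[str] = []
    for ip, want in expected.items():
        try:
            greeting, cert = probe(ip, port)
        except (OSError, smtplib.SMTPException, RuntimeError) as exc:
            lines.append(f"{ip}: probe failed: {exc}")
            continue
        status = "OK" if presents_expected(cert, want) else "MISMATCH"
        lines.append(f"{ip}: {status} greeting={greeting} wanted={want} "
                     f"cert={','.join(cert_names(cert))}")
    return lines


if __name__ == "__main__":
    for line in report(EXPECTED):
        print(line)
```

If port 25 is blocked from where you test, as it was for the poster, run `report(EXPECTED, port=587)` against the submission listeners instead. A MISMATCH line whose `cert=` names are the main.cf certificate's means the per-service `-o` overrides did not take effect for that IP; a `probe failed` line with a certificate verification error points at the chain file rather than at master.cf.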


Postfix problems after year of flawless functioning

2012-11-20 Thread Jumping Mouse
Hello all, my postfix smtp server started acting strangely after a year of 
flawless functioning. 

I am getting these messages in my mailqueue:

host 127.0.0.1[127.0.0.1] said: 451 4.5.0 From MTA([127.0.0.1]:10025) during 
fwd-connect (Negative greeting: at (eval 87) line 442, GEN30 line 6215.): 
id=12736-02-2 (in reply to end of DATA command)

I am using amavis for email filtering as well as postgrey

Postfix version 2.5.1  Ubuntu Server 8.04 LTS


also when I try to start postfix with /etc/init.d/postfix start I get:

 * Stopping Postfix Mail Transport Agent postfix    postfix/postfix-script: fatal: usage: postfix start (or stop, reload, abort, flush, check, set-permissions, upgrade-configuration)    [fail]

But I can start postfix through the postfix webmin module.  


I have tried removing and reinstalling postfix, amavis and postgrey with no 
luck. 

I have made no changes to configurations. Just run normal updates.  

I searched the internet for a solution but no luck.  Does anybody have an idea 
about what could be the issue? 

Re: Postfix problems after year of flawless functioning

2012-11-20 Thread Scott Kitterman
On Tuesday, November 20, 2012 11:07:20 PM Jumping Mouse wrote:
 Hello all, my postfix smtp server started acting strangely after a year of
 flawless functioning. 
 
 I am getting these messages in my mailqueue:
 
 host 127.0.0.1[127.0.0.1] said: 451 4.5.0 From MTA([127.0.0.1]:10025) during
 fwd-connect (Negative greeting: at (eval 87) line 442, GEN30 line 6215.):
 id=12736-02-2 (in reply to end of DATA command)
 
 I am using amavis for email filtering as well as postgrey
 
 Postfix version 2.5.1  Ubuntu Server 8.04 LTS
 
 
 also when I try to start postfix /etc/init.d/postfix start  I get:
 
 
 
  * Stopping Postfix Mail Transport Agent postfix    postfix/postfix-script:
 fatal: usage: postfix start (or stop, reload, abort, flush, check,
 set-permissions, upgrade-configuration)    [fail]
 
 
 
 But I can start postfix through the postfix webmin module.  
 
 
 I have tried removing and reinstalling postfix, amavis and postgrey with no
 luck. 
 
 I have made no changes to configurations. Just run normal updates.  
 
 I searched the internet for a solution but no luck.  Does anybody have an
 idea about what could be the issue?

Webmin ships its own postfix configuration files and expects those to be used 
instead of the ones shipped with postfix.  I have seen it before that webmin 
not only didn't use the shipped config files, but it also clobbered them.

I would try to purge postfix (sudo apt-get purge postfix) and then reinstall 
it.  
That will cause dpkg to no longer track that config files have been removed by 
an agent outside the packaging system and reinstall them.

Scott K


220 banner shows up after about 20 seconds

2012-11-20 Thread Jumping Mouse
When testing my smtp connection I get a timeout after 16 seconds.  Using 
telnet I finally get a connection after more than 16 seconds. I used to get 
a connection right away.  

Please help me to troubleshoot this.   The server is not loaded at all!   DNS 
servers are responsive, so I am at a loss as to what could be causing this. 

Here are some warning logs that may help:

warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:49:54 mail postfix/smtpd[19317]: warning: milter inet:10.0.0.26:8092: 
can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:54 mail postfix/smtpd[19317]: warning: milter inet:10.0.0.26:8092: 
read error in initial handshake
Nov 21 01:49:55 mail postfix/smtpd[20194]: warning: milter inet:10.0.0.26:8092: 
can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:55 mail postfix/smtpd[20194]: warning: milter inet:10.0.0.26:8092: 
read error in initial handshake
Nov 21 01:49:55 mail postfix/smtpd[20247]: warning: milter inet:10.0.0.26:8092: 
can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:55 mail postfix/smtpd[20247]: warning: milter inet:10.0.0.26:8092: 
read error in initial handshake
Nov 21 01:49:58 mail postfix/smtpd[20248]: warning: milter inet:10.0.0.26:8092: 
can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:58 mail postfix/smtpd[20248]: warning: milter inet:10.0.0.26:8092: 
read error in initial handshake
Nov 21 01:50:00 mail postfix/smtpd[20249]: warning: milter inet:10.0.0.26:8092: 
can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:50:00 mail postfix/smtpd[20249]: warning: milter inet:10.0.0.26:8092: 
read error in initial handshake
Nov 21 01:50:07 mail postfix/smtpd[18310]: warning: milter inet:10.0.0.26:8092: 
can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:50:07 mail postfix/smtpd[18310]: warning: milter inet:10.0.0.26:8092: 
read error in initial handshake
Nov 21 01:50:11 mail postfix/smtpd[20228]: warning: 123.28.208.235: address not 
listed for hostname localhost 

Re: 220 banner shows up after about 20 seconds

2012-11-20 Thread Robert Schetterer
On 21.11.2012 07:57, Jumping Mouse wrote:
 When testing my smtp connection I get a timeout after 16 seconds.  Using 
 telnet I finally get a connection after more than 16 seconds. I used to 
 get a connection right away.  
 
 Please help me to troubleshoot this.   The server is not loaded at all!   DNS 
 servers are responsive, so I am at a loss as to what could be causing this. 
 
 Here are some warning logs that may help:
 
 warning: milter inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:49:54 mail postfix/smtpd[19317]: warning: milter 
 inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection 
 timed out
 Nov 21 01:49:54 mail postfix/smtpd[19317]: warning: milter 
 inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:49:55 mail postfix/smtpd[20194]: warning: milter 
 inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection 
 timed out
 Nov 21 01:49:55 mail postfix/smtpd[20194]: warning: milter 
 inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:49:55 mail postfix/smtpd[20247]: warning: milter 
 inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection 
 timed out
 Nov 21 01:49:55 mail postfix/smtpd[20247]: warning: milter 
 inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:49:58 mail postfix/smtpd[20248]: warning: milter 
 inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection 
 timed out
 Nov 21 01:49:58 mail postfix/smtpd[20248]: warning: milter 
 inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:50:00 mail postfix/smtpd[20249]: warning: milter 
 inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection 
 timed out
 Nov 21 01:50:00 mail postfix/smtpd[20249]: warning: milter 
 inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:50:07 mail postfix/smtpd[18310]: warning: milter 
 inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection 
 timed out
 Nov 21 01:50:07 mail postfix/smtpd[18310]: warning: milter 
 inet:10.0.0.26:8092: read error in initial handshake
 Nov 21 01:50:11 mail postfix/smtpd[20228]: warning: 123.28.208.235: address 
 not listed for hostname localhost   
 

OK, what milter is that? Perhaps ask on their mailing list.
Disable this milter temporarily, and see what happens then.

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
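
The warnings quoted in this thread already identify the milter; what a practitioner usually wants next is a quick count of how often, over which smtpd processes and for how long one endpoint has been timing out. Here is an added example (my own code, not from the thread) that summarises Postfix smtpd milter warnings per milter endpoint. SAMPLE_LOG is constructed from the lines quoted in the post; the "address not listed" line and the first, timestamp-less line are deliberately left in to show that unrelated or truncated lines are ignored.

```python
"""Summarise milter handshake failures per milter endpoint from Postfix
smtpd log lines.  Added example, not from the thread.  SAMPLE_LOG is
constructed from the warnings quoted in the post."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# syslog timestamp, host, "postfix/smtpd[pid]: warning: milter <endpoint>: <message>"
MILTER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"warning: milter (?P<milter>\S+): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:49:54 mail postfix/smtpd[19317]: warning: milter inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:54 mail postfix/smtpd[19317]: warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:49:55 mail postfix/smtpd[20194]: warning: milter inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:55 mail postfix/smtpd[20194]: warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:49:55 mail postfix/smtpd[20247]: warning: milter inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:55 mail postfix/smtpd[20247]: warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:49:58 mail postfix/smtpd[20248]: warning: milter inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:49:58 mail postfix/smtpd[20248]: warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:50:00 mail postfix/smtpd[20249]: warning: milter inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:50:00 mail postfix/smtpd[20249]: warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:50:07 mail postfix/smtpd[18310]: warning: milter inet:10.0.0.26:8092: can't read SMFIC_OPTNEG reply packet header: Connection timed out
Nov 21 01:50:07 mail postfix/smtpd[18310]: warning: milter inet:10.0.0.26:8092: read error in initial handshake
Nov 21 01:50:11 mail postfix/smtpd[20228]: warning: 123.28.208.235: address not listed for hostname localhost
"""


class MilterStats:
    """Counters for one milter endpoint."""

    def __init__(self) -> None:
        self.timeouts = 0          # "... Connection timed out"
        self.handshake_errors = 0  # "read error in initial handshake"
        self.pids: Set[str] = set()
        self.first = ""
        self.last = ""


def summarize(lines: Iterable[str]) -> Dict[str, MilterStats]:
    """Group smtpd milter warnings by endpoint; other lines are skipped."""
    stats: Dict[str, MilterStats] = defaultdict(MilterStats)
    for line in lines:
        m = MILTER_RE.match(line)
        if not m:
            continue
        s = stats[m["milter"]]
        if "Connection timed out" in m["msg"]:
            s.timeouts += 1
        elif "read error in initial handshake" in m["msg"]:
            s.handshake_errors += 1
        s.pids.add(m["pid"])
        s.first = s.first or m["ts"]
        s.last = m["ts"]
    return dict(stats)


def suspects(stats: Dict[str, MilterStats], min_timeouts: int = 3) -> List[str]:
    """Endpoints with repeated handshake timeouts, worst first."""
    hot = [(s.timeouts, name) for name, s in stats.items() if s.timeouts >= min_timeouts]
    return [name for _, name in sorted(hot, reverse=True)]


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {s.timeouts} timeouts, {s.handshake_errors} handshake errors, "
              f"{len(s.pids)} smtpd processes, {s.first} .. {s.last}")
    print("suspects:", suspects(summarize(SAMPLE_LOG.splitlines())))
```

Feed it `grep 'warning: milter' /var/log/mail.log` to see every endpoint that is failing, not just the one in the excerpt. Postfix opens the milter connection when the client connects, before it sends the greeting, which is why a dead milter shows up as a slow 220 banner; the wait is bounded by `milter_connect_timeout`, and `milter_default_action` (default `tempfail`) decides what happens to the mail meanwhile. Setting it to `accept` restores the banner speed but lets mail through unfiltered while the milter is down, so disabling the milter temporarily, as suggested above, is the more honest test.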