Re: sign auto-reply vacation with OpenDKIM
My final goal is to have all kinds of outbound mail signed by DKIM, including bounces, auto-replies... and then announce a reject DMARC policy in DNS.

I already have some kind of separation for inbound/outbound but it's probably not optimal...
- A dedicated IP is used for SMTP inbound and another for user submission/POP/IMAP.
- Outgoing mail, sent by users, uses a dedicated IP (1 per domain).
- Everything runs on a single machine and actually works :)
- Bounces and auto-replies are not signed :(

Here is the relevant part of my configuration:

master.cf

# IP xx.xx.xx.1 is MX and only used to receive mail from remote MTA
xx.xx.xx.1:smtp     inet  n       -       -       -       1       postscreen
smtpd               pass  -       -       -       -       -       smtpd
  # OpenDKIM and OpenDMARC check compliance
  -o smtpd_milters=inet:$dkim_milter,$dmarc_milter
  # don't know if I really need this line ?
  -o non_smtpd_milters=inet:$dkim_milter,$dmarc_milter
dnsblog             unix  -       -       -       -       0       dnsblog
tlsproxy            unix  -       -       -       -       0       tlsproxy

# IP xx.xx.xx.2 for users submission only
xx.xx.xx.2:submission inet n     -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o smtpd_milters=inet:$dkim_milter

# IP xx.xx.xx.3 only used for outbound mail of domain1.com
out_domain1         unix  -       -       n       -       -       smtp
  -o smtp_bind_address=xx.xx.xx.3
  -o smtp_helo_name=domain1.com
  -o syslog_name=postfix-customer-domain1

# IP xx.xx.xx.4 only used for outbound mail of domain2.com
out_domain2         unix  -       -       n       -       -       smtp
  -o smtp_bind_address=xx.xx.xx.4
  -o smtp_helo_name=domain2.com
  -o syslog_name=postfix-customer-domain2

# Amavis part
amavis              unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_mime_output_conversion=yes
127.0.0.1:10025     inet  n       -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks
  -o cleanup_service_name=smtp-cleanup
  -o local_header_rewrite_clients=

main.cf:

# we don't have a LAN, customers connect from the Internet to get/receive mail
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
# bind to main IP
smtp_bind_address = xx.xx.xx.1
# each customer uses its own outgoing IP
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
# postfix-policyd-spf-python is used here
smtpd_recipient_restrictions = ,
    reject_unauth_destination,
    check_policy_service unix:private/policy-spf
# amavis scans inbound and outbound mail
content_filter = amavis:[127.0.0.1]:10024

sender_transport:

@domain1.com    out_domain1:
@domain2.com    out_domain2:

Let me know if you need more information and thanks for your precious advice.

Alexandre

On 18/10/2013 23:25, Viktor Dukhovni wrote:
> On Fri, Oct 18, 2013 at 10:49:33PM +0200, Alexandre Ellert wrote:
>
> > Postfix currently does not apply content filters to mail that is
> > forwarded or aliased internally, or to mail that is generated
> > internally such as bounces or Postmaster notifications. This may be
> > a problem when you want to apply a signing Milter to such mail
> >
> > Internally, means internally by Postfix.
> >
> > So, can you confirm that auto-reply messages from dovecot are
> > considered as bounces and are impossible to get signed by OpenDKIM ?
>
> An auto-reply from Dovecot is not generated internally by Postfix.
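As an added example, not Alexandre's configuration or OpenDKIM's code: a Python check of the DMARC alignment question behind this thread, i.e. whether each outbound stream (signed user mail, a subdomain sender, an unsigned Postfix bounce) would survive a p=reject policy on the From: domain. The message samples, the domain names and the placeholder signature values are constructed, and organizational-domain matching is approximated with a suffix test.

```python
"""Check whether a message's DKIM signature satisfies DMARC identifier
alignment (RFC 7489 section 3.1), i.e. whether a p=reject policy for the
From: domain would still accept it.  Only alignment is examined, not the
signature's cryptographic validity.  All sample messages are constructed."""
import email
import email.utils
import re

def dkim_tags(header_value):
    """Parse a DKIM-Signature value ('tag=value; tag=value; ...') into a dict,
    dropping the folding whitespace that long base64 values may contain."""
    tags = {}
    for part in header_value.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags

def from_domain(msg):
    """Domain of the RFC5322.From address, the identifier DMARC aligns against."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def aligned(signing_domain, header_domain, strict=False):
    """Strict alignment needs an exact match.  Relaxed alignment accepts the
    d= domain and the From: domain sharing an organizational domain; that is
    approximated here by a parent/child suffix test (no public-suffix list)."""
    s, h = signing_domain.lower().rstrip("."), header_domain.lower().rstrip(".")
    if s == h:
        return True
    if strict:
        return False
    return s.endswith("." + h) or h.endswith("." + s)

def dmarc_dkim_status(raw_message, strict=False):
    """Return 'aligned', 'unaligned' or 'unsigned' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    signatures = msg.get_all("DKIM-Signature") or []
    if not signatures:
        return "unsigned"  # e.g. a bounce Postfix generated itself: no milter ran
    fdom = from_domain(msg)
    for sig in signatures:
        d = dkim_tags(sig).get("d", "")
        if d and aligned(d, fdom, strict):
            return "aligned"
    return "unaligned"

# Constructed samples; bh= and b= are placeholders, not real hashes/signatures.
USER_MAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain1.com; s=mail;
 h=from:to:subject; bh=cGxhY2Vob2xkZXI=;
 b=c2lnbmF0dXJlLXBsYWNlaG9sZGVy
From: Alice <alice@domain1.com>
To: bob@example.org
Subject: signed on the submission service

hello
"""
# The same d=domain1.com signature on mail whose From: is a subdomain.
SUBDOMAIN_MAIL = USER_MAIL.replace("alice@domain1.com", "alice@sub.domain1.com")
# A bounce generated by Postfix itself: no milter ran, so no signature.
BOUNCE = """\
From: MAILER-DAEMON@domain1.com (Mail Delivery System)
To: alice@domain1.com
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx.domain1.com.
"""

if __name__ == "__main__":
    for name, raw in (("user", USER_MAIL), ("subdomain", SUBDOMAIN_MAIL), ("bounce", BOUNCE)):
        print(name, dmarc_dkim_status(raw), dmarc_dkim_status(raw, strict=True))
```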
Using dovecot as LDA for postfix
Hi

Here is my environment:
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
postfix-2.9.1-1.rhel5
dovecot 1.0.7

I want to configure a complete postfix-dovecot mail server. First I configured postfix to use procmail, its default LDA, and dovecot for pop3 and imap. I didn't change main.cf a lot, just myhostname and a few other properties. I didn't set home_mailbox. About dovecot.conf, here is the output of dovecot -n:

# 1.0.7: /etc/dovecot.conf
log_path: /var/log/dovecot.log
protocols: imap pop3
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  mechanisms: plain login
  passdb:
    driver: pam
  userdb:
    driver: passwd

As you can see mail_location is not set. At this time everything was OK and working. I was able to send email using SquirrelMail and Thunderbird. I have two users, user1 and user2, on my Linux machine, and when I sent an email from us...@software.com to us...@software.com the sent mail was saved in /home/user1/mail/Sent and the received email was in /var/mail/user2.

The log file for dovecot had entries like this for user1 and user2:

dovecot: Oct 14 14:44:52 Info: IMAP(user1): maildir: couldn't find root dir
dovecot: Oct 14 14:44:52 Info: IMAP(user1): mbox: root exists (/home/user1/mail)
dovecot: Oct 14 14:44:52 Info: IMAP(user1): mbox: INBOX exists (/var/mail/user1)
dovecot: Oct 14 14:44:52 Info: IMAP(user1): mbox: root=/home/user1/mail, index=/home/user1/mail, inbox=/var/mail/user1

At this point I tried to change the LDA from procmail to dovecot with the following settings. I added/changed the following in main.cf:

mailbox_command = /usr/libexec/dovecot/deliver
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = software.com
virtual_transport = dovecot

I added the following in master.cf:

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

But it didn't work. When I send email from user2 to user1 the sent email is correctly saved in /home/user2/mail/Sent but it seems that user1 doesn't receive the incoming email. dovecot.log had entries like the following:

dovecot: Oct 14 14:54:04 Info: imap-login: Login: user=user1, method=PLAIN, rip=:::172.27.7.8, lip=:::172.16.100.183, TLS
dovecot: Oct 14 14:54:04 Info: IMAP(user1): Effective uid=504, gid=504, home=/home/user1
dovecot: Oct 14 14:54:04 Info: IMAP(user1): maildir: access(/home/user1/Maildir, rwx): failed: No such file or directory
dovecot: Oct 14 14:54:04 Info: IMAP(user1): maildir: couldn't find root dir
dovecot: Oct 14 14:54:04 Info: IMAP(user1): mbox: root exists (/home/user1/mail)
dovecot: Oct 14 14:54:04 Info: IMAP(user1): mbox: INBOX exists (/var/mail/user1)
dovecot: Oct 14 14:54:04 Info: IMAP(user1): mbox: root=/home/user1/mail, index=/home/user1/mail, inbox=/var/mail/user1

Setting home_mailbox = Maildir/ in main.cf and mail_location = maildir:~/Maildir in dovecot.conf didn't help. I have been googling and reading and testing for 4 or 5 days on this but there was no chance.

Now I am stuck and any help would be really really appreciated.

Regards,
Ferez
Re: Using dovecot as LDA for postfix
On Sat, Oct 19, 2013 at 05:41:25AM -0700, Farzad Mahdikhani wrote:
> I have been googling and reading and testing for 4 or 5 days for this
> but there was no chance. Now, I am stuck and any help would be really
> really appreciated.

That's exactly what you said 5 days ago on the Dovecot list. This seems to be the exact same post, without any evidence that you bothered to read any of the replies you got on the Dovecot list. If you really really appreciate the help, you should really really read your replies.

You are probably correct to bring this here, because as one of the Dovecot replies said, it looked like a probable Postfix issue. But you need to comply with the list welcome message when posting. See:

http://www.postfix.org/DEBUG_README.html#mail

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
saslpasswd2 (and auth)
Hi all :-)

I configured a postfix with sasl authentication.

saslpasswd2 -c -u `postconf -h myhostname` test0
testsaslauthd -u test0 -p test0
0: NO authentication failed

Try with:

saslpasswd2 -c test1
testsaslauthd -u test1 -p test1
0: OK Success.

sasldblistusers2
te...@domain1.org: userPassword
te...@server2.domain1.org: userPassword

So obviously, from the email client, smtp auth runs only with user0 and test0 (password).

echo `postconf -h myhostname`
domain1.org

I don't understand what the error is... any idea?

Thanks!
Pol
Re: Using dovecot as LDA for postfix
Farzad Mahdikhani:
> I added/changed the following in the main.cf:
> mailbox_command = /usr/libexec/dovecot/deliver
> dovecot_destination_recipient_limit = 1
> virtual_mailbox_domains = software.com
> virtual_transport = dovecot
>
> I added the following in the master.cf:
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
>
> But it didn't work. When I send email from user2 to user1 the sent
> email is correctly saved in /home/user2/mail/Sent but it seems that
> user1 doesn't receive the incoming email. dovecot.log had entries like
> the following:

You are reporting a problem WITHOUT showing Postfix logs.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Thank you for using Postfix.
Re: disable ipv6 when sending to gmail ?
On 10/19/2013 01:45, DTNX Postmaster wrote:
> On Oct 19, 2013, at 00:13, Dominik George n...@naturalnet.de wrote:
>
>>> if i would be you i would *not* use v=spf1 mx ~all
>>
>> If I were [...]
>>
>>> ... here you go for ipv6 http://www.openspf.org/SPF_Record_Syntax#ip6
>>
>> Jeez, I don't believe it. The problem is that the mx mechanism simply
>> only enumerates A records of MXs. That's broken ...
>
> The only place I've seen this problem with the lookup of IPv6 addresses
> via the 'mx' construct in SPF records was Gmail, which was resolved, and
> recently some small local operator who kept insisting that the problem
> was on our side until the evidence was so overwhelmingly pointing to his
> own setup that he could no longer ignore it.
>
> He made the same claim, however, but never backed it up. How are you
> reaching your conclusion? Because this only mentions A records and IPv4
> prefixes?
>
> http://www.openspf.org/SPF_Record_Syntax#mx
>
> Kind regards,
> Joni

Quick testing:

m...@staticsafe.ca - @gmail.com account
Received-SPF: pass (google.com: domain of m...@staticsafe.ca designates 2607:5300:60:e3a::1 as permitted sender) client-ip=2607:5300:60:e3a::1;

staticsafe.ca. 1792 IN SPF v=spf1 mx -all

To check-a...@verifier.port25.com:

-- SPF check details: --
Result: pass
ID(s) verified: smtp.mailfrom=m...@staticsafe.ca
DNS record(s):
  staticsafe.ca. 1800 IN SPF v=spf1 mx -all
  staticsafe.ca. 1800 IN MX 10 mx1.staticsafe.ca.
  mx1.staticsafe.ca. 1800 IN 2607:5300:60:e3a::1

-- 
staticsafe
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post. It is not logical.
Please don't CC me! I'm subscribed to whatever list I just posted on.
Re: disable ipv6 when sending to gmail ?
>> He made the same claim, however, but never backed it up. How are you
>> reaching your conclusion? Because this only mentions A records and IPv4
>> prefixes?
>>
>> http://www.openspf.org/SPF_Record_Syntax#mx
>
> Quick testing:
>
> m...@staticsafe.ca - @gmail.com account
> Received-SPF: pass (google.com: domain of m...@staticsafe.ca designates
> 2607:5300:60:e3a::1 as permitted sender) client-ip=2607:5300:60:e3a::1;

Correct. The changes to SPF proposed yesterday do not change anything.

-nik

-- 
Whoever does not honour kale is not worthy of Mettwurst!
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
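The point the two posts above make, that the mx mechanism covers IPv6 senders because the MX hosts' AAAA records are looked up, worked through as an added example that is not from either poster: a small offline SPF evaluator over a constructed DNS table (the staticsafe.ca entries mirror the records quoted above; example.org is made up). It goes beyond the thread by also showing the opposite case, an MX host with only an A record, whose mail sent over IPv6 does not match mx.

```python
"""Offline evaluation of the SPF 'mx' mechanism for IPv4 and IPv6 clients.
DNS answers come from a constructed table instead of live queries, so the
script runs anywhere: the staticsafe.ca entries mirror the records quoted in
the thread; example.org is made up to show an MX with no AAAA record."""
import ipaddress

ZONE = {
    ("staticsafe.ca", "TXT"): ["v=spf1 mx -all"],
    ("staticsafe.ca", "MX"): ["mx1.staticsafe.ca"],
    ("mx1.staticsafe.ca", "AAAA"): ["2607:5300:60:e3a::1"],
    ("example.org", "TXT"): ["v=spf1 mx ~all"],
    ("example.org", "MX"): ["mx.example.org"],
    ("mx.example.org", "A"): ["192.0.2.25"],     # IPv4 only: no AAAA record
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, zone):
    """Stand-in for a DNS query; an empty list models NXDOMAIN/NODATA."""
    return zone.get((name.lower().rstrip("."), rtype), [])

def mx_matches(ip, domain, zone):
    """RFC 7208 section 5.4: for every MX host of the domain, fetch A records
    when the client is IPv4 and AAAA records when it is IPv6, and match if
    the client address equals one of them (no CIDR suffix support here)."""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ip == ipaddress.ip_address(addr)
               for mx in lookup(domain, "MX", zone)
               for addr in lookup(mx, rtype, zone))

def check_spf(client_ip, domain, zone=ZONE):
    """Evaluate an SPF record built from mx, ip4, ip6 and all terms and return
    the SPF result string (include/redirect/a/ptr/exists are not handled)."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT", zone) if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"      # more than one SPF record is a hard error
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "mx":
            matched = mx_matches(ip, arg or domain, zone)
        elif name in ("ip4", "ip6"):
            # a v4 address never falls inside a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism outside this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"            # nothing matched and no 'all' term present

if __name__ == "__main__":
    for ip, dom in (("2607:5300:60:e3a::1", "staticsafe.ca"),
                    ("192.0.2.10", "staticsafe.ca"),
                    ("192.0.2.25", "example.org"),
                    ("2001:db8::25", "example.org")):
        print(f"{ip:22} {dom:14} {check_spf(ip, dom)}")
```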
Re: Timeout when delivering to large group of aliases
On 18.10.2013 17:56, List wrote:
> If so is there a more efficient way to go about delivering to many
> thousands of aliases?

By using a mailing list software for that task?

Regards
-- 
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin
Re: Timeout when delivering to large group of aliases
On Fri, Oct 18, 2013 at 10:56:59AM -0500, List wrote:
> For example we have the address distgr...@domain.tld which is an alias
> to 3000 local users.

What kind of alias? Are you using virtual(5) aliases via virtual_alias_maps? With a backend database, the database schema and query used, as well as information about available indexes, may be pertinent. Or are you using local aliases(5)?

> When our inbound spam filter connects to the Postfix server to relay a
> message to this user we are seeing a timeout after 60 seconds and the
> message gets deferred on the filter, but the message has actually been
> delivered to the alias and subsequently all the recipients.

Therefore (as Wietse points out) your timeout is at the "." command, since earlier timeouts would not see the message delivered. The RFC recommended minimum timeout for "." is 600s, not 60s. For clients feeding MTAs that expand large recipient lists, I've sometimes set timeouts of 1200s (or more as required).

> Is it true that Postfix is waiting to send 250 OK back to the filter
> until all the recipients have had a copy of the message delivered to
> their inbox?

No. Delivery happens asynchronously. However, virtual alias expansion (which is recursive) happens synchronously during cleanup(8) processing. Large lists can take time to expand, especially if your database is poorly indexed.

> If so is there a more efficient way to go about delivering to many
> thousands of aliases?

Index the alias database properly and use queries that can use the index and don't force table scans. Query databases with short network round-trip times that are not overloaded (network, disk, CPU, ...). Do not use aggressive timeouts, they are counter-productive.

-- 
	Viktor.
Need some help: fatal: no login name found for user ID
Hi!

I have postfix 2.1 installed on my server. And I want to use virtual users from mysql. Everything works fine except sending emails from processes running from virtual users' accounts. I receive the following error in maillog:

Oct 20 00:09:33 1gb postfix/sendmail[14070]: fatal: no login name found for user ID 10020

How can I tell postfix where to find login names for virtual uids? I already have the following lines in main.cf:

virtual_uid_maps = static:2000
virtual_gid_maps = static:2000

It doesn't help.
Re: Need some help: fatal: no login name found for user ID
Maksim Kulik:
> Hi!
>
> I have postfix 2.1 installed on my server. And I want to use virtual
> users from mysql. Everything works fine except sending emails from
> processes running from virtual users' accounts. I receive the following
> error in maillog:
>
> Oct 20 00:09:33 1gb postfix/sendmail[14070]: fatal: no login name found for user ID 10020
>
> How can I tell postfix where to find login names for virtual uids?

The Postfix sendmail accepts mail from UNIX system processes. It uses the getpwuid() system library function to look up the UNIX system user's name. This name is used for the envelope sender and the rfc822.from address.

To prevent Postfix sendmail from looking up this information you must supply the sender name or address with the -f command-line option.

	Wietse
Re: Need some help: fatal: no login name found for user ID
On Sun, Oct 20, 2013 at 12:29:44AM +0300, Maksim Kulik wrote:
> I have postfix 2.1 installed on my server.

2.1? Do you mean 2.10? Do not start out with an old, unsupported version.

> And I want to use virtual users from mysql. Everything works fine
> except sending emails from processes running from virtual users'
> accounts.

How did you manage to do this? The whole idea of a virtual account is that it is not a system account, not able to run system commands. Typically a virtual user uses SMTP submission, not sendmail(1).

> I receive the following error in maillog:
>
> Oct 20 00:09:33 1gb postfix/sendmail[14070]: fatal: no login name found for user ID 10020
>
> How can I tell postfix where to find login names for virtual uids?

UID-to-name resolution is done by your OS NSS (name service switch) libraries; this usually uses /etc/passwd(5).

> I already have the following lines in main.cf:
> virtual_uid_maps = static:2000
> virtual_gid_maps = static:2000
>
> It doesn't help.

Of course not, and 10020 != 2000. Where did this UID 10020 come from, and why is it running sendmail?

http://www.postfix.org/DEBUG_README.html#mail

WAG: 10020 is your httpd or webmail UID, and your webmail is wrongly configured to use sendmail. Change your webmail client to use SMTP.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Connection refused to local stunnel tunnel
Dear all,

I am setting up postfix in my OmniOS/illumos installation (at home, I am an enthusiast and no expert admin) and I encountered the issue I will describe. I tried for more than two evenings but I had no success at all, so I ask here and I hope you will be able to help.

I have a domain with OVH and they allow (according to http://help.ovh.co.uk/EmailSmtpPop3Imap ) only SMTPS or SSL/TLS (I copy and paste from OVH):

• SSL/TLS: you can activate a coding tunnel between your email software and our SMTP server (port 25),
• SMTPS: you can create a coding SSL tunnel directly to any connection (port 465),
• Our SMTP servers always try to force the connections in SSL/TLS (port 25).

If I use ssl0.ovh.net:25, I get a timeout. If I use port 587, I get (TLS is required, but was not offered by host ssl0.ovh.net[213.186.33.20]), so I opted for SMTPS. However, Postfix cannot do SMTPS on port 465, so I installed stunnel and I set it to connect to ssl0.ovh.net:465. I did it on my OS X 10.8 and it worked, I can send mail from the command line. As reference, I used the config suggested in the postfix help:

[smtp-tls-wrapper]
accept = localhost:11125
client = yes
connect = ssl0.ovh.net:465
;delay = yes

I replicated both main.cf and stunnel.conf on OmniOS and it doesn't work! However, I ask in this mailing list because postfix is an extra package not part of the base OmniOS distro. If you tell me everything seems ok, I will ask them.

The error I get from postfix is the following, taken from the output of mailq:

(connect to 127.0.0.1[127.0.0.1]:11125: Connection refused)

Well, I tried telnet 127.0.0.1 465 from a SSH prompt and I was able to connect to the remote mail server, so stunnel is working and listening. So what should I do now?

This is the output of postconf -n:

command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5
html_directory = /usr/local/html/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = rijswijk.marzocchi.net
myhostname = OmniOS-Xeon.rijswijk.marzocchi.net
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relayhost = [127.0.0.1]:11125
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = no
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
unknown_local_recipient_reject_code = 550

Needless to say, when I did the test on port 25 and 587 of the remote SMTP server, I had different options:

relayhost = ssl0.ovh.net:25 (or 587)
smtp_use_tls = yes
smtp_tls_security_level = encrypt

In case it can be useful, I add another bit of information: I tried to use remote port 587 and no encryption (since it said TLS is not available…) but in mailq I got:

(local data error while talking to ssl0.ovh.net[213.186.33.20])

Any help will be very welcome, I don't even know where to look for solutions. Google didn't help either and I did my number of searches. Of course, if you see a configuration mistake that prevents me from using directly SSL/TLS on the remote

Regards,
Olaf Marzocchi
Re: Connection refused to local stunnel tunnel
On 20.10.2013 01:34, Olaf Marzocchi wrote:
> If I use ssl0.ovh.net:25, I get a timeout. If I use port 587, I get
> (TLS is required, but was not offered by host
> ssl0.ovh.net[213.186.33.20]), so I opted for SMTPS. However, Postfix
> cannot do SMTPS on port 465, so I installed stunnel and I set it to
> connect to ssl0.ovh.net:465. I did it on my OS X 10.8 and it worked, I
> can send mail from the command line. As reference, I used the config
> suggested in the postfix help:
>
> [smtp-tls-wrapper]
> accept = localhost:11125
> client = yes
> connect = ssl0.ovh.net:465

this way you can get no difference because it is still smtps
https://www.stunnel.org/pipermail/stunnel-users/2011-April/003056.html
Re: Connection refused to local stunnel tunnel
Olaf Marzocchi:
> If I use ssl0.ovh.net:25, I get a timeout. If I use port 587, I get
> (TLS is required, but was not offered by host
> ssl0.ovh.net[213.186.33.20]), so I opted for SMTPS. However, Postfix
> cannot do SMTPS on port 465, so I installed stunnel and I set it to
> connect to ssl0.ovh.net:465. I did it on my OS X 10.8 and it worked, I
> can send mail from the command line. As reference, I used the config
> suggested in the postfix help:
>
> [smtp-tls-wrapper]
> accept = localhost:11125
> client = yes
> connect = ssl0.ovh.net:465
> ;delay = yes
>
> I replicated both main.cf and stunnel.conf on OmniOS and it doesn't
> work! However, I ask in this mailing list because postfix is an extra
> package not part of the base OmniOS distro. If you tell me everything
> seems ok, I will ask them.
>
> The error I get from postfix is the following, taken from the output
> of mailq:
>
> (connect to 127.0.0.1[127.0.0.1]:11125: Connection refused)

On the machine that runs Postfix, nothing is listening on 127.0.0.1 TCP port 11125.

> Well, I tried telnet 127.0.0.1 465 from a SSH prompt and I was able
> to connect to the remote mail server, so stunnel is working

You connect to 127.0.0.1 port 465. That works.

Postfix is configured to connect to 127.0.0.1 port 11125. That does not work.

Suggestion: configure Postfix to connect to the port that works.

	Wietse
Re: Connection refused to local stunnel tunnel
On Sun, Oct 20, 2013 at 01:34:57AM +0200, Olaf Marzocchi wrote:
> However, Postfix cannot do SMTPS on port 465, so I installed stunnel
> and I set it to connect to ssl0.ovh.net:465. I did it on my OS X 10.8
> and it worked, I can send mail from the command line. As reference, I
> used the config suggested in the postfix help:
>
> [smtp-tls-wrapper]
> accept = localhost:11125

Port 11125.

> client = yes
> connect = ssl0.ovh.net:465
> ;delay = yes
>
> I replicated both main.cf and stunnel.conf on OmniOS and it doesn't
> work! However, I ask in this mailing list because postfix is an extra
> package not part of the base OmniOS distro. If you tell me everything
> seems ok, I will ask them.
>
> The error I get from postfix is the following, taken from the output
> of mailq:
>
> (connect to 127.0.0.1[127.0.0.1]:11125: Connection refused)

11125 is not working, right.

> Well, I tried telnet 127.0.0.1 465 from a SSH prompt and I was

465 != 11125

> able to connect to the remote mail server, so stunnel is working
> and listening.

Not necessarily.

> So what should I do now?

Keep digging on the stunnel configuration.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Save mails into custom DB
Hi, I have a question. What is the most appropriate way to save mails into a database that I built before? I mean, I have a custom structured database and I need to save mails into that database. Some time ago I was using James server and wrote a bunch of Java code. Also I had a chance to use JPA, but I decided to use Postfix for some reason. If you have some idea on how I can save mails and everything in 'my database', it would be appreciated.