Re: smtp-sink does not support all ipv6 addresses?

2016-01-05 Thread Tom Hendrikx


On 04-01-16 18:58, Wietse Venema wrote:
> Tom Hendrikx:
>>
>> Hi,
>>
>> I'm trying to set up a test environment using smtp-sink as a mail
>> receiver. For ipv4 I'm running smtp-sink on random addresses in
>> 127.0.0.0/8, and was looking for the same trick on ipv6. My OS allows me
>> to (ab)use :::0:0/96 for this, but unfortunately, smtp-sink does not:
>>
>> $ smtp-sink -v :::127.1.2.3:12345 100
>> smtp-sink: name_mask: all
>> smtp-sink: trying... [:::127.1.2.3]:12345
>> smtp-sink: fatal: bind :::127.1.2.3 port 12345: Invalid argument
> 
> The bind(2) system call rejects the address. Postfix is the messenger
> of bad news.  Don't blame the messenger.
> 
>   Wietse
> 

I did some rummaging in the source code to see what I'm doing wrong, and
found out that inet_listen.c sets the IPV6_V6ONLY flag on the socket
[1], which makes the bind(2) bail out. If I remove the setsockopt(2)
call and recompile, smtp-sink works as I hoped:

$ ./smtp-sink -v :::127.1.2.3:12345 100
./smtp-sink: name_mask: all
./smtp-sink: trying... [:::127.1.2.3]:12345

./smtp-sink: connect (AF_INET6 :::127.0.0.1)
./smtp-sink: vstream_tweak_tcp: TCP_MAXSEG 21888
./smtp-sink: fd=5: stream buffer size old=0 new=43776
./smtp-sink: smtp_stream_setup: maxtime=100 enable_deadline=0
./smtp-sink: helo test
./smtp-sink: quit
./smtp-sink: disconnect

I can see the use of the setsockopt call, since leaving it out has the
side effect that smtp-sink is also reachable on 127.1.2.3 (ipv4). On the
other hand, that behaviour is sort of what I requested when I explicitly
specified an IPv4-mapped IPv6 address.

So this means IMHO that IPv4-mapped IPv6 listen addresses are not
supported (explicitly disabled) by Postfix; it has nothing to do with
bind(2). It would be nice if that was mentioned somewhere.

[1]:
https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/inet_listen.c#L145

Regards,
Tom


Virtual_Users for single domain

2016-01-05 Thread Dennis Steinkamp

Hey there,

I would like to benefit from the convenience that virtual_users bring to 
your configuration, that is - from my point of view - that you don't 
need to create local accounts for every e-mail user, even though in my 
case I only have a few of them.

As far as I know, you can enable virtual_users in Postfix by using the 
*virtual_alias_maps* directive, but *virtual_alias_maps* seems to require 
hosted domains in *virtual_alias_domains*.
I only have one domain for which Postfix will be responsible directly, 
therefore I have set *mydestination* to mydomain.de.
If I am not mistaken you shouldn't set the same domain in 
*mydestination* and *virtual_alias_domains*, so I would like to ask: what 
can I do to accomplish a virtual_user configuration for a single domain 
setup?
I am just guessing here, but I assume I could set mydestination to 
localhost and put mydomain.de in *virtual_alias_maps*, but maybe that's not 
"best practice" or there are side effects I am not taking into account.


As always, thanks for helping me out. :)

Dennis


Re: Virtual_Users for single domain

2016-01-05 Thread Noel Jones
On 1/5/2016 9:57 AM, Dennis Steinkamp wrote:
> Hey there,
> 
> I would like to benefit from the convenience that virtual_users
> bring to your configuration, that is - from my point of view - that
> you don't need to create local accounts for every e-mail user,
> even though in my case I only have a few of them.
> 
> As far as I know, you can enable virtual_users in Postfix by using
> the *virtual_alias_maps* directive, but *virtual_alias_maps* seems to
> require hosted domains in *virtual_alias_domains*.
> I only have one domain for which Postfix will be responsible
> directly, therefore I have set *mydestination* to mydomain.de.
> If I am not mistaken you shouldn't set the same domain in
> *mydestination* and *virtual_alias_domains*, so I would like to ask:
> what can I do to accomplish a virtual_user configuration for a
> single domain setup?
> I am just guessing here, but I assume I could set mydestination to
> localhost and put mydomain.de in *virtual_alias_maps*, but maybe that's
> not "best practice" or there are side effects I am not taking
> into account.
> 
> As always, thanks for helping me out. :)
> 
> Dennis


Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS
domain
http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class

You can find an example setup in
http://www.postfix.org/VIRTUAL_README.html



  -- Noel Jones




Re: ldap validate

2016-01-05 Thread Noel Jones
On 1/5/2016 1:22 PM, Gomes, Rich wrote:
> Does this imply an actual list\map?
> 
> " and list the valid recipients in relay_recipient_maps"
> 

relay_recipient_maps = ldap:/path/to/file



> 
> I am looking to do real-time LDAP lookups.
> 
> The only time I get it to work is when using virtual mailbox domains and maps
> 
> Not sure what I am missing here.
> Relaying is working great via relay domains and maps
> LDAP lookups, not so much with that same config
> Only with virtual mailbox domains

You're using relay_domains and relay_recipient_maps.  Don't use any
of the virtual_mailbox_* parameters.



  -- Noel Jones


RE: ldap validate

2016-01-05 Thread Gomes, Rich
Does this imply an actual list\map?

" and list the valid recipients in relay_recipient_maps"


I am looking to do real-time LDAP lookups.

The only time I get it to work is when using virtual mailbox domains and maps

Not sure what I am missing here.
Relaying is working great via relay domains and maps
LDAP lookups, not so much with that same config
Only with virtual mailbox domains






-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Monday, January 04, 2016 4:58 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/4/2016 3:37 PM, Gomes, Rich wrote:
> So I should change the config to use relay domains instead of virtual mailbox?


You previously wrote that these domains were defined in relay_domains (which 
they should be).

Don't define domains in more than one address class, i.e. not in more than one 
*_domains parameter.

List your internal Exchange domains in relay_domains, and list the valid 
recipients in relay_recipient_maps.  Don't list the valid recipients anywhere 
else.


> The idea behind dropping invalid users is that this is by attrition: 
> homegrown applications sending reports to people who haven't worked here in 
> years.
> Better to drop in those cases.

You can assign specific bad users to the discard: transport.
# transport table
previousresid...@example.com  discard:

Or maybe better, use virtual_alias_maps to redirect the mail to the appropriate 
person.



  -- Noel Jones




> 
> Again, this is an internal server and not receiving from Internet, just 
> receiving from applications.
> 
> Is dropping an option?
> 
> 
> 
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
> Sent: Monday, January 04, 2016 4:32 PM
> To: postfix-users@postfix.org
> Subject: Re: ldap validate
> 
> On 1/4/2016 3:11 PM, Gomes, Rich wrote:
>> Ok, I have LDAP working in stream although still have a few bugs.
>>
>> I found this article:
>>
>> http://www.experts-exchange.com/questions/28251757/How-to-configure-LDAP-Authentication-for-Incoming-SMTP-Traffic.html
>>
>>
>> Basically I added these lines
>>
>> virtual_mailbox_domains = example.com, example.org, example.net 
>> virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
>>
>> to where I already  had
>> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
>>
>> and it worked.
> 
> That's correct if you're using virtual_mailbox_domains, but not for 
> relay_domains.
> 
> 
>> Is there a way to have Postfix DROP the message if the recipient is invalid? 
>> As opposed to sending an NDR?
> 
> 
> Postfix will reject invalid recipients.  Discarding invalid recipients is a 
> terrible idea.
> 
> 
> 
> 
>   -- Noel Jones
> 



Re: PATCH: saslauthd show remote ip address

2016-01-05 Thread Quanah Gibson-Mount
--On Thursday, December 10, 2015 11:49 AM -0800 Quanah Gibson-Mount 
 wrote:

> --On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema
>  wrote:
>
>> Quanah Gibson-Mount:
>>> --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema
>>>  wrote:
>>>
>>> > This is not completely trivial because the port information needs
>>> > to be consistent with information from proxies, postscreen, and
>>> > XCLIENT, otherwise results will be incorrect.
>>>
>>> Ok, good to know.  Is there any general timeline on when that will be
>>> available for testing?
>>
>> No. Time is in short supply, especially for functionality that has
>> been missing for 15+ years.
>
> Ok, thanks.  Not sure if it falls into the legal issue of required source
> port logging that Belgium has implemented or not.  I.e., being able to
> tie the source port logged at the smtp server to a specific sasl auth
> request.


After deploying live with this patch, we found ports 465/587 were busted:

Jan  5 12:40:12 edge01 postfix/submission/smtpd[63043]: connect from 
edge01.zimbra.com[10.210.0.174]
Jan  5 12:40:12 edge01 postfix/submission/smtpd[63043]: Anonymous TLS 
connection established from edge01.zimbra.com[10.210.0.174]: TLSv1.2 with 
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  5 12:40:12 edge01 postfix/submission/smtpd[63043]: warning: 
server_addr=, client_addr=10.210.0.174
Jan  5 12:40:12 edge01 postfix/submission/smtpd[63043]: warning: SASL 
per-connection server initialization: invalid parameter supplied
Jan  5 12:40:12 edge01 postfix/submission/smtpd[63043]: fatal: SASL 
per-connection initialization failed



From the command line with openssl, it'd drop with:


250 DSN
read:errno=0

So we will be working further on this patch, and will push back whatever 
further changes are necessary.


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: Virtual_Users for single domain

2016-01-05 Thread Dennis Steinkamp

I am aware of the README article; it's based on multiple hosted domains.
Correct me if I am wrong here, but virtual_mailbox_maps also requires 
virtual_mailbox_domains, but I don't have any "additional" 
virtual_mailbox_domains; I only need Postfix to be responsible for one 
single domain, and that is already taken care of with mydestination = 
mydomain.de, hence my question whether it's all right to put localhost 
in mydestination so that I can use mydomain.de in virtual_mailbox_domains.
The README clearly says that you can't list mydomain.xy in mydestination 
and virtual_mailbox_domains at the same time.
My bad, I was talking about virtual_alias_domains instead of 
virtual_mailbox_domains, sorry if that caused any confusion.


Dennis

On 05.01.2016 at 19:00, Noel Jones wrote:

> On 1/5/2016 9:57 AM, Dennis Steinkamp wrote:
>
>> Hey there,
>>
>> I would like to benefit from the convenience that virtual_users
>> bring to your configuration, that is - from my point of view - that
>> you don't need to create local accounts for every e-mail user,
>> even though in my case I only have a few of them.
>>
>> As far as I know, you can enable virtual_users in Postfix by using
>> the *virtual_alias_maps* directive, but *virtual_alias_maps* seems to
>> require hosted domains in *virtual_alias_domains*.
>> I only have one domain for which Postfix will be responsible
>> directly, therefore I have set *mydestination* to mydomain.de.
>> If I am not mistaken you shouldn't set the same domain in
>> *mydestination* and *virtual_alias_domains*, so I would like to ask:
>> what can I do to accomplish a virtual_user configuration for a
>> single domain setup?
>> I am just guessing here, but I assume I could set mydestination to
>> localhost and put mydomain.de in *virtual_alias_maps*, but maybe that's
>> not "best practice" or there are side effects I am not taking
>> into account.
>>
>> As always, thanks for helping me out. :)
>>
>> Dennis
>
> Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS
> domain
> http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class
>
> You can find an example setup in
> http://www.postfix.org/VIRTUAL_README.html
>
>   -- Noel Jones






Re: Virtual_Users for single domain

2016-01-05 Thread Noel Jones
On 1/5/2016 1:10 PM, Dennis Steinkamp wrote:
> I am aware of the README article; it's based on multiple hosted domains.
> Correct me if I am wrong here, but virtual_mailbox_maps also requires
> virtual_mailbox_domains, but I don't have any "additional"
> virtual_mailbox_domains; I only need Postfix to be responsible for one
> single domain, and that is already taken care of with mydestination =
> mydomain.de, hence my question whether it's all right to put localhost
> in mydestination so that I can use mydomain.de in
> virtual_mailbox_domains.

Yes, it is correct to use
mydestination = localhost.example.com
virtual_mailbox_domains = example.com



  -- Noel Jones


> The README clearly says that you can't list mydomain.xy in
> mydestination and virtual_mailbox_domains at the same time.
> My bad, I was talking about virtual_alias_domains instead of
> virtual_mailbox_domains, sorry if that caused any confusion.
> 
> Dennis
> 
> On 05.01.2016 at 19:00, Noel Jones wrote:
>> On 1/5/2016 9:57 AM, Dennis Steinkamp wrote:
>>> Hey there,
>>>
>>> I would like to benefit from the convenience that virtual_users
>>> bring to your configuration, that is - from my point of view - that
>>> you don't need to create local accounts for every e-mail user,
>>> even though in my case I only have a few of them.
>>>
>>> As far as I know, you can enable virtual_users in Postfix by using
>>> the *virtual_alias_maps* directive, but *virtual_alias_maps* seems to
>>> require hosted domains in *virtual_alias_domains*.
>>> I only have one domain for which Postfix will be responsible
>>> directly, therefore I have set *mydestination* to mydomain.de.
>>> If I am not mistaken you shouldn't set the same domain in
>>> *mydestination* and *virtual_alias_domains*, so I would like to ask:
>>> what can I do to accomplish a virtual_user configuration for a
>>> single domain setup?
>>> I am just guessing here, but I assume I could set mydestination to
>>> localhost and put mydomain.de in *virtual_alias_maps*, but maybe that's
>>> not "best practice" or there are side effects I am not taking
>>> into account.
>>>
>>> As always, thanks for helping me out. :)
>>>
>>> Dennis
>>
>> Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS
>> domain
>> http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class
>>
>>
>> You can find an example setup in
>> http://www.postfix.org/VIRTUAL_README.html
>>
>>
>>
>>-- Noel Jones
>>
>>
> 



RE: ldap validate

2016-01-05 Thread Gomes, Rich
It works!

Thanks for all your help!
Just have to see if I can turf certain emails now.

I'll also need to see if I can filter the logs, smtpd -v gives way too much 
while without the -v gives way too little



-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Tuesday, January 05, 2016 3:04 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/5/2016 1:50 PM, Gomes, Rich wrote:
> Ok, my bad that does work in fact.
> I had shut off smtpd -v in master.cf so I was not seeing the full LDAP 
> queries.
> 
> However it will only validate the default domain even though I have more than 
> one domain listed in relay_domains.
> Is it picking this from mydomain setting in main.cf perhaps?
> Or somewhere else?

This is in your lookup map definition.





  -- Noel Jones


Re: ldap validate

2016-01-05 Thread Noel Jones
On 1/5/2016 1:50 PM, Gomes, Rich wrote:
> Ok, my bad that does work in fact.
> I had shut off smtpd -v in master.cf so I was not seeing the full LDAP 
> queries.
> 
> However it will only validate the default domain even though I have more than 
> one domain listed in relay_domains.
> Is it picking this from mydomain setting in main.cf perhaps?
> Or somewhere else?

This is in your lookup map definition.





  -- Noel Jones


Re: PATCH: saslauthd show remote ip address

2016-01-05 Thread Wietse Venema
Quanah Gibson-Mount:
> --On Thursday, December 10, 2015 11:49 AM -0800 Quanah Gibson-Mount 
>  wrote:
> 
> > --On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema
> >  wrote:
> >
> >> Quanah Gibson-Mount:
> >>> --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema
> >>>  wrote:
> >>>
> >>> > This is not completely trivial because the port information needs
> >>> > to be consistent with information from proxies, postscreen, and
> >>> > XCLIENT, otherwise results will be incorrect.
> >>>
> >>> Ok, good to know.  Is there any general timeline on when that will be
> >>> available for testing?
> >>
> >> No. Time is in short supply, especially for functionality that has
> >> been missing for 15+ years.
> >
> > Ok, thanks.  Not sure if it falls into the legal issue of required source
> > port logging that Belgium has implemented or not.  I.e., being able to
> > tie the source port logged at the smtp server to a specific sasl auth
> > request.
> 
> After deploying live with this patch, we found ports 465/587 were busted:

I think I mentioned in this thread that the patch is not complete
because the Cyrus implementation expects a string of the form
"ipaddress:portnumber", and the patch provides the address only.

> So we will be working further on this patch, and will push back whatever 
> further changes are necessary.

Wietse


Re: PATCH: saslauthd show remote ip address

2016-01-05 Thread Quanah Gibson-Mount
--On Tuesday, January 05, 2016 3:43 PM -0500 Wietse Venema 
 wrote:

> I think I mentioned in this thread that the patch is not complete
> because the Cyrus implementation expects a string of the form
> "ipaddress:portnumber", and the patch provides the address only.


Yep.  We're working on completing it. ;)  It just had some unanticipated 
side effects.


--Quanah




--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


RE: ldap validate

2016-01-05 Thread Gomes, Rich
It's not so much what is missing as that there is no in-between.
smtpd -v just gives so much per transaction.

I usually set Sendmail at 18 and it shows less than the -v does.
I would like a way to see a successful map of email address to what is found 
during the LDAP query without all the additional info.
Somewhere between smtpd and smtpd -v would be about right.

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Tuesday, January 05, 2016 5:39 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/5/2016 2:32 PM, Gomes, Rich wrote:
> 
> I'll also need to see if I can filter the logs, smtpd -v gives way too 
> much while without the -v gives way too little

I can't remember the last time I needed verbose logging, even to debug a 
problem.

What is missing from the normal logging you need on a regular basis?



  -- Noel Jones


Re: ldap validate

2016-01-05 Thread Noel Jones
On 1/5/2016 2:32 PM, Gomes, Rich wrote:
> 
> I'll also need to see if I can filter the logs, smtpd -v gives way too much 
> while without the -v gives way too little

I can't remember the last time I needed verbose logging, even to
debug a problem.

What is missing from the normal logging you need on a regular basis?



  -- Noel Jones


Re: Certificate does not match mail server for some reason

2016-01-05 Thread Maximilian Muster

On 04/01/16 20:24, Viktor Dukhovni wrote:

> On Mon, Jan 04, 2016 at 08:01:59PM +0100, Maximilian Muster wrote:
>
>> I am using Dovecot for the IMAP server and installed Dovecot and Postfix in
>> a recommended combined package for Ubuntu called "mail-stack-delivery".
>> There were some preconfigurations in this package and that is most likely
>> the reason I missed the option to configure it.  If anybody knows on the fly
>> how to configure that in Dovecot it would be a nice shortcut. Otherwise I
>> may be able to google my way out of it.
>
> The configuration issue is in Thunderbird which wants to connect to
> "imap.example.com" rather than "mail.example.com" (which is what
> is in your certificate).  Perhaps you have SRV records for IMAP,
> you might also want to make sure that those point at "mail.example.com".
> See RFC6186.

Thanks for the tip; I didn't have any SRV records at all. I looked up 
RFC6186 and did:


Name             | Type | Wgh | Port | Value     | Prio | TTL
-----------------+------+-----+------+-----------+------+-----
_imap._tcp       | SRV  | 0   | 143  | mail..com | 0    | 3600
_imaps._tcp      | SRV  | 0   | 993  | mail..com | 0    | 3600
_submission._tcp | SRV  | 0   | 587  | mail..com | 0    | 3600

Still didn't help, and Thunderbird still only detects the imap and smtp ones. 
Will see what topics on auto configuration I can find. At least I am now 
sure that Gmail doesn't put my first mail into spam because of this 
certificate error, and that it is email client related, since all checks like 
DKIM and SPF seemed to work...


Thanks again,
Akimiya


RE: ldap validate

2016-01-05 Thread Gomes, Rich
Ok, my bad that does work in fact.
I had shut off smtpd -v in master.cf so I was not seeing the full LDAP queries.

However it will only validate the default domain even though I have more than 
one domain listed in relay_domains.
Is it picking this from mydomain setting in main.cf perhaps?
Or somewhere else?

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Tuesday, January 05, 2016 2:33 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/5/2016 1:22 PM, Gomes, Rich wrote:
> Does this imply an actual list\map?
> 
> " and list the valid recipients in relay_recipient_maps"
> 

relay_recipient_maps = ldap:/path/to/file



> 
> I am looking to do real-time LDAP lookups.
> 
> The only time I get it to work is when using virtual mailbox domains 
> and maps
> 
> Not sure what I am missing here.
> Relaying is working great via relay domains and maps
> LDAP lookups, not so much with that same config
> Only with virtual mailbox domains

You're using relay_domains and relay_recipient_maps.  Don't use any of the 
virtual_mailbox_* parameters.



  -- Noel Jones


Re: smtp-sink does not support all ipv6 addresses?

2016-01-05 Thread Wietse Venema
Tom Hendrikx:
> I can see the use of the setsockopt call, since leaving it out has the
> side effect that smtp-sink is also reachable on 127.1.2.3 (ipv4). On the
> other hand, that behaviour is sort of what I requested when I explicitly
> specified an IPv4-mapped IPv6 address.

If you want to talk IPv4, you must specify IPv4. Having two ways
to specify the same IP address is a security hole.

Wietse
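As an added example (not Postfix or smtp-sink code, and not from anyone in the thread), the Python below shows the point Wietse makes above and what Tom found in inet_listen.c: an access rule accepts or misses the IPv4-mapped form Tom describes (written in full as ::ffff:127.1.2.3) depending on whether addresses are canonicalised to plain IPv4 first, and probe_bind reproduces the bind(2) EINVAL from an AF_INET6 socket with IPV6_V6ONLY set. The ACL, the function names and the sample addresses are constructed for this example; the bind behaviour described is Linux's.

```python
"""Two spellings of one address: IPv4-mapped IPv6 versus plain IPv4.

Constructed example (not Postfix or smtp-sink code).  Part 1 shows that
"::ffff:127.1.2.3" and "127.1.2.3" name the same endpoint, so an access
rule written against one spelling silently misses the other unless every
address is canonicalised first.  Part 2 reproduces the bind(2) failure from
the thread with a socket that has IPV6_V6ONLY set, as inet_listen.c does.
"""
import errno
import ipaddress
import socket


def canonical_ip(text):
    """Parse an address and unmap IPv4-mapped IPv6 ("::ffff:a.b.c.d") to
    plain IPv4, so that each host has exactly one spelling."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def acl_allows(text, allowed_networks, canonicalise=True):
    """Is the address inside one of the allowed networks?  With
    canonicalise=False this is the naive check that Wietse warns about:
    an IPv6 spelling never matches an IPv4 network."""
    addr = canonical_ip(text) if canonicalise else ipaddress.ip_address(text)
    return any(addr in net for net in map(ipaddress.ip_network, allowed_networks))


def probe_bind(text, port=0, v6only=True):
    """Bind an AF_INET6 socket the way inet_listen.c does and return the errno
    name on failure, or None on success.  On Linux an IPv4-mapped address with
    IPV6_V6ONLY=1 fails with EINVAL, the error seen in the thread."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        s.bind((text, port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed ACL: only loopback may talk to the test sink.
    loopback_only = ["127.0.0.0/8", "::1/128"]
    for spelling in ("127.1.2.3", "::ffff:127.1.2.3"):
        print(spelling, "naive:", acl_allows(spelling, loopback_only, False),
              "canonical:", acl_allows(spelling, loopback_only))
    print("bind ::ffff:127.1.2.3 IPV6_V6ONLY=1 ->", probe_bind("::ffff:127.1.2.3"))
    print("bind ::ffff:127.1.2.3 IPV6_V6ONLY=0 ->",
          probe_bind("::ffff:127.1.2.3", v6only=False))
```

The naive check is the trap: "127.0.0.0/8" accepts 127.1.2.3 but rejects ::ffff:127.1.2.3 even though both reach the same host, which is why Postfix refuses to listen on the mapped spelling rather than letting two names exist for one address.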


Re: Virtual_Users for single domain

2016-01-05 Thread Viktor Dukhovni
On Tue, Jan 05, 2016 at 01:30:32PM -0600, Noel Jones wrote:

> Yes, it is correct to use
> mydestination = localhost.example.com
> virtual_mailbox_domains = example.com

I use:

main.cf:
virtual_mailbox_domains = virtual.invalid
virtual_mailbox_maps = ${indexed}vmbox
virtual_mailbox_base = /var/spool/virtual
# Dovecot static user/gid for mailbox access
virtual_uid_maps = static:500
virtual_gid_maps = static:500

virtual_alias_domains = example.com
myorigin = example.com
mydestination = local.invalid

virtual:
lu...@example.com   luser@local.invalid
vu...@example.com   vuser@virtual.invalid

Then all users are rewritten to either the virtual mailbox
or the local domain as appropriate.

Mind you, even system users can and likely should have virtual
mailboxes (via mailbox_transport if need be).  Why limit folks to
using local mboxes, when they can use IMAP?

-- 
Viktor.
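Added example (not Postfix code, and not from anyone in the thread) that mechanises the rule Noel states both in the "ldap validate" thread and in this one: a domain belongs in exactly one address class. The lint parses a main.cf, expands $name references and reports any domain found under more than one *_domains parameter; the two configurations embedded in it are constructed from Dennis's question and Noel's answer, and map references such as ldap:/etc/postfix/ldap-users.cf are skipped since their contents are not in main.cf.

```python
"""Lint a Postfix main.cf for a domain listed in more than one address class.

Constructed example, not Postfix code.  Rule checked: a domain belongs in
exactly one of mydestination, virtual_alias_domains, virtual_mailbox_domains
and relay_domains.  Handles key = value, comma/space lists, $name references,
comments and continuation lines; a map reference (ldap:, hash:, ...) is
skipped because its content is not in the file, and an unknown $name expands
to "" rather than to postconf's built-in default.
"""
import re

DOMAIN_CLASSES = ("mydestination", "virtual_alias_domains",
                  "virtual_mailbox_domains", "relay_domains")
MAP_REFERENCE = re.compile(r"^[a-z0-9_]+:")      # hash:, ldap:, pcre:, static: ...
PARAM_REFERENCE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")

def parse_main_cf(text):
    """Return {parameter: raw value}.  A line starting with whitespace
    continues the previous value, as in Postfix's own parser."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key, params[key] = key.strip(), value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name / ${name} references recursively, with a loop guard."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return PARAM_REFERENCE.sub(
        lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)

def domains_in(value):
    """Split a domain-list value; drop map references whose contents we cannot see."""
    items = re.split(r"[,\s]+", value)
    return {i.lower() for i in items if i and not MAP_REFERENCE.match(i)}

def class_conflicts(text):
    """Return {domain: [classes]} for every domain named in two or more classes."""
    params, seen = parse_main_cf(text), {}
    for cls in DOMAIN_CLASSES:
        for dom in domains_in(expand(params.get(cls, ""), params)):
            seen.setdefault(dom, []).append(cls)
    return {d: c for d, c in seen.items() if len(c) > 1}

# Constructed: the layout Dennis first described, mydomain.de in two classes.
BAD_CF = """\
mydomain = mydomain.de
myhostname = mail.$mydomain
mydestination = $myhostname, localhost, $mydomain
virtual_mailbox_domains = mydomain.de
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
"""

# Constructed after Noel's answer: only localhost stays local, mydomain.de is virtual.
GOOD_CF = """\
mydestination = localhost.mydomain.de
virtual_mailbox_domains = mydomain.de
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
"""

if __name__ == "__main__":
    for name, cf in (("BAD_CF", BAD_CF), ("GOOD_CF", GOOD_CF)):
        print(name, "->", class_conflicts(cf) or "no address-class conflicts")
```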