Re: smtp-sink does not support all ipv6 addresses?
On 04-01-16 18:58, Wietse Venema wrote:
> Tom Hendrikx:
>>
>> Hi,
>>
>> I'm trying to setup a test environment using smtp-sink as a mail
>> receiver. For ipv4 I'm running smtp-sink on random addresses in
>> 127.0.0.0/8, and was looking for the same trick on ipv6. My OS allows me
>> to (ab)use :::0:0/96 for this, but unfortunately, smtp-sink does not:
>>
>> $ smtp-sink -v :::127.1.2.3:12345 100
>> smtp-sink: name_mask: all
>> smtp-sink: trying... [:::127.1.2.3]:12345
>> smtp-sink: fatal: bind :::127.1.2.3 port 12345: Invalid argument
>
> The bind(2) system call rejects the address. Postfix is the messenger
> of bad news. Don't blame the messenger.
>
> Wietse
>

I did some rummaging in the source code to see what I'm doing wrong, and found out that inet_listen.c sets the IPV6_V6ONLY flag on the socket [1], which makes the bind(2) bail out. If I remove the setsockopt(2) call and recompile, smtp-sink works as I hoped:

$ ./smtp-sink -v :::127.1.2.3:12345 100
./smtp-sink: name_mask: all
./smtp-sink: trying... [:::127.1.2.3]:12345
./smtp-sink: connect (AF_INET6 :::127.0.0.1)
./smtp-sink: vstream_tweak_tcp: TCP_MAXSEG 21888
./smtp-sink: fd=5: stream buffer size old=0 new=43776
./smtp-sink: smtp_stream_setup: maxtime=100 enable_deadline=0
./smtp-sink: helo test
./smtp-sink: quit
./smtp-sink: disconnect

I can see the use of the setsockopt call, since leaving it out has the side effect that smtp-sink is also reachable on 127.1.2.3 (ipv4). On the other hand, that behaviour is sort of what I requested when I explicitly specified an IPv4-mapped IPv6 address.

So this means IMHO that IPv4-mapped IPv6 listen addresses are not supported/explicitly disabled by postfix, it has nothing to do with bind(2). Would be nice if that was mentioned somewhere.

[1]: https://github.com/vdukhovni/postfix/blob/master/postfix/src/util/inet_listen.c#L145

Regards,
Tom
Virtual_Users for single domain
Hey there,

i would like to benefit from the convenience that virtual_users bring to your configuration, that is - from my point of view - that you don't need to create local accounts for every e-mail user, even though in my case i only have a few of them.

As far as i know, you can enable virtual_users in postfix by using the *virtual_alias_maps* directive, but *virtual_alias_maps* seem to require hosted domains in *virtual_alias_domains*.
I only got one domain for which postfix will be responsible for directly, therefore i have set *mydestination* to mydomain.de.
If i am not mistaken you shouldn't set the same domain in *mydestination* and *virtual_alias_domains* so i would like to ask, what can i do to accomplish a virtual_user configuration for a single domain setup?
I am just guessing here but i assume i could set mydestination to localhost and put mydomain.de in *virtual_alias_maps* but maybe that's not "best practice" or there are any side effects i am not taking into account.

As always, thanks for helping me out. :)

Dennis
Re: Virtual_Users for single domain
On 1/5/2016 9:57 AM, Dennis Steinkamp wrote:
> Hey there,
>
> i would like to benefit from the convenience that virtual_users
> bring to your configuration, that is - from my point of view - that
> you don't need to create local accounts for every e-mail user,
> even though in my case i only have a few of them.
>
> As far as i know, you can enable virtual_users in postfix by using
> the *virtual_alias_maps* directive, but *virtual_alias_maps* seem to
> require hosted domains in *virtual_alias_domains*.
> I only got one domain for which postfix will be responsible for
> directly, therefore i have set *mydestination* to mydomain.de.
> If i am not mistaken you shouldn't set the same domain in
> *mydestination* and *virtual_alias_domains* so i would like to ask,
> what can i do to accomplish a virtual_user configuration for a
> single domain setup?
> I am just guessing here but i assume i could set mydestination to
> localhost and put mydomain.de in *virtual_alias_maps* but maybe that's
> not "best practice" or there are any side effects i am not taking
> into account.
>
> As always, thanks for helping me out. :)
>
> Dennis

Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS domain
http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class

You can find an example setup in
http://www.postfix.org/VIRTUAL_README.html

  -- Noel Jones
Re: ldap validate
On 1/5/2016 1:22 PM, Gomes, Rich wrote:
> Does this imply an actual list\map?
>
> " and list the valid recipients in relay_recipient_maps"
>

relay_recipient_maps = ldap:/path/to/file

>
> I am looking to do real-time LDAP lookups.
>
> The only time I get it to work is when using virtual mailbox domains and maps
>
> Not sure what I am missing here.
> Relaying is working great via relay domains and maps
> LDAP lookups, not so much with that same config
> Only with virtual mailbox domains

You're using relay_domains and relay_recipient_maps. Don't use any of the virtual_mailbox_* parameters.

  -- Noel Jones
RE: ldap validate
Does this imply an actual list\map?

" and list the valid recipients in relay_recipient_maps"

I am looking to do real-time LDAP lookups.

The only time I get it to work is when using virtual mailbox domains and maps

Not sure what I am missing here.
Relaying is working great via relay domains and maps
LDAP lookups, not so much with that same config
Only with virtual mailbox domains

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
Sent: Monday, January 04, 2016 4:58 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/4/2016 3:37 PM, Gomes, Rich wrote:
> So I should change the config to use relay domains instead of virtual mailbox?

You previously wrote that these domains were defined in relay_domains (which they should be). Don't define domains in more than one address class ie. not in more than one *_domains parameter.

List your internal Exchange domains in relay_domains, and list the valid recipients in relay_recipient_maps. Don't list the valid recipients anywhere else.

> The idea behind dropping invalid users is that this is by attrition
> Homegrown applications sending reports to people who haven't worked here in
> years.
> Better to drop in those cases

You can assign specific bad users to the discard: transport.

# transport table
previousresid...@example.com discard:

Or maybe better, use virtual_alias_maps to redirect the mail to the appropriate person.

  -- Noel Jones

>
> Again, this is an internal server and not receiving from Internet, just
> receiving from applications.
>
> Is dropping an option?
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
> Sent: Monday, January 04, 2016 4:32 PM
> To: postfix-users@postfix.org
> Subject: Re: ldap validate
>
> On 1/4/2016 3:11 PM, Gomes, Rich wrote:
>> Ok, I have LDAP working in stream although still have a few bugs.
>>
>> I found this article:
>>
>> http://www.experts-exchange.com/questions/28251757/How-to-configure-LDAP-Authentication-for-Incoming-SMTP-Traffic.html
>>
>> Basically I added these lines
>>
>> virtual_mailbox_domains = example.com, example.org, example.net
>> virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
>>
>> to where I already had
>> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
>>
>> and it worked.
>
> That's correct if you're using virtual_mailbox_domains, but not for
> relay_domains.
>
>> Is there a way to have Postfix DROP the message if the recipient is invalid?
>> As opposed to sending an NDR?
>
> Postfix will reject invalid recipients. Discarding invalid recipients is a
> terrible idea.
>
>   -- Noel Jones
>
Re: PATCH: saslauthd show remote ip address
--On Thursday, December 10, 2015 11:49 AM -0800 Quanah Gibson-Mount wrote:

> --On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema wrote:
>
>> Quanah Gibson-Mount:
>>> --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema wrote:
>>>
>>> > This is not completely trivial because the port information needs
>>> > to be consistent with information from proxies, postscreen, and
>>> > XCLIENT, otherwise results will be incorrect.
>>>
>>> Ok, good to know. Is there any general timeline on when that will be
>>> available for testing?
>>
>> No. Time is in short supply, especially for functionality that has
>> been missing for 15+ years.
>
> Ok, thanks. Not sure if it falls into the legal issue of required source
> port logging that Belgium has implemented or not. I.e., being able to
> tie the source port logged at the smtp server to a specific sasl auth
> request.

After deploying live with this patch, we found ports 465/587 were busted:

Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: connect from edge01.zimbra.com[10.210.0.174]
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: Anonymous TLS connection established from edge01.zimbra.com[10.210.0.174]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: warning: server_addr=, client_addr=10.210.0.174
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: warning: SASL per-connection server initialization: invalid parameter supplied
Jan 5 12:40:12 edge01 postfix/submission/smtpd[63043]: fatal: SASL per-connection initialization failed

From the command line with openssl, it'd drop with:

250 DSN
read:errno=0

So we will be working further on this patch, and will push back whatever further changes are necessary.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra :: the leader in open source messaging and collaboration
Re: Virtual_Users for single domain
I am aware of the readme article its based on multiple hosted domains.
Correct me if i am wrong here but virtual_mailbox_maps also requires virtual_mailbox_domains but i don't have any "additional" virtual_mailbox_domains, i only need postfix to be responsible for one single domain only and that is already taken care of with mydestination = mydomain.de hence my question if its all right to put localhost in mydestination so that i can use mydomain.de in virtual_mailbox_domains.
The readme clearly says that you can't list mydomain.xy in mydestination and virtual_mailbox_domains at the same time.
My bad, i was talking about virtual_alias_domains instead of virtual_mailbox_domains, sorry if that caused any confusion.

Dennis

On 05.01.2016 at 19:00, Noel Jones wrote:
> On 1/5/2016 9:57 AM, Dennis Steinkamp wrote:
>> Hey there,
>>
>> i would like to benefit from the convenience that virtual_users
>> bring to your configuration, that is - from my point of view - that
>> you don't need to create local accounts for every e-mail user,
>> even though in my case i only have a few of them.
>>
>> As far as i know, you can enable virtual_users in postfix by using
>> the *virtual_alias_maps* directive, but *virtual_alias_maps* seem to
>> require hosted domains in *virtual_alias_domains*.
>> I only got one domain for which postfix will be responsible for
>> directly, therefore i have set *mydestination* to mydomain.de.
>> If i am not mistaken you shouldn't set the same domain in
>> *mydestination* and *virtual_alias_domains* so i would like to ask,
>> what can i do to accomplish a virtual_user configuration for a
>> single domain setup?
>> I am just guessing here but i assume i could set mydestination to
>> localhost and put mydomain.de in *virtual_alias_maps* but maybe that's
>> not "best practice" or there are any side effects i am not taking
>> into account.
>>
>> As always, thanks for helping me out. :)
>>
>> Dennis
>
> Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS domain
> http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class
>
> You can find an example setup in
> http://www.postfix.org/VIRTUAL_README.html
>
>   -- Noel Jones
Re: Virtual_Users for single domain
On 1/5/2016 1:10 PM, Dennis Steinkamp wrote:
> I am aware of the readme article its based on multiple hosted domains.
> Correct me if i am wrong here but virtual_mailbox_maps also requires
> virtual_mailbox_domains
> but i don't have any "additional" virtual_mailbox_domains, i only
> need postfix to be responsible for one single domain only
> and that is already taken care of with mydestination = mydomain.de
> hence my question if its all right to put localhost
> in mydestination so that i can use mydomain.de in
> virtual_mailbox_domains.

Yes, it is correct to use

mydestination = localhost.example.com
virtual_mailbox_domains = example.com

  -- Noel Jones

> The readme clearly says that you can't list mydomain.xy in
> mydestination and virtual_mailbox_domains at the same time.
> My bad, i was talking about virtual_alias_domains instead of
> virtual_mailbox_domains, sorry if that caused any confusion.
>
> Dennis
>
> On 05.01.2016 at 19:00, Noel Jones wrote:
>> On 1/5/2016 9:57 AM, Dennis Steinkamp wrote:
>>> Hey there,
>>>
>>> i would like to benefit from the convenience that virtual_users
>>> bring to your configuration, that is - from my point of view - that
>>> you don't need to create local accounts for every e-mail user,
>>> even though in my case i only have a few of them.
>>>
>>> As far as i know, you can enable virtual_users in postfix by using
>>> the *virtual_alias_maps* directive, but *virtual_alias_maps* seem to
>>> require hosted domains in *virtual_alias_domains*.
>>> I only got one domain for which postfix will be responsible for
>>> directly, therefore i have set *mydestination* to mydomain.de.
>>> If i am not mistaken you shouldn't set the same domain in
>>> *mydestination* and *virtual_alias_domains* so i would like to ask,
>>> what can i do to accomplish a virtual_user configuration for a
>>> single domain setup?
>>> I am just guessing here but i assume i could set mydestination to
>>> localhost and put mydomain.de in *virtual_alias_maps* but maybe that's
>>> not "best practice" or there are any side effects i am not taking
>>> into account.
>>>
>>> As always, thanks for helping me out. :)
>>>
>>> Dennis
>>
>> Sounds as if you want a virtual MAILBOX domain, not a virtual ALIAS
>> domain
>> http://www.postfix.org/ADDRESS_CLASS_README.html#virtual_mailbox_class
>>
>> You can find an example setup in
>> http://www.postfix.org/VIRTUAL_README.html
>>
>>   -- Noel Jones
>>
RE: ldap validate
It works!
Thanks for all your help!

Just have to see if I can turf certain emails now.

I'll also need to see if I can filter the logs, smtpd -v gives way too much while without the -v gives way too little

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
Sent: Tuesday, January 05, 2016 3:04 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/5/2016 1:50 PM, Gomes, Rich wrote:
> Ok, my bad that does work in fact.
> I had shut off smtpd -v in master.cf so I was not seeing the full LDAP
> queries.
>
> However it will only validate the default domain even though I have more than
> one domain listed in relay_domains.
> Is it picking this from mydomain setting in main.cf perhaps?
> Or somewhere else?

This is in your lookup map definition.

  -- Noel Jones
Re: ldap validate
On 1/5/2016 1:50 PM, Gomes, Rich wrote:
> Ok, my bad that does work in fact.
> I had shut off smtpd -v in master.cf so I was not seeing the full LDAP
> queries.
>
> However it will only validate the default domain even though I have more than
> one domain listed in relay_domains.
> Is it picking this from mydomain setting in main.cf perhaps?
> Or somewhere else?

This is in your lookup map definition.

  -- Noel Jones
Re: PATCH: saslauthd show remote ip address
Quanah Gibson-Mount:
> --On Thursday, December 10, 2015 11:49 AM -0800 Quanah Gibson-Mount
> wrote:
>
> > --On Thursday, December 10, 2015 2:29 PM -0500 Wietse Venema
> > wrote:
> >
> >> Quanah Gibson-Mount:
> >>> --On Thursday, December 10, 2015 2:02 PM -0500 Wietse Venema
> >>> wrote:
> >>>
> >>> > This is not completely trivial because the port information needs
> >>> > to be consistent with information from proxies, postscreen, and
> >>> > XCLIENT, otherwise results will be incorrect.
> >>>
> >>> Ok, good to know. Is there any general timeline on when that will be
> >>> available for testing?
> >>
> >> No. Time is in short supply, especially for functionality that has
> >> been missing for 15+ years.
> >
> > Ok, thanks. Not sure if it falls into the legal issue of required source
> > port logging that Belgium has implemented or not. I.e., being able to
> > tie the source port logged at the smtp server to a specific sasl auth
> > request.
>
> After deploying live with this patch, we found ports 465/587 were busted:

I think I mentioned in this thread that the patch is not complete because the Cyrus implementation expects a string of the form "ipaddress:portnumber", and the patch provides the address only.

> So we will be working further on this patch, and will push back whatever
> further changes are necessary.

Wietse
Re: PATCH: saslauthd show remote ip address
--On Tuesday, January 05, 2016 3:43 PM -0500 Wietse Venema wrote:

> I think I mentioned in this thread that the patch is not complete
> because the Cyrus implementation expects a string of the form
> "ipaddress:portnumber", and the patch provides the address only.

Yep. We're working on completing it. ;) It just had some unanticipated side effects.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra :: the leader in open source messaging and collaboration
RE: ldap validate
It's not so much what is missing as there is no in between
Smtpd -v just gives so much per transaction.
I usually set Sendmail at 18 and it show less than the -v does.

I would like a way to see a successful map of email address to what is found during the LDAP query without all the additional info.
Somewhere between smtpd and smtpd -v would be about right

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
Sent: Tuesday, January 05, 2016 5:39 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/5/2016 2:32 PM, Gomes, Rich wrote:
>
> I'll also need to see if I can filter the logs, smtpd -v gives way too
> much while without the -v gives way too little

I can't remember the last time I needed verbose logging, even to debug a problem.

What is missing from the normal logging you need on a regular basis?

  -- Noel Jones
Re: ldap validate
On 1/5/2016 2:32 PM, Gomes, Rich wrote:
>
> I'll also need to see if I can filter the logs, smtpd -v gives way too much
> while without the -v gives way too little

I can't remember the last time I needed verbose logging, even to debug a problem.

What is missing from the normal logging you need on a regular basis?

  -- Noel Jones
Re: Certificate does not match mail server for some reason
On 04/01/16 20:24, Viktor Dukhovni wrote:
> On Mon, Jan 04, 2016 at 08:01:59PM +0100, Maximilian Muster wrote:
>
>> I am using Dovecot for the IMAP server and installed Dovecot and Postfix in
>> a recommended combined package for ubuntu called "mail-stack-delivery".
>> There were some preconfigurations in this package and that is most likely
>> the reason I missed the option to configure it. If anybody knows on the fly
>> how to configure that in Dovecot it would be a nice shortcut. Otherwise I
>> may be able to google my way out of it.
>
> The configuration issue is in Thunderbird which wants to connect to
> "imap.example.com" rather than "mail.example.com" (which is what
> is in your certificate).
>
> Perhaps you have SRV records for IMAP, you might also want to make
> sure that those point at "mail.example.com". See RFC6186.

Thanks for the tip and I didn't have any SRV records at all. I looked up RFC6186 and did:

Name             | Type | Wgh | Port | Value     | Prio | TTL
_imap._tcp       | SRV  | 0   | 143  | mail..com | 0    | 3600
_imaps._tcp      | SRV  | 0   | 993  | mail..com | 0    | 3600
_submission._tcp | SRV  | 0   | 587  | mail..com | 0    | 3600

Still didn't help and Thunderbird still only detects imap and smtp ones. Will see what topics to auto configuration I can find.

At least I am now sure that gmail don't put my first mail into spam because of this certificate error and it is email client related, since all checks like DKIM and SPF seemed to work...

Thanks again,
Akimiya
RE: ldap validate
Ok, my bad that does work in fact.
I had shut off smtpd -v in master.cf so I was not seeing the full LDAP queries.

However it will only validate the default domain even though I have more than one domain listed in relay_domains.
Is it picking this from mydomain setting in main.cf perhaps?
Or somewhere else?

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones
Sent: Tuesday, January 05, 2016 2:33 PM
To: postfix-users@postfix.org
Subject: Re: ldap validate

On 1/5/2016 1:22 PM, Gomes, Rich wrote:
> Does this imply an actual list\map?
>
> " and list the valid recipients in relay_recipient_maps"
>

relay_recipient_maps = ldap:/path/to/file

>
> I am looking to do real-time LDAP lookups.
>
> The only time I get it to work is when using virtual mailbox domains
> and maps
>
> Not sure what I am missing here.
> Relaying is working great via relay domains and maps LDAP lookups, not
> so much with that same config Only with virtual mailbox domains

You're using relay_domains and relay_recipient_maps. Don't use any of the virtual_mailbox_* parameters.

  -- Noel Jones
Re: smtp-sink does not support all ipv6 addresses?
Tom Hendrikx:
> I can see the use of the setsockopt call, since leaving it out has the
> side effect that smtp-sink is also reachable on 127.1.2.3 (ipv4). On the
> other hand, that behaviour is sort of what I requested when I explicitly
> specified an IPv4-mapped IPv6 address.

If you want to talk IPv4, you must specify IPv4. Having two ways to specify the same IP address is a security hole.

	Wietse
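
The two points in this exchange, as an added example in C that is not Postfix code and not from either poster: `try_bind6` repeats the bind(2) call with and without IPV6_V6ONLY, and `canon_addr`/`same_host` show why a second spelling of an IPv4 address matters to any check that compares addresses as text. The function names are hypothetical, and the sample address assumes the standard `::ffff:a.b.c.d` form of an IPv4-mapped address.

```c
/* Added example (not Postfix code): IPv4-mapped IPv6 vs. plain IPv4. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: parse `text` and reduce it to one canonical form.
 * ::ffff:a.b.c.d collapses to plain IPv4, so each host has one spelling.
 * Returns AF_INET, AF_INET6, or -1 if `text` is not an IP address. */
int canon_addr(const char *text, unsigned char out[16])
{
    struct in_addr a4;
    struct in6_addr a6;

    memset(out, 0, 16);
    if (inet_pton(AF_INET, text, &a4) == 1) {
        memcpy(out, &a4, 4);
        return AF_INET;
    }
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        memcpy(out, a6.s6_addr + 12, 4);    /* last 4 bytes hold the IPv4 address */
        return AF_INET;
    }
    memcpy(out, a6.s6_addr, 16);
    return AF_INET6;
}

/* 1 if both strings name the same host once canonicalised, else 0. */
int same_host(const char *x, const char *y)
{
    unsigned char a[16], b[16];
    int fa = canon_addr(x, a), fb = canon_addr(y, b);

    return fa != -1 && fa == fb && memcmp(a, b, 16) == 0;
}

/* Bind an AF_INET6 TCP socket to `addr` (port 0 = any free port) with
 * IPV6_V6ONLY set to `v6only`. Returns 0 on success, else the errno. */
int try_bind6(const char *addr, int v6only)
{
    struct sockaddr_in6 sa;
    int fd, err = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, addr, &sa.sin6_addr) != 1)
        return EINVAL;
    if ((fd = socket(AF_INET6, SOCK_STREAM, 0)) < 0)
        return errno;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0
        || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const char *mapped = "::ffff:127.1.2.3", *plain = "127.1.2.3";  /* constructed */

    printf("string compare equal: %d\n", strcmp(mapped, plain) == 0);
    printf("canonical compare equal: %d\n", same_host(mapped, plain));
    printf("bind, V6ONLY=1: %s\n", strerror(try_bind6(mapped, 1)));
    printf("bind, V6ONLY=0: %s\n", strerror(try_bind6(mapped, 0)));
    return 0;
}
```

On Linux the V6ONLY=1 bind reports "Invalid argument", the same error smtp-sink printed; the V6ONLY=0 result depends on the host having that loopback address available.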
Re: Virtual_Users for single domain
On Tue, Jan 05, 2016 at 01:30:32PM -0600, Noel Jones wrote:

> Yes, it is correct to use
> mydestination = localhost.example.com
> virtual_mailbox_domains = example.com

I use:

main.cf:
    virtual_mailbox_domains = virtual.invalid
    virtual_mailbox_maps = ${indexed}vmbox
    virtual_mailbox_base = /var/spool/virtual
    # Dovecot static user/gid for mailbox access
    virtual_uid_maps = static:500
    virtual_gid_maps = static:500

    virtual_alias_domains = example.com
    myorigin = example.com
    mydestination = local.invalid

virtual:
    lu...@example.com    luser@local.invalid
    vu...@example.com    vuser@virtual.invalid

Then all users are rewritten to either the virtual mailbox or the local domain as appropriate. Mind you, even system users can and likely should have virtual mailboxes (via mailbox_transport if need be). Why limit folks to using local mboxes, when they can use IMAP.

-- 
	Viktor.