Re: relay server - allow connections from DSL with dynamic IP

2016-05-29 Thread Rohit Shriwas
Ahh, crap. I just read your other thread about wanting to have an
external relay on AWS, heh. You'll want to remove relayhost and
everything smtp_* from the last email to achieve that on your AWS
instance. Cheers!

On Monday 30 May 2016 09:58 AM, Rohit Shriwas wrote:
> Hey Zalezny,
> 
> I have a similar setup where my local machine has a dynamic IP and needs
> to relay mail through an external SMTP server (smtp.zoho.com) to deliver
> anything outside. I have the following (relevant) configuration for this
> on my local Postfix instance:
> 
>   # /etc/postfix/main.cf
>   inet_interfaces = all # receive mail from everywhere
> 
>   smtpd_sasl_auth_enable = yes
>   smtpd_relay_restrictions =
>       reject_unauth_pipelining,
>       reject_non_fqdn_recipient,
>       reject_unknown_recipient_domain,
>       permit_auth_destination,
>       permit_sasl_authenticated,
>       reject
> 
>   smtp_sasl_auth_enable = yes
>   smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
>   smtp_sasl_security_options = noanonymous
>   smtp_sasl_tls_security_options = noanonymous
>   relayhost = [smtp.zoho.com]:587
> 
> Apart from this I have the following sasl configuration (to use sasldb):
> 
>   # /etc/sasl2/smtpd.conf
>   pwcheck_method: auxprop
>   auxprop_plugin: sasldb
>   mech_list: plain login
> 
> I used saslpasswd2 to create users; I had to run the following command
> to get Postfix to read the sasldb users:
> 
>   chown 0:postfix /etc/sasldb2
> 
> With the above configuration, my local machine is able to receive mail
> for itself, and any other mail is relayed through the relayhost ONLY if
> the client is SASL authenticated.
> 
> You don't need to configure a domain anywhere if your From header
> includes the full email address, including the domain.
> 
> On Sunday 29 May 2016 08:09 PM, Zalezny Niezalezny wrote:
>> hi,
>>
>> My local MTA is using DSL with a dynamic IP address, so I need to forward my
>> messages to some external relay server with a static IP.
>>
>> Unfortunately I'm not able to set up my dynamic IP on the relay server
>> in the network_table (or in mynetworks). Based on (ONLY) the username
>> and password (SASL), I would like to permit any external host to relay
>> any messages. Is it possible?
>>
>> If my local MTA is sending a message to the relay server with
>> From: u...@domainexample.com
>>
>> do I need to configure "domainexample.com"
>> somewhere in Postfix?
>>
>> I have the problem with "access relay denied" all the time...
>>
>> Maybe somebody will be able to support me here.
>>
>>
>> With kind regards
>>
>> Zalezny
>>
>>
>>
>>
> 





Re: relay server - allow connections from DSL with dynamic IP

2016-05-29 Thread Rohit Shriwas
Hey Zalezny,

I have a similar setup where my local machine has a dynamic IP and needs
to relay mail through an external SMTP server (smtp.zoho.com) to deliver
anything outside. I have the following (relevant) configuration for this
on my local Postfix instance:

  # /etc/postfix/main.cf
  inet_interfaces = all # receive mail from everywhere

  smtpd_sasl_auth_enable = yes
  smtpd_relay_restrictions =
      reject_unauth_pipelining,
      reject_non_fqdn_recipient,
      reject_unknown_recipient_domain,
      permit_auth_destination,
      permit_sasl_authenticated,
      reject

  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
  smtp_sasl_security_options = noanonymous
  smtp_sasl_tls_security_options = noanonymous
  relayhost = [smtp.zoho.com]:587

Apart from this I have the following sasl configuration (to use sasldb):

  # /etc/sasl2/smtpd.conf
  pwcheck_method: auxprop
  auxprop_plugin: sasldb
  mech_list: plain login

I used saslpasswd2 to create users; I had to run the following command
to get Postfix to read the sasldb users:

  chown 0:postfix /etc/sasldb2

With the above configuration, my local machine is able to receive mail
for itself, and any other mail is relayed through the relayhost ONLY if
the client is SASL authenticated.

You don't need to configure a domain anywhere if your From header
includes the full email address, including the domain.

On Sunday 29 May 2016 08:09 PM, Zalezny Niezalezny wrote:
> hi,
> 
> My local MTA is using DSL with a dynamic IP address, so I need to forward my
> messages to some external relay server with a static IP.
> 
> Unfortunately I'm not able to set up my dynamic IP on the relay server
> in the network_table (or in mynetworks). Based on (ONLY) the username
> and password (SASL), I would like to permit any external host to relay
> any messages. Is it possible?
> 
> If my local MTA is sending a message to the relay server with
> From: u...@domainexample.com
> 
> do I need to configure "domainexample.com"
> somewhere in Postfix?
> 
> I have the problem with "access relay denied" all the time...
> 
> Maybe somebody will be able to support me here.
> 
> 
> With kind regards
> 
> Zalezny
> 
> 
> 
> 



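As an added illustration (not Rohit's code and not Postfix source), a Python model of how the smtpd_relay_restrictions list above is walked for one RCPT TO: the site data (localmta.example, remote.example) and the client attributes (pipelined_early, sasl_username) are constructed. It shows why an unauthenticated external client is refused relay while mail for the local machine, and relay from a SASL-authenticated client, are permitted.

```python
"""Simplified model of Postfix smtpd_relay_restrictions evaluation.
Added illustration, not Postfix source: each restriction answers "permit",
"reject" or "dunno" (no opinion); Postfix walks the list in main.cf order
and the first permit/reject decides the RCPT TO command.
"""

# Constructed site data standing in for main.cf values and for DNS.
MYDESTINATION = {"localmta.example"}      # mail this box accepts for itself
RELAY_DOMAINS = set()                     # no domains relayed without auth
KNOWN_DOMAINS = {"localmta.example", "remote.example"}  # stands in for DNS

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def reject_unauth_pipelining(client, rcpt):
    return "reject" if client.get("pipelined_early") else "dunno"

def reject_non_fqdn_recipient(client, rcpt):
    return "reject" if "." not in _domain(rcpt) else "dunno"

def reject_unknown_recipient_domain(client, rcpt):
    return "reject" if _domain(rcpt) not in KNOWN_DOMAINS else "dunno"

def permit_auth_destination(client, rcpt):
    d = _domain(rcpt)
    return "permit" if d in MYDESTINATION or d in RELAY_DOMAINS else "dunno"

def permit_sasl_authenticated(client, rcpt):
    return "permit" if client.get("sasl_username") else "dunno"

def reject(client, rcpt):
    return "reject"

# Rohit's list, in the order given in main.cf.
SMTPD_RELAY_RESTRICTIONS = [
    reject_unauth_pipelining, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, permit_auth_destination,
    permit_sasl_authenticated, reject,
]

def evaluate(client, rcpt):
    """Return (decision, restriction that fired) for one RCPT TO from a client."""
    for restriction in SMTPD_RELAY_RESTRICTIONS:
        verdict = restriction(client, rcpt)
        if verdict != "dunno":
            return verdict, restriction.__name__
    return "permit", "end_of_list"   # Postfix permits when the list runs out
```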


Re: Need clarification of lookup table result values

2016-05-29 Thread Peter
On 30/05/16 03:29, Michael Fox wrote:
> Ah. O.K.  My original post said that I'm trying to configure
> postscreen_access.cidr,

This is the name of a table, which has absolutely no bearing on what
setting it is used for.  You could point alias_maps to
postscreen_access.cidr and then the expected results would be completely
different than if you set postscreen_access_list to it.  Also you didn't
mention the map type you are using, so we are meant to infer from a
table name that you chose what the actual setting is where that table is
used and the map type.

Look up the setting name in postconf(5) and it will either list the info
you want right there or reference another doc that contains the info you
want.


Peter


RE: Need clarification of lookup table result values

2016-05-29 Thread Michael Fox
> The access(5) manpage is for the Postfix SMTP DAEMON. It says so
> on the first line of the manpage, and it says so again in the first
> paragraph.
>
> The postscreen_access_list parameter, as the name suggests, is for
> the POSTSCREEN DAEMON. This name is as explicit as it can be, without
> changing the name to this_is_not_smtpd_this_is_postscreen_access_list.

Ah. O.K.  My original post said that I'm trying to configure
postscreen_access.cidr, but also want to understand things more generally.
I didn't see any differentiation between the two parts in your answer.  In
fact, "... an access table expects results as described in the access(5)
manpage ..." led me in the opposite direction, thinking that, since
postscreen_access.cidr is "an access table", then access(5) must apply.
Now I understand.  Thanks.

> 
> Here is a summary of the definition in the postconf(5) manpage:
> 
> postscreen_access_list (default: permit_mynetworks)
>    Permanent white/blacklist for remote SMTP client IP addresses.
>    postscreen(8) searches this list immediately after a remote SMTP client
>   ...
> 
> permit_mynetworks
>   ...
> 
> type:table
>   ...
> 
> permit
>   ...
> 
> reject
>   ...

Yes.  If it helps, my confusion started here.  The above paragraph lists
permit, reject and dunno.  But doesn't say they are the only values.  It
also says to use a CIDR table.  And the CIDR table page shows an example
using "OK".  It does not say that "OK" doesn't work for postscreen.  Hence,
my original question about "OK" vs. "permit".  Now I understand.  Thanks.

What about case?  The other result values in various table examples
(including the CIDR table example) are in caps ("OK", "REJECT", ...).  But
postconf(5) shows the values of postscreen_access_list to be in lower case.
Should permit/reject/dunno be strictly lowercase in the
postscreen_access.cidr table, or does upper case also work?

Thanks,
Michael 



relay server - allow connections from DSL with dynamic IP

2016-05-29 Thread Zalezny Niezalezny
hi,

My local MTA is using DSL with a dynamic IP address, so I need to forward my
messages to some external relay server with a static IP.

Unfortunately I'm not able to set up my dynamic IP on the relay server in
the network_table (or in mynetworks). Based on (ONLY) the username and
password (SASL), I would like to permit any external host to relay any
messages. Is it possible?

If my local MTA is sending a message to the relay server with
From: u...@domainexample.com

do I need to configure "domainexample.com" somewhere in Postfix?

I have the problem with "access relay denied" all the time...

Maybe somebody will be able to support me here.


With kind regards

Zalezny


Re: resolve local domain with MX records

2016-05-29 Thread Zalezny Niezalezny
Perfect! Thank You very much!

On Sun, May 29, 2016 at 9:15 AM, Wietse Venema  wrote:

> Zalezny Niezalezny:
> > Hallo Wietse,
> >
> > yes I understand Your point.
> >
> > In my internal host, DNS lookup is disabled. I simply would like to know
> > how I may specify some additional hosts in case of an accident with one of
> > them.
>
> IF you can't rely on DNS, list all gateway IP addresses in /etc/hosts.
>
> /etc/postfix/main.cf:
> relayhost = [gateway]
> smtp_host_lookup = native
>
> /etc/hosts:
> gateway 10.0.0.1
> gateway 10.0.0.2
> gateway 10.0.0.3
> gateway 10.0.0.4
>
> /etc/host.conf:
> multi on
>
> Wietse
>


Re: Need clarification of lookup table result values

2016-05-29 Thread Wietse Venema
Michael Fox:
>  
> > What is a valid result depends on what the result is used for: an
> > access table expects results as described in the access(5) manpage,
> > a virtual aliases table expects the results as described in the
> > virtual(5) manpage, a transport table expects results as described
> > in the transport(5) manpage, and the local aliases table expects
> > results as described in the aliases(5) manpage. You get the idea.
> 
> Generally speaking, yes.  But it's not so clear (to me) when applying to a
> specific case, like postscreen_access.

The access(5) manpage is for the Postfix SMTP DAEMON. It says so
on the first line of the manpage, and it says so again in the first
paragraph.

The postscreen_access_list parameter, as the name suggests, is for
the POSTSCREEN DAEMON. This name is as explicit as it can be, without
changing the name to this_is_not_smtpd_this_is_postscreen_access_list.

Here is a summary of the definition in the postconf(5) manpage:

postscreen_access_list (default: permit_mynetworks)
   Permanent   white/blacklist   for  remote  SMTP  client  IP  addresses.
   postscreen(8) searches this list immediately after a remote SMTP client
...

permit_mynetworks
...

type:table
...

permit
...

reject
...


Wietse
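As an added illustration (not postscreen's code and not from the thread), a Python model of the summary above: permit_mynetworks, a cidr: table whose lookup results are themselves access lists, and the permit/reject/dunno commands that terminate the search. The CIDR table, the mynetworks ranges and the client addresses are constructed, and treating command case as irrelevant is this model's assumption, not something the thread settles.

```python
"""Model of how postscreen_access_list walks its commands and tables.
Added illustration, not postscreen(8) source: commands and results follow the
postconf(5) summary in the thread; case-insensitive matching is an assumption.
"""
import ipaddress

# Constructed /etc/postfix/postscreen_access.cidr; first matching line wins.
CIDR_TABLE = """\
# trusted monitoring host: skip all postscreen tests
192.0.2.0/24      permit
# known-bad range: blacklist outright
198.51.100.0/24   reject
# partner range: no shortcut, run every test
203.0.113.0/24    dunno
"""
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

def parse_cidr_table(text):
    """Return [(network, result)] in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        entries.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return entries

def cidr_lookup(entries, ip):
    addr = ipaddress.ip_address(ip)
    return next((res for net, res in entries if addr in net), None)

def postscreen_access(commands, ip, tables):
    """Evaluate an access list; the first command that fires terminates the search."""
    for cmd in commands:
        key = cmd.lower()                       # assumption: case does not matter
        if key == "permit_mynetworks":
            if any(ipaddress.ip_address(ip) in n for n in MYNETWORKS):
                return "permit"
        elif key.startswith("cidr:"):
            result = cidr_lookup(tables[cmd[5:]], ip)
            if result is not None:              # a table result is itself an access list
                verdict = postscreen_access(result.split(), ip, {})
                if verdict != "fallthrough":
                    return verdict
        elif key in ("permit", "reject", "dunno"):
            return key                          # note: "OK" is not in this set
        else:
            raise ValueError("not a postscreen_access_list command: " + cmd)
    return "fallthrough"                        # nothing fired: client gets all tests
```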


Re: resolve local domain with MX records

2016-05-29 Thread Wietse Venema
Zalezny Niezalezny:
> Hallo Wietse,
> 
> yes I understand Your point.
> 
> In my internal host, DNS lookup is disabled. I simply would like to know
> how I may specify some additional hosts in case of an accident with one of them.

IF you can't rely on DNS, list all gateway IP addresses in /etc/hosts.

/etc/postfix/main.cf:
relayhost = [gateway]
smtp_host_lookup = native

/etc/hosts:
gateway 10.0.0.1
gateway 10.0.0.2
gateway 10.0.0.3
gateway 10.0.0.4

/etc/host.conf:
multi on

Wietse


RE: Need clarification of lookup table result values

2016-05-29 Thread Christian Kivalo

On 2016-05-29 06:34, Michael Fox wrote:
>> What is a valid result depends on what the result is used for: an
>> access table expects results as described in the access(5) manpage,
>> a virtual aliases table expects the results as described in the
>> virtual(5) manpage, a transport table expects results as described
>> in the transport(5) manpage, and the local aliases table expects
>> results as described in the aliases(5) manpage. You get the idea.
>
> Generally speaking, yes.  But it's not so clear (to me) when applying to a
> specific case, like postscreen_access.
>
>>> 2)  Is there a difference between "OK" and "permit"?  If so, what?
>>> 3)  When can/should text follow the "reject"
>>
>> Those things are described in the access(5) manpage.
>
> Hmmm ... I don't see it.
>
> The access(5) manpage lists many valid result formats, including OK.
> Regarding OK and permit, it says:
>
> OK Accept the address etc. that matches the pattern.
>
> ... and then the only mention of permit is:
>
> restriction...
>   Apply the named UCE restriction(s) (permit, reject,
>   reject_unauth_destination, and so on).
>
> So I don't see the answer.  In fact, OK doesn't seem to make sense for
> postscreen_access.  After all, OK what?  OK blacklist the address?  OK
> whitelist the address?

Take a look at this
http://www.postfix.org/postconf.5.html#postscreen_access_list

> I realize the difficulty of documenting something that's so infinitely
> flexible.  But without saying more explicitly what's allowed and what's not,
> there's just too much indirection (for me) to follow.
>
> So, back to my original question ... for postscreen_access.cidr:
> -- what would be the difference in behavior between using "OK" vs. "permit"?
> -- when can/should text follow the reject?
>
> Also, I can't find anywhere that says if the case matters.  Is "PERMIT"
> equivalent to "permit"?
>
> Thanks,
> Michael


--
 Christian Kivalo


Re: resolve local domain with MX records

2016-05-29 Thread Zalezny Niezalezny
I'm sorry, I sent my last email too fast.

example.com:[192.168.2.10, 192.168.2.11]

Would something like this be possible?


Thanks in advance for Your support.

Zalezny

On Sun, May 29, 2016 at 10:44 AM, Zalezny Niezalezny <
zalezny.niezale...@gmail.com> wrote:

> Hallo Wietse,
>
> yes I understand Your point.
>
> In my internal host, DNS lookup is disabled. I simply would like to know
> how I may specify some additional hosts in case of an accident with one of them.
> For example, in the transport table we have something like this:
>
> example.com :[gateway.example.com]
>
> Once dnslookup is disabled, e-mail will not be delivered to the gateway. At
> the moment gateway.example.com has an MX record with 2 systems:
>
> mx1.example.com / mx2.example.com
>
> Is it possible somehow to specify multiple hosts in the transport table
> when dnslookup is off?
>
> example.com
>
>
> On Fri, May 27, 2016 at 7:29 PM, Wietse Venema 
> wrote:
>
>> Please read my email again. Postfix does not use DNS to decide what
>> domains to ***receive*** email for; you must specify those domains
>> with mydestination, relay_domains, virtual_alias_domains or
>> virtual_mailbox_domains.
>>
>> Of course Postfix will use DNS to decide how to ***deliver*** mail.
>> Sending email without DNS would be problematic.
>>
>> Wietse
>>
>
>


Re: resolve local domain with MX records

2016-05-29 Thread Zalezny Niezalezny
Hallo Wietse,

yes I understand Your point.

In my internal host, DNS lookup is disabled. I simply would like to know
how I may specify some additional hosts in case of an accident with one of them.
For example, in the transport table we have something like this:

example.com :[gateway.example.com]

Once dnslookup is disabled, e-mail will not be delivered to the
gateway. At the moment gateway.example.com has an MX record with 2 systems:

mx1.example.com / mx2.example.com

Is it possible somehow to specify multiple hosts in the transport table
when dnslookup is off?

example.com


On Fri, May 27, 2016 at 7:29 PM, Wietse Venema  wrote:

> Please read my email again. Postfix does not use DNS to decide what
> domains to ***receive*** email for; you must specify those domains
> with mydestination, relay_domains, virtual_alias_domains or
> virtual_mailbox_domains.
>
> Of course Postfix will use DNS to decide how to ***deliver*** mail.
> Sending email without DNS would be problematic.
>
> Wietse
>