which has priority settings, main.cf or master.cf?

2016-11-09 Thread vod vos
Hi,



We can configure these in main.cf:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/recipient_access

And can overwrite parameter=value in master.cf like below, under "smtp ... smtpd/postscreen" or "submission ... smtpd":

-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

Which setting has priority?



Thanks.




Re: how to forbid telnet to port 25 or 587 to send mail via my server?

2016-11-09 Thread Viktor Dukhovni

> On Nov 9, 2016, at 9:32 PM, vod vos  wrote:
> 
> hi,
> 
> when telnet mail.example.com 25 or 587, the server will echo 220,
> 
> how to cancel the response to telnet after mail server configuration?

Your question makes no sense...

An SMTP server will respond to TCP client connections via "telnet",
"netcat", "posttls-finger", "swaks", Perl scripts that connect to
port 25, Python scripts that connect to Port 25.  Haskell programs
that connect to port 25...  The server does not and need not know
the details of the client implementation.

That's the power of open standards like TCP/IP.

If you want to disable inbound email, turn off the smtp/inet service.
If you want to disable outbound submission, turn off the submission/inet
service.

-- 
Viktor.



how to forbid telnet to port 25 or 587 to send mail via my server?

2016-11-09 Thread vod vos


hi,

when telnet mail.example.com 25 or 587, the server will echo 220,

how to cancel the response to telnet after mail server configuration?

thanks



Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread Viktor Dukhovni

> On Nov 9, 2016, at 9:54 AM, vod vos  wrote:
> 
> master.cf: 
> smtp inet ... smtpd 
>  ... 
>  -o smtp_relay_restrictions=$mua_relay_restrictions 
>  -o smtp_recipient_restrictions=$mua_recipient_restrictions 
>  -o smtpd_tls_security_level=encrypt 
>  -o smtpd_tls_auth_only=yes 
>  -o smtpd_sasl_auth_enable=yes
> 
> 
> But this setting will block the mail from non-TLS-configured servers. If
> smtpd_tls_security_level=may, port 25 still could not be forbidden.
> 
> any ideas?

SORRY, those were supposed to be submission (587) settings...

-- 
Viktor.



Re: Postfix for sendmail users - rejecting users with custom SMTP codes and text

2016-11-09 Thread Kris Deugau
Noel Jones wrote:
> On 11/9/2016 8:58 AM, Kris Deugau wrote:
>> I'm in the process of migrating my personal domain to a new server, and
>> in the process I'm switching from sendmail to Postfix.
>>
>> One feature I haven't been able to quite figure out is part of
>> sendmail's "virtusertable" - *most* of this is equivalent to
>> virtual_alias_maps, but it also allows you to do a variety of other
>> things such as reject arbitrary recipients with a custom SMTP response
>> code and message.
>>
>> For instance:
>>
>> kdeugau...@deepnet.cx   error:5.1.1:550 This address is no longer valid
>> as it was sold to spammers
>>
>> I've come close to an exact match by adding a check_recipient_access map
>> to smtpd_recipient_restrictions, but the resulting SMTP status codes
>> aren't quite correct - 554 vs 550.
> 
> Yes, check_recipient_access is the right tool for this.  You can
> manually specify the result code, see:
> http://www.postfix.org/access.5.html
> 
> oldu...@example.com  550 5.1.1 address not valid

Ahh, I found my mistake;  I misread that reference page.

You use EITHER the numeric codes OR the text codes, not both.

-kgd


Re: TLS details not in header as viewed from email client (claws)

2016-11-09 Thread li...@lazygranch.com
The claws group sent me on a wild goose chase. Postfix seems to work
just fine with Seamonkey email. The TLS portion of the header follows.


from nm24-vm3.bullet.mail.ne1.yahoo.com
(nm24-vm3.bullet.mail.ne1.yahoo.com [98.138.91.154]) (using TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client
certificate requested) by www.inplanesight.org (Postfix) with ESMTPS id
2E255EB20F for ; Tue,  8 Nov 2016 07:22:25 +
(UTC)

On Wed, 9 Nov 2016 09:03:12 -0800
"li...@lazygranch.com"  wrote:

> "smtpd_tls_received_header = yes" is in the postconf. But I appreciate
> the heads up on what to look for. So many parameters!
> 
> I'm going to set up a different mail client as a double check. The
> Claws people say nothing has changed on their end, but who knows. If
> I just set up a second imap, there shouldn't be any lost mail issues. 
> 
> 
> On Wed, 9 Nov 2016 10:17:04 -0600
> Noel Jones  wrote:
> 
> > On 11/9/2016 9:32 AM, li...@lazygranch.com wrote:  
> > > I posted the entire header from claws. That is the receive header
> > > since I sent the message from yahoo.
> > >   
> > 
> > There are no Received: headers in what you posted.  That's where the
> > TLS information is found. Either your claws is set to hide those
> > headers or you've configured postfix header_checks to remove them
> > with an IGNORE statement.  Don't do that.
> > 
> > 
> > 
> >   -- Noel Jones
> >   

Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread vod vos
It seems modifying "-o smtpd_sasl_auth_enable=no" below "smtp ... smtpd" works for me.

Then you could not auth successfully via port 25, and could auth successfully
via port 587 using TLS.

thanks all.





On Wednesday, 09 November 2016 08:35:36 -0800, Wietse Venema wie...@porcupine.org wrote:

> vod vos:
> > What I want to do is to forbid AUTH PLAIN on port 25,
>
> /etc/postfix/main.cf:
> smtp ... smtpd -o smtpd_tls_auth_only=yes
>
> However, you should not enable AUTH on port 25 at all, when your
> submission clients connect to port 587.
>
> The port 25 service is for MTA-to-MTA traffic, and that should not
> be using AUTH.
>
> > and just on port 587.
>
> And forbid what on port 587?
>
> Wietse








Re: TLS details not in header as viewed from email client (claws)

2016-11-09 Thread li...@lazygranch.com
"smtpd_tls_received_header = yes" is in the postconf. But I appreciate
the heads up on what to look for. So many parameters!

I'm going to set up a different mail client as a double check. The Claws
people say nothing has changed on their end, but who knows. If I just
set up a second imap, there shouldn't be any lost mail issues. 


On Wed, 9 Nov 2016 10:17:04 -0600
Noel Jones  wrote:

> On 11/9/2016 9:32 AM, li...@lazygranch.com wrote:
> > I posted the entire header from claws. That is the receive header
> > since I sent the message from yahoo.
> > 
> 
> There are no Received: headers in what you posted.  That's where the
> TLS information is found. Either your claws is set to hide those
> headers or you've configured postfix header_checks to remove them
> with an IGNORE statement.  Don't do that.
> 
> 
> 
>   -- Noel Jones
> 

Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread Wietse Venema
vod vos:
> What I want to do is to forbid AUTH PLAIN on port 25,

/etc/postfix/main.cf:
smtp ... smtpd -o smtpd_tls_auth_only=yes

However, you should not enable AUTH on port 25 at all, when your
submission clients connect to port 587.

The port 25 service is for MTA-to-MTA traffic, and that should not
be using AUTH.

> and just on port 587. 

And forbid what on port 587?

Wietse


Re: TLS details not in header as viewed from email client (claws)

2016-11-09 Thread Noel Jones
On 11/9/2016 9:32 AM, li...@lazygranch.com wrote:
> I posted the entire header from claws. That is the receive header since I 
> sent the message from yahoo.
> 

There are no Received: headers in what you posted.  That's where the
TLS information is found. Either your claws is set to hide those
headers or you've configured postfix header_checks to remove them
with an IGNORE statement.  Don't do that.



  -- Noel Jones

Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread vod vos
What I want to do is to forbid AUTH PLAIN on port 25, and just on port 587.

Thanks Wietse.

> > If smtpd_tls_security_level=may, port 25 still could not be forbidden.
>
> You can't forbid connections made with "starttls s_client...".
> Where do you get the idea from that that is even possible?
>
> Wietse








Re: TLS details not in header as viewed from email client (claws)

2016-11-09 Thread lists
I posted the entire header from claws. That is the receive header since I sent 
the message from yahoo.


  Original Message  
From: Noel Jones
Sent: Wednesday, November 9, 2016 6:53 AM
To: postfix-users@postfix.org
Reply To: postfix users
Subject: Re: TLS details not in header as viewed from email client (claws)

On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
> I no longer see TLS details in the header. I checked maillog and
> TLS is being established.
> ---
> From maillog:
> Nov 8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS connection
> established from nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2
> with cipher ECDHE-RSA-AES128-GCM-SHA2 56 (128/128 bits)
> 
> 
> Header (slightly sanitized to stay off of google)
> -
> From: some dude 
> To: "me" 
> Subject: from yahoo
> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
> Reply-To: some dude 
> Return-Path: 
> X-Original-To: m...@mydomain.com
> Delivered-To: m...@mydomain.com
> X-Virus-Scanned: amavisd-new at mydomain.com
> Authentication-Results: www.mydomain.com (amavisd-new);
> dkim=pass (2048-bit key) header.d=yahoo.com
> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
> Authentication-Results: mydomain.com;
> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
> header.i=@yahoo.com header.b=trAlWMaE DKIM-Signature: v=1;
> a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1478591383;
> bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
> h=Date:From:Reply-To:To:Subject:References:From:Subject;
> X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id:
> 878361.88180...@omp1007.mail.ne1.yahoo.com X-YMail-OSG:
> 
> from yahoo
> -



Where are the Received: headers? Don't remove them.



-- Noel Jones


> 
> 
> # postconf -n (sanitized also)
> 
> 
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> compatibility_level = 2
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
> $daemon_directory/$process_name $process_id & sleep 5
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix
> inet_interfaces = all
> inet_protocols = ipv4
> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> lmtp_tls_protocols = !SSLv2, !SSLv3
> mail_owner = postfix
> mailbox_command = /usr/local/libexec/dovecot/deliver
> mailbox_size_limit = 0
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 0
> milter_default_action = accept
> milter_protocol = 6
> mydomain = somedomain.com
> myhostname = www.somedomain.com
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> non_smtpd_milters = $smtpd_milters
> policyd-spf_time_limit = 3600
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXPORT, LOW
> smtp_tls_loglevel = 2
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = may
> smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, 
> reject_unauth_destination, check_client_access 
> hash:/usr/local/etc/postfix/spamsources
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, 
> reject_unauth_destination, check_client_access 
> hash:/usr/local/etc/postfix/rbl_override, reject_rbl_client 
> rhsbl.scientificspam.net, reject_rbl_client bl.spamcop.net, reject_rbl_client 
> cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client 
> ix.dnsbl.manitu.net, reject_rbl_client rabl.nuclearelephant.com, 
> 
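Noel's point above is that the TLS evidence lives in the Received: header smtpd adds (with smtpd_tls_received_header = yes), so a header_checks rule that IGNOREs Received: removes exactly what is being looked for. The following is an added example, not Postfix code: it unfolds a constructed header block, extracts the TLS clause per hop, and replays a constructed header_checks table (regexp_table(5) semantics: case-insensitive unless the "i" flag toggles it off; first matching rule decides) to show the header disappearing. Hostnames, addresses and queue IDs are placeholders.

```python
"""Where Postfix records TLS details, and how a header_checks IGNORE rule hides them.

Added example; not Postfix code.  The message and table below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed header block: the outer Received: hop is what a TLS-enabled smtpd
# writes (folded across lines); the inner hop was cleartext.
RAW_HEADERS = """\
Return-Path: <sender@example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
\t(No client certificate requested)
\tby mail.example.org (Postfix) with ESMTPS id QUEUEID1
\tfor <me@example.org>; Tue,  8 Nov 2016 07:22:25 +0000 (UTC)
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby mx.example.net (Postfix) with ESMTP id QUEUEID2
\tfor <me@example.org>; Tue,  8 Nov 2016 07:22:20 +0000 (UTC)
From: Some Sender <sender@example.net>
Subject: test
"""

# Constructed header_checks table (regexp: format).  The first rule is the
# kind Noel warns against; the second is harmless.
HEADER_CHECKS = """\
/^Received:/    IGNORE
/^X-Mailer:/    IGNORE
"""

_TLS = re.compile(r"\(using (?P<proto>[\w.]+) with cipher (?P<cipher>[\w-]+) "
                  r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)\)")


def unfold_headers(raw: str) -> List[Header]:
    """Split a header block into (name, value) pairs, joining folded lines."""
    headers: List[Header] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:          # continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def tls_details(headers: List[Header]) -> List[Optional[Dict[str, str]]]:
    """One entry per Received: hop, outermost first: the TLS clause as a dict,
    or None when that hop recorded no TLS (cleartext, or the header is gone)."""
    out: List[Optional[Dict[str, str]]] = []
    for name, value in headers:
        if name.lower() == "received":
            m = _TLS.search(value)
            out.append(m.groupdict() if m else None)
    return out


def parse_header_checks(text: str) -> List[Tuple[re.Pattern, str]]:
    """regexp_table(5) lines: /pattern/flags action.  Matching is
    case-insensitive by default; the "i" flag toggles that off."""
    rules: List[Tuple[re.Pattern, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(\S+)", line)
        if not m:
            raise ValueError(f"unsupported header_checks line: {line!r}")
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE),
                      action.upper()))
    return rules


def apply_header_checks(headers: List[Header],
                        rules: List[Tuple[re.Pattern, str]]) -> List[Header]:
    """Each logical (unfolded) "Name: value" line is tested against the rules in
    order; the first match decides.  IGNORE deletes the header, other actions
    keep it (only IGNORE is modelled here)."""
    kept: List[Header] = []
    for name, value in headers:
        logical = f"{name}: {value}"
        action = next((act for rx, act in rules if rx.search(logical)), None)
        if action != "IGNORE":
            kept.append((name, value))
    return kept
```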

Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread Wietse Venema
vod vos:
> master.cf: 
> 
> smtp inet ... smtpd 
>  ... 
>  -o smtp_relay_restrictions=$mua_relay_restrictions 
>  -o smtp_recipient_restrictions=$mua_recipient_restrictions 
>  -o smtpd_tls_security_level=encrypt 
>  -o smtpd_tls_auth_only=yes 
>  -o smtpd_sasl_auth_enable=yes
> 
> But this setting will block the mail from non tls configured server.

Right, so don't do that.

> If smtpd_tls_security_level=may, port 25 still could not be forbidden.

You can't forbid connections made with "starttls s_client...". 
Where do you get the idea from that that is even possible?

Wietse


Re: Postfix for sendmail users - rejecting users with custom SMTP codes and text

2016-11-09 Thread Noel Jones
On 11/9/2016 8:58 AM, Kris Deugau wrote:
> I'm in the process of migrating my personal domain to a new server, and
> in the process I'm switching from sendmail to Postfix.
> 
> One feature I haven't been able to quite figure out is part of
> sendmail's "virtusertable" - *most* of this is equivalent to
> virtual_alias_maps, but it also allows you to do a variety of other
> things such as reject arbitrary recipients with a custom SMTP response
> code and message.
> 
> For instance:
> 
> kdeugau...@deepnet.cx   error:5.1.1:550 This address is no longer valid
> as it was sold to spammers
> 
> I've come close to an exact match by adding a check_recipient_access map
> to smtpd_recipient_restrictions, but the resulting SMTP status codes
> aren't quite correct - 554 vs 550.

Yes, check_recipient_access is the right tool for this.  You can
manually specify the result code, see:
http://www.postfix.org/access.5.html

oldu...@example.com  550 5.1.1 address not valid

CAUTION: as documented, an all numeric result with no text is
treated as OK.


  -- Noel Jones


Postfix for sendmail users - rejecting users with custom SMTP codes and text

2016-11-09 Thread Kris Deugau
I'm in the process of migrating my personal domain to a new server, and
in the process I'm switching from sendmail to Postfix.

One feature I haven't been able to quite figure out is part of
sendmail's "virtusertable" - *most* of this is equivalent to
virtual_alias_maps, but it also allows you to do a variety of other
things such as reject arbitrary recipients with a custom SMTP response
code and message.

For instance:

kdeugau...@deepnet.cx   error:5.1.1:550 This address is no longer valid
as it was sold to spammers

I've come close to an exact match by adding a check_recipient_access map
to smtpd_recipient_restrictions, but the resulting SMTP status codes
aren't quite correct - 554 vs 550.

It doesn't matter that much, but I'd like to be precise with these
responses.

Postfix 2.11 on Debian 8/Jessie.  Suggestions for other minor fixups
welcome as well, although I'm pretty sure I've got everything else
working the way I want.

-kgd



# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
delay_warning_time = 1h
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = tiny.deepnet.cx, localhost.deepnet.cx, deepnet.cx,
deepnet.ca, localhost
myhostname = tiny.deepnet.cx
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +_
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/nosuchuser, permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/smtp_deepnet_cx.crt
smtpd_tls_key_file = /etc/ssl/private/hex.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual_alias,
regexp:/etc/postfix/regexp_virtual_alias

# cat /etc/postfix/nosuchuser
kdeugau...@deepnet.cx   REJECT 5.1.1 550 This address is no longer valid
as it was sold to spammers
someuserwhol...@deepnet.cx  REJECT Sorry, not accepting mail for
this account
supp...@deepnet.cx  REJECT


sendmail, old server:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 hex.deepnet.cx ESMTP Sendmail 8.13.8/8.13.8; Tue, 8 Nov 2016
14:40:32 -0500
helo local
250 hex.deepnet.cx Hello hex.deepnet.cx [127.0.0.1], pleased to meet you
mail from:kdeu...@deepnet.cx
250 2.1.0 kdeu...@deepnet.cx... Sender ok
rcpt to:kdeugau...@deepnet.cx
550 5.1.1 kdeugau...@deepnet.cx... This address is no longer valid as it
was sold to spammers
quit
221 2.0.0 hex.deepnet.cx closing connection
Connection closed by foreign host.
$

postfix, new server:

$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 tiny.deepnet.cx ESMTP Postfix
helo local
250 tiny.deepnet.cx
mail from:kdeu...@deepnet.cx
250 2.1.0 Ok
rcpt to:kdeugau...@deepnet.cx
554 5.1.1 : Recipient address rejected: 550 This
address is no longer valid as it was sold to spammers
quit
221 2.0.0 Bye
Connection closed by foreign host.
$
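The two transcripts above, together with Noel's answer earlier in this digest, show the difference between the access(5) result forms. The following is an added example, not Postfix code: it models how smtpd turns a check_recipient_access lookup result into the RCPT TO reply, reproducing the 554-vs-550 outcome ("REJECT 5.1.1 550 ..." keeps the default access_map_reject_code 554 and treats "550 ..." as text, while "550 5.1.1 ..." uses 550) and Noel's caution that an all-numeric result with no text is treated as OK. The table and addresses are constructed placeholders.

```python
"""How Postfix turns an access(5) lookup result into an SMTP reply.

Added example; models documented Postfix behaviour, not Postfix code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACCESS_MAP_REJECT_CODE = 554     # Postfix default for access_map_reject_code
_ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})\s*(.*)$", re.S)

# Constructed check_recipient_access table (hash: source format).
ACCESS_TABLE = """\
retired@example.com   REJECT 5.1.1 550 This address is no longer valid as it was sold to spammers
gone@example.com      550 5.1.1 address not valid
noreply@example.com   REJECT Sorry, not accepting mail for this account
trap@example.com      550
spam.example.org      REJECT
"""


@dataclass
class Verdict:
    action: str                       # "OK", "DUNNO" or "REJECT"
    code: Optional[int] = None
    dsn: Optional[str] = None
    text: Optional[str] = None

    def smtp_reply(self) -> Optional[str]:
        return f"{self.code} {self.dsn} {self.text}" if self.action == "REJECT" else None


def _split_dsn(text: str, default: str) -> Tuple[str, str]:
    """A leading enhanced status code (d.d.d) in the text replaces the default."""
    m = _ENHANCED.match(text)
    return (m.group(1), m.group(2)) if m else (default, text)


def apply_result(result: str, address: str, reply_class: str = "Recipient address") -> Verdict:
    """Verdict for one lookup result, formatted the way smtpd reports it."""
    result = result.strip()
    if result.isdigit():
        # access(5): an all-numeric result is treated as OK (pop-before-smtp
        # legacy), so "550" with no text ACCEPTS the recipient: Noel's caution.
        return Verdict("OK")
    action, _, text = result.partition(" ")
    action, text = action.upper(), text.strip()
    if action in ("OK", "DUNNO"):
        return Verdict(action)
    if action == "REJECT":
        code = ACCESS_MAP_REJECT_CODE          # the written "550" is only text
        dsn, text = _split_dsn(text, "5.7.1")
        text = text or "Access denied"
    elif re.fullmatch(r"[45]\d\d", action):
        code = int(action)                     # numeric form: the code you wrote
        dsn, text = _split_dsn(text, f"{action[0]}.7.1")
    else:
        raise ValueError(f"unsupported access(5) result: {result!r}")
    return Verdict("REJECT", code, dsn, f"<{address}>: {reply_class} rejected: {text}")


def parse_access_table(text: str) -> Dict[str, str]:
    """key<whitespace>result lines; hash: lookups fold the key's case."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, result = re.split(r"\s+", line, maxsplit=1)
        table[key.lower()] = result
    return table


def lookup_recipient(table: Dict[str, str], address: str) -> Optional[str]:
    """access(5) search order for an address: user@domain, the domain and each
    parent domain (smtpd_access_maps is in parent_domain_matches_subdomains by
    default), then user@."""
    user, _, domain = address.lower().rpartition("@")
    labels = domain.split(".")
    candidates = ([address.lower()]
                  + [".".join(labels[i:]) for i in range(len(labels))]
                  + [user + "@"])
    for key in candidates:
        if key in table:
            return table[key]
    return None


def check_recipient(address: str, table_text: str = ACCESS_TABLE) -> Optional[str]:
    """The reply smtpd would send at RCPT TO, or None when the table accepts."""
    result = lookup_recipient(parse_access_table(table_text), address)
    return None if result is None else apply_result(result, address).smtp_reply()
```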


Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread vod vos
master.cf:

smtp inet ... smtpd
 ...
 -o smtp_relay_restrictions=$mua_relay_restrictions
 -o smtp_recipient_restrictions=$mua_recipient_restrictions
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_auth_only=yes
 -o smtpd_sasl_auth_enable=yes

But this setting will block the mail from non-TLS-configured servers. If
smtpd_tls_security_level=may, port 25 still could not be forbidden.

any ideas?

On Wednesday, 09 November 2016 02:18:01 -0800, vod vos vod...@zoho.com wrote:

> That helps. Thanks.
>
> On Wednesday, 09 November 2016 01:21:15 -0800, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
>
> > On Wed, Nov 09, 2016 at 12:47:05AM -0800, vod vos wrote:
> >
> > > How to forbid using openssl.. starttls to connect port 25?
> >
> > You can only do that by disabling TLS entirely, but that does not
> > seem to be what you're asking for. On the receiving end, there is
> > no way to distinguish between "openssl -starttls tls" and an actual
> > TLS-capable MTA.
> >
> > > Or how to forbid AUTH PLAIN on port 25, and just using port 587
> > > for submission?
> >
> > That's easy enough, only enable sasl auth on port 587 via the
> > appropriate master.cf "-o smtpd_...=value" override settings,
> > and require TLS on port 587:
> >
> > master.cf:
> > smtp inet ... smtpd
> >  ...
> >  -o smtp_relay_restrictions=$mua_relay_restrictions
> >  -o smtp_recipient_restrictions=$mua_recipient_restrictions
> >  -o smtpd_tls_security_level=encrypt
> >  -o smtpd_tls_auth_only=yes
> >  -o smtpd_sasl_auth_enable=yes
> >
> > main.cf:
> > # Postfix 2.10 or later, else recipient restrictions
> > mua_relay_restrictions = permit_sasl_authenticated, reject
> >
> > # Default off
> > smtpd_sasl_auth_enable = no
> >
> > # Minimum recommended server TLS settings:
> > #
> > # Also see: http://www.postfix.org/FORWARD_SECRECY_README.html
> > #
> > smtpd_tls_security_level = may
> > smtpd_tls_loglevel = 1
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtpd_tls_ciphers = medium
> > tls_preempt_cipherlist = yes
> >
> > --
> > Viktor.








Re: TLS details not in header as viewed from email client (claws)

2016-11-09 Thread Noel Jones
On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
> I no longer see TLS details in the header. I checked maillog and
> TLS is being established.
> ---
> From maillog:
> Nov  8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS connection
> established from nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2
> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> 
> 
> Header (slightly sanitized to stay off of google)
> -
> From: some dude 
> To: "me" 
> Subject: from yahoo
> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
> Reply-To: some dude 
> Return-Path: 
> X-Original-To: m...@mydomain.com
> Delivered-To: m...@mydomain.com
> X-Virus-Scanned: amavisd-new at mydomain.com
> Authentication-Results: www.mydomain.com (amavisd-new);
>  dkim=pass (2048-bit key) header.d=yahoo.com
> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
> Authentication-Results: mydomain.com;
>  dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
> header.i=@yahoo.com header.b=trAlWMaE
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
> t=1478591383; bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
> h=Date:From:Reply-To:To:Subject:References:From:Subject;
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 878361.88180...@omp1007.mail.ne1.yahoo.com
> X-YMail-OSG:
> 
> from yahoo
> -



Where are the Received: headers?  Don't remove them.



  -- Noel Jones


> 
> 
> # postconf -n (sanitized also)
> 
> 
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> compatibility_level = 2
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
> $daemon_directory/$process_name $process_id & sleep 5
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix
> inet_interfaces = all
> inet_protocols = ipv4
> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> lmtp_tls_protocols = !SSLv2, !SSLv3
> mail_owner = postfix
> mailbox_command = /usr/local/libexec/dovecot/deliver
> mailbox_size_limit = 0
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 0
> milter_default_action = accept
> milter_protocol = 6
> mydomain = somedomain.com
> myhostname = www.somedomain.com
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> non_smtpd_milters = $smtpd_milters
> policyd-spf_time_limit = 3600
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXPORT, LOW
> smtp_tls_loglevel = 2
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = may
> smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, 
> reject_unauth_destination, check_client_access 
> hash:/usr/local/etc/postfix/spamsources
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, 
> reject_unauth_destination, check_client_access 
> hash:/usr/local/etc/postfix/rbl_override, reject_rbl_client 
> rhsbl.scientificspam.net, reject_rbl_client bl.spamcop.net, reject_rbl_client 
> cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client 
> ix.dnsbl.manitu.net, reject_rbl_client rabl.nuclearelephant.com, 
> reject_rbl_client zen.spamhaus.org, check_policy_service 
> unix:private/policyd-spf, permit
> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, 
> reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> 
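As an added example (not from the list or from Postfix), a Python parser for the TLS clause Postfix writes into Received: headers, which is where the detail Noel points to lives. The message it parses is constructed in the layout Postfix uses for Received: lines, with the cipher clause modelled on the log line quoted above; the host and id values are made up for the example.

```python
"""Extract the per-hop TLS details from Postfix Received: headers.
Added example, not Postfix or mailing-list code; SAMPLE is constructed."""
import email
import re

# Constructed message: last hop into www.mydomain.com over TLS, earlier hop in the clear
SAMPLE = """\
Received: from nm27.bullet.mail.ne1.yahoo.com (nm27.bullet.mail.ne1.yahoo.com [98.138.90.90])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
\t(No client certificate requested)
\tby www.mydomain.com (Postfix) with ESMTPS id 6AA43EB20F
\tfor <me@mydomain.com>; Tue,  8 Nov 2016 07:49:43 +0000 (UTC)
Received: from [127.0.0.1] by omp1007.mail.ne1.yahoo.com with ESMTP id 878361;
\tTue, 8 Nov 2016 07:49:41 +0000 (UTC)
From: some dude <dude@yahoo.com>
Subject: from yahoo

body
"""

# "(using <protocol> with cipher <name> (<bits>/<bits> bits))" as Postfix writes it
TLS_RE = re.compile(r"\(using (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)\)")
# "by <host> ... with SMTP|ESMTP|ESMTPS|ESMTPA|ESMTPSA" (the S means TLS was used)
HOP_RE = re.compile(r"\bby (\S+) .*?\bwith (E?SMTPS?A?)\b")

def received_hops(raw):
    """Return one dict per Received: header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:
        flat = " ".join(value.split())          # unfold continuation lines
        hop = {"by": None, "proto": None, "tls": None}
        m = HOP_RE.search(flat)
        if m:
            hop["by"], hop["proto"] = m.group(1), m.group(2)
        t = TLS_RE.search(flat)
        if t:
            hop["tls"] = {"protocol": t.group(1), "cipher": t.group(2),
                          "bits": int(t.group(3))}
        hops.append(hop)
    return hops

def last_hop_encrypted(raw, our_host):
    """True if the hop that delivered the message to our_host used TLS."""
    return any(h["by"] == our_host and h["tls"] is not None
               for h in received_hops(raw))
```

If a message shows no TLS clause at all, check first that the Received: headers are still present; a client or filter that strips them removes this evidence along with the routing trail.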

Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread vod vos
That helps. Thanks.






Re: How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread Viktor Dukhovni
On Wed, Nov 09, 2016 at 12:47:05AM -0800, vod vos wrote:

> How to forbid using openssl.. starttls to connect port 25? 

You can only do that by disabling TLS entirely, but that does not
seem to be what you're asking for.  On the receiving end, there is
no way to distinguish between "openssl -starttls tls" and an actual
TLS-capable MTA.

> Or how to forbid AUTH PLAIN on port 25, and just using port 587
> for submission?

That's easy enough, only enable sasl auth on port 587 via the
appropriate master.cf "-o smtpd_...=value" override settings,
and require TLS on port 587:

master.cf:
# the submission service (port 587); the smtp service (port 25) keeps the main.cf defaults
submission inet ... smtpd
  ...
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes

main.cf:
# Postfix 2.10 or later, else recipient restrictions
mua_relay_restrictions = permit_sasl_authenticated, reject
# referenced by the submission override above (older Postfix without smtpd_relay_restrictions)
mua_recipient_restrictions = permit_sasl_authenticated, reject

# Default off
smtpd_sasl_auth_enable = no

# Minimum recommended server TLS settings:
#
# Also see: http://www.postfix.org/FORWARD_SECRECY_README.html
#
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
tls_preempt_cipherlist = yes

-- 
Viktor.
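As an added example (not Postfix's code or Viktor's), a small Python check of the master.cf split described above: it parses each inet service's "-o" overrides and flags any service that offers SASL AUTH on port 25 or without mandatory TLS. The master.cf fragments and the main.cf defaults it assumes are constructed for this example.

```python
"""Check which master.cf services offer SASL AUTH and whether they require TLS.
Added example, not Postfix code; MAIN_CF defaults and the fragments are constructed."""
import re

# Assumed main.cf defaults from the answer above; "-o" overrides layer on top
MAIN_CF = {"smtpd_sasl_auth_enable": "no", "smtpd_tls_security_level": "may",
           "smtpd_tls_auth_only": "no"}
# Constructed: overrides on the smtp service (port 25), as in the follow-up post
BAD = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
submission inet  n  -  n  -  -  smtpd
"""
# Constructed: overrides on submission (port 587) only
GOOD = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Map each inet service to main.cf defaults with its own "-o" lines applied."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():              # start of a service entry
            fields = line.split()
            current = fields[0] if len(fields) > 1 and fields[1] == "inet" else None
            if current:
                services[current] = dict(MAIN_CF)
        elif current:                           # indented continuation line
            m = re.match(r"\s*-o\s+(\w+)=(\S*)", line)
            if m:
                services[current][m.group(1)] = m.group(2)
    return services

def audit(text):
    """Return (service, problem) pairs; empty means the split is as advised."""
    findings = []
    for name, cfg in parse_master_cf(text).items():
        if cfg["smtpd_sasl_auth_enable"] != "yes":
            continue                            # no AUTH on this service
        if name == "smtp":
            findings.append((name, "SASL AUTH offered on port 25"))
        if cfg["smtpd_tls_security_level"] != "encrypt":
            findings.append((name, "SASL AUTH without mandatory TLS"))
    return findings
```

On a live system the same information is available from `postconf -M` and `postconf -P`, which resolve the "..." columns the fragments above leave out.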


How to forbid using openssl.. starttls to connect port 25?

2016-11-09 Thread vod vos
hi,



How to forbid using openssl.. starttls to connect port 25? 



Or how to forbid AUTH PLAIN on port 25, and just using port 587 for submission?



Thanks.





Re: Transport mapping via mySQL?

2016-11-09 Thread Jan Johansson
>It's actually quite simple:
>1) Create a file with the MySQL credentials and the query
>2) Include the created file in transport_maps within main.cf
>
>/etc/postfix/mysql_relay_transport_maps.cf
>   user = dbuser
>   password = dbpass
>   dbname = maildb
>   hosts = unix:/var/run/mysqld/mysqld.sock
>   query = SELECT transport FROM domain WHERE domain = '%s'
>
>/etc/postfix/main.cf
>   transport_maps =
>       btree:/etc/postfix/transport_maps,
>       proxy:mysql:/etc/postfix/mysql_relay_transport_maps.cf

Thank you kindly. Is there some short code for the entire email address? Just the
domain won't cut it (we're choosing the transport based on the full email address).