which has priority settings, main.cf or master.cf?
Hi,

We can configure these in main.cf

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,reject_invalid_hostname,reject_unauth_pipelining,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,check_recipient_access hash:/etc/postfix/recipient_access

And can overwrite parameters=value in master.cf like below

smtp...smtpd/postscreen or sub..mi.ssion...smtpd
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

which has priority setting?

Thanks.
Re: how to forbid telnet to port 25 or 587 to send mail via my server?
> On Nov 9, 2016, at 9:32 PM, vod vos wrote:
>
> hi,
>
> when telnet mail.example.com 25 or 587, the server will echo 220,
>
> how to c_a_n_c_e_l the respond to telnet after mail server configuration?

Your question makes no sense... An SMTP server will respond to TCP client connections via "telnet", "netcat", "posttls-finger", "swaks", Perl scripts that connect to port 25, Python scripts that connect to Port 25. Haskell programs that connect to port 25...

The server does not and need not know the details of the client implementation. That's the power of open standards like TCP/IP.

If you want to disable inbound email, turn off the smtp/inet service. If you want to disable outbound submission, turn off the submission/inet service.

-- Viktor.
how to forbid telnet to port 25 or 587 to send mail via my server?
hi, when telnet mail.example.com 25 or 587, the server will echo 220, how to cancel the respond to telnet after mail server configuration? thanks
Re: How to forbid using openssl.. starttls to connect port 25?
> On Nov 9, 2016, at 9:54 AM, vod vos wrote:
>
> master.cf:
> smtp inet ... smtpd
> ...
> -o smtpd_relay_restrictions=$mua_relay_restrictions
> -o smtpd_recipient_restrictions=$mua_recipient_restrictions
> -o smtpd_tls_security_level=encrypt
> -o smtpd_tls_auth_only=yes
> -o smtpd_sasl_auth_enable=yes
>
> But this setting will block the mail from non tls configured server. If
> smtpd_tls_security_level=may, the port 25 is still could not be forbidden.
>
> any ideas?

SORRY, those were supposed to be submission (587) settings...

-- Viktor.
Re: Postfix for sendmail users - rejecting users with custom SMTP codes and text
Noel Jones wrote:
> On 11/9/2016 8:58 AM, Kris Deugau wrote:
>> I'm in the process of migrating my personal domain to a new server, and
>> in the process I'm switching from sendmail to Postfix.
>>
>> One feature I haven't been able to quite figure out is part of
>> sendmail's "virtusertable" - *most* of this is equivalent to
>> virtual_alias_maps, but it also allows you to do a variety of other
>> things such as reject arbitrary recipients with a custom SMTP response
>> code and message.
>>
>> For instance:
>>
>> kdeugau...@deepnet.cx error:5.1.1:550 This address is no longer valid
>> as it was sold to spammers
>>
>> I've come close to an exact match by adding a check_recipient_access map
>> to smtpd_recipient_restrictions, but the resulting SMTP status codes
>> aren't quite correct - 554 vs 550.
>
> Yes, check_recipient_access is the right tool for this. You can
> manually specify the result code, see:
> http://www.postfix.org/access.5.html
>
> oldu...@example.com 550 5.1.1 address not valid

Ahh, I found my mistake; I misread that reference page. You use EITHER the numeric codes OR the text codes, not both.

-kgd
Re: TLS details not in header as viewed from email client (claws)
The claws group sent me on a wild goose chase. Postfix seems to work just fine with Seamonkey email. The TLS portion of the header follows.

from nm24-vm3.bullet.mail.ne1.yahoo.com (nm24-vm3.bullet.mail.ne1.yahoo.com [98.138.91.154])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by www.inplanesight.org (Postfix) with ESMTPS id 2E255EB20F
for; Tue, 8 Nov 2016 07:22:25 + (UTC)

On Wed, 9 Nov 2016 09:03:12 -0800 "li...@lazygranch.com" wrote:

> "smtpd_tls_received_header = yes" is in the postconf. But I appreciate
> the heads up on what to look for. So many parameters!
>
> I'm going to set up a different mail client as a double check. The
> Claws people say nothing has changed on their end, but who knows. If
> I just set up a second imap, there shouldn't be any lost mail issues.
>
> On Wed, 9 Nov 2016 10:17:04 -0600
> Noel Jones wrote:
>
> > On 11/9/2016 9:32 AM, li...@lazygranch.com wrote:
> > > I posted the entire header from claws. That is the receive header
> > > since I sent the message from yahoo.
> > >
> >
> > There are no Received: headers in what you posted. That's where the
> > TLS information is found. Either your claws is set to hide those
> > headers or you've configured postfix header_checks to remove them
> > with an IGNORE statement. Don't do that.
> >
> > -- Noel Jones
> >
> > > Original Message
> > > From: Noel Jones
> > > Sent: Wednesday, November 9, 2016 6:53 AM
> > > To: postfix-users@postfix.org
> > > Reply To: postfix users
> > > Subject: Re: TLS details not in header as viewed from email client
> > > (claws)
> > >
> > > On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
> > >> I no longer see TLS details in the header. I checked maillog and
> > >> TLS is being established.
> > >> ---
> > >> From maillog:
> > >> Nov 8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS
> > >> connection established from
> > >> nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2 with cipher
> > >> ECDHE-RSA-AES128-GCM-SHA2 56 (128/128 bits)
> > >>
> > >> Header (slightly sanitized to stay off of google)
> > >> -
> > >> From: some dude
> > >> To: "me"
> > >> Subject: from yahoo
> > >> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
> > >> Reply-To: some dude
> > >> Return-Path:
> > >> X-Original-To: m...@mydomain.com
> > >> Delivered-To: m...@mydomain.com
> > >> X-Virus-Scanned: amavisd-new at mydomain.com
> > >> Authentication-Results: www.mydomain.com (amavisd-new);
> > >> dkim=pass (2048-bit key) header.d=yahoo.com
> > >> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
> > >> Authentication-Results: mydomain.com;
> > >> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
> > >> header.i=@yahoo.com header.b=trAlWMaE DKIM-Signature: v=1;
> > >> a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
> > >> t=1478591383; bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
> > >> h=Date:From:Reply-To:To:Subject:References:From:Subject;
> > >> X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id:
> > >> 878361.88180...@omp1007.mail.ne1.yahoo.com X-YMail-OSG:
> > >>
> > >> from yahoo
> > >> -
> > >
> > > Where are the Received: headers? Don't remove them.
> > >
> > > -- Noel Jones
> > >
> > >>
> > >> # postconf -n (sanitized also)
> > >>
> > >> broken_sasl_auth_clients = yes
> > >> command_directory = /usr/local/sbin
> > >> compatibility_level = 2
> > >> content_filter = amavisfeed:[127.0.0.1]:10024
> > >> daemon_directory = /usr/local/libexec/postfix
> > >> data_directory = /var/db/postfix
> > >> debug_peer_level = 2
> > >> debugger_command =
> > >> PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
Re: How to forbid using openssl.. starttls to connect port 25?
it seem modify "-o smtpd_sasl_auth_enable=no" below "smtp ... smtpd" work for me.

then you could not auth successfully via port 25, and could auth successfully via port 587 using tls.

thanks all.

On Wednesday, 09 November 2016 08:35:36 -0800 Wietse Venema wie...@porcupine.org wrote

vod vos:
What I want to do is to forbid AUTH PLAIN on port 25,

/etc/postfix/main.cf:
    smtp ... smtpd
        -o smtpd_tls_auth_only=yes

However, you should not enable AUTH on port 25 at all, when your submission clients connect to port 587. The port 25 service is for MTA-to-MTA traffic, and that should not be using AUTH.

and just on port 587.

And forbid what on port 587?

Wietse
Re: TLS details not in header as viewed from email client (claws)
"smtpd_tls_received_header = yes" is in the postconf. But I appreciate the heads up on what to look for. So many parameters!

I'm going to set up a different mail client as a double check. The Claws people say nothing has changed on their end, but who knows. If I just set up a second imap, there shouldn't be any lost mail issues.

On Wed, 9 Nov 2016 10:17:04 -0600 Noel Jones wrote:

> On 11/9/2016 9:32 AM, li...@lazygranch.com wrote:
> > I posted the entire header from claws. That is the receive header
> > since I sent the message from yahoo.
> >
>
> There are no Received: headers in what you posted. That's where the
> TLS information is found. Either your claws is set to hide those
> headers or you've configured postfix header_checks to remove them
> with an IGNORE statement. Don't do that.
>
> -- Noel Jones
>
> > Original Message
> > From: Noel Jones
> > Sent: Wednesday, November 9, 2016 6:53 AM
> > To: postfix-users@postfix.org
> > Reply To: postfix users
> > Subject: Re: TLS details not in header as viewed from email client
> > (claws)
> >
> > On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
> >> I no longer see TLS details in the header. I checked maillog and
> >> TLS is being established.
> >> ---
> >> From maillog:
> >> Nov 8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS
> >> connection established from
> >> nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2 with cipher
> >> ECDHE-RSA-AES128-GCM-SHA2 56 (128/128 bits)
> >>
> >> Header (slightly sanitized to stay off of google)
> >> -
> >> From: some dude
> >> To: "me"
> >> Subject: from yahoo
> >> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
> >> Reply-To: some dude
> >> Return-Path:
> >> X-Original-To: m...@mydomain.com
> >> Delivered-To: m...@mydomain.com
> >> X-Virus-Scanned: amavisd-new at mydomain.com
> >> Authentication-Results: www.mydomain.com (amavisd-new);
> >> dkim=pass (2048-bit key) header.d=yahoo.com
> >> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
> >> Authentication-Results: mydomain.com;
> >> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
> >> header.i=@yahoo.com header.b=trAlWMaE DKIM-Signature: v=1;
> >> a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
> >> t=1478591383; bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
> >> h=Date:From:Reply-To:To:Subject:References:From:Subject;
> >> X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id:
> >> 878361.88180...@omp1007.mail.ne1.yahoo.com X-YMail-OSG:
> >>
> >> from yahoo
> >> -
> >
> > Where are the Received: headers? Don't remove them.
> >
> > -- Noel Jones
> >
> >>
> >> # postconf -n (sanitized also)
> >>
> >> broken_sasl_auth_clients = yes
> >> command_directory = /usr/local/sbin
> >> compatibility_level = 2
> >> content_filter = amavisfeed:[127.0.0.1]:10024
> >> daemon_directory = /usr/local/libexec/postfix
> >> data_directory = /var/db/postfix
> >> debug_peer_level = 2
> >> debugger_command =
> >> PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
> >> $daemon_directory/$process_name $process_id & sleep 5 home_mailbox
> >> = Maildir/ html_directory = /usr/local/share/doc/postfix
> >> inet_interfaces = all inet_protocols = ipv4
> >> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> >> lmtp_tls_protocols = !SSLv2, !SSLv3
> >> mail_owner = postfix
> >> mailbox_command = /usr/local/libexec/dovecot/deliver
> >> mailbox_size_limit = 0
> >> mailq_path = /usr/local/bin/mailq
> >> manpage_directory = /usr/local/man
> >> message_size_limit = 0
> >> milter_default_action = accept
> >> milter_protocol = 6
> >> mydomain = somedomain.com
> >> myhostname = www.somedomain.com
> >> mynetworks_style = host
> >> myorigin = $mydomain
> >> newaliases_path = /usr/local/bin/newaliases
> >> non_smtpd_milters = $smtpd_milters
Re: How to forbid using openssl.. starttls to connect port 25?
vod vos:
> What I want to do is to forbid AUTH PLAIN on port 25,

/etc/postfix/main.cf:
    smtp ... smtpd
        -o smtpd_tls_auth_only=yes

However, you should not enable AUTH on port 25 at all, when your submission clients connect to port 587. The port 25 service is for MTA-to-MTA traffic, and that should not be using AUTH.

> and just on port 587.

And forbid what on port 587?

Wietse
Re: TLS details not in header as viewed from email client (claws)
On 11/9/2016 9:32 AM, li...@lazygranch.com wrote:
> I posted the entire header from claws. That is the receive header since I
> sent the message from yahoo.
>

There are no Received: headers in what you posted. That's where the TLS information is found. Either your claws is set to hide those headers or you've configured postfix header_checks to remove them with an IGNORE statement. Don't do that.

-- Noel Jones

>
> Original Message
> From: Noel Jones
> Sent: Wednesday, November 9, 2016 6:53 AM
> To: postfix-users@postfix.org
> Reply To: postfix users
> Subject: Re: TLS details not in header as viewed from email client (claws)
>
> On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
>> I no longer see TLS details in the header. I checked maillog and
>> TLS is being established.
>> ---
>> From maillog:
>> Nov 8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS connection
>> established from nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2
>> with cipher ECDHE-RSA-AES128-GCM-SHA2 56 (128/128 bits)
>>
>> Header (slightly sanitized to stay off of google)
>> -
>> From: some dude
>> To: "me"
>> Subject: from yahoo
>> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
>> Reply-To: some dude
>> Return-Path:
>> X-Original-To: m...@mydomain.com
>> Delivered-To: m...@mydomain.com
>> X-Virus-Scanned: amavisd-new at mydomain.com
>> Authentication-Results: www.mydomain.com (amavisd-new);
>> dkim=pass (2048-bit key) header.d=yahoo.com
>> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
>> Authentication-Results: mydomain.com;
>> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
>> header.i=@yahoo.com header.b=trAlWMaE DKIM-Signature: v=1;
>> a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1478591383;
>> bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
>> h=Date:From:Reply-To:To:Subject:References:From:Subject;
>> X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id:
>> 878361.88180...@omp1007.mail.ne1.yahoo.com X-YMail-OSG:
>>
>> from yahoo
>> -
>
> Where are the Received: headers? Don't remove them.
>
> -- Noel Jones
>
>>
>> # postconf -n (sanitized also)
>>
>> broken_sasl_auth_clients = yes
>> command_directory = /usr/local/sbin
>> compatibility_level = 2
>> content_filter = amavisfeed:[127.0.0.1]:10024
>> daemon_directory = /usr/local/libexec/postfix
>> data_directory = /var/db/postfix
>> debug_peer_level = 2
>> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>> $daemon_directory/$process_name $process_id & sleep 5
>> home_mailbox = Maildir/
>> html_directory = /usr/local/share/doc/postfix
>> inet_interfaces = all
>> inet_protocols = ipv4
>> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
>> lmtp_tls_protocols = !SSLv2, !SSLv3
>> mail_owner = postfix
>> mailbox_command = /usr/local/libexec/dovecot/deliver
>> mailbox_size_limit = 0
>> mailq_path = /usr/local/bin/mailq
>> manpage_directory = /usr/local/man
>> message_size_limit = 0
>> milter_default_action = accept
>> milter_protocol = 6
>> mydomain = somedomain.com
>> myhostname = www.somedomain.com
>> mynetworks_style = host
>> myorigin = $mydomain
>> newaliases_path = /usr/local/bin/newaliases
>> non_smtpd_milters = $smtpd_milters
>> policyd-spf_time_limit = 3600
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/local/share/doc/postfix
>> sample_directory = /usr/local/etc/postfix
>> sendmail_path = /usr/local/sbin/sendmail
>> setgid_group = maildrop
>> smtp_tls_ciphers = medium
>> smtp_tls_exclude_ciphers = EXPORT, LOW
>> smtp_tls_loglevel = 2
>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
>> smtp_tls_protocols = !SSLv2, !SSLv3
>> smtp_tls_security_level = may
>> smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks,
>> reject_unauth_destination, check_client_access
>> hash:/usr/local/etc/postfix/spamsources
>> smtpd_milters =
Re: How to forbid using openssl.. starttls to connect port 25?
What I want to do is to forbid AUTH PLAIN on port 25, and just on port 587.

Thanks Wietse.

If smtpd_tls_security_level=may, the port 25 is still could not be forbidden.

You can't forbid connections made with "starttls s_client...". Where do you get the idea from that that is even possible?

Wietse
Re: TLS details not in header as viewed from email client (claws)
I posted the entire header from claws. That is the receive header since I sent the message from yahoo.

Original Message
From: Noel Jones
Sent: Wednesday, November 9, 2016 6:53 AM
To: postfix-users@postfix.org
Reply To: postfix users
Subject: Re: TLS details not in header as viewed from email client (claws)

On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
> I no longer see TLS details in the header. I checked maillog and
> TLS is being established.
> ---
> From maillog:
> Nov 8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS connection
> established from nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2
> with cipher ECDHE-RSA-AES128-GCM-SHA2 56 (128/128 bits)
>
> Header (slightly sanitized to stay off of google)
> -
> From: some dude
> To: "me"
> Subject: from yahoo
> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
> Reply-To: some dude
> Return-Path:
> X-Original-To: m...@mydomain.com
> Delivered-To: m...@mydomain.com
> X-Virus-Scanned: amavisd-new at mydomain.com
> Authentication-Results: www.mydomain.com (amavisd-new);
> dkim=pass (2048-bit key) header.d=yahoo.com
> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
> Authentication-Results: mydomain.com;
> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
> header.i=@yahoo.com header.b=trAlWMaE DKIM-Signature: v=1;
> a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1478591383;
> bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
> h=Date:From:Reply-To:To:Subject:References:From:Subject;
> X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id:
> 878361.88180...@omp1007.mail.ne1.yahoo.com X-YMail-OSG:
>
> from yahoo
> -

Where are the Received: headers? Don't remove them.

-- Noel Jones

>
> # postconf -n (sanitized also)
>
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> compatibility_level = 2
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
> $daemon_directory/$process_name $process_id & sleep 5
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix
> inet_interfaces = all
> inet_protocols = ipv4
> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> lmtp_tls_protocols = !SSLv2, !SSLv3
> mail_owner = postfix
> mailbox_command = /usr/local/libexec/dovecot/deliver
> mailbox_size_limit = 0
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 0
> milter_default_action = accept
> milter_protocol = 6
> mydomain = somedomain.com
> myhostname = www.somedomain.com
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> non_smtpd_milters = $smtpd_milters
> policyd-spf_time_limit = 3600
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXPORT, LOW
> smtp_tls_loglevel = 2
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = may
> smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination, check_client_access
> hash:/usr/local/etc/postfix/spamsources
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination, check_client_access
> hash:/usr/local/etc/postfix/rbl_override, reject_rbl_client
> rhsbl.scientificspam.net, reject_rbl_client bl.spamcop.net, reject_rbl_client
> cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client
> ix.dnsbl.manitu.net, reject_rbl_client rabl.nuclearelephant.com,
Re: How to forbid using openssl.. starttls to connect port 25?
vod vos:
> master.cf:
>
> smtp inet ... smtpd
> ...
> -o smtpd_relay_restrictions=$mua_relay_restrictions
> -o smtpd_recipient_restrictions=$mua_recipient_restrictions
> -o smtpd_tls_security_level=encrypt
> -o smtpd_tls_auth_only=yes
> -o smtpd_sasl_auth_enable=yes
>
> But this setting will block the mail from non tls configured server.

Right, so don't do that.

> If smtpd_tls_security_level=may, the port 25 is still could not be forbidden.

You can't forbid connections made with "starttls s_client...". Where do you get the idea from that that is even possible?

Wietse
Re: Postfix for sendmail users - rejecting users with custom SMTP codes and text
On 11/9/2016 8:58 AM, Kris Deugau wrote:
> I'm in the process of migrating my personal domain to a new server, and
> in the process I'm switching from sendmail to Postfix.
>
> One feature I haven't been able to quite figure out is part of
> sendmail's "virtusertable" - *most* of this is equivalent to
> virtual_alias_maps, but it also allows you to do a variety of other
> things such as reject arbitrary recipients with a custom SMTP response
> code and message.
>
> For instance:
>
> kdeugau...@deepnet.cx error:5.1.1:550 This address is no longer valid
> as it was sold to spammers
>
> I've come close to an exact match by adding a check_recipient_access map
> to smtpd_recipient_restrictions, but the resulting SMTP status codes
> aren't quite correct - 554 vs 550.

Yes, check_recipient_access is the right tool for this. You can manually specify the result code, see:
http://www.postfix.org/access.5.html

oldu...@example.com 550 5.1.1 address not valid

CAUTION: as documented, an all numeric result with no text is treated as OK.

-- Noel Jones
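A linter for the access(5) right-hand sides discussed in this thread, as an added example (not code from any poster or from Postfix). It predicts the reply code for the three forms that came up: `REJECT text`, `5NN text`, and the all-numeric result Noel warns about. The addresses in the sample table are constructed, `reject_code` stands in for `access_map_reject_code`, and continuation lines are not handled.

```python
import re

DSN = r"[245]\.\d{1,3}\.\d{1,3}"   # enhanced status code such as 5.1.1

# Constructed sample table patterned on the entries quoted in the thread.
SAMPLE_TABLE = """\
# check_recipient_access table
sold@example.com     REJECT 5.1.1 550 This address is no longer valid as it was sold to spammers
gone@example.com     REJECT Sorry, not accepting mail for this account
support@example.com  REJECT
olduser@example.com  550 5.1.1 address not valid
typo@example.com     550
"""


def predict_reply(rhs, reject_code=554):
    """Predict how smtpd answers for one access(5) right-hand side.

    Returns a dict: action, code (int or None), dsn, text, warnings.
    """
    rhs = rhs.strip()
    result = {"action": "OTHER", "code": None, "dsn": None,
              "text": "", "warnings": []}

    # An all-numeric result is not a reply code at all: it means OK.
    if re.fullmatch(r"\d+", rhs):
        result["action"] = "OK"
        result["warnings"].append(
            "all-numeric result with no text is treated as OK")
        return result

    # "4NN text" / "5NN text": the table supplies the reply code itself.
    m = re.fullmatch(rf"([45]\d\d)\s+(?:({DSN})(?:\s+|$))?(.*)", rhs)
    if m:
        result.update(action="REPLY", code=int(m.group(1)),
                      dsn=m.group(2), text=m.group(3))
        return result

    # "REJECT [text]": the reply code comes from access_map_reject_code,
    # and everything after an optional enhanced status code is plain text.
    m = re.fullmatch(r"REJECT(?:\s+(.*))?", rhs, re.IGNORECASE)
    if m:
        rest = m.group(1) or ""
        dsn, text = None, rest
        m2 = re.match(rf"({DSN})(?:\s+|$)(.*)", rest)
        if m2:
            dsn, text = m2.group(1), m2.group(2)
        result.update(action="REJECT", code=reject_code, dsn=dsn, text=text)
        if re.match(r"[245]\d\d(\s|$)", text):
            result["warnings"].append(
                f"reply code inside REJECT text is sent as text; "
                f"the client still sees {reject_code}")
        return result

    return result


def lint_table(text):
    """Return [(pattern, prediction)] for every entry in an access table."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rhs = parts[1] if len(parts) > 1 else ""
        entries.append((parts[0], predict_reply(rhs)))
    return entries


if __name__ == "__main__":
    for pattern, res in lint_table(SAMPLE_TABLE):
        for warning in res["warnings"]:
            print(f"{pattern}: {warning}")
```

The first sample entry reproduces the 554 reply with "550 This address ..." in the text from the original post; the fourth is the form Noel suggests.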
Postfix for sendmail users - rejecting users with custom SMTP codes and text
I'm in the process of migrating my personal domain to a new server, and in the process I'm switching from sendmail to Postfix.

One feature I haven't been able to quite figure out is part of sendmail's "virtusertable" - *most* of this is equivalent to virtual_alias_maps, but it also allows you to do a variety of other things such as reject arbitrary recipients with a custom SMTP response code and message.

For instance:

kdeugau...@deepnet.cx error:5.1.1:550 This address is no longer valid as it was sold to spammers

I've come close to an exact match by adding a check_recipient_access map to smtpd_recipient_restrictions, but the resulting SMTP status codes aren't quite correct - 554 vs 550.

It doesn't matter that much, but I'd like to be precise with these responses.

Postfix 2.11 on Debian 8/Jessie.

Suggestions for other minor fixups welcome as well, although I'm pretty sure I've got everything else working the way I want.

-kgd

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
delay_warning_time = 1h
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = tiny.deepnet.cx, localhost.deepnet.cx, deepnet.cx, deepnet.ca, localhost
myhostname = tiny.deepnet.cx
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +_
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/nosuchuser, permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/smtp_deepnet_cx.crt
smtpd_tls_key_file = /etc/ssl/private/hex.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual_alias, regexp:/etc/postfix/regexp_virtual_alias

# cat /etc/postfix/nosuchuser
kdeugau...@deepnet.cx REJECT 5.1.1 550 This address is no longer valid as it was sold to spammers
someuserwhol...@deepnet.cx REJECT Sorry, not accepting mail for this account
supp...@deepnet.cx REJECT

sendmail, old server:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 hex.deepnet.cx ESMTP Sendmail 8.13.8/8.13.8; Tue, 8 Nov 2016 14:40:32 -0500
helo local
250 hex.deepnet.cx Hello hex.deepnet.cx [127.0.0.1], pleased to meet you
mail from:kdeu...@deepnet.cx
250 2.1.0 kdeu...@deepnet.cx... Sender ok
rcpt to:kdeugau...@deepnet.cx
550 5.1.1 kdeugau...@deepnet.cx... This address is no longer valid as it was sold to spammers
quit
221 2.0.0 hex.deepnet.cx closing connection
Connection closed by foreign host.
$

postfix, new server:

$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 tiny.deepnet.cx ESMTP Postfix
helo local
250 tiny.deepnet.cx
mail from:kdeu...@deepnet.cx
250 2.1.0 Ok
rcpt to:kdeugau...@deepnet.cx
554 5.1.1: Recipient address rejected: 550 This address is no longer valid as it was sold to spammers
quit
221 2.0.0 Bye
Connection closed by foreign host.
$
Re: How to forbid using openssl.. starttls to connect port 25?
master.cf:
    smtp inet ... smtpd
    ...
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o smtpd_recipient_restrictions=$mua_recipient_restrictions
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes

But this setting will block the mail from non tls configured server. If smtpd_tls_security_level=may, the port 25 is still could not be forbidden.

any ideas?

On Wednesday, 09 November 2016 02:18:01 -0800 vod vos vod...@zoho.com wrote

That helps. Thanks.

On Wednesday, 09 November 2016 01:21:15 -0800 Viktor Dukhovni postfix-us...@dukhovni.org wrote

On Wed, Nov 09, 2016 at 12:47:05AM -0800, vod vos wrote:

How to forbid using openssl.. starttls to connect port 25?

You can only do that by disabling TLS entirely, but that does not seem to be what you're asking for. On the receiving end, there is no way to distinguish between "openssl -starttls tls" and an actual TLS-capable MTA.

Or how to forbid AUTH PLAIN on port 25, and just using port 587 for submission?

That's easy enough, only enable sasl auth on port 587 via the appropriate master.cf "-o smtpd_...=value" override settings, and require TLS on port 587:

master.cf:
    smtp inet ... smtpd
    ...
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o smtpd_recipient_restrictions=$mua_recipient_restrictions
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes

main.cf:
    # Postfix 2.10 or later, else recipient restrictions
    mua_relay_restrictions = permit_sasl_authenticated, reject

    # Default off
    smtpd_sasl_auth_enable = no

    # Minimum recommended server TLS settings:
    #
    # Also see: http://www.postfix.org/FORWARD_SECRECY_README.html
    #
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 1
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_ciphers = medium
    tls_preempt_cipherlist = yes

-- Viktor.
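An added example (not from any poster in this thread, and not Postfix code) that works through both the main.cf versus master.cf question at the top of this page and the port 25 / port 587 split discussed above: main.cf supplies the defaults, and a `-o name=value` on a master.cf service entry overrides them for that service only. The sample files are constructed, place the overrides under `submission` as Viktor's correction says, and the parser handles only the plain `-o name=value` form with one level of `$name` expansion.

```python
import re

# Constructed sample files patterned on the thread: AUTH is off by default in
# main.cf and switched on only for the submission service in master.cf.
MAIN_CF = """\
# Default off
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
mua_relay_restrictions = permit_sasl_authenticated, reject
"""

MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
"""


def logical_lines(text):
    """Drop comments and blanks; join lines that start with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {(service, type): {parameter: value}} from the -o overrides."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        args, overrides, i = fields[8:], {}, 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                overrides[name] = value
                i += 2
            else:
                i += 1
        services[(fields[0], fields[1])] = overrides
    return services


def effective(service, main, master):
    """main.cf gives the defaults; -o on the service entry wins for it."""
    merged = {**main, **master.get(service, {})}

    def expand(value):
        return re.sub(r"\$\{?(\w+)\}?",
                      lambda m: merged.get(m.group(1), ""), value)

    return {name: expand(value) for name, value in merged.items()}


def audit(main_text, master_text):
    """Flag AUTH on port 25 and a submission service without mandatory TLS."""
    main, master = parse_main_cf(main_text), parse_master_cf(master_text)
    findings = []
    if ("smtp", "inet") in master:
        mx = effective(("smtp", "inet"), main, master)
        if mx.get("smtpd_sasl_auth_enable", "no") == "yes":
            findings.append("smtp/inet: AUTH is enabled on the MTA-to-MTA port")
            if (mx.get("smtpd_tls_auth_only", "no") != "yes"
                    and mx.get("smtpd_tls_security_level") != "encrypt"):
                findings.append("smtp/inet: AUTH is offered before STARTTLS")
    if ("submission", "inet") in master:
        sub = effective(("submission", "inet"), main, master)
        if sub.get("smtpd_sasl_auth_enable", "no") != "yes":
            findings.append("submission/inet: AUTH is not enabled")
        if sub.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission/inet: TLS is not mandatory")
    return findings


if __name__ == "__main__":
    for finding in audit(MAIN_CF, MASTER_CF) or ["no findings"]:
        print(finding)
```

On a live system, `postconf -n` and `postconf -M` / `postconf -P` print the same inputs this sketch parses from strings.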
Re: TLS details not in header as viewed from email client (claws)
On 11/9/2016 2:56 AM, li...@lazygranch.com wrote:
> I no longer see TLS details in the header. I checked maillog and
> TLS is being established.
> ---
> From maillog:
> Nov 8 07:49:44 theranch postfix/smtpd[30627]: Anonymous TLS connection
> established from nm27.bullet.mail.ne1.yahoo.com[98.138.90.90]: TLSv1.2
> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
>
> Header (slightly sanitized to stay off of google)
> -
> From: some dude
> To: "me"
> Subject: from yahoo
> Date: Tue, 8 Nov 2016 07:49:41 + (UTC)
> Reply-To: some dude
> Return-Path:
> X-Original-To: m...@mydomain.com
> Delivered-To: m...@mydomain.com
> X-Virus-Scanned: amavisd-new at mydomain.com
> Authentication-Results: www.mydomain.com (amavisd-new);
>     dkim=pass (2048-bit key) header.d=yahoo.com
> DKIM-Filter: OpenDKIM Filter v2.10.3 www.mydomain.com 6AA43EB20F
> Authentication-Results: mydomain.com;
>     dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
>     header.i=@yahoo.com header.b=trAlWMaE
> DKIM-Signature: v=1;
>     a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1478591383;
>     bh=cRZGv5wOLgNFzbAfI5tLNkRMXYbHl/vWifDflA5eMtw=;
>     h=Date:From:Reply-To:To:Subject:References:From:Subject;
> X-Yahoo-Newman-Property: ymail-3
> X-Yahoo-Newman-Id: 878361.88180...@omp1007.mail.ne1.yahoo.com
>
> from yahoo
> -

Where are the Received: headers? Don't remove them.

-- Noel Jones

>
>
> # postconf -n (sanitized also)
>
>
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> compatibility_level = 2
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>     $daemon_directory/$process_name $process_id & sleep 5
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix
> inet_interfaces = all
> inet_protocols = ipv4
> lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> lmtp_tls_protocols = !SSLv2, !SSLv3
> mail_owner = postfix
> mailbox_command = /usr/local/libexec/dovecot/deliver
> mailbox_size_limit = 0
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 0
> milter_default_action = accept
> milter_protocol = 6
> mydomain = somedomain.com
> myhostname = www.somedomain.com
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> non_smtpd_milters = $smtpd_milters
> policyd-spf_time_limit = 3600
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXPORT, LOW
> smtp_tls_loglevel = 2
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = may
> smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks,
>     reject_unauth_destination, check_client_access
>     hash:/usr/local/etc/postfix/spamsources
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
>     reject_unauth_destination, check_client_access
>     hash:/usr/local/etc/postfix/rbl_override, reject_rbl_client
>     rhsbl.scientificspam.net, reject_rbl_client bl.spamcop.net, reject_rbl_client
>     cbl.abuseat.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client
>     ix.dnsbl.manitu.net, reject_rbl_client rabl.nuclearelephant.com,
>     reject_rbl_client zen.spamhaus.org, check_policy_service
>     unix:private/policyd-spf, permit
> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
>     reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
>
Re: How to forbid using openssl.. starttls to connect port 25?
That helps. Thanks.

On Wednesday, 09 November 2016 01:21:15 -0800 Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Wed, Nov 09, 2016 at 12:47:05AM -0800, vod vos wrote:
>
> > How to forbid using openssl.. starttls to connect port 25?
>
> You can only do that by disabling TLS entirely, but that does not
> seem to be what you're asking for. On the receiving end, there is
> no way to distinguish between "openssl -starttls tls" and an actual
> TLS-capable MTA.
>
> > Or how to forbid AUTH PLAIN on port 25, and just using port 587
> > for submission?
>
> That's easy enough, only enable sasl auth on port 587 via the
> appropriate master.cf "-o smtpd_...=value" override settings, and
> require TLS on port 587:
>
> master.cf:
>     smtp inet ... smtpd
>         ...
>         -o smtpd_relay_restrictions=$mua_relay_restrictions
>         -o smtpd_recipient_restrictions=$mua_recipient_restrictions
>         -o smtpd_tls_security_level=encrypt
>         -o smtpd_tls_auth_only=yes
>         -o smtpd_sasl_auth_enable=yes
>
> main.cf:
>     # Postfix 2.10 or later, else recipient restrictions
>     mua_relay_restrictions = permit_sasl_authenticated, reject
>
>     # Default off
>     smtpd_sasl_auth_enable = no
>
>     # Minimum recommended server TLS settings:
>     #
>     # Also see: http://www.postfix.org/FORWARD_SECRECY_README.html
>     #
>     smtpd_tls_security_level = may
>     smtpd_tls_loglevel = 1
>     smtpd_tls_protocols = !SSLv2, !SSLv3
>     smtpd_tls_ciphers = medium
>     tls_preempt_cipherlist = yes
>
> --
> Viktor.
Re: How to forbid using openssl.. starttls to connect port 25?
On Wed, Nov 09, 2016 at 12:47:05AM -0800, vod vos wrote:

> How to forbid using openssl.. starttls to connect port 25?

You can only do that by disabling TLS entirely, but that does not
seem to be what you're asking for. On the receiving end, there is
no way to distinguish between "openssl -starttls tls" and an actual
TLS-capable MTA.

> Or how to forbid AUTH PLAIN on port 25, and just using port 587
> for submission?

That's easy enough, only enable sasl auth on port 587 via the
appropriate master.cf "-o smtpd_...=value" override settings, and
require TLS on port 587:

master.cf:
    smtp inet ... smtpd
        ...
        -o smtpd_relay_restrictions=$mua_relay_restrictions
        -o smtpd_recipient_restrictions=$mua_recipient_restrictions
        -o smtpd_tls_security_level=encrypt
        -o smtpd_tls_auth_only=yes
        -o smtpd_sasl_auth_enable=yes

main.cf:
    # Postfix 2.10 or later, else recipient restrictions
    mua_relay_restrictions = permit_sasl_authenticated, reject

    # Default off
    smtpd_sasl_auth_enable = no

    # Minimum recommended server TLS settings:
    #
    # Also see: http://www.postfix.org/FORWARD_SECRECY_README.html
    #
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 1
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_ciphers = medium
    tls_preempt_cipherlist = yes

--
Viktor.
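An added example, not part of the message above and not Postfix code: a small audit that resolves each listener's effective settings, relying on the fact that a master.cf "-o name=value" override replaces the main.cf value for that one service. The sample files are constructed, and the helper names (parse_main, parse_master, audit) and the three policy checks are assumptions of this example; it flags the overrides when they sit on the port 25 "smtp" listener and passes when they sit on "submission".

```python
# Constructed sample configuration, modelled on the settings in the thread.
MAIN_CF = "smtpd_sasl_auth_enable = no\nsmtpd_tls_security_level = may\n"
SMTP = "smtp       inet  n  -  n  -  -  smtpd\n"
SUBMISSION = "submission inet  n  -  n  -  -  smtpd\n"
OVERRIDES = ("  -o smtpd_tls_security_level=encrypt\n"
             "  -o smtpd_tls_auth_only=yes\n"
             "  -o smtpd_sasl_auth_enable=yes\n")
MASTER_ON_PORT_25 = SMTP + OVERRIDES               # overrides attached to smtp/inet
MASTER_ON_PORT_587 = SMTP + SUBMISSION + OVERRIDES  # overrides attached to submission


def parse_main(text):
    """Return {name: value} for main.cf 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def parse_master(text):
    """Return {'service/type': {name: value}} from '-o name=value' arguments."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if not line[0].isspace():          # new logical line: 8 fixed columns
            current = services.setdefault(f"{fields[0]}/{fields[1]}", {})
            fields = fields[8:]
        for flag, arg in zip(fields, fields[1:]):
            if flag == "-o" and "=" in arg and current is not None:
                name, _, value = arg.partition("=")
                current[name] = value
    return services


def audit(main_text, master_text):
    """Resolve each listener's effective settings and report policy problems."""
    main, findings = parse_main(main_text), []
    for svc, overrides in parse_master(master_text).items():
        eff = {**main, **overrides}        # the -o value wins for this service
        auth = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls = eff.get("smtpd_tls_security_level", "") == "encrypt"
        if svc == "smtp/inet" and auth:
            findings.append((svc, "AUTH offered on port 25"))
        if svc == "smtp/inet" and tls:
            findings.append((svc, "mandatory TLS rejects non-TLS senders"))
        if svc == "submission/inet" and not (auth and tls):
            findings.append((svc, "submission lacks AUTH or mandatory TLS"))
    return findings
```

On a live server, "postconf -n" and "postconf -M" print the main.cf and master.cf contents that such a check would read.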
How to forbid using openssl.. starttls to connect port 25?
hi, How to forbid using openssl.. starttls to connect port 25? Or how to forbid AUTH PLAIN on port 25, and just using port 587 for submission? Thanks.
Re: Transport mapping via mySQL?
>It's actually quite simple:
>1) Create a file with the MySQL credentials and the query
>2) Include the created file in transport_maps within main.cf
>
>/etc/postfix/mysql_relay_transport_maps.cf
> user = dbuser
> password = dbpass
> dbname = maildb
> hosts = unix:/var/run/mysqld/mysqld.sock
> query = SELECT transport FROM domain WHERE domain = '%s'
>
>/etc/postfix/main.cf
>transport_maps =
>    btree:/etc/postfix/transport_maps,
>    proxy:mysql:/etc/postfix/mysql_relay_transport_maps.cf

Thank you kindly, is there some short code for the entire email address, because just domain won't cut it (we're choosing transport based on full email address)