Re: upgrade/compile options

2017-07-11 Thread Peter
On 12/07/17 15:05, techlist06 wrote:
>> Why are you trying to upgrade from old to slightly less old?  The
>> current stable of postfix is 3.2.2. 
> 
> Valid question.  It wasn't because of EOL concerns.  I was looking to add
> the feature available in 2.11+:
> postscreen_dnsbl_whitelist_threshold
> 
> Beyond that, I was just chicken of biting off too much at a time without
> having a handle on it.  Baby steps.  v2.10 (and now 2.11) will be my first
> use of postscreen and will have enough new to it vs. the old version I'm
> upgrading from.  
> 
> Maybe an unfounded fear and I should go right to 3.2, but that's why I was
> just moving to 2.11.  Once I'm comfy, maybe move up another few rungs to
> 3.2.

I think you're looking at this the wrong way.  Going from pre-packaged
postfix to compile-your-own is much more likely to cause issues than
the step to 3.2.  Yes there are certainly a lot more features in 3.2
than there are in 2.11, but you don't have to enable those new features
and there are very few backwards compatibility issues which are well
documented and easy to overcome.

Have a look again at the link I mentioned before.  It lists all the
issues that you will have switching from the stock postfix 2.10 to the
Ghettoforge-provided 3.2 and exactly what to do to have a smooth
transition.  I think you'll find that it's much easier than trying to
compile your own and install from source and you will continue to get
updates from Ghettoforge without having to worry about rebuilding
yourself every time a new version comes out with bug or security fixes,
plus you won't have to worry about when 2.11 goes EOL sometime early
next year.

Here's the link again for you:
http://ghettoforge.org/index.php/Postfix3


Peter


Re: upgrade/compile options

2017-07-11 Thread techlist06
Hi Peter: 

> Why are you trying to upgrade from old to slightly less old?  The
> current stable of postfix is 3.2.2. 

Valid question.  It wasn't because of EOL concerns.  I was looking to add
the feature available in 2.11+:
postscreen_dnsbl_whitelist_threshold

Beyond that, I was just chicken of biting off too much at a time without
having a handle on it.  Baby steps.  v2.10 (and now 2.11) will be my first
use of postscreen and will have enough new to it vs. the old version I'm
upgrading from.  

Maybe an unfounded fear and I should go right to 3.2, but that's why I was
just moving to 2.11.  Once I'm comfy, maybe move up another few rungs to
3.2.









Re: upgrade/compile options

2017-07-11 Thread Peter
On 12/07/17 08:21, techlist06 wrote:
> I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
> upgrade the postfix to 2.11.

Why are you trying to upgrade from old to slightly less old?  The
current stable of postfix is 3.2.2.

If you're afraid of 2.10 being EOL then don't worry, Red Hat, and by
extension CentOS, will continue to support their build for some time to
come, including backporting of bug and security fixes.

If you have an actual reason to upgrade (need newer features) then
consider using Ghettoforge instead of trying to build it yourself.  See:

http://ghettoforge.org/index.php/Postfix3


Peter


Re: upgrade/compile options

2017-07-11 Thread techlist06
I removed the one Cyrus SASL path Victor pointed out.

For anyone else who may come on this searching... Google "Steve Jenkins
Building Postfix on RHEL / CentOS from Source" for detailed steps, except
that I wanted TLS, Dovecot SASL (no Cyrus), and the rest as normal for the
distribution.

On a stock centos7 install with functioning postfix 2.10, SASL and TLS,  I
did this to upgrade to 2.11:
- yum install gcc openssl-devel pcre pcre-devel dovecot-devel
- download source to /usr/local/src
- used this to build makefile on x64

make makefiles \
  CCARGS='-fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' \
  AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' \
  OPT='-O' DEBUG='-g'

Be sure to exclude postfix from yum updates so it doesn't get hosed if they
ever get around to updating.







Re: upgrade/compile options

2017-07-11 Thread techlist06
Wietse:  

>If I correct your command for word-wrap breakage and spurious spaces,
>but otherwise leave all the unnecessary stuff in place, it produces
>a working build with Postfix 3.3 on Fedora Core 24. 

The reference I started with was one by Steve Jenkins for a Centos 7 system
(and others).  I'd be grateful to see the compile arguments without the
"unnecessary stuff".  

make makefiles  CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE
-I/usr/include/openssl -I/usr/include/dovecot -I/usr/include'
AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2
-lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O'
DEBUG='-g' 

Anyway after make upgrade and a restart I didn't get the warnings this time
on test messages.  Apologies for the static.

I would be grateful for the "only necessary stuff" line

Thank you (Victor too).  









Re: upgrade/compile options

2017-07-11 Thread Wietse Venema
techlist06:
> I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
> upgrade the postfix to 2.11.
> 
> I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the
> postfix docs and other's directions, I've tried to pick the correct compile
> options.  Unfortunately for me RedHat/Centos doesn't appear to include the
> .out file I need to see how they compiled theirs.
> 
> This is the script I'm using to create the makefile and compile.  The
> compile goes fine without any errors that I see:
> 
> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
> DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
> -I/usr/include' AUXLIBS='-
> L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
> -lz -lm -Wl,-rpath, /usr/lib
> 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
> 
> But in the logs I have warnings about both TLS and SASL not being compiled
> in:
>warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
> in
>warning: TLS has been selected, but TLS support is not compiled in

If I correct your command for word-wrap breakage and spurious spaces,
but otherwise leave all the unnecessary stuff in place, it produces
a working build with Postfix 3.3 on Fedora Core 24.

$ env - PATH=/usr/bin make makefiles  CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL 
-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE 
-I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' 
AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 
-lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' 
DEBUG='-g'
$ make -j8
$ su
Password: 
# make upgrade
# echo test | mail -s test wie...@porcupine.org
# tail -f /var/log/maillog
...
Jul 11 19:16:23 wzv postfix/qmgr[8236]: 63882A0173: from=, 
size=258, nrcpt=1 (queue active)
Jul 11 19:16:29 wzv postfix/smtp[8246]: Anonymous TLS connection established to 
spike.porcupine.org[168.100.189.2]:25: TLSv1.2 with cipher AECDH-AES256-SHA 
(256/256 bits)
Jul 11 19:16:29 wzv postfix/smtp[8271]: 63882A0173: to=, 
relay=spike.porcupine.org[168.100.189.2]:25, ...

It should also work with Postfix 2.11.

Wietse


Re: upgrade/compile options

2017-07-11 Thread Viktor Dukhovni
On Tue, Jul 11, 2017 at 01:21:44PM -0700, techlist06 wrote:

> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\\"/usr\\" -DHAS_PCRE
> -I/usr/include/openssl
> -I/usr/include/dovecot
> -I/usr/include'

Do NOT add "/usr/include/openssl" to the include path, the OpenSSL
headers are included as "#include " and so the include
path is just "/usr/include", which should already be used by default,
but if your compiler is putting something else first, just
"/usr/include" will suffice.

The above is sufficient for "dovecot" SASL support in smtpd(8), but
not for Cyrus SASL support in smtp(8).  See SASL_README.

http://www.postfix.org/SASL_README.html#sasl_support

> AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl
>  -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm
>  -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro'

Does the OpenSSL whose headers are in /usr/include really put
its libraries in a non-default location: /usr/lib64/openssl?

More importantly, /usr/lib64/sasl2 is surely Cyrus SASL, but you've
not enabled Cyrus support.

Compilation instructions are in:

http://www.postfix.org/INSTALL.html

and in "README" files for various optional features:

TLS_README
SASL_README
...

-- 
Viktor.
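
As an added check (my own example, not from this thread or the Postfix source tree), a small Python linter that applies the points above to a pasted "make makefiles" line: word-wrap damage, the redundant /usr/include/openssl path, a Cyrus library directory with no Cyrus support enabled, and feature macros whose libraries are missing. POSTED is a constructed copy of the command as it arrived on the list; MINIMAL is my assumed trimmed form for TLS + Dovecot SASL + PCRE, taken from TLS_README and SASL_README, not a line anyone posted.

```python
"""Consistency check for the CCARGS/AUXLIBS given to "make makefiles",
applying the points raised in this thread to a pasted command line."""
import shlex

# Libraries each feature macro needs in AUXLIBS (per TLS_README / SASL_README / INSTALL).
NEEDS = {"-DUSE_TLS": {"-lssl", "-lcrypto"}, "-DHAS_PCRE": {"-lpcre"},
         "-DUSE_CYRUS_SASL": {"-lsasl2"}}

def build_args(cmd):
    """Split a 'make makefiles VAR=...' line into its CCARGS and AUXLIBS tokens."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(cmd) if "=" in tok)
    return kv.get("CCARGS", "").split(), kv.get("AUXLIBS", "").split()

def lint_build_args(cmd):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    ccargs, auxlibs = build_args(cmd)
    findings = []
    for tok in ccargs + auxlibs:
        if tok == "-" or tok.endswith(","):
            findings.append(f"dangling option {tok!r}: command broken by word wrap")
        elif not tok.startswith("-"):
            findings.append(f"stray fragment {tok!r}: not an option (word wrap or spurious space)")
    if "-I/usr/include/openssl" in ccargs:
        findings.append("-I/usr/include/openssl is unnecessary: headers are <openssl/*.h> under /usr/include")
    libs = {t for t in auxlibs if t.startswith("-l")}
    for macro, need in NEEDS.items():
        if macro in ccargs and need - libs:
            findings.append(f"{macro} set but {' '.join(sorted(need - libs))} missing from AUXLIBS")
        if macro not in ccargs and need & libs:
            findings.append(f"{' '.join(sorted(need & libs))} linked but {macro} not set")
    if "-DUSE_CYRUS_SASL" not in ccargs and any(t.startswith("-L") and "sasl2" in t for t in auxlibs):
        findings.append("-L.../sasl2 points at Cyrus SASL, but -DUSE_CYRUS_SASL is not set")
    return findings

# Constructed copy of the command as it arrived on the list, word-wrapped.
POSTED = r"""make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -
DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
-I/usr/include' AUXLIBS='-
L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
-lz -lm -Wl,-rpath, /usr/lib
64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'"""

# Assumed minimal form for TLS + Dovecot SASL + PCRE (my reading of the READMEs, not from the thread).
MINIMAL = r"make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE' AUXLIBS='-lssl -lcrypto -lpcre'"

if __name__ == "__main__":
    for line in lint_build_args(POSTED):
        print(line)
```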


RE: upgrade/compile options

2017-07-11 Thread Scott Techlist
>Do "postfix reload" and see what Postfix version is being logged.

Jul 11 15:58:29 tn2 postfix/postfix-script[17935]: refreshing the Postfix
mail system
Jul 11 15:58:29 tn2 postfix/master[17876]: reload -- version 2.11.10,
configuration /etc/postfix





Re: upgrade/compile options

2017-07-11 Thread Wietse Venema
techlist06:
> I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
> upgrade the postfix to 2.11.
> 
> I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the
> postfix docs and other's directions, I've tried to pick the correct compile
> options.  Unfortunately for me RedHat/Centos doesn't appear to include the
> .out file I need to see how they compiled theirs.
> 
> This is the script I'm using to create the makefile and compile.  The
> compile goes fine without any errors that I see:
> 
> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
> DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
> -I/usr/include' AUXLIBS='-
> L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
> -lz -lm -Wl,-rpath, /usr/lib
> 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
> 
> But in the logs I have warnings about both TLS and SASL not being compiled
> in:
>warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
> in
>warning: TLS has been selected, but TLS support is not compiled in

Do "postfix reload" and see what Postfix version is being logged.

Wietse


upgrade/compile options

2017-07-11 Thread techlist06
I have a functioning install of 2.10 from rpm's on Centos7.  I'm trying to
upgrade the postfix to 2.11.

I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the
postfix docs and other's directions, I've tried to pick the correct compile
options.  Unfortunately for me RedHat/Centos doesn't appear to include the
.out file I need to see how they compiled theirs.

This is the script I'm using to create the makefile and compile.  The
compile goes fine without any errors that I see:

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -
DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
-I/usr/include' AUXLIBS='-
L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
-lz -lm -Wl,-rpath, /usr/lib
64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

But in the logs I have warnings about both TLS and SASL not being compiled
in:
   warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
in
   warning: TLS has been selected, but TLS support is not compiled in

I did add this include: -I/usr/include/dovecot, in lieu of a direction to
use /usr/include/sasl, which did not exist.

Can someone help me with my compile options?  Do I have to keep the CYRUS
parts in there, too?  Figure I'm missing an option or path.

Thanks








Re: Postfix ignoring order of smtpd_recipient_restrictions

2017-07-11 Thread Alex JOST

On 11.07.2017 at 17:21, Darren Share wrote:
> Hi,
> 
> I've posted this as a serverfault question [1] but had no bites so far.
> 
> I am receiving about 50 rejected emails per day because there is a typo
> in the sending email address and it's hitting
> reject_unknown_sender_domain:
> 
> Jul 10 12:21:31 serverb3 postfix/smtpd[6647]: NOQUEUE: reject: RCPT from
> smtp.correctly-spelt-domain.co.uk[X.X.X.X]: 450 4.1.8
> : Sender address rejected: Domain not
> found; from= to=
> proto=ESMTP helo=
> 
> I've added em...@mispelt-domain.co.uk OK to /etc/postfix/sender_access,
> ran postmap /etc/postfix/sender_access and restarted postfix.
> 
> Despite check_sender_access hash:/etc/postfix/sender_access appearing in
> my smtpd_recipient_restrictions list before reject_unknown_sender_domain
> the emails are still being rejected for that reason. Why is this and how
> can I fix it?
> 
> Postfix v2.11.3
> 
> Output of postconf -n:
> 
> smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
> reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender
> reject_unknown_sender_domain reject_non_fqdn_recipient
> reject_unknown_recipient_domain check_sender_access
> hash:/etc/postfix/sender_access reject_rbl_client bl.spamcop.net
> reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net
> permit


You have 'reject_unknown_sender_domain' in 'smtpd_relay_restrictions' 
which is evaluated before 'smtpd_recipient_restrictions'. Note that the 
reject is delayed until RCPT TO.


http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
http://www.postfix.org/postconf.5.html#smtpd_delay_reject

--
Alex JOST
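
As an added illustration (my own model, not part of Alex's reply or of Postfix), a small Python simulation of how smtpd(8) walks its restriction lists at RCPT TO, with Darren's two lists abbreviated to the restrictions it models and constructed stand-ins for mynetworks, mydestination, DNS and the sender_access table. The "FIXED" variant, leaving only relay policy in smtpd_relay_restrictions, is my suggested change, not something stated in the thread.

```python
"""Model of smtpd(8) restriction evaluation at RCPT TO: a whitelist hit in
smtpd_recipient_restrictions cannot undo a reject from smtpd_relay_restrictions."""

# Constructed stand-ins for mynetworks, mydestination, DNS and the
# hash:/etc/postfix/sender_access table (not real data from the thread).
MYNETWORKS = {"127.0.0.1"}
MYDESTINATION = {"b3.localdomain", "localhost"}
KNOWN_DOMAINS = {"correctly-spelt-domain.co.uk"}        # domains DNS resolves
SENDER_ACCESS = {"someone@mispelt-domain.co.uk": "OK"}  # the whitelist entry

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate_list(restrictions, client_ip, sender, recipient):
    """Walk one list left to right; the first restriction that yields OK
    or REJECT ends that list.  Restrictions not modelled here (RBLs,
    helo and pipelining checks) fall through as DUNNO."""
    for r in restrictions:
        if r == "permit_mynetworks" and client_ip in MYNETWORKS:
            return "OK", r
        if r.startswith("check_sender_access"):
            action = SENDER_ACCESS.get(sender.lower())
            if action in ("OK", "REJECT"):
                return action, r
        if r == "reject_unknown_sender_domain" and domain(sender) not in KNOWN_DOMAINS:
            return "REJECT", r
        if r == "reject_unauth_destination" and domain(recipient) not in MYDESTINATION:
            return "REJECT", r
        if r == "permit":
            return "OK", r
    return "DUNNO", None

def rcpt_verdict(config, client_ip, sender, recipient):
    """With smtpd_delay_reject = yes the relay list runs at RCPT TO before
    the recipient list.  An OK only ends its own list; every list still
    gets its turn, and the first REJECT decides the reply."""
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        verdict, hit = evaluate_list(config[name], client_ip, sender, recipient)
        if verdict == "REJECT":
            return "REJECT", f"{name}: {hit}"
    return "OK", None

SENDER_CHECK = "check_sender_access hash:/etc/postfix/sender_access"
# Darren's two lists, abbreviated to the restrictions modelled above.
AS_POSTED = {
    "smtpd_relay_restrictions": ["permit_mynetworks", "reject_unauth_destination",
                                 "reject_unknown_sender_domain", SENDER_CHECK, "permit"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", SENDER_CHECK,
                                     "reject_unauth_destination",
                                     "reject_unknown_sender_domain", "permit"],
}
# Suggested fix (an assumption): keep only relay policy in the relay list, so the
# sender checks, and the whitelist ahead of them, run once, in the recipient list.
FIXED = dict(AS_POSTED, smtpd_relay_restrictions=["permit_mynetworks", "reject_unauth_destination"])

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, rcpt_verdict(cfg, "203.0.113.5", "someone@mispelt-domain.co.uk", "user@b3.localdomain"))
```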


Postfix ignoring order of smtpd_recipient_restrictions

2017-07-11 Thread Darren Share
Hi, 

I've posted this as a serverfault question [1] but had no bites so far. 

I am receiving about 50 rejected emails per day because there is a typo
in the sending email address and it's hitting
reject_unknown_sender_domain:

Jul 10 12:21:31 serverb3 postfix/smtpd[6647]: NOQUEUE: reject: RCPT from
smtp.correctly-spelt-domain.co.uk[X.X.X.X]: 450 4.1.8
: Sender address rejected: Domain not
found; from= to=
proto=ESMTP helo=

I've added em...@mispelt-domain.co.uk OK to /etc/postfix/sender_access,
ran postmap /etc/postfix/sender_access and restarted postfix. 

Despite check_sender_access hash:/etc/postfix/sender_access appearing in
my smtpd_recipient_restrictions list before reject_unknown_sender_domain
the emails are still being rejected for that reason. Why is this and how
can I fix it? 

Postfix v2.11.3 

Output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
disable_vrfy_command = yes
home_mailbox = Mail/
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 2048
mydestination = b3.localdomain, localhost.localdomain, localhost,
/etc/postfix/bubbadomains, $myhostname
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
recipient_delimiter = +
relayhost = smtp.gmail.com
sender_bcc_maps = hash:/etc/postfix/sender_bcc
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks check_sender_access
hash:/etc/postfix/sender_access reject_unauth_destination
reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender
reject_unknown_sender_domain reject_non_fqdn_recipient
reject_unknown_recipient_domain reject_rbl_client bl.spamcop.net
reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net
permit
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender
reject_unknown_sender_domain reject_non_fqdn_recipient
reject_unknown_recipient_domain check_sender_access
hash:/etc/postfix/sender_access reject_rbl_client bl.spamcop.net
reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net
permit
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

PS. I have also tried to address the root cause by contacting the owners
of the domain in question and informing them. I am not holding my breath
they will fix it. 

Thanks. 

Darren. 

Links:
--
[1]
https://serverfault.com/questions/861268/postfix-ignoring-order-of-smtpd-recipient-restrictions

Re: postfix + selinux - does it make sense ?

2017-07-11 Thread Zalezny Niezalezny
I think that Postfix is one of the most secure servers. I will stay with
basic SE settings.


On Tue, Jul 11, 2017 at 1:01 PM, Wietse Venema  wrote:

> Zalezny Niezalezny:
> > Hi,
> >
> > I would like to know your opinion about selinux + postfix?
> >
> > Is anyone using it? Does it make sense to set up some policies for
> > postfix?
>
> Do what you like, but I won't provide help for platform-specific
> features. Postfix is a cross-platform system.
>
> Wietse
>


Re: postfix + selinux - does it make sense ?

2017-07-11 Thread Wietse Venema
Zalezny Niezalezny:
> Hi,
> 
> I would like to know your opinion about selinux + postfix?
> 
> Is anyone using it? Does it make sense to set up some policies for
> postfix?

Do what you like, but I won't provide help for platform-specific
features. Postfix is a cross-platform system.

Wietse


Re: postfix + selinux - does it make sense ?

2017-07-11 Thread Paul Menzel

Dear Zalezny,


On 07/11/17 09:31, Zalezny Niezalezny wrote:
> I would like to know your opinion about selinux + postfix?
> 
> Does anyone using it? Does it make sense to set up some policies for
> postfix?


It largely depends on your threat model, but in my opinion, as it 
doesn’t hurt, I would say it makes a lot of sense to set up SE Linux. 
Especially as a basic(?) policy is already available, and depending on 
your setup, you only need to tune a few things.



Kind regards,

Paul


PS: As you only sent plain text, it'd be awesome if you configured your 
Google Mail account so that it doesn't include HTML parts in the 
message [1].



[1] 
https://www.lifewire.com/how-to-send-a-message-in-plain-text-from-gmail-1171963


Re: postfix + selinux - does it make sense ?

2017-07-11 Thread Peter
On 11/07/17 19:31, Zalezny Niezalezny wrote:
> I would like to know your opinion about selinux + postfix?
> 
> Is anyone using it? Does it make sense to set up some policies for
> postfix?

It works as well as any other software + selinux.  What policies and
label contexts you have to customize depend largely on your exact setup,
and how people set up postfix can vary widely.  I can say that I have
yet to run across a setup where I had to resort to disabling selinux
entirely.


Peter


postfix + selinux - does it make sense ?

2017-07-11 Thread Zalezny Niezalezny
Hi,

I would like to know your opinion about selinux + postfix?

Is anyone using it? Does it make sense to set up some policies for
postfix?




Thanks in advance for your answers and suggestions.



Cheers

Zalezny