Re: upgrade/compile options
On 12/07/17 15:05, techlist06 wrote:
>> Why are you trying to upgrade from old to slightly less old? The
>> current stable of postfix is 3.2.2.
>
> Valid question. It wasn't because of EOL concerns. I was looking to add
> the feature available in 2.11+:
> postscreen_dnsbl_whitelist_threshold
>
> Beyond that, I was just chicken of biting off too much at a time without
> having a handle on it. Baby steps. v2.10 (and now 2.11) will be my first
> use of postscreen and will have enough new to it vs. the old version I'm
> upgrading from.
>
> Maybe an unfounded fear and I should go right to 3.2, but that's why I was
> just moving to 2.11. Once I'm comfy, maybe move up another few rungs to
> 3.2.

I think you're looking at this the wrong way. Going from pre-packaged postfix to compile-your-own is much more likely to cause issues than the step to 3.2. Yes, there are certainly a lot more features in 3.2 than there are in 2.11, but you don't have to enable those new features, and there are very few backwards-compatibility issues, which are well documented and easy to overcome.

Have a look again at the link I mentioned before. It lists all the issues that you will have switching from the stock postfix 2.10 to the Ghettoforge-provided 3.2 and exactly what to do to have a smooth transition. I think you'll find that it's much easier than trying to compile your own and install from source, and you will continue to get updates from Ghettoforge without having to worry about rebuilding yourself every time a new version comes out with bug or security fixes, plus you won't have to worry about when 2.11 goes EOL sometime early next year.

Here's the link again for you:
http://ghettoforge.org/index.php/Postfix3

Peter
Re: upgrade/compile options
Hi Peter:

> Why are you trying to upgrade from old to slightly less old? The
> current stable of postfix is 3.2.2.

Valid question. It wasn't because of EOL concerns. I was looking to add the feature available in 2.11+:
postscreen_dnsbl_whitelist_threshold

Beyond that, I was just chicken of biting off too much at a time without having a handle on it. Baby steps. v2.10 (and now 2.11) will be my first use of postscreen and will have enough new to it vs. the old version I'm upgrading from.

Maybe an unfounded fear and I should go right to 3.2, but that's why I was just moving to 2.11. Once I'm comfy, maybe move up another few rungs to 3.2.

--
View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91250.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: upgrade/compile options
On 12/07/17 08:21, techlist06 wrote:
> I have a functioning install of 2.10 from rpm's on Centos7. I'm trying to
> upgrade the postfix to 2.11.

Why are you trying to upgrade from old to slightly less old? The current stable of postfix is 3.2.2. If you're afraid of 2.10 being EOL then don't worry, Red Hat, and by extension CentOS, will continue to support their build for some time to come, including backporting of bug and security fixes.

If you have an actual reason to upgrade (need newer features) then consider using Ghettoforge instead of trying to build it yourself. See:
http://ghettoforge.org/index.php/Postfix3

Peter
Re: upgrade/compile options
I removed the one Cyrus SASL path Victor pointed out.

For anyone else who may come on this searching... Google "Steve Jenkins Building Postfix on RHEL / CentOS from Source" for detailed steps. Except for me I wanted TLS, Dovecot SASL (no Cyrus), the rest as normal for the distribution.

On a stock centos7 install with functioning postfix 2.10, SASL and TLS, I did this to upgrade to 2.11:

- yum install gcc openssl-devel pcre pcre-devel dovecot-devel
- download source to /usr/local/src
- used this to build makefile on x64:

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS=' -L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

Be sure to exclude postfix from yum updates so it doesn't get hosed if they ever get around to updating.

--
View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91248.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: upgrade/compile options
Wietse:
> If I correct your command for word-wrap breakage and spurious spaces,
> but otherwise leave all the unnecessary stuff in place, it produces
> a working build with Postfix 3.3 on Fedora Core 24.

The reference I started with was one by Steve Jenkins for a Centos 7 system (and others). I'd be grateful to see the compile arguments without the "unnecessary stuff".

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

Anyway, after make upgrade and a restart I didn't get the warnings this time on test messages. Apologies for the static. I would be grateful for the "only necessary stuff" line.

Thank you (Victor too).

--
View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241p91247.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: upgrade/compile options
techlist06:
> I have a functioning install of 2.10 from rpm's on Centos7. I'm trying to
> upgrade the postfix to 2.11.
>
> I don't use LDAP and I'm using Dovecot for SASL. I use TLS. Following the
> postfix docs and other's directions, I've tried to pick the correct compile
> options. Unfortunately for me RedHat/Centos doesn't appear to include the
> .out file I need to see how they compiled theirs.
>
> This is the script I'm using to create the makefile and compile. The
> compile goes fine without any errors that I see:
>
> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
> DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
> -I/usr/include' AUXLIBS='-
> L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
> -lz -lm -Wl,-rpath, /usr/lib
> 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
>
> But in the logs I have warnings about both TLS and SASL not being compiled
> in:
> warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
> in
> warning: TLS has been selected, but TLS support is not compiled in

If I correct your command for word-wrap breakage and spurious spaces, but otherwise leave all the unnecessary stuff in place, it produces a working build with Postfix 3.3 on Fedora Core 24.

$ env - PATH=/usr/bin make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
$ make -j8
$ su
Password:
# make upgrade
# echo test | mail -s test wie...@porcupine.org
# tail -f /var/log/maillog
...
Jul 11 19:16:23 wzv postfix/qmgr[8236]: 63882A0173: from=, size=258, nrcpt=1 (queue active)
Jul 11 19:16:29 wzv postfix/smtp[8246]: Anonymous TLS connection established to spike.porcupine.org[168.100.189.2]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jul 11 19:16:29 wzv postfix/smtp[8271]: 63882A0173: to= , relay=spike.porcupine.org[168.100.189.2]:25, ...

It should also work with Postfix 2.11.

	Wietse
Re: upgrade/compile options
On Tue, Jul 11, 2017 at 01:21:44PM -0700, techlist06 wrote:

> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\\"/usr\\" -DHAS_PCRE
> -I/usr/include/openssl
> -I/usr/include/dovecot
> -I/usr/include'

Do NOT add "/usr/include/openssl" to the include path, the OpenSSL headers are included as "#include <openssl/ssl.h>" and so the include path is just "/usr/include", which should already be used by default, but if your compiler is putting something else first, just "/usr/include" will suffice.

The above is sufficient for "dovecot" SASL support in smtpd(8), but not for Cyrus SASL support in smtp(8). See SASL_README.

http://www.postfix.org/SASL_README.html#sasl_support

> AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl
> -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm
> -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro'

Does the OpenSSL whose headers are in /usr/include really put its libraries in a non-default location: /usr/lib64/openssl? More importantly, /usr/lib64/sasl2 is surely Cyrus SASL, but you've not enabled Cyrus support.

Compilation instructions are in:

http://www.postfix.org/INSTALL.html

and in "README" files for various optional features:

TLS_README
SASL_README
...

--
	Viktor.
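As an added example (not code from the thread or from Postfix), the script below builds with only the flags the READMEs Viktor points to require for TLS, Dovecot SASL and PCRE, and then checks the freshly built tree for those features before `make upgrade`, rather than finding "not compiled in" warnings in the log afterwards. It assumes a CentOS 7 host with the -devel packages from the thread installed and the Postfix source tree as the working directory; the flag set and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): build with only the
# flags TLS_README, SASL_README and PCRE_README require, keeping the
# distribution's -fPIC/-pie/relro hardening and leaving out the
# /usr/include/openssl and /usr/lib64/sasl2 entries Viktor questioned, then
# verify the built tree before `make upgrade` replaces the running daemons.
# Assumes CentOS 7 with gcc, openssl-devel, pcre-devel and dovecot-devel
# installed and the Postfix source tree as the working directory.
set -eu

CCARGS='-fPIC -DUSE_TLS -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE'
AUXLIBS='-lssl -lcrypto -lpcre -pie -Wl,-z,relro'

build_postfix() {
    make makefiles CCARGS="$CCARGS" AUXLIBS="$AUXLIBS" OPT='-O' DEBUG='-g'
    make
}

# has_word LIST WORD: true when WORD is a whole entry of LIST; entries may be
# space or newline separated, which is how postconf -a and -m print them.
has_word() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# verify_postfix_build SASL_TYPES TABLE_TYPES SMTPD_LIBS
#   SASL_TYPES  output of `postconf -a` (SASL server plug-in types)
#   TABLE_TYPES output of `postconf -m` (lookup table types)
#   SMTPD_LIBS  output of `ldd libexec/smtpd`
# Prints the first missing feature and fails; silent success otherwise.
verify_postfix_build() {
    has_word "$1" dovecot || { echo "missing: dovecot SASL (USE_SASL_AUTH)"; return 1; }
    has_word "$2" pcre    || { echo "missing: pcre tables (HAS_PCRE)"; return 1; }
    case "$3" in
        *libssl*) ;;
        *) echo "missing: TLS (USE_TLS, smtpd not linked against libssl)"; return 1 ;;
    esac
}

# `sh build_check.sh build` builds and checks the tree; only run `make upgrade`
# once this succeeds.  Nothing runs when the script is merely sourced or tested.
if [ "${1-}" = "build" ]; then
    build_postfix
    verify_postfix_build "$(bin/postconf -a)" "$(bin/postconf -m)" "$(ldd libexec/smtpd)"
fi
```

Running the check against the build tree (bin/postconf, libexec/smtpd) rather than the installed binaries is what catches the situation in this thread, where the old daemons were still the ones being started.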
RE: upgrade/compile options
> Do "postfix reload" and see what Postfix version is being logged.

Jul 11 15:58:29 tn2 postfix/postfix-script[17935]: refreshing the Postfix mail system
Jul 11 15:58:29 tn2 postfix/master[17876]: reload -- version 2.11.10, configuration /etc/postfix
Re: upgrade/compile options
techlist06:
> I have a functioning install of 2.10 from rpm's on Centos7. I'm trying to
> upgrade the postfix to 2.11.
>
> I don't use LDAP and I'm using Dovecot for SASL. I use TLS. Following the
> postfix docs and other's directions, I've tried to pick the correct compile
> options. Unfortunately for me RedHat/Centos doesn't appear to include the
> .out file I need to see how they compiled theirs.
>
> This is the script I'm using to create the makefile and compile. The
> compile goes fine without any errors that I see:
>
> make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH
> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -
> DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot
> -I/usr/include' AUXLIBS='-
> L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre
> -lz -lm -Wl,-rpath, /usr/lib
> 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'
>
> But in the logs I have warnings about both TLS and SASL not being compiled
> in:
> warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
> in
> warning: TLS has been selected, but TLS support is not compiled in

Do "postfix reload" and see what Postfix version is being logged.

	Wietse
upgrade/compile options
I have a functioning install of 2.10 from rpm's on Centos7. I'm trying to upgrade the postfix to 2.11.

I don't use LDAP and I'm using Dovecot for SASL. I use TLS. Following the postfix docs and others' directions, I've tried to pick the correct compile options. Unfortunately for me RedHat/Centos doesn't appear to include the .out file I need to see how they compiled theirs.

This is the script I'm using to create the makefile and compile. The compile goes fine without any errors that I see:

make makefiles CCARGS=' -fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" - DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' AUXLIBS='- L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath, /usr/lib 64/openssl -pie -Wl,-z,relro' OPT='-O' DEBUG='-g'

But in the logs I have warnings about both TLS and SASL not being compiled in:

warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
warning: TLS has been selected, but TLS support is not compiled in

I did add this include: -I/usr/include/dovecot
in lieu of a direction to use /usr/include/sasl, which did not exist.

Can someone help me with my compile options? Do I have to keep the CYRUS parts in there, too? Figure I'm missing an option or path.

Thanks

--
View this message in context: http://postfix.1071664.n5.nabble.com/upgrade-compile-options-tp91241.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: Postfix ignoring order of smtpd_recipient_restrictions
On 11.07.2017 at 17:21, Darren Share wrote:
> Hi,
>
> I've posted this as a serverfault [1] question but had no bites so far.
>
> I am receiving about 50 rejected emails per day because there is a typo in the sending email address and it's hitting reject_unknown_sender_domain:
>
> Jul 10 12:21:31 serverb3 postfix/smtpd[6647]: NOQUEUE: reject: RCPT from smtp.correctly-spelt-domain.co.uk[X.X.X.X]: 450 4.1.8: Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
>
> I've added em...@mispelt-domain.co.uk OK to /etc/postfix/sender_access, ran postmap /etc/postfix/sender_access and restarted postfix.
>
> Despite check_sender_access hash:/etc/postfix/sender_access appearing in my smtpd_recipient_restrictions list before reject_unknown_sender_domain the emails are still being rejected for that reason.
>
> Why is this and how can I fix it?
>
> Postfix v2.11.3
>
> Output of postconf -n:
>
> smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain check_sender_access hash:/etc/postfix/sender_access reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net permit

You have 'reject_unknown_sender_domain' in 'smtpd_relay_restrictions' which is evaluated before 'smtpd_recipient_restrictions'. Note that the reject is delayed until RCPT TO.

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
http://www.postfix.org/postconf.5.html#smtpd_delay_reject

--
Alex JOST
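An added example, not part of the thread: the corrected lists that follow from Alex's answer (only the relay decision in smtpd_relay_restrictions; the sender_access lookup in smtpd_recipient_restrictions before reject_unknown_sender_domain but after reject_unauth_destination), together with two checks that flag the ordering in Darren's configuration and the riskier mistake of putting an OK-producing lookup ahead of reject_unauth_destination. The restriction and map names are the ones from Darren's postconf -n output; the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): corrected lists for the
# ordering problem Alex describes, plus two checks.  whitelist_effective flags
# the thread's symptom (check_sender_access after reject_unknown_sender_domain);
# relay_safe flags the riskier mistake of an OK-producing lookup ahead of
# reject_unauth_destination, which would let any client using a whitelisted
# sender address relay through the server.  Names are from Darren's postconf -n.
set -eu

RELAY='permit_mynetworks, reject_unauth_destination'
RECIPIENT='permit_mynetworks, reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, permit'

# position LIST NAME: 1-based index of restriction NAME in LIST, 0 if absent.
# Entries are comma and/or whitespace separated (as postconf -h prints them);
# arguments such as hash:/... or a DNSBL domain are not counted as entries.
position() {
    printf '%s\n' "$1" | tr ', \t' '\n\n\n' | awk -v want="$2" \
        '/^[a-z_]+$/ { n++; if ($0 == want) { print n; f = 1; exit } }
         END { if (!f) print 0 }'
}

# relay_safe LIST: fails when an OK-producing restriction other than
# permit_mynetworks / permit_sasl_authenticated precedes reject_unauth_destination.
relay_safe() {
    gate=$(position "$1" reject_unauth_destination)
    [ "$gate" -gt 0 ] || return 1
    for r in check_sender_access check_client_access check_helo_access permit; do
        p=$(position "$1" "$r")
        [ "$p" -eq 0 ] || [ "$p" -gt "$gate" ] || return 1
    done
}

# whitelist_effective LIST: true when check_sender_access runs before
# reject_unknown_sender_domain (or the list has no such reject), so an OK entry
# for the misspelt sender can actually override the reject.
whitelist_effective() {
    a=$(position "$1" check_sender_access)
    b=$(position "$1" reject_unknown_sender_domain)
    [ "$b" -eq 0 ] && return 0
    [ "$a" -gt 0 ] && [ "$a" -lt "$b" ] || return 1
}

case "${1-}" in
    check)   # audit the running configuration
        for p in smtpd_relay_restrictions smtpd_recipient_restrictions; do
            v=$(postconf -h "$p")
            relay_safe "$v"          || echo "$p: OK-producing entry before reject_unauth_destination"
            whitelist_effective "$v" || echo "$p: check_sender_access after reject_unknown_sender_domain"
        done ;;
    apply)   # install the corrected lists, then reload
        relay_safe "$RELAY" && relay_safe "$RECIPIENT" || exit 1
        postconf -e "smtpd_relay_restrictions = $RELAY" \
            "smtpd_recipient_restrictions = $(printf '%s' "$RECIPIENT" | tr '\n' ' ')"
        postfix reload ;;
esac
```

Run with `check` against Darren's configuration, the audit reports both lists: the relay list because check_sender_access comes after reject_unknown_sender_domain, and the recipient list because check_sender_access comes before reject_unauth_destination.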
Postfix ignoring order of smtpd_recipient_restrictions
Hi,

I've posted this as a serverfault [1] question but had no bites so far.

I am receiving about 50 rejected emails per day because there is a typo in the sending email address and it's hitting reject_unknown_sender_domain:

Jul 10 12:21:31 serverb3 postfix/smtpd[6647]: NOQUEUE: reject: RCPT from smtp.correctly-spelt-domain.co.uk[X.X.X.X]: 450 4.1.8: Sender address rejected: Domain not found; from= to= proto=ESMTP helo=

I've added em...@mispelt-domain.co.uk OK to /etc/postfix/sender_access, ran postmap /etc/postfix/sender_access and restarted postfix.

Despite check_sender_access hash:/etc/postfix/sender_access appearing in my smtpd_recipient_restrictions list before reject_unknown_sender_domain the emails are still being rejected for that reason.

Why is this and how can I fix it?

Postfix v2.11.3

Output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
disable_vrfy_command = yes
home_mailbox = Mail/
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 2048
mydestination = b3.localdomain, localhost.localdomain, localhost, /etc/postfix/bubbadomains, $myhostname
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
relayhost = smtp.gmail.com
sender_bcc_maps = hash:/etc/postfix/sender_bcc
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net permit
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain check_sender_access hash:/etc/postfix/sender_access reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org reject_rbl_client dul.dnsbl.sorbs.net permit
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

PS. I have also tried to address the root cause by contacting the owners of the domain in question and informing them. I am not holding my breath they will fix it.

Thanks.

Darren.

Links:
--
[1] https://serverfault.com/questions/861268/postfix-ignoring-order-of-smtpd-recipient-restrictions
Re: postfix + selinux - does it make sense ?
I think that Postfix is one of the most secure servers. I will stay with basic SE settings.

On Tue, Jul 11, 2017 at 1:01 PM, Wietse Venema wrote:
> Zalezny Niezalezny:
> > Hi,
> >
> > I would like to know Your opinion about selinux + postfix ?
> >
> > Does anyone use it ? Does it make sense to setup some policies for
> > postfix ?
>
> Do what you like, but I won't provide help for platform-specific
> features. Postfix is a cross-platform system.
>
> Wietse
>
Re: postfix + selinux - does it make sense ?
Zalezny Niezalezny:
> Hi,
>
> I would like to know Your opinion about selinux + postfix ?
>
> Does anyone use it ? Does it make sense to setup some policies for
> postfix ?

Do what you like, but I won't provide help for platform-specific features. Postfix is a cross-platform system.

	Wietse
Re: postfix + selinux - does it make sense ?
Dear Zalezny,

On 07/11/17 09:31, Zalezny Niezalezny wrote:
> I would like to know your opinion about selinux + postfix?
>
> Does anyone use it? Does it make sense to set up some policies for postfix?

It largely depends on your threat model, but in my opinion, as it doesn’t hurt, I would say it makes a lot of sense to set up SELinux. Especially as a basic(?) policy is already available, and depending on your setup, you only need to tune a few things.

Kind regards,

Paul

PS: As you only sent plain text, it’d be awesome if you configured your Google Mail account in a way that it doesn’t include HTML parts in the message [1].

[1] https://www.lifewire.com/how-to-send-a-message-in-plain-text-from-gmail-1171963
Re: postfix + selinux - does it make sense ?
On 11/07/17 19:31, Zalezny Niezalezny wrote:
> I would like to know Your opinion about selinux + postfix ?
>
> Does anyone use it ? Does it make sense to setup some policies for
> postfix ?

It works as well as any other software + selinux. What policies and label contexts you have to customize depend largely on your exact setup, and how people set up postfix can vary widely. I can say that I have yet to run across a setup where I had to resort to disabling selinux entirely.

Peter
postfix + selinux - does it make sense ?
Hi,

I would like to know your opinion about selinux + postfix?

Does anyone use it? Does it make sense to set up some policies for postfix?

Thanks in advance for your answers and suggestions.

Cheers
Zalezny