Re: Strange behavior Postfix 3.1.4 address verification

2017-07-27 Thread Waschl
Hello. Here is the log after disabling the reject reasons:

Jul 28 07:44:04 mail postfix/smtpd[12265]: connect from
itexchange16.itbspa.local[192.168.116.200]
Jul 28 07:44:05 mail postfix/smtpd[12265]: Anonymous TLS connection
established from itexchange16.itbspa.local[192.168.116.200]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 28 07:44:05 mail postfix/verify[12269]: cache
btree:/var/lib/postfix/verify_cache full cleanup: retained=0 dropped=0
entries
Jul 28 07:44:05 mail postfix/cleanup[12270]: 3xJd7n0QgSz110M:
message-id=<3xjd7n0qgsz1...@mail.itbspa.de>
Jul 28 07:44:05 mail postfix/qmgr[12176]: 3xJd7n0QgSz110M:
from=, size=223, nrcpt=1 (queue active)
Jul 28 07:44:05 mail postfix/smtp[12271]: Untrusted TLS connection
established to 172.18.1.11[172.18.1.11]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul 28 07:44:10 mail postfix/smtp[12271]: 3xJd7n0QgSz110M:
to=, relay=172.18.1.11[172.18.1.11]:25, delay=5.1,
delays=0/0.02/0.1/5, dsn=2.1.5, status=deliverable (250 2.1.5 Recipient OK)
Jul 28 07:44:10 mail postfix/qmgr[12176]: 3xJd7n0QgSz110M: removed
Jul 28 07:44:11 mail postgrey[789]: action=pass, reason=client whitelist,
client_name=itexchange16.itbspa.local, client_address=192.168.116.200,
sender=ebenb...@itbspa.de, recipient=j.wallin...@bspa.de
Jul 28 07:44:11 mail postfix/smtpd[12265]: NOQUEUE: reject: RCPT from
itexchange16.itbspa.local[192.168.116.200]: 450 4.1.1 :
Recipient address rejected: unverified address: Address verification in
progress; from= to= proto=ESMTP
helo=
Jul 28 07:44:11 mail postfix/smtpd[12265]: disconnect from
itexchange16.itbspa.local[192.168.116.200] ehlo=2 starttls=1 mail=1 rcpt=0/1
quit=1 commands=5/6

--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Strange-behavior-Postfix-3-1-4-address-verification-tp91564p91585.html
Sent from the Postfix Users mailing list archive at Nabble.com.


RE: Deciphering maillog transaction that resulted in reply to spammer

2017-07-27 Thread Scott Techlist
>Did you configure your content filter to send a bounce message?

Not intentionally.

>Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910:
>client=localhost[127.0.0.1]
>
>Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910:
>message-id=
>
>That is not a Postfix-generated message ID. Is that from your content
>filter?

I presume it must be, then: Amavis.

It appears as if the message gets sent through amavis;  amavis has some
trouble with it, and it comes back to postfix as a reject, then it appears
to get sent back through amavis again on its way to attempt a reject reply?

I was hoping someone would help me with a tour of the log steps of what's
handing off to what along the way.  I get the gist of what's happening, but
I'm trying to learn the details.

Or even better someone who uses amavis happens to know what I'm doing wrong.
Or if I'm trying to fix something that's not broken.


Here's my master.cf FWIW
Aside, I just noticed 2 lines starting with smtp.  Is that an error on my
part?

Thanks, Scott

submission inet  n   -   n   -   -   smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix-submission
  -o milter_macro_daemon_name=ORIGINATING
smtp-amavis unix -   -   n   -   3   smtp
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
smtp   inet  n   -   n   -   1   postscreen
smtpd  pass  -   -   n   -   -   smtpd
  -o cleanup_service_name=pre-cleanup
tlsproxy   unix  -   -   n   -   0   tlsproxy
dnsblog    unix  -   -   n   -   0   dnsblog
pickup fifo  n   -   n   60  1   pickup
  -o cleanup_service_name=pre-cleanup
pre-cleanup unix n   -   n   -   0   cleanup
  -o virtual_alias_maps=
  -o canonical_maps=
  -o sender_canonical_maps=
  -o recipient_canonical_maps=
  -o masquerade_domains=
cleanup    unix  n   -   n   -   0   cleanup
  -o mime_header_checks=
  -o nested_header_checks=
  -o body_checks=
127.0.0.1:10025 inet n   -   n   -   -   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
qmgr   unix  n   -   n   300 1   qmgr
rewrite    unix  -   -   n   -   -   trivial-rewrite
bounce unix  -   -   n   -   0   bounce
defer  unix  -   -   n   -   0   bounce
trace  unix  -   -   n   -   0   bounce
verify unix  -   -   n   -   1   verify
flush  unix  n   -   n   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
smtp   unix  -   -   n   -   -   smtp
relay  unix  -   -   n   -   -   smtp
showq  unix  n   -   n   -   -   showq
error  unix  -   -   n   -   -   error
local  unix  -   n   n   -   -   local
virtual    unix  -   n   n   -   -   virtual
lmtp   unix  -   -   n   -   -   lmtp
anvil  unix  -   -   n   -   1   anvil
scache unix  -   -   n   -   1   scache
discard    unix  -   -   n   -   -   discard
tlsmgr unix  -   -   n   1000?   1   tlsmgr
retry  unix  -   -   n   -   -   error
proxywrite unix  -   -   n   -   1   proxymap


RE: List posting question

2017-07-27 Thread Scott Techlist
>Do you have concrete evidence that the posting actually reaches the list
>host, and isn't blocked at a point closer to you?

Yes, but I figured it out.  It was right there in front of me in the
auto-reply/bounce message.  Just missed it.  Apologies for the static.


Re: Deciphering maillog transaction that resulted in reply to spammer

2017-07-27 Thread Wietse Venema
Did you configure your content filter to send a bounce message?

Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910:
client=localhost[127.0.0.1]

Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910:
message-id=

That is not a Postfix-generated message ID. Is that from your content
filter?

Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>,
size=3222, nrcpt=1 (queue active)

Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910:
to=, relay=none, delay=0.38,
delays=0.03/0/0.35/0, dsn=4.4.1, status=deferred (connect to
mail.preal.us[5.133.8.185]:25: Connection refused


Wietse


Re: List posting question

2017-07-27 Thread Wietse Venema
techlist06:
> I'm trying to post: a question, a copy of 20 lines or so of a maillog, and
> the output of postconf -n .
> 
> The list does not seem to be accepting it.  Maybe because the log has some
> IP's and an address of a spammer?  What should I do to sanitize it so it
> will post?  Not sure what's triggering the block.  I tried posting it from
> my server and from nabble.com as well.  Nabble stays at "...not accepted
> yet"

Do you have concrete evidence that the posting actually reaches the
list host, and isn't blocked at a point closer to you?

Wietse


Deciphering maillog transaction that resulted in reply to spammer

2017-07-27 Thread Scott Techlist
Postfix 3.2.2, CentOS 7, amavisd, clamav

Upgrading my server, and recently migrated one of my older domains that gets
more spam.  When checking my mail queue I saw a few deferred messages to
addresses that alarmed me.  I had a moment of panic thinking maybe I had
configured something allowing a relay.  Looked and decided I was OK there
but I want to understand what caused these deferred messages.  I figure I
have something set wrong that allowed it in the first place.  I *think* it's
a bounce where I would not want a bounce.

Can someone help me follow/decode this sample transaction?  (apologies for
the wrapping, copied/pasted out of putty).  My comments of the pieces I
think I "get" are in-line:

Sanitized:
myu...@userdomain.org - target recipient
mail1.myserver - the server
pp.pp.pp.pp and ss.ss.ss.ss - primary and secondary IPs of the box.

> spammer connects
Jul 26 19:05:48 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:44150 to [pp.pp.pp.pp]:25

> apparently passes postscreen, gets 450 "greylisted" due to after-220
> checks

Jul 26 19:05:55 mail1 postfix/postscreen[11080]: NOQUEUE: reject: RCPT from [5.133.8.185]:44150: 450 4.3.2 Service currently unavailable; from=, to=, proto=ESMTP, helo=

> added to temp whitelist, disconnect

Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS NEW [5.133.8.185]:44150
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: DISCONNECT [5.133.8.185]:44150

> reconnects to secondary IP and is passed due to previous PASS
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: CONNECT from [5.133.8.185]:33753 to [ss.ss.ss.ss]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS OLD [5.133.8.185]:33753

> the rest, and why there was a reply to spammer attempt is fuzzy to me:

Jul 26 19:05:56 mail1 postfix/smtpd[11088]: warning: hostname accept.rootp.us does not resolve to address 5.133.8.185: Name or service not known
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]

Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02: message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20170726T133617-05520-rH4yYe3A:  ->  SIZE=6760 BODY=8BITMIME RET=HDRS Received: from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for ; Wed, 26 Jul 2017 19:05:57 -0500 (CDT)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad [5.133.8.185]  ->
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) WARN: MIME::Parser error: unexpected end of header; ; error: couldn't parse head; error near:; ; ; error: part did not end with expected boundary; ; error: unexpected end of parts before epilogue
Jul 26 19:05:57 mail1 clamd[788]: SelfCheck: Database status OK.
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: connect from localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910: message-id=
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> , ENVID=am.walip0zshz9c.20170727t0005...@mail1.myserver.com BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0 {BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185]  -> , Queue-ID: E58673D02, Message-ID: <5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>, mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
Jul 26 19:05:57 mail1 postfix/smtpd[11088]: disconnect from unknown[5.133.8.185] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 postfix/smtp[11064]: connect to mail.preal.us[5.133.8.185]:25: Connection refused
Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910: to=,
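The queue-ID walk Scott asks for, as an added example (not code from this thread or from Postfix/amavisd-new): it parses syslog lines of the shape shown above, links the original message E58673D02 to the DSN 67FB13910 that amavis handed back through the task id 05520-17 (which appears both in the "status=sent (... id=05520-17, BOUNCE)" line and in the amavis "queued as 67FB13910" line), and flags a filter-generated bounce from the null sender that is addressed back out. The sample log is constructed from the lines above, with the addresses the post elided replaced by placeholders under the reserved .invalid TLD.

```python
"""Walk a Postfix + amavisd-new transaction through the mail log by queue ID."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log; the addresses the post
# elided are replaced with placeholders under the reserved .invalid TLD.
SAMPLE_LOG = """\
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<sender@pearls.example.invalid>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad) SEND from <> -> <sender@pearls.example.invalid>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<myuser@userdomain.example.invalid>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
Jul 26 19:05:57 mail1 postfix/smtp[11064]: 67FB13910: to=<sender@pearls.example.invalid>, relay=none, delay=0.38, delays=0.03/0/0.35/0, dsn=4.4.1, status=deferred (connect to mail.preal.us[5.133.8.185]:25: Connection refused)
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# short (uppercase hex) or long (base-52, 12+ chars) Postfix queue IDs;
# "NOQUEUE:" and "warning:" prefixes match neither alternative
QID = r"(?P<qid>[0-9A-F]{6,}|[0-9A-Za-z]{12,})"
QID_RE = re.compile(r"^" + QID + r": (?P<rest>.*)$")
QUEUED_AS_RE = re.compile(r"queued as " + QID)
AMAVIS_RE = re.compile(r"^\((?P<task>\d+-\d+)\) ")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")


def parse_line(line):
    """Split one syslog line; Postfix queue-ID lines get 'qid' plus a dict of
    their key=value pairs (angle brackets stripped), amavis lines their task id."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ev = m.groupdict()
    ev.update(qid=None, task=None, kv={})
    q = QID_RE.match(ev["msg"])
    if q:
        ev["qid"] = q.group("qid")
        ev["kv"] = {k: v.strip("<>") for k, v in KV_RE.findall(q.group("rest"))}
    a = AMAVIS_RE.match(ev["msg"])
    if a:
        ev["task"] = a.group("task")
    return ev


def group_events(log_text):
    """Index parsed events by Postfix queue ID and by amavis task ID."""
    by_qid, by_task = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["qid"]:
            by_qid[ev["qid"]].append(ev)
        if ev and ev["task"]:
            by_task[ev["task"]].append(ev)
    return by_qid, by_task


def link_filter_children(by_qid, by_task):
    """Map original queue ID -> (amavis task, queue ID of what amavis handed
    back): the task id is in the parent's smtp delivery status ("id=05520-17")
    and in the amavis SEND line that says "queued as <child>"."""
    links = {}
    for qid, events in by_qid.items():
        for ev in events:
            task = ev["kv"].get("id")
            if ev["prog"] != "postfix/smtp" or not task:
                continue
            for aev in by_task.get(task, []):
                m = QUEUED_AS_RE.search(aev["msg"])
                if m:
                    links[qid] = (task, m.group("qid"))
    return links


def find_filter_bounces(log_text):
    """Flag messages the content filter answered with its own DSN: the child
    arrives from localhost with the null sender and is addressed back out."""
    by_qid, by_task = group_events(log_text)
    findings = []
    for parent, (task, child) in link_filter_children(by_qid, by_task).items():
        pkv, ckv = {}, {}
        for ev in by_qid[parent]:
            pkv.update(ev["kv"])
        for ev in by_qid.get(child, []):
            ckv.update(ev["kv"])
        if ckv.get("from") == "" and ckv.get("client", "").startswith("localhost"):
            findings.append({"original": parent, "bounce": child, "filter_task": task,
                             "original_client": pkv.get("client"),
                             "bounce_to": ckv.get("to"), "bounce_status": ckv.get("status")})
    return findings


def timeline(log_text, qid):
    """Hand-off steps for one queue ID, following into the filter's child."""
    by_qid, by_task = group_events(log_text)
    steps = [f"{e['prog']}: {e['msg']}" for e in by_qid.get(qid, [])]
    link = link_filter_children(by_qid, by_task).get(qid)
    if link:
        task, child = link
        steps += [f"{e['prog']}: {e['msg']}" for e in by_task.get(task, [])]
        steps += [f"{e['prog']}: {e['msg']}" for e in by_qid.get(child, [])]
    return steps


if __name__ == "__main__":
    for step in timeline(SAMPLE_LOG, "E58673D02"):
        print(step)
    for f in find_filter_bounces(SAMPLE_LOG):
        print(f"filter bounce {f['bounce']} for {f['original']} from "
              f"{f['original_client']} -> {f['bounce_to']} ({f['bounce_status']})")
```

Run it against a real mail.log by reading the file into `timeline()` with the queue ID from `mailq`; a finding whose original client is an outside host and whose bounce is addressed off-box is the pattern Wietse's reply points at.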

Re: Migrating 2.11 to 3.2

2017-07-27 Thread Peter
On 28/07/17 08:31, Nikolaos Milas wrote:
> Yep, I know; As I've mentioned, I prefer to build against ltb openldap,
> which has proved to be well-updated and trustworthy.

Ok, I prefer to stick to stock CentOS packages where I can and do so as
a policy to avoid too many 3rd-party deps.

> [I must pay my respect to GhettoForge who are providing reliable updated
> packages for numerous software projects.]

Thank you.

> Interestingly, I've also noticed that postfix binaries are built against
> original mysql, although CentOS 7 now uses mariadb as standard.

They're built against whatever is provided by mysql-devel, in CentOS 6
that's mysql, in CentOS 7 that's MariaDB:

1:mariadb-devel-5.5.52-1.el7.x86_64 : Files for development of
MariaDB/MySQL applications
Repo: base
Matched from:
Provides: mysql-devel = 1:5.5.52-1.el7

> I've tried switching the dependency to mariadb instead, and building
> using mariadb works fine as well.

Yes, because you're actually building against MariaDB either way and the
exact same packages.

> Is there a particular reason why mysql is used in the spec file rather
> than mariadb (both in the GhettoForge and in the Oostergo versions)?

Two reasons:  I use the same spec to build for CentOS 6 and CentOS 7;
since mysql-devel pulls in mariadb-devel in CentOS 7 anyway, there is
no reason to special-case it in the spec.

The second reason is that the spec file is historic, in that it was
originally from older Fedora, and then CentOS versions and continually
updated to keep up with what's new.  There is no real reason to change
the requirement at this stage since it works just fine the way it is.
That said, I might change it in 2020 once CentOS 6 goes EOL.

> I am still wondering about the possible cause of the startup problem I
> faced.

I can't say for sure, but it looks to be permissions-related to me.  It
might have to do with the way you built and subsequently installed
postfix, or it might be an selinux issue that simply isn't present in
the GhettoForge packages (assuming you haven't disabled selinux).


Peter


List posting question

2017-07-27 Thread techlist06
I'm trying to post: a question, a copy of 20 lines or so of a maillog, and
the output of postconf -n .

The list does not seem to be accepting it.  Maybe because the log has some
IP's and an address of a spammer?  What should I do to sanitize it so it
will post?  Not sure what's triggering the block.  I tried posting it from
my server and from nabble.com as well.  Nabble stays at "...not accepted
yet"

Thanks, Scott


--
View this message in context: 
http://postfix.1071664.n5.nabble.com/List-posting-question-tp91580.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Nikolaos Milas

On 27/7/2017 10:45 μμ, Peter wrote:

> You don't have to actually rebuild the src.rpms, although you certainly
> can if you want.  There are binary rpms you can just install as per the
> directions at:
>
> http://ghettoforge.org/index.php/Postfix3

Yep, I know; As I've mentioned, I prefer to build against ltb openldap,
which has proved to be well-updated and trustworthy.

[Additionally, I like to maintain my (slight) rpm-build know-how; it has
been very useful in various occasions.]

[I must pay my respect to GhettoForge who are providing reliable updated
packages for numerous software projects.]

Interestingly, I've also noticed that postfix binaries are built against
original mysql, although CentOS 7 now uses mariadb as standard.

I've tried switching the dependency to mariadb instead, and building
using mariadb works fine as well.

Is there a particular reason why mysql is used in the spec file rather
than mariadb (both in the GhettoForge and in the Oostergo versions)?

> The main thing to be concerned about here is the possibility of
> different versions of the compiled Berkeley db files.  Simply re-running
> postmap on the source files should correct those issues.

I haven't noticed any such issues, but I'll keep an eye out for possible
problems.

My concern was that by switching the whole directory I might have missed
some files that may have been needed, although I did not notice any such
files (by comparing the content of the /etc/postfix/ directories on the
two servers) when I tried to resolve the issue.

I am still wondering about the possible cause of the startup problem I
faced.


Cheers,
Nick



Re: Migrating 2.11 to 3.2

2017-07-27 Thread Peter
On 28/07/17 01:51, Nikolaos Milas wrote:
> On 27/7/2017 1:50 μμ, Peter wrote:
> 
>>> http://ghettoforge.org/index.php/Packages
>> Right, that one is highly recommended, much better than attempting to
>> install from source.
> 
> OK, I followed your advice and I rebuilt the rpm(s) using:
>   
> http://mirror.ghettoforge.org/distributions/gf/el/7Server/plus/SRPMS/postfix3-3.2.2-4.gf.el7.src.rpm

You don't have to actually rebuild the src.rpms, although you certainly
can if you want.  There are binary rpms you can just install as per the
directions at:

http://ghettoforge.org/index.php/Postfix3

> It may have been wrong from my side to simply replace the whole
> /etc/postfix/ directory with the one from the original server (as I
> initially did). This time I have been more cautious (as I explained above).

The main thing to be concerned about here is the possibility of
different versions of the compiled Berkeley db files.  Simply re-running
postmap on the source files should correct those issues.


Peter


Re: Strange behavior Postfix 3.1.4 address verification

2017-07-27 Thread Wietse Venema
> unverified_recipient_reject_reason = User unknown
> unverified_sender_reject_reason = User unknown

Please disable these two settings, for example:

$ postconf -# unverified_recipient_reject_reason unverified_sender_reject_reason
$ postfix reload

and report the logs of the problem with these settings.

I need to know the true reason why the request is rejected,
not the text that you configured in main.cf.

Wietse


Re: Change gateway on bounce

2017-07-27 Thread Matthew McGehrin

Peter,

As of Postfix 2.3 you can use smtp_fallback_relay.

http://www.postfix.org/postconf.5.html#smtp_fallback_relay
Optional list of relay hosts for SMTP destinations that can't be found 
or that are unreachable. With Postfix 2.2 and earlier this parameter is 
called fallback_relay.


-- Matthew


Peter wrote:

> Hey guys,
>
> I have been thinking if postfix has capability to forward a bounced
> email to another server. I know I can relay emails using transport but
> can I relay (retry) an email from a different server? Let's say the
> target server says 'blacklisted' and I'd just forward that email to
> another server so it's sent out from there?
>
> Cheers,
> Peter



Re: Strange behavior Postfix 3.1.4 address verification

2017-07-27 Thread Waschl
postconf -Mf:

smtp   inet  n   -   y   -   1   postscreen
smtpd  pass  -   -   y   -   -   smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o smtpd_client_connection_count_limit=20
-o smtpd_proxy_options=speed_adjust
dnsblog    unix  -   -   y   -   0   dnsblog
tlsproxy   unix  -   -   y   -   0   tlsproxy
pickup unix  n   -   n   60  1   pickup
cleanup    unix  n   -   n   -   0   cleanup
qmgr   unix  n   -   n   300 1   qmgr
tlsmgr unix  -   -   n   1000?   1   tlsmgr
rewrite    unix  -   -   n   -   -   trivial-rewrite
bounce unix  -   -   n   -   0   bounce
defer  unix  -   -   n   -   0   bounce
trace  unix  -   -   n   -   0   bounce
verify unix  -   -   n   -   1   verify
flush  unix  n   -   n   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp   unix  -   -   n   -   -   smtp
relay  unix  -   -   n   -   -   smtp
showq  unix  n   -   n   -   -   showq
error  unix  -   -   n   -   -   error
retry  unix  -   -   n   -   -   error
discard    unix  -   -   n   -   -   discard
local  unix  -   n   n   -   -   local
virtual    unix  -   n   n   -   -   virtual
lmtp   unix  -   -   n   -   -   lmtp
anvil  unix  -   -   n   -   1   anvil
scache unix  -   -   n   -   1   scache
maildrop   unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp   unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp  unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -   n   n   -   -   pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_proxy_filter=127.0.0.1:10026
-o smtpd_client_connection_count_limit=20
-o smtpd_proxy_options=speed_adjust
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=$submission_recipient_restrictions
dovecot    unix  -   n   n   -   -   pipe
  flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
127.0.0.1:10025 inet n   -   n   -   -   smtpd
-o syslog_name=postfix/10025
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_tls_security_level=none
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_end_of_data_restrictions=
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

postconf -n:

address_verify_positive_expire_time = 7d
address_verify_positive_refresh_time = 1d
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
bounce_queue_lifetime = 4h
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 1h
disable_vrfy_command = yes

Re: Strange behavior Postfix 3.1.4 address verification

2017-07-27 Thread Wietse Venema
Waschl:
> Hello,
> 
> first the logs:
> 
> Jul 27 12:52:46 mail postfix/smtpd[4341]: connect from
> itexchange16.itbspa.local[192.168.116.200]
> Jul 27 12:52:46 mail postfix/smtpd[4341]: Anonymous TLS connection
> established from itexchange16.itbspa.local[192.168.116.200]: TLSv1.2 with
> cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> Jul 27 12:52:46 mail postfix/cleanup[4345]: 3xJ82Q6ycVzyp9:
> message-id=<3xj82q6ycvz...@mail.itbspa.de>
> Jul 27 12:52:46 mail postfix/qmgr[4150]: 3xJ82Q6ycVzyp9:
> from=, size=221, nrcpt=1 (queue active)
> Jul 27 12:52:47 mail postfix/smtp[4346]: Untrusted TLS connection
> established to 172.18.1.11[172.18.1.11]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-SHA384 (256/256 bits)
> Jul 27 12:52:52 mail postfix/smtp[4346]: 3xJ82Q6ycVzyp9:
> to=, relay=172.18.1.11[172.18.1.11]:25, delay=5.1,
> delays=0/0.02/0.1/5, dsn=2.1.5, status=deliverable (250 2.1.5 Recipient OK)
> Jul 27 12:52:52 mail postfix/qmgr[4150]: 3xJ82Q6ycVzyp9: removed
> Jul 27 12:52:52 mail postgrey[705]: action=pass, reason=client whitelist,
> client_name=itexchange16.itbspa.local, client_address=192.168.116.200,
> sender=ebenb...@itbspa.de, recipient=j.wallin...@bspa.de
> Jul 27 12:52:52 mail postfix/smtpd[4341]: NOQUEUE: reject: RCPT from
> itexchange16.itbspa.local[192.168.116.200]: 450 4.1.1 :
> Recipient address rejected: unverified address: User unknown;
> from= to= proto=ESMTP
> helo=
> Jul 27 12:52:52 mail postfix/smtpd[4341]: disconnect from
> itexchange16.itbspa.local[192.168.116.200] ehlo=2 starttls=1 mail=1 rcpt=0/1
> quit=1 commands=5/6
> 
> The strange thing is that the verification probe is all lowercase while the
> mail address has two uppercase letters. The verification probe is successful
> but the recipient gets rejected. Test with mail address in lowercase works.
> Before with Postfix 2.11 everything was fine. Now I have a new mailserver
> with Postfix 3.1.4 that acts like described.
> 
> Hope someone can help me... 

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.

In particular, note the request for configuration information.  Do
not cut and paste from files; use 'postconf' command output instead.

Wietse


Re: Change gateway on bounce

2017-07-27 Thread Viktor Dukhovni

> On Jul 27, 2017, at 11:17 AM, Peter  wrote:
> 
> I have been thinking if postfix has capability to forward a bounced email to 
> another server. I know I can relay emails using transport but can I relay 
> (retry) an email from a different server? Let's say the target server says 
> 'blacklisted' and I'd just forward that email to another server so it's sent 
> out from there?

Yes, but if that server only sends originally refused mail, its "reputation" 
will be terrible and pretty soon all of its mail will be rejected too.

Best to just go with "no means no".  If you're sending mail the provider's 
users don't want, don't try to sneak past their filters.  If the recipients do 
want the mail, work with the receiving system's postmaster to resolve the issue.

-- 
Viktor.



Change gateway on bounce

2017-07-27 Thread Peter
Hey guys,

I have been thinking if postfix has capability to forward a bounced email to 
another server. I know I can relay emails using transport but can I relay 
(retry) an email from a different server? Let's say the target server says 
'blacklisted' and I'd just forward that email to another server so it's sent 
out from there?
Cheers,
Peter



Re: Protecting mail addresses using check_sasl_access

2017-07-27 Thread Nikolaos Milas

On 26/7/2017 2:09 μμ, Nikolaos Milas wrote:

> Can you please confirm that this is a valid configuration?

In the meantime I tested this configuration and it does work fine (as I
expected)!

> Any other suggestions, pitfalls and/or comments?

I surely appreciate any suggestions, pitfalls and/or comments on this
approach!


Cheers,
Nick



Re: Migrating 2.11 to 3.2

2017-07-27 Thread Nikolaos Milas

On 27/7/2017 1:50 μμ, Peter wrote:

>> http://ghettoforge.org/index.php/Packages
>
> Right, that one is highly recommended, much better than attempting to
> install from source.

OK, I followed your advice and I rebuilt the rpm(s) using:

   http://mirror.ghettoforge.org/distributions/gf/el/7Server/plus/SRPMS/postfix3-3.2.2-4.gf.el7.src.rpm

I uninstalled postfix and re-installed using the new builds; then I 
copied the migrated (simply transferred from the original server) custom 
config files to the new config directory (/etc/postfix/).


Postfix started fine this time. Things appear running smoothly until now.

It may have been wrong from my side to simply replace the whole 
/etc/postfix/ directory with the one from the original server (as I 
initially did). This time I have been more cautious (as I explained above).


Thanks,
Nick


Strange behavior Postfix 3.1.4 address verification

2017-07-27 Thread Waschl
Hello,

first the logs:

Jul 27 12:52:46 mail postfix/smtpd[4341]: connect from
itexchange16.itbspa.local[192.168.116.200]
Jul 27 12:52:46 mail postfix/smtpd[4341]: Anonymous TLS connection
established from itexchange16.itbspa.local[192.168.116.200]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 27 12:52:46 mail postfix/cleanup[4345]: 3xJ82Q6ycVzyp9:
message-id=<3xj82q6ycvz...@mail.itbspa.de>
Jul 27 12:52:46 mail postfix/qmgr[4150]: 3xJ82Q6ycVzyp9:
from=, size=221, nrcpt=1 (queue active)
Jul 27 12:52:47 mail postfix/smtp[4346]: Untrusted TLS connection
established to 172.18.1.11[172.18.1.11]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits)
Jul 27 12:52:52 mail postfix/smtp[4346]: 3xJ82Q6ycVzyp9:
to=, relay=172.18.1.11[172.18.1.11]:25, delay=5.1,
delays=0/0.02/0.1/5, dsn=2.1.5, status=deliverable (250 2.1.5 Recipient OK)
Jul 27 12:52:52 mail postfix/qmgr[4150]: 3xJ82Q6ycVzyp9: removed
Jul 27 12:52:52 mail postgrey[705]: action=pass, reason=client whitelist,
client_name=itexchange16.itbspa.local, client_address=192.168.116.200,
sender=ebenb...@itbspa.de, recipient=j.wallin...@bspa.de
Jul 27 12:52:52 mail postfix/smtpd[4341]: NOQUEUE: reject: RCPT from
itexchange16.itbspa.local[192.168.116.200]: 450 4.1.1 :
Recipient address rejected: unverified address: User unknown;
from= to= proto=ESMTP
helo=
Jul 27 12:52:52 mail postfix/smtpd[4341]: disconnect from
itexchange16.itbspa.local[192.168.116.200] ehlo=2 starttls=1 mail=1 rcpt=0/1
quit=1 commands=5/6

The strange thing is that the verification probe is all lowercase while the
mail address has two uppercase letters. The verification probe is successful
but the recipient gets rejected. Test with mail address in lowercase works.
Before with Postfix 2.11 everything was fine. Now I have a new mailserver
with Postfix 3.1.4 that acts like described.

Hope someone can help me... 



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Strange-behavior-Postfix-3-1-4-address-verification-tp91564.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Nikolaos Milas

On 27/7/2017 1:02 μμ, Pinter Tibor wrote:

> # rpm -ql postfix | grep files
> /usr/libexec/postfix/postfix-files


Thank you all for your responses. Please see below:

   # rpm -ql postfix | grep files
   /usr/share/postfix/postfix-files

   rpm -qa postfix | grep postfix
   postfix-3.2.2-2.el7.centos.appletech.x86_64

I've built postfix myself, using:

   http://repos.oostergo.net/7/SRPMS/postfix-3.2.2-1.el7.centos.src.rpm

having adapted it slightly to get built using the ltb openldap libraries 
(see https://ltb-project.org/download) which I use on all my systems for 
years.


Postfix worked fine after the package installation (with the default 
config); However it presents this problem when I try to start it with 
the config I copied from the initial server.


Any suggestions on how to correct things without having to rebuild the 
software?


Cheers,
Nick


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Peter
On 27/07/17 22:44, Postfix User wrote:
> You might try one of these URLs:
> 
> http://ghettoforge.org/index.php/Packages

Right, that one is highly recommended, much better than attempting to
install from source.

Once again, though, I'd like to know where the OP got his postfix from,
I get the feeling he installed it from source directly.


Peter


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Postfix User
On Thu, 27 Jul 2017 22:20:36 +1200, Peter stated:

>On 27/07/17 21:54, Nikolaos Milas wrote:
>> Hello,
>> 
>> We are moving to a new (virtual) server (from CentOS 5 with Postfix
>> 2.11.6 to CentOS 7 with Postfix 3.2.2).  
>
>Where did you get Postfix 3.2 from?
>
>
>Peter


You might try one of these URLs:

http://ghettoforge.org/index.php/Packages

ftp://ftp.reverse.net/pub/postfix/index.html

-- 
Jerry


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Peter
On 27/07/17 21:54, Nikolaos Milas wrote:
> Hello,
> 
> We are moving to a new (virtual) server (from CentOS 5 with Postfix
> 2.11.6 to CentOS 7 with Postfix 3.2.2).

Where did you get Postfix 3.2 from?


Peter


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Pinter Tibor



On 07/27/2017 11:59 AM, Paul Menzel wrote:

Dear Nikolaos,


On 07/27/17 11:54, Nikolaos Milas wrote:

We are moving to a new (virtual) server (from CentOS 5 with Postfix 
2.11.6 to CentOS 7 with Postfix 3.2.2).


I have moved the original configuration to the new server and Postfix 
won't start; I am getting:


# systemctl status postfix
  postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; 
vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2017-07-27 12:25:14 
EEST; 12min ago
   Process: 21895 ExecStart=/usr/sbin/postfix start (code=exited, 
status=1/FAILURE)
   Process: 21893 ExecStartPre=/usr/libexec/postfix/chroot-update 
(code=exited, status=0/SUCCESS)
   Process: 21890 ExecStartPre=/usr/libexec/postfix/aliasesdb 
(code=exited, status=0/SUCCESS)

  Main PID: 14815 (code=killed, signal=TERM)

Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: 
/usr/libexec/postfix/post-install: Error: /etc/postfix/postfix-files 
is not a file.
Jul 27 12:25:12 vmail2.noa.gr postfix/postfix-script[21913]: fatal: 
unable to create missing queue directories
Jul 27 12:25:13 vmail2.noa.gr postfix/postfix-script[21914]: fatal: 
Postfix integrity check failed!
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: postfix.service: control 
process exited, code=exited status=1
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: Failed to start Postfix 
Mail Transport Agent.
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: Unit postfix.service 
entered failed state.

Jul 27 12:25:14 vmail2.noa.gr systemd[1]: postfix.service failed.

I also tried:

# /usr/libexec/postfix/post-install create-missing
postconf: warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600

/usr/libexec/postfix/post-install: Error: /postfix-files is not a file.

Can you please let me know what may be the issue here?


Please post the output of the commands below.

```
$ ls -l /etc/postfix/
$ file /etc/postfix/postfix-files
```

[…]


Kind regards,

Paul

# rpm -ql postfix | grep files
/usr/libexec/postfix/postfix-files

t


Re: Migrating 2.11 to 3.2

2017-07-27 Thread Paul Menzel

Dear Nikolaos,


On 07/27/17 11:54, Nikolaos Milas wrote:

We are moving to a new (virtual) server (from CentOS 5 with Postfix 
2.11.6 to CentOS 7 with Postfix 3.2.2).


I have moved the original configuration to the new server and Postfix 
won't start; I am getting:


# systemctl status postfix
  postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; 
vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2017-07-27 12:25:14 
EEST; 12min ago
   Process: 21895 ExecStart=/usr/sbin/postfix start (code=exited, 
status=1/FAILURE)
   Process: 21893 ExecStartPre=/usr/libexec/postfix/chroot-update 
(code=exited, status=0/SUCCESS)
   Process: 21890 ExecStartPre=/usr/libexec/postfix/aliasesdb 
(code=exited, status=0/SUCCESS)

  Main PID: 14815 (code=killed, signal=TERM)

Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: 
/usr/libexec/postfix/post-install: Error: /etc/postfix/postfix-files is 
not a file.
Jul 27 12:25:12 vmail2.noa.gr postfix/postfix-script[21913]: fatal: 
unable to create missing queue directories
Jul 27 12:25:13 vmail2.noa.gr postfix/postfix-script[21914]: fatal: 
Postfix integrity check failed!
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: postfix.service: control 
process exited, code=exited status=1
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: Failed to start Postfix Mail 
Transport Agent.
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: Unit postfix.service entered 
failed state.

Jul 27 12:25:14 vmail2.noa.gr systemd[1]: postfix.service failed.

I also tried:

# /usr/libexec/postfix/post-install create-missing
postconf: warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600

/usr/libexec/postfix/post-install: Error: /postfix-files is not a file.

Can you please let me know what may be the issue here?


Please post the output of the commands below.

```
$ ls -l /etc/postfix/
$ file /etc/postfix/postfix-files
```

[…]


Kind regards,

Paul


Migrating 2.11 to 3.2

2017-07-27 Thread Nikolaos Milas

Hello,

We are moving to a new (virtual) server (from CentOS 5 with Postfix 
2.11.6 to CentOS 7 with Postfix 3.2.2).


I have moved the original configuration to the new server and Postfix 
won't start; I am getting:


# systemctl status postfix
 postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; 
vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-07-27 12:25:14 
EEST; 12min ago
  Process: 21895 ExecStart=/usr/sbin/postfix start (code=exited, 
status=1/FAILURE)
  Process: 21893 ExecStartPre=/usr/libexec/postfix/chroot-update 
(code=exited, status=0/SUCCESS)
  Process: 21890 ExecStartPre=/usr/libexec/postfix/aliasesdb 
(code=exited, status=0/SUCCESS)

 Main PID: 14815 (code=killed, signal=TERM)

Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: /usr/sbin/postconf: 
warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600
Jul 27 12:25:12 vmail2.noa.gr postfix[21895]: 
/usr/libexec/postfix/post-install: Error: /etc/postfix/postfix-files is 
not a file.
Jul 27 12:25:12 vmail2.noa.gr postfix/postfix-script[21913]: fatal: 
unable to create missing queue directories
Jul 27 12:25:13 vmail2.noa.gr postfix/postfix-script[21914]: fatal: 
Postfix integrity check failed!
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: postfix.service: control 
process exited, code=exited status=1
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: Failed to start Postfix Mail 
Transport Agent.
Jul 27 12:25:14 vmail2.noa.gr systemd[1]: Unit postfix.service entered 
failed state.

Jul 27 12:25:14 vmail2.noa.gr systemd[1]: postfix.service failed.

I also tried:

# /usr/libexec/postfix/post-install create-missing
postconf: warning: /etc/postfix/main.cf: unused parameter: 
127.0.0.1:10040_time_limit=3600

/usr/libexec/postfix/post-install: Error: /postfix-files is not a file.

Can you please let me know what may be the issue here?

I have checked the queue directory: /var/spool/postfix/ and I don't see 
anything different between the two installations.


Here are my config details:

# postconf -n
alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
allowed_gein = check_client_access cidr:/etc/postfix/gein_admin_ips.cidr,reject
allowed_iaasars = check_client_access cidr:/etc/postfix/iaasars_admin_ips.cidr,reject
allowed_list1 = check_sasl_access hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = permit_mynetworks,reject
allowed_meteo = check_client_access cidr:/etc/postfix/meteo_admin_ips.cidr,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
dovecot_destination_recipient_limit = 1
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = NOA Mail Srv XAPITI XPICTOY
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, [2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access cidr:/etc/postfix/postfwdpolicy.cidr
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = 
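
A layout check for the failure reported in this thread, added here as an example; it is not code from the thread or from the Postfix distribution. On Postfix 3.x, post-install reads postfix-files from $meta_directory, which defaults to $config_directory, while a main.cf carried over from 2.11 sets no meta_directory at all; the error "/etc/postfix/postfix-files is not a file" above is what that default produces when the package keeps the file elsewhere (the replies in this thread show it under /usr/libexec/postfix and /usr/share/postfix). The script asks postconf where Postfix thinks the file is, tests that directory, and lists where it actually exists. The function names, the probed directories and the constructed directories used for testing are this example's assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a Postfix 3.x file layout after a main.cf
# has been copied in from an older host.
#
# Background (Postfix 3.0+): `postfix start` (and `postfix check`) runs
# post-install, which reads $meta_directory/postfix-files. With no
# meta_directory in main.cf the default is $config_directory, i.e.
# /etc/postfix/postfix-files, and post-install fails with
# "Error: /etc/postfix/postfix-files is not a file" when the package
# installed the file somewhere else.

# check_postfix_files DIR
# Returns 0 when DIR/postfix-files is a regular file, 1 otherwise.
# An empty DIR reproduces the "/postfix-files is not a file" message
# seen when post-install is run by hand without its environment.
check_postfix_files() {
    dir=${1%/}
    if [ -f "$dir/postfix-files" ]; then
        echo "ok: $dir/postfix-files"
        return 0
    fi
    echo "MISSING: $dir/postfix-files is not a file"
    return 1
}

# find_postfix_files [ROOT]
# Prints every directory under ROOT (default /) holding a postfix-files
# file, probing the three package locations mentioned in this thread.
find_postfix_files() {
    root=${1:-/}
    root=${root%/}
    for dir in "$root/etc/postfix" "$root/usr/libexec/postfix" "$root/usr/share/postfix"; do
        if [ -f "$dir/postfix-files" ]; then
            echo "$dir"
        fi
    done
    return 0
}

# layout_report META_DIR [ROOT]
# Compares where main.cf sends post-install (META_DIR) with where the
# file really is. META_DIR is passed explicitly so the function can be
# exercised on a constructed tree without a running Postfix.
layout_report() {
    meta_dir=$1
    root=${2:-/}
    if check_postfix_files "$meta_dir"; then
        return 0
    fi
    echo "postfix-files found under:"
    find_postfix_files "$root" | sed 's/^/  /'
    echo "hint: main.cf meta_directory should name one of these directories"
    return 1
}

# Stand-alone use on a real host: ask postconf for the effective values.
if command -v postconf >/dev/null 2>&1; then
    echo "config_directory = $(postconf -h config_directory)"
    echo "meta_directory   = $(postconf -h meta_directory)"
    layout_report "$(postconf -h meta_directory)" / || echo "layout check FAILED"
fi
```

Run it on the new server as root; a failing report together with a single "found under" line tells you which directory the 3.2.2 package expects meta_directory to point at. The thread itself does not reach a conclusion; the reading of the error encoded here is that of this added example.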

Re: Use 1 TLS certificate for multiple domains

2017-07-27 Thread Z3us Linux
Thank you Viktor!
Totally clear to me now.

Greetings

2017-07-26 16:43 GMT+02:00 Viktor Dukhovni :

>
> > On Jul 26, 2017, at 6:01 AM, Z3us Linux  wrote:
> >
> > I'm running Postfix with MailScanner as a spamfilter for multiple
> domains/customers.
> > Is it possible to create a TLS configuration to force encryption for a
> set of domains with one SSL certificate for the FQDN of the mailserver?
>
> Deploying an RSA 2048-bit key and matching certificate is generally
> sufficient to allow clients that support SMTP STARTTLS to employ
> opportunistic TLS.  See:
>
> http://www.postfix.org/TLS_README.html#quick-start
> AND http://www.postfix.org/postfix-tls.1.html
>
> > The MX-records of the hosted domains are pointing to my mailserver
> > and my mailserver is forwarding the mail to the destination mailserver
> > of the customer.
>
> Generate a certificate whose DNS subject alternative name is the DNS
> name of your MX host as it appears in the MX records of the customer
> domains.
>
> > Does the SSL certificate need to contain the domainnames of the
> > destination domains?
>
> A few broken senders aside, opportunistic TLS in SMTP does not
> validate the server certificate, and it makes little difference
> whether the certificate has a matching name, is "expired" or
> issued by a CA trusted by the sending SMTP client.
>
> That said, you should generally try to make your certificate
> broadly interoperable, and avoid leaving "expired" certificates
> in place, or not having the MX hostname as a DNS subject alternative
> name.  However, you may, and often should, employ your own CA, which
> will not be known to the sender.
>
> > Or is the FQDN of the active mailserver enough for good encryption?
>
> Some SMTP servers have no names in their certificate at all.  See
> below my signature for an example.  It is not necessarily a good
> idea to have such a minimal certificate, but it does interoperate
> with the vast majority of sending clients.  The 1000-year lifetime
> is especially "cute"; the administrator of the server in question
> truly understands that with opportunistic TLS only the public key
> matters, and the certificate is largely devoid of any extraneous
> information.
>
> --
> Viktor.
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> c3:26:2b:13:ca:b1:36:72
> Signature Algorithm: sha256WithRSAEncryption
> Issuer:
> Validity
> Not Before: Jul 27 14:59:59 2014 GMT
> Not After : Nov 27 14:59:59 3013 GMT
> Subject:
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (4096 bit)
> Modulus:
> 00:b6:d3:42:35:68:e9:2a:9e:ba:f8:f0:f4:bf:30:
> b5:0b:40:cd:10:4b:20:94:aa:fc:e8:d3:b1:b8:15:
> cc:24:ba:7f:95:b5:85:92:e9:d5:97:70:d3:fd:b3:
> c9:91:ba:d5:85:5d:c6:6d:98:8b:c3:b3:79:74:a7:
> 41:c6:f4:df:14:53:bb:90:21:72:71:ba:e2:56:03:
> 0a:0b:a9:db:d5:92:d3:90:58:4e:eb:a4:8b:51:80:
> db:5f:56:26:cf:9b:26:a8:2e:42:df:54:14:86:4e:
> 1f:ad:b2:9c:57:54:16:7a:39:25:a3:b3:90:97:eb:
> 70:92:04:27:10:b6:fd:9e:70:4f:b2:02:e2:fa:6d:
> 90:eb:9a:0c:64:3c:31:86:4c:98:99:47:00:75:b6:
> d0:bb:80:02:13:c7:43:97:24:ec:1e:3e:b1:1c:d6:
> c7:b7:de:fc:e8:bb:c6:d8:20:74:16:09:27:2d:17:
> 17:a5:a4:41:d0:f6:60:de:a2:84:fa:e4:8d:dd:1e:
> 98:7e:19:75:a4:87:52:18:45:d9:6d:39:3e:2c:b2:
> 64:1a:13:37:26:3f:72:8c:7d:fe:2e:d6:26:d7:cc:
> 37:aa:06:4a:2f:ea:bc:0f:00:5f:d5:30:79:e8:11:
> 21:64:03:b9:91:e5:da:47:6b:7d:43:e6:5e:20:e8:
> 1d:1d:1e:3d:b8:57:62:01:98:13:5b:cc:a8:9f:6b:
> d2:34:e0:6f:86:b8:ac:9d:89:f1:e9:27:b9:f8:55:
> ce:a2:8a:33:2b:ac:3a:65:c0:fb:12:b8:f7:5a:47:
> a6:ea:83:80:88:0f:ca:d4:d5:dc:62:5c:08:d9:cf:
> e6:ca:fe:32:00:9e:e3:c0:53:99:21:a3:c9:4f:66:
> 07:fc:61:e2:20:18:01:7f:61:dd:e1:72:b5:fd:c3:
> 97:23:2a:51:bf:42:58:64:0d:2b:4e:cc:85:a0:5e:
> 01:52:2b:7b:46:f0:63:19:9b:a3:5e:2c:70:23:36:
> a3:a9:3a:b3:60:2e:ad:78:68:96:ce:a4:4c:ea:13:
> 77:02:97:c4:55:82:f3:fd:3b:f3:f4:65:4e:dd:3b:
> fe:d2:dd:d0:da:29:e8:3e:dd:a9:e3:c6:16:db:eb:
> f8:90:72:dc:54:37:17:15:c9:43:1f:de:9d:5b:02:
> 5e:03:a9:3e:78:75:15:4d:bc:84:bf:a0:7e:4a:68:
> 7d:2b:c6:c5:b5:da:09:8b:f3:45:6e:82:2b:8b:be:
> e9:5d:b7:b3:f0:e8:0d:04:8c:e3:b8:ca:23:1d:dc:
>
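
A small check for the two properties Viktor's reply asks of an MX certificate used for opportunistic STARTTLS, added here as an example; it is not code from the thread or from Postfix. The certificate should carry the MX hostname, exactly as it appears in the customers' MX records, as a DNS subject alternative name, and it should not be left in place past its expiry. The script extracts the SAN with openssl, matches the MX name against it, checks remaining validity, and can also issue a self-signed 2048-bit RSA certificate with that SAN. Function names, the constructed SAN strings in the test, and the example hostnames are assumptions; openssl 1.1.1 or later is assumed for -ext and -addext.

```shell
#!/bin/sh
# Added example: check (or create) the certificate an MX host presents
# for opportunistic STARTTLS. Opportunistic TLS does not validate the
# server certificate, so a self-signed or private-CA certificate is fine;
# the points that matter for interoperability are the DNS SAN naming the
# MX host and the certificate not being expired.

# san_has_name SAN_TEXT NAME
# SAN_TEXT is the value openssl prints for subjectAltName, e.g.
# "DNS:mx1.example.net, DNS:mail.example.net" (constructed sample).
# Returns 0 when NAME is listed as a DNS entry (exact, case-insensitive).
san_has_name() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "dns:$want"
}

# cert_san PEM
# Prints the subjectAltName value of a PEM certificate on one line
# (empty when the certificate has no SAN extension).
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -v 'Subject Alternative Name' | tr -d '\n' \
        | sed 's/^[[:space:]]*//'
}

# cert_valid_for PEM DAYS
# Returns 0 when the certificate is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_mx_cert MXHOST PEM [DAYS]
# Reports whether PEM is suitable for MXHOST: SAN match and not expiring
# within DAYS (default 30). Returns 1 if either check fails.
check_mx_cert() {
    mx=$1; pem=$2; days=${3:-30}; rc=0
    san=$(cert_san "$pem")
    if san_has_name "$san" "$mx"; then
        echo "ok: SAN covers $mx ($san)"
    else
        echo "FAIL: $mx is not a DNS SAN (SAN: ${san:-none})"; rc=1
    fi
    if cert_valid_for "$pem" "$days"; then
        echo "ok: valid for at least $days more days"
    else
        echo "FAIL: expires within $days days (or already expired)"; rc=1
    fi
    return $rc
}

# new_mx_cert MXHOST KEYFILE CERTFILE
# Self-signed RSA 2048-bit certificate, two-year lifetime, with the MX
# hostname as both CN and DNS SAN.
new_mx_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -keyout "$2" -out "$3" -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1"
}

# Stand-alone use:
#   ./mxcert.sh check mx1.example.net /etc/postfix/cert.pem [days]
#   ./mxcert.sh new   mx1.example.net /etc/postfix/key.pem /etc/postfix/cert.pem
if command -v openssl >/dev/null 2>&1; then
    case "${1:-}" in
        check) check_mx_cert "$2" "$3" "${4:-30}" || exit 1 ;;
        new)   new_mx_cert "$2" "$3" "$4" ;;
    esac
fi
```

The key and certificate produced by `new` are what smtpd_tls_key_file and smtpd_tls_cert_file point at, with smtpd_tls_security_level = may enabling opportunistic TLS as in the TLS_README quick start linked above; the postfix-tls(1) page Viktor linked documents Postfix's own certificate-generation helper, which can be used instead of the `new` function here. Running `check` from cron with a 30-day margin is a cheap way to avoid the "expired certificate left in place" case the reply warns about.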