Re: Postfix for three domains on one host

2019-08-15 Thread Bill Cole

On 15 Aug 2019, at 22:20, Andrew Bernard wrote:

> Now am I further confused. What is $myorigin used for then?


It is used to qualify bare sender usernames for mail generated locally. 
The nuances of when that applies can be found in 'man 5 postconf' in the 
local_header_rewrite_clients and append_at_myorigin sections. It also is 
used in some map lookup protocols to detect when to look up bare 
username parts of qualified addresses.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Re: Postfix for three domains on one host

2019-08-15 Thread Andrew Bernard

Now am I further confused. What is $myorigin used for then?


Andrew


On 16/8/19 12:04 pm, Ralph Seichter wrote:

> The "From" header is usually provided by the MUA. According to your
> message headers, you are using Thunderbird, so that's where you define
> your desired sender address(es). Postfix won't overwrite that header.
>
> -Ralph


Re: Postfix for three domains on one host

2019-08-15 Thread Ralph Seichter
* Andrew Bernard:

> Does this cover the case where each domain has its own header showing
> origin from each distinct domain?

The "From" header is usually provided by the MUA. According to your
message headers, you are using Thunderbird, so that's where you define
your desired sender address(es). Postfix won't overwrite that header.

-Ralph


Re: Postfix for three domains on one host

2019-08-15 Thread Andrew Bernard

Hi Ralph,

Does this cover the case where each domain has its own header showing 
origin from each distinct domain? When I tried your suggestion they all 
come out from $myorigin. What am I missing? Inbound works fine to any 
number of virtual domains for me. It's outbound that has me perplexed.



On 16/8/19 11:20 am, Ralph Seichter wrote:

> Yes, a single Postfix instance with one IP address can easily handle
> multiple domains. http://www.postfix.org/VIRTUAL_README.html should get
> you started.



Re: SSL communication between MTAs

2019-08-15 Thread Eliza

This info is really helpful. Thanks.

On 2019/8/15 Thursday 11:29 PM, Viktor Dukhovni wrote:

> On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:
>
>> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
>
> Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
> relay), with ports 587 and 465 used in the MUA-to-MTA *SUBMIT*
> protocol, which is very similar to MTA-to-MTA SMTP, but serves a
> different need and differs in some details, like the ports used.
>
> Except through bilateral arrangements or abuse of your systems, no
> remote system will send you email on ports other than 25.
>
>> How can I force the peer MTA to send messages only to port 465 for
>> more secure communication?
>
> This is not possible.
>
>> Can I just shut down port 25?
>
> No.  But you can enable inbound STARTTLS.
>
>  http://www.postfix.org/TLS_README.html#quick-start
>
> Once you've mastered that, you can DNSSEC-sign your domain, and publish
> TLSA records.
>
>  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
>  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
>
> and enable DANE outbound:
>
>  http://www.postfix.org/TLS_README.html#client_tls_dane
>
>  main.cf:
>     smtp_dns_support_level = dnssec
>     smtp_tls_security_level = dane
>
>  /etc/resolv.conf
>     # A validating *local* resolver
>     nameserver 127.0.0.1



Re: Postfix for three domains on one host

2019-08-15 Thread Ralph Seichter
* Andrew Bernard:

> is there any way to configure Postfix to act for three separate
> domains without the necessity of separate IP's?

Yes, a single Postfix instance with one IP address can easily handle
multiple domains. http://www.postfix.org/VIRTUAL_README.html should get
you started.

-Ralph
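For concreteness, here is the single-instance, single-IP layout that VIRTUAL_README describes, written out for the three domains Andrew listed. This is an added example, not configuration from the thread or from the Postfix documentation; the hostname, mailbox paths, UID/GID, login names and individual addresses are assumptions. The submission section at the end is the check a practitioner wants once several domains share one host: with only `permit_sasl_authenticated`, any authenticated user of one domain can put another hosted domain's address in MAIL FROM.

```conf
# /etc/postfix/main.cf   (added example; names, paths and IDs are assumptions)
myhostname = mail.ab.space
mydomain = ab.space
# $myorigin only qualifies bare sender names from local submissions
# (cron, daemons); it does not rewrite a From: that a MUA already supplied.
myorigin = $mydomain

# Only the host itself is a local destination. The hosted domains are
# virtual mailbox domains and must not also appear in mydestination.
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_mailbox_domains = ab.space, cd.space, zx.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 5000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual

# Submission hardening: bind each SASL login to the envelope senders it
# may use, so a user of one domain cannot send as another hosted domain.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# /etc/postfix/vmailbox   (then: postmap /etc/postfix/vmailbox)
# A trailing slash selects Maildir delivery under virtual_mailbox_base.
andrew@ab.space    ab.space/andrew/
info@cd.space      cd.space/info/
andrew@zx.com      zx.com/andrew/

# /etc/postfix/virtual    (then: postmap /etc/postfix/virtual)
postmaster@cd.space    andrew@ab.space
postmaster@zx.com      andrew@zx.com

# /etc/postfix/sender_login   (then: postmap /etc/postfix/sender_login)
# SASL login name       envelope senders this login may use
andrew@ab.space         andrew@ab.space, andrew@zx.com
info@cd.space           info@cd.space

# /etc/postfix/master.cf, submission service (port 587), relevant overrides
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
```

Inbound mail for all three domains arrives on the one port-25 listener; which domain a message belongs to is decided by the recipient address, not by the IP it arrived on. Outbound, the From: header is whatever the MUA put there, which is why the sender_login map, not a Postfix rewrite, is what keeps the three domains apart.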


Postfix for three domains on one host

2019-08-15 Thread Andrew Bernard
I want to use my single VPS for three distinct domains. Simple for 
webservers. I would also want to be able to send and receive email on 
the three domains using Postfix. I understand there is postfix-multi. 
Everything I have read so far uses separate IP addresses for this 
scenario. Most VPS providers are loath to assign more than one or at 
most two IPv4 addresses to a VPS, due to the global shortage. I have been 
unable to get three at Linode.


Not just subdomains, but quite distinct ones. For example (just abstract 
names)


ab.space

cd.space

zx.com


The obvious solution is to run three VPSs. But this adds expense and 
triples the admin overhead. Is there any way to configure Postfix to act 
for three separate domains without the necessity of separate IPs?


Pardon me if this is a stupid newbie question, but it seems to me that 
Postfix is enormously powerful and can do pretty much anything if you 
know how.


Andrew




Re: SSL communication between MTAs

2019-08-15 Thread Viktor Dukhovni
On Thu, Aug 15, 2019 at 02:52:12PM +0800, Eliza wrote:

> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

Don't confuse port 25 used for (MTA-to-MTA) SMTP (inter-domain email
relay), with ports 587 and 465 used in the MUA-to-MTA *SUBMIT*
protocol, which is very similar to MTA-to-MTA SMTP, but serves a
different need and differs in some details, like the ports used.

Except through bilateral arrangements or abuse of your systems, no
remote system will send you email on ports other than 25.

> How can I force the peer MTA to send messages only to port 465 for
> more secure communication?

This is not possible.

> Can I just shut down port 25?

No.  But you can enable inbound STARTTLS.

http://www.postfix.org/TLS_README.html#quick-start

Once you've mastered that, you can DNSSEC-sign your domain, and publish
TLSA records.

https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

and enable DANE outbound:

http://www.postfix.org/TLS_README.html#client_tls_dane

main.cf:
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

/etc/resolv.conf
# A validating *local* resolver
nameserver 127.0.0.1

-- 
Viktor.
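What Viktor's "publish TLSA records" step actually puts in DNS, and how a DANE client such as the Postfix SMTP client with `smtp_tls_security_level = dane` decides that the certificate it was shown satisfies the record, as an added example. This is not Postfix's code (Postfix does the check inside its TLS library); it is a stand-alone, standard-library-only implementation of RFC 6698 record generation and matching for the usages that RFC 7672 allows for SMTP. The certificates are constructed, unsigned DER skeletons with placeholder key bytes, built inline so the block runs offline; the TLSA owner name printed at the end is an assumption.

```python
"""TLSA (DANE) record generation and matching for SMTP, per RFC 6698 / RFC 7672.

Added example, not Postfix code (Postfix verifies DANE inside its TLS library).
It shows what a "3 1 1" record holds (SHA-256 of the certificate's
SubjectPublicKeyInfo) and how a DANE client decides that the certificate it
was shown satisfies a published record.  The certificates below are
constructed, unsigned DER skeletons, not real X.509 certificates.
"""
import hashlib
import hmac

SEQUENCE, INTEGER, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload


def der_children(data: bytes):
    """Yield (tag, value) for each TLV inside a DER constructed value."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                       # long form: next bytes hold the length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body = next(der_children(cert_der))   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs = next(der_children(cert_body))
    fields = list(der_children(tbs))
    if fields[0][0] == CTX0:                    # skip the explicit version tag
        fields = fields[1:]
    tag, spki_body = fields[5]                  # serial, sigalg, issuer, validity, subject, SPKI
    if tag != SEQUENCE:
        raise ValueError("malformed TBSCertificate")
    return der(SEQUENCE, spki_body)


def tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation form 'usage selector mtype hex'; RFC 7672 recommends 3 1 1 and 2 1 1."""
    data = subject_public_key_info(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        assoc = data                            # full data, no hash
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return "%d %d %d %s" % (usage, selector, mtype, assoc.hex())


def tlsa_matches(record: str, chain: list) -> bool:
    """Does the presented chain (leaf first) satisfy one TLSA record?

    Usage 3 (DANE-EE) is checked against the leaf only.  Usage 2 (DANE-TA) is
    checked against the issuer certificates; a real verifier must also validate
    the path from the leaf to that anchor.  Usages 0 and 1 (PKIX-*) are unusable
    for SMTP (RFC 7672 section 3.1.3) and never match.
    """
    try:
        usage, selector, mtype, assoc = record.split()
        candidates = {3: chain[:1], 2: chain[1:]}[int(usage)]
        for cert in candidates:
            expected = tlsa_record(cert, int(usage), int(selector), int(mtype)).split()[3]
            if hmac.compare_digest(expected.encode(), assoc.lower().encode()):
                return True
    except (ValueError, KeyError, IndexError):
        pass
    return False


def build_sample_cert(public_key: bytes, serial: int = 1) -> bytes:
    """Constructed, unsigned Certificate skeleton around a fake rsaEncryption SPKI."""
    rsa_encryption = der(OID, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    sha256_rsa = der(OID, bytes.fromhex("2a864886f70d01010b"))      # 1.2.840.113549.1.1.11
    spki = der(SEQUENCE, der(SEQUENCE, rsa_encryption + der(NULL, b""))
               + der(BITSTR, b"\x00" + public_key))
    empty_name = der(SEQUENCE, b"")
    validity = der(SEQUENCE, der(UTCTIME, b"190815000000Z") + der(UTCTIME, b"200815000000Z"))
    tbs = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, bytes([serial]))
              + der(SEQUENCE, sha256_rsa + der(NULL, b"")) + empty_name + validity
              + empty_name + spki)
    return der(SEQUENCE, tbs + der(SEQUENCE, sha256_rsa + der(NULL, b"")) + der(BITSTR, bytes(17)))


# Constructed sample: a leaf certificate and the CA that (notionally) issued it.
LEAF_CERT = build_sample_cert(b"constructed-leaf-public-key-bytes", serial=1)
CA_CERT = build_sample_cert(b"constructed-ca-public-key-bytes", serial=2)
LEAF_TLSA = tlsa_record(LEAF_CERT)             # "3 1 1 <sha256 of leaf SPKI>"
CA_TLSA = tlsa_record(CA_CERT, usage=2)        # "2 1 1 <sha256 of CA SPKI>"

if __name__ == "__main__":
    print("_25._tcp.mail.ab.space. IN TLSA", LEAF_TLSA)   # owner name is an assumption
    print("chain satisfies 3 1 1 record:", tlsa_matches(LEAF_TLSA, [LEAF_CERT, CA_CERT]))
```

For a real deployment the same "3 1 1" digest comes out of `openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`; publishing it at `_25._tcp.<mx-hostname>` only helps once the zone is DNSSEC-signed and, on the sending side, the resolver in /etc/resolv.conf actually validates, which is why Viktor's resolv.conf line points at a local validating resolver and not at an upstream one.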


Re: SSL communication between MTAs

2019-08-15 Thread Thilo Molitor
MTA-STS is not the only technique; DANE (RFC 7672) can be used, too (and in 
fact it is, by many big German providers at least).

See these slides for an introduction:
https://www.netnod.se/sites/default/files/2016-12/Anders_Berggren_can_haz_secure_mail.pdf
Or this Wikipedia page:
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities#Email_encryption

- Thilo


On Thursday, 15 August 2019, 10:44:16 CEST, a wrote:
> You can't force a remote peer to use SSL unless that peer is under your
> control.
> 
> The most you can do is enable STARTTLS and configure MTA-STS (rfc8461).
> 
> Thu, 15 Aug 2019, 9:53 Eliza :
> > Hello,
> > 
> > My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
> > 
> > How can I force the peer MTA to send messages only to port 465 for
> > more secure communication?
> > 
> > Can I just shut down port 25?
> > 
> > Thanks.


Re: SSL communication between MTAs

2019-08-15 Thread Eliza

Hi,

on 2019/8/15 15:44, a wrote:

> The most you can do is enable STARTTLS and configure MTA-STS (rfc8461).



Is there a guide for that?

thanks.


Re: SSL communication between MTAs

2019-08-15 Thread a
You can't force a remote peer to use SSL unless that peer is under your
control.

The most you can do is enable STARTTLS and configure MTA-STS (rfc8461).

Thu, 15 Aug 2019, 9:53 Eliza :

> Hello,
>
> My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.
>
> How can I force the peer MTA to send messages only to port 465 for
> more secure communication?
>
> Can I just shut down port 25?
>
> Thanks.


SSL communication between MTAs

2019-08-15 Thread Eliza

Hello,

My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

How can I force the peer MTA to send messages only to port 465 for 
more secure communication?


Can I just shut down port 25?

Thanks.