Re: Question about separate MTA and MDA servers and how to get them communicating properly
White, Daniel E. (GSFC-770.0)[NICS]:
> Given a pair of postfix instances, one "out front" to be a relay (MTA), the
> other "behind" to host mailboxes (MDA)
>
> How do we get the MTA to relay incoming mail to the MDA ? SMTP or LMTP or ??
> Mail sent to the MTA is looking for a "local recipient".
>
> Then the same question for outgoing mail from MDA to MTA to final destination.
>
> Our dilemma is that most online tutorials and how-to's have everything on one
> server.

Use SMTP, follow instructions
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

This has many things in common with
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

Wietse
Re: Question about separate MTA and MDA servers and how to get them communicating properly
On 2021-06-23 at 17:28:22 UTC-0400 (Wed, 23 Jun 2021 21:28:22 +)
White, Daniel E. (GSFC-770.0)[NICS]
is rumored to have said:

> Given a pair of postfix instances, one "out front" to be a relay (MTA), the
> other "behind" to host mailboxes (MDA)
>
> How do we get the MTA to relay incoming mail to the MDA ? SMTP or LMTP or …?
> Mail sent to the MTA is looking for a "local recipient".

Postfix classifies addresses into 4 classes: local, virtual, relay, and default. See the ADDRESS_CLASS_README in the distribution or at http://www.postfix.org/ADDRESS_CLASS_README.html for details.

The short version is that you need to tell Postfix what domains you want to relay mail for and where to send it. The simplest way to define that set is with the relay_domains configuration parameter, documented in the postconf(5) man page.

> Then the same question for outgoing mail from MDA to MTA to final destination.

To have a Postfix instance send all 'outbound' mail to another machine, you need to define the 'relayhost' parameter. The postconf(5) man page describes that and all of the other available configuration parameters.

Note that you will also need to have the inside machine understand what addresses it is to treat as 'local' (real system accounts) and 'virtual' (addresses that deliver locally but do not map directly to a system account.)

> Our dilemma is that most online tutorials and how-to's have everything on one
> server.

Postfix's own documentation is very helpful, and is much more reliable than what you might find on a random web page. The README files in the distribution hint at their purpose in their name. The STANDARD_CONFIGURATION_README is particularly useful and describes something close to what you are setting up.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
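The following sketch is an added example, not part of the original message or of Postfix itself: it models the four address classes named in the reply to show why a front relay that lists the hosted domain in mydestination looks for a local recipient, and how relay_domains, transport_maps and relayhost change the routing. The domains and hostnames are constructed placeholders, and the matching is simplified to exact domain names.

```python
# Simplified model of the four Postfix address classes named in the reply
# (local, virtual, relay, default). Hostnames and domains are constructed
# placeholders; real Postfix also matches subdomains and lookup tables.

def classify(domain, cfg):
    """Return the address class for a recipient domain under config cfg."""
    d = domain.lower()
    if d in cfg.get("mydestination", ()):
        return "local"
    if (d in cfg.get("virtual_alias_domains", ())
            or d in cfg.get("virtual_mailbox_domains", ())):
        return "virtual"
    if d in cfg.get("relay_domains", ()):
        return "relay"
    return "default"

def route(domain, cfg):
    """Return (class, where the message goes next) for a recipient domain."""
    cls = classify(domain, cfg)
    if cls in ("local", "virtual"):
        # Delivered on this host, so the recipient must be known here.
        return cls, "deliver on this host"
    # Off-host: a transport_maps entry wins, then relayhost, then DNS.
    # (This sketch ignores transport_maps entries for local/virtual domains.)
    hop = (cfg.get("transport_maps", {}).get(domain.lower())
           or cfg.get("relayhost") or "DNS MX lookup")
    return cls, hop

# Front relay with the hosted domain wrongly listed as a local destination.
FRONT_WRONG = {"mydestination": ["example.com"]}
# Front relay corrected: a relay domain with an explicit next hop.
FRONT_FIXED = {
    "mydestination": [],
    "relay_domains": ["example.com"],
    "transport_maps": {"example.com": "relay:[inside.example.com]"},
}
# Inside mailbox host: owns the domain, hands everything else to the relay.
INSIDE = {"mydestination": ["example.com"],
          "relayhost": "[gateway.example.com]"}

if __name__ == "__main__":
    for name, cfg, dom in [("front (wrong)", FRONT_WRONG, "example.com"),
                           ("front (fixed)", FRONT_FIXED, "example.com"),
                           ("inside", INSIDE, "example.com"),
                           ("inside", INSIDE, "elsewhere.example")]:
        print(name, dom, route(dom, cfg))
```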
Re: Question about separate MTA and MDA servers and how to get them communicating properly
> Our dilemma is that most online tutorials and how-to's have everything on
> one server.

I'd start with http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
Question about separate MTA and MDA servers and how to get them communicating properly
Given a pair of postfix instances, one "out front" to be a relay (MTA), the other "behind" to host mailboxes (MDA)

How do we get the MTA to relay incoming mail to the MDA ? SMTP or LMTP or …?
Mail sent to the MTA is looking for a "local recipient".

Then the same question for outgoing mail from MDA to MTA to final destination.

Our dilemma is that most online tutorials and how-to's have everything on one server.
Re: SPF guidance
On 2021-06-23 at 12:00:39 UTC-0400 (Wed, 23 Jun 2021 18:00:39 +0200)
David Bürgin
is rumored to have said:

> Alex:
> > I've set up postfix to use policyd-spf using python-policyd-spf and
> > have some questions. Hopefully this isn't off-topic, as my search
> > returns results from only many years ago. Is this still the best SPF
> > policy service for postfix integration on Linux?
>
> You can verify SPF using a policy service or a milter. For example, in
> Debian both postfix-policyd-spf-python and pyspf-milter are available
> (produced from the same source package, spf-engine). You can find other
> milters online, too.
>
> > smtpd_recipient_restrictions =
> >     ...
> >     check_sender_access pcre:$config_directory/sender_checks.pcre,
> >     check_policy_service unix:private/policy-spf,
>
> I’m curious, why check SPF in *recipient* restrictions? SPF is about the
> sender, isn’t it?

Yes, but smtpd_recipient_restrictions can include restriction directives for any "earlier" SMTP stage. This allows you to make per-recipient decisions about whether to enforce problematic restrictions such as SPF.

> The resulting reply text ‘: Recipient address
> rejected’ is misleading.

Not really. The SMTP command which is rejected is one RCPT command with one specific address. If there are multiple RCPT commands, they may not all be rejected.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: SPF guidance
Alex:
> I've set up postfix to use policyd-spf using python-policyd-spf and
> have some questions. Hopefully this isn't off-topic, as my search
> returns results from only many years ago. Is this still the best SPF
> policy service for postfix integration on Linux?

You can verify SPF using a policy service or a milter. For example, in Debian both postfix-policyd-spf-python and pyspf-milter are available (produced from the same source package, spf-engine). You can find other milters online, too.

> smtpd_recipient_restrictions =
>     ...
>     check_sender_access pcre:$config_directory/sender_checks.pcre,
>     check_policy_service unix:private/policy-spf,

I’m curious, why check SPF in *recipient* restrictions? SPF is about the sender, isn’t it? The resulting reply text ‘: Recipient address rejected’ is misleading.
SPF guidance
Hi,

I've set up postfix to use policyd-spf using python-policyd-spf and have some questions. Hopefully this isn't off-topic, as my search returns results from only many years ago. Is this still the best SPF policy service for postfix integration on Linux?

    smtpd_recipient_restrictions =
        ...
        check_sender_access pcre:$config_directory/sender_checks.pcre,
        check_policy_service unix:private/policy-spf,

My problem is with allowing mail from domains using servers not listed in the domain's SPF record. I would like to allow mail from domain1 being processed by secureserver.net to bypass SPF restrictions for mydomain.com.

    Jun 21 15:14:52 xavier postfix-117/smtpd[1636578]: NOQUEUE: reject: RCPT from p3plsmtpa06-06.prod.phx3.secureserver.net[173.201.192.107]: 550 5.7.23 : Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=pharri...@domain1.com;ip=173.201.192.107;r=; from= to= proto=ESMTP helo=

Perhaps I add a check_sender_access check above the policy check, and bypass the policyd altogether? The problem I have is how to allow domain1.com, and obviously not secureserver.net.

Also, any idea on a replacement for the incredibly helpful openspf.net/Why service from some years ago?

I've tried the following, but I believe it is operating on the connecting server level, not the client domain level.

    # grep -Ev '^$|^#' policyd-spf.conf
    debugLevel = 1
    TestOnly = 1
    HELO_reject = Fail
    Mail_From_reject = Fail
    PermError_reject = False
    TempError_Defer = False
    skip_addresses = 127.0.0.0/8,209.216.99.0/24,:::127.0.0.0/104,::1
    Domain_Whitelist = domain1.com
    Reject_Not_Pass_Domains = domain1.com
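The sketch below is an added example, not code from the thread or from policyd-spf. It shows the per-recipient decision discussed in the replies as a small Postfix policy-delegation handler that would sit ahead of the SPF check and skip it only when the envelope sender domain, the verified client hostname and the recipient domain all match. The function names, the exemption constants and the sample requests are constructed for illustration, and it assumes reject_unauth_destination is enforced before the handler is consulted.

```python
# Added illustration: a narrow SPF exemption as a Postfix policy-delegation
# decision. The sample request and all names below are constructed.
EXEMPT_SENDER_DOMAIN = "domain1.com"        # envelope sender domain to exempt
EXEMPT_CLIENT_SUFFIX = ".secureserver.net"  # only when relayed by these hosts
EXEMPT_RCPT_DOMAIN = "mydomain.com"         # and only for our own recipients

def parse_request(text):
    """Parse the name=value attribute lines Postfix sends, up to the blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def domain_of(address):
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].lower()

def spf_exempt(attrs):
    """True only if sender domain, verified client name and recipient all match."""
    # client_name is the hostname Postfix verified for the client, or "unknown".
    client = attrs.get("client_name", "unknown").lower()
    return (domain_of(attrs.get("sender", "")) == EXEMPT_SENDER_DOMAIN
            and client.endswith(EXEMPT_CLIENT_SUFFIX)
            and domain_of(attrs.get("recipient", "")) == EXEMPT_RCPT_DOMAIN)

def decide(text):
    """Return the policy reply: OK ends this restriction list, DUNNO continues."""
    # Assumes reject_unauth_destination has already been enforced, so OK here
    # cannot open a relay; DUNNO lets the SPF check that follows run as usual.
    action = "OK" if spf_exempt(parse_request(text)) else "DUNNO"
    return "action=%s\n\n" % action

def sample(sender, client_name, recipient):
    """Build a constructed policy request with the attributes used above."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            "sender=%s\nclient_name=%s\nclient_address=173.201.192.107\n"
            "recipient=%s\n\n" % (sender, client_name, recipient))

if __name__ == "__main__":
    host = "p3plsmtpa06-06.prod.phx3.secureserver.net"
    print(decide(sample("user@domain1.com", host, "me@mydomain.com")))
    print(decide(sample("user@domain1.com", "mail.elsewhere.example",
                        "me@mydomain.com")))
```

A sender at domain1.com arriving from any other host, or any other sender arriving from secureserver.net, still gets DUNNO and is evaluated by the SPF policy service.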
Re: Unable to connect to IMAP - Exceeded Maximum Number of Connections
On Wed, Jun 23, 2021 at 11:43:32AM +0200, Bastian Blank wrote:
> On Wed, Jun 23, 2021 at 10:36:49AM +0100, Adam Weremczuk wrote:
> > "Unable to connect to your IMAP server.
> > You may have exceeded the maximum number of connections to this server.
> > If so use the Advanced IMAP Server Settings dialog to reduce the number of
> > cached connections."
>
> Postfix does not speak IMAP, this is all Cyrus. As this is a Postfix
> mailing list, you are barking up the wrong tree.
>
> Also, this does not look like an IMAP error message. You need to read
> logs and/or get correct error messages out of your client. "Unable to
> connect" sounds like: I can't open a TCP connection, so it might be your
> routing.
>
> I don't even think this is Cyrus related, so your best bet is the
> Thunderbird support.

Yes, in my experience it's a pretty standard problem with Thunderbird.

--
Chris Green
Re: Unable to connect to IMAP - Exceeded Maximum Number of Connections
On Wed, Jun 23, 2021 at 10:36:49AM +0100, Adam Weremczuk wrote:
> "Unable to connect to your IMAP server.
> You may have exceeded the maximum number of connections to this server.
> If so use the Advanced IMAP Server Settings dialog to reduce the number of
> cached connections."

Postfix does not speak IMAP, this is all Cyrus. As this is a Postfix mailing list, you are barking up the wrong tree.

Also, this does not look like an IMAP error message. You need to read logs and/or get correct error messages out of your client. "Unable to connect" sounds like: I can't open a TCP connection, so it might be your routing.

I don't even think this is Cyrus related, so your best bet is the Thunderbird support.

Bastian

--
Humans do claim a great deal for that particular emotion (love).
-- Spock, "The Lights of Zetar", stardate 5725.6
Unable to connect to IMAP - Exceeded Maximum Number of Connections
Hi all,

The mail server is an old Postfix/Cyrus stack.

I access emails from 4 different Thunderbird clients using either VPN or SSH port forwarding which gives up to 8 combinations in total.

When switching I often see:

"Unable to connect to your IMAP server.
You may have exceeded the maximum number of connections to this server.
If so use the Advanced IMAP Server Settings dialog to reduce the number of cached connections."

I have already tried reducing the maximum number of server connections to cache from 5 to 1 across all clients and waited 24 hours before reconnecting but the issue didn't go away.

My question: where do I find an option to slightly increase the limit on server side and what is it called?

I've already looked into cyrus.conf, imapd.conf, postfix/main.cf, postfix/master.cf and few other places but couldn't find any obvious setting.

Regards,
Adam