Re: GhettoForge Postfix3

2022-01-18 Thread jdebert
On Tue, 18 Jan 2022 17:13:32 -0500
post...@ptld.com wrote:


> Wait, so it's a fork of Postfix?
> And not the same code as what Wietse releases for the same version?

It's whatever the maintainer of that code wants, intends, etc. 

Why not ask the maintainer?

--
jd


Re: SASL per user or per host disable and, use of trace, strace

2022-01-18 Thread Joe Acquisto-j4
> Wietse Venema:
>> Joe Acquisto-j4:
>> > For version 3.7.4, is there a means of disabling for smtp per user,
>> > per domain, per IP, when "smtp_sender_dependent_authentication =
>> > yes"?
>> 
>> Postfix will search smtp_sasl_password_maps by sender first, and
>> if that is not found, then by destination.
>> 
>> If you don't want Postfix to authenticate to a specific destination,
>> then don't list that destination in smtp_sasl_password_maps.

Ah, but that seems to be the case now.  I do not have the destination for that 
user in "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
yet it attempts to deliver to the correct destination and attempts to 
authenticate.

yet when "smtp_sender_dependent_authentication = no" it makes no attempt to 
authenticate to the very same target server.

> 
> It is possible to separate the per-sender and other email streams,
> but that is a bit more complicated, because most people don't have
> your requirements.
> 
> This uses sender_dependent_default_transport_maps, where all
> per-sender default transports share a customized Postfix SMTP client
> with its own smtp_sasl_passwd_maps setting in master.cf, which has
> all the per-sender entries.
> 
> The other email streams use the 'normal' Postfix SMTP client with
> only per-destination entries in smtp_sasl_passwd_maps.
> 
>   Wietse

This does look a bit complicated and I hesitate to hack at it without further 
eyeballing.  Not sure I see how this helps "coax" postfix to not authenticate 
on this one inbound user.  Perhaps I just need to think about it more.

joe a.



Re: SASL questions

2022-01-18 Thread Joe Acquisto-j4
. . .
> I would imagine that Postfix can only authenticate to
> servers that have entries in /etc/postfix/sasl_passwd.
> 
>   smtp_sasl_password_maps (default: empty)
> 
> Optional Postfix SMTP client lookup tables with one
> username:password entry per sender, remote hostname
> or next-hop domain. Per-sender lookup is done only
> when sender-dependent authentication is enabled. If
> no username:password entry is found, then the
> Postfix SMTP client will not attempt to
> authenticate to the remote host.
> 
> But it seems unlikely that you'd have put an entry there
> for a server of yours that doesn't authenticate.
> 
> Perhaps you need to add that server to debug_peer_list
> and see what the extra logs say.
> 
> cheers,
> raf

I believe I have that correct, per examples (and it is working mostly as 
expected)
/etc/postfix/sasl_passwd takes this form:

j...@aaa.com    joea@AAA:ADADAD
j...@aaad.com    j...@aaad.com:ADADAD2

As said, this appears to work and does not interfere with incoming email that 
goes to a local host, unauthenticated, in all but one case.

joe a




Re: SASL per user or per host disable and, use of trace, strace

2022-01-18 Thread Joe Acquisto-j4
> Wietse Venema:
>> Joe Acquisto-j4:
>> > For version 3.7.4, is there a means of disabling for smtp per user,
>> > per domain, per IP, when "smtp_sender_dependent_authentication =
>> > yes"?
>> 
>> Postfix will search smtp_sasl_password_maps by sender first, and
>> if that is not found, then by destination.
>> 
>> If you don't want Postfix to authenticate to a specific destination,
>> then don't list that destination in smtp_sasl_password_maps.
> 
> It is possible to separate the per-sender and other email streams,
> but that is a bit more complicated, because most people don't have
> your requirements.
> 
> This uses sender_dependent_default_transport_maps, where all
> per-sender default transports share a customized Postfix SMTP client
> with its own smtp_sasl_passwd_maps setting in master.cf, which has
> all the per-sender entries.
> 
> The other email streams use the 'normal' Postfix SMTP client with
> only per-destination entries in smtp_sasl_passwd_maps.
> 
>   Wietse

Thanks much.  I'll go searching for details/examples in a bit.

joe a.




Re: SASL per user or per host disable and, use of trace, strace

2022-01-18 Thread Wietse Venema
Wietse Venema:
> Joe Acquisto-j4:
> > For version 3.7.4, is there a means of disabling for smtp per user,
> > per domain, per IP, when "smtp_sender_dependent_authentication =
> > yes"?
> 
> Postfix will search smtp_sasl_password_maps by sender first, and
> if that is not found, then by destination.
> 
> If you don't want Postfix to authenticate to a specific destination,
> then don't list that destination in smtp_sasl_password_maps.

It is possible to separate the per-sender and other email streams,
but that is a bit more complicated, because most people don't have
your requirements.

This uses sender_dependent_default_transport_maps, where all
per-sender default transports share a customized Postfix SMTP client
with its own smtp_sasl_passwd_maps setting in master.cf, which has
all the per-sender entries.

The other email streams use the 'normal' Postfix SMTP client with
only per-destination entries in smtp_sasl_passwd_maps.

Wietse
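
The lookup order and the split that Wietse describes above, as an added example that is not part of the original message and is not Postfix code: a simplified Python model showing that a per-sender entry yields credentials for whatever next hop the message goes to, and that moving the per-sender entries to a dedicated client stops that. The addresses, host names, the "smtp-sender" service name and the assumption that the internal host is a relay_domains destination are constructed for illustration.

```python
"""Simplified model (not Postfix source) of SMTP client SASL credential lookup."""
from dataclasses import dataclass, field

# Constructed sample values.
SENDER = "alice@example.org"                 # has a per-sender credential
PROVIDER = "[smtp.provider.example]:587"     # upstream that requires AUTH
INTERNAL = "groupware.internal.example"      # internal host, must not see AUTH
RELAY_DOMAINS = {INTERNAL}                   # assumption: internal host is a relay_domains destination
SENDER_TRANSPORTS = {SENDER: "smtp-sender"}  # models sender_dependent_default_transport_maps
SECRET = "alice:constructed-secret"


@dataclass
class SmtpClient:
    """One SMTP client service from master.cf with its own SASL settings."""
    name: str
    password_map: dict = field(default_factory=dict)  # models smtp_sasl_password_maps
    sender_dependent: bool = False  # models smtp_sender_dependent_authentication

    def credentials(self, sender, nexthop):
        """Return (matched_key, 'user:password'), or None for no AUTH attempt.

        Lookup order from the thread: by sender first (only when
        sender-dependent authentication is on), then by destination.
        """
        keys = ([sender] if self.sender_dependent else []) + [nexthop]
        for key in keys:
            if key in self.password_map:
                return key, self.password_map[key]
        return None


def pick_client(clients, sender, rcpt_domain, sender_transports):
    """Choose the delivering client for one message.

    relay_domains destinations use the 'relay' service; the per-sender
    transport map only overrides the default transport for other remote mail.
    """
    if rcpt_domain in RELAY_DOMAINS:
        return clients["relay"]
    return clients[sender_transports.get(sender, "smtp")]


def delivery(clients, sender, rcpt_domain, nexthop, sender_transports):
    """Return (client name, credentials or None) for one message."""
    client = pick_client(clients, sender, rcpt_domain, sender_transports)
    return client.name, client.credentials(sender, nexthop)


def single_client_setup():
    """Before: every smtp(8) service inherits the same main.cf settings."""
    shared = SmtpClient("smtp", {SENDER: SECRET}, sender_dependent=True)
    return {"smtp": shared, "relay": shared}


def split_setup():
    """After: per-sender entries exist only in the dedicated client."""
    return {
        "smtp": SmtpClient("smtp"),
        "relay": SmtpClient("relay"),
        "smtp-sender": SmtpClient("smtp-sender", {SENDER: SECRET}, sender_dependent=True),
    }


if __name__ == "__main__":
    cases = [
        ("before, inbound to internal host", single_client_setup(), {}, INTERNAL, INTERNAL),
        ("after, inbound to internal host", split_setup(), SENDER_TRANSPORTS, INTERNAL, INTERNAL),
        ("after, outbound via provider", split_setup(), SENDER_TRANSPORTS, "elsewhere.example", PROVIDER),
    ]
    for label, clients, transports, rcpt_domain, nexthop in cases:
        name, cred = delivery(clients, SENDER, rcpt_domain, nexthop, transports)
        print(f"{label}: client={name} auth={'yes, key ' + cred[0] if cred else 'no'}")
```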


Re: SASL per user or per host disable and, use of trace, strace

2022-01-18 Thread Wietse Venema
Joe Acquisto-j4:
> For version 3.7.4, is there a means of disabling for smtp per user,
> per domain, per IP, when "smtp_sender_dependent_authentication =
> yes"?

Postfix will search smtp_sasl_password_maps by sender first, and
if that is not found, then by destination.

If you don't want Postfix to authenticate to a specific destination,
then don't list that destination in smtp_sasl_password_maps.

Wietse


Re: GhettoForge Postfix3

2022-01-18 Thread postfix
> likely at least a minimal attempt to avoid naming conflicts. renaming
> forked the code (hopefully) helps avoid blaming Wietse for whatever gets
> broken in that fork.

Wait, so it's a fork of Postfix?
And not the same code as what Wietse releases for the same version?


Re: SASL questions

2022-01-18 Thread raf
On Mon, Jan 17, 2022 at 10:04:13PM -0500, Joe Acquisto-j4 wrote:

> > On 2022-01-17 at 20:09:55 UTC-0500 (Mon, 17 Jan 2022 20:09:55 -0500)
> > Joe Acquisto-j4 
> > is rumored to have said:
> > 
> > 
> >> Sorry for the garbled message.  Looking for the config files, etc that 
> >> are normally requested.
> > 
> > 
> > The non-default main.cf settings, formatted for human eyes:
> > postconf -nf
> > 
> > The master.cf settings, formatted for human eyes:
> > postconf -Mf
> > 
> > 
> > 
> > 
> > -- 
> > Bill Cole
> > b...@scconsult.com or billc...@apache.org 
> > (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> > Not Currently Available For Hire
> 
> OK, here goes -  
> 
> Using version 3.4.7 packaged by Suse.  I use "fetchmail" to retrieve email 
> via imap one of which is gmail.  The fetched mail is all sent to a local "off 
> box" machine, via postfix, spamassassin and clamav, all on the same server.  
> The off box machine let's call it "fubar", runs a rather dated groupware 
> product I used to support.  
> 
> I send mail to one upstream provider. They require authentication.  Seem to 
> have successfully setup per user SASL authentication, with one "problem" 
> remaining.
> 
> Since I would sometimes forget to check the gmail account, added that account 
> to fetchmail.  It would deliver to fubar via the means described above, with 
> a unique fubar user, via the means mentioned above. It became convenient to  
> occasionally use the gmail account to test changes I might make to my local 
> system.  That worked well, till now.
> 
> Now when I set "smtp_sender_dependent_authentication = yes" any email I send 
> to the gmail account from fubar, upon being "fetched", fails to deliver to 
> "fubar" with postfix reporting "501 Authentication failed" and the mail is 
> deferred. If I set "smtp_sender_dependent_authentication = no" and restart 
> postfix, the deferred mail is delivered. Any mail that arrives at the gmail 
> account by any other means delivers normally regardless of the value of 
> "smtp_sender_dependent_authentication".
> 
> Ultimately, I determined the attempt to authenticate to fubar happens with 
> any mail I send to the gmail account, where the "from" address is any valid 
> user on the fubar system.  That includes test emails sent using swaks, via 
> the same upstream provider. 
> 
> On the receiving end I can see logged information that shows fubar is 
> attempting to authenticate, which it does not attempt to do when sender 
> dependent authentication is not enabled. At least, not in any visible way or 
> even any configured way. While from the point of view of the professionals 
> this may "not be a real problem" perhaps for myriad uttered reasons including 
> "WFT dude"?, it still seems odd at the least. Probably it will be due to 
> "something you did and should have known better".
> 
> Below is output from postconf -Mf:
> 
> smtp       inet  n   -   n   -   -   smtpd
>     -o content_filter=spamassassin
> pickup     fifo  n   -   n   60  1   pickup
> cleanup    unix  n   -   n   -   0   cleanup
> qmgr       fifo  n   -   n   300 1   qmgr
> rewrite    unix  -   -   n   -   -   trivial-rewrite
> bounce     unix  -   -   n   -   0   bounce
> defer      unix  -   -   n   -   0   bounce
> trace      unix  -   -   n   -   0   bounce
> verify     unix  -   -   n   -   1   verify
> flush      unix  n   -   n   1000?   0   flush
> proxymap   unix  -   -   n   -   -   proxymap
> proxywrite unix  -   -   n   -   1   proxymap
> smtp       unix  -   -   n   -   -   smtp
> relay      unix  -   -   n   -   -   smtp
>     -o smtp_fallback_relay=
> showq      unix  n   -   n   -   -   showq
> error      unix  -   -   n   -   -   error
> retry      unix  -   -   n   -   -   error
> discard    unix  -   -   n   -   -   discard
> local      unix  -   n   n   -   -   local
> virtual    unix  -   n   n   -   -   virtual
> lmtp       unix  -   -   n   -   -   lmtp
> anvil      unix  -   -   n   -   1   anvil
> scache     unix  -   -   n   -   1   scache
> spamassassin unix -  n   n   -   -   pipe flags=Rq
>     user=spamfilter argv=/usr/local/bin/spamass.sh -e /usr/sbin/sendmail -oi -f
>     ${sender} -- ${recipient}
> tlsmgr     unix  -   -   n   1000?   1   tlsmgr
> postlog    unix-dgram n  -   n   -   1   postlogd
> 
> Below is output from postconf -Mf: (obfuscated)
> 
> alias_maps = hash:/etc/aliases
> biff = no
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = 

Re: GhettoForge Postfix3

2022-01-18 Thread jdebert
On Tue, 18 Jan 2022 15:39:24 -0500
post...@ptld.com wrote:

> > According to http://ghettoforge.org/index.php/Postfix3 it's the
> > latest (presumably stable) release. They appear to have Postfix
> > 3.6 at this time.  
> 
> 
> Yes, I see that. But why "Postfix3"? How is that different from
> normal Postfix? 

[snip]

likely at least a minimal attempt to avoid naming conflicts. renaming
forked the code (hopefully) helps avoid blaming Wietse for whatever gets
broken in that fork.

renaming forks should reasonably be a common practice.

--
jd



Re: GhettoForge Postfix3

2022-01-18 Thread Cooper, Robert A
It's "postfix3" so it does not conflict with the RHEL/CentOS system "postfix" 
package.

RobertC


From: owner-postfix-us...@postfix.org  on 
behalf of post...@ptld.com 
Sent: Tuesday, January 18, 2022 14:39
To: Postfix users 
Subject: Re: GhettoForge Postfix3

> According to 
> https://urldefense.com/v3/__http://ghettoforge.org/index.php/Postfix3__;!!KwNVnqRv!Wc7JmT7WZlQE0_oAHiOY8Q18RdCHxYJdQrg-KVMctdl7YbYouHyQN4K47Dk6NkZ8$
>   it's the
> latest (presumably stable) release. They appear to have Postfix
> 3.6 at this time.


Yes, I see that. But why "Postfix3"? How is that different from normal Postfix? 
If it's a repo providing the same Postfix as every other repo why does it have 
a 3 as part of the name? People usually rename a product to distinguish it's 
different. Why would one (using their yum examples) have to remove Postfix and 
install Postfix3? Why wouldn't you just update postfix and be done with it. 
This is what causes me to wonder.


Re: GhettoForge Postfix3

2022-01-18 Thread postfix
> According to http://ghettoforge.org/index.php/Postfix3 it's the
> latest (presumably stable) release. They appear to have Postfix
> 3.6 at this time.


Yes, I see that. But why "Postfix3"? How is that different from normal Postfix? 
If it's a repo providing the same Postfix as every other repo why does it have 
a 3 as part of the name? People usually rename a product to distinguish it's 
different. Why would one (using their yum examples) have to remove Postfix and 
install Postfix3? Why wouldn't you just update postfix and be done with it. 
This is what causes me to wonder.


SASL per user or per host disable and, use of trace, strace

2022-01-18 Thread Joe Acquisto-j4
For version 3.7.4, is there a means of disabling for smtp per user, per domain, 
per IP, when "smtp_sender_dependent_authentication = yes"?

Docs/supplements seem to say some roughly analogous settings were available pre V 
3.x, but are now deprecated.   I've not found any current setting while 
flailing about in the deep ethereal seas.

Essentially, looking for a means to tell postfix specifically (the little 
dickens) to not attempt to authenticate to a specific host, by user, or 
hostname/IP.. By domain would seem unlikely to help resolve an annoying oddity, 
described in another post.

Any assistance in adding trace or strace, explicit or referral to recent (and 
reachable) docs would be appreciated.   The two referenced programs are all 
that are natively available in this distribution.

Thanks in advance.

joe a




Re: webmail question

2022-01-18 Thread Ralph Seichter
* Frank Hwa:

> I like postfix and dovecot for setting up mail systems. But I don't
> like roundcube or rainloop webmail.

You might give SOGo (https://www.sogo.nu) a shot.

-Ralph


Re: GhettoForge Postfix3

2022-01-18 Thread Wietse Venema
post...@ptld.com:
> GhettoForge has a repo for Postfix3, it is not clear to me if
> Postfix3 is another beast entirely or if it is just a normal Postfix
> version 3 and higher. Can someone explain what is the purpose of
> "Postfix3"?

According to http://ghettoforge.org/index.php/Postfix3 it's the
latest (presumably stable) release. They appear to have Postfix
3.6 at this time.

> Are there other options (repos) for getting current versions of
> Postfix using dnf on a RHEL system?

The examples on that page use yum, not dnf.

Wietse


Re: GhettoForge Postfix3

2022-01-18 Thread PGNet Dev

> Are there other options (repos) for getting current versions of Postfix using 
> dnf on a RHEL system?


fwiw,

use existing pkgs from https://src.fedoraproject.org/rpms/postfix for 'Fedora 
ELN, if that fits your needs

or rebuild & package from those sources, or your own tweaked/modified .spec, on 
your own COPR (https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/copr/), 
specifically for your chroot of choice

Fedora COPR certainly a variety of EPEL chroots, including 9,

  https://communityblog.fedoraproject.org/epel-9-is-now-available/

i regularly rebuild the rawhide sources, which only slightly/occasionally lag 
new Postfix releases, for F35 for production use; works a charm.


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Matus UHLAR - fantomas

> On Tue, Jan 18, 2022 at 04:50:11PM +0100, Matus UHLAR - fantomas wrote:
>> don't use grep for master.cf, there are usually options on next lines
>>
>> # postconf -M smtps submission
>> submission inet  n   -   y   -   -   smtpd -o 
>> syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o 
>> smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o 
>> smtpd_client_restrictions=$mua_client_restrictions -o 
>> smtpd_helo_restrictions=$mua_helo_restrictions -o 
>> smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
>> milter_macro_daemon_name=ORIGINATING
>> smtps  inet  n   -   y   -   -   smtpd -o 
>> syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o 
>> smtpd_sasl_auth_enable=yes -o 
>> smtpd_client_restrictions=$mua_client_restrictions -o 
>> smtpd_helo_restrictions=$mua_helo_restrictions -o 
>> smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
>> milter_macro_daemon_name=ORIGINATING

On 18.01.22 11:14, Ruben Safir wrote:
> www2:~ # postconf -M submission
> submission inet  n   -   n   -   -   smtpd -o
> syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o
> smtpd_sasl_auth_enable=yes -o smtpd_sasl_auth_enable=yes -o
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject

so you apparently have in master.cf

submission inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

the smtpd_sasl_auth_enable is there two times, but that's not a problem.
you may need to override:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions

otherwise those from main.cf are used. according to:
https://marc.info/?l=postfix-users&m=164252079029931&w=2

you have set up smtpd_recipient_restrictions to do dnsbl checking

> www2:~ # postconf -M smtp

"smtps" is not "smtp".
smtps should be mostly the same as submission, with added
smtpd_tls_wrappermode.

> smtp   inet  n   -   n   -   -   smtpd
> smtp   unix  -   -   n   -   -   smtp
>
> although this doesn't really say what the files say or which files are
> being edited.

nothing is edited yet. We are trying to explain what/how/where to put.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.


GhettoForge Postfix3

2022-01-18 Thread postfix
GhettoForge has a repo for Postfix3, it is not clear to me if Postfix3 is 
another beast entirely or if it is just a normal Postfix version 3 and higher. 
Can someone explain what is the purpose of "Postfix3"?

Are there other options (repos) for getting current versions of Postfix using 
dnf on a RHEL system?


Re: SASL questions

2022-01-18 Thread Joe Acquisto-j4
. . .
> OK, here goes -  
> 
> Using version 3.4.7 packaged by Suse.  I use "fetchmail" to retrieve email 
> via imap one of which is gmail.  The fetched mail is all sent to a local "off 
> box" machine, via postfix, spamassassin and clamav, all on the same server.  
> The off box machine let's call it "fubar", runs a rather dated groupware 
> product I used to support.  
> 
> I send mail to one upstream provider. They require authentication.  Seem to 
> have successfully setup per user SASL authentication, with one "problem" 
> remaining.
> 
> Since I would sometimes forget to check the gmail account, added that 
> account to fetchmail.  It would deliver to fubar via the means described 
> above, with a unique fubar user, via the means mentioned above. It became 
> convenient to  occasionally use the gmail account to test changes I might 
> make to my local system.  That worked well, till now.
> 
> Now when I set "smtp_sender_dependent_authentication = yes" any email I send 
> to the gmail account from fubar, upon being "fetched", fails to deliver to 
> "fubar" with postfix reporting "501 Authentication failed" and the mail is 
> deferred. If I set "smtp_sender_dependent_authentication = no" and restart 
> postfix, the deferred mail is delivered. Any mail that arrives at the gmail 
> account by any other means delivers normally regardless of the value of 
> "smtp_sender_dependent_authentication".
> 
> Ultimately, I determined the attempt to authenticate to fubar happens with 
> any mail I send to the gmail account, where the "from" address is any valid 
> user on the fubar system.  That includes test emails sent using swaks, via 
> the same upstream provider. 
> 
> On the receiving end I can see logged information that shows fubar is 
> attempting to authenticate, which it does not attempt to do when sender 
> dependent authentication is not enabled. At least, not in any visible way or 
> even any configured way. While from the point of view of the professionals 
> this may "not be a real problem" perhaps for myriad uttered reasons including 
> "WFT dude"?, it still seems odd at the least. Probably it will be due to 
> "something you did and should have known better".
> 

Resubmitting with a bit more information, hopefully useful.  It seems 
inescapable to conclude that postfix is initiating the attempt to authenticate 
in this odd case. Why that is so escapes me at the moment. The server on the 
receiving end is set to not authenticate, which does raise the question of why 
it seems to be attempting to at all.  In any case, I submit below the output of 
postfinger and saslfinger as the debugging page suggests.  I see some of the 
information in each section is redundant, but I did not want to risk causing 
any further confusion and consternation.

-- postfinger:

postfinger - postfix configuration on Tue Jan 18 11:54:49 EST 2022
version: 1.30

--System Parameters--
mail_version = 3.4.7
hostname = auxilary
uname = Linux auxilary 5.3.18-lp152.87-default #1 SMP Sun Aug 8 21:53:57 UTC 
2021 (44d702a) x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-3.4.7-lp152.2.9.1.x86_64

--Mailbox locking methods--
flock fcntl dotlock

--Supported Lookup tables--
btree cidr environ fail hash inline internal ldap lmdb memcache mysql nis pcre 
pgsql pipemap proxy randmap regexp socketmap static tcp texthash unionmap unix

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin/
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 1h
disable_dns_lookups = yes
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_protocols = ipv4
mailbox_size_limit = 0
maillog_file = /var/log/postfix.log
manpage_directory = /usr/share/man
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain
myhostname = AAA.AA.com
mynetworks = DDD.DDD.DDD.221/32,DDD.DDD.DDD.222,DDD.DDD.DDD.211/32,127.0.0.0/8
mynetworks_style = subnet
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains = $mydestination, hash:/etc/postfix/relay
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
setgid_group = maildrop
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/ssl/certs/cacert.pem
smtp_tls_CApath = /etc/postfix/ssl/certs/
smtp_tls_cert_file = 

Postfix stable release 3.6.4 and legacy releases 3.5.14, 3.4.24, 3.3.21

2022-01-18 Thread Wietse Venema
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.6.4.html]

Fixed in Postfix 3.6.4, 3.5.14, 3.4.24, 3.3.21:

  * Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient
    entries in postconf output. This was caused by an incomplete
    fix to send SMTP session transcripts to $bounce_notice_recipient.
    Reported by Vincent Lefevre.

  * Bug introduced in Postfix 3.0: the proxymap daemon did not
    automatically authorize proxied maps inside pipemap (example:
    pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem
    reported by Mirko Vogt.

  * Bug introduced in Postfix 2.5: off-by-one error while writing
    a string terminator. This code passed all memory corruption
    tests, presumably because it wrote over an alignment padding
    byte, or over an adjacent character byte that was never read.
    Reported by Robert Siemer.

Fixed in Postfix 3.6.4, 3.5.14, 3.4.24:

  * The proxymap daemon did not automatically authorize map features
    added after Postfix 3.3, caused by missing *_maps parameter
    names in the proxy_read_maps default value. Found during code
    maintenance.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


Re: master_wakeup_timer_event

2022-01-18 Thread Wietse Venema
natan:
> On 18.01.2022 at 16:17, Wietse Venema wrote:
> > natan:
> >> Hi
> >> My happiness did not last long
> >>
> >> Jan 18 13:33:22? postfix/master[3581]: warning:
> >> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
> >> temporarily unavailable
> >>
> >> I'm so confused because I cannot resolve that problem and I don't know
> >> where the problem really is
> > Repeat:
> > Reduce the process limits for "smtp pass" by half.
> > Reduce the default_process_limit by half
> > (this is used by postscreen to size its connection queues).
> > Execute "postfix reload".
> > Wait for a few hours.
> > Until Postfix stops logging "Resource > temporarily unavailable".
> >
> > Wietse
> >
> master.cf
> smtpd pass  -   -   -   -   150   smtpd -o
> receive_override_options=no_address_mappings

That is a meaningful change.

> main.cf
> default_process_limit = 200

That is backwards. The limit should not be larger than the "smtpd
pass" process limit.

What were the process limits for deliveries to amavis and non-amavis
content filters? Those limits can be ~10x smaller than the "smtpd
pass" process limit (see http://www.postfix.org/FILTER_README.html).

Wietse
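
An added example, not from the thread or from Postfix: a Python reader for master.cf that joins continuation lines (the reason the thread advises against grep on master.cf), resolves each service's effective setting (the -o override, otherwise main.cf), and applies Wietse's rule above that default_process_limit should not be larger than the "smtpd pass" process limit. The sample master.cf, the main.cf values and dnsbl.example are constructed.

```python
"""Read master.cf as logical entries and check settings discussed in the thread."""

# Constructed sample, modelled on entries quoted in the thread.
MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       150     smtpd
  -o receive_override_options=no_address_mappings
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

# Constructed main.cf values; dnsbl.example is a placeholder.
MAIN_CF = {
    "default_process_limit": "200",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_client_restrictions": "reject_rbl_client dnsbl.example",
}


def grep_lines(text, pattern):
    """What a plain grep shows: physical lines only, options split off."""
    return [line for line in text.splitlines() if pattern in line]


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the entry above."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def parse_master(text):
    """Map (service, type) to its process limit, command and -o overrides.

    Handles the plain "-o name=value" form only.
    """
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        args = fields[8:]
        overrides = {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                name, setting = value.split("=", 1)
                overrides[name] = setting
        services[(fields[0], fields[1])] = {
            "maxproc": fields[6], "command": fields[7], "overrides": overrides}
    return services


def effective(services, key, param, main_cf):
    """Per-service -o value if present, otherwise the main.cf value."""
    return services[key]["overrides"].get(param, main_cf.get(param))


def limit_findings(services, main_cf):
    """Flag 'pass' smtpd services whose limit is below default_process_limit."""
    default = int(main_cf.get("default_process_limit", "100"))
    findings = []
    for (name, stype), svc in services.items():
        if stype != "pass" or svc["command"] != "smtpd":
            continue
        # "-" means the service uses default_process_limit; 0 means no limit.
        limit = default if svc["maxproc"] == "-" else int(svc["maxproc"])
        if limit and default > limit:
            findings.append(f"{name}/{stype}: default_process_limit {default} > {limit}")
    return findings


if __name__ == "__main__":
    services = parse_master(MASTER_CF)
    print(grep_lines(MASTER_CF, "submission"))
    for key in services:
        print(key, "sasl:", effective(services, key, "smtpd_sasl_auth_enable", MAIN_CF),
              "client restrictions:", effective(services, key, "smtpd_client_restrictions", MAIN_CF))
    print(limit_findings(services, MAIN_CF))
```

In the sample, the submission entry overrides smtpd_recipient_restrictions but not smtpd_client_restrictions, so the main.cf DNSBL check still applies to it; 150 against 200 is flagged and 200 against 200 is not.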


Re: Adding a second line to .forward, can one prevent errors feeding back to sender?

2022-01-18 Thread Fred Morris

On Tue, 18 Jan 2022, Chris Green wrote:

[...]
Currently I deliver local mail to myself on my linux (xubuntu 21.10)
system using a ~/.forward file as follows:-

   | /home/chris/.mutt/bin/filter.py

I'm looking for a simple way to test new versions of filter.py and I'm
not coming up with easy answers.


This is something which historically I've used formail (part of procmail) 
for. (Come to think of it I've kept the source around and compile it 
myself.)


As a grizzled veteran, I suggest you contemplate a workflow somewhat like:

* Save mail to a "unix mail" or "maildir" mailbox; this is your "corpus".
  You might consider doing this upstream, e.g. in aliases.

* Find something to process that corpus back into individual messages for
  reprocessing, e.g. formail.

* Build a proper test suite. ;-)

* Test, test, test!

--

Fred Morris, internet plumber



Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
On Tue, Jan 18, 2022 at 04:50:11PM +0100, Matus UHLAR - fantomas wrote:
> On 18.01.22 10:32, Ruben Safir wrote:
> >I am sorry, that is wrong.  I am getting main and master confused.
> [...]
> 
> >THIS is in Master
> >www2:/etc/postfix # grep "smtpd"  master.cf|grep -v "#"
> 
> don't use grep for master.cf, there are usually options on next lines
> 
> >smtp  inet  n   -   n   -   -   smtpd
> >submission inet n   -   n   -   -   smtpd
> > -o smtpd_tls_security_level=encrypt
> >
> >So it looks I have work to do in master.
> 
> # postconf -M smtps submission
> submission inet  n   -   y   -   -   smtpd -o 
> syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o 
> smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o 
> smtpd_client_restrictions=$mua_client_restrictions -o 
> smtpd_helo_restrictions=$mua_helo_restrictions -o 
> smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
> milter_macro_daemon_name=ORIGINATING
> smtps  inet  n   -   y   -   -   smtpd -o 
> syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o 
> smtpd_sasl_auth_enable=yes -o 
> smtpd_client_restrictions=$mua_client_restrictions -o 
> smtpd_helo_restrictions=$mua_helo_restrictions -o 
> smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
> milter_macro_daemon_name=ORIGINATING
> 
> 

www2:~ # postconf -M submission
submission inet  n   -   n   -   -   smtpd -o
syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o
smtpd_sasl_auth_enable=yes -o smtpd_sasl_auth_enable=yes -o
smtpd_recipient_restrictions=permit_sasl_authenticated,reject

www2:~ # postconf -M smtp
smtp   inet  n   -   n   -   -   smtpd
smtp   unix  -   -   n   -   -   smtp

although this doesn't really say what the files say or which files are
being edited.



> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "To Boot or not to Boot, that's the question." [WD1270 Caviar]

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013



Re: master_wakeup_timer_event

2022-01-18 Thread natan
On 18.01.2022 at 16:53, natan wrote:
> On 18.01.2022 at 16:17, Wietse Venema wrote:
>> natan:
>>> Hi
>>> My happiness did not last long
>>>
>>> Jan 18 13:33:22? postfix/master[3581]: warning:
>>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>>> temporarily unavailable
>>>
>>> I'm so confused because I cannot resolve that problem and I don't know
>>> where the problem really is
>> Repeat:
>> Reduce the process limits for "smtp pass" by half.
>> Reduce the default_process_limit by half
>>  (this is used by postscreen to size its connection queues).
>> Execute "postfix reload".
>> Wait for a few hours.
>> Until Postfix stops logging "Resource > temporarily unavailable".
>>
>>  Wietse
>>
> master.cf
> smtpd pass  -   -   -   -   150   smtpd -o
> receive_override_options=no_address_mappings
>
> main.cf
> default_process_limit = 200
> --
>
sorry:

master.cf
smtpd pass  -   -   -   -   200   smtpd -o
receive_override_options=no_address_mappings

main.cf
default_process_limit = 200




--



Re: master_wakeup_timer_event

2022-01-18 Thread natan
On 18.01.2022 at 16:17, Wietse Venema wrote:
> natan:
>> Hi
>> My happiness did not last long
>>
>> Jan 18 13:33:22? postfix/master[3581]: warning:
>> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
>> temporarily unavailable
>>
>> I'm so confused because I cannot resolve that problem and I don't know
>> where the problem really is
> Repeat:
> Reduce the process limits for "smtp pass" by half.
> Reduce the default_process_limit by half
>   (this is used by postscreen to size its connection queues).
> Execute "postfix reload".
> Wait for a few hours.
> Until Postfix stops logging "Resource > temporarily unavailable".
>
>   Wietse
>
master.cf
smtpd pass  -   -   -   -   150   smtpd -o
receive_override_options=no_address_mappings

main.cf
default_process_limit = 200
--



Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
On Tue, Jan 18, 2022 at 10:47:05AM -0500, Wietse Venema wrote:
> Ruben Safir:
> > UNDER main.cf I have this:
> > 
> > smtpd_data_restrictions = reject_unauth_pipelining, permit
> > 
> > 
> > # SASL stuff
> > 
> ...
> > smtpd_sasl_auth_enable = yes
> 
> Note, SASL is enabled in main.cf, but can be disabled in master.cf
> with per-service "-o smtpd_sasl_auth_enable=no" overrides.
> 
> > I don't see sasl on telnet
> > 
> > www2:/etc/postfix # telnet www2.mrbrklyn.com 587
> > Trying 96.57.23.82...
> > Connected to www2.mrbrklyn.com.
> > Escape character is '^]'.
> > 220 mrbrklyn.com ESMTP
> > EHLO client flatbush.mrbrklyn.com
> > 250-mrbrklyn.com
> > 250-PIPELINING
> > 250-SIZE
> > 250-ETRN
> > 250-STARTTLS
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> 
> Good. I suppose there is a "-o smtpd_sasl_auth_enable=no" setting
> for this service in master.cf. That's fine.

The submission should be yes though, should it not?  I thought that was
the point :)  We are trying to use dovecot to authorize submissions for
relaying on 587 

If I am confusing you, I apologize and thank you sincerely for the
help.  FWIW - I am looking over the docs at
http://www.postfix.org/SASL_README.html#server_sasl_enable

> 
> Now we need to make sure that spanhaus etc. aren't enforced for the
> submission service (and smtpd, of enabled).
> 
>   Wietse

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013



Re: Adding Additional domains and outgoing email

2022-01-18 Thread Wietse Venema
Wietse Venema:
> Ruben Safir:
> > UNDER main.cf I have this:
> > 
> > smtpd_data_restrictions = reject_unauth_pipelining, permit
> > 
> > 
> > # SASL stuff
> > 
> ...
> > smtpd_sasl_auth_enable = yes
> 
> Note, SASL is enabled in main.cf, but can be disabled in master.cf
> with per-service "-o smtpd_sasl_auth_enable=no" overrides.
> 
> > I don't see sasl on telnet
> > 
> > www2:/etc/postfix # telnet www2.mrbrklyn.com 587
> > Trying 96.57.23.82...
> > Connected to www2.mrbrklyn.com.
> > Escape character is '^]'.
> > 220 mrbrklyn.com ESMTP
> > EHLO client flatbush.mrbrklyn.com
> > 250-mrbrklyn.com
> > 250-PIPELINING
> > 250-SIZE
> > 250-ETRN
> > 250-STARTTLS
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> 
> Good. I suppose there is a "-o smtpd_sasl_auth_enable=no" setting
> for this service in master.cf. That's fine.
> 
> Now we need to make sure that spanhaus etc. aren't enforced for the
> submission service (and smtpd, of enabled).

That should be (and smtps, if enabled).

Wietse


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Wietse Venema
Ruben Safir:
> >   -o milter_macro_daemon_name=ORIGINATING
> 
> I don't need the milter I assume?

You can comment it out and leave it as a reminder. If you ever want
to add a signing milter, then this may be needed.

Wietse


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Matus UHLAR - fantomas

On 18.01.22 10:32, Ruben Safir wrote:
> I am sorry, that is wrong.  I am getting main and master confused.

[...]

> THIS is in Master
> www2:/etc/postfix # grep "smtpd"  master.cf|grep -v "#"

don't use grep for master.cf, there are usually options on next lines

> smtp  inet  n   -   n   -   -   smtpd
> submission inet n   -   n   -   -   smtpd
>  -o smtpd_tls_security_level=encrypt
>
> So it looks I have work to do in master.


# postconf -M smtps submission
submission inet  n   -   y   -   -   smtpd -o 
syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o 
smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o 
smtpd_client_restrictions=$mua_client_restrictions -o 
smtpd_helo_restrictions=$mua_helo_restrictions -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
milter_macro_daemon_name=ORIGINATING
smtps  inet  n   -   y   -   -   smtpd -o 
syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o 
smtpd_sasl_auth_enable=yes -o 
smtpd_client_restrictions=$mua_client_restrictions -o 
smtpd_helo_restrictions=$mua_helo_restrictions -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject -o 
milter_macro_daemon_name=ORIGINATING




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
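
The point above about grep and continuation lines, as an added example (not code from the thread or from Postfix): a small Python reader that joins master.cf continuation lines, collects each service's -o overrides, and reports what the submission service effectively inherits from main.cf. The sample files and the MAIN_CF values are constructed from settings quoted in the thread; built-in Postfix defaults and the "-o { name = value }" form are not modelled.

```python
RESTRICTION_CLASSES = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)

# Constructed main.cf values, modelled on the settings quoted in the thread.
MAIN_CF = {
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_tls_security_level": "may",
    "smtpd_recipient_restrictions":
        "reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net",
}

# Constructed master.cf in the shape posted in the thread:
# the only override sits on a continuation line.
THREAD_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
"""

# Constructed master.cf following the uncommented stock entry quoted in the thread.
STOCK_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  #  a comment between options does not end the entry
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""


def parse_master_cf(text):
    """Return one dict per service, with continuation lines joined."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments never end a logical line
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        args, overrides = fields[8:], {}
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                name, _, setting = value.partition("=")
                overrides[name] = setting  # "name=" is an explicit empty value
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "overrides": overrides})
    return services


def effective(service, main_cf, name):
    """Value the service runs with: its -o override, else the main.cf value."""
    return service["overrides"].get(name, main_cf.get(name, ""))


def audit_submission(services, main_cf):
    """List where the submission service departs from the advice in the thread."""
    svc = next((s for s in services if s["name"] == "submission"), None)
    if svc is None:
        return ["missing:submission"]
    findings = []
    if effective(svc, main_cf, "smtpd_sasl_auth_enable") != "yes":
        findings.append("sasl-disabled")
    if effective(svc, main_cf, "smtpd_tls_security_level") != "encrypt":
        findings.append("tls-optional")
    gated = False
    for name in RESTRICTION_CLASSES:
        tokens = effective(svc, main_cf, name).replace(",", " ").split()
        if any(t.startswith(("reject_rbl_", "reject_rhsbl_")) for t in tokens):
            source = "override" if name in svc["overrides"] else "main.cf"
            findings.append(f"dnsbl:{name}:{source}")
        if name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
            if "permit_sasl_authenticated" in tokens and tokens[-1] == "reject":
                gated = True
    if not gated:
        findings.append("no-auth-gate")
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_MASTER_CF), ("stock", STOCK_MASTER_CF)):
        print(label, audit_submission(parse_master_cf(text), MAIN_CF))
```

On a live system, "postconf -M" and "postconf -P" print the same joined view directly.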


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
On Tue, Jan 18, 2022 at 10:36:34AM -0500, Ruben Safir wrote:
> >   -o milter_macro_daemon_name=ORIGINATING
> > 
> 
> I don't need the milter I assume?
> 


I have this line as well, which I think might be wrong
smtp  inet  n   -   n   -   -   smtpd <<==


As for specifying port 25 through smtp - it is not currently set up like
that.  Instead in main.cf I have:
 
smtpd_recipient_restrictions =
...
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net
 reject_rbl_client cbl.abuseat.org,

So do I need to restructure the main config file to separate smtp and smtpd?


> 
> > Wietse
> 



Re: Adding Additional domains and outgoing email

2022-01-18 Thread Wietse Venema
Ruben Safir:
> UNDER main.cf I have this:
> 
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> 
> 
> # SASL stuff
> 
...
> smtpd_sasl_auth_enable = yes

Note, SASL is enabled in main.cf, but can be disabled in master.cf
with per-service "-o smtpd_sasl_auth_enable=no" overrides.

> I don't see sasl on telnet
> 
> www2:/etc/postfix # telnet www2.mrbrklyn.com 587
> Trying 96.57.23.82...
> Connected to www2.mrbrklyn.com.
> Escape character is '^]'.
> 220 mrbrklyn.com ESMTP
> EHLO client flatbush.mrbrklyn.com
> 250-mrbrklyn.com
> 250-PIPELINING
> 250-SIZE
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

Good. I suppose there is a "-o smtpd_sasl_auth_enable=no" setting
for this service in master.cf. That's fine.

Now we need to make sure that spanhaus etc. aren't enforced for the
submission service (and smtpd, of enabled).

Wietse


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
>   -o milter_macro_daemon_name=ORIGINATING
> 

I don't need the milter I assume?


>   Wietse




Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
I am sorry, that is wrong.  I am getting main and master confused.

This is in main

www2:/etc/postfix # grep "^smtpd"  main.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
regexp:/etc/postfix/helo.regexp, permit
smtpd_sender_restrictions = hash:/etc/postfix/access,
reject_unknown_sender_domain
smtpd_recipient_restrictions = 
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes 
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem 
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem 
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP


THIS is in Master
www2:/etc/postfix # grep "smtpd"  master.cf|grep -v "#"
smtp  inet  n   -   n   -   -   smtpd
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt

So it looks I have work to do in master.


  

> 
> UNDER main.cf I have this:
> 
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> 
> 
> # SASL stuff
> 
> smtp_sasl_auth_enable = no
> smtp_sasl_security_options =
> smtp_sasl_password_maps =
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> smtpd_use_tls = yes
> smtpd_tls_loglevel = 1
> smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
> #smtpd_tls_CApath = 
> smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
> smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_tls_security_level = may
> smtpd_tls_received_header = yes
> smtpd_tls_ask_ccert = yes
> smtpd_delay_reject = yes
> smtpd_banner = $myhostname ESMTP
> 
> I don't see sasl on telnet
> 
> www2:/etc/postfix # telnet www2.mrbrklyn.com 587
> Trying 96.57.23.82...
> Connected to www2.mrbrklyn.com.
> Escape character is '^]'.
> 220 mrbrklyn.com ESMTP
> EHLO client flatbush.mrbrklyn.com
> 250-mrbrklyn.com
> 250-PIPELINING
> 250-SIZE
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> 
> 
> > Note that there are no DNSBL checks on the submission port.
> > 
> > Wietse
> 



Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
On Wed, Jan 12, 2022 at 10:43:11AM -0500, Wietse Venema wrote:
> Wietse:
> > I think it is a mistake to enforce Spamhaus for clients that connect
> > to port 578. Clients on port 25 must authenticate.
> 
> Ruben Safir:
> > I agree, but I don't know how to control rules for 587?
> > How do I tell it to  do something only on port 587?
> 
> In the stock master.cf file:
> 
> #submission inet n   -   n   -   -   smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> # Instead of specifying complex smtpd_<xxx>_restrictions here,
> # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
> # here, and specify mua_<xxx>_restrictions in main.cf (where
> # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
> #  -o smtpd_client_restrictions=
> #  -o smtpd_helo_restrictions=
> #  -o smtpd_sender_restrictions=
> #  -o smtpd_relay_restrictions=
> #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> 
> Once the "#" is removed, the smtpd restrictions are:
> 
> submission inet n   -   n   -   -   smtpd
>   ...
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_relay_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   ...
> 


UNDER main.cf I have this:

smtpd_data_restrictions = reject_unauth_pipelining, permit


# SASL stuff

smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
#smtpd_tls_CApath = 
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP

I don't see sasl on telnet

www2:/etc/postfix # telnet www2.mrbrklyn.com 587
Trying 96.57.23.82...
Connected to www2.mrbrklyn.com.
Escape character is '^]'.
220 mrbrklyn.com ESMTP
EHLO client flatbush.mrbrklyn.com
250-mrbrklyn.com
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN



> Note that there are no DNSBL checks on the submission port.
> 
>   Wietse




Re: master_wakeup_timer_event

2022-01-18 Thread Wietse Venema
natan:
> Hi
> My happiness did not last long
> 
> Jan 18 13:33:22 postfix/master[3581]: warning:
> master_wakeup_timer_event: service qmgr(public/qmgr): Resource
> temporarily unavailable
> 
> I'm so confused because I cannot resolve that problem and I don't know
> where the problem really is

Repeat:
Reduce the process limits for "smtp pass" by half.
Reduce the default_process_limit by half
(this is used by postscreen to size its connection queues).
Execute "postfix reload".
Wait for a few hours.
Until Postfix stops logging "Resource temporarily unavailable".

Wietse
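
One way to tell whether a halving step has taken effect, as an added example (not part of the thread or of Postfix): tally the "Resource temporarily unavailable" warnings per daemon and service between reloads. The log lines are constructed in the shape of those quoted in the thread, and the format of the master "reload" line is an assumption.

```python
import re
from collections import Counter

# Constructed log lines; host name, PIDs, times and "X.Y.Z" are placeholders.
SAMPLE_LOG = """\
Jan 18 09:10:50 mx1 postfix/postscreen[7103]: warning: cannot connect to service private/smtpd: Resource temporarily unavailable
Jan 18 09:11:02 mx1 postfix/master[3581]: warning: master_wakeup_timer_event: service qmgr(public/qmgr): Resource temporarily unavailable
Jan 18 09:30:00 mx1 postfix/master[3581]: reload -- version X.Y.Z, configuration /etc/postfix
Jan 18 09:41:17 mx1 postfix/postscreen[7240]: warning: cannot connect to service private/smtpd: Resource temporarily unavailable
Jan 18 10:15:00 mx1 postfix/master[3581]: reload -- version X.Y.Z, configuration /etc/postfix
Jan 18 13:20:44 mx1 postfix/smtpd[7511]: connect from unknown[192.0.2.10]
""".splitlines()

# timestamp, optional host, postfix/<daemon>[pid]: message
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s.*?postfix/([\w-]+)\[\d+\]:\s(.*)$")
# Both warning forms quoted in the thread name the service before the error text.
EAGAIN = re.compile(r"service (\S+): Resource temporarily unavailable")


def tally_by_reload(lines):
    """Split the log at each master reload and count warnings per (daemon, service)."""
    epochs = [{"reload_at": None, "warnings": Counter()}]
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue
        timestamp, daemon, message = match.groups()
        if daemon == "master" and message.startswith("reload"):
            epochs.append({"reload_at": timestamp, "warnings": Counter()})
            continue
        hit = EAGAIN.search(message)
        if hit:
            epochs[-1]["warnings"][(daemon, hit.group(1))] += 1
    return epochs


def warnings_after_last_reload(lines):
    """Warnings logged since the most recent reload; empty means the limits hold so far."""
    return dict(tally_by_reload(lines)[-1]["warnings"])


if __name__ == "__main__":
    for epoch in tally_by_reload(SAMPLE_LOG):
        print(epoch["reload_at"] or "before first reload", dict(epoch["warnings"]))
```

An empty result only means something after the wait the thread asks for, so compare the last reload time with the time of the newest log line before concluding.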



Re: master_wakeup_timer_event

2022-01-18 Thread natan
Hi
My happiness did not last long

Jan 18 13:33:22  postfix/master[3581]: warning:
master_wakeup_timer_event: service qmgr(public/qmgr): Resource
temporarily unavailable

I'm so confused because I cannot resolve that problem and I don't know
where the problem really is




On 18.01.2022 at 10:34, natan wrote:
> Hi
> Thanks all :) For testing I changed default_process_limit to 300 and
> changed 190 to 300
>
>
>
> Sent from my Mi MIX 2
> Wietse Venema wrote on 17 Jan 2022 18:34:
>
> natan:
> > On 17.01.2022 at 15:58, Wietse Venema wrote:
> > > natan:
> > >> On 14.01.2022 at 22:18, Wietse Venema wrote:
> > >>> natan:
> > >>> Wietse:
> >  Do you know if the problem is a kernel limit or a per-process limit?
> >  Does master have 4096 open files (including network sockets: ip,
> >  unix-domain, etc.).
> > >>> Wietse:
> >  BTW that last one was a trick question: you need a huge number of
> >  services in master.cf to exceed the 4096 limit. The master needs
> >  three sockets for each service with type 'unix' in master.cf;
> >  services with type 'inet' require two sockets plus one socket per
> >  address in inet_interfaces.
> > >>> natan:
> >  "Do you know if the problem is a kernel limit or a per-process limit?"
> > 
> >  I really don't know where the problem is - and how to diagnose this
> > 
> >  I have long thought about a kernel limit but ... I have no idea
> > > Wietse:
> > >> Were you the person who has a Postfix process limit in the thousands?
> > >> If that is the case, then I suggest that you reduce the Postfix
> > >> process limit to half the number, do "postfix reload", wait for a
> > >> while, and keep reducing the limit to half its value until the
> > >> "resource temporarily unavailable" warnings go away. Also, make
> > >> arrangements for more (and more powerful) servers.
> > > natan:
> > >> I don't know if I am that man with limit thousands
> > >> 
> > >> # postconf -nf
> > > ...
> > >> default_process_limit = 1200
> > >>
> > >> from log:
> > >> Jan 17 10:10:50 thebe4b postfix/postscreen[7103]: warning: cannot
> > >> connect to service private/smtpd: Resource temporarily unavailable
> > > postscreen maintains queues with connections that still need to be
> > > 'tested' (postscreen_pre_queue_limit) and that need to be given to
> > > an smtpd process (postscreen_post_queue_limit).
> > >
> > > Each postscreen queue size is $default_process_limit. Both queues
> > > together add up to 2400 network sockets.
> > >
> > > If you make this amount the same as your internet-facing smtpd
> > > process limits, then postscreen might leave more resources for the
> > > rest of Postfix.
> > >
> > > And then, reduce process limits by half and do "postfix reload",
> > > until the 'Resource temporarily unavailable' message goes away.
> > >
> > >> This is a strong machine where load average: 0,95, 1,19, 2,08
> > > Obviously, it doesn't use much CPU power when it can't create a
> > > UNIX-domain socket.
> > >
> > > Wietse
>
> > #for no scan amavis:
> > 10.0.100.24/32 FILTER smtp:10.0.100.5:10025
> > xxx.xxx.xxx.25/32 FILTER smtp:10.0.100.5:10025
> > #go to amavis-klaster
> > 0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628
> > ##
>
> OK, you're switching between after-queue content filters,
> and there is no smtpd_proxy_filter.
>
>
> That leaves the possibility that postscreen is hogging too many
> network sockets.
>
> Reduce the default_process_limit to the same number as your "smtpd
> pass" service (currently, 190). Then do "postfix reload", and wait
> for some time.
>
> While Postfix logs "resource temporarily unavailable":
>     Halve the process limit for the "smtpd pass" SMTP service.
>     Halve the default_process_limit.
>     Do "postfix reload".
>     Wait for some time.
>
> Wietse
>


--


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Wietse Venema
Ruben Safir:
> On Wed, Jan 12, 2022 at 10:44:18AM -0500, Wietse Venema wrote:
> > Wietse Venema:
> > > Wietse:
> > > > I think it is a mistake to enforce Spamhaus for clients that connect
> > > > to port 578. Clients on port 25 must authenticate.
> > 
> > Sorry,  25 should have been 578.
> 
> how to control rules for 587?  Is that controlled by the 
> submission init n - n - - smtpd 
> ??

Use Spamhaus etc. on the "smtp" (port 25) service, and require SASL
authentication on the submission service.

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  #  Instead of specifying complex smtpd_<xxx>_restrictions here,
  #  specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
  #  here, and specify mua_<xxx>_restrictions in main.cf (where
  #  "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Wietse


Re: webmail question

2022-01-18 Thread Benny Pedersen

On 2022-01-18 12:58, Frank Hwa wrote:

> I like postfix and dovecot for setting up mail systems.
> But I don't like roundcube or rainloop webmail.
> How can I make a webmail system like gmail? it would have gmail's
> primary features such as grouping, filtering, labeling. is there any
> opensource one?

if you like something like gmail, use gmail to use your own imap / smtp
server, i will let it out to the reader to read how to :)

other ways is squirrelmail, horde, nextcloud, oxcloud, maybe many others

you won't find one that is simple as roundcube and still security safe to
use


Re: Adding Additional domains and outgoing email

2022-01-18 Thread Ruben Safir
On Wed, Jan 12, 2022 at 10:44:18AM -0500, Wietse Venema wrote:
> Wietse Venema:
> > Wietse:
> > > I think it is a mistake to enforce Spamhaus for clients that connect
> > > to port 578. Clients on port 25 must authenticate.
> 
> Sorry,  25 should have been 578.

how to control rules for 587?  Is that controlled by the 
submission init n - n - - smtpd 
??


> 
> > Ruben Safir:
> > > I agree, but I don't know how to control rules for 587?
> > > How do I tell it to  do something only on port 587?
> > 
> > In the stock master.cf file:
> > 
> > #submission inet n   -   n   -   -   smtpd
> > #  -o syslog_name=postfix/submission
> > #  -o smtpd_tls_security_level=encrypt
> > #  -o smtpd_sasl_auth_enable=yes
> > #  -o smtpd_tls_auth_only=yes
> > #  -o smtpd_reject_unlisted_recipient=no
> > # Instead of specifying complex smtpd_<xxx>_restrictions here,
> > # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
> > # here, and specify mua_<xxx>_restrictions in main.cf (where
> > # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
> > #  -o smtpd_client_restrictions=
> > #  -o smtpd_helo_restrictions=
> > #  -o smtpd_sender_restrictions=
> > #  -o smtpd_relay_restrictions=
> > #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> > #  -o milter_macro_daemon_name=ORIGINATING
> > 
> > Once the "#" is removed, the smtpd restrictions are:
> > 
> > submission inet n   -   n   -   -   smtpd
> >   ...
> >   -o smtpd_client_restrictions=
> >   -o smtpd_helo_restrictions=
> >   -o smtpd_sender_restrictions=
> >   -o smtpd_relay_restrictions=
> >   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> >   ...
> > 
> > Note that there are no DNSBL checks on the submission port.
> > 
> > Wietse
> > 




Re: Adding a second line to .forward, can one prevent errors feeding back to sender?

2022-01-18 Thread Chris Green
On Tue, Jan 18, 2022 at 07:52:23AM -0500, Wietse Venema wrote:
> Chris Green:
> > If I add a second line to .forward, e.g. make it something like:-
> > 
> > | /home/chris/.mutt/bin/filter.py
> > | /home/chris/dev/bin/filter.py
> > 
> > Then, if (as is likely) there are errors in /home/chris/dev/bin/filter.py
> > the message sender will see an error returned even though the message
> > has been delivered successfully by the first line.
> > 
> > Is there a (simple) way to set up an extra message delivery whose
> > status won't get fed back to the sender?
> 
> Using standard shell syntax:
> 
> | /home/chris/.mutt/bin/filter.py
> | /home/chris/dev/bin/filter.py || exit 0
> 
Brilliant (well, 'of course' too, I should have got there myself),
thank you Wietse.

-- 
Chris Green


Re: Adding a second line to .forward, can one prevent errors feeding back to sender?

2022-01-18 Thread Wietse Venema
Chris Green:
> If I add a second line to .forward, e.g. make it something like:-
> 
> | /home/chris/.mutt/bin/filter.py
> | /home/chris/dev/bin/filter.py
> 
> Then, if (as is likely) there are errors in /home/chris/dev/bin/filter.py
> the message sender will see an error returned even though the message
> has been delivered successfully by the first line.
> 
> Is there a (simple) way to set up an extra message delivery whose
> status won't get fed back to the sender?

Using standard shell syntax:

| /home/chris/.mutt/bin/filter.py
| /home/chris/dev/bin/filter.py || exit 0

Wietse



webmail question

2022-01-18 Thread Frank Hwa

Hello

I like postfix and dovecot for setting up mail systems.
But I don't like roundcube or rainloop webmail.
How can I make a webmail system like gmail? it would have gmail's 
primary features such as grouping, filtering, labeling. is there any 
opensource one?


Thank you.
Frank


Adding a second line to .forward, can one prevent errors feeding back to sender?

2022-01-18 Thread Chris Green
This is a possibly naive question.

Currently I deliver local mail to myself on my linux (xubuntu 21.10)
system using a ~/.forward file as follows:-

| /home/chris/.mutt/bin/filter.py

I'm looking for a simple way to test new versions of filter.py and I'm
not coming up with easy answers.

If I add a second line to .forward, e.g. make it something like:-

| /home/chris/.mutt/bin/filter.py
| /home/chris/dev/bin/filter.py

Then, if (as is likely) there are errors in /home/chris/dev/bin/filter.py
the message sender will see an error returned even though the message
has been delivered successfully by the first line.

Is there a (simple) way to set up an extra message delivery whose
status won't get fed back to the sender?

I realise I could set up a complete other user and have a separate
environment but that seems overkill for a simple, single user
situation like this.  I just want an easy way (that I can turn on and
off) to feed my incoming messages into a 'second place' that won't
return errors to the sender if it goes wrong.


It's not super critical that I never send errors back, this is only
handling my own personal mail.  Up until now I have simply edited
filter.py very carefully and lived with the odd undelivered message,
in general SMTP copes very well and resends.  It would just be nice to
come up with a slightly more robust approach which would allow me to
do more major changes to filter.py with less risk.
   
-- 
Chris Green


Re: master_wakeup_timer_event

2022-01-18 Thread natan
Hi
Thanks all :) For testing I changed default_process_limit to 300 and changed 190 to 300



Sent from my Mi MIX 2
Wietse Venema wrote on 17 Jan 2022 18:34:
natan:
> On 17.01.2022 at 15:58, Wietse Venema wrote:
> > natan:
> >> On 14.01.2022 at 22:18, Wietse Venema wrote:
> >>> natan:
> >>> Wietse:
>  Do you know if the problem is a kernel limit or a per-process limit?
>  Does master have 4096 open files (including network sockets: ip,
>  unix-domain, etc.).
> >>> Wietse:
>  BTW that last one was a trick question: you need a huge number of
>  services in master.cf to exceed the 4096 limit. The master needs
>  three sockets for each service with type 'unix' in master.cf;
>  services with type 'inet' require two sockets plus one socket per
>  address in inet_interfaces.
> >>> natan:
>  "Do you know if the problem is a kernel limit or a per-process limit?"
> 
>  I really don't know where the problem is - and how to diagnose this
> 
>  I have long thought about a kernel limit but ... I have no idea
> > Wietse:
> >> Were you the person who has a Postfix process limit in the thousands?
> >> If that is the case, then I suggest that you reduce the Postfix
> >> process limit to half the number, do "postfix reload", wait for a
> >> while, and keep reducing the limit to half its value until the
> >> "resource temporarily unavailable" warnings go away. Also, make
> >> arrangements for more (and more powerful) servers.
> > natan:
> >> I don't know if I am that man with limit thousands
> >>  
> >> # postconf -nf
> > ...
> >> default_process_limit = 1200
> >>
> >> from log:
> >> Jan 17 10:10:50 thebe4b postfix/postscreen[7103]: warning: cannot
> >> connect to service private/smtpd: Resource temporarily unavailable
> > postscreen maintains queues with connections that still need to be
> > 'tested' (postscreen_pre_queue_limit) and that need to be given to
> > an smtpd process (postscreen_post_queue_limit).  
> >
> > Each postscreen queue size is $default_process_limit. Both queues
> > together add up to 2400 network sockets.
> >
> > If you make this amount the same as your internet-facing smtpd
> > process limits, then postscreen might leave more resources for the
> > rest of Postfix.
> >
> > And then, reduce process limits by half and do "postfix reload",
> > until the 'Resource temporarily unavailable' message goes away.
> >
> >> This is a strong machine where load average: 0,95, 1,19, 2,08
> > Obviously, it doesn't use much CPU power when it can't create a
> > UNIX-domain socket.
> >
> > 	Wietse

> #for no scan amavis:
> 10.0.100.24/32 FILTER smtp:10.0.100.5:10025
> xxx.xxx.xxx.25/32 FILTER smtp:10.0.100.5:10025
> #go to amavis-klaster
> 0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628
> ##

OK, you're switching between after-queue content filters,
and there is no smtpd_proxy_filter.


That leaves the possibility that postscreen is hogging too many
network sockets.

Reduce the default_process_limit to the same number as your "smtpd
pass" service (currently, 190). Then do "postfix reload", and wait
for some time.

While Postfix logs "resource temporarily unavailable":
    Halve the process limit for the "smtpd pass" SMTP service.
    Halve the default_process_limit.
    Do "postfix reload".
    Wait for some time.

	Wietse