[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Glenn Tenney via Postfix-users
On Mon, Mar 11, 2024 at 10:07 PM Viktor Dukhovni via Postfix-users
 wrote:
> > I truly have no clue why my maillog is so different than yours. I set
> > "smtpd_tls_loglevel = 2" and here's the log (on the machine running
> > postfix @ domain.name) from gmail connecting, and logging in as
> > "auser" and then trying to send an email as "auser" back to me here at
> > gmail:
>
> So you decided to add more hay to stack to hide the needle? :-)
> Best to set the log level back to 1.

I figured that maybe level 2 would give me "client" and if not, that
it might show you something more helpful. Back to 1...

> > Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE:
> > reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1
> > : Sender address rejected: not owned by user auser;
> > from= to= proto=ESMTP
> > helo=
>
> Right, the missing "client=" is because the message was not accepted,
> and so no queue id was assigned.  It seems this was before the changes
> to master.cf were made effective.

Ok... that does sound like it's always been this way...
So, any idea of what's causing that?
Just wondering, could it maybe be "-o
smtpd_sasl_security_options=noanonymous" -- I'm just asking because I
saw "Anonymous TLS connection established from
mail-ua1-f50.google.com[209.85.222.50]" in the logs I've sent.


But any ideas for me to try are most gladly appreciated.


> Well, if you've restarted Postfix after those changes, it should now
> work (a "reload" should actually suffice, but a restart is harmless for
> a low-volume personal server).

Oh, I always do "sudo postmap main.cf" when editing it and then, again
always, do "sudo service postfix restart" after every change before
every test.

Thanks
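The point made above, that a "NOQUEUE: reject:" session never gets a queue id and therefore never logs a "client=" line, is easier to see when log lines are grouped per smtpd process id. The script below is an added example and not code from the thread or from Postfix; the log lines, host name, addresses and queue id in it are constructed, and the field layout is my own.

```shell
#!/bin/sh
# Added example, not from the thread: group Postfix smtpd log lines by the
# smtpd process id so that a "NOQUEUE: reject:" line can be read next to the
# connect, TLS and AUTH state of the same session. All log lines are constructed.

# Constructed sample: one rejected session (no queue id, hence no "client="
# line) followed by one accepted session that does carry a "client=" line.
SAMPLE_LOG=$(cat <<'EOF'
Mar 11 18:57:11 host postfix/submission/smtpd[40225]: connect from relay.example.net[192.0.2.10]
Mar 11 18:57:11 host postfix/submission/smtpd[40225]: Anonymous TLS connection established from relay.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Mar 11 18:57:11 host postfix/submission/smtpd[40225]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.10]: 553 5.7.1 <auser@example.com>: Sender address rejected: not owned by user auser; from=<auser@example.com> to=<peer@example.org> proto=ESMTP helo=<relay.example.net>
Mar 11 18:57:12 host postfix/submission/smtpd[40225]: disconnect from relay.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=6/8
Mar 11 19:02:03 host postfix/submission/smtpd[40301]: connect from relay.example.net[192.0.2.10]
Mar 11 19:02:03 host postfix/submission/smtpd[40301]: Anonymous TLS connection established from relay.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Mar 11 19:02:03 host postfix/submission/smtpd[40301]: 1A2B3C4D5E: client=relay.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=auser
Mar 11 19:02:04 host postfix/submission/smtpd[40301]: disconnect from relay.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
EOF
)

# summarize_sessions LOG: one line per smtpd pid with the fields
#   pid tls auth_count sasl_user queue_id outcome
# auth_count is taken from the disconnect line's auth= counter, so a session
# can show auth=1 even though no client= line was ever logged for it.
summarize_sessions() {
    printf '%s\n' "$1" | awk '
        match($0, /smtpd\[[0-9]+\]/) {
            pid = substr($0, RSTART + 6, RLENGTH - 7)
            if (!(pid in seen)) {
                seen[pid] = 1; order[++n] = pid
                tls[pid] = "no"; auth[pid] = "-"; user[pid] = "-"
                queue[pid] = "-"; outcome[pid] = "ok"
            }
            if ($0 ~ /TLS connection established/) tls[pid] = "yes"
            if (match($0, /sasl_username=[^ ,]+/))
                user[pid] = substr($0, RSTART + 14, RLENGTH - 14)
            if (match($0, /: [0-9A-F]+: client=/))
                queue[pid] = substr($0, RSTART + 2, RLENGTH - 11)
            if ($0 ~ /NOQUEUE: reject:/) { queue[pid] = "NOQUEUE"; outcome[pid] = "reject" }
            if (match($0, / auth=[0-9]+/)) auth[pid] = substr($0, RSTART + 6, RLENGTH - 6)
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                print p, tls[p], auth[p], user[p], queue[p], outcome[p]
            }
        }'
}

# rejected_sessions LOG: pids of sessions that ended in a reject.
rejected_sessions() { summarize_sessions "$1" | awk '$6 == "reject" { print $1 }'; }

# Demonstration when run directly.
echo "pid tls auth user queue outcome"
summarize_sessions "$SAMPLE_LOG"
echo "rejected: $(rejected_sessions "$SAMPLE_LOG" | tr '\n' ' ')"
```

Run on a real maillog with `summarize_sessions "$(grep 'postfix/submission/smtpd' /var/log/maillog)"`; a row with `auth=1`, `user=-` and `queue=NOQUEUE` is exactly the pattern discussed above: the client did authenticate, but because the message was rejected before a queue id was assigned, no `client=`/`sasl_username=` line exists for that session.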
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 07:50:22PM -0700, Glenn Tenney via Postfix-users wrote:

> > You should also remove the "smtpd_sasl_auth_enable = yes" from
> > "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
> > in main.cf set:
> 
> No "mail.cf", but only "-o" is left...

I meant "main.cf" of course...

> > Well, it has to be there, unless your syslog configuration filters it
> > out.  Here's an example (long line folded) from my system:
> >
> > Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
> > 00D8B893CE0: client=, sasl_method=,
> > sasl_username=
> 
> I truly have no clue why my maillog is so different than yours. I set
> "smtpd_tls_loglevel = 2" and here's the log (on the machine running
> postfix @ domain.name) from gmail connecting, and logging in as
> "auser" and then trying to send an email as "auser" back to me here at
> gmail:

So you decided to add more hay to stack to hide the needle? :-)
Best to set the log level back to 1.

> Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE:
> reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1
> : Sender address rejected: not owned by user auser;
> from= to= proto=ESMTP
> helo=

Right, the missing "client=" is because the message was not accepted,
and so no queue id was assigned.  It seems this was before the changes
to master.cf were made effective.

> And with all of the various changes made, here's the most recent postconf -Mf
> 
> smtp   inet  n   -   y   -   -   smtpd
> submission inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_wrappermode=no
> -o smtpd_tls_security_level=may
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
> -o smtpd_sasl_type=dovecot
> -o smtpd_sasl_path=private/auth
> -o smtpd_sasl_security_options=noanonymous
> -o smtpd_sasl_local_domain=$myhostname
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_sender_restrictions=reject_sender_login_mismatch

Well, if you've restarted Postfix after those changes, it should now
work (a "reload" should actually suffice, but a restart is harmless for
a low-volume personal server).

-- 
Viktor.


[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Glenn Tenney via Postfix-users
On Mon, Mar 11, 2024 at 5:13 PM Viktor Dukhovni via Postfix-users
 wrote:

thanks for your patience with me and your help!

> The reject message in your original post was:
>
> Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
> reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
> : Sender address rejected: not owned by user auser;
> from= to=
> proto=ESMTP helo=
>
> Which means that the lookup key "au...@domain.name" does not in fact map
> to "auser" in the indexed (hash table) file:
>
> You can examine the hash table with:
> postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

Here are the results... To me it would sure seem that
au...@domain.name does map to auser and vice-versa.

  % postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin
  auser
  % postmap -q auser hash:/usr/local/etc/postfix/senderlogin
  au...@domain.name

> Which explains the source of the problem.  Just remove that erroneous
> setting.  The virtual(5) alias table is not your sender -> sasl login
> table.

done

> You should also remove the "smtpd_sasl_auth_enable = yes" from
> "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
> in main.cf set:

No "mail.cf", but only "-o" is left...

> Also in the above submission service set:
> smtpd_tls_security_level=encrypt

done


BUT the problem remains...

> > I don't see "client=" anywhere in the logs...
>
> Well, it has to be there, unless your syslog configuration filters it
> out.  Here's an example (long line folded) from my system:
>
> Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
> 00D8B893CE0: client=, sasl_method=,
> sasl_username=

I truly have no clue why my maillog is so different than yours. I set
"smtpd_tls_loglevel = 2" and here's the log (on the machine running
postfix @ domain.name) from gmail connecting, and logging in as
"auser" and then trying to send an email as "auser" back to me here at
gmail:

Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: initializing
the server-side TLS engine
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: connect from
mail-ua1-f50.google.com[209.85.222.50]
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: setting up
TLS connection from mail-ua1-f50.google.com[209.85.222.50]
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
mail-ua1-f50.google.com[209.85.222.50]: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH"
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:before SSL initialization
Mar 11 18:57:11 MACHINE syslogd: last message repeated 1 times
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS read client hello
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS write server hello
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS write change cipher spec
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:TLSv1.3 write encrypted extensions
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS write certificate
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:TLSv1.3 write server certificate verify
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS write finished
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:TLSv1.3 early data
Mar 11 18:57:11 MACHINE syslogd: last message repeated 1 times
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS read finished
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
mail-ua1-f50.google.com[209.85.222.50]: Issuing session ticket, key
expiration: 1710210430
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]:
SSL_accept:SSLv3/TLS write session ticket
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: Anonymous TLS
connection established from mail-ua1-f50.google.com[209.85.222.50]:
TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange
X25519 server-signature ECDSA (P-256) server-digest SHA256
Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE:
reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1
: Sender address rejected: not owned by user auser;
from= to= proto=ESMTP
helo=
Mar 11 18:57:12 MACHINE postfix/submission/smtpd[40225]: disconnect
from mail-ua1-f50.google.com[209.85.222.50] ehlo=2 starttls=1 auth=1
mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=6/8


And with all of the various changes made, here's the most recent postconf -Mf

smtp   inet  n   -   y   -   -   smtpd
submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o 

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 03:17:01PM -0700, Glenn Tenney via Postfix-users wrote:

> So, the actual SASL login is "auser"? (which is what I've told gmail
> to use to login)

I don't know what it is, the logs will tell the true story.  Please post
both the "client=" and the "reject:" log entries for one of the failed
attempts from Gmail to use your server as an outbound relay.

> > No, the issue is the content of your sender login table.
> 
> My current guess is that the virtual or senderlogin files are wrong
> and that's my problem...

The actual problem was stated above, I'm puzzled why you're still
"guessing"...

> Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:
>   # senderlogin
>   au...@domain.name   auser
>   au...@machine.domain.name   auser

The reject message in your original post was:

Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
: Sender address rejected: not owned by user auser;
from= to=
proto=ESMTP helo=

Which means that the lookup key "au...@domain.name" does not in fact map
to "auser" in the indexed (hash table) file:

smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

You can examine the hash table with:

postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

> And here's /etc/virtual (again, my best guess of what it should be)

Irrelevant to the reported problem.

> > If you post also the "client=" log entry for the transaction of
> > interest, the "postconf -Mf" output and the content of the sender login
> > table, more help will be possible.
> 
> I don't see "client=" anywhere in the logs... but here's the "postconf
> -Mf" after making the changes you suggested above:

Well, it has to be there, unless your syslog configuration filters it
out.  Here's an example (long line folded) from my system:

Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
00D8B893CE0: client=, sasl_method=,
sasl_username=

> submission inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_wrappermode=no
> -o smtpd_tls_security_level=may
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
> -o smtpd_sasl_type=dovecot
> -o smtpd_sasl_path=private/auth
> -o smtpd_sasl_security_options=noanonymous
> -o smtpd_sasl_local_domain=$myhostname
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_sender_login_maps=hash:/etc/virtual
> -o smtpd_sender_restrictions=reject_sender_login_mismatch

This is where you're requiring the envelope sender address to match the
expected login, and have for no particular reason included:

> -o smtpd_sender_login_maps=hash:/etc/virtual

Which explains the source of the problem.  Just remove that erroneous
setting.  The virtual(5) alias table is not your sender -> sasl login
table.

You should also remove the "smtpd_sasl_auth_enable = yes" from
"mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
in main.cf set:

smtpd_tls_auth_only = yes

Also in the above submission service set:

smtpd_tls_security_level=encrypt

(not "may").

-- 
Viktor.
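To make the sender-login check concrete (lookup key is the MAIL FROM address, value is the owning SASL login, and a virtual(5) alias table yields an address rather than a login and so always mismatches), here is an added example that is not code from the thread or from Postfix. Both tables are constructed samples with example.com addresses; only the exact-address lookup is modelled, the partial-key lookups Postfix also performs are left out, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: model the smtpd_sender_login_maps
# lookup behind reject_sender_login_mismatch for an authenticated client.
# Tables are constructed samples; only the exact-address lookup is modelled
# (Postfix also tries partial keys such as "@domain", left out here).

# Constructed sender-login table: address -> SASL login(s) that own it.
SENDERLOGIN=$(cat <<'EOF'
# senderlogin (constructed sample)
auser@example.com        auser
auser@mail.example.com   auser
shared@example.com       auser, otheruser
EOF
)

# Constructed virtual(5) alias table: address -> address. Its values are
# addresses, not logins, which is why it cannot serve as a sender-login map.
VIRTUAL=$(cat <<'EOF'
# virtual (constructed sample)
auser@example.com        auser@example.com
auser                    auser@example.com
EOF
)

# lookup TABLE KEY: print the value column(s) for KEY (case-insensitive
# key match, commas normalised to spaces), or nothing when KEY is absent.
lookup() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) {
            sub(/^[^[:space:]]+[[:space:]]+/, "")
            gsub(/,/, " ")
            print
        }'
}

# check_sender_login TABLE SENDER LOGIN: prints "permit" or a reject reason;
# returns 0 on permit, 1 on reject. An authenticated client whose MAIL FROM
# has no owner, or an owner other than its own login, is rejected.
check_sender_login() {
    owners=$(lookup "$1" "$2")
    if [ -z "$owners" ]; then
        echo "reject: $2 has no owner in the table (not owned by user $3)"
        return 1
    fi
    for owner in $owners; do
        if [ "$owner" = "$3" ]; then
            echo permit
            return 0
        fi
    done
    echo "reject: $2 is owned by '$owners', not by user $3"
    return 1
}

# report TABLE SENDER LOGIN: one-line summary for the demonstration below.
report() {
    printf '%-24s login=%-12s -> %s\n' "$2" "$3" "$(check_sender_login "$1" "$2" "$3")"
}

# Demonstration when run directly.
echo "== senderlogin table =="
report "$SENDERLOGIN" auser@example.com auser
report "$SENDERLOGIN" shared@example.com otheruser
report "$SENDERLOGIN" auser@example.com someoneelse
report "$SENDERLOGIN" unknown@example.com auser
echo "== virtual table used by mistake =="
report "$VIRTUAL" auser@example.com auser
```

The last case reproduces the failure mode in this thread: with `/etc/virtual` as the sender-login map, the lookup for the sender address returns an address, the authenticated login `auser` never equals it, and Postfix answers "Sender address rejected: not owned by user auser". Against a real table the same question is answered by `postmap -q` as shown above.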


[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Glenn Tenney via Postfix-users
On Mon, Mar 11, 2024 at 1:09 AM Viktor Dukhovni via Postfix-users
 wrote:
> You've implemented smtpd_sender_login_maps and
> reject_sender_login_mismatch or an equivalent variant, but the entry
> for that sender address does list the actual SASL login used (which
> is shown in an earlier log entry for the same SMTP transaction).

Thank you Viktor!

So, the actual SASL login is "auser"? (which is what I've told gmail
to use to login)

> > I'm guessing that the issue is that postfix/dovecot sees only "auser"
> > and if instead it saw "au...@domain.name" it would work, but I
> > couldn't find any way to be able to login that way.
>
> No, the issue is the content of your sender login table.

My current guess is that the virtual or senderlogin files are wrong
and that's my problem...
These were my best guess as to what should be in those files, but I
doubt that's correct... but I don't know what it should be.

Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:
  # senderlogin
  au...@domain.name   auser
  au...@machine.domain.name   auser

And here's /etc/virtual (again, my best guess of what it should be)
  # virtual
  au...@domain.name   au...@domain.name
  aotheru...@domain.name   au...@domain.name # in case I could have
anotheruser send as auser
  auser   au...@domain.name


> > (2) Postfix sends to gmail, but does not encrypt when sending.
>
> You need to enable outbound STARTTLS, possibly mandatory for
> "smtp.gmail.com", ideally even with certificate checks, to avoid leaking
> the account password in case of an MiTM attack.  Is this submission
> traffic, or traffic to random gmail users?

I'd prefer that whenever possible, my emails get sent (directly from
this machine) encrypted. Sending to gmail is my test case since the
received email clearly says if it's not encrypted.

> Missing "smtp_tls_security_level = may".  And if doing submission via
> GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587",
> though it is not yet clear how you route mail to the GMail submission
> service.

(this server will send directly)

Ah I just literally forgot that smtp and smtpd are two
different directions :-)

And, it now does send encrypted to gmail. I haven't yet tested if it
can send unencrypted if need be, but I suspect that just adding the
correct smtp setting for "may" fixed it! Thank you! That issue is now
fixed (cockpit error on my part!)


> This (combined with unposted definitions, postconf -Mf, of the
> submission services in master.cf) is the source of breakage in #1.
>...
> If you post also the "client=" log entry for the transaction of
> interest, the "postconf -Mf" output and the content of the sender login
> table, more help will be possible.

I don't see "client=" anywhere in the logs... but here's the "postconf
-Mf" after making the changes you suggested above:

smtp       inet  n   -   y   -   -   smtpd
submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
pickup     unix  n   -   n   60  1   pickup
cleanup    unix  n   -   n   -   0   cleanup
qmgr       unix  n   -   n   300 1   qmgr
tlsmgr     unix  -   -   n   1000?   1   tlsmgr
rewrite    unix  -   -   n   -   -   trivial-rewrite
bounce     unix  -   -   n   -   0   bounce
defer      unix  -   -   n   -   0   bounce
trace      unix  -   -   n   -   0   bounce
verify     unix  -   -   n   -   1   verify
flush      unix  n   -   n   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp       unix  -   -   n   -   -   smtp
relay      unix  -   -   n   -   -   smtp
-o syslog_name=postfix/$service_name
showq      unix  n   -   n   -   -   showq
error      unix  -   -   n   -   -   error
retry      unix  -   -   n   -   -   error
discard    unix  -   -   n   -   -   discard
local      unix  -   n   n   -   -   local
virtual    unix  -   n   n   -   -   virtual
lmtp       unix  -   -   n   -   -   lmtp
anvil

[pfx] Re: [PATCH] Drop removed -style option from html2text

2024-03-11 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Christian Goettsche via Postfix-users:
> > On Mon, 11 Mar 2024 at 17:50, Wietse Venema  wrote:
> > >
> > > Christian Goettsche via Postfix-users:
> > > > html2text dropped the command line option -style in version 2[1].
> > >
> > > I am not using that html2text version on the machine where I prepare
> > > Postfix releases. I found that removing that flag makes the output
> > > massively different.
> > >
> > > I need that documentation builds are reproducible. Otherwise, that
> > > greatly affects the sizes of source-code diffs and patches.
> > 
> > Maybe one could incorporate the "pretty" default values from
> > https://github.com/grobian/html2text/blob/master/contrib/pretty.style
> > into the bundled proto/html2text.rc?
> 
> Someone who is more familiar with html2text could do that. But this
> still would not address the need for reproducible documentation builds.
> 
> Almost every improvement to html2text will change the result
> (otherwise, why bother :-), so that earlier results are no longer
> reproducible, and diffs and patches will bloat.
> 
> It's the same problem with code formatting: the indent tool has
> imperfections, but the result needs to be reproducible otherwise
> (bug or emergency) patches will bloat, and worse: they will fail
> to apply when I need to rebase them to an earlier Postfix release.

Just for due diligence I appended the pretty.style settings at the
end of html2text.rc. With the existing html2text version on my
release machine, that does not reproduce the existing results, for
example, less leading space with items in unordered lists, and more
leading space with block quotes. That in turn changes word wrapping.

This is not a request to update the Postfix settings for the html2text
version on the machine that builds documentation for releases, or
to arrive at settings that reproduce existing output with a current
html2text version. That would take hours away from the time that I
want to spend on Postfix.

Wietse


[pfx] Re: [PATCH] Drop removed -style option from html2text

2024-03-11 Thread Wietse Venema via Postfix-users
Christian Goettsche via Postfix-users:
> On Mon, 11 Mar 2024 at 17:50, Wietse Venema  wrote:
> >
> > Christian Goettsche via Postfix-users:
> > > html2text dropped the command line option -style in version 2[1].
> >
> > I am not using that html2text version on the machine where I prepare
> > Postfix releases. I found that removing that flag makes the output
> > massively different.
> >
> > I need that documentation builds are reproducible. Otherwise, that
> > greatly affects the sizes of source-code diffs and patches.
> 
> Maybe one could incorporate the "pretty" default values from
> https://github.com/grobian/html2text/blob/master/contrib/pretty.style
> into the bundled proto/html2text.rc?

Someone who is more familiar with html2text could do that. But this
still would not address the need for reproducible documentation builds.

Almost every improvement to html2text will change the result
(otherwise, why bother :-), so that earlier results are no longer
reproducible, and diffs and patches will bloat.

It's the same problem with code formatting: the indent tool has
imperfections, but the result needs to be reproducible otherwise
(bug or emergency) patches will bloat, and worse: they will fail
to apply when I need to rebase them to an earlier Postfix release.

Wietse


[pfx] Re: [PATCH] Drop removed -style option from html2text

2024-03-11 Thread Christian Göttsche via Postfix-users
On Mon, 11 Mar 2024 at 17:50, Wietse Venema  wrote:
>
> Christian Goettsche via Postfix-users:
> > html2text dropped the command line option -style in version 2[1].
>
> I am not using that html2text version on the machine where I prepare
> Postfix releases. I found that removing that flag makes the output
> massively different.
>
> I need that documentation builds are reproducible. Otherwise, that
> greatly affects the sizes of source-code diffs and patches.

Maybe one could incorporate the "pretty" default values from
https://github.com/grobian/html2text/blob/master/contrib/pretty.style
into the bundled proto/html2text.rc?

>
> Wietse


[pfx] Re: [PATCH] Drop removed -style option from html2text

2024-03-11 Thread Wietse Venema via Postfix-users
Christian Goettsche via Postfix-users:
> html2text dropped the command line option -style in version 2[1].

I am not using that html2text version on the machine where I prepare
Postfix releases. I found that removing that flag makes the output
massively different.

I need that documentation builds are reproducible. Otherwise, that
greatly affects the sizes of source-code diffs and patches.

Wietse


[pfx] [PATCH] Drop removed -style option from html2text

2024-03-11 Thread Christian Göttsche via Postfix-users
html2text dropped the command line option -style in version 2[1].

Rely on the format via the specified html2text.rc file.

[1]: 
https://github.com/grobian/html2text/commit/0dfd262836231a77d6fa8c678310799ef3a13752
---
 mantools/html2readme | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mantools/html2readme b/mantools/html2readme
index b7d110c5..c98d41c1 100755
--- a/mantools/html2readme
+++ b/mantools/html2readme
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-HTML2TEXT="html2text -ascii -style pretty -rcfile html2text.rc"
+HTML2TEXT="html2text -ascii -rcfile html2text.rc"
 
 #case $# in
 # 0) $HTML2TEXT;;
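Review bot: the removed `-style pretty` in the HTML2TEXT assignment is dropped unconditionally, so on an html2text that still honours the option (the maintainer's release machine, per the replies above) the generated README text changes throughout, and documentation builds are no longer reproducible against the existing output. The commit message says the format now comes from html2text.rc, but this hunk adds nothing to that file; either carry the "pretty" defaults into proto/html2text.rc in the same patch, or probe for option support (for example a `case` on `html2text -style pretty </dev/null 2>&1`) and keep the flag where it is accepted, so both html2text versions produce the same text.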
-- 
2.43.0



[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread 황병희
On Mon, 2024-03-11 at 08:57 +0100, Alexander Leidinger via Postfix-users wrote:
> On 2024-03-11 05:19, Glenn Tenney via Postfix-users wrote:
> 
> > (2) Postfix sends to gmail, but does not encrypt when sending.
> 
> You only tell the receiving side of postfix to set the encrypt level
> to 
> "may". For the sending side you do not have such a setting:
>  smtp_tls_security_level = ...
> 

To Glenn:

In addition, *smtp_tls_policy_maps* is good for detailed settings:
https://www.postfix.org/TLS_README.html#client_tls_encrypt


> Maybe you also want to set the TLS protocols for the sending side 
> (sending and receiving side have different config options, "smtp_..."
> vs 
> "smtpd_..."):
>  smtp_tls_protocols = ...
> 
> > smtp_tls_CApath = /etc/ssl/certs
> > smtp_tls_loglevel = 1
> > smtpd_tls_cert_file = 
> > /usr/local/etc/letsencrypt/live/domain.name/fullchain.pem
> > smtpd_tls_key_file = 
> > /usr/local/etc/letsencrypt/live/domain.name/privkey.pem
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtpd_tls_security_level = may
> > smtpd_use_tls = yes
> 
> Bye,
> Alexander.
> 


Thanks, Byunghee from South Korea




[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 10, 2024 at 09:19:09PM -0700, Glenn Tenney via Postfix-users wrote:

> Gmail can login to the imap as "auser", but...  when it tries to send
> as "au...@domain.name" I get the following error:
> 
> Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
> reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
> : Sender address rejected: not owned by user auser;
> from= to=
> proto=ESMTP helo=

You've implemented smtpd_sender_login_maps and
reject_sender_login_mismatch or an equivalent variant, but the entry
for that sender address does list the actual SASL login used (which
is shown in an earlier log entry for the same SMTP transaction).

> I'm guessing that the issue is that postfix/dovecot sees only "auser"
> and if instead it saw "au...@domain.name" it would work, but I
> couldn't find any way to be able to login that way.

No, the issue is the content of your sender login table.

> (2) Postfix sends to gmail, but does not encrypt when sending.

You need to enable outbound STARTTLS, possibly mandatory for
"smtp.gmail.com", ideally even with certificate checks, to avoid leaking
the account password in case of an MiTM attack.  Is this submission
traffic, or traffic to random gmail users?

> shlib_directory = /usr/local/lib/postfix
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1

Missing "smtp_tls_security_level = may".  And if doing submission via
GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587",
though it is not yet clear how you route mail to the GMail submission
service.

> smtpd_sasl_auth_enable = yes

Best done only for the TLS submission ports, in master.cf and left
disabled on port 25.

> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

This (combined with unposted definitions, postconf -Mf, of the
submission services in master.cf) is the source of breakage in #1.

> smtpd_tls_protocols = !SSLv2, !SSLv3

Just use the default.

> smtpd_tls_security_level = may
> smtpd_use_tls = yes

The second is redundant and obsolete (deprecated).

If you post also the "client=" log entry for the transaction of
interest, the "postconf -Mf" output and the content of the sender login
table, more help will be possible.

-- 
Viktor.
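The settings questioned in this message (missing `smtp_tls_security_level`, `smtpd_sasl_auth_enable` in main.cf rather than on the submission service, a hand-set `smtpd_tls_protocols`, the obsolete `smtpd_use_tls`) and the recommended `smtpd_tls_auth_only = yes` can be checked mechanically against a `postconf -n` dump. The script below is an added example, not code from the thread or from Postfix: both configuration dumps are constructed samples with the weak settings beside their corrected form, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a "postconf -n" style dump for
# the TLS/SASL points raised in this message. Both dumps below are
# constructed samples, not the poster's real configuration.

# Constructed weak configuration reproducing the settings questioned above.
WEAK_MAIN_CF=$(cat <<'EOF'
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
EOF
)

# Constructed corrected configuration following the advice in this message:
# outbound TLS enabled, AUTH only after STARTTLS, SASL left to master.cf,
# obsolete and redundant settings dropped.
FIXED_MAIN_CF=$(cat <<'EOF'
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
EOF
)

# cf_value CONFIG PARAM: value of PARAM in the dump, empty when unset.
cf_value() {
    printf '%s\n' "$1" | awk -v p="$2" -F' *= *' '$1 == p { print $2 }'
}

# audit_main_cf CONFIG: print one finding per line; exit status 1 if any.
audit_main_cf() {
    cfg=$1
    n=0
    if [ -z "$(cf_value "$cfg" smtp_tls_security_level)" ]; then
        echo "smtp_tls_security_level unset: outbound mail leaves in the clear; set 'may' (and 'encrypt' for a fixed relay via smtp_tls_policy_maps)"
        n=$((n + 1))
    fi
    if [ "$(cf_value "$cfg" smtpd_sasl_auth_enable)" = yes ]; then
        echo "smtpd_sasl_auth_enable=yes in main.cf: AUTH is offered on port 25 as well; set it with -o on the submission service instead"
        n=$((n + 1))
    fi
    if [ "$(cf_value "$cfg" smtpd_tls_auth_only)" != yes ]; then
        echo "smtpd_tls_auth_only not 'yes': AUTH is announced before STARTTLS, so credentials can be sent unencrypted"
        n=$((n + 1))
    fi
    if [ -n "$(cf_value "$cfg" smtpd_use_tls)" ]; then
        echo "smtpd_use_tls is obsolete; smtpd_tls_security_level already controls server-side TLS"
        n=$((n + 1))
    fi
    if [ -n "$(cf_value "$cfg" smtpd_tls_protocols)" ]; then
        echo "smtpd_tls_protocols set by hand; the default already excludes SSLv2 and SSLv3"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_count CONFIG: number of findings, safe to call under set -e.
audit_count() { audit_main_cf "$1" | awk 'END { print NR }'; }

# Demonstration when run directly.
echo "== weak main.cf: $(audit_count "$WEAK_MAIN_CF") finding(s) =="
audit_main_cf "$WEAK_MAIN_CF" || :
echo "== corrected main.cf: $(audit_count "$FIXED_MAIN_CF") finding(s) =="
audit_main_cf "$FIXED_MAIN_CF" || :
```

On a live system the dump comes from `audit_main_cf "$(postconf -n)"`. The port 25 `smtpd_tls_security_level = may` is left alone on purpose: opportunistic TLS is correct for inbound MX traffic, and the `encrypt` level recommended here belongs on the submission service in master.cf, not in main.cf.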


[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Alexander Leidinger via Postfix-users

On 2024-03-11 05:19, Glenn Tenney via Postfix-users wrote:

> (2) Postfix sends to gmail, but does not encrypt when sending.

You only tell the receiving side of postfix to set the encrypt level to 
"may". For the sending side you do not have such a setting:

smtp_tls_security_level = ...

Maybe you also want to set the TLS protocols for the sending side 
(sending and receiving side have different config options, "smtp_..." vs 
"smtpd_..."):

smtp_tls_protocols = ...

> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1
> smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/domain.name/fullchain.pem
> smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/domain.name/privkey.pem
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_security_level = may
> smtpd_use_tls = yes


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF

