[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 01, 2024 at 04:09:34PM -0400, David Mehler via Postfix-users wrote:

> In my master.cf I do have smtpd_tls_wrappermode but it's in the commented
> out service for port 465, I'm using submission.
> 
> I've checked with postconf and smtpd_tls_wrappermode is set to no.

Of course, but Thunderbird might be attempting wrapper-mode (implicit
TLS), which could then be logged as a pipelining violation.

> Is there any additional information I can provide?
> 
> Please keep the suggestions coming.

The full unedited log entry has already been requested.  For meaningful
help, post the log entry.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread David Mehler via Postfix-users

Hello Wietse

Thank you for your reply.

> Thunderbird pipelining errors after helo?

That is the problem yes.

In my master.cf I do have smtpd_tls_wrappermode but it's in the 
commented out service for port 465, I'm using submission.


I've checked with postconf and smtpd_tls_wrappermode is set to no.

Is there any additional information I can provide?

Please keep the suggestions coming.
Thanks.
Dave.


On 4/1/2024 3:41 PM, Wietse Venema via Postfix-users wrote:

David Mehler via Postfix-users:

to utilize Thunderbird v91.x. I've tried configuring with both the
automatic configuration and the manual configuration, in both cases I am
getting an error in my maillog from submission/smtpd service stating
error improper command pipelining after helo. Googling showed this error


Thunderbird pipelining errors after helo?

People sometimes have improper command pipelining errors after
*connect*, when

- The Postfix SMTP server is configured in master.cf with
smtpd_tls_wrappermode turned off (this is the usual configuration
for connecting to the submission service a.k.a. port 587).

- The SMTP client is configured with smtpd_tls_wrappermode turned
on (this is the usual configuration for clients that connect to the
submissions service a.k.a. port 465).

The client then starts talking before the server expects that to
happen.

Wietse


--
Sent from Mozilla Thunderbird 91.13.1


[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread Wietse Venema via Postfix-users
David Mehler via Postfix-users:
> to utilize Thunderbird v91.x. I've tried configuring with both the 
> automatic configuration and the manual configuration, in both cases I am 
> getting an error in my maillog from submission/smtpd service stating 
> error improper command pipelining after helo. Googling showed this error 

Thunderbird pipelining errors after helo?

People sometimes have improper command pipelining errors after
*connect*, when

- The Postfix SMTP server is configured in master.cf with
smtpd_tls_wrappermode turned off (this is the usual configuration
for connecting to the submission service a.k.a. port 587).

- The SMTP client is configured with smtpd_tls_wrappermode turned
on (this is the usual configuration for clients that connect to the
submissions service a.k.a. port 465).

The client then starts talking before the server expects that to
happen.

Wietse
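
Added example (not part of the thread, and not Postfix code): a small triage script for the wrapper-mode mismatch described above. It decodes the data Postfix logs with an "improper command pipelining" entry and reports whether the client opened with a TLS handshake (implicit TLS aimed at a STARTTLS port) or with plain SMTP commands. The log layout and the sample lines are constructed assumptions.

```python
import re

# Constructed sample maillog lines; the log layout is an assumption, the
# addresses are documentation IPs.
SAMPLE_LOG = r"""
Apr  1 13:40:02 mail postfix/submission/smtpd[2101]: improper command pipelining after CONNECT from unknown[192.0.2.10]: \026\003\001\002\000\001\000\001\374\003\003
Apr  1 13:41:17 mail postfix/submission/smtpd[2107]: improper command pipelining after HELO from unknown[192.0.2.11]: MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.com>\r\n
Apr  1 13:42:30 mail postfix/submission/smtpd[2110]: connect from unknown[192.0.2.12]
"""

LINE_RE = re.compile(
    r"postfix/(?P<service>[\w/-]+)\[\d+\]: improper command pipelining "
    r"after (?P<state>\S+) from (?P<client>\S+\[[^\]]*\]): (?P<data>.*)$")

C_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

def unescape(text):
    """Decode \\ooo octal and C-style escapes in the logged data into raw bytes."""
    out = bytearray()
    for m in re.finditer(r"\\([0-7]{3})|\\([abfnrtv\\])|(.)", text):
        if m.group(1):
            out.append(int(m.group(1), 8) & 0xFF)
        elif m.group(2):
            out.append(C_ESCAPES[m.group(2)])
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)

def classify(data):
    """Say what the client sent before the server was ready for it."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"   # implicit TLS on a STARTTLS port
    if re.match(rb"[A-Za-z]{4}", data):
        return "smtp-commands"      # plain-text commands sent too early
    return "other"

def triage(log_text):
    """Return (service, state, client, kind) for each pipelining log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            kind = classify(unescape(m.group("data")))
            findings.append((m.group("service"), m.group("state"), m.group("client"), kind))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

A "tls-client-hello" result on the submission service points at the client's connection security setting (SSL/TLS instead of STARTTLS) rather than at the server configuration.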


[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 01, 2024 at 01:45:11PM -0400, David Mehler via Postfix-users wrote:

> I've tried configuring with both the automatic configuration and the
> manual configuration, in both cases I am getting an error in my
> maillog from submission/smtpd service stating error improper command
> pipelining after helo. 

Instead of reinterpreting/summarising the log message, you should post
it verbatim, and in full.

> # postconf -n
> 
> compatibility_level = 

This is not a good idea.  Set it to 3.6, if you've resolved all the
compatibility issues through that release level.

> maximal_backoff_time = 15m

This is too short IMHO, I'd like to recommend 2 hours.

> maximal_queue_lifetime = 1h

This is absurdly short, make it at least 2 days, the recommended value
is 5 days.

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

You don't typically need this, unless you use "secure" or "verify" in
your policy table for some destinations.

> smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf

> smtpd_tls_eecdh_grade = strong

This should be "auto", the "strong" setting is outdated.

> smtpd_tls_mandatory_exclude_ciphers = aNULL

This is not useful.

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Make that:

smtpd_tls_mandatory_protocols = >=TLSv1.2

> tls_high_cipherlist = 
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
>  
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Not a good idea.  Use the defaults.

> #cat /etc/postfix/master.cf

$ postconf -Mf submission/inet

> submission inet n   -   n   -   -   smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_client_auth_rate_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o cleanup_service_name=submission-header-cleanup
>   -o milter_macro_daemon_name=ORIGINATING

No obvious issues.

-- 
Viktor.


[pfx] Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread David Mehler via Postfix-users

Hello,


I've got a Debian 12.5 vps going, it's running Dovecot 2.3.x, Postfix 
3.7.x, secured with letsencrypt. I've confirmed that my certificates are 
valid and unexpired. I'm trying to connect via StartTLS to Dovecot 143, 
for retrieving mail, and Postfix 587 submission to send it. I'm wanting 
to utilize Thunderbird v91.x. I've tried configuring with both the 
automatic configuration and the manual configuration, in both cases I am 
getting an error in my maillog from submission/smtpd service stating 
error improper command pipelining after helo. Googling showed this error 
but in that case the solution was he was running Avast Antivirus, I am 
not. In either case manual or automatic the configuration does not 
complete. I'm wondering if anyone else has seen this with these versions 
of Thunderbird and Postfix?



Do my *restrictions and tls configurations look good?

Here's my postconf -n output hope it helps.


Suggestions welcome.

Thanks.

Dave.


# postconf -n

append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level = 
disable_vrfy_command = yes
inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks 
cidr:/etc/postfix/postscreen_access

postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2 
bl.spamcop.net*2

postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, 
check_helo_access hash:/etc/postfix/helo_access, 
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, 
reject_unknown_helo_hostname
smtpd_recipient_restrictions = check_recipient_access 
proxy:mysql:/etc/postfix/sql/recipient-access.cf, permit_mynetworks, 
permit_sasl_authenticated, reject_invalid_hostname, 
reject_unknown_client_hostname, reject_unknown_recipient_domain, 
reject_non_fqdn_recipient, reject_unauth_destination, 
reject_sender_access pcre:/etc/postfix/sender_access, 
check_policy_service unix:private/dovecot-quota
smtpd_relay_restrictions = reject_non_fqdn_recipient 
reject_unknown_recipient_domain permit_mynetworks 
permit_sasl_authenticated reject_unauth_destination,

smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example.com/example.com.fullchain.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/ssl/example.com/example.com.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384: 
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 


tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION NO_RENEGOTIATION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_gid_maps = static:992
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999

#cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==

# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (no)    (never) (100)
# ==

#smtp  inet  n   -   n   -   -   smtpd
smtp  inet 

[pfx] Re: sender_login_maps and dovecot and roundcube

2024-04-01 Thread Alex via Postfix-users
Hi,

> > I've set up a domain with a catch-all to deliver emails to any address
> > to a
> > single recipient address  by specifying it in my virtual_alias_maps.
> > However, the user wants to be able to send mail as any user in that
> > domain.
> > The problem is that it's rejected with "sender address rejected"
> > because
> > the user isn't defined in the smtpd_sender_login_maps.
>
> That last sentence provides such a specific and clear problem
> description that it virtually provides the solution: Add a suitable
> entry to the sender_login_maps file. Run postmap on the file.
>
> That entry probably should look like:
>
> @example.com  alex
>

Thank you - I initially didn't think the format supported that, but also
just realized it.

Thanks,
Alex