[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
On Mon, Apr 01, 2024 at 04:09:34PM -0400, David Mehler via Postfix-users wrote:

> In my master.cf I do have smtpd_tls_wrappermode but it's in the commented
> out service for port 465, I'm using submission.
>
> I've checked with postconf and smtpd_tls_wrappermode is set to no.

Of course, but Thunderbird might be attempting wrapper-mode (implicit TLS),
which could then be logged as a pipelining violation.

> Is there any additional information I can provide?
>
> Please keep the suggestions coming.

The full unedited log entry has already been requested. For meaningful help,
post the log entry.

-- 
    Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
Hello Wietse

Thank you for your reply.

> Thunderbird pipelining errors after helo?

That is the problem yes.

In my master.cf I do have smtpd_tls_wrappermode but it's in the commented
out service for port 465, I'm using submission.

I've checked with postconf and smtpd_tls_wrappermode is set to no.

Is there any additional information I can provide?

Please keep the suggestions coming.

Thanks.
Dave.

On 4/1/2024 3:41 PM, Wietse Venema via Postfix-users wrote:
> David Mehler via Postfix-users:
> > to utilize Thunderbird v91.x. I've tried configuring with both the
> > automatic configuration and the manual configuration, in both cases I am
> > getting an error in my maillog from submission/smtpd service stating
> > error improper command pipelining after helo. Googling showed this error
>
> Thunderbird pipelining errors after helo?
>
> People sometimes have improper command pipelining errors after
> *connect*, when
>
> - The Postfix SMTP server is configured in master.cf with
>   smtpd_tls_wrappermode turned off (this is the usual configuration
>   for connect to the submission service a.k.a. port 587).
>
> - The SMTP client is configured with smtpd_tls_wrappermode turned
>   on (this is the usual configuration for clients that connect to
>   the submissions service a.k.a. port 465).
>
> The client then starts talking before the server expects that to happen.
>
>     Wietse

-- 
Sent from Mozilla Thunderbird 91.13.1
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
David Mehler via Postfix-users:
> to utilize Thunderbird v91.x. I've tried configuring with both the
> automatic configuration and the manual configuration, in both cases I am
> getting an error in my maillog from submission/smtpd service stating
> error improper command pipelining after helo. Googling showed this error

Thunderbird pipelining errors after helo?

People sometimes have improper command pipelining errors after
*connect*, when

- The Postfix SMTP server is configured in master.cf with
  smtpd_tls_wrappermode turned off (this is the usual configuration
  for connect to the submission service a.k.a. port 587).

- The SMTP client is configured with smtpd_tls_wrappermode turned
  on (this is the usual configuration for clients that connect to
  the submissions service a.k.a. port 465).

The client then starts talking before the server expects that to happen.

    Wietse
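Added example (not part of the message above and not Postfix code): a small log triage helper that separates the wrapper-mode mismatch described above from other pipelining violations by checking whether the logged pending input begins with a TLS handshake record. The log line shape, the octal escaping of non-printable bytes, and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed smtpd log shape: "improper command pipelining after <STATE> from
# <host>[<addr>]: <pending input, non-printable bytes written as \ooo octal>".
PIPELINING = re.compile(
    r"(?P<service>postfix\S*/smtpd)\[\d+\]: improper command pipelining "
    r"after (?P<after>\S+) from (?P<client>\S+\[[^\]]+\]): (?P<data>.*)$")
OCTAL = re.compile(r"\\([0-3][0-7]{2})")

IMPLICIT_TLS = "client started TLS at once (wrapper mode) on a STARTTLS service"
EARLY_TEXT = "client sent plaintext before the server's reply"

# Constructed sample lines (not from the thread; addresses are RFC 5737 ranges).
SAMPLE_LOG = [
    r"Apr  1 13:40:02 mail postfix/submission/smtpd[2101]: improper command "
    r"pipelining after CONNECT from unknown[192.0.2.10]: "
    r"\026\003\001\002\000\001\000\001\374\003\003",
    r"Apr  1 13:41:17 mail postfix/submission/smtpd[2107]: improper command "
    r"pipelining after HELO from unknown[192.0.2.11]: MAIL FROM:<a@example.com>",
    "Apr  1 13:42:00 mail postfix/submission/smtpd[2110]: connect from "
    "unknown[192.0.2.12]",
]

def unescape(text):
    """Turn the log's three-digit octal escapes back into raw bytes."""
    decoded = OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)
    return decoded.encode("latin-1", errors="replace")

def is_tls_handshake(raw):
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03

def classify(line):
    """Describe a pipelining violation; return None for any other log line."""
    m = PIPELINING.search(line)
    if m is None:
        return None
    raw = unescape(m.group("data"))
    verdict = IMPLICIT_TLS if is_tls_handshake(raw) else EARLY_TEXT
    return {"service": m.group("service"), "after": m.group("after"),
            "client": m.group("client"), "verdict": verdict}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = classify(entry)
        if result:
            print(result)
```

An "after CONNECT" entry with the implicit-TLS verdict on the port 587 service points at the client's connection security setting rather than at the server configuration.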
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
On Mon, Apr 01, 2024 at 01:45:11PM -0400, David Mehler via Postfix-users wrote:

> I've tried configuring with both the automatic configuration and the
> manual configuration, in both cases I am getting an error in my
> maillog from submission/smtpd service stating error improper command
> pipelining after helo.

Instead of reinterpreting/summarising the log message, you should post
it verbatim, and in full.

> # postconf -n
>
> compatibility_level =

This is not a good idea. Set it to 3.6, if you've resolved all the
compatibility issues through that release level.

> maximal_backoff_time = 15m

This is too short IMHO, I'd like to recommend 2 hours.

> maximal_queue_lifetime = 1h

This is absurdly short, make it at least 2 days, the recommended value is
5 days.

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

You don't typically need this, unless you use "secure" or "verify" in
your policy table for some destinations.

> smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
> smtpd_tls_eecdh_grade = strong

This should be "auto", the "strong" setting is outdated.

> smtpd_tls_mandatory_exclude_ciphers = aNULL

This is not useful.

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Make that:

    smtpd_tls_mandatory_protocols = >=TLSv1.2

> tls_high_cipherlist =
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Not a good idea. Use the defaults.

> #cat /etc/postfix/master.cf

    $ postconf -Mf submission/inet

> submission inet n - n - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_client_auth_rate_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o cleanup_service_name=submission-header-cleanup
>   -o milter_macro_daemon_name=ORIGINATING

No obvious issues.

-- 
    Viktor.
[pfx] Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
Hello,

I've got a Debian 12.5 vps going, it's running Dovecot 2.3.x, Postfix 3.7.x,
secured with letsencrypt. I've confirmed that my certificates are valid and
unexpired.

I'm trying to connect via StartTLS to Dovecot 143, for retrieving mail, and
Postfix 587 submission to send it. I'm wanting to utilize Thunderbird v91.x.
I've tried configuring with both the automatic configuration and the manual
configuration, in both cases I am getting an error in my maillog from
submission/smtpd service stating error improper command pipelining after
helo. Googling showed this error but in that case the solution was he was
running Avast Antivirus, I am not. In either case manual or automatic the
configuration does not complete.

I'm wondering if anyone else has seen this with these versions of
Thunderbird and Postfix? Do my *restrictions and tls configurations look
good?

Here's my postconf -n output hope it helps.

Suggestions welcome.

Thanks.
Dave.

# postconf -n

append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level =
disable_vrfy_command = yes
inet_interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
inet_protocols = ipv4
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
minimal_backoff_time = 5m
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
policyd-spf_time_limit = 3600
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2 bl.spamcop.net*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/recipient-access.cf, permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_client_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_sender_access pcre:/etc/postfix/sender_access, check_policy_service unix:private/dovecot-quota
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject_unauth_destination,
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example.com/example.com.fullchain.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/ssl/example.com/example.com.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION NO_RENEGOTIATION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_gid_maps = static:992
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999

#cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==
#smtp      inet  n       -       n       -       -       smtpd
smtp inet
[pfx] Re: sender_login_maps and dovecot and roundcube
Hi,

> > I've set up a domain with a catch-all to deliver emails to any address
> > to a single recipient address by specifying it in my virtual_alias_maps.
> > However, the user wants to be able to send mail as any user in that
> > domain. The problem is that it's rejected with "sender address rejected"
> > because the user isn't defined in the smtpd_sender_login_maps.
>
> That last sentence provides such a specific and clear problem
> description that it virtually provides the solution: Add a suitable
> entry to the sender_login_maps file. Run postmap on the file.
>
> That entry probably should look like:
>
>     @example.com alex

Thank you - I initially didn't think the format supported that, but also
just realized it.

Thanks,
Alex