[pfx] Re: TLS config for gmail relay
On 2023-12-23 22:22, saunders.nicholas--- via Postfix-users wrote:
> I think that I have the SASL figured out, and probably it's a similar process to get the tls_policy compliant and functional.
>
> The log:
>
> Dec 23 13:11:32 mordor postfix/smtp[287549]: error: open database /etc/postfix/tls_policy.db: No such file or directory

You need to run:

postmap /etc/postfix/tls_policy

--
Christian Kivalo
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: smtp auth on port 25
On August 15, 2023 2:15:21 AM GMT+02:00, Jon Smart via Postfix-users wrote:
> Hello,
>
> I have disabled port 587/465 to be accessed publicly.
>
> but port 25 must be open to internet for MTA communications.
>
> My question is, can external users access port 25 for smtp auth and send
> mail then?

Not if you disable auth on port 25, which you should.

For MTA to MTA communication you don't need smtp auth enabled to receive mails destined to your server.

Your users should use ports 465/587 with auth to send their mail. Auth should only be enabled on the ports you intend to use for mail submission.

--
Christian Kivalo
[pfx] Re: Postfix Help with a rejection message
On August 15, 2023 7:05:32 AM GMT+02:00, Chad Lundquist via Postfix-users wrote:
> I am getting legitimate emails REJECTED by postfix and I need to figure out a
> way to forward them or whitelist them from getting blocked.
>
> I am using PFLogsumm and see this:
>
> message reject detail
> -
>   RCPT
>     450 4.7.1 : Helo command rejected: Host not found; from=<03349...@alight.com> to= proto=ESMTP helo= (total: 21)
>       21 amazonaws.com (03349...@alight.com)
>
> What file do I edit in postfix to allow this message to flow and get delivered
> or whitelisted?

Do you by any chance have reject_unknown_helo_hostname in your smtpd_*_restrictions in main.cf?

This results in a reject, when the announced helo name has no A/MX dns entry. The host from your log message has no dns A entry.

--
Christian Kivalo
[pfx] Re: Anyone using SMTP relay through dnsexit.com?
> My settings main.cf:
>
> relayhost = [relay.dnsexit.com]:587
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options =
>
> And my sasl_passwd file (and yes, I did do a postmap after my changes)
>
> relay.dnsexit.com:587 myusername:mypassword

Your lookup key is missing the [ ] you used for the relayhost setting. This results in no authentication to the dnsexit relay.

This is described in the section "Enabling SASL authentication in the Postfix SMTP/LMTP client" of the SASL README file at https://www.postfix.org/SASL_README.html#client_sasl_enable

--
Christian Kivalo
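The two failure modes in the threads above (a lookup key that does not match relayhost character for character, and a source file whose .db was never built or is older than the source) are both easy to check mechanically before a relay breaks. The following script is an added example, not code from the thread or from Postfix; it only checks the exact-key form that SASL_README shows (key written exactly as in relayhost, brackets and port included) and ignores the fallback lookups Postfix also performs. The file path, the relayhost value and the sample table contents are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Postfix SASL password
# table contains a key identical to relayhost (brackets and port included)
# and that the compiled .db exists and is not older than its source.
#
# Usage: check_sasl_passwd "$(postconf -h relayhost)" /etc/postfix/sasl_passwd
# Exit status: 0 ok, 1 key or .db problem found, 2 source file unreadable.

check_sasl_passwd() {
    relayhost=$1
    file=$2
    status=0

    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi

    # The key is the first field of each non-comment line. It is compared
    # with the next-hop exactly as written in relayhost, so
    # "relay.dnsexit.com:587" does not match "[relay.dnsexit.com]:587".
    if ! awk -v key="$relayhost" \
        '!/^[ \t]*#/ && NF >= 2 && $1 == key { found = 1 } END { exit !found }' "$file"; then
        echo "no entry whose key is exactly \"$relayhost\" in $file" >&2
        status=1
    fi

    # postmap writes FILE.db; a missing .db is the "open database ... No such
    # file or directory" error, an older one means the lookup uses stale data.
    if [ ! -e "$file.db" ]; then
        echo "$file.db does not exist: run postmap $file" >&2
        status=1
    elif [ "$file" -nt "$file.db" ]; then
        echo "$file is newer than $file.db: run postmap $file" >&2
        status=1
    fi

    return $status
}

# Run the check when invoked with two arguments; sourcing the file only
# defines the function.
if [ $# -eq 2 ]; then
    check_sasl_passwd "$1" "$2"
fi
```

The same check applies unchanged to any other postmap-built table, for example the tls_policy file from the first thread: pass the lookup key you expect and the source path.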
[pfx] Re: Painful Postfix
On April 30, 2023 7:03:59 AM GMT+02:00, Kolusion K via Postfix-users wrote:
> So, I tried using the 'debug_peer_list' parameter like this, but it didn't
> work...
>
> debug_peer_list = 1.2.3.4, 5.6.7.8

Last time i had to debug an smtp session i implemented it as, in main.cf (i use cdb, but hash should also work)

debug_peer_list = cdb:/etc/postfix/debug_peer

The content of debug_peer being

1.2.3.4 check
2.3.4.5 check

Don't forget to postmap that file:

postmap /etc/postfix/debug_peer

The smtp session is in your mail log.

> I did restart the Postfix service after applying the change to 'main.cf'.
>
> It looks like Postfix lacks the capability to show the SMTP session, right?
>
> Thanks
>
> Kolusion
>
> Sent: Sunday, April 30, 2023 at 2:54 PM
> From: "Kolusion K"
> To: postfix-users@postfix.org
> Subject: Painful Postfix
>
> Hello again
>
> I am again trying to use the 'debug_peer_list' parameter to see if it will
> show me the SMTP session in the mail log.
>
> The e-mail address I am sending to has a server or servers with multiple IP
> addresses. How can I go about using multiple IP addresses with the
> 'debug_peer_list' parameter?
>
> Like this?
>
> debug_peer_list = 1.2.3.4 5.6.7.8
>
> or perhaps like this?
>
> debug_peer_list = 1.2.3.4, 5.6.7.8
>
> Thanks
>
> Kolusion

--
Christian Kivalo
RE: Wrong Domain in Null Client Setup
On September 27, 2022 10:16:40 PM GMT+02:00, Eddie Rowe wrote:
> In my last email I did share that I tried setting myhostname in the main.cf to
> the FQDN that is returned by the above steps and there was no change as part
> of my troubleshooting. After this I reloaded the configuration and even
> restarted the service and postconf -d myhostname is still wrong.

That's because postconf -d myhostname gives you the _default_ configuration setting.

man postconf

  -d  Print main.cf default parameter settings instead of actual settings.
      Specify -df to fold long lines for human readability (Postfix 2.9 and later).

Use postconf myhostname to get the actual configured parameter.

> I am just baffled that /etc/hosts has the fully qualified domain name, the
> /usr/bin/hostname -f command gives the output that is FQDN...not a programmer
> so no idea how to see what the function that is documented does.
>
> -Original Message-
> From: owner-postfix-us...@postfix.org On Behalf Of Viktor Dukhovni
> Sent: Tuesday, September 27, 2022 1:28 PM
> To: postfix-users@postfix.org
> Subject: Re: Wrong Domain in Null Client Setup
> ...
>
> Your mistake is to use "hostname -f". Postfix uses the actual configured
> hostname, not some randomly canonicalised version that changes unpredictably.
> Either set the system hostname to the desired FQDN, or set "myhostname" in
> main.cf.
>
>> Running postconf -d myhostname returns the host.localdomain where the
>> host is the correct hostname, but localdomain is just the string
>> "localdomain"
>
> You need to configure a fully-qualified hostname, or set myhostname explicitly.

--
Christian Kivalo
Re: smtpd NOQUEUE without reject
On 2022-08-05 20:13, J David wrote:
> I noticed something in our mail logs that I thought was unusual.
>
> What does it mean when smtpd reports a NOQUEUE without any kind of reject: reason? All that's there is the client.
>
> Aug 5 17:42:58 b1 postfix/smtpd[18503]: NOQUEUE: client=a26-70.smtp-out.us-west-2.amazonses.com[54.240.26.70]
> Aug 5 17:43:34 b1 postfix/smtpd[18632]: NOQUEUE: client=mail-mw2nam12on2054.outbound.protection.outlook.com[40.107.244.54]
> Aug 5 17:44:59 b1 postfix/smtpd[18653]: NOQUEUE: client=mail-io1-f54.google.com[209.85.166.54]
>
> I don't see any rhyme or reason to the affected clients. There are plenty of big email providers, small ones, etc. I even found an internal connection from another server, which helped me see that the same connection *does* go on to send a message successfully after the NOQUEUE.
>
> Here's an example from outlook.com:
>
> Aug 5 18:06:59 b1 postfix/smtpd[20637]: connect from mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]
> Aug 5 18:07:00 b1 postfix/smtpd[20637]: Trusted TLS connection established from mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> Aug 5 18:07:00 b1 postfix/smtpd[20637]: NOQUEUE: client=mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]
> Aug 5 18:07:04 b1 postfix/smtpd[20637]: proxy-accept: END-OF-MESSAGE: 250 2.6.0 from MTA(smtp:[127.0.0.1]:10027): 250 Queued on server; from= to= proto=ESMTP helo=

What is listening on 127.0.0.1:10027?

> Aug 5 18:07:04 b1 postfix/smtpd[20637]: disconnect from mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
>
> There's only one mail, one rcpt, etc shown in the disconnect summary, and one actual message with one recipient did go through, so I just don't understand where the NOQUEUE came from.
>
> This appears to happen ~25,000 times a day, so I'd like to better understand what's causing it and if it represents a problem. Or if I've just left a debug setting enabled somewhere. :-)
>
> If it matters, this is on Postfix 3.7.2.
>
> Thanks for any advice!

--
Christian Kivalo
Re: Blacklisted - SASL Login Attempt
On 2022-01-14 07:33, Maurizio Caloro wrote:
> Hello,
>
> I see he tried to log in "authentication failed" and failed, but the IP is blacklisted, please why? should it not be blocked before.
>
> -- OS Debian 10.11 - Postfix - mail_version = 3.4.14
>
> -- Main.cf
> postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/whitelistCIDR+IP, cidr:/etc/postfix/blacklistIP
>
> -- BlacklistIP
> root@mail:/etc/postfix# cat blacklistIP | grep 5.188.206.199
> 5.188.206.199 REJECT
>
> -- Mail.log
> Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after AUTH from unknown[5.188.206.199]

This is smtps (port 465). Your config and blocklist is for postscreen which should only be enabled for port 25.

--
Christian Kivalo
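Since postscreen only fronts port 25, a block list kept in postscreen_access_list never sees password guessing on 465/587; the place to spot it is the smtpd log lines themselves. The following is an added example, not code from the thread: an awk-based summary of failed SASL logins per client address that can feed a firewall rule or a fail2ban-style tool. The first sample line is the one from the thread, the remaining sample lines and the 203.0.113.7 address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SASL logins per client IP
# from Postfix smtpd log lines and list the clients at or above a threshold.
#
# Usage: sasl_failures THRESHOLD [LOGFILE...]   (reads stdin when no file given)
# Output: one "IP COUNT" line per client, highest count first.

sasl_failures() {
    threshold=$1
    shift
    # Matches lines such as
    #   ... postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: ...
    # from any smtpd instance (smtpd, smtps/smtpd, submission/smtpd) and any
    # SASL mechanism (LOGIN, PLAIN, ...).
    awk -v min="$threshold" '
        /postfix\/([a-z]+\/)?smtpd\[[0-9]+\]: warning: [^ ]+\[[^]]+\]: SASL [A-Z-]+ authentication failed/ {
            # The client is logged as name[ip]; take the ip between the last
            # "[" and "]: SASL".
            if (match($0, /\[[^]]+\]: SASL/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                count[ip]++
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print ip, count[ip]
        }' "$@" | sort -k2,2nr -k1,1
}

# Constructed sample input: line 1 is copied from the thread, the rest are
# made up for this example (203.0.113.7 is a documentation address).
sample_log() {
    printf '%s\n' \
      'Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6' \
      'Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after AUTH from unknown[5.188.206.199]' \
      'Jan 14 07:18:01 nmail postfix/submission/smtpd[7811]: warning: unknown[5.188.206.199]: SASL PLAIN authentication failed: authentication failure' \
      'Jan 14 07:18:03 nmail postfix/smtps/smtpd[7812]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6' \
      'Jan 14 07:19:00 nmail postfix/smtps/smtpd[7813]: warning: host.example.net[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6'
}

# "./script --demo [THRESHOLD]" runs the summary over the sample lines.
if [ "${1:-}" = "--demo" ]; then
    sample_log | sasl_failures "${2:-2}"
fi
```

On a live system the same function reads the real log, for example `sasl_failures 5 /var/log/mail.log`, or `journalctl -u postfix@-.service --no-pager | sasl_failures 5` where Postfix logs to the journal.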
Re: Some DNSSEC/DANE questions
On 2022-01-03 23:02, Dan Mahoney wrote:
> On Jan 3, 2022, at 1:46 PM, Mike wrote:
>> On 1/3/2022 2:38 PM, Dan Mahoney (Gushi) wrote:
>>> [snip]
>>>
>>> One more question: Does anyone know of a "reflector" like service that one can use to test DANE validation, i.e. a site that one is allowed to send test messages to, that *only* has DANE as the trust mech (so, say, a self-signed cert?)
>>
>> Here's an SMTP DANE validator that I use when I make changes to my server.
>>
>> https://dane.sys4.de/
>>
>> I'm not sure if it is just what you're looking for, though.
>
> No, I am looking for a server to which I can send mail to make sure DANE is being looked up and used on my end. Not something that looks up MY domain and connects to it.

Maybe this is more like what you're looking for https://havedane.net/

--
Christian Kivalo
Re: Submission behind haproxy, TLS issues
On 2021-05-20 01:12, post...@ptld.com wrote:
> Best i can gather from your last few replies is to rsync a copy of the cert created on the load balancer to the backend servers and point postfix at that cert. Is that the answer? This is all I've been trying to ask from the beginning, best method of getting a cert created on the load balancer to postfix on a different server to use for TLS.

There are other Let's Encrypt clients than certbot that can eg. copy certs around or restart services if needed. -> https://letsencrypt.org/docs/client-options/

I'm using getssl for some years now and am happy with it.

--
Christian Kivalo
Re: warning: dnsblog_query lookup error
On April 8, 2021 9:10:04 AM GMT+02:00, Maurizio Caloro wrote:
>>> You should not use public dns servers to query dnsbls as they are
>>> likely blocked due to excessive query volume at the dnsbl. Install and use
>>> a local resolver like unbound, knot, bind and use nameserver
>>> 127.0.0.1 in /etc/resolv.conf
>
> root@nmail:/etc/postfix# cat /etc/resolv.conf
> nameserver 127.0.0.1
> nameserver 8.8.8.8
>
> Please I can ping everything ..
>
> root@nmail:/etc/postfix# ping 42.89.92.40
> PING 42.89.92.40 (42.89.92.40) 56(84) bytes of data.
> 16 packets transmitted, 0 received, 100% packet loss, time 354ms
>
> root@nmail:/etc/postfix# ping 109.75.92.40
> PING 109.75.92.40 (109.75.92.40) 56(84) bytes of data.
> 3 packets transmitted, 0 received, 100% packet loss, time 27ms

You don't need to ping anything. Try the query directly.

I'm only using a local unbound on this server for name resolution. This is what I get:

valo:~ $ dig 109.75.92.40.list.dnswl.org +short
127.0.3.0
valo:~ $

> Thanks
> Mauri
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org On Behalf Of Christian Kivalo
> Sent: Thursday, 8 April 2021 09:02
> To: postfix-users@postfix.org
> Subject: Re: warning: dnsblog_query lookup error
>
> On April 8, 2021 8:29:09 AM GMT+02:00, Maurizio Caloro wrote:
>> Hello
>>
>> I have the issue with mail from Outlook, or Hotmail this Warning appear
>> and the mail don't deliver to me.
>> cat /etc
>>
>> Apr 8 08:04:24 ail postfix/dnsblog[7379]: warning: dnsblog_query: lookup error for DNS query 109.75.92.40.list.dnswl.org: Host or domain name not found. Name service error for name=109.75.92.40.list.dnswl.org type=A: Host not found, try again
>>
>> Apr 8 08:23:10 ail postfix/dnsblog[7943]: warning: dnsblog_query: lookup error for DNS query 42.89.92.40.list.dnswl.org: Host or domain name not found. Name service error for name=42.89.92.40.list.dnswl.org type=A: Host not found, try again
>>
>> postscreen_dnsbl_sites = zen.spamhaus.org*3
>>     b.barracudacentral.org*2
>>     bl.spameatingmonkey.net*2
>>     bl.spamcop.net
>>     dnsbl.sorbs.net
>>     psbl.surriel.com
>>     bl.mailspike.net
>>     list.dnswl.org=127.0.[0..255].0*-2
>>     list.dnswl.org=127.0.[0..255].1*-3
>>     list.dnswl.org=127.0.[0..255].[2..3]*-4
>>
>> root@nmail:/etc/postfix# ping 42.89.92.40
>> PING 42.89.92.40 (42.89.92.40) 56(84) bytes of data.
>> 181 packets transmitted, 0 received, 100% packet loss, time 482ms
>>
>> root@nmail:/etc/postfix# cat /etc/resolv.conf
>> nameserver 8.8.8.8
>> nameserver 46.38.225.230
>
> You should not use public dns servers to query dnsbls as they are
> likely blocked due to excessive query volume at the dnsbl. Install and
> use a local resolver like unbound, knot, bind and use nameserver
> 127.0.0.1 in /etc/resolv.conf
>
>> regards
>>
>> Mauri
>
> --
> Christian Kivalo

--
Christian Kivalo
Re: warning: dnsblog_query lookup error
On April 8, 2021 8:29:09 AM GMT+02:00, Maurizio Caloro wrote:
> Hello
>
> I have the issue with mail from Outlook, or Hotmail this Warning appear
> and the mail don't deliver to me.
>
> Apr 8 08:04:24 ail postfix/dnsblog[7379]: warning: dnsblog_query: lookup error for DNS query 109.75.92.40.list.dnswl.org: Host or domain name not found. Name service error for name=109.75.92.40.list.dnswl.org type=A: Host not found, try again
>
> Apr 8 08:23:10 ail postfix/dnsblog[7943]: warning: dnsblog_query: lookup error for DNS query 42.89.92.40.list.dnswl.org: Host or domain name not found. Name service error for name=42.89.92.40.list.dnswl.org type=A: Host not found, try again
>
> postscreen_dnsbl_sites = zen.spamhaus.org*3
>     b.barracudacentral.org*2
>     bl.spameatingmonkey.net*2
>     bl.spamcop.net
>     dnsbl.sorbs.net
>     psbl.surriel.com
>     bl.mailspike.net
>     list.dnswl.org=127.0.[0..255].0*-2
>     list.dnswl.org=127.0.[0..255].1*-3
>     list.dnswl.org=127.0.[0..255].[2..3]*-4
>
> root@nmail:/etc/postfix# ping 42.89.92.40
> PING 42.89.92.40 (42.89.92.40) 56(84) bytes of data.
> 181 packets transmitted, 0 received, 100% packet loss, time 482ms
>
> root@nmail:/etc/postfix# cat /etc/resolv.conf
> nameserver 8.8.8.8
> nameserver 46.38.225.230

You should not use public dns servers to query dnsbls as they are likely blocked due to excessive query volume at the dnsbl. Install and use a local resolver like unbound, knot, bind and use nameserver 127.0.0.1 in /etc/resolv.conf

> regards
>
> Mauri

--
Christian Kivalo
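The dnsblog warnings in the two messages above are resolver failures, not list answers; once a local resolver returns real answers, the next question is what each answer contributes to the postscreen score. The script below is an added example, not code from the thread or from Postfix: it evaluates DNSBL answers against a postscreen_dnsbl_sites value using the entry syntax from postscreen(8) (domain[=d.d.d.d][*weight], where each d is a number, a [lo..hi] range, or a [a;b] list). It simplifies in one respect: an entry without an =pattern is treated as matching any answer. The sites list is the one from the thread and 127.0.3.0 is the dnswl answer Christian got with dig; dnswl encodes the trust level in the last octet, which is why the thread's config grades its negative weights on that octet.

```shell
#!/bin/sh
# Added example (not from the thread): compute the postscreen_dnsbl_score that
# a set of DNSBL answers produces under a given postscreen_dnsbl_sites value,
# so "dig <reversed-ip>.<list> +short" results can be checked against the
# configuration by hand.
# Simplification: an entry with no =pattern matches any answer.

# dnsbl_entry_weight ENTRY ANSWER -> the entry's weight if ANSWER matches, else 0
dnsbl_entry_weight() {
    printf '%s\n' "$1" | awk -v answer="$2" '
    # pat is one octet pattern: "3", "[0-255]" (range, ".." already rewritten
    # to "-"), or "[2;3]" (alternatives); val is the numeric answer octet.
    function octet_matches(pat, val,    alts, n, i, r) {
        if (pat ~ /^\[.*\]$/) pat = substr(pat, 2, length(pat) - 2)
        n = split(pat, alts, ";")
        for (i = 1; i <= n; i++) {
            if (index(alts[i], "-")) {
                split(alts[i], r, "-")
                if (val >= r[1] + 0 && val <= r[2] + 0) return 1
            } else if (val == alts[i] + 0) return 1
        }
        return 0
    }
    {
        spec = $0; weight = 1; pattern = ""
        n = index(spec, "*")                       # optional *weight suffix
        if (n) { weight = substr(spec, n + 1) + 0; spec = substr(spec, 1, n - 1) }
        n = index(spec, "=")                       # optional =d.d.d.d filter
        if (n) pattern = substr(spec, n + 1)
        if (pattern == "") { print weight; exit }
        gsub(/\.\./, "-", pattern)                 # keep ranges intact when splitting on "."
        split(pattern, p, "."); split(answer, a, ".")
        for (i = 1; i <= 4; i++)
            if (!octet_matches(p[i], a[i] + 0)) { print 0; exit }
        print weight
    }'
}

# dnsbl_score SITES PAIRS -> total score.  SITES is the postscreen_dnsbl_sites
# value (space separated); PAIRS is newline-separated "domain answer" lines,
# one per list that returned an A record.  Every entry for that domain whose
# pattern matches contributes its weight, as postscreen does.
dnsbl_score() (
    set -f                      # entries contain * and [..]: no globbing
    sites=$1
    total=0
    while read -r domain answer; do
        [ -n "$domain" ] || continue
        for entry in $sites; do
            case $entry in
                "$domain"|"$domain="*|"$domain*"*)
                    w=$(dnsbl_entry_weight "$entry" "$answer")
                    total=$((total + w)) ;;
            esac
        done
    done <<EOF
$2
EOF
    echo "$total"
)

# The sites list from the thread, used by the demo below.
THREAD_SITES='zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4'

if [ "${1:-}" = "--demo" ]; then
    # 127.0.3.0 is the answer from the thread: trust level 0, so only the *-2 entry matches.
    dnsbl_score "$THREAD_SITES" 'list.dnswl.org 127.0.3.0'
fi
```

A score at or above postscreen_dnsbl_threshold (default 1) is what makes postscreen reject; with the thread's configuration a client that is only on dnswl with trust level 0 scores -2, and one listed on zen.spamhaus.org scores 3 regardless of the other lists.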
Re: Problem with starttls / orange.fr
On March 30, 2021 7:08:39 AM GMT+02:00, "DEPRÉ Gaëtan - NGServers.com" wrote:
> Hi !
>
> While trying to send an email to some...@orange.fr <mailto:some...@orange.fr>, I get this error log :
>
> Mar 30 06:47:39 mail postfix/qmgr[18959]: 29D0248A23DC: from=x...@domain.dom <mailto:x...@domain.dom>, size=93541, nrcpt=1 (queue active)
> Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to smtp-in.orange.fr[80.12.242.9]:25: -1
> Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:
> Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: Cannot start TLS: handshake failure
> Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to smtp-in.orange.fr[193.252.22.65]:25: -1
> Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:
> Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: to=y...@orange.fr, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=0.52, delays=0.29/0.01/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
> Mar 30 06:47:41 mail postfix/submission/smtpd[24351]: disconnect from lfbn-nan-xxx.abo.wanadoo.fr[xx.yy.zz.xx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
>
> After a few minutes, without doing anything, I get this :
>
> Mar 30 06:56:16 mail postfix/qmgr[18959]: 29D0248A23DC: from=x...@domain.dom, size=93541, nrcpt=1 (queue active)
> Mar 30 06:56:17 mail postfix/smtp[24509]: SSL_connect error to smtp-in.orange.fr[193.252.22.65]:25: -1
> Mar 30 06:56:17 mail postfix/smtp[24509]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:
> Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: Cannot start TLS: handshake failure
> Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: to=y...@orange.fr <mailto:y...@orange.fr>, relay=smtp-in.orange.fr[193.252.22.65]:25, delay=518, delays=518/0.02/0.12/0.35, dsn=2.0.0, status=sent (250 2.0.0 mUwH240075Jsp0m01UwHze mail accepted for delivery)
> Mar 30 06:56:17 mail postfix/qmgr[18959]: 29D0248A23DC: removed
>
> The TLS part in main.cf :
>
> ### Outbound SMTP connections (Postfix as sender)
> smtp_tls_security_level = dane
> smtp_dns_support_level = dnssec
> smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2

You have a missing "," after !SLv3 which also misses an "S"

And you exclude TLSv1 with which I can establish an encrypted connection to orange.fr

> smtp_tls_ciphers = high
> smtp_tls_CAfile = /etc/letsencrypt/live/mymailserver.domain.dom/chain.pem

You probably don't need client certificates.

> Any clue about this error ? Which cert do I use and that orange does not want ? Why is the email sent after a few attempts ?

Eventually the email is sent in plaintext without encryption.

> Regards,
>
> Gaetan

--
Christian Kivalo
Re: Catch a forged Return Path
On 2021-02-04 09:08, ludic...@gmail.com wrote:
> Hi all,
>
> new MS Azure Cloudapp Spam Wave these days. Just a few hosts, but a lot of Spam. There is a pattern there, they all use Return-Path: to disguise as a bounce and bypass any further checks. So the PCRE header check
>
> /^Return-Path: / REJECT Forged Return-Path
>
> does not catch. Any other chance of making this work in postfix checks?
>
> Actually a re-visit to my topic about MS Azure Cloud Spam from December, but much more clarified matters now after some time of observation.

Add postscreen to your config. Postscreen stopped that spam wave with high DNSBL ranks for me.

This http://rob0.nodns4.us/postscreen.html is a good resource and i have it setup more or less the way described there + some minor adjustments needed for my setup.

> Greets,
> Ludi

--
Christian Kivalo
Re: SASL auth cache?
On January 17, 2021 2:32:49 PM GMT+01:00, Tom Sommer wrote:
> On 2021-01-17 14:22, Wietse Venema wrote:
>> Tom Sommer:
>>> Hi all
>>>
>>> I just observed Postfix not picking up changes in the SASL auth
>>> backend,
>>> is there some kind of cache involved here?
>>
>> There is no such thing in Postfix. Also not in the Postfix Dovecot
>> client.
>
> Curious, and it couldn't be connection cache/reuse or something?

Could it have been an authenticated, still open connection that got closed as postfix was restarted?

> ---
> Tom

--
Christian Kivalo
Re: Postfix failed to start at boot
On July 23, 2020 2:33:04 PM GMT+02:00, Linkcheck wrote:
> I have a private postfix server on my local network. It runs under
> Manjaro. On booting Manjaro I get half a dozen ERROR lines as:
>
> FAILED: Failed to start (eg) Postfix
>
> All are to do with postfix, dmarc, dkim etc.
>
> I've wondered for some time now why I have to start postfix manually
> after reboot but haven't had time to track it down. Since I usually
> drive the machine through Remmina I never see the boot sequence, so have
> previously missed this.
>
> Postfix runs without a manual restart but dkim/dmarc leave complaints in
> the log about having no path to the PID files. When starting them
> manually I use:
>
> ===
>  sudo mkdir /var/run/opendkim/
>  sudo chown -R opendkim:opendkim /var/run/opendkim
>  sudo systemctl enable opendkim
>  sudo systemctl start opendkim
>
>  sudo mkdir /var/run/opendmarc/
>  sudo chown -R opendmarc:postfix /var/run/opendmarc
>  sudo chmod -R 774 /var/run/opendmarc

If the distribution packages don't take care that the necessary directories under /var/run are created, you need to create them after every boot.

Look at man 5 tmpfiles.d and create the necessary files in /etc/tmpfiles.d

>  sudo systemctl enable opendmarc
>  sudo systemctl start opendmarc
>  sudo systemctl restart postfix
> ===
> (the sequence is probably incorrect: I have to run the second block
> twice before I get the proper ownership of opendmarc)
>
> I checked the status of postfix immediately after boot and before
> restarting it manually and got...
>
> ===
> postfix.service - Postfix Mail Transport Agent
>    Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
>    Active: active (running) since Sat 2020-07-04 15:55:09 BST; 2min 27s ago
>   Process: 742 ExecStart=/usr/bin/postfix start (code=exited, status=0/SUCCESS)
>  Main PID: 851 (master)
>     Tasks: 8 (limit: 9148)
>    Memory: 19.7M
>    CGroup: /system.slice/postfix.service
>            ├─ 851 /usr/lib/postfix/bin/master -w
>            ├─ 867 pickup -l -t fifo -u -o content_filter= -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>            ├─ 868 qmgr -l -t fifo -u
>            ├─1591 smtpd -n smtp -t inet -u -o stress= -s 2 -o content_filter=
>            ├─1592 proxymap -t unix -u
>            ├─1593 tlsmgr -l -t unix -u
>            ├─1594 anvil -l -t unix -u
>            └─1604 smtpd -n smtp -t inet -u -o stress= -s 2 -o content_filter=
>
> Jul 04 15:55:02 SSPH systemd[1]: postfix.service: Scheduled restart job, restart counter is at 3.
> Jul 04 15:55:02 SSPH systemd[1]: Stopped Postfix Mail Transport Agent.
> Jul 04 15:55:02 SSPH systemd[1]: Starting Postfix Mail Transport Agent...
> Jul 04 15:55:03 SSPH systemd[1]: postfix.service: Control process exited, code=exited, status=1/FAILURE
> Jul 04 15:55:03 SSPH systemd[1]: postfix.service: Failed with result 'exit-code'.
> Jul 04 15:55:03 SSPH systemd[1]: Failed to start Postfix Mail Transport Agent.
> Jul 04 15:55:04 SSPH systemd[1]: postfix.service: Scheduled restart job, restart counter is at 4.
> Jul 04 15:55:04 SSPH systemd[1]: Stopped Postfix Mail Transport Agent.
> Jul 04 15:55:04 SSPH systemd[1]: Starting Postfix Mail Transport Agent...
> Jul 04 15:55:09 SSPH systemd[1]: Started Postfix Mail Transport Agent.
> ===
>
> I do not know how to fix this failure. Any help, please? I have asked
> this question in the Manjaro forum but with no resolution.

--
Christian Kivalo
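The tmpfiles.d route Christian points to replaces the manual mkdir/chown sequence above: a fragment in /etc/tmpfiles.d is applied by systemd-tmpfiles early at boot, before the milter units start, so the PID-file directories exist with the right owner every time. The script below is an added example, not code from the thread or from the OpenDKIM/OpenDMARC projects; the owners and modes are the ones the poster used, the file name milters.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): install a tmpfiles.d(5) fragment that
# creates the /run directories opendkim and opendmarc need at every boot.
# Owners and modes are those from the thread; "milters.conf" is an assumed name.
#
# Usage: write_milter_tmpfiles [DIR]      (DIR defaults to /etc/tmpfiles.d)
# Then:  systemd-tmpfiles --create /etc/tmpfiles.d/milters.conf
#        (at boot, systemd-tmpfiles-setup.service applies it automatically)

write_milter_tmpfiles() {
    dir=${1:-/etc/tmpfiles.d}
    conf=$dir/milters.conf
    # Line format: Type Path Mode User Group Age.  Type "d" creates the
    # directory if it is missing and fixes mode and ownership if it exists.
    # /run is the canonical location; /var/run is a symlink to it.
    cat > "$conf" <<'EOF'
# Runtime directories for the DKIM/DMARC milters (recreated at every boot).
d /run/opendkim  0755 opendkim  opendkim -
d /run/opendmarc 0774 opendmarc postfix  -
EOF
    echo "$conf"
}

# Sanity check before relying on the fragment: every non-comment, non-empty
# line must carry exactly the six tmpfiles.d fields.
validate_tmpfiles_conf() {
    awk '!/^[ \t]*(#|$)/ && NF != 6 { bad = 1 } END { exit bad + 0 }' "$1"
}

if [ "${1:-}" = "--install" ]; then
    conf=$(write_milter_tmpfiles "${2:-/etc/tmpfiles.d}")
    validate_tmpfiles_conf "$conf" && command -v systemd-tmpfiles >/dev/null \
        && systemd-tmpfiles --create "$conf"
fi
```

If the distribution's unit files are editable, `RuntimeDirectory=opendkim` in a drop-in for opendkim.service achieves the same without a tmpfiles.d fragment; the fragment is the option that works regardless of how the units are written.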
Re: Nothing in /var/log/maillog under stress
On 2020-07-13 02:08, Greg Sims wrote:
> I updated my maillog processing tool to make use of journalctl. This is working well and I can now see the "missing" maillog entries with my tool. This is a great step in the right direction.

That sounds great.

> I have rsyslog running which looks like it might be redundant -- based on the serverfault post you supplied. I will try running without rsyslog and see what happens.
>
> I am aware of the systemd journal rate limits from CentOS 7. I will do additional research to know when I hit these limits and make needed adjustments if I do.

I added this to /etc/system/journal.conf.d/journald.conf and it works for me.

[Journal]
RateLimitIntervalSec=1s
RateLimitBurst=0

> Thanks for your help Christian! I am now able to accomplish my goals using journalctl. I am more than willing to collect data to help determine why the three minutes of log data is not making it to /var/log/maillog. To be honest, I do not know how to "... find out how your syslog daemon gets the messages from the systemd journal.".
>
> Greg Sims
>
> On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo wrote:
>> On 2020-07-13 00:10, Greg Sims wrote:
>>> Thank you Christian. I am running on CentOS 8.2 and the name of the service is "postfix.service". When I enter:
>>>
>>> journalctl -u postfix.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
>>>
>>> I see all of the missing data that should be in /var/log/maillog -- almost 50,000 records. You discovered a way to gain access to the missing data! The big question for me continues to be, why did this data not make it to /var/log/maillog?
>>
>> You'd have to find out how your syslog daemon gets the messages from the systemd journal. What syslog daemon do you have installed?
>>
>> Be aware that systemd journal has some rate limits which can lead to loss of log messages, see the man 5 journald.conf
>>
>> I found this https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald which covers rsyslog on centos 7. There is an import module for systemd journal.
>>
>> On my server rsyslog is configured to create a log socket at /var/spool/postfix/dev/log and ignore systemd journal and that works well for my use case.
>>
>>> Greg Sims
>>>
>>> On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo wrote:
>>>> On 2020-07-12 23:01, Greg Sims wrote:
>>>>> Nothing Christian:
>>>>>
>>>>> [root@mail0 postfix]# journalctl -u postfix@-.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
>>>>> -- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun 2020-07-12 15:50:00 CDT. --
>>>>> -- No entries --
>>>>
>>>> Maybe your systemd unit is named slightly different as in debian, postfix@-.service is what tab completion makes for me...
>>>>
>>>> Is there anything in journalctl? What does systemctl status postfix show?
>>>>
>>>> You can have postfix log to a file as described in http://www.postfix.org/MAILLOG_README.html first and then fix your logging.
>>>>
>>>> --
>>>> Christian Kivalo
>>
>> --
>> Christian Kivalo

--
Christian Kivalo
Re: Nothing in /var/log/maillog under stress
On 2020-07-13 03:57, Greg Sims wrote:
> I removed rsyslog using yum, rebooted the VM and made sure postfix was running. I then sent five emails from a remote VM using SMTP. I can see the postfix logs using journalctl. This set of postfix logs do not make it to /var/log/maillog. The five emails were delivered. I'm not sure if this is the expected behavior.

This is expected as rsyslog writes to /var/log/maillog. Now you only have the journal except for those services that write to their own logfile directly...

> Apache is also running on this VM. I performed "tail /var/log/httpd/access_log" and can see Apache logging.

... like apache does.

> Greg Sims
> www.RayStedman.org [1]
>
> On Sun, Jul 12, 2020 at 5:08 PM Greg Sims wrote:
>> I updated my maillog processing tool to make use of journalctl. This is working well and I can now see the "missing" maillog entries with my tool. This is a great step in the right direction.
>>
>> I have rsyslog running which looks like it might be redundant -- based on the serverfault post you supplied. I will try running without rsyslog and see what happens.
>>
>> I am aware of the systemd journal rate limits from CentOS 7. I will do additional research to know when I hit these limits and make needed adjustments if I do.
>>
>> Thanks for your help Christian! I am now able to accomplish my goals using journalctl. I am more than willing to collect data to help determine why the three minutes of log data is not making it to /var/log/maillog. To be honest, I do not know how to "... find out how your syslog daemon gets the messages from the systemd journal.".
>>
>> Greg Sims
>>
>> On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo wrote:
>>> On 2020-07-13 00:10, Greg Sims wrote:
>>>> Thank you Christian. I am running on CentOS 8.2 and the name of the service is "postfix.service". When I enter:
>>>>
>>>> journalctl -u postfix.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
>>>>
>>>> I see all of the missing data that should be in /var/log/maillog -- almost 50,000 records. You discovered a way to gain access to the missing data! The big question for me continues to be, why did this data not make it to /var/log/maillog?
>>>
>>> You'd have to find out how your syslog daemon gets the messages from the systemd journal. What syslog daemon do you have installed?
>>>
>>> Be aware that systemd journal has some rate limits which can lead to loss of log messages, see the man 5 journald.conf
>>>
>>> I found this https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald which covers rsyslog on centos 7. There is an import module for systemd journal.
>>>
>>> On my server rsyslog is configured to create a log socket at /var/spool/postfix/dev/log and ignore systemd journal and that works well for my use case.
>>>
>>>> Greg Sims
>>>>
>>>> On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo wrote:
>>>>> On 2020-07-12 23:01, Greg Sims wrote:
>>>>>> Nothing Christian:
>>>>>>
>>>>>> [root@mail0 postfix]# journalctl -u postfix@-.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
>>>>>> -- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun 2020-07-12 15:50:00 CDT. --
>>>>>> -- No entries --
>>>>>
>>>>> Maybe your systemd unit is named slightly different as in debian, postfix@-.service is what tab completion makes for me...
>>>>>
>>>>> Is there anything in journalctl? What does systemctl status postfix show?
>>>>>
>>>>> You can have postfix log to a file as described in http://www.postfix.org/MAILLOG_README.html first and then fix your logging.
>>>>>
>>>>> --
>>>>> Christian Kivalo
>>>
>>> --
>>> Christian Kivalo
>
> Links:
> --
> [1] https://www.RayStedman.org

--
Christian Kivalo
Re: Nothing in /var/log/maillog under stress
On 2020-07-13 00:10, Greg Sims wrote:
> Thank you Christian. I am running on CentOS 8.2 and the name of the service is "postfix.service". When I enter:
>
> journalctl -u postfix.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
>
> I see all of the missing data that should be in /var/log/maillog -- almost 50,000 records. You discovered a way to gain access to the missing data! The big question for me continues to be, why did this data not make it to /var/log/maillog?

You'd have to find out how your syslog daemon gets the messages from the systemd journal. What syslog daemon do you have installed?

Be aware that systemd journal has some rate limits which can lead to loss of log messages, see the man 5 journald.conf

I found this https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald which covers rsyslog on centos 7. There is an import module for systemd journal.

On my server rsyslog is configured to create a log socket at /var/spool/postfix/dev/log and ignore systemd journal and that works well for my use case.

> Greg Sims
>
> On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo wrote:
>> On 2020-07-12 23:01, Greg Sims wrote:
>>> Nothing Christian:
>>>
>>> [root@mail0 postfix]# journalctl -u postfix@-.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
>>> -- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun 2020-07-12 15:50:00 CDT. --
>>> -- No entries --
>>
>> Maybe your systemd unit is named slightly different as in debian, postfix@-.service is what tab completion makes for me...
>>
>> Is there anything in journalctl? What does systemctl status postfix show?
>>
>> You can have postfix log to a file as described in http://www.postfix.org/MAILLOG_README.html first and then fix your logging.
>>
>> --
>> Christian Kivalo

--
Christian Kivalo
Re: Nothing in /var/log/maillog under stress
On 2020-07-12 23:01, Greg Sims wrote:
> Nothing Christian:
>
> [root@mail0 postfix]# journalctl -u postfix@-.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
> -- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun 2020-07-12 15:50:00 CDT. --
> -- No entries --

Maybe your systemd unit is named slightly different as in debian, postfix@-.service is what tab completion makes for me...

Is there anything in journalctl? What does systemctl status postfix show?

You can have postfix log to a file as described in http://www.postfix.org/MAILLOG_README.html first and then fix your logging.

--
Christian Kivalo
Re: Nothing in /var/log/maillog under stress
On 2020-07-12 20:59, Greg Sims wrote:
> We are making good progress building a mail server. The server is a KVM running CentOS 8.2 with vcpus=2 and ram=4GB. The system is under heavy load and is likely limited by disk performance. The load is generated by a second KVM using SMTP to send email. Everything seems to be working except there is nothing in /var/log/maillog for a period of 3 minutes. I'm not sure what is causing the omission of logs and how to correct this issue.

Maybe systemd-journald rate limit is your problem. I found some information here https://www.rootusers.com/how-to-change-log-rate-limiting-in-linux

Do these 3 minutes show up when you call

journalctl -u postfix@-.service

or more specifically

journalctl -u postfix@-.service --since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"

> I'm concerned that we are not following this recommendation, "Don't overwhelm the disk with mail submissions. Optimize the mail submission rate by tuning the number of parallel submissions and/or by tuning the Postfix in_flow_delay parameter setting." There is no indication in /var/log/maillog of problems (other than 3 minutes of missing logs). I do not know if "overwhelming the disk" would lead to shutting down data going to the maillog altogether. I will set in_flow_delay = 2s for this KVM mail server this evening.
>
> The performance snapshots below seem to show: cpu load average is not heavy, plenty of ram free, no swapping (stable at 108Mi), dm-0 is working hard at 129 tps and postfix seems to be keeping up with the load with 39-50 emails in the queue. This run started at 03:05 and created two minutes of data in /var/log/maillog -- and then nothing for 3 minutes starting at 03:07. I am certain the email in the missing three minutes was actually delivered or I would be seeing lots of negative feedback from our subscribers.

You can also put

> 03:07:04 up 17:31, 0 users, load average: 0.42, 0.26, 0.10
>                total        used        free      shared  buff/cache   available
> Mem:           3.7Gi       832Mi       2.0Gi       101Mi       931Mi       2.5Gi
> Swap:          1.0Gi       108Mi       915Mi
>
> Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
> dm-0            129.00         0.00      2373.50          0       4747
>
> incoming/active queue:
>                               T  5 10 20 40 80 160 320 640 1280 1280+
>                      TOTAL   39 39  0  0  0  0   0   0   0    0     0
>                  gmail.com    8  8  0  0  0  0   0   0   0    0     0
>                    att.net    7  7  0  0  0  0   0   0   0    0     0
>              bellsouth.net    7  7  0  0  0  0   0   0   0    0     0
>              sbcglobal.net    7  7  0  0  0  0   0   0   0    0     0
>                    aol.com    4  4  0  0  0  0   0   0   0    0     0
>                 icloud.com    4  4  0  0  0  0   0   0   0    0     0
>                  yahoo.com    1  1  0  0  0  0   0   0   0    0     0
>                outlook.com    1  1  0  0  0  0   0   0   0    0     0
>
> deferred queue:
>                               T  5 10 20 40 80 160 320 640 1280 1280+
>                      TOTAL    1  0  0  0  0  0   0   0   0    0     1
>                 icloud.com    1  0  0  0  0  0   0   0   0    0     1
>
> 03:07:11 up 17:31, 0 users, load average: 0.36, 0.25, 0.10
>                total        used        free      shared  buff/cache   available
> Mem:           3.7Gi       858Mi       1.9Gi       101Mi       933Mi       2.5Gi
> Swap:          1.0Gi       108Mi       915Mi
>
> Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
> dm-0            121.50         0.00      2326.00          0       4652
>
> incoming/active queue:
>                               T  5 10 20 40 80 160 320 640 1280 1280+
>                      TOTAL   56 56  0  0  0  0   0   0   0    0     0
>                  gmail.com   13 13  0  0  0  0   0   0   0    0     0
>                    att.net   11 11  0  0  0  0   0   0   0    0     0
>              sbcglobal.net   11 11  0  0  0  0   0   0   0    0     0
>              bellsouth.net    9  9  0  0  0  0   0   0   0    0     0
>                 icloud.com    6  6  0  0  0  0   0   0   0    0     0
>                  yahoo.com    5  5  0  0  0  0   0   0   0    0     0
>             rocketmail.com    1  1  0  0  0  0   0   0   0    0     0
>
> deferred queue:
>                               T  5 10 20 40 80 160 320 640 1280 1280+
>                      TOTAL    1  0  0  0  0  0   0   0   0    0     1
>                 icloud.com    1  0  0  0  0  0   0   0   0    0     1
>
> Thanks, Greg

-- Christian Kivalo
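The thread above never pins down where the three missing minutes went. One defender's check, written here as an added example (not code from the thread, from Postfix or from systemd), is to scan the maillog itself for silences that are implausible on a loaded MTA and to look for the "Suppressed N messages from <unit>" line that systemd-journald writes when its rate limiter drops messages. The log lines, hostnames and queue IDs below are constructed.

```python
"""Find silent gaps in a Postfix maillog and sum journald rate-limit notices.

Added example for the "Nothing in /var/log/maillog under stress" thread; not code
from the thread, Postfix or systemd.  All sample log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Traditional syslog timestamp as rsyslog writes it: "Jul 12 03:06:58 host ..."
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
# systemd-journald's own notice when RateLimitBurst/RateLimitIntervalSec bites.
SUPPRESSED = re.compile(r"Suppressed (\d+) messages from (\S+)")


def parse_ts(line, year):
    """Return the datetime of a syslog line, or None if the line has no timestamp.

    Syslog lines carry no year, so the caller supplies it.
    """
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")


def find_gaps(lines, year=2020, threshold=timedelta(seconds=60)):
    """Return (start, end) pairs where consecutive log lines are further apart
    than threshold.

    An MTA under a load test logs many lines per second, so a silence of a
    minute or more points at log loss (rate limiting, a dead syslog socket)
    rather than at an idle server.
    """
    gaps = []
    prev = None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev is not None and ts - prev > threshold:
            gaps.append((prev, ts))
        prev = ts
    return gaps


def suppressed_counts(lines):
    """Sum the messages journald reports as suppressed, keyed by unit name."""
    counts = {}
    for line in lines:
        m = SUPPRESSED.search(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


# Constructed sample: about two minutes of delivery logging, then a hole of
# three minutes that ends with journald admitting it dropped messages.
SAMPLE = """\
Jul 12 03:05:01 mail0 postfix/smtpd[1001]: connect from lb[10.0.0.5]
Jul 12 03:05:02 mail0 postfix/qmgr[900]: 1A2B3C4D5E: from=<list@example.test>, size=2048, nrcpt=1 (queue active)
Jul 12 03:05:45 mail0 postfix/smtp[1200]: 1A2B3C4D5E: to=<a@example.test>, relay=mx.example.test[192.0.2.10]:25, status=sent (250 2.0.0 OK)
Jul 12 03:06:30 mail0 postfix/qmgr[900]: 1A2B3C4D5E: removed
Jul 12 03:06:59 mail0 postfix/smtpd[1001]: connect from lb[10.0.0.5]
Jul 12 03:10:01 mail0 systemd-journald[400]: Suppressed 48213 messages from postfix.service
Jul 12 03:10:02 mail0 postfix/smtpd[1001]: connect from lb[10.0.0.5]
""".splitlines()

if __name__ == "__main__":
    for start, end in find_gaps(SAMPLE):
        secs = int((end - start).total_seconds())
        print(f"gap: {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs}s without a line)")
    for unit, n in suppressed_counts(SAMPLE).items():
        print(f"journald suppressed {n} messages from {unit}")
```

Run it against the real file with `find_gaps(open("/var/log/maillog"))`; a gap with no matching "Suppressed" line points at the syslog side (socket, imjournal) rather than at journald.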
Re: TLS verification problem - ca untrusted, but it shouldn't be
On 2020-07-08 09:03, Rainer Ruprechtsberger wrote:
> Hello,
> this is not my only problem with TLS verification - and I'm struggling to debug this:
>
> *mail.mail.protection.outlook.com cannot be verified by postfix:
>
> posttls-finger: certificate verification failed for blahblahommited.mail.protection.outlook.com[104.47.14.36]:25: untrusted issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

How did you call posttls-finger? Did you use "-F" and point it to /etc/ssl/certs/ca-certificates.crt?

> But I do trust this CA:
>
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

This setting does not affect posttls-finger

What does postfix log when you send a mail there?

-- Christian Kivalo
Re: 5 messages per second
On June 3, 2020 11:52:10 AM GMT+02:00, Paul Martin wrote:
>Hello,
>
>I have many logs postfix/lmtp "deferred" like:
>
>Jun 2 11:38:21 mail331 postfix/lmtp[17386]: A2E3212C86D:
>to=, relay=none, delay=5930,
>delays=2879/2862/189/0, dsn=4.4.1, status=deferred (connect to
>127.0.0.1[127.0.0.1]:24: Connection timed out)
>
>do you have a solution ?

Whatever should listen on 127.0.0.1:24 is not listening / running. What should accept the lmtp connections? Check if that service is running.

>Regards,
>Paul

-- Christian Kivalo
Re: Remove part of rbl name from response to blocked client
On 2020-01-16 09:47, Dominic Raferd wrote:
> I recently started using an RBL service where we have a 'private key' and this operates very simply by prefixing the key to the RBL address. But I just realised that this appears to mean that for any rejections the whole address - including the key - is passed back to the offending client. Which if true makes a bit of a nonsense of the idea of a 'private' key.

rbl_reply_maps and default_rbl_reply_maps is probably what you are looking for
http://www.postfix.org/postconf.5.html#rbl_reply_maps
http://www.postfix.org/postconf.5.html#default_rbl_reply

and for postscreen there is
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map

> Is there a way to cut out this private key in the response message? It happens both with postscreen and smtpd. Here is a barely-obfuscated example:
>
> 550 5.7.1 Service unavailable; client [51.88.120.222] blocked using sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net

-- Christian Kivalo
Re: Problems with header checks
On November 8, 2019 1:53:13 PM GMT+01:00, Stephan Seitz wrote:
>On Fri, Nov 08, 2019 at 01:44:53 +0100, Stephan Seitz wrote:
>>Has anyone an idea how I can debug this further? Or why it is only
>>sometimes working?
>
>I think I’ve found the problem. It happens if the subject has non-ASCII
>characters so the line looks like:
>
>=?UTF-8?Q?Aw=3A_Weinprobe_gut_=C3=BCberstanden=3F?=
>
>Has anyone an idea how I can change the regex so that it works with
>encoded subject lines? Or can I tell postfix to decode the line, then
>employ the regex and encode the line again?

For such encoded content you need to match the encoded form. See http://www.postfix.org/BUILTIN_FILTER_README.html

I don't think that postfix is the right tool for this job, on the other hand I don't really see the problem you're trying to solve.

Be careful not to break dkim signatures when modifying headers. Subject is a signed header in most cases.

>Shade and sweet water!
>
> Stephan

-- Christian Kivalo
Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD
On October 25, 2019 9:58:28 PM GMT+02:00, Jason Hirsh wrote:
>I am getting entries in my maillog, but only in regards to OpenDKIM
>working to verify INCOMING
>These are clearly entries from OpenDKIM. There is nothing
>corresponding for actions relative to outgoing mail

What happens when you comment the ExternalIgnoreList and InternalHost settings in opendkim.conf, restart the service and send a test mail originating from one of the domains you're trying to sign? What do the logs show?

My opendkim.conf has refile: prefix also for the KeyTable option.

Regards
Christian

-- Christian Kivalo
Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD
On October 25, 2019 6:52:52 PM GMT+02:00, Jason Hirsh wrote:
>I have gone over my configuration with a fine tooth comb, but
>considering I put them together it is not surprising I can’t spot
>anything
>
>I have been trying to locate opendkim action in my log file. It
>appears that the mail is being reviewed but no header added

You should revert to non debug logging for postfix as it makes it extremely hard to discover the relevant log messages.

I have the same opendkim config with regard to the Syslog, SyslogSuccess, Logwhy options

My opendkim logs show up in mail.log and syslog as that's how rsyslog in Debian is configured. Opendkim logs with the mail.* facility to syslog so whatever syslog daemon you use its configuration should tell you where the logging can be found.

>The thing that concerns me is the appearance of “dummy”
>
>Any thoughts anyone?
>
>> On Oct 24, 2019, at 11:29 AM, Jason Hirsh wrote:
>>
>> Thank you for the quick response
>>
>> I am 99% certain they are…I had the OpenDkim running for about a week
>> and did not change those (I think)
>>
>> Trusted Hosts
>>
>> 127.0.0.1
>> localhost
>> example.com
>> example1.com
>>
>> KeyTable
>>
>> default._domainkey.example.com <http://domainkey.example.com/>:default:/usr/local/etc/opendkim/keys/example.com.com/default.private <http://example.com.com/default.private>
>> default._domainkey.example1.com <http://domainkey.example1.com/>:default:/usr/local/etc/opendkim/keys/example1.com/default.private <http://example1.com/default.private>
>>
>> SigningTable
>>
>> *@example.com default._domainkey.example.com
>> *@example1.com default._domainkey.example1.com
>>
>> In my maillog I did find something a little strange in response to an outgoing message
>>
>> Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>> Oct 24 10:23:10 triggerfish opendkim[5845]: 9B3A8CB4A69: s=verifier201208 d=port25.com SSL
>> Oct 24 11:02:02 triggerfish opendkim[5845]: 93C75CB4A9A: s=verifier201208 d=port25.com SSL
>> Oct 24 11:18:43 triggerfish opendkim[5845]: 4AADACB4A99: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>>
>> Light and Motion was who the message was going to and has no presence in my mail system
>>
>> Is this log entry a clue??
>>
>>> On Oct 24, 2019, at 10:50 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>>>
>>> On Thu, 24 Oct 2019 at 15:28, Jason Hirsh <kasd...@mac.com> wrote:
>>>>
>>>> I am trying to revive my OpenDKIM installation. I had it working but managed to break it when I updated my ports. It is running but not signing outgoing messages
>>>>
>>>> My main.cf configuration relative to OpenDkim is
>>>>
>>>> smtpd_milters = inet:localhost:8891
>>>> non_smtpd_milters = $smtpd_milters
>>>> milter_default_action = accept
>>>>
>>>> My OpenDkim.conf is
>>>>
>>>> AutoRestart Yes
>>>> AutoRestartRate 10/1h
>>>> LogWhy Yes
>>>> Syslog Yes
>>>> SyslogSuccess Yes
>>>> Mode sv
>>>> Canonicalization relaxed/simple
>>>> ExternalIgnoreList refile:/usr/local/etc/opendkim/TrustedHosts
>>>> InternalHosts refile:/usr/local/etc/opendkim/TrustedHosts
>>>> KeyTable /usr/local/etc/opendkim/KeyTable
>>>> SigningTable refile:/usr/local/etc/opendkim/SigningTable
>>>> SignatureAlgorithm rsa-sha256
>>>> Socket inet:8891@127.0.0.1
>>>> UMask 022
>>>> UserID opendkim:opendkim
>>>> TemporaryDirectory /var/tmp
>>>>
>>>> As I stated it is running... But not signing from a test site...
>>>>
>>>> Any thoughts would be appreciated
>>>
>>> Are files /usr/local/etc/opendkim/TrustedHosts, KeyTable and
>>> SigningTable set up correctly? Do you need to use KeyTable and
>>> SigningTable - this is a more complex setup; standard setup uses
>>> parameters Domain, Selector and KeyFile - see
>>> http://www.opendkim.org/opendkim-README.
>>

-- Christian Kivalo
Re: MAILTO without SIZE=
On October 10, 2019 3:54:50 PM GMT+02:00, "Tobias Köck" wrote:
>Hi,
>
>I have a Postfix set up to relay the messages to an Exchange server.
>
>It declines the mails with
>
>ntern_mail.someurl.de,08D7265A6F30DBE4,12,10.32.68.13:2525,10.32.66.152:49726,*,Tarpit
>for '0.00:00:05' due to '550 5.7.61 SMTP; Anonymous client does not have
>permissions to send as this sender',
>
>It works manually with telnet mail.someurl.de.

Did you test it from your postfix relay or from a different IP?

>I suspect it is because Postfix sends in the Envelope address for some
>reason the SIZE=423 with it
>
>MAIL FROM: SIZE=434,
>
>How can I disable the sending of the SIZE parameter?
>
>Greetings
>Tobias

-- Christian Kivalo
Re: Are sha1 & TLSv1 fully deprecated wrt mail, and time to block them?
On October 13, 2018 5:32:54 PM GMT+02:00, Gary wrote:
>
>https://support.google.com/mail/answer/81126?hl=en
>
>Look at "authenticate your mail" in the above link. Gmail required 1024
>bits. Google market dominance makes it a defacto standard.

They require keys of at least 1024 bits for dkim signatures, more bits are good and accepted.

-- Christian Kivalo
Re: Commenting multi line option
On July 23, 2018 5:00:33 PM GMT+02:00, dur...@mgtsciences.com wrote:
>I would like to know if comments may be used in this fashion. In the
>example below, will the last line 'permit' be seen as part of the
>'smtpd_helo_restrictions' option?
>
>smtpd_helo_restrictions =
>    permit_mynetworks
>#    check_helo_access hash:/etc/postfix/helo_access
>#    reject_invalid_helo_hostname
>#    reject_unknown_helo_hostname
>    permit
>

Yes, permit will be seen as part of smtpd_helo_restrictions in this example. For an explanation of the main.cf file format see http://www.postfix.org/postconf.5.HTML

-- Christian Kivalo
Re: Postfix does not authenticate to relayhost
On 2018-05-16 20:41, Florian Lindner wrote:
> On 16.05.2018 at 15:24, Matus UHLAR - fantomas wrote:
>> On 15.05.18 22:17, Florian Lindner wrote:
>>> May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from host[x.x.x]: 450 4.1.8 <florian@horus.localdomain>: Sender address rejected: Domain not found; from=<florian@horus.localdomain> to=<florian.lind...@xgm.de> proto=ESMTP helo=
>>>
>>> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>>>
>>> What could be wrong here?
>>
>> On 15.05.18 23:12, Florian Lindner wrote:
>>> I understand why there is the Domain not found for horus.localdomain, but not why it blocks the delivery, given my sender_restriction and relay_restrictions.
>>
>> you have reject_unknown_sender_domain in sender restrictions.
>> your DNS servers don't apparently know "horus.localdomain"
>> you should better configure proper sender address in source address.
>
> But there is also permit_sasl_authenticated positioned before reject_unknown_sender_domain. The sending MTA should authenticate to the relay host. I am pretty sure that the problem is not the relay host, but the sending machine. The relay host venus.centershock works just fine as an SMTP drop off with the usual clients, but the sending postfix doesn't even try to authenticate.

Complete postconf -n output from both hosts would help here so just a shot in the dark based on a config snippet from your first message:

> Local configuration is
>
> % postconf -n
> [...]
> mynetworks_style = host
> relayhost = [venus.centershock.net]
> smtp_sasl_password_maps = hash:/etc/postfix/relay
> smtp_sasl_security_options = noanonymous
> smtpd_tls_security_level = encrypt

In your local config have you set smtp_sasl_auth_enable = yes ?

> Thanks,
> Florian

-- Christian Kivalo
Re: WG: Reject but still connection established
On March 1, 2018 6:42:17 AM GMT+01:00, Maurizio Caloro <mauri...@caloro.ch> wrote:
>Hello
>
>I have created an access list to deny, but if I check my situation
>this will connect successfully to my machine
>
>But I think this way needs to negotiate, but it is still not working correctly,
>thanks for any help!
>
>Regards
>
>Mauri
>
>Postfix 2.11.3
>
># cat /etc/postfix/access | grep 103.233.193.106
>
>103.233.193.106 REJECT
>103.233.193.106 REJECT
>181.49.176.106 REJECT
>103.233.193.106 REJECT
>
># cat mail.log
>
>Mar 1 00:18:08 mail postfix/smtpd [2178]: connect from server1.hostict.com[103.233.193.106]
>Anonymous TLS connection established from smtp.elcolombiano.com.co[181.49.176.106]
>Anonymous TLS connection established from server1.hostict.com[103.233.193.106]
>Anonymous TLS connection established from 34725.simplecloud.ru[85.143.218.134]
>
>[main.cf]
>
>smtpd_sender_restrictions = permit_mynetworks,
>## reject_sender_login_mismatch,
>check_client_access hash:/etc/postfix/access,
>check_sender_access hash:/etc/postfix/access,
>
>smtpd_recipient_restrictions = permit_mynetworks,
>check_client_access hash:/etc/postfix/access,
>check_recipient_access hash:/etc/postfix/access,
>..

Did you postmap the /etc/postfix/access file after adding the IP?

-- Christian Kivalo
Re: Try dane and still got "Untrusted TLS connection..."
On 26 October 2017 23:08:16 CEST, Gao <g...@pztop.com> wrote:
>Hi,
>
>I am trying to setup dane on my mail server. But I have never seen a
>"Verified TLS connection..." in the log. I always got:
>Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
>established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2
>with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
>My system is Postfix 3.2.3 on Centos 7.4
># postconf -d | grep mail_version
>mail_version = 3.2.3
>
>main.cf:
>smtp_dns_support_level = dnssec
>smtp_tls_security_level = dane
>smtp_tls_loglevel = 1
>
>DNSSEC has been setup and added TLSA record. Passed test at
>https://www.huque.com/bin/danecheck and https://dane.sys4.de/
>
>TLSA records found: 1
>TLSA: 3 1 1
>f2545e3b5b42c7d309127c3a7f326b509f8bd199daf950d5f5bbf7530c7dc616
>
>Connecting to IPv4 address: 45.62.235.110 port 25
>recv: 220 cac.mydomain.com ESMTP Postfix
>send: EHLO cheetara.huque.com
>recv: 250-cac.mydomain.com
>recv: 250-PIPELINING
>recv: 250-SIZE 1024
>recv: 250-VRFY
>recv: 250-ETRN
>recv: 250-STARTTLS
>recv: 250-ENHANCEDSTATUSCODES
>recv: 250-8BITMIME
>recv: 250 DSN
>send: STARTTLS
>recv: 220 2.0.0 Ready to start TLS
>TLSv1.2 handshake succeeded.
>Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
>Peer Certificate chain:
> 0 Subject CN: cac.mydomain.com
>   Issuer CN: Let's Encrypt Authority X3
> 1 Subject CN: Let's Encrypt Authority X3
>   Issuer CN: DST Root CA X3
> SAN dNSName: cac.mydomain.com
> SAN dNSName: mydomain.com
>DANE TLSA 3 1 1 [f2545e3b5b42...] matched EE certificate at depth 0
>Validated Certificate chain:
> 0 Subject CN: cac.mydomain.com
>   Issuer CN: Let's Encrypt Authority X3
> SAN dNSName: cac.mydomain.com
> SAN dNSName: mydomain.com
>
>[0] Authentication succeeded for all (1) peers.
>
>So I must have missed something... I can't figure it out. Please help.

It looks like you have your inbound DANE config set up and DANE checking systems can utilize DANE to verify your certs.

You will only have "verified" in your logs when you /send/ mail to a DANE enabled domain. Try this service to check your outbound DANE config: https://havedane.net/

>Thanks.
>
>Gao

-- Christian Kivalo
Re: address extension fails for mailman
On 2017-09-29 10:07, thorthor wrote:
> This post should contain the log and main.cf.

Don't attach, post inline

> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

-- Christian Kivalo
Re: Communication between Postfix and Dovecot LDA
On 2017-09-18 14:21, Daniel Ryšlink wrote:
> Hello,
>
> I am trying to solve a problem with error mails clogging my queue on a system with the following components:
>
> Incoming mail -> Postfix -> DSpam -> reinjection back to postfix queue -> Dovecot LDA
>
> The system also handles outgoing mail for non-local users, for any mail address not found in a table of local users, Postfix just tries to deliver it according to the MX records.
>
> However, the Postfix handling the incoming messages for local users (before DSpam) has incomplete information whether the local delivery will be successful. I would like to immediately reject mails for mailboxes that are full, for example, but the Postfix does not have this information. That means that the mail is initially accepted, passed to DSPam, and only the Dovecot LDA finds out that the mailbox is full, and generates an error mail message, that is often not deliverable and clogs the mailqueue.
>
> I would like to reject as many mails as possible during the initial SMTP session, as a part of the "check_recipient_access" phase. Is there any way for Postfix to ask dovecot-lda "Will you be able to locally deliver a message to this user"? I have read the dovecot-lda man page, but did not find any option of "dry" or test delivery.
>
> I understand that Postfix can use a "policy server" - an external script or daemon that could query dovecot for this information, but so far I have failed to find a proper way to query dovecot to find out if a specific mail would be deliverable.

Dovecot provides a quota service, a policy service that can be used by postfix.

Take a look at the dovecot wiki for the quota service: https://wiki2.dovecot.org/Quota

From the wiki:

Quota service

The quota service allows postfix to check quota before delivery:

service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
    # You can choose any port you want
  }
  client_limit = 1
}

And then have postfix check_policy_service check that:

smtpd_recipient_restrictions =
  ...
  check_policy_service inet:mailstore.example.com:12340

For more about this service see https://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/

> I know I will be probably referred to Dovecot mailing lists, but I thought some of you could know the answer.
>
> Thank you in advance for any hint or advice.
>
> --
> Best regards,
>
> Daniel Ryšlink
> System Administrator
>
> Dial Telecom a. s.
> Křižíkova 36a/237
> 186 00 Praha 3, Česká Republika
> Tel.: +420.226204627
> daniel.rysl...@dialtelecom.cz
> ---
> www.dialtelecom.cz
> Dial Telecom, a.s. Simply connect
> -------

-- Christian Kivalo
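What check_policy_service actually sends and receives is easy to lose behind the config snippet above. The following is an added example, not code from the thread, Dovecot or Postfix: a client that speaks the Postfix policy protocol exactly as smtpd does at RCPT TO, against a stand-in policy server that answers from a constructed quota table so the exchange can be run offline. The mailbox sizes, addresses and the 552 reply text are constructed; a real quota-status daemon decides from Dovecot's own quota backend.

```python
"""Postfix check_policy_service exchange, client side as smtpd sends it.

Added example for the Dovecot quota-status discussion; not Dovecot or Postfix
code.  The server here is a stand-in that answers like a quota check would.
"""
import socket
import threading

# Constructed quota table: recipient -> (bytes used, quota in bytes).
MAILBOXES = {
    "alice@example.test": (10_000, 1_000_000),
    "bob@example.test": (1_000_000, 1_000_000),   # already at quota
}


def decide(attrs):
    """Server side: map one request's attributes to a policy action.

    DUNNO means "no opinion", so the remaining smtpd restrictions still run;
    a 5xx text is passed to the SMTP client verbatim by smtpd.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    rcpt = attrs.get("recipient", "").lower()
    if rcpt not in MAILBOXES:
        return "DUNNO"              # not a local mailbox we know about
    used, quota = MAILBOXES[rcpt]
    size = int(attrs.get("size") or 0)   # SIZE from MAIL FROM, 0 if not given
    if used + size > quota:
        return "552 5.2.2 Mailbox is full"
    return "DUNNO"


def serve_one(conn):
    """Handle one connection: requests are name=value lines ended by a blank line."""
    buf = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\n\n" in buf:
                raw, buf = buf.split(b"\n\n", 1)
                attrs = dict(line.split("=", 1)
                             for line in raw.decode().split("\n") if "=" in line)
                conn.sendall(f"action={decide(attrs)}\n\n".encode())


def start_policy_server():
    """Listen on a loopback port (like inet_listener { port = ... }); return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def query_policy(port, sender, recipient, size):
    """Client side: send the attributes smtpd sends at RCPT and return the action."""
    request = (
        "request=smtpd_access_policy\n"
        "protocol_state=RCPT\n"
        "protocol_name=ESMTP\n"
        f"sender={sender}\n"
        f"recipient={recipient}\n"
        f"size={size}\n"
        "\n"                                  # blank line ends the request
    )
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request.encode())
        reply = b""
        while not reply.endswith(b"\n\n"):    # blank line ends the reply too
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    for line in reply.decode().split("\n"):
        if line.startswith("action="):
            return line[len("action="):]
    raise RuntimeError("policy server sent no action")


if __name__ == "__main__":
    port = start_policy_server()
    for rcpt in ("alice@example.test", "bob@example.test", "nobody@example.test"):
        print(rcpt, "->", query_policy(port, "list@example.test", rcpt, 2048))
```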
Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
>I know was postmulti arguments problem, but I want to know is: is this
>postfix version difference or ubuntu make some change, or
>/etc/init.d/postfix has some special?

The Debian / Ubuntu start script probably expects some distribution specific configuration to be in place. Your best bet is to remove the existing init script for postfix and create a systemd unit for your needs.

-- Christian Kivalo
Re: Letsencrypt tip
On 2017-09-11 11:21, Dominic Raferd wrote:
> Does anyone know a way to detect if the certificate currently being used by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up the updated letsencrypt certificate)?

You mean like this from the letsencrypt forum, adapted for submission on port 587 with starttls:

openssl s_client -connect yourdomain.tld:587 -starttls smtp -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -dates

https://community.letsencrypt.org/t/it-there-a-command-to-show-how-many-days-certificate-you-have/11351/2

-- Christian Kivalo
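The openssl pipeline above prints the dates; turning them into an alert is the part a monitoring job needs. The following is an added example (not from the thread, Postfix or Dovecot): days_left() parses the "notAfter=" line that openssl x509 -noout -dates prints, and remaining_days_starttls() fetches the same date live over SMTP STARTTLS, which is what catches a daemon still serving an old certificate after the file on disk was renewed. The hostname in the main block and the 14-day warning threshold are assumptions.

```python
"""Days until the certificate a STARTTLS submission port presents expires.

Added example for the Let's Encrypt tip thread; not code from the thread,
Postfix or Dovecot.  Hostname and warning threshold are assumptions.
"""
import smtplib
import ssl
from datetime import datetime, timezone


def days_left(not_after, now=None):
    """Whole days until expiry (negative once expired).

    Accepts the 'notAfter=Sep  9 12:00:00 2017 GMT' line from
    'openssl x509 -noout -dates' or the bare date that getpeercert() returns.
    'now' may be supplied for testing; defaults to the current UTC time.
    """
    if not_after.startswith("notAfter="):
        not_after = not_after[len("notAfter="):]
    # ssl.cert_time_to_seconds understands OpenSSL's "%b %d %H:%M:%S %Y GMT".
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def remaining_days_starttls(host, port=587, timeout=10):
    """Connect like a submission client, upgrade with STARTTLS and report the
    days left on the certificate the daemon actually serves.

    Verification uses the system trust store (ssl.create_default_context), so
    a renewed file that Postfix/Dovecot never reloaded still shows its old
    expiry here, which is exactly the case the thread is worried about.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()      # dict; 'notAfter' is an OpenSSL date
    return days_left(cert["notAfter"])


def needs_renewal(days, warn_days=14):
    """Let's Encrypt renews about 30 days before expiry, so anything inside
    warn_days (assumed: 14) means the renewed certificate was not picked up."""
    return days < warn_days


if __name__ == "__main__":
    host = "mail.example.test"              # placeholder, not from the thread
    d = remaining_days_starttls(host)
    print(f"{host}: {d} days left" + (" - RENEW OR RELOAD" if needs_renewal(d) else ""))
```

Run it from cron and page on needs_renewal(); check port 993/995 the same way for Dovecot's implicit-TLS listeners by wrapping a plain socket with ctx.wrap_socket() instead of STARTTLS.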
Re: 451 4.3.5 Server configuration error
>   user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail    unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -       pipe
>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix -  n     n       -       2       pipe
>   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
> mailman   unix  -       n       n       -       -       pipe
>   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
> policyd-spf unix -      n       n       -       0       spawn
>   user=policyd-spf argv=/usr/bin/policyd-spf
> spamassassin unix -     n       n       -       -       pipe
>   user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>
> ___
> Daniel A. Rodriguez
> Departamento de Tecnología para la Gestión
> Escuela Provincial de Educación Técnica N° 1
> Posadas - Misiones - Argentina
> (0376) 443-8578
> www.epet1.edu.ar

-- Christian Kivalo
Re: 451 4.3.5 Server configuration error
On 2017-08-30 14:51, Daniel Armando Rodriguez wrote:
> Hi, I'm getting such message logged after the warning:
>
> unknown smtpd restriction: "milter_default_action"
>
> Note that options in master.cf are without spaces around the "=". All incoming mail is rejected. What I'm trying to achieve is to get dkim validation working, following this guide https://wiki.debian.org/opendkim

It helps to show your configuration. See http://www.postfix.org/DEBUG_README.html#mail

Send the output of
postconf -n
postconf -Mf

> regards in advance

-- Christian Kivalo
Re: sender_access question
> Thanks for any support.
>
> Mark

-- Christian Kivalo
Re: postfix log in mysql
On 28 August 2017 05:51:10 CEST, Kev <savage-gar...@hanikamail.com> wrote:
>Hi postfixers,
>
>We have spam filter servers for our down, 5 of them to be exact. we use
>amavisd, bitdefender & clamav for spam and virus filter.
>
>we have a self help portal done in php/mysql for users to manage
>whitelist/blacklist etc, now i want to allow users to check their email
>logs so they can find if any wanted email is blocked,
>
>so the question is, how can i log postfix to a mysql db where i can
>write an interface for users to search for email and see what did the
>blocking, such as rbl, amavis etc ?
>
>ive seen some solutions to use syslog in to mysql but i was thinking
>something much simpler where i will still have logs in place even if
>mysql fails.

Most syslog daemons can write to more than one output stream so besides absorbing your logs with mysql additionally you could keep logging to file and have your logs as normal.

>rgds

-- Christian Kivalo
Re: pickup/maildrop being used to spam through my machine.
On 13 June 2017 10:28:39 CEST, Homer Wilson Smith <homerwsm...@lightlink.com> wrote:
>
> Running postfix 2.3.3 CentOS 5.x
>
> This is a simple apache 2 web server running postfix for
>incoming mail for shell users on the same server. Very low key,
>almost no traffic, outside is not allowed to connect to the
>postfix on this machine.
>
> This machine only handles shell users on its own domain,
>adore.lightlink.com and mail addressed or forwarded to it from our other
>real mail servers that talk to the outside world.
>
> Suddenly I find adore's mailq queue filled with spam, each having
>a pickup line in the logs, but no indication where it comes from,
>probably the web server as the from username is apache, but so far no
>correlation between web logs and time stamp on pickup line.
>
> This machine is also running an innd news server if it makes
>any difference, innd 2.x
>
> Can someone tell me about possible injection routes into the
>maildrop directory and how to stop it if I can't
>find the web page doing it.

Start with restricting which users are allowed to locally submit mail
authorized_submit_users http://www.postfix.org/postconf.5.html#authorized_submit_users

> Thanks Homer
>
>Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48 from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48 from=
>... on and on and on thousands etc.

-- Christian Kivalo
Re: gmail servers on blacklists?
On 2017-03-17 22:47, David Mehler wrote:
> Hello,
>
> Thank you.

Hi

Please reply to the list

> I have postwhite running, not sure if it's updating? Do you run postwhite and if so do you have an update procedure so you always have the updated postwhite?

I use it but do updates manually. Doing it automatically is on a todo list ;)

> Thanks.
> Dave.
>
> On 3/17/17, Christian Kivalo <ml+postfix-us...@valo.at> wrote:
>> On 2017-03-17 22:12, David Mehler wrote:
>>> Hello,
>>>
>>> I'm starting to see blocks on my messages to my mail server. For some reason postscreen is not letting any gmail servers send mail, it's blocking them. Has anyone got an idea or have you seen this?
>>
>> You could use postwhite https://github.com/stevejenkins/postwhite to whitelist gmail. The map is created by postwhite from gmail's spf records.
>>
>> -- Christian Kivalo

-- Christian Kivalo
Re: gmail servers on blacklists?
On 2017-03-17 22:12, David Mehler wrote:
> Hello,
>
> I'm starting to see blocks on my messages to my mail server. For some reason postscreen is not letting any gmail servers send mail, it's blocking them. Has anyone got an idea or have you seen this?

You could use postwhite https://github.com/stevejenkins/postwhite to whitelist gmail. The map is created by postwhite from gmail's spf records.

-- Christian Kivalo
Re: Question on embedded variables in postconf command
On 7 March 2017 20:00:55 CET, Robert Moskowitz wrote:
>After a bit of reflection, I may have asked the wrong question. Perhaps
>a better question is does the substitution take place on processing the
>option?

What about testing the assumption? Build the configuration and try to make a tls secured connection, it either works or you will see the error in your logs.

Just changed my configuration to use the $myhostname variable for the cert filename and that works very well. Thanks for the idea.

>thanks
>
>On 03/07/2017 01:59 PM, Robert Moskowitz wrote:
>> Is there a way to get the following:
>>
>> postconf -e 'smtpd_tls_key_file = /etc/pki/tls/private/$myhostname.key'
>>
>> To work and substitute the value for $myhostname?
>>
>> I am building a new server and writing up my scripts and I am trying
>> to adhere to the lessons I learned here some 2+ years ago. And trying
>> to be better than I was then...
>>
>> Thank you.

-- Christian
Re: dovecot cram-md5 setting break sending emails
p://www.postfix.org/DEBUG_README.html

-- Christian Kivalo
Re: send an email with specified sender/recipient address to different servers
On 2017-02-22 16:51, Zalezny Niezalezny wrote:
> Hi,
>
> I just would like to know how I may send specified messages to different hosts.
>
> /etc/postfix/transport
>
> domain.com relay:mx-domain.local
> * host
>
> All E-mails To: u...@domain.com system sending to mx-domain.local. This is working fine. But what should I do, if I would like to send an e-mail To: user_...@domain.com to some other system with IP 10.204.2.2 ? What should I do ?

add the emailaddress and nexthop definition to transport_maps before the domain.com entry

user_...@domain.com smtp:10.204.2.2
domain.com relay:mx-domain.local
* host

see transport(5) section Table Search Order http://www.postfix.org/transport.5.html

> The same question for senders. How to send message From: sender@domain.example not via my default gateway ("* host" like the rest of not defined E-mails ) but via some other system "host2" ? How to properly do it ?

i think sender_dependent_transport_maps should do it http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

> Thanks in advance for Your support.
>
> Cheers
> Zalezny

-- Christian Kivalo
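The answer leans on the "Table Search Order" section of transport(5); the following added example (not Postfix code, not from the thread) models that order so the per-user entry can be seen winning over the domain entry and the `*` catch-all. It uses the three-line table from the reply, with the obfuscated recipient written out as the placeholder user_one@domain.com; it assumes recipient_delimiter is "+" and that transport_maps is not listed in parent_domain_matches_subdomains (the default), so subdomains only match a ".domain" entry. For an indexed table such as hash: this order is fixed by the lookup, not by the position of the line in the file.

```python
"""Resolve a recipient through a transport_maps table in transport(5) order.

Added example modelling the lookup order described in transport(5); it is not
Postfix's own code.  Table entries and the recipient are from the thread, with
the obfuscated user written as the placeholder user_one.
"""

TRANSPORT = {
    "user_one@domain.com": "smtp:10.204.2.2",   # the per-user entry from the reply
    "domain.com": "relay:mx-domain.local",      # the rest of the domain
    ".domain.com": "relay:mx-domain.local",     # subdomains (assumed; needs its
                                                # own entry without
                                                # parent_domain_matches_subdomains)
    "*": "host",                                # catch-all from the thread
}


def transport_lookup_keys(address, delimiter="+"):
    """Yield the keys transport(5) tries for an indexed table, most specific first:

    user+extension@domain, user@domain, domain, then each parent domain as
    .parent, and finally '*'.
    """
    local, _, domain = address.rpartition("@")
    local, domain = local.lower(), domain.lower()
    yield f"{local}@{domain}"                       # user+extension@domain (or user@domain)
    if delimiter and delimiter in local:
        yield f"{local.split(delimiter, 1)[0]}@{domain}"   # user@domain without extension
    yield domain                                    # domain
    labels = domain.split(".")
    for i in range(1, len(labels)):                 # .parent, .grandparent, ...
        yield "." + ".".join(labels[i:])
    yield "*"


def resolve_transport(address, table=TRANSPORT):
    """Return (matching_key, 'transport:nexthop') or (None, None) if nothing matched."""
    for key in transport_lookup_keys(address):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for rcpt in ("user_one@domain.com", "user_one+list@domain.com",
                 "someone@domain.com", "x@mail.domain.com", "x@elsewhere.example"):
        key, target = resolve_transport(rcpt)
        print(f"{rcpt:30} matched {key!r:25} -> {target}")
```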
Re: Postfix, Dmarc, and Dkim for multiple domains
On 21 February 2017 19:52:42 CET, David Mehler <dave.meh...@gmail.com> wrote:
>Hello,
>
>I'm not sure if this is the right place to ask this question, but it
>is mail related.
>
>I've got Postfix 3.1, and two milter filters dkim (with OpenDKIM), and
>dmarc (with OpenDMARC). At the time of initial setup I had one virtual
>mailbox domain and things were working fine.
>
>Now I've added two more virtual mailbox domains and need to configure
>both opendkim and opendmarc to handle them. I believe I have this with
>OpenDKIM here's the config:
>
>AllowSHA1Only no
>AlwaysAddARHeader yes
>AuthservID hostname.example.com
>AutoRestart Yes
>AutoRestartRate 5/1h
>Canonicalization relaxed/simple
>ExternalIgnoreList refile:/usr/local/etc/mail/TrustedHosts
>InternalHosts refile:/usr/local/etc/mail/TrustedHosts
>KeyTable /usr/local/etc/mail/KeyTable
>MinimumKeyBits 2048
>Mode sv
>PidFile /var/run/milteropendkim/opendkim.pid
>SigningTable /usr/local/etc/mail/SigningTable
>Socket inet:8891@localhost
>SoftwareHeader yes
>SubDomains yes
>Syslog Yes
>SyslogSuccess yes
>UserID opendkim
>
># OPENDKIM TRUSTED HOSTS
>127.0.0.1
>::1
>localhost
>host.example.com
>example.com
>host.example2.com
>example2.com
>host.example3.com
>example3.com
>
># KeyTable
>selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
>selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
>selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector
>
># SigningTable
>example.com selector._domainkey.example.com
>example2.com selector._domainkey.example2.com
>example3.com selector._domainkey.example3.com
>
>With regards dkim will having an AuthservID of hostname.example.com
>mess up dkim checks for any of the other virtual mailbox domains as
>they are all on the one server?

No.

If you don't set the AuthservID configuration parameter the name of the MTA is used; when looking at the emails in my inbox this is the system's hostname. The AuthservID has nothing to do with your virtual domains and is just a label that e.g. opendmarc uses to get the input for its decisions; when checking SPF there is probably another AR header with the same authservid name.

>I am not sure how to do this using opendmarc as I can't use a table.

Why would you need a table for opendmarc? Opendmarc uses the authentication-result headers of SPF and dkim checks and then retrieves the sending domain's dmarc policy from DNS and makes its decision based on that information.

>If anyone has this working with these filters please let me know.

I'm running such a setup with 6 domains for which I dkim sign and I receive for 11 domains. The AuthservID is the receiving system's hostname (postfix $myhostname and the real fqdn are the same, did not test which name is used when they differ)

--
Christian Kivalo

>
>Thanks.
>Dave.
Re: SASL LOGIN authentication failed: no mechanism available
On 2017-02-09 09:09, Nick - ServerBuddies Support wrote:
> Hello guys,
>
> For some reason I'm unable to send any email from this postfix server, I'm getting the following error:
>
> Feb 9 03:00:35 buf postfix/smtpd[6424]: warning: SASL PLAIN authentication failed: no mechanism available

For debian install the package libsasl2-modules

--
Christian Kivalo
Re: can't get postfix to send on port 587
On 2017-01-22 23:29, Steven Borrelli wrote:
> @domain.name in-v3.mailjet.com

sender_dependent_relayhost_maps is used to override your relayhost setting. Your relayhost setting [in-v3.mailjet.com]:587 was overruled by in-v3.mailjet.com (port 25).

Remove the sender_dependent_* settings and all your mail will be sent through your configured relayhost.

> On Sun, Jan 22, 2017 at 3:59 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>> On 1/22/2017 3:47 PM, Steven Borrelli wrote:
>>> Hello all,
>>>
>>> I've got Postfix 3.1.3 running on FreeBSD 10.3-STABLE (last updated 1/2/17) at home, where my ISP blocks port 25, so I'm trying to go through Mailjet's SMTP relay. All the required settings as directed by Mailjet's online support are in place for sending on port 587 but Postfix is not even trying to send on port 587, as my /var/log/maillog regularly shows messages like this with every mail attempt:
>>>
>>> [...] status=deferred (delivery temporarily suspended: connect to smtp-ovhfr11.mailjet.com[5.196.43.135]:25: Operation timed out)
>>>
>>> My question: What part of my configuration is telling it not to send on port 587?
>>>
>>> Any help is appreciated.
>>
>> So what's in here?
>>
>> sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
>>
>> -- Noel Jones
>
> Thanks,
> Steve
>
>>> Below is a snippet of my main.cf:
>>>
>>> # TLS
>>> smtpd_use_tls = yes
>>> smtpd_tls_security_level = may
>>> smtpd_tls_auth_only = yes
>>> smtpd_tls_key_file = /usr/local/etc/postfix/myserver.key
>>> smtpd_tls_cert_file = /usr/local/etc/postfix/server.crt
>>> smtpd_tls_loglevel = 1
>>> smtpd_tls_received_header = yes
>>> smtpd_tls_session_cache_timeout = 3600s
>>> tls_random_source = dev:/dev/urandom
>>> smtpd_tls_ask_ccert = yes
>>> # SASL
>>> smtpd_sasl_type = dovecot
>>> broken_sasl_auth_clients = yes
>>> smtpd_sasl_path = private/auth
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_security_options = noanonymous
>>> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
>>> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
>>> # Forward all SMTP to Mailjet
>>> relayhost = [in-v3.mailjet.com]:587
>>> smtp_sender_dependent_authentication = yes
>>> sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
>>> smtp_sasl_auth_enable = yes
>>> smtp_sasl_security_options = noanonymous
>>> smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl-passwords
>>>
>>> And here is a snippet of my master.cf:
>>>
>>> smtp      inet  n       -       n       -       -       smtpd
>>> #smtp     inet  n       -       n       -       1       postscreen
>>> #smtpd    pass  -       -       n       -       -       smtpd
>>> #dnsblog  unix  -       -       n       -       0       dnsblog
>>> #tlsproxy unix  -       -       n       -       0       tlsproxy
>>> submission inet n       -       n       -       -       smtpd
>>>   -o syslog_name=postfix/submission
>>>   -o smtpd_enforce_tls=yes
>>>   -o smtpd_tls_security_level=encrypt
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_reject_unlisted_recipient=no
>>> #  -o smtpd_client_restrictions=$mua_client_restrictions
>>> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>>> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>>   -o milter_macro_daemon_name=ORIGINATING
>>> #smtps     inet  n       -       n       -       -       smtpd
>>> #  -o syslog_name=postfix/smtps
>>> #  -o smtpd_tls_wrappermode=yes
>>> #  -o smtpd_sasl_auth_enable=yes
>>> #  -o smtpd_reject_unlisted_recipient=no
>>> #  -o smtpd_client_restrictions=$mua_client_restrictions
>>> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>>> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>>> #  -o smtpd_recipient_restrictions=
>>> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>> #  -o milter_macro_daemon_name=ORIGINATING

--
Christian Kivalo
Re: SSL_accept error from other MTA
On 14 January 2017 09:40:22 CET, Admin Beckspaced <ad...@beckspaced.com> wrote:
>Dear postfix users,
>
>I'm running Postfix version 2.11.6 on an OpenSUSE 42.1 box and all is
>running sweet & fine ;)
>Except a customer calls me that he can't receive emails from one of his
>partners.
>
>After looking for the partner email I found those log entries:
>
>2017-01-14T00:31:28.312121+01:00 cx20 postfix/smtpd[12579]: connect from mail.kommunalunternehmen.de[217.6.53.146]
>2017-01-14T00:31:28.419190+01:00 cx20 postfix/smtpd[12579]: SSL_accept error from mail.kommunalunternehmen.de[217.6.53.146]: Connection reset by peer
>2017-01-14T00:31:28.420304+01:00 cx20 postfix/smtpd[12579]: lost connection after STARTTLS from mail.kommunalunternehmen.de[217.6.53.146]
>2017-01-14T00:31:28.420870+01:00 cx20 postfix/smtpd[12579]: disconnect from mail.kommunalunternehmen.de[217.6.53.146]
>
>and those log entries repeat and repeat. From what I can also see in the
>logs it seems to be an exchange mail server:
>
>2017-01-13T14:17:55.649227+01:00 cx20 postfix/cleanup[3703]: 960DA1A198A: message-id=<96C90C91ED31E24D8985DCEF2658CA0923EFD130@ku-exchange-02.kommunalunternehmen.local>
>
>is this a buggy or wrong configured MTA which has problems with TLS on
>port 25?
>
>All other MTA's don't seem to have any problems with TLS / STARTTLS.
>
>What can I do to fix this problem? Let the other MTA know that they got
>an issue with their TLS setup?
>
>Thanks & greetings
>Becki
>
>Here's my postconf, using a valid certificate from letsencrypt
>
>linux:~ # postconf -n | grep tls
>smtp_enforce_tls = no
>smtp_tls_CAfile =
>smtp_tls_CApath =
>smtp_tls_cert_file = /fullchain.pem
>smtp_tls_key_file = /privkey.pem
>smtp_tls_loglevel = 0
>smtp_tls_session_cache_database =
>smtp_use_tls = yes
>smtpd_tls_CAfile =
>smtpd_tls_CApath =
>smtpd_tls_ask_ccert = no
>smtpd_tls_cert_file = /fullchain.pem
>smtpd_tls_key_file = /privkey.pem
>smtpd_tls_loglevel = 0
>smtpd_tls_received_header = no
>smtpd_use_tls = yes
>tls_random_source = dev:/dev/urandom

You could set smtpd_tls_loglevel = 1 and get some more information on the next connection attempt.

Without knowing more details I'd say you have no cipher in common, that could be when you're dealing with an ancient version of exchange or some crappy middlebox.

--
Christian Kivalo
Re: Dovecot + Postfix: virtual users Mailbox folder
On 13 January 2017 16:27:23 CET, mohamed <mohamedmaalej@gmail.com> wrote:
>I checked the mail log in /var/log and discovered that no errors
>happened when sending the e-mail. However, I couldn't figure out where
>the incoming e-mails will be stored in the system (I'm on Ubuntu 16.04 LTS).

Hard to guess an answer...

Show logs for one message and the output of postconf -n.

--
Christian Kivalo
Re: Forwarding all mail to office365.com exchange server.
> I have several things like printers and applications that send email to a local linux host running postfix, and I need to get that postfix instance to forward all of its email to the Office365.com Exchange server via an authenticated connection.
>
> I have an account that we have used for system email previously. It's set up as a normal email user.
>
> I have configured postfix so that it will not deliver any mail locally.
>
> I have set the relayhost to [smtp.office365.com]:587
>
> I have created a smtp_sasl_passwd file that has the following contents (redacted where necessary)
>
> [smtp.office365.com]:587 kem...@mydomain.com:PASSWORD
>
> This connects just fine, and rewrites the mail sender when I send email from the local postfix host.
>
> I have added the following lines to main.cf to try and get mail from other hosts to forward:
>
> sender_canonical_classes = envelope_sender,header_sender
> sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
>
> the sender_canonical_maps looks like this:
>
> /.+/ kem...@mydomain.com
>
> and I have remembered to run postmap on all of the mapping files I have tried over the last week or so of trying this.
>
> but for some reason, no email from any other host or device ever gets through.

Have you read http://www.postfix.org/ADDRESS_REWRITING_README.html ?

For better help show logs of one message that passes through your system.

> If someone has a working example of a main.cf that is configured to relay mail from local systems and devices to office365.com through an authenticated connection, I would really love to see it. I'm tired of banging my head on the wall.
>
> Below is my postconf -n output. I have tried several permutations on this, so just because you don't see something obvious in that info, believe me, I probably tried it. At any rate, anything I tried failed, so I'm ready to try out all suggestions.
>
> postconf -n output:
>
> [2299]# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debug_peer_list = smtp.office365.com
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
> html_directory = no
> inet_protocols = all
> local_recipient_maps =
> local_transport = error:local mail delivery is disabled
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 2048
> mydestination =
> myhostname = pet-mail-01.enphaseenergy.com
> myorigin = enphaseenergy.com
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
> relay_domains = enphaseenergy.com
> relayhost = [smtp.office365.com]:587
> sample_directory = /usr/share/doc/postfix-2.10.1/samples
> sender_canonical_classes = envelope_sender,header_sender
> sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps

Take a look at the documentation for sender_canonical_maps http://www.postfix.org/postconf.5.html#sender_canonical_maps and canonical_maps http://www.postfix.org/postconf.5.html#canonical_maps

I suspect you probably need to set local_header_rewrite_clients http://www.postfix.org/postconf.5.html#local_header_rewrite_clients for your rewriting of mails from remote hosts to be made.

> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_always_send_ehlo = yes
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_passwd
> smtp_sasl_security_options =
> smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
> smtp_tls_ciphers = export
> smtp_tls_mandatory_ciphers = high
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = encrypt
> smtp_use_tls = yes
> unknown_local_recipient_reject_code = 550
>
> -
> Thanks,
> James "Zeke" Dehnert
>
> --
> mailto:jdehn...@dehnert.com James "Zeke" Dehnert
> -= Eschew Obfuscation =-
> "Life is racing. Everything else is just waiting"

--
Christian Kivalo
Re: Suppress connection logging for IP
On 2 December 2016 20:39:58 CET, Ray Dzek <ray.d...@specialized.com> wrote:
>Hi,
>
>We have a load balancer that opens a connection to the SMTP port on our
>postfix boxes to ensure the ports are alive and kicking. But obviously,
>this generates a lot of log clutter that is not needed. How would I go
>about suppressing the connect from... / disconnect from... log entry
>for this particular IP?

Configure your syslog daemon to discard these messages from the stream.

>
>Thanks in advance,
>
>Ray

--
Christian Kivalo
Re: Open relay
On 22 October 2016 08:18:36 CEST, Tomoyuki Murakami <tomoy...@pobox.com> wrote:
>
>On Fri, 21 Oct 2016 22:15:32 +0200, Paul van der Vlis
><p...@vandervlis.nl> wrote:
>> Hello,
>
>> Some settings and logs:
>>
>> smtpd_relay_restrictions =
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     check_sender_access hash:/etc/postfix/whitelist,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_sender_domain,
>>     reject_unknown_recipient_domain,
>>     reject_unauth_pipelining,
>>     reject_unauth_destination,
>>     check_policy_service unix:private/shadelist,
>>     reject_rbl_client bl.spamcop.net,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client ix.dnsbl.manitu.net,
>>     permit
>
>permit after all ?

Yes.

- Permit the stuff that shouldn't be rejected (mynetworks, sasl authenticated)
- Perform various checks and reject the things you don't like
- Permit everything that made it through that obstacle course

--
Christian Kivalo
Re: Hardening relay and sender-specified routing
On 20 October 2016 07:57:58 CEST, Ross Naheedy <lsl...@gmail.com> wrote:
>I am having a peculiar issue in not being able to lock down my postfix
>2.10. This is on a server that is on the Internet and must receive
>emails and relay email for authenticated users. My main.cf relevant
>portions look like this:
>
>myhostname=example.com
>mydomain=example.com
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>smtpd_recipient_restrictions = permit_sasl_authenticated,
>permit_mynetworks, reject_unauth_destination
>smtpd_relay_restrictions = permit_sasl_authenticated,
>permit_mynetworks, reject_unauth_destination
>
>Looking at my maillog, it looks like the server is being used as a
>relay, although I'm not sure why. I checked some of the messages
>in /var/spool/postfix/defer and here's one of them (with my domain
>being example.com)
>
><8467-6900600747-824-sales=example@mail.gretofrr.us>: connect to
>mail.gretofrr.us[2400:cb00:2048:1::681b:8eb4]:25: Connection timed out
>recipient=8467-6900600747-824-sales=example@mail.gretofrr.us
>offset=707
>dsn_orig_rcpt=rfc822;8467-6900600747-824-sales=example@mail.gretofrr.us
>status=4.4.1
>action=delayed
>reason=connect to mail.gretofrr.us[2400:cb00:2048:1::681b:8eb4]:25:
>Connection timed out
>
>It looks to me that postfix accepted a message destined to
>8467-6900600747-824-sales=example@mail.gretofrr.us and is
>attempting to deliver it. Looks to me a different form of
>sender-specified routing based on what I've read here:
>http://www.postfix.org/postconf.5.html#reject_unauth_destination
>
>I must be doing something wrong, but for the life of me I cannot figure
>it out.

Please post postconf -n and, if you have them, logs for one of those messages entering your system

>
>Thanks,
>Ross.

--
Christian Kivalo
Re: WoSign/StartCom CA in the news
On 28 September 2016 10:25:42 CEST, li...@lazygranch.com wrote:
>I don't want take this thread off course, but suggestions for low cost
>certs would be appreciated. I don't like how Let's Encrypt works, else
>that would be the obvious solution.

I get mine through https://www.ssls.com

>Domain registration isn't free. Server time isn't free. Something like
>$20 a year would be fine. I already have a self signed cert for email,
>but would like to eventually encrypt my websites and attempt
>dnssec/dane.
>
>When Symantec first announced that they would compete with Let's
>Encrypt, I signed up with them. But it looks like their free cert
>program is more like you need to recruit customers for them.
>
> Original Message
>From: Sven Schwedas
>Sent: Wednesday, September 28, 2016 1:10 AM
>To: postfix-users@postfix.org
>Subject: Re: WoSign/StartCom CA in the news
>
>On 2016-09-28 00:31, Giovanni Harting wrote:
>> Correct me if I'm wrong, but that document you describe issued by
>> Mozilla and others, doesn't it state that it would only affect new
>> issued certs after a certain date?
>
>Yes, but most StartSSL/WoSign certificates are only valid for a year or
>less. So customers should start looking for alternative providers
>*now*, because a year-long block will affect almost all of them.
>
>> On 09/28/16 at 00:29, Viktor Dukhovni wrote:
>>> WoSign (who seemingly purchased StartCom) seem to have run into
>>> some compliance issues as reported by Firefox:
>>>
>>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>>
>>> Many SMTP servers are using certs from StartCom. In my DANE
>>> adoption survey, out of 2201 certificates used by DANE MX
>>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>>> just over 20% of observed certificates. While the rate is
>>> likely different for the larger SMTP ecosystem (DANE users
>>> are bleeding edge, not representative at this time), I expect
>>> that these CAs are still quite popular overall.
>>>
>>> If you're using StartCom/WoSign certs, and rely on them being
>>> verified by MUAs and/or peer MTAs, you may want to make
>>> contingency plans if Mozilla and perhaps others go through
>>> with delisting (or disabling) the related root CAs from
>>> their trusted CA bundles.
>>>
>>
Re: greylist doesn't seem to be working? Setup correctly.
On 2016-06-06 11:54, Robert Chalmers wrote:
> I have set up the greylist policy, exactly according to the postfix docs, but nothing seems to be getting generated in /var/mta - no database that is.
>
> When reloading I get this.
>
> postconf: warning: /usr/local/etc/postfix/main.cf: unused parameter: greylist_time_limit=3600
>
> However, the documents say to put it in.
>
> # Greylist policy server
> #
> greypolicy unix - n n - 0 spawn user=nobody:mail argv=/opt/local/bin/perl /usr/local/libexec/postfix/greylist.pl
> #
>
> and in main.cf
>
> /etc/postfix/main.cf:
>     greylist_time_limit = 3600
>     smtpd_recipient_restrictions =
>         ...
>         reject_unauth_destination
>         check_policy_service unix:private/greylist
>         ...
>     # smtpd_policy_service_request_limit = 1
>
> But ok, I remove the greylist_time_limit = 3600 and proceed, but there is no greylist.db being generated?
>
> Is greylisting a good thing?

I removed greylisting from my setup, it needlessly slows things down and postscreen does most of the work already. I wouldn't bother setting it up.

> What am I doing wrong?
>
> thanks
> Robert Chalmers
> rob...@chalmers.com.au
> Mac mini 6.2 - 2012, Intel Core i7, 2.3 GHz, Memory: 16 GB. El-Capitan 10.11. XCode 7.2.1
> 2TB: Drive 0: HGST HTS721010A9E630. Upper bay. Drive 1: ST1000LM024 HN-M101MBB. Lower Bay

--
Christian Kivalo
Re: Is there a Check my IPv6 Email server out there anywhere?
On 2016-05-31 15:36, Robert Chalmers wrote:
> I have a message from en.internet.nl advising me that "Modern internet address? Not reachable or improvements possible (IPv6)" -> "Unfortunately, this e-mail domain can NOT be reached by senders using modern IPv6 addresses or there is an error in its configuration. It is NOT yet part of the modern Internet. You should ask your e-mail provider to enable IPv6 or to fix the issues in its configuration."
>
> So I'm trying to figure out just what it is that's wrong with it. I've had something of a similar message from Gmail.
>
> My service provider only recently enabled IPv6 for customers, and although I'm pretty far along with it, I could use a checking server somewhere that actually delved into it a bit.
>
> Does Postfix need anything special - I can't see anything in the docs.

Have you assigned an IPv6 address to your server? Is it reachable on that address? Can you ping6 e.g. www.google.com from your server?

Take a look at http://www.postfix.org/postconf.5.html#inet_protocols

Please share your postconf -n

> Thanks
> Robert

--
Christian Kivalo
RE: Need clarification of lookup table result values
On 2016-05-29 06:34, Michael Fox wrote:
>> What is a valid result depends on what the result is used for: an access table expects results as described in the access(5) manpage, a virtual aliases table expects the results as described in the virtual(5) manpage, a transport table expects results as described in the transport(5) manpage, the local aliases table expects results as described in the aliases(5) manpage. You get the idea.
>
> Generally speaking, yes. But it's not so clear (to me) when applying to a specific case, like postscreen_access.
>
>>> 2) Is there a difference between "OK" and "permit"? If so, what?
>>> 3) When can/should text follow the "reject"
>>
>> Those things are described in the access(5) manpage.
>
> Hmmm ... I don't see it. The access(5) manpage lists many valid result formats, including OK. Regarding OK and permit, it says:
>
> OK Accept the address etc. that matches the pattern.
>
> ... and then the only mention of permit is:
>
> restriction... Apply the named UCE restriction(s) (permit, reject, reject_unauth_destination, and so on).
>
> So I don't see the answer. In fact, OK doesn't seem to make sense for postscreen_access. After all, OK what? OK blacklist the address? OK whitelist the address?

Take a look at this http://www.postfix.org/postconf.5.html#postscreen_access_list

> I realize the difficulty of documenting something that's so infinitely flexible. But without saying more explicitly what's allowed and what's not, there's just too much indirection (for me) to follow.
>
> So, back to my original question ... for postscreen_access.cidr:
> -- what would be the difference in behavior between using "OK" vs. "permit"?
> -- when can/should text follow the reject?
>
> Also, I can't find anywhere that says if the case matters. Is "PERMIT" equivalent to "permit"?
>
> Thanks,
> Michael

--
Christian Kivalo
Re: Blocking email from specific IPs
On 2016-05-14 21:27, Viktor Dukhovni wrote:
> On May 14, 2016, at 3:21 PM, Christian Kivalo <ml+postfix-us...@valo.at> wrote:
>
>> smtpd_recipient_restrictions =
>> ...
>> check_client_access hash:/etc/postfix/client_checks,
>> ...
>>
>> $ cat /etc/postfix/client_checks
>> ...
>> 138.185.116.0/24 REJECT
>>
>> This looks correct.
>
> And yet it is wrong, look closely.

Thanks, missed it.

The access(5) manpage has an example for this

1.2.3 REJECT

The client_checks file should then be like

138.185.116 REJECT

For IP address ranges probably better use a cidr_table(5).

Still: logs showing it not working are highly welcome.

--
Christian Kivalo
Re: Blocking email from specific IPs
On 2016-05-14 19:37, Noah wrote:
> Hi there,
>
> I am hoping to have a blacklist file that stops postfix from accepting email from specific IP or IP ranges. I follow this tutorial and it does not work. I still receive email from the IP addresses in the range:
>
> http://www.linuxlasse.net/linux/howtos/Blacklist_and_Whitelist_with_Postfix
>
> Is there an option out there that actually works?
>
> From my main.cf:
>
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/client_checks, check_policy_service inet:127.0.0.1:10023
>
> www-virt 17:34:12 /var/log $ cat /etc/postfix/client_checks
> # Restricts which clients this system accepts SMTP connections from.
> example.com REJECT No spammers
> .example.com REJECT No spammers, from your subdomain
> 138.185.116.0/24 REJECT

This looks correct.

You did postmap the client_checks file? You did a postfix reload?

Provide logs that show it's used / not working and the postconf -n output

How did you check it's working/not working?

> Cheers,
> Noah

--
Christian Kivalo
Re: Goal: Setup transport that runs a header check to strip out specific header for emails from specific source
On 2016-05-07 19:16, /dev/rob0 wrote:
> On Sat, May 07, 2016 at 11:05:07AM +0200, Christian Kivalo wrote:
>> On 2016-05-07 10:27, Viktor Dukhovni wrote:
>>> On Sat, May 07, 2016 at 09:59:00AM +0200, Christian Kivalo wrote:
>>>
>>>>> Looking at those emails, I see that
>>>>> calendar-notificat...@google.com is the source address. I added
>>>>> the entry to my check_sender_access table with an action of
>>>>> 'FILTER strip-automated-headers:'
>>>>
>>>> You could probably get it working with a restriction class.
>>>>
>>>> check_sender_access hash:/path/to/sender_access
>>>>
>>>> smtpd_restriction_classes: strip_automated_headers
>>>>
>>>> strip_automated_headers =
>>>>     header_checks = pcre:/path/to/strip_automated_headers.pcre
>>>
>>> No. This can't work.
>>
>> Ok, so I'm wrong. Could you explain why?
>
> Restriction classes are groups of smtpd(8) restrictions.
> header_checks(5) is not a smtpd restriction. In fact it's not even
> implemented in smtpd. See Wietse's reply in this thread.

Thanks, will do.

--
Christian Kivalo
Re: Goal: Setup transport that runs a header check to strip out specific header for emails from specific source
On 2016-05-07 10:27, Viktor Dukhovni wrote:
> On Sat, May 07, 2016 at 09:59:00AM +0200, Christian Kivalo wrote:
>
>>> Looking at those emails, I see that calendar-notificat...@google.com is
>>> the source address. I added the entry to my check_sender_access table
>>> with an action of 'FILTER strip-automated-headers:'
>>
>> You could probably get it working with a restriction class.
>>
>> check_sender_access hash:/path/to/sender_access
>>
>> smtpd_restriction_classes: strip_automated_headers
>>
>> strip_automated_headers =
>>     header_checks = pcre:/path/to/strip_automated_headers.pcre
>
> No. This can't work.

Ok, so I'm wrong. Could you explain why?

Thanks

--
Christian Kivalo
Re: Goal: Setup transport that runs a header check to strip out specific header for emails from specific source
> Since Postfix (2.11) is my MTA and it supports removing headers, I'd like to have it strip this one. I found that I can include this line in the same file I use for the other header checks applied to ALL mail:
>
> /^Auto-Submitted:/ IGNORE
>
> but then it will affect all mail and I'd rather not do that.
>
> What I'm currently trying to get working is a service entry in master.cf that has its own header checks conf file. This service would only be used for specific sender addresses in order to limit the header removal to just those email notifications generated by Google Calendar.
>
> Looking at those emails, I see that calendar-notificat...@google.com is the source address. I added the entry to my check_sender_access table with an action of 'FILTER strip-automated-headers:'

You could probably get it working with a restriction class.

check_sender_access hash:/path/to/sender_access

smtpd_restriction_classes: strip_automated_headers

strip_automated_headers =
    header_checks = pcre:/path/to/strip_automated_headers.pcre

sender_access:
calendar-notificat...@google.com strip_automated_headers

strip_automated_headers.pcre:
/^Auto-Submitted:/ IGNORE

Haven't come around to test it though...

http://www.postfix.org/RESTRICTION_CLASS_README.html

> Thanks in advance for your help!

--
Christian Kivalo
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5 May 2016 18:30:40 CEST, "James B. Byrne" <byrn...@harte-lyne.ca> wrote:
>
>On Thu, May 5, 2016 12:11, Christian Kivalo wrote:
>>
>>
>> On 5 May 2016 17:34:36 CEST, "James B. Byrne"
>> <byrn...@harte-lyne.ca> wrote:
>>>Can anyone clue me in on what configuration issue might be causing
>>>this and whose configuration it is, mine or theirs?
>>>
>>>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>>>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>>><impo...@lymanworldwide.com>: Sender address rejected: Access denied;
>>>from=<impo...@lymanworldwide.com> to=<expo...@harte-lyne.ca>
>>>proto=ESMTP helo=
>>>
>>>
>>># postconf -n
>. . .
>>>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>>>hash:/etc/postfix/sender_access, check_sender_mx_access
>>>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>>>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>>>reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>>
>> What's in these files?
>...
># cat /etc/postfix/sender_ns_access
>. . .
># Cannot use OK result in this map, use DUNNO instead.
>#
>colocrossings.com DEFER
>name-services.com DEFER
>name-services.net DEFER

There it is: lymanworldwide.com uses name services provided by name-services.com

valo@karl:~ $ dig ns lymanworldwide.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> ns lymanworldwide.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lymanworldwide.com.            IN      NS

;; ANSWER SECTION:
lymanworldwide.com.     3600    IN      NS      dns5.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns3.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns4.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns1.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns2.name-services.com.

;; Query time: 179 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 05 18:33:14 CEST 2016
;; MSG SIZE  rcvd: 156

--
Christian Kivalo
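Both table problems in the threads above (the "138.185.116.0/24" key in a hash: client_checks table that never matches, and the sender_ns_access entry "name-services.com" that catches every name server under that domain) come down to the lookup order described in access(5). The following is an added example, not code from any post here and not Postfix code: it models that lookup order in Python for IPv4 addresses and hostnames, plus the first-match behaviour of a cidr_table(5), over tables and NS data constructed from the two threads (IPv4 only, default parent_domain_matches_subdomains behaviour assumed).

```python
"""Model of Postfix access(5) lookups for client addresses, hostnames and
check_sender_ns_access.  Added example, not Postfix code.  Tables and DNS
data below are constructed from the two mailing-list threads; IPv4 only."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# hash: tables as postmap would build them (key -> action text).
# Constructed from the "Blocking email from specific IPs" thread.
CLIENT_CHECKS_AS_POSTED = {
    "example.com": "REJECT No spammers",
    ".example.com": "REJECT No spammers, from your subdomain",  # legacy form
    "138.185.116.0/24": "REJECT",   # CIDR notation is not an access(5) key
}
CLIENT_CHECKS_FIXED = {
    "example.com": "REJECT No spammers",
    "138.185.116": "REJECT",        # access(5) "net.work.addr" form
}
# Constructed from the "Sender address rejected: Access denied" thread.
SENDER_NS_ACCESS = {
    "colocrossings.com": "DEFER",
    "name-services.com": "DEFER",
    "name-services.net": "DEFER",
}
# NS records of the sender domain, as shown by dig in that thread.
LYMANWORLDWIDE_NS = [
    "dns5.name-services.com", "dns3.name-services.com",
    "dns4.name-services.com", "dns1.name-services.com",
    "dns2.name-services.com",
]

Hit = Optional[Tuple[str, str]]   # (matched key, action) or None


def lookup_keys(key: str) -> List[str]:
    """Keys tried, in order, for one access(5) lookup: an IPv4 address is
    tried whole and then with trailing octets removed (1.2.3.4, 1.2.3,
    1.2, 1); a hostname is tried whole and then each parent domain, which
    is how "domain.tld" also matches its subdomains under the default
    parent_domain_matches_subdomains setting."""
    try:
        ipaddress.IPv4Address(key)
    except ValueError:
        labels = key.lower().split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]
    octets = key.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def lookup_access(table: Dict[str, str], key: str) -> Hit:
    """First matching table entry for key, or None (the DUNNO case)."""
    for candidate in lookup_keys(key):
        if candidate in table:
            return candidate, table[candidate]
    return None


def lookup_cidr(entries: List[Tuple[str, str]], address: str) -> Hit:
    """cidr_table(5) semantics: entries are tried in file order and the
    first network that contains the address wins."""
    ip = ipaddress.ip_address(address)
    for network, action in entries:
        if ip in ipaddress.ip_network(network, strict=False):
            return network, action
    return None


def check_sender_ns_access(table: Dict[str, str],
                           ns_hosts: List[str]) -> Optional[Tuple[str, str, str]]:
    """check_sender_ns_access: look up each name server of the MAIL FROM
    domain and act on the first non-DUNNO result.
    Returns (name server, matched key, action) or None."""
    for ns in ns_hosts:
        hit = lookup_access(table, ns)
        if hit:
            return ns, hit[0], hit[1]
    return None


if __name__ == "__main__":
    client = "138.185.116.42"
    print("as posted:", lookup_access(CLIENT_CHECKS_AS_POSTED, client))
    print("fixed:    ", lookup_access(CLIENT_CHECKS_FIXED, client))
    print("cidr:     ", lookup_cidr([("138.185.116.0/24", "REJECT")], client))
    print("sender NS:", check_sender_ns_access(SENDER_NS_ACCESS, LYMANWORLDWIDE_NS))
```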
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5 May 2016 at 17:34:36 MESZ, "James B. Byrne" wrote:
>Can anyone clue me in on what configuration issue might be causing
>this and whose configuration it is, mine or theirs?
>
>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
> : Sender address rejected: Access denied;
>from= to=
>proto=ESMTP helo=
>
>
># postconf -n
>alias_maps = hash:/etc/aliases
>broken_sasl_auth_clients = yes
>command_directory = /usr/sbin
>config_directory = /etc/postfix
>content_filter = smtp-amavis:[127.0.0.1]:10024
>daemon_directory = /usr/libexec/postfix
>data_directory = /var/lib/postfix
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>ddd $daemon_directory/$process_name $process_id & sleep 5
>delay_warning_time = 30m
>disable_vrfy_command = yes
>header_checks = regexp:/etc/postfix/header_checks.regexp
>home_mailbox = Maildir/
>html_directory = no
>ignore_mx_lookup_error = no
>inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
>inet_protocols = all
>local_transport = smtp
>mail_spool_directory = /var/spool/mail
>mailman_destination_recipient_limit = 1
>mailq_path = /usr/bin/mailq.postfix
>manpage_directory = /usr/share/man
>message_size_limit = 2048
>milter_default_action = accept
>milter_protocol = 2
>mydestination =
>mynetworks = 216.185.71.0/26, 127.0.0.0/8
>newaliases_path = /usr/bin/newaliases.postfix
>non_smtpd_milters = $smtpd_milters
>policyd-spf_time_limit = 3600
>queue_minfree = 4096
>rbl_reply_maps = hash:/etc/postfix/rbl_reply
>readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
>recipient_delimiter = +
>relay_clientcerts = hash:/etc/postfix/relay_clientcerts
>relay_domains = hash:/etc/postfix/relay_domains
>sample_directory = /usr/share/doc/postfix-2.11.1/samples
>sendmail_path = /usr/sbin/sendmail.postfix
>setgid_group = postdrop
>smtp_dns_support_level = dnssec
>smtp_host_lookup = dns
>smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
>smtp_tls_ciphers = medium
>smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
>IDEA, RC2, RC5
>smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
>smtp_tls_protocols = !SSLv2, !SSLv3
>smtp_tls_security_level = dane
>smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
>smtp_tls_session_cache_timeout = 3600s
>smtpd_client_restrictions = permit
>smtpd_data_restrictions = permit_mynetworks,
>reject_multi_recipient_bounce, reject_unauth_pipelining, permit
>smtpd_helo_required = yes
>smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
>reject_unknown_helo_hostname, permit
>smtpd_milters = inet:127.0.0.1:8891
>smtpd_proxy_timeout = 300s
>smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>reject_unknown_recipient_domain, permit_mynetworks,
>permit_sasl_authenticated, reject_unauth_destination,
>reject_unauth_pipelining, check_policy_service
>unix:/var/spool/postfix/postgrey/socket, check_policy_service
>unix:private/policyd-spf, permit
>smtpd_relay_restrictions = permit_mynetworks,
>permit_sasl_authenticated, defer_unauth_destination
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_path = smtpd
>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>hash:/etc/postfix/sender_access, check_sender_mx_access
>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>reject_non_fqdn_sender, reject_unknown_sender_domain, permit

What's in these files?

>smtpd_starttls_timeout = ${stress?10}${stress:120}s
>smtpd_timeout = ${stress?10}${stress:120}s
>smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtpd_tls_ask_ccert = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
>smtpd_tls_ciphers = medium
>smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>smtpd_tls_fingerprint_digest = sha1
>smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
>smtpd_tls_protocols = !SSLv2, !SSLv3
>smtpd_tls_received_header = yes
>smtpd_tls_security_level = may
>smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>smtpd_tls_session_cache_timeout = 3600s
>soft_bounce = no
>strict_rfc821_envelopes = yes
>tls_random_source = dev:/dev/urandom
>transport_maps = hash:/etc/postfix/transport
>unknown_local_recipient_reject_code = 550
>virtual_alias_maps = hash:/etc/postfix/virtual,
>regexp:/etc/postfix/virtual.regexp
Re: Policyd-spf and RBL white listing
On 2016-04-19 08:52, li...@lazygranch.com wrote:
> From what I can tell, if you whitelist a domain, the policyd-spf check is skipped. Now I whitelisted domains to stop the RBL from blocking them, but it would be nice to see if SPF passes. Am I right about the SPF being skipped?
>
> While I'm at it, can you whitelist specific users at a domain, that is the full email address, or only the domain itself?

You could move your RBL excludes to a restriction class

smtpd_restriction_classes = rbl_exclude1, rbl_exclude2, ...
rbl_exclude1 = check_client_access pcre:rbl_exclude1.pcre, reject_rbl_client zen.spamhaus.org,

smtpd_recipient_restrictions = ... rbl_exclude1, ...

See also http://www.postfix.org/RESTRICTION_CLASS_README.html

--
Christian Kivalo
Re: NEWSFLASH: DANE TLSA records published for web.de!
>> There are 165 "postfix-users" subscriber domains that have MX
>> records and MX hosts in DNSSEC signed zones. You've done the hard
>> part of deploying DNSSEC, deploying DANE TLSA for email is
>> comparatively simple.
>
>One would think so, but: I asked my main domain provider
>domaindiscount24
>which introduced DNSSEC last year when they will offer TLSA, DS and
>SSHFP
>records also. Their answer: Currently the requested features aren't
>available and we can make no statement if and when they will be
>available.
>
>Actually I don't understand this. They did the major task of
>implementing
>DNSSEC and aren't able to offer the 3 most important DNS types to
>actually
>get a benefit from DNSSEC.

You could still just switch to a provider that offers what you need and tell them why. That takes some time and effort but it's worth it. Probably won't change much but you get the features you want.

I did that some time ago, my former provider still hasn't changed anything but I don't care anymore.

--
Christian
Re: Thousands of login attempts
On 21 March 2016 at 00:59:36 MEZ, "@lbutlr" <krem...@kreme.com> wrote:
>On Sun Mar 20 2016 16:01:44 Christian Kivalo <ml+postfix-us...@valo.at>
>said:
>>
>>>> One minor comment: I would not even offer AUTH on port 25.
>>>
>>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>>> submission have to be on port 587.
>>
>> You do.
>
>Oh, that is right, I forgot I had to enable that temporarily for
>someone. I think temporarily has passed.
>
>Port 25 shouldn’t even allow STARTTLS, IIRC.

I don't agree. Offering opportunistic TLS on port 25 gives the sending party the choice to use the encrypted channel. There is no harm in offering STARTTLS on port 25.

--
Christian
Re: Thousands of login attempts
>> One minor comment: I would not even offer AUTH on port 25.
>
>I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>submission have to be on port 587.

You do.

valo@uschi:~ $ telnet mail.covisp.net 25
Trying 65.121.55.42...
Connected to mail.covisp.net.
Escape character is '^]'.
220-mail.covisp.net ESTMP -- Please wait
220 mail.covisp.net ESMTP Postfix 3.0.3
ehlo test.local.host
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

See the two lines offering auth on port 25. You should disable auth on port 25.

--
Christian
Re: Postfix message_size_limit
On 19 March 2016 at 20:22:13 MEZ, Daniel Wasilewski wrote:
>Hi,
>
>At the beginning: it's my first email on the mailing list, so if I do
>something wrong
>please forgive me.
>
>Can somebody explain why postfix is still using default values?
>
>root@vps1:~# postconf -e mailbox_size_limit=0
>root@vps1:~# postconf -e message_size_limit=0
>root@vps1:~# /etc/init.d/postfix restart
>[ ok ] Stopping Postfix Mail Transport Agent: postfix.
>[ ok ] Starting Postfix Mail Transport Agent: postfix.
>root@vps1:~# postconf -d | grep size_limit
>body_checks_size_limit = 51200
>bounce_size_limit = 5
>header_size_limit = 102400
>mailbox_size_limit = 5120
>message_size_limit = 1024

See man postconf. postconf -d shows the Postfix default values instead of the actual configured values.

>root@vps1:~# postconf -n | grep size_limit
>mailbox_size_limit = 0
>message_size_limit = 0

Those are your configured values and should be in use by Postfix. You can check when you connect to port 25; the message size is advertised after HELO.

>root@vps1:~#
>
>Best regards
>Daniel

--
Christian
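
The two preceding threads both come down to reading a server's EHLO reply: the first asks whether AUTH is offered on port 25, the second where the configured message size shows up. The following is an added example (it is not code from either post, and not Postfix code) that parses the EHLO reply captured in the telnet session above and answers both questions; the AUTH-before-TLS finding and the live_ehlo() helper, which uses only the standard-library smtplib API, are additions for checking hosts you operate.

```python
"""Audit what a Postfix listener advertises in its EHLO reply.

Added example (not code from either thread): it parses the EHLO reply
captured in the telnet session above to answer the two questions these
posts raise, whether AUTH is offered on port 25 and what SIZE the
server announces. SAMPLE_EHLO_REPLY is that captured reply; live_ehlo()
uses only the standard-library smtplib API for checking your own hosts.
"""
import smtplib
from typing import Dict, List, Optional

# The EHLO reply shown in the telnet session in the thread above.
SAMPLE_EHLO_REPLY = """250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map each advertised extension to its parameters.

    Every line but the last reads '250-KEYWORD [params]'; the last reads
    '250 KEYWORD [params]'. The first line carries the server name, not an
    extension. 'AUTH=...' is a legacy spelling (broken_sasl_auth_clients)
    and is folded into AUTH.
    """
    features: Dict[str, str] = {}
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250") or len(line) < 4:
            raise ValueError(f"not an EHLO reply line: {line!r}")
        body = line[4:].strip()
        first = body.split(" ", 1)[0]
        if "=" in first:                      # AUTH=PLAIN LOGIN
            keyword, params = body.split("=", 1)
        else:                                 # SIZE 26214400, STARTTLS
            keyword, _, params = body.partition(" ")
        keyword = keyword.upper()
        if keyword in features and params:    # merge AUTH and AUTH= mechanism lists
            params = " ".join(dict.fromkeys(features[keyword].split() + params.split()))
        features[keyword] = params or features.get(keyword, "")
    return features


def auth_mechanisms(features: Dict[str, str]) -> List[str]:
    """SASL mechanisms offered, empty if AUTH is not advertised."""
    return features.get("AUTH", "").split()


def advertised_size(features: Dict[str, str]) -> Optional[int]:
    """Announced message size limit; None if SIZE is absent, 0 if SIZE is
    announced without a number (Postfix does this for message_size_limit = 0)."""
    size = features.get("SIZE")
    if size is None:
        return None
    return int(size) if size else 0


def audit(features: Dict[str, str], port: int) -> List[str]:
    """Findings for a listener on `port`, from a defender's point of view."""
    findings: List[str] = []
    mechs = auth_mechanisms(features)
    if port == 25 and mechs:
        findings.append("AUTH offered on port 25 (%s); keep submission on 587/465"
                        % " ".join(mechs))
    if "STARTTLS" not in features:
        findings.append("STARTTLS not offered; sending MTAs cannot use opportunistic TLS")
    elif mechs:
        # Mechanisms visible before STARTTLS means smtpd_tls_auth_only is not in effect.
        findings.append("AUTH announced before TLS; smtpd_tls_auth_only = yes hides it until STARTTLS")
    return findings


def live_ehlo(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """EHLO a server you operate and return its features (keys upper-cased)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return {k.upper(): v for k, v in smtp.esmtp_features.items()}


if __name__ == "__main__":
    feats = parse_ehlo(SAMPLE_EHLO_REPLY)
    print("AUTH:", auth_mechanisms(feats), "SIZE:", advertised_size(feats))
    for finding in audit(feats, 25):
        print("-", finding)
```

Run against the captured reply it reports AUTH PLAIN LOGIN on port 25 and a SIZE of 26214400. The fix the reply asks for is to leave smtpd_sasl_auth_enable at no in main.cf and set -o smtpd_sasl_auth_enable=yes only on the submission and smtps services in master.cf, which is the pattern the Helo thread further down shows.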
Re: Postifix 2.11.3 sends some mails (not spam) to postmater@
On 17 March 2016 at 14:34:32 MEZ, Josef Karliak wrote:
> Hi,
> I found that only emails with "dmarc=fail" in the headers are sent to
>postmaster - as it is defined in our dmarc record, but that should be
>statistics, not emails...
> Thanks and best regards
> J.K.

Do they DMARC fail at your server when you receive them or are these mails received from an external source? Headers showing your findings would help.

You specified a ruf= recipient address and that requests forensic reports when mails fail DMARC. How much content you receive for failed messages depends mostly on settings in the checking server.

--
Christian
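
To make the rua=/ruf= distinction from the reply concrete, here is an added example (not from the thread) that parses a DMARC record and lists which report types it asks receivers to send. The record is a constructed sample; the mandatory-tag checks follow RFC 7489.

```python
"""Read a DMARC record and list the reports it asks receivers to send.

Added example, not from the thread. DMARC records are TXT records at
_dmarc.<domain>; the record below is a constructed sample. The parser
separates the two report channels the reply distinguishes: rua= asks
for aggregate statistics, ruf= asks for per-message failure reports,
and fo= only states when those are wanted; the receiving server decides
what, and how much, it actually sends.
"""
from typing import Dict, List

SAMPLE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-agg@example.org; "
                 "ruf=mailto:postmaster@example.org; fo=1; pct=100")

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; ...' into a dict and check the mandatory tags.

    RFC 7489 requires v=DMARC1 as the first tag and a p= policy tag for a
    policy record; the remaining tags may appear in any order.
    """
    tags: Dict[str, str] = {}
    order: List[str] = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
        order.append(key)
    if order[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    return tags


def report_requests(tags: Dict[str, str]) -> Dict[str, object]:
    """Which report types the record requests and where they should go."""
    out: Dict[str, object] = {"policy": tags["p"].lower()}
    if "rua" in tags:
        out["aggregate"] = [u.strip() for u in tags["rua"].split(",")]
    if "ruf" in tags:
        out["failure"] = [u.strip() for u in tags["ruf"].split(",")]
        # fo= defaults to 0: a failure report only when SPF and DKIM both fail
        # aligned; fo=1 asks for one whenever either mechanism fails.
        out["failure_trigger"] = tags.get("fo", "0")
    return out


if __name__ == "__main__":
    for kind, value in report_requests(parse_dmarc(SAMPLE_RECORD)).items():
        print(f"{kind}: {value}")
```

If the output lists a "failure" channel, the per-message mails the original poster is seeing are exactly what the record asks for; dropping the ruf= tag (keeping rua=) leaves only the aggregate statistics.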
Re: How can I block this user...
l-mailbox-domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

thanks
Robert Chalmers

--
Christian Kivalo
Re: SOLVED: Re: mail sent via sendmail is queued and delayed for approx. 300 seconds
On 2016-03-03 11:31, Dietrich Streifert wrote:
> And here is the solution: I had to explicitly tell the smtp proxy to NOT use tls by specifying
>
> -o smtpd_use_tls=no
> -o smtp_use_tls=no
> -o smtpd_tls_security_level=none
> -o smtp_tls_security_level=none
>
> where it seems that simply setting smtpd_use_tls and smtp_use_tls to no was not enough! The additional smtp_tls_security_level set to "none" was also necessary.

The options smtpd/smtp_use_tls are obsolete and smtpd/smtp_tls_security_level should be used instead. You can remove the smtpd/smtp_use_tls option from both main.cf and master.cf and it should be good.

Take a look at the documentation.

From http://www.postfix.org/postconf.5.html#smtp_tls_security_level

  smtp_tls_security_level
    The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.

From http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

  smtpd_tls_security_level
    The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with "smtpd_tls_wrappermode = yes".

> Thank you for your patience and help!
>
> Regards
> Dietrich

--
Christian Kivalo
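
The reply's point, that a non-empty security level overrides the obsolete parameters while an empty one leaves them in force, is easy to check mechanically. The following is an added example (not from the thread) that lints postconf -n output and master.cf -o overrides for the obsolete TLS parameters named in the quoted postconf(5) text; the main.cf and master.cf samples are constructed, with the "proxy" service repeating Dietrich's -o lines.

```python
"""Flag obsolete Postfix TLS parameters in main.cf and master.cf overrides.

Added example, not from the thread. The obsolete names and the
parameters that supersede them are those in the postconf(5) excerpts
quoted in the reply. The main.cf and master.cf samples are constructed;
the 'proxy' service repeats the -o overrides Dietrich posted.
"""
import re
from typing import Dict, List

# obsolete parameter -> the security-level parameter that overrides it
OBSOLETE: Dict[str, str] = {
    "smtp_use_tls": "smtp_tls_security_level",
    "smtp_enforce_tls": "smtp_tls_security_level",
    "smtp_tls_enforce_peername": "smtp_tls_security_level",
    "smtpd_use_tls": "smtpd_tls_security_level",
    "smtpd_enforce_tls": "smtpd_tls_security_level",
}

SAMPLE_MAIN_CF = """\
smtp_use_tls = no
smtp_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
"""

SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
proxy     inet  n       -       n       -       -       smtpd
  -o smtpd_use_tls=no
  -o smtp_use_tls=no
  -o smtpd_tls_security_level=none
  -o smtp_tls_security_level=none
"""

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
OVERRIDE_RE = re.compile(r"^\s+-o\s+([A-Za-z0-9_]+)=(.*?)\s*$")


def main_cf_params(text: str) -> Dict[str, str]:
    """name -> value from postconf -n style output (one parameter per line)."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            params[m.group(1)] = m.group(2)
    return params


def master_cf_overrides(text: str) -> Dict[str, Dict[str, str]]:
    """service name -> {param: value} for the -o overrides under each service line."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # a service definition line
            current = line.split()[0]
            services[current] = {}
            continue
        m = OVERRIDE_RE.match(line)
        if m and current is not None:
            services[current][m.group(1)] = m.group(2)
    return services


def lint(candidates: Dict[str, str], effective: Dict[str, str], where: str) -> List[str]:
    """One finding per obsolete parameter in `candidates`; `effective` is the
    full parameter set in force there, used to tell whether a security level
    already overrides the obsolete value."""
    findings: List[str] = []
    for name, value in candidates.items():
        if name not in OBSOLETE:
            continue
        new = OBSOLETE[name]
        if effective.get(new, "") != "":
            status = f"already superseded by {new}={effective[new]}; remove it"
        else:
            status = f"{new} is unset, so this obsolete value is what takes effect; set {new} instead"
        findings.append(f"{where}: {name}={value} is obsolete; {status}")
    return findings


def lint_all(main_cf: str, master_cf: str) -> List[str]:
    main = main_cf_params(main_cf)
    findings = lint(main, main, "main.cf")
    for service, overrides in master_cf_overrides(master_cf).items():
        effective = {**main, **overrides}          # -o values override main.cf per service
        findings += lint(overrides, effective, f"master.cf {service}")
    return findings


if __name__ == "__main__":
    for finding in lint_all(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF):
        print(finding)
```

On a real system feed it the output of postconf -n and the contents of master.cf; postconf -Mf prints master.cf in the one-override-per-line layout the parser expects.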
Re: Postfix Mailman integration
On 2016-02-29 08:43, Ruben Safir wrote:
> Can I have input about this recommendation? Is there unreasonable security risk? I think not, but I want to double check

That looks sensible. That comes near to the configuration I use for my mailman installation. You should not do RBL checks on the mailman -> postfix reinject. Do that when you accept mail from external sources via port 25, e.g. in postscreen and afterwards. To have mailman reinject on an extra port on localhost is how it should be done.

> On 02/28/2016 10:51 PM, Ruben Safir wrote:
>> On 02/29/2016 01:34 AM, Mark Sapiro wrote:
>>> I think we can fix your issue fairly simply. Please, as I asked in my reply at <https://mail.python.org/pipermail/mailman-users/2016-February/080524.html>, post the output from 'postconf -n' and the contents of mm_cfg.py.
>>
>> Sorry, I got mixed up. It's just probably the frustration. Everyone uses mailman, I don't know why I'm so stupid
>>
>> smtpd_recipient_restrictions =
>>     check_client_access hash:/etc/postfix/helo_client_exceptions
>>     check_sender_access hash:/etc/postfix/sender_checks,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_hostname,
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_sender_domain,
>>     reject_unknown_recipient_domain,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_hostname,
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_sender_domain,
>>     reject_unknown_recipient_domain,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net
>>     reject_rbl_client cbl.abuseat.org,
>>     permit
>
> This is almost certainly your problem. All those checks take time, especially if DNS is slow. If you send a message from a client and Postfix takes 5 seconds to accept it, it's no big deal. If Mailman sends to 10 or 20 recipients, and it takes Postfix a minute to respond, it still may be no big deal unless another two posts arrive in that minute, and so on until you have a big backlog.
>
> I suggest that if you really want all those checks, that you set up a separate port for Mailman to send to without all those rbl lookups and recipient domain lookups. See below.
>
>> vim /usr/lib/mailman/Mailman/mm_cfg.py
>>
>> ###
>> # Here's where we get the distributed defaults.
>> from Defaults import *
>> ##
>> # Put YOUR site-specific settings below this line.
>> DEFAULT_URL_PATTERN = 'http://%s/mailman/'
>> DEFAULT_NNTP_HOST = 'www.mrbrklyn.com'
>> DEFAULT_EMAIL_HOST = 'nylxs.com'
>> DEFAULT_URL_HOST = 'www.nylxs.com'
>> MTA = 'Postfix'
>> POSTFIX_ALIAS_CMD = '/usr/sbin/postalias'
>> POSTFIX_MAP_CMD = '/usr/sbin/postmap'
>> DELIVERY_MODULE = 'SMTPDirect'
>> SMTPHOST = 'mrbrklyn.com'
>> SMTPPORT = '25'
>
> Here's where I'm suggesting changes. Pick a port, say 8000, although it could be anything that doesn't conflict. Then change the above to
>
> SMTPHOST = '127.0.0.1'
> SMTPPORT = 8000
>
> (don't quote the port - it's a number, not a string)
>
> Also, while you're at it I suggest adding
>
> VERP_PASSWORD_REMINDERS = Yes
> VERP_PERSONALIZED_DELIVERIES = Yes
> VERP_DELIVERY_INTERVAL = 1
>
> for more reliable bounce processing. But, see below for changes to Postfix master.cf that you must make first.
>
>> add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
>> add_virtualhost('lists.mrbrklyn.com', 'mrbrklyn.com')
>> IMAGE_LOGOS = '/mailmanicons/'
>>
>> There is another one in apache: I don't know if it is being used.
>>
>> vim /usr/local/apache/conf/mailman/Mailman/mm_cfg.py
>
> No, that shouldn't be used.
>
> In Postfix master.cf add the following stanza
>
> 127.0.0.1:8000 inet n - - - - smtpd
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>   -o mynetworks=127.0.0.0/8
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_data_restrictions=
>
> Make this addition to Postfix master.cf and reload Postfix. Only after you've done that and Postfix is listening on the loopback interface port 8000, make the changes to mm_cfg.py and restart Mailman.
>
> --
> Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
> --
> So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
>
> Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013

--
Christian Kivalo
Re: A bug, maybe?
On 2016-02-20 16:45, Curtis Maurand wrote:
> Not sure if I found something or not. A client tried to send email to one of my other addresses. The requisite portion of the main.cf follows at the end of the message. The logs are telling me:
>
> Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: warning: hostname delivery.mailspamprotection.com does not resolve to address 108.163.243.188
> Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: connect from unknown[108.163.243.188]
> Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: NOQUEUE: reject: RCPT from unknown[108.163.243.188]: 450 4.7.1 Client host rejected: cannot find your hostname, [108.163.243.188]; from=<edi...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP helo=

Have you had DNS lookup problems? This is a temporary error and the client should retry delivery.

> Feb 19 16:30:30 ispconfig postfix/smtpd[18437]: disconnect from unknown[108.163.243.188]
>
> deliver.mailspamprotection.com resolves to a lot of addresses (and this is a partial list):
>
> dig delivery.mailspamprotection.com |grep 108.163.243
> delivery.mailspamprotection.com. 30 IN A 108.163.243.188
> delivery.mailspamprotection.com. 30 IN A 108.163.243.187
> delivery.mailspamprotection.com. 30 IN A 108.163.243.189
> delivery.mailspamprotection.com. 30 IN A 108.163.243.190
> delivery.mailspamprotection.com. 30 IN A 108.163.243.186
>
> and
>
> ;188.243.163.108.in-addr.arpa. IN PTR
> ;; ANSWER SECTION:
> 188.243.163.108.in-addr.arpa. 3600 IN PTR delivery.mailspamprotection.com.
>
> given such a round robin setup, does postfix account for this when performing its hostname lookup? This email should not have been rejected for any kind of ip mismatch. Forward, reverse and helo all match.
>
> Thanks,
> Curtis
>
> smtpd_sender_restrictions =
>     check_sender_access regexp:/etc/postfix/tag_as_originating.re
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
>     check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, regexp:/etc/postfix/tag_as_foreign.re
>     reject_invalid_hostname,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unauth_pipelining,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client b.barracudacentral.org
>
> smtpd_client_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
>     reject_unknown_client,

This restriction causes the reject, see http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

  reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address.
    This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.
    The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.

reject_unknown_reverse_client_hostname is considered the safer alternative but in your case maybe removing it altogether allows more legitimate mail through.

>     reject_invalid_hostname,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unauth_pipelining,
>     reject_unauth_destination,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client b.barracudacentral.org
>
> --
> Curtis Maurand
> cur...@maurand.com
> 207-252-7748

--
Christian Kivalo
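
The three conditions quoted from postconf(5) are easiest to reason about when written out. Here is an added example (not Postfix code, not from the thread) that models reject_unknown_client_hostname and reject_unknown_reverse_client_hostname, including the rule that a temporary lookup failure always yields 450. DNS results are passed in as plain values so it runs offline; the sample data is the PTR and the round-robin A set quoted above, and TEMPFAIL is a constructed marker for a temporary DNS failure.

```python
"""Emulate the client hostname checks behind 'cannot find your hostname'.

Added example, not Postfix code. It models the three conditions
postconf(5) lists for reject_unknown_client_hostname and the single
condition of reject_unknown_reverse_client_hostname, and the 450/550
reply-code rule quoted in the reply. DNS results are passed in as plain
values so it runs offline; the sample data is the PTR and the
round-robin A set quoted above for 108.163.243.188. TEMPFAIL stands
for a temporary DNS failure (SERVFAIL, timeout).
"""
from dataclasses import dataclass
from typing import List, Optional, Union

TEMPFAIL = "TEMPFAIL"
DEFAULT_UNKNOWN_CLIENT_REJECT_CODE = 450      # unknown_client_reject_code default

# Data quoted in the thread.
CLIENT_IP = "108.163.243.188"
PTR = "delivery.mailspamprotection.com"
ROUND_ROBIN = ["108.163.243.188", "108.163.243.187", "108.163.243.189",
               "108.163.243.190", "108.163.243.186"]

PtrResult = Union[str, None]                   # hostname, TEMPFAIL, or None for NXDOMAIN
ForwardResult = Union[List[str], str, None]    # addresses, TEMPFAIL, or None for NXDOMAIN


@dataclass(frozen=True)
class Verdict:
    reverse_only: Optional[int]    # reject_unknown_reverse_client_hostname: None = pass, else SMTP code
    full: Optional[int]            # reject_unknown_client_hostname


def evaluate(client_ip: str, ptr: PtrResult, forward: ForwardResult,
             unknown_client_reject_code: int = DEFAULT_UNKNOWN_CLIENT_REJECT_CODE) -> Verdict:
    # 1) address->name mapping fails: both restrictions reject
    if ptr is None or ptr == TEMPFAIL:
        code = 450 if ptr == TEMPFAIL else unknown_client_reject_code  # temporary problems are always 450
        return Verdict(code, code)
    # A PTR exists, so the reverse-only restriction is satisfied from here on.
    # 2) name->address mapping fails
    if forward is None or forward == TEMPFAIL:
        code = 450 if forward == TEMPFAIL else unknown_client_reject_code
        return Verdict(None, code)
    # 3) no returned address equals the client; any member of a round-robin set is enough
    if client_ip not in forward:
        return Verdict(None, unknown_client_reject_code)
    return Verdict(None, None)


def logged_client(client_ip: str, ptr: PtrResult, forward: ForwardResult) -> str:
    """How smtpd names the client in its log: 'hostname[ip]' only when the
    full name/address verification passed, otherwise 'unknown[ip]'."""
    if evaluate(client_ip, ptr, forward).full is None:
        return f"{ptr}[{client_ip}]"
    return f"unknown[{client_ip}]"


if __name__ == "__main__":
    print("complete round-robin set:", evaluate(CLIENT_IP, PTR, ROUND_ROBIN))
    print("forward lookup tempfail :", evaluate(CLIENT_IP, PTR, TEMPFAIL))
    print("no PTR at all           :", evaluate(CLIENT_IP, None, None))
    print("logged as               :", logged_client(CLIENT_IP, PTR, TEMPFAIL))
```

The warning in the thread's log ("does not resolve to address") is condition 3: the forward lookup answered, but none of the returned addresses was the client's. With a 30-second TTL and an answer the poster himself calls a partial list, an authoritative server that hands out a rotating subset of the addresses per query can produce exactly that at connect time even though a later dig shows the address, which is one of the "DNS lookup problems" the reply asks about. reject_unknown_reverse_client_hostname stops after condition 1 and is the safer alternative named in the reply.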
Re: Suppress logs for monitor connections
On 19 February 2016 at 20:32:20 MEZ, Ray Dzek wrote:
>We are load balancing our Postfix servers and as part of that there is
>a connection test to ensure the services are running. So the logs fill
>with connection checks. Is there a way to suppress those connections
>from the logs?

Create a filter in your syslog daemon to remove your monitoring checks from the log stream.

>Thanks in advance,
>
>Ray

--
Christian
Re: Can't get mynetworks to match a specific host
On 2016-02-14 16:39, Michael Sperber wrote:
> I'm trying to set up a mail relay for a specific host with Postfix, with little success: I've got this:
>
> mynetworks = 88.198.58.179/32 127.0.0.0/8 134.2.186.48/32 u-186-ls048.wi50.uni-tuebingen.de

Hostnames in mynetworks are prone to errors when you have DNS lookup problems. Using the IP address of the sending system is preferred.

> 88.x is the local host, 134.x is the host I'm trying to set up the relay for, as is the host name.
>
> (First question: Where exactly do I put permit_mynetworks? I tried smtpd_client_restrictions and smtpd_recipient_restrictions, similarly to no avail.)

Please show postconf -n output. Show logging of it not working / mail being blocked.

> Whatever I do, I get this:
>
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: generic_checks: name=permit_mynetworks
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: permit_mynetworks: u-186-ls048.wi50.uni-tuebingen.de 134.2.186.48
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 88.198.58.179/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 134.2.186.48 ~? 88.198.58.179/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 127.0.0.0/8
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 134.2.186.48 ~? 127.0.0.0/8
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 134.2.186.48/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 134.2.186.48 ~? 134.2.186.48/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_list_match: permit_mynetworks: no match
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: generic_checks: name=permit_mynetworks status=1
>
> Why is there no match? Any help would be much appreciated!

You are showing logs from the submission service, there could be overrides in place. Show the configuration from master.cf.

Take a look at http://www.postfix.org/DEBUG_README.html#mail; this should clarify what is helpful to others when asking on the mailing list.

--
Christian Kivalo
Re: Clarification - How can/could I redirect based upon sender.
On 13 February 2016 at 06:30:30 MEZ, "John A @ KLaM" wrote:
>
>> On 13 February 2016 at 00:05:53 MEZ, John wrote:
>>>Is it possible to redirect mail based upon sender.
>>
>> What about sender_bcc_maps
>> http://www.postfix.org/postconf.5.html#sender_bcc_maps ?
>>
>>>
>>>I need to redirect email from j...@example.com which would normally be
>>>sent
>>>to some...@klam.com to legal@our_lawyers.com and/or ab...@klam.com.
>>>
>>>I would like to just block them but they may be needed!
>>>
>>>Thanks
>>>John A
>> - Christian
>>
>I want to redirect incoming mail.
>
>One of our users is having trouble with an abusive ex. We want to
>redirect
>any mail from him to either or both her lawyer and abuse@...
>The redirect to abuse is to archive in case of legal action.
>
>Any help appreciated.

Take a look at this thread from a few days ago: http://marc.info/?l=postfix-users=145517108614652=2

That was also a question about sender dependent mail redirect and uses sender_bcc_maps and virtual aliases.

- Christian
Re: Outbound TLS
On 13 February 2016 at 11:10:25 MEZ, Joy wrote:
>May I know how can I force postfix to use TLS if the remote MTA advertises
>STARTTLS on port 25 to connect to the remote server?
>
>I am already using TLS and connecting from outlook is working
>perfectly,
>but when sending mail to google it now says TLS fail.

Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all necessary information.

At least postconf -n / postconf -Mf and log output of the TLS fail to google.

- Christian
Re: How can/could I redirect based upon sender.
On 13 February 2016 at 00:05:53 MEZ, John wrote:
>Is it possible to redirect mail based upon sender.

What about sender_bcc_maps http://www.postfix.org/postconf.5.html#sender_bcc_maps ?

>
>I need to redirect email from j...@example.com which would normally be
>sent
>to some...@klam.com to legal@our_lawyers.com and/or ab...@klam.com.
>
>I would like to just block them but they may be needed!
>
>Thanks
>John A

- Christian
Re: Client Certificate Authentication for Auth Only
On 2016-02-01 19:39, Haravikk wrote:
> Hi there,

Hi,

> I’m trying to configure client certificate authentication such that it is only required for users (with valid username/password) when sending e-mail *from* my mail server.

Where do you set it?

> However, setting smtpd_tls_req_ccert = yes causes postfix to request a certificate from all incoming connections, including mail servers that are attempting to deliver mail. Is there a way to enable client certificates only for auth connections? I’ve already set smtpd_tls_auth_only = yes, but I’m not sure how to enable client certificates only for senders, without causing incoming messages to also be blocked.

When you set it in master.cf only for the submission service it's only required for clients connecting to port 587. Connections to port 25 are not required to present a client cert.

> Thanks,
> Haravikk

--
Christian
Re: postfix installation and make error (ATTENTION: Unknown system type)
On 2016-01-22 10:44, timos wrote:
> I'm new to Postfix. I tried to compile postfix-2.11.3 but ran into an error and failed with the following message:

Why don't you compile postfix 3.x?

> make -f Makefile.in MAKELEVEL= Makefiles
> (echo "# Do not edit -- this file documents how Postfix was built for your machine."; /bin/sh makedefs) >makedefs.tmp
> ATTENTION:
> ATTENTION: Unknown system type: Linux 4.1.13-19.31.amzn1.x86_64
> ATTENTION:
> make: *** [Makefiles] Error 1
> make: *** [Makefiles] Error 2
>
> I've gone through all possible solutions but can't figure out any! ... any help or fix is appreciated. :(
>
> Thank you

See http://marc.info/?l=postfix-users=142744304401645=2 for the question and http://marc.info/?l=postfix-users=143006758311432=2 for the answer.

--
Christian
Re: Postfix Postscreen Pregreet Test
On 23 January 2016 at 04:30:02 MEZ, Nguyen Nang Thang wrote:
>----- Original Message -----
>> From: "Wietse Venema"
>> To: "Postfix users"
>> Sent: Saturday, January 23, 2016 9:57:40 AM
>> Subject: Re: Postfix Postscreen Pregreet Test
>
>> Nguyen Nang Thang:
>>> > Postfix sends:
>>> >
>>> > 220-myhostname ESMTP
>>> >
>>> > Postfix waits $postscreen_greet_wait seconds.
>>> > Bad SMTP clients will greet before $postscreen_greet_wait seconds
>>> > have passed.
>>> >
>>> > 220 myhostname ESMTP
>>> >
>>> > Good SMTP clients will greet now.
>>>
>>> Wietse:
>>> Thanks for your detailed explanation. Can you suggest me technical ways
>>> to manually
>>> test Bad SMTP clients
>>> that greet before $postscreen_greet_wait seconds have passed?
>>
>> echo whatever | nc host 25
>
>Wietse:
>I did my test as below:
># nc localhost 25 < /tmp/postscreen-greet-wait.txt
>The output:
>220 gw.mydomain.com ESMTP Postfix (2.10.1)
>250 2.1.0 Ok
>250 2.1.5 Ok
>354 End data with .
>250 2.0.0 Ok: queued as 35CA025E69
>
>The postfix/postscreen log does not show info "PREGREET count after
>time from [address]:port text...",
>test message delivered normally (expect: test message prevented by
>postscreen).
>So, is there another way to quickly make smtp connection via "nc" or
>another tool to test the parameter
>"postscreen_greet_wait"?

Do this test from a different device. You probably have localhost in mynetworks and have configured

> postscreen_access_list = permit_mynetworks,
> cidr:/etc/postfix/postscreen_access.cidr

>Thanks.
>
>Regards,
>N. Thang

--
Christian
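
The greeting sequence Wietse describes and the access-list short cut Christian points at can both be reproduced on a loopback socket. The following is an added example (not postscreen's code and not from the thread): a small server sends "220-host ESMTP", waits greet_wait seconds, then sends the final "220 host ESMTP"; a client that talks during the wait is recorded as PREGREET, and a client whose address is in the access list skips the test entirely. The hostname, the networks and the peer_ip_override hook are constructed for the demonstration.

```python
"""Reproduce postscreen's pregreet test on a loopback socket.

Added example, not postscreen's code and not from the thread. The server
sends the first greeting line '220-host ESMTP', waits greet_wait seconds,
then sends the final '220 host ESMTP', the sequence Wietse describes
above; a client that sends anything during the wait is recorded as
PREGREET. It also models the reply's point: a client covered by the
access list (permit_mynetworks) skips the test entirely, which is why a
test from localhost shows nothing. Hostname, networks and the
peer_ip_override hook are constructed for the demonstration.
"""
import ipaddress
import select
import socket
import threading
from typing import List, Optional

MYHOSTNAME = "mx.example.net"                    # constructed
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]     # constructed, stands for permit_mynetworks


def in_mynetworks(ip: str, networks: List[str] = MYNETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def screen_client(conn: socket.socket, peer_ip: str, greet_wait: float) -> Optional[str]:
    """Server side of the test. Returns 'PREGREET <text>' or None."""
    conn.sendall(f"220-{MYHOSTNAME} ESMTP\r\n".encode())
    verdict = None
    if not in_mynetworks(peer_ip):                # whitelisted clients get no pregreet test
        readable, _, _ = select.select([conn], [], [], greet_wait)
        if readable:
            data = conn.recv(1024)
            if data:
                verdict = "PREGREET " + data.decode("ascii", "replace").strip()
    conn.sendall(f"220 {MYHOSTNAME} ESMTP\r\n".encode())
    # Drain anything still queued so that closing does not reset the connection.
    readable, _, _ = select.select([conn], [], [], 0.05)
    if readable:
        conn.recv(1024)
    return verdict


def run_test(client_talks_early: bool, greet_wait: float = 0.3,
             peer_ip_override: Optional[str] = None) -> Optional[str]:
    """One exchange over loopback; returns the server's verdict.

    peer_ip_override lets the server treat the loopback client as if it came
    from another address, so both sides of the access-list decision can be shown.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result: dict = {}

    def serve() -> None:
        conn, (peer_ip, _) = listener.accept()
        with conn:
            result["verdict"] = screen_client(conn, peer_ip_override or peer_ip, greet_wait)

    server = threading.Thread(target=serve)
    server.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        if client_talks_early:
            client.sendall(b"EHLO spambot.invalid\r\n")   # speaks before the banner is complete
        banner = b""
        while b"\r\n220 " not in b"\r\n" + banner:       # wait for the final '220 ' line
            try:
                chunk = client.recv(1024)
            except ConnectionResetError:
                break
            if not chunk:
                break
            banner += chunk
    server.join()
    listener.close()
    return result.get("verdict")


if __name__ == "__main__":
    print("remote, early talker   :", run_test(True, peer_ip_override="203.0.113.5"))
    print("remote, well-behaved   :", run_test(False, peer_ip_override="203.0.113.5"))
    print("localhost, early talker:", run_test(True))
```

The third case is the original poster's situation: the client speaks early, but because 127.0.0.1 is inside the access list the server never runs the test, so there is nothing to log.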
Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?
>> Save the message to a file. And test like this:
>>
>> % postmap -q - pcre:/etc/postfix/body_checks.pcre
>
> So does this.
>
> cat << EOF > /tmp/testfile
> TEST BAD CONTENT
> EOF
> postmap -q - pcre:/etc/postfix/body_checks.pcre

You could use the message file from your imap server or look at the raw message in your mail program and save that to a file...

> Thanks,
> Billy

Christian
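
postmap -q tests one key at a time, which is why a hand-typed test line matches while the real message slips through: Postfix runs body_checks against every body line of the saved message separately, and the first matching rule decides for that line. The following is an added example (not from the thread, not Postfix's own matcher) that performs the same dry run over a saved body with pcre_table(5)-style rules; patterns are compiled with Python's re module, which covers the PCRE subset used in typical rules, and both the rule table and the message bodies are constructed samples.

```python
"""Offline dry run of a Postfix body_checks(5) pcre table.

Added example, not from the thread and not Postfix's own matcher. It
applies pcre-style rules to a saved message body the way Postfix does
when the table is used in body_checks: each body line is tested on its
own, the first matching rule decides, and the action (REJECT, DISCARD,
WARN, IGNORE, OK, DUNNO) is carried out. Patterns are compiled with
Python's re module, which covers the PCRE subset used in typical rules
(case-insensitive by default, as in pcre_table(5)); the rules and the
message bodies below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed rule table in pcre_table(5) syntax.
SAMPLE_RULES = r"""
# test pattern used when checking that the table is active
/^TEST BAD CONTENT$/                         REJECT Test pattern matched
# log, but keep, lines that link into the reserved .invalid TLD
/(https?:\/\/[a-z0-9.-]+\.invalid)/          WARN suspicious link to $1
# strip a marker line that an upstream tool inserts
/^--- begin trace ---$/                      IGNORE
"""

# Constructed message body: the WARN and IGNORE rules should fire, nothing rejects.
SAMPLE_BODY = ("Hello,\n"
               "--- begin trace ---\n"
               "see http://tracker.invalid/x for details\n"
               "--- begin trace ---\n"
               "Regards\n")

RULE_RE = re.compile(r"^(?P<neg>!?)/(?P<pat>.*)/(?P<flags>[imx]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")

Rule = Tuple["re.Pattern[str]", bool, str, str]   # (regex, negated, ACTION, reply text)


def parse_rules(table: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line!r}")
        # pcre_table(5): matching is case-insensitive unless the 'i' flag toggles it off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        if "x" in m["flags"]:
            flags |= re.VERBOSE
        rules.append((re.compile(m["pat"], flags), m["neg"] == "!",
                      m["action"].upper(), m["text"] or ""))
    return rules


@dataclass
class Result:
    action: str                                      # REJECT, DISCARD, or OK (message passes)
    text: str = ""                                   # reply text of the rule that fired
    body: List[str] = field(default_factory=list)    # lines left after IGNORE
    warnings: List[str] = field(default_factory=list)


def check_body(body: str, rules: List[Rule]) -> Result:
    kept: List[str] = []
    warnings: List[str] = []
    for line in body.splitlines():
        keep = True
        for regex, negated, action, text in rules:
            m = regex.search(line)
            if (m is not None) == negated:           # rule did not match this line
                continue
            # Postfix substitutes $1..$9 from the match into the reply text.
            detail = m.expand(re.sub(r"\$([1-9])", r"\\\1", text)) if m and text else text
            if action in ("REJECT", "DISCARD"):
                return Result(action, detail, kept, warnings)
            if action == "WARN":
                warnings.append(detail)
            elif action == "IGNORE":
                keep = False
            break                                    # first matching rule decides for this line
        if keep:
            kept.append(line)
    return Result("OK", "", kept, warnings)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(check_body("Hi\nTEST BAD CONTENT\nbye", rules))
    print(check_body(SAMPLE_BODY, rules))
```

When a real message passes here while a typed test line rejects, look at how the body actually arrives: MIME parts, quoted-printable encoding or a line wrap can split the text the pattern expects across lines, and body_checks sees each line on its own.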
Re: Postfix 3.0 also introduces inline:
On 2015-11-17 12:08, Postfix User wrote:
> Okay, I suppose I don't pay as close attention to release announcements as I should. I noticed this in another post recently:
>
> Postfix 3.0 also introduces inline: tables whose keys and values are stored inside main.cf
>
> I did not see any documentation on the Postfix site for that. Am I just blind, or is it documented somewhere there?

First try: http://www.postfix.org/DATABASE_README.html#types

> Thanks!

- christian
RE: rejecting email from specific domains
On 17 November 2015 at 06:31:23 MEZ, Chris Boylan wrote:
>So if I build a one line /etc/postfix/access with
>.xyz REJECT
>
>and use smtpd_sender_restrictions=check_sender_access
>

You have to add the path to the access map, e.g. you postmap the /etc/postfix/access file and add hash:/etc/postfix/access after check_sender_access.

>That seems from the documentation like it would reject all email from
>.XYZ.
>Is this a reasonable approach?
>
> Regards C
>
>-----Original Message-----
>From: owner-postfix-us...@postfix.org
>[mailto:owner-postfix-us...@postfix.org]
>On Behalf Of Viktor Dukhovni
>Sent: Monday, November 16, 2015 22:55
>To: postfix-users@postfix.org
>Subject: Re: rejecting email from specific domains
>
>On Mon, Nov 16, 2015 at 10:38:07PM -0600, Chris Boylan wrote:
>
>> I think I'd like to key off the from information and block anything,
>> for
>> example, that self-identifies as being from a sender in .xyz domain.
>
>The ".xyz" domain is a real TLD, for a generic example use ".example"
>or "example.com", ...
>
>> Would appreciate being pointed in the right direction as I'm just
>> drawing a
>> blank.
>
>http://www.postfix.org/SMTPD_ACCESS_README.html#lists
>http://www.postfix.org/access.5.html
>http://www.postfix.org/BUILTIN_FILTER_README.html
>
>Envelope senders are blocked with:
>
>http://www.postfix.org/postconf.5.html#check_sender_access
>
>Header senders can be blocked with header_checks(5), but this does
>not always give good results, because regular expressions in headers
>don't really parse the header particularly well and are difficult
>to craft. I don't recommend header_checks(5) for blocking by header
>sender address.
>
>If you can find a "Sieve" milter, it will make it much
>easier to construct rules on header addresses.
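
Two threads on this page turn on what check_sender_access actually looks up: the "Sender address rejected: Access denied" thread near the top, where the reply asks what the sender_access maps contain, and the one-line ".tld REJECT" map just above. The following is an added example (not Postfix code) that reproduces the key order access(5) and postconf(5) describe for an indexed table: the full address, then the domain and its parents, then user@, with a null sender looked up as "<>". It also shows the leading-dot subtlety: with smtpd_access_maps in parent_domain_matches_subdomains (the default) parent domains are keyed bare, so a ".tld" key never matches. The tables are constructed; the TLD sample uses .example, as Viktor suggests, in place of .xyz.

```python
"""Which access(5) key does a sender address hit, and in what order?

Added example, not Postfix code. It reproduces the lookup order that
access(5) and postconf(5) describe for check_sender_access with an
indexed table (hash:, btree:, ...): the full address user@domain, then
the domain and its parent domains, then user@; a null sender is looked
up as '<>' (the smtpd_null_access_lookup_key default). How parent
domains are keyed depends on whether smtpd_access_maps is listed in
parent_domain_matches_subdomains (the default): listed, parents are
looked up bare ('example.com', 'com'); not listed, they carry a leading
dot ('.example.com', '.com'). The tables below are constructed; they
stand in for the sender_access map asked about in the first thread and
for the one-line leading-dot map from the second.
"""
from typing import Dict, List, Optional, Tuple

NULL_SENDER_KEY = "<>"          # default smtpd_null_access_lookup_key

SENDER_ACCESS: Dict[str, str] = {          # constructed stand-in for hash:/etc/postfix/sender_access
    "bulk@news.example.org": "OK",
    "news.example.org": "REJECT Sender address rejected: Access denied",
    "noreply@": "REJECT No-reply senders are not accepted here",
    "<>": "OK",
}
DOTTED_TLD_TABLE = {".example": "REJECT"}  # the '.tld REJECT' one-liner, with .example for .xyz
BARE_TLD_TABLE = {"example": "REJECT"}     # the same intent, keyed the way the default style needs


def lookup_keys(address: str, parents_bare: bool = True) -> List[str]:
    """Keys Postfix tries, in order, for one sender address."""
    if not address:
        return [NULL_SENDER_KEY]
    address = address.lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"not an address with a domain part: {address!r}")
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):            # parent domains, down to the TLD
        parent = ".".join(labels[i:])
        keys.append(parent if parents_bare else "." + parent)
    if local:
        keys.append(local + "@")
    return keys


def resolve(address: str, table: Dict[str, str],
            parents_bare: bool = True) -> Optional[Tuple[str, str]]:
    """First (key, action) the table holds for the address, or None if nothing matches."""
    for key in lookup_keys(address, parents_bare):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    for sender in ("bulk@news.example.org", "other@news.example.org",
                   "noreply@shop.example.net", ""):
        print(f"{sender or '<>':28} -> {resolve(sender, SENDER_ACCESS)}")
    print("a@mail.example vs .example, default style  :", resolve("a@mail.example", DOTTED_TLD_TABLE))
    print("a@mail.example vs .example, dotted style   :",
          resolve("a@mail.example", DOTTED_TLD_TABLE, parents_bare=False))
    print("a@mail.example vs example,  default style  :", resolve("a@mail.example", BARE_TLD_TABLE))
```

To check a real map, run postmap -q KEY hash:/etc/postfix/sender_access for each key lookup_keys() returns; the first key that prints a result is the entry that produced the "Access denied" reply. The same order applies to check_sender_mx_access and check_sender_ns_access, except that the looked-up names are the sender domain's MX and NS hostnames rather than the address itself.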
Re: Weak Ciphers
Hi John,

On 2015-11-08 13:52, John Allen wrote:
> I ran the ssl-tools tests on my mail server. Everything seems to be OK, BUT it reports that I am using a weak cipher "ECDHE_RSA_WITH_RC4_128_SHA"!
>
> So I sat down and googled - postfix/dovecot/apache - cipher suites/recommendations less than one year old. I gave up at about the fifteenth response. Every one of them was different and gave me lists of ciphers ranging in length from about eight to almost a full web page.
>
> Would somebody point me in the right direction. I am trying to make my installation secure, but manageable.

I am using Viktor's recommendation from August 2015 here on the list, see:
-> http://thread.gmane.org/gmane.mail.postfix.user/251935/focus=251935

The ssl-tools.net test warns about supported weak ciphers, namely ECDHE_RSA_WITH_RC4_128_SHA as in your result. Checking the mail log of my small 6-user mail server shows that in the last month 70 of nearly 16000 inbound TLS connections used an RC4 cipher, the majority (48) coming from Yahoo using TLSv1 ECDHE-RSA-RC4-SHA.

Testing with https://www.checktls.com, the test selects the most used (~13000 inbound connections) cipher my server offers, TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384.

regards
christian
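
The "70 of nearly 16000" figure in the reply comes from counting the cipher Postfix logs for each inbound TLS session. The following is an added example (not from the thread) that does that count over the "TLS connection established" lines the Postfix SMTP server writes and flags sessions that used a weak family (RC4, as in the ssl-tools result, plus 3DES, MD5-MAC, NULL and export ciphers); the log lines are constructed samples in Postfix's own format, and the hosts use documentation addresses.

```python
"""Count the TLS protocols and ciphers in Postfix smtpd logs.

Added example, not from the thread. It reads the 'TLS connection
established' lines the Postfix SMTP server logs for inbound sessions
and counts how many used a cipher from a weak family (RC4, as in the
ssl-tools result quoted above, plus 3DES, MD5-MAC, NULL and export
ciphers), the kind of count behind the '70 of nearly 16000' figure in
the reply. The log lines are constructed samples in Postfix's own
format; hosts use documentation addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

SAMPLE_LOG = """\
Nov  8 10:12:01 uschi postfix/smtpd[1201]: Anonymous TLS connection established from mta-a.example.com[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 10:13:44 uschi postfix/smtpd[1207]: Anonymous TLS connection established from mta-b.example.net[198.51.100.5]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Nov  8 10:14:02 uschi postfix/smtpd[1209]: Trusted TLS connection established from relay.example.org[203.0.113.7]: TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Nov  8 10:15:30 uschi postfix/smtp[1300]: Untrusted TLS connection established to mx.example.com[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 10:16:11 uschi postfix/smtpd[1211]: Anonymous TLS connection established from mta-b.example.net[198.51.100.6]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Nov  8 10:17:50 uschi postfix/smtpd[1214]: connect from unknown[203.0.113.99]
"""

# Inbound sessions only: 'postfix/smtpd' logs 'established from'; the client
# side ('postfix/smtp', 'established to') is the outbound picture.
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<trust>Anonymous|Trusted|Untrusted|Verified) TLS connection "
    r"established from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) "
    r"with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)")

# Substrings of OpenSSL cipher names that identify a weak family.
WEAK_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP-")


@dataclass(frozen=True)
class TlsSession:
    host: str
    ip: str
    proto: str
    cipher: str
    trust: str


def is_weak_cipher(cipher: str) -> bool:
    name = cipher.upper()
    return any(marker in name for marker in WEAK_MARKERS)


def parse_tls_lines(lines: Iterable[str]) -> List[TlsSession]:
    sessions: List[TlsSession] = []
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            sessions.append(TlsSession(m["host"], m["ip"], m["proto"], m["cipher"], m["trust"]))
    return sessions


def summarize(sessions: List[TlsSession]) -> Dict[str, object]:
    weak = [s for s in sessions if is_weak_cipher(s.cipher)]
    return {
        "total": len(sessions),
        "weak": len(weak),
        "ciphers": Counter((s.proto, s.cipher) for s in sessions),
        "weak_ciphers": Counter((s.proto, s.cipher) for s in weak),
        "weak_hosts": Counter(s.host for s in weak),   # who would be cut off by excluding them
    }


if __name__ == "__main__":
    summary = summarize(parse_tls_lines(SAMPLE_LOG.splitlines()))
    print(f"{summary['weak']} of {summary['total']} inbound TLS sessions used a weak cipher")
    for (proto, cipher), count in summary["weak_ciphers"].most_common():
        print(f"  {count:6} {proto} {cipher}")
    for host, count in summary["weak_hosts"].most_common():
        print(f"  {count:6} from {host}")
```

Run over a month of mail.log before tightening smtpd_tls_exclude_ciphers, the weak_hosts count tells you which senders would fall back to cleartext once those ciphers are gone, which is the trade-off the reply is weighing.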
Re: OpenDKIM
Hi

On 2015-11-07 14:30, John Allen wrote:
> Interesting! I tried a couple of DKIM test sites, one says I am signing my emails, the other says I am not!!
> Mailradar says I am not signing! DKIMValidator says I am!

They are both right. Mailradar checks for DomainKeys (rfc4870) signatures; DomainKeys' successor is DKIM (rfc4871 and rfc6376). DomainKeys and DKIM both use a signature in the mail headers and keys in DNS.

I'd say that your mails are correctly DKIM signed, this one is:

From the headers of the email I now reply to:

Authentication-Results: uschi.sec-svcs.eu; dkim=pass (1024-bit key; secure) header.d=klam.ca header.i=@klam.ca header.b=JMyFd1MM; dkim-adsp=pass; dkim-atps=neutral

Regards
christian
Re: OpenDKIM
On 2015-11-07 16:41, Mike wrote:
> On 11/7/2015 9:09 AM, Steve Jenkins wrote:
>> On Saturday, November 7, 2015, John Allen wrote:
>>> Interesting! I tried a couple of DKIM test sites, one says I am signing my emails, the other says I am not!!
>>> Mailradar says I am not signing! DKIMValidator says I am!
>>
>> My favorite "test site" for SPF, DKIM, DMARC configuration and validation is sending to a Gmail account and then viewing the raw message headers.
>
> Does gmail display whether or not the DNS information for DKIM is secured by DNSSEC?

No, that's not displayed.
Re: This maybe off topic, but could somebody tell me what i am doing wrong?
On 2015-10-21 01:51, John Allen wrote:
> I have not looked at the code, so I am guessing, but it seems that mail/mailx handle a continuous block of text differently to a multi-line block. I am not competent to decide if that is as it should be or not.

I have a script that checks for various available updates and the results are written to a file whose contents I redirect to mailx, and that works well with multiline text:

mailx -n -s "Subject" -r f...@example.com t...@example.net <$file

I don't recall why I chose this approach but it could be that I was having the same issues with piping to mailx.

Regards
Christian

> thanks everyone
> John A
Re: This maybe off topic, but could somebody tell me what i am doing wrong?
On 2015-10-20 12:38, John Allen wrote:
> That is in fact what is installed. Mail and mailx are symlinks to heirloom-mailx.

True, symlinked to the same binary.

Just tried your initial command. The resulting email has the text "message text" in the body when run as

echo "message text \r" | /usr/bin/mail -s "Server xxx - Alert" -r f...@example.com t...@example.net

but I get the same error as you when I run the command

echo -e "message text \r" | /usr/bin/mail -s "Server xxx - Alert" -r f...@example.com t...@example.net

mailx seems to base64 encode the message text because of the \r?

The difference between these two invocations in the mail headers is:

echo without -e
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

echo with -e
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

regards
christian
Re: This maybe off topic, but could somebody tell me what i am doing wrong?
On 20 October 2015 02:58:43 CEST, John Allen wrote:
> That should say echo -e "message text \r" |
> Sorry about that

I'd recommend you install the package heirloom-mailx, it's much more flexible in what you can do with it.

Regards
Christian
Re: Helo command rejected: need fully-qualified hostname; 504 5.5.2
Hi,

On 2015-10-13 05:22, Richard B. Pyne wrote:
> I am running postfix 2.10.1, dovecot 2.2.10, with postfixadmin and maia mailguard.
> I am trying to figure out how to disable the HELO/EHLO reject_non_fqdn_hostname on the submission port since many (most) desktop and laptop clients don't send it. I want to keep the restriction on port 25
>
> Thanks.
>
> --Richard
[...]
> master.cf
> smtp      inet  n       -       n       -       -       smtpd
> #
> submission inet n       -       n       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

add
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
to the submission port settings...

> #
> smtps     inet  n       -       n       -       -       smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> #

...as are set on port 465. That removes/overrides the setting from main.cf.

regards
christian
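An added example (not from the thread or from Postfix) that makes the override rule above visible: it parses the master.cf fragment Richard posted and reports which smtpd_helo_restrictions each smtpd service ends up with. The main.cf value is an assumption standing in for Richard's global setting.

```python
MAIN_CF = {  # assumption: the global value Richard's main.cf is taken to hold
    "smtpd_helo_restrictions": "permit_mynetworks,reject_non_fqdn_helo_hostname,permit",
}

# master.cf text constructed from the fragment quoted in the thread
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""


def parse_master_cf(text):
    """Map each service name to its command plus its "-o name=value" overrides.
    Indented lines are continuation lines of the preceding service entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            tokens = line.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-o":
                    key, _, value = tokens[i + 1].partition("=")
                    services[current][key] = value
        else:
            fields = line.split()  # service type private unpriv chroot wakeup maxproc command
            current = fields[0]
            services[current] = {"_command": fields[7]}
    return services


def effective_setting(services, param, main_cf=MAIN_CF):
    """For every smtpd service: its own -o override, else the main.cf value."""
    return {name: o.get(param, main_cf.get(param, ""))
            for name, o in services.items() if o.get("_command") == "smtpd"}


if __name__ == "__main__":
    for svc, val in effective_setting(parse_master_cf(MASTER_CF), "smtpd_helo_restrictions").items():
        print(f"{svc:<11} {val}")
```

Without the added -o line, submission inherits the main.cf restriction just like port 25, while smtps already carries its own.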
Re: Error: queue file write error
On 10 October 2015 17:53:12 CEST, Dan Lists wrote:
> I am receiving the transcript file with the error "Error: queue file write error." It appears that postfix is timing out the connection after 10 minutes. The thing that disturbs me is that nothing is logged. Is there a way to get postfix to put something in the logs?

How much space is reported to be free in the filesystem?

- Christian
Re: postgresql table does not exist error
Hi,

> the postfix file (/etc/postfix/pgsql-aliases.cf) has this
>
> hosts = /run/postgresql/

You should specify the socket to use.

From http://www.postfix.org/pgsql_table.5.html

hosts
    The hosts that Postfix will try to connect to and query from. Specify unix: for UNIX-domain sockets, inet: for TCP connections (default). Example:

        hosts = host1.some.domain host2.some.domain:port
        hosts = unix:/file/name

    The hosts are tried in random order, with all connections over UNIX domain sockets being tried before those over TCP. The connections are automatically closed after being idle for about 1 minute, and are re-opened as necessary.

    NOTE: the unix: and inet: prefixes are accepted for backwards compatibility reasons, but are actually ignored. The PostgreSQL client library will always try to connect to an UNIX socket if the name starts with a slash, and will try a TCP connection otherwise.

> user = mailreader
> dbname = mail
> query = SELECT alias FROM "al" WHERE email='%s'

Regards
- christian
Re: Dynamic 'myhostname'
On 10 September 2015 23:13:59 CEST, Mick wrote:
> On 10/09/2015 21:13, Wietse Venema wrote:
>> Mick:
>>> Hi,
>>>
>>> I'm trialling DMARC to two of my domains. On checking the results when posting from the secondary domain I receive 'SPF Domain Alignment Result = FAIL'. I think this is because postfix always says HELO with the primary domain name, which is obviously different to the secondary. Is there a way to rewrite the message envelope to say HELO using the same domain used in the from field?
>> I suspect that the problem is that the SMTP client IP address does not match the SPF rule.
>>
>> You may want to set up sender_dependent_default_transport to use different Postfix SMTP clients depending on the envelope sender email address, with "-o smtp_bind_address" settings in master.cf for the proper client IP address.
> Hi Wietse,
>
> I only have 1 IP address (2 if you count the IPv6 address). A reverse DNS lookup will always find my primary domain so even if I used 'sender_dependent_default_transport' and set up multiple switches just to change HELO name, they still have to point to the same IP. If reverse DNS was then carried out, secondary domain provided in the HELO would not match and mail could be rejected. Think I'm stuffed without additional IPv4s, but at least I know why.

Your setup should work. I have a similar setup with 5 domains of which the one that holds the helo-name of my Mailserver is not my primary maildomain... and that works well with spf dkim and dmarc.

When searching for your error message it seems that maybe your envelope and from aren't aligned, this could be checked on spf test websites that analyse your setup after you send them an email to a special one-time address.

Have you had a look at the spf rfc 7208?

Regards
Christian

> Thanks for your advice.
>
> Mick.
>
>> Wietse
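An added example, not part of the thread, of the DMARC identifier-alignment test (RFC 7489) that produces the 'SPF Domain Alignment Result = FAIL' Mick sees: what is compared is the From: header domain against the SPF-authenticated MAIL FROM domain (or the DKIM d= domain), not the HELO name. Domains are constructed placeholders and the public-suffix list is reduced to a few entries so it runs offline.

```python
# Assumption: a tiny stand-in for the public suffix list, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain (RFC 7489 section 3.2): the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_evaluate(header_from, mail_from, spf_pass, dkim_d, dkim_pass,
                   aspf="r", adkim="r"):
    """Combine SPF/DKIM results with alignment, as a DMARC verifier does.
    header_from: domain of the From: header; mail_from: envelope sender domain
    that SPF was evaluated against; dkim_d: d= of a passing signature or None."""
    spf_aligned = bool(spf_pass and aligned(header_from, mail_from, aspf))
    dkim_aligned = bool(dkim_pass and dkim_d is not None
                        and aligned(header_from, dkim_d, adkim))
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Constructed: From: on the secondary domain, envelope sender on the primary one.
    print(dmarc_evaluate("example.net", "example.org", spf_pass=True,
                         dkim_d=None, dkim_pass=False))
```

Fixing the envelope sender to match the From: domain, or signing with a d= on the From: domain, makes the same message pass; changing the HELO name alone changes nothing here.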
Re: making relay access denied permanent
Hi,

On 2015-09-05 14:07, A. Meyer wrote:
> Hello!
>
> # postconf mail_version
> mail_version = 2.11.3
>
> I have this in my log this morning:
>
> Sep 5 08:05:46 bitmachine1 postfix/smtpd[7475]: NOQUEUE: reject: RCPT from unknown[14.215.136.46]: 454 4.7.1: Relay access denied; from= to= proto=ESMTP helo=
> Sep 5 08:05:49 bitmachine1 postfix/smtpd[7475]: too many errors after DATA from unknown[14.215.136.46]
>
> How can I change the temporary 454 to a 5xx reject?

Take a look at http://www.postfix.org/postconf.5.html#soft_bounce

> I don't find anything in the main.cf regarding this.
>
> smtpd_recipient_restrictions =
>     check_sender_access hash:/etc/postfix/access_sender,
>     permit_mynetworks,
>     #check_recipient_access hash:/etc/postfix/hold,
>     reject_sender_login_mismatch,
>     permit_sasl_authenticated,
>     #permit_mynetworks,
>     reject_invalid_helo_hostname,
>     reject_unlisted_recipient,
>     reject_unknown_sender_domain,
>     check_sender_access pcre:/etc/postfix/umlaute.pcre,
>     check_recipient_access pcre:/etc/postfix/umlaute.pcre,
>     reject_unauth_destination,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client spam.bl.alt-backspace.org,
>     reject_rbl_client spamtrap.bl.alt-backspace.org,
>     check_client_access cidr:/etc/postfix/client.cidr,
>     check_policy_service inet:127.0.0.1:10023
>
> # postconf -n | grep reject_code
> unknown_address_reject_code = 550
>
> # postconf -d | grep reject_code
> access_map_reject_code = 554
> invalid_hostname_reject_code = 501
> maps_rbl_reject_code = 554
> multi_recipient_bounce_reject_code = 550
> non_fqdn_reject_code = 504
> plaintext_reject_code = 450
> reject_code = 554
> relay_domains_reject_code = 554
> unknown_address_reject_code = 450
> unknown_client_reject_code = 450
> unknown_hostname_reject_code = 450
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 550
> unknown_virtual_alias_reject_code = 550
> unknown_virtual_mailbox_reject_code = 550
> unverified_recipient_reject_code = 450
> unverified_sender_reject_code = 450
>
> bitmachine1:/etc/postfix # fgrep -r 454 .
> bitmachine1:/etc/postfix # fgrep -r defer_unauth_destination .
>
> outputs nothing. I'm a bit helpless with this one.
>
> Greetings
> Andreas

regards
- c
Re: DKIM DNS record
On 2015-09-02 10:29, Martin Skjöldebrand wrote:
> Quoting Steve Jenkins:
>> On Wed, Aug 19, 2015 at 10:07 AM, Martin Skjöldebrand wrote:
>>> Following the tutorial here: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/ [1]
>>> What would a DKIM DNS record look like for my server mail.skjoldebrand.eu [2]?
>> Hi, Martin. This tutorial is WAY better. Of course, I'm a bit biased. :)
>> http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/ [3]
>> SJ
>
> After some problems with the hosting I've now gotten this to work using your tutorial. Maybe I'm missing it but the following setting was required for my server to send mail.
>
> RequireSafeKeys false
>
> It's not clear from http://www.opendkim.org/opendkim.conf.5.html if there are any implications of setting this (I've seen it recommended in other replies when Googling)?

From the manpage:

RequireSafeKeys (boolean)
    When reading a key file, a message will be logged if the key file has the read or write bit set other than for the owner or for a group that the executing process is in. With this feature set to "true", the filter will further consider this an error and refuse to make use of the file's contents. The default is "true".

Your key files are not owned by the user you run opendkim as. You should chown the key files to the user you run opendkim as. The user (and group) should be set in opendkim.conf as UserID.

> /Martin S

regards
- c
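An added example, not from the thread and not OpenDKIM's own code: a re-implementation of the RequireSafeKeys rule quoted from the manpage, plus the ownership point made above, so the reason a key file is refused can be checked before turning the safety check off. The key file is a constructed placeholder written to a temporary directory; the uid and groups passed in stand in for the opendkim UserID.

```python
import os
import stat
import tempfile


def unsafe_key_reasons(path, uid=None, gids=None):
    """Reasons a RequireSafeKeys=true filter would log for this key file.
    uid/gids stand in for the opendkim UserID; they default to this process."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid(), os.getegid()}
            if gids is None else set(gids))
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    # Manpage rule: read/write bits for "other" are never acceptable.
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        reasons.append("world-readable or world-writable")
    # Manpage rule: group bits are acceptable only for a group the filter is in.
    if mode & (stat.S_IRGRP | stat.S_IWGRP) and st.st_gid not in gids:
        reasons.append("group-readable/writable by a group the filter is not in")
    # Not part of the manpage rule, but the point made above: a file owned by
    # another user and locked down to 0600 is one the filter cannot open at all.
    if st.st_uid != uid and not (mode & stat.S_IRGRP and st.st_gid in gids):
        reasons.append("not owned by the filter user and not readable via its group")
    return reasons


def demo():
    """Write a constructed placeholder key (not a real key), first as 0644 and
    then as 0600, and report what the check says in each state."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "default.private")
        with open(path, "w") as f:
            f.write("-----BEGIN PLACEHOLDER KEY-----\n")
        os.chmod(path, 0o644)
        before = unsafe_key_reasons(path)
        os.chmod(path, 0o600)
        after = unsafe_key_reasons(path)
        # Same 0600 file as seen by a different (constructed) uid with no groups:
        # the situation chown fixes.
        other_owner = unsafe_key_reasons(path, uid=os.getuid() + 1, gids=())
    return before, after, other_owner


if __name__ == "__main__":
    for label, reasons in zip(("0644", "0600", "0600, other owner"), demo()):
        print(f"{label}: {reasons or 'ok'}")
```

Run it against the real key path as the opendkim user to see which of the three conditions applies before deciding between chmod, chown and RequireSafeKeys false.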