[pfx] Re: TLS config for gmail relay

2023-12-23 Thread Christian Kivalo via Postfix-users




On 2023-12-23 22:22, saunders.nicholas--- via Postfix-users wrote:
> I think that I have the SASL figured out, and probably it's a similar
> process to get the tls_policy compliant and functional.  The log:
>
> Dec 23 13:11:32 mordor postfix/smtp[287549]: error: open database
> /etc/postfix/tls_policy.db: No such file or directory

You need to run: postmap /etc/postfix/tls_policy

--
 Christian Kivalo
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
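
The "open database ... No such file or directory" error above is the general case of a lookup table that was referenced in main.cf but never compiled with postmap, or compiled before its source was last edited. The following is an added example, not code from this thread: it scans a main.cf text for hash:/btree:/cdb:/lmdb: references and reports compiled files that are missing or older than their source. The main.cf lines and table files that demo() creates are constructed for the demonstration.

```python
"""Find compiled Postfix lookup tables that are missing or stale.

Added example, not code from the mailing-list post. It scans a main.cf
text for hash:/btree:/cdb:/lmdb: table references and checks that the
compiled file postmap(1) produces exists and is at least as new as the
source text file. The main.cf and table files in demo() are constructed.
"""
import os
import re
import tempfile

# Table types that need postmap(1), and the suffix of the compiled file.
COMPILED_SUFFIX = {"hash": ".db", "btree": ".db", "cdb": ".cdb", "lmdb": ".lmdb"}

TABLE_REF = re.compile(r"\b(hash|btree|cdb|lmdb):(/[^\s,]+)")


def compiled_tables(main_cf_text):
    """Return [(type, source_path), ...] for every compiled-table reference."""
    refs = []
    for line in main_cf_text.splitlines():
        if line.lstrip().startswith("#"):      # main.cf comments start the line
            continue
        refs.extend(TABLE_REF.findall(line))
    return refs


def check_tables(main_cf_text):
    """Return one problem string per unusable table; [] means all are fine."""
    problems = []
    for ttype, src in compiled_tables(main_cf_text):
        db = src + COMPILED_SUFFIX[ttype]
        fix = f"run: postmap {ttype}:{src}"
        if not os.path.exists(src):
            problems.append(f"{ttype}:{src}: source file missing")
        elif not os.path.exists(db):
            problems.append(f"{ttype}:{src}: {db} missing, {fix}")
        elif os.path.getmtime(db) < os.path.getmtime(src):
            problems.append(f"{ttype}:{src}: {db} older than source, {fix}")
    return problems


def demo():
    """Build a constructed config in a temp dir: one table never compiled,
    one compiled before its source was last edited."""
    with tempfile.TemporaryDirectory() as d:
        policy = os.path.join(d, "tls_policy")
        passwd = os.path.join(d, "sasl_passwd")
        with open(policy, "w") as f:
            f.write("gmail.com\tsecure\n")                      # constructed
        with open(passwd, "w") as f:
            f.write("[smtp.gmail.com]:587 user:password\n")     # constructed
        open(passwd + ".db", "w").close()
        os.utime(passwd + ".db", (0, 0))   # compiled file predates the source
        main_cf = (f"smtp_tls_policy_maps = hash:{policy}\n"
                   f"smtp_sasl_password_maps = hash:{passwd}\n"
                   "# alias_maps = hash:/etc/aliases (commented out, ignored)\n")
        return check_tables(main_cf)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Run it against the real file with `check_tables(open("/etc/postfix/main.cf").read())`; the same staleness check applies to the sasl_passwd and debug_peer tables discussed further down this page.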


[pfx] Re: smtp auth on port 25

2023-08-15 Thread Christian Kivalo via Postfix-users



On August 15, 2023 2:15:21 AM GMT+02:00, Jon Smart via Postfix-users 
 wrote:
>Hello,
>
>I have disabled port 587/465 to be accessed publicly.
>
>but port 25 must be open to internet for MTA communications.
>
>My question is, can external users access port 25 for smtp auth and send
>mail then?
Not if you disable auth on port 25, which you should. For MTA to MTA 
communication you don't need smtp auth enabled to receive mails destined to 
your server.
Your users should use ports 465/587 with auth to send their mail. Auth should 
only be enabled on the ports you intend to use for mail submission.
-- 
Christian Kivalo
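
The reply above comes down to one rule: smtpd_sasl_auth_enable must end up "no" on the port 25 service and "yes" only on submission/smtps. Because a main.cf setting applies to every smtpd instance unless a master.cf service overrides it with "-o", a global "smtpd_sasl_auth_enable = yes" silently turns AUTH on for port 25 too. The following is an added example, not code from this thread: it parses a master.cf excerpt (constructed here), computes the effective value per inet service, and lists non-submission services that would accept logins. The function and constant names are this example's own.

```python
"""Flag smtpd services in master.cf that accept SASL AUTH on a port that
is not a submission port (465/587).

Added example, not code from the mailing-list post. The master.cf excerpt
below is constructed. The effective value of smtpd_sasl_auth_enable for a
service is the main.cf value unless the service overrides it with
"-o smtpd_sasl_auth_enable=...", which is what this check reproduces.
"""
import re

SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup     unix  n       -       y       60      1       pickup
"""

# Service names (or ports) on which client logins are expected.
SUBMISSION_SERVICES = {"submission", "587", "smtps", "465"}

OVERRIDE = re.compile(r"^\s+-o\s+([^=\s]+)=(\S*)")


def parse_master_cf(text):
    """Return [(service, type, command, {option: value}), ...]."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                    # continuation: -o name=value
            m = OVERRIDE.match(line)
            if m and services:
                services[-1][3][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        services.append((fields[0], fields[1], fields[7], {}))
    return services


def sasl_on_mta_ports(master_cf_text, main_cf_sasl_auth_enable="no"):
    """Return the inet smtpd services where AUTH ends up enabled although
    the service is not a submission service (e.g. port 25)."""
    exposed = []
    for name, stype, command, opts in parse_master_cf(master_cf_text):
        if stype != "inet" or command != "smtpd":
            continue
        effective = opts.get("smtpd_sasl_auth_enable", main_cf_sasl_auth_enable)
        port_or_name = name.rsplit(":", 1)[-1]   # handles "127.0.0.1:10025" too
        if effective == "yes" and port_or_name not in SUBMISSION_SERVICES:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("main.cf smtpd_sasl_auth_enable=no :", sasl_on_mta_ports(SAMPLE_MASTER_CF))
    print("main.cf smtpd_sasl_auth_enable=yes:", sasl_on_mta_ports(SAMPLE_MASTER_CF, "yes"))
```

With the main.cf default (no) the sample passes; with a global yes the "smtp" service shows up, and the fix is either to keep the global default or to add "-o smtpd_sasl_auth_enable=no" to the smtp line. Pass the real files in with `sasl_on_mta_ports(open("/etc/postfix/master.cf").read(), postconf_value)` where postconf_value is the output of `postconf -h smtpd_sasl_auth_enable`.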


[pfx] Re: Postfix Help with a rejection message

2023-08-15 Thread Christian Kivalo via Postfix-users



On August 15, 2023 7:05:32 AM GMT+02:00, Chad Lundquist via Postfix-users 
 wrote:
>I am getting legitimate emails REJECTED by postfix and I need to figure out a 
>way to forward them or whitelist them from getting blocked.
>
> 
>
>I am using PFLogsumm and see this:
>
> 
>
>message reject detail
>
>-
>
>  RCPT
>
>450 4.7.1 : Helo 
> command rejected: Host not found; from=<03349...@alight.com> 
> to= proto=ESMTP 
> helo= (total: 21)
>
>  21   amazonaws.com  (03349...@alight.com)
>
> 
>
>What file do I edit in postfix to allow this message to flow and get delivered 
>or whitelisted?
>

Do you by any chance have reject_unknown_helo_hostname in your 
smtpd_*_restrictions in main.cf? This results in a reject when the announced 
HELO name has no A/MX DNS entry.
The host from your log message has no DNS A entry.

-- 
Christian Kivalo


[pfx] Re: Anyone using SMTP relay through dnsexit.com?

2023-06-23 Thread Christian Kivalo via Postfix-users

> My settings
>
> main.cf:
> relayhost = [relay.dnsexit.com]:587
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options =
>
> And my sasl_passwd file (and yes, I did do a postmap after my changes)
> relay.dnsexit.com:587 myusername:mypassword
Your lookup key is missing the [ ] you used for the relayhost setting. 
This results in no authentication to the dnsexit relay.
This is described in the section "Enabling SASL authentication in the 
Postfix SMTP/LMTP client" of the SASL README file at 
https://www.postfix.org/SASL_README.html#client_sasl_enable



--
 Christian Kivalo
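
The silent failure in this thread is worth catching before it reaches the log: a sasl_passwd key that matches nothing simply makes the SMTP client skip authentication. Per the smtp_sasl_password_maps description, the table holds one entry per remote hostname or next-hop destination, so the usable keys for "relayhost = [relay.dnsexit.com]:587" are the bare server hostname or the next-hop written exactly as in relayhost, brackets and port included; "relay.dnsexit.com:587" is neither. The following is an added example, not code from this thread: it reproduces those two lookup keys, flags near-miss keys, and also checks the file mode, since the SASL README wants the password file readable by root only. The sasl_passwd content and the demo() values are constructed.

```python
"""Check that a sasl_passwd source file actually has an entry for the
configured relayhost, and that the file is not group/world readable.

Added example, not code from the mailing-list post. The SMTP client can
match a credential entry by the remote server's hostname or by the next-hop
destination written exactly as in relayhost (including [ ] and :port); this
check reproduces those two lookup keys. The inputs in demo() are constructed.
"""
import os
import stat
import tempfile


def split_nexthop(nexthop):
    """'[host]:port' / '[host]' / 'host:port' / 'host' -> (host, port)."""
    if nexthop.startswith("["):
        host, _, rest = nexthop[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = nexthop.partition(":")
    return host, port


def parse_sasl_passwd(text):
    """Return {lookup_key: 'user:password'}; key and value are whitespace separated."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1].strip()
    return entries


def lookup_keys(relayhost):
    """Keys the SMTP client tries: the server hostname and the next-hop as written."""
    host, _ = split_nexthop(relayhost)
    return [host, relayhost]


def check_relayhost_key(relayhost, sasl_passwd_text):
    """None when credentials will be found; otherwise a diagnostic string."""
    entries = parse_sasl_passwd(sasl_passwd_text)
    if any(key in entries for key in lookup_keys(relayhost)):
        return None
    want_host, _ = split_nexthop(relayhost)
    near = [k for k in entries if split_nexthop(k)[0] == want_host]
    if near:
        return (f"key {near[0]!r} does not match relayhost {relayhost!r}: "
                f"write it exactly as relayhost, including [ ] and :port")
    return f"no entry for {relayhost!r}: the SMTP client will send unauthenticated"


def check_permissions(path):
    """Return a diagnostic if the file is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path}: mode {mode:04o}, should be 0600 (chmod 600 {path})"
    return None


def demo():
    """Run both checks on constructed inputs; returns (key_problem, perm_problem)."""
    relayhost = "[relay.dnsexit.com]:587"
    wrong = "relay.dnsexit.com:587 myusername:mypassword\n"   # shape of the post's line
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(wrong)
        path = f.name
    try:
        os.chmod(path, 0o644)          # deliberately too open for the demo
        return check_relayhost_key(relayhost, wrong), check_permissions(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Remember that the compiled sasl_passwd.db inherits nothing from the source file's mode; run check_permissions on both, and re-run postmap after every edit.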


[pfx] Re: Painful Postfix

2023-04-30 Thread Christian Kivalo via Postfix-users


On April 30, 2023 7:03:59 AM GMT+02:00, Kolusion K via Postfix-users 
 wrote:
>So, I tried using the 'debug_peer_list' parameter like this, but it didn't 
>work...
> 
>debug_peer_list = 1.2.3.4, 5.6.7.8
Last time I had to debug an SMTP session I implemented it like this, in main.cf (I use 
cdb, but hash should also work):
debug_peer_list = cdb:/etc/postfix/debug_peer

The content of debug_peer being:
1.2.3.4 check
2.3.4.5 check

Don't forget to postmap that file:
postmap /etc/postfix/debug_peer

The smtp session is in your mail log. 

>I did restart the Postfix service after applying the change to 'main.cf'.
> 
> 
>It looks like Postfix lacks the capability to show the SMTP session, right?
> 
>Thanks
> 
> 
>Kolusion
> 
> 
>
>Sent: Sunday, April 30, 2023 at 2:54 PM
>From: "Kolusion K" 
>To: postfix-users@postfix.org
>Subject: Painful Postfix
>Hello again
>
>
>I am again trying to use the 'debug_peer_list' parameter to see if it will 
>show me the SMTP session in the mail log.
>
>The e-mail address I am sending to has a server or servers with multiple IP 
>addresses. How can I go about using multiple IP addresses with the 
>'debug_peer_list' parameter?
>
>Like this?
>
>debug_peer_list = 1.2.3.4 5.6.7.8
>
>or perhaps like this?
>
>debug_peer_list = 1.2.3.4, 5.6.7.8
>
>
>Thanks
>
>Kolusion
>___
>Postfix-users mailing list -- postfix-users@postfix.org
>To unsubscribe send an email to postfix-users-le...@postfix.org

-- 
Christian Kivalo


RE: Wrong Domain in Null Client Setup

2022-09-27 Thread Christian Kivalo



On September 27, 2022 10:16:40 PM GMT+02:00, Eddie Rowe 
 wrote:
>In my last email I did share that I tried setting myhostname in the main.cf to 
>the FQDN that is returned by the above steps and there was no change as part 
>of my troubleshooting.  After this I reloaded the configuration and even 
>restarted the service and postconf -d myhostname is still wrong.
That's because postconf -d myhostname gives you the _default_ configuration 
setting.

man postconf

   -d Print  main.cf default parameter settings instead of actual set‐
  tings.  Specify -df to fold long  lines  for  human  readability
  (Postfix 2.9 and later).

Use postconf myhostname to get the actual configured parameter.

>I am just baffled that /etc/hosts has the fully qualified domain name, the 
>/usr/bin/hostname -f command gives the output that is FQDN...not a programmer 
>so no idea how to see what the function that is documented does.
>
>
>-Original Message-
>From: owner-postfix-us...@postfix.org  On 
>Behalf Of Viktor Dukhovni
>Sent: Tuesday, September 27, 2022 1:28 PM
>To: postfix-users@postfix.org
>Subject: Re: Wrong Domain in Null Client Setup
>...
>
>Your mistake is to use "hostname -f".  Postfix uses the actual configured 
>hostname, not some randomly canonicalised version that changes unpredictably.  
>Either set the system hostname to the desired FQDN, or set "myhostname" in 
>main.cf.
>
>> Running postconf -d myhostname returns the host.localdomain where the 
>> host is the correct hostname, but localdomain is just the string 
>> "localdomain"
>
>You need to configure a fully-qualified hostname, or set myhostname explicitly.
>

-- 
Christian Kivalo


Re: smtpd NOQUEUE without reject

2022-08-05 Thread Christian Kivalo

On 2022-08-05 20:13, J David wrote:

I noticed something in our mail logs that I thought was unusual.

What does it mean when smtpd reports a NOQUEUE without any kind of
reject: reason?  All that's there is the client.

Aug  5 17:42:58 b1 postfix/smtpd[18503]: NOQUEUE:
client=a26-70.smtp-out.us-west-2.amazonses.com[54.240.26.70]
Aug  5 17:43:34 b1 postfix/smtpd[18632]: NOQUEUE:
client=mail-mw2nam12on2054.outbound.protection.outlook.com[40.107.244.54]
Aug  5 17:44:59 b1 postfix/smtpd[18653]: NOQUEUE:
client=mail-io1-f54.google.com[209.85.166.54]

I don't see any rhyme or reason to the affected clients.  There are
plenty of big email providers, small ones, etc.  I even found an
internal connection from another server, which helped me see that the
same connection *does* go on to send a message successfully after the
NOQUEUE.  Here's an example from outlook.com:

Aug  5 18:06:59 b1 postfix/smtpd[20637]: connect from
mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]
Aug  5 18:07:00 b1 postfix/smtpd[20637]: Trusted TLS connection
established from
mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]:
TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Aug  5 18:07:00 b1 postfix/smtpd[20637]: NOQUEUE:
client=mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]
Aug  5 18:07:04 b1 postfix/smtpd[20637]: proxy-accept: END-OF-MESSAGE:
250 2.6.0 from MTA(smtp:[127.0.0.1]:10027): 250 Queued on server;
from= to= proto=ESMTP
helo=


What is listening on 127.0.0.1:10027?


Aug  5 18:07:04 b1 postfix/smtpd[20637]: disconnect from
mail-mw2nam12olkn2071.outbound.protection.outlook.com[40.92.23.71]
ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7

There's only one mail, one rcpt, etc shown in the disconnect summary,
and one actual message with one recipient did go through, so I just
don't understand where the NOQUEUE came from.

This appears to happen ~25,000 times a day, so I'd like to better
understand what's causing it and if it represents a problem.  Or if
I've just left a debug setting enabled somewhere. :-)

If it matters, this is on Postfix 3.7.2.

Thanks for any advice!


--
 Christian Kivalo


Re: Blacklisted - SASL Login Attempt

2022-01-13 Thread Christian Kivalo




On 2022-01-14 07:33, Maurizio Caloro wrote:

Hello, I see he tried to log in "authentication failed" and failed ,
but the IP is blacklisted, please why? should it not be blocked
before.

--

OS

Debian 10.11 - Postfix - mail_version = 3.4.14

--

Main.cf

postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/whitelistCIDR+IP, cidr:/etc/postfix/blacklistIP

--

BlacklistIP

root@mail:/etc/postfix# cat blacklistIP |  grep 5.188.206.199

5.188.206.199   REJECT

--

Mail.log

Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning:
unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after
AUTH from unknown[5.188.206.199]
This is smtps (port 465). Your config and blocklist are for postscreen, 
which should only be enabled for port 25.


--
 Christian Kivalo
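
Since postscreen only fronts the service it is configured on (normally port 25), an address in postscreen_access_list is still free to hammer AUTH on smtps and submission, which is exactly what the log above shows. The following is an added example, not code from this thread: it counts failed SASL logins per client and per smtpd service from log lines in the format of the one posted (the sample lines here are constructed), lists repeat offenders, and emits cidr: table lines that can be fed to check_client_access in the restrictions of the submission services themselves rather than to postscreen. The threshold, table comment and function names are this example's own choices.

```python
"""Count failed SASL logins per client and per smtpd service from Postfix
log lines, and emit cidr: access-map lines for repeat offenders.

Added example, not code from the mailing-list post. The log lines are
constructed in the format of the one in the post.
"""
import base64
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after AUTH from unknown[5.188.206.199]
Jan 14 07:18:03 nmail postfix/smtps/smtpd[7811]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 07:18:09 nmail postfix/submission/smtpd[7812]: warning: unknown[5.188.206.199]: SASL PLAIN authentication failed: authentication failure
Jan 14 07:18:20 nmail postfix/submission/smtpd[7813]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 07:19:01 nmail postfix/submission/smtpd[7814]: warning: laptop.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan 14 07:19:30 nmail postfix/smtpd[7820]: connect from mx.example.org[203.0.113.5]
"""

# syslog_name can be "postfix" or "postfix/<service>" depending on master.cf.
AUTH_FAIL = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ "
    r"(?P<service>postfix(?:/[\w.-]+)?)/smtpd\[\d+\]: warning: "
    r"(?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed(?::\s*(?P<detail>.*))?$")


def auth_failures(lines):
    """Return {ip: Counter({service: n})} over the given log lines."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            per_ip[m["ip"]][m["service"]] += 1
    return per_ip


def offenders(lines, threshold=3):
    """(ip, failures) for IPs with at least `threshold` failures across all
    smtpd services, most failures first."""
    totals = {ip: sum(c.values()) for ip, c in auth_failures(lines).items()}
    hits = [(ip, n) for ip, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def cidr_table(lines, threshold=3):
    """Lines for a cidr: table, e.g. for check_client_access cidr:/etc/postfix/auth_abusers
    placed in the smtpd_client_restrictions of the submission/smtps services."""
    return [f"{ip}/{32 if '.' in ip else 128} REJECT repeated AUTH failures"
            for ip, _ in offenders(lines, threshold)]


def decode_detail(detail):
    """For LOGIN the text after 'authentication failed:' is usually the base64
    of the last server challenge, not a client secret; decode it if it is base64."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return detail


if __name__ == "__main__":
    for ip, counts in auth_failures(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(counts))
    print("\n".join(cidr_table(SAMPLE_LOG.splitlines())))
    print(decode_detail("UGFzc3dvcmQ6"))
```

The decoded "UGFzc3dvcmQ6" from the posted line is just "Password:", the LOGIN prompt; nothing about the attempted credential is in the log. Run the real log through `offenders(open("/var/log/mail.log"))` and remember that the resulting table must be compiled with postmap and listed in the smtpd restrictions of the 465/587 services to take effect there.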


Re: Some DNSSEC/DANE questions

2022-01-03 Thread Christian Kivalo

On 2022-01-03 23:02, Dan Mahoney wrote:

On Jan 3, 2022, at 1:46 PM, Mike  wrote:

On 1/3/2022 2:38 PM, Dan Mahoney (Gushi) wrote:

[snip]

One more question: Does anyone know of a "reflector" like service 
that one
can use to test DANE validation, i.e. a site that one is allowed to 
send

test messages to, that *only* has DANE as the trust mech (so, say, a
self-signed cert?)


Here's an SMTP DANE validator that I use when I make changes to my 
server.


https://dane.sys4.de/


I'm not sure if it is just what you're looking for, though.


No, I am looking for a server to which I can send mail to make sure
DANE is being looked up and used on my end.

Not something that looks up MY domain and connects to it.

Maybe this is more like what you're looking for
https://havedane.net/

--
 Christian Kivalo


Re: Submission behind haproxy, TLS issues

2021-05-20 Thread Christian Kivalo




On 2021-05-20 01:12, post...@ptld.com wrote:

Best i can gather from your last few replies is to rsync a copy of the
cert created on the load balancer to the backend servers and point
postfix at that cert.

Is that the answer?

This is all ive been trying to ask from the beginning, best method of
getting a cert created on the load balancer to postfix on a different
server to use for TLS.
There are other Let's Encrypt clients than certbot that can e.g. copy 
certs around or restart services if needed.

-> https://letsencrypt.org/docs/client-options/

I have been using getssl for some years now and am happy with it.

--
 Christian Kivalo


Re: warning: dnsblog_query lookup error

2021-04-08 Thread Christian Kivalo



On April 8, 2021 9:10:04 AM GMT+02:00, Maurizio Caloro  
wrote:
>> You should not use public dns servers to query dnsbls as they are
>> likely blocked due to excessive query volume at the dnsbl. Install and
>> use a local resolver like unbound, knot, bind and use nameserver
>> 127.0.0.1 in /etc/resolv.conf
>
>root@nmail:/etc/postfix# cat /etc/resolv.conf
>nameserver 127.0.0.1
>nameserver 8.8.8.8
>
>Please I can ping everything ..
>
>root@nmail:/etc/postfix# ping 42.89.92.40
>PING 42.89.92.40 (42.89.92.40) 56(84) bytes of data.
>16 packets transmitted, 0 received, 100% packet loss, time 354ms
>
>root@nmail:/etc/postfix# ping 109.75.92.40
>PING 109.75.92.40 (109.75.92.40) 56(84) bytes of data.
>3 packets transmitted, 0 received, 100% packet loss, time 27ms
You don't need to ping anything.
Try the query directly. I'm only using a local unbound on this server for name 
resolution.
This is what I get:
valo:~ $ dig 109.75.92.40.list.dnswl.org +short
127.0.3.0
valo:~ $

>Thanks
>Mauri
>-----Original Message-----
>From: owner-postfix-us...@postfix.org 
>On Behalf Of Christian Kivalo
>Sent: Thursday, 8 April 2021 09:02
>To: postfix-users@postfix.org
>Subject: Re: warning: dnsblog_query lookup error
>
>
>
>On April 8, 2021 8:29:09 AM GMT+02:00, Maurizio Caloro
> wrote:
>>Hello
>>
>>I have the issue with mail from Outlook, or Hotmail this Warning
>appair 
>>and the mail don't deliver to me.
>>cat /etc
>> 
>>
>>Apr  8 08:04:24  ail postfix/dnsblog[7379]: warning: dnsblog_query:
>>lookup
>>error for DNS query 109.75.92.40.list.dnswl.org: Host or domain name 
>>not found. Name service error for name=109.75.92.40.list.dnswl.org 
>>type=A:
>>Host
>>not found, try again
>>
>> 
>>
>>Apr  8 08:23:10 ail postfix/dnsblog[7943]: warning: dnsblog_query:
>>lookup
>>error for DNS query 42.89.92.40.list.dnswl.org: Host or domain name
>not 
>>found. Name service error for name=42.89.92.40.list.dnswl.org type=A:
>>Host
>>not
>>
>>found, try again
>>
>> 
>>
>>postscreen_dnsbl_sites = zen.spamhaus.org*3
>>
>>b.barracudacentral.org*2
>>
>>bl.spameatingmonkey.net*2
>>
>>bl.spamcop.net
>>
>>dnsbl.sorbs.net
>>
>>psbl.surriel.com
>>
>>bl.mailspike.net
>>
>>list.dnswl.org=127.0.[0..255].0*-2
>>
>>list.dnswl.org=127.0.[0..255].1*-3
>>
>>list.dnswl.org=127.0.[0..255].[2..3]*-4
>>
>> 
>>
>>root@nmail:/etc/postfix# ping 42.89.92.40
>>
>>PING 42.89.92.40 (42.89.92.40) 56(84) bytes of data.
>>
>>181 packets transmitted, 0 received, 100% packet loss, time 482ms
>>
>> 
>>
>>root@nmail:/etc/postfix# cat /etc/resolv.conf
>>
>>nameserver 8.8.8.8
>>
>>nameserver 46.38.225.230
>You should not use public dns servers to query dnsbls as they are
>likely blocked due to excessive query volume at the dnsbl. Install and
>use a local resolver like unbound, knot, bind and use nameserver
>127.0.0.1 in /etc/resolv.conf
>> 
>>
>>regards
>>
>>Mauri
>>
>> 
>>
>> 
>
>--
>Christian Kivalo

-- 
Christian Kivalo


Re: warning: dnsblog_query lookup error

2021-04-08 Thread Christian Kivalo



On April 8, 2021 8:29:09 AM GMT+02:00, Maurizio Caloro  
wrote:
>Hello
>
>I have the issue with mail from Outlook, or Hotmail this Warning appair
>and
>the mail don't deliver to me.
>
> 
>
>Apr  8 08:04:24  ail postfix/dnsblog[7379]: warning: dnsblog_query:
>lookup
>error for DNS query 109.75.92.40.list.dnswl.org: Host or domain name
>not
>found. Name service error for name=109.75.92.40.list.dnswl.org type=A:
>Host
>not found, try again
>
> 
>
>Apr  8 08:23:10 ail postfix/dnsblog[7943]: warning: dnsblog_query:
>lookup
>error for DNS query 42.89.92.40.list.dnswl.org: Host or domain name not
>found. Name service error for name=42.89.92.40.list.dnswl.org type=A:
>Host
>not 
>
>found, try again
>
> 
>
>postscreen_dnsbl_sites = zen.spamhaus.org*3
>
>b.barracudacentral.org*2
>
>bl.spameatingmonkey.net*2
>
>bl.spamcop.net
>
>dnsbl.sorbs.net
>
>psbl.surriel.com
>
>bl.mailspike.net
>
>list.dnswl.org=127.0.[0..255].0*-2
>
>list.dnswl.org=127.0.[0..255].1*-3
>
>list.dnswl.org=127.0.[0..255].[2..3]*-4
>
> 
>
>root@nmail:/etc/postfix# ping 42.89.92.40
>
>PING 42.89.92.40 (42.89.92.40) 56(84) bytes of data.
>
>181 packets transmitted, 0 received, 100% packet loss, time 482ms
>
> 
>
>root@nmail:/etc/postfix# cat /etc/resolv.conf
>
>nameserver 8.8.8.8
>
>nameserver 46.38.225.230
You should not use public dns servers to query dnsbls as they are likely 
blocked due to excessive query volume at the dnsbl. Install and use a local 
resolver like unbound, knot, bind and use nameserver 127.0.0.1 in 
/etc/resolv.conf
> 
>
>regards
>
>Mauri
>
> 
>
> 

-- 
Christian Kivalo
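
The two messages above hinge on two things a practitioner should be able to reproduce by hand: the query name postscreen builds for a client address (the reversed octets under the list zone, which is what the dig command in the follow-up shows for 40.92.75.109), and how the postscreen_dnsbl_sites weights and "[lo..hi]" reply filters in the posted config add up against postscreen_dnsbl_threshold (Postfix default 1). The following is an added example, not code from this thread or from Postfix: it builds the query names for IPv4 and IPv6, parses entries in the posted syntax, and scores constructed replies. Treating a site without a filter as "any reply counts" is this example's reading; resolve() goes through the system resolver and is not used offline.

```python
"""Build DNSBL query names and apply postscreen_dnsbl_sites weights.

Added example, not code from the mailing-list post. It reproduces the
postscreen_dnsbl_sites syntax used in the post (domain[=filter]*weight,
filters with [lo..hi] octet ranges), scores a client from the replies each
list returned, and compares the score with postscreen_dnsbl_threshold
(Postfix default 1). SAMPLE_REPLIES is constructed.
"""
import ipaddress
import re
import socket

# Constructed postscreen_dnsbl_sites value in the syntax of the post.
SITES = ("zen.spamhaus.org*3 bl.spamcop.net "
         "list.dnswl.org=127.0.[0..255].0*-2 "
         "list.dnswl.org=127.0.[0..255].1*-3 "
         "list.dnswl.org=127.0.[0..255].[2..3]*-4")

SITE = re.compile(r"^(?P<zone>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")
FILTER_PART = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")


def dnsbl_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def parse_sites(value):
    """postscreen_dnsbl_sites text -> [(zone, filter, weight)]; weight defaults to 1."""
    sites = []
    for token in value.replace(",", " ").split():
        m = SITE.match(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token}")
        sites.append((m["zone"], m["filter"] or "", int(m["weight"] or 1)))
    return sites


def filter_matches(filt, reply):
    """Match a reply like 127.0.3.0 against a filter like 127.0.[0..255].[2..3]."""
    if not filt:                      # no filter: any listing counts (example's reading)
        return True
    parts, octets = FILTER_PART.findall(filt), reply.split(".")
    if len(parts) != 4 or len(octets) != 4:
        return False
    for (lo, hi, exact), octet in zip(parts, octets):
        value = int(octet)
        if exact:
            if int(exact) != value:
                return False
        elif not int(lo) <= value <= int(hi):
            return False
    return True


def score(sites, replies):
    """Sum the weights of every site entry matched by the replies, where
    replies maps zone -> list of A records (missing or [] means not listed)."""
    total = 0
    for zone, filt, weight in sites:
        if any(filter_matches(filt, r) for r in replies.get(zone, [])):
            total += weight
    return total


def verdict(sites, replies, threshold=1):
    return "reject" if score(sites, replies) >= threshold else "pass"


def resolve(name):
    """A records for name via the system resolver; [] if not listed, None on a
    temporary failure (the 'Host not found, try again' case in the log)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as e:
        return None if e.errno == getattr(socket, "EAI_AGAIN", -3) else []


# Constructed replies for three clients (zone -> A records).
SAMPLE_REPLIES = {
    "bot":     {"zen.spamhaus.org": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"]},
    "outlook": {"list.dnswl.org": ["127.0.3.0"]},
    "mixed":   {"zen.spamhaus.org": ["127.0.0.2"], "list.dnswl.org": ["127.0.9.3"]},
}

if __name__ == "__main__":
    sites = parse_sites(SITES)
    print(dnsbl_name("40.92.75.109", "list.dnswl.org"))
    for client, replies in SAMPLE_REPLIES.items():
        print(client, score(sites, replies), verdict(sites, replies))
```

A listing that only the dnswl entries match yields a negative score and passes; a zen listing alone scores 3 and is rejected. resolve(name) returning None is the condition the original warning describes, and it is what a blocked public resolver produces; point it at a local resolver and the same call returns a list.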


Re: Problem with starttls / orange.fr

2021-03-29 Thread Christian Kivalo



On March 30, 2021 7:08:39 AM GMT+02:00, "DEPRÉ Gaëtan - NGServers.com" 
 wrote:
>Hi !
>
> 
>
>While trying to send an email to some...@orange.fr
><mailto:some...@orange.fr> , I get this error log :
>
> 
>
>Mar 30 06:47:39 mail postfix/qmgr[18959]: 29D0248A23DC:
>from=x...@domain.dom
><mailto:x...@domain.dom> , size=93541, nrcpt=1 (queue active)
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to
>smtp-in.orange.fr[80.12.242.9]:25: -1
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: Cannot start
>TLS:
>handshake failure
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to
>smtp-in.orange.fr[193.252.22.65]:25: -1
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC:
>to=y...@orange.fr,
>relay=smtp-in.orange.fr[193.252.22.65]:25, delay=0.52,
>delays=0.29/0.01/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS:
>handshake failure)
>
>Mar 30 06:47:41 mail postfix/submission/smtpd[24351]: disconnect from
>lfbn-nan-xxx.abo.wanadoo.fr[xx.yy.zz.xx] ehlo=2 starttls=1 auth=1
>mail=1
>rcpt=1 data=1 quit=1 commands=8
>
> 
>
>After a few minutes, without doing anything, I get this :
>
> 
>
>Mar 30 06:56:16 mail postfix/qmgr[18959]: 29D0248A23DC:
>from=x...@domain.dom,
>size=93541, nrcpt=1 (queue active)
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: SSL_connect error to
>smtp-in.orange.fr[193.252.22.65]:25: -1
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: Cannot start
>TLS:
>handshake failure
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC:
>to=y...@orange.fr
><mailto:y...@orange.fr> , relay=smtp-in.orange.fr[193.252.22.65]:25,
>delay=518, delays=518/0.02/0.12/0.35, dsn=2.0.0, status=sent (250 2.0.0
>mUwH240075Jsp0m01UwHze mail accepted for delivery)
>
>Mar 30 06:56:17 mail postfix/qmgr[18959]: 29D0248A23DC: removed
>
> 
>
>The TLS part in main.cf :
>
> 
>
>### Outbound SMTP connections (Postfix as sender)
>
>smtp_tls_security_level = dane
>
>smtp_dns_support_level = dnssec
>
>smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
>
>smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
>smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2
You are missing a "," after !SLv3, which is also missing an "S".
And you exclude TLSv1, with which I can establish an encrypted connection to 
orange.fr.
>
>smtp_tls_ciphers = high
>
>smtp_tls_CAfile =
>/etc/letsencrypt/live/mymailserver.domain.dom/chain.pem
You probably don't need client certificates.
>
> 
>
> 
>
>Any clue about this error ? Which cert do I use and that orange does
>not
>want ? Why is the email sent after a few attempts ?
Eventually the email is sent in plaintext without encryption.
> 
>
>Regards,
>
> 
>
>Gaetan

-- 
Christian Kivalo


Re: Catch a forged Return Path

2021-02-04 Thread Christian Kivalo




On 2021-02-04 09:08, ludic...@gmail.com wrote:

Hi all,

new MS Azure Cloudapp Spam Wave these days.

Just a few hosts, but a lot of Spam. There is a pattern there, they all 
use


Return-Path: 

to disguise as a bounce and bypass any further checks.

So the PCRE header check

/^Return-Path: /   REJECT Forged Return-Path

does not catch.

Any other chance of making this work in postfix checks?

Actually a re-visit to my topic about MS Azure Cloud Spam from 
December, but

much more clarified matters now after some time of observation.


Add postscreen to your config. Postscreen stopped that spam wave with 
high DNSBL ranks for me.
This http://rob0.nodns4.us/postscreen.html is a good resource and I 
have it set up more or less the way described there + some minor 
adjustments needed for my setup.




Greets,
Ludi


--
 Christian Kivalo


Re: SASL auth cache?

2021-01-17 Thread Christian Kivalo



On January 17, 2021 2:32:49 PM GMT+01:00, Tom Sommer  wrote:
>
>
>On 2021-01-17 14:22, Wietse Venema wrote:
>> Tom Sommer:
>>> Hi all
>>> 
>>> I just observed Postfix not picking up changes in the SASL auth 
>>> backend,
>>> is there some kind of cache involved here?
>> 
>> There is no such thing in Postfix. Also not in the Postfix Dovcecot 
>> client.
>
>Curious, and it couldn't be connection cache/reuse or something?
Could it have been an authenticated, still open connection that got closed as 
postfix was restarted?
>---
>Tom

-- 
Christian Kivalo


Re: Postfix failed to start at boot

2020-07-23 Thread Christian Kivalo



On July 23, 2020 2:33:04 PM GMT+02:00, Linkcheck  
wrote:
>I have a private postfix server on my local network. It runs under 
>Manjaro. On booting Manjaro I get half a dozen ERROR lines as:
>
>FAILED: Failed to start (eg) Postfix
>
>All are to do with postfix, dmarc, dkim etc.
>
>I've wondered for some time now why I have to start postfix manually 
>after reboot but haven't had time to track it down. Since I usually 
>drive the machine through Remmina I never see the boot sequence, so
>have 
>previously missed this.
>
>Postfix runs without a manual restart but dkim/dmarc leave complaints
>in 
>the log about having no path to the PID files. When starting them 
>manually I use:
>
>===
>   sudo mkdir /var/run/opendkim/
>   sudo chown -R opendkim:opendkim /var/run/opendkim
>   sudo systemctl enable opendkim
>   sudo systemctl start opendkim
>
>   sudo mkdir /var/run/opendmarc/
>   sudo chown -R opendmarc:postfix /var/run/opendmarc
>   sudo chmod -R 774 /var/run/opendmarc
If the distribution packages don't take care that the necessary directories 
under /var/run are created, you need to create them after every boot.
Look at man 5 tmpfiles.d and create the necessary files in /etc/tmpfiles.d
>   sudo systemctl enable opendmarc
>   sudo systemctl start opendmarc
>   sudo systemctl restart postfix
>===
>(the sequence is probably incorrect: I have to run the second block 
>twice before I get the proper ownership of opendmarc)
>
>I checked the status of postfix immediately after boot and before 
>restarting it manually and got...
>
>===
>postfix.service - Postfix Mail Transport Agent
> Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; 
>vendor preset: disabled)
>  Active: active (running) since Sat 2020-07-04 15:55:09 BST; 2min 
>27s ago
> Process: 742 ExecStart=/usr/bin/postfix start (code=exited, 
>status=0/SUCCESS)
>Main PID: 851 (master)
>   Tasks: 8 (limit: 9148)
>  Memory: 19.7M
>  CGroup: /system.slice/postfix.service
>  ├─ 851 /usr/lib/postfix/bin/master -w
>  ├─ 867 pickup -l -t fifo -u -o content_filter= -o 
>receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>  ├─ 868 qmgr -l -t fifo -u
>  ├─1591 smtpd -n smtp -t inet -u -o stress= -s 2 -o 
>content_filter=
>  ├─1592 proxymap -t unix -u
>  ├─1593 tlsmgr -l -t unix -u
>  ├─1594 anvil -l -t unix -u
>  └─1604 smtpd -n smtp -t inet -u -o stress= -s 2 -o 
>content_filter=
>
>Jul 04 15:55:02 SSPH systemd[1]: postfix.service: Scheduled restart
>job, 
>restart counter is at 3.
>Jul 04 15:55:02 SSPH systemd[1]: Stopped Postfix Mail Transport Agent.
>Jul 04 15:55:02 SSPH systemd[1]: Starting Postfix Mail Transport
>Agent...
>Jul 04 15:55:03 SSPH systemd[1]: postfix.service: Control process 
>exited, code=exited, status=1/FAILURE
>Jul 04 15:55:03 SSPH systemd[1]: postfix.service: Failed with result 
>'exit-code'.
>Jul 04 15:55:03 SSPH systemd[1]: Failed to start Postfix Mail Transport
>
>Agent.
>Jul 04 15:55:04 SSPH systemd[1]: postfix.service: Scheduled restart
>job, 
>restart counter is at 4.
>Jul 04 15:55:04 SSPH systemd[1]: Stopped Postfix Mail Transport Agent.
>Jul 04 15:55:04 SSPH systemd[1]: Starting Postfix Mail Transport
>Agent...
>Jul 04 15:55:09 SSPH systemd[1]: Started Postfix Mail Transport Agent.
>===
>
>I do not know how to fix this failure. Any help, please? I have asked 
>this question in the Manjaro forum but with no resolution.

-- 
Christian Kivalo


Re: Nothing in /var/log/maillog under stress

2020-07-13 Thread Christian Kivalo




On 2020-07-13 02:08, Greg Sims wrote:

I updated my maillog processing tool to make use of journalctl.  This
is working well and I can now see the "missing" maillog entries with
my tool.  This is a great step in the right direction.

That sounds great.


I have rsyslog running which looks like it might be redundant -- based
on the serverfault post you supplied.  I will try running without
rsyslog and see what happens.

I am aware of the systemd journal rate limits from CentOS 7.  I will
do additional research to know when I hit these limits and make needed
adjustments if I do.
I added this to /etc/system/journal.conf.d/journald.conf and it works 
for me.


[Journal]
RateLimitIntervalSec=1s
RateLimitBurst=0



Thanks for your help Christian!  I am now able to accomplish my goals
using journalctl.

I am more than willing to collect data to help determine why the three
minutes of log data is not making it to /var/log/maillog.  To be
honest, I do not know how to "... find out how your syslog daemon gets
the messages from the systemd journal.".

Greg Sims

On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo
 wrote:


On 2020-07-13 00:10, Greg Sims wrote:

Thank you Christian.  I am running on CentOS 8.2 and the name of

the

service is "postfix.service".  When I enter:


journalctl -u postfix.service --since="2020-07-12 03:06:00"
--until="2020-07-12 03:11:00"

I see all of the missing data that should be in /var/log/maillog

--

almost 50,000 records.  You discovered a way to gain access to the
missing data!

The big question for me continues to be, why did this data not

make it

to /var/log/maillog?

You'd have to find out how your syslog daemon gets the messages from
the
systemd journal. What syslog daemon do you have installed?
Be aware that systemd journal has some rate limits which can lead to

loss of log messages, see the man 5 journald.conf

I found this


https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald


which covers rsyslog on centos 7. There is an import module for
systemd
journal.

On my server rsyslog is configured to create a log socket at
/var/spool/postfix/dev/log and ignore systemd journal and that works

well for my use case.


Greg Sims

On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo
 wrote:


On 2020-07-12 23:01, Greg Sims wrote:

Nothing Christian:


[root@mail0 postfix]# journalctl -u postfix@-.service
--since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
-- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun

2020-07-12

15:50:00 CDT. --
-- No entries --

Maybe your systemd unit is named slightly differently than in Debian,
postfix@-.service is what tab completion makes for me...

Is there anything in journalctl? What does systemctl status

postfix

show?

You can have postfix log to a file as described in
http://www.postfix.org/MAILLOG_README.html first and then fix

your

logging.

--
Christian Kivalo


--
Christian Kivalo


--
 Christian Kivalo


Re: Nothing in /var/log/maillog under stress

2020-07-13 Thread Christian Kivalo




On 2020-07-13 03:57, Greg Sims wrote:

I removed rsyslog using yum, rebooted the VM and made sure postfix was
running.  I then sent five emails from a remote VM using SMTP.  I can
see the postfix logs using journalctl.  This set of postfix logs do
not make it to /var/log/maillog. The five emails were delivered.  I'm
not sure if this is the expected behavior.
This is expected as rsyslog writes to /var/log/maillog. Now you only 
have the journal except for those services that write to their own 
logfile directly...



Apache is also running on this VM.  I performed "tail
/var/log/httpd/access_log" and can see Apache logging.

... like apache does.


Greg Sims
www.RayStedman.org [1]

On Sun, Jul 12, 2020 at 5:08 PM Greg Sims 
wrote:


I updated my maillog processing tool to make use of journalctl.
This is working well and I can now see the "missing" maillog entries
with my tool.  This is a great step in the right direction.

I have rsyslog running which looks like it might be redundant --
based on the serverfault post you supplied.  I will try running
without rsyslog and see what happens.

I am aware of the systemd journal rate limits from CentOS 7.  I will
do additional research to know when I hit these limits and make
needed adjustments if I do.

Thanks for your help Christian!  I am now able to accomplish my
goals using journalctl.

I am more than willing to collect data to help determine why the
three minutes of log data is not making it to /var/log/maillog.  To
be honest, I do not know how to "... find out how your syslog daemon
gets the messages from the systemd journal.".

Greg Sims

On Sun, Jul 12, 2020 at 3:51 PM Christian Kivalo
 wrote:


On 2020-07-13 00:10, Greg Sims wrote:

Thank you Christian.  I am running on CentOS 8.2 and the name of

the

service is "postfix.service".  When I enter:


journalctl -u postfix.service --since="2020-07-12 03:06:00"
--until="2020-07-12 03:11:00"

I see all of the missing data that should be in

/var/log/maillog --

almost 50,000 records.  You discovered a way to gain access to

the

missing data!

The big question for me continues to be, why did this data not

make it

to /var/log/maillog?

You'd have to find out how your syslog daemon gets the messages
from the
systemd journal. What syslog daemon do you have installed?
Be aware that systemd journal has some rate limits which can lead
to
loss of log messages, see the man 5 journald.conf

I found this




https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald


which covers rsyslog on centos 7. There is an import module for
systemd
journal.

On my server rsyslog is configured to create a log socket at
/var/spool/postfix/dev/log and ignore systemd journal and that
works
well for my use case.


Greg Sims

On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo
 wrote:


On 2020-07-12 23:01, Greg Sims wrote:

Nothing Christian:


[root@mail0 postfix]# journalctl -u postfix@-.service
--since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
-- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun

2020-07-12

15:50:00 CDT. --
-- No entries --

Maybe your systemd unit is named slightly differently than in

Debian,

postfix@-.service is what tab completion makes for me...

Is there anything in journalctl? What does systemctl status

postfix

show?

You can have postfix log to a file as described in
http://www.postfix.org/MAILLOG_README.html first and then fix

your

logging.

--
Christian Kivalo


--
Christian Kivalo



Links:
--
[1] https://www.RayStedman.org


--
 Christian Kivalo


Re: Nothing in /var/log/maillog under stress

2020-07-12 Thread Christian Kivalo




On 2020-07-13 00:10, Greg Sims wrote:

Thank you Christian.  I am running on CentOS 8.2 and the name of the
service is "postfix.service".  When I enter:


journalctl -u postfix.service --since="2020-07-12 03:06:00"
--until="2020-07-12 03:11:00"

 I see all of the missing data that should be in /var/log/maillog --
almost 50,000 records.  You discovered a way to gain access to the
missing data!

The big question for me continues to be, why did this data not make it
to /var/log/maillog?
You'd have to find out how your syslog daemon gets the messages from the 
systemd journal. What syslog daemon do you have installed?
Be aware that systemd journal has some rate limits which can lead to 
loss of log messages, see the man 5 journald.conf


I found this 
https://serverfault.com/questions/959982/is-rsyslog-redundant-on-when-using-journald 
which covers rsyslog on centos 7. There is an import module for systemd 
journal.


On my server rsyslog is configured to create a log socket at 
/var/spool/postfix/dev/log and ignore systemd journal and that works 
well for my use case.



Greg Sims

On Sun, Jul 12, 2020 at 2:40 PM Christian Kivalo
 wrote:


On 2020-07-12 23:01, Greg Sims wrote:

Nothing Christian:


[root@mail0 postfix]# journalctl -u postfix@-.service
--since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
-- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun 2020-07-12
15:50:00 CDT. --
-- No entries --

Maybe your systemd unit is named slightly differently as in debian,
postfix@-.service is what tab completion makes for me...

Is there anything in journalctl? What does systemctl status postfix
show?

You can have postfix log to a file as described in
http://www.postfix.org/MAILLOG_README.html first and then fix your
logging.

--
Christian Kivalo


--
 Christian Kivalo


Re: Nothing in /var/log/maillog under stress

2020-07-12 Thread Christian Kivalo

On 2020-07-12 23:01, Greg Sims wrote:

Nothing Christian:


[root@mail0 postfix]# journalctl -u postfix@-.service
--since="2020-07-12 03:06:00" --until="2020-07-12 03:11:00"
-- Logs begin at Sat 2020-07-11 09:35:28 CDT, end at Sun 2020-07-12
15:50:00 CDT. --
-- No entries --
Maybe your systemd unit is named slightly differently as in debian, 
postfix@-.service is what tab completion makes for me...


Is there anything in journalctl? What does systemctl status postfix 
show?


You can have postfix log to a file as described in 
http://www.postfix.org/MAILLOG_README.html first and then fix your 
logging.


--
Christian Kivalo


Re: Nothing in /var/log/maillog under stress

2020-07-12 Thread Christian Kivalo




On 2020-07-12 20:59, Greg Sims wrote:

We are making good progress building a mail server.  The server is a
KVM running CentOs 8.2 with vcpus=2 and ram=4GB.  The system is under
heavy load and is likely limited by disk performance.  The load is
generated by a second KVM using SMTP to send email. Everything seems
to be working except there is nothing in /var/log/maillog for a period
of 3 minutes.  I'm not sure what is causing the omission of logs and
how to correct this issue.
Maybe systemd-journald rate limit is your problem. I found some 
information here 
https://www.rootusers.com/how-to-change-log-rate-limiting-in-linux


Do these 3 minutes show up when you call journalctl -u postfix@-.service 
or, more specifically,


journalctl -u postfix@-.service --since="2020-07-12 03:06:00" 
--until="2020-07-12 03:11:00"



I'm concerned that we are not following this recommendation, "Don't
overwhelm the disk with mail submissions. Optimize the mail submission
rate by tuning the number of parallel submissions and/or by tuning the
Postfix in_flow_delay parameter setting."  There is no indication in
/var/log/maillog of problems (other than 3 minutes of missing logs). I
do not know if "overwhelming the disk" would lead to shutting down
data going to the maillog altogether.  I will set in_flow_delay = 2s
for this KVM mail server this evening.

The performance snapshots below seem to show: cpu load average is not
heavy, plenty of ram free, no swapping (stable at 108Mi), dm-0 is
working hard at 129 tps and postfix seems to be keeping up with the
load with 39-50 emails in the queue. This run started at 03:05 and
created two minutes of data in /var/log/maillog -- and then nothing
for 3 minutes starting at 03:07.  I am certain the email in the
missing three minutes was actually delivered or I would be seeing lots
of negative feedback from our subscribers.

You can also put


03:07:04 up 17:31,  0 users,  load average: 0.42, 0.26, 0.10

              total        used        free      shared  buff/cache   available
Mem:          3.7Gi       832Mi       2.0Gi       101Mi       931Mi       2.5Gi
Swap:         1.0Gi       108Mi       915Mi

Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
dm-0            129.00         0.00      2373.50          0       4747

incoming/active queue:
                        T  5 10 20 40 80 160 320 640 1280 1280+
                 TOTAL 39 39  0  0  0  0   0   0   0    0     0
             gmail.com  8  8  0  0  0  0   0   0   0    0     0
               att.net  7  7  0  0  0  0   0   0   0    0     0
         bellsouth.net  7  7  0  0  0  0   0   0   0    0     0
         sbcglobal.net  7  7  0  0  0  0   0   0   0    0     0
               aol.com  4  4  0  0  0  0   0   0   0    0     0
            icloud.com  4  4  0  0  0  0   0   0   0    0     0
             yahoo.com  1  1  0  0  0  0   0   0   0    0     0
           outlook.com  1  1  0  0  0  0   0   0   0    0     0

deferred queue:
                        T  5 10 20 40 80 160 320 640 1280 1280+
                 TOTAL  1  0  0  0  0  0   0   0   0    0     1
            icloud.com  1  0  0  0  0  0   0   0   0    0     1


03:07:11 up 17:31,  0 users,  load average: 0.36, 0.25, 0.10

              total        used        free      shared  buff/cache   available
Mem:          3.7Gi       858Mi       1.9Gi       101Mi       933Mi       2.5Gi
Swap:         1.0Gi       108Mi       915Mi

Device             tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
dm-0            121.50         0.00      2326.00          0       4652

incoming/active queue:
                        T  5 10 20 40 80 160 320 640 1280 1280+
                 TOTAL 56 56  0  0  0  0   0   0   0    0     0
             gmail.com 13 13  0  0  0  0   0   0   0    0     0
               att.net 11 11  0  0  0  0   0   0   0    0     0
         sbcglobal.net 11 11  0  0  0  0   0   0   0    0     0
         bellsouth.net  9  9  0  0  0  0   0   0   0    0     0
            icloud.com  6  6  0  0  0  0   0   0   0    0     0
             yahoo.com  5  5  0  0  0  0   0   0   0    0     0
        rocketmail.com  1  1  0  0  0  0   0   0   0    0     0

deferred queue:
                        T  5 10 20 40 80 160 320 640 1280 1280+
                 TOTAL  1  0  0  0  0  0   0   0   0    0     1
            icloud.com  1  0  0  0  0  0   0   0   0    0     1


Thanks, Greg


--
 Christian Kivalo


Re: TLS verification problem - ca untrusted, but it shouldn't be

2020-07-08 Thread Christian Kivalo

On 2020-07-08 09:03, Rainer Ruprechtsberger wrote:

Hello,

this is not my only problem with TLS verification - and I'm struggling
to debug this:

*mail.mail.protection.outlook.com cannot be verified by postfix:
posttls-finger: certificate verification failed for
blahblahommited.mail.protection.outlook.com[104.47.14.36]:25: untrusted
issuer /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA


How did you call posttls-finger? Did you use "-F" and point it to 
/etc/ssl/certs/ca-certificates.crt?



But I do trust this CA:
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

This setting does not affect posttls-finger

What does postfix log when you send a mail there?

--
 Christian Kivalo


Re: 5 messages per second

2020-06-03 Thread Christian Kivalo



On June 3, 2020 11:52:10 AM GMT+02:00, Paul Martin  
wrote:
>Hello,
>
>I have many logs  postfix/lmtp "deferred" like:
>
>Jun  2 11:38:21 mail331 postfix/lmtp[17386]: A2E3212C86D:
>to=, relay=none, delay=5930,
>delays=2879/2862/189/0, dsn=4.4.1, status=deferred (connect to
>127.0.0.1[127.0.0.1]:24: Connection timed out)
>
>do you have a solution ?
Whatever should listen on 127.0.0.1:24 is not listening / running.

What should accept the lmtp connections? Check if that service is running. 

>Regards,
>Paul

-- 
Christian Kivalo


Re: Remove part of rbl name from response to blocked client

2020-01-16 Thread Christian Kivalo




On 2020-01-16 09:47, Dominic Raferd wrote:

I recently started using an RBL service where we have a 'private key'
and this operates very simply by prefixing the key to the RBL address.
But I just realised that this appears to mean that for any rejections
the whole address - including the key - is passed back to the
offending client. Which if true makes a bit of a nonsense of the idea
of a 'private' key.

rbl_reply_maps and default_rbl_reply are probably what you are 
looking for

http://www.postfix.org/postconf.5.html#rbl_reply_maps
http://www.postfix.org/postconf.5.html#default_rbl_reply

and for postscreen there is 
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map

Is there a way to cut out this private key in the response message? It
happens both with postscreen and smtpd. Here is a barely-obfuscated
example:

550 5.7.1 Service unavailable; client [51.88.120.222] blocked using
sp8lefi4grtb7jftpslxxztu3y.zen.dx.spamhous.net


--
 Christian Kivalo


Re: Problems with header checks

2019-11-08 Thread Christian Kivalo



On November 8, 2019 1:53:13 PM GMT+01:00, Stephan Seitz 
 wrote:
>On Fr, Nov 08, 2019 at 01:44:53 +0100, Stephan Seitz wrote:
>>Has anyone an idea how I can debug this further? Or why it is only 
>>sometimes working?
>
>I think I’ve found the problem. It happens if the subject has non-ASCII
>
>characters to the line looks like:
>
>=?UTF-8?Q?Aw=3A_Weinprobe_gut_=C3=BCberstanden=3F?=
>
>Has anyone an idea how can I change the regex so that it works with 
>encoded subject lines? Or can I tell postfix to decode the line, then 
>employ the regex and encode the line again?
For such encoded content you need to match the encoded form. See 
http://www.postfix.org/BUILTIN_FILTER_README.html
I don't think that postfix is the right tool for this job, on the other hand I 
don't really see the problem you're trying to solve. 
Be careful not to break dkim signatures when modifying headers. Subject is a 
signed header in most cases. 
>Shade and sweet water!
>
>   Stephan

-- 
Christian Kivalo
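As an added illustration (example code, not from the thread or from Postfix): why a header_checks pattern written for the decoded Subject never matches, how to derive the Q-encoded form that Postfix actually compares against, and how a B-encoded variant of the same Subject (constructed here) slips past that pattern:

```python
"""RFC 2047 encoded Subject headers versus Postfix header_checks patterns.

header_checks matches the raw header line, so a pattern has to match the
encoded form. These helpers derive that form for a phrase and show that a
different, equally valid encoding of the same text slips past the pattern.
"""
import base64
import re
from email.header import decode_header

# The raw Subject line as Postfix sees it (encoded word from the thread).
RAW_HEADER = "Subject: =?UTF-8?Q?Aw=3A_Weinprobe_gut_=C3=BCberstanden=3F?="


def decode_subject(header_line):
    """Decode the encoded words of a Subject header line into text."""
    _, _, value = header_line.partition(":")
    parts = []
    for chunk, charset in decode_header(value.strip()):
        # decode_header yields bytes for encoded words and str for plain text
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii")
        parts.append(chunk)
    return "".join(parts)


def q_encode_word(text, charset="UTF-8"):
    """RFC 2047 section 4.2 Q encoding: ASCII letters, digits and !*+-/ stay
    literal, a space becomes '_', every other byte becomes =XX."""
    literal = b"!*+-/"
    out = []
    for b in text.encode(charset):
        c = chr(b)
        if b < 128 and (c.isalnum() or b in literal):
            out.append(c)
        elif c == " ":
            out.append("_")
        else:
            out.append("=%02X" % b)
    return "=?%s?Q?%s?=" % (charset, "".join(out))


def b_encode_word(text, charset="UTF-8"):
    """The same text as an RFC 2047 B (base64) encoded word."""
    encoded = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?B?%s?=" % (charset, encoded)


def header_checks_pattern(phrase):
    """Python equivalent of a pcre header_checks rule that looks for `phrase`
    inside a UTF-8 Q-encoded Subject. Postfix pcre tables match case-
    insensitively by default, hence re.IGNORECASE."""
    word = q_encode_word(phrase)
    body = word[len("=?UTF-8?Q?"):-len("?=")]  # keep only the encoded text
    return re.compile(r"^Subject:\s*=\?utf-8\?q\?.*" + re.escape(body),
                      re.IGNORECASE)


def rule_matches(phrase, header_line):
    """True when the header_checks style rule for `phrase` fires."""
    return header_checks_pattern(phrase).search(header_line) is not None


if __name__ == "__main__":
    subject = decode_subject(RAW_HEADER)
    print(subject)                                   # the decoded text
    print(q_encode_word(subject) == RAW_HEADER.split(": ", 1)[1])  # True
    # a rule written for the decoded text never sees it ...
    print("überstanden" in RAW_HEADER)               # False
    # ... the Q-encoded form does match ...
    print(rule_matches("Weinprobe gut überstanden", RAW_HEADER))   # True
    # ... but the same Subject B-encoded by another client does not
    b_form = "Subject: " + b_encode_word(subject)
    print(rule_matches("Weinprobe gut überstanden", b_form))       # False
```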


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Christian Kivalo



On October 25, 2019 9:58:28 PM GMT+02:00, Jason Hirsh  wrote:
>I am getting entries in my maillog, but only in regards to OpenDKIM
>working to verify INCOMING
>These are clearly entries from OpenDKIM.  There is nothing
>corresponding for actions relative to outgoing mail
What happens when you comment out the ExternalIgnoreList and InternalHosts settings 
in opendkim.conf, restart the service and send a test mail originating from one 
of the domains you're trying to sign?
What do the logs show?

My opendkim.conf has refile: prefix also for the KeyTable option. 

Regards
Christian
-- 
Christian Kivalo


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Christian Kivalo
On October 25, 2019 6:52:52 PM GMT+02:00, Jason Hirsh  wrote:
>I have gone over my configuration with a fine tooth comb, but
>considering I put them together it is not surprising I can’t spot
>anything
>
>
>O have been trying to locate opendkim action in my log file.  It
>appears that that the  mail is being reviewed but now header added

You should revert to non debug logging for postfix as it makes it extremely 
hard to discover the relevant log messages. 

I have the same opendkim config with regard to the Syslog, SyslogSuccess and 
LogWhy options.

My opendkim logs show up in mail.log and syslog as that's how rsyslog in Debian 
is configured. Opendkim logs with the mail.* facility to syslog so whatever 
syslog daemon you use, its configuration should tell you where the logging can 
be found. 

>The thing that concerns me is the appearance of “dummy”
>
>Any thoughts any one/?
>> On Oct 24, 2019, at 11:29 AM, Jason Hirsh  wrote:
>> 
>> Thank you  for the quick response
>> 
>> 
>> I am 99% certain they are…I had the OpenDkim running for about a week
>and did not change those (I think)
>> 
>> Trusted Hosts
>> 
>> 127.0.0.1
>> localhost
>> example.com <http://example.com/>
>> example1.com <http://example1.com/>
>> 
>> 
>> 
>> KeyTable
>> 
>> default._domainkey.example.com
><http://domainkey.example.com/>:default:/usr/local/etc/opendkim/keys/example.com.com/default.private
><http://example.com.com/default.private>
>> default._domainkey.example1.com
><http://domainkey.example1.com/>:default:/usr/local/etc/opendkim/keys/example1.com/default.private
><http://example1.com/default.private>
>> 
>> SigningTable
>> 
>> *@example.com default._domainkey.example.com
><http://domainkey.example.com/>
>> *@example1.com default._domainkey.example1.com
><http://domainkey.example1.com/>
>> 
>> In my maillog.  I did find something a little strange response to an
>outgoing message
>> 
>> 
>> Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key
>retrieval failed (s=zendesk1, d=lightandmotion.com
><http://lightandmotion.com/>): 'zendesk1._domainkey.lightandmotion.com
><http://domainkey.lightandmotion.com/>' record not found
>> Oct 24 10:23:10 triggerfish opendkim[5845]: 9B3A8CB4A69:
>s=verifier201208 d=port25.com <http://port25.com/> SSL 
>> Oct 24 11:02:02 triggerfish opendkim[5845]: 93C75CB4A9A:
>s=verifier201208 d=port25.com <http://port25.com/> SSL 
>> Oct 24 11:18:43 triggerfish opendkim[5845]: 4AADACB4A99: key
>retrieval failed (s=zendesk1, d=lightandmotion.com
><http://lightandmotion.com/>): 'zendesk1._domainkey.lightandmotion.com
><http://domainkey.lightandmotion.com/>' record not found
>> 
>> Light and Motion was who the message was going to and has no presence
>in my mail system
>> 
>> 
>> Is this log entry a clue??
>> 
>> 
>>> On Oct 24, 2019, at 10:50 AM, Dominic Raferd
>mailto:domi...@timedicer.co.uk>> wrote:
>>> 
>>> On Thu, 24 Oct 2019 at 15:28, Jason Hirsh <mailto:kasd...@mac.com>> wrote:
>>>> 
>>>> I am trying to revive my OpenDKIM installation. I had it working
>but managed to break it when I updated my ports.  It is running but not
>signing outgoing messages
>>>> 
>>>> My main.cf configuration relative to OpenDkim is
>>>> 
>>>> smtpd_milters =  inet:localhost:8891
>>>> non_smtpd_milters =  $smtpd_milters
>>>> milter_default_action = accept
>>>> 
>>>> My OpenDkim.conf is
>>>> 
>>>> AutoRestart Yes
>>>> AutoRestartRate 10/1h
>>>> LogWhy  Yes
>>>> Syslog  Yes
>>>> SyslogSuccess   Yes
>>>> Modesv
>>>> Canonicalizationrelaxed/simple
>>>> ExternalIgnoreList  refile:/usr/local/etc/opendkim/TrustedHosts
>>>> InternalHosts   refile:/usr/local/etc/opendkim/TrustedHosts
>>>> KeyTable/usr/local/etc/opendkim/KeyTable
>>>> SigningTablerefile:/usr/local/etc/opendkim/SigningTable
>>>> SignatureAlgorithm  rsa-sha256
>>>> Socket  inet:8891@127.0.0.1 <mailto:8891@127.0.0.1>
>>>> UMask   022
>>>> UserID  opendkim:opendkim
>>>> TemporaryDirectory  /var/tmp
>>>> 
>>>> As I stated it is running... But not signing from a test site...
>>>> 
>>>> Any thoughts would be appreciated
>>> 
>>> Are files /usr/local/etc/opendkim/TrustedHosts, KeyTable and
>>> SigningTable set up correctly? Do you need to use KeyTable and
>>> SigningTable - this is a more complex setup; standard setup uses
>>> parameters Domain, Selector and KeyFile - see
>>> http://www.opendkim.org/opendkim-README
><http://www.opendkim.org/opendkim-README>.
>> 

-- 
Christian Kivalo


Re: MAILTO without SIZE=

2019-10-10 Thread Christian Kivalo



On October 10, 2019 3:54:50 PM GMT+02:00, "Tobias Köck"  
wrote:
>Hi,
>
>I have a Postfix set up to relay the messages to an Exchange server.
>
>It declines the mails with
>
>ntern_mail.someurl.de,08D7265A6F30DBE4,12,10.32.68.13:2525,10.32.66.152:49726,*,Tarpit
>
>for '0.00:00:05' due to '550 5.7.61 SMTP; Anonymous client does not
>have 
>permissions to send as this sender',
>
>It works manually with telnet mail.someurl.de.
Did you test it from your postfix relay or from a different IP?
>I suspect it is because Postfix sends in the Envelope address for some 
>reason the SIZE=423 with it
>
>MAIL FROM: SIZE=434,
>
>How can I disable the sending of the SIZE parameter?
>
>Greetings
>Tobias

-- 
Christian Kivalo


Re: Are sha1 & TLSv1 fully deprecated wrt mail, and time to block them?

2018-10-13 Thread Christian Kivalo



On October 13, 2018 5:32:54 PM GMT+02:00, Gary  wrote:
>
>https://support.google.com/mail/answer/81126?hl=en
>
>Look at "authenticate your mail" in the above link. Gmail required 1024
>bits. Google market dominance makes it a defacto standard. 

They require at least 1024-bit keys for DKIM signatures; more bits are 
good and accepted. 
-- 
Christian Kivalo


Re: Commenting multi line option

2018-07-23 Thread Christian Kivalo



On July 23, 2018 5:00:33 PM GMT+02:00, dur...@mgtsciences.com wrote:
>I would like to know if comments may be used in this fashion.  In the 
>example below, will the last line 'permit' be seen as part of the 
>'smtpd_helo_restrictions' option?
>
>smtpd_helo_restrictions =
>permit_mynetworks
>#   check_helo_access hash:/etc/postfix/helo_access
>#   reject_invalid_helo_hostname
>#   reject_unknown_helo_hostname
>permit
>
Yes, permit will be seen as part of smtpd_helo_restrictions in this example. 

For an explanation of the main.cf file format see 
http://www.postfix.org/postconf.5.html
-- 
Christian Kivalo


Re: Postfix does not authenticate to relayhost

2018-05-16 Thread Christian Kivalo

On 2018-05-16 20:41, Florian Lindner wrote:

On 16.05.2018 at 15:24, Matus UHLAR - fantomas wrote:

On 15.05.18 22:17, Florian Lindner wrote:
May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT 
from host[x.x.x]: 450 4.1.8
<florian@horus.localdomain>: Sender address rejected: Domain not 
found; from=<florian@horus.localdomain>

to=<florian.lind...@xgm.de> proto=ESMTP helo=

smtpd_sender_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 permit



What could be wrong here?



On 15.05.18 23:12, Florian Lindner wrote:
I understand why there is the Domain not found for horus.localdomain, 
but not why it blocks the delivery, given my

sender_restriction and relay_restrictions.


you have reject_unknown_sender_domain in sender restrictions.

your DNS servers don't apparently know "horus.localdomain"
you should better configure proper sender address in source address.


But there is also permit_sasl_authenticated positioned before
reject_unknown_sender_domain. The sending MTA should
authenticate to the relay host.

I am pretty sure that the problem is not the relay host, but the
sending machine. The relay host venus.centershock works just fine as
an SMTP drop off with the usual clients, but the sending postfix
doesn't even try to authenticate.
Complete postconf -n output from both hosts would help here so just a 
shot in the dark based on a config snippet from your first message:



Local configuration is

% postconf -n
[...]
mynetworks_style = host
relayhost = [venus.centershock.net]
smtp_sasl_password_maps = hash:/etc/postfix/relay
smtp_sasl_security_options = noanonymous
smtpd_tls_security_level = encrypt


In your local config have you set smtp_sasl_auth_enable = yes ?


Thanks,
Florian


--
 Christian Kivalo


Re: WG: Reject but styl connection established

2018-02-28 Thread Christian Kivalo


On March 1, 2018 6:42:17 AM GMT+01:00, Maurizio Caloro <mauri...@caloro.ch> 
wrote:
>Hello
>
>I have created an access list to deny, but if I check my situation this
>will connect successfully to my machine
>
>But I think this way needs to negotiate, but it is still not working correctly,
>thanks for any help!
>
> 
>
>Regard
>
>Mauri
>
> 
>
>Postfix 2.11.3
>
> 
>
># cat /etc/postfix/access | grep 103.233.193.106
>
>103.233.193.106REJECT
>
>103.233.193.106 REJECT
>
>181.49.176.106 REJECT
>
>103.233.193.106 REJECT
>
> 
>
> 
>
># cat mail.log
>
>Mar  1 00:18:08 mail postfix/smtpd [2178]: connect from
>server1.hostict.com[103.233.193.106]
>
>Anonymous TLS connection established from
>smtp.elcolombiano.com.co[181.49.176.106]
>
>Anonymous TLS connection established from
>server1.hostict.com[103.233.193.106]
>
>Anonymous TLS connection established from
>34725.simplecloud.ru[85.143.218.134]
>
> 
>
>[main.cf]
>
>smtpd_sender_restrictions = permit_mynetworks,
>
>## reject_sender_login_mismatch,
>
>check_client_access hash:/etc/postfix/access,
>
>check_sender_access hash:/etc/postfix/access,
>
>  
>
>smtpd_recipient_restrictions = permit_mynetworks,
>
>check_client_access hash:/etc/postfix/access,
>
>check_recipient_access hash:/etc/postfix/access,
>
>..
Did you postmap the /etc/postfix/access file after adding the IP?

-- 
Christian Kivalo


Re: Try dane and still got "Untrusted TLS connection..."

2017-10-26 Thread Christian Kivalo


On 26 October 2017 23:08:16 CEST, Gao <g...@pztop.com> wrote:
>Hi,
>
>I am trying to setup dane on my mail server. But I never seen a 
>"Verified TLS connection..." in the log. I always got:
>Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection 
>established to gmail-smtp-in.l.google.com[74.125.124.26]:25: TLSv1.2 
>with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
>My system is Postfix 3.2.3 on Centos 7.4
># postconf -d | grep mail_version
>mail_version = 3.2.3
>
>main.cf:
>smtp_dns_support_level = dnssec
>smtp_tls_security_level = dane
>smtp_tls_loglevel = 1
>
>DNSSEC has been setup and added TLSA record. Passed test at 
>https://www.huque.com/bin/danecheck and https://dane.sys4.de/
>
>TLSA records found: 1
>TLSA: 3 1 1
>f2545e3b5b42c7d309127c3a7f326b509f8bd199daf950d5f5bbf7530c7dc616
>
>Connecting to IPv4 address: 45.62.235.110 port 25
>recv: 220 cac.mydomain.com ESMTP Postfix
>send: EHLO cheetara.huque.com
>recv: 250-cac.mydomain.com
>recv: 250-PIPELINING
>recv: 250-SIZE 1024
>recv: 250-VRFY
>recv: 250-ETRN
>recv: 250-STARTTLS
>recv: 250-ENHANCEDSTATUSCODES
>recv: 250-8BITMIME
>recv: 250 DSN
>send: STARTTLS
>recv: 220 2.0.0 Ready to start TLS
>TLSv1.2 handshake succeeded.
>Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
>Peer Certificate chain:
>  0 Subject CN: cac.mydomain.com
>    Issuer  CN: Let's Encrypt Authority X3
>  1 Subject CN: Let's Encrypt Authority X3
>    Issuer  CN: DST Root CA X3
>  SAN dNSName: cac.mydomain.com
>  SAN dNSName: mydomain.com
>DANE TLSA 3 1 1 [f2545e3b5b42...] matched EE certificate at depth 0
>Validated Certificate chain:
>  0 Subject CN: cac.mydomain.com
>    Issuer  CN: Let's Encrypt Authority X3
>  SAN dNSName: cac.mydomain.com
>  SAN dNSName: mydomain.com
>
>[0] Authentication succeeded for all (1) peers.
>
>So I must missed something... I can't figure it out. Please help.
It looks like you have your inbound DANE config set up and DANE-checking systems can 
utilize DANE to verify your certs. 

You will only have "verified" in your logs when you /send/ mail to a DANE 
enabled domain. Try this service to check your outbound DANE config:
https://havedane.net/


>Thanks.
>
>Gao

-- 
Christian Kivalo


Re: address extension fails for mailman

2017-09-29 Thread Christian Kivalo

On 2017-09-29 10:07, thorthor wrote:

This post should contain the log and main.cf.

Don't attach, post inline


--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


--
 Christian Kivalo


Re: Communication between Postfix and Dovecot LDA

2017-09-18 Thread Christian Kivalo

On 2017-09-18 14:21, Daniel Ryšlink wrote:

Hello,

I am trying to solve a problem with error mails clogging my queue on a
system with the following components:

Incoming mail -> Postfix -> DSpam -> reinjection back to postfix queue
-> Dovecot LDA

The system also handles outgoing mail for non-local users, for any
mail address not found in a table of local users, Postfix just tries
to deliver it according to the MX records.

However, the Postfix handling the incoming messages for local users
(before DSpam) has incomplete information whether the local delivery
will be successful. I would like to immediately reject mails for
mailboxes that are full, for example, but the Postfix does not have
this information. That means that the mail is initially accepted,
passed to DSPam, and only the Dovecot LDA founds out that the mailbox
is full, and generates an error mail message, that is often not
deliverable and clogs the mailqueue.

I would like to reject as many mails as possible during the intial
SMTP session, as a part of the "check_recipient_access" phase. Is
there any way for Postfix to ask dovecot-lda "Will you be able to
locally deliver a message to this user"? I have read dovecot-lda man
page, but did not find any option of "dry" or test delivery. I
understand that Postfix can use a "policy server" - an external script
or daemon that could query dovecot for this information, but so far I
have failed to find a proper way to query dovecot to find out if a
specific mail would be deliverable.
Dovecot provides a quota service, a policy service that can be used by 
postfix.


Take a look at the dovecot wiki for the quota service: 
https://wiki2.dovecot.org/Quota


From the wiki:

Quota service

The quota service allows postfix to check quota before delivery:

service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    port = 12340
    # You can choose any port you want
  }
  client_limit = 1
}

And then have postfix check_policy_service check that:

smtpd_recipient_restrictions =
  ...
  check_policy_service inet:mailstore.example.com:12340

For more about this service see 
https://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/




I know I will be probably referred to Dovecot mailing lists, but I
thought some of you could know the answer.

Thank you in advance for any hint or advice.

--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-------


--
 Christian Kivalo
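Added example, not from the thread or the Dovecot wiki: the exchange that check_policy_service has with such a service, with a stand-in for a quota-status style decision. The mailbox table, the request values and the reply strings are constructed, and the live part uses a throw-away listener on 127.0.0.1:

```python
"""Postfix SMTP access policy delegation, as spoken by check_policy_service.

smtpd sends "name=value" lines ended by an empty line; the service answers
"action=<restriction>" ended by an empty line (SMTPD_POLICY_README).
quota_status_action() models what a quota-status style service decides.
"""
import socket
import threading

# Constructed quota table: recipient -> (bytes in use, bytes allowed).
MAILBOXES = {
    "alice@example.com": (900_000, 1_000_000),
    "bob@example.com": (100_000, 1_000_000),
}

# Constructed RCPT-stage request with some of the attributes smtpd sends.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "192.0.2.10",
    "sender": "sender@example.org",
    "recipient": "alice@example.com",
    "size": "250000",
}


def encode_policy_request(attrs):
    """Serialize a request the way smtpd does."""
    return "".join("%s=%s\n" % (k, v) for k, v in attrs.items()).encode() + b"\n"


def parse_policy_message(raw):
    """Parse one request or reply; stops at the empty line, skips junk lines."""
    attrs = {}
    for line in raw.decode("utf-8", "replace").split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def quota_status_action(attrs, mailboxes=MAILBOXES):
    """Reject at RCPT time when the announced size would not fit the mailbox,
    otherwise say DUNNO so the remaining Postfix restrictions decide."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    rcpt = attrs.get("recipient", "").lower()
    if rcpt not in mailboxes:
        return "DUNNO"  # not a local mailbox, nothing to say
    used, limit = mailboxes[rcpt]
    size = int(attrs.get("size") or 0)  # 0 when the client announced no SIZE
    if used + size > limit:
        return "552 5.2.2 Mailbox is full"
    return "DUNNO"


def policy_reply(attrs):
    """The wire form of the decision for one request."""
    return ("action=%s\n\n" % quota_status_action(attrs)).encode()


def _read_message(conn):
    """Read until the empty line that ends a request or reply."""
    buf = b""
    while not buf.endswith(b"\n\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _serve_one(server):
    conn, _ = server.accept()
    with conn:
        conn.sendall(policy_reply(parse_policy_message(_read_message(conn))))


def round_trip(attrs):
    """Ask a throw-away policy server on 127.0.0.1 exactly as smtpd would."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    worker = threading.Thread(target=_serve_one, args=(server,), daemon=True)
    worker.start()
    with socket.create_connection(server.getsockname()) as client:
        client.sendall(encode_policy_request(attrs))
        reply = parse_policy_message(_read_message(client))
    worker.join()
    server.close()
    return reply.get("action", "")


if __name__ == "__main__":
    print(round_trip(SAMPLE_REQUEST))  # 552 5.2.2 Mailbox is full
    print(round_trip({**SAMPLE_REQUEST, "recipient": "bob@example.com"}))  # DUNNO
```

If the policy service is down, smtpd falls back to smtpd_policy_service_default_action, which defaults to a temporary failure; decide deliberately whether that fail-closed behaviour is what you want for a quota check.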


Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

2017-09-12 Thread Christian Kivalo



>I know was postmulti arguments problem, but I want to know is: is this
>postfix version difference or ubuntu make some change, or
>/etc/init.d/postfix has some special?
The Debian / Ubuntu start script probably expects some distribution specific 
configuration to be in place. 

Your best bet is to remove the existing init script for postfix and create a 
systemd unit for your needs. 
-- 
Christian Kivalo


Re: Letsencrypt tip

2017-09-11 Thread Christian Kivalo



On 2017-09-11 11:21, Dominic Raferd wrote:

​Does anyone know a way to detect if the certificate currently being
used by Postfix and/or Dovecot is nearing expiry (esp. in case they
haven't picked up the updated letsencrypt certificate)?

You mean like this from the letsencrypt forum

adapted for submission on port 587 with starttls:
openssl s_client -connect yourdomain.tld:587 -starttls smtp -servername 
yourdomain.tld 2>/dev/null | openssl x509 -noout -dates


https://community.letsencrypt.org/t/it-there-a-command-to-show-how-many-days-certificate-you-have/11351/2

--
 Christian Kivalo
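Added example, not from the thread or the linked forum post: the same check from Python, extended to compare the certificate the daemon actually serves with the renewed file on disk. SAMPLE_DATES is constructed openssl output, and the host and certificate path in the usage line are placeholders:

```python
"""Expiry check for the certificate a STARTTLS submission service presents.

parse_openssl_dates() and days_left() do what the openssl one-liner does;
served_not_after() and file_not_after() cover the case the question is
about, a renewed file on disk that the daemon has not reloaded.
"""
import smtplib
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed: what `openssl x509 -noout -dates` prints for a certificate.
SAMPLE_DATES = """\
notBefore=Sep  1 10:00:00 2017 GMT
notAfter=Nov 30 10:00:00 2017 GMT
"""


def parse_openssl_dates(text):
    """Turn `openssl x509 -noout -dates` output into UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds understands the "%b %d %H:%M:%S %Y GMT" form
            secs = ssl.cert_time_to_seconds(value.strip())
            dates[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    return dates


def days_left(not_after, now=None):
    """Whole days until `not_after`; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def served_not_after(host, port=587):
    """Expiry of the certificate the running daemon presents after STARTTLS.
    The default context verifies chain and hostname, so an expired or
    mismatched certificate surfaces as an ssl.SSLError here."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        cert = smtp.sock.getpeercert()
    secs = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def file_not_after(pem_path):
    """Expiry of the certificate file on disk, via the openssl CLI."""
    out = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True).stdout
    return parse_openssl_dates(out)["notAfter"]


def check_submission_cert(host, pem_path, port=587, warn_days=14):
    """Return a list of problems; empty means the daemon serves the file on
    disk and that certificate is not close to expiry."""
    served = served_not_after(host, port)
    problems = []
    if served != file_not_after(pem_path):
        problems.append("served certificate differs from %s; reload the daemon" % pem_path)
    remaining = days_left(served)
    if remaining < warn_days:
        problems.append("served certificate expires in %d days" % remaining)
    return problems


if __name__ == "__main__":
    d = parse_openssl_dates(SAMPLE_DATES)
    print(days_left(d["notAfter"], now=d["notBefore"]))  # 90
    # live check; host and path are placeholders:
    # print(check_submission_cert("mail.example.com",
    #                             "/etc/letsencrypt/live/mail.example.com/fullchain.pem"))
```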


Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Christian Kivalo

  user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
policyd-spf unix -      n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}





___
Daniel A. Rodriguez
Departamento de Tecnología para la Gestión
Escuela Provincial de Educación Técnica N° 1
Posadas - Misiones - Argentina
(0376) 443-8578
www.epet1.edu.ar


--
 Christian Kivalo


Re: 451 4.3.5 Server configuration error

2017-08-30 Thread Christian Kivalo



On 2017-08-30 14:51, Daniel Armando Rodriguez wrote:

Hi, I'm getting such message logged after the warning: unknown smtpd
restriction: "milter_default_action"

Note that options in master.cf are without spaces around the "=".


All incoming mail is rejected.

What I'm trying to achieve is to get dkim validation working,
following this guide
https://wiki.debian.org/opendkim

It helps to show your configuration.

See http://www.postfix.org/DEBUG_README.html#mail

Send the output of
postconf -n
postconf -Mf





regards in advance


--
 Christian Kivalo


Re: sender_access question

2017-08-30 Thread Christian Kivalo
Thanks for any support.
Mark



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


--
 Christian Kivalo


Re: postfix log in mysql

2017-08-27 Thread Christian Kivalo


On 28 August 2017 05:51:10 CEST, Kev <savage-gar...@hanikamail.com> wrote:
>Hi postfixers,
>
>We have spam filter servers for our down, 5 of them to be exact. we use
>amavisd, bitdefender & clamav for spam and virus filter. 
>
>we have a self help portal done in php/mysql for users to manage
>whitelist/blacklist etc, now i want to allow users to check their email
>logs so they can find if any wanted email is blocked,
>
>so the question is, how can i log postfix to a mysql db where i can
>write
>an interface for users to search for email and see what did the
>blocking, such as rbl, amavis etc ? 
>
>ive seen some solutions to use syslog in to mysql but i was thinking
>something much simpler where i will still have logs in place even if
>mysql fails.
Most syslog daemons can write to more than one output stream so besides 
absorbing your logs with mysql additionally you could keep logging to file and 
have your logs as normal. 
>rgds

-- 
Christian Kivalo


Re: pickup/maildrop being used to spam through my machine.

2017-06-13 Thread Christian Kivalo


On 13 June 2017 10:28:39 CEST, Homer Wilson Smith 
<homerwsm...@lightlink.com> wrote:
>
> Running postfix 2.3.3 CentOS 5.x
>
> This is a simple apache 2 web server running postfix for
>incoming mail for shell users on the same server.  Very low key,
>almost no traffic, outside is not allowed to connect to the
>postfix on this machine.
>
>  This machine only handles shell users on its own domain,
>adore.lightlink.com and mail addressed or forwarded to it from our other
>real mail servers that talk to the outside world.
>
>  Suddenly I am finding adore's mailq queue filled with spam, each having 
>a pickup line in the logs, but no indication where it comes from,
>probably the web server as the from username is apache, but so far no
>correlation between web logs and time stamp on pickup line.
>
>  This machine is also running an innd news server if it makes
>any difference, innd 2.x
>
> Can someone tell me about possible injection routes into the
>maildrop directory and how to stop it if I can't
>find the web page doing it.

Start with restricting which users are allowed to locally submit mail 
authorized_submit_users 
http://www.postfix.org/postconf.5.html#authorized_submit_users



> Thanks  Homer
>
>Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: 89BB02B00DD: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: A53092B00E3: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: BEAB72B00E7: uid=48
>from=
>Jun 12 05:26:17 adore2 postfix/pickup[14251]: CA9F42B00EC: uid=48
>from=
>... on and on and on thousands etc.

-- 
Christian Kivalo
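Added example, not part of the thread: detection logic over pickup log lines in the format quoted above, to see which local uid is injecting and how fast, before restricting local submission. The log lines, sender addresses and the uid-to-name map are constructed:

```python
"""Spotting a local submission flood in Postfix pickup log lines.

pickup logs "uid=<n>" for every message dropped into the maildrop queue, so
grouping those lines per uid and per time window shows which local account
is injecting mail, which is what authorized_submit_users then restricts.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PICKUP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>"
)

# Constructed: twelve injections from uid 48 within two seconds, then two
# ordinary local submissions much later. Sender addresses are made up.
SAMPLE_LOG = """\
Jun 12 05:26:16 adore2 postfix/pickup[14251]: E39582B000C: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: F23D62B000F: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 099E82B0028: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2169C2B0038: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 260E32B0065: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 2AB902B007D: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 325422B0080: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3AC572B0095: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 3D0A32B00B8: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 417DD2B00BD: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4728B2B00CA: uid=48 from=<apache@example.com>
Jun 12 05:26:17 adore2 postfix/pickup[14251]: 4FE062B00D2: uid=48 from=<apache@example.com>
Jun 12 05:30:02 adore2 postfix/pickup[14251]: 7C0F12B00F9: uid=501 from=<homer@example.com>
Jun 12 06:15:44 adore2 postfix/pickup[14251]: 8D1A22B0102: uid=0 from=<root@example.com>
"""

# Constructed stand-in for /etc/passwd on the host in question.
UID_NAMES = {0: "root", 48: "apache", 501: "homer"}


def parse_pickup(log_text):
    """Yield (timestamp, uid, queue id, sender) for every pickup line."""
    for line in log_text.splitlines():
        m = PICKUP_RE.match(line)
        if not m:
            continue  # lines from other daemons, or a format we do not know
        # syslog timestamps carry no year; year 1900 is fine for bucketing
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, int(m["uid"]), m["qid"], m["sender"]


def submissions_per_uid(log_text):
    """Total pickup events per uid, the first thing to look at."""
    return Counter(uid for _, uid, _, _ in parse_pickup(log_text))


def bursts(log_text, window_seconds=60, threshold=10):
    """Return [(uid, account name, window start, count)] for every uid and
    window reaching `threshold` messages. Ten messages a minute from a web
    server account that is not supposed to send mail is the signal here."""
    epoch = datetime(1900, 1, 1)
    counts = defaultdict(int)
    for ts, uid, _, _ in parse_pickup(log_text):
        bucket = int((ts - epoch).total_seconds()) // window_seconds
        counts[(uid, bucket)] += 1
    hits = []
    for (uid, bucket), n in counts.items():
        if n >= threshold:
            start = epoch + timedelta(seconds=bucket * window_seconds)
            hits.append((uid, UID_NAMES.get(uid, str(uid)),
                         start.strftime("%b %d %H:%M"), n))
    return sorted(hits)


if __name__ == "__main__":
    print(submissions_per_uid(SAMPLE_LOG))  # Counter({48: 12, 501: 1, 0: 1})
    print(bursts(SAMPLE_LOG))               # [(48, 'apache', 'Jun 12 05:26', 12)]
```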


Re: gmail servers on blacklists?

2017-03-18 Thread Christian Kivalo

On 2017-03-17 22:47, David Mehler wrote:

Hello,

Thank you.

Hi

Please reply to the list


I have postwhite running, not sure if it's updating?

Do you run postwhite and if so do you have an update procedure so you
always have the updated postwhite?
I use it but do updates manually. Doing it automatically is on a to-do
list ;)

Thanks.
Dave.

On 3/17/17, Christian Kivalo <ml+postfix-us...@valo.at> wrote:



On 2017-03-17 22:12, David Mehler wrote:

Hello,

I'm starting to see blocks on my messages to my mail server. For some
reason postscreen is not letting any gmail servers send mail, it's
blocking them.

Has anyone got an idea or have you seen this?

You could use postwhite https://github.com/stevejenkins/postwhite to
whitelist gmail.
The map is created by postwhite from Gmail's SPF records.

--
  Christian Kivalo



--
 Christian Kivalo


Re: gmail servers on blacklists?

2017-03-17 Thread Christian Kivalo



On 2017-03-17 22:12, David Mehler wrote:

Hello,

I'm starting to see blocks on my messages to my mail server. For some
reason postscreen is not letting any gmail servers send mail, it's
blocking them.

Has anyone got an idea or have you seen this?
You could use postwhite https://github.com/stevejenkins/postwhite to 
whitelist gmail.

The map is created by postwhite from Gmail's SPF records.

--
 Christian Kivalo
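What postwhite does, reduced to its core, as an added example rather than postwhite's own code: expand a domain's SPF record through its include: chain and emit the ip4/ip6 networks as a cidr_table(5) body usable with postscreen_access_list. The SPF records are a constructed stand-in for DNS so the code runs offline, and the table path in the docstring is illustrative.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not Google's real
# records). postwhite resolves these live; here the "DNS" is a dictionary.
SPF_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.com ~all",
    "_spf.example.com": "v=spf1 include:_netblocks.example.com "
                        "include:_netblocks2.example.com ~all",
    "_netblocks.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.16/28 -all",
    "_netblocks2.example.com": "v=spf1 ip6:2001:db8::/32 ip4:203.0.113.5 -all",
}


def lookup_spf(domain, records):
    """Stand-in for the TXT lookup; raises if the domain publishes no SPF."""
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    return record


def spf_networks(domain, records=SPF_RECORDS, max_lookups=10, _seen=None):
    """Collect the ip4/ip6 networks an SPF record authorises, following
    include: and redirect= terms. Cycles are cut off, and RFC 7208's limit of
    10 DNS-querying terms is approximated by counting fetched domains."""
    seen = _seen if _seen is not None else set()
    if domain in seen:
        return []
    seen.add(domain)
    if len(seen) > max_lookups + 1:
        raise RuntimeError("SPF lookup limit exceeded")
    nets = []
    for term in lookup_spf(domain, records).split()[1:]:
        term = term.lstrip("+")  # "+ip4:" means the same as "ip4:"
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[8:], records, max_lookups, seen))
        elif term.startswith("redirect="):
            nets.extend(spf_networks(term[9:], records, max_lookups, seen))
        # a, mx, ptr and exists terms need further DNS and are left out here
    return nets


def cidr_table(domain, records=SPF_RECORDS, action="permit"):
    """Render a cidr_table(5) body, e.g. for
    postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postwhite.cidr
    (path illustrative). Networks are de-duplicated and sorted, IPv4 first."""
    nets = sorted(set(spf_networks(domain, records)),
                  key=lambda n: (n.version, n))
    lines = [f"# {domain}: networks authorised by its SPF record"]
    lines += [f"{n.with_prefixlen}\t{action}" for n in nets]
    return "\n".join(lines) + "\n"
```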


Re: Question on embedded variables in postconf command

2017-03-07 Thread Christian Kivalo


Am 7. März 2017 20:00:55 MEZ schrieb Robert Moskowitz :
>After a bit of reflection, I may have asked the wrong question. Perhaps
>
>a better question is does the substitution take place on processing the
>
>option?
What about testing the assumption? Build the configuration and try to make a 
TLS-secured connection; it either works or you will see the error in your logs.

Just changed my configuration to use the $myhostname variable for the cert 
filename and that works very well. Thanks for the idea.
>thanks
>
>On 03/07/2017 01:59 PM, Robert Moskowitz wrote:
>> Is there a way to get the following:
>>
>> postconf -e 'smtpd_tls_key_file =
>/etc/pki/tls/private/$myhostname.key'
>>
>> To work and substitute the value for $myhostname?
>>
>> I am building a new server and writing up my scripts and I am trying 
>> to adhere to the lessons I learned here some 2+ years ago. And trying
>
>> to be better than I was then...
>>
>>
>> Thank you.
>>
>>
-- 
Christian


Re: dovecot cram-md5 setting break sending emails

2017-02-23 Thread Christian Kivalo


--
 Christian Kivalo


Re: send an email with specified sender/recipient address to different servers

2017-02-22 Thread Christian Kivalo

On 2017-02-22 16:51, Zalezny Niezalezny wrote:

Hi,

I just would like to know, how may send specified messages to
different hosts.

/etc/postfix/transport

domain.com   relay:mx-domain.local
*   host

All E-mails To: u...@domain.com system sending to mx-domain.local.
This is working fine.

But what should I do, if I would like to send an e-mail To:
user_...@domain.com to some other system with IP 10.204.2.2 ? What
should I do ?


Add the email address and nexthop definition to transport_maps before the 
domain.com entry:


user_...@domain.com   smtp:10.204.2.2
domain.com   relay:mx-domain.local
*   host

see transport(5) section Table Search Order
http://www.postfix.org/transport.5.html


The same question for senders. How to send message From:
sender@domain.example not via my default gateway ("*   host" like the
rest of not defined E-mails ) but via some other system "host2" ?

How to properly do it ?


I think sender_dependent_transport_maps should do it
http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps


Thanks in advance for Your support.

Cheers

Zalezny




--
 Christian Kivalo


Re: Postfix, Dmarc, and Dkim for multiple domains

2017-02-21 Thread Christian Kivalo


Am 21. Februar 2017 19:52:42 MEZ schrieb David Mehler <dave.meh...@gmail.com>:
>Hello,
>
>I'm not sure if this is the right place to ask this question, but it
>is mail related.
>
>I've got Postfix 3.1, and two milter filters dkim (with OpenDKIM), and
>dmarc (with OpenDMARC). At the time of initial setup I had one virtual
>mailbox domain and things were working fine.
>
>Now I've added two more virtual mailbox domains and need to configure
>both opendkim and opendmarc to handle them. I believe I have this with
>OpenDKIM here's the config:
>
>AllowSHA1Only  no
>AlwaysAddARHeader  yes
>AuthservID hostname.example.com
>AutoRestartYes
>AutoRestartRate5/1h
>Canonicalization   relaxed/simple
>ExternalIgnoreList refile:/usr/local/etc/mail/TrustedHosts
>InternalHosts  refile:/usr/local/etc/mail/TrustedHosts
>KeyTable   /usr/local/etc/mail/KeyTable
>MinimumKeyBits 2048
>Mode   sv
>PidFile/var/run/milteropendkim/opendkim.pid
>SigningTable   /usr/local/etc/mail/SigningTable
>Socket inet:8891@localhost
>SoftwareHeader yes
>SubDomains  yes
>Syslog Yes
>SyslogSuccess  yes
>UserID opendkim
>
># OPENDKIM TRUSTED HOSTS
>127.0.0.1
>::1
>localhost
>host.example.com
>example.com
>host.example2.com
>example2.com
>host.example3.com
>example3.com
>
># KeyTable
>selector._domainkey.example.com
>example.com:selector:/usr/local/etc/mail/keys/example.com/selector
>selector._domainkey.example2.com
>example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
>selector._domainkey.example3.com
>example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector
>
># SigningTable
>example.com selector._domainkey.example.com
>example2.com selector._domainkey.example2.com
>example3.com selector._domainkey.example3.com
>
>With regards dkim will having an AuthservID of hostname.example.com
>mess up dkim checks for any of the other virtual mailbox domains as
>they are all on the one server?
No.
If you don't set the AuthservID configuration parameter, the name of the MTA is 
used; looking at the emails in my inbox, this is the system's hostname.
The AuthservID has nothing to do with your virtual domains and is just a label 
that e.g. opendmarc uses to get the input for its decisions; when checking SPF, 
there is probably another AR header with the same authservid name.

>I am not sure how to do this using opendmarc as I can't use a table.
Why would you need a table for opendmarc?
Opendmarc uses the authentication-result headers of the SPF and DKIM checks and 
then retrieves the sending domain's DMARC policy from DNS and makes its decision 
based on that information.

>If anyone has this working with these filters please let me know.
I'm running such a setup with 6 domains for which I DKIM sign, and I receive for 
11 domains. The AuthservID is the receiving system's hostname (postfix 
$myhostname and the real FQDN are the same; I did not test which name is used 
when they differ).

-- 
Christian Kivalo
>
>Thanks.
>Dave.
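The AR-driven decision described above, as an added example that is not OpenDMARC's code: only Authentication-Results headers carrying the configured authserv-id are consulted, the DKIM and SPF results in them are checked for alignment with the From: domain, and the published policy decides the disposition. The message, the DMARC record and the two-label organisational-domain shortcut are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message and DMARC record (illustrative, not real data).
# The first two AR headers carry the authserv-id from the thread; the third
# was written by an unrelated host and must be ignored.
MESSAGE = """\
Authentication-Results: hostname.example.com; dkim=pass header.d=example2.com header.s=selector
Authentication-Results: hostname.example.com; spf=pass smtp.mailfrom=bounces.example2.com
Authentication-Results: other-host.invalid; dkim=fail header.d=example2.com
From: Dave <dave@example2.com>
To: someone@example.com
Subject: test

hello
"""
DMARC_RECORDS = {"example2.com": "v=DMARC1; p=reject; adkim=r; aspf=s"}

AR_RESULT = re.compile(r'\b(?P<method>dkim|spf)=(?P<result>\w+)')
AR_DKIM_D = re.compile(r'\bheader\.d=(?P<d>[^;\s]+)')
AR_SPF_FROM = re.compile(r'\bsmtp\.mailfrom=(?:[^@\s;]+@)?(?P<d>[^;\s]+)')


def org_domain(domain):
    """Organisational domain, approximated as the last two labels (a real
    implementation consults the public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 identifier alignment: strict ("s") needs an exact match,
    relaxed ("r") only the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_record(txt):
    """Split 'v=DMARC1; p=reject; adkim=r' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate(raw_message, authserv_id, records):
    """Reproduce the decision taken from the AR headers: pass if an aligned
    DKIM or SPF pass exists, else apply the domain's p= policy (pct, sp and
    the other tags are ignored for brevity)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rec = parse_record(records.get(from_domain, "v=DMARC1; p=none"))
    adkim, aspf = rec.get("adkim", "r"), rec.get("aspf", "r")
    dkim_ok = spf_ok = False
    for header in msg.get_all("Authentication-Results", []):
        asid, _, rest = header.partition(";")
        if asid.strip().lower() != authserv_id.lower():
            continue  # only headers written under our own authserv-id are trusted
        for m in AR_RESULT.finditer(rest):
            if m["method"] == "dkim" and m["result"] == "pass":
                d = AR_DKIM_D.search(rest)
                if d and aligned(d["d"], from_domain, adkim):
                    dkim_ok = True
            elif m["method"] == "spf" and m["result"] == "pass":
                d = AR_SPF_FROM.search(rest)
                if d and aligned(d["d"], from_domain, aspf):
                    spf_ok = True
    passed = dkim_ok or spf_ok
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else rec.get("p", "none"),
    }
```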


Re: SASL LOGIN authentication failed: no mechanism available

2017-02-09 Thread Christian Kivalo



On 2017-02-09 09:09, Nick - ServerBuddies Support wrote:

Hello guys,

For some reason I'm unable to send any email from this postfix server,
I'm getting the following error:

Feb  9 03:00:35 buf postfix/smtpd[6424]: warning: SASL PLAIN
authentication failed: no mechanism available


For Debian, install the package libsasl2-modules.

--
 Christian Kivalo


Re: can't get postfix to send on port 587

2017-01-22 Thread Christian Kivalo

On 2017-01-22 23:29, Steven Borrelli wrote:

@domain.name in-v3.mailjet.com


sender_dependent_relayhost_maps is used to override your relayhost 
setting.


Your relayhost setting [in-v3.mailjet.com]:587 was overruled by 
in-v3.mailjet.com (port 25).


Remove the sender_dependent_* settings and all your mail will be sent 
through your configured relayhost.


On Sun, Jan 22, 2017 at 3:59 PM, Noel Jones <njo...@megan.vbhcs.org> 
wrote:

On 1/22/2017 3:47 PM, Steven Borrelli wrote:

Hello all,

I've got Postfix 3.1.3 running on FreeBSD 10.3-STABLE (last updated
1/2/17) at home, where my ISP blocks port 25, so I'm trying to go
through Mailjet's SMTP relay. All the required settings as directed by
Mailjet's online support are in place for sending on port 587 but
Postfix is not even trying to send on port 587, as my /var/log/maillog
regularly shows messages like this with every mail attempt:
[...] status=deferred (delivery temporarily suspended: connect to
smtp-ovhfr11.mailjet.com[5.196.43.135]:25: Operation timed out)

My question: What part of my configuration is telling it not to send
on port 587? Any help is appreciated.




So what's in here?
sender_dependent_relayhost_maps = 
hash:/usr/local/etc/postfix/sender_relay





  -- Noel Jones


Thanks,
Steve


Below is a snippet of my main.cf:
**
# TLS
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/local/etc/postfix/myserver.key
smtpd_tls_cert_file = /usr/local/etc/postfix/server.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_ask_ccert = yes

# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination

# Forward all SMTP to Mailjet
relayhost = [in-v3.mailjet.com]:587
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = 
hash:/usr/local/etc/postfix/sender_relay

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl-passwords

**

And here is a snippet of my master.cf:
**
smtp  inet  n   -   n   -   -   smtpd
#smtp  inet  n   -   n   -   1   postscreen
#smtpd pass  -   -   n   -   -   smtpd
#dnsblog   unix  -   -   n   -   0   dnsblog
#tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING





--
 Christian Kivalo


Re: SSL_accept error from other MTA

2017-01-14 Thread Christian Kivalo


Am 14. Jänner 2017 09:40:22 MEZ schrieb Admin Beckspaced <ad...@beckspaced.com>:
>Dear postfix users,
>
>I'm running Postfix version 2.11.6 on an OpenSUSE 42.1 box and all is
>running sweet & fine ;)
>Except a customer calls me that he can't receive emails from one of his
>partners.
>
>After looking for the partner email I found those log entries:
>
>2017-01-14T00:31:28.312121+01:00 cx20 postfix/smtpd[12579]: connect
>from
>mail.kommunalunternehmen.de[217.6.53.146]
>2017-01-14T00:31:28.419190+01:00 cx20 postfix/smtpd[12579]: SSL_accept
>error from mail.kommunalunternehmen.de[217.6.53.146]: Connection reset
>by peer
>2017-01-14T00:31:28.420304+01:00 cx20 postfix/smtpd[12579]: lost
>connection after STARTTLS from
>mail.kommunalunternehmen.de[217.6.53.146]
>2017-01-14T00:31:28.420870+01:00 cx20 postfix/smtpd[12579]: disconnect
>from mail.kommunalunternehmen.de[217.6.53.146]
>
>and those log entries repeat and repeat. From what I can also see in
>the
>logs it seems to be an exchange mail server:
>
>2017-01-13T14:17:55.649227+01:00 cx20 postfix/cleanup[3703]:
>960DA1A198A:
>message-id=<96C90C91ED31E24D8985DCEF2658CA0923EFD130@ku-exchange-02.kommunalunternehmen.local>
>
>is this a buggy or wrongly configured MTA which has problems with TLS on
>port 25?
>
>All other MTAs don't seem to have any problems with TLS / STARTTLS.
>
>What can I do to fix this problem? Let the other MTA know that they got
>an issue with their TLS setup?
>
>Thanks & greetings
>Becki
>
>Here's my postconf, using a valid certificate from letsencrypt
>
>linux:~ # postconf -n | grep tls
>smtp_enforce_tls = no
>smtp_tls_CAfile =
>smtp_tls_CApath =
>smtp_tls_cert_file = /fullchain.pem
>smtp_tls_key_file = /privkey.pem
>smtp_tls_loglevel = 0
>smtp_tls_session_cache_database =
>smtp_use_tls = yes
>smtpd_tls_CAfile =
>smtpd_tls_CApath =
>smtpd_tls_ask_ccert = no
>smtpd_tls_cert_file = /fullchain.pem
>smtpd_tls_key_file = /privkey.pem
>smtpd_tls_loglevel = 0
>smtpd_tls_received_header = no
>smtpd_use_tls = yes
>tls_random_source = dev:/dev/urandom

You could set smtpd_tls_loglevel = 1 and get some more information on the next 
connection attempt.

Without knowing more details I'd say you have no cipher in common; that could 
be the case when you're dealing with an ancient version of Exchange or some crappy 
middlebox.

-- 
 Christian Kivalo


Re: Dovecot + Postfix: virtual users Mailbox folder

2017-01-13 Thread Christian Kivalo


Am 13. Jänner 2017 16:27:23 MEZ schrieb mohamed <mohamedmaalej@gmail.com>:
>I checked the mail log in /var/log and discovered that now errors
>happened
>when sending the e-mail. However, I couldn't figure out where the
>incoming
>e-mails will be stored in the system (I'm on Ubuntu 16.04 LTS).
Hard to guess an answer...

Show logs for one message and the output of postconf -n.

-- 
 Christian Kivalo



Re: Forwarding all mail to office365.com exchange server.

2017-01-12 Thread Christian Kivalo


I have several things like printers and applications that send email to a
local linux host running postfix, and I need to get that postfix instance to
forward all of its email to the Office365.com Exchange server via an
authenticated connection.  I have an account that we have used for system
email previously.  It's set up as a normal email user.

I have configured postfix so that it will not deliver any mail locally.

I have set the relayhost to

[smtp.office365.com]:587

I have created a smtp_sasl_passwd file that has the following contents
(redacted where necessary)

[smtp.office365.com]:587kem...@mydomain.com:PASSWORD

This connects just fine, and rewrites the mail sender when I send email from
the local postfix host.

I have added the following lines to main.cf to try and get mail from other
hosts to forward:

sender_canonical_classes = envelope_sender,header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps

the sender_canonical_maps looks like this:

/.+/kem...@mydomain.com

and I have remembered to run postmap on all of the mapping files I have tried
over the last week or so of trying this.

but for some reason, no email from any other host or device ever gets
through.


Have you read http://www.postfix.org/ADDRESS_REWRITING_README.html ?

For better help show logs of one message that passes through your 
system.


If someone has a working example of a main.cf that is configured to relay
mail from local systems and devices to office365.com through an
authenticated connection, I would really love to see it.  I'm tired of
banging my head on the wall.

Below is my postconf -n output.  I have tried several permutations on this,
so just because you don't see something obvious in that info, believe me, I
probably tried it.

At any rate, anything I tried failed, so I'm ready to try out all
suggestions.

postconf -n output:

[2299]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = smtp.office365.com
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_protocols = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination =
myhostname = pet-mail-01.enphaseenergy.com
myorigin = enphaseenergy.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = enphaseenergy.com
relayhost = [smtp.office365.com]:587
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_canonical_classes = envelope_sender,header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps


Take a look at the documentation for sender_canonical_maps 
http://www.postfix.org/postconf.5.html#sender_canonical_maps and 
canonical_maps http://www.postfix.org/postconf.5.html#canonical_maps


I suspect you probably need to set local_header_rewrite_clients 
http://www.postfix.org/postconf.5.html#local_header_rewrite_clients for 
your rewriting of mails from remote hosts to be made.



sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
smtp_tls_ciphers = export
smtp_tls_mandatory_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = encrypt
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550



-
 Thanks,
James "Zeke" Dehnert

--
mailto:jdehn...@dehnert.com  James "Zeke" Dehnert
  -= Eschew Obfuscation =-
 "Life is racing. Everything else is just waiting"


--
 Christian Kivalo


Re: Suppress connection logging for IP

2016-12-02 Thread Christian Kivalo


Am 2. Dezember 2016 20:39:58 MEZ, schrieb Ray Dzek <ray.d...@specialized.com>:
>Hi,
>
>We have a load balancer that opens a connection to the SMTP port on our
>postfix boxes to ensure the ports are alive and kicking. But obviously,
>this generates a lot of log clutter that is not needed. How would I go
>about suppressing the connect from... / disconnect from... log entry
>for this particular IP?

Configure your syslog daemon to discard these messages from the stream.

>
>Thanks in advance,
>
>Ray
-- 
Christian Kivalo


Re: Open relay

2016-10-22 Thread Christian Kivalo


Am 22. Oktober 2016 08:18:36 MESZ, schrieb Tomoyuki Murakami 
<tomoy...@pobox.com>:
>
>On Fri, 21 Oct 2016 22:15:32 +0200, Paul van der Vlis
><p...@vandervlis.nl> wrote:
>> Hello,
>
>> Some settings and logs:
>>
>> smtpd_relay_restrictions =
>>   permit_mynetworks,
>>   permit_sasl_authenticated,
>>   check_sender_access hash:/etc/postfix/whitelist,
>>   reject_invalid_hostname,
>>   reject_non_fqdn_sender,
>>   reject_non_fqdn_recipient,
>>   reject_unknown_sender_domain,
>>   reject_unknown_recipient_domain,
>>   reject_unauth_pipelining,
>>   reject_unauth_destination,
>>   check_policy_service unix:private/shadelist,
>>   reject_rbl_client bl.spamcop.net,
>>   reject_rbl_client zen.spamhaus.org,
>>   reject_rbl_client ix.dnsbl.manitu.net,
>>   permit
>
>permit after all ?

Yes.

- Permit the stuff that shouldn't be rejected (mynetworks, sasl authenticated)
- Perform various checks and reject the things you don't like
- Permit everything that made it through that obstacle course

-- 
Christian Kivalo


Re: Hardening relay and sender-specified routing

2016-10-20 Thread Christian Kivalo


Am 20. Oktober 2016 07:57:58 MESZ, schrieb Ross Naheedy <lsl...@gmail.com>:
>I am having a peculiar issue in not being able to lock down my postfix
>2.10.  This is on a server that is on the Internet and must receive
>emails
>and relay email for authenticated users.  My main.cf relevant portions
>look
>like this:
>
>myhostname=example.com
>mydomain=example.com
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>smtpd_recipient_restrictions = permit_sasl_authenticated,
>permit_mynetworks, reject_unauth_destination
>smtpd_relay_restrictions = permit_sasl_authenticated,
>permit_mynetworks,
>reject_unauth_destination
>
>Looking at my maillog, it looks like the server is being used to a
>relay,
>although I'm not sure why.  I checked some of the messages
>to /var/spool/postfix/defer and here's one of them (with my domain
>being
>example.com)
>
>
><8467-6900600747-824-sales=example@mail.gretofrr.us>: connect to
>mail.gretofrr.us[2400:cb00:2048:1::681b:8eb4]:25: Connection timed out
>recipient=8467-6900600747-824-sales=example@mail.gretofrr.us
>offset=707
>dsn_orig_rcpt=rfc822;8467-6900600747-824-sales=example@mail.gretofrr.us
>status=4.4.1
>action=delayed
>reason=connect to mail.gretofrr.us[2400:cb00:2048:1::681b:8eb4]:25:
>Connection timed out
>
>It looks to me that postfix accepted a message destined to
>8467-6900600747-824-sales=example@mail.gretofrr.us and is
>attempting to
>deliver it.  Looks to me a different form of sender-specified routing
>based
>on what I've read here: http://www.postfix.org/postconf.5.html#reject_unauth_destination
>
>I must be doing something wrong, but for the life of me I cannot figure
>it
>out.
Please post postconf -n and, if you have them, logs for one of those messages 
entering your system.
>
>Thanks,
>Ross.
-- 
Christian Kivalo


Re: WoSign/StartCom CA in the news

2016-09-28 Thread Christian Kivalo


Am 28. September 2016 10:25:42 MESZ, schrieb li...@lazygranch.com:
>I don't want take this thread off course, but suggestions for low cost
>certs would be appreciated. I don't like how Let's Encrypt works, else
>that would be the obvious solution. 
I get mine through https://www.ssls.com

>Domain registration isn't free. Server time isn't free. Something like
>$20 a year would be fine. I already have a self signed cert for email,
>but would like to eventually encrypt my websites and attempt
>dnssec/dane.
>
>When Symantec first announced that they would compete with Let's
>Encrypt, I signed up with them. But it looks like their free cert
>program is more like you need to recruit customers for them.
>
>
>  Original Message  
>From: Sven Schwedas
>Sent: Wednesday, September 28, 2016 1:10 AM
>To: postfix-users@postfix.org
>Subject: Re: WoSign/StartCom CA in the news
>
>On 2016-09-28 00:31, Giovanni Harting wrote:
>> Correct me if I'm wrong, but that document you describe issues by
>> Mozilla and others, doesn't it state that it would only affect new
>> issues certs after a certain date?
>
>Yes, but most StartSSL/WoSign certificates are only valid for a year or
>less. So customers should start looking for alternative providers
>*now*,
>because a year-long block will affect almost all of them.
>
>> Am 09/28/16 um 00:29 schrieb Viktor Dukhovni:
>>> WoSign (who seemingly purchased StartCom) seem to have run into
>>> some compliance issues as reported by Firefox:
>>>
>>> http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
>>>
>>>
>>> Many SMTP servers are using certs from StartCom. In my DANE
>>> adoption survey, out of 2201 certificates used by DANE MX
>>> hosts 411 are issued by StartCom and 47 by WoSign. So that's
>>> just over 20% of observed certificates. While the rate is
>>> likely different for the larger SMTP ecosystem (DANE users
>>> are bleeding edge, not representative at this time), I expect
>>> that these CAs are still quite popular overall.
>>>
>>> If you're using StartCom/WoSign certs, and rely on them being
>>> verified by MUAs and/or peer MTAs. you may want to make
>>> contingency plans if Mozilla and perhaps others go through
>>> with delisting (or disabling) the related root CAs from
>>> their trusted CA bundles.
>>>
>> 



Re: greylist doesn't seem to be working? Setup correctly.

2016-06-06 Thread Christian Kivalo



On 2016-06-06 11:54, Robert Chalmers wrote:

I have set up the greylist policy, exactly according to the postfix
docs, but nothing seems to be getting generated in /var/mta - no
database that is.

When reloading I get this.

postconf: warning: /usr/local/etc/postfix/main.cf: unused parameter:
greylist_time_limit=3600

However, the documents say to put it in.

# Greylist policy server
#
greypolicy unix  -   n   n   -   0   spawn
  user=nobody:mail argv=/opt/local/bin/perl /usr/local/libexec/postfix/greylist.pl
#

and in main.cf


/etc/postfix/main.cf:
    greylist_time_limit = 3600
    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination
        check_policy_service unix:private/greylist
        ...
    # smtpd_policy_service_request_limit = 1


But ok, I remove the greylist_time_limit = 3600 and proceed, but there
is no greylist.db being generated?

Is greylisting a good thing?


I removed greylisting from my setup, it needlessly slows things down 
and postscreen does most of the work already. I wouldn't bother setting 
it up.



 What am I doing wrong?
thanks

Robert Chalmers
rob...@chalmers.com.au

Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan
10.11.  XCode 7.2.1
2TB: Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024
HN-M101MBB. Lower Bay





--
 Christian Kivalo


Re: Is there a Check my IPv6 Email server out there anywhere?

2016-05-31 Thread Christian Kivalo


On 2016-05-31 15:36, Robert Chalmers wrote:

I have a message for en.internet.nl advising me that
 “Modern internet address? Not reachable or improvements possible
(IPv6)”
->
"Unfortunately, this e-mail domain can NOT be reached by senders using
modern IPv6 addresses or there is an error in its configuration. It is
NOT yet part of the modern Internet. You should ask your e-mail
provider to enable IPv6 or to fix the issues in its configuration.”

So I’m trying to figure out just what it is thats wrong with it.
I’ve had something of a similar message from Gmail.
My service provider only recently enabled IPv6 for customers, and
although I’m pretty far along with it, I could use a checking server
somewhere that actually delved into it a bit.

Does Postfix need anything special - I can’t see anything in the
docs.


Have you assigned an IPv6 address to your server? Is it reachable on that 
address? Can you ping6 e.g. www.google.com from your server?


Take a look at http://www.postfix.org/postconf.5.html#inet_protocols

Please share your postconf -n



Thanks
Robert



--
 Christian Kivalo


RE: Need clarification of lookup table result values

2016-05-29 Thread Christian Kivalo

On 2016-05-29 06:34, Michael Fox wrote:

What is a valid result depends on what the result is used for: an
access table expects results as described in the access(5) manpage,
a virtual aliases table expects  the results as described in the
virtual(5) manpage, a transport table expects results as described
in the transport(5) manpage, a the local aliases table expects
results as described in the aliases(5) manpage. You get the idea.


Generally speaking, yes.  But it's not so clear (to me) when applying to a
specific case, like postscreen_access.



> 2)  Is there a difference between "OK" and "permit"?  If so, what?
> 3)  When can/should text follow the "reject"

Those things are described in the access(5) manpage.


Hmmm ... I don't see it.

The access(5) manpage lists many valid result formats, including OK.
Regarding OK and permit, it says:

OK Accept the address etc. that matches the pattern.

... and then the only mention of permit is:

restriction...
  Apply the named UCE restriction(s) (permit, reject,
  reject_unauth_destination, and so on).


So I don't see the answer.  In fact, OK doesn't seem to make sense for
postscreen_access.  After all, OK what?  OK blacklist the address?  OK
whitelist the address?


Take a look at this 
http://www.postfix.org/postconf.5.html#postscreen_access_list



I realize the difficulty of documenting something that's so infinitely
flexible.  But without saying more explicitly what's allowed and what's not,
there's just too much indirection (for me) to follow.

So, back to my original question ... for postscreen_access.cidr:
-- what would be the difference in behavior between using "OK" vs. "permit"?

-- when can/should text follow the reject?

Also, I can't find anywhere that says if the case matters.  Is "PERMIT"
equivalent to "permit"?

Thanks,
Michael


--
 Christian Kivalo


Re: Blocking email from specific IPs

2016-05-14 Thread Christian Kivalo



On 2016-05-14 21:27, Viktor Dukhovni wrote:
On May 14, 2016, at 3:21 PM, Christian Kivalo 
<ml+postfix-us...@valo.at> wrote:



smtpd_recipient_restrictions =
...
 check_client_access hash:/etc/postfix/client_checks,
...
$ cat /etc/postfix/client_checks
...
138.185.116.0/24  REJECT


This looks correct.


And yet it is wrong, look closely.

Thanks, missed it.

The access(5) manpage has an example for this
1.2.3   REJECT

The client_checks file should then be like
138.185.116   REJECT

For IP address ranges probably better use a cidr_table(5).

Still: logs showing it not working are highly welcome.

--
 Christian Kivalo


Re: Blocking email from specific IPs

2016-05-14 Thread Christian Kivalo



On 2016-05-14 19:37, Noah wrote:

Hi there,

I am hoping to have a blacklist file that stops postfix from accepting
email from specific IP or IP ranges.

I follow this tutorial and it does not working.  I still receive email
from the IP addresses in the range:

http://www.linuxlasse.net/linux/howtos/Blacklist_and_Whitelist_with_Postfix

Is there an option out there that actually works?

From my main.cf:
smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_client_access hash:/etc/postfix/client_checks,
 check_policy_service inet:127.0.0.1:10023


www-virt 17:34:12 /var/log $ cat /etc/postfix/client_checks
# Restricts which clients this system accepts SMTP connections from.

example.com   REJECT No spammers
.example.com  REJECT No spammers, from your subdomain
138.185.116.0/24  REJECT


This looks correct.
You did postmap the client_checks file? You did a postfix reload?
Provide logs that show it's used / not working and the postconf -n output.

How did you check it's working/not working?


Cheers,

Noah


--
 Christian Kivalo
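An added example (not Postfix code) serving both the restriction-order answer in the Open relay thread above and the client_checks table in this one: it generates the lookup keys access(5) derives from a client's hostname and IPv4 address, which shows why a `138.185.116.0/24` key in a hash table never matches while `138.185.116` or a cidr_table(5) entry does, and walks a restriction list with first-decision-wins semantics. Tables, restriction list and client records are constructed from the thread; IPv6 and the other restriction types are left out.

```python
import ipaddress

# Constructed tables modelled on the thread. The first uses a CIDR key, which
# access(5) never generates as a lookup key for a hash table; the second uses
# the prefix form the manpage shows ("1.2.3  REJECT").
NOAH_TABLE = {
    "example.com": "REJECT No spammers",
    ".example.com": "REJECT No spammers, from your subdomain",
    "138.185.116.0/24": "REJECT",
}
FIXED_TABLE = dict(NOAH_TABLE, **{"138.185.116": "REJECT"})
# The same range for cidr_table(5), the type Christian recommends for ranges.
CIDR_TABLE = [("138.185.116.0/24", "REJECT")]
# Noah's smtpd_recipient_restrictions, check_policy_service omitted.
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination", "check_client_access"]


def client_access_keys(hostname, ip, parent_matches_subdomains=True):
    """Keys smtpd tries, in order, for check_client_access with an indexed
    table, following access(5). smtpd_access_maps is listed in
    parent_domain_matches_subdomains by default, so a bare parent domain
    matches its subdomains and the '.domain' form is not consulted."""
    keys = []
    if hostname and hostname != "unknown":
        labels = hostname.lower().split(".")
        for i in range(len(labels)):
            dom = ".".join(labels[i:])
            if i == 0 or parent_matches_subdomains:
                keys.append(dom)
            else:
                keys.append("." + dom)
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):  # net.work.addr.ess, net.work.addr, ...
        keys.append(".".join(octets[:n]))
    return keys


def hash_lookup(table, hostname, ip):
    """First generated key present in the hash table wins; None = no match."""
    for key in client_access_keys(hostname, ip):
        if key in table:
            return table[key]
    return None


def cidr_lookup(table, ip):
    """cidr_table(5): first entry whose network contains the address wins."""
    addr = ipaddress.ip_address(ip)
    for pattern, action in table:
        if addr in ipaddress.ip_network(pattern, strict=False):
            return action
    return None


def run_restrictions(restrictions, client, mynetworks, my_domains, access):
    """Walk a restriction list the way smtpd does: the first restriction that
    yields a decision ends the evaluation, DUNNO falls through, and reaching
    the end without a decision ("dunno") lets the mail through.
    `access` is a callable(client) -> access(5) action text or None."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if cidr_lookup([(n, "OK") for n in mynetworks], client["ip"]):
                return "permit (mynetworks)"
        elif r == "permit_sasl_authenticated":
            if client.get("sasl"):
                return "permit (sasl)"
        elif r == "reject_unauth_destination":
            if client["rcpt_domain"] not in my_domains:
                return "reject (unauth destination)"
        elif r == "check_client_access":
            action = access(client)
            verb = action.split()[0].upper() if action else ""
            if verb == "REJECT":
                return "reject (client access)"
            if verb in ("OK", "PERMIT"):
                return "permit (client access)"
        elif r == "permit":
            return "permit"
        elif r == "reject":
            return "reject"
    return "dunno"
```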


Re: Goal: Setup transport that runs a header check to strip out specific header for emails from specific source

2016-05-09 Thread Christian Kivalo


On 2016-05-07 19:16, /dev/rob0 wrote:

On Sat, May 07, 2016 at 11:05:07AM +0200, Christian Kivalo wrote:

On 2016-05-07 10:27, Viktor Dukhovni wrote:
>On Sat, May 07, 2016 at 09:59:00AM +0200, Christian Kivalo wrote:
>
>>>Looking at those emails, I see that
>>>calendar-notificat...@google.com is the source address. I added
>>>the entry to my check_sender_access table with an action of
>>>'FILTER strip-automated-headers:'
>>
>>You could probably get it working with a restriction class.
>>
>>check_sender_access hash:/path/to/sender_access
>>
>>smtpd_restriction_classes: strip_automated_headers
>>
>>strip_automated_headers =
>>  header_checks = pcre:/path/to/strip_automated_headers.pcre
>
>No.  This can't work.
>Ok, so I'm wrong. Could you explain why?


Restriction classes are groups of smtpd(8) restrictions.

header_checks(5) is not a smtpd restriction.  In fact it's not even
implemented in smtpd.  See Wietse's reply in this thread.

Thanks, will do.

--
 Christian Kivalo


Re: Goal: Setup transport that runs a header check to strip out specific header for emails from specific source

2016-05-07 Thread Christian Kivalo



On 2016-05-07 10:27, Viktor Dukhovni wrote:

On Sat, May 07, 2016 at 09:59:00AM +0200, Christian Kivalo wrote:


>Looking at those emails, I see that calendar-notificat...@google.com is
>the source address. I added the entry to my check_sender_access table
>with an action of 'FILTER strip-automated-headers:'

You could probably get it working with a restriction class.

check_sender_access hash:/path/to/sender_access

smtpd_restriction_classes: strip_automated_headers

strip_automated_headers =
  header_checks = pcre:/path/to/strip_automated_headers.pcre



No.  This can't work.

Ok, so I'm wrong. Could you explain why?

Thanks
--
 Christian Kivalo


Re: Goal: Setup transport that runs a header check to strip out specific header for emails from specific source

2016-05-07 Thread Christian Kivalo




Since Postfix (2.11) is my MTA and it supports removing headers, I'd
like to have it strip this one. I found that I can include this line in
the same file I use for the other header checks applied to ALL mail:

/^Auto-Submitted:/IGNORE

but then it will affect all mail and I'd rather not do that.

What I'm currently trying to get working is a service entry in 
master.cf

that has its own header checks conf file. This service would only be
used for specific sender addresses in order to limit the header removal
to just those email notifications generated by Google Calendar.

Looking at those emails, I see that calendar-notificat...@google.com is
the source address. I added the entry to my check_sender_access table
with an action of 'FILTER strip-automated-headers:'


You could probably get it working with a restriction class.

check_sender_access hash:/path/to/sender_access


smtpd_restriction_classes: strip_automated_headers

strip_automated_headers =
  header_checks = pcre:/path/to/strip_automated_headers.pcre



sender_access:
calendar-notificat...@google.com   strip_automated_headers


strip_automated_headers.pcre
/^Auto-Submitted:/IGNORE

Haven't gotten around to testing it, though...


http://www.postfix.org/RESTRICTION_CLASS_README.html




Thanks in advance for your help!


--
 Christian Kivalo


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

2016-05-05 Thread Christian Kivalo


On 5 May 2016 18:30:40 CEST, "James B. Byrne" <byrn...@harte-lyne.ca> wrote:
>
>On Thu, May 5, 2016 12:11, Christian Kivalo wrote:
>>
>>
>> On 5 May 2016 17:34:36 CEST, "James B. Byrne" <byrn...@harte-lyne.ca> wrote:
>>>Can anyone clue me in on what configuration issue might be causing
>>>this and whose configuration it is, mine or theirs?
>>>
>>>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>>>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>>><impo...@lymanworldwide.com>: Sender address rejected: Access denied;
>>>from=<impo...@lymanworldwide.com> to=<expo...@harte-lyne.ca>
>>>proto=ESMTP helo=
>>>
>>>
>>># postconf -n
>. . .
>>>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>>>hash:/etc/postfix/sender_access, check_sender_mx_access
>>>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>>>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>>>reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>>
>> What's in these files?

...

># cat /etc/postfix/sender_ns_access
>. . .
># Cannot use OK result in this map, use DUNNO instead.
>#
>colocrossings.com   DEFER
>name-services.com   DEFER
>name-services.net   DEFER


There it is: lymanworldwide.com uses name services provided by name-services.com.

valo@karl:~ $ dig ns lymanworldwide.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> ns lymanworldwide.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lymanworldwide.com.IN  NS

;; ANSWER SECTION:
lymanworldwide.com. 3600IN  NS  dns5.name-services.com.
lymanworldwide.com. 3600IN  NS  dns3.name-services.com.
lymanworldwide.com. 3600IN  NS  dns4.name-services.com.
lymanworldwide.com. 3600IN  NS  dns1.name-services.com.
lymanworldwide.com. 3600IN  NS  dns2.name-services.com.

;; Query time: 179 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 05 18:33:14 CEST 2016
;; MSG SIZE  rcvd: 156


-- 
 Christian Kivalo
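Added example, not code from the list or from Postfix, for this thread and for the client_checks thread above: a small simulator of the access(5) lookup order for IPv4 client addresses and for nameserver hostnames, beside a cidr_table(5) match, showing why 138.185.116.0/24 never matches in a hash: table and why the name-services.com entry catches lymanworldwide.com's nameservers. It assumes IPv4-only keys and the default parent_domain_matches_subdomains setting for smtpd_access_maps; the tables and NS names are constructed from what the two threads quote.

```python
"""Simulate the key matching of Postfix access(5) and cidr_table(5) maps.

Added example, not Postfix code.  It models only the documented lookup
order: an IPv4 client address is tried as net.work.addr.ess, net.work.addr,
net.work and net; a hostname is tried in full and then as each parent
domain (the default when smtpd_access_maps is in
parent_domain_matches_subdomains).  No DNS is consulted: the nameserver
names below are constructed from the dig output quoted in the thread.
"""
import ipaddress


def parse_table(text):
    """Read 'key  action' lines (blank lines and # comments skipped) into an
    ordered list of (key, action) pairs, roughly as postmap(1) does."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0].lower(), parts[1].strip()))
    return entries


def hash_lookup_ip(table, client_ip):
    """Indexed (hash:) lookup of an IPv4 client address.  Only the address
    and its dotted parent networks are ever queried, so a key written as
    138.185.116.0/24 is never generated and therefore never matches."""
    octets = client_ip.split(".")
    for n in range(4, 0, -1):
        action = table.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None


def hash_lookup_domain(table, hostname):
    """Indexed lookup of a hostname: the full name, then each parent domain
    (dns5.name-services.com -> name-services.com -> com)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action
    return None


def cidr_lookup(entries, client_ip):
    """cidr: lookup: entries are tried in file order and the first network
    containing the address wins; a bare address is an implicit /32."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in entries:
        if addr in ipaddress.ip_network(key, strict=False):
            return action
    return None


# The client_checks file as posted in the earlier thread (hash: syntax).
POSTED_CLIENT_CHECKS = """
# Restricts which clients this system accepts SMTP connections from.
example.com       REJECT No spammers
.example.com      REJECT No spammers, from your subdomain
138.185.116.0/24  REJECT
"""
# The corrected hash: entry from the reply: parent network, no prefix.
FIXED_CLIENT_CHECKS = "138.185.116   REJECT\n"
# The same range in a cidr: table, which does understand prefix notation.
CIDR_CLIENT_CHECKS = "138.185.116.0/24   REJECT\n"
# sender_ns_access lines quoted in this thread.
SENDER_NS_ACCESS = """
# Cannot use OK result in this map, use DUNNO instead.
colocrossings.com   DEFER
name-services.com   DEFER
name-services.net   DEFER
"""
# NS hosts of lymanworldwide.com in the order the dig output above lists them.
LYMAN_NS = ["dns%d.name-services.com" % i for i in (5, 3, 4, 1, 2)]


def check_client_access(table_text, client_ip, table_type="hash"):
    """Run one client IP through a hash: or cidr: client access table."""
    entries = parse_table(table_text)
    if table_type == "cidr":
        return cidr_lookup(entries, client_ip)
    return hash_lookup_ip(dict(entries), client_ip)


def check_sender_ns_access(table_text, ns_hosts):
    """Return (nameserver, action) for the first nameserver of the sender
    domain that matches, as check_sender_ns_access would; None otherwise."""
    table = dict(parse_table(table_text))
    for host in ns_hosts:
        action = hash_lookup_domain(table, host)
        if action is not None:
            return host, action
    return None


if __name__ == "__main__":
    ip = "138.185.116.42"
    print("posted hash table:", check_client_access(POSTED_CLIENT_CHECKS, ip))
    print("fixed hash table: ", check_client_access(FIXED_CLIENT_CHECKS, ip))
    print("cidr table:       ", check_client_access(CIDR_CLIENT_CHECKS, ip, "cidr"))
    print("sender NS access: ", check_sender_ns_access(SENDER_NS_ACCESS, LYMAN_NS))
```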


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

2016-05-05 Thread Christian Kivalo


On 5 May 2016 17:34:36 CEST, "James B. Byrne" wrote:
>Can anyone clue me in on what configuration issue might be causing
>this and whose configuration it is, mine or theirs?
>
>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>: Sender address rejected: Access denied;
>from= to=
>proto=ESMTP helo=
>
>
># postconf -n
>alias_maps = hash:/etc/aliases
>broken_sasl_auth_clients = yes
>command_directory = /usr/sbin
>config_directory = /etc/postfix
>content_filter = smtp-amavis:[127.0.0.1]:10024
>daemon_directory = /usr/libexec/postfix
>data_directory = /var/lib/postfix
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>ddd $daemon_directory/$process_name $process_id & sleep 5
>delay_warning_time = 30m
>disable_vrfy_command = yes
>header_checks = regexp:/etc/postfix/header_checks.regexp
>home_mailbox = Maildir/
>html_directory = no
>ignore_mx_lookup_error = no
>inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
>inet_protocols = all
>local_transport = smtp
>mail_spool_directory = /var/spool/mail
>mailman_destination_recipient_limit = 1
>mailq_path = /usr/bin/mailq.postfix
>manpage_directory = /usr/share/man
>message_size_limit = 2048
>milter_default_action = accept
>milter_protocol = 2
>mydestination =
>mynetworks = 216.185.71.0/26, 127.0.0.0/8
>newaliases_path = /usr/bin/newaliases.postfix
>non_smtpd_milters = $smtpd_milters
>policyd-spf_time_limit = 3600
>queue_minfree = 4096
>rbl_reply_maps = hash:/etc/postfix/rbl_reply
>readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
>recipient_delimiter = +
>relay_clientcerts = hash:/etc/postfix/relay_clientcerts
>relay_domains = hash:/etc/postfix/relay_domains
>sample_directory = /usr/share/doc/postfix-2.11.1/samples
>sendmail_path = /usr/sbin/sendmail.postfix
>setgid_group = postdrop
>smtp_dns_support_level = dnssec
>smtp_host_lookup = dns
>smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
>smtp_tls_ciphers = medium
>smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
>IDEA, RC2, RC5
>smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
>smtp_tls_protocols = !SSLv2, !SSLv3
>smtp_tls_security_level = dane
>smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
>smtp_tls_session_cache_timeout = 3600s
>smtpd_client_restrictions = permit
>smtpd_data_restrictions = permit_mynetworks,
>reject_multi_recipient_bounce, reject_unauth_pipelining, permit
>smtpd_helo_required = yes
>smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
>reject_unknown_helo_hostname, permit
>smtpd_milters = inet:127.0.0.1:8891
>smtpd_proxy_timeout = 300s
>smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>reject_unknown_recipient_domain, permit_mynetworks,
>permit_sasl_authenticated, reject_unauth_destination,
>reject_unauth_pipelining, check_policy_service
>unix:/var/spool/postfix/postgrey/socket, check_policy_service
>unix:private/policyd-spf, permit
>smtpd_relay_restrictions = permit_mynetworks,
>permit_sasl_authenticated, defer_unauth_destination
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_path = smtpd
>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>hash:/etc/postfix/sender_access, check_sender_mx_access
>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>reject_non_fqdn_sender, reject_unknown_sender_domain, permit

What's in these files?

>smtpd_starttls_timeout = ${stress?10}${stress:120}s
>smtpd_timeout = ${stress?10}${stress:120}s
>smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtpd_tls_ask_ccert = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
>smtpd_tls_ciphers = medium
>smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>smtpd_tls_fingerprint_digest = sha1
>smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
>smtpd_tls_protocols = !SSLv2, !SSLv3
>smtpd_tls_received_header = yes
>smtpd_tls_security_level = may
>smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>smtpd_tls_session_cache_timeout = 3600s
>soft_bounce = no
>strict_rfc821_envelopes = yes
>tls_random_source = dev:/dev/urandom
>transport_maps = hash:/etc/postfix/transport
>unknown_local_recipient_reject_code = 550
>virtual_alias_maps = hash:/etc/postfix/virtual,
>regexp:/etc/postfix/virtual.regexp



Re: Policyd-spf and RBL white listing

2016-04-19 Thread Christian Kivalo

On 2016-04-19 08:52, li...@lazygranch.com wrote:

From what I can tell, if you whitelist a domain, the policyd-spf check
is skipped. Now I white listed domains to stop the RBL from blocking
them, but it would be nice to see if SPF passes.

Am I right about the SPF being skipped?

While I'm at it, can you whitelist specific users at a domain, that is
the full email address, or only the domain itself.


You could move your RBL excludes to a restriction class

smtpd_restriction_classes = rbl_exclude1, rbl_exclude2, ...

rbl_exclude1 =
  check_client_access pcre:rbl_exclude1.pcre,
  reject_rbl_client zen.spamhaus.org,

smtpd_recipient_restrictions =

  ...

  rbl_exclude1,
  ...

See also http://www.postfix.org/RESTRICTION_CLASS_README.html

--
 Christian Kivalo


Re: NEWSFLASH: DANE TLSA records published for web.de!

2016-04-15 Thread Christian Kivalo


>> There are 165 "postfix-users" subscriber domains that have MX
>> records and MX hosts in DNSSEC signed zones.  You've done the hard
>> part of deploying DNSSEC, deploying DANE TLSA for email is
>> comparatively simple.
>
>One would think so, but: I asked my main domain provider
>domaindiscount24 
>which introduced DNSSEC last year when they will offer TLSA, DS and
>SSHFP 
>records also. Their answer: Currently the requested features aren't 
>available and we can make no statement if and when they will be
>available.
>
>Actually I don't understand this. They did the major task of
>implementing 
>DNSSEC and aren't able to offer the 3 most important DNS types to
>actually 
>get a benefit from DNSSEC.

You could still just switch to a provider that offers what you need and tell 
them why. That takes some time and effort but it's worth it.
Probably won't change much but you get the features you want.
I did that some time ago, my former provider still hasn't changed anything but 
I don't care anymore.

-- 
Christian



Re: Thousands of login attempts

2016-03-21 Thread Christian Kivalo


On 21 March 2016 00:59:36 CET, "@lbutlr" <krem...@kreme.com> wrote:
>On Sun Mar 20 2016 16:01:44 Christian Kivalo   <ml+postfix-us...@valo.at>
>said:
>> 
>>>> One minor comment: I would not even offer AUTH on port 25.
>>> 
>>> I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>>> submission have to be on port 587.
>> 
>> You do.
>
>Oh, that is right, I forgot I had to enable that temporarily for
>someone. I think temporarily has passed.
>
>Port 25 shouldn’t even allow STARTTLS, IIRC.
I don't agree. Offering opportunistic TLS on port 25 gives the sending party the choice to use the encrypted channel. There is no harm in offering STARTTLS on port 25.

-- Christian


Re: Thousands of login attempts

2016-03-20 Thread Christian Kivalo
>> One minor comment: I would not even offer AUTH on port 25.
>
>I don’t. I offer opportunistic TLS on port 25 for SMTPd. All mail
>submission have to be on port 587.

You do.

valo@uschi:~ $ telnet mail.covisp.net 25
Trying 65.121.55.42...
Connected to mail.covisp.net.
Escape character is '^]'.
220-mail.covisp.net ESTMP -- Please wait
220 mail.covisp.net ESMTP Postfix 3.0.3
ehlo test.local.host
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

See the two lines offering auth on port 25. You should disable auth on port 25.

-- 
Christian


Re: Postfix message_size_limit

2016-03-19 Thread Christian Kivalo


On 19 March 2016 20:22:13 CET, Daniel Wasilewski wrote:
>Hi,
>
>To begin with, this is my first email on the mailing list, so if I do
>something wrong please forgive me.
>
>Can somebody explain why postfix is still using default values?
>
>root@vps1:~# postconf -e mailbox_size_limit=0
>root@vps1:~# postconf -e message_size_limit=0
>root@vps1:~# /etc/init.d/postfix restart
>[ ok ] Stopping Postfix Mail Transport Agent: postfix.
>[ ok ] Starting Postfix Mail Transport Agent: postfix.
>root@vps1:~# postconf -d | grep size_limit
>body_checks_size_limit = 51200
>bounce_size_limit = 5
>header_size_limit = 102400
>mailbox_size_limit = 5120
>message_size_limit = 1024
See man postconf.
postconf -d shows postfix default values instead of the actual configured values.

>root@vps1:~# postconf -n | grep size_limit
>mailbox_size_limit = 0
>message_size_limit = 0
Those are your configured values and should be in use by postfix.
You can check when you connect to port 25; the message size is advertised after helo.

>root@vps1:~#
>
>Best regards
>Daniel
-- 
Christian
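Added example, not code from the list or from Postfix, for the two posts above (AUTH visible in the port 25 EHLO reply, and the message size advertised after the greeting): a parser for an EHLO reply plus a short audit that flags AUTH on port 25, a missing STARTTLS, and the advertised SIZE. The captured reply is constructed from the telnet session quoted in the thread; audit_server() is the only function that opens a network connection and is meant for a server you operate yourself, with a hypothetical EHLO name.

```python
"""Audit what an SMTP server advertises in its EHLO reply.

Added example, not list or Postfix code.  CAPTURED_EHLO_REPLY is
constructed from the telnet session quoted in the thread so that the
parser can be exercised offline; audit_server() talks to a real server
and returns the same shape of result.
"""
import smtplib

# Constructed from the quoted telnet session: the server's EHLO reply only.
CAPTURED_EHLO_REPLY = """\
250-mail.covisp.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Map each advertised extension (upper-cased) to its parameter string.

    The first 250 line carries the server name and is skipped.  The reply
    lists AUTH twice, as '250-AUTH PLAIN LOGIN' and in the old
    '250-AUTH=PLAIN LOGIN' spelling kept for broken clients; both fold into
    the 'AUTH' key and the first occurrence wins.  Lines without a 250
    code (banner, client commands, 221) are ignored."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln[:3] == "250"]
    for line in lines[1:]:
        body = line[4:].strip()            # drop the '250-' / '250 ' prefix
        head = body.split(" ", 1)[0]
        sep = "=" if "=" in head else " "  # 'AUTH=PLAIN LOGIN' vs 'SIZE 123'
        name, _, params = body.partition(sep)
        extensions.setdefault(name.upper(), params.strip())
    return extensions


def findings(extensions, port):
    """Observations an operator would act on, as plain strings."""
    notes = []
    if port == 25 and "AUTH" in extensions:
        notes.append("AUTH advertised on port 25 (mechanisms: %s); "
                     "submission belongs on 587/465, keep SASL off on 25"
                     % extensions["AUTH"])
    if "STARTTLS" not in extensions:
        notes.append("STARTTLS not advertised; opportunistic TLS impossible")
    if "SIZE" in extensions:
        size = extensions["SIZE"]
        if size:
            notes.append("SIZE %s bytes advertised as the message limit" % size)
        else:
            # RFC 1870 allows SIZE without a value: no fixed maximum disclosed.
            notes.append("SIZE advertised without a value")
    return notes


def audit_server(host, port=25, timeout=10):
    """Connect, let smtplib send EHLO, and return the extension map in the
    same shape parse_ehlo() produces (smtplib keeps lower-case keys)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo("audit.example.invalid")   # hypothetical EHLO hostname
        return {k.upper(): v.strip() for k, v in conn.esmtp_features.items()}


if __name__ == "__main__":
    for note in findings(parse_ehlo(CAPTURED_EHLO_REPLY), 25):
        print(note)
```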


Re: Postifix 2.11.3 sends some mails (not spam) to postmater@

2016-03-19 Thread Christian Kivalo


On 17 March 2016 14:34:32 CET, Josef Karliak wrote:
>  Hi,
>  I found that only emails with "dmarc=fail" in the headers are sent to
>postmaster - as it is defined in our dmarc record, but that should be
>statistics, not emails...
>  Thanks and best regards
>  J.K.

Do they fail DMARC at your server when you receive them, or are these mails 
received from an external source? Headers showing your findings would help.

You specified a ruf= recipient address, and that requests forensic reports when 
mails fail DMARC. How much content you receive for failed messages depends 
mostly on settings in the checking server.

-- 
Christian


Re: How can I block this user...

2016-03-04 Thread Christian Kivalo
l-mailbox-domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps =
mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

thanks

Robert Chalmers


--
 Christian Kivalo


Re: SOLVED: Re: mail sent via sendmail is queued and delayed for approx. 300 seconds

2016-03-03 Thread Christian Kivalo

On 2016-03-03 11:31, Dietrich Streifert wrote:

And here is the solution:

I had to explicitly tell the smtp proxy to NOT use tls by specifying

-o smtpd_use_tls=no
-o smtp_use_tls=no
-o smtpd_tls_security_level=none
-o smtp_tls_security_level=none

where it seems that simply setting smtpd_use_tls and smtp_use_tls to
no was not enough! The additional smtp_tls_security_level set to
"none" was also necessary


The options smtpd/smtp_use_tls are obsolete and smtpd/smtp_tls_security_level should be used instead. You can remove the smtpd/smtp_use_tls option from both main.cf and master.cf and it should be good.


Take a look at the documentation
From http://www.postfix.org/postconf.5.html#smtp_tls_security_level
- smtp_tls_security_level
The default SMTP TLS security level for the Postfix SMTP client; when a 
non-empty value is specified, this overrides the obsolete parameters 
smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.

-

From http://www.postfix.org/postconf.5.html#smtpd_tls_security_level
- smtpd_tls_security_level
The SMTP TLS security level for the Postfix SMTP server; when a 
non-empty value is specified, this overrides the obsolete parameters 
smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with 
"smtpd_tls_wrappermode = yes".

-


Thank you for your patience and help!

Regards
Dietrich


--
 Christian Kivalo


Re: Postfix Mailman integration

2016-02-29 Thread Christian Kivalo

On 2016-02-29 08:43, Ruben Safir wrote:
Can I have input about this recommendation?  Is there unreasonable 
security

risk?  I think not, but I want to double check


That looks sensible. It is close to the configuration I use for my mailman installation.


You should not do rbl checks on the mailman -> postfix reinject.
Do that when you accept mail from external sources via port 25, e.g. in postscreen and afterwards.


To have mailman reinject on an extra port on localhost is how it should be done.

On 02/28/2016 10:51 PM, Ruben Safir wrote:

On 02/29/2016 01:34 AM, Mark Sapiro wrote:

I think we can fix your issue fairly simply.

Please, as I asked in my reply at
<https://mail.python.org/pipermail/mailman-users/2016-February/080524.html>,
post the output from 'postconf -n' and the contents of mm_cfg.py.



Sorry, I got mixed up.  It's just probably the frustration.  Everyone
uses mailman, I don't know why I'm so stupid





smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/helo_client_exceptions check_sender_access
hash:/etc/postfix/sender_checks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit_mynetworks,
reject_unauth_destination, permit_mynetworks, 
reject_unauth_destination,

reject_invalid_hostname, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
reject_rbl_client cbl.abuseat.org, permit



This is almost certainly your problem. All those checks take time,
especially if DNS is slow. If you send a message from a client and
Postfix takes 5 seconds to accept it, it's no big deal. If Mailman 
sends

to 10 or 20 recipients, and it takes Postfix a minute to respond, it
still may be no big deal unless another two posts arrive in that minute
, and so on until you have a big backlog.

I suggest that if you really want all those checks, that you set up a
separate port for Mailman to send to without all those rbl lookups and
recipient domain lookups. See below.



vim /usr/lib/mailman/Mailman/mm_cfg.py

###
# Here's where we get the distributed defaults.

from Defaults import *

##
# Put YOUR site-specific settings below this line.
DEFAULT_URL_PATTERN = 'http://%s/mailman/'
DEFAULT_NNTP_HOST = 'www.mrbrklyn.com'
DEFAULT_EMAIL_HOST = 'nylxs.com'
DEFAULT_URL_HOST = 'www.nylxs.com'
MTA = 'Postfix'
POSTFIX_ALIAS_CMD = '/usr/sbin/postalias'
POSTFIX_MAP_CMD = '/usr/sbin/postmap'
DELIVERY_MODULE = 'SMTPDirect'
SMTPHOST = 'mrbrklyn.com'
SMTPPORT = '25'



Here's where I'm suggesting changes. Pick a port, say 8000, although it
could be anything that doesn't conflict.

Then change the above to

SMTPHOST = '127.0.0.1'
SMTPPORT = 8000

(don't quote the port - it's a number, not a string)

Also, while you're at it I suggest adding

VERP_PASSWORD_REMINDERS = Yes
VERP_PERSONALIZED_DELIVERIES = Yes
VERP_DELIVERY_INTERVAL = 1

for more reliable bounce processing.

But, see below for changes to Postfix master.cf that you must make 
first.



add_virtualhost(DEFAULT_URL_HOST, DEFAULT_EMAIL_HOST)
add_virtualhost('lists.mrbrklyn.com', 'mrbrklyn.com')
IMAGE_LOGOS = '/mailmanicons/'



There is another one in apache:
I don't know if it is being used.
vim /usr/local/apache/conf/mailman/Mailman/mm_cfg.py


No, that shouldn't be used.


In Postfix master.cf add the following stanza

127.0.0.1:8000  inet  n   -   -   --  smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o mynetworks=127.0.0.0/8
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_data_restrictions=

Make this addition to Postfix master.cf and reload Postfix. Only after
you've done that and Postfix is listening on the loopback interface 
port

8000, make the changes to mm_cfg.py and restart Mailman.

--
Mark Sapiro <m...@msapiro.net>The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan


--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013


--
 Christian Kivalo


Re: A bug, maybe?

2016-02-20 Thread Christian Kivalo

On 2016-02-20 16:45, Curtis Maurand wrote:

Not sure if I found something or not.  A client tried to send email
to one of my other addresses.  The requisite portion of the main.cf
follows at the end of the message.  The logs are telling me:

Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: warning: hostname
delivery.mailspamprotection.com does not resolve to address
108.163.243.188
Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: connect from
unknown[108.163.243.188]
Feb 19 16:30:29 ispconfig postfix/smtpd[18437]: NOQUEUE: reject: RCPT
from unknown[108.163.243.188]: 450 4.7.1 Client host rejected: cannot
find your hostname, [108.163.243.188];
from=<edi...@whiteeaglenews.com> to=<cmaur...@xyonet.com> proto=ESMTP
helo=


Have you had dns lookup problems? This is a temporary error and the client should retry delivery.



Feb 19 16:30:30 ispconfig postfix/smtpd[18437]: disconnect from
unknown[108.163.243.188]

deliver.mailspamprotection.com resolves to a lot of addresses (and
this is a partial list):

dig delivery.mailspamprotection.com |grep 108.163.243
delivery.mailspamprotection.com. 30 IN  A   108.163.243.188
delivery.mailspamprotection.com. 30 IN  A   108.163.243.187
delivery.mailspamprotection.com. 30 IN  A   108.163.243.189
delivery.mailspamprotection.com. 30 IN  A   108.163.243.190
delivery.mailspamprotection.com. 30 IN  A   108.163.243.186

and

;188.243.163.108.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:
188.243.163.108.in-addr.arpa. 3600 IN   PTR
delivery.mailspamprotection.com.

given such a round robin setup, does postfix account for this when
performing its hostname lookup?  This email should not have been
rejected for any kind of ip mismatch.  Forward, reverse and helo all
match.

Thanks,
Curtis

smtpd_sender_restrictions =
  check_sender_access regexp:/etc/postfix/tag_as_originating.re
  permit_mynetworks,
  permit_sasl_authenticated,
  check_recipient_access
mysql:/etc/postfix/mysql-virtual_recipient.cf,
  check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
regexp:/etc/postfix/tag_as_foreign.re
  reject_invalid_hostname,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client b.barracudacentral.org

smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_client_access
  mysql:/etc/postfix/mysql-virtual_client.cf,
  reject_unknown_client,
This restriction causes the reject; see 
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname


reject_unknown_client_hostname (with Postfix < 2.3: 
reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails, 2) 
the name->address mapping fails, or 3) the name->address mapping does 
not match the client IP address.
This is a stronger restriction than the 
reject_unknown_reverse_client_hostname feature, which triggers only 
under condition 1) above.
The unknown_client_reject_code parameter specifies the response code for 
rejected requests (default: 450). The reply is always 450 in case the 
address->name or name->address lookup failed due to a temporary problem.


reject_unknown_reverse_client_hostname is considered the safer alternative, but in your case maybe removing it altogether allows more legitimate mail through.



  reject_invalid_hostname,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unauth_pipelining,
  reject_unauth_destination,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client b.barracudacentral.org

--
Curtis Maurand
cur...@maurand.com
207-252-7748


--
 Christian Kivalo


Re: Suppress logs for monitor connections

2016-02-19 Thread Christian Kivalo


On 19 February 2016 20:32:20 CET, Ray Dzek wrote:
>We are load balancing our Postfix servers and as part of that there is
>a connection test to ensure the services are running. So the logs fill
>with connection checks. Is there a way to suppress those connections
>from the logs?
Create a filter in your syslog daemon to remove your monitoring checks from the log stream.

>Thanks in advance,
>
>Ray
-- 
 Christian


Re: Can't get mynetworks to match a specific host

2016-02-15 Thread Christian Kivalo

On 2016-02-14 16:39, Michael Sperber wrote:
I'm trying to set up a mail relay for a specific host with Postfix, 
with

little success:

I've got this:

mynetworks = 88.198.58.179/32 127.0.0.0/8 134.2.186.48/32
u-186-ls048.wi50.uni-tuebingen.de
Hostnames in mynetworks are prone to errors when you have dns lookup 
problems. Using the IP address of the sending system is preferred.


88.x is the local host, 134.x is the host I'm trying to set up the
relay for, as is the host name.

(First question: Where exactly do I put permit_mynetworks?  I tried
smtpd_client_restrictions and smtpd_recipient_restrictions, similarly 
to

no avail.)

Please show postconf -n output.

Show logging of it not working / mail being blocked.



Whatever I do, I get this:

Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
generic_checks: name=permit_mynetworks
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
permit_mynetworks: u-186-ls048.wi50.uni-tuebingen.de 134.2.186.48
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 88.198.58.179/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_hostaddr: 134.2.186.48 ~? 88.198.58.179/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 127.0.0.0/8
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_hostaddr: 134.2.186.48 ~? 127.0.0.0/8
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 134.2.186.48/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_hostaddr: 134.2.186.48 ~? 134.2.186.48/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
match_list_match: permit_mynetworks: no match
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
generic_checks: name=permit_mynetworks status=1

Why is there no match?

Any help would be much appreciated!
You are showing logs from the submission service, there could be overrides in place. Show the configuration from master.cf.


Take a look at http://www.postfix.org/DEBUG_README.html#mail this should clarify what is helpful to others when asking on the mailinglist.


--
 Christian Kivalo


Re: Clarification - How can/could I redirect based upon sender.

2016-02-14 Thread Christian Kivalo


On 13 February 2016 06:30:30 CET, "John A @ KLaM" wrote:
>
>> On 13 February 2016 00:05:53 CET, John wrote:
>>>Is it possible to redirect mail based upon sender.
>>
>> What about sender_bcc_maps
>> http://www.postfix.org/postconf.5.html#sender_bcc_maps ?
>>
>>>
>>>I need to redirect email from j...@example.com which would normally
>be
>>>sent
>>>to some...@klam.com to legal@our_lawyers.com and/or ab...@klam.com.
>>>
>>>I would like to just block them but they may be needed!
>>>
>>>Thanks
>>>John A
>> - Christian
>>
>I want to redirect incoming mail.
>
>One of our users is having trouble with an abusive ex. we want to
>redirect 
>any mail from him to either or both her lawyer and abuse@...
>The redirect to abuse is to archive in case of legal action.
>
>Any help appreciated.
Take a look at this thread from a few days ago
http://marc.info/?l=postfix-users=145517108614652=2
That was also a question about sender-dependent mail redirect and uses sender_bcc_maps and virtual aliases.

- Christian


Re: Outbound TLS

2016-02-13 Thread Christian Kivalo


On 13 February 2016 11:10:25 CET, Joy wrote:
>May I know how I can force postfix to use TLS to connect to a remote server
>if the remote MTA advertises STARTTLS on port 25?
>
>I am already using TLS and connecting from outlook is working perfectly,
>but when sending mail to google it now says TLS fails.
Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all necessary information.

At least postconf -n / postconf -Mf and log output of the tls fail to google

- Christian



Re: How can/could I redirect based upon sender.

2016-02-12 Thread Christian Kivalo


On 13 February 2016 00:05:53 CET, John wrote:
>Is it possible to redirect mail based upon sender.

What about sender_bcc_maps
http://www.postfix.org/postconf.5.html#sender_bcc_maps ?

>
>I need to redirect email from j...@example.com which would normally be
>sent 
>to some...@klam.com to legal@our_lawyers.com and/or ab...@klam.com.
>
>I would like to just block them but they may be needed!
>
>Thanks
>John A
- Christian



Re: Client Certificate Authentication for Auth Only

2016-02-01 Thread Christian Kivalo

On 2016-02-01 19:39, Haravikk wrote:

Hi there,

Hi,

I’m trying to configure client certificate authentication such that it
is only required for users (with valid username/password) when sending
e-mail *from* my mail server.

Where do you set it?

However, setting smtpd_tls_req_ccert = yes causes postfix to request a
certificate from all incoming connections, including mail servers that
are attempting to deliver mail.

Is there a way to enable client certificates only for auth
connections? I’ve already set smtpd_tls_auth_only = yes, but I’m not
sure how to enable client certificates only for senders, without
causing incoming messages to also be blocked.
When you set it in master.cf only for the submission service it's only required for clients connecting to port 587.

Connections to port 25 are not required to present a client cert.


Thanks,
Haravikk


--
Christian


Re: postfix installation and make error (ATTENTION: Unknown system type)

2016-01-22 Thread Christian Kivalo

On 2016-01-22 10:44, timos wrote:
I'm new to Postfix. I tried to compile postfix-2.11.3 but ran into an 
error

and failed with following message:

Why don't you compile postfix 3.x?

make -f Makefile.in MAKELEVEL= Makefiles
(echo "# Do not edit -- this file documents how Postfix was built for 
your

machine."; /bin/sh makedefs) >makedefs.tmp
ATTENTION:
ATTENTION: Unknown system type: Linux 4.1.13-19.31.amzn1.x86_64
ATTENTION:
make: *** [Makefiles] Error 1
make: *** [Makefiles] Error 2

I've gone through all possible solutions but can't figure out any!
 ... any help or fix is appreciated. :(
Thank you
See http://marc.info/?l=postfix-users=142744304401645=2 for the 
question
and http://marc.info/?l=postfix-users=143006758311432=2 for the 
answer


--
Christian


Re: Postfix Postscreen Pregreet Test

2016-01-22 Thread Christian Kivalo


On 23 January 2016 04:30:02 MEZ, Nguyen Nang Thang wrote:
>- Original Message -
>> From: "Wietse Venema" 
>> To: "Postfix users" 
>> Sent: Saturday, January 23, 2016 9:57:40 AM
>> Subject: Re: Postfix Postscreen Pregreet Test
>
>> Nguyen Nang Thang:
>>> > Postfix sends:
>>> > 
>>> >   220-myhostname ESMTP
>>> > 
>>> > Postfix waits $postscreen_greet_wait seconds.
>>> > Bad SMTP clients will greet before $postscreen_greet_wait seconds
>>> > have passed.
>>> > 
>>> >   220 myhostname ESMTP
>>> > 
>>> > Good SMTP clients will greet now.
>>> 
>>> Wietse:
>>> Thanks for your detailed explain. Can you suggest me technical ways
>to manually
>>> test Bad SMTP clients
>>> that greet before $postscreen_greet_wait seconds have passed?
>> 
>> echo whatever | nc host 25
> 
>Wietse:
>I dit my test as below:
># nc localhost 25 < /tmp/postscreen-greet-wait.txt
>The output:
>220 gw.mydomain.com ESMTP Postfix (2.10.1)
>250 2.1.0 Ok
>250 2.1.5 Ok
>354 End data with .
>250 2.0.0 Ok: queued as 35CA025E69
>
>The postfix/postcreeen log does not show info "PREGREET count after
>time from [address]:port text...",
>test message delivered normally (expect: test message prevented by
>postscreen).
>So, is there another way to quickly make smtp connection via "nc" or
>another tool to test the parameter
>"postscreen_greet_wait"?
Do this test from a different device. You probably have localhost in mynetworks 
and have configured 
> postscreen_access_list = permit_mynetworks,
> cidr:/etc/postfix/postscreen_access.cidr

>Thanks.
>
>Regards,
>N. Thang
-- 
Christian
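The greet-wait mechanism Wietse describes in the quoted text, as an added simulation (not Postfix or postscreen code): a tiny fake SMTP server sends the first banner line, waits a short time the way postscreen waits $postscreen_greet_wait, and records a PREGREET if the client talks before the final "220 " line is sent. Two constructed clients connect to it, one that waits for the complete greeting and one that speaks immediately. The hostnames and the 0.3-second wait are assumptions chosen so the demonstration runs quickly offline.

```python
"""Simulation of postscreen's pregreet test (added example, not Postfix code)."""
import select
import socket
import threading

GREET_WAIT = 0.3                   # seconds; stands in for $postscreen_greet_wait
BANNER_HOST = b"mail.example.test"  # constructed hostname


def greet_and_watch(conn, greet_wait=GREET_WAIT):
    """Server side: send the multi-line banner and watch for early talkers."""
    result = {"pregreet": False, "pregreet_text": b""}
    conn.sendall(b"220-" + BANNER_HOST + b" ESMTP\r\n")
    # Anything readable before greet_wait expires is a PREGREET: a proper
    # SMTP client must stay silent until it has seen the final "220 " line.
    readable, _, _ = select.select([conn], [], [], greet_wait)
    if readable:
        data = conn.recv(1024)
        if data:
            result["pregreet"] = True
            result["pregreet_text"] = data
    conn.sendall(b"220 " + BANNER_HOST + b" ESMTP\r\n")
    # Real postscreen hands a good client to smtpd; here we read one
    # command (if any) and close.
    conn.settimeout(1.0)
    try:
        conn.recv(1024)
    except socket.timeout:
        pass
    conn.close()
    return result


def good_client(sock):
    """Reads until the final '220 ' banner line arrives, then speaks."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
        if any(line.startswith(b"220 ") for line in buf.split(b"\r\n")):
            break
    sock.sendall(b"QUIT\r\n")


def impatient_client(sock):
    """Sends its greeting without waiting for the banner to finish."""
    sock.sendall(b"EHLO bot.example.test\r\n")
    sock.settimeout(1.0)
    try:
        while sock.recv(1024):
            pass
    except socket.timeout:
        pass


def run_scenario(client_fn):
    """Start a one-shot server on 127.0.0.1, run client_fn against it,
    and return the server's verdict for that single connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    verdict = {}

    def serve():
        conn, _ = srv.accept()
        verdict.update(greet_and_watch(conn))

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.create_connection(srv.getsockname())
    try:
        client_fn(cli)
    finally:
        cli.close()
    t.join()
    srv.close()
    return verdict


if __name__ == "__main__":
    print("well-behaved client ->", run_scenario(good_client))
    print("impatient client    ->", run_scenario(impatient_client))
```

Running the impatient client against a real postscreen from a host listed in mynetworks would, as the reply says, be whitelisted before the test ever ran; the simulation has no whitelist, so it always performs the check.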



Re: body_checks with postscreen. Test works at blocking, but 'real mail' slips through?

2016-01-18 Thread Christian Kivalo

Save the message to a file. And test like this:

% postmap -q - pcre:/etc/postfix/body_checks.pcre 

So does this.

 cat << EOF > /tmp/testfile
 TEST BAD CONTENT
 EOF
 postmap -q - pcre:/etc/postfix/body_checks.pcre

You could use the message file from your IMAP server or look at the raw 
message in your mail program and save that to a file...

Thanks,

Billy


Christian


Re: Postfix 3.0 also introduces inline:

2015-11-17 Thread Christian Kivalo



On 2015-11-17 12:08, Postfix User wrote:
Okay, I suppose I don't pay as close attention to release announcements 
as I should. I noticed this in another post recently:

Postfix 3.0 also introduces inline: tables whose keys and values are 
stored inside main.cf

I did not see any documentation on the Postfix site for that. Am I just
blind, or is it documented somewhere there?


First try: http://www.postfix.org/DATABASE_README.html#types


Thanks!


- christian


RE: rejecting email from specific domains

2015-11-16 Thread Christian Kivalo


On 17 November 2015 06:31:23 MEZ, Chris Boylan wrote:
>So if I build a one line /etc/postfix/access with
>.xyz   REJECT
>
>and use smtpd_sender_restrictions=check_sender_access 
>

You have to add the path to the access map, e.g. you postmap the 
/etc/postfix/access file and add hash:/etc/postfix/access after 
check_sender_access

>That seems from the documentation like it would reject all email from
>.XYZ.
>Is this a reasonable approach?
>


Regards
C

>
>-Original Message-
>From: owner-postfix-us...@postfix.org
>[mailto:owner-postfix-us...@postfix.org]
>On Behalf Of Viktor Dukhovni
>Sent: Monday, November 16, 2015 22:55
>To: postfix-users@postfix.org
>Subject: Re: rejecting email from specific domains
>
>On Mon, Nov 16, 2015 at 10:38:07PM -0600, Chris Boylan wrote:
>
>> I think I'd like to key off the from information and block anything,
>for
>> example, that self-identifies as being from a sender in .xyz domain.
>
>The ".xyz" domain is a real TLD, for a generic example use ".example"
>or "example.com", ...
>
>> Would appreciate being pointed in the right direction as I'm just
>drawing a
>> blank.
>
>http://www.postfix.org/SMTPD_ACCESS_README.html#lists
>http://www.postfix.org/access.5.html
>http://www.postfix.org/BUILTIN_FILTER_README.html
>
>Envelope senders are blocked with:
>
>http://www.postfix.org/postconf.5.html#check_sender_access
>
>Header senders can be blocked with header_checks(5), but this does
>not always give good results, because regular expressions in headers
>don't really parse the header particularly well and are difficult
>to craft.  I don't recommend header_checks(5) for blocking by header
>sender address.
>
>If you can find a "Sieve" milter, it will make it much
>easier to construct rules on header addresses.



Re: Weak Ciphers

2015-11-08 Thread Christian Kivalo

Hi John,

On 2015-11-08 13:52, John Allen wrote:

I ran the ssl-tools tests on my mail server.
Everything seems to be OK, BUT it reports that i am using a weak
cipher "ECDHE_RSA_WITH_RC4_128_SHA"!

So I sat down and googled - postfix/dovecot/apache  - ciphers
suites/recommendations less than one year old.
I gave up at about the fifteenth response. Everyone of them was
different and gave me lists of cipher ranging in length from about
eight to almost a full web page.

Would somebody point me in the right direction. I am trying to make my
installation secure, but manageable.


I am using Viktor's recommendation from August 2015 here on the list, 
see:


-> http://thread.gmane.org/gmane.mail.postfix.user/251935/focus=251935

The ssl-tools.net test warns about supported weak ciphers, namely 
ECDHE_RSA_WITH_RC4_128_SHA as in your result. Checking the mail log of 
my small 6-user mail server shows that in the last month 70 of nearly 
16000 inbound TLS connections used an RC4 cipher, the majority (48) 
coming from Yahoo using TLSv1 ECDHE-RSA-RC4-SHA.


Testing with https://www.checktls.com, the test selects the most used 
cipher my server offers (~13000 inbound connections), TLSv1.2 
ECDHE-RSA-AES256-GCM-SHA384.


regards
christian
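The log check described in the reply above (how many inbound TLS sessions negotiated RC4, and from whom), as an added example that is not Postfix code: it parses the "TLS connection established from ..." lines postfix/smtpd writes for inbound sessions and counts protocol/cipher pairs per client. The log lines, hostnames and addresses are constructed; the WEAK_MARKERS list is an assumption for the demonstration, not a Postfix setting.

```python
"""Cipher usage report from Postfix smtpd TLS log lines (added example)."""
import re
from collections import Counter

# Constructed sample lines in the format postfix/smtpd logs for inbound
# TLS sessions; hostnames and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
Nov  8 10:12:31 mx postfix/smtpd[1234]: Anonymous TLS connection established from mta-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov  8 10:13:02 mx postfix/smtpd[1240]: Anonymous TLS connection established from mta-b.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Nov  8 10:14:45 mx postfix/smtpd[1251]: Trusted TLS connection established from mta-c.example.com[203.0.113.9]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov  8 10:15:10 mx postfix/smtpd[1260]: Anonymous TLS connection established from mta-b.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Nov  8 10:16:22 mx postfix/smtpd[1262]: Anonymous TLS connection established from mta-d.example.net[192.0.2.44]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov  8 10:17:05 mx postfix/smtpd[1270]: Untrusted TLS connection established from mta-e.example.com[203.0.113.77]: TLSv1.1 with cipher ECDHE-RSA-DES-CBC3-SHA (168/168 bits)
Nov  8 10:17:40 mx postfix/smtpd[1271]: connect from mta-f.example.net[192.0.2.99]
"""

# Matches the smtpd line "<Trust level> TLS connection established from
# host[addr]: <protocol> with cipher <suite> (<bits>/<bits> bits)".
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Assumption: substrings that mark a legacy suite (3DES appears as DES-CBC3).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def parse_tls_lines(text):
    """Return one dict per inbound TLS session found in the log text."""
    records = []
    for line in text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # connects, disconnects, plaintext sessions, etc.
        rec = m.groupdict()
        rec["bits"] = int(rec["bits"])
        rec["weak"] = any(mark in rec["cipher"].upper() for mark in WEAK_MARKERS)
        records.append(rec)
    return records


def summarize(records):
    """Count sessions per (protocol, cipher) and legacy-cipher use per client."""
    by_suite = Counter((r["proto"], r["cipher"]) for r in records)
    weak_by_client = Counter(r["client"] for r in records if r["weak"])
    return {
        "total": len(records),
        "weak": sum(weak_by_client.values()),
        "by_suite": by_suite,
        "weak_by_client": weak_by_client,
    }


if __name__ == "__main__":
    s = summarize(parse_tls_lines(SAMPLE_LOG))
    print("%d TLS sessions, %d on legacy ciphers" % (s["total"], s["weak"]))
    for (proto, cipher), n in s["by_suite"].most_common():
        print("%5d  %-8s %s" % (n, proto, cipher))
    for client, n in s["weak_by_client"].most_common():
        print("legacy cipher used %d times by %s" % (n, client))
```

Feed it the real mail log (for example `parse_tls_lines(open("/var/log/mail.log").read())`) and the weak_by_client counter shows which peers would fall back to plaintext, or fail, if those suites were removed from the server's cipher list.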


Re: OpenDKIM

2015-11-07 Thread Christian Kivalo

Hi

On 2015-11-07 14:30, John Allen wrote:

Interesting!
I tried a couple of DKIM test sites, one says I am signing my emails,
the other says I am not!!
Mailradar say I am not signing!
DKIMValidator say I am!



They are both right.

Mailradar checks for DomainKeys (RFC 4870) signatures; DomainKeys' 
successor is DKIM (RFC 4871 and RFC 6376). DomainKeys and DKIM both use a 
signature in the mail headers and keys in DNS.


I'd say that your mails are correctly DKIM signed; this one is:

From the headers of the email I now reply to:
Authentication-Results: uschi.sec-svcs.eu;
dkim=pass (1024-bit key; secure) header.d=klam.ca header.i=@klam.ca 
header.b=JMyFd1MM;

dkim-adsp=pass; dkim-atps=neutral

Regards
christian


Re: OpenDKIM

2015-11-07 Thread Christian Kivalo



On 2015-11-07 16:41, Mike wrote:

On 11/7/2015 9:09 AM, Steve Jenkins wrote:

On Saturday, November 7, 2015, John Allen wrote:

Interesting!
I tried a couple of DKIM test sites, one says I am signing my
emails, the other says I am not!!
Mailradar say I am not signing!
DKIMValidator say I am!


My favorite "test site" for SPF, DKIM, DMARC configuration
and validation is sending to a Gmail account and then viewing the raw
message headers.


Does gmail display whether or not the DNS information for DKIM is
secured by DNSSEC?

No, that's not displayed.


Re: This maybe off topic, but could somebody tell me what i am doing wrong?

2015-10-21 Thread Christian Kivalo



On 2015-10-21 01:51, John Allen wrote:

I have not looked at the code, so I am guessing, but it seems that
mail/mailx handle a continuous block of text differently to a
multi-line block. I am not competent to decide if that is as it should be
or not.


I have a script that checks for various available updates and the 
results are written to a file whose contents I redirect to mailx and 
that works well with multiline text


mailx -n -s "Subject" -r f...@example.com t...@example.net <$file


I don't recall why I chose this approach but it could be that I was 
having the same issues with piping to mailx


Regards
Christian


thanks everyone
John A




Re: This maybe off topic, but could somebody tell me what i am doing wrong?

2015-10-20 Thread Christian Kivalo

On 2015-10-20 12:38, John Allen wrote:

That is in fact what is installed. Mail and mailx are symlinks to
heirloom-mailx.


True, symlinked to the same binary.

Just tried your initial command. The resulting email has the text 
"message text" in the body when run as


echo "message text \r" | /usr/bin/mail -s "Server xxx - Alert" -r 
f...@example.com t...@example.net


but I get the same error as you when I run the command

echo -e "message text \r" | /usr/bin/mail -s "Server xxx - Alert" -r 
f...@example.com t...@example.net


mailx seems to base64 encode the message text because of the \r?

The difference between these two invocations in mail headers is:

echo without -e
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

echo with -e
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64


regards
christian


Re: This maybe off topic, but could somebody tell me what i am doing wrong?

2015-10-19 Thread Christian Kivalo


On 20 October 2015 02:58:43 MESZ, John Allen wrote:
>That should say echo -e "message text \r" | 
>Sorry about that

I'd recommend you install the package heirloom-mailx, it's much more flexible 
in what you can do with it.

Regards
Christian


Re: Helo command rejected: need fully-qualified hostname; 504 5.5.2

2015-10-13 Thread Christian Kivalo

Hi,

On 2015-10-13 05:22, Richard B. Pyne wrote:

I am running postfix 2.10.1, dovecot 2.2.10, with postfixadmin and
maia mailguard.

I am trying to figure out how to disable the HELO/EHLO
reject_non_fqdn_hostname on the submission port since many (most)
desktop and laptop clients don't send it.

I want to keep the restriction on port 25

Thanks.

--Richard


[...]


master.cf

smtp  inet  n   -   n   -   -   smtpd
#
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


add
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit

to the submission port settings...


#
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#


...as are set on port 465. That removes/overrides the setting from 
main.cf.


regards
christian


Re: Error: queue file write error

2015-10-10 Thread Christian Kivalo


On 10 October 2015 17:53:12 MESZ, Dan Lists wrote:
>I am receiving the transcript file with the error "Error: queue file
>write
>error."   It appears that postfix is timing out the connection after 10
>minutes.   The thing that disturbs me is that nothing is logged.   Is
>there
>a way to get postfix to put something in the logs?

How much space is reported to be free in the filesystem?

- Christian


Re: postgresql table does not exist error

2015-10-05 Thread Christian Kivalo


Hi,

>the postfix file (/etc/postfix/pgsql-aliases.cf) has this
>
>hosts = /run/postgresql/

You should specify the socket to use.

>From http://www.postfix.org/pgsql_table.5.html

hosts
The hosts that Postfix will try to connect to and query from. Specify unix: for 
UNIX-domain sockets, inet: for TCP connections (default). Example:
hosts = host1.some.domain host2.some.domain:port
hosts = unix:/file/name
The hosts are tried in random order, with all connections over UNIX domain 
sockets being tried before those over TCP. The connections are automatically 
closed after being idle for about 1 minute, and are re-opened as necessary.
NOTE: the unix: and inet: prefixes are accepted for backwards compatibility 
reasons, but are actually ignored. The PostgreSQL client library will always 
try to connect to a UNIX socket if the name starts with a slash, and will try 
a TCP connection otherwise.

>user = mailreader
>dbname = mail
>query = SELECT alias FROM "al" WHERE email='%s'

Regards
- christian


Re: Dynamic 'myhostname'

2015-09-11 Thread Christian Kivalo


On 10 September 2015 23:13:59 MESZ, Mick wrote:
>On 10/09/2015 21:13, Wietse Venema wrote:
>> Mick:
>>> Hi,
>>>
>>> I'm trialling DMARC to two of my domains.  On checking the results
>when
>>> posting from the secondary domain I receive 'SPF Domain Alignment
>Result
>>> = FAIL'. I think this is because postfix always says HELO with the
>>> primary domain name, which is obviously different to the secondary. 
>Is
>>> there a way to rewrite the message envelope to say HELO using the
>same
>>> domain used in the from field?
>> I suspect that the problem is that the SMTP client IP address no
>> not match the SPF rule.
>>
>> You may want to set up sender_dependent_default_transport to use
>> different Postfix SMTP clients depending on the envelope sender
>> email address, with "-o smtp_bind_address" settings in master.cf
>> for the proper client IP address.
>Hi Wietse,
>
>I only have 1 IP address (2 if you count the IPv6 address).  A reverse 
>DNS lookup will always find my primary domain so even if I used 
>'sender_dependent_default_transport' and set up multiple switches just 
>to change HELO name, they still have to point to the same IP.  If 
>reverse DNS was then carried out, secondary domain provided in the HELO
>
>would not match and mail could be rejected. Think I'm stuffed without 
>additional IPv4s, but at least I know why.

Your setup should work. I have a similar setup with 5 domains, of which the one 
that holds the HELO name of my mail server is not my primary mail domain... and 
that works well with SPF, DKIM and DMARC.

When searching for your error message it seems that maybe your envelope and 
From aren't aligned; this could be checked on SPF test websites that analyse 
your setup after you send them an email to a special one-time address.

Have you had a look at the SPF RFC 7208?

Regards
Christian


>Thanks for your advice.
>
>Mick.
>
>
>>
>>  Wietse
>>



Re: making relay access denied permanent

2015-09-05 Thread Christian Kivalo

Hi,

On 2015-09-05 14:07, A. Meyer wrote:

Hello!

# postconf mail_version
mail_version = 2.11.3

I have this in my log this morning:

Sep  5 08:05:46 bitmachine1 postfix/smtpd[7475]: NOQUEUE: reject: RCPT
from unknown[14.215.136.46]: 454 4.7.1 : Relay
access denied; from= to=
proto=ESMTP helo=
Sep  5 08:05:49 bitmachine1 postfix/smtpd[7475]: too many errors after
DATA from unknown[14.215.136.46]

How can I change the temporary 454 to a 5xx reject?



Take a look at http://www.postfix.org/postconf.5.html#soft_bounce


I don't find anything in the main.cf regarding this.

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/access_sender,
permit_mynetworks,
#check_recipient_access hash:/etc/postfix/hold,
reject_sender_login_mismatch,
permit_sasl_authenticated,
#permit_mynetworks,
reject_invalid_helo_hostname,
reject_unlisted_recipient,
reject_unknown_sender_domain,
check_sender_access pcre:/etc/postfix/umlaute.pcre,
check_recipient_access pcre:/etc/postfix/umlaute.pcre,
reject_unauth_destination,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client spam.bl.alt-backspace.org,
reject_rbl_client spamtrap.bl.alt-backspace.org,
check_client_access cidr:/etc/postfix/client.cidr,
check_policy_service inet:127.0.0.1:10023

# postconf -n | grep reject_code
unknown_address_reject_code = 550

# postconf -d | grep reject_code
access_map_reject_code = 554
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 550
non_fqdn_reject_code = 504
plaintext_reject_code = 450
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450

bitmachine1:/etc/postfix # fgrep -r 454 .
bitmachine1:/etc/postfix # fgrep -r defer_unauth_destination .

outputs nothing.

I'm a bit helpless with this one.

Greetings

  Andreas


regards
- c


Re: DKIM DNS record

2015-09-02 Thread Christian Kivalo



On 2015-09-02 10:29, Martin Skjöldebrand wrote:

Quoting Steve Jenkins :


On Wed, Aug 19, 2015 at 10:07 AM, Martin Skjöldebrand
 wrote:


Following the tutorial here:




http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/

What would a DKIM DNS record look like for my server
mail.skjoldebrand.eu?


Hi, Martin. This tutorial is WAY better. Of course, I'm a bit
biased. :)



http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

SJ

 After some problems with the hosting I've now gotten this to work
using your tutorial.
 Maybe I'm missing it but the the following setting was required for
my server to send mail.

 _RequireSafeKeys false_

 It's not clear from http://www.opendkim.org/opendkim.conf.5.html if
there is any implications of setting this (I've seen it recommended in
other replies when Googling)?


From the manpage:

RequireSafeKeys (boolean)
When reading a key file, a message will be logged if the key file has 
the read or write bit set other than for the owner or for a group that 
the executing process is in. With this feature set to "true", the filter 
will further consider this an error and refuse to make use of the file’s 
contents. The default is "true".


Your key files are not owned by the user you run opendkim as.

You should _chown_ the key files to the user you run opendkim as. The 
user (and group) should be set in opendkim.conf as UserID.




 /Martin S


regards
- c
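The check that RequireSafeKeys performs, and the ownership problem the reply above points at, as an added example that is not opendkim's own code: it re-implements the rule quoted from the manpage (no read/write bits for "other", and group read/write only when the daemon's process belongs to that group) and additionally reports a key file not owned by the daemon user. The daemon uid/groups it checks against and the two constructed key files are assumptions for the demonstration; on a real host you would pass the uid and groups of the UserID set in opendkim.conf.

```python
"""Key file safety check in the spirit of opendkim's RequireSafeKeys (added example)."""
import os
import stat
import tempfile


def key_file_problems(path, daemon_uid, daemon_groups):
    """Return the reasons a key file at `path` is unsafe for a daemon running
    as `daemon_uid` with group membership `daemon_groups`; [] means it passes."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != daemon_uid:
        # Not a RequireSafeKeys rule, but the usual cause of a failing setup:
        # the file was generated as root and never chown'ed to the daemon user.
        problems.append("owned by uid %d, not by the daemon uid %d" % (st.st_uid, daemon_uid))
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("readable or writable by everyone (mode %04o)" % mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP) and st.st_gid not in daemon_groups:
        problems.append("group %d may read or write it but the daemon is not in that group" % st.st_gid)
    return problems


def demo():
    """Create two constructed key files and check them against the current user,
    who stands in for the opendkim daemon user here."""
    me = os.getuid()
    my_groups = set(os.getgroups()) | {os.getgid()}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("loose.private", 0o644), ("tight.private", 0o600)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
                         "-----END RSA PRIVATE KEY-----\n")
            os.chmod(path, mode)
            results[name] = key_file_problems(path, me, my_groups)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Fixing a file this reports is the chown/chmod step from the reply (owner and group set to the daemon user, mode 0600 or 0640), after which RequireSafeKeys can stay at its default of "true".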

