RE: limiting connections to a single host

2020-11-05 Thread Fazzina, Angelo
Maybe this section of the docs is what you are trying to accomplish ?
http://www.postfix.org/TUNING_README.html#rope



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Zsombor B
Sent: Thursday, November 5, 2020 8:12 AM
To: postfix-users@postfix.org
Subject: limiting connections to a single host



Hi,

I have to relay mails to a mail gateway that often rejects connections
because we are too pushy.
The admin of that service suggested that we open X connections and send
Y messages per connection.

How can I set this up either for one specific destination or to all?

Thanks in advance,
Zsombor
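
The setup Zsombor asks about, as an added example that is not part of the thread: a dedicated transport in the TUNING_README style, where the transport name `gateway`, the domain `example.org`, the nexthop `[mailgw.example.net]:25`, X = 2 and Y = 20 are all placeholders.

```ini
# --- main.cf ---
# Route one destination through its own transport. To throttle everything
# sent via relayhost instead, skip transport_maps, use the same limits with
# the smtp_ prefix (smtp_destination_concurrency_limit, ...) and put the
# -o lines below on the stock "smtp" entry in master.cf.
transport_maps = hash:/etc/postfix/transport

# X = 2: at most two simultaneous connections per nexthop on this transport
# (the limit is enforced per destination by the queue manager).
gateway_destination_concurrency_limit = 2
gateway_initial_destination_concurrency = 2

# --- /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing) ---
example.org    gateway:[mailgw.example.net]:25

# --- master.cf ---
# A clone of the smtp delivery agent; maxproc 2 is a hard cap on the number
# of delivery processes for it. Y = 20: keep the connection to this nexthop
# cached instead of on-demand only, and reuse it at most 20 times before a
# fresh one is opened (confirm that your release lists
# smtp_connection_reuse_count_limit in postconf(5) before relying on it).
gateway   unix  -       -       n       -       2       smtp
    -o syslog_name=postfix/gateway
    -o smtp_connection_cache_destinations=[mailgw.example.net]:25
    -o smtp_connection_reuse_count_limit=20
```

The per-transport parameters follow the same `transportname_destination_*` naming as the `slowaol_*` entries shown later on this page.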



RE: postfix3 with opendkim

2020-03-10 Thread Fazzina, Angelo
Hi, may I ask what your Postfix config looks like for OpenDkim ?

In Postfix 2.x it is close to this :
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of SysAdmin EM
Sent: Tuesday, March 10, 2020 9:26 AM
To: postfix-users@postfix.org
Subject: postfix3 with opendkim


Hello, me again.

I updated my Postfix 2 to Postfix 3. Postfix is not communicating with opendkim.

Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter: mi_stop=1
Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter v2.11.0 terminating with status 0, errno = 0
Mar 10 10:14:34 server opendkim[18915]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)



Mar 10 10:15:44 server003 postfix/cleanup[19015]: 614D2C09B473: message-id=<20200310131544.614d2c09b...@mail03.server.com>
Mar 10 10:15:44 server003 postfix/qmgr[18994]: 614D2C09B473: from=<r...@mail03.server.com>, size=512, nrcpt=1 (queue active)
Mar 10 10:15:44 server003 postfix/smtp[19018]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
Mar 10 10:15:45 server003 postfix/smtp[19018]: 614D2C09B473: to=<emaw...@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.186.26]:25, delay=1, delays=0.07/0/0.43/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK  1583846145 z199si8204777qka.20 - gsmtp)
Mar 10 10:15:45 server003 postfix/qmgr[18994]: 614D2C09B473: removed
In the OpenDKIM config file I added these options:

/etc/opendkim.conf

PidFile                 /var/run/opendkim/opendkim.pid
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
Mode                    v
Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
UserID                  opendkim:opendkim
Socket                  inet:8891@localhost
Umask                   002
SendReports             yes
SoftwareHeader          yes
Canonicalization        relaxed/relaxed
Selector                default
MinimumKeyBits          1024
KeyFile                 /etc/opendkim/keys/default.private
OversignHeaders         From

any ideas?

Regards,



Question on ver 2.6.6

2020-02-27 Thread Fazzina, Angelo
Hi, does Postfix have any built-in parameters to delete emails that postqueue shows like this?

A530D14D6D53528 Thu Feb 27 10:13:52  MAILER-DAEMON
(host aspmx.l.google.com[209.85.144.26] said: 450-4.2.1 The user you are trying to contact is receiving mail too quickly. 450-4.2.1 Please resend your message at a later time. If the user is able to 450-4.2.1 receive mail at that time, your message will be delivered. For more 450-4.2.1 information, please visit 450 4.2.1  https://support.google.com/mail/?p=OverReceiveLimit h4si126053qtp.117 - gsmtp (in reply to RCPT TO command))
                                         first.l...@gapps.uconn.edu


I was going to write a script to do it but wanted to ask.

I have multiple servers with over 50K of these emails in each queue, and growing fast.

Thank you.


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075
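
For the "delete by deferral reason" job above, an added example (not from the thread) of the script route: it parses `postqueue -p` output, selects idle deferred entries whose reason matches a regular expression and feeds their IDs to `postsuper -d -`. The queue listing embedded below is constructed sample data in the same layout as the one quoted.

```shell
#!/bin/sh
# Constructed sample in the layout of "postqueue -p" output (addresses and
# IDs are made up). The first entry has the Google 450 4.2.1 deferral.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A530D14D6D53528     1234 Thu Feb 27 10:13:52  MAILER-DAEMON
(host aspmx.l.google.com[209.85.144.26] said: 450-4.2.1 The user you are trying to contact is receiving mail too quickly. 450 4.2.1 https://support.google.com/mail/?p=OverReceiveLimit h4si126053qtp.117 - gsmtp (in reply to RCPT TO command))
                                         first.last@gapps.example.edu

B7C1E14D6D5AB12*    5678 Thu Feb 27 10:14:10  sender@example.edu
                                         someone@example.org

C9D2F14D6D5CD34     4321 Thu Feb 27 10:15:01  MAILER-DAEMON
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         other@example.net

-- 11 Kbytes in 3 Requests.'

# queue_ids_matching PATTERN: read "postqueue -p" output on stdin and print the
# queue ID of every entry whose text matches PATTERN (an awk regular expression).
# Entries flagged "*" (active, being delivered right now) or "!" (on hold) are
# skipped so only idle deferred mail is selected.
queue_ids_matching() {
    sed '/^-Queue ID-/d' | awk -v pat="$1" '
        BEGIN { RS = ""; FS = "\n" }            # one blank-line-separated entry per record
        $1 ~ /^--/ { next }                     # trailing "-- N Kbytes in M Requests." summary
        $1 ~ /^[0-9A-Za-z]+[*!]/ { next }       # active or held entry: leave it alone
        $0 ~ pat {
            id = $1
            sub(/[ \t].*$/, "", id)             # keep only the queue ID column
            print id
        }'
}

# delete_matching PATTERN: remove the selected entries from the live queue.
# Run as root; "postsuper -d -" reads queue IDs from stdin.
delete_matching() {
    postqueue -p | queue_ids_matching "$1" | postsuper -d -
}

# Example invocation against the real queue:
#   delete_matching 'OverReceiveLimit'
```

The entries in question are bounces (sender MAILER-DAEMON), so the built-in knob that eventually gives up on them is bounce_queue_lifetime (default 5d, separate from maximal_queue_lifetime for normal mail); lowering it is the parameter-only alternative to deleting by reason.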



RE: How to trigger a script based on header

2019-12-05 Thread Fazzina, Angelo
Hi, to answer your question I messed around even though I don't think this is going to do it for you, but it's a start.

master.cf

filter    unix  -       n       n       -       0       pipe
  -o syslog_name=postfix/trigg
  flags=Fq  user=filter
  null_sender= argv=/usr/local/bin/angelo  ${sender}  ${recipient}

header_checks
/^Subject: .*stuff.*/ FILTER filter:
/^subject:/ WARN

The major problem is I have not figured out how to deliver the original email that triggered the filter in the first place.

Here are the logs of it working, and running my "angelo" script based on the email subject:

Dec  5 13:34:42 mta5 postfix/smtpd[1432]: connect from angelo.uits.uconn.edu[137.99.80.129]
Dec  5 13:34:43 mta5 postfix/smtpd[1432]: 092653000371: client=angelo.uits.uconn.edu[137.99.80.129]
Dec  5 13:34:43 mta5 postfix/cleanup[1438]: 092653000371: filter: header Subject: this is stuff in here from angelo.uits.uconn.edu[137.99.80.129]; from=<alf02...@appmail.uconn.edu> to=<angelo.fazz...@uconn.edu> proto=ESMTP helo=<[137.99.80.129]>: filter:
Dec  5 13:34:43 mta5 postfix/cleanup[1438]: 092653000371: message-id=<4d982c1d-0260-55e6-fe0f-77034be4c...@appmail.uconn.edu>
Dec  5 13:34:43 mta5 opendkim[1494]: 092653000371: DKIM-Signature field added (s=dkim1, d=mta5.uits.uconn.edu)
Dec  5 13:34:43 mta5 postfix/qmgr[1246]: 092653000371: from=<alf02...@appmail.uconn.edu>, size=721, nrcpt=1 (queue active)
Dec  5 13:34:43 mta5 postfix/smtpd[1432]: disconnect from angelo.uits.uconn.edu[137.99.80.129]
Dec  5 13:34:43 mta5 postfix/trigg/pipe[1441]: 092653000371: to=<alf02...@uconn.mail.onmicrosoft.com>, orig_to=<angelo.fazz...@uconn.edu>, relay=filter, delay=0.17, delays=0.12/0.02/0/0.03, dsn=2.0.0, status=sent (delivered via filter service)
Dec  5 13:34:43 mta5 postfix/qmgr[1246]: 092653000371: removed
Dec  5 13:34:43 mta5 postfix/pickup[1245]: 2D3293000395: uid=1038 from=
Dec  5 13:34:43 mta5 postfix/cleanup[1438]: 2D3293000395: warning: header Subject: Your email to alf02...@appmail.uconn.edu was delivered from local; from=<fil...@mta5.uits.uconn.edu>
Dec  5 13:34:43 mta5 postfix/cleanup[1438]: 2D3293000395: message-id=<20191205183443.2d3293000...@mta5.uits.uconn.edu>
Dec  5 13:34:43 mta5 opendkim[1494]: 2D3293000395: DKIM-Signature field added (s=dkim1, d=mta5.uits.uconn.edu)
Dec  5 13:34:43 mta5 postfix/qmgr[1246]: 2D3293000395: from=<fil...@mta5.uits.uconn.edu>, size=802, nrcpt=1 (queue active)
Dec  5 13:34:44 mta5 postfix/smtp[1446]: 2D3293000395: to=<alf02...@uconn.mail.onmicrosoft.com>, relay=uconn-mail-onmicrosoft-com.mail.protection.outlook.com[104.47.55.110]:25, delay=1.7, delays=0.06/0.02/0.28/1.3, dsn=2.6.0, status=sent (250 2.6.0 <20191205183443.2d3293000...@mta5.uits.uconn.edu> [InternalId=20963735375625, Hostname=MWHPR05MB2973.namprd05.prod.outlook.com] 10746 bytes in 0.174, 60.000 KB/sec Queued mail for delivery)
Dec  5 13:34:44 mta5 postfix/qmgr[1246]: 2D3293000395: removed

But as you can see I don't understand Postfix well enough to make a proper script, or to reroute to another Postfix instance as suggested in other threads from my searching here http://postfix.1071664.n5.nabble.com/

Also I thought I could swap my script for the one in the documentation here
http://www.postfix.org/FILTER_README.html
but I got a permission error.

Dec  5 13:27:05 mta5 postfix/qmgr[29586]: 42D50300039A: from=<alf02...@appmail.uconn.edu>, size=1518, nrcpt=1 (queue active)
Dec  5 13:27:15 mta5 postfix/trigg/pipe[1078]: 42D50300039A: to=<alf02...@uconn.mail.onmicrosoft.com>, orig_to=<angelo.fazz...@uconn.edu>, relay=filter, delay=9057, delays=9047/0.02/0/10, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/local/bin/trigger: line 21: in.1079: Permission denied Cannot save mail to file )

Sorry I can't be more helpful, good luck.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


Hi Angelo,
thanks for your quick reply.
I had a look at your solution, but I'd need a filter on the subject, not on 
sender or recipient. Can your solution be modified to include subject filtering 
as well?
Grazie :-)

On Wed, 4 Dec 2019 at 21:20, Fazzina, Angelo 
mailto:angelo.fazz...@uconn.edu>> wrote:
Hi, AFA I know there is the “argv” parameter in master.cf

RE: How to trigger a script based on header

2019-12-04 Thread Fazzina, Angelo
Hi, AFA I know there is the “argv” parameter in master.cf that can run scripts 
you create, there may be others.

This is my test config:

autoreply unix  -       n       n       -       -       pipe
  flags=DF user=nobody
  argv=/usr/local/bin/angelo $sender $recipient $original_recipient $user $mailbox


And here is the script:

[root@mta5 ]# more /usr/local/bin/angelo
#!/usr/bin/bash

# Arguments come from the master.cf argv line above:
# $1 = sender, $2 = recipient, $3 = original_recipient, $4 = user, $5 = mailbox.
# sendmail -t takes the recipient from the To: header; -oi keeps a line with a
# lone "." from ending the input. The message body is the here-document up to EOF.
/usr/sbin/sendmail -oi -t <<EOF
To: $1
Subject: Your email to $3 was delivered
Content-Type: text/plain; charset=utf-8

This is a test email.
This is a notice to inform you that in the future when you send emails
to $3 they will fail to send.
Please send all future emails to users  @uconn.edu address.
Thank you.


this is 2 = $2
this is 1 = $1
this is 3 = $3
this is user = $4
this is mailbox = $5
EOF


And I recall only adding this to main.cf

transport_destination_recipient_limit = 1

and in virtual
@uchc.edu   ang...@uconn.edu, autore...@autoreply.uconn.edu


You will likely get more specific answers with more details about your scenario.
I do not know if header_checks is the normal way to trigger a script, I never did it that way.

Good Luck.



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Quasar
Sent: Wednesday, December 4, 2019 3:02 PM
To: postfix-users@postfix.org
Subject: How to trigger a script based on header

Hi there,
I need some help, tried to find the answer googling for it, but no luck.
Here's my question: I'd need to trigger a script whenever an email is processed 
and sent. This trigger should be based on some header fields (e.g. subject).
I tried playing with header_checks but without getting anything.
Can you please help me?

Thanks
Giuseppe.
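
Putting the two "How to trigger a script based on header" posts above together: the step missing from the Dec 5 setup is that a pipe filter has to re-inject the original message, which is what FILTER_README's simple content filter does with `sendmail -G -i`. This added example (not code from the thread or from Postfix) is such a script: it extracts the Subject, runs a trigger action when it matches, and re-injects the untouched message. The script path `/usr/local/bin/subject-trigger`, the trigger word `stuff`, the `logger` action and the `/var/spool/filter` directory are assumptions.

```shell
#!/bin/sh
# Subject-triggered pipe filter. master.cf entry assumed for it:
#   filter    unix  -       n       n       -       10      pipe
#     flags=Rq user=filter null_sender=
#     argv=/usr/local/bin/subject-trigger -f ${sender} -- ${recipient}
# header_checks routes matching mail here with "FILTER filter:", Postfix hands
# the message on stdin, and unless the script re-injects it the mail is gone.

INSPECT_DIR="${INSPECT_DIR:-/var/spool/filter}"          # must be owned by the pipe user
SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail -G -i}"         # -G gateway submission, -i ignore lone dots
TRIGGER_REGEX="${TRIGGER_REGEX:-stuff}"                  # assumption: word from the header_checks rule
TRIGGER_CMD="${TRIGGER_CMD:-logger -t subject-trigger}"  # assumption: the action to run
EX_TEMPFAIL=75     # sysexits.h: Postfix defers the message and retries later

# Constructed sample message used only by the checks (not real mail); note the
# folded Subject line and the decoy "Subject:" in the body.
SAMPLE_MSG='Received: from host.example.edu (constructed sample)
From: alice@example.edu
To: bob@example.edu
Subject: this is stuff
 in here
Message-ID: <constructed@example.edu>

Subject: not a header
body text'

# message_subject: print the unfolded Subject header of the message on stdin
# (empty if none). Stops at the blank line so "Subject:" in the body is ignored.
message_subject() {
    awk '
        /^$/ { exit }                                                    # end of headers
        in_subj && /^[ \t]/ { sub(/^[ \t]+/, " "); out = out $0; next }  # folded continuation
        in_subj { exit }                                                 # next header ends it
        tolower($0) ~ /^subject:/ { out = substr($0, 9); sub(/^[ \t]+/, "", out); in_subj = 1 }
        END { print out }'
}

# subject_triggers SUBJECT: exit 0 when the subject matches TRIGGER_REGEX (case-insensitive).
subject_triggers() {
    printf '%s\n' "$1" | grep -qi -- "$TRIGGER_REGEX"
}

# run_filter: save the message, fire the trigger if the subject matches, then
# re-inject the original so delivery continues. "$@" is the
# "-f sender -- recipient..." list from master.cf, so $2 is the envelope sender.
run_filter() {
    trap 'rm -f "$INSPECT_DIR/in.$$"' 0 1 2 3 15
    cd "$INSPECT_DIR" || { echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }
    cat > "in.$$" || { echo "Cannot save mail to file"; exit $EX_TEMPFAIL; }

    subject="$(message_subject < "in.$$")"
    if subject_triggers "$subject"; then
        $TRIGGER_CMD "trigger fired: sender=$2 subject=$subject" || true
    fi
    $SENDMAIL "$@" < "in.$$"
    exit $?
}

# Postfix always passes arguments; with none (e.g. when sourced for checks) do nothing.
if [ $# -gt 0 ]; then
    run_filter "$@"
fi
```

The re-injected copy passes through cleanup again, so give the pickup service `-o receive_override_options=no_header_body_checks` as FILTER_README shows, or header_checks will route it straight back into the filter. The "in.1079: Permission denied Cannot save mail to file" error quoted above is the `cat > in.$$` step failing because the inspect directory was not writable by the pipe user.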


RE: looking for a little documentation please

2019-11-21 Thread Fazzina, Angelo
Thank you, I need to learn to Google better, my bad.

https://groups.google.com/forum/#!topic/mailing.postfix.users/mpeVD0d56zM

Wietse, seems to have answered this question in the past.

I am going to just do more simultaneous testing with the client like you said and sniff the wire.

Thanks everyone.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Noel Jones
Sent: Thursday, November 21, 2019 11:48 AM
To: postfix-users@postfix.org
Subject: Re: looking for a little documentation please

On 11/21/2019 10:18 AM, Fazzina, Angelo wrote:
> Thank you for clearing that up.
> Since this client I have is having trouble and I am trying to determine if 
> the client's IP is the one generating these log entries, do you think these two 
> settings will give me more info in the logs for smtpd related data ?
> 
>debug_peer_level (x)
> and
>debug_peer_list (y)


For the unknown[unknown] connections, postfix doesn't know the peer, 
so the above won't give any additional information.

You might be able to use a packet sniffer such as tcpdump or 
wireshark to see the connecting IP before it drops.


   -- Noel Jones


RE: looking for a little documentation please

2019-11-21 Thread Fazzina, Angelo
Thank you for clearing that up.
Since this client I have is having trouble and I am trying to determine if the 
client's IP is the one generating these log entries, do you think these two 
settings will give me more info in the logs for smtpd related data ?

  debug_peer_level (x)
and
  debug_peer_list (y)

thank  you.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Thursday, November 21, 2019 11:07 AM
To: Postfix users 
Subject: Re: looking for a little documentation please

> On Nov 21, 2019, at 10:54 AM, Fazzina, Angelo  
> wrote:
> 
> Nov 21 09:00:15 mail5 postfix/smtpd[31265]: lost connection after CONNECT from unknown[unknown]
> Nov 21 09:00:15 mail5 postfix/smtpd[31265]: disconnect from unknown[unknown]

The connection was lost right after it was established, before
the client sent any SMTP commands, and indeed the client had
already reset the connection by the time smtpd(8) accepted it,
so that even the client's IP address was no longer available.

> that PID 31265 was running along happily processing mail from one IP over 
> port 25 because
> that IP is in the mynetworks setting. Then those 2 lines and that pid is not 
> seen again.

The previous connection is unrelated.

> Is the 1st line reporting the result of the HELO/EHLO command ?

No.

-- 
Viktor.


looking for a little documentation please

2019-11-21 Thread Fazzina, Angelo
Hi, I read this
http://www.postfix.org/OVERVIEW.html
which got me to this
http://www.postfix.org/smtpd.8.html

Then I got lost...

I am trying to diagnose the details of what smtpd does when a client
tries to connect to my postfix server, based on these 2 lines

Nov 21 09:00:15 mail5 postfix/smtpd[31265]: lost connection after CONNECT from 
unknown[unknown]
Nov 21 09:00:15 mail5 postfix/smtpd[31265]: disconnect from unknown[unknown]



that PID 31265 was running along happily processing mail from one IP over port 
25 because
that IP is in the mynetworks setting. Then those 2 lines and that pid is not 
seen again.

Is the 1st line reporting the result of the HELO/EHLO command ?


thanks for any hints.


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Fazzina, Angelo

From what I can tell the DNS record was not found.


Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found

And I can't find it...

[root@exa02dbadm01 ~]# dig -t txt zendesk1._domainkey.lightandmotion.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t txt zendesk1._domainkey.lightandmotion.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zendesk1._domainkey.lightandmotion.com.    IN  TXT

;; AUTHORITY SECTION:
lightandmotion.com.     10800   IN  SOA dns042.a.register.com. root.register.com. 2019021518 28800 7200 604800 14400

;; Query time: 65 msec
;; SERVER: 137.99.25.14#53(137.99.25.14)
;; WHEN: Fri Oct 25 13:12:38 EDT 2019
;; MSG SIZE  rcvd: 126



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Jason Hirsh
Sent: Friday, October 25, 2019 12:53 PM
To: Dominic Raferd ; postfix-users@postfix.org
Subject: Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

I have gone over my configuration with a fine tooth comb, but considering I put 
them together it is not surprising I can't spot anything


I have been trying to locate opendkim action in my log file.  It appears that 
the mail is being reviewed but no header added




Any thoughts anyone?
On Oct 24, 2019, at 11:29 AM, Jason Hirsh 
<kasd...@mac.com> wrote:

Thank you for the quick response


I am 99% certain they are... I had the OpenDkim running for about a week and did 
not change those (I think)

Trusted Hosts

127.0.0.1
localhost
example.com
example1.com



KeyTable

default._domainkey.example.com:default:/usr/local/etc/opendkim/keys/example.com.com/default.private
default._domainkey.example1.com:default:/usr/local/etc/opendkim/keys/example1.com/default.private

SigningTable

*@example.com 
default._domainkey.example.com
*@example1.com 

RE: Trying to understand error message in logs

2019-10-11 Thread Fazzina, Angelo
Subject: Re: Trying to understand error message in logs

...and check permissions on *all* the directories in the path leading to the 
lockfile for proper access (at least eXecute permission) and no conflicting 
ACLs 
(as viktor already wrote).

--tmolitor


Am Freitag, 11. Oktober 2019, 15:00:36 CEST schrieb Viktor Dukhovni:
> Reboot your system, and try again.
> 
> > On Oct 11, 2019, at 2:49 PM, Fazzina, Angelo 
> > wrote:
> > 
> > Hi, thanks for the tip about checking SELINUX.  Sadly no change when
> > testing openssl command with SELINUX off.
> TLS has nothing to with this.  The SMTP server is unable to
> lock a file that is used to avoid waking up all the SMTP
> listeners every time a new connection arrives.  The lock
> file ensures that only one listener is waiting to accept new
> connections at a time.
> 
> The EPERM error is not normal in this context.  On my
> system:
> 
>   $ ls -ld /var/spool/postfix{,/pid{,/inet.smtp}}
>   drwxr-xr-x  16 root  wheel    16 Aug  4 22:46 /var/spool/postfix
>   drwxr-xr-x   2 root  postfix  19 Apr 18 04:43 /var/spool/postfix/pid
>   -rw-------   1 root  postfix   0 Feb 19  2017 /var/spool/postfix/pid/inet.smtp
> 
> which shows that only root can open the lock file, and yet
> there are no issues with the lock, because Postfix opens
> the file before dropping privs.  So if you're seeing EPERM,
> your system is either configured with additional security
> restrictions, or has become confused and needs a reboot.
> 
> Also, make sure there are no additional extended ACLs on the file,
> immutable bits, ...  Good luck.
> 
> Don't waste time with TLS, that's entirely irrelevant.


RE: Trying to understand error message in logs

2019-10-11 Thread Fazzina, Angelo
Hi, thanks for the tip about checking SELINUX.  Sadly no change when testing 
openssl command with SELINUX off. :-(


Not sure if this is a hint but  this works on the server
openssl s_client -connect mail6.its.uconn.edu:465
so I think the SSL cert files are all good, as 465 and 587 use same files.


I have to "control-C" to get back to prompt
[root@mail6 postfix]# openssl s_client -starttls smtp -connect 
mail6.its.uconn.edu:587
CONNECTED(0003)
^C


I tried even adding "- v" to this line in master.cf with a restart and logs 
went up for port 465 but nothing changed for 587
submission inet n   -   n   -   -   smtpd -v

thanks.


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Wietse Venema
Sent: Friday, October 11, 2019 11:55 AM
To: Postfix users 
Subject: Re: Trying to understand error message in logs

Fazzina, Angelo:
> Hi, thank you for trying to help.
> I hope this answers your question.
> 
> [root@mail6 pid]# pwd
> /var/spool/postfix/pid
> [root@mail6 pid]# ll
> total 4
> -rw-------. 1 root root  0 Oct  6 22:14 inet.smtp
...and so on...

Postfix daemons open lockfiles while running as root. If they can't
do that, then check out
- NFS server configuration (disable the root->nobody mapping)
- Selinux or AppArmor configuration

Wietse


RE: Trying to understand error message in logs

2019-10-11 Thread Fazzina, Angelo
Hi, thank you for trying to help.
I hope this answers your question.

[root@mail6 pid]# pwd
/var/spool/postfix/pid
[root@mail6 pid]# ll
total 4
-rw-------. 1 root root  0 Oct  6 22:14 inet.smtp
-rw-------. 1 root root  0 Oct  3 10:00 inet.smtps
-rw-------. 1 root root  0 Oct  6 22:18 inet.submission
-rw-------. 1 root root 33 Oct  9 11:44 master.pid
-rw-------. 1 root root  0 Sep 26 11:18 unix.cleanup
-rw-------. 1 root root  0 Sep 26 11:18 unix.local
-rw-------. 1 root root  0 Oct  9 11:34 unix.showq
-rw-------. 1 root root  0 Sep 26 11:18 unix.smtp

I have not touched this file ever. BTW.
/usr/libexec/postfix/postfix-files

Also config is same on working server mail5.its.uconn.edu

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: Marty Lee  
Sent: Friday, October 11, 2019 11:35 AM
To: Fazzina, Angelo 
Cc: postfix-users@postfix.org
Subject: Re: Trying to understand error message in logs

> Oct 11 11:16:08 mail6 postfix/submission/smtpd[18091]: fatal: open lock file 
> pid/inet.submission: cannot open file: Permission denied

This would be the clue, and according to the docs, pid files are written to the
queue directory by default.

> queue_directory = /var/spool/postfix

so - is there a directory /var/spool/postfix/pid and is it writeable by the
postfix user?

marty



Trying to understand error message in logs

2019-10-11 Thread Fazzina, Angelo
Hi, I am building a new server with RHEL7 and Postfix 2.10

The log file is constantly outputting this...

Oct 11 11:15:08 mail6 postfix/master[3266]: warning: process /usr/libexec/postfix/smtpd pid 18008 exit status 1
Oct 11 11:15:08 mail6 postfix/master[3266]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Oct 11 11:16:08 mail6 postfix/submission/smtpd[18091]: fatal: open lock file pid/inet.submission: cannot open file: Permission denied
Oct 11 11:16:09 mail6 postfix/master[3266]: warning: process /usr/libexec/postfix/smtpd pid 18091 exit status 1
Oct 11 11:16:09 mail6 postfix/master[3266]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Oct 11 11:17:09 mail6 postfix/submission/smtpd[18161]: fatal: open lock file pid/inet.submission: cannot open file: Permission denied
Oct 11 11:17:10 mail6 postfix/master[3266]: warning: process /usr/libexec/postfix/smtpd pid 18161 exit status 1
Oct 11 11:17:10 mail6 postfix/master[3266]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

TESTING:
This fails:  openssl s_client -starttls smtp -connect mail6.its.uconn.edu:587

I have supposedly identical server and this works :
openssl s_client -starttls smtp -connect mail5.its.uconn.edu:587

Thank you.

[root@mail6 pid]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 137.99.28.110 137.99.28.117 137.99.28.90 137.99.28.116 137.99.188.202 10.3.28.90 10.3.28.116 10.4.25.183 10.4.40.212 10.4.40.194 10.4.40.189 66.29.212.37 137.99.25.0/24
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
slowaol_destination_concurrency_limit = 2
slowaol_destination_rate_delay = 30s
slowaol_destination_recipient_limit = 10
slowhot_destination_concurrency_limit = 2
slowhot_destination_rate_delay = 10s
slowhot_destination_recipient_limit = 10
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_cert_file = /etc/pki/tls/certs/massmail_uconn_edu_cert_interm.cer
smtpd_tls_key_file = /etc/pki/tls/private/massmail_key.key
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: outbound.protection.outlook.com

2019-10-02 Thread Fazzina, Angelo
Hi, not sure if this helps, but these are the networks my Postfix server is set up to send email to for O365 so users get their mail delivered


You may need to lock things down more than me but this is the list that works 
for me.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Stuart Henderson
Sent: Wednesday, October 2, 2019 11:04 AM
To: postfix-users@postfix.org
Subject: Re: outbound.protection.outlook.com

On 2019/10/02 16:13, Henrik K wrote:
> On Wed, Oct 02, 2019 at 02:50:23PM +0200, ratatouille wrote:
> > Henrik K  schrieb am 02.10.19 um 15:46:18 Uhr:
> > 
> > > On Wed, Oct 02, 2019 at 02:20:48PM +0200, Matus UHLAR - fantomas wrote:
> > > >
> > > > I got rid of it, since of too many false positives related to outlook, 
> > > > gmail
> > > > etc.  
> > > 
> > > Why would you greylist something that's easily skipped using DNSWL etc?
> > 
> > Thank you! I'll look for that stuff.
> 
> Just use permit_dnswl_client before your postgrey
> 
> permit_dnswl_client list.dnswl.org
> check_policy_service inet:127.0.0.1:12345
> 
> These should be pretty much last lines in your checks, remember that is
> accepts the message at that stage when listed.
> 
> Of course you can also create manual whitelist lookup tables.
> 

dnswl doesn't have a good list of Microsoft servers, less than half of their
deliveries to me today came from servers listed on dnswl. I make my own list
from their SPF records to exempt them from greylist-type checks.

Examples of some currently used that aren't on dnswl:



RE: sasl config confusion postfix 2.10.1-- FIXED

2019-08-07 Thread Fazzina, Angelo
Sorry for the noise,

I changed it to

relayhost = [massmail.uconn.edu]:587
smtp_fallback_relay = [massmail.uconn.edu]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/nexus_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes

and ran

yum install cyrus-sasl-plain


and it works fine now.
Case closed.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Fazzina, Angelo
Sent: Wednesday, August 7, 2019 12:37 PM
To: postfix-users@postfix.org
Subject: sasl config confusion postfix 2.10.1


Hi, I added this to main.cf

relayhost = [massmail.uconn.edu]:587
smtp_fallback_relay = [massmail.uconn.edu]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/nexus_passwd
smtp_sasl_security_options =


I added this to master.cf
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING

I reloaded postfix
And see this in logs

[root@production0 alf02013]# grep  89C1F121242FF /var/log/maillog
Aug  7 12:27:28 production0 postfix/cleanup[18993]: 89C1F121242FF: message-id=<20190807162728.89c1f12124...@production0.nexus.uconn.edu>
Aug  7 12:27:28 production0 postfix/bounce[19011]: 85A08121242FE: sender non-delivery notification: 89C1F121242FF
Aug  7 12:27:28 production0 postfix/qmgr[18989]: 89C1F121242FF: from=<>, size=3290, nrcpt=1 (queue active)
Aug  7 12:27:59 production0 postfix/smtp[18995]: 89C1F121242FF: to=<userdc48ca76b6273197891464369...@production0.nexus.uconn.edu>, relay=massmail.uconn.edu[137.99.26.55]:587, delay=31, delays=0/0/31/0, dsn=5.7.0, status=bounced (host massmail.uconn.edu[137.99.26.55] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Aug  7 12:27:59 production0 postfix/qmgr[18989]: 89C1F121242FF: removed


What am I doing wrong ?

Should I see  250-STARTTLS when I do this ???

[root@production0 postfix]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 production0.nexus.uconn.edu ESMTP Postfix
ehlo uconn.edu
250-production0.nexus.uconn.edu
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



sasl config confusion postfix 2.10.1

2019-08-07 Thread Fazzina, Angelo

Hi, I added this to main.cf

relayhost = [massmail.uconn.edu]:587
smtp_fallback_relay = [massmail.uconn.edu]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/nexus_passwd
smtp_sasl_security_options =


I added this to master.cf
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING

I reloaded postfix
And see this in logs

[root@production0 alf02013]# grep  89C1F121242FF /var/log/maillog
Aug  7 12:27:28 production0 postfix/cleanup[18993]: 89C1F121242FF: message-id=<20190807162728.89c1f12124...@production0.nexus.uconn.edu>
Aug  7 12:27:28 production0 postfix/bounce[19011]: 85A08121242FE: sender non-delivery notification: 89C1F121242FF
Aug  7 12:27:28 production0 postfix/qmgr[18989]: 89C1F121242FF: from=<>, size=3290, nrcpt=1 (queue active)
Aug  7 12:27:59 production0 postfix/smtp[18995]: 89C1F121242FF: to=, relay=massmail.uconn.edu[137.99.26.55]:587, delay=31, delays=0/0/31/0, dsn=5.7.0, status=bounced (host massmail.uconn.edu[137.99.26.55] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Aug  7 12:27:59 production0 postfix/qmgr[18989]: 89C1F121242FF: removed


What am I doing wrong ?

Should I see  250-STARTTLS when I do this ???

[root@production0 postfix]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 production0.nexus.uconn.edu ESMTP Postfix
ehlo uconn.edu
250-production0.nexus.uconn.edu
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: SPF failure

2019-07-15 Thread Fazzina, Angelo
When you plug your domain [forevermetalroof.com] in here you see the "too many lookups" problem explained better:

https://dmarcian.com/spf-survey/

The limit is 10.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Phil Stracchino
Sent: Monday, July 15, 2019 2:02 PM
To: postfix-users@postfix.org
Subject: SPF failure

I have mail from one specific domain (handled by Google) being rejected
by pypolicyd-spf because of an apparent DNS lookup problem — 'SPF
Permanent Error: Too many DNS lookups' — but it is not obvious to me
what the problem is, unless it's something to do with having five MX
forwarders to look up.  Only this one domain seems to be affected.  I
can SEND mail to them, but not RECEIVE mail from them.  I have added
forevermetalroofs.com to pypolicyd's domain whitelist, and it didn't help.


Their SPF record is:

forevermetalroof.com descriptive text "v=spf1 a mx
include:websitewelcome.com +include:sendgrid.net ~all"


And here's the log of the last failure:


Jul 15 13:48:59 minbar postfix/postscreen[24844]: CONNECT from
[209.85.160.176]:37644 to [10.24.32.15]:25
Jul 15 13:49:05 minbar postfix/postscreen[24844]: PASS NEW
[209.85.160.176]:37644
Jul 15 13:49:05 minbar postfix/smtpd[25113]: connect from
mail-qt1-f176.google.com[209.85.160.176]
Jul 15 13:49:05 minbar postfix/smtpd[25113]: warning: connect to Milter
service inet:localhost:8891: Connection refused
Jul 15 13:49:05 minbar postfix/smtpd[25113]: Anonymous TLS connection
established from mail-qt1-f176.google.com[209.85.160.176]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 15 13:49:05 minbar postfix/smtpd[25113]: NOQUEUE: permit: RCPT from
mail-qt1-f176.google.com[209.85.160.176]: action=permit for Helo
command=mail-qt1-f176.google.com ; from=
to= proto=ESMTP helo=
Jul 15 13:49:11 minbar policyd-spf[25139]: Starting
Jul 15 13:49:11 minbar policyd-spf[25139]: Config: {'debugLevel': 3,
'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'SPF_Not_Pass',
'PermError_reject': 'True', 'TempError_Defer': 'True', 'skip_addresses':
'127.0.0.0/8,:::127.0.0.0/104,::1', 'TestOnly': 1,
'SPF_Enhanced_Status_Codes': 'Yes', 'Header_Type': 'SPF',
'Hide_Receiver': 'Yes', 'Authserv_Id': 'minbar', 'Lookup_Time': 20,
'Whitelist_Lookup_Time': 10, 'Void_Limit': 2, 'Reason_Message': 'Message
{rejectdefer} due to: {spf}. Please see {url}', 'No_Mail': False,
'Mock': False, 'Whitelist': '10.24.32.0/20', 'Domain_Whitelist':
'thisistrue.com, forum.thisistrue.com, beefruityandnutty.com,
kimmel.com, novylen.net, pluspora.com, forevermetalroofs.com',
'HELO_Whitelist': 'hades.listmoms.net, panini.novylen.net,
fritter.limelight.ca'}
Jul 15 13:49:11 minbar policyd-spf[25139]: spfcheck: pyspf result:
"['None', '', 'helo']"
Jul 15 13:49:11 minbar policyd-spf[25139]: None; identity=no SPF record;
client-ip=209.85.160.176; helo=mail-qt1-f176.google.com;
envelope-from=d...@forevermetalroof.com; receiver=
Jul 15 13:49:11 minbar policyd-spf[25139]: spfcheck: pyspf result:
"['Permerror', 'SPF Permanent Error: Too many DNS lookups', 'mailfrom']"
Jul 15 13:49:11 minbar policyd-spf[25139]: Permerror; identity=mailfrom;
client-ip=209.85.160.176; helo=mail-qt1-f176.google.com;
envelope-from=d...@forevermetalroof.com; receiver=
Jul 15 13:49:11 minbar policyd-spf[25139]: Action: reject: Text: Message
rejected due to: SPF Permanent Error: Too many DNS lookups. Please see
http://www.openspf.net/Why?s=mfrom;id=deb@forevermetalroof.com;ip=209.85.160.176
Reject action: 550 5.7.24
Jul 15 13:49:11 minbar policyd-spf[25139]: 550 5.7.24 Message rejected
due to: SPF Permanent Error: Too many DNS lookups. Please see
http://www.openspf.net/Why?s=mfrom;id=deb@forevermetalroof.com;ip=209.85.160.176
Jul 15 13:49:11 minbar postfix/smtpd[25113]: NOQUEUE: reject: RCPT from
mail-qt1-f176.google.com[209.85.160.176]: 550 5.7.24
: Recipient address rejected: Message rejected
due to: SPF Permanent Error: Too many DNS lookups. Please see
http://www.openspf.net/Why?s=mfrom;id=deb@forevermetalroof.com;ip=209.85.160.176;
from= to= 
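Angelo's pointer is the 10-lookup limit of RFC 7208 section 4.6.4. As an added example that is not part of the thread, the Python below walks a record and its include: targets and counts the terms that cost a DNS query; the forevermetalroof.com record is the one Phil quoted, while the included records are constructed for the demo and are not the real records of those domains.

```python
# Count the DNS-querying terms an SPF check must evaluate (RFC 7208 4.6.4
# allows at most 10 per check).  Added example; the include: targets below
# are constructed for the demo, not the real records of those domains.

# Mechanisms and modifiers that cost a DNS query; "all", "ip4", "ip6" are free.
COUNTED = {"a", "mx", "ptr", "exists", "include", "redirect"}
LIMIT = 10

# Constructed zone: the top record is the one quoted in the thread,
# everything it includes is made up so the walk can run offline.
ZONE = {
    "forevermetalroof.com": "v=spf1 a mx include:websitewelcome.com +include:sendgrid.net ~all",
    "websitewelcome.com": "v=spf1 a mx include:relay.example ~all",
    "relay.example": "v=spf1 ip4:203.0.113.0/24 a mx mx:mail.relay.example ~all",
    "sendgrid.net": "v=spf1 a mx include:pool.example ~all",
    "pool.example": "v=spf1 ip4:198.51.100.0/24 a -all",
}


def parse_terms(record):
    """Yield (name, argument) for each term after 'v=spf1'; the qualifier
    (+ - ~ ?) does not change what a term costs, so it is dropped."""
    for tok in record.split()[1:]:
        tok = tok.lstrip("+-~?")
        if "=" in tok:                      # modifier, e.g. redirect=other.example
            name, _, arg = tok.partition("=")
        else:                               # mechanism, e.g. include:other.example
            name, _, arg = tok.partition(":")
        yield name.lower(), arg


def walk(domain, zone, path=(), trail=None):
    """Collect (domain, term) for every counted term reachable from `domain`,
    following include: and redirect= the way a verifier does."""
    trail = [] if trail is None else trail
    if domain in path or domain not in zone:
        # include loop or missing record: a verifier returns permerror here,
        # so there is nothing further to count
        return trail
    for name, arg in parse_terms(zone[domain]):
        if name in COUNTED:
            trail.append((domain, f"{name}:{arg}" if arg else name))
        if name in ("include", "redirect") and arg:
            walk(arg, zone, path + (domain,), trail)
    return trail


def spf_lookup_report(domain, zone=ZONE):
    """Total counted terms for `domain`, whether that exceeds the limit of 10,
    and how many terms each visited record contributed."""
    trail = walk(domain, zone)
    per_domain = {}
    for d, _ in trail:
        per_domain[d] = per_domain.get(d, 0) + 1
    return {"lookups": len(trail), "over_limit": len(trail) > LIMIT,
            "per_domain": per_domain}


if __name__ == "__main__":
    report = spf_lookup_report("forevermetalroof.com")
    print(report["lookups"], "lookups, over limit:", report["over_limit"])
    for d, n in report["per_domain"].items():
        print(f"  {d}: {n}")
```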

RE: Rejecting mail if LDAP lookup returns empty

2019-06-21 Thread Fazzina, Angelo
Hi, what is the output, if testing is possible, of say these commands?

postmap -q racoo...@tamu.edu  ldap:/etc/postfix/tamu.ldap

postmap -q bad_a...@tamu.edu  ldap:/etc/postfix/tamu.ldap


If I'm sending you down the wrong rabbit hole, I am sure someone more savvy will 
help out.



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Cooper, Robert A
Sent: Friday, June 21, 2019 9:44 AM
To: postfix-users@postfix.org
Subject: Rejecting mail if LDAP lookup returns empty

Howdy!

We are setting up Postfix to be an on-premise mail lookup and forward service 
for a cloud-based mail filter service (ProofPoint).  Our campus uses LDAP to 
route email from a public alias (@tamu.edu) to an internal mailbox (e.g., 
@exchange.tamu.edu) or external destination such as yahoo or gmail.

The issue we are seeing is that the lookups are working just fine, but if an 
email is sent to a bogus public alias or a valid alias without a defined 
routing address in LDAP, Postfix then attempts to pass on the @tamu.edu address 
to the next hop instead of failing the lookup and bouncing.  We are running 
postfix 2.10.1 (CentOS 7) and I can't seem to find a configuration that will 
fail messages back if there is no LDAP mailRoutingAddress. Right now, we are 
getting bounces but they are being generated from the on-prem ProofPoint 
appliance and not Postfix.  The on-prem appliances are going away (which is 
what prompted this change to begin with).

Is there something I'm missing in configuration that would fail if LDAP does 
not return a routing address?

Thanks,
RobertC


postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_concurrency_limit = 2
lmtp_host_lookup = native
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 52428800
mydestination = $myhostname, localhost.$mydomain
mydomain = syse.tamu.edu
mynetworks = /etc/postfix/mynetworks.cidr
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_host_lookup = native
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_connection_count_limit = 1000
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_limit = 1000
smtpd_recipient_restrictions = 
permit_mynetworks,reject_unknown_recipient_domain,reject_unverified_recipient
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/tamu.ldap

postconf -M
smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n

RE: Add header based on subject

2019-06-21 Thread Fazzina, Angelo
I have a question: wouldn't that break a DKIM sig if the incoming email had one?

Thank you.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Ralph Seichter
Sent: Friday, June 21, 2019 7:54 AM
To: postfix-users@postfix.org
Subject: Re: Add header based on subject

* Marcelo Machado:

> Is possible add a header based on a regex in a subject?

Yes, see http://www.postfix.org/header_checks.5.html (PREPEND action).

-Ralph
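Angelo's question (does a PREPEND break an existing DKIM signature?) turns on which header names the signature's h= tag covers. Added example, not from the thread: it parses h= from a constructed DKIM-Signature, simulates inserting a header at a given position in the header block, and reports whether the header instances a verifier hashes change (RFC 6376 section 5.4: only listed names are signed, instances are taken bottom-up, and a name listed more times than it occurs guards against added copies).

```python
import re

# Constructed message headers, top to bottom (values are placeholders).
# Subject is listed twice in h= and List-Id once although absent: both are
# the "over-signing" RFC 6376 5.4 describes for blocking added copies.
INCOMING_HEADERS = [
    ("DKIM-Signature", "v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed; "
                       "h=From:To:Subject:Date:Subject:List-Id; bh=<placeholder>; b=<placeholder>"),
    ("From", "sender@example.com"),
    ("To", "user@example.net"),
    ("Subject", "[ticket] weekly report"),
    ("Date", "Fri, 21 Jun 2019 07:54:00 +0000"),
]


def signed_header_counts(signature_value):
    """How many times each header name (lower-cased) appears in the h= tag."""
    m = re.search(r"(?:^|;)\s*h=([^;]*)", signature_value)
    counts = {}
    for name in (m.group(1).split(":") if m else []):
        name = name.strip().lower()
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def verifier_view(headers, counts):
    """The header instances a verifier feeds to the hash: for a name listed k
    times, the last k instances in the block (bottom-up), with a missing
    instance represented as None."""
    view = []
    for name, k in counts.items():
        instances = [v for n, v in headers if n.lower() == name]
        if k <= len(instances):
            chosen = instances[-k:]
        else:
            chosen = [None] * (k - len(instances)) + instances
        view.append((name, chosen))
    return view


def prepend_breaks_signature(headers, new_name, new_value, before_index):
    """True if inserting (new_name, new_value) in front of headers[before_index]
    changes what the verifier hashes, i.e. the existing signature will fail."""
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False                         # nothing to break
    counts = signed_header_counts(sig)
    if new_name.lower() not in counts:
        return False                         # unsigned name: always harmless
    modified = headers[:before_index] + [(new_name, new_value)] + headers[before_index:]
    return verifier_view(headers, counts) != verifier_view(modified, counts)


def classify_prepend(new_name, new_value, before_index, headers=INCOMING_HEADERS):
    """'breaks' or 'safe' for the constructed message above."""
    if prepend_breaks_signature(headers, new_name, new_value, before_index):
        return "breaks"
    return "safe"
```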


RE: How to tell my ISP there's a problem

2019-06-18 Thread Fazzina, Angelo
Hi, your Postfix logs look normal to my untrained eyes.
If it was me I would figure out the best contact email for the ISP and tell 
them as much detailed info as I could, so it is easy for them to get you the 
answer to "what happened to X email?".

Looks like they just need this line :

Jun 17 12:03:16 localhost postfix/smtp[8033]: 10C52100049C: 
to=, orig_to=, 
relay=smtp.embarqmail.com[206.152.134.66]:25, delay=3.6, 
delays=0.05/0.01/0.17/3.3, dsn=2.0.0, 
status=sent (250 SPF validation soft failure)

They will then know the :
DATE
TIME
IP address of server that accepted your email

Also I think they will want the FQDN and IP address of your server.

Good luck

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Richard James Salts
Sent: Monday, June 17, 2019 11:29 PM
To: postfix-users@postfix.org
Subject: Re: How to tell my ISP there's a problem

On Monday, 17 June 2019 7:48:05 PM AEST Chris Pollock wrote:
> Apologies if the subject is vague however I'll attempt to explain
> further. I run a cron job once a day that updates my Spamassassin
> rules. Up until a couple of weeks ago I would get the output of that
> cron job mailed to me. For some reason this is the only cron job output
> that's not coming back. I've determined that size it not a factor since
> some of my hourly logcheck messages are up to 400k if a restart has
> taken place. Below is the output when it was working and the output
> since them. I can't see a difference so it has to be something at my
> ISP with just this one cron job but I can't see it.
> 
> https://pastebin.com/v0rMErQh
> 
> Thanks for any suggestions
Maybe it's going to a spam folder. I notice that the reply from your isp says 
250 SPF validation soft failure in both cases, but if they stopped forwarding 
"potentially forged" emails that might be a possible cause. It is definitely 
the behaviour on smtp.embarqmail.com that has changed though, so you need to 
ask the administrators of that server. Is this direct to MX or is it a fixed 
relay intended to be a smarthost?



RE: OpenDKIM not signing

2019-04-09 Thread Fazzina, Angelo
Hi, not sure my SOP will help you but here it is and it does work.

https://linux.uits.uconn.edu/dkim-review-of-all-aspects/

Your logs will be the best place to find problems.
Good Luck.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Laura Smith
Sent: Tuesday, April 9, 2019 5:43 AM
To: Jim P. 
Cc: postfix-users@postfix.org
Subject: Re: OpenDKIM not signing

‐‐‐ Original Message ‐‐‐
On Tuesday, April 9, 2019 9:40 AM, Jim P.  wrote:

> On Tue, 2019-04-09 at 08:22 +, Laura Smith wrote:
>
> > OpenDKIM is not signing my mails.
>
> .
>
> > KeyTable    /etc/opendkim/KeyTable
>
> I think this should be:
>
> KeyTable refile:/etc/opendkim/KeyTable
>
> > InternalHosts   refile:/etc/opendkim/TrustedHosts
>
> Try using ExternalIgnoreList (I don't know why it works, but it does)
>
> #InternalHosts refile:/etc/opendkim/InternalHosts
> ExternalIgnoreList refile:/etc/opendkim/InternalHosts
>
> hth,
>
> -Jim P.


That seems to have woken something up (although not the signing); the logs have 
started showing something:
Apr  9 09:40:14 rx200 mail.info opendkim[4396]: C03DE1014429: 
foobar.example.com [192.0.2.10] not internal
Apr  9 09:40:14 rx200 mail.info opendkim[4396]: C03DE1014429: not authenticated
Apr  9 09:40:14 rx200 mail.debug opendkim[4396]: C03DE1014429: no signature data




RE: Release from HOLD

2019-03-21 Thread Fazzina, Angelo
From the man page 

man 5 postconf


transport_maps (default: empty)
       Optional lookup tables with mappings from recipient address to (message
       delivery transport, next-hop destination).  See transport(5) for details.

       Specify zero or more "type:table" lookup tables.  If you use this feature
       with local files, run "postmap /etc/postfix/transport" after making a change.


This 
proxy:mysql:/etc/postfix/mysql_transport.cf
looks like type:type:table
not
type:table


Did your postfix server work and suddenly stop, and you have made no changes?
If so, then I cannot help you and you need more expert advice.



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: Rafael Azevedo  
Sent: Thursday, March 21, 2019 10:34 AM
To: Fazzina, Angelo 
Cc: Postfix users 
Subject: Re: Release from HOLD

Hi Angelo, thanks for your reply!

transport_maps = proxy:mysql:/etc/postfix/mysql_transport.cf
virtual_transport = virtual

BR,
Rafael


On Thu, 21 Mar 2019 at 10:53, Fazzina, Angelo wrote:
>
> Hi, you may get more help by providing helpful info like
>
>
> # postconf -n | grep -i transport
>
>
>
> -ANGELO FAZZINA
>
> ang...@uconn.edu
> University of Connecticut,  ITS, SSG, Server Systems
> 860-486-9075
>
> -Original Message-
> From: owner-postfix-us...@postfix.org  On 
> Behalf Of Rafael Azevedo
> Sent: Thursday, March 21, 2019 8:19 AM
> To: Postfix users 
> Subject: Release from HOLD
>
> Hi guys,
>
> I had a failure in one of our postfix routines that sent all messages to HOLD.
>
> Now, I'm trying to release from HOLD using 'postsuper -H ALL'.
>
> The thing is that all messages are being deferred (mail transport 
> unavailable).
>
> So, is there a way to check current message transport and maybe move
> to another one?
>
> Thanks a lot.
>
> BR,
>
> Rafael


RE: Release from HOLD

2019-03-21 Thread Fazzina, Angelo
Hi, you may get more help by providing helpful info like


# postconf -n | grep -i transport



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Rafael Azevedo
Sent: Thursday, March 21, 2019 8:19 AM
To: Postfix users 
Subject: Release from HOLD

Hi guys,

I had a failure in one of our postfix routines that sent all messages to HOLD.

Now, I'm trying to release from HOLD using 'postsuper -H ALL'.

The thing is that all messages are being deferred (mail transport unavailable).

So, is there a way to check current message transport and maybe move
to another one?

Thanks a lot.

BR,

Rafael


Re: DKIM setup writeup for multi domain?

2019-03-12 Thread Fazzina, Angelo
Hi, wouldn't the answer to the OP's question be to just list all the domains 
they want signed in the file
/etc/opendkim/SigningTable ?

Assuming they are using Opendkim.

I wrote some documentation here.
https://linux.uits.uconn.edu/dkim-review-of-all-aspects/


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Michael
Sent: Tuesday, March 12, 2019 2:48 PM
To: postfix-users@postfix.org
Subject: {SPAM?} Re: DKIM setup writeup for multi domain?

I think this is the one I used.  Works great. 
https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/


On 2019-03-12 7:31 am, li...@sbt.net.au wrote:

> I'm looking at adding DKIM to my Postfix
> 
> Is there some up-to-date DKIM setup write-up for a multi-domain Postfix
> setup? Most of the ones I've found are for a single domain, and use
> different setups, hence I'm trying to figure out what's the best way to
> set this up.
> 
> V


RE: stress tested postfix

2019-03-06 Thread Fazzina, Angelo
Hi, I am curious why no one has recommended using what looks like a built-in 
testing [benchmark] tool in Postfix?

/usr/sbin/smtp-source


I gave the man page a quick look and it seemed it may help, based on the given 
specs provided by the OP.

I have versions 2.6.x and 2.10.x and assume it is still in versions 3.x.x

Good Luck in your testing.

-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Mauricio Tavares
Sent: Wednesday, March 6, 2019 9:20 AM
To: De Petter Mattheas 
Cc: Postfix users 
Subject: Re: stress tested postfix

On Wed, Mar 6, 2019 at 7:50 AM De Petter Mattheas
 wrote:
>
> Comments below
>
> Thanks for the help by the way :)
>
> -Original Message-
> From: patpro 
> Sent: 06 March 2019 13:34
> To: De Petter Mattheas 
> Cc: Postfix users ; owner-postfix-us...@postfix.org
> Subject: Re: stress tested postfix
>
> On 2019-03-06 13:10, De Petter Mattheas wrote:
>
>
> > Yes it is a strange business model, but the postfix must run on our
> > vessels.
> > So they sail over the world and because of the time difference we
> > can't help them right away.
>
> I believe you should clarify or remake your test model; there is something 
> I'm not sure I understand:
>
> - is a single ship likely to generate +40K email messages in an hour, or does 
> this high figure apply to the postfix that will receive all messages from 
> all ships?
> - do you account for the latency of the offshore internet connection
> (satellite?) in your test?
>
> # a single ship can generate up to 60K in an hour; we have had it in the past 
> when a ship goes into error or failure, or by mistake of the programmer it sends 
> alert mails to HQ

  Meh, the Nigerian Prince can do better. ;)

> # the test was done in our virtual lab so there was no SatCom involved; that 
> was our next test. The interfaces were two virtual NICs on a virtual switch.
>
>
> Also, in my experience high-throughput email servers are heavily dependent on 
> storage IO: you might find out that every other server performs OK on your 
> virtualization node and still get an IO bottleneck in your email server.
>
> # still, even when I/O is the bottleneck postfix should not accept the mail 
> and leave it in the queue at the exchange, should it?
>
>
> Finally, like Wietse wrote, postfix does not lose email. Worst case
> scenario: your OS loses files. Normal scenario: postfix refuses email it can't 
> ingest with a temp error, sender retries later.
>
> # as I wrote before, then postfix should indeed drop the mail and send 
> retries, but that doesn't happen. Postfix accepts the mail and exchange 
> thinks it's delivered. And the mail itself is lost, not anymore on exchange 
> and not in the maildir of postfix.
>
  Could you crank up the postfix log to debug mode? I do remember
that when you let the log file be really verbose, it will keep track
of everything that happens to every single email. Then you have to
find which emails are going missing and follow them. Not a fun step
but has to be done.

If you can then find where in the sequence of events those emails are
disappearing, you might be able to figure out why. Or, posting that
part of the log will help others help you.

>
> Patrick


RE: New SASL error when relaying through gmail

2019-01-15 Thread Fazzina, Angelo
It may be time to crank up the debug level on Postfix or do a tcpdump capture to 
see what you are sending over the wire when it works and when it doesn't.


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Michael
Sent: Tuesday, January 15, 2019 2:48 PM
To: postfix-users@postfix.org
Subject: Re: New SASL error when relaying through gmail

On 1/14/19 11:19 AM, Wietse Venema wrote:

> The 'invalid parameter supplied' is an error message the local SASL
> library. This error happens while Postfix prepares to send the AUTH
> command.
>
> Why does the Cyrus SASL library return 'invalid parameter supplied'?
> I can only speculate that it does not like something about the SASL
> mechanism list (which Postfix got from the Gmail server), or something
> about the username or password (which it got from local file).
>
> It would be worthwhile to see the AUTH parameter in the server's
> EHLO response before and after Postfix sends STARTTLS.
>
>   Wietse


Thanks Wietse,


Using Angelo's testing methodology, I can see this:

250-smtp.gmail.com at your service, [68.226.113.229]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8


I am not sure how to check from postfix.


Michael



RE: New SASL error when relaying through gmail

2019-01-14 Thread Fazzina, Angelo
Hi, can you manually use commands to test that the U/P are working from your 
postfix server?

1. Run this to test connectivity to your server 
openssl s_client -starttls smtp -connect your.host.name:587
Typical OUTPUT =
250 DSN
quit
221 2.0.0 Bye
closed

2. Run this to create a hash
python3 -c 'import base64,sys; u,p=sys.argv[1:3]; print(base64.b64encode(("%s\x00%s\x00%s" % (u,u,p)).encode()).decode())' username password
OUTPUT = dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
Replace username and password with real ones


Once Steps 1 and 2 work, you can test authentication with the hash in Step 3

3. Run the openssl commands and connect to your server.
A. Do an "ehlo domain" to see the commands supported
EXAMPLE :
ehlo domain
250-localpart.domain.part
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
B. execute the AUTH PLAIN LOGIN command option using the HASH you made 
in Step 3
AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ= 

C. look for output
235 2.7.0 Authentication successful


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Michael
Sent: Monday, January 14, 2019 1:00 PM
To: postfix-users@postfix.org
Subject: Re: New SASL error when relaying through gmail

On 1/14/19 10:42 AM, Christopher van de Sande wrote:
> Just a guess, but are you using App passwords for GMail?  It's 
> possible Gmail is enforcing some 2FA/MFA or otherwise some kind of 
> "enhanced" authentication.
>
> Even if you aren't using 2FA, it might be worth giving a shot.
>
>> I thought this might be the case as well. I reset the account 
>> password and also re-setup the application password on the 
>> gmail account for postfix (in my sasl password file). That didn't 
>> seem to make a difference. Is there an easy way to test the app 
>> password on google?
>>
>>
>> Michael
>>
>>


I went back into my account and turned on less secure apps and turned 
off 2FA. I tried again with the regular password and the app 
password. Still the same error. I hate when things work and then 
suddenly break :(


Michael
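Angelo's three steps (EHLO, build the AUTH PLAIN token, send it) as an added Python 3 example that is not part of the thread: it parses the EHLO reply Michael pasted for the AUTH line, builds the RFC 4616 PLAIN token (authzid NUL authcid NUL password, base64) and decodes one back. The same steps are repeated in the later "SSL not working" reply; the credentials here are placeholders.

```python
import base64

# EHLO reply as Michael quoted it from Gmail (copied here so the demo runs offline).
EHLO_REPLY = """250-smtp.gmail.com at your service, [68.226.113.229]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
"""


def parse_ehlo(reply):
    """Map each advertised keyword to its parameters, e.g.
    {'AUTH': ['LOGIN', 'PLAIN', ...], 'SIZE': ['35882577'], 'DSN': []}.
    The first 250 line is the server's greeting and carries no keyword."""
    lines = [line for line in reply.splitlines() if line.startswith("250")]
    caps = {}
    for line in lines[1:]:
        words = line[4:].split()            # drop the "250-" / "250 " prefix
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def sasl_plain_token(user, password, authzid=""):
    """The string that follows 'AUTH PLAIN ': base64 of
    authzid NUL authcid NUL password (RFC 4616).  Angelo's one-liner puts the
    username in the authzid slot as well, which servers accept; leaving it
    empty is the more common form."""
    raw = f"{authzid}\x00{user}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_token(token):
    """Inverse of sasl_plain_token: (authzid, authcid, password).  Handy for
    checking exactly what an existing token sends before pasting it."""
    parts = base64.b64decode(token).decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN token must hold exactly three NUL-separated fields")
    return tuple(parts)


def auth_plain_available(reply):
    """True if the EHLO reply offers PLAIN.  A Postfix server with
    smtpd_tls_auth_only=yes only advertises AUTH after STARTTLS, so check the
    EHLO sent inside the TLS session (openssl s_client -starttls smtp)."""
    return "PLAIN" in {m.upper() for m in parse_ehlo(reply).get("AUTH", [])}
```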




RE: New SASL error when relaying through gmail

2019-01-14 Thread Fazzina, Angelo
Hi, I suspect this is wrong

relayhost = [smtp.gmail.com]:587


That looks like the typical setup for an email client using IMAP, and that is the 
config for sending email.
It would require a username and password.

https://support.google.com/mail/answer/7126229



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Michael
Sent: Monday, January 14, 2019 10:23 AM
To: postfix-us...@cloud9.net
Subject: New SASL error when relaying through gmail

Hello,

I have been using postfix on a local machine for a few years to act as a 
relay for my domain to send email out through gmail.


This has worked well enough, but I noticed recently that I had some 
email queued up and was not getting emails out any longer.


In my mailog, I am seeing these errors:

Jan 14 08:16:18 deathstar postfix/smtp[16142]: 8CBF11E12B5: 
to=, relay=smtp.gmail.com[173.194.203.108]:587, 
delay=58297, delays=58297/0.05/0.71/0, dsn=4.7.0, status=deferred (SASL 
authentication failed; cannot authenticate to server 
smtp.gmail.com[173.194.203.108]: invalid parameter supplied)

I have googled a lot, but I am not finding anything that matches this 
error message. I am not sure also what might have changed to cause 
this. Not sure if Google changed something or a package update broke 
something, etc.


This is in Fedora 29, x86_64, postfix-3.3.1, and 
cyrus-sasl-lib-2.1.27-0.3rc7.


output of postconf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my.domain
myhostname = deathstar.my.domain
mynetworks = 192.168.0.0/16, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.gmail.com]:587
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /root/.acme.sh/my.domain/my.domain.cer
smtp_use_tls = yes
unknown_local_recipient_reject_code = 550


Any thoughts on what the error means and what I might need to change?


Michael




RE: dnsbl postscreen - not blocking

2018-12-19 Thread Fazzina, Angelo
Hi, I don't know the answer to your question, but from this site
http://www.sorbs.net/using.shtml
it looks like the IP 209.85.166.196 has tripped one of these:


new.spam.dnsbl.sorbs.net        127.0.0.6
recent.spam.dnsbl.sorbs.net     127.0.0.6
old.spam.dnsbl.sorbs.net        127.0.0.6
spam.dnsbl.sorbs.net            127.0.0.6
escalations.dnsbl.sorbs.net     127.0.0.6


Maybe going down that rabbit hole will get you some answers ?
Good Luck.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Stefan Bauer
Sent: Wednesday, December 19, 2018 8:01 AM
To: Postfix users 
Subject: dnsbl postscreen - not blocking

Hi,

Dec 19 13:04:36 mx1 postfix/postscreen[4770]: CONNECT from 
[209.85.166.196]:52168 to [public-ip]:25
Dec 19 13:04:42 mx1 postfix/dnsblog[4774]: addr 209.85.166.196 listed by domain 
dnsbl.sorbs.net as 127.0.0.6
Dec 19 13:04:42 mx1 postfix/postscreen[4770]: PASS NEW [209.85.166.196]:52168
Dec 19 13:04:42 mx1 postfix/smtpd[4778]: connect from 
mail-it1-f196.google.com[209.85.166.196]

Why did Google pass postscreen even though it's listed in one of the RBLs?


postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    bl.spamcop.net*1
    b.barracudacentral.org*1
    dnsbl.sorbs.net*1
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce

Am I missing something obvious?

Stefan



RE: Looking for appropriate place to ask a DKIM question

2018-12-17 Thread Fazzina, Angelo
Thank you.
I am still setting up the server's DNS TXT records.
I started with DKIM and have not got around to DMARC yet, but I guess that will 
be the next thing to configure, and then more testing.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Benny Pedersen
Sent: Monday, December 17, 2018 1:18 PM
To: postfix-users@postfix.org
Subject: Re: Looking for appropriate place to ask a DKIM question

Viktor Dukhovni skrev den 2018-12-17 18:03:
>> On Dec 17, 2018, at 11:48 AM, Thiago Souza 
>>  wrote:
>> 
>> _DMARC.mta5.uits.uconn.edu
>> v=DMARC1; p=none; rua=dkim-err...@mta5.uits.uconn.edu; 
>> ruf=mailto:dkim-err...@mta5.uits.uconn.edu; rf=afrf; fo=1; pct=100; 
>> adkim=s; aspf=s
>> Note the p=none, to do not lose any e-mails at first..
>> After your configuration is checked and correct. Change to quarentine 
>> or reject.
> 
> But first see:
> https://dmarc.org/wiki/FAQ#Do_I_want_to_receive_Failure_Reports_.28ruf.3D.29.3F

+1

dmarc is now removed for that domain, it solved that rua just missed 
mailto:

https://dmarcian.com/dmarc-inspector/?domain=mta5.uits.uconn.edu

https://dmarcian.com/dmarc-record-wizard/

hopefully it helps


testing question

2018-12-14 Thread Fazzina, Angelo
Hi, I am trying to simulate a DKIM failure and have not been able to figure out 
how.

Goal: test my "report" TXT record actually works.  Talking about RFC 6651

I was hoping that with postfix and opendkim running and signing emails I could 
just turn opendkim off and send an email through and get it to fail, but 
instead the headers have
dkim=none

I was expecting "fail"

This is a test server so I can break stuff. Should I just change the public key 
in the DNS of the key TXT record so it is wrong and send another email through 
and see what I get ?

Thanks to anyone that knows how to test this stuff. The dkim mailing list seems 
to be a ghost town.
Was using this link to come up with ideas for a testing plan. 
https://bobcares.com/blog/dkim-result-fail-bad-signature/

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: SSL not working after unwanted server migration

2018-12-10 Thread Fazzina, Angelo
Hi, once you correct your configuration this may help you test it is correct


1. Run this to test connectivity to your server via STARTTLS  [Submission in 
master.cf]
openssl s_client -starttls smtp -connect your.host.name:587
Typical OUTPUT =
250 DSN
quit
221 2.0.0 Bye
closed
2. Run this to test connectivity to your server via SMTPS
openssl s_client  -connect your.host.name:465
Typical OUTPUT =
220 your.host.name ESMTP Postfix (2.10.1)

3. Run this to create a hash
python -c 'import base64,sys; u,p=sys.argv[1:3]; print base64.encodestring("%s\x00%s\x00%s" % (u,u,p))' username password
OUTPUT = dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=
Replace username and password with real ones

Once Steps 1 and 2 work, you can test authentication with the hash in Step 3

4. Run the openssl commands and connect to your server.
A. do and "ehlo domain" to see commands supported
EXAMPLE :
ehlo domain
250-localpart.domain.part
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
B. execute the AUTH PLAIN LOGIN command option using the HASH you made 
in Step 3
AUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ= 

C. look for output
235 2.7.0 Authentication successful

5. you can just type quit or finish the smtp commands and send yourself an 
email. Also errors should show up at stdout if you still have any.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075
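The five steps above as an added Python 3 example (not code from Angelo's message or from Postfix): it builds the step 3 token with base64 (the original one-liner uses the Python 2 print statement), drives steps 1, 2 and 4 with smtplib, and additionally checks that AUTH is advertised only after STARTTLS, which the server should enforce (Postfix smtpd_tls_auth_only = yes). The host name mail.example.org and the credentials are placeholders.

```python
"""Added example (not code from the thread or from Postfix): Python 3 versions of the
manual STARTTLS / SMTPS / AUTH PLAIN checks. Host names and credentials are placeholders."""
import base64
import smtplib
import ssl
import sys


def auth_plain_token(username, password, authzid=None):
    """RFC 4616 PLAIN token: [authzid] NUL authcid NUL password, base64-encoded.
    The one-liner in step 3 sends the user name twice, i.e. authzid == authcid."""
    authzid = username if authzid is None else authzid
    raw = f"{authzid}\x00{username}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain_token(token):
    """Reverse of auth_plain_token, to confirm what a token really carries."""
    parts = base64.b64decode(token).decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("a PLAIN token has exactly two NUL separators")
    return {"authzid": parts[0], "authcid": parts[1], "password": parts[2]}


def check_submission(host, port=587, username=None, password=None, timeout=10):
    """Steps 1 and 4: EHLO, STARTTLS, EHLO again, optionally AUTH PLAIN.
    Also records whether AUTH is advertised before TLS, which the server should
    not do (Postfix: smtpd_tls_auth_only = yes); 'openssl s_client' hides this."""
    ctx = ssl.create_default_context()            # verifies the chain and the host name
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        auth_before_tls = s.esmtp_features.get("auth", "").split()
        s.starttls(context=ctx)
        s.ehlo()                                   # features must be re-read after TLS
        auth_after_tls = s.esmtp_features.get("auth", "").split()
        result = {"tls_version": s.sock.version(),
                  "auth_before_tls": auth_before_tls, "auth_after_tls": auth_after_tls,
                  "auth_only_over_tls": not auth_before_tls and bool(auth_after_tls)}
        if username is not None:                   # steps 4B/4C: expect 235 2.7.0
            code, msg = s.docmd("AUTH", "PLAIN " + auth_plain_token(username, password))
            result["auth_code"], result["auth_reply"] = code, msg.decode(errors="replace")
    return result


def check_smtps(host, port=465, timeout=10):
    """Step 2: implicit TLS on port 465; returns the EHLO code and AUTH mechanisms."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
        code, _ = s.ehlo()
        return {"ehlo_code": code, "auth": s.esmtp_features.get("auth", "").split()}


if __name__ == "__main__":                         # usage: script.py mail.example.org [user pass]
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    creds = sys.argv[2:4] if len(sys.argv) >= 4 else (None, None)
    print(check_submission(host, username=creds[0], password=creds[1]))
    print(check_smtps(host))
```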

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Monday, December 10, 2018 10:01 AM
To: Postfix users 
Subject: Re: SSL not working after unwanted server migration

> On Dec 10, 2018, at 9:46 AM, Marco Fioretti  wrote:
> 
> This afternoon I have urgent family matters to attend, not sure if I
> will able to test and report before tomorrow afternoon about all the
> other advice I got so far.

You can skip all the other advice.  You need to post logs, specifically
logs that report the problem initializing TLS support in smtpd(8) and
smtp(8).  You also need to confirm the configured file names, and
report "ls -l" output for the *exact* files in your configuration, not
some similarly named files.  The file permissions should be standard,
owner root mode 0600 for private keys, and either 0600 or 0644 for
certs if separate and there are no keys in the cert files.

> But I need to restore email anyway asap, and right
> now it feels as being forced to solve a puzzle without knowing what it
> represents...

The answers are in the logs.

-- 
Viktor.



RE: looking for any options to better deal with mail looping

2018-11-28 Thread Fazzina, Angelo
Hi, I am still lost with how this all works together, sadly.  Do you see 
obvious errors or am I misunderstanding the limits of what can be done ?

I am not sure yet what is relevant 
My current settings:
relay_recipient_maps = mysql:/etc/postfix/files/mysql_pn.cf
smtpd_recipient_restrictions =  reject_unknown_recipient_domain,  
check_recipient_access 
hash:/etc/postfix/files/sender_relay_domains, 
reject_unverified_recipient, 
permit_mynetworks, 
permit_sasl_authenticate
smtpd_relay_restrictions =  check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

[root@mta5 files]# more sender_relay_domains
## -ALF This should allow Listerv addresses even though they are not in PerName 
DB
listserv.uconn.edu  DUNNO

[root@mta5 maps]# more transport
#  Domains *relayed*  by pn.uconn.edu and which map to the hosts' A record.
ad.uconn.edu            smtp:[uconn-edu.mail.protection.outlook.com]
darwin.eeb.uconn.edu    smtp:[darwin.eeb.uconn.edu]
listserv.uconn.edu      smtp:[listserv.uconn.edu]



My goal is to allow all mail TO  anyth...@listserv.uconn.edu but still check 
recipient for other domains like darwin.eeb.uconn.edu

MY testing:

Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ang...@uconn.edu
250 2.1.0 Ok
rcpt to:b...@darwin.eeb.uconn.edu
450 4.1.1 : Recipient address rejected: unverified 
address: Address verification in progress
rcpt to:k...@darwin.eeb.uconn.edu
250 2.1.5 Ok
rcpt to:spa...@listserv.uconn.edu
450 4.1.1 : Recipient address rejected: unverified 
address: Address verification in progress
quit
221 2.0.0 Bye
Connection closed by foreign host.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Noel Jones
Sent: Friday, November 16, 2018 4:10 PM
To: postfix-users@postfix.org
Subject: Re: looking for any options to better deal with mail looping

On 11/16/2018 2:41 PM, Fazzina, Angelo wrote:
> Hi again,
> Even though my configuration does what I need it to do, it seems to have 
> broken something else that needs to still work.
> Did I forget something or just did this wrong ?
> Will this setting allow whitelisting something to help the issue 
> "smtpd_sender_restrictions"
> I maybe just confusing the processing Postfix does AFA  envelope TO and FROM 
> and header TO and FROM...?

The To: From: headers have no relation to postfix delivery. All
delivery is based on envelope addresses.


> 
> Here is the test showing what is broken:
>... 
> 250 2.1.0 Ok
> rcpt to:uconn_employee...@listserv.uconn.edu
> 450 4.1.1 : Recipient address rejected: 
> unverified address: Address verification in progress
>...

Nothing wrong here.  The address verification is in progress and the
client is free to retry delivery.  Presumably the verification
completed a few seconds later.  This will be noted in the log.

If you wish to exempt some recipient from verification, add a
check_recipient_access map before the reject_unverified_recipient


> Here is my current config in main.cf :
> smtpd_recipient_restrictions = reject_unknown_recipient_domain, 
> reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, 
> reject_unauth_destination

Typically, reject_unverified_recipient would be after
reject_unauth_destination to prevent verifying random internet
recipients, or in a check_recipient_access map to limit the scope of
the checks.  Something like:

dontverif...@example.com  DUNNO
listserv.example.com  DUNNO
example.com  reject_unverified_recipient


> relay_recipient_maps = hash:/etc/postfix/files/sender_relay_domains,  
> mysql:/etc/postfix/files/mysql_pn.cf
>   [root@mta5 files]# more sender_relay_domains
>   @listserv.uconn.edu  OK

relay_recipient_maps does not exempt addresses from the
reject_unverified_recipient check.  See the above example for how to
exempt addresses from verification.


> 
> Here is [most of] the headers of a real email that gets delivered to my 
> first.l...@uconn.edu address even though it does not appear anywhere in the 
> headers :

Headers are irrelevant for this discussion.  Postfix logs will show
what is happening.




  -- Noel Jones


RE: looking for any options to better deal with mail looping

2018-11-16 Thread Fazzina, Angelo



Thank you for any breadcrumbs to get this working without breaking existing 
functionality.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Tuesday, November 13, 2018 4:30 PM
To: Postfix users 
Subject: Re: looking for any options to better deal with mail looping



> On Nov 13, 2018, at 4:22 PM, Fazzina, Angelo  wrote:
> 
> Is it as simple as changing this parameter in main.cf ?
> unverified_recipient_defer_code (default: 450)

Yes.

-- 
Viktor.



RE: looking for any options to better deal with mail looping

2018-11-13 Thread Fazzina, Angelo
Hi, thank you Viktor, i deleted the .db file. 
i reread the docs and removed all my previous changes and started over.

Wietse, thanks for the tip "relay_recipient_maps"

My old config was :

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination

transport_maps = hash:/etc/postfix/maps/transport
/etc/postfix/maps/transport .
darwin.eeb.uconn.edu    smtp:[darwin.eeb.uconn.edu]

My new config is :

smtpd_recipient_restrictions = reject_unknown_recipient_domain, 
reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination

relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf

the transport stuff was left untouched.

RAN  systemctl reload postfix
tested 
[root@mta4 postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mta4.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta4.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ang...@uconn.edu
250 2.1.0 Ok
rcpt to:ang...@darwin.eeb.uconn.edu
450 4.1.1 : Recipient address rejected: unverified 
address: host darwin.eeb.uconn.edu[137.99.139.139] said: 550 5.1.1 
: Recipient address rejected: User unknown in 
local recipient table (in reply to RCPT TO command)
rcpt to:k...@darwin.eeb.uconn.edu
250 2.1.5 Ok
quit
221 2.0.0 Bye

I think it's working as desired, only one thing I can't understand.
My server mta4 gave the 450 4.1.1 and server Darwin.eeb.uconn.edu gave 550 
5.1.1, so why is it taking so long to get an NDR ?

[ I did another test with my outlook client and got same response  as seen here 
from O365 message trace details]
Reason: [{LED=450 4.1.1 : Recipient address 
rejected: unverified address: host darwin.eeb.uconn.edu[137.99.139.139] said: 
550 5.1.1 : Recipient address rejected: User 
unknown in local recipient table (in reply to RCPT TO 
command)};{MSG=};{FQDN=smtp.uconn.edu};{IP=137.99. OutboundProxyTargetIP: 
137.99.25.243. OutboundProxyTargetHostName: smtp.uconn.edu

Is it as simple as changing this parameter in main.cf ?
unverified_recipient_defer_code (default: 450)


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Wednesday, November 7, 2018 4:55 PM
To: postfix users 
Subject: Re: looking for any options to better deal with mail looping

> On Nov 7, 2018, at 3:26 PM, Fazzina, Angelo  wrote:
> 
> relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf
> 
> I did a test
> postmap /etc/postfix/files/mysql_pn.cf

There's no point in trying to "postmap" MySQL, LDAP, PostgreSQL, "pcre", 
"regexp", ... tables.

Only tables that have an on-disk *indexed* format need "postmap":

- cdb
- btree
- hash
- lmdb
- dbm  (obsolete)
- sdbm (obsolete)

-- 
Viktor.



RE: looking for any options to better deal with mail looping

2018-11-07 Thread Fazzina, Angelo
I changed my config and added/changed in main.cf

smtpd_recipient_restrictions = reject_unknown_recipient_domain, 
reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_poll_delay = 3s
address_verify_map = btree:$data_directory/verify_cache
relay_recipient_maps =  mysql:/etc/postfix/files/mysql_pn.cf

I did a test
postmap /etc/postfix/files/mysql_pn.cf
systemctl restart postfix

THEN
[root@mta5 postfix]# telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 mta5.uits.uconn.edu ESMTP Postfix (2.10.1)
ehlo uconn.edu
250-mta5.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ang...@uconn.edu
250 2.1.0 Ok
rcpt to:ange...@darwin.eeb.uconn.edu
250 2.1.5 Ok
quit
221 2.0.0 Bye

[root@mta5 postfix]# mlgrep 2F56E3000A39 /var/log/maillog

Nov  7 14:49:02 mta5 postfix/cleanup[32604]: 2F56E3000A39: 
message-id=<20181107194902.2f56e3000...@mta5.uits.uconn.edu>
Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: 
from=, size=284, nrcpt=1 (queue active)
Nov  7 14:49:02 mta5 postfix/smtp[32607]: 2F56E3000A39: 
to=, 
relay=darwin-eeb-uconn-edu.mail.protection.outlook.com[207.46.163.106]:25, 
delay=0.39, delays=0.01/0.02/0.23/0.14, dsn=2.1.5, status=deliverable (250 
2.1.5 Recipient OK)
Nov  7 14:49:02 mta5 postfix/qmgr[31379]: 2F56E3000A39: removed


MY QUESTION:
Why do logs show " status=deliverable" ? I get this no matter if "TO" is real 
or a fake address BTW.
Is it due to the relay[207.46.163.106] blindly accepting all mail with "TO" of  
anyth...@darwin.eeb.uconn.edu ?

Have I misinterpreted how to use relay_recipient_maps =  
mysql:/etc/postfix/files/mysql_pn.cf ?? From logs I think postfix is not using 
this setting

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Wietse Venema
Sent: Wednesday, November 7, 2018 11:38 AM
To: Postfix users 
Subject: Re: looking for any options to better deal with mail looping

Fazzina, Angelo:
> Hi, I have a domain that has MX point to O365 and then O365 relays
> mail to Postfix server.  Currently, Postfix does a lookup in a
> MySql table to know where to relay the email to, AFA next hop. If
> not found in table Postfix looks up MX and relays the email.

Postfix should first verify that the recipient exists, before accepting
the mail. Perhaps you can use the MySQL table with relay_recipient_maps.

For more info on inbound recipient validation:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Basically, have a list of valid recipients, or dynamically build
a cache with reject_unverified_recipient.

Wietse


looking for any options to better deal with mail looping

2018-11-07 Thread Fazzina, Angelo
Hi, I have a domain that has MX point to O365 and then O365 relays mail to 
Postfix server.
Currently, Postfix does a lookup in a MySql table to know where to relay the 
email to, AFA next hop. If not found in table Postfix looks up MX and relays 
the email.

I want to know if there is a more graceful way of dealing with mail loops 
caused by sending to invalid addresses ?

Example:

A.  TO: realu...@test.domain.com  -> O365 
-> postfix -> relay to destination server [cuz found in table]

B.  TO: fakeu...@test.domain.com -> O365 
-> postfix ->  lookup MX and relay[cuz not found in table ] ->O365 -> 
Postfix -> you get the idea

For "B" I tested and it finally sends me the bounce back after 9 loops

[216.32.180.170] said: 554
5.4.14 Hop count exceeded - possible mail loop ATTR1

Is there a savvy setting in Postfix to deal with this scenario [ like telling 
postfix, for this domain, if you don't find entry in table bounce and don't 
look up MX ?]  Or is Postfix already doing the best it can.

Thank you.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



Postscreen newb questions

2018-10-31 Thread Fazzina, Angelo
Hi, i am learning/testing Postscreen on Postfix 2.10.1
I read the man page and need a little help understanding this :

This program should not be used on SMTP ports that receive mail from end-user 
clients (MUAs). In a typical deployment, postscreen(8) handles the MX service on 
TCP port 25, while MUA clients submit mail via the submission service on TCP 
port 587 which requires client authentication. Alternatively, a site could set 
up a dedicated, non-postscreen, "port 25" server that provides submission 
service and client authentication, but no MX service.

What does "MX service" mean ?

I am not sure how to leverage postscreen for authenticated smtp traffic to my 
server over ports 587 and 465, or is that not
what postscreen was meant to handle ?

i changed main.cf and master.cf as advised on www.postfix.org/POSTSCREEN_README.html#enable
but did not do step #7.
Then did a systemctl reload postfix

I sent  test emails with T-bird directly to the server testing port 25,587, and 
465 to see what shows up in logs.
Postscreen logs only show up when i send over port 25 as i think they should.

Oct 31 16:03:27 mta5 postfix/postscreen[3944]: CONNECT from 
[137.99.80.129]:51476 to [137.99.25.249]:25
Oct 31 16:03:27 mta5 postfix/postscreen[3944]: WHITELISTED [137.99.80.129]:51476
Oct 31 16:03:27 mta5 postfix/smtpd[3945]: connect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct 31 16:03:27 mta5 postfix/smtpd[3945]: 61D353000A3A: 
client=angelo.uits.uconn.edu[137.99.80.129]
Oct 31 16:03:27 mta5 postfix/cleanup[3968]: 61D353000A3A: warning: header 
Subject: new testing from angelo.uits.uconn.edu[137.99.80.129]; 
from= to= proto=ESMTP 
helo=<[137.99.80.129]>
Oct 31 16:03:27 mta5 postfix/cleanup[3968]: 61D353000A3A: 
message-id=
Oct 31 16:03:27 mta5 opendkim[1446]: 61D353000A3A: DKIM-Signature field added 
(s=dkim1, d=mta5.uits.uconn.edu)
Oct 31 16:03:27 mta5 postfix/qmgr[3936]: 61D353000A3A: 
from=, size=676, nrcpt=1 (queue active)
Oct 31 16:03:27 mta5 postfix/smtpd[3945]: disconnect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct 31 16:03:29 mta5 postfix/smtp[3971]: 61D353000A3A: 
to=, orig_to=, 
relay=uconn-mail-onmicrosoft-com.mail.protection.outlook.com[216.32.180.170]:25,
 delay=1.9, delays=0.11/0.02/0.05/1.8, dsn=2.6.0, status=sent (250 2.6.0 
 
[InternalId=3019362009548, Hostname=BN7PR05MB5859.namprd05.prod.outlook.com] 
9969 bytes in 0.262, 37.150 KB/sec Queued mail for delivery)

I guess what i am getting at is, if i only allow port 25 traffic from within my 
network via this setting
mynetworks = /etc/postfix/files/mynetwork
/etc/postfix/files/mynetwork contains
137.99.0.0/16
then everything postscreen will ever see will be whitelisted. If i got that 
right then, am i not a good use case for using it
and should just keep it off ?


More of my random thoughts:
If i wanna send an email through the server from home i have to use port 587 or 
465 and it seems like postscreen is not
part of the equation from this line in master.cf
smtp  inet  n   -   n   -   1   postscreen

Still trying to wrap my head around if my environment is a good candidate for 
using postscreen.
thanks for any replies.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: Not sure if i have a DNS or Postfix issue ?

2018-09-20 Thread Fazzina, Angelo
Thanks for the clarification. I was afraid i would get the RTFM response to a 
question i had, 
which may be related.
MTA4 = RHEL 7.5 and PF 2.10.1
MTA1-3 = RHEL 6.9 and PF 2.6.6

I did read a lot about the differences 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Migration_Planning_Guide-en-US.pdf
and noticed mention of this at a page 37

A new smtpd_relay_restrictions parameter has been added. By default this 
enables permit_mynetworks, permit_sasl_authenticated, and 
defer_unauth_destination.
This prevents open relay problems due to mistakes with spam filter rules in 
smtpd_recipient_restrictions. 
However, if your site has a complex mail relay policy configured under 
smtpd_recipient_restrictions, some mail may be incorrectly
deferred. To correct this, either remove smtpd_relay_restrictions configuration 
and use the existing policy in smtpd_recipient_restrictions,
or copy the existing policy from smtpd_recipient_restrictions to 
smtpd_relay_restrictions


MTA1-3 have this
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
and no smtpd_relay_restrictions in the file main.cf

MTA4 has
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_relay_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

So i think i found the error.
My question is how to understand that paragraph so i know what to set 
smtpd_recipient_restrictions
and
smtpd_relay_restrictions
to so mail flows the same way ?

do i simply change 
smtpd_recipient_restrictions = reject_unauth_destination
to
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

I say this because all servers have
mynetworks = /etc/postfix/files/mynetwork
[root@mta2 files]# more mynetwork
#  These are networks whose hosts are authorized to relay mail.
#  Localhost 
127.0.0.0/8
#  UConn networks
137.99.0.0/16 # UConn Public

Thanks again.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Thursday, September 20, 2018 12:10 PM
To: Postfix users 
Subject: Re: Not sure if i have a DNS or Postfix issue ?



> On Sep 20, 2018, at 11:37 AM, Fazzina, Angelo  
> wrote:
> 
> User sends email to ling...@listserv.uconn.edu.
> [two of recipients are woodsan...@msn.com and jb...@albanylaw.edu]
>  
> Listserv.uconn.edu relays the email to smtp.uconn.edu
> When smtp.uconn.edu resolves to MTA4 and not MTA1-3 we have an issue.
>  
> I get these errors
> Sep 19 09:40:26 mta4 postfix/smtpd[22724]: 529981802840: reject: RCPT from 
> MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
> 554 5.7.1 : Relay access denied; 
> from=
> to= proto=ESMTP helo=
>  
> Sep 19 09:40:25 mta4 postfix/smtpd[22724]: NOQUEUE: reject: RCPT from 
> MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
> 554 5.7.1 : Relay access denied; 
> from=
> to= proto=ESMTP helo=

The Postfix configuration of mta4 is not suited to its use:

  * You're using it as an *outbound* relay to deliver email to list members.
  * It is configured with access control rules that make sense on an *inbound*
relay, allowing only email to internal domains.

This relay needs to permit all mail to external recipients from authorized
clients (perhaps all) on your network.  How it determines whether a client
is authorized to relay outbound email is generally a site-specific issue.

Clients can be allowed via CIDR table by IP address, or could be required
to authenticate with TLS client certs or SASL.  Or with the server only
accepting mail on an internal network where all clients are trusted, it
could allow all clients, with the network topology doing the access control.

-- 
Viktor.
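An added example, not code from the thread or from Postfix, that models the restriction-list semantics behind two questions in this archive: Noel Jones's advice (thread "looking for any options to better deal with mail looping") to scope reject_unverified_recipient through a check_recipient_access table instead of putting it at the front of the list, and Angelo's MTA4 "Relay access denied" here, where smtpd_relay_restrictions permits the listserv host but smtpd_recipient_restrictions = reject_unauth_destination still rejects external recipients. The client addresses, recipients and relay domains are constructed to resemble the thread and are assumptions, not real records; DNS checks are not modelled.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example, not Postfix
code): first PERMIT/REJECT/DEFER in a list wins and DUNNO moves on; a check_recipient_access
table may answer DUNNO or name another restriction; smtpd_relay_restrictions runs before
smtpd_recipient_restrictions; reject_unverified_recipient probes (450) on a cache miss."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"
Client = namedtuple("Client", "ip sasl_authenticated", defaults=(False,))


@dataclass
class Site:
    mynetworks: list                                   # CIDR strings, as in the mynetwork file
    relay_domains: set                                 # domains this MTA relays for
    verify_cache: dict = field(default_factory=dict)   # recipient -> deliverable/undeliverable
    probes: list = field(default_factory=list)         # verification probes this model "sent"


def access_lookup(table, recipient):
    """check_recipient_access key order per access(5): user@domain, the domain and its
    parent domains, then user@ without the domain part."""
    local, _, domain = recipient.lower().rpartition("@")
    labels = domain.split(".")
    keys = [recipient.lower()] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    return next((table[k] for k in keys if k in table), None)


def evaluate(restrictions, site, client, recipient):
    """Return the first PERMIT/REJECT/DEFER in the list, else DUNNO (an exhausted list permits)."""
    for name in restrictions:
        if isinstance(name, dict):                       # a check_recipient_access table
            action = access_lookup(name, recipient)
            if action is None or action.upper() == "DUNNO":
                continue
            if action.upper() in ("OK", "REJECT"):
                return PERMIT if action.upper() == "OK" else REJECT
            name = action                                # the table names another restriction
        if name == "permit_mynetworks":
            if any(ipaddress.ip_address(client.ip) in ipaddress.ip_network(n) for n in site.mynetworks):
                return PERMIT
        elif name == "permit_sasl_authenticated":
            if client.sasl_authenticated:
                return PERMIT
        elif name in ("reject_unauth_destination", "defer_unauth_destination"):
            if recipient.rpartition("@")[2].lower() not in site.relay_domains:
                return REJECT if name.startswith("reject") else DEFER
        elif name == "reject_unverified_recipient":
            status = site.verify_cache.get(recipient.lower())
            if status is None:                           # no cached answer: probe, then 450
                site.probes.append(recipient)
                return DEFER
            if status == "undeliverable":                # unverified_recipient_reject_code, 450
                return REJECT
        elif name != "reject_unknown_recipient_domain":  # DNS check: every domain resolves here
            raise ValueError(f"restriction not modelled: {name}")
    return DUNNO


def rcpt_to(site, client, recipient, relay_restrictions, recipient_restrictions):
    """Outcome of one RCPT TO: the first REJECT/DEFER from either list wins."""
    for restrictions in (relay_restrictions, recipient_restrictions):
        result = evaluate(restrictions, site, client, recipient)
        if result in (REJECT, DEFER):
            return result
    return PERMIT


def mta4_relay_access_denied():
    """MTA4's 554: relay restrictions permit the listserv host, but recipient restrictions =
    reject_unauth_destination still reject the external recipient; permit_mynetworks fixes it."""
    site = Site(mynetworks=["127.0.0.0/8", "137.99.0.0/16"],
                relay_domains={"darwin.eeb.uconn.edu", "listserv.uconn.edu"})
    listserv, rcpt = Client("137.99.30.25"), "member@external.example"
    relay = [{}, "permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"]
    before = rcpt_to(site, listserv, rcpt, relay, ["reject_unauth_destination"])
    after = rcpt_to(site, listserv, rcpt, relay, ["permit_mynetworks", "reject_unauth_destination"])
    return before, after                                 # ("REJECT", "PERMIT")


def verification_scope():
    """Noel's point: reject_unverified_recipient at the front probes every recipient and defers
    listserv mail; scoped through check_recipient_access only darwin is probed."""
    flat = ["reject_unknown_recipient_domain", "reject_unverified_recipient",
            "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
    scope = {"listserv.uconn.edu": "DUNNO", "darwin.eeb.uconn.edu": "reject_unverified_recipient"}
    scoped = ["reject_unknown_recipient_domain", scope,
              "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
    relay = ["permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"]
    clients = (Client("137.99.80.129"), Client("203.0.113.7"))   # a campus host, then a stranger
    recipients = ("someone@darwin.eeb.uconn.edu", "announce@listserv.uconn.edu",
                  "friend@external.example")
    report = {}
    for label, rules in (("flat", flat), ("scoped", scoped)):
        site = Site(mynetworks=["137.99.0.0/16"],
                    relay_domains={"darwin.eeb.uconn.edu", "listserv.uconn.edu"})
        outcomes = [rcpt_to(site, c, r, relay, rules) for c in clients for r in recipients]
        report[label] = {"outcomes": outcomes, "probes": len(site.probes)}
    return report
```

In the "flat" case every RCPT TO is deferred with a probe, including the listserv recipient and outbound mail from campus hosts; the "scoped" list probes only the darwin recipients and lets listserv mail through.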



Not sure if i have a DNS or Postfix issue ?

2018-09-20 Thread Fazzina, Angelo
Hi, not sure if i am looking in the wrong place:
If you want my postconf I can get it.

User sends email to ling...@listserv.uconn.edu with client.  [one of recipients 
is woodsan...@msn.com and jb...@albanylaw.edu]
MX for listserv.uconn.edu is spam boxes.
Email goes to spam boxes, and spam boxes relay email to listserv.uconn.edu

Listserv.uconn.edu relays the email to smtp.uconn.edu
When smtp.uconn.edu resolves to MTA4 and not MTA1-3 we have an issue.

I get these errors
Sep 19 09:40:26 mta4 postfix/smtpd[22724]: 529981802840: reject: RCPT from 
MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
554 5.7.1 : Relay access denied; 
from=
to= proto=ESMTP helo=

Sep 19 09:40:25 mta4 postfix/smtpd[22724]: NOQUEUE: reject: RCPT from 
MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
554 5.7.1 : Relay access denied; 
from=
to= proto=ESMTP helo=

Is MTA4 having a problem due to the Load Balancer set to Ratio with 1% and when 
mail servers for MSN.com and Albanylaw.edu do DNS lookups for smtp.uconn.edu 
MTA4 rarely shows as a valid IP, and that is why Postfix gets the "relay" error 
?

MTA4 is new so I wanted to test it and only give it 1% and the other 3 get 99%.

Sample of working on MTA2:
Sep 19 10:56:45 mta2 postfix/smtp[6866]: 93BA31323: to=, 
relay=msn-com.olc.protection.outlook.COM[104.47.12.33]:25, delay=1.1, 
delays=0.15/0.03/0.31/0.58, dsn=2.6.0, status=sent (250 2.6.0 
 
[InternalId=25031069508292, 
Hostname=DB3EUR04HT137.eop-eur04.prod.protection.outlook.com] 14339 bytes in 
0.181, 77.092 KB/sec Queued mail for delivery)

RAW data:

[root@mta4 log]# dig any smtp.uconn.edu

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> any smtp.uconn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp.uconn.edu.IN  ANY

;; ANSWER SECTION:
smtp.uconn.edu. 300 IN  A   137.99.25.235
smtp.uconn.edu. 300 IN  A   137.99.25.233
smtp.uconn.edu. 300 IN  A   137.99.25.234

;; Query time: 1 msec
;; SERVER: 137.99.25.14#53(137.99.25.14)
;; WHEN: Thu Sep 20 11:28:47 EDT 2018
;; MSG SIZE  rcvd: 91

[root@mta4 log]# dig any mta4.uits.uconn.edu

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> any mta4.uits.uconn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22377
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mta4.uits.uconn.edu.   IN  ANY

;; ANSWER SECTION:
mta4.uits.uconn.edu.14400   IN  A   137.99.25.243

;; Query time: 1 msec
;; SERVER: 137.99.25.14#53(137.99.25.14)
;; WHEN: Thu Sep 20 11:29:10 EDT 2018
;; MSG SIZE  rcvd: 64


I also did a telnet test on mta4 to msn.com and albanylaw.edu and got 250 so I 
know addresses are ok
Escape character is '^]'.
220 CO1NAM04FT020.mail.protection.outlook.com Microsoft ESMTP MAIL Service 
ready at Thu, 20 Sep 2018 15:16:28 +
ehlo uconn.edu
250-CO1NAM04FT020.mail.protection.outlook.com Hello [137.99.25.235]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from:ang...@uconn.edu
250 2.1.0 Sender OK
rcpt to:jb...@albanylaw.edu
250 2.1.5 Recipient OK
quit
221 2.0.0 Service closing transmission channel

Thank you.
-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: Want to be sure i am not throttling user.

2018-08-31 Thread Fazzina, Angelo
Hi, I was able to run a packet capture with tcpdump on the 3 load balanced 
servers that handle massmail.uconn.edu during the users mail merge today.
It was looking like one email every 12 seconds from me doing [tail -f 
/var/log/maillog |grep 137.99.31.52] on each server, during the capture as well.
I am using this link to get up to speed on wireshark  
https://blogs.technet.microsoft.com/eopfieldnotes/2015/08/27/useful-wireshark-filters-for-mail-flow-troubleshooting/

I will try to merge the captures of the 3 servers so I can see the real picture 
as the LB does round robin.
Hopefully I will have news to report this issue is not related to Postfix.

1. They use sasl on port 587

2. This time they used a different IP that had a DNS entry. 
Aug 31 13:32:38 mail4 postfix/smtpd[24239]: 99867627: 
client=d31h52.public.uconn.edu[137.99.31.52], sasl_method=LOGIN, 
sasl_username=wellness

3.  This is instantaneous every time I test 
[root@mail4 ~]# telnet massmail.uconn.edu  587
Trying 137.99.26.55...
Connected to massmail.uconn.edu.
Escape character is '^]'.
220 mail4.uits.uconn.edu ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail4 ~]# telnet massmail.uconn.edu  587
Trying 137.99.26.55...
Connected to massmail.uconn.edu.
Escape character is '^]'.
220 mail5.uits.uconn.edu ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail4 ~]# telnet massmail.uconn.edu  587
Trying 137.99.26.55...
Connected to massmail.uconn.edu.
Escape character is '^]'.
220 mail6.uits.uconn.edu ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

4.  Servers are never that busy IMHO, but I have 7 days of graphs that would 
show that; here [mail4,mail5,mail6] are the servers.
http://ssgunix.uits.uconn.edu/ssgunix.php

thanks again.

P.S. header_checks file has one line to dump email subjects in my logs.
P.P.S.  I take it this is not the place to ask someone to look at my capture 
file, to help speed up forensics ? 




-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Wednesday, August 29, 2018 2:09 PM
To: Postfix users 
Subject: Re: Want to be sure i am not throttling user.



> On Aug 29, 2018, at 1:53 PM, Fazzina, Angelo  wrote:
> 
> [root@mail4 log]# cat maillog-20180829 |grep 137.99.149.148 |grep -v 
> disconnect |grep -v submission|grep connect

You forgot to aggregate:

  $ ... | awk '{print $3}' | sed -e 's/.:..$/0/' | uniq -c
  15 09:20
  28 09:30
  30 09:40
  20 09:50
  28 10:00
  33 10:10
  10 10:20

So that's a peak rate of 33 messages per 10 minutes, or 3
messages a minute!  With mail transactions lasting just a couple
of seconds, and average connection spacing at ~20 seconds, 
the client is spending most of its time disconnected or waiting
for the SMTP banner.

One possibility is that you don't have enough smtpd(8) process
concurrency.  If your server is busy handling lots of concurrent
traffic, perhaps it reaches the $default_process_limit often, and
the client's connections are stuck waiting for a free process to
accept a new connection.

You should try connecting to the relevant port on your server
a few times (spaced minutes apart) and see how long you typically
need to wait before you see a 220 banner?  (The same port the
user is using to submit mail, not clear whether it is 25 or 587).

The default process limits in Postfix date back to Y2K hardware,
and servers have a lot more RAM, CPU and network bandwidth these
days.

-- 
Viktor.



RE: Want to be sure i am not throttling user.

2018-08-29 Thread Fazzina, Angelo



> On Aug 29, 2018, at 12:19 PM, Fazzina, Angelo  
> wrote:
> 
> In answer to: "I get a quick NXDOMAIN.  Is that also true for your mail 
> server?"
>   Yes I get the same results when I do a "dig -x 137.99.149.148" or 
> "nslookup 137.99.149.148"

Are you doing the test on the MTA, or a nearby machine? As "root", or as the 
"postfix" user?
Is the Postfix smtpd(8) service the user is connecting to chrooted?  Look 
carefully at the relevant master.cf entries.  If chrooted, check for a working 
etc/resolv.conf in the chroot jail (queue_directory).

> My response to the user has always been it is the client that is sending 
> slow, i am just learning how to prove it with my logs.
> I also noticed the repeated new connections, but always blamed the client for 
> doing that and not holding onto the connection, and send multiple emails.

Though a new connection for each message is less efficient, it should not be 
prohibitively so; the user should still be able to send O(10) messages per 
second.  Not O(10s) per message.

> I take this literally "disconnect from unknown[137.99.149.148]" and not that 
> Postfix disconnected from the client, but the client disconnected from 
> Postfix server.

Yes, the client sends "QUIT" and disconnects.

> In answer to : "How many messages were sent by that user during a sustained 
> transmission window."
>   "What was the arrival rate?  Did it change over that window?"
> 
>   My claim that i am trying to prove is there is no "sustained 
> transmission window" hence the constant  connect and disconnect seen in the 
> logs. 

A sustained transmission window is a period of time during which the client is
actively sending a batch of mail.  

> This is what i saw in the logs, 
> start = 2018-08-28-09:22:43 
> 166 emails sent on mail4
> end = 2018-08-28-10:22:20 

166 messages per hour is rather slow.  Was this a sustained batch,
or did you arbitrarily choose an hour.  Perhaps most of the 166
arrived during the first few minutes???  You need to aggregate
the deliveries by the arrival minute and look at a histogram
of messages per minute.

This is a data analysis problem, you should be able to figure it out,
by rolling up your sleeves and looking carefully at the data.  You
may also need PCAP files for the next file this user sends a batch
of mail, so you can see what happens after TCP connection setup.

-- 
Viktor.



RE: Want to be sure i am not throttling user.

2018-08-29 Thread Fazzina, Angelo
Hi, the client/[sender] ip 137.99.149.148 is a users desktop running Outlook, 
likely with a DHCP address.

In answer to: "I get a quick NXDOMAIN.  Is that also true for your mail server?"
Yes I get the same results when I do a "dig -x 137.99.149.148" or 
"nslookup 137.99.149.148"

My response to the user has always been it is the client that is sending slow, 
I am just learning how to prove it with my logs.
I also noticed the repeated new connections, but always blamed the client for 
doing that and not holding onto the connection and sending multiple emails.
I take this literally "disconnect from unknown[137.99.149.148]" and not that 
Postfix disconnected from the client, but the client disconnected from Postfix 
server.

In answer to : "How many messages were sent by that user during a sustained 
transmission window."
"What was the arrival rate?  Did it change over that window?"

My claim that I am trying to prove is there is no "sustained 
transmission window", hence the constant connect and disconnect seen in the 
logs. 
Unless I don't know what you mean by a "sustained transmission window"?

Client connects to massmail.uconn.edu and the load balancer sends email for 
massmail.uconn.edu to 3 servers.
If the "arrival rate" is calculated from all the "connect from 
unknown[137.99.149.148]" lines,
then I will have to crunch the numbers. Across 3 servers for 9:40AM, 10 
emails were processed.
Across 3 servers for 9:30AM, 36 emails were processed.
This is what i saw in the logs, 
start = 2018-08-28-09:22:43 
166 emails sent on mail4
end = 2018-08-28-10:22:20 

start = 2018-08-28-09:21:55 
231 emails sent on mail5
end = 2018-08-28-10:22:27 

start = 2018-08-28-08:36:42
257 emails sent on mail6
end = 2018-08-28-10:22:06

I am going to recommend user requests a static IP with an A record in our DNS 
servers.
I don't see any down side to asking for that.
Thank you.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Wietse Venema
Sent: Wednesday, August 29, 2018 12:03 PM
To: Postfix users 
Subject: Re: Want to be sure i am not throttling user.

Viktor Dukhovni:
> > 09:22:43 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
> > 09:22:45 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
> > 
> > 09:23:06 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
> > 09:23:08 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
> > 
> > 09:23:12 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
> > 09:23:15 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
> > 
> > 09:23:17 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
> > 09:23:20 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
> 
> If the client is doing one delivery at a time with a new connection for each
> message, with no concurrency, what's interesting to see here is the spacing
> *between* connections, which is considerably longer than the duration of
> connections, which again hints at a possible DNS issue, but you have to
> look more closely.

The time from 'TCP connect' to the time that Postfix logs 'connect
from' includes the time to look up the client hostname (and if
available, IP address for that hostname). This -should- be quick,
but may be slow because of a problem in your local DNS.

Wietse
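The three analyses this thread asks for, done over log lines in one script: Viktor's 10-minute bucket count, the per-minute histogram of arrivals, and the spacing *between* connections compared with the duration *of* connections. This is an added example, not code from the thread or from Postfix; the log lines are constructed to match the shape of the smtpd lines quoted above, and the year 2018 is assumed because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the smtpd lines quoted in this thread;
# the last two lines belong to a different client and must be ignored.
SAMPLE_LOG = """\
Aug 28 09:22:43 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:22:45 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
Aug 28 09:23:06 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:08 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
Aug 28 09:23:12 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:15 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
Aug 28 09:23:17 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:20 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
Aug 28 09:31:02 mail4 postfix/smtpd[16301]: connect from unknown[137.99.149.148]
Aug 28 09:31:04 mail4 postfix/smtpd[16301]: disconnect from unknown[137.99.149.148] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 28 09:31:10 mail4 postfix/smtpd[16301]: connect from other.example.net[10.0.0.5]
Aug 28 09:31:11 mail4 postfix/smtpd[16301]: disconnect from other.example.net[10.0.0.5]
"""

# Matches only connect/disconnect events; every other smtpd line is skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect|disconnect) from \S*\[(?P<ip>[^\]]+)\]"
)


def parse_events(log_text, client_ip, year=2018):
    """Return [(timestamp, event, pid)] for one client IP, in log order.

    Syslog timestamps carry no year, so one is supplied (2018 assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m and m.group("ip") == client_ip:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("event"), m.group("pid")))
    return events


def bucket_connects(events, minutes=10):
    """Count connects per wall-clock bucket: the 'sed ... | uniq -c' step above,
    generalised so the bucket width is a parameter (10 gives the 09:20/09:30 rows,
    1 gives the per-minute histogram)."""
    counts = Counter()
    for ts, event, _pid in events:
        if event == "connect":
            start = ts.replace(minute=ts.minute - ts.minute % minutes, second=0)
            counts[start.strftime("%H:%M")] += 1
    return dict(sorted(counts.items()))


def session_stats(events):
    """Pair each connect with the disconnect logged by the same smtpd process.

    Returns (durations, gaps) in seconds: how long each session stayed open, and
    how long the client stayed away between one disconnect and the next connect.
    Gaps assume the sequential one-session-at-a-time client seen in the thread."""
    open_since = {}  # pid -> connect time
    durations, gaps = [], []
    last_disconnect = None
    for ts, event, pid in events:
        if event == "connect":
            if last_disconnect is not None:
                gaps.append((ts - last_disconnect).total_seconds())
            open_since[pid] = ts
        elif pid in open_since:
            durations.append((ts - open_since.pop(pid)).total_seconds())
            last_disconnect = ts
    return durations, gaps


def _mean(values):
    return round(sum(values) / len(values), 2) if values else 0.0


def summarize(log_text, client_ip):
    """One dict with the numbers the thread asks for; safe on empty input."""
    events = parse_events(log_text, client_ip)
    durations, gaps = session_stats(events)
    return {
        "connects": sum(1 for _ts, e, _p in events if e == "connect"),
        "per_10min": bucket_connects(events),
        "mean_session_s": _mean(durations),
        "mean_gap_s": _mean(gaps),
        "max_gap_s": max(gaps) if gaps else 0.0,
    }


if __name__ == "__main__":
    # A mean gap far above the mean session length is the "client idle or waiting
    # for the banner" pattern, not a server-side throttle.
    for key, value in summarize(SAMPLE_LOG, "137.99.149.148").items():
        print(f"{key}: {value}")
```

Feed it a real maillog with the client address from your own logs; sessions of a couple of seconds separated by gaps of tens of seconds reproduce what Viktor computed by hand.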


RE: Want to be sure i am not throttling user.

2018-08-29 Thread Fazzina, Angelo
Aug 28 09:23:18 mail4 postfix/smtp[15268]: 98698300: to=, 
relay=uconn-edu.mail.protection.outlook.com[216.32.180.170]:25, delay=0.61, 
delays=0.01/0/0.05/0.54, dsn=2.6.0, status=sent (250 2.6.0 
<01e601d43ed2$482f7130$d88e5390$@uconn.edu> [InternalId=1511828492319, 
Hostname=SN2PR05MB2494.namprd05.prod.outlook.com] 11312 bytes in 0.195, 
56.403 KB/sec Queued mail for delivery)
Aug 28 09:23:18 mail4 postfix/qmgr[3142]: 98698300: removed
Aug 28 09:23:20 mail4 postfix/smtpd[16278]: disconnect from unknown[137.99.149.148]
Aug 28 09:23:28 mail4 postfix/smtpd[16278]: connect from unknown[137.99.149.148]
Aug 28 09:23:28 mail4 postfix/smtpd[16278]: B9F70300: 
client=unknown[137.99.149.148], sasl_method=LOGIN, sasl_username=wellness


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Tuesday, August 28, 2018 2:39 PM
To: Postfix users 
Subject: Re: Want to be sure i am not throttling user.



> On Aug 28, 2018, at 1:47 PM, Fazzina, Angelo  wrote:
> 
> Hi, I am troubleshooting a client complaint.
> This user “wellness”
>  
> Aug 28 10:22:27 mail5 postfix/smtpd[7534]: EE46E2FB: 
> client=unknown[137.99.149.148], sasl_method=LOGIN, sasl_username=wellness
>  
> Some user feedback :
> On Friday I sent a batch of 436 and it took 
> 11 minutes to send
> This morning I sent a batch of 725 and it 
> took 1 hour and 21 minutes

The answer is in your logs.

-- 
Viktor.



Want to be sure i am not throttling user.

2018-08-28 Thread Fazzina, Angelo
Hi, I am troubleshooting a client complaint.
This user "wellness"

Aug 28 10:22:27 mail5 postfix/smtpd[7534]: EE46E2FB: 
client=unknown[137.99.149.148], sasl_method=LOGIN, sasl_username=wellness

Some user feedback :
On Friday I sent a batch of 436 and it took 11 
minutes to send
This morning I sent a batch of 725 and it took 
1 hour and 21 minutes


Do any of my settings throttle their ability to send to my postfix server ?

I think it is the client they use. MS Outlook.
I think I accept as fast as they send, and Outlook is sending slow and 
dictating the rate.

Thanks for looking.


smtp  inet  n   -   n   -   -   smtpd
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_recipient_limit=5000
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet  n   -   n   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_recipient_limit=5000
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

[root@mail4 postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 31457280
mydestination = $myhostname, localhost.$mydomain, localhost, appmail2.uconn.edu
mynetworks = 137.99.28.110 137.99.28.117 137.99.28.90 137.99.28.116 
137.99.188.202 10.3.28.90 10.3.28.116 10.4.25.183 10.4.40.212 10.4.40.194 
10.4.40.189  66.29.212.37
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/static, 
permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_cert_file = /etc/pki/tls/certs/massmail_uconn_edu_cert_interm.cer
smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, 
RC4, aNULL
smtpd_tls_key_file = /etc/pki/tls/private/massmail_key.key
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: Spamhaus blocking Spectrum IPs; rbl_override not working

2018-08-21 Thread Fazzina, Angelo
Hi, they are return codes.

https://www.spamhaus.org/news/article/713/changes-in-spamhaus-dbl-dnsbl-return-codes


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Fongaboo
Sent: Tuesday, August 21, 2018 1:51 PM
To: Postfix users 
Subject: Re: Spamhaus blocking Spectrum IPs; rbl_override not working



On Tue, 21 Aug 2018, Bill Cole wrote:

> smtpd_client_restrictions
>check_client_access cidr:/usr/local/etc/postfix/rbl_override
>reject_rbl_client zen.spamhaus.org=127.0.0.2,
>reject_rbl_client zen.spamhaus.org=127.0.0.3,
>reject_rbl_client zen.spamhaus.org=127.0.0.4,
>check_client_access cidr:/usr/local/etc/postfix/pbl_override
>reject_rbl_client zen.spamhaus.org=127.0.0.10,
>reject_rbl_client zen.spamhaus.org=127.0.0.11,

That's pretty neat. Are those IPs on the end ones to be specifically 
*rejected*? Can CIDR format be used?

Also should the last two lines start with reject_pbl_client?


Flags question in master.cf

2018-07-25 Thread Fazzina, Angelo
Hi, I have this in my master file.

autoreply unix  -   n   n   -   -   pipe
  flags=DF user=nobody
  argv=/usr/local/bin/angelo $sender $recipient $original_recipient $user $domain


Everything is working as I want. Is there a flag or macro that can get me the 
localpart of the $original_recipient ?

So I want "angelo" from ang...@uconn.edu.

If not possible, fine, just want to know. Been reading the man page for "pipe".

Thanks.





-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: Open Relay on local lan

2018-07-25 Thread Fazzina, Angelo
Hi, I run 2.10.1

I think this should help
http://www.postfix.org/VIRTUAL_README.html

maybe
virtual_alias_domains =  test.net test.com


Not sure what you would need to configure for
mynetworks =
http://www.postfix.org/postconf.5.html#mynetworks


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Software Information
Sent: Tuesday, July 24, 2018 1:31 PM
To: postfix-users@postfix.org
Subject: Open Relay on local lan

Hi All
I have my postfix server up and running now for some time. Recently though, 
auditors made a deal that the server is an open relay. It is true that on the 
local lan it is. What's the best way to change this behavior? For example, is 
there a way to configure postfix to accept mail from say two domains, 
test.net and test.com but no other?

Regards
SI


RE: new strangeness with O365 [OT] --TESTING

2018-07-12 Thread Fazzina, Angelo
I'm conducting a test to see if the URL rewrite issue is better, for me anyway. 
Please ignore.
Test =  
http://postfix.1071664.n5.nabble.com/new-strangeness-with-O365-td96344.html

Should be  http:// postfix.1071664.n5.nabble.com 
/new-strangeness-with-O365-td96344.html

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Mike Guelfi
Sent: Thursday, May 17, 2018 8:12 PM
To: postfix-users@postfix.org
Subject: Re: new strangeness with O365 [OT]


Quoting Daniele Nicolodi :

> On 5/17/18 3:59 PM, Mike Guelfi wrote:
>> Quoting Noel Jones :
>>> It seems counterproductive to rewrite a plain-text link...  I don't
>>> know it there's a setting in the O365 controls to avoid mangling
>>> plain text, so you may have to live with it.
>>>
>>>
>>>
>>>   -- Noel Jones
>>
>> The worst of it is, MS are inserting themselves in the transaction so
>> they get to track which links you click in emails.
>>
>> There's a good security reason to do so
>
> What MS does is to "check" (whatever that entails) the URL and then
> respond to the HTTP client with a redirect. I can envision a very simple
> mechanism for which the response served to the MS robot that verify the
> URL is different from the one served to other clients.
>
> Can you please elaborate on what are the "good security reasons" for
> which that is a good idea and not simply a form of user tracking?
>
> Thanks. Cheers,
> Dan

It's at least a reputation service, which means that if they notice it go
bad after they've already sent you the email, they can still block it when
you attempt to click through on their server.

They might be expending some actual effort like sandboxing to inform their
reputation server, or user reporting, etc. But either way it's better from a
service delivery perspective to allow the email before the testing is complete
and hope you click the link afterwards. They have no warranty on the service
anyway so no downside to them.

That said; I have still asked them to turn it off.

I got a 1st level human to acknowledge it's been escalated, but  
nothing else so far.

I think this thread is starting to be wildly OT though...

--
Mike.


RE: STARTTLS / DANE difficulties?

2018-07-10 Thread Fazzina, Angelo
My test of connecting to your server
openssl s_client -starttls smtp -connect mx31.harte-lyne.ca:587

Start Time: 1531242804
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 SMTPUTF8
quit
221 2.0.0 Bye
closed
[root@mta5 alf02013]#

MY SERVER

Start Time: 1531242903
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN
quit
221 2.0.0 Bye
closed
[root@mta5 alf02013]#



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Fazzina, Angelo
Sent: Tuesday, July 10, 2018 1:06 PM
To: postfix-users@postfix.org
Subject: RE: STARTTLS / DANE difficulties?

When you test connecting to your servers yourself do you get any errors ?
Not sure if sslv3 is ok to see if using TLS ???

Commands to try, just replace with your server name
openssl s_client  -connect mta5.uits.uconn.edu:465
openssl s_client -starttls smtp -connect mta5.uits.uconn.edu:587

openssl s_client  -connect :465
openssl s_client -starttls smtp -connect :587


good luck.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of James B. Byrne
Sent: Tuesday, July 10, 2018 12:56 PM
To: postfix-users@postfix.org
Subject: STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of
years.  One of the remaining items is this sort of message which only
started very recently:


Jul 10 11:55:29 mx31 postfix-p25/smtpd[70030]: connect from
hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: warning: TLS library
problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate:/usr/src/crypto/openssl/ssl/s3_pkt.c:1493:SSL alert number
42:
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: lost connection after
STARTTLS from hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: disconnect from
hr1.samba.org[144.76.82.147] ehlo=1 starttls=1 commands=2

I thought that these errors were the result of a misconfigured
certificate or private key for the postfix service.  However, I have
examined these and they appear to be correct:

postconf -n | grep -i tls
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
IDEA, RC2, RC5
smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file =
/usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


# ll /usr/local/etc/pki/tls/private/
total 18
-rw---  1 root  wheel  3243 Jun  7 15:37 2016003E.key
lrwxr-xr-x  1 root  wheel  12 Jul 10 12:19 ca.harte-lyne.mx31.key ->
2016003E.key

ll /usr/local/etc/pki/tls/certs
total 565
-rw-r--r--  1 root  wheel   10164 Jun  7 15:37 2016003E.pem
-rw-r--r--  1 root  wheel  822512 Jul 10 12:05 ca-bundle.crt
lrwxr-xr-x  1 root  wheel  22 Jul 10 12:07 ca.harte-lyne.mx31.crt
-> ca.harte-lyne.mx31.pem
lrwxr-xr-x  1 root  wheel  12 Jul 10 12:06 ca.harte-lyne.mx31.pem
-> 2016003E.pem

# openssl x509 -noout -text -in
/usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 538312766 (0x2016003e)
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN=CA_HLL_ISSUER_2016, OU=Networked Data Services,
O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA,
DC=harte-lyne, DC=ca
Validity
Not Before: Jun  1 00:00:00 2018 GMT
Not After : Jun 30 23:59:59 2023 GMT
Subject: CN=mx31.harte-lyne.ca, OU=Networked Data Services,
O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA,
DC=hamilton, DC=harte-lyne, DC=ca
Subject Public Key Info:
Pub

RE: STARTTLS / DANE difficulties?

2018-07-10 Thread Fazzina, Angelo
When you test connecting to your servers yourself do you get any errors ?
Not sure if sslv3 is ok to see if using TLS ???

Commands to try, just replace with your server name
openssl s_client  -connect mta5.uits.uconn.edu:465
openssl s_client -starttls smtp -connect mta5.uits.uconn.edu:587

openssl s_client  -connect :465
openssl s_client -starttls smtp -connect :587


good luck.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of James B. Byrne
Sent: Tuesday, July 10, 2018 12:56 PM
To: postfix-users@postfix.org
Subject: STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of
years.  One of the remaining items is this sort of message which only
started very recently:


Jul 10 11:55:29 mx31 postfix-p25/smtpd[70030]: connect from
hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: warning: TLS library
problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate:/usr/src/crypto/openssl/ssl/s3_pkt.c:1493:SSL alert number
42:
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: lost connection after
STARTTLS from hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: disconnect from
hr1.samba.org[144.76.82.147] ehlo=1 starttls=1 commands=2

I thought that these errors were the result of a misconfigured
certificate or private key for the postfix service.  However, I have
examined these and they appear to be correct:

postconf -n | grep -i tls
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
IDEA, RC2, RC5
smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file =
/usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


# ll /usr/local/etc/pki/tls/private/
total 18
-rw---  1 root  wheel  3243 Jun  7 15:37 2016003E.key
lrwxr-xr-x  1 root  wheel  12 Jul 10 12:19 ca.harte-lyne.mx31.key ->
2016003E.key

ll /usr/local/etc/pki/tls/certs
total 565
-rw-r--r--  1 root  wheel   10164 Jun  7 15:37 2016003E.pem
-rw-r--r--  1 root  wheel  822512 Jul 10 12:05 ca-bundle.crt
lrwxr-xr-x  1 root  wheel  22 Jul 10 12:07 ca.harte-lyne.mx31.crt
-> ca.harte-lyne.mx31.pem
lrwxr-xr-x  1 root  wheel  12 Jul 10 12:06 ca.harte-lyne.mx31.pem
-> 2016003E.pem

# openssl x509 -noout -text -in
/usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 538312766 (0x2016003e)
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN=CA_HLL_ISSUER_2016, OU=Networked Data Services,
O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA,
DC=harte-lyne, DC=ca
Validity
Not Before: Jun  1 00:00:00 2018 GMT
Not After : Jun 30 23:59:59 2023 GMT
Subject: CN=mx31.harte-lyne.ca, OU=Networked Data Services,
O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA,
DC=hamilton, DC=harte-lyne, DC=ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
. . .

Can someone interpret for me what these messages are telling me?  Is
samba.org misconfigured or me?


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



RE: Can postfix send encrypted but not authenticated emails ?

2018-06-29 Thread Fazzina, Angelo
Hi, the issue may be resolved, but thanks for the reply.
In answer to your questions:

The firewall is what allows the traffic on port 25 to even make it to the 
server, so our policy is tight enough to only allow who we want.

As far as design goes, O365 can only handle one email address per person, and 
we offer up to 5 aliases per person stored in a DB.
The design change we made was pointing our MX to O365 and not our spam filter 
appliances, but had to make sure all existing mail flow continued to work.

As for why, it was the simplest solution among the options O365 allows.
As I mentioned already I think, the solution was adding the 250-STARTTLS to 
the "ehlo" command and then O365 was happy.

Thank you.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Matus UHLAR - fantomas
Sent: Friday, June 29, 2018 1:49 PM
To: postfix-users@postfix.org
Subject: Re: Can postfix send encrypted but not authenticated emails ?

On 28.06.18 16:41, Fazzina, Angelo wrote:
> Hi, I have been reading the online docs for  TLS_README.html and
> SASL_README.html but still having trouble deducing if I can get Postfix
> 2.6 to accept email over port 587 without giving Postfix a username and
> password ?

you can, but better don't do that. spammers WILL abuse it.

> My current understanding of how my server deals with mail is traffic on
> port 25 with no username and password needed is only allowed from
> on-campus

apparently because your server accepts mail from your campus' IP addresses 
without
authentication. Quite common for backwards compatibility.

>, and traffic on ports 465 and 587 is allowed when you provide a
> username and password,

authentication on ports 465 and 587 is usually required to avoid spam
sending through those ports.

> and postfix encrypts the email.

postfix does not encrypt mail, but connection to 465 and 587 usually must be
encrypted, as long as authenticated with user and password.

>I would like to change it so postfix will accept email without a username
> and password, specifically from Office 365, and with encryption [TLS].

why?

> Example :  email to ang...@uconn.edu goes to O365 and then O365 will
> forward to smtp.uconn.edu [which relays back to O365] due to my mailbox
> being angelo.fazz...@uconn.edu .  If you send directly to
> angelo.fazz...@uconn.edu O365 delivers to mailbox without having to
> forward the email.

what is the point of this design/setup?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


RE: may not be appropriate question but figured what the hay... -- Dovecot

2018-06-29 Thread Fazzina, Angelo
Case closed...

I was lazy and did not want to do all that work of recreating the accounts, so I 
found the error

In /etc/passwd it looked like this

cec-support:x:592:593::/home/cec_support:/bin/bash
cec-support-comment:x:593:594::/home/cec_support_comment:/bin/bash

I changed it to this

cec-support:x:592:593::/home/cec-support:/bin/bash
cec-support-comment:x:593:594::/home/cec-support-comment:/bin/bash



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Fazzina, Angelo
Sent: Friday, June 29, 2018 1:00 PM
To: Postfix users 
Subject: may not be appropriate question but figured what the hay... -- Dovecot

Hi, based on commands below, anyone know why I would get these errors ?

Jun 29 12:05:02 mail2 dovecot: imap-login: Login: user=, 
method=PLAIN, rip=137.99.24.120, lip=137.99.90.68, mpid=6752, TLS
Jun 29 12:05:02 mail2 dovecot: imap(cec-support-comment): Error: user 
cec-support-comment: Initialization failed: Initializing mail storage from 
mail_location setting failed: mkdir(/home/cec_support_comment/mail) failed: 
Permission denied (euid=593(cec-support-comment) egid=594(cec-support-comment) 
missing +w perm: /home, euid is not dir owner)


Back story, user wanted names to have dashes and not underscores, I guess I may 
need to delete user accounts and just create them again...

usermod cec_support -l cec-support
usermod cec_support_comment -l cec-support-comment

from man page
-l, --login NEW_LOGIN
    The name of the user will be changed from LOGIN to NEW_LOGIN. Nothing else
    is changed. In particular, the user's home directory or mail spool should
    probably be renamed manually to reflect the new login name.

mv cec_support cec-support
mv cec_support_comment cec-support-comment

groupmod -n cec-support cec_support
groupmod -n cec-support-comment cec_support_comment

-n, --new-name NEW_GROUP
   The name of the group will be changed from GROUP to NEW_GROUP name.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu<mailto:ang...@uconn.edu>
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075
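An added example (not code from the thread): a small Python check that would have caught this, comparing each /etc/passwd entry's home field against what is actually on disk. The passwd lines are the ones quoted in the post; the directory ownership table is a constructed stand-in for the filesystem after the mv commands, so the check runs offline.

```python
"""Verify that every passwd entry's home directory exists and is owned by
that uid: the mismatch behind the Dovecot "mkdir(...) failed: Permission
denied" error after a login rename.  Added example, not from the thread."""
import os

# Constructed sample: the two lines quoted in the post, before the fix (home
# still points at the underscore paths) and after it.
PASSWD_BEFORE = """\
cec-support:x:592:593::/home/cec_support:/bin/bash
cec-support-comment:x:593:594::/home/cec_support_comment:/bin/bash
"""
PASSWD_AFTER = """\
cec-support:x:592:593::/home/cec-support:/bin/bash
cec-support-comment:x:593:594::/home/cec-support-comment:/bin/bash
"""
# Constructed stand-in for the filesystem after `mv cec_support cec-support`
# and `mv cec_support_comment cec-support-comment`: path -> (uid, gid).
FAKE_HOMES = {
    "/home/cec-support": (592, 593),
    "/home/cec-support-comment": (593, 594),
}


def fake_stat_home(path):
    """Offline lookup used by the sample run and the tests."""
    return FAKE_HOMES.get(path)


def real_stat_home(path):
    """Filesystem lookup: (uid, gid) of an existing directory, else None."""
    if not os.path.isdir(path):
        return None
    st = os.stat(path)
    return (st.st_uid, st.st_gid)


def parse_passwd(text):
    """Yield (name, uid, gid, home) for each well-formed passwd line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                  # malformed; a real audit would flag it
        name, _pw, uid, gid, _gecos, home, _shell = fields
        yield name, int(uid), int(gid), home


def check_homes(passwd_text, stat_home=real_stat_home, min_uid=0):
    """Return [(name, home, problem)] for entries whose home is missing or
    not owned by the user.  Raise min_uid (e.g. 1000) to skip system
    accounts whose home is legitimately /nonexistent or root-owned."""
    problems = []
    for name, uid, _gid, home in parse_passwd(passwd_text):
        if uid < min_uid:
            continue
        owner = stat_home(home)
        if owner is None:
            problems.append((name, home, "home directory does not exist"))
        elif owner[0] != uid:
            problems.append((name, home,
                             f"owned by uid {owner[0]}, expected {uid}"))
    return problems


if __name__ == "__main__":
    for entry in check_homes(PASSWD_BEFORE, fake_stat_home):
        print("BEFORE:", *entry)
    print("AFTER:", check_homes(PASSWD_AFTER, fake_stat_home) or "clean")
    # On a real host: check_homes(open("/etc/passwd").read(), min_uid=500)
```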



may not be appropriate question but figured what the hay... -- Dovecot

2018-06-29 Thread Fazzina, Angelo
Hi, based on commands below, anyone know why I would get these errors ?

Jun 29 12:05:02 mail2 dovecot: imap-login: Login: user=, 
method=PLAIN, rip=137.99.24.120, lip=137.99.90.68, mpid=6752, TLS
Jun 29 12:05:02 mail2 dovecot: imap(cec-support-comment): Error: user 
cec-support-comment: Initialization failed: Initializing mail storage from 
mail_location setting failed: mkdir(/home/cec_support_comment/mail) failed: 
Permission denied (euid=593(cec-support-comment) egid=594(cec-support-comment) 
missing +w perm: /home, euid is not dir owner)


Back story, user wanted names to have dashes and not underscores, I guess I may 
need to delete user accounts and just create them again...

usermod cec_support -l cec-support
usermod cec_support_comment -l cec-support-comment

from man page
-l, --login NEW_LOGIN
    The name of the user will be changed from LOGIN to NEW_LOGIN. Nothing else
    is changed. In particular, the user's home directory or mail spool should
    probably be renamed manually to reflect the new login name.

mv cec_support cec-support
mv cec_support_comment cec-support-comment

groupmod -n cec-support cec_support
groupmod -n cec-support-comment cec_support_comment

-n, --new-name NEW_GROUP
   The name of the group will be changed from GROUP to NEW_GROUP name.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: Can postfix send encrypted but not authenticated emails ? -- FIXED

2018-06-28 Thread Fazzina, Angelo
Hi, I only needed to add one setting and all the deferred test emails on O365 
started flowing into my inbox

RAN vi /etc/postfix/main.cf
added
# -ALF 2018-06-28
smtpd_tls_security_level = may
RAN service postfix reload

Case closed, thanks.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Fazzina, Angelo
Sent: Thursday, June 28, 2018 3:26 PM
To: Postfix users 
Subject: RE: Can postfix send encrypted but not authenticated emails ?

Hi, thank you Viktor.

I was able to replicate the error [ a deferral] from O365

450 4.4.317 cannot connect to remote server message= 451 5.7.3 STARTTLS is 
required to send mail

My server 137.99.25.233 on port 25 is not accepting the mail.

I can not control what O365 does, they send on port 25, and I can't find my 
settings that are blocking it?

Even stranger, my identical servers in Azure will accept the mail? Just trying 
to understand the differences to ID the problem.

Confused why this works :
[root@mta2 postfix]# telnet azuresmtp.uconn.edu 25
Trying 104.45.142.253...
Connected to azuresmtp.uconn.edu.
Escape character is '^]'.
220 uconnmta6.cloudapp.net ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye

And why this does not ?
[root@uconnMTA5 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
telnet: connect to address 137.99.25.233: Connection timed out


Am I on the right track noticing there is no 250-STARTTLS ?
[root@mta2 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
Connected to 137.99.25.233.
Escape character is '^]'.
220 mta3.uits.uconn.edu ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Thursday, June 28, 2018 1:05 PM
To: Postfix users 
Subject: Re: Can postfix send encrypted but not authenticated emails ?



> On Jun 28, 2018, at 12:41 PM, Fazzina, Angelo  
> wrote:
> 
> Hi, I have been reading the online docs for  TLS_README.html and 
> SASL_README.html but still having trouble deducing if I can get Postfix 2.6 
> to accept email over port 587 without giving Postfix a username and password?

The submission service on ports 587 and 465 is for sending email outbound,
possibly to remote domains, from the end-user's MUA.  While some MTAs on
laptops and SOHO environments send outbound mail via their provider's
submission service, they're essentially just proxies for the user's MUA,
and the mail is still on the "outbound" leg of its journey.
So 587 and 465 are not MTA-to-MTA relay services.

Outbound email requires authentication, due to the potential of open-relay
abuse by spammers.

> I would like to change it so postfix will accept email without a username and 
> password, specifically from Office 365, and with encryption [TLS].

If the email is addressed to your domain (inbound email), Postfix will accept
it from all senders, without SASL authentication.

  https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2FBASIC_CONFIGURATION_README.html%23mydestinationdata=02%7C01%7Cangelo.fazzina%40uconn.edu%7C299d6e80854b4686562708d5dd19645b%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636658023504600844sdata=pRznQ7f3nztX9VLEkNcu0otSkqdVKNKTAfkAPqmBO3Y%3Dreserved=0
  https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2FVIRTUAL_README.html%23canonicaldata=02%7C01%7Cangelo.fazzina%40uconn.edu%7C299d6e80854b4686562708d5dd19645b%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636658023504600844sdata=VfZDH5y%2BaHj1Qhtdt87n3ato8oPDixD%2BbEFUuogter0%3Dreserved=0

> I would add that I am not looking to change the current config, but just add 
> this new ability.
>  
> Is it as simple as adding
> 
>   smtpd_tls_security_level = may
> 
> into main.cf ?

To enable inbound opportunistic TLS you'll need that and a suitable
(self-signed is sufficient) certificate, if you already have one for
port 587, you can use that one.


https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2FTLS_README.html%23quick-startdata=02%7C01%7Cangelo.fazzina%40uconn.edu%7C299d6e80854b4686562708d5dd19645b%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636658023504757098sdata=wowhYgr5ogYqjpQx%2Fwf6d1E8yoO
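As an added example (not code from the thread or from Postfix), the STARTTLS check that the telnet transcripts above do by hand, in Python: parse_ehlo reads a pasted transcript like the two quoted above, and probe_starttls (a hypothetical helper) does a live EHLO and STARTTLS against a host you name; the HELO name probe.example.invalid is a placeholder.

```python
"""Check whether an SMTP listener advertises STARTTLS, as the telnet
transcripts in this thread do by hand.  A missing 250-STARTTLS is what makes
a TLS-requiring sender defer with "451 5.7.3 STARTTLS is required".
Added example, not part of the original thread."""
import smtplib
import ssl
import sys

# Constructed from the two EHLO exchanges quoted in the thread.
AZURE_EHLO = """\
220 uconnmta6.cloudapp.net ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
MTA3_EHLO = """\
220 mta3.uits.uconn.edu ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(transcript):
    """Turn a telnet-style EHLO exchange into {KEYWORD: params}.

    Only the 250 reply lines matter; the first of them carries the server
    hostname rather than a feature and is skipped.
    """
    features = {}
    reply = [ln.strip() for ln in transcript.splitlines()
             if ln.strip().startswith("250")]
    for line in reply[1:]:
        body = line[4:].strip()            # drop "250-" or "250 "
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params.strip()
    return features


def verdict(features):
    """Explain what a TLS-requiring sender (such as O365) will see."""
    if "STARTTLS" in features:
        return "STARTTLS offered: opportunistic TLS senders can encrypt"
    return ("no STARTTLS offered: senders that insist on TLS will defer; "
            "in Postfix this needs smtpd_tls_security_level = may plus a "
            "certificate (self-signed is enough for opportunistic TLS)")


def probe_starttls(host, port=25, helo="probe.example.invalid",
                   verify=True, timeout=10.0):
    """Live check (hypothetical helper): EHLO, then STARTTLS if offered.

    With verify=True a self-signed certificate is reported as unverifiable,
    which is harmless for opportunistic TLS but worth knowing about.
    """
    result = {"host": host, "port": port, "keywords": [],
              "starttls_offered": False, "tls_version": None,
              "cipher": None, "cert_verified": None, "error": None}
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        smtp.connect(host, port)
        smtp.ehlo(helo)
        # esmtp_features is filled in by ehlo(); keys are lower-case keywords
        result["keywords"] = sorted(k.upper() for k in smtp.esmtp_features)
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            smtp.starttls(context=ctx)
            result["tls_version"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
            result["cert_verified"] = verify
    except ssl.SSLCertVerificationError as exc:
        result["cert_verified"] = False
        result["error"] = "certificate not verifiable: " + exc.verify_message
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return result


if __name__ == "__main__":
    for name, text in (("azure", AZURE_EHLO), ("mta3", MTA3_EHLO)):
        print(name, "->", verdict(parse_ehlo(text)))
    if len(sys.argv) > 1:       # e.g. python check_starttls.py mx.example.org
        print(probe_starttls(sys.argv[1]))
```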

RE: Can postfix send encrypted but not authenticated emails ?

2018-06-28 Thread Fazzina, Angelo
Hi, thank you Viktor.

I was able to replicate the error [ a deferral] from O365

450 4.4.317 cannot connect to remote server message= 451 5.7.3 STARTTLS is 
required to send mail

My server 137.99.25.233 on port 25 is not accepting the mail.

I can not control what O365 does, they send on port 25, and I can't find my 
settings that are blocking it?

Even stranger, my identical servers in Azure will accept the mail? Just trying 
to understand the differences to ID the problem.

Confused why this works :
[root@mta2 postfix]# telnet azuresmtp.uconn.edu 25
Trying 104.45.142.253...
Connected to azuresmtp.uconn.edu.
Escape character is '^]'.
220 uconnmta6.cloudapp.net ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye

And why this does not ?
[root@uconnMTA5 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
telnet: connect to address 137.99.25.233: Connection timed out


Am I on the right track noticing there is no 250-STARTTLS ?
[root@mta2 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
Connected to 137.99.25.233.
Escape character is '^]'.
220 mta3.uits.uconn.edu ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Viktor Dukhovni
Sent: Thursday, June 28, 2018 1:05 PM
To: Postfix users 
Subject: Re: Can postfix send encrypted but not authenticated emails ?



> On Jun 28, 2018, at 12:41 PM, Fazzina, Angelo  
> wrote:
> 
> Hi, I have been reading the online docs for  TLS_README.html and 
> SASL_README.html but still having trouble deducing if I can get Postfix 2.6 
> to accept email over port 587 without giving Postfix a username and password?

The submission service on ports 587 and 465 is for sending email outbound,
possibly to remote domains, from the end-user's MUA.  While some MTAs on
laptops and SOHO environments send outbound mail via their provider's
submission service, they're essentially just proxies for the user's MUA,
and the mail is still on the "outbound" leg of its journey.
So 587 and 465 are not MTA-to-MTA relay services.

Outbound email requires authentication, due to the potential of open-relay
abuse by spammers.

> I would like to change it so postfix will accept email without a username and 
> password, specifically from Office 365, and with encryption [TLS].

If the email is addressed to your domain (inbound email), Postfix will accept
it from all senders, without SASL authentication.

  https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2FBASIC_CONFIGURATION_README.html%23mydestinationdata=02%7C01%7Cangelo.fazzina%40uconn.edu%7C299d6e80854b4686562708d5dd19645b%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636658023504600844sdata=pRznQ7f3nztX9VLEkNcu0otSkqdVKNKTAfkAPqmBO3Y%3Dreserved=0
  https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2FVIRTUAL_README.html%23canonicaldata=02%7C01%7Cangelo.fazzina%40uconn.edu%7C299d6e80854b4686562708d5dd19645b%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636658023504600844sdata=VfZDH5y%2BaHj1Qhtdt87n3ato8oPDixD%2BbEFUuogter0%3Dreserved=0

> I would add that I am not looking to change the current config, but just add 
> this new ability.
>  
> Is it as simple as adding
> 
>   smtpd_tls_security_level = may
> 
> into main.cf ?

To enable inbound opportunistic TLS you'll need that and a suitable
(self-signed is sufficient) certificate, if you already have one for
port 587, you can use that one.


https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2FTLS_README.html%23quick-startdata=02%7C01%7Cangelo.fazzina%40uconn.edu%7C299d6e80854b4686562708d5dd19645b%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636658023504757098sdata=wowhYgr5ogYqjpQx%2Fwf6d1E8yoOVInQLGH78OJOixMY%3Dreserved=0
 
> I also heard Postfix can use maybe Kerberos tickets

Cross-organizational Kerberos is not common.  And not needed in your
use case of relaying between MTAs.  Kerberos can be used as a SASL
mechanism on port 587 between the MUA and the submission service.
This message's first hop is GSSAPI (specifically Kerberos) authenticated.
 
> Example :  email to ang...@uconn.edu goes to O365 and then O365 will forward 
> to smtp.uconn.edu [which relays back to O365] due to my mailbox being 
> angelo.fazz...@uconn.edu . If you send directly to angelo.fazz...@uconn.edu 
> O365 delivers to mailbox without having to forward the em

Can postfix send encrypted but not authenticated emails ?

2018-06-28 Thread Fazzina, Angelo
Hi, I have been reading the online docs for  TLS_README.html and 
SASL_README.html but still having trouble deducing if I can get Postfix 2.6 to 
accept email over port 587 without giving Postfix a username and password ?

My current understanding of how my server deals with mail is traffic on port 25 
with no username and password needed is only allowed from on-campus, and 
traffic on ports 465 and 587 is allowed when you provide a username and 
password, and postfix encrypts the email.

I would like to change it so postfix will accept email without a username and 
password, specifically from Office 365, and with encryption [TLS].
I would add that I am not looking to change the current config, but just add 
this new ability.

Is it as simple as adding   smtpd_tls_security_level = may   
into main.cf ?


I also heard Postfix can use maybe Kerberos tickets or certs and keys to allow 
Office 365 emails to be accepted by my postfix server, anyone know where in the 
docs that is ?  [BTW our MX goes to O365 and forwards mail it can not deliver 
to our Postfix server]

Example :  email to ang...@uconn.edu goes to O365 and then O365 will forward to 
smtp.uconn.edu [which relays back to O365] due to my mailbox being 
angelo.fazz...@uconn.edu . If you send directly to angelo.fazz...@uconn.edu 
O365 delivers to mailbox without having to forward the email.

Thank you for any guidance you guys have.

My postconf -n is below

[root@uconnMTA5 postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_dot_mydomain = no
biff = no
canonical_maps = regexp:/etc/postfix/maps/voip
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_list = 137.99.26.249
fast_flush_domains = $relay_domains, uits.uconn.edu, gapps.uconn.edu
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 31457280
mydestination = uconnsmtp.cloudapp.net uconnmta5.cloudapp.net, 
localhost.uits.uconn.edu, localhost, invalid.uconn.edu
myhostname = uconnmta5.cloudapp.net
mynetworks = /etc/postfix/files/mynetwork
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 500
smtpd_client_connection_rate_limit = 500
smtpd_client_event_limit_exceptions = 
${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 500
smtpd_client_new_tls_session_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
smtpd_client_restrictions = check_client_access 
hash:/etc/postfix/maps/block_ip, permit
smtpd_hard_error_limit = 100
smtpd_junk_command_limit = 3000
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/tls/certs/smtp_uconn_edu_2017_interm_root.cer
smtpd_tls_cert_file = /etc/pki/tls/certs/smtp_uconn_edu_x509_cert.cer
smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, 
RC4, aNULL
smtpd_tls_key_file = /etc/pki/tls/private/smtp_uconn_key.key
smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_domains = access.ced.uconn.edu appmail.uconn.edu eri.uconn.edu 
finearts.sfa.uconn.edu law.uconn.edu math.uconn.edu ropercenter.uconn.edu 
studentorgs.uconn.edu students.law.uconn.edu testexchange.uconn.edu uconn.edu 
huskymail.uconn.edu spamtest.uconn.edu lib.uconn.edu
virtual_alias_maps = hash:/etc/postfix/virtual 
mysql:/etc/postfix/files/mysql_pn.cf  regexp:/etc/postfix/maps/huskygroups 
regexp:/etc/postfix/maps/subaddressing

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: Feedback on Tutorial

2018-06-19 Thread Fazzina, Angelo
Hi, I took a quick look,

I did not see which version of Postfix this was based on, you may want to 
mention it as some settings require a minimum Postfix version to be running. 
Also, some of the command examples you gave have minimum versions needed to work.

I am no expert but I get lots of legit email from servers with no RDNS so this 
may be too strong a setting ??
smtpd_client_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unknown_reverse_client_hostname


The purpose of this section seems to be a bad idea ?
Removing Telltale Headers

How do you troubleshoot delivery or other problems without logs to show what 
postfix decided to do about an email ?


Finally, you mention "Nextcloud". I did not google it, so I do not know what it 
is. If you are talking about Postfix you should stick to generic topics without 
specifying specific brands of products, so a larger audience knows what you are 
talking about.  IMHO.
For example your user repository could be a Directory, database, or files. It 
may not help to mention specific products that implement those repositories ?

Thank you.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of da-postfixusers...@abelonline.de
Sent: Friday, June 15, 2018 7:52 PM
To: Postfix users 
Subject: Feedback on Tutorial

Hello Postfix users,

I made a relatively comprehensive tutorial[1] on how to set up a mail server 
(Postfix, Dovecot, Rspamd,..) and integrate it with Nextcloud. My goal was to 
create an all-in-one, step-by-step tutorial from beginning to end.

I partly used other tutorials as a basis, but also did a lot of research and 
e.g. used much stricter smtpd_*_restrictions than I have seen anywhere else.

It's a hobby project, I am not a full-time mail admin, so probably not useful 
for large companies.

I would greatly appreciate your feedback and hints on possible errors or 
oversights.

A direct link to the Postfix section: 
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2F123qwe.com%2Ftutorial%2F%23postfix=02%7C01%7Cangelo.fazzina%40uconn.edu%7C213ae3bd20fb4b79bb4c08d5d31b3189%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C1%7C636647036128899329=PfVxAft0NrOjsxCaTUhqmw3Y9cB3Nm2GXCmN%2BE0Hv4s%3D=0

Thank You

Alexey

[1] 
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2F123qwe.com=02%7C01%7Cangelo.fazzina%40uconn.edu%7C213ae3bd20fb4b79bb4c08d5d31b3189%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C1%7C636647036128899329=XLi2ndZ3kDr9qP9uwDmyixzKmFdMuEK7%2F5RvUrAzb1E%3D=0




RE: new strangeness with O365

2018-05-17 Thread Fazzina, Angelo
Hi, I'm not sure but this may be getting off topic but here goes.

I use full Outlook client and I think I have it setup to make new emails in 
Plain text, other options are RTF and HTML.
I am guessing replies come back in same format, but could easily be changed by 
replying client.

I guess I can change my client to HTML and see if future posts to the list that 
I get with links, come in normal or not.

Thanks.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Kris Deugau
Sent: Thursday, May 17, 2018 12:52 PM
To: postfix users 
Subject: Re: new strangeness with O365

Noel Jones wrote:
> The ability to hover on a link and see something depends on html
> code in the message, so this feature isn't possible in a plain text
> mail.

... especially if the "feature" relies on Javascript to work. 
Personally that's one of the very first things I do when I have reason 
to do a fresh install of Thunderbird or Seamonkey;  allowing active 
Javascript to execute in, from, or around an email message is just 
asking for trouble and IMO any support for it should never have been 
added to email clients in the first place.

-kgd


new strangeness with O365

2018-05-17 Thread Fazzina, Angelo
Hi, wanted to ask if anyone has this issue and how they deal with it ?

My work email is on O365 and we just turned ATP and EOP on so emails with URLS
are being rewritten. That is fine, but my issue is with plain text emails from
this list.
When they come in I get the rewritten hyperlink in the email instead of the URL
that was posted in the email. You are supposed to hover the mouse over the URL 
and then see the link below.
This big mess below is supposed to just be
http:// www. postfix.org/postconf.5.html #reject_unknown_client_hostname

O365 seems to work fine when emails are in HTML and it does its rewriting 
black magic

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postfix.org%2Fpostconf.5.html%23reject_unknown_client_hostname=02%7C01%7Cangelo.fazzina%40uconn.edu%7Cc19b58d8248e42ba3c3708d5b85340c2%7C17f1a87e2a254eaab9df9d439034b080%7C0%7C0%7C636617590067449013=guRSNY3sghtANvzcdtLMMfUCjXhdVgnNIgoDjRb%2BvQM%3D=0

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



RE: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

2018-05-15 Thread Fazzina, Angelo
Hi, sounds like you want

If from ( benachrichtig...@cubewerk.de) 
and from (10.8.1.1-3)
Then allow
Else REJECT

Sounds like you would need a regex expression to catch  two conditions and then 
act on it.

Not sure postfix can store result of first check and not act on it and make the 
second check and then act on the email ?
My guess is no…..?

Maybe someone more savvy knows how to do this.
Good Luck.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Stefan Bauer
Sent: Tuesday, May 15, 2018 11:39 AM
To: postfix-users@postfix.org
Subject: check rcpt to, from and destination in one session - nested 
smtpd_restriction_classes?

Hi,
postfix is configured as relay server. Other systems relay with postfix. Here I 
want to allow for a specific group of hosts, when they use a specific mail from 
address, only a few specific destination domains. Other hosts should not be 
bothered. This is only a need to limit a group of hosts to not accidentally 
send out mails to other domains.

smtpd_sender_restrictions = check_sender_access 
hash:/etc/postfix/benachrichtigung
smtpd_restriction_classes = benachrichtigung
benachrichtigung = check_recipient_access hash:/etc/postfix/erlaubt, reject

/etc/postfix/benachrichtigung
benachrichtig...@cubewerk.de benachrichtigung

/etc/postfix/erlaubt
microsoft.com OK
aol.com OK
yahoo.com OK
That works and only allows mails with mail from: 
benachrichtig...@cubewerk.de to above 
domains. How can I additionally say - and only limit sending of mails to these 3 
domains, if smtp connection is from 3 local IPs? (10.8.1.1-3) ?
I can not think of a way to achieve this.
thank you.
Stefan


RE: Ptr DNS and domains

2018-05-09 Thread Fazzina, Angelo
Hi, I would think if you are relaying mail for multiple domains then you may 
not need to.
I relay/handle mail for many sub domains of uconn.edu and some don’t have PTR 
records.

If it is not a sub domain I think you should follow best practice, and my guess 
is yes you want DNS configured as completely as possible.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Tobias Koeck
Sent: Wednesday, May 9, 2018 11:36 AM
To: postfix-users@postfix.org
Subject: Ptr DNS and domains

Hi,

if I want to use several domains on my Postfix server, does every domain need a 
unique PTR DNS entry to a unique IP, or is it enough to set $myhostname to 
the main domain?

smtp_helo_name = $myhostname
smtpd_proxy_ehlo = $myhostname

Greetings
Tobias



RE: postfix maximum load capacities by official document

2018-05-01 Thread Fazzina, Angelo
Thanks again,
To give you a little insight, I load balance 3 of these for smtp.uconn.edu
So back when I saw the 20K limit it was just DNS round robin which is not real 
load balancing.

I doubt latency of throughput will be significant enough that I notice it in 
the future, my experience seeing issues was over 3 years ago.



[root@mta1 incoming]# tune2fs -l /dev/mapper/vg_mta3-lv_root |grep  'Filesystem 
created'
Filesystem created:   Tue Mar 19 13:58:16 2013

[root@mta1 incoming]# free -m
             total       used       free     shared    buffers     cached
Mem:          1877       1526        350          0        208        747
-/+ buffers/cache:        571       1305
Swap:         2015        193       1822

[root@mta1 incoming]# more /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.9 (Santiago)

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
Behalf Of Viktor Dukhovni
Sent: Tuesday, May 1, 2018 1:23 PM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: postfix maximum load capacities by official document



> On May 1, 2018, at 12:50 PM, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> 
> Yes, I was guessing, must have been active and not incoming queue.
> Thanks for the explanation of what I was seeing.

I hope it is clear that the active queue size limits don't determine
the total number of messages Postfix can accept.  Considerably more
mail might be sitting in "incoming" and "deferred".

On modern systems with lots of RAM you can also raise the active
queue limits from the default 20,000 to 100,000 or perhaps more.
Do it gradually and see how much memory qmgr(8) consumes.

More active queue space can help when most of the traffic is to
a small number of slow destinations, which can fill the active
queue and starve out other traffic.

-- 
Viktor.



RE: postfix maximum load capacities by official document

2018-05-01 Thread Fazzina, Angelo
Yes, I was guessing, must have been active and not incoming queue.
Thanks for the explanation of what I was seeing.

Have a good week.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
Behalf Of Viktor Dukhovni
Sent: Tuesday, May 1, 2018 12:38 PM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: postfix maximum load capacities by official document



> On May 1, 2018, at 10:38 AM, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> 
> Hi, okay that makes sense.
> 
> I guess my next question is what is going on when we get a bulk mail campaign 
> or spam attack and I see the /var/spool/postfix/incoming 
> directory only allows 20,000 files in there ?

It is the "active" queue that qmgr(8) avoids filling with too many messages
at once, because each *active* message requires memory for scheduler metadata.
The incoming queue will grow (almost) as large as the filesystem permits, but
once the queue manager is no longer keeping up some SMTP sessions will incur 
the inflow-delay (but this does not prevent input from running faster than
output, rather it keeps the amount by which input *exceeds* output to at most
input concurrency / inflow_delay).

If you allow 100 parallel SMTP sessions, and have a 1s inflow delay, then
the input rate can *exceed* the output rate by 100 msgs/sec.  If that
goes on for long enough, your incoming queue will get rather large, but
only your filesystem space will cap that, not any hard-limit in Postfix.

-- 
Viktor.



RE: postfix maximum load capacities by official document

2018-05-01 Thread Fazzina, Angelo
Hi, okay that makes sense.

I guess my next question is what is going on when we get a bulk mail campaign 
or spam attack and I see the /var/spool/postfix/incoming 
directory only allows 20,000 files in there ?


Thanks.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
Behalf Of Wietse Venema
Sent: Tuesday, May 1, 2018 10:27 AM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: postfix maximum load capacities by official document

Fazzina, Angelo:
> Hi again, I guess I don't have a clear understanding of this in the man page ?
> 
> Ran command
>   [root@mta1 ~]# man 5 postconf
> 
> default_recipient_limit (default: 2)
> 
> The default per-transport upper limit on the number of IN-MEMORY
> recipients.

The Postfix mail queue is not an IN-MEMORY queue. That would limit
the amount of email that Postfix can handle, and it would violate
the requirement that mail is not lost after a system crash.

Wietse


RE: postfix maximum load capacities by official document

2018-05-01 Thread Fazzina, Angelo
Hi again, I guess I don't have a clear understanding of this in the man page ?

Ran command
[root@mta1 ~]# man 5 postconf




default_recipient_limit (default: 2)

The default per-transport upper limit on the number of in-memory recipients. 
These limits take priority over the global qmgr_message_recipient_limit after 
the message has been assigned to the respective transports. See also 
default_extra_recipient_limit and qmgr_message_recipient_minimum.

Use transport_recipient_limit to specify a transport-specific override, where 
transport is the master.cf name of the message delivery transport.




Thanks.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
Behalf Of Viktor Dukhovni
Sent: Monday, April 30, 2018 6:12 PM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: postfix maximum load capacities by official document



> On Apr 30, 2018, at 5:02 PM, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> 
> B. Our queues only hold 20,000 emails at a time

What is the reason for that?  Postfix has no such built-in limit...

-- 
Viktor.



RE: postfix maximum load capacities by official document

2018-04-30 Thread Fazzina, Angelo
Hi, I don't mean to hi-jack this thread but figured this was related.

I was asked in 2014 what rate of mail could flow through per hour.
I gave this response. Do you see anything dangerous in my assumptions ?

Thank you for looking.  BTW Postfix version is likely 2.6

###

I took a stab at this..
Assumptions:
Deliver 20,000 emails
All to Yahoo
Each email goes to only ONE recipient
Talisma sends us no more than 1000 emails at once
Talisma does not send email to us faster than we can send email out

1000 emails in per second = 20 seconds
20 emails out per second per domain (yahoo) = 996 seconds

996 + 20 = 1016 seconds = 16.93 minutes for 20,000 emails
60 minutes / 16.93 minutes = 3.54
20,000 emails * 3.54 = 70880 emails per hour

GOTCHAS:
A. If Talisma sends to us FASTER than we send mail out, there is a ONE second
delay added when we accept a new message.

B. Our queues only hold 20,000 emails at a time

Obviously they will not send to only one DOMAIN but this should be easy to
re-calculate once they know how many different domains a campaign is going to.

QUESTIONS:
Can the domains we send to handle this current setup?
Should we change our setup?
If we do change the setup, will the domains we send to be able to handle our higher
volume?



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of si5
Sent: Friday, April 27, 2018 11:40 AM
To: postfix-users@postfix.org
Subject: Re: postfix maximum load capacities by official document

Wietse Venema wrote
> si5:
>> >>May I suggest: you test the modified code and the unmodified code
>> >>and then try to explain why one is better than the other.
>> 
>> >>Wietse
>> 
>> Yes we have tested unmodified code with spirent(200,000 mails per 10
>> minutes) and drops were very less.
> 
> That's 300/s, a performance level that Viktor reported for unmodified
> Postfix with a Dell server from 2003.
> 
> https://groups.google.com/forum/?fromgroups=#!topic/mailing.postfix.users/pPcRJFJmdeA
> 
> "One single Postfix instance has been clocked at ~300 message
> deliveries/second[8] across the Internet, running on commodity
> hardware (a vintage-2003 Dell 1850 system with battery-backed
> MegaRAID controller and two SCSI disks). This delivery rate is
> an order of magnitude below the "intrinsic" limit of 2500 message
> deliveries/second[8] that was achieved with the mail queue on
> a RAM disk while delivering to the "discard" transport (with a
> dual-core Opteron system in 2007)."
> 
>> Of course the unmodified code is better
>> but we modified it based on our requirements and now we are testing it
>> too.
>> And it is showing significant mail drops. Once we are able to make the drops
>> less we want to document the maximum load capacities of this modified
>> server. That's why we are trying to find a document which has such
>> information
>> so that we can do an analogous testing and documentation.
> 
> There is no 'formula' to predict the behavior of a non-trivial
> program, especially not when the performance is determined by remote
> network performance, remote DNS server performance, and remote SMTP
> server performance. Meaningful numbers require meaningful measurements.
> 
> BTW I would not consider a mail system as 'working' until all 'lost
> mail' instances can be explained. Your requirements may vary.
> 
>   Wietse


Thank you for taking time to reply. The information is really helpful.

Regards



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


RE: alternate ways to mark messages with Received SPF : None

2018-04-24 Thread Fazzina, Angelo
Hi, wouldn’t that break the DKIM sig if the email was signed ?


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Selcuk Yazar
Sent: Tuesday, April 24, 2018 10:05 AM
To: postfix-users@postfix.org
Subject: alternate ways to mark messages with Received SPF : None

Hi,

How can I mark emails (as SPAM or something else) if they have the header "Received
SPF : None"?

We have a Red Hat EL6 server but its SpamAssassin version is 3.3.1. It's a little bit
risky for me to upgrade to the latest version :)

Any alternate solution?

regards.

--
Selçuk YAZAR


RE: user unknown in virtual mailbox table

2018-04-18 Thread Fazzina, Angelo
You will get more help if you provide helpful info.

http://www.postfix.org/DEBUG_README.html#mail


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Alfredo De Luca
Sent: Wednesday, April 18, 2018 10:15 AM
To: postfix-users@postfix.org
Subject: user unknown in virtual mailbox table

Hi all.
We have 2 domains managed by Postfix.

When I send an email to a non-existing user in the first domain I get back an
email "user unknown", while if I send it to the second domain I don't receive
anything.

Any issue/clue on this?

Thanks

--
Alfredo



RE: Howto configure Postfix to relay messages from a specific email address

2018-03-20 Thread Fazzina, Angelo
Hi, I use Postfix version 2.6 or 2.10, I forget.

Can you test setting these settings ?
In main.cf

#relay_domains = test.uconn.edu $mydestination
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

tfix]# more relay_recipients
angelo.fazz...@test.uconn.edu OK



Not sure if the virtual_alias_domains setting may help you as well?

Good Luck.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of phep
Sent: Tuesday, March 20, 2018 9:42 AM
To: postfix-users@postfix.org
Subject: Howto configure Postfix to relay messages from a specific email address

Hi,

Let's say my domain is example.com. We have a bunch of servers that are 
authorised to use our SMTP server to relay their mail to the outside with 
something like :

mynetworks: 192.168.250.0/24

So far, so good.

Now I have a sister organisation with domain example2.com that operates a
web app that needs to send mail through our Postfix server and I want to
relay mails sent from this web app provided the message's sender matches a
specific email address (say web...@example2.com).

How can I do that in main.cf ? Simply adding the web app server IP to 
mynetworks would not do the trick since I'd rather not relay any email 
traffic from this server, only this webapp messages (notwithstanding fake 
headers).

I read through smtpd_reject_unlisted_recipient and smtpd_relay_restrictions 
documentation but could not figure out how to do it.

Thanks in advance,

phep


RE: Postfix - Amavis erroneous SPAM

2018-03-12 Thread Fazzina, Angelo
Hi, I would expect you need to search your logs for all the entries for this 
email

CB9E3837E0F

To see exactly what happened and go from there ?
Good Luck.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Enrico Morelli
Sent: Monday, March 12, 2018 9:15 AM
To: postfix-users@postfix.org
Subject: Postfix - Amavis erroneous SPAM

Dear all, a software that controls a piece of hardware has to send alarm mail when
something happens. Starting from two weeks ago, the alarms stopped being
sent and checking the mail server logs I see the following message:

Mar 12 09:03:57 mailserver amavis[14797]: (14797-01) Blocked SPAM
{DiscardedOpenRelay,Quarantined}, [150.217.XXX.XXX]:3685 [150.217.XXX.XXX] 
 ->
, quarantine: M/spam-M9145UbnjoSh.gz, Queue-ID: 
CB9E3837E0F, Message-ID:
<5E7A686C7FD740989C918BF83AAEECF3@6204eng1>, mail_id: M9145UbnjoSh,
Hits: 6.57, size: 639, 551 ms


The alarms are blocked as SPAM. Is there a way to instruct
amavis/postfix that these mails aren't SPAM?


-- 
---
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY



RE: Postfix using all CPU after nightly mail submission

2018-02-21 Thread Fazzina, Angelo
Hi Zach, my Postfix box is on VMware too. Did the folks that manage VMware see
any oddity? No alarms? No performance spikes?
Also I use Zabbix for monitoring so I get email warnings when certain 
thresholds are exceeded.

Maybe the backend VMware storage is having an issue ?  shooting from the hip 
here…
Good Luck.
-ALF
P.S. not sure if list allows including pics from Win10 snipping tool.  ;-)

It doesn’t
http://tinypic.com/r/25hhh68/9



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Zach Sheppard
Sent: Wednesday, February 21, 2018 8:31 AM
To: Postfix users 
Subject: Re: Postfix using all CPU after nightly mail submission

Hi Wietse,

I limited my postfix installation to default_process_limit 5, 4, 3, 2, and even 
1, and still saw the same effects. I am thinking it might be either my opendkim 
milter (which applies the DKIM signature for each mail) or SASL as these are 
the only other processes on the server. Are you aware of any issues with either 
related to I/O? I have not seen any configuration settings for opendkim to do 
any performance throttling.

I am still dumbfounded how this continues to occur. I am not sending mail in 
large quantity - maybe 7,000-8,000 total - just in a short amount of time. The 
I/O shouldn't be THAT high... at least not to leave the server unresponsive... 
the mail client connects to my server every evening (around midnight) and sends 
mails in a burst fashion within an hour or so.

I did as you suggested and opened a console on the VMWare host, did a tail of 
the mail log, and it sent mail for a good 5-10 minutes before finally becoming 
unresponsive. I tried to Ctrl-C out of tail, nothing. I've done the same 
monitoring with top and still see no culprit for the sudden halt. I check 
syslog and other logs on the server and see no crashes or panics.

Any other ideas what might be causing this? Further debugging I can do?

Thanks

On Fri, Jan 19, 2018 at 2:26 PM, Wietse Venema 
> wrote:
Zach Sheppard:
> Wietse:
>
> I have not made any changes to rsyslog.conf. All it does it redirect all
> mail log messages to one log in /var/log/mail which I rotate with a cron
> script nightly. However, I do agree that it really could be the only other
> process that could be hanging the server.
>
> I'm not able to determine what program is consuming the CPU because I can't
> login to the console when this occurs. The only way I can recover the
> machine is by forcibly powering off.

I suspect that heavy I/O from Postfix and syslog is too much for
your VM.

To diagnose the problem, run screen(1) on a stable machine, and
then open a login session into the VM while it still responsive.
Then come back to that screen session when things go bad. You're
likely to find that when the VM is very slow, all time is spent in
the VM's kernel, and the host's VMM.

Note that VMs, while fine for CPU-bound jobs, can introduce serious
CPU overhead for things that do massive amounts of I/O like Postfix
plus syslog.

If you can't get a better VM, you can reduce the impact from a
'large' mailing by reducing the number of concurrent Postfix SMTP
server and client processes.

# postconf default_process_limit=10
# postfix reload

Wietse




RE: Postfix queue

2018-02-12 Thread Fazzina, Angelo
Hi, I would think you could write a script to do what you need ?

Here is one I use that is in Python.


[root@mta3 alf02013]# Summary


   Usage:  Summary -s -h {-|POSTFIX_LOG} [ POSTFIX_LOG .. ]

   Summarize postfix mail log.  Gzipped files are OK.

   Print one line for each delivered email, with these columns

  TIME_RECEIVED   TIME_SENT   ELAPSED QUEUEID  SOURCE_IP
   AUTHENTICATE_USER  FINAL_STATUS  FROM_ADDR  TO_ADDRS

   OPTIONS
 -h  Print column headers
 -s  Include email subject (if in Postfix log)




-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of j.emerlik
Sent: Monday, February 12, 2018 10:07 AM
To: postfix-users@postfix.org
Subject: Postfix queue

Lately I wrote in Python a Postfix policy service that does something I
wanted.
Now I am thinking about the next service, but I don't know, maybe it is not possible.
This is my question:
Is it possible to write some service similar to e.g.

check_policy_service unix:private/policy-spf
Is it possible to write some policy service that will be working with the Postfix
queue?

I would like to have a policy service that will be able to write to a database some
information, e.g. when exactly a message was sent, message ID, DSN if something
goes wrong. That means it should be working with the Postfix queue.
But policy services can be configured with smtpd_sender_restrictions and
smtpd_recipient_restrictions.
Is it possible to configure some policy service with the Postfix queue?
Regards,
MattX
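As an added example (not Angelo's Summary script and not code from this thread), here is a small Python log summarizer in the same spirit: it joins the smtpd, cleanup, qmgr and smtp lines that share a queue ID and emits one row per recipient delivery with the time received, time sent, elapsed time, client IP, SASL user, DSN and status, which is the information MattX wanted to record. The log lines are constructed sample data and the syslog year is supplied by the caller, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample Postfix log (not real traffic): one message with two
# recipients, one delivered and one bounced, plus a warning line to skip.
SAMPLE_LOG = """\
Feb 12 10:07:01 mta3 postfix/smtpd[2101]: 4F3A1C09B4: client=app01.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=appuser
Feb 12 10:07:01 mta3 postfix/cleanup[2102]: 4F3A1C09B4: message-id=<constructed-1@example.net>
Feb 12 10:07:01 mta3 postfix/qmgr[2090]: 4F3A1C09B4: from=<alerts@example.net>, size=1532, nrcpt=2 (queue active)
Feb 12 10:07:03 mta3 postfix/smtp[2110]: 4F3A1C09B4: to=<alice@example.com>, relay=mx.example.com[198.51.100.25]:25, delay=2.1, delays=0.5/0.01/0.9/0.7, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 12 10:07:05 mta3 postfix/smtp[2111]: 4F3A1C09B4: to=<bob@example.org>, relay=mx.example.org[203.0.113.7]:25, delay=4.3, delays=0.5/0.01/1.2/2.5, dsn=5.1.1, status=bounced (host mx.example.org[203.0.113.7] said: 550 5.1.1 user unknown (in reply to RCPT TO command))
Feb 12 10:07:05 mta3 postfix/qmgr[2090]: 4F3A1C09B4: removed
Feb 12 10:07:09 mta3 postfix/smtpd[2101]: warning: hostname bad.example does not resolve to address 203.0.113.99
"""

# Syslog prefix, daemon name and queue ID common to every per-message line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
# Postfix writes the connecting host as name[ip].
CLIENT_RE = re.compile(r"client=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]")
# key=value pairs; addresses and message-ids are wrapped in <...>.
FIELD_RE = re.compile(r"(?P<key>[a-z_-]+)=(?P<val><[^>]*>|[^,\s]+)")


def parse_fields(rest):
    """Turn 'to=<a@b>, relay=..., status=sent (...)' into a dict."""
    return {m["key"]: m["val"].strip("<>") for m in FIELD_RE.finditer(rest)}


def parse_ts(text, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def summarize(log_text, year=2018):
    """Return one row per recipient delivery attempt, joined across the
    smtpd/cleanup/qmgr/smtp lines that share a queue ID."""
    messages = {}   # queue ID -> what is known about the message so far
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qid"] in ("warning", "NOQUEUE"):
            continue   # not a per-message line (warnings, rejects)
        msg = messages.setdefault(m["qid"], {
            "client_ip": "-", "sasl_username": "-", "from": "-",
            "message_id": "-", "received": None})
        fields = parse_fields(m["rest"])
        if "client" in fields:
            # smtpd line: when the message arrived, from which IP, as which user
            msg["received"] = parse_ts(m["ts"], year)
            c = CLIENT_RE.search(m["rest"])
            msg["client_ip"] = c["ip"] if c else "-"
            msg["sasl_username"] = fields.get("sasl_username", "-")
        if "message-id" in fields:
            msg["message_id"] = fields["message-id"]
        if "from" in fields:
            msg["from"] = fields["from"]
            if msg["received"] is None:   # locally submitted: no smtpd line
                msg["received"] = parse_ts(m["ts"], year)
        if "to" in fields and "status" in fields:
            # smtp/local line: one delivery attempt for one recipient
            sent = parse_ts(m["ts"], year)
            elapsed = ((sent - msg["received"]).total_seconds()
                       if msg["received"] else None)
            rows.append({
                "queue_id": m["qid"], "received": msg["received"], "sent": sent,
                "elapsed": elapsed, "client_ip": msg["client_ip"],
                "sasl_username": msg["sasl_username"], "from": msg["from"],
                "to": fields["to"], "relay": fields.get("relay", "-"),
                "dsn": fields.get("dsn", "-"), "status": fields["status"],
                "message_id": msg["message_id"]})
    return rows


if __name__ == "__main__":
    print("RECEIVED SENT ELAPSED QUEUEID CLIENT_IP SASL_USER STATUS DSN FROM TO")
    for r in summarize(SAMPLE_LOG):
        print(r["received"].strftime("%H:%M:%S"), r["sent"].strftime("%H:%M:%S"),
              f"{r['elapsed']:.0f}s", r["queue_id"], r["client_ip"],
              r["sasl_username"], r["status"], r["dsn"], r["from"], r["to"])
```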


RE: Offering STARTTLS in postfix. need help!

2018-01-12 Thread Fazzina, Angelo
My RHEL7 install, but it installs Postfix 2.10 and I use an LDAP backend for
password storage. Not sure it helps you?
-ALF

RAN vi /etc/postfix/master.cf
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
RAN vi /etc/postfix/main.cf
smtpd_relay_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

RAN yum install sssd
RAN yum install pamtester
RAN vi /etc/pam.d/smtp
auth  sufficient pam_unix_auth.so
auth  required   pam_ldap.so use_first_pass
account   sufficient pam_unix_acct.so
account   required   pam_ldap.so
comment out other lines(2)

RAN vi /etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = ou=people,dc=uconn,dc=edu
krb5_realm = UCONN.EDU
krb5_server = kerberos.uconn.edu
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.uconn.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = kadmin.uconn.edu
[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[nss]
homedir_substring = /home

[pam]

[autofs]

RAN chmod 600 /etc/sssd/sssd.conf
RAN yum install nss-pam-ldapd
RAN vi /etc/nslcd.conf
uri ldaps://ldap.uconn.edu
base dc=uconn,dc=edu
binddn 
bindpw  
tls_reqcert never
ssl no
tls_cacertdir /etc/openldap/cacerts
RAN yum install pam_ldap
RAN authconfig-tui
In "User information" pick "use LDAP"
In "Authentication" pick Use LDAP Authentication"
RAN yum install cyrus-sasl
RAN systemctl status saslauthd
RAN systemctl enable saslauthd
RAN systemctl start saslauthd
RAN yum install cyrus-sasl-plain
RAN pamtester smtp zzz00036 authenticate


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Philip Paeps
Sent: Friday, January 12, 2018 3:49 PM
To: postfix-users@postfix.org
Subject: Re: Offering STARTTLS in postfix. need help!

On 2018-01-12 15:45:33 (-0500), Sean Son wrote:
>How does one configure an internet facing Postfix SMTP mail relay 
>server, to offer STARTTLS?  I have been googling around and seeing 
>various different articles and blog entries, but I cannot figure out 
>what is the quickest and easiest way to do so.  I am running postfix on 
>RHEL 7.  Any help is greatly appreciated!

I'm surprised Google couldn't find 
http://www.postfix.org/TLS_README.html

DuckDuckGo returns it as the first hit for "Postfix TLS".

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information


RE: detect suspicious logins

2017-12-19 Thread Fazzina, Angelo
I bet I could get something like that going easily, as my logs go to Splunk.
Just not the biggest fire to put out at the moment.


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Matthew Broadhead
Sent: Tuesday, December 19, 2017 12:02 PM
To: postfix-users@postfix.org
Subject: detect suspicious logins

does anyone know of a linux module (maybe similar to fail2ban) that 
could be installed which would monitor email logs (sign ins) and alert 
the user to any suspicious activity on their account?  i suspect it 
would need to log geo location, device type and ip address to a 
database.  it seems like a module like this would be very useful and 
should exist already?  thanks in advance


RE: Proper procedure for importing TLS cert & private key for Postfix use

2017-12-08 Thread Fazzina, Angelo
This
"/etc/ssl/private/tlsprivate.key":
Does not equal
"/etc/ssl/private/tlsprivatekey.key"


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Security Admin (NetSec)
Sent: Friday, December 8, 2017 1:03 PM
To: postfix-users@postfix.org
Subject: Proper procedure for importing TLS cert & private key for Postfix use

Recently imported files that contained the TLS certificate and the private key.

Imported them to them proper directories and changed the default settings from 
the old cert & key files to the new files 
("smtpd_tls_cert_file=/etc/ssl/certs/tlscert.pem" and 
"smtpd_tls_key_file=/etc/ssl/private/tlsprivatekey.key").

When I ran a test e-mail to see if it worked, I got the following errors in 
"mail.log"


Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: cannot get RSA private 
key from file "/etc/ssl/private/tlsprivate.key": disabling TLS support
Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem: 
error:0906406D:PEM routines:PEM_def_callback:problems getting 
password:pem_lib.c:110:
Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem: 
error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:457:
Dec  6 21:15:36 portus postfix/smtpd[18839]: warning: TLS library problem: 
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:649:


Any thought on what I am doing wrong and how I might fix?  I am thinking 
possibly file permissions but did not want to chmod until I knew for sure.


Thanks in advance!


Ed Ray


RE: smtpd_sasl_auth_enable is true but sasl support is not compiled in (postfix-gento)

2017-11-30 Thread Fazzina, Angelo
And, if you wanna get more detailed this is all I do to test accounts.


RAN pamtester smtp ssl_test authenticate
to test ability to authenticate with account ssl_test  (it worked)
RAN testsaslauthd -s smtp -u ssl_test -p 
to test Saslauthd  (it worked)
RAN python -c 'import base64,sys; u,p=sys.argv[1:3]; print 
base64.encodestring("%s\x00%s\x00%s" % (u,u,p))' ssl_test 
to create hash  (it worked)
RAN openssl s_client -connect 137.99.203.233:465
helo uconn.edu
AUTH PLAIN  




-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Fazzina, Angelo
Sent: Thursday, November 30, 2017 4:25 PM
To: James Reynolds <reyno...@biology.utah.edu>; Postfix users 
<postfix-users@postfix.org>
Subject: RE: smtpd_sasl_auth_enable is true but sasl support is not compiled in 
(postfix-gento)

Mine that I use to test

openssl s_client -connect massmail.uconn.edu:465

openssl s_client -starttls smtp -connect massmail.uconn.edu:587

telnet is just for port 25   YMMV.

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of James Reynolds
Sent: Thursday, November 30, 2017 4:21 PM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: smtpd_sasl_auth_enable is true but sasl support is not compiled in 
(postfix-gento)

I have never heard of using openssl s_client instead of telnet so I tried to 
figure out how to use it.  I could connect to my server with the following.

openssl s_client -connect 10.0.1.1:25  -starttls smtp

And I can do "HELO" and "MAIL FROM:" but when I try to enter "RCPT TO:" I just 
get this output and I can't go further.

RENEGOTIATING
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP 
Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0

Do you know what is going on?  Maybe my certificate on my server is 
misconfigured and I didn't even know it?...

James


> On Nov 30, 2017, at 1:55 PM, Benny Pedersen <m...@junc.eu> wrote:
> 
> Yuri Ferreira skrev den 2017-11-30 17:49:
> 
>> someone help-me ?
> 
> to get more help:
> 
> postconf -nf
> postconf -Mf
> 
> on pastebin with a link to maillist
> 
> you should stop using telnet to test ssl, use openssl s_client ... to replace 
> it
> 
> man openssl
> 
> if you see AUTH on port 25 you made a mistake, but if you see STARTTLS it 
> works as best it could
> 
> enable smtpd_sasl on port 587 and 465, i know some will hit me now, but 
> clients sometimes need port 465 depending on clients



RE: smtpd_sasl_auth_enable is true but sasl support is not compiled in (postfix-gento)

2017-11-30 Thread Fazzina, Angelo
Mine that I use to test

openssl s_client -connect massmail.uconn.edu:465

openssl s_client -starttls smtp -connect massmail.uconn.edu:587

telnet is just for port 25   YMMV.

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of James Reynolds
Sent: Thursday, November 30, 2017 4:21 PM
To: Postfix users 
Subject: Re: smtpd_sasl_auth_enable is true but sasl support is not compiled in 
(postfix-gento)

I have never heard of using openssl s_client instead of telnet so I tried to 
figure out how to use it.  I could connect to my server with the following.

openssl s_client -connect 10.0.1.1:25  -starttls smtp

And I can do "HELO" and "MAIL FROM:" but when I try to enter "RCPT TO:" I just 
get this output and I can't go further.

RENEGOTIATING
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP 
Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0

Do you know what is going on?  Maybe my certificate on my server is 
misconfigured and I didn't even know it?...

James


> On Nov 30, 2017, at 1:55 PM, Benny Pedersen  wrote:
> 
> Yuri Ferreira skrev den 2017-11-30 17:49:
> 
>> someone help-me ?
> 
> to get more help:
> 
> postconf -nf
> postconf -Mf
> 
> on pastebin with a link to maillist
> 
> you should stop using telnet to test ssl, use openssl s_client ... to replace 
> it
> 
> man openssl
> 
> if you see AUTH on port 25 you made a mistake, but if you see STARTTLS it 
> works as best it could
> 
> enable smtpd_sasl on port 587 and 465, i know some will hit me now, but 
> clients sometimes need port 465 depending on clients



RE: smtpd_sasl_auth_enable is true but sasl support is not compiled in (postfix-gento)

2017-11-30 Thread Fazzina, Angelo
Hi,
I put  STARTTLS on port 587 SSL on port 465 and regular on port 25

Not sure how to do  encrypted and unencrypted on port 25 ?

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Yuri Ferreira
Sent: Thursday, November 30, 2017 11:49 AM
To: postfix-users@postfix.org
Subject: smtpd_sasl_auth_enable is true but sasl support is not compiled in 
(postfix-gento)

I'm having problems with cyrus-sasl. testsaslauthd is ok, but when I use
telnet localhost 25, I get this:

root # telnet localhost 25
Trying ::1.
Espace character is '^]'.
220 postfix.dominio.com.br ESMTP MEU DOMINIO
ehlo postfix
250-postfix.dominio.com.br
250-PIPELINING
250-SIZE 1024
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DNS

AUTH PLAIN
502 5.5.1 Error: command not implemented
AUTH LOGIN
502 5.5.1 Error: command not implemented

my mail.log:
warning smtpd_sasl_auth_enable is true but sasl support is not compiled in

my postfix was installed with support for:

[ebuild   R] mail-mta/postfix-3.1.6::gentoo  USE="berkdb eai ldap  sasl
ssl mbox -cdb -doc -dovecot-sasl -hardened -ldap-bind (-libressl) -lmdb
-memcached -mysql -nis -postgres (-selinux) -sqlite"

Can someone help me?







RE: Backup mx relay got rejected due to SPF

2017-11-17 Thread Fazzina, Angelo
Hi, to me it looks like email  
from=
 to=

Came in and was cleaned
Nov 17 11:13:00 mail MailScanner[9148]: Content Checks: Detected and have 
disarmed web bug, phishing tags in HTML message in 9202040121F2.A6CDC from 
communicati...@emails.aircanada.com
And requeued
Nov 17 11:13:00 mail MailScanner[9148]: Requeue: 9202040121F2.A6CDC to 
EEAA64012121

And rejected
Nov 17 11:13:02 mail postfix/smtp[9639]: EEAA64012121: 
to=, 
relay=zeta.othermx.com[206.116.44.138]:25, delay=12, delays=10/0.01/1.3/0.33, 
dsn=5.7.1, status=bounced (host zeta.othermx.com[206.116.44.138] said: 550 
5.7.1 : Recipient address rejected: 
Please see 
http://www.openspf.net/Why?s=mfrom;id=communications%40emails.aircanada.com;ip=209.53.201.252;r=zeta.othermx.com
 (in reply to RCPT TO command))
WHY ??
According to
http://www.openspf.org/Why?s=mfrom;id=communications%40emails.aircanada.com;ip=209.53.201.252;r=zeta.othermx.com

the MX of mxdove.com is mail.mxdove.com but mail.mxdove.com has no SPF entry 
that I can find.
Also From was @emails.aircanada.com and allowed IP’s are
p18.neolane.net.1229IN  TXT "v=spf1 ip4:70.38.33.128/30 
ip4:70.38.36.40/30 ip4:174.142.154.200/30 ip4:174.142.245.174 
ip4:174.142.245.175 -all"
But the email came from mail.mxdove.com (209.53.201.252) according to the link 
above.

Your logs show it came from [70.38.36.41]

In short I think SPF checking looks only one hop back, and you want to relay, 
so you need to configure things for that.
Not sure I helped but I tried.


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

Hi,

I just built a Postfix mail server (mail.mytestmx.com) with PostfixAdmin, SPF
and DKIM, etc. It works very well. Now I try to use the newly built server as the
backup mail server of another server (zeta.othermx.com), so I added a backup
domain in PostfixAdmin and set up DNS accordingly. Later an email came in
with destination b...@othermx.com, and the relay
attempt got rejected at zeta.othermx.com because of SPF.

So what is the solution here? Should I add mail.mytestmx.com to
zeta.othermx.com's SPF record and make it trust it? If so, are there any risks?
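As an added example (not part of the thread, and not a full SPF implementation), here is a Python evaluator for the ip4/ip6/all mechanisms of an SPF record, run offline without DNS against the neolane record Angelo quoted above: the original sending host (70.38.36.41, the IP seen in the poster's logs) passes, while the backup MX's own address (209.53.201.252) reaches -all and fails, which is the "only one hop back" effect Angelo describes. Mechanisms that need DNS (include, a, mx) are reported as unsupported rather than resolved.

```python
import ipaddress

# SPF record quoted in the thread above (TXT record for p18.neolane.net).
NEOLANE_SPF = ("v=spf1 ip4:70.38.33.128/30 ip4:70.38.36.40/30 "
               "ip4:174.142.154.200/30 ip4:174.142.245.174 "
               "ip4:174.142.245.175 -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the IP of
    the host connecting to us (the last hop only, never the originating host).
    Returns pass/fail/softfail/neutral, 'none' if nothing matched, 'permerror'
    for a malformed network, or 'unsupported' for DNS-based mechanisms."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]     # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"                 # include:/a/mx need DNS lookups
    return "none"


def check_relay_path(record, hops):
    """Show the result each hop would get if it were the one delivering to the
    final MX; a backup MX that relays is judged on its own address."""
    return {hop: evaluate_spf(record, hop) for hop in hops}


if __name__ == "__main__":
    # Constructed relay path from the thread: neolane host -> backup MX -> zeta
    for hop, result in check_relay_path(
            NEOLANE_SPF, ["70.38.36.41", "209.53.201.252"]).items():
        print(f"{hop:16} {result}")
```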




RE: Minimum postfix

2017-10-26 Thread Fazzina, Angelo
Hi,
I'm pretty sure you need to:
1. Configure Zimbra.
2. Configure Postfix so it accepts mail that is destined for the Zimbra server,
whatever domain that is. Then Postfix is configured to relay the mail to the next
hop, which sounds like the Zimbra server from your description of the mail flow.
3. Send a test email and look at your Postfix logs to see the email was
accepted and processed to be sent along to the Zimbra server.

Postfix logs are pretty good at telling you what the issue is, so test it.
Good Luck.

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of 9acca9
Sent: Thursday, October 26, 2017 12:34 PM
To: postfix-users@postfix.org
Subject: Minimum postfix

Hello everyone.
We have contracted a mail service and we want to make some changes.
The idea is to install zimbra on a local server of ours and that zimbra take
the mails of the postfix of the contracted service.
To test, we are installing a postfix locally on another server.
(ie zimbra and postfix are installed on different servers and will be
published accessible to the internet with different ip to simulate the
scenario we want).
I wanted to ask if you can give me a hand with the postfix configuration.
For now this is my main.cf file

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the SMTP client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
myhostname = postfix.dominio.org.es
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, domain.org.us, localhost.domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 8192000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/


-- --

Would I have to modify something else ???
-Add mx records in dns and spf
and to allow access to Zimbra should configure something else in this
configuration?
should I add zimbra's public ip in mynetworks ??
The truth that I do not know if it is Zimbra who enters the postfix to
download the mails or if it is Postfix who sends them to zimbra

Greetings to all and thanks, sorry but I do not know the subject and I'm
just getting soaked (although I was watching many tutorials, but from what I
saw, I guess the tutorials were more extensive than I need).

(i dont speak english)



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


RE: Virtual alias maps question

2017-10-24 Thread Fazzina, Angelo
Hi again,
Thanks, that was helpful, and got me on the right track.
I am pretty confident it's working now.   "test.uconn.edu" is not in the 
virtual_alias_domains list BTW.


/etc/postfix/virtual =
angt...@uconn.edu  angelo.fazz...@test.uconn.edu
angelo.fazz...@test.uconn.edu alf02...@uconn.mail.onmicrosoft.com

/etc/postfix/relay_recipients = 
angelo.fazz...@test.uconn.edu OK


/etc/main.cf = 
relay_domains = test.uconn.edu $mydestination 

relay_recipient_maps = hash:/etc/postfix/relay_recipients

virtual_alias_maps = hash:/etc/postfix/virtual 
mysql:/etc/postfix/files/mysql_pn.cf  regexp:/etc/postfix/maps/huskygroups 
regexp:/etc/postfix/maps/subaddressing


From these logs I think the only way it could have done the mapping is seeing 
angt...@uconn.edu goes to angelo.fazz...@test.uconn.edu which goes to my 
alf02013 account. So I think the virtual file is being read correctly now. 
Yippee!

Not to mention I double checked there is nothing in the MySQL 
DB that matches ang*@test.*


Oct 24 16:08:10 mta4 postfix/smtpd[13690]: connect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct 24 16:08:10 mta4 postfix/smtpd[13690]: 38DAFAF: 
client=angelo.uits.uconn.edu[137.99.80.129], sasl_method=PLAIN, 
sasl_username=alf02013
Oct 24 16:08:10 mta4 postfix/cleanup[13696]: 38DAFAF: warning: header Subject: 
newest from angelo.uits.uconn.edu[137.99.80.129]; 
from= to= proto=ESMTP 
helo=<[137.99.80.129]>
Oct 24 16:08:10 mta4 postfix/cleanup[13696]: 38DAFAF: 
message-id=<5dc0defa-f73b-feea-08db-3cbbfe51e...@appmail.uconn.edu>
Oct 24 16:08:10 mta4 opendkim[24106]: 38DAFAF: DKIM-Signature field added 
(s=dkim1, d=mta4.uits.uconn.edu)
Oct 24 16:08:10 mta4 postfix/qmgr[13580]: 38DAFAF: 
from=, size=670, nrcpt=1 (queue active)
Oct 24 16:08:10 mta4 postfix/smtpd[13690]: disconnect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct 24 16:08:11 mta4 postfix/smtp[13698]: 38DAFAF: 
to=, orig_to=, 
relay=uconn-mail-onmicrosoft-com.mail.protection.outlook.com[216.32.181.170]:25,
 delay=1.4, delays=0.1/0.01/0.25/1, dsn=2.6.0, status=sent (250 2.6.0 
<5dc0defa-f73b-feea-08db-3cbbfe51e...@appmail.uconn.edu> 
[InternalId=154245160503103, Hostname=BN1PR05MB262.namprd05.prod.outlook.com] 
8911 bytes in 0.257, 33.757 KB/sec Queued mail for delivery)
Oct 24 16:08:11 mta4 postfix/qmgr[13580]: 38DAFAF: removed




-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Wietse Venema
Sent: Tuesday, October 24, 2017 3:41 PM
To: Postfix users 
Subject: Re: Virtual alias maps question

Keep in mind that virtual aliasing is recursive. The result of lookup 
is used as input for another querry. The recursion ends when:

- The result contains the query itself.

- The query produces no result.

Thus, you may want to specify:

/etc/postfix/virtual:
angelo.fazz...@uconn.edu        angelo.fazz...@test.uconn.edu
angelo.fazz...@test.uconn.edu   angelo.fazz...@test.uconn.edu

Wietse
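To make the two stopping rules Wietse states concrete, here is an added example (not code from the list or from Postfix) that expands a recipient the way virtual(5) aliasing does: the result of each lookup becomes the next query until the result equals the query or there is no result. It also models the first-match order across several tables in virtual_alias_maps, which is what the original question turned on. The addresses and tables are constructed placeholders, and the recursion guard mirrors Postfix's virtual_alias_recursion_limit default of 1000.

```python
from typing import Dict, List, Optional, Tuple

# Constructed alias tables in the spirit of the /etc/postfix/virtual example above.
# Postfix consults the tables listed in virtual_alias_maps in order and uses the
# first one that returns a result, so the hash: file is listed first here.
HASH_VIRTUAL: Dict[str, str] = {
    "alice@example.edu": "alice@test.example.edu",
    "alice@test.example.edu": "alice@test.example.edu",   # result == query: expansion stops
    "bob@example.edu": "bob@test.example.edu",
    "loop-a@example.edu": "loop-b@example.edu",
    "loop-b@example.edu": "loop-a@example.edu",           # a genuine alias loop
}
MYSQL_VIRTUAL: Dict[str, str] = {
    "alice@example.edu": "alice@mailbox.example",         # shadowed: the hash table answers first
    "bob@test.example.edu": "bob@mailbox.example",        # no entry for the result: stops there
}
MAPS: List[Dict[str, str]] = [HASH_VIRTUAL, MYSQL_VIRTUAL]

RECURSION_LIMIT = 1000   # Postfix: virtual_alias_recursion_limit (default 1000)


def lookup(addr: str, maps: List[Dict[str, str]]) -> Optional[str]:
    """First-match lookup across the ordered tables. Only the full-address key form is
    modelled; Postfix also tries user+extension and @domain keys, omitted here."""
    for table in maps:
        if addr in table:
            return table[addr]
    return None


def resolve(addr: str, maps: List[Dict[str, str]]) -> List[str]:
    """Return the whole rewrite chain, from the original recipient to the final one.

    Feeds each result back in as the next query. Stops when the query produces no
    result or produces itself; otherwise a loop would run until the guard trips."""
    chain = [addr]
    for _ in range(RECURSION_LIMIT):
        result = lookup(chain[-1], maps)
        if result is None or result == chain[-1]:
            return chain
        chain.append(result)
    raise RecursionError(f"virtual alias recursion limit exceeded expanding {addr}")


def delivery_pair(addr: str, maps: List[Dict[str, str]]) -> Tuple[str, str]:
    """(orig_to, to) as Postfix logs them: original recipient and final recipient."""
    chain = resolve(addr, maps)
    return chain[0], chain[-1]


def expands_cleanly(addr: str, maps: List[Dict[str, str]]) -> bool:
    """True unless expansion of addr hits the recursion guard (an alias loop)."""
    try:
        resolve(addr, maps)
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    for a in ("alice@example.edu", "bob@example.edu", "carol@example.edu"):
        print(a, "->", " -> ".join(resolve(a, MAPS)))
    print("loop-a expands cleanly:", expands_cleanly("loop-a@example.edu", MAPS))
```

The second table's entry for alice is never used because the first table answers for that key; that is the "Virtual is listed first" point from the earlier message, and the `orig_to=`/`to=` pair in the smtp log is exactly `delivery_pair()`.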


RE: Virtual alias maps question

2017-10-24 Thread Fazzina, Angelo
Hi Vernon, exactly what I am pointing out.
Why is it choosing to look up my destination address via the MySQL mapping and 
not use the virtual file mapping?

And I did remember to run
postmap /etc/postfix/virtual

-rw-r--r--. 1 root root 12638 Oct 24 13:37 virtual
-rw-r--r--. 1 root root 12288 Oct 24 13:37 virtual.db

Virtual is listed first, is it not?


virtual_alias_maps = hash:/etc/postfix/virtual 
mysql:/etc/postfix/files/mysql_pn.cf  regexp:/etc/postfix/maps/huskygroups 
regexp:/etc/postfix/maps/subaddressing


Thank you.

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

From: Vernon Fort [mailto:vf...@provident-solutions.com]
Sent: Tuesday, October 24, 2017 2:34 PM
To: Fazzina, Angelo <angelo.fazz...@uconn.edu>; postfix-users@postfix.org
Subject: RE: Virtual alias maps question

This line:
>> Oct 24 14:18:56 mta4 postfix/smtp[5448]: 60C55AF: 
>> to=<alf02...@uconn.mail.onmicrosoft.com>,
>>  orig_to=<angelo.fazz...@uconn.edu>, 
>> relay=uconn-mail-onmicrosoft-com.mail.protection.outlook.com[216.32.181.170]:25,
>>  delay=2.6, delays=0.17/0.01/0.27/2.1, dsn=2.6.0, status=sent (250 2.6.0 
>> <53bb9bbe-e299-997b-ddb5-b88893009...@appmail.uconn.edu>
>>  [InternalId=150079042227926, 
>> Hostname=CO1PR05MB267.namprd05.prod.outlook.com] 8990 bytes in 0.975, 8.996

The "orig_to" indicates the original to address.  The "to" indicates the new 
address.

Vernon



Virtual alias maps question

2017-10-24 Thread Fazzina, Angelo
Hi,

I added a test domain for my email address only.

[root@mta4 postfix]# postmap -q "angelo.fazz...@uconn.edu" /etc/postfix/virtual
angelo.fazz...@test.uconn.edu

[root@mta4 postfix]# more main.cf|grep virtual_alias_maps
#virtual_alias_maps = mysql:/etc/postfix/files/mysql_pn.cf
virtual_alias_maps = hash:/etc/postfix/virtual 
mysql:/etc/postfix/files/mysql_pn.cf  regexp:/etc/postfix/maps/huskygroups 
regexp:/etc/postfix/maps/subaddressing


From reading the docs, addresses are evaluated in the order listed, so for me 
it's Virtual, and then mysql_pn.cf.
I am and have always been in the MySQL lookup. I was hoping all email sent to 
angelo.fazz...@uconn.edu could be redirected 
to angelo.fazz...@test.uconn.edu.

AFA the DNS side of the house, I added an MX record of test.uconn.edu pointing 
to mta4.uits.uconn.edu
and an A record of test.uconn.edu pointing to 137.99.25.243. Not sure if that 
was needed at this point.

My Question:
I test by sending an email to angelo.fazz...@uconn.edu from T-bird with an IMAP 
account set up on it.
The email arrives just fine, but I can't tell from the logs if it was redirecting 
the email to angelo.fazz...@test.uconn.edu or not.
Seems like the /etc/postfix/virtual file is not being used? Why not?

Postfix logs:

Oct 24 14:18:54 mta4 postfix/smtpd[5440]: connect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct 24 14:18:54 mta4 postfix/smtpd[5440]: 60C55AF: 
client=angelo.uits.uconn.edu[137.99.80.129], sasl_method=PLAIN, 
sasl_username=alf02013
Oct 24 14:18:54 mta4 postfix/cleanup[5446]: 60C55AF: warning: header Subject: 
map test from angelo.uits.uconn.edu[137.99.80.129]; 
from= to= proto=ESMTP 
helo=<[137.99.80.129]>
Oct 24 14:18:54 mta4 postfix/cleanup[5446]: 60C55AF: 
message-id=<53bb9bbe-e299-997b-ddb5-b88893009...@appmail.uconn.edu>
Oct 24 14:18:54 mta4 opendkim[24106]: 60C55AF: DKIM-Signature field added 
(s=dkim1, d=mta4.uits.uconn.edu)
Oct 24 14:18:54 mta4 postfix/qmgr[19716]: 60C55AF: 
from=, size=688, nrcpt=1 (queue active)
Oct 24 14:18:54 mta4 postfix/smtpd[5440]: disconnect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct 24 14:18:56 mta4 postfix/smtp[5448]: 60C55AF: 
to=, orig_to=, 
relay=uconn-mail-onmicrosoft-com.mail.protection.outlook.com[216.32.181.170]:25,
 delay=2.6, delays=0.17/0.01/0.27/2.1, dsn=2.6.0, status=sent (250 2.6.0 
<53bb9bbe-e299-997b-ddb5-b88893009...@appmail.uconn.edu> 
[InternalId=150079042227926, Hostname=CO1PR05MB267.namprd05.prod.outlook.com] 
8990 bytes in 0.975, 8.996 KB/sec Queued mail for delivery)
Oct 24 14:18:56 mta4 postfix/qmgr[19716]: 60C55AF: removed


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



easy DKIM question, at least i think it is...

2017-10-20 Thread Fazzina, Angelo
Hi, I have a small DKIM question. Config files are at the bottom of the email.
I got it working but don't understand why.

The one change I made to get it to work was adding
137.99.0.0/16 to the TrustedHosts file.

So tests with a From of x...@appmail.uconn.edu and x...@uconn.edu are getting 
signed and I see it in the Postfix logs.


My question:
My prod servers (3 of them), smtp.uconn.edu, allow authenticated users to send 
over 465 and 587.
So they could come from any IP address in the world.
I assume all users are using a From address of x...@uconn.edu or 
x...@yyy.uconn.edu.
Is it possible to get emails signed with DKIM?



These are the 3 files I configured.
SigningTable =
*@appmail.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
*@uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
*@uits.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu

KeyTable =
dkim1._domainkey.mta4.uits.uconn.edu mta4.uits.uconn.edu:dkim1:/etc/opendkim/keys/uconn/dkim1.private

TrustedHosts = 
127.0.0.1
137.99.0.0/16
::1

This is the opendkim.conf file =

PidFile /var/run/opendkim/opendkim.pid
Mode sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
SendReports yes
ReportAddress   "UITS-SSG OpenDKIM" 
SoftwareHeader  yes
Canonicalization relaxed/simple
Selector dkim1
MinimumKeyBits  1024
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075
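The observation in this post (signing only started once the client network was added to TrustedHosts, which the config uses as InternalHosts) and the question about roaming authenticated users both come down to how OpenDKIM decides to sign. Below is an added example, not OpenDKIM's code and not the poster's files: it parses the three tables in the layout shown (a refile SigningTable with glob patterns keyed on the From address, a KeyTable of name to domain:selector:keyfile, and a host list of addresses and CIDR blocks) and applies a simplified model of the decision, namely sign only when the client is an internal host and a SigningTable pattern matches. It also checks DMARC relaxed alignment between the d= domain the KeyTable yields and the From domain, using a last-two-labels approximation of the organizational domain rather than the Public Suffix List. Host names, networks and key paths are constructed placeholders; "first matching pattern wins" is this model's choice. OpenDKIM's separate handling of authenticated submission is not modelled.

```python
import fnmatch
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed copies of the three files in the layout the post uses (placeholders).
SIGNING_TABLE = """\
# refile: glob pattern on the From: address -> KeyTable entry name
*@webmail.example.edu dkim1._domainkey.mta.example.edu
*@example.edu         dkim1._domainkey.mta.example.edu
*@it.example.edu      dkim1._domainkey.mta.example.edu
"""
KEY_TABLE = """\
# name  signing-domain:selector:private-key-file
dkim1._domainkey.mta.example.edu mta.example.edu:dkim1:/etc/opendkim/keys/example/dkim1.private
"""
TRUSTED_HOSTS = """\
127.0.0.1
192.0.2.0/24
::1
"""

KeyEntry = Tuple[str, str, str]   # (signing domain d=, selector s=, private key file)


def _lines(text: str) -> List[str]:
    """Non-empty lines with '#' comments stripped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_signing_table(text: str) -> List[Tuple[str, str]]:
    rows = []
    for line in _lines(text):
        pattern, keyname = line.split(None, 1)
        rows.append((pattern, keyname.strip()))
    return rows


def parse_key_table(text: str) -> Dict[str, KeyEntry]:
    table: Dict[str, KeyEntry] = {}
    for line in _lines(text):
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.strip().split(":", 2)
        table[name] = (domain, selector, keyfile)
    return table


def parse_hosts(text: str) -> List[ipaddress._BaseNetwork]:
    # Bare addresses become /32 or /128; strict=False tolerates host bits in a prefix.
    return [ipaddress.ip_network(line, strict=False) for line in _lines(text)]


def is_internal(client_ip: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """InternalHosts test: OpenDKIM signs for these clients and verifies for everyone else."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)   # 'in' is False across IP versions


def signing_key(from_addr: str, signing: List[Tuple[str, str]],
                keys: Dict[str, KeyEntry]) -> Optional[KeyEntry]:
    """Case-insensitive glob match on the From address, first hit wins, then KeyTable lookup."""
    addr = from_addr.lower()
    for pattern, keyname in signing:
        if fnmatch.fnmatchcase(addr, pattern.lower()):
            return keys.get(keyname)
    return None


def would_sign(client_ip: str, from_addr: str, signing, keys, nets) -> Optional[KeyEntry]:
    """Simplified signing decision: internal client AND a SigningTable match."""
    if not is_internal(client_ip, nets):
        return None   # e.g. a user submitting over 587 from an outside address
    return signing_key(from_addr, signing, keys)


def org_domain(name: str) -> str:
    """Last two labels: an approximation of the organizational domain (DMARC uses the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def relaxed_aligned(signing_domain: str, from_domain: str) -> bool:
    """DMARC relaxed alignment: d= and the From: domain share an organizational domain."""
    return org_domain(signing_domain) == org_domain(from_domain)


if __name__ == "__main__":
    S, K, N = parse_signing_table(SIGNING_TABLE), parse_key_table(KEY_TABLE), parse_hosts(TRUSTED_HOSTS)
    for ip, frm in (("192.0.2.25", "alice@example.edu"), ("198.51.100.7", "alice@example.edu")):
        key = would_sign(ip, frm, S, K, N)
        print(ip, frm, "->", "signed with d=%s s=%s" % key[:2] if key else "not signed")
    print("relaxed alignment:", relaxed_aligned(K["dkim1._domainkey.mta.example.edu"][0], "example.edu"))
```

The second case in the demo is the situation the post asks about: the From address matches the SigningTable, but the client is outside InternalHosts, so this model does not sign. The alignment check is worth keeping in such a tool because, as in the post's log lines, the KeyTable here signs with the MTA's host name rather than the bare mail domain; that still aligns under relaxed mode, but would not under strict mode.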




is this the correct DKIM mailing list ?

2017-10-19 Thread Fazzina, Angelo
http://mipassoc.org/mailman/listinfo/ietf-dkim

I joined but after a few days nothing but crickets after my post to the list.
Is there a different list you guys use to discuss DKIM ?
Thanks.


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



Re: Sending with Multiple Domain Suffixes from Single Apache Server Box

2017-10-10 Thread Fazzina, Angelo
Umm, forget what I said about transport.


check this out

http://www.postfix.org/ADDRESS_REWRITING_README.html


This sounds like your idea :

Replace an internal address by an external address. For example, replace 
"username@localdomain.local" by "isp-account@isp.example" when sending mail 
from a home computer to the Internet.



From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> on 
behalf of Fazzina, Angelo <angelo.fazz...@uconn.edu>
Sent: Tuesday, October 10, 2017 3:54 PM
To: certified; postfix-users@postfix.org
Subject: Re: Sending with Multiple Domain Suffixes from Single Apache Server Box


Hi,

I am not too savvy, but I think you could do this in PHP or in Postfix.

My guess is, if you know what the "returndomain" is from using PHP code you 
could add it to the transport file maybe, and run postmap to update transport 
file ?


I assume you are pulling the "returndomain" from your PHP code to find it in 
the first place, if so can you just write code to insert it where you want when 
calling the mail(x,y,...) function ?


Is this the type of code you are doing, as an example?


$body="Hello ". $row['First_N']."\n\nPlease remember you have the following 
appointment scheduled for today.\n\nDate: $month/$day/$year \nTime: $time 
$showroom \nWith: ".$row['F_Name']." ". $row['L_Name']."\n\nFor more details on 
your appointment or to cancel your appointment, please go to the link 
below.\n\nhttp://uconn.edu/secure_per/index.php";

  $from = "nore...@uconn.edu";
  $headers = "From: $from";

  //***
  //PREPARE EMAIL HEADER
  $headers = array ('From' => $from,
  'To' => $to,
  'Subject' => $subject);
  //SEND EMAIL
  $mail = $smtp->send($to, $headers, $body);
  //THIS APPEARS TO CHECK FOR ERRORS IN THE EMAIL BEING SENT
  if (PEAR::isError($mail)) {
 $failed++;
  }
  else {
 $success++;
  }
  //***

  //mail($to,$subject,$body,$headers);
  //echo "$message";
  $i++;


Not sure I am any help or confusing the matter, you let me know.
-ALF


From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> on 
behalf of certified <a.herefishyfish...@yahoo.com>
Sent: Tuesday, October 10, 2017 3:23 PM
To: postfix-users@postfix.org
Subject: Sending with Multiple Domain Suffixes from Single Apache Server Box

How do I configure postfix to append the correct domain on outgoing emails
from php on apache:

I have LAMP on Centos 7 and a static IP. There are several domain names
registered to that static IP:
first.com -> my static ip
another.com -> my static ip
third.com -> my static ip
My postfix MX server is also on the webserver box.

PHP uses the following format:
$result = mail($to, $subject, $message, $headers, "-f returndomain")

So how do I configure postfix to append the correct domain on outgoing
emails:
if returndomain is first.com, I would like postfix to send it with the
virtual u...@first.com from addy
if returndomain is another.com, I would like postfix to send it with the
virtual u...@another.com from addy

Details:
1. I need to send confirmation emails using php on apache to people
registering for my services from the internet
2. I need to have the correct domain suffix and return path added to the
sender's email:
   j...@first.com sending from /var/www/html/first/ needs the email headers
all consistent with mail sent from first.com
   b...@another.com sending from  /var/www/html/another needs mail sent from
b...@another.com
3. these emails go TO pretty much anywhere - google, yahoo - anywhere
visitors request confirmation to go
4. these emails come FROM my MX on the webserver DIRECTLY to their email
addy, not relayed thru google etc.
5. the machine hostname isn't any of the above domain names, it is simply
somehost

Apache sends first.com requests to /var/www/html/first/ using DocumentRoot
"/var/www/html/first/"
Apache sends another.com requests to /var/www/html/first/ using DocumentRoot
"/var/www/html/another/"

obviously the user and group will be apache:apache

So how do I configure postfix to append the correct domain on outgoing
emails:
if returndomain is first.com, I would like postfix to send it with the
virtual u...@first.com from addy
if returndomain is another.com, I would like postfix to send it with the
virtual u...@another.com from addy

Note that I don't want to receive email on my MX.






--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html



RE: Trouble sending email to myself on new server i am building

2017-10-02 Thread Fazzina, Angelo
Hi, sorry if I posted in non-plain text format, did not know that was an issue. 
Will watch for it next time.

I have gone through 2 guys in security/networking department today and was able 
to finally prove it was firewall and not my postfix config being "wrong".

I even turned off SELinux and iptables...

Hopefully by Wednesday I can send email.   Issue closed for now, thanks.


-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Noel Jones
Sent: Monday, October 2, 2017 3:54 PM
To: postfix-users@postfix.org
Subject: Re: Trouble sending email to myself on new server i am building

[Please use plain text next time. Thanks]

On 10/2/2017 1:31 PM, Fazzina, Angelo wrote:
> 
> Oct  2 14:24:43 mta5 postfix/smtp[13114]: connect to
> uconn-mail-onmicrosoft-com.mail.protection.outlook.com[207.46.163.106]:25:
> Connection timed out

"connection timed out" almost always means some sort of network
error outside of postfix, such as a firewall problem.




  -- Noel Jones


RE: Questions about mynetworks_style parameter in main.cf

2017-10-02 Thread Fazzina, Angelo
Hi,
For this part :

“On Linux, this works correctly only with interfaces specified with the 
ifconfig command”

I think they are saying you can find valid interface names using the ifconfig 
command.
The new way in RHEL 7  is  "ip addr" replaces  "ifconfig".

This:
does that mean that network settings specified with newer commands that replace 
ifconfig will not work ?

Sounds like a linux question and not a postfix one.
What "commands" are you referring to ?




-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of J Doe
Sent: Monday, October 2, 2017 4:10 PM
To: postfix-users@postfix.org
Subject: Questions about mynetworks_style parameter in main.cf

Hello,

I have two questions regarding the “mynetworks_style” parameter in main.cf.

In man I see that the “subnet” option for “mynetworks_style” is listed as being 
supported in Postfix < 3.0.  Does this mean that post-Postfix 3.0 this option 
is deprecated ?

I also note that the “subnet” option is listed as working on Linux with the 
following caveat:

“On Linux, this works correctly only with interfaces specified with the 
ifconfig command”

With ifconfig being deprecated on Linux, does that mean that network settings 
specified with newer commands that replace ifconfig will not work ?

Thanks,

- J


Trouble sending email to myself on new server i am building

2017-10-02 Thread Fazzina, Angelo
Hi,
Ready to pull my hair out here. I have a server running 2.6 and everything 
works fine.
Trying to build new server with postfix 2.10.1
I have my postconf -n and postfix logs of my test email.   This data is from 
the new 2.10.1 box.
Do you need anything else ?

Oct  2 14:23:43 mta5 postfix/smtpd[13106]: connect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct  2 14:23:43 mta5 postfix/smtpd[13106]: 6359630038E5: 
client=angelo.uits.uconn.edu[137.99.80.129]
Oct  2 14:23:43 mta5 postfix/cleanup[13111]: 6359630038E5: warning: header 
Subject: test with T-bird from angelo.uits.uconn.edu[137.99.80.129]; 
from= to= proto=ESMTP 
helo=<[137.99.80.129]>
Oct  2 14:23:43 mta5 postfix/cleanup[13111]: 6359630038E5: 
message-id=<39f07e3f-c6fe-642b-26b3-8964efda4...@appmail.uconn.edu>
Oct  2 14:23:43 mta5 postfix/qmgr[13103]: 6359630038E5: 
from=, size=648, nrcpt=1 (queue active)
Oct  2 14:23:43 mta5 postfix/smtpd[13106]: disconnect from 
angelo.uits.uconn.edu[137.99.80.129]
Oct  2 14:24:13 mta5 postfix/smtp[13114]: connect to 
uconn-mail-onmicrosoft-com.mail.protection.outlook.com[216.32.180.170]:25: 
Connection timed out
Oct  2 14:24:43 mta5 postfix/smtp[13114]: connect to 
uconn-mail-onmicrosoft-com.mail.protection.outlook.com[207.46.163.106]:25: 
Connection timed out
Oct  2 14:24:43 mta5 postfix/smtp[13114]: 6359630038E5: 
to=, orig_to=, 
relay=none, delay=60, delays=0.03/0.02/60/0, dsn=4.4.1, status=deferred 
(connect to 
uconn-mail-onmicrosoft-com.mail.protection.outlook.com[207.46.163.106]:25: 
Connection timed out)





[root@mta5 ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_dot_mydomain = no
biff = no
canonical_maps = regexp:/etc/postfix/maps/voip
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 31457280
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mta5.uits.uconn.edu
mynetworks = /etc/postfix/files/mynetwork
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
slowaol_destination_concurrency_limit = 2
slowaol_destination_rate_delay = 30s
slowaol_destination_recipient_limit = 10
slowhot_destination_concurrency_limit = 2
slowhot_destination_rate_delay = 10s
slowhot_destination_recipient_limit = 10
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_connection_rate_limit = 500
smtpd_client_event_limit_exceptions = 
${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 500
smtpd_client_new_tls_session_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
smtpd_client_restrictions = check_client_access 
hash:/etc/postfix/maps/block_ip, permit
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, 
RC4, aNULL
smtpd_tls_mandatory_protocols = !SSLv3, !SSLv2
transport_maps = hash:/etc/postfix/maps/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = access.ced.uconn.edu appmail.uconn.edu eri.uconn.edu 
finearts.sfa.uconn.edu law.uconn.edu math.uconn.edu ropercenter.uconn.edu 
studentorgs.uconn.edu students.law.uconn.edu testexchange.uconn.edu uconn.edu
virtual_alias_maps = hash:/etc/postfix/virtual 
mysql:/etc/postfix/files/mysql_pn.cf regexp:/etc/postfix/maps/googlegroups 
regexp:/etc/postfix/maps/subaddressing

-ANGELO FAZZINA

UITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075
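Two earlier messages in this archive explain how to read these postfix/smtp lines: Vernon's note that `orig_to=` is the original recipient and `to=` the rewritten one, and Noel's reading of `status=deferred ... Connection timed out` as a network problem outside Postfix. The following is an added example, not code from the list, that parses such per-recipient delivery records into fields and applies those two readings. The sample lines are constructed to match the shape quoted in the threads; addresses, hosts and relay names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modelled on the postfix/smtp entries quoted above.
# Addresses and relay names are placeholders, not the real ones.
SAMPLE_LOG = """\
Oct 24 14:18:56 mta4 postfix/smtp[5448]: 60C55AF: to=<user@mailbox.example>, orig_to=<user@example.edu>, relay=mx.example.net[192.0.2.10]:25, delay=2.6, delays=0.17/0.01/0.27/2.1, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Oct  2 14:24:13 mta5 postfix/smtp[13114]: connect to mx.example.net[192.0.2.10]:25: Connection timed out
Oct  2 14:24:43 mta5 postfix/smtp[13114]: 6359630038E5: to=<user@mailbox.example>, orig_to=<user@example.edu>, relay=none, delay=60, delays=0.03/0.02/60/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
"""


@dataclass
class Delivery:
    queue_id: str
    to: str
    orig_to: Optional[str]
    relay: str
    dsn: str
    status: str
    reason: str

    @property
    def rewritten(self) -> bool:
        # orig_to= is only logged when the recipient was rewritten (virtual aliasing,
        # canonical mapping, ...); to= is the address actually delivered to.
        return self.orig_to is not None and self.orig_to != self.to


# A per-recipient record: "<queue id>: key=value, ..., status=<word> (<reason>)"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): (?P<fields>.*?), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)
# key=<angle-bracketed address>  or  key=plain value up to the next comma
KV_RE = re.compile(r"(?P<key>\w+)=(?:<(?P<angled>[^>]*)>|(?P<plain>[^,]*))")


def parse_delivery(line: str) -> Optional[Delivery]:
    """Parse one delivery record; None for other smtp lines (e.g. a bare connect failure)."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    kv: Dict[str, str] = {}
    for f in KV_RE.finditer(m.group("fields")):
        angled = f.group("angled")
        kv[f.group("key")] = angled if angled is not None else f.group("plain").strip()
    return Delivery(queue_id=m.group("qid"), to=kv.get("to", ""), orig_to=kv.get("orig_to"),
                    relay=kv.get("relay", ""), dsn=kv.get("dsn", ""),
                    status=m.group("status"), reason=m.group("reason"))


def diagnose(d: Delivery) -> str:
    """One-line reading of a record, following the replies in the threads."""
    if d.status == "sent":
        note = f" (rewritten from {d.orig_to})" if d.rewritten else ""
        return f"{d.queue_id}: delivered to {d.to} via {d.relay}{note}"
    if d.status == "deferred" and d.dsn.startswith("4.4.") and "timed out" in d.reason:
        return f"{d.queue_id}: relay unreachable ({d.dsn}); check the network path/firewall, not main.cf"
    return f"{d.queue_id}: {d.status} {d.dsn} {d.reason}"


def summarize(log_text: str) -> Dict[str, List[str]]:
    """Queue ids grouped by status, plus every orig_to -> to rewrite seen."""
    out: Dict[str, List[str]] = {"rewritten": []}
    for line in log_text.splitlines():
        d = parse_delivery(line)
        if d is None:
            continue
        out.setdefault(d.status, []).append(d.queue_id)
        if d.rewritten:
            out["rewritten"].append(f"{d.orig_to} -> {d.to}")
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        d = parse_delivery(line)
        print(diagnose(d) if d else "skipped: " + line.split("]: ", 1)[1])
    print(summarize(SAMPLE_LOG))
```

Feeding a real mail log through `summarize()` answers the two questions asked in these threads directly: whether the virtual map rewrote a recipient (the `rewritten` list) and whether deferrals are 4.4.x connection failures rather than policy rejections.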



RE: can't get server to start postfix --ISSUE RESOLVED

2017-09-08 Thread Fazzina, Angelo
Hi again, thanks for the pointers everyone.

It was not a Postfix issue. I have no idea how it happened but permissions on / 
got changed somehow.



This fixed the default Postfix install, and then I put my config in and we are 
running normally again.



[root@mail2 ~]# ls -ld /
drw-------. 23 root root 4096 Sep  8 09:59 /

[root@mail2 ~]# chmod 555 /
[root@mail2 ~]# ls -ld /
dr-xr-xr-x. 23 root root 4096 Sep  8 09:59 /

Server was rebooted

[root@mail2 ~]# ps -ef | grep post
root      1821     1  0 10:15 ?        00:00:00 /usr/libexec/postfix/master
postfix   1827  1821  0 10:15 ?        00:00:00 pickup -l -t fifo -u
postfix   1828  1821  0 10:15 ?        00:00:00 qmgr -l -t fifo -u
root      2637  2609  0 10:15 pts/0    00:00:00 grep post



Sadly I did not figure it out, a co-worker did, but at least production services 
are running again.

With Dovecot and other things running I was convinced it was not the server 
still and a postfix issue

Thanks again for all that tried to help.

-ALF



-Angelo Fazzina

Operating Systems Programmer / Analyst

University of Connecticut,  UITS, SSG, Server Systems

860-486-9075





-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Viktor Dukhovni
Sent: Friday, September 8, 2017 10:17 AM
To: postfix-users@postfix.org
Subject: Re: can't get server to start postfix





> On Sep 8, 2017, at 10:07 AM, Fazzina, Angelo 
> <angelo.fazz...@uconn.edu> wrote:
>
> I ran
> Yum remove postfix
> I moved any directories not deleted
> I have SELinux disabled  in /etc/sysconfig/
>
> I ran yum install postfix.
>
> Still same error, this is crazy.

You're not providing actionable information.  Does the "ls -ld"
command still report alternative access control for any of
the directories on the path from the root to
"/var/lib/postfix/master.lock"?

If so, master(8) likely still gets "Permission" denied when trying
to open the lock file.

Either you're wrong and SELinux is not disabled, or as Wietse
suggested there could be filesystem corruption, or there are
inherited access controls in place down from /var, etc.

You can test whether the restriction is still in place by giving
the "postfix" user a shell of "/bin/sh", then:

   # su postfix
   $ touch /var/lib/postfix/master.lock # Likely fails
   $ echo $$ > /var/lib/postfix/master.lock   # Likely fails

Fixing SELinux and broken filesystems is not a subject matter
for Postfix experts, best to ask on some forum dedicated for
your O/S, or just hunker down and figure it out.  Come back
to this list when the Postfix user has full rights to the
/var/lib/postfix/ directory.

--
  Viktor.




RE: can't get server to start postfix

2017-09-08 Thread Fazzina, Angelo
Thank you all for trying to help.

I ran 
Yum remove postfix
I moved any directories not deleted
I have SELinux disabled  in /etc/sysconfig/

I ran yum install postfix.

Still same error, this is crazy.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Viktor Dukhovni
Sent: Thursday, September 7, 2017 5:48 PM
To: postfix-users@postfix.org
Subject: Re: can't get server to start postfix

On Thu, Sep 07, 2017 at 09:34:55PM +, Fazzina, Angelo wrote:

> Victor: I messed with it a little but no change.

I did not suggest "messing" with it. :-)

> [root@mail2 ~]#  bash -c "ls -ld /var{,/lib{,/postfix{,/master.lock}}}"
> drwxr-xr-x. 20 root    root    4096 Mar  2  2017 /var
> drwxr-xr-x. 29 root    root    4096 Sep  7 03:46 /var/lib
> drwx------.  2 postfix postfix 4096 Sep  7 16:07 /var/lib/postfix
> -rw-r--r--.  1 postfix postfix    0 Sep  7 16:07 /var/lib/postfix/master.lock

Note those "." characters at the end of the file mode, they likely
indicate some sort of file-access ACL beyond the file mode:


https://www.cloudinsidr.com/content/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained/

GNU's "ls" command uses a dot (".") to indicate a file with an
*SELinux security context and no other alternate access method*.
A file with *any other combination of alternate access methods*
is marked with a *+* character.

So you've been SELinux'ed, now turn that off or configure it
properly.

> [root@mail2 ~]# chmod 744 /var/lib/postfix/

You should not do that, the "postfix set-permissions" command sets
the directory mode to 0700.

> [root@mail2 ~]#  bash -c "ls -ld /var{,/lib{,/postfix{,/master.lock}}}"
> drwxr-xr-x. 20 root    root    4096 Mar  2  2017 /var
> drwxr-xr-x. 29 root    root    4096 Sep  7 03:46 /var/lib
> drwxr--r--.  2 postfix postfix 4096 Sep  7 16:07 /var/lib/postfix
> -rw-r--r--.  1 postfix postfix    0 Sep  7 16:07 /var/lib/postfix/master.lock

And yet the funny "." characters remain...  

-- 
Viktor.


RE: can't get server to start postfix

2017-09-07 Thread Fazzina, Angelo
I will try that Miles, thanks.

Victor: I messed with it a little but no change.


[root@mail2 ~]#  bash -c "ls -ld /var{,/lib{,/postfix{,/master.lock}}}"
drwxr-xr-x. 20 root    root    4096 Mar  2  2017 /var
drwxr-xr-x. 29 root    root    4096 Sep  7 03:46 /var/lib
drwx------.  2 postfix postfix 4096 Sep  7 16:07 /var/lib/postfix
-rw-r--r--.  1 postfix postfix    0 Sep  7 16:07 /var/lib/postfix/master.lock
[root@mail2 ~]# chmod 744 /var/lib/postfix/
[root@mail2 ~]#  bash -c "ls -ld /var{,/lib{,/postfix{,/master.lock}}}"
drwxr-xr-x. 20 root    root    4096 Mar  2  2017 /var
drwxr-xr-x. 29 root    root    4096 Sep  7 03:46 /var/lib
drwxr--r--.  2 postfix postfix 4096 Sep  7 16:07 /var/lib/postfix
-rw-r--r--.  1 postfix postfix    0 Sep  7 16:07 /var/lib/postfix/master.lock


My repeatable steps so far
[root@mail2 pid]# rm /var/spool/postfix/pid/master.pid
rm: remove regular file `/var/spool/postfix/pid/master.pid'? y
[root@mail2 pid]# rm /var/lock/subsys/postfix 
rm: remove regular empty file `/var/lock/subsys/postfix'? y
[root@mail2 pid]# service postfix status
master is stopped
[root@mail2 pid]# service postfix stop
[root@mail2 pid]# service postfix start
Starting postfix:  [  OK  ]
[root@mail2 pid]# service postfix status
master dead but pid file exists


-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Miles Fidelman
Sent: Thursday, September 7, 2017 5:28 PM
To: postfix-users@postfix.org
Subject: Re: can't get server to start postfix

after a reboot, you could just try "postfix stop" and delete the lock 
file, then "postfix start"

to find zombie processes, you could try "pstree" (shows a tree of 
processes & sub-processes, in the order they were started at init time - 
note that none of them are named postfix - the top-level process is 
named "master") - you might have to install the tools, I think they're 
part of the "process tools" package on Debian (but that's completely 
from memory) - google is your friend

Miles Fidelman


On 9/7/17 2:14 PM, Fazzina, Angelo wrote:
> Server has only been on 25 minutes, I rebooted it.
>
> Can you see it in this list ?
> Thanks for trying.
> -ALF
>
> [root@mail2 log]# ps -ef

RE: can't get server to start postfix

2017-09-07 Thread Fazzina, Angelo

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Patrick Ben Koetter
Sent: Thursday, September 7, 2017 5:02 PM
To: postfix-users@postfix.org
Subject: Re: can't get server to start postfix

you have a zombie master process hanging around. Stop postfix. Get a list of
all running processes and check if there's an orphaned master process hanging
around. Kill it. Start postfix.

p@rick




* Fazzina, Angelo <angelo.fazz...@uconn.edu>:
> Hi,
> All of a sudden postfix won't load? Where should I look next? Thanks.
> 
> I tried
> [root@mail2 postfix]# service postfix start
> Starting postfix:  [  OK  ]
> 
> 
> Logs show
> Sep  7 16:50:47 mail2 postfix/postfix-script[3214]: starting the Postfix mail 
> system
> Sep  7 16:50:47 mail2 postfix/master[3215]: fatal: open lock file 
> /var/lib/postfix/master.lock: cannot open file: Permission denied
> 
> [root@mail2 postfix]# ls -l /var/lib/postfix/
> total 0
> -rw-r--r--. 1 postfix postfix 0 Sep  7 16:07 master.lock
> 
> 
> 
> [root@mail2 postfix]# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = all
> inet_protocols = all
> mail_owner = postfix
> mailbox_size_limit = 51200
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, localhost, appmail.uconn.edu
> myhostname = mail2.uits.uconn.edu
> mynetworks = 10.4.40

can't get server to start postfix

2017-09-07 Thread Fazzina, Angelo
Hi,
All of a sudden postfix won't load? Where should I look next? Thanks.

I tried
[root@mail2 postfix]# service postfix start
Starting postfix:  [  OK  ]


Logs show
Sep  7 16:50:47 mail2 postfix/postfix-script[3214]: starting the Postfix mail 
system
Sep  7 16:50:47 mail2 postfix/master[3215]: fatal: open lock file 
/var/lib/postfix/master.lock: cannot open file: Permission denied

[root@mail2 postfix]# ls -l /var/lib/postfix/
total 0
-rw-r--r--. 1 postfix postfix 0 Sep  7 16:07 master.lock



[root@mail2 postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 51200
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, appmail.uconn.edu
myhostname = mail2.uits.uconn.edu
mynetworks = 10.4.40.194 10.4.40.193 10.4.40.189 137.99.80.0/24 127.0.0.0/8 
[:::127.0.0.0]/104 [::1]/128
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = adm.uconn.edu $mydestination
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, 
RC4, aNULL
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual 
regexp:/etc/postfix/maps/subaddressing

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



RE: no response from postfix on submission port (or 465)

2017-08-23 Thread Fazzina, Angelo
If anyone needs it for future testing:

openssl s_client -starttls smtp -connect mail6.uits.uconn.edu:587
openssl s_client -connect 137.99.26.36:465

Replace IP/hostname with yours.
-ALF



-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, August 22, 2017 11:35 AM
To: postfix-users@postfix.org
Subject: Re: no response from postfix on submission port (or 465)

>On Tue, 22 Aug 2017 10:14:11 +, Alef Veld stated:
>>Now which clarifies things a lot. I'll probably keep 465 with wrapper mode to
>>support outlook expresss or other clients which want it and put 587 without.

On 22.08.17 07:23, Postfix User wrote:
>MS Outlook Express was deprecated in Windows 7, way back in Oct 2009. It has
>been years since I have seen anyone actually use it. I removed wrapper mode 5
>years ago and never looked back.

I've seen comments from users/admins who recommend using SSL-only ports like
465, as opposed to 587 where plaintext is technically possible.

I've also seen a problem where port 587 was blocked by an antivirus trying to
scan the connection, where 465 went OK.

That's why I better provide both 587 and 465 on servers I maintain...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.


RE: Recommendations on an spf record?

2017-08-18 Thread Fazzina, Angelo
Hi,
I was unaware of the controversy. I can tell you that for the specific example 
given :

(For example, a person who uses their home ISP's SMTP servers to send mail with 
their work email as the address.)

I was for years tagging and delivering on SPF failures with my appliances. Just 
recently I added filtering with a cloud appliance before my physical appliances 
and that only allows blocking on failures. So now I live with it.

I thought you had a problem you were trying to solve?
I learned about the limit of lookups being 10 and had to fix my TXT record, and 
how some/all appliances can't deal with multiple TXT records for SPF, so I need 
one in DNS with multiple includes.

Anyway, good luck in finding the sweet spot.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Tom Browder
Sent: Friday, August 18, 2017 11:34 AM
To: Alef Veld 
Cc: postfix users 
Subject: Re: Recommendations on an spf record?

On Fri, Aug 18, 2017 at 10:27 AM, Alef Veld  wrote:
> What's the conflicting opinion ?

Looking at a Wikipedia article:

  https://en.wikipedia.org/wiki/Sender_Policy_Framework

But i guess spf is here to stay.

Thanks.

-Tom
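
Angelo's reply at the top of this thread names two SPF pitfalls: the limit of 10 DNS lookups and publishing more than one TXT record for SPF. The following added example (not from the thread; the domains and records are constructed, and the resolver is a dictionary so it runs offline) walks a record through its include: and redirect= chain, counts the query-costing terms, and flags a domain that exceeds the limit or publishes more than one v=spf1 record.

```python
import re
# Constructed zone data for an offline demo; all domains and records are hypothetical.
FAKE_TXT = {
    "example.test": ["v=spf1 mx a ptr include:_spf.mailhost.test "
                     "include:_spf.cloudfilter.test -all"],
    "_spf.mailhost.test": ["v=spf1 ip4:192.0.2.0/24 a:relay.mailhost.test -all"],
    "_spf.cloudfilter.test": ["v=spf1 include:_a.cloudfilter.test "
                              "include:_b.cloudfilter.test ~all"],
    "_a.cloudfilter.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_b.cloudfilter.test": ["v=spf1 mx ptr exists:%{i}.chk.cloudfilter.test -all"],
    # Two v=spf1 TXT records: receivers must return permerror (RFC 7208 section 4.5).
    "broken.test": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 include:_spf.mailhost.test -all"],
    "loop.test": ["v=spf1 include:loop.test -all"],
}

# Terms that each cost one DNS query toward the limit of 10 (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def spf_records(domain, txt_lookup):
    """The TXT records of domain that are SPF version 1 records."""
    return [r for r in txt_lookup(domain) if r.lower().split(" ", 1)[0] == "v=spf1"]

def count_lookups(domain, txt_lookup, path=()):
    """Query-costing terms reachable from domain's record, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include/redirect loop at {domain}")
    records = spf_records(domain, txt_lookup)
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records, exactly one required")
    total = 0
    for term in records[0].split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))  # drop the qualifier; ip4/ip6/all cost nothing
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, txt_lookup, path + (domain,))
    return total

def check_domain(domain, txt_lookup=lambda d: FAKE_TXT.get(d, [])):
    """Return ("ok", n), ("too many lookups", n) or ("permerror", reason)."""
    try:
        n = count_lookups(domain, txt_lookup)
    except ValueError as e:
        return ("permerror", str(e))
    return ("ok" if n <= MAX_LOOKUPS else "too many lookups", n)

if __name__ == "__main__":
    for d in ("example.test", "_spf.mailhost.test", "broken.test", "loop.test"):
        print(d, check_domain(d))
```

To check a live zone, replace the txt_lookup argument with a function that returns the domain's real TXT records; the counting logic is unchanged.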


smtpd_recipient_restrictions and smtpd_relay_restrictions difference ??

2017-08-17 Thread Fazzina, Angelo
Hi,
I am reading "man 5 postconf" of version 2.10.1.
I am building a new server with it, from the old 2.6.6.
My question is: my server with 2.6 has
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination

From trying to read the difference between
smtpd_recipient_restrictions
smtpd_relay_restrictions

Should my 2.10.1 server have this ?
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_relay_restrictions = check_recipient_access 
hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

thanks
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



RE: reloading postfix with systemd

2017-08-10 Thread Fazzina, Angelo
IMHO

I would think they both work for backwards compatibility and over time 
"service postfix reload" will eventually be deprecated and no longer be a 
valid command.

I expect that to take years.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Julian Kippels
Sent: Thursday, August 10, 2017 1:35 PM
To: Michael Fox 
Cc: postfix-users@postfix.org
Subject: Re: reloading postfix with systemd

Am Thu, 10 Aug 2017 10:19:25 -0700
schrieb "Michael Fox" :

> In v16.04 LTS, Ubuntu has switched to systemd.
> 
> "postfix reload" still seems to work just fine.
> But I wonder if I should be using "systemctl reload postfix" instead.
> 
> Which method is preferred on systems that use systemd?
> And if either method works, are there differences or reasons to
> prefer one over the other?
> 
> Thanks,
> Michael
>  
> 

Well at least in Redhat, if you do systemctl reload postfix it just
executes postfix reload internally. So it makes absolutely no
difference.

# cat /usr/lib/systemd/system/postfix.service 
[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service

[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

[Install]
WantedBy=multi-user.target

