Re: Can send but not receive

2021-07-08 Thread IL Ka
>
>
> I can send and receive via Yahoo mail.  I can not receive when I use an
> email account on my VPS which has worked for years.
>
Check your VPS MTA logs or contact your VPS support


Re: Can send but not receive

2021-07-08 Thread IL Ka
>
>
> Nothing that looks like an error in : /var/log/mail.log or
> /var/log/syslog
>
try to send email to your domain from some host outside of your network
and see what is in /var/log/mail.log

I just checked and can confirm that your host accepts email for @
keiththewebguy.com.
So you should see something in your mail.log


Re: can't get mails to be sent outside my server using Postfix!

2021-06-24 Thread IL Ka
>
>
> I know this, it's exactly why I want my out mail to use only secure
> ports 465 and/or 587.
>

You can't connect to 465 on some random MTA to send email. These ports are
only used by local clients.

Ask your hoster support for relayhost and configure it as "relayhost"


Re: can't get mails to be sent outside my server using Postfix!

2021-06-24 Thread IL Ka
Hello.

> relayhost = [smtp.externalserver]
Do you really want to send all emails via this host or do you want to send
them directly?

> Jun 24 12:50:53 amiga postfix/smtpd[26449]: connect from
localhost[127.0.0.1]
> Jun 24 12:53:14 amiga postfix/smtpd[26449]: SSL_accept error from
localhost[127.0.0.1]: -1
> Jun 24 12:53:14 amiga postfix/smtpd[26449]: warning: TLS library problem:
error:1408F10B:SSL routines:ssl3_get_record:wrong version
number:../ssl/record/ssl3_record.c:332:

Local client failed to connect to the local server using TLS. Which client
do you use?

> Jun 24 12:58:54 amiga postfix/smtp[26836]: connect to mail.'external
> host'[external host IP]:25: Connection timed out
For some reason the smtp client failed to connect to this host to send email


> Jun 24 13:13:24 amiga postfix/smtp[27566]: ACD741C80B56:
to=, relay=smtp.free.fr[2a01:e0c:1::25]:25, delay=1494,
delays=1494/0.02/0.04/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: q$

Email to the "customer@anywhere" was sent using "smtp.free.fr" (which I
believe is "smtp.externalserver", right?)

So:

If you want to send all emails via a smarthost (relayhost), then you need to:
* find a smarthost (provided by your ISP, hoster or whatever)
* http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

If you want to send emails directly, you need to:
* make sure port 25 is open for outgoing connections
* have SPF, DKIM and DMARC
* http://www.postfix.org/STANDARD_CONFIGURATION_README.html#stand_alone


Re: can't get mails to be sent outside my server using Postfix!

2021-06-24 Thread IL Ka
> problem is that despite all the tutos I can read / use I can't get
> Postfix to send any mail from that server to the outside. using SSL or not.
>

Hi.
1. Please show the last 20 messages from your ``mail.log``
2. ``postconf -n`` output please
3. Did you change anything in your ``main.cf`` or do you use default
configuration?
4. What did you choose when installing postfix on debian? debconf usually
asks you what type of configuration you want to have


Re: Question about separate MTA and MDA servers and how to get them communicating properly

2021-06-23 Thread IL Ka
>
>
> Our dilemma is that most online tutorials and how-to's have everything on
> one server.
>

I'd start with

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall


Re: Clarification request for mua_*_restrictions

2021-06-11 Thread IL Ka
> What are the $mua_helo_restrictions and $mua_sender_restrictions in the
> master.cf


http://www.postfix.org/master.5.html

-o name=value (short form)
Override the named main.cf configuration parameter.
The parameter value can refer to other parameters as $name etc., just like
in main.cf.
See postconf(5) for syntax.


``smtpd_sender_restrictions`` and other options may be different for the
public smtpd and the smtpd used by clients (MUA).
So, you specify a variable "mua_helo_restrictions" in your ``main.cf`` and
provide it as an option to the smtps service.

> How do they affect the restrictions for the submission if left commented ?

The smtpd server uses ``smtpd_sender_restrictions`` and other options.
See: http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

But if you add ``-o smtpd_sender_restrictions=$my_fancy_new_restrictions``
it will use the value of this variable instead of ``smtpd_sender_restrictions``

If you have several SMTPD servers (the public one and the one used for
submission) you may want them to have different settings.


Re: Newbie question about transport_maps failing

2021-05-28 Thread IL Ka
>
>
> > If you want to choose transport based on sender, you probably want
> > "sender_dependent_default_transport_maps"
> >
> >
> http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
> >
>
>
It seems that this option doesn't support wildcards.
It says
>The tables are searched by the envelope sender address and @domain.

So, I set "discard" as default transport, and did one exception with this
option.

main.cf:
sender_dependent_default_transport_maps = hash:/etc/postfix/map
default_transport=discard

map:
@example.org    smtp

Sending mail from "example.org"
$ swaks --to u...@example.net --from r...@example.org -4 --server 127.0.0.1

Goes to SMTP:
postfix/smtp[4156]: 62D4D9F81D: to=, relay=none,
delay=0.04, delays=0.01/0.01/0.03/0, dsn=5.1.0, status=bounced (Domain
example.net does not accept mail (nullMX))

Sending mail from "example.net"
$ swaks --to u...@example.net --from r...@example.net -4 --server 127.0.0.1

Discard:
 postfix/discard[4162]: 2209D9F81D: to=, relay=none,
delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (example.net)
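The lookup order this post relies on, as an added example (it is not Postfix code and not something posted in the thread): a Python model that parses the source of a hash: table the way postmap(1) reads it and applies the search order from postconf(5), full envelope sender first, then "@domain". The table contents, the default_transport value and the sender addresses are modelled on the post; the point it demonstrates is the one observed above, that there is no wildcard or parent-domain matching, so a sender at a subdomain of example.org falls through to default_transport.

```python
"""Model of the sender_dependent_default_transport_maps lookup described in
the post above. Added example, not Postfix code: it parses the source text
of a hash: table (the file you would feed to postmap(1)) and applies the
search order from postconf(5), full envelope sender first, then "@domain".
The table has no wildcard or parent-domain matching, so a sender at a
subdomain of example.org falls through to default_transport.
"""

# Constructed table source, mirroring the single entry from the post.
MAP_SOURCE = """\
# only example.org senders may leave via the smtp transport
@example.org    smtp
"""

DEFAULT_TRANSPORT = "discard"   # default_transport from the post


def parse_table(source):
    """Parse postmap(1) input text into a dict.

    Rules followed: blank lines and lines starting with '#' are skipped;
    a line starting with whitespace continues the previous logical line;
    each logical line is 'key<whitespace>value'. Keys are folded to lower
    case, as postmap does by default for hash: tables.
    """
    logical = []
    for raw in source.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()     # continuation line
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {line!r}")
        key, value = parts
        table[key.lower()] = value.strip()
    return table


def sender_transport(sender, table, default=DEFAULT_TRANSPORT):
    """Return the transport Postfix would choose for this envelope sender.

    Search order: the full address, then '@' + domain. Anything else,
    including the empty bounce sender, falls back to default_transport.
    """
    sender = sender.strip().lower()
    if sender in table:
        return table[sender]
    if "@" in sender:
        domain_key = "@" + sender.rsplit("@", 1)[1]
        if domain_key in table:
            return table[domain_key]
    return default


def route_senders(senders, source=MAP_SOURCE):
    """Map each sender to its transport; reproduces the two swaks runs from
    the post (example.org -> smtp, example.net -> discard)."""
    table = parse_table(source)
    return {s: sender_transport(s, table) for s in senders}


if __name__ == "__main__":
    routed = route_senders(
        ["root@example.org", "root@example.net", "root@mail.example.org", ""])
    for sender, transport in routed.items():
        print(f"{sender or '<>':28} -> {transport}")
```

Run it as-is to see the three senders routed; the subdomain sender lands on discard, which is why a per-subdomain allowlist needs its own @sub.example.org entry rather than a pattern.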


Re: Newbie question about transport_maps failing

2021-05-28 Thread IL Ka
On Fri, May 28, 2021 at 6:28 PM David Favor  wrote:

> My goal is to limit allowed sender domains, to ensure no
> mail config problem sends from a domain with no no SPF
> authorization for sending IP.
>

If you want to choose transport based on sender, you probably want
"sender_dependent_default_transport_maps"

http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps


Re: Relay denied - failed from WORLD 2 LAN

2021-05-28 Thread IL Ka
On Fri, May 28, 2021 at 10:40 AM Maurizio Caloro  wrote:

> Hello
>
> want to put this setup into operation and it failed. I have a Postfix
> server with this setup and Spamassassin.
>
> in the background there is an HCL Domino server. I was able to E-Mail from
> (LAN) to myself (WORLD), but
>
> E-mail that sending (WORLD) to (LAN INSIDE), never arrive.
>

What is the name of the domain of your server? "carag.com"?

Postfix accepts emails to "mydestination" or "relay_domains" from the
"WORLD".
It seems that you didn't set any of them (I do not see them in your postconf
-n output)
Default values could be checked with "postconf -d".

You probably should set mydestination = $mydomain to accept mail
Or relay_domains= $mydomain and then configure transport(5) to send
email to the Domino


>
>
> also didnt see the mechanisms from incomming mail that will send to HCL
> Domino Server?
>
That could be done with "relay_domains"  and transport(5)
Or with "mydestination", "mailbox_transport" and lmtp if Domino supports it.

See http://www.postfix.org/BASIC_CONFIGURATION_README.html


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
>
>
> Which "backend"?
>
"random or designated"

Viktor's comment:

7.  Some suitable process arranges to update the peer servers
whenever a new certificate is obtained by some (random or designated)
server in the cluster.  Or some completely separate provisioning system
could do the certificate acquisition and push the cert files, ...

---
From my point of view this approach requires some scripting and is probably
more complex than the "frontend" Postfix with several $relayhost I wrote about

Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
> Using certbot (with a validation method that works with auto renew) i
> can create a certificate on the backend.exmample.com server and tell
> certbot the certificate will be for submission.example.com even though
> submission.example.com will not resolve to the server im running certbot
> on?
>

I believe here is an answer:

Viktor:
[quote]
No you just have to *also proxy port 443* as well as 587, and then
Let's Encrypt will issue a certificate for submission.example.com
to (one of the) underlying servers.
[/quote]

Letsencrypt will connect to the "submission" but request would go to the
"backend"


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
> Proxies are only needed for very large mail plants, where the message
> rate is too high for any one machine to handle, and you also need
> GeoIP DNS load-balancing, front-end proxies per datacentre, ...
>
> For those of us not working for Google, much simpler approaches
> are more robust (easier to manage).
>
> Ok.

Topic starter said:
> On a typical dedicated server (Intel Xeon E5, 128G ram) how many messages
(ball park) can postfix juggle at once or per min?

From my point of view it is more than enough to install just a "frontend"
postfix and terminate TLS there (and also implement SASL for clients)

Client-FrontEndPostfix-BackEndServerN

Implementing HAProxy and several backends each having its own
certificate is like solving a XY problem IMHO.
What do I miss?


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
> > > 2.  This (same) certificate chain and associated private key is
> > > deployed
> > > on all the backend servers that sit behind the load-balancer.
> > >
> > > I wrote that CNAME doesn't work with several backends.
> > I now see it works if all backends share the same key and cert. Sounds
> good)
>
> They don't even need to have the same key and cert, so long
> as they each have some key and a matching cert for that key
> that has the right DNS subject (alt) name.
>

So, each backend can have its own certificate, but for the same DNS name (
haproxy.example.com), right?
I didn't know that letsencrypt could issue a new certificate without
revoking the old one.

Just curious: what do you think about replacing HAProxy with "frontend"
Postfix that receives mails and forwards them to the backend using
$relayhost with several values?


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
>
>
> 2.  This (same) certificate chain and associated private key is
> deployed
> on all the backend servers that sit behind the load-balancer.
>
> I wrote that CNAME doesn't work with several backends.
I now see it works if all backends share the same key and cert. Sounds good)

Thank you, Viktor)


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
Disclaimer: I am not a network guru, but here is what I know.


With the CNAME scenario you can't have more than one backend. Because HAProxy
acts as an L4 (TCP) balancer, it has no idea which server you are trying to
connect to and which server's certificate you are waiting for.

It just sends your packets to some random backend.


When you install load balancer that acts as a front-end for the several
backends, you can:

1. Terminate TLS on it.
This is how people do HTTPS:
ClientLoadBalancerSomeRandomBackEndN

You can't use STARTTLS in this scenario because LoadBalancer is L4 (TCP)
not L7 (SMTP) hence it doesn't "speak" SMTP.

So, it COULD be
ClientLoadBalancerSomeRandomBackEndN
But I do not know if this scenario is supported.

2. Use SubjAltName certificate and terminate TLS on the backend.
Client: I want to connect to the haproxy.example.com
Haproxy (Silently sends all packets to the backend64)
Backend64: here is my cert. It is valid for Backend64 AND
haproxy.example.com

Client: I want to connect to the haproxy.example.com
Haproxy (Silently sends all packets to the backend42)
Backend 42 : here is my cert. It is valid for Backend42 AND
haproxy.example.com


3. Replace L4 (TCP) load balancer with L7(SMTP) load balancer and terminate
TLS there.
This load balancer is called Postfix:)

You install postfix instead of HAProxy.

It accepts emails, speaks TLS (along with STARTTLS), and provides its
certificate.
Everything works.

Then, it forwards emails to the backends via $relayhost:

relayhost = backend1:587, backend2:587,  backend3:587,  backendN:587
http://www.postfix.org/postconf.5.html#relayhost

I am for the third solution.


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
>
> Load balancing.
>
Do you really have such a big load that one submission postfix isn't enough?

If you are speaking about fault tolerance only, then you could run
"submission only" postfix instead of haproxy. This postfix will then store
messages in queue and send them to the appropriate backend server.

You can also do fault-tolerance on the network level (see CARP protocol and
friends)


If Haproxy is absolutely necessary then you can try to use either
SubjectAltName or wildcard cert from my prev. email.


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
>
>
>
> The client is trying to TLS with postfix, who has a certificate for
> submission.example.com
> The client is connected to haproxy.example.com
>
> haproxy.example.com:587 != crt submission.example.com


You can create a certificate with several domain names.
Honestly, I have never tried that for SMTP, but for HTTPS it works.
https://knowledge.digicert.com/solution/SO9440.html

You can also try to create wildcard cert like

"*.mail.mycompany.com"

submission.mail.mycompany.com
haproxy.mail.mycompany.com


Re: Submission behind haproxy, TLS issues

2021-05-19 Thread IL Ka
>
>
> Server haproxy.example.com:587 accepts public connections and proxies to
> submission.example.com:587

Why forward it via haproxy?
What is wrong with postfix connected to the public IP?



>
> Each server was given its own SSL cert (Let's Encrypt certbot).
>
If you use haproxy TLS support, then you do not need postfix TLS.
You can use mandatory (autostarted TLS) on haproxy and terminate it there
like

client--haproxy-postfix

You wouldn't need a cert in this case.

But again: I see no reason to do that.
I run postfix with opportunistic TLS support for :25 and mandatory for
submission. And it works.


>
> I did this because i assume default postfix certs are self signed, i
> remember getting some warning in thunderbird which is why i switched
> over to certbot.
>

You can run your own CA, issue cert for postfix and install this CA's cert
to the trusted storage on your client.
Internal CA is useful anyway, especially if you have internal resources
that need HTTPS or use cert-based VPN

I wonder how you installed the letsencrypt cert on the submission server.
Does it have a public IP and share a name with haproxy?




>
> My understanding is the user's client connects to haproxy server, which
> allows them to communication with the submission server, who gives them
> the submission server TLS info which the client wants to verify against
> the haproxy server connection.
>

I didn't get this part.

Either the client establishes a TLS connection with HAProxy (which is mandatory
TLS, because HA doesn't support opportunistic)
or with postfix smtpd (which supports both: mandatory (aka SMTPS) and
opportunistic (aka STARTTLS))

http://www.postfix.org/TLS_README.html



> My first guess is copy over the haproxy certs to the submission server
> and point to them in main.cf.


Cert is useless without the private key.
Sharing private keys between two servers is an extremely bad idea IMHO


> But that would break on the first auto
> renewal. My second guess is setup NFS from submission server to haproxy
> server and point main.cf through NFS to the haproxy certs. Id rather
> not. Is there another standard solution?
>

I believe the standard solution is to use postfix and its TLS support
directly, without any proxy.




>
> What is the best strategy to solve this issue?
>
> Then follow up question is what about SSL ports 993/995? Is that going
> to be even more complicated?
>

Those are POPS and IMAPS (mandatory TLS).
They aren't used by Postfix.

Postfix is MTA only: it doesn't support POP nor IMAP.


Re: Emails sent as an authenticated user does not route throu amavis

2021-05-19 Thread IL Ka
> Hi!
>
> I am having trouble to figure out why emails send as an authenticated
> user (saslauthd) seems to not be "routed" via milters or amavis?
>

Does the user use SMTP or sendmail command?
There are 2 types of milters:
http://www.postfix.org/postconf.5.html#non_smtpd_milters
http://www.postfix.org/postconf.5.html#smtpd_milters


Re: Mail sent thru submission to user on same server.

2021-05-18 Thread IL Ka
>
>
> The issue im trying to avoid is that when postfix/submission accepts a
> message meant for another user on the same domain, it delivers it
> directly to maildir and does not put that message through the same
> filters, milters, policy servers as if the message was accepted by
> smtp:25.

You can try to share configuration between these two servers.
To share access lists and other database things you could use sql-based
solutions (like postgres) I think



> For one example if j...@example.com wants to blacklist
> j...@example.com it does no good as submission will drop jack's email
> right into jill's maildir anyways.
>

submission (smtpd) service doesn't drop it to the mailbox
Instead, it sends it to the cleanup, and then to the queue.
Qmgr takes it from there, consults trivial-rewrite (which returns local
transport because of mydestination) and gives it to the "local".
"local" puts it to the local mailbox.

If you want to intercept this process, you can
* Add smtp_* restriction to the "smtpd" submission service
* Add "error" transport to the transport table
etc


Re: Mail sent thru submission to user on same server.

2021-05-18 Thread IL Ka
>
> And i know you all keep politely telling me im crazy for not
> understanding postfix wants to deliver to user's mailboxes. I get that.
> Not knowing the inner workings of postfix, from a logical point of view,
> submission isn't smtp:25, it has its own service spawn, it works on its
> own port, so it didn't seem crazy to expect it to be able to behave
> differently than smtp:25.


Think about postfix as about some kind of router.
It has several "input channels" like smtpd server or sendmail command.
All messages go to the queue and are routed by "qmgr" regardless of the way
they got into the system

http://www.postfix.org/OVERVIEW.html

I also like this picture from the Wikipedia (but the generic(5) table is
missing there for some reason)
https://en.wikipedia.org/wiki/Postfix_(software)#/media/File:Postfix_architecture.svg

"smtp:25" is not a different postfix, it is just one more "input channel"



> I at first didn't understand that it has to
> use the same setting values that smtp:25 uses. I mean, logically that
> being the case, what is the point of having a separate submission on
> port 587 when smtp:25 could just "answer the call" if all of the
> settings are the same between the two?
>

Permissions may be different. You can filter incoming calls on 25 but not
on the submission port.
It is not uncommon to see things like

 -o syslog_name=postfix/submission
 -o smtpd_client_restrictions=$mua_client_restrictions

so, we have different restrictions for mua (client here).

"smtp:25" is your front door.
"submission" and "sendmail command" are  backyard doors.

All of them are used by email to "jump" into the Postfix, but "front door"
(25) is used by foreign visitors and has strong security policy)



Re: Submission Only, Not Listening on 25.

2021-05-17 Thread IL Ka
>
>
> I am setting up a postfix instance as submission only to compliment
> dovecot in imap mode.
> Is there a way to turn off listening on port 25 and only have submission
> listen on 587?
> I already know how to bind the submission service to 587 in the
> master.cf


Any service could be commented out in master.cf



>
> I assume listening on 25 is controlled by inet_interfaces however i
> don't see anything in docs about specifying "nothing", its either all or
> a specific IP.
>

In most cases it is safe to bind it to the "loopback-only" interface


> Is my only choice to allow postfix to bind to 25 and just firewall it
> off from the public?


You can comment it out in master.cf but even if you couldn't, you can always
bind it to localhost only,
either by prepending the smtp service with "127.0.0.1:" in master.conf or by
using
inet_interfaces="loopback-only"

The latter approach is recommended.




Re: Message sent by SMTP get lost whereas those via pickup(sendmail) are OK

2021-05-16 Thread IL Ka
>
>
> I am trying to debug it by connecting directly to port 25 on localhost
> using telnet and composing mail that way.  It appears to be sent
> according to the postfix mail.log but it just disappears.
>
It could be that it went to spam because you misused some headers while
sending mail manually

Try to use mail from mailutils or some other tool.

Also, try to send email here: https://www.mail-tester.com/ and see what
score you get


Re: zendesk and relay denied

2021-05-14 Thread IL Ka
>
> I've done a terrible job of explaining this, partly because I don't
> fully understand and also don't have all the facts.
>
Try to gather as much information as possible and draw a diagram on a piece
of paper)


>

> We are trying to provide mail filtering using postfix/amavis for a
> company using O365 for their corporate mail who realizes just O365
> filtering isn't enough.
>
> The clients are using Outlook without SMTP Auth and outlook.office.com
> webmail.
>
> The primary problem we're having is that outbound filtering through
> the postfix server doesn't work because it won't allow relaying from
> the outbound.protection.outlook.com server, and we haven't implemented
> submission support.
>

I am not an expert in O365, but it seems that it can't use SASL for the
outbound connector.
But it can use certificate
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow

Postfix also supports certs:
http://www.postfix.org/TLS_README.html#server_access

permit_tls_clientcerts:
>  Permit the request when the remote SMTP client certificate fingerprint
or public key fingerprint (Postfix 2.9 and later) is listed in
$relay_clientcerts

With all of that you can try to add O365 cert to the  $relay_clientcerts
and add " permit_tls_clientcerts" to the "smtpd_relay_restrictions"

I heard that O365 supports VPN, so if you set it up, you would be able to
add O365 IP to the $mynetworks (I am not sure if it is possible to send
emails from O365 via VPN)

I suggest asking O365 support/forum/superuser.com for help.

Again:
Postfix needs to distinguish O365 from some random bot that sends spam,
otherwise it will not relay email!

There are 3 ways to do that:
* Add O365 IP to the $mynetworks (can't be done unless you set up a VPN
between O365 and Postfix, because you do not know the public IP of O365)
* Make O365 use SASL authentication (but looks like it is not supported)
* Use O365 certificate for the authentication. Should work.



Re: Managing allow/block list for outbound traffic

2021-05-14 Thread IL Ka
>
>
>
> If now a user of such a domain requests that he can be blocked
> from receiving email from my domain, due to abuse of my service,
> would be a simple REJECT of his email address in the same
> transport map list be sufficient, or does postfix may get confused?
>
>
transport(5) can have "error" transport for a certain domain, there is an
example in the man page.
.example.com error:mail for *.example.com is not deliverable
But if someone abuses your service, wouldn't it be better to block the
abuser?

You can also use access(5) to block smtpd from relaying emails to some
domains






Re: zendesk and relay denied

2021-05-13 Thread IL Ka
>
>
>
> We've created an outbound O365 connector to route outbound mail
> through our servers before being delivered to their final destination
> - I believe this is effectively relaying mail from
> outbound.protection.outlook.com:
>

I am a little bit confused).

Zendesk sends email to the O365, which in turn sends it to your postfix,
and you want postfix to relay it to the final destination, right?

What MTA ("mail servers") do you have?
What clients (apps, users etc) do you have?
What are their settings?
Which task are you trying to solve?


Re: zendesk and relay denied

2021-05-13 Thread IL Ka
>
>
> So I'm unable to send mail as a...@mydomain.com to any domain other
> than the ones managed by our mail server.  How do I convince postfix
> that it should route mail for mydomain.com from
> outbound.protection.outlook.com?
>
1. If you want postfix to route/relay email TO some domain from ANY
client, you should add this domain to the "relay_domains".
2. If you want postfix to route/relay email TO ANY domain from a CERTAIN
client, you should add this client's IP to mynetworks OR configure the
client to use SASL authentication.

This is how "smtpd_relay_restrictions" works by default.
http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
Technically you can configure it, but there is no reason to do so.

Default configuration says:
* permit_mynetworks: allow any email to any destination from a client in
"mynetworks"
* permit_sasl_authenticated: allow any email to any destination from a
client that is SASL authenticated
* defer_unauth_destination: unless destination is mydestination or
relay_domains, defer email!

There are "smtpd_relay_restrictions" AND "smtpd_recipient_restrictions":
BOTH of them must permit email.
There is a table in this chapter:
http://www.postfix.org/SMTPD_ACCESS_README.html#lists

You configure "smtpd_recipient_restrictions", but you also need to pay
attention to "smtpd_relay_restrictions".

When playing with all of this try not to create an open relay (i.e. never
add foreign public network to the "mynetworks")


Re: zendesk and relay denied

2021-05-12 Thread IL Ka
>
>
> Hi,
>
Hello,


>
> I've set up postfix to be the mail relay for a domain so we can
> process it through amavis/spamassassin prior to it being forwarded on
> to our O365 domain.
>
You need to add this domain to the "relay_domains"


>
> I've set up a recipient check to allow relaying for our zendesk
> support domain, but for some reason it's still being rejected. Is it
> due to the empty envelope sender?
>
SMTPD checks "smtpd_relay_restrictions" also.
By default it accepts email from unauthenticated users/networks to
mydestination and relay_domains only.



>
> main.cf:
> relay_domains = $mydestination, example.com

Add "nnnhelp.zendesk.com" here.
Be sure Postfix knows how to deliver email there (there must be an MX record
or a record in the "transport(5)" table)


> check_recipient_access pcre:$config_directory/nnnhelp-zendesk,
>
Did you add it to the "smtpd_recipient_restrictions" ?

Check this doc carefully: http://www.postfix.org/SMTPD_ACCESS_README.html
It has examples and very useful table


Re: Monitoring logs for blocks and deferrals

2021-05-12 Thread IL Ka
>
>
> Postfix have any native capabilities good for detecting these issues and
> acting on them, or would I just need to do some kind of checks on the
> pflogsumm output each day? Obviously the sooner I can catch these messages
> and act on them, the better, so the more realtime I can do this, the better.
>
Random ideas:

* Configure your syslog/rsyslog to copy logs to the pipe. Write a simple
script that parses "status=" and sends you a message.
There are a lot of parsers like
https://metacpan.org/pod/Mail::Log::Parse::Postfix

* Use your network monitor tool if you have any.
For Zabbix you could use https://github.com/aadz/mlogtail
Zabbix can send you email/sms/slack message/what ever when "bounced" (or
some other counter) increased
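One shape the "simple script that parses status=" could take, added here as an example rather than one of the tools linked above: a Python parser for the per-recipient delivery line, run over constructed log lines modelled on the ones quoted in this thread. The regex field names, the SAMPLE_LOG contents and the severity mapping are assumptions of the example; pass `-` as the only argument to read real lines from stdin, which is how it would sit behind a syslog pipe.

```python
"""Flag bounced and deferred deliveries in Postfix logs. Added example for
the thread above, not Postfix code and not one of the linked tools. It
parses the per-recipient line that the delivery agents (smtp, local,
discard, ...) write:

  <date> <host> postfix/<agent>[<pid>]: <queue id>: to=<rcpt>, relay=...,
      ..., dsn=<class>.<subject>.<detail>, status=<status> (<server reply>)
"""
import re
import sys
from collections import Counter

# Queue IDs are hex by default and alphanumeric with enable_long_queue_ids,
# so [0-9A-Za-z]+ covers both. The server reply may itself contain
# parentheses, hence the greedy .* anchored to the final ')'.
LINE_RE = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), .*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<reply>.*)\)\s*$"
)

ALERT_STATUSES = {"bounced", "deferred"}

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
May 28 18:40:01 mx1 postfix/smtp[4156]: 62D4D9F81D: to=<user@example.net>, relay=none, delay=0.04, delays=0.01/0.01/0.03/0, dsn=5.1.0, status=bounced (Domain example.net does not accept mail (nullMX))
May 28 18:40:02 mx1 postfix/discard[4162]: 2209D9F81D: to=<user@example.net>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (example.net)
May 28 18:41:10 mx1 postfix/smtp[4170]: 7A1B29F8203: to=<bob@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=30, delays=0.02/0.01/30/0, dsn=4.4.2, status=deferred (lost connection with mail.example.org[192.0.2.25] while receiving the initial server greeting)
May 28 18:41:11 mx1 postfix/smtpd[4180]: connect from localhost[127.0.0.1]
""".splitlines()


def parse_delivery(line):
    """Return the fields of a delivery-status line, or None for other lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def classify(rec):
    """Severity from the DSN class: 5.x.x permanent, 4.x.x transient."""
    if rec["dsn"].startswith("5."):
        return "permanent"
    if rec["dsn"].startswith("4."):
        return "transient"
    return "ok"


def summarize(lines):
    """Count statuses and collect the records that deserve a notification."""
    counts = Counter()
    alerts = []
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue                      # connects, disconnects, warnings
        counts[rec["status"]] += 1
        if rec["status"] in ALERT_STATUSES:
            rec["severity"] = classify(rec)
            alerts.append(rec)
    return counts, alerts


def format_alert(rec):
    """One-line message suitable for mail, Slack or a monitoring trap."""
    return (f"[{rec['severity']}] {rec['qid']} to={rec['to']} via {rec['agent']} "
            f"dsn={rec['dsn']} status={rec['status']}: {rec['reply']}")


if __name__ == "__main__":
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG
    counts, alerts = summarize(source)
    print("status counts:", dict(counts))
    for rec in alerts:
        print(format_alert(rec))
```

Splitting on the DSN class rather than only on status= lets a deferral (4.x.x, retried by the queue manager) be rated below a bounce (5.x.x, already returned to the sender), which is usually the distinction you want before paging anyone.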


Re: postfix-users@postfix.org

2021-05-11 Thread IL Ka
>
>
> Is there any security benefits to creating this smart host as a separate
> SMTP server?  Are there any "best practices" for this kind of situation?
>

It depends on your network structure and how much you trust your new
clients.

If your client resides directly at your local network (either physical or
VPN) you can use
"mynetworks" to allow relaying. This is a typical config for SOHO

If no, then you should use SASL to auth the client.
Be sure to force TLS ( smtpd_tls_auth_only) in this case.
You can also enable client certificate verification (see TLS_README) to
make the system even more secure.
Also, use "smtpd_sender_login_maps" to make sure client uses only allowed
"From".

But if you want to delegate the management of your clients to someone who
doesn't have access to your MTA, then you can
install a separate "relayhost" for them and give the appropriate person
rights to manage authentication, generic, canonical and other things.

Some untrusted clients should never send email anywhere except one/two
well-known addresses.
This could be done with regex-based virtual(5), and it could be convenient
to configure it on the separate server not to pollute your MTA.

There are some "dumb" SMTP clients that can't use SMTP AUTH nor TLS. If you
want  such client to be connected to your MTA via the public Internet,
then you have to install "relayhost" for it

Tell us more about the problem you are trying to solve.





Re: Postfix: SASL authentication failure

2021-05-10 Thread IL Ka
saslauthd creates a socket (usually in /var/run/saslauthd) and listens to
it.

Here what I see when run saslauthd from the command line:

(I use getpwent but pam should be used probably)
# saslauthd -a getpwent -d
saslauthd[22825] :main: num_procs  : 5
saslauthd[22825] :main: mech_option: NULL
saslauthd[22825] :main: run_path   : /var/state/saslauthd
saslauthd[22825] :main: auth_mech  : getpwent
saslauthd[22825] :ipc_init: using accept lock file:
/var/state/saslauthd/mux.accept
saslauthd[22825] :ipc_init: listening on socket:
/var/run/saslauthd/mux
Look
here--^^
saslauthd[22825] :detach_tty  : master pid is: 0

What do you see when you run it?

This is a saslauthd socket on my distro. It should be readable and
accessible by postfix.

There could be 2 types of problem:
* Postfix user may have no access to this file because it doesn't belong to
a certain group.
Check who has access to this file (with ls -h) and make sure postfix runs
under the account who has it.

* Postfix may be chrooted. In this case it simply can't access file outside
of its chroot.
People solve it by symlinking this socket to the postfix chroot:

See "ln" command here:
https://serverfault.com/questions/319703/postfix-sasl-cannot-connect-to-saslauthd-server-no-such-file-or-directory/530346
and here:
http://www.jimmy.co.at/weblog/2005/12/05/postfix-and-sasl-debian/

I believe the latter is your case.




saslauthd[22825] :ipc_init: listening on socket:
/var/state/saslauthd/mux


Re: Postfix: SASL authentication failure

2021-05-10 Thread IL Ka
>
>
> May 10 09:17:42 smtp01 postfix/smtpd[21033]: warning: SASL
> authentication failure: cannot connect to saslauthd server: No such file
> or directory
>
this is a problem

>
> /var/run/saslauthd is present - yes
> /var/spool/postfix/var/run/saslauthd is present - yes
>
Is one dir a link to another?
Do you see any files there?

Run saslauthd from the command line with the "-d" argument: it should print
the name of the socket it listens to or use
tool like "ss" to check the socket.

Check that account used by postfix has access to this folder.


masquerade_domains and local_header_rewrite_clients: small doc inconsistency

2021-05-07 Thread IL Ka
Hello,

As I understand, local_header_rewrite_clients is used for 2 purposes:
* Add $mydomain to the incomplete address
* Masquerade domain (remove redundant part)

Latter is documented here:
http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade
and it seems to work correctly

But "local_header_rewrite_clients" doc only says:
"Append the domain name in $myorigin or $mydomain"
http://www.postfix.org/postconf.5.html#local_header_rewrite_clients

It says so several times, but never mentions masquerading.

It seems that it may be a good idea to add this info to this part of the
documentation.
Am I missing something?

Ilya


Re: "default_transport = smtp:relay" vs "relayhost = relay"

2021-05-05 Thread IL Ka
>
> Yes, "relayhost" also affects the routing of mail to "relay_domains".
>
> Thank you, Viktor.

I see: "relay_domains" -> "relay_transport".
"relayhost" affects both: default_transport and relay_transport


Re: backup mx: relay_domains vs permit_mx_backup

2021-05-05 Thread IL Ka
Thank you Bill,

This is the part I missed:

> Anyone can make their domain point to your MTA as a
> backup MX.

And my postfix will automatically act as backup MX for anyone who simply
adds my IP as backup MX unless I set "permit_mx_backup_networks".
Now it is clear.


backup mx: relay_domains vs permit_mx_backup

2021-05-04 Thread IL Ka
Hello,

It is suggested to provide a list of relay_domains explicitly for the backup
mx:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

But another solution is to set "permit_mx_backup" for
"smtp_relay_restrictions".
It seems to be a more flexible approach (since only DNS needs to be changed), but
for some reason
this method isn't mentioned in the document.
Does it have drawbacks?

By the way, should I explicitly set "permit_mx_backup_networks" to my
primary MX if I use
"permit_mx_backup"?
I can't imagine any case where this feature could be misused (except by DNS
spoofing, probably).

Thank you.
Ilya.


"default_transport = smtp:relay" vs "relayhost = relay"

2021-05-04 Thread IL Ka
Hello,

Is there any difference between setting "relayhost" and default_transport
smtp with an
explicit next hop?

Ilya.


Re: Redirect emails from localhost to a given host, and normally route the other emails

2021-05-03 Thread IL Ka
>
> I would like to configure Postfix the following way:
>
>- emails from localhost -> 192.168.1.5
>- emails from my_network (192.168.1.0/24) -> the rest of the world
>(with MX resolution)
>
Do you know which sender will be used for your locally generated mail?
If so, try
http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps


Re: Clients Sending Phantom Email

2021-04-28 Thread IL Ka
>
>
> We are getting reports, more and more, of email clients (Type App, Mac
> Mail, iOS Mail) that seem to send email, and show that the email has
> been sent on the client, but the mail server has no record of email ever
> reaching the SMTP service, nor does it even seem that the client is
> connecting to the server.
>

Hi.
What reports? How do you get them?
It could be that they send emails via another server (simple if you do not
have SPF and DKIM records).


Re: postfix newbe - which standard configuration to use

2021-04-28 Thread IL Ka
>
> just add that IP to "mynetworks" and send the mail to your server the
> normal way via port 25... Less to set up...
>

IMHO: no need to listen on 25 on the public IP if you aren't going to
receive any email from there.
"mynetworks" will protect the server from being an open relay, but still many bots will
try to send something through it and pollute the server logs.


Re: postfix newbe - which standard configuration to use

2021-04-28 Thread IL Ka
> Mails are collected by fetchmail (as daemon using /etc/fetchmail.rc)
>
>
So, you aren't going to receive any email on your VPS, then you should
configure inet_interfaces to listen only on your VPN IP
http://www.postfix.org/postconf.5.html#inet_interfaces

You can even listen to the submission port (instead of SMTP/25) and close
25 with a firewall.


Re: postfix newbe - which standard configuration to use

2021-04-27 Thread IL Ka
>
>
> I do not need to receive any emails on my VPS (I am using my home server for
> that, storing emails starting from 2002 using dovecot and roundcube - we
> are happy with this).
>
Hm.. how can you receive emails for your domain on your home server? What
will the MX record contain?



> Seem to be I need sasl authentication between my home server and vps
> server. That mean I need to study how do it with exim4 (on my home server).
>
Btw, I like what Bernardo Reino suggested: you can create a VPN between your
home server and the VPS (you can use StrongSwan, OpenVPN, WireGuard or any
other solution).
With it you can:
* Skip SASL (because only the home server would be able to connect to your VPS;
you can even close the port with a firewall)
* Not bother with TLS, because the VPN provides encryption (although you
need to configure outgoing TLS on your VPS to send emails to the other
servers)





Re: postfix newbe - which standard configuration to use

2021-04-27 Thread IL Ka
Hi.

In most cases you shouldn't send email from @gmail through your server,
because gmail has an SPF policy (srv record in DNS) and only gmail servers are
allowed to send emails from this domain (email sent from another IP will go
to spam).
You can configure your server to forward these emails via the gmail server by
mimicking an email client (you would need to enable SMTP access in gmail, I
believe).
To do so, you will configure SASL to authenticate your postfix as a gmail
client, and transport along with "sender_dependent_default_transport_maps"
to relay emails from @gmail.com via gmail servers.
(http://www.postfix.org/transport.5.html ,
http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
)

But it is tricky, so let's start from the domain you own.

On your VPS you configure your Postfix as a regular MTA, setting "myhostname"
to your FQDN:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#local_network
but set "mynetworks = 127.0.0.0/8"

Check the following variables, and change them if they aren't configured
correctly:

http://www.postfix.org/postconf.5.html#myhostname
$ postconf -d myhostname
myhostname = your.server.full.name

http://www.postfix.org/postconf.5.html#myorigin
$ postconf -d myorigin
myorigin = $myhostname

Then try to send an email:
$ mail some_external_a...@foo.bar

If it works, then your VPS server can now send emails from your domain (I
suggest configuring SPF for your domain at this point:
https://mediatemple.net/community/products/dv/204404314/how-can-i-create-an-spf-record-for-my-domain
)

Note:
$ postconf -d mynetworks
should only contain 127.0.0.0 for now

Now we need to set this server as smarthost (aka relayhost) for your home
server.

If you have a public static IP, then you can simply add it to "mynetworks"
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
This will tell Postfix "accept and relay all emails from this IP". You only
need to set the VPS IP as smarthost then.

If not, you would need to authenticate your home server using SASL: SMTP
servers use it to authenticate clients
http://www.postfix.org/SASL_README.html

Since the Internet is a public network, you may need to enable TLS (which
provides encryption) (http://www.postfix.org/TLS_README.html#server_tls)
and configure your home server to use it (we do not want your ISP sniffing
your email content)

Questions:
* Do you have public static IP at home? Configuring SASL is only worth
doing if you do not.
* How do you want to receive emails for your domain? Do you want them to
arrive at your VPS so you can fetch them using pop/imap or forward them
somewhere?


Re: postfix newbe - which standard configuration to use

2021-04-26 Thread IL Ka
>
>
> Hi.

Do you have email addresses in different domains? Do you own all these
domains (have access to their DNS configuration etc)?
Do you want to receive emails for these domains?


Re: Certificate Postfix.org missing?

2021-04-21 Thread IL Ka
>
>
> There is neither a service at port 443, nor a postfix.org website.
>
>
I believe this is about http://www.postfix.org/
There is no https there.

It should be easy to install a Let's Encrypt certificate there, but I am not
sure if it's worth the effort.


Re: Rootless postfix

2021-02-25 Thread IL Ka
>
> It is an *ANCIENT* reference, but the O'Reilly book "Building
> Internet
> Firewalls" describes a simple program called smap.
>
> It runs without root privileges and ONLY accepts incoming SMTP connections,
> dropping messages into a queue for processing by another program.
> (Could this be the MAILDROP queue perhaps?)


Postfix smtpd is pretty powerful, see "STANDARDS" section:
http://www.postfix.org/smtpd.8.html

I am not sure if "smap" supports all of that (STARTTLS is very
important IMHO)

I am not a security expert, but I believe it should be possible to create a
virtual machine dedicated to email processing.
If an attacker breaks it and gets root privileges on this machine, it still
wouldn't do much harm to the other services.


Re: delay time between postfix send email on finding some code 4xx

2021-02-23 Thread IL Ka
On Tue, Feb 23, 2021 at 4:58 PM Francesc Peñalvez 
wrote:

> I was looking in the postfix manual for the waiting parameter by which
> an email is tried to send after receiving a 4xx code. I am interested in


Hi.
I think you need to configure qmgr: http://www.postfix.org/qmgr.8.html
Look at "backoff" parameters.


Re: SASL authentication failure: Internal Error

2021-02-18 Thread IL Ka
>
>
> Feb 18 13:03:31 server07 postfix/smtpd[11585]: warning: SASL
> authentication failure: Internal Error -4 in server.c near line 1757
>

Do you have cyrus sasl installed?



Re: bug in debian10

2020-10-26 Thread IL Ka
It is just a warning; you can live with it.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926331

On Mon, Oct 26, 2020 at 7:59 PM natan  wrote:

> Hi
> Probably bug in debian 10 ...
> "warning: symlink leaves directory: /etc/postfix/./makedefs.out"
>
> ii  postfix3.4.14-0+deb10u1 amd64High-performance mail
> transport agent
>
> Maybe another repo ? I don't want to install from source ... eh
>
> I search in google and probably bug in
> --
>
>


Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

2020-10-26 Thread IL Ka
Hello.

I haven't tried it yet, but DKIM with ed25519 is a draft:
https://tools.ietf.org/id/draft-ietf-dcrup-dkim-crypto-11.html
and official RFC doesn't mention it: https://tools.ietf.org/html/rfc6376

Doesn't it mean that ed25519 support is optional and many MTAs over the
Internet simply wouldn't be able to validate it?
In other words, isn't it too early?



On Mon, Oct 26, 2020 at 5:04 AM PGNet Dev  wrote:

> i'm swapping out opendkim milter from a postfix setup.
>
> inbound verification's been replaced with fastmail's authentication_milter
> -- in smtpd mode
> so far, behaving well.
>
> outbound signing on postfix submission has been replaced with
> dkimpy-milter.
> seems to work nicely for rsa signing.
>
> support's supposedly _there_ for ed25519 signing.
> but, when I deploy -- simply enabling ed25519 signingtable -- I get lots
> of errors -- just starting to troubleshoot now.
>
> 1st question ...
>
> ... is outbound ed25519 signing with dkimpy-milter in Postfix
> known-to-work for anyone here?
>
> iiuc, there's no Postfix-reason that it shouldn't work; a milter's a
> milter.
>
> so, just looking for any evidence that someone's got it working at all b4
> diving in.
>
>


Re: multiple relay servers

2020-10-21 Thread IL Ka
I think you can install a DNS server locally (on the same machine where
postfix runs) and configure postfix to use it.


On Wed, Oct 21, 2020 at 1:42 PM Zsombor B  wrote:

>
> I can't force the customer to change their DNS.
>
> Any postfix solution?
>
> BTW it looks like postfix delivers mails to all the relay servers so
> the postmap warning is a bit misleading as if it won't work.
>
> But this brings up another question: if any of the relay servers can't
> accept mail will postfix try any other relay server in the list at the
> next attempt?
>
>
> Zsombor
>
> >> How can I solve this?
> >
> > Create mail.whatever with A or CNAME records that point to each server.
> >
> > Then you use:
> >
> > @foo.bar [mail.whatever]:123
>
>
>


Re: Limiting HELO spoofing in Postfix?

2020-10-20 Thread IL Ka
>
> /index.php?s=index/\\think\\app/invokefunction=call_user_func_array[0]=phpinfo[1][]=1
That is fine: networks are constantly scanned by bots. They are trying to
hack any site using well-known vulnerabilities.

I have a lot of similar entries, although I do not have PHP on my site.

I have never been hacked, but if I were, here is what I would do:
* Reformat the drive and install the latest stable version of your favorite OS.
Be sure to upgrade it on a regular basis. Many OSes can do that using
cron.
* Use the latest stable version of some mature framework and also update
it. If you aren't using one, then make sure you understand how to write
secure code and how to run it correctly.
* Close all ports except http, https and ssh (which you should move away
from port 22 because port 22 is also scanned by bots). Disable password
authentication for ssh (use keys instead).
* Check your server from a remote one to be sure all other ports are
closed.
* Configure logwatch (or something like that) to send you your logs every day.
Check the logs carefully.

On Wed, Oct 21, 2020 at 2:03 AM Rich Wales  wrote:

> On 2020-10-20 06:45, Wietse Venema wrote:
>
> > Extract time stamps for NON-ERROR web server responses, and
> > correlate those time stamnps with activity in Postfix logs.
>
> Working on this now.  There are log entries for several GET requests
> asking for nonsensical things like the following:
>
>
> /index.php?s=/Index/\\think\\app/invokefunction=call_user_func_array[0]=md5[1][]=HelloThinkPHP
>
>
> /index.php?s=index/\\think\\app/invokefunction=call_user_func_array[0]=phpinfo[1][]=1
>
> /index.php?m=admin=index=login=1
>
> /?a=fetch=die(@md5(HelloThinkCMF))
>
> A couple of the above are near the dates/times when I was having the
> e-mail problem.  But this could just as easily be a coincidence -- and
> as far as I can tell, none of the above would accomplish anything -- the
> supplied parameters are completely different from what the "index.php"
> script in question is expecting.  Are these strange GET requests still
> something which I should investigate further?
>
> Some other observations (none apparently pointing to any problem):
>
> My server runs a web site which sells a book on shoemaking which my
> mother wrote long ago.  The site uses PHP, plus one JavaScript file.
> There are, however, NO FORMS -- it's all done by clicking buttons, and
> the financial transactions are handled by PayPal.  Lots and lots of GETs
> in the log for this site, but no PUTs or POSTs, and the files themselves
> are all read-only, so I can't really see how they could have been
> exploited (though I'm open to enlightenment on this).  All of the above
> weird GETs with random options tacked onto the URL were for this site.
> And for what it may be worth, this site consists of raw PHP and JS which
> I wrote from scratch, without using any frameworks or toolkits.
>
> Lots of attempts to GET a script named "wp-login.php" in several
> directories.  In fact, there are not (and never have been) ANY
> "wp-login.php files on this server (not running WordPress).  Strangely,
> though, many of the GETs return a 200 HTTP status code -- not something
> I would expect when a requested file doesn't exist.  Were it not for the
> 200 HTTP status code, I would have just dismissed these as irrelevant.
> In any case, none of these "wp-login.php" attempts correspond to the
> dates when I was having the e-mail problem.
>
> I had a couple of VERY old PHP scripts supporting "Project Honey Pot".
> I've removed them, though, and will review my security before putting
> them back (or, more properly, installing fresh scripts from the
> project).  The logs showed about 20 accesses to my honeypot scripts, but
> none around the dates of interest.
>
> And I have still not seen any further instances of the hacker attack in
> the last several days.
>
> Rich Wales
> ri...@richw.org
>


Re: Mail server recently became an open relay

2020-10-19 Thread IL Ka
A rock solid solution is to separate htdocs (the folder that is accessible via
the web) from the code folder (the one with the scripts).
I do not know how that could be done with PHP (I believe you can serve
static files with nginx and run PHP as FPM connected to nginx with
FastCGI), but in the Python world we have a separate process (uwsgi or gunicorn)
that is connected to nginx and runs under a different user.
All user files are uploaded to the folder accessible by nginx, far away
from the folder with the Python scripts.
Even if you upload a .py file, nginx will serve it as a static plain text
file.

On Tue, Oct 20, 2020 at 1:27 AM Demi M. Obenour 
wrote:

> On 10/19/20 3:29 PM, Jaroslaw Rafa wrote:
> > Dnia 19.10.2020 o godz. 21:12:20 John Fawcett pisze:
> >> Sorry not to be able to give a definitive answer. Typical mail injection
> >> via php will use a script that already calls the php mail function or
> >> similar functions that open the smtp connection. But there are other
> >> attack vectors that are possible that allow hackers to gain the
> >> privileges of the web server user.
> >
> > Very often hackers abuse web pages that allow users to upload files to
> the
> > web server. If the input is not correctly sanitized, it may be possible
> to
> > upload an arbitrary php script and get it executed.
> >
> > There were multiple attacks based on this scenario.
>
> Can this be mitigated by denying the PHP user write permission on
> any directory where PHP files will be executed?
>
> Demi
>
>


Re: Mail server recently became an open relay

2020-10-19 Thread IL Ka
If someone hacked your PHP script, he or she may add any code to it,
including code that connects to your smtpd and sends email.
In PHP one can use the mail() function (which can use a TCP connection to
localhost:25 according to the settings in php.ini) or establish a connection
directly.

As we can see from
> Oct 15 14:48:06 memoryalpha postfix/postscreen[18030]: CONNECT from
> [127.0.0.1]:52138 to [127.0.0.1]:25

some locally running process just connected to your server and sent spam.
I think you can use iptables to log all connections to this port to catch
the pid of the culprit.

As a quick-and-dirty solution you can move your smtpd to a different port
(see master.cf).
The script would not know about the new port, hence it wouldn't be able to
connect to postfix.

Or you can move smtpd to a unix domain socket, or even disable it and
use the "sendmail" interface instead.

Grepping your scripts for "socket_connect" and "mail" is also worth doing.

Btw, this is not an "open relay": relaying mail from localhost
(127.0.0.1) is the default postfix behavior because "mynetworks =
127.0.0.0/8" in many installations,
and "smtpd_relay_restrictions" includes $mynetworks by default.

If you were running each website in a separate Docker instance, for
example, then you would be able to create a separate port for each
container in master.cf, and know for sure which one was hacked.

On Mon, Oct 19, 2020 at 9:51 PM Rich Wales  wrote:

> John Fawcett wrote:
>
> > One thing I would suggest looking at is if there is a web server running
> > on the same host it may be allowing email to be injected into postfix
> > via smtp on the loopback interface using some scripting language like
> > php or others.
>
> I suppose that's possible.
>
> I spent some time last night cleaning up old stuff from the server in
> question -- and also rebooting the box for good measure -- so the
> problem *might* just go away at this point.
>
> Before I can say anything more about this, unfortunately, I'll probably
> need to wait for another incident similar to the preceding ones, and try
> to capture more evidence while the problem is ongoing.  If it never
> happens again, then maybe it was the fault of an old PHP web page which
> I have removed.
>
> If the problem were in fact due to a hijacked PHP page, btw, would this
> necessarily require the page to be using e-mail or TCP connections
> already for its own legitimate purposes, but being co-opted by a hacker
> to nefarious ends?  Or could *any* PHP script theoretically be infected
> in a way that would cause this misbehaviour?
>
> Rich Wales
> ri...@richw.org
>
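The relay path described above (a local process on 127.0.0.1 is inside the default mynetworks, so smtpd_relay_restrictions lets it relay), as an added Python example that is not from the thread and not Postfix's own code. It also covers the IPv6 loopback point raised in the later CentOS thread on this page: "::1" is not inside 127.0.0.0/8, so a client that resolved localhost to ::1 is deferred unless [::1]/128 is listed. The client addresses and scenario names are constructed.

```python
"""Why a local process can relay through Postfix, and why ::1 may not.

Added example (not Postfix code, not from the thread): it parses a
mynetworks value the way Postfix reads it (CIDR blocks, bare addresses,
IPv6 in [brackets]) and walks the default smtpd_relay_restrictions list
"permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
for one client and recipient. The client addresses below are constructed.
"""
import ipaddress


def parse_mynetworks(value):
    """Turn a mynetworks string into ip_network objects.

    Entries are separated by commas or whitespace. IPv6 entries use the
    Postfix bracket form ([::1]/128 or [::1]); a bare address is one host.
    Table lookups (type:name) are not modelled and raise ValueError.
    """
    nets = []
    for item in value.replace(",", " ").split():
        if item.startswith("["):
            addr, _, prefix = item[1:].partition("]")
            item = addr + prefix  # "[::1]/128" -> "::1/128", "[::1]" -> "::1"
        elif ":" in item:
            raise ValueError("table lookup not modelled: %r" % item)
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def permit_mynetworks(client_ip, nets):
    """permit_mynetworks: is the client inside any listed network?

    An IPv6 client (::1) never matches an IPv4 block (127.0.0.0/8), so a
    client that resolved "localhost" to ::1 is not trusted by "127.0.0.0/8".
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in nets)


def relay_decision(client_ip, mynetworks, recipient_domain,
                   sasl_authenticated=False, mydestination=(), relay_domains=()):
    """Evaluate the default smtpd_relay_restrictions for one RCPT TO.

    Returns (action, restriction that decided it).
    """
    if permit_mynetworks(client_ip, parse_mynetworks(mynetworks)):
        return "PERMIT", "permit_mynetworks"
    if sasl_authenticated:
        return "PERMIT", "permit_sasl_authenticated"
    # defer_unauth_destination acts only when the recipient domain is neither
    # one of ours (mydestination) nor one we relay for (relay_domains); an
    # authorized destination falls off the end of the list and is permitted.
    domain = recipient_domain.lower().rstrip(".")
    if domain in mydestination or domain in relay_domains:
        return "PERMIT", "end of list (authorized destination)"
    return "DEFER", "defer_unauth_destination"


# Constructed scenarios: a script on the web host connecting to 127.0.0.1:25
# (relayed, as in the thread), the same via IPv6 loopback, and a stranger.
SCENARIOS = {
    "php script via 127.0.0.1": ("127.0.0.1", "127.0.0.0/8"),
    "php script via ::1": ("::1", "127.0.0.0/8"),
    "same, IPv6 loopback listed": ("::1", "127.0.0.0/8 [::1]/128"),
    "random internet host": ("203.0.113.9", "127.0.0.0/8"),
}


def run_scenarios(recipient_domain="gmail.com"):
    """Map each scenario name to the relay decision for an outside recipient."""
    return {name: relay_decision(ip, nets, recipient_domain)
            for name, (ip, nets) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print("%-30s %s (%s)" % (name, *decision))
```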




pass vs unix in master.cf

2020-10-17 Thread IL Ka
Hello.

What is the difference between these two types?
Thank you.

Ilya.


Re: Forward mail and obey SPF and DKIM

2020-10-17 Thread IL Ka
Thank you all. This is how I fixed it (after Bill Cole's email): I needed
to substitute the envelope sender (MAIL FROM:) to match my address, but the message
(along with its headers) shouldn't be touched.

# Only change the envelope, not the body
sender_canonical_classes = envelope_sender
# In this file I change the envelope address to my domain.
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_map

Google is now perfectly happy with both SPF and DKIM.

Shouldn't we add this recipe to the official postfix documentation?



On Mon, Sep 14, 2020 at 4:31 PM IL Ka  wrote:

> Hello.
> I have postfix running on linux box.
>
> I set up OpenDKIM with both smtpd and non_smtp milters.
> I also set my address in DNS as permitted IP for SPF.
>
> So far, so good.
>
> But I want all my mail to be forwarded to gmail.
>
> Some user sends me email from user@some_sender_domain.
>
> If I use .forward or alias, then postfix doesn't change "From" header,
> so gmail believes email was sent from @some_sender_domain.
> This domain doesn't have my box IP as permitted in DNS, so SPF failed.
>
> I can change the header using header_checks. But then the DKIM signature
> would be broken because some_sender_domain signed email and I changed it.
>
> It seems that I need to:
> * Change headers
> * Sign email with my DKIM
> * Forward it to gmail
>
> But milters are not applied on forwarded emails because they aren't
> locally generated (or I failed to configure it correctly?)
>
> I can fix it using custom script that reads my local email
> and sends it to gmail.
>
> But how can I do that with postfix?
>
> Ilya.
>
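The envelope-only rewrite described in the fix above, as an added Python example that is not from the thread and not Postfix's own code: a small model of a regexp: sender_canonical map applied to MAIL FROM, plus a check that the headers covered by the DKIM-Signature h= tag stay untouched (and break when From: is rewritten instead). The map, the sample message and the domain forwarder.example are constructed for this example.

```python
"""Envelope-only sender rewrite, as in the fix described above.

Added example (not Postfix code): it applies a Postfix-style regexp:
lookup table to the SMTP envelope sender (what sender_canonical_maps
does when sender_canonical_classes = envelope_sender) and leaves the
message text untouched, then checks that every header named in the
DKIM-Signature h= tag is still intact. The map, the message and the
domain forwarder.example are constructed for this example.
"""
import re
from email import message_from_string

# Constructed map in regexp(5) table syntax: rewrite every envelope
# sender to an address in the forwarder's own domain, keeping the
# original address inside the local part so bounces stay traceable.
SENDER_CANONICAL_MAP = r"""
# pattern                 result
/^(.*)@(.*)$/             fwd+${1}=${2}@forwarder.example
"""

# Constructed inbound message: signed by some_sender_domain over From/To/Subject.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=some_sender_domain; s=sel;\n"
    " h=From:To:Subject; bh=BODYHASH_PLACEHOLDER; b=SIG_PLACEHOLDER\n"
    "From: Some User <user@some_sender_domain>\n"
    "To: me@forwarder.example\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)


def parse_regexp_table(text):
    """Parse `/pattern/flags result` lines into (compiled regex, result template)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:\\.|[^/])*)/([ix]*)\s+(\S+)$", line)
        if not m:
            raise ValueError("unparseable regexp table line: %r" % line)
        pattern, flags, result = m.groups()
        # Postfix matches case-insensitively by default; an 'i' flag toggles that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), result))
    return rules


def lookup(rules, key):
    """First-match lookup; $1 / ${1} in the result expand to capture groups."""
    for regex, template in rules:
        m = regex.search(key)
        if m:
            return re.sub(r"\$\{(\d+)\}|\$(\d+)",
                          lambda t: m.group(int(t.group(1) or t.group(2))), template)
    return None


def forward(envelope_sender, raw_message, rules):
    """sender_canonical_classes = envelope_sender: rewrite MAIL FROM only."""
    rewritten = lookup(rules, envelope_sender)
    return (rewritten if rewritten is not None else envelope_sender), raw_message


def replace_from_header(raw_message, new_from):
    """The rejected alternative: a header_checks-style REPLACE of From:."""
    return re.sub(r"(?m)^From: .*$", "From: " + new_from, raw_message, count=1)


def signed_headers_intact(original_raw, forwarded_raw):
    """True if every header listed in the original DKIM h= tag is unchanged."""
    orig = message_from_string(original_raw)
    fwd = message_from_string(forwarded_raw)
    m = re.search(r"\bh=([^;]+)", orig.get("DKIM-Signature", ""))
    if not m:
        return False
    names = [n.strip() for n in m.group(1).split(":") if n.strip()]
    return all(orig.get_all(n) == fwd.get_all(n) for n in names)


def demo():
    """Run the forwarding step on the sample and report what changed."""
    rules = parse_regexp_table(SENDER_CANONICAL_MAP)
    new_envelope, out = forward("user@some_sender_domain", SAMPLE_MESSAGE, rules)
    return {
        "envelope_sender": new_envelope,                  # SPF now checks forwarder.example
        "from_header": message_from_string(out)["From"],  # unchanged
        "dkim_intact": signed_headers_intact(SAMPLE_MESSAGE, out),
        "dkim_intact_if_from_rewritten": signed_headers_intact(
            SAMPLE_MESSAGE, replace_from_header(SAMPLE_MESSAGE, "me@forwarder.example")),
    }


if __name__ == "__main__":
    print(demo())
```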


Re: OpenDKIM but no log of postfix milter running or trying to run

2020-10-14 Thread IL Ka
Shut down OpenDKIM, set "milter_default_action = tempfail", reload postfix
and try to send something.
If your mail is rejected, then the Postfix configuration is ok, and you need to
grep maillog (or other logs) for DKIM.

On Wed, Oct 14, 2020 at 5:28 PM Jeff Abrahamson  wrote:

> On 14/10/2020 16:02, IL Ka wrote:
>
> > The config file is active, however.
>
> You can check your milter config with
>
> $  postconf smtpd_milters non_smtpd_milters milter_default_action
>
> or even
>
> $ postconf  | grep milter
>
> You can probably post its output here.
> Also, try to increase logging:
> http://www.postfix.org/DEBUG_README.html
>
> I've been playing with postconf this afternoon.  It's fun, but not telling
> me what I don't know.  (Here I've added a blank line between the two for
> readability):
>
> [T] jeff@nantes-1:postfix $ postconf -P | grep milter
> submission/inet/milter_macro_daemon_name = ORIGINATING
> smtps/inet/milter_macro_daemon_name = ORIGINATING
>
> [T] jeff@nantes-1:postfix $ postconf | grep milter
> milter_command_timeout = 30s
> milter_connect_macros = j {daemon_name} v
> milter_connect_timeout = 30s
> milter_content_timeout = 300s
> milter_data_macros = i
> milter_default_action = accept
> milter_end_of_data_macros = i
> milter_end_of_header_macros = i
> milter_header_checks =
> milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject}
> {cert_issuer}
> milter_macro_daemon_name = $myhostname
> milter_macro_defaults =
> milter_macro_v = $mail_name $mail_version
> milter_mail_macros = "i {mail_addr} {client_addr} {client_name}
> {auth_type} {auth_authen}"
> milter_protocol = 6
> milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
> milter_unknown_command_macros =
> non_smtpd_milters = $smtpd_milters
> smtpd_milters = inet:127.0.0.1:8891
> [T] jeff@nantes-1:postfix $
>
> If I add -vvv I can see that non_smtpd_milters is set to the correct
> value (inet:127.0.0.1:8891).
>
> I tried changing invocation to "smtpd -v" for both smtp and submission,
> but the send transaction doesn't change in any obvious way.
>
> --
> Jeff Abrahamson
> +33 6 24 40 01 57
> +44 7920 594 255
> http://p27.eu/jeff/  http://transport-nantes.com/
>
>


Re: OpenDKIM but no log of postfix milter running or trying to run

2020-10-14 Thread IL Ka
> The config file is active, however.

You can check your milter config with

$  postconf smtpd_milters non_smtpd_milters milter_default_action

or even

$ postconf  | grep milter

You can probably post its output here.
Also, try to increase logging:
http://www.postfix.org/DEBUG_README.html


Re: OpenDKIM but no log of postfix milter running or trying to run

2020-10-14 Thread IL Ka
Set "milter_default_action" to "reject", reload postfix, and try to send
mail.
You should probably get some errors in maillog.
Check your syslog config, to make sure opendkim logs are also written.

Check that your dkim is running (telnet 127.0.0.1 8891).

Btw, I have not set "milter_mail_macros" explicitly.
The default on my system is "milter_mail_macros = i {auth_type}
{auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}" and it
works.


On Wed, Oct 14, 2020 at 1:27 PM Jeff Abrahamson  wrote:

> I've set up OpenDKIM.  I've noted the config below, but the basic issue is
> that my mails aren't being DKIM signed and my logs, while showing no
> mail-related errors, also don't show any evidence of milters running or
> trying to run.  So I'm suspecting postfix config error rather than
> opendkim.  So far all doc reading and googling is leading me nowhere
> immediately helpful.
>
> I'm trying to figure out what's wrong or at least how to debug it
> further.  (This is all on ubuntu 16.04.6 LTS.  I sadly need to get this
> working before I can spend the time to transition us to a 20.04 host.)
> Postfix is v 3.1.0, opendkim is 2.10.3.
>
> This is the relevant config I've added to my /etc/postfix/main.cf:
>
> smtpd_milters   = inet:127.0.0.1:8891
> non_smtpd_milters   = $smtpd_milters
> milter_default_action   = accept
> milter_protocol = 6
> # Appears default doesn't include {auth_type}.
> # Cf. http://www.opendkim.org/opendkim.8.html
> milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_type}
> {auth_authen}"
>
> The OpenDKIM config is this:
>
> Canonicalization    relaxed/relaxed
> ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
> InternalHosts       refile:/etc/opendkim/TrustedHosts
> KeyTable            refile:/etc/opendkim/KeyTable
> LogWhy              Yes
> # MilterDebug       0
> MilterDebug         1
> MinimumKeyBits      1024
> Mode                sv
> PidFile             /var/run/opendkim/opendkim.pid
> SigningTable        refile:/etc/opendkim/SigningTable
> # Must agree with value in /etc/default/opendkim.
> Socket  inet:8891@localhost
> Syslog  Yes
> SyslogSuccess   Yes
> TemporaryDirectory  /var/tmp
> UMask   022
> UserID  opendkim:opendkim
> OversignHeaders From
> SignatureAlgorithm  rsa-sha256
> AutoRestart Yes
>
> KeyTable is
>
> nantes-1.p27.eu   p27.eu:mail:/etc/opendkim/p27.eu.key
>
> SigningTable is
>
> *@p27.eu nantes-1.p27.eu
> *@transport-nantes.com   nantes-1.p27.eu
>
> and TrustedHosts (which may not be needed) is
>
> 127.0.0.1
>
> Any suggestions?
>
> --
> Jeff Abrahamson
> +33 6 24 40 01 57
> +44 7920 594 255
> http://p27.eu/jeff/  http://transport-nantes.com/
>
>


Re: Mail server without MX record.

2020-10-13 Thread IL Ka
> 1- Each domain can have a MX record?
If you want to receive email for this domain then yes, you should have an
MX record for it. Without it the "A" record will be used, but it is better to
have MX.


> 2- If a company need multi MX record then it must have multi DNS server
> too?
You can have multiple MX records with different priorities. The sender's MTA
will try the first one first.
The number of DNS servers doesn't affect the number of MX records: in most
cases all public servers must have the same records.

> 3- Other methods like forwarding need MX record too?
No, if you only want to send email, you are not required to have an MX
record. Some MTAs may decline messages from domains without an MX, but most
of them accept such mails.
But if you have no MX, then you can't get replies and non-delivery reports.

There are some books about Postfix: "The book of Postfix", "Postfix: The
Definitive Guide". It may be a good idea to read some of them: they cover
how postfix works with DNS and MX.



On Tue, Oct 13, 2020 at 10:15 PM Jason Long  wrote:

> I'm really thankful for all information and help.
> Excuse me, I have some questions and I'm thankful if anyone answer to them
> by number:
> 1- Each domain can have a MX record?
> 2- If a company need multi MX record then it must have multi DNS server
> too?
> 3- Other methods like forwarding need MX record too?
>
> Thank you.
>
>
> Sent from Yahoo Mail on Android
> 
>
> On Tue, Oct 13, 2020 at 10:12 PM, @lbutlr
>  wrote:
> On 13 Oct 2020, at 12:03, Fred Morris  wrote:
>
> > Notwithstanding, any "fully qualified domain name" (FQDN) can have email
> sent to it; typically only the FQDN immediately below the zone cut, and
> also the subject of SOA and NS records, has MX records.
>
>
> Pretty sure it is prefect fine to have different MX records for subdomains.
>
> example.com    MX    10    mail.example.com.
> foo            MX    10    mail.sub1.example.com.
> Bar            MX    10    mail.sub2.example.com.
>
> Universities used to often have different MX servers for different
> departments/machines, though now it seems they are using external services
> for MX (maybe lucky, I checked five and all were using google or outlook
> for MX).
>
> --
> "Are you pondering what I'm pondering?"
> "I think so, Brain, but Tuesday Weld isn't a complete sentence."
>
>


Re: Mail server without MX record.

2020-10-13 Thread IL Ka
> DNS server have another MX record for other mail server.
Then all mail to your domain will go to that mail server. No way to change
it. This is how SMTP works:

    If one or more MX RRs are found for a given name, SMTP systems MUST
    NOT utilize any A RRs

https://tools.ietf.org/html/rfc2821#section-5



You need to contact the DNS administrator. You would need DNS anyway,
because serious MTAs need SPF and DKIM: both are DNS records.


On Tue, Oct 13, 2020 at 6:53 PM Jason Long  wrote:

> I can't have MX record because the DNS server have another MX record for
> other mail server.
> I'm thankful if anyone tell me how can I solve my problem without MX
> record. Is t possible with A record?
>
>
>
>
>
>
> On Tuesday, October 13, 2020, 07:19:56 PM GMT+3:30, @lbutlr <
> krem...@kreme.com> wrote:
>
>
>
>
>
> On 13 Oct 2020, at 09:45, Bernardo Reino  wrote:
>
> > On Tue, 13 Oct 2020, Jason Long wrote:
> >
> >> I have an Internet domain name and a Linux server and I want to have an
> email server for send and receive emails. For example, if my domain is "
> example.net" then I want to have a "i...@example.net" address for send
> and receive emails from the Internet.
> >
> > But then why no MX record?
> >
> > It's absolutely common, normal and expected to have an MX record so that
> other MTAs know where you actually want to have your mail delivered.
>
>
> It is also somewhat suspicious to have a mail server without an MX record.
> Sure, it’s ALLOWED, but it’s still weird.
>
> --
> 99 percent of police give the rest a bad name.
>
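The MX rule quoted above, together with the multiple-MX / no-MX / A-record questions answered earlier in this thread, as an added Python example (not Postfix code, not from the thread): which hosts an SMTP client may try for a domain, and in which order. The zone data is constructed after the thread's example.com layout; the example also covers the null MX case (RFC 7505, "MX 0 ."), which goes beyond what the thread discusses.

```python
"""Which hosts receive mail for a domain, per the MX rule quoted above.

Added example (not Postfix code): a minimal model of the RFC 2821
section 5 lookup. The zone is constructed; the sub-domain hosts are
placeholders. MX records are stored as (preference, host).
"""
import random

# Constructed zone: name -> record type -> records.
ZONE = {
    "example.com": {"MX": [(20, "mail2.example.com."), (10, "mail.example.com.")],
                    "A": ["192.0.2.1"]},           # A record ignored once MX exists
    "foo.example.com": {"MX": [(10, "mail.sub1.example.com.")]},
    "nomx.example.com": {"A": ["192.0.2.2"]},      # no MX: mail goes to the A host
    "nullmx.example.com": {"MX": [(0, ".")]},      # RFC 7505 null MX: accepts no mail
    "mail.example.com": {"A": ["192.0.2.25"]},
}


def mail_exchangers(domain, zone, rng=None):
    """Return (rule, [hosts]) in the order an SMTP client must try them.

    rule is "mx" (explicit MX records, lowest preference first; equal
    preferences are shuffled so load is spread), "implicit-mx" (no MX: the
    A/AAAA owner is treated as an MX of preference 0), "null-mx" (the
    domain refuses mail) or "none" (no usable records: the message bounces).
    """
    name = domain.rstrip(".").lower()
    records = zone.get(name, {})
    mx = records.get("MX", [])
    if mx:
        if len(mx) == 1 and mx[0][1] == ".":
            return "null-mx", []
        # Shuffle, then stable-sort by preference so equal hosts rotate.
        order = list(mx)
        (rng or random).shuffle(order)
        order.sort(key=lambda rec: rec[0])
        # RFC 2821 section 5: once MX RRs exist, A RRs of the domain itself
        # MUST NOT be used, so they are not consulted here.
        return "mx", [host.rstrip(".") for _, host in order]
    if records.get("A") or records.get("AAAA"):
        return "implicit-mx", [name]
    return "none", []


def accepts_replies(sender_domain, zone):
    """A sender domain only receives replies and bounces if it routes somewhere."""
    _, hosts = mail_exchangers(sender_domain, zone)
    return bool(hosts)


if __name__ == "__main__":
    for name in ZONE:
        print(name, mail_exchangers(name, ZONE))
```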


Re: Mail server without MX record.

2020-10-13 Thread IL Ka
What are you trying to achieve?

There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website the ability
to send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via a
smart host (the SMTP server of your provider). Some people run it on their
laptops.
* Email hosting: users send and receive emails with your Postfix (as they
do with Gmail, for example)
etc.

It is important to choose a scenario, because if you only need to send
emails from your website, then you do not need dovecot nor MX record and
you even do not need to listen for incoming connections to the public port,
but you may need DKIM and SPF.

In the "forward only via smart host" scenario you need almost nothing: no
MX, no SPF/DKIM, no public port.
If you want to receive emails, then having an MX record is a good idea.
You would also need to listen public port for incoming connections, and may
be one more port for clients (465 or 587)


On Tue, Oct 13, 2020 at 5:19 PM Jason Long  wrote:

> Thank you for all of your messages.
> With that tutorial, which record or port is needed?
>
> On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema <
> wie...@porcupine.org> wrote:
>
> Jason Long:
>
> > Hello,
> > Can I use Postfix without an MX record? I installed Postfix and Dovecot
> > via the "https://wiki.centos.org/HowTos/postfix" tutorial and I want
> > to know whether I can use it without an MX record?
>
>
> The SMTP standard (RFC 2821) does not *require* MX records. Some
> uninformed mail operators may require one, but those are rare.
>
> Wietse
>


Re: I'm a beginner and want to setup Postfix on CentOS.

2020-10-12 Thread IL Ka
"::1" is the local address for IPv6.
"127.[something]" is the local address for IPv4.
https://en.wikipedia.org/wiki/Localhost

My guess is that you didn't include the IPv6 address in the list of
"mynetworks", so Postfix can't "trust" it, because
"smtpd_relay_restrictions" defaults to "permit_mynetworks,
permit_sasl_authenticated, defer_unauth_destination", which means it only
relays emails either from "mynetworks" or from authenticated users.

"localhost" is resolved to the IPv6 address on CentOS. You can
explicitly disable IPv6:
https://www.tecmint.com/disable-ipv6-in-centos-8/

Or use the IPv4 address explicitly: "telnet 127.0.0.1 25".

I'd stay with the latter.



On Mon, Oct 12, 2020 at 5:55 PM Jason Long  wrote:

> Thank you for your reply.
> How can I be sure whether I'm using IPv4 or IPv6?
>
>
> On Monday, October 12, 2020, 06:18:10 PM GMT+3:30, IL Ka <
> kazakevichi...@gmail.com> wrote:
>
> > mynetworks = 127.0.0.0/8, My Public IP
> > Trying ::1...
> It could be that you are using IPv6 to connect while "mynetworks" is IPv4
> address.
> Try "telnet 127.0.0.1 25"
>
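To make the "mynetworks" point concrete, here is an added example (not Postfix's own matching code) that parses a mynetworks value in Postfix's syntax (comma or space separated, IPv6 networks written as [addr]/prefix, a bare address meaning a single host) and checks a client address against it: a connection from ::1 is not matched by 127.0.0.0/8, so the relay is refused until [::1]/128 is listed as well.

```python
"""Check whether a client address falls inside Postfix's "mynetworks" list.
Added illustration of why a telnet session that connects over IPv6 (::1) is not
trusted by "mynetworks = 127.0.0.0/8, <public IP>". Not Postfix's own code."""
import ipaddress
import re
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_mynetworks(value: str) -> List[Network]:
    """Turn a mynetworks setting into ip_network objects."""
    nets: List[Network] = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        # Postfix writes IPv6 networks as [addr]/prefix; strip the brackets.
        m = re.fullmatch(r"\[([^\]]+)\](/\d+)?", item)
        if m:
            item = m.group(1) + (m.group(2) or "")
        # A bare address gets the full-length prefix (/32 or /128);
        # strict=False tolerates host bits set in a network entry.
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_trusted(client_ip: str, mynetworks: str) -> bool:
    """True if client_ip is inside any network listed in mynetworks."""
    addr = ipaddress.ip_address(client_ip)
    for net in parse_mynetworks(mynetworks):
        # An IPv6 client can never match an IPv4 network, and vice versa.
        if addr.version == net.version and addr in net:
            return True
    return False


# The poster's setting, with a constructed placeholder for "My Public IP".
POSTER_MYNETWORKS = "127.0.0.0/8, 203.0.113.5"
# The same setting with the IPv6 loopback added in Postfix's bracket notation.
FIXED_MYNETWORKS = "127.0.0.0/8, 203.0.113.5, [::1]/128"
```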


Re: I'm a beginner and want to setup Postfix on CentOS.

2020-10-12 Thread IL Ka
> mynetworks = 127.0.0.0/8, My Public IP
> Trying ::1...
It could be that you are using IPv6 to connect while "mynetworks" is IPv4
address.
Try "telnet 127.0.0.1 25"

On Mon, Oct 12, 2020 at 3:25 PM Jason Long  wrote:

> Hello,
> I installed Postfix on CentOS and my "main.cf" file is as below:
>
> myhostname = mail.my-example.com
> mydomain = my-example.com
> myorigin = $mydomain
> ## Uncomment and Set inet_interfaces to all ##
> inet_interfaces = all
> ## Change to all ##
> inet_protocols = all
> ## Comment ##
> ##- Uncomment ##
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> ## Uncomment and add IP range ##
> mynetworks = 127.0.0.0/8, My Public IP
> ## Uncomment ##
> home_mailbox = Maildir/
> smtpd_use_tls = yes
> smtpd_tls_cert_file = /etc/postfix/mail.crt
> smtpd_tls_key_file = /etc/postfix/mail.key
> smtpd_tls_security_level = may
> mynetworks_style = subnet
> queue_directory = /var/spool/postfix
>
> When I want to send an email to Yahoo! it shows me the error below:
>
> # telnet localhost 25
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> ehlo localhost
> 220 mail.my-example.net.com ESMTP Postfix
> 250-mail.my-example.net.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> mail from:
> 250 2.1.0 Ok
> rcpt to:
> 554 5.7.1 : Relay access denied
>
> I searched and found a solution as below:
>
> "smtpd_recipient_restrictions = permit_sasl_authenticated"
>
> But when I added it to main.cf I can't do anything:
>
> # telnet localhost 25
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> ehlo localhost
>
> How can I solve it?
>
> Thank you.
>


Re: strange issue with postfix

2020-10-01 Thread IL Ka
Hi.
I'd start with checking your logs (i.e. "/var/log/maillog")

On Thu, Oct 1, 2020 at 10:01 PM Ranjan Maitra  wrote:

> Hi,
>
> I have an issue that I can not resolve at my work environment.
>
> When I use commandline mail, my e-mail gets delivered.
>
> However, when I use a mailer (like sylpheed) to use localhost, it does not
> get delivered. I have SMTP port set to the default, and this same setup
> works fine when I send e-mail from my home machine. What could be wrong,
> and how may I fix it? Any suggestions?
>
> Many thanks and best wishes,
> Ranjan
>
>


Re: Forward mail and obey SPF and DKIM

2020-09-14 Thread IL Ka
Thank you.
I see "SPF: SOFTFAIL" in my gmail message.

Authentication results:
spf=softfail (google.com: domain of transitioning some_user@sender_domain
does not designate MY_IP_ADDR as permitted sender)

While the message is not blocked, it is still not good to have an SPF failure,
even when the failure is soft.

It seems that I can't fix it, right?



On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd 
wrote:

> On 14/09/2020 14:31, IL Ka wrote:
> > Hello.
> > I have postfix running on linux box.
> >
> > I setup OpenDKIM with both smtpd and non_smtp milters.
> > I also set my address in DNS as permitted IP for SPF.
> >
> > So far, so good.
> >
> > But I want all my mail to be forwarded to gmail.
> >
> > Some user sends me email from user@some_sender_domain.
> >
> > If I use .forward or alias, then postfix doesn't change "From" header,
> > so gmail believes email was sent from @some_sender_domain.
> > This domain doesn't have my box IP as permitted in DNS, so SPF failed.
> >
> > I can change header using headers_check. But then DKIM signature
> > would be broken because some_sender_domain signed email and I changed it.
> >
> > It seems that I need to:
> > * Change headers
> > * Sign email with my DKIM
> > * Forward it to gmail
> >
> > But milters are not applied on forwarded emails because they aren't
> > locally generated (or I failed to configure it correctly?)
> >
> > I can fix it using custom script that reads my local email
> > and sends it to gmail.
> >
> > But how can I do that with postfix?
>
> The short answer is that SPF failures do not normally matter when
> forwarding to gmail. They only matter if sender uses DMARC with p=reject
> *and* has not signed their email with DKIM, which is a poor and rare
> practice (though not forbidden). (Forwarding to gmail should not break
> the original sender's DKIM signature.)
>
>
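The answer quoted above (SPF failures on forwarded mail only bite when the sender has DMARC p=reject and no DKIM signature) follows from the DMARC rule that either an aligned SPF pass or an aligned DKIM pass is enough. As an added example, not code from the thread or from Postfix/OpenDKIM, here is that evaluation applied to the constructed cases of the thread: mail from a sender domain forwarded by the poster's box to Gmail, with and without a surviving DKIM signature.

```python
"""DMARC disposition for a forwarded message (RFC 7489 evaluation, simplified).
DMARC passes when SPF or DKIM passes with a domain aligned to the RFC5322.From
domain. A forwarder cannot satisfy the sender's SPF record, so the outcome rests
on whether the sender's DKIM signature survived the forward. Added illustration."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain the receiver aligns against
    spf_result: str    # "pass", "softfail", "fail" or "none"
    spf_domain: str    # domain SPF checked (the envelope sender / MAIL FROM)
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified signature, "" if none


def dmarc_disposition(r: AuthResults, policy: str) -> str:
    """Return "pass", or the sender's policy action (none/quarantine/reject)."""

    def aligned(domain: str) -> bool:
        # Relaxed alignment, simplified to exact match or subdomain; a real
        # receiver compares organizational domains via the public suffix list.
        return domain == r.from_domain or domain.endswith("." + r.from_domain)

    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return policy


# Constructed cases: the forwarding host is not in sender.example's SPF record,
# so SPF is softfail either way; only the DKIM outcome differs.
FORWARDED_WITH_DKIM = AuthResults("sender.example", "softfail", "sender.example",
                                  "pass", "sender.example")
FORWARDED_NO_DKIM = AuthResults("sender.example", "softfail", "sender.example",
                                "none", "")
```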


Forward mail and obey SPF and DKIM

2020-09-14 Thread IL Ka
Hello.
I have Postfix running on a Linux box.

I set up OpenDKIM with both smtpd and non_smtpd milters.
I also set my address in DNS as a permitted IP for SPF.

So far, so good.

But I want all my mail to be forwarded to Gmail.

Some user sends me email from user@some_sender_domain.

If I use .forward or an alias, then Postfix doesn't change the "From" header,
so Gmail believes the email was sent from @some_sender_domain.
This domain doesn't have my box's IP as permitted in DNS, so SPF failed.

I can change the header using headers_check. But then the DKIM signature
would be broken, because some_sender_domain signed the email and I changed it.

It seems that I need to:
* Change headers
* Sign the email with my DKIM
* Forward it to Gmail

But milters are not applied to forwarded emails because they aren't locally
generated (or I failed to configure it correctly?)

I can fix it using a custom script that reads my local email
and sends it to Gmail.

But how can I do that with Postfix?

Ilya.