Re: allowing outside users access to mailman lists

2010-01-30 Thread Jeff Weinberger
On Thu, Jan 28, 2010 at 4:02 PM, Jeff Weinberger wrote:
> On Thu, Jan 28, 2010 at 3:39 PM, Noel Jones  wrote:
>> On 1/28/2010 5:36 PM, Jeff Weinberger wrote:
>>>
>>> On Thu, Jan 28, 2010 at 3:16 PM, Noel Jones
>>>  wrote:

>>>> On 1/28/2010 4:46 PM, Jeff Weinberger wrote:
>>>>>
>>>>> virtual_alias_domains =
>>>>> mysql:/etc/postfix/mysql_virtual_alias_domains.cf
>>>>
>>>> does lists.mylistserver.com match the above lookup?
>>>> postmap -q lists.mylistserver.com mysql:...

>>>
>>> No. `postmap -q "lists.mylistserver.com"
>>> mysql:/etc/postfix/mysql_virtual_alias_domains.cf` returns nothing
>>> (empty). However, `postmap -q "lists.mylistserver.com"
>>> mysql:/etc/postfix/mysql_relay_domain_maps.cf` returns "OK" (a constant
>>> value, as recommended).
>>>
>>> I was hopeful that you had identified something here...so I did test to be
>>> sure.
>>
>> So enable debug output on smtpd (or add a test client to debug_peer_list)
>> and show us the UNALTERED results of a failed transaction.
>> http://www.postfix.org/DEBUG_README.html#debug_peer
>>
>
> OK, I see what this will do - thanks for the suggestion. I'll post the
> complete log here (naturally, anything sensitive masked, but otherwise
> unaltered).
>
I'm closing this request. I've found some issues with MySQL on my
system (no explanation other than user error for the attempts without
mysql), that have now been fixed. This has caused the postfix behavior
to return to normal and expected, and all is working as I want.

My apologies for bringing this to this forum (though I'm sure you'll
see how I thought this was a postfix issue). Thank you to all who
helped find the ways to diagnose this.

This has raised other questions that I do not fully understand, but
for clarity will post them separately.

Thank you.


Re: allowing outside users access to mailman lists

2010-01-28 Thread Jeff Weinberger
On Thu, Jan 28, 2010 at 3:39 PM, Noel Jones  wrote:
> On 1/28/2010 5:36 PM, Jeff Weinberger wrote:
>>
>> On Thu, Jan 28, 2010 at 3:16 PM, Noel Jones
>>  wrote:
>>>
>>> On 1/28/2010 4:46 PM, Jeff Weinberger wrote:

>>>> virtual_alias_domains =
>>>> mysql:/etc/postfix/mysql_virtual_alias_domains.cf
>>>
>>> does lists.mylistserver.com match the above lookup?
>>> postmap -q lists.mylistserver.com mysql:...
>>>
>>
>> No. `postmap -q "lists.mylistserver.com"
>> mysql:/etc/postfix/mysql_virtual_alias_domains.cf` returns nothing
>> (empty). However, `postmap -q "lists.mylistserver.com"
>> mysql:/etc/postfix/mysql_relay_domain_maps.cf` returns "OK" (a constant
>> value, as recommended).
>>
>> I was hopeful that you had identified something here...so I did test to be
>> sure.
>
> So enable debug output on smtpd (or add a test client to debug_peer_list)
> and show us the UNALTERED results of a failed transaction.
> http://www.postfix.org/DEBUG_README.html#debug_peer
>

OK, I see what this will do - thanks for the suggestion. I'll post the
complete log here (naturally, anything sensitive masked, but otherwise
unaltered).


Re: allowing outside users access to mailman lists

2010-01-28 Thread Noel Jones

On 1/28/2010 5:36 PM, Jeff Weinberger wrote:
> On Thu, Jan 28, 2010 at 3:16 PM, Noel Jones  wrote:
>> On 1/28/2010 4:46 PM, Jeff Weinberger wrote:
>>> virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
>>
>> does lists.mylistserver.com match the above lookup?
>> postmap -q lists.mylistserver.com mysql:...
>
> No. `postmap -q "lists.mylistserver.com"
> mysql:/etc/postfix/mysql_virtual_alias_domains.cf` returns nothing
> (empty). However, `postmap -q "lists.mylistserver.com"
> mysql:/etc/postfix/mysql_relay_domain_maps.cf` returns "OK" (a constant
> value, as recommended).
>
> I was hopeful that you had identified something here...so I did test to be sure.


So enable debug output on smtpd (or add a test client to 
debug_peer_list) and show us the UNALTERED results of a failed 
transaction.

http://www.postfix.org/DEBUG_README.html#debug_peer


Re: allowing outside users access to mailman lists

2010-01-28 Thread Jeff Weinberger
On Thu, Jan 28, 2010 at 3:16 PM, Noel Jones  wrote:
> On 1/28/2010 4:46 PM, Jeff Weinberger wrote:
>>
>> virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
>
> does lists.mylistserver.com match the above lookup?
> postmap -q lists.mylistserver.com mysql:...
>

No. `postmap -q "lists.mylistserver.com"
mysql:/etc/postfix/mysql_virtual_alias_domains.cf` returns nothing
(empty). However, `postmap -q "lists.mylistserver.com"
mysql:/etc/postfix/mysql_relay_domain_maps.cf` returns "OK" (a constant
value, as recommended).

I was hopeful that you had identified something here...so I did test to be sure.


Re: allowing outside users access to mailman lists

2010-01-28 Thread Noel Jones

On 1/28/2010 4:46 PM, Jeff Weinberger wrote:

> virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf


does lists.mylistserver.com match the above lookup?
postmap -q lists.mylistserver.com mysql:...


Re: allowing outside users access to mailman lists

2010-01-28 Thread Jeff Weinberger
On Thu, Jan 28, 2010 at 2:38 PM, Stan Hoeppner  wrote:
> Jeff Weinberger put forth on 1/28/2010 4:18 PM:
>
>> You've made it clear I'm posting the wrong thing - but I don't know
>> what the "right" thing is
>
> Sorry to butt in, Wietse.
>
> Jeff, paste all of postconf -n output and obfuscate any sensitive information in
> it such as hostnames or IP addresses that you don't want made public here.
> Wietse may not know what the "right" thing is until he sees all of postconf -n.
> There are interdependencies between various settings and often problems can't
> be identified without seeing the big picture.
>
> If you read the list welcome message and posting instructions you'd see that
> "postconf -n" output is a standard requirement here for receiving help.  You are
> not being asked to provide anything beyond what everyone else is asked to
> provide.  If you want assistance, we need to see the data.  It's that simple.
>
> Cooperate and everything will work out fine, you'll have a solution.
>
> Best regards.
>
> --
> Stan
>

Stan - I can't speak for Wietse, but thanks for butting in. I posted
it in the original message, and only changed the one item on the
presumption that when diagnosing an issue, making other,
non-controlled changes just confuses things.

That said, here's the latest, still not working, `postconf -n`
complete output. If it got lost somewhere, I'm running Postfix 2.6.5
on Mac OS/X (client) 10.5.8

Again, if there is anything else I can post that will help, please let
me know and I will be glad to do so.

-`postconf -n` output

alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_verp_delimiters = +=
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /etc/postfix/html
inet_interfaces = all
local_recipient_maps =
luser_relay = ot...@jeffweinberger.com
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = mysql:/etc/postfix/mysql_mydestination_maps.cf
mydomain = jweinberger.homeip.net
myhostname = jweinberger.homeip.net
mynetworks = 127.0.0.0/8, !10.0.1.1, !10.0.1.210, 10.0.1.0/28
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = lists.mylistserver.com
relay_recipient_maps =
relayhost = outbound.mailhop.org
sample_directory = /usr/share/doc/postfix/examples
sender_canonical_maps = mysql:/etc/postfix/mysql_sender_canonical_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/certs/demoCA/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/postfix-cert.pem
smtp_tls_key_file = /etc/postfix/certs/postfix-key.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access
    mysql:/etc/postfix/mysql_check_recipient_access_maps.cf,
    permit_mynetworks, reject_unauth_destination,
    reject_unauth_pipelining, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org, check_policy_service
    inet:127.0.0.1:2501, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access
    pcre:/etc/postfix/smtpd_sender_restrictions.pcre
smtpd_tls_CAfile = /etc/postfix/certs/demoCA/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix-cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql_peraddress_transport_maps.cf,
    mysql:/etc/postfix/mysql_virtual_transport_maps.cf
unknown_local_recipient_reject_code = 550
verp_delimiter_filter = -=+
virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mys

Re: allowing outside users access to mailman lists

2010-01-28 Thread Stan Hoeppner
Jeff Weinberger put forth on 1/28/2010 4:18 PM:

> You've made it clear I'm posting the wrong thing - but I don't know
> what the "right" thing is

Sorry to butt in, Wietse.

Jeff, paste all of postconf -n output and obfuscate any sensitive information in
it such as hostnames or IP addresses that you don't want made public here.
Wietse may not know what the "right" thing is until he sees all of postconf -n.
 There are interdependencies between various settings and often problems can't
be identified without seeing the big picture.

If you read the list welcome message and posting instructions you'd see that
"postconf -n" output is a standard requirement here for receiving help.  You are
not being asked to provide anything beyond what everyone else is asked to
provide.  If you want assistance, we need to see the data.  It's that simple.

Cooperate and everything will work out fine, you'll have a solution.

Best regards.

-- 
Stan


Re: allowing outside users access to mailman lists

2010-01-28 Thread Jeff Weinberger
On Thu, Jan 28, 2010 at 1:36 PM, Wietse Venema  wrote:
> Jeff Weinberger:
>> > Jeff Weinberger:
>> > > I changed main.cf so the only "relay_domains" entry is:
>> > >
>> > > relay_domains=lists.mylistserver.com
>> >
>> > You need to verify this with the command
>> >
>> > postconf -n
>> >
>> > It's no good posting unverified cut-and-paste to the mailing list.
>> >
>> > Wietse
>> >
>>
>> So you want me to post the entire `postconf -n` again? copying and pasting
>
> I was trying to help, but posting tidbits out of their context
> makes support difficult.
>
>        Wietse
>

I get that - but I'm not sure what would help. I posted my entire
`postconf -n` then I posted the result of `postconf -n | grep
relay_domains` (as that's the only change I've been making -
especially to be sure that no other change could possibly affect
this).

If there's something else that will help or a different way you want
me to post information to help you understand it better, I'm glad to -
just tell me what will help and I'll post it here.

You've made it clear I'm posting the wrong thing - but I don't know
what the "right" thing is


Re: allowing outside users access to mailman lists

2010-01-28 Thread Wietse Venema
Jeff Weinberger:
> > Jeff Weinberger:
> > > I changed main.cf so the only "relay_domains" entry is:
> > >
> > > relay_domains=lists.mylistserver.com
> >
> > You need to verify this with the command
> >
> > postconf -n
> >
> > It's no good posting unverified cut-and-paste to the mailing list.
> >
> > Wietse
> >
> 
> So you want me to post the entire `postconf -n` again? copying and pasting

I was trying to help, but posting tidbits out of their context
makes support difficult.

Wietse


Re: allowing outside users access to mailman lists

2010-01-28 Thread Jeff Weinberger
--- In postfix-us...@yahoogroups.com, Wietse Venema  wrote:
>
> Jeff Weinberger:
> > I changed main.cf so the only "relay_domains" entry is:
> >
> > relay_domains=lists.mylistserver.com
>
> You need to verify this with the command
>
> postconf -n
>
> It's no good posting unverified cut-and-paste to the mailing list.
>
> Wietse
>

So you want me to post the entire `postconf -n` again? copying and pasting
the one relevant line and stating clearly that I verified it exactly
that way doesn't suffice? How do you suggest I verify my cut-and-paste?
I'll be happy to do so, if it will help us move beyond log discussions
and to the issue at hand... that said:

I executed `postconf -n | grep relay_domains` and the result was:

relay_domains=lists.mylistserver.com



I made no other changes other than to relay_domains as suggested.


I am hoping that someone can please help with the authenticated user
issue and either help me determine why this happens or explain why my
interpretation of this is wrong?

The crux of this issue is there

To recap: Authenticated (SASL) senders can send successfully, outside
users can't. My interpretation is the problem lies in there, as that is
the only thing that makes any difference at all. I need help figuring
out what would cause that, or an explanation of why my interpretation
is wrong.

I would appreciate some help on this, if anyone has any ideas.


Re: allowing outside users access to mailman lists

2010-01-27 Thread Wietse Venema
Jeff Weinberger:
> I changed main.cf so the only "relay_domains" entry is:
> 
> relay_domains=lists.mylistserver.com

You need to verify this with the command

postconf -n

It's no good posting unverified cut-and-paste to the mailing list.

Wietse


Re: allowing outside users access to mailman lists

2010-01-27 Thread Jeff Weinberger
--- In postfix-us...@yahoogroups.com, Wietse Venema  wrote:
>
> Jeff Weinberger:
> > >
> > > Jeff Weinberger:
> > > [ Charset UTF-8 unsupported, converting... ]
> > > > --- In postfix-us...@yahoogroups.com, mouss  wrote:
> > > > >
> > > > > Jeff Weinberger a ?crit :
> > > > > > I am hoping that this is something fairly simple that I am missing
> > > > > >
> > > > > > I have a few lists on a mailman server that I run. Until recently, only
> > > > > > authenticated users (those who have actual accounts on my IMAP/Virtual
> > > > > > mailboxes server and can authenticate via SASL). Now I want to allow
> > > > > > certain users who are not authenticated (i. e. they are outside my
> > > > > > server and domains) to send mail to those lists.
> > > > > >
> > > > > > as far as I can tell, mailman would allow this (I've made them list
> > > > > > owners). But when they try, I'm getting this in my mail log:
> > > > > >
> > > > > > Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> > > > > > ns1.siteground235.com [75.125.60.15]: 554
> > > > > > 5.7.1  > > > > > >: Relay access denied;
> > >
> > > You have not listed the domain in relay_domains, virtual_alias_domains,
> > > virtual_mailbox_domains or mydestination.
> > >
> > > Convince yourself and examine the output from:
> > >
> > > # postconf relay_domains
> > > # postconf virtual_alias_domains
> > > # postconf mailbox_domains
> > > # postconf mydestination
> > >
> > > Wietse
> > >
> >
> > I did this test prior to posting. You'll see in my postconf -n output that:
> >
> > relay_domains = $mydestination, mysql:/etc/postfix/
> > mysql_relay_domain_maps.cf
> >
> > I then checked with `postmap -q "maill...@..."
> > mysql:/etc/postfix/mysql_relay_domain_maps.cf` and it showed up fine.
>
> Sorry, that is incorrect.
>
> As documented, Postfix searches relay_domains for the DOMAIN NAME
> not the email address.
> http://www.postfix.org/postconf.5.html#relay_domains
>
> Also, as documented, relay_domains lookup ignores the result value,
> it only cares about existence.
> http://www.postfix.org/postconf.5.html#relay_domains
>
> Finally, as documented, don't use MySQL databases BEFORE you have things
> working with simple main.cf lists or hash tables.
> http://www.postfix.org/DATABASE_README.html
>
> Wietse
>

OK, point taken.

I have now, based on your suggestion tested the following:

`postmap -q "maill...@lists.mylistserver.com" mysql:/etc/postfix/
mysql_relay_domain_maps.cf`

and

`postmap -q "lists.mylistserver.com" mysql:/etc/postfix/
mysql_relay_domain_maps.cf`


Both returned successful results.

I tested this extensively with the domains typed in to mail.cf before I
moved to mysql queries, but at your suggestion, I tested this also.

I changed main.cf so the only "relay_domains" entry is:

relay_domains=lists.mylistserver.com


I executed `sudo postfix reload` and then confirmed the setting with
`postconf -n`

The result did not change. I received the same NOQUEUE message in my logs
(it is identical in every character to the one I posted previously, with the
exception of the timestamp).

I suspect you may have other suggestions as to how to address the relay
domain issue, and I would appreciate them, and will do my best to try them.

However, I am coming to believe that the issue is not in the relay domains,
but rather in a sender or recipient restriction.

I believe this because whenever I send to any address within
lists.mylistserver.com from a user who is SASL-authenticated on my server,
the message goes successfully. When I send to any address within
lists.mylistserver.com from any user (address) outside my server (not
authenticated on my server, simply sending to it), this error occurs.

I think in my attempts to ensure tight security on the server, I've
disallowed external senders to lists, but I can't see how exactly.

Any help on the question on how I might be disallowing external senders to
*...@lists.mylistserver.com would be much appreciated.

Thank you.


Re: allowing outside users access to mailman lists

2010-01-27 Thread Wietse Venema
Jeff Weinberger:
> >
> > Jeff Weinberger:
> > [ Charset UTF-8 unsupported, converting... ]
> > > --- In postfix-us...@yahoogroups.com, mouss  wrote:
> > > >
> > > > Jeff Weinberger a ?crit :
> > > > > I am hoping that this is something fairly simple that I am missing
> > > > >
> > > > > I have a few lists on a mailman server that I run. Until recently, only
> > > > > authenticated users (those who have actual accounts on my IMAP/Virtual
> > > > > mailboxes server and can authenticate via SASL). Now I want to allow
> > > > > certain users who are not authenticated (i. e. they are outside my
> > > > > server and domains) to send mail to those lists.
> > > > >
> > > > > as far as I can tell, mailman would allow this (I've made them list
> > > > > owners). But when they try, I'm getting this in my mail log:
> > > > >
> > > > > Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> > > > > ns1.siteground235.com [75.125.60.15]: 554
> > > > > 5.7.1  > > > > >: Relay access denied;
> >
> > You have not listed the domain in relay_domains, virtual_alias_domains,
> > virtual_mailbox_domains or mydestination.
> >
> > Convince yourself and examine the output from:
> >
> > # postconf relay_domains
> > # postconf virtual_alias_domains
> > # postconf mailbox_domains
> > # postconf mydestination
> >
> > Wietse
> >
> 
> I did this test prior to posting. You'll see in my postconf -n output that:
> 
> relay_domains = $mydestination, mysql:/etc/postfix/
> mysql_relay_domain_maps.cf
> 
> I then checked with `postmap -q "maill...@lists.mylistserver.com"
> mysql:/etc/postfix/mysql_relay_domain_maps.cf` and it showed up fine.

Sorry, that is incorrect.

As documented, Postfix searches relay_domains for the DOMAIN NAME
not the email address.
http://www.postfix.org/postconf.5.html#relay_domains

Also, as documented, relay_domains lookup ignores the result value,
it only cares about existence.
http://www.postfix.org/postconf.5.html#relay_domains

Finally, as documented, don't use MySQL databases BEFORE you have things
working with simple main.cf lists or hash tables.
http://www.postfix.org/DATABASE_README.html

Wietse
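
Added example, not part of any post in this thread and not Postfix code: a Python helper that applies the checks the replies ask for to a "Relay access denied" log line and pasted `postconf -n` text. The sample log line and configuration are constructed (client name, addresses and IP are made up; the map paths and the placeholder domain follow the thread), and all function names are hypothetical.

```python
import re
import shlex

# The four address-class parameters named in the replies in this thread.
ADDRESS_CLASSES = ("mydestination", "relay_domains",
                   "virtual_alias_domains", "virtual_mailbox_domains")
PARAM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
TABLE_RE = re.compile(r"^[a-z0-9_]+:\S+$")  # type:name, e.g. mysql:/path/x.cf
REJECT_RE = re.compile(
    r"reject: RCPT from \S+: 554 5\.7\.1 <[^@>]+@([^>]+)>: "
    r"Relay access denied")

# Constructed sample input, modelled on the thread (addresses and client are
# made up; the relay_domains value keeps the line wrap that was questioned).
SAMPLE_LOG = (
    "Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from "
    "client.example.net[192.0.2.15]: 554 5.7.1 "
    "<mylist@lists.mylistserver.com>: Relay access denied; "
    "from=<user@example.net> to=<mylist@lists.mylistserver.com> "
    "proto=ESMTP helo=<client.example.net>")
SAMPLE_POSTCONF = """\
mydestination = mysql:/etc/postfix/mysql_mydestination_maps.cf
relay_domains = $mydestination, mysql:/etc/postfix/
mysql_relay_domain_maps.cf
virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
"""


def parse_postconf(text):
    """Parse `postconf -n` text into {name: value}. A line without
    'name =' is a wrapped continuation of the previous parameter."""
    params, name = {}, None
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
        elif name and line.strip():
            params[name] += " " + line.strip()
    return params


def rejected_domain(log_line):
    """Domain part of the recipient in a 'Relay access denied' reject."""
    m = REJECT_RE.search(log_line)
    return m.group(1).lower() if m else None


def diagnose(log_line, postconf_text):
    """Report where the rejected domain is (or is not) listed.

    static_hits: classes that name the domain literally in main.cf
    checks:      postmap commands to run for table-backed classes; the
                 lookup key is the DOMAIN, and any result counts as a match
    warnings:    entries that cannot be evaluated as written
    """
    domain = rejected_domain(log_line)
    report = {"domain": domain, "static_hits": [], "checks": [],
              "warnings": []}
    if domain is None:
        return report
    params = parse_postconf(postconf_text)
    for cls in ADDRESS_CLASSES:
        for entry in filter(None, re.split(r"[,\s]+", params.get(cls, ""))):
            if entry.startswith("$"):
                report["warnings"].append(
                    f"{cls} pulls in {entry}: a domain belongs in one "
                    "class only, so list it directly")
            elif TABLE_RE.match(entry):
                if entry.endswith("/"):
                    report["warnings"].append(
                        f"{cls} has table spec {entry!r} ending in '/': "
                        "the file name was split off by whitespace")
                else:
                    report["checks"].append(
                        f"postmap -q {shlex.quote(domain)} "
                        f"{shlex.quote(entry)}; echo $?")
            elif entry.lower() == domain:
                report["static_hits"].append(cls)
    if len(report["static_hits"]) > 1:
        report["warnings"].append(
            f"{domain} is listed in more than one address class")
    return report


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, SAMPLE_POSTCONF)
    for key, value in result.items():
        print(key, "=", value)
```

An empty result from one of the listed `postmap` commands means that class does not match as far as Postfix can tell; the closing message of this thread attributes the rejects to MySQL issues on the poster's system.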


Re: allowing outside users access to mailman lists

2010-01-26 Thread /dev/rob0
On Tue, Jan 26, 2010 at 10:35:23PM -0800, Jeff Weinberger wrote:
> > Wietse:
> > > > > 5.7.1  > > > > >: Relay access denied;
> >
> > You have not listed the domain in relay_domains, 
> > virtual_alias_domains, virtual_mailbox_domains or mydestination.
> >
> > Convince yourself and examine the output from:
> >
> > # postconf relay_domains

> I did this test prior to posting. You'll see in my postconf -n 
> output that:
> 
> relay_domains = $mydestination, mysql:/etc/postfix/
> mysql_relay_domain_maps.cf

This looks strange. Maybe it's a matter of your MUA doing a bad job
of line wrapping, or maybe there is a space in there? If you have
"mysql:/etc/postfix/ mysql_relay_domain_maps.cf" instead of
"mysql:/etc/postfix/mysql_relay_domain_maps.cf", that could surely
explain this.

You don't need $mydestination in there, take that out. Then show us
   postconf relay_domains
   postmap -q  
mysql:/etc/postfix/mysql_relay_domain_maps.cf ; echo $?

> I then checked with `postmap -q "maill...@lists.mylistserver.com"
> mysql:/etc/postfix/mysql_relay_domain_maps.cf` and it showed up
> fine.

Wrong query, relay_domains is a list of domains.

> There is a possibility that the MySQL query is returning a result 
> that is not what postfix needs. I have perused the documentation on 
> this repeatedly and found no specification as to what that query 
> should return for postfix to accept the domain.

The documentation says that if you use a lookup table for this, the
lookup result is ignored. All that matters is that a result is
returned.

> I have tried it where postfix returns the domain 
> ("lists.mylistserver.com" without the quotes)

"Returns"? The domain name would be the lookup key, not necessarily
the result, which per above, is ignored.

> and where it returns the value "OK" (again, without the
> quotes) and neither one works.
>
> If you can offer specifics on what that query should return, I will
> make it do so and test again.
>
> Otherwise, if the proper return value is one of those noted, I'd
> appreciate other suggestions on why this might not be working.

You munged the domain name. That's a bad idea in troubleshooting
email routing issues. If you typoed your log mung or your postmap
query, we are not seeing it, you are on your own. Your logs tell us
that the domain is not an authorized destination handled by your
Postfix. We will choose to believe your logs.

How many domains are there in this relay_domains lookup? SQL maps
make sense for large datasets which change frequently. They do not
make sense for small, relatively static lists. It also creates a
certain risk of mail loss, because class definitions are very
important to Postfix. (Mail loss such as you are seeing, for that
matter.)

So the first suggestion is to use the real domain name, direct
copy and paste from logs and command line to your list post. And the
second suggestion is to take mysql out of this, just put your list of
relay_domains directly into the main.cf file.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: allowing outside users access to mailman lists

2010-01-26 Thread Jeff Weinberger
--- In postfix-us...@yahoogroups.com, Wietse Venema  wrote:
>
> Jeff Weinberger:
> [ Charset UTF-8 unsupported, converting... ]
> > --- In postfix-us...@yahoogroups.com, mouss  wrote:
> > >
> > > Jeff Weinberger a ?crit :
> > > > I am hoping that this is something fairly simple that I am missing
> > > >
> > > > I have a few lists on a mailman server that I run. Until recently, only
> > > > authenticated users (those who have actual accounts on my IMAP/Virtual
> > > > mailboxes server and can authenticate via SASL). Now I want to allow
> > > > certain users who are not authenticated (i. e. they are outside my
> > > > server and domains) to send mail to those lists.
> > > >
> > > > as far as I can tell, mailman would allow this (I've made them list
> > > > owners). But when they try, I'm getting this in my mail log:
> > > >
> > > > Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> > > > ns1.siteground235.com [75.125.60.15]: 554
> > > > 5.7.1  > > > >: Relay access denied;
>
> You have not listed the domain in relay_domains, virtual_alias_domains,
> virtual_mailbox_domains or mydestination.
>
> Convince yourself and examine the output from:
>
> # postconf relay_domains
> # postconf virtual_alias_domains
> # postconf mailbox_domains
> # postconf mydestination
>
> Wietse
>

I did this test prior to posting. You'll see in my postconf -n output that:

relay_domains = $mydestination, mysql:/etc/postfix/
mysql_relay_domain_maps.cf

I then checked with `postmap -q "maill...@lists.mylistserver.com"
mysql:/etc/postfix/mysql_relay_domain_maps.cf` and it showed up fine.

There is a possibility that the MySQL query is returning a result that is
not what postfix needs. I have perused the documentation on this repeatedly
and found no specification as to what that query should return for postfix
to accept the domain.

I have tried it where postfix returns the domain ("lists.mylistserver.com"
without the quotes) and where it returns the value "OK" (again, without the
quotes) and neither one works.

If you can offer specifics on what that query should return, I will make it
do so and test again.

Otherwise, if the proper return value is one of those noted, I'd appreciate
other suggestions on why this might not be working.

Thanks!


Re: allowing outside users access to mailman lists

2010-01-26 Thread Wietse Venema
Jeff Weinberger:
[ Charset UTF-8 unsupported, converting... ]
> --- In postfix-us...@yahoogroups.com, mouss  wrote:
> >
> > Jeff Weinberger a ?crit :
> > > I am hoping that this is something fairly simple that I am missing
> > >
> > > I have a few lists on a mailman server that I run. Until recently, only
> > > authenticated users (those who have actual accounts on my IMAP/Virtual
> > > mailboxes server and can authenticate via SASL). Now I want to allow
> > > certain users who are not authenticated (i. e. they are outside my
> > > server and domains) to send mail to those lists.
> > >
> > > as far as I can tell, mailman would allow this (I've made them list
> > > owners). But when they try, I'm getting this in my mail log:
> > >
> > > Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> > > ns1.siteground235.com [75.125.60.15]: 554
> > > 5.7.1  > > >: Relay access denied;

You have not listed the domain in relay_domains, virtual_alias_domains,
virtual_mailbox_domains or mydestination.

Convince yourself and examine the output from:

# postconf relay_domains
# postconf virtual_alias_domains
# postconf mailbox_domains
# postconf mydestination

Wietse


Re: allowing outside users access to mailman lists

2010-01-26 Thread Noel Jones

On 1/26/2010 7:15 PM, Jeff Weinberger wrote:

> --- In postfix-us...@yahoogroups.com, mouss  wrote:
> >
> > Jeff Weinberger a écrit :
> > > I am hoping that this is something fairly simple that I am missing
> > >
> > > I have a few lists on a mailman server that I run. Until recently, only
> > > authenticated users (those who have actual accounts on my IMAP/Virtual
> > > mailboxes server and can authenticate via SASL). Now I want to allow
> > > certain users who are not authenticated (i. e. they are outside my
> > > server and domains) to send mail to those lists.
> > >
> > > as far as I can tell, mailman would allow this (I've made them list
> > > owners). But when they try, I'm getting this in my mail log:
> > >
> > > Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> > > ns1.siteground235.com [75.125.60.15]: 554
> > > 5.7.1  > ...>>: Relay access denied;
> > > from=mailto:otheruser@ ...>>
> > > to= > ...>> proto=ESMTP
> > > helo=http://serv01.siteground235.com>
> > >
> >
> > you need to add lists.mylistserver.com to one (and only one) of
> > mydestination, relay_domains or virtual_mailbox_domains.
>
> From my original post:
>
> FYI: the transport for everything to lists.mylistserver.com is mailman: and
> lists.mylistserver.com is in $relay_domains
>
> which means that it is not working as you suggest it should

The error message says the destination domain is not in
relay_domains (or mydestination, virtual_mailbox_domains,
virtual_alias_domains).

Not much else we can do with the information given.

  -- Noel Jones

> Any suggestions on where else to look?
>
> >
> > > [snip]
> >





Re: allowing outside users access to mailman lists

2010-01-26 Thread Jeff Weinberger
--- In postfix-us...@yahoogroups.com, mouss  wrote:
>
> Jeff Weinberger a écrit :
> > I am hoping that this is something fairly simple that I am missing
> >
> > I have a few lists on a mailman server that I run. Until recently, only
> > authenticated users (those who have actual accounts on my IMAP/Virtual
> > mailboxes server and can authenticate via SASL). Now I want to allow
> > certain users who are not authenticated (i. e. they are outside my
> > server and domains) to send mail to those lists.
> >
> > as far as I can tell, mailman would allow this (I've made them list
> > owners). But when they try, I'm getting this in my mail log:
> >
> > Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> > ns1.siteground235.com [75.125.60.15]: 554
> > 5.7.1  > >: Relay access denied;
> > from=mailto:otheru...@...>>
> > to= > > proto=ESMTP
> > helo=http://serv01.siteground235.com/>>
> >
>
> you need to add lists.mylistserver.com to one (and only one) of
> mydestination, relay_domains or virtual_mailbox_domains.

From my original post:

FYI: the transport for everything to lists.mylistserver.com is mailman: and
lists.mylistserver.com is in $relay_domains

which means that it is not working as you suggest it should

Any suggestions on where else to look?


>
> > [snip]
>


Re: allowing outside users access to mailman lists

2010-01-26 Thread mouss
Jeff Weinberger a écrit :
> I am hoping that this is something fairly simple that I am missing
> 
> I have a few lists on a mailman server that I run. Until recently, only
> authenticated users (those who have actual accounts on my IMAP/Virtual
> mailboxes server and can authenticate via SASL). Now I want to allow
> certain users who are not authenticated (i. e. they are outside my
> server and domains) to send mail to those lists.
> 
> as far as I can tell, mailman would allow this (I've made them list
> owners). But when they try, I'm getting this in my mail log:
> 
> Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
> ns1.siteground235.com [75.125.60.15]: 554
> 5.7.1  >: Relay access denied;
> from=mailto:otheru...@otherdomain.com>>
> to= > proto=ESMTP
> helo=http://serv01.siteground235.com/>>
> 

you need to add lists.mylistserver.com to one (and only one) of
mydestination, relay_domains or virtual_mailbox_domains.

> [snip]


allowing outside users access to mailman lists

2010-01-26 Thread Jeff Weinberger
I am hoping that this is something fairly simple that I am missing

I have a few lists on a mailman server that I run. Until recently, only
authenticated users (those who have actual accounts on my IMAP/Virtual
mailboxes server and can authenticate via SASL). Now I want to allow certain
users who are not authenticated (i. e. they are outside my server and
domains) to send mail to those lists.

as far as I can tell, mailman would allow this (I've made them list owners).
But when they try, I'm getting this in my mail log:

Jan 25 15:18:18 s postfix/smtpd[46331]: NOQUEUE: reject: RCPT from
ns1.siteground235.com[75.125.60.15]: 554 5.7.1 <
myl...@lists.mylistserver.com>: Relay access denied; from=<
otheru...@otherdomain.com> to= proto=ESMTP
helo=

(names changed to protect the innocent, no data changes of relevance)

I've tried a few changes (I'd log them here, if I had documented them,
sorry) that I thought would have taken away the authentication requirement,
to no avail. This might also be an issue of the HELO domain and the FROM
domain being different (which is OK, in this case, but not sure how I have
prohibited it, so don't know what to change).

The goal is to allow outside users without opening up the mailserver (or the
mailman server) to spam, etc...

FYI: the transport for everything to lists.mylistserver.com is mailman: and
lists.mylistserver.com is in $relay_domains

Here are snips from my master.cf that show the path of the message (in smtp,
into amavisd content filter, out of amavisd on 10026 and to mailman)

smtp        inet  n   -   n   -   -   smtpd
  -o recipient_bcc_maps=mysql:/etc/postfix/mysql_recipient_bcc_maps.cf
  -o receive_override_options=no_address_mappings
  -o content_filter=amavisfeedl:[127.0.0.1]:10027
amavisfeedl unix  -   -   n   -   2   lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
localhost:10026 inet  n   -   n   -   -   smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_auth_destinations,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_delay_reject=no
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
mailman     unix  -   n   n   -   10  pipe
  flags=FR user=_mailman argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user}

and my `postconf -n` output is below.

I'm running Postfix 2.6.5 on Mac OS/X (client) 10.5.8

Any help is appreciated and I will do my best to answer any questions.

Thank you!

--Jeff

-`postconf -n` output

alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_verp_delimiters = +=
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /etc/postfix/html
inet_interfaces = all
local_recipient_maps =
luser_relay = ot...@jeffweinberger.com
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = mysql:/etc/postfix/mysql_mydestination_maps.cf
mydomain = jweinberger.homeip.net
myhostname = jweinberger.homeip.net
mynetworks = 127.0.0.0/8, !10.0.1.1, !10.0.1.210, 10.0.1.0/28
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, mysql:/etc/postfix/mysql_relay_domain_maps.cf
relay_recipient_maps =
relayhost = outbound.mailhop.org
sample_directory = /usr/share/doc/postfix/examples
sender_canonical_maps = mysql:/etc/postfix/mysql_sender_canonical_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/certs/demoCA/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/postfix-cert.pem
smtp_tls_key_file = /etc/postfix/certs/postfix-key.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_data_restrictions