Re: smtpd not announcing sasl capabilities

2017-01-15 Thread Noel Jones
On 1/16/2017 12:04 AM, David Mehler wrote:
> Hello,
> 
> I'm running Postfix 3.1. A telnet connection to port 25 and another to
> port 587, does not announce the sasl auth capabilities.

> smtpd_tls_auth_only = yes

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
... "do not announce or accept SASL authentication over unencrypted
connections"



  -- Noel Jones
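The behaviour Noel points at is easy to confirm from the client side, and the check has to be done inside a TLS session: with smtpd_tls_auth_only = yes a plain telnet EHLO will never show AUTH, which is the point of the setting (credentials are never offered or accepted on an unencrypted connection). Added example, not from the thread and not Postfix code: a Python probe that reads the EHLO capability list before and after STARTTLS. The two EHLO replies embedded below are constructed to match what a server with this setting returns; probe_live() needs network access and a host name you supply (mail.example.com and probe.example.org are placeholders), the parsing functions work offline on the constructed replies.

```python
from __future__ import annotations

import re
import smtplib
import ssl
import sys

# Constructed EHLO replies (not captured from the poster's server), modelled on
# what Postfix returns with smtpd_tls_auth_only = yes: no AUTH line on the
# cleartext EHLO, AUTH present only on the EHLO issued inside the TLS session.
EHLO_PLAINTEXT = (
    b"250-mail.example.com\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-ETRN\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)
EHLO_AFTER_STARTTLS = (
    b"250-mail.example.com\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-ETRN\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)

EHLO_LINE = re.compile(r"^250[ -](\S+)\s*(.*)$")


def parse_ehlo(reply: bytes) -> dict[str, str]:
    """Map a multi-line 250 EHLO reply to {KEYWORD: parameters}.
    The first line carries the server name, not a keyword, so it is skipped."""
    caps: dict[str, str] = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        m = EHLO_LINE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2).strip()
    return caps


def auth_advertised(reply: bytes) -> bool:
    return "AUTH" in parse_ehlo(reply)


def sasl_mechanisms(reply: bytes) -> list[str]:
    return parse_ehlo(reply).get("AUTH", "").split()


def probe_live(host: str, port: int = 587, timeout: float = 10.0) -> dict[str, object]:
    """Network probe (assumes the host is reachable): EHLO in the clear, then
    STARTTLS and EHLO again, reporting where AUTH shows up. A server with
    smtpd_tls_auth_only = yes gives auth_before_tls=False, auth_after_tls=True.
    The default SSL context verifies the certificate against the system CAs."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.org")
        before = smtp.has_extn("auth")
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "auth_before_tls": before, "auth_after_tls": None}
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo("probe.example.org")  # capabilities must be re-read after STARTTLS
        return {
            "starttls": True,
            "auth_before_tls": before,
            "auth_after_tls": smtp.has_extn("auth"),
            "mechanisms": smtp.esmtp_features.get("auth", "").split(),
        }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(probe_live(target, int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

If the live probe reports auth_after_tls=False as well, the problem is elsewhere (for example the Dovecot socket named in smtpd_sasl_path); if it reports auth_before_tls=True, smtpd_tls_auth_only is not in effect for that listener.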

smtpd not announcing sasl capabilities

2017-01-15 Thread David Mehler
Hello,

I'm running Postfix 3.1. A telnet connection to port 25 and another to
port 587, does not announce the sasl auth capabilities.

I'd appreciate a sanity check of my configuration done with postconf -n.

Thanks.
Dave.

autoresponder_destination_recipient_limit = 1
biff = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
hash_queue_depth = 2
hash_queue_names = incoming, hold defer deferred
header_checks = pcre:/usr/local/etc/postfix/header_checks,
regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = no
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/postscreen_access.cidr,
cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net
dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination
check_sender_access hash:/usr/local/etc/postfix/safe_addresses
check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
check_client_access cidr:/usr/local/etc/postfix/spamfarms
check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
reject_unknown_reverse_client_hostname reject_non_fqdn_sender
reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
reject_unknown_helo_hostname reject_unlisted_recipient
reject_rbl_client b.barracudacentral.org reject_rbl_client
zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client
bl.spamcop.net reject_rbl_client cbl.abuseat.org reject_rhsbl_client
dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_helo dbl.spamhaus.org check_policy_service
unix:private/spf-policy check_policy_service inet:127.0.0.1:12345
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = no
soft_bounce = no
spf-policy_time_limit = 3600s
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps =

Re: masquerade_domains not working

2017-01-15 Thread Richie Rich
A word to the wise. Message received.

Again, thanks!


Re: masquerade_domains not working

2017-01-15 Thread Viktor Dukhovni

> On Jan 15, 2017, at 2:23 PM, Richie Rich  wrote:
> 
> I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is again 
> restated.

No need, I understood what you wanted the first time.

> I have tested using canonical_maps where:
> u...@domainb.com  u...@example.com

This is the correct approach

> This seems to do what I need it to do, though once I spend
> some time with it I may need to check out regexp_table. 
> Thankfully I'm no stranger to regexes :)

Save yourself the time and DO NOT go there.  Regular expression
mappings break recipient validation when used in canonical_maps
(on input).  If used on gateway relay, they can safely be used
on output in smtp_generic_maps, but then your recipient validation
still has to deal with all the variant addresses on input in some
manner.  So it is best to do the work just once in canonical_maps,
without any regex wildcards.

-- 
Viktor.
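Viktor's point is about ordering: smtpd(8) validates the recipient as typed, cleanup(8) rewrites it afterwards. Added example (Python, not from the thread and not Postfix code): one constructed user directory drives both the explicit canonical table and the list of addresses smtpd may accept, and a simplified model of that two-stage pipeline traces a RCPT TO through the explicit table and through the regexp wildcard the reply warns against. The domains, mailboxes and the wildcard rule are assumptions for illustration; the "wildcard" branch models the common consequence of a regex entry, namely that the whole secondary domain has to be accepted because there is no per-user list left to validate against.

```python
from __future__ import annotations

import re

# Constructed directory: assumption that these are the only real mailboxes.
PRIMARY_DOMAIN = "example.com"
SECONDARY_DOMAINS = {"domainb.com": PRIMARY_DOMAIN}   # domains folded into the primary
MAILBOXES = {"alice", "bob"}


def build_canonical_table(mailboxes: set[str], secondary: dict[str, str]) -> dict[str, str]:
    """Explicit user@secondary -> user@primary entries, one per real mailbox,
    no wildcards: the shape canonical_maps expects (key: input, value: output)."""
    return {
        f"{user}@{sec}": f"{user}@{prim}"
        for sec, prim in secondary.items()
        for user in sorted(mailboxes)
    }


def valid_recipients(mailboxes: set[str], canonical: dict[str, str]) -> set[str]:
    """Every address smtpd(8) should accept at RCPT TO: primary mailboxes plus
    each explicit canonical key. smtpd validates the *input* address, before
    cleanup(8) rewrites it, so the secondary addresses must be listed verbatim."""
    primary = {f"{user}@{PRIMARY_DOMAIN}" for user in mailboxes}
    return primary | set(canonical)


def render_hash_table(table: dict[str, str]) -> str:
    """Text suitable for 'postmap hash:/etc/postfix/canonical'."""
    return "".join(f"{key}\t{value}\n" for key, value in sorted(table.items()))


CANONICAL = build_canonical_table(MAILBOXES, SECONDARY_DOMAINS)
VALID = valid_recipients(MAILBOXES, CANONICAL)

# The regexp_table shortcut the thread advises against: any local part in the
# secondary domain is rewritten, so nothing constrains it when smtpd validates.
WILDCARD = re.compile(r"^([^@]+)@domainb\.com$", re.IGNORECASE)


def rewrite_explicit(address: str) -> str:
    """cleanup(8) with the explicit table: only listed keys change."""
    return CANONICAL.get(address, address)


def rewrite_wildcard(address: str) -> str:
    """cleanup(8) with the regex rule: every user@domainb.com changes."""
    return WILDCARD.sub(r"\1@example.com", address)


def deliverable(address: str) -> bool:
    """Local delivery succeeds only for an existing primary-domain mailbox."""
    local, _, domain = address.rpartition("@")
    return domain == PRIMARY_DOMAIN and local in MAILBOXES


def outcome(address: str, strategy: str) -> str:
    """Trace one RCPT TO: smtpd(8) validation first, cleanup(8) rewriting second."""
    if strategy == "explicit":
        if address not in VALID:
            return "rejected at RCPT TO"
        delivered = deliverable(rewrite_explicit(address))
    elif strategy == "wildcard":
        # With a regex canonical entry there is no per-user list to validate
        # against, so the operator ends up accepting the whole domain.
        if address not in VALID and WILDCARD.match(address) is None:
            return "rejected at RCPT TO"
        delivered = deliverable(rewrite_wildcard(address))
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return "delivered" if delivered else "accepted then bounced (backscatter)"


if __name__ == "__main__":
    print(render_hash_table(CANONICAL))
    for addr in ("alice@domainb.com", "nobody@domainb.com"):
        for strategy in ("explicit", "wildcard"):
            print(f"{addr:22} {strategy:9} {outcome(addr, strategy)}")
```

The rejected-versus-bounced difference is the backscatter risk in the reply: with the explicit table the unknown secondary address is refused while the sending client is still connected, with the wildcard it is accepted and a bounce is generated later to a sender address that was never verified.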



Re: masquerade_domains not working

2017-01-15 Thread Richie Rich
I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is
again restated.

Our canonical domain is example.com
Two of our hosted domains are domainA.com, and domainB.com. These are not
subdomains of example.com, but rather separate domains entirely that are
delivered locally.

The goal is that users in domainA.com will see their mail as being
addressed to u...@domaina.com, but
users in domainB.com will see their mail as being addressed to
u...@example.com

I have tested using canonical_maps where:
u...@domainb.com  u...@example.com

This seems to do what I need it to do, though once I spend some time with
it I may need to check out regexp_table.
Thankfully I'm no stranger to regexes :)

Thanks to all that responded!





On Sun, Jan 15, 2017 at 1:31 PM, Viktor Dukhovni  wrote:

>
> > On Jan 15, 2017, at 1:12 PM, Viktor Dukhovni 
> wrote:
> >
> > I recommend against masquerading, because it breaks recipient
> > validation.  Instead, construct a table of all the valid addresses
> > for each user, and use canonical_maps.
>
> To be more precise, it is not that masquerading directly breaks
> recipient validation, but rather that accepting mail for
> an arbitrary sub-domain of a domain, as well as the domain itself,
> > requires recipient validation to take place after rewriting,
> but the Postfix smtpd(8) server performs validation on the original
> input address prior to rewriting (which happens in cleanup(8)).
>
> If the goal is just to map user@a.example to user@b.example without
> also accepting mail for user@foo.a.example, then masquerading is
> entirely the wrong tool for the job (it is perhaps unfortunate
> that Postfix and Sendmail use the same name for noticeably different
> mechanisms).
>
> Mapping of secondary domains to primary domains is best accomplished
> with canonical_maps, and wildcards need to be avoided in order to
> retain recipient validation and not become a backscatter source.
>
> Therefore, build tables of explicit user@a.example -> user@b.example
> canonical mappings.  In Microsoft Exchange environments this is
> accomplished by using LDAP to resolve "proxyAddresses = smtp:%s"
> (each secondary address) to "mail" (the primary address).
>
> --
> Viktor.
>
>


Re: masquerade_domains not working

2017-01-15 Thread Viktor Dukhovni

> On Jan 15, 2017, at 1:12 PM, Viktor Dukhovni  
> wrote:
> 
> I recommend against masquerading, because it breaks recipient
> validation.  Instead, construct a table of all the valid addresses
> for each user, and use canonical_maps.

To be more precise, it is not that masquerading directly breaks
recipient validation, but rather that accepting mail for
an arbitrary sub-domain of a domain, as well as the domain itself,
requires recipient validation to take place after rewriting,
but the Postfix smtpd(8) server performs validation on the original
input address prior to rewriting (which happens in cleanup(8)).

If the goal is just to map user@a.example to user@b.example without
also accepting mail for user@foo.a.example, then masquerading is
entirely the wrong tool for the job (it is perhaps unfortunate
that Postfix and Sendmail use the same name for noticeably different
mechanisms).

Mapping of secondary domains to primary domains is best accomplished
with canonical_maps, and wildcards need to be avoided in order to
retain recipient validation and not become a backscatter source.

Therefore, build tables of explicit user@a.example -> user@b.example
canonical mappings.  In Microsoft Exchange environments this is
accomplished by using LDAP to resolve "proxyAddresses = smtp:%s"
(each secondary address) to "mail" (the primary address).

-- 
Viktor.



Re: masquerade_domains not working

2017-01-15 Thread Richie Rich
Thank you. I understand, but this requirement is imposed by my business
unit...

I haven't tried canonical_maps yet, but I was about to head down that road.
I'll give it a shot.


On Sun, Jan 15, 2017 at 1:12 PM, Viktor Dukhovni  wrote:

> On Sun, Jan 15, 2017 at 01:02:37PM -0500, Richie Rich wrote:
> > Thanks for the replies. I really appreciate the help.
> >
> > I am already leveraging /etc/postfix/virtual to route traffic to my
> "hosted
> > domains".
> >
> > The problem I'm trying to solve, simply stated, is that I need to be able
> > to selectively masquerade inbound email to my hosted domains.
> > So, u...@doma.com will see his mail addressed to u...@doma.com, but
> > u...@domb.com might see his mail addressed to u...@myco.com, our
> canonical
> > domain name.
>
> I recommend against masquerading, because it breaks recipient
> validation.  Instead, construct a table of all the valid addresses
> for each user, and use canonical_maps.
>
> --
> Viktor.
>


Re: masquerade_domains not working

2017-01-15 Thread Richie Rich
As a side note, we are migrating to Postfix. In our current Sendmail
environment, we accomplish the requisite masquerading by adding each domain
to /etc/mail/local-host-names.
This accomplishes the masquerading piece and allows for virtual hosting.
Then for those domains we do not want to masquerade, we edit sendmail.cf
and add a CN entry.

Easy peasy.


On Sun, Jan 15, 2017 at 1:02 PM, Richie Rich  wrote:

> Thanks for the replies. I really appreciate the help.
>
> I am already leveraging /etc/postfix/virtual to route traffic to my
> "hosted domains".
>
> The problem I'm trying to solve, simply stated, is that I need to be able
> to selectively masquerade inbound email to my hosted domains.
> So, u...@doma.com will see his mail addressed to u...@doma.com, but
> u...@domb.com might see his mail addressed to u...@myco.com, our
> canonical domain name.


Re: masquerade_domains not working

2017-01-15 Thread Viktor Dukhovni
On Sun, Jan 15, 2017 at 01:02:37PM -0500, Richie Rich wrote:
> Thanks for the replies. I really appreciate the help.
> 
> I am already leveraging /etc/postfix/virtual to route traffic to my "hosted
> domains".
> 
> The problem I'm trying to solve, simply stated, is that I need to be able
> to selectively masquerade inbound email to my hosted domains.
> So, u...@doma.com will see his mail addressed to u...@doma.com, but
> u...@domb.com might see his mail addressed to u...@myco.com, our canonical
> domain name.

I recommend against masquerading, because it breaks recipient
validation.  Instead, construct a table of all the valid addresses
for each user, and use canonical_maps.

-- 
Viktor.


Re: masquerade_domains not working

2017-01-15 Thread Richie Rich
Thanks for the replies. I really appreciate the help.

I am already leveraging /etc/postfix/virtual to route traffic to my "hosted
domains".

The problem I'm trying to solve, simply stated, is that I need to be able
to selectively masquerade inbound email to my hosted domains.
So, u...@doma.com will see his mail addressed to u...@doma.com, but
u...@domb.com might see his mail addressed to u...@myco.com, our canonical
domain name.


Fwd: masquerade_domains not working

2017-01-15 Thread Dominic Raferd
On 15 January 2017 at 08:51, Jan Ceuleers  wrote:

> On 14/01/17 20:58, Richie Rich wrote:
> > Thanks for the quick response. Can you point me in a direction to
> > accomplish what I'm trying to do?
> > I'm totally new to postfix.
>
> I am by no means an expert, but I do hope that the following helps:
>
> http://www.postfix.org/postconf.5.html#smtp_generic_maps for the
> outgoing side and
> http://www.postfix.org/postconf.5.html#virtual_alias_maps for the
> incoming side.
>
>
Yes I agree that for incoming mails, virtual_alias_maps is the way to go, I
use 'virtual_alias_maps = pcre:/etc/postfix/virtual' and file 'virtual'
looks a bit like this (data obfuscated):

if /@streamingbats\.co(m|\.uk)$/
/^accounts@/ jenny...@gmail.com,jim9...@gmail.com
/^adam@/ adamdelane...@gmail.com
/^(input|sarah[-0-9a-z]*)@/ sarahcorriga...@gmail.com
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ myaddr...@gmail.com
endif
/@streamingbats\.co(m|\.uk)$/ root@localhost

I wrote a script to auto-configure postfix and inter alia this builds a
file 'filtered_names' from my 'virtual' file. In one of my restrictions
lists I have line 'check_recipient_access pcre:/etc/postfix/filtered_names'.
This blocks emails to anyone@mydomains that isn't one of the names
explicitly remapped in my virtual file (except for authenticated senders)
and looks a bit like this:

if /@streamingbats\.co(m|\.uk)$/
/^accounts@/ OK
/^adam@/ OK
/^(input|sarah[-0-9a-z]*)@/ OK
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ OK
endif
/@streamingbats\.co(m|\.uk)$/ REJECT

For the outgoing mails, I originally used smtp_generic_maps but when I
started using opendkim I needed to switch to canonical (
http://www.postfix.org/canonical.5.html) - because the changes made by
canonical happen before milters (including opendkim), otherwise opendkim's
key line header is immediately broken by smtp_generic_maps' address
rewriting. So I have a line 'canonical_maps = hash:/etc/postfix/canonical'
and canonical file looks a bit like this:

<> d...@streamingbats.co.uk
root d...@streamingbats.co.uk
www-data d...@streamingbats.co.uk
postfix d...@streamingbats.co.uk
root@localhost d...@streamingbats.co.uk
root@dl1 d...@streamingbats.co.uk

There may be simpler ways of achieving the same objectives (and I'd be
interested to hear of them), but these work for me.
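Dominic mentions a script that derives filtered_names from the virtual file. Added example, not his script and not Postfix code: a Python generator that parses the subset of pcre_table(5) syntax used above (if/endif blocks, /pattern/ result lines, first match wins, case-insensitive matching as is the pcre table default) and emits the check_recipient_access table from it, so the two can never drift apart. The rule for the derived table is an assumption about the intended split: patterns nested in an if block name known recipients and become OK, the top-level catch-all becomes REJECT. The table contents, domain and target addresses below are constructed, not the poster's; the '!' negation and per-rule flags of real pcre tables are parsed only as far as needed and not applied.

```python
from __future__ import annotations

import re

# Constructed virtual_alias_maps pcre table shaped like the one in the post.
# The domain and the target addresses are made up, not the poster's data.
VIRTUAL_PCRE = """\
if /@mail\\.example$/
/^accounts@/ finance-team@inbox.example
/^adam@/ adam@inbox.example
/^(input|sarah[-0-9a-z]*)@/ sarah@inbox.example
/^(admin|administrator|postmaster|hostmaster|abuse|MAILER-DAEMON)@/ ops@inbox.example
endif
/@mail\\.example$/ root@localhost
"""

# One table line: optional 'if', /pattern/flags, optional result text.
# Subset of pcre_table(5): no '!' negation; flags are kept but not applied.
RULE = re.compile(r"^(?P<guard>if\s+)?/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s*(?P<result>.*)$")


def parse_pcre_table(text: str) -> list[tuple[tuple[re.Pattern[str], ...], re.Pattern[str], str]]:
    """Flatten if/endif blocks into (guards, pattern, result) triples; a rule is
    live only when every enclosing 'if' pattern also matches the key."""
    rules, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            stack.pop()
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsable pcre table line: {raw!r}")
        # pcre tables match case-insensitively unless the 'i' flag is toggled off.
        regex = re.compile(m.group("pat"), re.IGNORECASE)
        if m.group("guard"):
            stack.append(regex)
        else:
            rules.append((tuple(stack), regex, m.group("result").strip()))
    if stack:
        raise ValueError("unterminated if block")
    return rules


def lookup(rules, key: str) -> str | None:
    """First live rule whose pattern matches wins, as in Postfix; None = no match."""
    for guards, regex, result in rules:
        if all(g.search(key) for g in guards) and regex.search(key):
            return result
    return None


def build_filtered_names(virtual_text: str) -> str:
    """Derive the check_recipient_access table: rules nested in an 'if' block
    name known recipients and become OK; the top-level catch-all becomes REJECT.
    (Assumption about the split between 'known name' and 'catch-all' rules.)"""
    out, depth = [], 0
    for raw in virtual_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            depth -= 1
            out.append(line)
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsable pcre table line: {raw!r}")
        if m.group("guard"):
            depth += 1
            out.append(line)
            continue
        verdict = "OK" if depth > 0 else "REJECT"
        out.append(f"/{m.group('pat')}/{m.group('flags')} {verdict}")
    return "\n".join(out) + "\n"


def classify(address: str) -> tuple[str | None, str | None]:
    """Result of the same address in both tables; they must agree on 'known'."""
    virtual = lookup(parse_pcre_table(VIRTUAL_PCRE), address)
    access = lookup(parse_pcre_table(build_filtered_names(VIRTUAL_PCRE)), address)
    return virtual, access


if __name__ == "__main__":
    print(build_filtered_names(VIRTUAL_PCRE))
    for addr in ("accounts@mail.example", "sarah-2@mail.example", "stranger@mail.example"):
        print(addr, "->", classify(addr))
```

Generating the access table from the alias table rather than maintaining both by hand is the security-relevant part: a name added to 'virtual' but forgotten in 'filtered_names' is silently rejected, and the reverse mistake accepts mail for an address that is then forwarded nowhere.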


Re: SSL_accept error from other MTA

2017-01-15 Thread Admin Beckspaced


> On 1/14/2017 2:40 AM, Admin Beckspaced wrote:
>
> > All other MTA's don't seem to have any problems with TLS / STARTTLS.
> >
> > What can I do to fix this problem? Let the other MTA know that they
> > got an issue with their TLS setup?
> >
> > Thanks & greetings
> > Becki
>
> If your goal is to get the mail flowing, you can disable STARTTLS
> for this particular client by using
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
>
> Use a cidr: type map with an entry like:
> 10.10.10.10  starttls
>
>   -- Noel Jones




I decided to go with this option to keep mail flowing for the moment
being ... also aware that this is just a temporary workaround.

will contact the admin, in the hope that they still use an ancient
exchange server version and are going to update that?

or is there any other option on my site to fix things with this specific
client?

thanks & greetings
Becki




Re: masquerade_domains not working

2017-01-15 Thread Jan Ceuleers
On 14/01/17 20:58, Richie Rich wrote:
> Thanks for the quick response. Can you point me in a direction to
> accomplish what I'm trying to do?
> I'm totally new to postfix.

I am by no means an expert, but I do hope that the following helps:

http://www.postfix.org/postconf.5.html#smtp_generic_maps for the
outgoing side and
http://www.postfix.org/postconf.5.html#virtual_alias_maps for the
incoming side.