Re: smtpd not announcing sasl capabilities
On 1/16/2017 12:04 AM, David Mehler wrote:
> Hello,
>
> I'm running Postfix 3.1. A telnet connection to port 25 and another to
> port 587, does not announce the sasl auth capabilities.
>

smtpd_tls_auth_only = yes

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
... "do not announce or accept SASL authentication over unencrypted connections"

  -- Noel Jones

> I'd appreciate a sanity check of my configuration done with postconf -n.
>
> Thanks.
> Dave.
>
> autoresponder_destination_recipient_limit = 1
> biff = no
> bounce_template_file = /usr/local/etc/postfix/bounce.cf
> broken_sasl_auth_clients = no
> command_directory = /usr/local/sbin
> compatibility_level =
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> disable_vrfy_command = yes
> dovecot_destination_recipient_limit = 1
> hash_queue_depth = 2
> hash_queue_names = incoming, hold defer deferred
> header_checks = pcre:/usr/local/etc/postfix/header_checks,
>     regexp:/usr/local/etc/postfix/phish419.regexp
> html_directory = no
> in_flow_delay = 1s
> inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
> inet_protocols = ipv4
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> meta_directory = /usr/local/libexec/postfix
> milter_default_action = accept
> milter_protocol = 6
> mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
> mydestination = localhost
> mydomain = example.com
> myhostname = mail.example.com
> mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> non_smtpd_milters = $smtpd_milters
> postscreen_access_list = permit_mynetworks,
>     cidr:/usr/local/etc/postfix/postscreen_access.cidr,
>     cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
> postscreen_blacklist_action = drop
> postscreen_cache_cleanup_interval = 0
> postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
> postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
>     bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net
>     dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
>     list.dnswl.org=127.[0..255].[0..255].0*-2
>     list.dnswl.org=127.[0..255].[0..255].1*-3
>     list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
> postscreen_dnsbl_threshold = 3
> postscreen_greet_action = enforce
> queue_directory = /var/spool/postfix
> readme_directory = no
> recipient_delimiter = +
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> shlib_directory = /usr/local/lib/postfix
> show_user_unknown_table_name = no
> smtp_helo_timeout = 60s
> smtpd_banner = $myhostname ESMTP
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_milters = inet:127.0.0.1:8891
> smtpd_recipient_restrictions = permit_mynetworks
>     permit_sasl_authenticated reject_unauth_destination
>     check_sender_access hash:/usr/local/etc/postfix/safe_addresses
>     check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
>     check_client_access cidr:/usr/local/etc/postfix/spamfarms
>     check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
>     permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
>     check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
>     reject_unknown_reverse_client_hostname reject_non_fqdn_sender
>     reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
>     reject_unknown_helo_hostname reject_unlisted_recipient
>     reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org
>     reject_rbl_client psbl.surriel.com reject_rbl_client bl.spamcop.net
>     reject_rbl_client cbl.abuseat.org reject_rhsbl_client dbl.spamhaus.org
>     reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org
>     check_policy_service unix:private/spf-policy
>     check_policy_service inet:127.0.0.1:12345
> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_soft_error_limit = 3
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/server.crt
> smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
> smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
> smtpd_tls_eecdh_grade = strong
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
>     aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
> smtpd_tls_key_file = /etc/ssl/private/server.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
>
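A way to verify the behaviour Noel describes instead of eyeballing a telnet session: with smtpd_tls_auth_only = yes the EHLO reply on the cleartext connection must offer STARTTLS and no AUTH, and the EHLO reply after STARTTLS must offer AUTH. This is an added example, not part of the thread; the two EHLO replies are constructed, and check_live() assumes a reachable server name of your own.

```python
"""Sanity check for smtpd_tls_auth_only: AUTH must be absent from the EHLO
reply on a plaintext connection and present after STARTTLS."""
import smtplib
import ssl

# Constructed EHLO reply bodies in the form smtplib.SMTP.ehlo() returns them:
# first line is the server name, then one EHLO keyword per line.
EHLO_PLAINTEXT = (b"mail.example.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\n"
                  b"ENHANCEDSTATUSCODES\n8BITMIME\nDSN")
EHLO_AFTER_TLS = (b"mail.example.com\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n"
                  b"ENHANCEDSTATUSCODES\n8BITMIME\nDSN")


def ehlo_keywords(ehlo_body: bytes) -> dict:
    """Parse a 250 EHLO reply body into {KEYWORD: [parameters]}."""
    keywords = {}
    lines = ehlo_body.decode("ascii", "replace").splitlines()
    for line in lines[1:]:          # lines[0] is the server's own name
        parts = line.split()
        if parts:
            keywords[parts[0].upper()] = parts[1:]
    return keywords


def auth_state(ehlo_body: bytes) -> tuple:
    """Return (starttls_offered, sasl_mechanisms) for one EHLO reply."""
    kw = ehlo_keywords(ehlo_body)
    return ("STARTTLS" in kw, kw.get("AUTH", []))


def tls_auth_only_ok(plain_body: bytes, tls_body: bytes) -> bool:
    """True when the server behaves as smtpd_tls_auth_only = yes requires:
    STARTTLS offered and no AUTH in the clear, AUTH offered once encrypted."""
    starttls, plain_auth = auth_state(plain_body)
    _, tls_auth = auth_state(tls_body)
    return starttls and not plain_auth and bool(tls_auth)


def check_live(host: str, port: int = 587) -> bool:
    """Run the same check against a real server (network access required).
    The default context verifies the certificate; a failure there is a
    finding in its own right and surfaces as an exception."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, plain_body = s.ehlo()
        s.starttls(context=ctx)
        _, tls_body = s.ehlo()      # smtplib re-issues EHLO after STARTTLS
    return tls_auth_only_ok(plain_body, tls_body)


if __name__ == "__main__":
    print("plaintext EHLO:", auth_state(EHLO_PLAINTEXT))
    print("after STARTTLS:", auth_state(EHLO_AFTER_TLS))
    print("smtpd_tls_auth_only behaviour:",
          tls_auth_only_ok(EHLO_PLAINTEXT, EHLO_AFTER_TLS))
```

Run check_live("mail.example.com", 25) and again with 587 to cover both ports Dave tested; a False result with AUTH present in the cleartext reply means the option is not in effect on that listener.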
smtpd not announcing sasl capabilities
Hello,

I'm running Postfix 3.1. A telnet connection to port 25 and another to
port 587, does not announce the sasl auth capabilities.

I'd appreciate a sanity check of my configuration done with postconf -n.

Thanks.
Dave.

autoresponder_destination_recipient_limit = 1
biff = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level =
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
hash_queue_depth = 2
hash_queue_names = incoming, hold defer deferred
header_checks = pcre:/usr/local/etc/postfix/header_checks,
    regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = no
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
    cidr:/usr/local/etc/postfix/postscreen_access.cidr,
    cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 0
postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
    bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net
    dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
    reject_unknown_helo_hostname reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    check_policy_service inet:127.0.0.1:12345
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
    aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = no
soft_bounce = no
spf-policy_time_limit = 3600s
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
Re: masquerade_domains not working
A word to the wise. Message received. Again, thanks!
Re: masquerade_domains not working
> On Jan 15, 2017, at 2:23 PM, Richie Rich wrote:
>
> I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is again
> restated.

No need, I understood what you wanted the first time.

> I have tested using canonical_maps where:
> u...@domainb.com  u...@example.com

This is the correct approach.

> This seems to do what I need it to do, though once I spend
> some time with it I may need to check out regexp_table.
> Thankfully I'm no stranger to regexes :)

Save yourself the time and DO NOT go there. Regular expression
mappings break recipient validation when used in canonical_maps (on
input). If used on gateway relay, they can safely be used on output in
smtp_generic_maps, but then your recipient validation still has to deal
with all the variant addresses on input in some manner. So it is best
to do the work just once in canonical_maps, without any regex wildcards.

--
Viktor.
Re: masquerade_domains not working
I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is again restated.

Our canonical domain is example.com

Two of our hosted domains are domainA.com, and domainB.com. These are not subdomains of example.com, but rather separate domains entirely that are delivered locally.

The goal is that users in domainA.com will see their mail as being addressed to u...@domaina.com, but users in domainB.com will see their mail as being addressed to u...@example.com

I have tested using canonical_maps where:

u...@domainb.com  u...@example.com

This seems to do what I need it to do, though once I spend some time with it I may need to check out regexp_table. Thankfully I'm no stranger to regexes :)

Thanks to all that responded!

On Sun, Jan 15, 2017 at 1:31 PM, Viktor Dukhovni wrote:
>
> > On Jan 15, 2017, at 1:12 PM, Viktor Dukhovni wrote:
> >
> > I recommend against masquerading, because it breaks recipient
> > validation. Instead, construct a table of all the valid addresses
> > for each user, and use canonical_maps.
>
> To be more precise, it is not that masquerading directly breaks
> recipient validation, but rather that accepting mail for
> an arbitrary sub-domain of a domain, as well as the domain itself,
> requires recipient validation to take place after rewriting,
> but the Postfix smtpd(8) server performs validation on the original
> input address prior to rewriting (which happens in cleanup(8)).
>
> If the goal is just to map user@a.example to user@b.example without
> also accepting mail for user@foo.a.example, then masquerading is
> entirely the wrong tool for the job (it is perhaps unfortunate
> that Postfix and Sendmail use the same name for noticeably different
> mechanisms).
>
> Mapping of secondary domains to primary domains is best accomplished
> with canonical_maps, and wildcards need to be avoided in order to
> retain recipient validation and not become a backscatter source.
>
> Therefore, build tables of explicit user@a.example -> user@b.example
> canonical mappings. In Microsoft Exchange environments this is
> accomplished by using LDAP to resolve "proxyAddresses = smtp:%s"
> (each secondary address) to "mail" (the primary address).
>
> --
> Viktor.
>
Re: masquerade_domains not working
> On Jan 15, 2017, at 1:12 PM, Viktor Dukhovni wrote:
>
> I recommend against masquerading, because it breaks recipient
> validation. Instead, construct a table of all the valid addresses
> for each user, and use canonical_maps.

To be more precise, it is not that masquerading directly breaks
recipient validation, but rather that accepting mail for an arbitrary
sub-domain of a domain, as well as the domain itself, requires
recipient validation to take place after rewriting, but the Postfix
smtpd(8) server performs validation on the original input address
prior to rewriting (which happens in cleanup(8)).

If the goal is just to map user@a.example to user@b.example without
also accepting mail for user@foo.a.example, then masquerading is
entirely the wrong tool for the job (it is perhaps unfortunate that
Postfix and Sendmail use the same name for noticeably different
mechanisms).

Mapping of secondary domains to primary domains is best accomplished
with canonical_maps, and wildcards need to be avoided in order to
retain recipient validation and not become a backscatter source.

Therefore, build tables of explicit user@a.example -> user@b.example
canonical mappings. In Microsoft Exchange environments this is
accomplished by using LDAP to resolve "proxyAddresses = smtp:%s"
(each secondary address) to "mail" (the primary address).

--
Viktor.
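Viktor's two points (build explicit user@a.example -> user@b.example canonical entries here, and keep regex wildcards out of canonical_maps in his later reply) rest on one fact: smtpd(8) validates the recipient as received, before cleanup(8) rewrites it. The added example below, not part of the thread, generates such a table from a constructed user directory and models the input-side check; a.example, b.example and the user names are made up.

```python
"""Explicit canonical_maps entries versus a wildcard rewrite: only the
explicit table gives smtpd(8) something to validate before rewriting."""
import re

PRIMARY = "b.example"          # constructed primary domain
SECONDARY = ["a.example"]      # constructed secondary domain(s)
USERS = ["alice", "bob"]       # constructed directory of valid local parts


def build_canonical_table(users, primary, secondary):
    """One explicit entry per (user, secondary domain); this is the table
    Viktor recommends, built from a directory rather than by hand."""
    table = {}
    for user in users:
        for dom in secondary:
            table[f"{user}@{dom}"] = f"{user}@{primary}"
    return table


def render_table(table):
    """Text of the 'key value' file to feed to postmap (hash:/etc/postfix/canonical)."""
    return "\n".join(f"{k} {v}" for k, v in sorted(table.items())) + "\n"


def smtpd_accepts(rcpt, table, primary, users):
    """Model of the check smtpd(8) can perform: it sees the ORIGINAL
    recipient, before cleanup(8) applies canonical_maps. With every valid
    secondary address listed, anything else is rejected at RCPT TO time,
    including user@foo.a.example, which a masquerade would have swallowed."""
    if rcpt in table:
        return True
    local, _, domain = rcpt.rpartition("@")
    return domain == primary and local in users


WILDCARD = re.compile(r"^(.*)@a\.example$")   # the regexp_table approach


def wildcard_accepts(rcpt):
    """With a regexp canonical map there is no list of valid secondary
    addresses, so the only input-side test is 'does the pattern match',
    which is true for every local part, existing or not. Mail for the
    non-existent ones is accepted and bounced later: backscatter."""
    return WILDCARD.match(rcpt) is not None


if __name__ == "__main__":
    table = build_canonical_table(USERS, PRIMARY, SECONDARY)
    print(render_table(table))
    for addr in ["alice@a.example", "nobody@a.example", "alice@foo.a.example"]:
        print(f"{addr:24} explicit={smtpd_accepts(addr, table, PRIMARY, USERS)!s:5} "
              f"wildcard={wildcard_accepts(addr)}")
```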
Re: masquerade_domains not working
Thank you. I understand, but this requirement is imposed by my business unit... I haven't tried canonical_maps yet, but I was about to head down that road. I'll give it a shot.

On Sun, Jan 15, 2017 at 1:12 PM, Viktor Dukhovni wrote:
> On Sun, Jan 15, 2017 at 01:02:37PM -0500, Richie Rich wrote:
>
> > Thanks for the replies. I really appreciate the help.
> >
> > I am already leveraging /etc/postfix/virtual to route traffic to my
> > "hosted domains".
> >
> > The problem I'm trying to solve, simply stated, is that I need to be able
> > to selectively masquerade inbound email to my hosted domains.
> > So, u...@doma.com will see his mail addressed to u...@doma.com, but
> > u...@domb.com might see his mail addressed to u...@myco.com, our
> > canonical domain name.
>
> I recommend against masquerading, because it breaks recipient
> validation. Instead, construct a table of all the valid addresses
> for each user, and use canonical_maps.
>
> --
> Viktor.
Re: masquerade_domains not working
As a side note, we are migrating to Postfix. In our current Sendmail environment, we accomplish the requisite masquerading by adding each domain to /etc/mail/local-host-names. This accomplishes the masquerading piece and allows for virtual hosting. Then for those domains we do not want to masquerade, we edit sendmail.cf and add a CN entry. Easy peasy.

On Sun, Jan 15, 2017 at 1:02 PM, Richie Rich wrote:
> Thanks for the replies. I really appreciate the help.
>
> I am already leveraging /etc/postfix/virtual to route traffic to my
> "hosted domains".
>
> The problem I'm trying to solve, simply stated, is that I need to be able
> to selectively masquerade inbound email to my hosted domains.
> So, u...@doma.com will see his mail addressed to u...@doma.com, but
> u...@domb.com might see his mail addressed to u...@myco.com, our
> canonical domain name.
Re: masquerade_domains not working
On Sun, Jan 15, 2017 at 01:02:37PM -0500, Richie Rich wrote:
> Thanks for the replies. I really appreciate the help.
>
> I am already leveraging /etc/postfix/virtual to route traffic to my "hosted
> domains".
>
> The problem I'm trying to solve, simply stated, is that I need to be able
> to selectively masquerade inbound email to my hosted domains.
> So, u...@doma.com will see his mail addressed to u...@doma.com, but
> u...@domb.com might see his mail addressed to u...@myco.com, our canonical
> domain name.

I recommend against masquerading, because it breaks recipient
validation. Instead, construct a table of all the valid addresses
for each user, and use canonical_maps.

--
Viktor.
Re: masquerade_domains not working
Thanks for the replies. I really appreciate the help.

I am already leveraging /etc/postfix/virtual to route traffic to my "hosted domains".

The problem I'm trying to solve, simply stated, is that I need to be able to selectively masquerade inbound email to my hosted domains. So, u...@doma.com will see his mail addressed to u...@doma.com, but u...@domb.com might see his mail addressed to u...@myco.com, our canonical domain name.
Fwd: masquerade_domains not working
On 15 January 2017 at 08:51, Jan Ceuleers wrote:
> On 14/01/17 20:58, Richie Rich wrote:
> > Thanks for the quick response. Can you point me in a direction to
> > accomplish what I'm trying to do?
> > I'm totally new to postfix.
>
> I am by no means an expert, but I do hope that the following helps:
>
> http://www.postfix.org/postconf.5.html#smtp_generic_maps for the
> outgoing side and
> http://www.postfix.org/postconf.5.html#virtual_alias_maps for the
> incoming side.

Yes I agree that for incoming mails, virtual_alias_maps is the way to go. I use 'virtual_alias_maps = pcre:/etc/postfix/virtual' and file 'virtual' looks a bit like this (data obfuscated):

if /@streamingbats\.co(m|\.uk)$/
/^accounts@/ jenny...@gmail.com,jim9...@gmail.com
/^adam@/ adamdelane...@gmail.com
/^(input|sarah[-0-9a-z]*)@/ sarahcorriga...@gmail.com
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ myaddr...@gmail.com
endif
/@streamingbats\.co(m|\.uk)$/ root@localhost

I wrote a script to auto-configure postfix and inter alia this builds a file 'filtered_names' from my 'virtual' file. In one of my restrictions lists I have line 'check_recipient_access pcre:/etc/postfix/filtered_names'. This blocks emails to anyone@mydomains that isn't one of the names explicitly remapped in my virtual file (except for authenticated senders) and looks a bit like this:

if /@streamingbats\.co(m|\.uk)$/
/^accounts@/ OK
/^adam@/ OK
/^(input|sarah[-0-9a-z]*)@/ OK
/^(admin|administrator|dominic|MAILER-DAEMON|paypal|payments|vps1|dl[12]|pbx|timedicer[12]?|hostmaster|postmaster|abuse)@/ OK
endif
/@streamingbats\.co(m|\.uk)$/ REJECT

For the outgoing mails, I originally used smtp_generic_maps but when I started using opendkim I needed to switch to canonical (http://www.postfix.org/canonical.5.html), because the changes made by canonical happen before milters (including opendkim); otherwise opendkim's key line header is immediately broken by smtp_generic_maps' address rewriting. So I have a line 'canonical_maps = hash:/etc/postfix/canonical' and the canonical file looks a bit like this:

<> d...@streamingbats.co.uk
root d...@streamingbats.co.uk
www-data d...@streamingbats.co.uk
postfix d...@streamingbats.co.uk
root@localhost d...@streamingbats.co.uk
root@dl1 d...@streamingbats.co.uk

There may be simpler ways of achieving the same objectives (and I'd be interested to hear of them), but these work for me.
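The poster's 'filtered_names' table is derived mechanically from the 'virtual' table: same if/endif block and patterns, each result replaced by OK, and the top-level catch-all for the domain turned into REJECT. The added example below is not the poster's script; it implements that derivation for a pcre: table in his layout, with a constructed input in which the real addresses are replaced by placeholders.

```python
"""Derive a check_recipient_access pcre: table from a pcre: virtual_alias_maps
table: named recipients inside the domain block become OK, the domain
catch-all outside the block becomes REJECT."""

# Constructed sample in the poster's layout (addresses are placeholders).
VIRTUAL = """\
# constructed sample
if /@streamingbats\\.co(m|\\.uk)$/
/^accounts@/ first@example.invalid,second@example.invalid
/^adam@/ adam@example.invalid
/^(input|sarah[-0-9a-z]*)@/ sarah@example.invalid
endif
/@streamingbats\\.co(m|\\.uk)$/ root@localhost
"""


def split_pcre_line(line):
    """Return (pattern, result) for a '/regex/[flags] result' line. The
    pattern ends at the first unescaped '/' after the opening one, so a
    '\\/' inside the regex does not terminate it."""
    if not line.startswith("/"):
        raise ValueError(f"not a pcre table entry: {line!r}")
    i = 1
    while i < len(line):
        if line[i] == "\\":
            i += 2              # skip the escaped character
            continue
        if line[i] == "/":
            break
        i += 1
    end = i + 1                 # optional flags follow the closing slash
    while end < len(line) and not line[end].isspace():
        end += 1
    return line[:end], line[end:].strip()


def to_access_table(virtual_text):
    """Translate the virtual table into the access table text."""
    out, depth = [], 0
    for raw in virtual_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("if "):
            depth += 1
            out.append(line)    # control lines pass through unchanged
            continue
        if line == "endif":
            depth -= 1
            out.append(line)
            continue
        pattern, _result = split_pcre_line(line)
        # Inside the domain block every listed name is allowed; a pattern at
        # top level is the domain catch-all and rejects everyone else.
        out.append(f"{pattern} {'OK' if depth > 0 else 'REJECT'}")
    if depth != 0:
        raise ValueError("unbalanced if/endif in virtual table")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_access_table(VIRTUAL), end="")
```

Because a pcre: table is read directly, there is no postmap step; write the output to /etc/postfix/filtered_names and keep the check_recipient_access entry after permit_sasl_authenticated so authenticated senders are not affected.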
Re: SSL_accept error from other MTA
On 15.01.2017 07:39, Noel Jones wrote:
> On 1/14/2017 2:40 AM, Admin Beckspaced wrote:
> > All other MTA's don't seem to have any problems with TLS / STARTTLS.
> > What can I do to fix this problem? Let the other MTA know that they
> > got an issue with their TLS setup?
> >
> > Thanks & greetings
> > Becki
>
> If your goal is to get the mail flowing, you can disable STARTTLS for
> this particular client by using
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
>
> Use a cidr: type map with an entry like:
>
> 10.10.10.10 starttls
>
>   -- Noel Jones

I decided to go with this option to keep mail flowing for the moment being ... also aware that this is just a temporary workaround.

Will contact the admin, in the hope that they still use an ancient Exchange server version and are going to update that?

Or is there any other option on my site to fix things with this specific client?

Thanks & greetings
Becki
Re: masquerade_domains not working
On 14/01/17 20:58, Richie Rich wrote:
> Thanks for the quick response. Can you point me in a direction to
> accomplish what I'm trying to do?
> I'm totally new to postfix.

I am by no means an expert, but I do hope that the following helps:

http://www.postfix.org/postconf.5.html#smtp_generic_maps for the
outgoing side and
http://www.postfix.org/postconf.5.html#virtual_alias_maps for the
incoming side.