Re: LDAP related "postconf: warning" with most recent build

2017-09-05 Thread Wietse Venema
Ralf Hildebrandt:
> % postconf -h queue_directory
>  
> gives me a lot of LDAP related warnings:
> 
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> query_filter=(proxyAddresses=smtp:%s)
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> start_tls=yes
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> bind_pw=xxx
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> version=3
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> bind_dn=yyy
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> server_host=10.28.0.31?  10.28.0.32
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> result_attribute=mail
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
> search_base=dc=laborberlin,dc=intern
> 
> mail_version = 3.3-20170730

Does not reproduce when I create a file with those entries, and use
it as alias_maps.

% cat /etc/postfix/laborberlin.com.cf
query_filter=(proxyAddresses=smtp:%s)
start_tls=yes
bind_pw=xxx
version=3
bind_dn=yyy
server_host=10.28.0.31?  10.28.0.32
result_attribute=mail
search_base=dc=laborberlin,dc=intern
foo=bar
% postconf >/dev/null
postconf: warning: /etc/postfix/main.cf, line 649: overriding earlier entry: 
alias_maps=proxy:hash:/etc/aliases
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
foo=bar

Wietse



Re: Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread techlist06
First time I've tried the inline map type.  And, I think the spaces may have
been what was hosing my earlier attempts.  Appreciate the pointer very much. 
Will give this a go.






--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: MX backup doesn't queue

2017-09-05 Thread Davide Marchi

On 2017-09-01 22:57 Noel Jones wrote:
[..]


On the backup MX:
[..]


Well, finally we did it!
Basically I think we can say that the backup server does not have to 
recognize domains and addresses as local.


This is what I did:

"server1.org" the.backed-up.domain.tld (primary domain)
"server2.org" the backup MX (secondary domain)


1) never list in mydomains/myhostname the primary server domain.
2) never list in virtual_alias_domains the primary server domain.  I've 
commented it.
3) never list in mailbox_domains or in virtual_mailbox_domains the 
primary domain. I've commented it.
4) do not list in virtual_alias_maps the primary domain. I've commented 
it.

5) this is useless: smtpd_sender_login_maps. I've commented it.
6) myorigin = $myhostname
7) mydestination = server2.org, localhost.server2.org, localhost
8) always list in relay_domains every domain (virtual too)

to do so via mysql add in main.cf the following files and their 
configurations:


relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf

then create a file called: "/etc/postfix/mysql-relay-domains.cf" with 
content:



user = user-db-postfix
password = my-password
hosts = 127.0.0.1
dbname = db-postfix-server
query = SELECT name FROM virtual_domains WHERE name='%s'

(the query content depends on the database structure)



9) then add in main.cf:

relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipient-maps.cf

create file "/etc/postfix/mysql-relay-recipient-maps.cf" with content:


user = user-db-postfix
password = my-password
hosts = 127.0.0.1
dbname = db-postfix-server
query = SELECT email FROM virtual_users WHERE email = '%s'

(the query content depends on the database structure)



10) to ensure that aliases are also accepted (is it correct?):

add in main.cf too:

relay_recipient_maps = 
mysql:/etc/postfix/mysql-alias-relay-recipient-maps.cf
(relay_recipient_maps = 
mysql:/etc/postfix/mysql-relay-recipient-maps.cf,mysql:/etc/postfix/mysql-alias-relay-recipient-maps.cf)



create file:

/etc/postfix/mysql-alias-relay-recipient-maps.cf

whose content must be:


user = user-db-postfix
password = my-password
hosts = 127.0.0.1
dbname = db-postfix-server
query = SELECT source FROM virtual_aliases WHERE source = '%s'

(the query content depends on the database structure)


// I hope, if this is right, this scheme may be of help to others. //


Thanks to all
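
An added example, not part of the original post and not Postfix code: a small Python audit of a backup-MX main.cf for the two mistakes the steps above guard against, a relayed domain listed in a local or virtual address class, and relay_recipient_maps assigned twice as in steps 9 and 10, where only the last assignment takes effect (the "overriding earlier entry" warning that postconf prints). SAMPLE is constructed and the function names are hypothetical.

```python
import re

# Address classes that must not list a domain the backup MX only relays for.
LOCAL_CLASSES = ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains")

# Constructed sample: steps 9 and 10 written as two separate assignments.
SAMPLE = """\
mydestination = server2.org, localhost.server2.org, localhost
virtual_alias_domains = server1.org
relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipient-maps.cf
relay_recipient_maps =
    mysql:/etc/postfix/mysql-alias-relay-recipient-maps.cf
"""

def parse_main_cf(text):
    """Return ({name: value}, [names assigned more than once]) using main.cf
    rules: '#' lines are comments, a line starting with whitespace continues
    the previous one, and a later 'name = value' replaces an earlier one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params, overridden = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep:
            continue
        if name in params:
            overridden.append(name)
        params[name] = value.strip()
    return params, overridden

def audit_backup_mx(text, relayed_domains):
    """List findings for a backup MX that should only relay relayed_domains."""
    params, overridden = parse_main_cf(text)
    findings = [f"{n}: defined twice, only the last value is used" for n in overridden]
    for cls in LOCAL_CLASSES:
        listed = set(re.split(r"[,\s]+", params.get(cls, "")))
        for dom in sorted(listed & set(relayed_domains)):
            findings.append(f"{cls}: {dom} belongs in relay_domains only")
    if not params.get("relay_recipient_maps"):
        findings.append("relay_recipient_maps: empty, every recipient in relay_domains is accepted")
    return findings
```

Running `audit_backup_mx(SAMPLE, ["server1.org"])` reports the double assignment and the virtual_alias_domains entry; putting both mysql: tables in one comma-separated relay_recipient_maps value, as in the parenthesised line of step 10, clears the first finding.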





Re: Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread Noel Jones
On 9/5/2017 3:39 PM, techlist06 wrote:
> Just what I was hoping for, the easy button.  Thank you.
> 
> What about the one (valid) sender I want to prevent?  I've got an IMAP
> account setup for spam reporting, I want to be sure no one who has access to
> it sends anything from that account.
> 
> 
> 
> 
> 
> 
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
> 



Use a check_sender_access map to reject that one sender.  You can't
use spaces in master.cf, so do something like:

main.cf:
submission_sender_restrictions = reject_unlisted_sender,
   check_sender_access inline:{ s...@example.com=REJECT }

master.cf:
...
submission ...
  -o smtpd_sender_restrictions=$submission_sender_restrictions

My example uses the inline: map type, which is great for simple
tables with few elements, but any postfix map type may be used.
http://www.postfix.org/DATABASE_README.html#types



  -- Noel Jones


Re: Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread techlist06
Just what I was hoping for, the easy button.  Thank you.

What about the one (valid) sender I want to prevent?  I've got an IMAP
account setup for spam reporting, I want to be sure no one who has access to
it sends anything from that account.








Re: Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread Noel Jones
On 9/5/2017 2:48 PM, techlist06 wrote:
> Postfix 3.2.2, Centos7.  All functioning as configured.  I have a few local 
> accounts, several virtual addresses delivered to those accounts, and some 
> domains relayed, the latter do not submit mail through this box.
> 
> All local accounts send via TLS authentication on 587.  Currently I don't 
> think I have any restrictions on what an outbound address can be.  I do have 
> some aliases so I do not want to restrict to logon names only.  
> 
> Is it possible to restrict outgoing mail to be from one of my "valid" local 
> or virtual aliases?  And I want to restrict outbound from one address in 
> particular.
> 
> I looked here:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
> but if the answer is there I'd be grateful for some more help, I didn't get 
> it.  On or off-list.
> 
> Right now my submission section of master.cf is below.  I tried adding 
> something here as -o o smtpd_sender_restrictions but didn't get that right.
> 
> submission   inet   n   -   n   -   -   smtpd
> ## subsequent indented lines override main.cf settings.
>   -o content_filter=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o syslog_name=postfix-submission
>   -o milter_macro_daemon_name=ORIGINATING
> 
> Happy to provide all the configs if needed.
> 
> 
> 


The easiest way would be to add
  -o smtpd_sender_restrictions=reject_unlisted_sender


http://www.postfix.org/postconf.5.html#reject_unlisted_sender




  -- Noel Jones


Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread techlist06
Postfix 3.2.2, Centos7.  All functioning as configured.  I have a few local 
accounts, several virtual addresses delivered to those accounts, and some 
domains relayed, the latter do not submit mail through this box.

All local accounts send via TLS authentication on 587.  Currently I don't think 
I have any restrictions on what an outbound address can be.  I do have some 
aliases so I do not want to restrict to logon names only.  

Is it possible to restrict outgoing mail to be from one of my "valid" local or 
virtual aliases?  And I want to restrict outbound from one address in 
particular.

I looked here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
but if the answer is there I'd be grateful for some more help, I didn't get it. 
 On or off-list.

Right now my submission section of master.cf is below.  I tried adding 
something here as -o o smtpd_sender_restrictions but didn't get that right.

submission   inet   n   -   n   -   -   smtpd
## subsequent indented lines override main.cf settings.
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix-submission
  -o milter_macro_daemon_name=ORIGINATING

Happy to provide all the configs if needed.





Re: What user should be specified for the opendkim -u UID option?

2017-09-05 Thread Matus UHLAR - fantomas

Tom Browder:
> Does everyone agree with pgndev's detailed cookbook recipe?

On 03.09.17 14:55, Wietse Venema wrote:
> No, that advice is incorrect.
>
> 1) Specify the opendkim '-u' option with an account that is not
>   used by anything else. Not postfix. Not . Not your personal
>   account.
>
> 2) Make opendkim files/directories owned by root and writable
>   only by root.

what about readable by opendkim?

> 3) Start opendkim as root (DO NOT use systemd user/group settings),

with the above, starting under opendkim:opendkim should be fine.
Of course, unless someone else has access to the opendkim group
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
On the other hand, you have different fingers. 


unknown mime types for some websites' postfix-3.2.2.RELEASE_NOTES & postfix-3.2.2.HISTORY?

2017-09-05 Thread yodeller
On the web site, when the links for ReleaseNotes or History are


https://archive.mgm51.com/mirrors/postfix-source/official/postfix-3.2.2.RELEASE_NOTES


https://archive.mgm51.com/mirrors/postfix-source/official/postfix-3.2.2.HISTORY

When I click on one of these, the link doesn't open the page in the browser to 
read.  Instead it tries to DL it as a ".BIN" filetype.  No option is given for 
saving the FileType in the browser as far as I see.

I think this is because some of the servers don't set the mime type for those 
extensions.

Other hosts, like

https://de.postfix.org/ftpmirror/official/postfix-3.2.2.RELEASE_NOTES

work OK.  The files open & display right in the browser.

I don't know what the solution is for the servers. Maybe those links could be 
rewritten to "postfix-3.2.2.RELEASE_NOTES.txt" to get around broken servers?



LDAP related "postconf: warning" with most recent build

2017-09-05 Thread Ralf Hildebrandt
% postconf -h queue_directory
 
gives me a lot of LDAP related warnings:

postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
query_filter=(proxyAddresses=smtp:%s)
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
start_tls=yes
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
bind_pw=xxx
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
version=3
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
bind_dn=yyy
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
server_host=10.28.0.31?  10.28.0.32
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
result_attribute=mail
postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: 
search_base=dc=laborberlin,dc=intern

mail_version = 3.3-20170730

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
   
Registered office: München, Amtsgericht München (district court): HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Specify DNSBL reject code in postscreen reply map?

2017-09-05 Thread yodeller
I'm trying to understand reply maps' use.  Specifically postscreen's.

If I set up config in main.cf as

default_rbl_reply = $rbl_code [P4] Service unavailable; $rbl_class
    [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

postscreen_dnsbl_reply_map =
    pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre

rbl_reply_maps = ${stress?lmdb:/etc/postfix/rbl_reply_maps}

and

/etc/postfix/rbl_reply_maps 

b.barracudacentral.org=127.0.0.2 521 4.7.1 Service unavailable;
 $rbl_class [TEST1] [$rbl_what] blocked using
 $rbl_domain${rbl_reason?; $rbl_reason}

/etc/postfix/postscreen_dnsbl_reply_map.pcre

/barracudacentral\.org$/    [TEST2] DNSBL[Barracuda]

When postscreen hits on a Barracuda DNSBL, my logs show

Sep  3 02:12:55 virt1 postfix/postscreen[53233]: NOQUEUE: reject: RCPT from 
[37.49.226.131]:5897: 550 5.7.1 Service unavailable; client [37.49.226.131] 
blocked using [TEST2] DNSBL[Barracuda]; from=, 
to=, proto=SMTP, helo=

So obviously the postscreen_dnsbl_reply_map is kicking in.

But it's rejecting with the default "550 5.7.1".

What do I need to edit if I want to postscreen to reject -- in this example -- 
Barracuda hits with "521 4.7.1", leaving the default as-is?