[SLUG] Postfix Virtual Mailbox redirection/copy
I've got a virtual mailbox that the user wants all incoming email *COPIED* to an external email address. Easy to do in procmail but I can't quite see how to do it for postfix virtual mailboxes. Can anyone point me the right way please? thanks -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix and PCRE filtering
Hi all,

I'm messing with postfix-pcre version 2.6.5-3 from Debian testing. In the /etc/postfix/pcre_table I have the following rule:

    /^Subject: .*(casino|nline pharmacy).*/i REJECT

In /etc/postfix/main.sf I also have:

    header_checks = pcre:/etc/postfix/pcre_table

to enable pcre checks.

If I send email from a gmail account with the word 'casino' in the subject line, the email is rejected and the gmail account gets a 'Delivery Status Notification' message.

However, even with all the above, I'm still getting emails with 'casino' in the subject line.

Anybody have any idea why PCRE is only working with postfix some of the time?

Cheers,
Erik
--
Erik de Castro Lopo
http://www.mega-nerd.com/
Re: [SLUG] Postfix and PCRE filtering
Erik de Castro Lopo mle+s...@mega-nerd.com writes:

> I'm messing postfix-pcre version 2.6.5-3 from Debian testing. In the
> /etc/postfix/pcre_table I have the following rule:

[...]

> However, even with all the above, I'm still getting emails with 'casino' in
> the subject line. Anybody have any idea why PCRE is only working with
> postfix some of the time?

IIRC, header_checks see only raw headers, so anything encoded with RFC 2047 syntax might look nothing like that. For example, 2047 base-64 encoded headers seem popular in spam, and those could contain 'casino' without, y'know, containing 'casino'.

        Daniel

I suggest you use something like amavisd-new which pushes the email through all the relevant normalization before it applies rules like that.
--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
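The mismatch described in the reply above, as an added example that is not part of the original thread: the posted rule is applied once to the raw header text and once after RFC 2047 decoding, using Python's standard email package. The function names and all sample Subject lines are constructed for illustration.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# The rule from the post, transcribed as a Python regex (/i -> IGNORECASE).
RULE = re.compile(r"^Subject: .*(casino|nline pharmacy).*", re.IGNORECASE)


def unfold(raw_header):
    """Join a folded header into one logical line (drop CRLF before whitespace)."""
    return re.sub(r"\r?\n(?=[ \t])", "", raw_header)


def raw_match(raw_header):
    """Apply the rule to the header exactly as it appears on the wire."""
    return RULE.search(unfold(raw_header)) is not None


def decode_value(value):
    """Decode RFC 2047 encoded-words; fall back to the raw text if undecodable."""
    try:
        return str(make_header(decode_header(value)))
    except (HeaderParseError, LookupError, UnicodeError, ValueError):
        return value


def normalized_match(raw_header):
    """Apply the same rule after decoding, as a content filter would."""
    name, _, value = unfold(raw_header).partition(":")
    return RULE.search(f"{name}: {decode_value(value.strip())}") is not None


def evaders(headers):
    """Headers the rule should catch but the raw-text check lets through."""
    return [h for h in headers if normalized_match(h) and not raw_match(h)]


def b64_subject(text):
    """Build a constructed base64 encoded-word Subject header."""
    return "Subject: =?UTF-8?B?" + base64.b64encode(text.encode()).decode("ascii") + "?="


# Constructed sample headers (not taken from real mail).
PLAIN = "Subject: Win big at the casino tonight"
B64 = b64_subject("Win big at the casino tonight")
QP = "Subject: =?ISO-8859-1?Q?Best_c=61sino_offers?="
# The keyword is split across two encoded-words on a folded line.
SPLIT = "Subject: =?UTF-8?Q?Best_cas?=\r\n =?UTF-8?Q?ino_offers?="
HAM = b64_subject("Minutes of the June meeting")

if __name__ == "__main__":
    for header in (PLAIN, B64, QP, SPLIT, HAM):
        print(f"raw={raw_match(header)!s:5} decoded={normalized_match(header)!s:5} {header!r}")
```

Only the plain ASCII subject is caught by the raw check; the base64, quoted-printable and split variants match only after decoding, which is the normalization step a content filter performs before applying its rules.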
Re: [SLUG] Postfix and PCRE filtering
On 06/06/10 20:10, Erik de Castro Lopo wrote:

> If I send email from a gmail account with the word 'casino' in the subject
> line, the email is rejected and the gmail account gets a 'Delivery Status
> Notification' message. However, even with all the above, I'm still getting
> emails with 'casino' in the subject line. Anybody have any idea why PCRE is
> only working with postfix some of the time?

I have never set up Postfix filtering before, so this is probably a stupid question, but is it possible the rules you added are only matching when sent with your e-mail address in the “To:” header (rather than the “Delivered-To:” header)?

Most spam I get doesn’t contain my address in the To header. Try sending a “casino” e-mail from your Gmail account with some other address (i.e. your Gmail account) in the To field, and then Bcc with your Postfix address. Any difference?

Sorry in advance if I’m sending you on a wild goose chase.

Other things you could try is piping the mail through a hex editor to see if there are any funny U+ characters lurking in there.

Cheers,
Jeremy.
Re: [SLUG] Postfix and PCRE filtering
Jeremy Visser jer...@visser.name writes:

> On 06/06/10 20:10, Erik de Castro Lopo wrote:
>
>> If I send email from a gmail account with the word 'casino' in the subject
>> line, the email is rejected and the gmail account gets a 'Delivery Status
>> Notification' message. However, even with all the above, I'm still getting
>> emails with 'casino' in the subject line. Anybody have any idea why PCRE is
>> only working with postfix some of the time?
>
> I have never set up Postfix filtering before, so this is probably a stupid
> question, but is it possible the rules you added are only matching when sent
> with your e-mail address in the “To:” header (rather than the
> “Delivered-To:” header)?

They are not in either: the {header,body}_checks in Postfix are very blunt tools, inside the MTA.

[...]

> Sorry in advance if I’m sending you on a wild goose chase.

It might have helped if you had a better understanding of the tool you were giving advice about...

> Other things you could try is piping the mail through a hex editor to see
> if there are any funny U+ characters lurking in there.

...and possibly about the data transfer formats, too, since this is extremely unlikely: having a NUL byte embedded in the word would, y'know, show up (and the U+ notation means the Unicode code point with the 16-bit value 0.)

I suspect you actually meant check if the data is encoded in UCS2/UTF16, in which you would see ASCII characters as a series of regular characters separated by NUL bytes, because it is a 16-bit[1] encoding of Unicode.

...which you wouldn't try and transit through an email system even if it /was/ 8-bit clean, which most of them are not.

        Daniel

Footnotes:
[1] ...more or less, leaving aside the complications of the variable width encoding used.
--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
[SLUG] postfix - moving queue to another server?
A question for the postfix gurus about moving the queue to another server ...

I'm working on a system with n postfix mailservers behind load balancers. I want to take one of the servers (say MTA2) off the load balancers for testing a new configuration (there's no test environment - duh!). I then want to move the existing queue onto another mailserver (MTA1), so that real emails don't get lost.

What's the easiest way of doing this? I was thinking of changing the transport table on MTA2 to point everything at MTA1 and force flushing the queue - sound sane?

    % echo '* smtp:[mta1.example.com]' >> /etc/postfix/transport
    # rebuild map
    % postmap dbm:/etc/postfix/transport
    % postfix reload
    # flush queue
    % postqueue -f
    # watch contents of queue until empty
    % postqueue -p
    # start playing
    % la-la-la...

--
Sonia Hamilton.
[SLUG] postfix/dovecot/ssl and certificates
On a clean Hardy server install, I'm running postfix/dovecot/ssl/imap/postfixadmin/squirrelmail

Using squirrelmail, everything works fine.

I've imported the snakeoil certificate [1] into evolution [2] on my feisty client and although it seems to accept the certificate correctly it always wants to know if I want to accept this unknown certificate. I have the same problem on a Macintosh using Entourage mail client.

Have I missed the point? I feel like there should be something in dovecot to point at the certificates, but can't find it.

Please forgive me if it's blindingly obvious :)

David.

[1] server: /etc/ssl/certs/ssl-cert-snakeoil.pem
[2] Evolution: Preferences/Certificates/Authorities/Import
Re: [SLUG] postfix error sending email every 15 mins
On Tue, June 17, 2008 10:56 pm, Daniel Pittman wrote:

> Ben Donohue [EMAIL PROTECTED] writes:
>
>> Where can I look to see the queue?

as well as mailq, there is also qshape

    QSHAPE(1)                                                    QSHAPE(1)

    NAME
           qshape - Print Postfix queue domain and age distribution

    SYNOPSIS
           qshape [-s] [-p] [-m min_subdomains] [-b bucket_count]
                  [-t bucket_time] [-l] [-w terminal_width]
                  [-N batch_msg_count] [-n batch_top_domains]
                  [-c config_directory] [queue_name ...]

    DESCRIPTION
           The qshape program helps the administrator understand the
           Postfix queue message distribution in time and by sender
           domain or recipient domain. The program needs read access to
           the queue directories and queue files, so it must run as the
           superuser or the mail_owner specified in main.cf (typically
           postfix).

--
Voytek
[SLUG] postfix error sending email every 15 mins
Hi all,

I have a postfix email server with dovecot. Someone I sent an email to with an attachment is getting the email every 15 minutes. I presume it's my mail server resending it as there was some error somewhere.

After Googling a bit I've run...

    postfix flush

I'm not a postfix guru so is there any other way to check if this has been stopped? Where can I look to see the queue? Any other tips?

Thanks
Ben
Re: [SLUG] postfix error sending email every 15 mins
Ben Donohue [EMAIL PROTECTED] writes:

> I have a postfix email server with dovecot. Someone I sent an email to with
> an attachment is getting the email every 15 minutes. I presume it's my mail
> server resending it as there was some error somewhere. After Googling a bit
> I've run...

The error would need to be at the recipients end for that to happen, which is possible.

> postfix flush

That shouldn't have any effect, save to send another copy of the email.

> I'm not a postfix guru so is there any other way to check if this has been
> stopped?

Well, the first thing to do is to find out what is actually happening, and if you can actually do anything about it.

> Where can I look to see the queue?

As root, run 'mailq', which prints out the information.

> Any other tips?

Look in /var/log/maillog or /var/log/mail.log [1], find the records for the mail in question, and work out /why/ it is being sent multiple times. (Assuming it is from your machine sending it several times.)

If you are not clear, post the entire detail for one sending attempt here and we can advise.

Postfix tags each mail with a hex key, so you can find all lines with the same key to track down all the stuff about a single message. (This is the same as the queue ID you see from mailq, also. :)

Regards,
        Daniel

Footnotes:
[1] Which one is appropriate depends on your distribution.
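The log correlation suggested in the reply above, as an added example that is not part of the original thread: mail log lines are grouped by queue ID, and any message deferred more than once to the same recipient is reported with the reason the log gives. The log lines, host names and addresses are constructed, and only the short hexadecimal queue ID form is assumed.

```python
import re
from collections import defaultdict

# Assumption: short (hexadecimal) queue IDs, e.g. "4F2A81C0D3".
LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
DELIVERY_RE = re.compile(
    r"to=<(?P<rcpt>[^>]*)>.*\bstatus=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# Constructed sample in the usual syslog layout (not a real log).
SAMPLE_LOG = """\
Jun 17 22:04:50 mail postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Relay access denied
Jun 17 22:04:58 mail postfix/cleanup[2294]: 4F2A81C0D3: message-id=<constructed-1@mail.example.com>
Jun 17 22:04:59 mail postfix/qmgr[900]: 4F2A81C0D3: from=<ben@example.com>, size=2048123, nrcpt=1 (queue active)
Jun 17 22:10:02 mail postfix/smtp[2301]: 4F2A81C0D3: to=<recipient@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=303, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.25] while sending end of DATA -- message may be sent more than once)
Jun 17 22:12:30 mail postfix/qmgr[900]: 9B3C77A210: from=<ben@example.com>, size=1830, nrcpt=1 (queue active)
Jun 17 22:12:31 mail postfix/smtp[2310]: 9B3C77A210: to=<other@example.net>, relay=mx.example.net[192.0.2.40]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C4D5E)
Jun 17 22:12:31 mail postfix/qmgr[900]: 9B3C77A210: removed
Jun 17 22:25:03 mail postfix/smtp[2345]: 4F2A81C0D3: to=<recipient@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=1204, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.25] while sending end of DATA -- message may be sent more than once)
Jun 17 22:40:04 mail postfix/smtp[2388]: 4F2A81C0D3: to=<recipient@example.org>, relay=mx.example.org[192.0.2.25]:25, delay=2105, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.25] while sending end of DATA -- message may be sent more than once)
""".splitlines()


def by_queue_id(lines):
    """Group log records by queue ID; lines without one (NOQUEUE, warnings) are skipped."""
    records = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            records[m["qid"]].append((m["daemon"], m["rest"]))
    return dict(records)


def repeated_deferrals(lines, threshold=2):
    """Map (queue ID, recipient) to the deferral reasons when seen `threshold`+ times."""
    findings = {}
    for qid, entries in by_queue_id(lines).items():
        attempts = defaultdict(list)
        for _daemon, rest in entries:
            m = DELIVERY_RE.search(rest)
            if m and m["status"] == "deferred":
                attempts[m["rcpt"]].append(m["reason"])
        for rcpt, reasons in attempts.items():
            if len(reasons) >= threshold:
                findings[(qid, rcpt)] = reasons
    return findings


if __name__ == "__main__":
    for (qid, rcpt), reasons in repeated_deferrals(SAMPLE_LOG).items():
        print(f"{qid} -> {rcpt}: deferred {len(reasons)} times")
        print(f"  last reason: {reasons[-1]}")
```

In the constructed log the remote side drops the connection after the message body has been sent, so the sender keeps the message queued and retries while the recipient may already hold a copy from each attempt.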
[SLUG] Postfix, SASL, old-skool
On Mon, Apr 21, 2008, Jeff Waugh wrote:

> Well, how about using multiple parameters in the postfix relayhost setting?
>
>     relayhost = [usual.server.on.normal.port]:25
>         [usual.server.on.submission.port]:587
>         [fascist.university.server]:25
>
> Then set up multiple entries in /etc/postfix/sasl_passwd like so:
>
>     usual.server.on.normal.port p4ssw0rd
>     fascist.university.server p4ssw0rd

In case anyone finds this useful, what I actually had to do:

First, the relevant fascist server does not support the modern STARTTLS way of doing secure SMTP, they use the old wrapper mode on port 465 which Postfix DOESN'T support in client mode. (Before anyone mails, no, they don't support STARTTLS on port 587 either, that seems to be wrapper mode too.)

In order to get Postfix to do this, I used stunnel to forward a local port per http://www.postfix.org/SASL_README.html#client_sasl and http://www.postfix.org/TLS_README.html#client_smtps

stunnel is an absolute pain in the neck on Ubuntu: it refuses to log errors in any meaningful way and will often claim to start without actually having done so. To debug it, I suggest running it on the command line

    sudo stunnel4 /etc/stunnel/stunnel.conf

so you can see what it really thinks it is doing. In addition, don't forget to set ENABLED=1 in /etc/default/stunnel4 so that the init scripts will at least try and work.

This is what my /etc/stunnel/stunnel.conf ended up looking like:

    #; very simple config from http://archives.neohapsis.com/archives/postfix/2007-03/1350.html
    pid = /var/run/stunnel.pid
    key = /etc/stunnel/stunnel.pem

    [smtp-tls-wrapper]
    accept = 11125
    client = yes
    connect = fascist.university.server:465

I generated /etc/stunnel/stunnel.pem with

    openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem

per http://ubuntuforums.org/showthread.php?t=679779

According to most guides to Postfix and stunnel around, the key shouldn't be required, but I didn't get stunnel to work without it.

Then in /etc/postfix/main.cf:

    relayhost = [127.0.0.1]:11125
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
    smtp_sasl_security_options =

The last line is required because the server in question ALSO isn't strict enough in terms of password transmission for our good friend Postfix, so I needed to turn off the security checking. You can tell from the Postfix logs, you will get messages like

    warning: SASL authentication failure: No worthy mechs found

Finally, make sure that /etc/postfix/sasl/passwd has the relay host and not the fascist.university.server:465 value:

    [127.0.0.1]:11125 USERNAME:PASSWORD

-Mary
[SLUG] Postfix configuration
Can anyone guide me in the following Postfix configuration?

mx.example.com has local users who receive mail, it is an MX for a particular domain AND it is a mail gateway for users of its network.

1. mx.example.com should deliver mail for local users in the usual manner. If local delivery is impossible (one case is when amavis, which is specified as the content_filter, is down) it should queue it.

2. mx.example.com should deliver mail to example.org to finaldest.example.org, and if finaldest.example.org fails, it should queue it (mx.example.com is a MX for example.org, and if finaldest.example.org is down for long periods of time, I'd like to be able to get at the mails in the queue). I'm currently achieving this via a transport_maps line:

       example.org smtp:[finaldest.example.org]

3. mx.example.com should deliver all other mail (from the internal network) to relay.example.com port 10025 (this bypasses a second amavis check on relay.example.com and this is good since relay.example.com is not overly endowed with resources). However, if relay.example.com it should deliver mail to isp-relay.example.com, port 25.

Why do I want #3? Well, I don't want to deliver mail directly because mx.example.com is on a residential ADSL connection and could be blocked at some point by the blackhole lists. I don't want to *normally* use isp-relay.example.com because it's got an incredibly slow re-try time on failures (every time I mail someone through it who greylists me the mail doesn't get through for 24 hours), but I want to have mail go somewhere when relay.example.com is down.

But #3 is a pain in the butt especially in combination with #2.

Things I've thought of doing:

 - setting relayhost to both [relay.example.com]:10025 and [isp-relay.example.com]:25, but relayhost only takes one value

 - creating an MX record, say, dummymx.example.com that returns both relay.example.com and isp-relay.example.com as mail exchangers, and then set relayhost = dummymx.example.com but the different port numbers make this impossible and doesn't help with #2

 - setting relayhost = [relay.example.com]:10025 and smtp_fallback_relay = [isp-relay.example.com]:25 but then if amavis is down condition #1 is violated[1] and LOCAL mail starts being sent out to isp-relay.example.com, and if finaldest.example.org is down, example.org mail also heads for isp-relay.example.com. smtp_fallback_relay is too strong

-Mary

[1] This may be a bug in Postfix on the interaction between content_filter and smtp_fallback_relay, because man 5 postconf says

    To prevent mailer loops between MX hosts and fall-back hosts, Postfix version 2.3 and later will not use the smtp_fallback_relay feature for destinations that it is MX host for.
[SLUG] postfix rpm mysql yum centos prob
I'm trying to build binary postfix rpm from source rpm on centos

I'm failing dependencies as:

    # rpmbuild -ba postfix.spec
    error: Failed build dependencies:
    MySQL-shared is needed by postfix-2.4.5-3.pcre.MySQL.sasl2.rhel4.i386
    MySQL-devel is needed by postfix-2.4.5-3.pcre.MySQL.sasl2.rhel4.i386

I tried yum install but get this:

    # yum install MySQL*
    .
    Nothing to do

what's my best way fwd ?

    # uname -a
    Linux 2.6.9-55.0.2.EL #1 Tue Jun 26 14:08:18 EDT 2007 i686 i686 i386 GNU/Linux

--
Voytek
Re: [SLUG] Postfix question
Howard Lowndes wrote:

> That's what I am trying to achieve. Ideally and ultimately, the Postfix
> machine will do a lookup into the Domino LDAP system to find valid users,
> but until I can get that working I am doing LDAP lookups into an OpenLDAP
> database where the user account names match those in the Domino LDAP
> database, and it's this OpenLDAP lookup that is not finding a match but at
> the same time is not rejecting the email.

The Postfix option you are after is relay_recipient_maps - see http://www.postfix.org/postconf.5.html#relay_recipient_maps

E.g. in main.cf:

    relay_recipient_maps = hash:/etc/postfix/relay_recipients

And ensure that you put the list in relay_recipients and run postmap on it.

All the best,
Raphael
Re: [SLUG] Postfix question
Raphael Kraus wrote:

> E.g. in main.cf:
>
>     relay_recipient_maps = hash:/etc/postfix/relay_recipients
>
> And ensure that you put the list in relay_recipients and run postmap on it.

or you could make that an ldap lookup i think

dave
Re: [SLUG] Postfix question
Of course. Note the use of E.g. inferring for example ;)

For an LDAP example see http://postfix.wiki.xs4all.nl/index.php?title=Relay_recipient_maps_using_LDAP_against_Active_Directory

Aah... the beauty of documentation... :)

All the best,
Raphael

Dave Kempe wrote:

> Raphael Kraus wrote:
>
>> E.g. in main.cf:
>>
>>     relay_recipient_maps = hash:/etc/postfix/relay_recipients
>>
>> And ensure that you put the list in relay_recipients and run postmap on it.
>
> or you could make that an ldap lookup i think
>
> dave
Re: [SLUG] Postfix question
My apologies to anyone looking at this in the archives and wondering why I seem to be responding to a non-existent email. Howard didn't feel that his email was worth archiving, even though the replies are going to be archived.

On 13/06/07, Howard Lowndes [EMAIL PROTECTED] wrote:

> I have a Linux/Postfix server that accepts email from the Internet,
> performs filtering checks on the email and then forwards acceptable emails
> onto a Linux/Domino server on the local intranet. The Postfix checks are
> all being done by LDAP so I am able to see what is happening on the
> Linux/Postfix server. Postfix has the relayhost parameter set in main.cf to
> point to the Linux/Domino server so that emails are correctly forwarded on.
>
> I can see the Linux/Postfix server doing all the checks that I have
> specified in main.cf. These include:
>
>     smtpd_client_restrictions
>     smtpd_helo_restrictions
>     smtpd_sender_restrictions
>     smtpd_recipient_restrictions
>
> However, the smtpd_recipient_restrictions appear to be failing safe with a
> default DUNNO result rather than a default REJECT result. The same checks,
> when not used in conjunction with a relayhost setting appear to default
> fail as REJECT rather than DUNNO.
>
> Am I right in assuming that the use of the relayhost parameter is causing
> this change in default behaviour, and how is the best way to fix it?

The Domino machine, being the real MTA, obviously knows what addresses it's going to accept mail for (the ones that are defined as valid addresses) and which it's going to reject (the rest - unless it has a catchall, in which case, there aren't any that it will reject).

Does the Postfix machine have some way of knowing this same information, or is it just left knowing that all mail for that domain gets forwarded to 1.2.3.4?

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
Re: [SLUG] Postfix question
Howard,

I think you have the wrong idea about relayhost.

The relayhost parameter in main.cf of postfix is for you to specify an external SMTP server to send through (aka a smarthost). Don't specify an internal host for this (unless you insist on sending through that host). Usually the parameter would be set to your ISP's SMTP server, or the SMTP server specified by your SPF records.

What you want to do is set up the relay_domains and transport parameters. Something like:

    relay_domains = yourdomainname.com.au
    transport_maps = hash:/etc/postfix/transport

in main.cf and put in /etc/postfix/transport

    yourdomainname.com.au smtp:[192.168.0.143]

Again, remember to run

    postmap /etc/postfix/transport

Obviously you'll also have to adjust domain names and IP addresses as needed.

http://www.postfix.org/ has wonderful documentation available. There are also a lot of examples that you can learn from.

All the best.
Raphael

Howard Lowndes wrote:

> I have a Linux/Postfix server that accepts email from the Internet,
> performs filtering checks on the email and then forwards acceptable emails
> onto a Linux/Domino server on the local intranet. The Postfix checks are
> all being done by LDAP so I am able to see what is happening on the
> Linux/Postfix server. Postfix has the relayhost parameter set in main.cf to
> point to the Linux/Domino server so that emails are correctly forwarded on.
>
> I can see the Linux/Postfix server doing all the checks that I have
> specified in main.cf. These include:
>
>     smtpd_client_restrictions
>     smtpd_helo_restrictions
>     smtpd_sender_restrictions
>     smtpd_recipient_restrictions
>
> However, the smtpd_recipient_restrictions appear to be failing safe with a
> default DUNNO result rather than a default REJECT result. The same checks,
> when not used in conjunction with a relayhost setting appear to default
> fail as REJECT rather than DUNNO.
>
> Am I right in assuming that the use of the relayhost parameter is causing
> this change in default behaviour, and how is the best way to fix it?
Re: [SLUG] Postfix/SASL issue on ubuntu
How is your saslauthd running ? My working one is running like so:

    server:/var/run/saslauthd# ps ax | grep sasl
    3352 ?  Ss  0:00 /usr/sbin/saslauthd -a pam
    3354 ?  S   0:00 /usr/sbin/saslauthd -a pam
    3355 ?  S   0:00 /usr/sbin/saslauthd -a pam
    3356 ?  S   0:00 /usr/sbin/saslauthd -a pam
    3357 ?  S   0:00 /usr/sbin/saslauthd -a pam

On Fri, 13 Apr 2007 09:47:05 pm Tony Green wrote:

> I resorted to some stracing and found that it looks like it's not able to
> file /var/run/saslauthd/mux, however it's there and the saslauthd is running
>
>     8652 read(12, AUTH PLAIN xxx\r..., 4096) = 33
>     8652 gettimeofday({1176464431, 158663}, NULL) = 0
>     8652 socket(PF_FILE, SOCK_STREAM, 0) = 14
>     8652 connect(14, {sa_family=AF_FILE, path=/var/run/saslauthd/mux}, 110) = -1 ENOENT (No such file or directory)
>     8652 close(14) = 0
>     8652 time(NULL)= 1176464431
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 send(7, 20Apr 13 21:40:31 postfix/smtp..., 140, MSG_NOSIGNAL) = 140
>     8652 time(NULL)= 1176464431
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 send(7, 20Apr 13 21:40:31 postfix/smtp..., 107, MSG_NOSIGNAL) = 107
>     8652 time(NULL)= 1176464431
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
>     8652 send(7, 20Apr 13 21:40:31 postfix/smtp..., 148, MSG_NOSIGNAL) = 148
>     8652 time(NULL)= 1176464431
>     8652 select(13, NULL, [12], [12], {300, 0}) = 1 (out [12], left {300, 0})
>     8652 write(12, 535 5.7.0 Error: authentication ..., 57) = 57
>     8652 gettimeofday({1176464431, 160965}, NULL) = 0
>
>     /var/run/saslauthd# ls -ltr
>     total 4
>     -rw--- 1 root root 5 2007-04-13 21:22 saslauthd.pid
>     -rw--- 1 root root 0 2007-04-13 21:22 mux.accept
>     srwxrwxrwx 1 root root 0 2007-04-13 21:22 mux
>
>     # ps -ef | egrep sasl
>     root 8160 1 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>     root 8161 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>     root 8162 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>     root 8163 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>     root 8164 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>
> Going to do some more comparison on the old server, but thought this might
> shed more light on the matter.

--
Regards
David Ward
Re: [SLUG] Postfix/SASL issue on ubuntu
PS I am running Debian Sarge though

On Fri, 13 Apr 2007 09:47:05 pm Tony Green wrote:

> I resorted to some stracing and found that it looks like it's not able to
> file /var/run/saslauthd/mux, however it's there and the saslauthd is running
>
> [...]
>
> Going to do some more comparison on the old server, but thought this might
> shed more light on the matter.

--
Regards
David Ward
Re: [SLUG] Postfix/SASL issue on ubuntu
Yes

On 14/04/2007, at 10:53 PM, David Ward wrote:

> How is your saslauthd running ? My working one is running like so:
>
>     server:/var/run/saslauthd# ps ax | grep sasl
>     3352 ?  Ss  0:00 /usr/sbin/saslauthd -a pam
>     3354 ?  S   0:00 /usr/sbin/saslauthd -a pam
>     3355 ?  S   0:00 /usr/sbin/saslauthd -a pam
>     3356 ?  S   0:00 /usr/sbin/saslauthd -a pam
>     3357 ?  S   0:00 /usr/sbin/saslauthd -a pam
>
> On Fri, 13 Apr 2007 09:47:05 pm Tony Green wrote:
>
>> I resorted to some stracing and found that it looks like it's not able to
>> file /var/run/saslauthd/mux, however it's there and the saslauthd is
>> running
>>
>>     # ps -ef | egrep sasl
>>     root 8160 1 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>>     root 8161 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>>     root 8162 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>>     root 8163 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>>     root 8164 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
>>
>> Going to do some more comparison on the old server, but thought this
>> might shed more light on the matter.
>
> --
> Regards
> David Ward
Re: [SLUG] Postfix/SASL issue on ubuntu
On 13/04/2007, at 3:10 PM, Sonia Hamilton wrote:

> If you feel it isn't reading the conf file, could it be errors related to
> postfix chrooting? On my server I do this in /etc/fstab, so postfix can
> access saslauthd:

Hey Sonia, thanks for the reply.

I've tried it both chrooted and none-chrooted, same result with both (the old server ISN'T, but I get the same results on the new server chroot or no chroot)

It's only a hunch that it's not reading the smtpd.conf, not sure where postfix gets it list of auth mechs from if it's not in there.

> Also, is postfix a member of the sasl group?

Yep

    #egrep sasl /etc/group
    sasl:x:45:postfix

Any other ideas?
Re: [SLUG] Postfix/SASL issue on ubuntu
I resorted to some stracing and found that it looks like it's not able to find /var/run/saslauthd/mux, however it's there and the saslauthd is running

    8652 read(12, AUTH PLAIN xxx\r..., 4096) = 33
    8652 gettimeofday({1176464431, 158663}, NULL) = 0
    8652 socket(PF_FILE, SOCK_STREAM, 0) = 14
    8652 connect(14, {sa_family=AF_FILE, path=/var/run/saslauthd/mux}, 110) = -1 ENOENT (No such file or directory)
    8652 close(14) = 0
    8652 time(NULL)= 1176464431
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 send(7, 20Apr 13 21:40:31 postfix/smtp..., 140, MSG_NOSIGNAL) = 140
    8652 time(NULL)= 1176464431
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 send(7, 20Apr 13 21:40:31 postfix/smtp..., 107, MSG_NOSIGNAL) = 107
    8652 time(NULL)= 1176464431
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 stat64(/etc/localtime, {st_mode=S_IFREG|0644, st_size=785, ...}) = 0
    8652 send(7, 20Apr 13 21:40:31 postfix/smtp..., 148, MSG_NOSIGNAL) = 148
    8652 time(NULL)= 1176464431
    8652 select(13, NULL, [12], [12], {300, 0}) = 1 (out [12], left {300, 0})
    8652 write(12, 535 5.7.0 Error: authentication ..., 57) = 57
    8652 gettimeofday({1176464431, 160965}, NULL) = 0

    /var/run/saslauthd# ls -ltr
    total 4
    -rw--- 1 root root 5 2007-04-13 21:22 saslauthd.pid
    -rw--- 1 root root 0 2007-04-13 21:22 mux.accept
    srwxrwxrwx 1 root root 0 2007-04-13 21:22 mux

    # ps -ef | egrep sasl
    root 8160 1 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
    root 8161 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
    root 8162 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
    root 8163 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam
    root 8164 8160 0 21:22 ? 00:00:00 /usr/sbin/saslauthd - a pam

Going to do some more comparison on the old server, but thought this might shed more light on the matter.
[SLUG] Postfix/SASL issue on ubuntu
Sluggers,

I've got an issue trying to get SMTP auth working on a 6.10 ubuntu server. I've got it working on 6.06, but I'm banging my head against a wall trying it in 6.10.

Basically, I get

    535 5.7.0 Error: authentication failed: authentication failure

when I try to authenticate using SMTP AUTH

My initial feeling is that SASL isn't reading the /etc/postfix/sasl/smtpd.conf. I've set that file to:

    pwcheck_method: saslauthd
    mech_list: plain login

However, when I check through telnet, I see: 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5, whereas on the working (6.06) server I see only PLAIN and LOGIN.

I've double checked all settings that I can think of, I've copied smtpd.conf into /usr/lib/sasl2 (strings on /usr/lib/libsasl.so.2). I've verified the locations specified in main.cf. A manual check of sasl (testsaslauthd) works fine with the same user

    # /etc/default/saslauthd
    # This needs to be uncommented before saslauthd will be run automatically
    START=yes
    # You must specify the authentication mechanisms you wish to use.
    # This defaults to pam for PAM support, but may also include
    # shadow or sasldb, like this:
    # MECHANISMS=pam shadow
    MECHANISMS=pam

    # main.cf
    egrep 'sasl|tls' /etc/postfix/main.cf
    smtpd_sasl_auth_enable = yes
    #smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
    #smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_path = /etc/postfix/sasl
    smtpd_tls_cert_file = /etc/postfix/cert.pem
    smtpd_tls_key_file = /etc/postfix/privkey.pem
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    tls_daemon_random_source = dev:/dev/urandom

Cluesticks welcome, I know now why I love sendmail so much :-)

-- Tony Green [EMAIL PROTECTED]
Re: [SLUG] Postfix/SASL issue on ubuntu
* On Fri, Apr 13, 2007 at 02:38:53PM +1000, Tony Green wrote:
> I've got an issue trying to get SMTP auth working on a 6.10 ubuntu server. I've got it working on 6.06, but I'm banging my head against a wall trying it in 6.10.
>
> Basically, I get 535 5.7.0 Error: authentication failed: authentication failure when I try to authenticate using SMTP AUTH
>
> My initial feeling is that SASL isn't reading the /etc/postfix/sasl/smtpd.conf. I've set that file to:
>
>     pwcheck_method: saslauthd
>     mech_list: plain login

If you feel it isn't reading the conf file, could it be errors related to postfix chrooting? On my server I do this in /etc/fstab, so postfix can access saslauthd:

    /var/run/saslauthd  /var/spool/postfix/var/run/saslauthd  none  rw,bind  0 0

Also, is postfix a member of the sasl group?

    $ grep sasl /etc/group
    sasl:!:45:smmta,smmsp,postfix

-- Sonia Hamilton | GNU/Linux - 'free' as in | free speech, not free beer.
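The chroot explanation suggested in this thread can be checked mechanically. The following is an added example, not code from any poster or from the Postfix project: it reads the chroot column of master.cf for every smtpd service and reports which host path the saslauthd socket must exist at. The master.cf text and the set of existing paths are constructed sample data, the function names are hypothetical, and the default for a "-" in the chroot column is passed in because it differs between Postfix versions.

```python
"""Added example: where must the saslauthd socket live for a chrooted smtpd?"""
import posixpath

# Constructed sample master.cf (not taken from the thread).
SAMPLE_MASTER_CF = """
# service  type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup     fifo  n       -       -       60      1       pickup
"""


def smtpd_chroot_flags(master_cf_text, default_chroot=True):
    """Return {"service/type": bool} for every master.cf entry that runs smtpd.

    Columns: service type private unpriv chroot wakeup maxproc command.
    A "-" in the chroot column means "use the default": yes before
    Postfix 3.0, no from 3.0 onward, so the caller says which applies.
    """
    flags = {}
    for raw in master_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():          # continuation line such as "  -o name=value"
            continue
        fields = raw.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        chroot = fields[4]
        flags[f"{fields[0]}/{fields[1]}"] = (
            default_chroot if chroot == "-" else chroot == "y"
        )
    return flags


def host_path_seen_by_smtpd(socket_path, chrooted,
                            queue_directory="/var/spool/postfix"):
    """Translate the path smtpd connect()s to into the real path on the host."""
    if not chrooted:
        return socket_path
    return posixpath.join(queue_directory, socket_path.lstrip("/"))


def diagnose(master_cf_text, socket_path, existing_paths,
             default_chroot=True, queue_directory="/var/spool/postfix"):
    """Return (service, chrooted, host_path_needed, present) per smtpd service.

    existing_paths is a set of host paths known to exist; on a live host
    build it with os.path.exists() instead of the constructed set used here.
    """
    findings = []
    flags = smtpd_chroot_flags(master_cf_text, default_chroot)
    for service, chrooted in sorted(flags.items()):
        needed = host_path_seen_by_smtpd(socket_path, chrooted, queue_directory)
        findings.append((service, chrooted, needed, needed in existing_paths))
    return findings


if __name__ == "__main__":
    # Situation from the strace post: the socket exists only outside the chroot.
    outside_only = {"/var/run/saslauthd/mux"}
    for row in diagnose(SAMPLE_MASTER_CF, "/var/run/saslauthd/mux", outside_only):
        print(row)
```

A service reported as chrooted with `present` false reproduces the ENOENT on connect() seen in the strace output, even though the socket is visible from a root shell.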
Re: [SLUG] Postfix, LDAP, NFS, virtual domains, Mailman, et al
On 21/02/07, Howard Lowndes [EMAIL PROTECTED] wrote: An even further alternative thinking might be to not NFS mount anything anywhere, but to have Postfix on the mail server relay all inbounds to the mailing lists on the mail server directly to the MTA on the web server. Does that all make sense, and is it likely to work? Without personal experience with this, the above is closest to what I was thinking about while reading your message - let the virtual transport do its stuff and wherever it transports its message to will forward mailing-list stuff to mailman, as if there is no virtual involved in the chain. Not even sure it makes sense on the detailed level but it's a simple break down the problem to manageble bits approach on the logical level at least... (also I'm generally suspicious of NFS, especially where mail is involved). Hope this gives you some useful perspective. Cheers, --Amos -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix experts
Hi can anybody suggest a reason for this? If it is timing can postfix be told to wait-longer? Of course mostly it works correctly

thanks
James

    Jan 4 13:04:03 server postfix/smtpd[17455]: NOQUEUE: reject: RCPT from unknown[202.14.131.60]: 450 Client host rejected: cannot find your hostname, [202.14.131.60]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=wrcmail.wagr.wa.gov.au

    [server] /home/jam [905]% dig -x 202.14.131.60
    ; DiG 9.3.1 -x 202.14.131.60
    ;; global options: printcmd
    ;; Got answer:
    ;; -HEADER- opcode: QUERY, status: NOERROR, id: 5697
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;60.131.14.202.in-addr.arpa.IN PTR
    ;; ANSWER SECTION:
    60.131.14.202.in-addr.arpa. 6724 IN PTR PC0.wagr.wa.gov.au.
    ;; AUTHORITY SECTION:
    131.14.202.in-addr.arpa. 6724 IN NS karri.bs.wa.gov.au.
    131.14.202.in-addr.arpa. 6724 IN NS mulga.bs.wa.gov.au.
    ;; Query time: 1 msec
    ;; SERVER: 192.168.17.254#53(192.168.17.254)
    ;; WHEN: Thu Jan 4 13:11:52 2007
    ;; MSG SIZE rcvd: 119
Re: [SLUG] Postfix experts
On Thursday 04 January 2007 13:17, you wrote: On 1/4/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi can anybody suggest a reason for this? If it is timing can postfix be told to wait-longer? Of course mostly it works correctly thanks James Jan 4 13:04:03 server postfix/smtpd[17455]: NOQUEUE: reject: RCPT from unknown[202.14.131.60]: 450 Client host rejected: cannot find your hostname, [202.14.131.60]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=wrcmail.wagr.wa.gov.au I might be wrong, but I believe the following; The mail server on the other end gave the error 450 Client host rejected: cannot find your hostname to your mail server, so it appears however that server does lookups to determine hostname cannot resolve your ip to host/domain name. Sure as you prooved you can look this up fine, but the problem is with the other end doing the same thing. Anyone agree with this... Michael thanks this is the error logged at destination saying unable to find source (wa.gov.au) machine which DOES exist. The puzzle it it mostly works, but intermittently fails Hmmm your latest letter makes sense! James -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix experts
On 1/4/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Michael thanks this is the error logged at destination saying unable to find source (wa.gov.au) machine which DOES exist. The puzzle it it mostly works, but intermittently fails Hmmm your latest letter makes sense! I reckon if you have the hostname resolve to ip and the ip resolve to hostname.. ie.. correctly configure forward and reverse dns lookups. It will probably end up working no problem.. seems odd your forward lookups don't work. Guess you better fix that. Thanks -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix experts
On 1/4/07, Michael Fox [EMAIL PROTECTED] wrote: On 1/4/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi can anybody suggest a reason for this? If it is timing can postfix be told to wait-longer? Of course mostly it works correctly thanks James Jan 4 13:04:03 server postfix/smtpd[17455]: NOQUEUE: reject: RCPT from unknown[202.14.131.60]: 450 Client host rejected: cannot find your hostname, [202.14.131.60]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=wrcmail.wagr.wa.gov.au I might be wrong, but I believe the following; The mail server on the other end gave the error 450 Client host rejected: cannot find your hostname to your mail server, so it appears however that server does lookups to determine hostname cannot resolve your ip to host/domain name. Sure as you prooved you can look this up fine, but the problem is with the other end doing the same thing. Anyone agree with this... And to further follow up, it appears I too can look up your ip to your hostname, but it don't work the opposite way.. # nslookup 202.14.131.60 Name:PC0.wagr.wa.gov.au Address: 202.14.131.60 # nslookup PC0.wagr.wa.gov.au ... and this fails... might be a cause of the problem.. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
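The forward and reverse lookups compared by hand in this thread can be run as one check. This is an added example, not code from the thread or from Postfix: it assumes the receiving server applies the usual forward-confirmed reverse DNS test (PTR exists, the PTR name resolves, and it resolves back to the client address). The function names are hypothetical, and the lookup tables are constructed from the dig and nslookup results quoted above.

```python
"""Added example: forward-confirmed reverse DNS check behind
'Client host rejected: cannot find your hostname'."""
import socket


def classify_client(ip, ptr_lookup, addr_lookup):
    """Return (client_name, reason).

    ptr_lookup(ip) -> hostname or None; addr_lookup(name) -> list of addresses.
    client_name is "unknown" unless the PTR name resolves back to the same
    address, which is how the rejected client appears in the log line above.
    """
    name = ptr_lookup(ip)
    if name is None:
        return ("unknown", "no-ptr")
    name = name.rstrip(".").lower()
    addresses = addr_lookup(name)
    if not addresses:
        return ("unknown", "no-forward")
    if ip not in addresses:
        return ("unknown", "mismatch")
    return (name, "ok")


def table_resolvers(ptr_table, addr_table):
    """Build offline resolver functions from two dicts (for testing)."""
    def ptr_lookup(ip):
        return ptr_table.get(ip)

    def addr_lookup(name):
        return addr_table.get(name.rstrip(".").lower(), [])
    return ptr_lookup, addr_lookup


def live_ptr(ip):
    """PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_addrs(name):
    """Address lookup through the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


# Constructed from the thread: the PTR answer exists, the forward lookup failed.
THREAD_PTR = {"202.14.131.60": "PC0.wagr.wa.gov.au."}
THREAD_ADDR = {}

if __name__ == "__main__":
    ptr, fwd = table_resolvers(THREAD_PTR, THREAD_ADDR)
    print(classify_client("202.14.131.60", ptr, fwd))
    # On a live host: classify_client(ip, live_ptr, live_addrs)
```

Because DNS answers can time out, running the live variant several times against the resolver the mail server actually uses helps separate an intermittent lookup failure from a permanently missing record.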
[SLUG] postfix error cannot finx your hostname
I occasionally get errors from my postfix mail server like this: [EMAIL PROTECTED]: connect to mx.bar.com[1.2.3.4]: server refused to talk to me: 591 5.7.1 Client host rejected: cannot find your hostname, [203.57.122.98] I presume this is because I don't have a PTR dns record setup for my mail server. If so, would I ask for this to be configured with my isp or with apnic, or would I ask my isp to delegate control of the reverse mapping info to me? The netblock delegated to me is 203.57.122.96/27. -- Sonia Hamilton. GPG key A8B77238. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix error cannot finx your hostname
* On Tue, Jan 02, 2007 at 12:30:30PM +1100, Howard Lowndes wrote: Guilty. Didn't want to point the bone in my email :-) You'll need to talk to whoever has the in-addr.arpa zone for your IP block (most likely your ISP) about getting PTR records inserted. Am doing now. It's also probably also happening because you are not culling CC: addresses in your responses to the SLUG list. No, I use the list-reply feature of mutt (L). Thanks for your help. When you want a computer system that works, just choose Linux; When you want a computer system that works, just, choose Microsoft. Nice sig. -- Sonia Hamilton. GPG key A8B77238. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix error cannot finx your hostname
* On Tue, Jan 02, 2007 at 01:59:29PM +1100, Howard Lowndes wrote: It's also probably also happening because you are not culling CC: addresses in your responses to the SLUG list. No, I use the list-reply feature of mutt (L). I don't know mutt, but my guess is that it's doing a reply-all. No, the list-reply features just replies to the mail-list; it doesn't do a reply all. I got this errors from your server when doing an offlist thankyou for some pointer you gave me :-) The (munged) headers on the previous email were: From soniaXXsnowfrog.net Tue Jan 2 13:35:58 2007 Date: Tue, 2 Jan 2007 13:35:58 +1100 From: Sonia Hamilton soniaXXsnowfrog.net To: slugXXslug.org.au Subject: ... -- Sonia Hamilton. GPG key A8B77238. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix configuration help needed
Hi all,

I'm trying to configure postfix on a new machine at home to replace an old installation of sendmail on another machine. I want the new machine to be the outgoing mail server for the LAN and to masquerade addresses in my domain, exactly as sendmail is already doing. The mail server for my domain is elsewhere, so this new server should forward all mail for the domain (except those directly addressed to LAN hosts) to the external mail server.

I've almost got it, but there's one thing I can't get to work and that's correct handling of mail addressed to root. I want mail to root, [EMAIL PROTECTED] and [EMAIL PROTECTED] to be delivered locally, but [EMAIL PROTECTED] needs to be forwarded to the external mail server. I've only been able to make it forward all variations of root to the external server, or deliver them all locally.

I'm using postfix 2.2.4-1ubuntu2.1 on breezy. Here are the relevant bits of my main.cf:

    append_dot_mydomain = no
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = dropbear.kirriwa.net, localhost.localdomain, localhost, localhost.kirriwa.net
    relay_domains = kirriwa.net
    relayhost = mail.internode.on.net
    mynetworks = 127.0.0.0/8, 192.168.42.0/24
    virtual_alias_maps = hash:/etc/postfix/virtual
    masquerade_domains = kirrwa.net
    masquerade_exceptions = root

/etc/mailname contains:

    kirriwa.net

/etc/aliases contains:

    root: [EMAIL PROTECTED]
    clamav: root

/etc/postfix/virtual contains:

    root[EMAIL PROTECTED]

I've tried with without masquerade_exceptions, with without virtual_alias_maps, but I can't make it do what I want. I either get mail to root delivered externally, or mail to [EMAIL PROTECTED] delivered locally.

Is there a postfix guru out there who can whack me with the appropriate cluestick?

Thanks,
John

-- Wow. They've got you both coming *and* going, eh mate? Yep. That's why semen is white and urine is yellow. That way, the soccer/football fans can tell whether they're coming or going.
-- Mike Andrews
[SLUG] Postfix query
This is a dumb postfix question that I should be able to answer, but can't. If I have a virtual mail domain of, say, example.com.au, then how do I get emails addressed to, say, [EMAIL PROTECTED] or [EMAIL PROTECTED] to be directed into the virtual mailbox .../example.com.au/fred I'm using virtual_mailbox_domains rather than virtual_alias_domains as fred does not have a UNIX account. -- Howard LANNet Computing Associates http://lannet.com.au When you want a computer system that works, just choose Linux; When you want a computer system that works, just, choose Microsoft. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] postfix and SRS (used with SPF filtering)
I've done some experimenting and have found a short-term workaround for not having SRS support in postfix for the SLUG machine. This affects those SLUG members who've got [EMAIL PROTECTED] email addresses and who use SPF to verify the host of the domain of the sender of an email. The workaround is to specify delivery via procmail for each user concerned and have a procmail recipe. I just did some limited testing with my account. Please, if somebody has limited their permitted sender hosts to specific hosts send me an email via [EMAIL PROTECTED], NOT THE LIST, and I'll reply to test it. -- ---GRiP--- Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist, Linux Guru, SLUG President, AUUG and Linux Australia member, Sydney Flashmobber, Tenpin Bowler, BMX rider, Walker, Raver rave music lover, Big kid that refuses to grow up. I'd make a good family pet, take me home today! Some people actually read these things it seems. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] postfix
I'm used to setting up qmail. I found some references on setting up postfix from postfix.org. However some references are better than others. Does anybody know a good reference for setting up a decent postfix server for a postfix newbe? (decent Imean spam filter, virus et al) I tried to find Jeffs talk from a few onths ago I'm sure it is on the SLUG site somewhere. Rgards, Ashley -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix
ashley maher wrote: I found some references on setting up postfix from postfix.org. However some references are better than others. Does anybody know a good reference for setting up a decent postfix server for a postfix newbe? (decent Imean spam filter, virus et al) there are a few guides around. search for howto postfix spamassasin clamav etc or amavisd-new. depends on your distro choice dave -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix
quote who=ashley maher I'm used to setting up qmail. I found some references on setting up postfix from postfix.org. However some references are better than others. Does anybody know a good reference for setting up a decent postfix server for a postfix newbe? (decent Imean spam filter, virus et al) I've used the actual postfix docs from postfix.org, then, Jim Seymor's sp? anti UCE how-to, postfixadmin, MySQL, later added amavisd-new, most of the docs are referenced on postfix.org. postfix ml is also invaluable all the docs I've used are referenced on postfix.org even though I didn't understand most of the docs, it didn't stop postfix from working, setting it up turned out simpler than I feared courier-imap, postfixadmin, MySQL, amavisd-new, clamav bdc is what I've used with it -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix, IMAP, Lotus Notes, Evolution OfflineIMAP
At Sun, 7 Aug 2005 19:28:57 +1000, steven wrote: 2. With the Lotus Notes client running in IMAP mode I can create emails offline. When I sync the client with the server the server will send out any unsent emails. Copies of sent mails are thus filed in the main server sent folder or as directed by the user. [...] is there an OSS client that would allow me to do this? My MUA, wanderlust can do this. -- - Gus -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix, IMAP, Lotus Notes, Evolution OfflineIMAP
Our current email setup at work is Postfix on firewall running spamassassin across all incoming emails, dropping emails for unknown local users and forwarding what remains via SMTP to the local Notes Domino server (running on RedHat 9). I am trying to gradually phase out Notes. I am looking to replace it with a local IMAP server and use OfflineIMAP to allow users to synchronise their mail to laptops and the like. They will probably use Evolution as their client. This combination of tools looks like it will provide the functionality they are used to (except for problem 2 below). For the moment I will have 2 systems. New users will get the new system. Old users will be phased accross as they need new equipment (or any oher excuse I can think of such as when they break something and I have to fix it) I have been fiddling with this for a while now and have a few problems and am looking for any suggestions. 1. At the moment I use an entry in the transport file for Postfix to direct all mail for our domain to the Notes server. I need to be able to this by user but can't see how it is done. Transport seems only to accept domains. Can postfix do this,and if so, how? 2. With the Lotus Notes client running in IMAP mode I can create emails offline. When I sync the client with the server the server will send out any unsent emails. Copies of sent mails are thus filed in the main server sent folder or as directed by the user. Evolution seems to insist on either an SMTP server or sendmail. This will not create a sent mail copy in the main server IMAP store but will store it on the machine the user happened to be using when they sent the email. Is there a way round this? If not, is there an OSS client that would allow me to do this? Thank you and regards Steven -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix, IMAP, Lotus Notes, Evolution OfflineIMAP
quote who=[EMAIL PROTECTED] 1. At the moment I use an entry in the transport file for Postfix to direct all mail for our domain to the Notes server. I need to be able to this by user but can't see how it is done. Transport seems only to accept domains. Can postfix do this,and if so, how? How about aliases? [EMAIL PROTECTED] - [EMAIL PROTECTED] where poo is the notes server. 2. With the Lotus Notes client running in IMAP mode I can create emails offline. When I sync the client with the server the server will send out any unsent emails. Copies of sent mails are thus filed in the main server sent folder or as directed by the user. Evolution seems to insist on either an SMTP server or sendmail. This will not create a sent mail copy in the main server IMAP store but will store it on the machine the user happened to be using when they sent the email. Is there a way round this? If not, is there an OSS client that would allow me to do this? Hrm. I know of some really whackass hacks some people use to do this with, say, mutt and imap, but nothing approaching sanity (or supported properly in the client). - Jeff -- EuroOSCON: October 17th-20thhttp://conferences.oreillynet.com/eurooscon/ In addition to these ample facilities, there exists a powerful configuration tool called gcc. - Elliot Hughes, author of lwm -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] postfix + sasl smtp auth
hi

just having a problem with postfix and sasl smtp auth. system is debian stable with postfix from backports.org

sasl v1 is installed: libsasl7 sasl-bin libsasl-modules-plain libsasl-digestmd5-plain

relevant bits of main.cf:

    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_authenticated_header = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_application_name = smtpd
    smtpd_sasl_path = /etc/postfix/sasl,/usr/lib/sasl
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd

/etc/postfix/sasl/smtpd.conf:

    pwcheck_method: pwcheck
    mech_list: plain login

postfix is loading the libs. strace output:

    open(/etc/postfix/sasl/smtpd.conf, O_RDONLY) = 10
    open(/etc/postfix/sasl, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 10
    open(/usr/lib/sasl, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 10
    open(/usr/lib/sasl/libdigestmd5.so, O_RDONLY) = 25
    open(/etc/sasldb, O_RDONLY) = 25
    open(/usr/lib/sasl/libcrammd5.so, O_RDONLY) = 25
    open(/usr/lib/sasl/libanonymous.so, O_RDONLY) = 25
    open(/usr/lib/sasl/libplain.so, O_RDONLY) = 25
    open(/usr/lib/sasl/liblogin.so, O_RDONLY) = 25

but when i connect it doesn't offer AUTH. telnet HOST 25 output:

    220 HOST ESMTP Postfix
    ehlo CLIENT
    250-HOST
    250-PIPELINING
    250-SIZE 1024
    250-ETRN
    250-STARTTLS
    250 8BITMIME

any ideas?

cheers
marty
Re: [SLUG] postfix with TLS/SASL on debian woody
O Plameras wrote: I assume SMTP AUTH is now working. no, but I've run out of time now, will have to play with it again at a later date. thanks for your efforts anyway. Dave. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix with TLS/SASL on debian woody
Michael Fox wrote:
> On 5/6/05, David Fitch [EMAIL PROTECTED] wrote:
> > do you mean mynetworks? as I said, it receives mail on all interfaces so that's not it.
>
> mynetworks relates to which hosts are allowed to use this smtp server.. ie. relay control. It doesn't relate to what interfaces the smtp will listen on. Populate the mynetworks variable and see how you go. Mail servers that allow open relay = bad. Google the reasons why.

This is why SMTP AUTH is excellent. When anybody wishes to use a mail-server to send emails, that person is challenged with username/password combination. Then, emails could be sent only, once the user is authenticated.

SMTP AUTH is based on username/password combination and not on IP address which was the prevalent authentication for SMTP during the early days of the Internet.

I can say in my 'main.cf' under postfix,

    # which will allow any IP address to
    # connect to my smtp-server
    inet_interfaces=all
    # but process all smtp connections
    # thru SASL AUTH
    smtpd_sasl_auth_enable=yes
    # and then allow only valid users
    # to send out emails
    smtpd_use_tls=yes
    smtpd_tls_auth_only=yes
Re: [SLUG] postfix with TLS/SASL on debian woody
On Sat, 2005-05-07 at 01:55, O Plameras wrote: In the Postfix RPM distribution, as far as I know, config for inet_interfaces defaults to 'localhost',i.e, 'inet_interfaces=localhost'. debian have their own (sensible) defaults, but I've put it in to see if it makes any difference. Well it has been pointed that without 'SMTP AUTH' you have an open-relay when inet_interfaces is left out, which is very bad as pointed out by another poster. it's not an open relay, for one it would be in all the blacklists after this many years. As I said, it's a fully working mail server, I'm just trying to add smtp authentication to it. Dave. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix with TLS/SASL on debian woody
O Plameras wrote:
> What does this show when you do this on your postfix server ?

the AUTH stuff is there:

    $ telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail ESMTP Postfix
    ehlo localhost
    250-mail
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
    250-AUTH=LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
    250 8BITMIME
    quit
    221 Bye
    Connection closed by foreign host.

Dave.
Re: [SLUG] postfix with TLS/SASL on debian woody
David Fitch wrote:
> O Plameras wrote:
> > What does this show when you do this on your postfix server ?
>
> the AUTH stuff is there:
>
>     $ telnet localhost 25
>     Trying 127.0.0.1...
>     Connected to localhost.
>     Escape character is '^]'.
>     220 mail ESMTP Postfix
>     ehlo localhost
>     250-mail
>     250-PIPELINING
>     250-SIZE 1024
>     250-VRFY
>     250-ETRN
>     250-STARTTLS
>     250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
>     250-AUTH=LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
>     250 8BITMIME
>     quit
>     221 Bye
>     Connection closed by foreign host.

The above listings just confirm that your OPENSSL and CYRUS-SASL2 are working correctly. Now you just concentrate on setting up postfix. You just need to change a few things in your postfix setup. The ff. are the suggested configurations:

1. smtp.conf may have:

    pwcheck_method:saslauthd
    mech_list: plain login

2. /etc/default/saslauthd shall have:

    <snipped>
    MECHANISMS=shadow
    </snipped>

3. /etc/postfix/main.cf shall have the ff:

    mydomain=yourdomain
    myhostname=yourhostname
    mynetworks=192.168.1.0/24,127.0.0.0/8
    alias_maps=hash:/etc/postfix/aliases
    alias_database=hash:/etc/postfix/aliases
    #
    # enable sasl support
    smtpd_sasl_auth_enable=yes
    smtpd_sasl_security_options=noanonymous
    smtpd_sasl_local_domain=$myhostname
    broken_sasl_auth_clients=yes
    # search for relay_domains, then add
    smtpd_recipient_restrictions=
        permit_sasl_authenticated,
        permit_mynetworks,
        check_relay_domains
    # tls support
    smtpd_use_tls=yes
    smtpd_tls_auth_only=yes
    smtpd_tls_cert_file=/etc/postfix/servercrt.pem
    smtpd_tls_key_file=/etc/postfix/serverkey.pem
    smtpd_tls_CAfile=/etc/postfix/cacert.pem
    smtpd_tls_loglevel=3
    smtpd_tls_received_header=yes
    smtpd_tls_session_cache_timeout=3600s
    tls_random_source=dev:/dev/urandom

The above setup will show this. # telnet localhost 25; ehlo localhost, will show:

    [EMAIL PROTECTED] RPMS]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    220 hdtv.noy.com.au ESMTP Postfix
    ehlo hdtv
    250-hdtv.noy.com.au
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250 8BITMIME

I can comment out

    # smtpd_tls_auth_only=yes

and 'telnet localhost 25' and 'ehlo localhost' will show:

    [EMAIL PROTECTED] RPMS]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    220 hdtv.noy.com.au ESMTP Postfix
    ehlo hdtv
    250-hdtv.noy.com.au
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME

I setup postfix, TLS, and SASL this morning to test.

BTW, I am using TLS and SASL on sendmail-MTA in my network. I find it easier to set-up and maintain compared to postfix because I have to deal with only one file to re-configure. This file is 'sendmail.mc'.

Have fun.

O Plameras
Re: [SLUG] postfix with TLS/SASL on debian woody
I received an email asking how do I check if TLS/PLAIN auth works since there are several mail clients with various setup procedures. So, it is difficult to tell if it is the mail client that is not working or it is the postfix setup that has a problem.

To separate any problem with mail-clients from mail-server, this is a procedure that I follow to test postfix smtp server (or sendmail smtp server):

create a test-user

    #useradd testuser
    #passwd testuser testpass

Create Base64 encoding for user/pass combination:

    #printf 'testuser\0testuser\0testpass' | mmencode
    dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3M=

    [EMAIL PROTECTED] mail]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 otr.noy.com.au ESMTP Sendmail 8.13.1/8.13.1; Thu, 5 May 2005 20:59:49+1000
    ehlo hdtv
    250-otr.noy.com.au Hello otr.noy.com.au [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    AUTH PLAIN dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3M=
    235 2.0.0 OK Authenticated

O Plameras wrote:
> David Fitch wrote:
> > O Plameras wrote:
> > > What does this show when you do this on your postfix server ?
> >
> > the AUTH stuff is there:
> >
> >     $ telnet localhost 25
> >     Trying 127.0.0.1...
> >     Connected to localhost.
> >     Escape character is '^]'.
> >     220 mail ESMTP Postfix
> >     ehlo localhost
> >     250-mail
> >     250-PIPELINING
> >     250-SIZE 1024
> >     250-VRFY
> >     250-ETRN
> >     250-STARTTLS
> >     250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
> >     250-AUTH=LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
> >     250 8BITMIME
> >     quit
> >     221 Bye
> >     Connection closed by foreign host.
>
> The above listings just confirm that your OPENSSL and CYRUS-SASL2 are working correctly. Now you just concentrate on setting up postfix. You just need to change a few things in your postfix setup. The ff. are the suggested configurations:
>
> 1. smtp.conf may have:
>
>     pwcheck_method:saslauthd
>     mech_list: plain login
>
> 2. /etc/default/saslauthd shall have:
>
>     <snipped>
>     MECHANISMS=shadow
>     </snipped>
>
> 3. /etc/postfix/main.cf shall have the ff:
>
>     mydomain=yourdomain
>     myhostname=yourhostname
>     mynetworks=192.168.1.0/24,127.0.0.0/8
>     alias_maps=hash:/etc/postfix/aliases
>     alias_database=hash:/etc/postfix/aliases
>     #
>     # enable sasl support
>     smtpd_sasl_auth_enable=yes
>     smtpd_sasl_security_options=noanonymous
>     smtpd_sasl_local_domain=$myhostname
>     broken_sasl_auth_clients=yes
>     # search for relay_domains, then add
>     smtpd_recipient_restrictions=
>         permit_sasl_authenticated,
>         permit_mynetworks,
>         check_relay_domains
>     # tls support
>     smtpd_use_tls=yes
>     smtpd_tls_auth_only=yes
>     smtpd_tls_cert_file=/etc/postfix/servercrt.pem
>     smtpd_tls_key_file=/etc/postfix/serverkey.pem
>     smtpd_tls_CAfile=/etc/postfix/cacert.pem
>     smtpd_tls_loglevel=3
>     smtpd_tls_received_header=yes
>     smtpd_tls_session_cache_timeout=3600s
>     tls_random_source=dev:/dev/urandom
>
> The above setup will show this. # telnet localhost 25; ehlo localhost, will show:
>
>     [EMAIL PROTECTED] RPMS]# telnet localhost 25
>     Trying 127.0.0.1...
>     Connected to localhost (127.0.0.1).
>     Escape character is '^]'.
>     220 hdtv.noy.com.au ESMTP Postfix
>     ehlo hdtv
>     250-hdtv.noy.com.au
>     250-PIPELINING
>     250-SIZE 1024
>     250-VRFY
>     250-ETRN
>     250-STARTTLS
>     250 8BITMIME
>
> I can comment out
>
>     # smtpd_tls_auth_only=yes
>
> and 'telnet localhost 25' and 'ehlo localhost' will show:
>
>     [EMAIL PROTECTED] RPMS]# telnet localhost 25
>     Trying 127.0.0.1...
>     Connected to localhost (127.0.0.1).
>     Escape character is '^]'.
>     220 hdtv.noy.com.au ESMTP Postfix
>     ehlo hdtv
>     250-hdtv.noy.com.au
>     250-PIPELINING
>     250-SIZE 1024
>     250-VRFY
>     250-ETRN
>     250-STARTTLS
>     250-AUTH PLAIN LOGIN
>     250-AUTH=PLAIN LOGIN
>     250 8BITMIME
>
> I setup postfix, TLS, and SASL this morning to test.
>
> BTW, I am using TLS and SASL on sendmail-MTA in my network. I find it easier to set-up and maintain compared to postfix because I have to deal with only one file to re-configure. This file is 'sendmail.mc'.
>
> Have fun.
>
> O Plameras
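The AUTH PLAIN test above and the effect of smtpd_tls_auth_only can both be shown in a few lines. This is an added example, not code from the thread: it builds and decodes the SASL PLAIN message (authorization id, NUL, authentication id, NUL, password, then base64) and checks an EHLO reply for PLAIN or LOGIN being offered before STARTTLS. The function names are hypothetical; the two EHLO samples are the replies quoted in the message above.

```python
"""Added example: SASL PLAIN token layout and a pre-STARTTLS AUTH check."""
import base64


def encode_plain(authcid, password, authzid=""):
    """Build the base64 argument for 'AUTH PLAIN': authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and may not appear in a field")
    message = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def decode_plain(token):
    """Reverse encode_plain(); base64 is an encoding, so no key is needed."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected three NUL-separated fields")
    return tuple(part.decode("utf-8") for part in parts)


def plaintext_mechs_offered(ehlo_reply):
    """Return the sorted password-revealing mechanisms advertised in an EHLO reply.

    Handles both '250-AUTH PLAIN LOGIN' and the legacy '250-AUTH=PLAIN LOGIN'
    form that broken_sasl_auth_clients=yes adds.
    """
    offered = set()
    for line in ehlo_reply.splitlines():
        keyword = line.strip()[4:]            # drop the "250-" or "250 " prefix
        if keyword.upper().startswith(("AUTH ", "AUTH=")):
            offered.update(mech.upper() for mech in keyword[5:].split())
    return sorted(offered & {"PLAIN", "LOGIN"})


# EHLO replies as quoted in the thread, before STARTTLS.
EHLO_TLS_AUTH_ONLY = """\
250-hdtv.noy.com.au
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME"""

EHLO_AUTH_IN_CLEAR = """\
250-hdtv.noy.com.au
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    token = encode_plain("testuser", "testpass", authzid="testuser")
    print(token)
    print(decode_plain(token))
    print(plaintext_mechs_offered(EHLO_TLS_AUTH_ONLY))
    print(plaintext_mechs_offered(EHLO_AUTH_IN_CLEAR))
```

An empty list for the pre-STARTTLS reply is the result to aim for on a server that accepts PLAIN or LOGIN, since the token decodes straight back to the password.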
Re: [SLUG] postfix with TLS/SASL on debian woody
O Plameras wrote:

The ff. are the suggested configurations:

1. smtp.conf may have:

    pwcheck_method:saslauthd
    mech_list: plain login

    # cat sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    #log_level: 7
    saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

2. /etc/default/saslauthd shall have:

    snipped
    MECHANISMS=shadow
    /snipped

    # cat /etc/default/saslauthd
    START=yes
    MECHANISMS=shadow
    PARAMS=-m /var/spool/postfix/var/run/saslauthd

3. /etc/postfix/main.cf shall have the ff:

    mydomain=yourdomain
    myhostname=yourhostname
    mynetworks=192.168.1.0/24,127.0.0.0/8

I have mynetworks commented out, so using the default as I want it to listen on all interfaces anyway (incl ippp0)

    alias_maps=hash:/etc/postfix/aliases
    alias_database=hash:/etc/postfix/aliases
    #
    # enable sasl support
    smtpd_sasl_auth_enable=yes
    smtpd_sasl_security_options=noanonymous
    smtpd_sasl_local_domain=$myhostname
    broken_sasl_auth_clients=yes
    # search for relay_domains, then add
    smtpd_recipient_restrictions= permit_sasl_authenticated, permit_mynetworks, check_relay_domains
    # tls support
    smtpd_use_tls=yes
    smtpd_tls_auth_only=yes
    smtpd_tls_cert_file=/etc/postfix/servercrt.pem
    smtpd_tls_key_file=/etc/postfix/serverkey.pem
    smtpd_tls_CAfile=/etc/postfix/cacert.pem
    smtpd_tls_loglevel=3
    smtpd_tls_received_header=yes
    smtpd_tls_session_cache_timeout=3600s
    tls_random_source=dev:/dev/urandom

got all that

The above setup will show this. # telnet localhost 25; ehlo localhost, will show:

    [EMAIL PROTECTED] RPMS]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    220 hdtv.noy.com.au ESMTP Postfix
    ehlo hdtv
    250-hdtv.noy.com.au
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250 8BITMIME

yep

I can comment out

    # smtpd_tls_auth_only=yes

and 'telnet localhost 25' and 'ehlo localhost' will show:

    [EMAIL PROTECTED] RPMS]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    220 hdtv.noy.com.au ESMTP Postfix
    ehlo hdtv
    250-hdtv.noy.com.au
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME

yep, except for me it's:

    AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5

I setup postfix, TLS, and SASL this morning to test. BTW, I am using TLS and SASL on sendmail-MTA in my network. I find it easier to set-up and maintain compared to postfix because I have to deal with only one file to re-configure. This file is 'sendmail.mc'.

I dislike sendmail and much prefer postfix, anyway...

the above settings all work, and my mailserver keeps functioning accepting normal mail and so on. Problem is I still can't relay through it remotely.

I dialed in via another ISP like as if I was on the road and trying to send mail out through my mailserver. Note I can connect with imaps and receive fine.

I'm using thunderbird, first I set the smtp server settings to use tls but didn't tick use name and passwd. errors are:

    May 5 21:01:12 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:01:29 gw postfix/smtpd[15992]: warning: support for restriction reject_maps_rbl will be removed from Postfix; use reject_rbl_client domain-name instead
    May 5 21:01:34 gw postfix/smtpd[15992]: warning: support for restriction check_relay_domains will be removed from Postfix; use reject_unauth_destination instead
    May 5 21:01:34 gw postfix/smtpd[15992]: NOQUEUE: reject: RCPT from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: 554 [EMAIL PROTECTED]: Recipient address rejected: Relay access denied; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=[203.217.6.209]
    May 5 21:01:43 gw postfix/smtpd[15992]: lost connection after RCPT from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:01:43 gw postfix/smtpd[15992]: disconnect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]

So then I ticked the use name and passwd box and entered my username davidf. It kept popping up a box asking for my passwd, which I entered. errors are:

    May 5 21:02:13 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:02:34 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
    May 5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:02:35 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
    May 5 21:02:39 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:02:39 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
    May 5 21:02:50 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
    May 5 21:02:51 gw postfix/smtpd[15992]: warning: SASL authentication
Re: [SLUG] postfix with TLS/SASL on debian woody
David Fitch wrote:

O Plameras wrote:

The ff. are the suggested configurations:

1. smtp.conf may have:

    pwcheck_method:saslauthd
    mech_list: plain login

    # cat sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    #log_level: 7
    saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

2. /etc/default/saslauthd shall have:

    snipped
    MECHANISMS=shadow
    /snipped

    # cat /etc/default/saslauthd
    START=yes
    MECHANISMS=shadow
    PARAMS=-m /var/spool/postfix/var/run/saslauthd

3. /etc/postfix/main.cf shall have the ff:

    mydomain=yourdomain
    myhostname=yourhostname
    mynetworks=192.168.1.0/24,127.0.0.0/8

I have mynetworks commented out, so using the default as I want it to listen on all interfaces anyway (incl ippp0)

    alias_maps=hash:/etc/postfix/aliases
    alias_database=hash:/etc/postfix/aliases
    #
    # enable sasl support
    smtpd_sasl_auth_enable=yes
    smtpd_sasl_security_options=noanonymous
    smtpd_sasl_local_domain=$myhostname
    broken_sasl_auth_clients=yes
    # search for relay_domains, then add
    smtpd_recipient_restrictions= permit_sasl_authenticated, permit_mynetworks, check_relay_domains
    # tls support
    smtpd_use_tls=yes
    smtpd_tls_auth_only=yes
    smtpd_tls_cert_file=/etc/postfix/servercrt.pem
    smtpd_tls_key_file=/etc/postfix/serverkey.pem
    smtpd_tls_CAfile=/etc/postfix/cacert.pem
    smtpd_tls_loglevel=3
    smtpd_tls_received_header=yes
    smtpd_tls_session_cache_timeout=3600s
    tls_random_source=dev:/dev/urandom

got all that

The above setup will show this. # telnet localhost 25; ehlo localhost, will show:

    [EMAIL PROTECTED] RPMS]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    220 hdtv.noy.com.au ESMTP Postfix
    ehlo hdtv
    250-hdtv.noy.com.au
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250 8BITMIME

yep

I can comment out

    # smtpd_tls_auth_only=yes

and 'telnet localhost 25' and 'ehlo localhost' will show:

    [EMAIL PROTECTED] RPMS]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
    220 hdtv.noy.com.au ESMTP Postfix
    ehlo hdtv
    250-hdtv.noy.com.au
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME

yep, except for me it's:

    AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5

This is strange. What displays here is controlled by 'smtp.conf' and '#smtpd_tls_auth_only=yes'.

    # cat sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login

AUTH PLAIN LOGIN should be listed and no more. I can't explain this. Something is wrong somewhere.

As a matter of fact, CRAM-MD5, GSSAPI, and DIGEST-MD5 shouldn't be used at all in your case because you are already using TLS. TLS and any one of these are mutually exclusive. You use TLS or one of these.

I setup postfix, TLS, and SASL this morning to test. BTW, I am using TLS and SASL on sendmail-MTA in my network. I find it easier to set-up and maintain compared to postfix because I have to deal with only one file to re-configure. This file is 'sendmail.mc'.

I dislike sendmail and much prefer postfix, anyway...

the above settings all work, and my mailserver keeps functioning accepting normal mail and so on. Problem is I still can't relay through it remotely.

I think it is your,

    inet_interfaces = localhost

You're telling postfix to accept 'SMTP' connections from 'localhost' only. Consult README and change 'localhost' to something else

I dialed in via another ISP like as if I was on the road and trying to send mail out through my mailserver. Note I can connect with imaps and receive fine.

I'm using thunderbird, first I set the smtp server settings to use tls but didn't tick use name and passwd.

I tried a number of mail-clients. One of them is 'thunderbird' and they all work. For thunderbird the setting is:

    Tools-Account Settings-Outgoing Server(SMTP)
    Tick username and password
    Tick TLS for 'Use secure connection:'. Not SSL.

errors are:

    May 5 21:01:12 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:01:29 gw postfix/smtpd[15992]: warning: support for restriction reject_maps_rbl will be removed from Postfix; use reject_rbl_client domain-name instead
    May 5 21:01:34 gw postfix/smtpd[15992]: warning: support for restriction check_relay_domains will be removed from Postfix; use reject_unauth_destination instead
    May 5 21:01:34 gw postfix/smtpd[15992]: NOQUEUE: reject: RCPT from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: 554 [EMAIL PROTECTED]: Recipient address rejected: Relay access denied; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=[203.217.6.209]
    May 5 21:01:43 gw postfix/smtpd[15992]: lost connection after RCPT from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:01:43 gw postfix/smtpd[15992]: disconnect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]

So then I ticked the use name and passwd box and entered my username davidf. It kept popping up a box asking for my passwd, which I entered. errors are:

    May 5 21:02:13 gw
Re: [SLUG] postfix with TLS/SASL on debian woody
O Plameras wrote:

This is strange. What displays here is controlled by 'smtp.conf' and '#smtpd_tls_auth_only=yes'.

    # cat sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login

AUTH PLAIN LOGIN should be listed and no more. I can't explain this. Something is wrong somewhere.

As a matter of fact, CRAM-MD5, GSSAPI, and DIGEST-MD5 shouldn't be used at all in your case because you are already using TLS. TLS and any one of these are mutually exclusive. You use TLS or one of these.

hmm dunno

the above settings all work, and my mailserver keeps functioning accepting normal mail and so on. Problem is I still can't relay through it remotely.

I think it is your,

    inet_interfaces = localhost

You're telling postfix to accept 'SMTP' connections from 'localhost' only.

do you mean mynetworks? as I said, it receives mail on all interfaces so that's not it.

Tick username and password
Tick TLS for 'Use secure connection:'. Not SSL.

yes the result of that is here:

So then I ticked the use name and passwd box and entered my username davidf. It kept popping up a box asking for my passwd, which I entered. errors are:

    May 5 21:02:13 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:02:34 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
    May 5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:02:35 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
    May 5 21:02:39 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:02:39 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
    May 5 21:02:50 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
    May 5 21:02:51 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:02:51 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
    May 5 21:02:55 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:02:55 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
    May 5 21:03:06 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
    May 5 21:03:07 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:03:07 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
    May 5 21:03:11 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 5 21:03:11 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
    May 5 21:03:19 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
    May 5 21:03:19 gw postfix/smtpd[15992]: too many errors after AUTH from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
    May 5 21:03:19 gw postfix/smtpd[15992]: disconnect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]

(I'm not ticking the ssl box, cos then it uses port 465)

Try ticking 'TLS'.

see above

Dave.
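One way to triage the log extract above, as an added Python example that is not part of the original post: per client address, it separates AUTH failures that directly follow the server's own "SASL authentication problem" warning from failures logged without one. The function names and report layout are assumptions of this example; the sample lines are an excerpt copied from the log in the message.

```python
import re
from collections import Counter, defaultdict

# Excerpt copied from the log in the message above (host gw, smtpd pid 15992).
SAMPLE_LOG = """\
May 5 21:02:13 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:02:34 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:35 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
May 5 21:02:39 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:39 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
May 5 21:03:19 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:03:19 gw postfix/smtpd[15992]: too many errors after AUTH from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:03:19 gw postfix/smtpd[15992]: disconnect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_FAIL = re.compile(r"^warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed")
SERVER_PROBLEM = re.compile(r"^warning: SASL authentication problem: (?P<why>.*)$")
TOO_MANY = re.compile(r"^too many errors after AUTH from \S+\[(?P<ip>[^\]]+)\]")


def triage(log_text):
    """Group SASL failures per client IP, split by whether the server blamed itself."""
    pending = {}  # smtpd pid -> server-side problem text waiting for its failure line
    report = defaultdict(lambda: {"server_fault": Counter(),
                                  "unexplained": Counter(),
                                  "reasons": set(),
                                  "cut_off": False})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not an smtpd line
        pid, msg = m.group("pid"), m.group("msg")
        problem = SERVER_PROBLEM.match(msg)
        if problem:
            pending[pid] = problem.group("why")
            continue
        failure = AUTH_FAIL.match(msg)
        if failure:
            entry = report[failure.group("ip")]
            reason = pending.pop(pid, None)
            if reason is not None:
                # The same smtpd process just reported a verifier problem, so
                # this failure says nothing about the client's password.
                entry["server_fault"][failure.group("mech")] += 1
                entry["reasons"].add(reason)
            else:
                entry["unexplained"][failure.group("mech")] += 1
            continue
        dropped = TOO_MANY.match(msg)
        if dropped:
            report[dropped.group("ip")]["cut_off"] = True
    return dict(report)


def verdict(entry):
    """One-line reading of a client's entry, most actionable finding first."""
    if entry["server_fault"]:
        return "server-side SASL fault: fix the verifier before judging client credentials"
    if entry["cut_off"]:
        return "repeated AUTH failures until disconnect: review for password guessing"
    if entry["unexplained"]:
        return "AUTH failures with no server-side cause logged"
    return "no AUTH failures"


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, dict(entry["server_fault"]), dict(entry["unexplained"]), verdict(entry))
```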
Re: [SLUG] postfix with TLS/SASL on debian woody
David Fitch wrote:

SNIPPED

I think it is your,

    inet_interfaces = localhost

You're telling postfix to accept 'SMTP' connections from 'localhost' only.

do you mean mynetworks? as I said, it receives mail on all interfaces so that's not it.

/SNIPPED

No, 'mynetworks' has different functionality. 'inet_interfaces' has another functionality and if you try,

    inet_interfaces = all

you'll discover you can smtp from another host.

O Plameras
Re: [SLUG] postfix with TLS/SASL on debian woody
David Fitch wrote:

As a matter of fact, CRAM-MD5, GSSAPI, and DIGEST-MD5 shouldn't be used at all in your case because you are already using TLS. TLS and any one of these are mutually exclusive. You use TLS or one of these.

hmm dunno

TLS is needed to protect plain text messages sent and received across a network. When using PLAIN text, TLS is a must as far as I'm concerned.

There are many networks that use PLAIN text without security protections. Check if your ISP provider provides email service in PLAIN text authentication. Perhaps, they are using TLS or perhaps not.

Anybody may use 'ethereal' or 'tcpdump' to sniff the messages these days and AUTH PLAIN without TLS is a NONO.

CRAM-MD5(1), GSSAPI(2), and DIGEST-MD5(3) are encrypted messages and not PLAIN text. Therefore, it is redundant to have TLS when the message is using one of the above. As a matter of fact, when a client selects TLS it is not allowed to use (1), (2), or (3) by most software. For example, see 'Testing' in:

http://www.ofb.net/%7Ejheiss/krbldap/howto.html#ldapserv

So, why does SASL allow multiple 'AUTH' to be configured ? The answer is SASL is a negotiation network protocol that lets client and server select a particular 'AUTH' to use in a specific session. This means that SASL provides the selections and mail-client decides what AUTH to use. This is why we configure our mail-server in 'smtpd.conf' and our mail-client software like 'thunderbird'.

E.g. I have a mail-server with several clients using heterogeneous mail-client softwares. I require a protocol that will allow my mail-server to offer as many AUTH options to my clients.

Here is a list of mail-clients and their authentication protocols capabilities:

http://www.melnikov.ca/mel/devel/SASL_ClientRef.html

O Plameras
Re: [SLUG] postfix with TLS/SASL on debian woody
On 5/6/05, David Fitch [EMAIL PROTECTED] wrote:

do you mean mynetworks? as I said, it receives mail on all interfaces so that's not it.

mynetworks relates to which hosts are allowed to use this smtp server.. ie. relay control. It doesn't relate to what interfaces the smtp will listen on.

Populate the mynetworks variable and see how you go.

Mail servers that allow open relay = bad. Google the reasons why. :)
Re: [SLUG] postfix with TLS/SASL on debian woody
ok think I've got the ssl stuff sorted out now, problem is the smtp authentication still doesn't work, eg. see log extract:

    May 2 23:21:02 gw postfix/smtpd[22461]: TLS connection established from noodle[192.168.1.5]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    May 2 23:21:02 gw postfix/smtpd[22461]: connect from noodle[192.168.1.5]
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL CRAM-MD5 authentication failed
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL PLAIN authentication failed
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL LOGIN authentication failed
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL CRAM-MD5 authentication failed
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL PLAIN authentication failed
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL LOGIN authentication failed
    May 2 23:21:40 gw postfix/smtpd[22461]: lost connection after AUTH from noodle[192.168.1.5]
    May 2 23:21:40 gw postfix/smtpd[22461]: disconnect from noodle[192.168.1.5]

it's like postfix doesn't know what saslauthd means, any more ideas...

ta
Dave.
Re: [SLUG] postfix with TLS/SASL on debian woody
What does this show when you do this on your postfix server ?

    # telnet localhost 25

then put 'ehlo localhost' and 'ENTER'.
then put 'quit' and 'ENTER' to exit.

    #

David Fitch wrote:

ok think I've got the ssl stuff sorted out now, problem is the smtp authentication still doesn't work, eg. see log extract:

    May 2 23:21:02 gw postfix/smtpd[22461]: TLS connection established from noodle[192.168.1.5]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    May 2 23:21:02 gw postfix/smtpd[22461]: connect from noodle[192.168.1.5]
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL CRAM-MD5 authentication failed
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL PLAIN authentication failed
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:14 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL LOGIN authentication failed
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL CRAM-MD5 authentication failed
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL PLAIN authentication failed
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
    May 2 23:21:36 gw postfix/smtpd[22461]: warning: noodle[192.168.1.5]: SASL LOGIN authentication failed
    May 2 23:21:40 gw postfix/smtpd[22461]: lost connection after AUTH from noodle[192.168.1.5]
    May 2 23:21:40 gw postfix/smtpd[22461]: disconnect from noodle[192.168.1.5]

it's like postfix doesn't know what saslauthd means, any more ideas...

ta
Dave.
Re: [SLUG] postfix with TLS/SASL on debian woody
O Plameras wrote:

Firstly, I assume you have postfix running as distributed without SASL/TLS.

yes

If so, I suggest that you test each of the major components, SASL and TLS (or OPENSSL) to ensure that you have them setup correctly before combining them to work in Postfix. This is the part that's left out by the HOWTO's on the Net.

sounds a good idea

[snip]

I don't have these programs: sasl2-sample-server, sasl2-sample-client

also I'm only trying to setup postfix as a server so mail clients can smtp/relay to it remotely. I don't need postfix to be a client to another server.

2. After you generated your CA cert, Server cert, and Cert Key and re-configure your Postfix with these certificates, then run following tests a. and b. on your Postfix.server with: -

a.  openssl s_client -connect localhost:465 -showcerts -state \
        -CAfile /etc/postfix/cacert.pem

assuming 'cacert.pem' is your root certificate filename. This should return towards the end something like: -

    SNIPPED
    Verify return code: 0 (ok)

no, I get:

    #openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/ssl/server.pem
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol : TLSv1
        Cipher: EDH-RSA-DES-CBC3-SHA
        Session-ID: 271CBA7DF3D680633B9D6B663667DE61B14DC3EAC5A9E03FDD8A55BB605CCB76
        Session-ID-ctx:
        Master-Key: 6DF3BE079F1A1DD377FA49EDF1709F1C50ABAE826E6BC78DCF6D1A89F84302E5191B540616E36494EEAD2189FA66B5CA
        Key-Arg : None
        Start Time: 1115024986
        Timeout : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)

but hang on, I've got another .pem I created before as well which does work:

    #openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/ssl/demoCA/cacert.pem
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol : TLSv1
        Cipher: EDH-RSA-DES-CBC3-SHA
        Session-ID: 8ECB434C370AE7A8E00366A802E53CA2B972FD2081AB561672A9B37E55E04F36
        Session-ID-ctx:
        Master-Key: 3B97C09319C724CF45891FA48B2D69BC7EA22EBB61DB106E138AE6AF97B789CDD53EA27B32429DC7A5E20D4B040EE33F
        Key-Arg : None
        Start Time: 1115025345
        Timeout : 300 (sec)
        Verify return code: 0 (ok)

in my postfix main.cf I've got:

    # enable authenticated smtp for mail clients
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = noanonymous
    #smtpd_sasl_local_domain = $mydomain
    broken_sasl_auth_clients = yes
    smtpd_use_tls = yes
    #smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/ssl/server.pem
    smtpd_tls_cert_file = /etc/ssl/server.pem
    smtpd_tls_CAfile = /etc/ssl/server.pem
    smtpd_tls_loglevel = 2
    smtpd_use_pw_server = yes
    smtpd_pw_server_security_options = plain, login
    smtpd_sasl_authenticated_header = yes
    #smtp_sasl_password_maps = yes
    smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2

it now looks apparent the key, cert and CAfile are wrong. I generated them with the following instructions:

    ---
    # First create a CA key and certificate:
    openssl req -new -x509 -keyout ca.key -out ca.crt -days 4096 -nodes
    # Now create a server key certificate request
    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -out server.csr
    # Now make the CA infrastructure:
    mkdir -p demoCA/private
    cp ca.crt demoCA/cacert.pem
    cp ca.key demoCA/private/cakey.pem
    mkdir demoCA/newcerts
    touch demoCA/index.txt
    echo 01 > demoCA/serial
    # And sign your server certificate
    openssl ca -policy policy_anything -in server.csr -out server.crt
    # Then combine the server key and server certificate into a single PEM encoded file
    cat server.key server.crt > server.pem
    ---

is that the recommended way to do it?

ta
Dave.
Re: [SLUG] postfix with TLS/SASL on debian woody
David Fitch wrote:

O Plameras wrote:

Firstly, I assume you have postfix running as distributed without SASL/TLS.

yes

If so, I suggest that you test each of the major components, SASL and TLS (or OPENSSL) to ensure that you have them setup correctly before combining them to work in Postfix. This is the part that's left out by the HOWTO's on the Net.

sounds a good idea

[snip]

I don't have these programs: sasl2-sample-server, sasl2-sample-client

These programs usually come installed with cyrus-sasl2. It is highly recommended you get hold of these programs and test your SASL setup. These two programs will give you confidence that when there is a setup problem it is not due to your SASL setup.

also I'm only trying to setup postfix as a server so mail clients can smtp/relay to it remotely. I don't need postfix to be a client to another server.

These two programs above simply ensure that your SASL are installed and functioning correctly. There is no suggestion that your server has to be an SMTP client too. It is just to test that SASL installation is correct and functioning correctly.

2. After you generated your CA cert, Server cert, and Cert Key and re-configure your Postfix with these certificates, then run following tests a. and b. on your Postfix.server with: -

a.  openssl s_client -connect localhost:465 -showcerts -state \
        -CAfile /etc/postfix/cacert.pem

assuming 'cacert.pem' is your root certificate filename. This should return towards the end something like: -

    SNIPPED
    Verify return code: 0 (ok)

no, I get:

    #openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/ssl/server.pem
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol : TLSv1
        Cipher: EDH-RSA-DES-CBC3-SHA
        Session-ID: 271CBA7DF3D680633B9D6B663667DE61B14DC3EAC5A9E03FDD8A55BB605CCB76
        Session-ID-ctx:
        Master-Key: 6DF3BE079F1A1DD377FA49EDF1709F1C50ABAE826E6BC78DCF6D1A89F84302E5191B540616E36494EEAD2189FA66B5CA
        Key-Arg : None
        Start Time: 1115024986
        Timeout : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)

The file, /etc/ssl/server.pem, apparently is not the correct file. That's why you get a return code: 21.

but hang on, I've got another .pem I created before as well which does work:

    #openssl s_client -connect localhost:465 -showcerts -state -CAfile /etc/ssl/demoCA/cacert.pem
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol : TLSv1
        Cipher: EDH-RSA-DES-CBC3-SHA
        Session-ID: 8ECB434C370AE7A8E00366A802E53CA2B972FD2081AB561672A9B37E55E04F36
        Session-ID-ctx:
        Master-Key: 3B97C09319C724CF45891FA48B2D69BC7EA22EBB61DB106E138AE6AF97B789CDD53EA27B32429DC7A5E20D4B040EE33F
        Key-Arg : None
        Start Time: 1115025345
        Timeout : 300 (sec)
        Verify return code: 0 (ok)

So, this one above is the correct CA root certificate. But I suggest it to be changed as I've shown below.

in my postfix main.cf I've got:

    # enable authenticated smtp for mail clients
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = noanonymous
    #smtpd_sasl_local_domain = $mydomain
    broken_sasl_auth_clients = yes
    smtpd_use_tls = yes
    #smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/ssl/server.pem
    smtpd_tls_cert_file = /etc/ssl/server.pem
    smtpd_tls_CAfile = /etc/ssl/server.pem

Your test previously has indicated that these files are incorrect. You need to re-point these to the correct files. See down below.

    smtpd_tls_loglevel = 2
    smtpd_use_pw_server = yes
    smtpd_pw_server_security_options = plain, login
    smtpd_sasl_authenticated_header = yes
    #smtp_sasl_password_maps = yes
    smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2

it now looks apparent the key, cert and CAfile are wrong. I generated them with the following instructions:

    ---
    # First create a CA key and certificate:
    openssl req -new -x509 -keyout ca.key -out ca.crt -days 4096 -nodes
    # Now create a server key certificate request
    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -out server.csr
    # Now make the CA infrastructure:
    mkdir -p demoCA/private
    cp ca.crt demoCA/cacert.pem

Do not do the above line.

    cp ca.key demoCA/private/cakey.pem

Do not do the above line.

    mkdir demoCA/newcerts
    touch demoCA/index.txt
    echo 01 > demoCA/serial

After the above procedure insert these:

    openssl -new -x509 -keyout demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -days 365

    # And sign your server certificate
    openssl ca -policy policy_anything -in server.csr -out server.crt
    # Then combine the server and server certificate into a single PEM encoded file
    cat server.key server.crt > server.pem

Do not do the above. Instead, do a request for a key, as follows:

    openssl -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem -days 365

then sign it, as follows:

    openssl -policy policy_anything -out newcert.pem -infiles
Re: [SLUG] postfix with TLS/SASL on debian woody
* On Mon, May 02, 2005 at 07:26:15AM +0930, David Fitch wrote:

has anyone got this combination working? (postfix with TLS/SASL on debian woody)

No, haven't got it going, but it's on my todo list... The tutorial at [1] may help.

[1] http://workaround.org/articles/ispmail-sarge/

--
Sonia Hamilton. GPG key A8B77238.
.
Linux: the dot in dot org.
Re: [SLUG] postfix with TLS/SASL on debian woody
O Plameras wrote:

After the above procedure insert these:

    openssl -new -x509 -keyout demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -days 365

no such command '-new', did you mean:

    openssl req -new -x509 -keyout demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -days 365

    # And sign your server certificate
    openssl ca -policy policy_anything -in server.csr -out server.crt
    # Then combine the server and server certificate into a single PEM encoded file
    cat server.key server.crt > server.pem

Do not do the above. Instead, do a request for a key, as follows:

    openssl -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem -days 365

and same error

then sign it, as follows:

    openssl -policy policy_anything -out newcert.pem -infiles newreq.pem

are you sure about this one too? I've not tried it yet but it's not in the man page

No, this is not the recommended way. In fact it is discouraged. With this method, you reveal your secrets; hardly a security at all.

I see! thanks BTW!

ta,
Dave.
Re: [SLUG] postfix with TLS/SASL on debian woody
David Fitch wrote:

O Plameras wrote:

After the above procedure insert these:

    openssl -new -x509 -keyout demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -days 365

no such command '-new', did you mean:

    openssl req -new -x509 -keyout demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -days 365

Yes, you are right. I left out 'req'.

    # And sign your server certificate
    openssl ca -policy policy_anything -in server.csr -out server.crt
    # Then combine the server and server certificate into a single PEM encoded file
    cat server.key server.crt > server.pem

Do not do the above. Instead, do a request for a key, as follows:

    openssl -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem -days 365

and same error

then sign it, as follows:

    openssl -policy policy_anything -out newcert.pem -infiles newreq.pem

I left out 'ca'. This should be

    openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem

are you sure about this one too? I've not tried it yet but it's not in the man page

No, this is not the recommended way. In fact it is discouraged. With this method, you reveal your secrets; hardly a security at all.

I see! thanks BTW!

ta,
Dave.
[SLUG] postfix with TLS/SASL on debian woody
Hi all,

has anyone got this combination working? (postfix with TLS/SASL on debian woody)

I've followed all the instructions I can find on the web, and even added backports.org to get postfix2 and sasl2, and still I keep getting the same error:

May 1 22:09:15 gw postfix/smtpd[13280]: starting TLS engine
May 1 22:09:15 gw postfix/smtpd[13280]: connect from spiral.parachilna.com[192.168.1.2]
May 1 22:09:22 gw postfix/smtpd[13280]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 1 22:09:22 gw postfix/smtpd[13280]: warning: spiral.parachilna.com[192.168.1.2]: SASL PLAIN authentication failed
May 1 22:09:25 gw postfix/smtpd[13280]: disconnect from spiral.parachilna.com[192.168.1.2]

# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
log_level: 7
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

# cat /etc/default/saslauthd
# This needs to be uncommented before saslauthd will be run automatically
START=yes
# You must specify the authentication mechanisms you wish to use.
# This defaults to pam for PAM support, but may also include
# shadow or sasldb, like this:
# MECHANISMS=pam shadow
MECHANISMS=sasldb
PARAMS=-m /var/spool/postfix/var/run/saslauthd

(I've also tried it with shadow above instead of sasldb)

I have the user (me) added to /etc/sasldb and /etc/sasldb2 and testsaslauthd says it's ok.

Anyone got this working? or got any ideas?

ta, Dave.
Re: [SLUG] Postfix Virtual Domains and Timezones
On Fri, 25 Mar 2005, Angus Lees wrote:
> At Wed, 23 Mar 2005 17:26:02 -0700 (MST), Dennis M. Gray wrote:
> > I have set up a Postfix MTA with several virtual mail domains. So far in the documentation I have not found a way to have mail sent by Postfix to show a time that is different than that of the server, which is in Arizona, USA. I would like virtual domain users to have their mail sent with the correct time zone, i.e. +10 for Australia.
>
> The Date header is added by the original MUA -- the MTA just passes it along, as it does all the other headers. It's in a standard format and most MUAs will convert it to the local timezone when displaying. If it doesn't, it's not something you want to fix in the server.

In other words the solution is to make sure the MUA (Mail User Agent - aka email client software) has the correct timezone. If for example that's a web based mail client then it will have to have the correct timezone setup (not necessarily the same as the server itself). Try setting the TZ environment variable before launching the application (eg in the apache startup script if you want all websites in the same time zone). If it's only one virtual server then maybe you can use perl setenv in the virtualhost section or write a wrapper for the CGI, or set it in PHP or whatever - experimentation warranted.

--
---GRiP---
** ROOM FOR RENT $120pw (neg) near Newington Shops 525/401 buses **
Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist, Linux Guru, SLUG Secretary, AUUG and Linux Australia member, Sydney Flashmobber, Tenpin Bowler, BMX rider, Walker, Raver rave music lover, Big kid that refuses to grow up. I'd make a good family pet, take me home today! Some people actually read these things it seems.
Re: [SLUG] Postfix Virtual Domains and Timezones
At Wed, 23 Mar 2005 17:26:02 -0700 (MST), Dennis M. Gray wrote:
> I have set up a Postfix MTA with several virtual mail domains. So far in the documentation I have not found a way to have mail sent by Postfix to show a time that is different than that of the server, which is in Arizona, USA. I would like virtual domain users to have their mail sent with the correct time zone, i.e. +10 for Australia.

The Date header is added by the original MUA -- the MTA just passes it along, as it does all the other headers. It's in a standard format and most MUAs will convert it to the local timezone when displaying. If it doesn't, it's not something you want to fix in the server.

--
- Gus
[SLUG] Postfix HELO host
Does anyone know how Postfix determines the host to use when sending a HELO to a remote SMTP server? Is there any way I can control that? Regards -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix Virtual Domains and Timezones
I have set up a Postfix MTA with several virtual mail domains. So far in the documentation I have not found a way to have mail sent by Postfix to show a time that is different than that of the server, which is in Arizona, USA. I would like virtual domain users to have their mail sent with the correct time zone, i.e. +10 for Australia. Does anyone have any ideas how I can do this or if it can be done at all? Regards
Re: [SLUG] Postfix HELO host
postfix relies on DNS and looks up MX records. or do you want to make a mail gateway? Does anyone know how Postfix determines the host to use when sending a HELO to a remote SMTP server? Is there any way I can control that? Regards - This mail sent through IMP: http://horde.org/imp/ -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix HELO host
On Wed, 23 Mar 2005 17:27:17 -0700 (MST), Dennis M. Gray [EMAIL PROTECTED] wrote: Does anyone know how Postfix determines the host to use when sending a HELO to a remote SMTP server? Is there any way I can control that? I believe it uses whatever is set in $myhostname (which, unless set manually, uses gethostname()). I'm not sure this can be changed with some main.cf directive (google?), however, you *can* change the value of $myhostname which will change your HELO greeting, obviously. HTH, Gonzalo -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix/amavisd-new/clamav setup
I'm looking at installing amavisd-new/clamav with Postfix 2 on RH73; I've used amavisd-new-2.2.0-1.0.rh7.test.i386.rpm and clamav-0.80-1.0.rh7.dag.i386.rpm from dag.wieers.com/packages/ so far, I have amavisd-new running looking at various docs and howtos, they talk about a 'clamd', but, the clamav I've installed doesn't seem to have such...? rpm only has: rpm/usr/bin clamscan freshclam sigtool any advice appreciated -- Voytek -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix/amavisd-new/clamav setup
Voytek wrote:
> I'm looking at installing amavisd-new/clamav with Postfix 2 on RH73; I've used amavisd-new-2.2.0-1.0.rh7.test.i386.rpm and clamav-0.80-1.0.rh7.dag.i386.rpm from dag.wieers.com/packages/
>
> so far, I have amavisd-new running
>
> looking at various docs and howtos, they talk about a 'clamd', but, the clamav I've installed doesn't seem to have such...? rpm only has:

oops, I've just noticed there is another RPM to install.with clamd...

--
Voytek
[SLUG] Postfix + mailman..
Anyone happen to recommend a decent site or howto on configuring mailman with postfix... The machine is a debian sarge box :) Thanks -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix + MySQL
Jon Austin wrote:
> Hey,
>
> I have tried to get MySQL and postfix to talk to each other on Debian stable. The problem I have is when Postfix tries to connect to MySQL, it has issues.
>
> Oct 28 15:03:09 sheadoffice-bne postfix/trivial-rewrite[27803]: warning: connect to mysql server localhost: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
> Oct 28 15:03:09 sheadoffice-bne postfix/trivial-rewrite[27803]: fatal: mysql:/etc/postfix/mysql_virtual_alias_maps.cf(0,100): table lookup problem
>
> Now I can use the mysql client with the same username and password and connect successfully. I can also connect successfully using
>
> mysql --socket=/var/run/mysqld/mysqld.sock
>
> I've tried getting postfix to talk via 127.0.0.1 and also the real IP address of the machine. I've also tried using 'unix:/var/run/mysqld/mysqld.sock' as the host in the postfix virtual mapping.
>
> I'm stumped and very frustrated. Any suggestions?

Well...on my machine (SuSE9.1/mysql Ver 12.21 Distrib 4.0.15), it is /var/lib/mysql/mysql.sock

I'm using mysql as the local_recipient_maps source (w/ dbmail). Default socket is /tmp/mysql.sock, so double check the socket value in /etc/my.cnf under [mysqld]

Has this ever worked for you? Are you sure postfix has mysql support compiled in? (I had to recompile postfix w/SuSE to get it.)
[SLUG] Postfix + MySQL
Hey,

I have tried to get MySQL and postfix to talk to each other on Debian stable. The problem I have is when Postfix tries to connect to MySQL, it has issues.

Oct 28 15:03:09 sheadoffice-bne postfix/trivial-rewrite[27803]: warning: connect to mysql server localhost: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Oct 28 15:03:09 sheadoffice-bne postfix/trivial-rewrite[27803]: fatal: mysql:/etc/postfix/mysql_virtual_alias_maps.cf(0,100): table lookup problem

Now I can use the mysql client with the same username and password and connect successfully. I can also connect successfully using

mysql --socket=/var/run/mysqld/mysqld.sock

I've tried getting postfix to talk via 127.0.0.1 and also the real IP address of the machine. I've also tried using 'unix:/var/run/mysqld/mysqld.sock' as the host in the postfix virtual mapping.

I'm stumped and very frustrated. Any suggestions?

Kind regards,
Jon
[SLUG] Postfix Question
I'm running Postfix with virtual mailboxes and virtual mailbox domains and it runs fine using the virtual delivery agent. So, how do I get it to deliver via Procmail to these same virtual mailboxes?

--
Howard.
LANNet Computing Associates; Your Linux people http://www.lannetlinux.com
--
When you just want a system that works, you choose Linux; when you want a system that just works, you choose Microsoft.
--
Flatter government, not fatter government; Get rid of the Australian states.
Re: [SLUG] Postfix Question
Howard Lowndes wrote:
> I'm running Postfix with virtual mailboxes and virtual mailbox domains and it runs fine using the virtual delivery agent. So, how do I get it to deliver via Procmail to these same virtual mailboxes?

don't you need a shell for procmail?

dave
[SLUG] Postfix mess
I have just installed a postfix setup and made a boo-boo. For some reason, mail is set as being From: [EMAIL PROTECTED]@x. it should be [EMAIL PROTECTED] Where do I look to fix this? Thanks, Alan -- -- Alan L Tyree http://www2.austlii.edu.au/~alan Tel: +61 2 4782 2670 Mobile: +61 405 084 990 Fax: +61 2 4782 7092 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess
Hi Alan, My guess is an incorrect value in the myhostname variable. You need to modify the myhostname value in /etc/postfix/main.cf. Set this value to just your domain name and restart postfix. Cheers, Shane. On Wed, 2004-10-06 at 08:55, Alan L Tyree wrote: I have just installed a postfix setup and made a boo-boo. For some reason, mail is set as being From: [EMAIL PROTECTED]@x. it should be [EMAIL PROTECTED] Where do I look to fix this? Thanks, Alan -- -- Alan L Tyree http://www2.austlii.edu.au/~alan Tel: +61 2 4782 2670 Mobile: +61 405 084 990 Fax: +61 2 4782 7092 -- - Shane Machon GCUX Proprietor LinSec Consulting Ph: (02) 9979-1222 Fax: (02) 9979-1499 Mob: 0414 992097 Eml: [EMAIL PROTECTED] Web: http://www.linsec.com.au -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess
On Wed, 06 Oct 2004 09:46:18 +1000 Shane Machon [EMAIL PROTECTED] wrote: Hi Alan, My guess is an incorrect value in the myhostname variable. You need to modify the myhostname value in /etc/postfix/main.cf. Set this value to just your domain name and restart postfix. SNIP Thanks Shane - it turns out that my problem is slightly different from what I described. I *want* the From line to be: [EMAIL PROTECTED] The problem is that postfix seems to be adding my local account name alant. So what I really need to know is how to change the entire From line. Thanks for any help. Alan -- -- Alan L Tyree http://www2.austlii.edu.au/~alan Tel: +61 2 4782 2670 Mobile: +61 405 084 990 Fax: +61 2 4782 7092 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess - NOT!
On Wed, 6 Oct 2004 10:30:42 +1000 Alan L Tyree [EMAIL PROTECTED] wrote: On Wed, 06 Oct 2004 09:46:18 +1000 Shane Machon [EMAIL PROTECTED] wrote: Hi Alan, My guess is an incorrect value in the myhostname variable. You need to modify the myhostname value in /etc/postfix/main.cf. Set this value to just your domain name and restart postfix. SNIP Thanks Shane - it turns out that my problem is slightly different from what I described. I *want* the From line to be: [EMAIL PROTECTED] The problem is that postfix seems to be adding my local account name alant. So what I really need to know is how to change the entire From line. SNIP I just realised that it is not a postfix problem at all since this mail is sent via postfix. It is a mutt problem - which I can probably fix. Sorry to have been a (needless) pest. Alan -- -- Alan L Tyree http://www2.austlii.edu.au/~alan Tel: +61 2 4782 2670 Mobile: +61 405 084 990 Fax: +61 2 4782 7092 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess
On Wed, 2004-10-06 at 10:30 +1000, Alan L Tyree wrote: Thanks Shane - it turns out that my problem is slightly different from what I described. I *want* the From line to be: [EMAIL PROTECTED] This is really handled in your MUA. If your MUA can't do it, switch to something like Mutt or Evolution, both of which will allow you to set your From address as you see fit. -- A is for Apple. -- Hester Pryne signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess
Hi Alan, Ok, that's a little different :) The first part of the email address is configurable in your email client. Just make sure you have an alias to your account name from alan to alant (in /etc/aliases). But the main problem is with your email client, not postfix. Cheers, Shane. On Wed, 2004-10-06 at 10:30, Alan L Tyree wrote: On Wed, 06 Oct 2004 09:46:18 +1000 Shane Machon [EMAIL PROTECTED] wrote: Hi Alan, My guess is an incorrect value in the myhostname variable. You need to modify the myhostname value in /etc/postfix/main.cf. Set this value to just your domain name and restart postfix. SNIP Thanks Shane - it turns out that my problem is slightly different from what I described. I *want* the From line to be: [EMAIL PROTECTED] The problem is that postfix seems to be adding my local account name alant. So what I really need to know is how to change the entire From line. Thanks for any help. Alan -- - Shane Machon GCUX Proprietor LinSec Consulting Ph: (02) 9979-1222 Fax: (02) 9979-1499 Mob: 0414 992097 Eml: [EMAIL PROTECTED] Web: http://www.linsec.com.au 'Specialists in Linux and Security Solutions' -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess
On Wed, 06 Oct 2004 10:41:02 +1000 Shane Machon [EMAIL PROTECTED] wrote: Hi Alan, Ok, that's a little different :) The first part of the email address is configurable in your email client. Just make sure you have an alias to your account name from alan to alant (in /etc/aliases). But the main problem is with your email client, not postfix. Yes, I just realised that the messages that I have sent to SLUG are handled by postfix - duh! I have been using sylpheed, but the offending messages were sent with mutt. Sorry to be a (needless) pest. Cheers, Alan Cheers, Shane. On Wed, 2004-10-06 at 10:30, Alan L Tyree wrote: On Wed, 06 Oct 2004 09:46:18 +1000 Shane Machon [EMAIL PROTECTED] wrote: Hi Alan, My guess is an incorrect value in the myhostname variable. You need to modify the myhostname value in /etc/postfix/main.cf. Set this value to just your domain name and restart postfix. SNIP Thanks Shane - it turns out that my problem is slightly different from what I described. I *want* the From line to be: [EMAIL PROTECTED] The problem is that postfix seems to be adding my local account name alant. So what I really need to know is how to change the entire From line. Thanks for any help. Alan -- - Shane Machon GCUX Proprietor LinSec Consulting Ph: (02) 9979-1222 Fax: (02) 9979-1499 Mob: 0414 992097 Eml: [EMAIL PROTECTED] Web: http://www.linsec.com.au 'Specialists in Linux and Security Solutions' -- -- Alan L Tyree http://www2.austlii.edu.au/~alan Tel: +61 2 4782 2670 Mobile: +61 405 084 990 Fax: +61 2 4782 7092 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix mess - NOT!
On Wed, 2004-10-06 at 10:36 +1000, Alan L Tyree wrote: I just realised that it is not a postfix problem at all since this mail is sent via postfix. It is a mutt problem - which I can probably fix. In your .muttrc put this: set from=\My Name\ [EMAIL PROTECTED] -- Hell is empty and all the devils are here. -- Wm. Shakespeare, The Tempest signature.asc Description: This is a digitally signed message part -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix mess (mutt config) - update
Just for the archives: the Debian distributions have

# don't generate a From header
unset use_from

in the /etc/Muttrc configuration. This overrides the setting in the .muttrc file. Changing to

set use_from

fixes it (obviously).

Thanks to those who helped me with this.

Cheers, Alan

--
Alan L Tyree http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670 Mobile: +61 405 084 990 Fax: +61 2 4782 7092
[SLUG] Postfix potentially relaying
Hi all,

I have just tested a server I have been given the pleasure of playing with, and from a few tests I have run it is reported that the server has relaying ability. The main.cf file looks a little like this:

smtpd_sender_restrictions = permit_mynetworks, reject_unknown_client,reject_rbl_client,reject_unauth_destination,reject_rhsbl_sender dsn.rfc-ignorant.org

smtpd_recipient_restrictions = reject_invalid_hostname,reject_nonfqdn_recipient,reject_nonfqdn_sender,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipeling, permit_mynetworks, reject_unauth_destination,reject_rbl_client relays.ordb.org,reject_rbl_client opm.blitzed.org,reject_rbl_client list.dsbl.org,reject_rbl_client cbl.abuseat.org, permit

I have appended one of the tests below. Also, if I add reject to the end of smtpd_sender_restrictions I get every incoming message blocked.

To: [EMAIL PROTECTED]
From:
250 Ok
MAIL FROM:
250 Ok
RCPT TO:
250 Ok
DATA
354 End data with .
MESSAGE
250 Ok: queued as DECD04210

Thanks
Kevin
[SLUG] POSTFIX smtp relay access problem SOLVED
POSTfix for RHAS-2.1 with squirrelmail

Keyword:
Redhat Linux AS 2.1 RLAS21 RLAS 2.1 postfix configuration compatibility outlook not sending mail to postfix smtp. Postfix smtp relay simple postfix relay how to, postfix relay-how-to. postfix+squirrelmail how to configure..

Server is providing the following services:
Primary DNS
Mailing System : Webmail / POP/IMAP client
Web Server : for rvpn.co.in

Packages Used:
OS : Redhat AS - version 2.1 (RHAS21)
apache-1.3.23-10 --- Webserver daemon (service httpd start/stop/status)
imap-2001a-15 : POP3 access to Outlook and Eudora client
Postfix-2.0.13-3.1.rhas21 --- MTA
squirrelmail-1.2.7-4 -- Webmail for Postfix Imapd
squirrelmail-plugins compatibility:
1) change_password---3.1-1.2.80 -- change pass of user through webmail
2) compatibility 1.3 -- required for change password option

Remark:
1) When installing this squirrelmail, an error like "httpd required" will pop up; just ignore it by putting rpm -Uvh squirr*.rpm --nodeps. It works.
2) After this, an entry is required in /etc/httpd/conf/http.conf for the alias for the /webmail option in the web browser.
3) If a POP client like Outlook Express doesn't work, some relay related problem has to be sorted out in the main.cf files.

To relay local LAN users in POSTFIX I did the following things:

inet_interfaces = all
mynetworks_style = subnet
mynetworks = 210.212.60.0/24 192.168.17.0/24 192.168.18.0/24
smtpd_recipient_restrictions =
    permit_mynetworks
    check_client_access hash:/etc/postfix/client_access
    check_sender_access hash:/etc/postfix/sender_access
    reject_unauth_destination

Note: create the file in /etc/postfix for sender_access and check_client_access.

Sample of client_access file:

210.212.99.60   OK
210.212.99.51   OK
192.168.17.0    OK
127.0.0.1       OK
10.0.0.2        OK

IMPORTANT: after any entry or change, don't be a fool and forget to write it to the database. To write it to the database just do

postmap client_access

Now go and check the mail is sending and receiving from Outlook also.

Here is the live and running Postfix main.cf file configuration:

# readme_directory: The location of the Postfix README files.
#
readme_directory = /etc/postfix/README_FILES
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
mydestination = pushkar.co.in
myorigin = pushkar.co.in
masquerade_domains = pushkar.co.in
#fallback_transport = smtp:ns.pushkar.co.in
inet_interfaces = all
mynetworks_style = subnet
mynetworks = 2sdsfsdfs60.0/24 192.168.17.0/24 192.168.18.0/24
smtpd_recipient_restrictions =
    permit_mynetworks
    check_client_access hash:/etc/postfix/client_access
    check_sender_access hash:/etc/postfix/sender_access
    reject_unauth_destination

hummm

Pushkar Bhatkoti
ARTEK ENTERPRISES PVT LTD
Nehru Place New Delhi India
45 Deepak Bldg Nehru Place India
Mobile : 9810774912
mail : [EMAIL PROTECTED]
yahoo : [EMAIL PROTECTED]

It's just cook. I have tested and it's running working fine
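An added illustration, not part of the post above and not Postfix code: how an indexed `hash:` access table is searched for a client IPv4 address, following the octet-truncation rule documented in access(5), applied to the sample client_access entries from the post. It models only the address part of `check_client_access` (not hostname lookups); the function names and the `PREFIX_TABLE` variant are made up for the example.

```python
import ipaddress

# Sample client_access entries from the post (spacing normalised).
POSTED_TABLE = """\
210.212.99.60   OK
210.212.99.51   OK
192.168.17.0    OK
127.0.0.1       OK
10.0.0.2        OK
"""

# Hypothetical variant for comparison: the /24 written as an octet prefix.
PREFIX_TABLE = POSTED_TABLE.replace("192.168.17.0", "192.168.17")


def parse_access(text):
    """Parse postmap source text ("key  action" per line) into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_keys(client_ip):
    """Keys tried for one client, most specific first.

    access(5): the full address is looked up, then the last ".octet" is
    stripped repeatedly until a key matches or nothing is left to strip.
    """
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError if malformed
    octets = str(ip).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def check_client_access(table, client_ip):
    """Return (matched_key, action); (None, "DUNNO") means no entry applied
    and the next restriction in the list decides."""
    for key in lookup_keys(client_ip):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


def compare(clients):
    """Evaluate each client against both tables."""
    posted = parse_access(POSTED_TABLE)
    prefix = parse_access(PREFIX_TABLE)
    return {
        ip: (check_client_access(posted, ip)[1],
             check_client_access(prefix, ip)[1])
        for ip in clients
    }


if __name__ == "__main__":
    # Constructed client addresses.
    for ip, (a, b) in compare(
        ["210.212.99.60", "192.168.17.0", "192.168.17.25", "192.168.18.7"]
    ).items():
        print(f"{ip:15}  posted table: {a:5}  prefix table: {b}")
```

In a `hash:` table the key `192.168.17.0` is a single host, so other hosts on that LAN are covered only by `permit_mynetworks`; a key such as `192.168.17` (or a `cidr:` table) is what matches the whole network.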
[SLUG] postfix question
Hi all, I have built a mail gateway on my dmz using postfix and currently building an internal mail server using postfix as part of Kolab. Has anyone built postfix to relay any internet bound emails to a mail gateway? I have the mail gateway forwarding to the internal mail server. Nothing the other way Thanks -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] postfix question
This one time, at band camp, Kevin Saenz wrote: Hi all, I have built a mail gateway on my dmz using postfix and currently building an internal mail server using postfix as part of Kolab. Has anyone built postfix to relay any internet bound emails to a mail gateway? I have the mail gateway forwarding to the internal mail server. Nothing the other way Yep. Set your mail gateway to relay from your IP space, and tell your other machines where to send their mail with smart_relay. I forget the relay parameter, but if you've left all your comments in from the package install then it should be easy to find. -- [EMAIL PROTECTED] http://spacepants.org/jaq.gpg -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Postfix upgrade
Hi all, I have upgraded postfix to 2.1.0 and found that my settings for anomy, and spamassassin doesn't work now. Has got this problem? I was reading the new documentation on Postfix and content filtering and I am a little lost in how I could still use the likes of anomy. Could anyone help out? Thanks Kevin -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Postfix and regexp
All who asked for a copy from me, I would advise the securitysage's works better than mine :) if my header_check file doesn't work for you, you could always try http://www.securitysage.com/files/header_checks it is more comprehensive than mine. let us know how you go with this config. Will be happy for more input. Kevin, before: last 4/current mail logs: 10568 received 1386 delivered 9805 rejected (87%) 3439 received 1733 delivered 2555 rejected (59%) 3715 received 1783 delivered 2451 rejected (57%) 8924 received 1870 delivered 8025 rejected (81%) 2126 received 440 delivered 1846 rejected (80%) after: (TBC) -- Regards, Kevin Saenz Spinaweb I.T consultants Ph: 02 4620 5130 Fax: 02 4625 9243 Mobile: 0418455661 Web: http://www.spinaweb.com.au -- Regards, Kevin Saenz Spinaweb I.T consultants Ph: 02 4620 5130 Fax: 02 4625 9243 Mobile: 0418455661 Web: http://www.spinaweb.com.au -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Postfix and regexp
All who asked for a copy from me, I would advise the securitysage's works better than mine :) Kevin, thanks for letting know I'm as yet not installed it, but, did look, and, d/l ss's files and, was going to look at it next day or two Voytek -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Postfix and regexp
At 01:13 AM 5/11/2003, Voytek sent this up the stick: ** Reply to note from Kevin Saenz [EMAIL PROTECTED] Tue, 04 Nov 2003 12:24:07 +1100 why are you tuesday 10pm? Kevin, that's a good Q. the answer is long and involved, and, I do not understand some parts of it... snip so, today, when I noticed I'm out by DST, and, adelaide no longer is there, I though, I'd try an NTPD instead of daytime, I've set up NTPD sometime in 1999, but, never used it since then, NTPD had these in: poll interval = 16384 augean.eleceng.adelaide.edu.au ntp.cs.mu.OZ.AU ntp.ml.csiro.au ntp.tip.CSIRO.AU tick.usno.navy.mil tock.usno.navy.mil time.nist.gov 206.54.0.21 Bad ... these are stratum 1 servers. Ordinary folks like us should *really* be synchronising to stratum 2 servers. Real differences between the strata amount to milliseconds usually. www.ntp.org has *all* the info. I guess, NTPD takes an average between local machine time as well as remote clocks, and, I guess, NTPD shouldn't be invoked on on obviously incorrect time, and, I guess, if I left NTPD running, it would eventually correct the time. Perhaps an interval of '16384' prevented re-calc from being somewhat quicker... Not really. ntpd will adjust (slew) your clock according to the dfirtfile (/var/ntp/drift) ntpdate steps the change in one hit (see below). which reminds me, I should really configure ntpd on my Linux server. ntpd probably isn't the best solution for an intermittent dialup, unless you can stay dailled up for about 24 hours while ntpd sets up a drift file. If the Linux box is dialling, put ntpdate into your ppp.up script If you do decide to go ahead with ntpd, be sure to check out the pool.ntp.org website. Cheers, Rob -- A good quantum physicist is hard to find. This is random quote 140 of 1254. 
Distance from the centre of the brewing universe [15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian Public Key fingerprint = 6219 33BD A37B 368D 29F5 19FB 945D C4D7 1F66 D9C5 -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
[SLUG] Postfix and regexp
Hi all, I figured out my problem with postfix and regexp I was placing the request in the wrong area. Now with the ability to stop certain subject titles entering my system I have stopped about 95% of spam accessing my server before it ever gets the chance to reach spamassassin. If anyone wants a copy of my header_check just email me off list to get a copy. -- Regards, Kevin Saenz Spinaweb I.T consultants Ph: 02 4620 5130 Fax: 02 4625 9243 Mobile: 0418455661 Web: http://www.spinaweb.com.au -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Postfix and regexp
> the request in the wrong area. Now with the ability to stop certain subject titles entering my system I have stopped about 95% of spam accessing my server before it ever gets the chance to reach spamassassin.

Kevin,

since enabling Postfix with anti UCE configs, purely generic mods, like, black hole, invalid host/sender, no executables check (but no subject checking (as yet...)) I'm between 50% on a bad day, and, on a good day, up to 90% rejecting,

date         received  delivered  deferred  bounced  rejected
Nov 2 2003        885        115         0        0       815
Nov 3 2003       1206        312         3        0      1014

and, I was getting a warm and fuzzy feelings getting 90% rejects... I thought I was doing good till I saw your mssg

but, 95% !!, wow, that even better !

BUT, now I'm really envious, pls email your configs, thanks !

say, I'm DISCARDing all windoze executables, except .doc and .xls, now, that should stop majority of windoze malware, no ? Except for HTML emails hidden malware ? and, word/excel macros malware ? is that a reasonable assumption ?

thanks
Re: [SLUG] Postfix and regexp
I am not blaming Slug. My file is there for people who have postfix and haven't configured UCE to minimise spam. and, I was getting a warm and fuzzy feelings getting 90% rejects... I thought I was doing good till I saw yor mssg but, 95% !!, wow, that even better ! My file is continually being updated to reject subject titles. I guess the part I will come acropper is when spammers start changing their subject titles. I do have reject invalid host/sender and the other stuff. where I was getting minimum of 390+ spam emails in my bullshit folder today I have none :) I think part of it has to do with the header_check settings I have. :) If you like, when I get my next postfix report I will post it. as far as I can see since I began using header_checks there are a lot of emails being rejected because of their subject matter. BUT, now I'm really envious, pls email your configs, thanks ! It will be in your next email. say, I'm DISCARDing all windoze executables, except .doc and .xls, now, that should stop majority of windoze malware, no ? Except for HTML emails hidden malware ? and, word/excel macros malware ? is that a reasonable assumption ? I hope you're kidding. :) thanks -- Regards, Kevin Saenz Spinaweb I.T consultants Ph: 02 4620 5130 Fax: 02 4625 9243 Mobile: 0418455661 Web: http://www.spinaweb.com.au -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
Re: [SLUG] Postfix and regexp
let us know how you go with this config. Will be happy for more input.
Kevin, before: last 4/current mail logs:
10568 received 1386 delivered 9805 rejected (87%)
3439 received 1733 delivered 2555 rejected (59%)
3715 received 1783 delivered 2451 rejected (57%)
8924 received 1870 delivered 8025 rejected (81%)
2126 received 440 delivered 1846 rejected (80%)
after: (TBC)
Re: [SLUG] Postfix and regexp
As I said, it blocks about 95% of spam that comes to my boxen, not it blocks 95% of all emails that come to my boxen. Also, I should clarify myself a little better: my header_checks blocks the recent spate of spam emails that I have been receiving. If my header_check file doesn't work for you, you could always try http://www.securitysage.com/files/header_checks it is more comprehensive than mine.
let us know how you go with this config. Will be happy for more input.
Kevin, before: last 4/current mail logs:
10568 received 1386 delivered 9805 rejected (87%)
3439 received 1733 delivered 2555 rejected (59%)
3715 received 1783 delivered 2451 rejected (57%)
8924 received 1870 delivered 8025 rejected (81%)
2126 received 440 delivered 1846 rejected (80%)
after: (TBC)
-- Regards, Kevin Saenz Spinaweb I.T consultants Ph: 02 4620 5130 Fax: 02 4625 9243 Mobile: 0418455661 Web: http://www.spinaweb.com.au
Re: [SLUG] Postfix and regexp
** Reply to note from Kevin Saenz [EMAIL PROTECTED] Tue, 04 Nov 2003 00:31:14 +1100
It will be in your next email.
thanks, I'll try to implement later today
say, I'm DISCARDing all windoze executables, except .doc and .xls, now, that should stop majority of windoze malware, no ? Except for HTML emails hidden malware ? and, word/excel macros malware ? is that a reasonable assumption ?
I hope you're kidding. :)
Kevin, doesn't a windoze malware have to be some kind of executable application, as per specs below ?? I'm DISCARDing anything like these:
# M$-Windoze vulnerable to all these as email-borne viruses/worms/trojans
# Added .ade, .adp, .bas, .cpl, .crt, .hlp, .inf, .ins, .isp, .lnk, .mdb,
# .mde, .msc, .msi, .msp, .mst, .pcd, .reg, .sct, .shs, .url, .vb, and .wsc
/^Content-(Disposition|Type):\s+.+?(?:file)?name=?.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cbt|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT hc1 .$2 file attachment types not allowed
apart from HTML emails and word/excel, how else can windoze malware travel ? what am I missing ?
Voytek Eymont
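
A way to check what the attachment rule in the message above does and does not reject (an added example, not part of the thread): the pattern is copied from the message, the header lines are constructed samples, and Python's `re` with `IGNORECASE` stands in for Postfix's PCRE matching, which is case-insensitive by default. The `normalize` option, which decodes RFC 2047 encoded-words before matching, is an assumption about what a content filter does; header checks themselves see the raw header.

```python
import base64
import re
from email.header import decode_header

# Rule copied from the message above. Postfix pcre tables match
# case-insensitively by default, which re.IGNORECASE mirrors here.
RULE = re.compile(
    r"^Content-(Disposition|Type):\s+.+?(?:file)?name=?.+?\.(386|ad[ept]|app|"
    r"as[dpx]|ba[st]|bin|btm|cab|cbt|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|"
    r"cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|"
    r"jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|"
    r"obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|"
    r"sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|"
    r"\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b",
    re.IGNORECASE,
)


def decode_words(header):
    """Expand RFC 2047 encoded-words; plain headers come back unchanged."""
    return "".join(
        part.decode(charset or "ascii") if isinstance(part, bytes) else part
        for part, charset in decode_header(header)
    )


def verdict(header, normalize=False):
    """Return the extension the rule rejects on, or None if the header passes."""
    if normalize:  # assumption: a content filter's step, not header_checks
        header = decode_words(header)
    match = RULE.search(header)
    return match.group(2).lower() if match else None


# Constructed sample headers (not taken from the thread).
ENCODED_NAME = "=?utf-8?B?%s?=" % base64.b64encode(b"tool.exe").decode()
SAMPLES = {
    "plain exe": 'Content-Disposition: attachment; filename="tool.exe"',
    "upper case": 'Content-Type: application/octet-stream; name="SETUP.EXE"',
    "word doc": 'Content-Type: application/msword; name="report.doc"',
    "inner ext": 'Content-Disposition: attachment; filename="howto.pl.txt"',
    "encoded": 'Content-Disposition: attachment; filename="%s"' % ENCODED_NAME,
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:10} raw={verdict(header)!s:5} "
              f"decoded={verdict(header, normalize=True)}")
```

The `inner ext` sample is rejected on `.pl` although the name ends in `.txt`, because the rule does not anchor the extension to the end of the file name; the `word doc` sample passes, which is the macro case raised in the thread.
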
Re: [SLUG] Postfix and regexp
doesn't a windoze malware has to be some kind of executable application, as per specs below ??
Sorry, I read you wrong. There are some tips in stopping windows executables from coming into your network
what am I missing ?
I have spamassassin and anomy killing most windows executables.
Voytek Eymont
-- Regards, Kevin Saenz Spinaweb I.T consultants Ph: 02 4620 5130 Fax: 02 4625 9243 Mobile: 0418455661 Web: http://www.spinaweb.com.au