On 10/09/2023 at 18:23, Viktor Dukhovni via Postfix-users wrote:
On Sun, Sep 10, 2023 at 10:38:27AM +0200, François Patte via Postfix-users wrote:

Sep  9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
to=<francois.pa...@gmx.fr>, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
MAIL FROM command))

       https://www.postfix.org/DEBUG_README.html#mail

It looks like you "tampered" with the logs.  They don't match your
reported configuration below.

If you continue to treat the hostname of your ISP's (FAI's) SMTP relay
as restricted sensitive information, the help you'll receive will also
be restricted to vague generalities.

My new main.cf :

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 3.7
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination =
myhostname = pingala.fqdn
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.gmx.com]:465
sample_directory = /usr/share/doc/postfix/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_loglevel = 1
smtp_tls_secure_cert_match = smtp.gmx.com
smtp_tls_security_level = encrypt
smtp_tls_verify_cert_match = pingala.fqdn
smtp_tls_wrappermode = yes
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_req_ccert =
unknown_local_recipient_reject_code = 550




smtp_enforce_tls = yes
smtp_use_tls = yes

These are obsolete and redundant.

You should have by now removed these settings from "main.cf" (so that
these parameters no longer appear in "postconf -n" output).

Removed


smtp_tls_security_level = encrypt

If the relay has a valid certificate, make that "secure".

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs

Otherwise, no need to bother with CAfile / CApath.

You should also have "smtp_tls_loglevel = 1".

And updated the security level to "secure".

If I turn this to "secure", I get in maillog file:

server certificate verification failed for
smtp.gmx.com[212.227.17.174]:465: num=62:hostname mismatch


smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_tls_verify_cert_match = myhost.fqdn

And switched to:

     smtp_tls_secure_cert_match = ... not so secret ISP relay ...

[ definitely not your server's hostname, if that's what "myhost.fqdn" is
supposed to be. ]


Done

smtpd_sasl_auth_enable = yes

You probably don't want this.

smtpd_tls_security_level = encrypt

Nor this, except on the submission services in master.cf.

Suppressed (I don't understand "except on the submission services in
master.cf": I did not change anything in master.cf)


And turned off SASL AUTH on your inbound port 25.

I don't understand this...


You're obfuscating the essential hostnames, making help needlessly
difficult.  Did you read the text in SASL_README that explains the
lookup key syntax for the password table, when using "[]" and/or ":port"
in the relay name?

You probably have the wrong lookup key syntax.

You need to post the exact syntax of the lookup key in your
"smtp_sasl_password_maps" table, and check that:

     # postmap -q "$(postconf -xh relayhost)" \
         $(postconf -xh smtp_sasl_password_maps) | cat -etv

returns the expected result.  (The "cat -etv" should highlight
any unexpected invisible characters).

I made an error in password_maps: the relayhost wanted my full email
address as my user name. Corrected.


#postconf -n
inet_interfaces = localhost

Is your server supposed to receive any mail from outside?  Or
is it a "send-only" server?

A "send-only" server.


myhostname = myhost.fqdn
relayhost = [smtp.myfai.fqdn]:465

More needless obfuscation.

ok


smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login

Why insist on "login"?  Any reason to not include "plain"?

plain is added


smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs

Only useful with the security level set to "secure" (or "verify", given
equal "*_cert_match" values).

In case of "secure": server certificate verification failed for
smtp.gmx.com[212.227.17.174]:465: num=62:hostname mismatch


smtp_tls_security_level = encrypt
smtp_tls_verify_cert_match = myhost.fqdn

But these have not been fixed.

smtpd_sasl_auth_enable = yes

And this remains in place.

smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = secure

This makes no sense, the Postfix SMTP server only supports
"none", "may" and "encrypt".  This was supposed to be "smtp"
not "smtpd".




Sep 10 08:31:30 pingala postfix/smtp[216476]:
   Trusted TLS connection established to smtp.myfai.fqdn[x.x.x.x]:465:
   TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
   key-exchange X25519 server-signature RSA-PSS (2048 bits)
   server-digest SHA256

This is due to the security level being only "encrypt".  You should
be seeing "Verified" not "Trusted", once your configuration is
correct.

See above: "secure" is impossible up to now


Sep 10 08:31:30 pingala postfix/smtp[216476]: 9A2ECB6DCF: SASL
authentication failed; server smtp.myfai.fqdn[x.x.x.x] said: 535
Authentication credentials invalid

So something was now found in the "smtp_sasl_password_maps" table
matching the relay host, but the ISP did not accept the credentials.
Perhaps they wanted a different mechanism?

Corrected.

Now postfix can send mails only if the sender is me (from my email
address), other senders are rejected by the relayhost. I added :
smtp_generic_maps = hash:/etc/postfix/generic

with /etc/postfix/generic:

r...@pingala.fqdn  myemail-address
@pingala.fqdn        myemail-address

and postfix is able to send emails but all mails come from me even if
the sender is the user John Doe on this machine. Is it possible to
change this?

Thank you for your help.

F.P.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
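An added check (example code written for this thread, not from the poster or the Postfix project) that lints a "postconf -n" style dump for the points raised above: obsolete smtp_use_tls/smtp_enforce_tls, an "smtpd_" level that only exists on the client side, a *_cert_match naming the poster's own host, a CAfile that is never used at level "encrypt", inbound AUTH on a send-only box, and a sasl_passwd lookup key that does not follow the SASL_README key form. The main.cf lines are taken from this thread; the sasl_passwd entry and its credentials are constructed placeholders.

```python
import re
# Constructed sample, not the poster's verbatim files: the main.cf lines this
# thread discusses plus a sasl_passwd entry whose lookup key has the wrong form.
MAIN_CF = """\
myhostname = pingala.fqdn
relayhost = [smtp.gmx.com]:465
smtp_enforce_tls = yes
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = encrypt
smtp_tls_verify_cert_match = pingala.fqdn
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = secure
"""
SASL_PASSWD = "smtp.gmx.com:465 user@example.invalid:placeholder-password\n"
OBSOLETE = {"smtp_use_tls", "smtp_enforce_tls"}  # superseded by smtp_tls_security_level

def parse_postconf(text):
    """'name = value' lines (postconf -n style) -> dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def sasl_keys(text):
    """Lookup keys (first column) of a sasl_passwd source file."""
    return {line.split()[0] for line in text.splitlines() if line.split()}

def lint(conf, keys):
    """Findings for the problems raised in this thread; empty list when clean."""
    out = []
    for name in sorted(OBSOLETE & set(conf)):
        out.append(f"{name}: obsolete, remove it")
    if conf.get("smtpd_tls_security_level") == "secure":
        out.append("smtpd_tls_security_level=secure: server side only knows none/may/encrypt")
    if conf.get("myhostname") and conf.get("smtp_tls_verify_cert_match") == conf.get("myhostname"):
        out.append("smtp_tls_verify_cert_match names your own host, not the relay")
    if conf.get("smtp_tls_security_level") == "encrypt" and "smtp_tls_CAfile" in conf:
        out.append("CAfile set but level is 'encrypt': relay cert is never verified")
    if conf.get("smtpd_sasl_auth_enable") == "yes":
        out.append("smtpd_sasl_auth_enable=yes: inbound AUTH on a send-only server")
    relay = conf.get("relayhost", "")
    # SASL_README: the key is looked up as written in relayhost ([host]:port), then as
    # the bare host name; any other spelling (e.g. host:port) never matches.
    bare = re.sub(r"^\[?([^\]:]+)\]?(:\d+)?$", r"\1", relay)
    if relay and not {relay, bare} & keys:
        out.append(f"no sasl_passwd key matches '{relay}' or '{bare}'")
    return out
```

Run it against the real files with `postconf -n` and the sasl_passwd source (not the .db) piped in; IPv6 literals in relayhost are not handled by the bracket regex.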