[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 11:08 PM Viktor Dukhovni via Postfix-users wrote:

> Well, at this point, post in one message:
>
> - Logging of a submission failure postdating your most recent
>   changes and "postfix restart".
> - Output of: postmap -q au...@domain.name $(postconf -xh smtpd_sender_login_maps)
> - Output of: postconf -nf
> - Output of: postconf -Mf

Taking a break and getting away from a long series of change-this, try-that, etc., I've gone through all of my settings and changes and found a change that included a typo. So, fixing that typo and... it's working.

Thank you for your assistance and patience.

Glenn

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On 2024-03-12 07:08, Viktor Dukhovni via Postfix-users wrote:

> Where is your configuration directory? Are you editing
> "/etc/postfix/main.cf", or /usr/local/etc/postfix/main.cf?
>
> Which "postfix" command are you running, "/usr/sbin/postfix" or
> "/usr/local/sbin/postfix"?
>
> You probably have Postfix both in the base system and from ports. Make
> sure you're editing the files and using the commands from /usr/local...
> And that the Postfix that is running (master process, and service
> daemons) are also the ones from /usr/local/libexec...

If there is postfix not only in /usr/local/, but also in /, there is a big problem. No postfix is supposed to be in / on FreeBSD; it should only be in /usr/local/.

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 10:30:19PM -0700, Glenn Tenney wrote:

> > Right, the missing "client=" is because the message was not accepted,
> > and so no queue id was assigned. It seems this was before the changes
> > to master.cf were made effective.
>
> Ok... that does sound like it's always been this way...
> So, any idea of what's causing that?

As I mentioned, "client=" is logged for messages that are accepted; that wasn't yet the case in the examples you posted. So nothing to see here, move along.

> Just wondering, could it maybe be "-o
> smtpd_sasl_security_options=noanonymous" -- I'm just asking because I
> saw "Anonymous TLS connection established from
> mail-ua1-f50.google.com[209.85.222.50]" in the logs I've sent.

Your intuition is way off base, best to resist the temptation to make guesses. If you don't know, that's fine, no need to waste time chasing shadows, just ask.

> > Well, if you've restarted Postfix after those changes, it should now
> > work (a "reload" should actually suffice, but a restart is harmless for
> > a low-volume personal server).
>
> Oh, I always do "sudo postmap main.cf" when editing it and then, again
> always, do "sudo service postfix restart" after every change before
> every test.

That's pointless, "main.cf" is not a table that needs to be indexed. What you should be running through "postmap" is the various "hash:" or "btree", ... tables defined in your configuration, after changing the source file.

Well, at this point, post in one message:

- Logging of a submission failure postdating your most recent
  changes and "postfix restart".
- Output of: postmap -q au...@domain.name $(postconf -xh smtpd_sender_login_maps)
- Output of: postconf -nf
- Output of: postconf -Mf

And do double-check that the (I assume obfuscated in your posts) "auser" in the log entries match the lookup key used in the postmap query, and the reported value matches the logged mismatch.

    Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE: reject:
    RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1 :
    Sender address rejected:

That's the envelope sender address that should be the lookup key in your table.

    not owned by user auser;

That's the authenticated SASL user name that should be the corresponding value.

    from= to= proto=ESMTP helo=

This is just context. Clearly the lookup table did NOT return "auser" for that address, otherwise the message would not have been rejected as a sender-login mismatch.

Where is your configuration directory? Are you editing "/etc/postfix/main.cf", or /usr/local/etc/postfix/main.cf?

Which "postfix" command are you running, "/usr/sbin/postfix" or "/usr/local/sbin/postfix"?

You probably have Postfix both in the base system and from ports. Make sure you're editing the files and using the commands from /usr/local... And that the Postfix that is running (master process, and service daemons) are also the ones from /usr/local/libexec...

--
Viktor.
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 10:07 PM Viktor Dukhovni via Postfix-users wrote:

> > I truly have no clue why my maillog is so different than yours. I set
> > "smtpd_tls_loglevel = 2" and here's the log (on the machine running
> > postfix @ domain.name) from gmail connecting, and logging in as
> > "auser" and then trying to send an email as "auser" back to me here at
> > gmail:
>
> So you decided to add more hay to stack to hide the needle? :-)
> Best to set the log level back to 1.

I figured that maybe level 2 would give me "client" and if not, that it might show you something more helpful. Back to 1...

> > Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE:
> > reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1
> > : Sender address rejected: not owned by user auser;
> > from= to= proto=ESMTP
> > helo=
>
> Right, the missing "client=" is because the message was not accepted,
> and so no queue id was assigned. It seems this was before the changes
> to master.cf were made effective.

Ok... that does sound like it's always been this way... So, any idea of what's causing that? Just wondering, could it maybe be "-o smtpd_sasl_security_options=noanonymous" -- I'm just asking because I saw "Anonymous TLS connection established from mail-ua1-f50.google.com[209.85.222.50]" in the logs I've sent. But any ideas for me to try are most gladly appreciated.

> Well, if you've restarted Postfix after those changes, it should now
> work (a "reload" should actually suffice, but a restart is harmless for
> a low-volume personal server).

Oh, I always do "sudo postmap main.cf" when editing it and then, again always, do "sudo service postfix restart" after every change before every test.

Thanks
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 07:50:22PM -0700, Glenn Tenney via Postfix-users wrote:

> > You should also remove the "smtpd_sasl_auth_enable = yes" from
> > "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
> > in main.cf set:
>
> No "mail.cf", but only "-o" is left...

I meant "main.cf" of course...

> > Well, it has to be there, unless your syslog configuration filters it
> > out. Here's an example (long line folded) from my system:
> >
> > Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
> > 00D8B893CE0: client=, sasl_method=,
> > sasl_username=
>
> I truly have no clue why my maillog is so different than yours. I set
> "smtpd_tls_loglevel = 2" and here's the log (on the machine running
> postfix @ domain.name) from gmail connecting, and logging in as
> "auser" and then trying to send an email as "auser" back to me here at
> gmail:

So you decided to add more hay to stack to hide the needle? :-) Best to set the log level back to 1.

> Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE:
> reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1
> : Sender address rejected: not owned by user auser;
> from= to= proto=ESMTP
> helo=

Right, the missing "client=" is because the message was not accepted, and so no queue id was assigned. It seems this was before the changes to master.cf were made effective.

> And with all of the various changes made, here's the most recent postconf -Mf
>
> smtp       inet  n  -  y  -  -  smtpd
> submission inet  n  -  n  -  -  smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_wrappermode=no
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_sasl_security_options=noanonymous
>     -o smtpd_sasl_local_domain=$myhostname
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o smtpd_sender_restrictions=reject_sender_login_mismatch

Well, if you've restarted Postfix after those changes, it should now work (a "reload" should actually suffice, but a restart is harmless for a low-volume personal server).

--
Viktor.
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 5:13 PM Viktor Dukhovni via Postfix-users wrote:

thanks for your patience with me and your help!

> The reject message in your original post was:
>
> Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
> reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
> : Sender address rejected: not owned by user auser;
> from= to=
> proto=ESMTP helo=
>
> Which means that the lookup key "au...@domain.name" does not in fact map
> to "auser" in the indexed (hash table) file:
>
> You can examine the hash table with:
> postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

Here are the results... To me it would sure seem that au...@domain.name does map to auser and vice-versa.

    % postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin
    auser
    % postmap -q auser hash:/usr/local/etc/postfix/senderlogin
    au...@domain.name

> Which explains the source of the problem. Just remove that erroneous
> setting. The virtual(5) alias table is not your sender -> sasl login
> table.

done

> You should also remove the "smtpd_sasl_auth_enable = yes" from
> "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and
> in main.cf set:

No "mail.cf", but only "-o" is left...

> Also in the above submission service set:
> smtpd_tls_security_level=encrypt

done

BUT the problem remains...

> > I don't see "client=" anywhere in the logs...
>
> Well, it has to be there, unless your syslog configuration filters it
> out. Here's an example (long line folded) from my system:
>
> Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
> 00D8B893CE0: client=, sasl_method=,
> sasl_username=

I truly have no clue why my maillog is so different than yours. I set "smtpd_tls_loglevel = 2" and here's the log (on the machine running postfix @ domain.name) from gmail connecting, and logging in as "auser" and then trying to send an email as "auser" back to me here at gmail:

    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: initializing the server-side TLS engine
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: connect from mail-ua1-f50.google.com[209.85.222.50]
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: setting up TLS connection from mail-ua1-f50.google.com[209.85.222.50]
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: mail-ua1-f50.google.com[209.85.222.50]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH"
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:before SSL initialization
    Mar 11 18:57:11 MACHINE syslogd: last message repeated 1 times
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS read client hello
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write server hello
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write change cipher spec
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:TLSv1.3 write encrypted extensions
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write certificate
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:TLSv1.3 write server certificate verify
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write finished
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:TLSv1.3 early data
    Mar 11 18:57:11 MACHINE syslogd: last message repeated 1 times
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS read finished
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: mail-ua1-f50.google.com[209.85.222.50]: Issuing session ticket, key expiration: 1710210430
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: SSL_accept:SSLv3/TLS write session ticket
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: Anonymous TLS connection established from mail-ua1-f50.google.com[209.85.222.50]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
    Mar 11 18:57:11 MACHINE postfix/submission/smtpd[40225]: NOQUEUE: reject: RCPT from mail-ua1-f50.google.com[209.85.222.50]: 553 5.7.1 : Sender address rejected: not owned by user auser; from= to= proto=ESMTP helo=
    Mar 11 18:57:12 MACHINE postfix/submission/smtpd[40225]: disconnect from mail-ua1-f50.google.com[209.85.222.50] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=6/8

And with all of the various changes made, here's the most recent postconf -Mf

    smtp       inet  n  -  y  -  -  smtpd
    submission inet  n  -  n  -  -  smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_wrappermode=no
        -o smtpd_tls_security_level=may
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authentic
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 03:17:01PM -0700, Glenn Tenney via Postfix-users wrote:

> So, the actual SASL login is "auser"? (which is what I've told gmail
> to use to login)

I don't know what it is, the logs will tell the true story. Please post both the "client=" and the "reject:" log entries for one of the failed attempts from Gmail to use your server as an outbound relay.

> > No, the issue is the content of your sender login table.
>
> My current guess is that the virtual or senderlogin files are wrong
> and that's my problem...

The actual problem was stated above, I'm puzzled why you're still "guessing"...

> Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:
> # senderlogin
> au...@domain.name auser
> au...@machine.domain.name auser

The reject message in your original post was:

    Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
    reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
    : Sender address rejected: not owned by user auser;
    from= to= proto=ESMTP helo=

Which means that the lookup key "au...@domain.name" does not in fact map to "auser" in the indexed (hash table) file:

    smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

You can examine the hash table with:

    postmap -q au...@domain.name hash:/usr/local/etc/postfix/senderlogin

> And here's /etc/virtual (again, my best guess of what it should be)

Irrelevant to the reported problem.

> > If you post also the "client=" log entry for the transaction of
> > interest, the "postconf -Mf" output and the content of the sender login
> > table, more help will be possible.
>
> I don't see "client=" anywhere in the logs... but here's the "postconf
> -Mf" after making the changes you suggested above:

Well, it has to be there, unless your syslog configuration filters it out. Here's an example (long line folded) from my system:

    Mar 10 18:28:39 amnesiac postfix/submission/smtpd[555754]:
    00D8B893CE0: client=, sasl_method=,
    sasl_username=

> submission inet  n  -  n  -  -  smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_wrappermode=no
>     -o smtpd_tls_security_level=may
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_sasl_security_options=noanonymous
>     -o smtpd_sasl_local_domain=$myhostname
>     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>     -o smtpd_sender_login_maps=hash:/etc/virtual
>     -o smtpd_sender_restrictions=reject_sender_login_mismatch

This is where you're requiring the envelope sender address to match the expected login, and have for no particular reason included:

>     -o smtpd_sender_login_maps=hash:/etc/virtual

Which explains the source of the problem. Just remove that erroneous setting. The virtual(5) alias table is not your sender -> sasl login table.

You should also remove the "smtpd_sasl_auth_enable = yes" from "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and in main.cf set:

    smtpd_tls_auth_only = yes

Also in the above submission service set:

    smtpd_tls_security_level=encrypt

(not "may").

--
Viktor.
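Viktor's reading of the reject line, here and in his later reply where he annotates it piece by piece (the envelope sender is the lookup key, the SASL login is the expected value, and the virtual(5) alias table returns addresses rather than logins), can be reproduced offline. The following is an added example, not code from the thread or from Postfix: it parses a text sender-login table, applies the lookup order documented in postconf(5) for smtpd_sender_login_maps (user@domain, then bare user when the domain is local, then @domain), extracts the sender and login from a reject line, and reports whether reject_sender_login_mismatch would fire. The two tables, the un-obfuscated addresses, the bracketed log fields and the local-domain list are constructed for the example; the case-insensitive comparison is an assumption of the example, and `postmap -q` against the real indexed file remains the authoritative check.

```python
"""Simulate the smtpd_sender_login_maps lookup and the
reject_sender_login_mismatch decision against a text sender-login table.

Added example (not Postfix code): the lookup order follows postconf(5),
the comparison rules are simplified, and all sample data is constructed.
"""
import re

# Constructed tables. SENDERLOGIN has the shape of the table posted in the
# thread; VIRTUAL mimics a virtual(5) alias table, which maps addresses to
# addresses, not to SASL logins, and so is the wrong table for this job.
SENDERLOGIN = """\
# senderlogin
auser@domain.name          auser
auser@machine.domain.name  auser
"""
VIRTUAL = """\
# virtual
auser@domain.name         auser@domain.name
anotheruser@domain.name   auser@domain.name
auser                     auser@domain.name
"""

# Constructed log line in the shape of the reject quoted in the thread, with
# the bracketed fields (stripped by the archive) filled in with sample values.
REJECT_LINE = (
    "Mar  8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE: reject: "
    "RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1 "
    "<auser@domain.name>: Sender address rejected: not owned by user auser; "
    "from=<auser@domain.name> to=<someone@gmail.com> proto=ESMTP "
    "helo=<mail-oo1-f41.google.com>"
)

REJECT_RE = re.compile(r"not owned by user (?P<login>\S+);.*?from=<(?P<sender>[^>]*)>")


def parse_table(text):
    """Parse a postmap(1) text source: 'key value', '#' comments, and
    whitespace-led lines continuing the previous entry. Keys are lowercased;
    values are split on commas/whitespace into a list of logins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        parts = line.split(None, 1)
        value = parts[1] if len(parts) > 1 else ""
        entries[parts[0].lower()] = [v for v in re.split(r"[\s,]+", value) if v]
    return entries


def lookup_owners(table, sender, local_domains=()):
    """Search order from postconf(5) for smtpd_sender_login_maps:
    user@domain, then bare user (only when the domain is local), then @domain.
    Returns the list of owning logins, or None when the sender is unowned."""
    sender = sender.lower()
    user, _, domain = sender.partition("@")
    keys = [sender]
    if domain in {d.lower() for d in local_domains}:  # assumption: caller supplies local domains
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_login_mismatch(table, sender, sasl_username, local_domains=()):
    """True when reject_sender_login_mismatch would fire: the sender has owners
    and the authenticated login is not one of them. Unowned senders are not
    rejected by the _mismatch variant (that is the job of the _owner variants)."""
    owners = lookup_owners(table, sender, local_domains)
    if owners is None:
        return False
    return sasl_username.lower() not in {o.lower() for o in owners}


def explain_reject(line, table, local_domains=()):
    """Pull the SASL login and envelope sender out of a reject line and show
    what the given table returns for that sender, i.e. what to compare the
    'postmap -q' output against."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    sender, login = m["sender"], m["login"]
    return {"sender": sender, "login": login,
            "owners": lookup_owners(table, sender, local_domains),
            "mismatch": sender_login_mismatch(table, sender, login, local_domains)}


if __name__ == "__main__":
    for name, text in (("senderlogin", SENDERLOGIN), ("virtual", VIRTUAL)):
        print(name, explain_reject(REJECT_LINE, parse_table(text)))
```

Run stand-alone it shows the two outcomes side by side: against the senderlogin table the sender resolves to `auser` and there is no mismatch, while against the virtual table the lookup returns `auser@domain.name`, which is not the login `auser`, so the same message is rejected exactly as in the posted log.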
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, Mar 11, 2024 at 1:09 AM Viktor Dukhovni via Postfix-users wrote:

> You've implemented smtpd_sender_login_maps and
> reject_sender_login_mismatch or an equivalent variant, but the entry
> for that sender address does list the actual SASL login used (which
> is shown in an earlier log entry for the same SMTP transaction).

Thank you Viktor!

So, the actual SASL login is "auser"? (which is what I've told gmail to use to login)

> > I'm guessing that the issue is that postfix/dovecot sees only "auser"
> > and if instead it saw "au...@domain.name" it would work, but I
> > couldn't find any way to be able to login that way.
>
> No, the issue is the content of your sender login table.

My current guess is that the virtual or senderlogin files are wrong and that's my problem... These were my best guess as to what should be in those files, but I doubt that's correct... but I don't know what it should be.

Sorry, I forgot to include the contents of my smtpd_sender_login_maps file:

    # senderlogin
    au...@domain.name auser
    au...@machine.domain.name auser

And here's /etc/virtual (again, my best guess of what it should be)

    # virtual
    au...@domain.name au...@domain.name
    aotheru...@domain.name au...@domain.name # in case I could have anotheruser send as auser
    auser au...@domain.name

> > (2) Postfix sends to gmail, but does not encrypt when sending.
>
> You need to enable outbound STARTTLS, possibly mandatory for
> "smtp.gmail.com", ideally even with certificate checks, to avoid leaking
> the account password in case of an MiTM attack. Is this submission
> traffic, or traffic to random gmail users?

I'd prefer that whenever possible, my emails get sent (directly from this machine) encrypted. Sending to gmail is my test case since the received email clearly says if it's not encrypted.

> Missing "smtp_tls_security_level = may". And if doing submission via
> GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587",
> though it is not yet clear how you route mail to the GMail submission
> service.

(this server will send directly)

Ah I just literally forgot that smtp and smtpd are two different directions :-) And, it now does send encrypted to gmail. I haven't yet tested if it can send unencrypted if need be, but I suspect that just adding the correct smtp setting for "may" fixed it! Thank you! That issue is now fixed (cockpit error on my part!)

> This (combined with unposted definitions, postconf -Mf, of the
> submission services in master.cf) is the source of breakage in #1.
> ...
> If you post also the "client=" log entry for the transaction of
> interest, the "postconf -Mf" output and the content of the sender login
> table, more help will be possible.

I don't see "client=" anywhere in the logs... but here's the "postconf -Mf" after making the changes you suggested above:

    smtp       inet  n  -  y  -      -  smtpd
    submission inet  n  -  n  -      -  smtpd
        -o syslog_name=postfix/submission
        -o smtpd_tls_wrappermode=no
        -o smtpd_tls_security_level=may
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth
        -o smtpd_sasl_security_options=noanonymous
        -o smtpd_sasl_local_domain=$myhostname
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_sender_login_maps=hash:/etc/virtual
        -o smtpd_sender_restrictions=reject_sender_login_mismatch
    pickup     unix  n  -  n  60     1  pickup
    cleanup    unix  n  -  n  -      0  cleanup
    qmgr       unix  n  -  n  300    1  qmgr
    tlsmgr     unix  -  -  n  1000?  1  tlsmgr
    rewrite    unix  -  -  n  -      -  trivial-rewrite
    bounce     unix  -  -  n  -      0  bounce
    defer      unix  -  -  n  -      0  bounce
    trace      unix  -  -  n  -      0  bounce
    verify     unix  -  -  n  -      1  verify
    flush      unix  n  -  n  1000?  0  flush
    proxymap   unix  -  -  n  -      -  proxymap
    proxywrite unix  -  -  n  -      1  proxymap
    smtp       unix  -  -  n  -      -  smtp
    relay      unix  -  -  n  -      -  smtp
        -o syslog_name=postfix/$service_name
    showq      unix  n  -  n  -      -  showq
    error      unix  -  -  n  -      -  error
    retry      unix  -  -  n  -      -  error
    discard    unix  -  -  n  -      -  discard
    local      unix  -  n  n  -      -  local
    virtual    unix  -  n  n  -      -  virtual
    lmtp       unix  -  -  n  -      -  lmtp
    anvil
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Mon, 2024-03-11 at 08:57 +0100, Alexander Leidinger via Postfix-users wrote:

> On 2024-03-11 05:19, Glenn Tenney via Postfix-users wrote:
>
> > (2) Postfix sends to gmail, but does not encrypt when sending.
>
> You only tell the receiving side of postfix to set the encrypt level to
> "may". For the sending side you do not have such a setting:
> smtp_tls_security_level = ...

To Glenn: In addition, *smtp_tls_policy_maps* is good for detailed settings:
https://www.postfix.org/TLS_README.html#client_tls_encrypt

> Maybe you also want to set the TLS protocols for the sending side
> (sending and receiving side have different config options, "smtp_..."
> vs "smtpd_..."):
> smtp_tls_protocols = ...
>
> > smtp_tls_CApath = /etc/ssl/certs
> > smtp_tls_loglevel = 1
> > smtpd_tls_cert_file =
> > /usr/local/etc/letsencrypt/live/domain.name/fullchain.pem
> > smtpd_tls_key_file =
> > /usr/local/etc/letsencrypt/live/domain.name/privkey.pem
> > smtpd_tls_protocols = !SSLv2, !SSLv3
> > smtpd_tls_security_level = may
> > smtpd_use_tls = yes
>
> Bye,
> Alexander.

Thanks,
Byunghee from South Korea
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On Sun, Mar 10, 2024 at 09:19:09PM -0700, Glenn Tenney via Postfix-users wrote:

> Gmail can login to the imap as "auser", but... when it tries to send
> as "au...@domain.name" I get the following error:
>
> Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE:
> reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 553 5.7.1
> : Sender address rejected: not owned by user auser;
> from= to=
> proto=ESMTP helo=

You've implemented smtpd_sender_login_maps and reject_sender_login_mismatch or an equivalent variant, but the entry for that sender address does list the actual SASL login used (which is shown in an earlier log entry for the same SMTP transaction).

> I'm guessing that the issue is that postfix/dovecot sees only "auser"
> and if instead it saw "au...@domain.name" it would work, but I
> couldn't find any way to be able to login that way.

No, the issue is the content of your sender login table.

> (2) Postfix sends to gmail, but does not encrypt when sending.

You need to enable outbound STARTTLS, possibly mandatory for "smtp.gmail.com", ideally even with certificate checks, to avoid leaking the account password in case of an MiTM attack. Is this submission traffic, or traffic to random gmail users?

> shlib_directory = /usr/local/lib/postfix
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1

Missing "smtp_tls_security_level = may". And if doing submission via GMail, ideally also a TLS policy table entry for "[smtp.gmail.com]:587", though it is not yet clear how you route mail to the GMail submission service.

> smtpd_sasl_auth_enable = yes

Best done only for the TLS submission ports, in master.cf and left disabled on port 25.

> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/senderlogin

This (combined with unposted definitions, postconf -Mf, of the submission services in master.cf) is the source of breakage in #1.

> smtpd_tls_protocols = !SSLv2, !SSLv3

Just use the default.

> smtpd_tls_security_level = may
> smtpd_use_tls = yes

The second is redundant and obsolete (deprecated).

If you post also the "client=" log entry for the transaction of interest, the "postconf -Mf" output and the content of the sender login table, more help will be possible.

--
Viktor.
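The configuration points Viktor raises in this reply and in his later ones (enable SASL per service on submission and leave it off on port 25, set smtp_tls_security_level so outbound mail is not sent in the clear, drop the obsolete smtpd_use_tls, set smtpd_tls_auth_only = yes in main.cf and smtpd_tls_security_level=encrypt on the submission service, and never point smtpd_sender_login_maps at the virtual alias table) can all be checked mechanically over `postconf -Mf` and `postconf -n` output. The following is an added example, not code from the thread or from Postfix: it parses both outputs and emits a finding per violated point. The two sample outputs are constructed to resemble the configuration posted in the thread; the finding codes and the "virtual"-in-table-name heuristic are this example's own.

```python
"""Lint postconf -Mf (master.cf services) and postconf -n (main.cf) output
for the submission/TLS points discussed in the thread.

Added example (not Postfix code). The sample outputs are constructed;
the finding codes and the "virtual" table-name heuristic are the example's own.
"""
import re

MASTER_CF = """\
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sender_login_maps=hash:/etc/virtual
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
pickup     unix  n       -       n       60      1       pickup
"""
MAIN_CF = """\
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
"""

FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")


def parse_master(text):
    """postconf -Mf prints one 8-column header line per service, followed by
    indented '-o name=value' override lines. Returns {(service, type): {...}}."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m and current is not None:
                current["options"][m.group(1)] = m.group(2).strip()
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError("malformed service line: " + raw)
        current = dict(zip(FIELDS, cols[:7]), command=" ".join(cols[7:]), options={})
        services[(current["service"], current["type"])] = current
    return services


def parse_main(text):
    """postconf -n prints 'name = value' per line."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out


def lint(services, main):
    """Return [(code, message)] for each violated point. A service-level '-o'
    override wins over main.cf, which is how Postfix resolves them."""
    findings = []
    sub = services.get(("submission", "inet"))
    port25 = services.get(("smtp", "inet"))
    if sub is None:
        findings.append(("NO_SUBMISSION", "no submission inet service defined"))
    else:
        opts = sub["options"]
        if opts.get("smtpd_sasl_auth_enable", main.get("smtpd_sasl_auth_enable")) != "yes":
            findings.append(("SASL_OFF_SUBMISSION", "SASL is not enabled on the submission service"))
        if opts.get("smtpd_tls_security_level", main.get("smtpd_tls_security_level")) != "encrypt":
            findings.append(("SUBMISSION_TLS_NOT_ENCRYPT",
                             "submission should set smtpd_tls_security_level=encrypt, not may"))
        maps = opts.get("smtpd_sender_login_maps", main.get("smtpd_sender_login_maps", ""))
        if "virtual" in maps:  # heuristic: a virtual(5) alias table maps addresses, not logins
            findings.append(("LOGIN_MAPS_IS_VIRTUAL", "smtpd_sender_login_maps points at a virtual table: " + maps))
    if port25 is not None:
        if port25["options"].get("smtpd_sasl_auth_enable", main.get("smtpd_sasl_auth_enable")) == "yes":
            findings.append(("SASL_ON_PORT25", "SASL is enabled on port 25; enable it per service in master.cf instead"))
    if main.get("smtp_tls_security_level", "") in ("", "none"):
        findings.append(("NO_OUTBOUND_TLS", "smtp_tls_security_level is unset: outbound mail goes out in the clear"))
    if main.get("smtpd_tls_auth_only") != "yes":
        findings.append(("AUTH_WITHOUT_TLS", "smtpd_tls_auth_only is not yes: AUTH may be offered before STARTTLS"))
    if "smtpd_use_tls" in main:
        findings.append(("DEPRECATED_USE_TLS", "smtpd_use_tls is obsolete; smtpd_tls_security_level replaces it"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_master(MASTER_CF), parse_main(MAIN_CF)):
        print(f"{code}: {msg}")
```

Against the constructed sample the linter reports six findings and no `SASL_OFF_SUBMISSION`; applying the thread's fixes (encrypt on submission, the senderlogin table instead of /etc/virtual, `smtp_tls_security_level = may` and `smtpd_tls_auth_only = yes` in main.cf, `smtpd_sasl_auth_enable` and `smtpd_use_tls` removed from main.cf) brings it to an empty list.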
[pfx] Re: Postfix + Dovecot FreeBSD - a problem
On 2024-03-11 05:19, Glenn Tenney via Postfix-users wrote:

> (2) Postfix sends to gmail, but does not encrypt when sending.

You only tell the receiving side of postfix to set the encrypt level to "may". For the sending side you do not have such a setting:

    smtp_tls_security_level = ...

Maybe you also want to set the TLS protocols for the sending side (sending and receiving side have different config options, "smtp_..." vs "smtpd_..."):

    smtp_tls_protocols = ...

> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_loglevel = 1
> smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/domain.name/fullchain.pem
> smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/domain.name/privkey.pem
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_security_level = may
> smtpd_use_tls = yes

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF