Re: [AMaViS-user] DKIM: SMTP-AUTH not signed

2008-11-19 Thread Ihsan Dogan
Hello,

On 19.11.2008 at 17:59, Mark Martinec wrote:

>> If a mail comes in through SMTP-AUTH it also goes through amavisfeed.
>>
>> I've made these settings:
>>
>> smtpd_client_restrictions =
>>   check_client_access pcre:/etc/postfix/filter_outbound
>>   permit_mynetworks
>>   permit_sasl_authenticated
>>   check_client_access pcre:/etc/postfix/filter_inbound
> 
> So far so good. Within smtpd_client_restrictions the filter_outbound
> will apply if mail is from mynetworks or is sasl_authenticated.

It was my mistake. I'm normally using the Submission port, which is not
covered here. DKIM signing through the regular smtp port works fine now.

For the submission port, I've added this to master.cf:
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavisauth:[127.0.0.1]:10026

Mark, thank you very much for your help.




Ihsan

-- 
[EMAIL PROTECTED]   http://blog.dogan.ch/

-
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 


Re: [AMaViS-user] DKIM: SMTP-AUTH not signed

2008-11-19 Thread Mark Martinec
Ihsan,

> I've set that up, but something is not working right:
>
> Nov 19 16:20:25 bender postfix/smtpd[27979]: [ID 197553 mail.info]
> NOQUEUE: filter: RCPT from mx1.cnd-ag.ch[82.197.176.19]:
> : Client host triggers FILTER
> amavisauth:[127.0.0.1]:10026; from=<[EMAIL PROTECTED]>
> to=<[EMAIL PROTECTED]> proto=ESMTP helo=
>
> Nov 19 16:20:25 bender postfix/smtpd[27979]: [ID 197553 mail.info]
> NOQUEUE: filter: RCPT from mx1.cnd-ag.ch[82.197.176.19]:
> : Client host triggers FILTER
> amavisfeed:[127.0.0.1]:10024; from=<[EMAIL PROTECTED]>
> to=<[EMAIL PROTECTED]> proto=ESMTP helo=
>
> When I receive an e-mail, it seems that it triggers on both, but it
> selects amavisfeed.

When multiple postfix restrictions are triggered and each specifies
its own FILTER, the last one applied prevails.

> If a mail comes in through SMTP-AUTH it also goes through amavisfeed.
>
> I've made these settings:
>
> smtpd_client_restrictions =
>   check_client_access pcre:/etc/postfix/filter_outbound
>   permit_mynetworks
>   permit_sasl_authenticated
>   check_client_access pcre:/etc/postfix/filter_inbound

So far so good. Within smtpd_client_restrictions the filter_outbound
will apply if mail is from mynetworks or is sasl_authenticated.

Are you sure the 82.197.176.19 is either in postfix' mynetworks
or the client was SASL authenticated? It doesn't look that way.

After smtpd_client_restrictions there come other smtp restrictions,
make sure they do not replace the FILTER with their own choice.

> I've disabled the content_filter for that.
>
> I have to admit, that I'm using permit_sasl_authenticated on different
> places:
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> smtpd_helo_restrictions = permit_sasl_authenticated,
> smtpd_sender_restrictions = permit_sasl_authenticated,

That should be alright, as long as you do not have some other
restriction specifying a FILTER.

  Mark
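
The "last FILTER prevails" rule described in this reply can be checked against the smtpd log. The following is an added example, not part of the original thread: it groups "triggers FILTER" lines per delivery attempt and reports which filter ends up in effect. The sample log lines are constructed, and grouping by smtpd PID, client, sender and recipient is an assumption made for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample lines modelled on the smtpd log format quoted in the thread;
# host names, addresses and PIDs are placeholders, not values from the thread.
SAMPLE_LOG = """\
Nov 19 16:20:25 mail postfix/smtpd[27979]: connect from relay.example.net[192.0.2.10]
Nov 19 16:20:25 mail postfix/smtpd[27979]: NOQUEUE: filter: RCPT from relay.example.net[192.0.2.10]: <relay.example.net[192.0.2.10]>: Client host triggers FILTER amavisauth:[127.0.0.1]:10026; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<relay.example.net>
Nov 19 16:20:25 mail postfix/smtpd[27979]: NOQUEUE: filter: RCPT from relay.example.net[192.0.2.10]: <relay.example.net[192.0.2.10]>: Client host triggers FILTER amavisfeed:[127.0.0.1]:10024; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<relay.example.net>
Nov 19 16:21:02 mail postfix/smtpd[28001]: NOQUEUE: filter: RCPT from laptop.example.org[198.51.100.7]: <laptop.example.org[198.51.100.7]>: Client host triggers FILTER amavisauth:[127.0.0.1]:10026; from=<c@example.com> to=<d@example.net> proto=ESMTP helo=<laptop>
"""

FILTER_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]:.*?NOQUEUE: filter: RCPT from (?P<client>\S+?):"
    r".*? triggers FILTER (?P<dest>\S+?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def effective_filters(log_text, signing_port="10026"):
    """Return one record per (pid, client, sender, rcpt) with the FILTER that wins."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            key = (m["pid"], m["client"], m["sender"], m["rcpt"])
            sessions.setdefault(key, []).append(m["dest"])
    report = []
    for (pid, client, sender, rcpt), dests in sessions.items():
        # Destinations on the amavisd port that carries the ORIGINATING policy bank
        wanted = [d for d in dests if d.endswith(":" + signing_port)]
        report.append({
            "client": client,
            "rcpt": rcpt,
            "triggered": dests,
            "effective": dests[-1],  # the last FILTER applied prevails
            # True when the signing filter fired but a later FILTER replaced it
            "signing_overridden": bool(wanted) and dests[-1] not in wanted,
        })
    return report

if __name__ == "__main__":
    for rec in effective_filters(SAMPLE_LOG):
        flag = "OVERRIDDEN" if rec["signing_overridden"] else "ok"
        print(f'{rec["client"]} -> {rec["effective"]} [{flag}]')
```

A record flagged as overridden means the mail is handed to the non-signing port even though the outbound filter matched, which is the symptom reported in this thread.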



Re: [AMaViS-user] DKIM: SMTP-AUTH not signed

2008-11-19 Thread Ihsan Dogan
Hello Martin,

On 19.11.2008 at 15:10, Mark Martinec wrote:

>>> Any mail which MTA will pass to a filter on port 10026 (but not on 10024)
>>> will now be eligible for DKIM signing. This is useful for mail submitted
>>> from authenticated roaming clients which have foreign IP addresses.
>>>
>>> See also:
>>>   http://marc.info/?l=postfix-users&m=122658465804423
> 
>>> pickup    fifo  n   -   n   60  1   pickup
>>>   -o content_filter=amavisfeed:[127.0.0.1]:10026
>> I would prefer this solution more, but SASL authenticated mail is
>> normally not handled by pickup. Is there a way, to put the 'originating'
>> flag to SASL authenticated mails?
> 
> Just follow the combined advice from mouss and me in the
> referenced Postfix thread, it covers mail from SASL authenticated
> and from local networks.

I'm sorry, I haven't read carefully enough.

I've set that up, but something is not working right:

Nov 19 16:20:25 bender postfix/smtpd[27979]: [ID 197553 mail.info]
NOQUEUE: filter: RCPT from mx1.cnd-ag.ch[82.197.176.19]:
: Client host triggers FILTER
amavisauth:[127.0.0.1]:10026; from=<[EMAIL PROTECTED]>
to=<[EMAIL PROTECTED]> proto=ESMTP helo=

Nov 19 16:20:25 bender postfix/smtpd[27979]: [ID 197553 mail.info]
NOQUEUE: filter: RCPT from mx1.cnd-ag.ch[82.197.176.19]:
: Client host triggers FILTER
amavisfeed:[127.0.0.1]:10024; from=<[EMAIL PROTECTED]>
to=<[EMAIL PROTECTED]> proto=ESMTP helo=

When I receive an e-mail, it seems that it triggers on both, but it
selects amavisfeed.

If a mail comes in through SMTP-AUTH it also goes through amavisfeed.

I've made these settings:

smtpd_client_restrictions =
  check_client_access pcre:/etc/postfix/filter_outbound
  permit_mynetworks
  permit_sasl_authenticated
  check_client_access pcre:/etc/postfix/filter_inbound


I've disabled the content_filter for that.

I have to admit, that I'm using permit_sasl_authenticated on different
places:
smtpd_recipient_restrictions = permit_sasl_authenticated,
smtpd_helo_restrictions = permit_sasl_authenticated,
smtpd_sender_restrictions = permit_sasl_authenticated,




Ihsan


-- 
[EMAIL PROTECTED]   http://blog.dogan.ch/



Re: [AMaViS-user] DKIM: SMTP-AUTH not signed

2008-11-19 Thread Mark Martinec
Ihsan,

> > Any mail which MTA will pass to a filter on port 10026 (but not on 10024)
> > will now be eligible for DKIM signing. This is useful for mail submitted
> > from authenticated roaming clients which have foreign IP addresses.
> >
> > See also:
> >   http://marc.info/?l=postfix-users&m=122658465804423

> > pickup    fifo  n   -   n   60  1   pickup
> >   -o content_filter=amavisfeed:[127.0.0.1]:10026
>
> I would prefer this solution more, but SASL authenticated mail is
> normally not handled by pickup. Is there a way, to put the 'originating'
> flag to SASL authenticated mails?

Just follow the combined advice from mouss and me in the
referenced Postfix thread, it covers mail from SASL authenticated
and from local networks.

The 'pickup ... -o conte...' entry is IN ADDITION to the above,
to also cover mail submitted through sendmail/pickup directly
on the mailer host.

  Mark



Re: [AMaViS-user] DKIM: SMTP-AUTH not signed

2008-11-19 Thread Ihsan Dogan
Hello Mark,

On 19.11.2008 at 13:11, Mark Martinec wrote:

>> DKIM works for me so far. If I send an e-mail through the webmail
>> interface, the E-Mail is signed.
>> If I send an e-mail with a regular client, which is authenticated with
>> SMTP-AUTH, the mail is not signed.
>> Is it possible to catch these mails as well?
>
> 'originating' flag must be on to permit DKIM signing.

Ok.

[...]

> A more general way of turning up the 'originating' flag is through a
> policy bank, e.g.:
>
> $inet_socket_port = [10024,10026];
>
> $interface_policy{'10026'} = 'ORIGINATING';
>
> $policy_bank{'ORIGINATING'} = {  # mail originating from our users
>   originating => 1,
> # force MTA conversion to 7-bit before DKIM signing
> # to avoid later conversions, destroying signature:
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
> };
>
> Any mail which MTA will pass to a filter on port 10026 (but not on 10024)
> will now be eligible for DKIM signing. This is useful for mail submitted
> from authenticated roaming clients which have foreign IP addresses.
>
>
> pickup    fifo  n   -   n   60  1   pickup
>   -o content_filter=amavisfeed:[127.0.0.1]:10026

I would prefer this solution more, but SASL authenticated mail is
normally not handled by pickup. Is there a way, to put the 'originating'
flag to SASL authenticated mails?



Ihsan

-- 
[EMAIL PROTECTED]   http://blog.dogan.ch/



Re: [AMaViS-user] DKIM: SMTP-AUTH not signed

2008-11-19 Thread Mark Martinec
Ihsan,

> DKIM works for me so far. If I send an e-mail through the webmail
> interface, the E-Mail is signed.
> If I send an e-mail with a regular client, which is authenticated with
> SMTP-AUTH, the mail is not signed.
> Is it possible to catch these mails as well?

'originating' flag must be on to permit DKIM signing.

The simplest way of turning 'originating' on is implicitly,
when the sending client's IP address matches the @mynetworks list.

In your case inserting a 0.0.0.0 into @mynetworks list would
probably solve the issue of mail submitted through pickup:

2.4.5 release notes:

- for the purpose of looking up client IP address in @mynetworks_maps,
  treat unknown/unavailable IP address as 0.0.0.0;  this allows treating
  directly submitted mail on the MTA host (not submitted through SMTP) as
  coming from IP address 0.0.0.0 (i.e. "This" Network - according to RFC 1700);

  Note that this is indistinguishable from other reasons when IP address
  is not made available to amavisd, e.g. when smtp_send_xforward_command
  option in Postfix smtp service is not enabled, which is why the default
  setting of @mynetworks does not include a 0.0.0.0/8 network to prevent
  unintentionally loading a MYNETS policy bank.

  One should add 0.0.0.0/8 to a @mynetworks list only when XFORWARD is known
  to work and if some software on the MTA host is submitting its mail to MTA
  directly, e.g. through a sendmail mail submission command (or its lookalike),
  and MYNETS policy bank loading is needed for proper processing of such mail
  (e.g. DKIM signing or adding disclaimers in later versions of amavisd);


A more general way of turning up the 'originating' flag is through a
policy bank, e.g.:

$inet_socket_port = [10024,10026];

$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail originating from our users
  originating => 1,
# force MTA conversion to 7-bit before DKIM signing
# to avoid later conversions, destroying signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

Any mail which MTA will pass to a filter on port 10026 (but not on 10024)
will now be eligible for DKIM signing. This is useful for mail submitted
from authenticated roaming clients which have foreign IP addresses.


pickup    fifo  n   -   n   60  1   pickup
  -o content_filter=amavisfeed:[127.0.0.1]:10026

See also:
  http://marc.info/?l=postfix-users&m=122658465804423

Mark
