Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > > I uncommented the above line and added the following to main.cf:
> > >
> > > smtpd_tls_security_level = may
> > >
> > > as instructed here:
> > >
> > > http://www.postfix.org/TLS_README.html#server_enable
> > >
> > > and restarted postfix, but I still can't send. In claws-mail, I tried specifying 587 and I'm specifying Use SSL for SSMTP. I'm guessing TLS isn't set up properly?
> >
> > You need more than that. My /etc/postfix/main.cf looks like this and you'll need to create the actual certs listed below as well. I recommend smtpd_tls_auth_only so that anyone trying to smtp auth is required to do it over an encrypted session.
> >
> > # TLS stuff
> > smtpd_tls_security_level = may
> > smtpd_tls_auth_only = yes
> > smtpd_tls_key_file = /etc/postfix/newkey.pem
> > smtpd_tls_cert_file = /etc/postfix/newcert.pem
> > smtpd_tls_CAfile = /etc/postfix/cacert.pem
> > #smtpd_tls_loglevel = 3
> > #smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> >
> > Additionally check to see what port Postfix is listening on. It's on port 465 on my server and you'll need to set your mail client to SSL rather than TLS.
>
> Thank you kashani. Now I'm getting Relay access denied. I've been sending via squirrelmail running on the same server so I need to make an adjustment. What I'd like to do is allow relaying for any authenticated smtp client but I don't see any option for that in the main.cf comments. I tried adding grant to the postdrop group with no luck.

Is allowing relay access based on authentication not something postfix does? It makes sense to me. How do you guys make the relay decision?

- Grant

> Here's my main.cf (I'm using postgrey):
>
> mydestination = mydomain.com
> setgid_group = postdrop
> smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:10030 reject_unauth_destination, permit
> virtual_alias_maps = hash:/etc/postfix/virtual
> message_size_limit = 2048
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/ssl/postfix/server.key
> smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
> smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> How does that look?
>
> - Grant

--
gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] SSL CUPS and SMTP on port 587
Grant wrote:
> Here's my main.cf (I'm using postgrey):
>
> mydestination = mydomain.com
> setgid_group = postdrop
> smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:10030 reject_unauth_destination, permit
> virtual_alias_maps = hash:/etc/postfix/virtual
> message_size_limit = 2048
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/ssl/postfix/server.key
> smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
> smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> How does that look?

Where is your mynetworks statement? You need to have at least 127.0.0.1 in it or locally generated emails won't be able to relay.

kashani
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > Here's my main.cf (I'm using postgrey):
> >
> > mydestination = mydomain.com
> > setgid_group = postdrop
> > smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:10030 reject_unauth_destination, permit
> > virtual_alias_maps = hash:/etc/postfix/virtual
> > message_size_limit = 2048
> > smtpd_tls_security_level = may
> > smtpd_tls_auth_only = yes
> > smtpd_tls_key_file = /etc/ssl/postfix/server.key
> > smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
> > smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> >
> > How does that look?
>
> Where is your mynetworks statement? You need to have at least 127.0.0.1 in it or locally generated emails won't be able to relay.

I actually don't have a mynetworks statement in main.cf at all and I send from squirrelmail all over the place. I won't be able to specify a single IP for my laptop. Can I allow authenticated users to send?

- Grant
Re: [gentoo-user] SSL CUPS and SMTP on port 587
Grant wrote:
> I actually don't have a mynetworks statement in main.cf at all and I send from squirrelmail all over the place. I won't be able to specify a single IP for my laptop. Can I allow authenticated users to send?

You connect to squirrelmail from many different IPs via HTTP, but squirrelmail only calls SMTP from the localhost IP, 127.0.0.1. So add the default mynetworks back in if you want Squirrelmail to be able to send at all. And quit trying out poorly thought out security tricks in Postfix if you don't know what you're doing.

Once that is fixed you can start looking at why you can't authenticate. I'm going to guess that you haven't bothered to set up smtp authentication via sasl yet.

kashani
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > I actually don't have a mynetworks statement in main.cf at all and I send from squirrelmail all over the place. I won't be able to specify a single IP for my laptop. Can I allow authenticated users to send?
>
> You connect to squirrelmail from many different IPs via HTTP, but squirrelmail only calls SMTP from the localhost IP, 127.0.0.1. So add the default mynetworks back in if you want Squirrelmail to be able to send at all. And quit trying out poorly thought out security tricks in Postfix if you don't know what you're doing.

I haven't removed the mynetworks statement. It was never there. Could it be somewhere other than main.cf and master.cf? Maybe 127.0.0.1 is the default. I can send from squirrelmail just fine as always. Admittedly all over the place was a bad choice of words.

> Once that is fixed you can start looking at why you can't authenticate. I'm going to guess that you haven't bothered to set up smtp authentication via sasl yet.

I didn't realize I wasn't authenticating. I'm working on sasl now.

- Grant

> kashani
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > > I actually don't have a mynetworks statement in main.cf at all and I send from squirrelmail all over the place. I won't be able to specify a single IP for my laptop. Can I allow authenticated users to send?
> >
> > You connect to squirrelmail from many different IPs via HTTP, but squirrelmail only calls SMTP from the localhost IP, 127.0.0.1. So add the default mynetworks back in if you want Squirrelmail to be able to send at all. And quit trying out poorly thought out security tricks in Postfix if you don't know what you're doing.
>
> I haven't removed the mynetworks statement. It was never there. Could it be somewhere other than main.cf and master.cf? Maybe 127.0.0.1 is the default. I can send from squirrelmail just fine as always. Admittedly all over the place was a bad choice of words.
>
> > Once that is fixed you can start looking at why you can't authenticate. I'm going to guess that you haven't bothered to set up smtp authentication via sasl yet.
>
> I didn't realize I wasn't authenticating. I'm working on sasl now.

Got it! Thanks a lot for everyone's help. I'm running courier-imapd-ssl, postfix, and saslauthd. With the following config everything should be encrypted between my laptop and the server:

/etc/postfix/main.cf:

[snip]
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_policy_service inet:127.0.0.1:10030 reject_unauth_destination, permit
virtual_alias_maps = hash:/etc/postfix/virtual
message_size_limit = 2048
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/postfix/master.cf:

smtp inet n - n - - smtpd
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes

/etc/sasl2/smtpd.conf:

mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

- Grant
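The relay decision this thread converges on can be traced with a small model (an added example, not code from any poster or from Postfix): it walks the two smtpd_recipient_restrictions lists posted above in order and returns the first final verdict. It assumes mynetworks covers only 127.0.0.0/8 and that mydomain.com is the only local domain; the laptop address 203.0.113.7 is constructed, and only the five restrictions used in the thread are modelled.

```python
import ipaddress

# The two smtpd_recipient_restrictions values posted in the thread.
BEFORE = ("permit_mynetworks, check_policy_service inet:127.0.0.1:10030 "
          "reject_unauth_destination, permit")
AFTER = "permit_sasl_authenticated, " + BEFORE

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]  # assumption: loopback only
LOCAL_DOMAINS = {"mydomain.com"}                     # mydestination in the thread


def parse_restrictions(value):
    """Split on commas/whitespace; check_policy_service takes one argument."""
    tokens = value.replace(",", " ").split()
    parsed, i = [], 0
    while i < len(tokens):
        width = 2 if tokens[i] == "check_policy_service" else 1
        parsed.append(tuple(tokens[i:i + width]))
        i += width
    return parsed


def decide(restrictions, client_ip, sasl_user, rcpt, policy=lambda: "DUNNO"):
    """Simplified model: the first restriction with a final answer wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[1].lower()
    for name, *_args in parse_restrictions(restrictions):
        if name == "permit_sasl_authenticated" and sasl_user:
            return "OK (authenticated)"
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "OK (mynetworks)"
        if name == "check_policy_service":
            verdict = policy()          # postgrey stand-in; DUNNO = no opinion
            if verdict != "DUNNO":
                return verdict
        if name == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return "REJECT Relay access denied"
        if name == "permit":
            return "OK (permit)"
    return "DUNNO"


if __name__ == "__main__":
    laptop = "203.0.113.7"  # constructed client address
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "squirrelmail:", decide(cfg, "127.0.0.1", None, "a@example.org"))
        print(label, "laptop+auth: ", decide(cfg, laptop, "grant", "a@example.org"))
        print(label, "laptop anon: ", decide(cfg, laptop, None, "a@example.org"))
```

With the earlier list the authenticated laptop is still refused, because nothing in that list consults the SASL login; in both lists an unauthenticated outside client can reach only mydomain.com, so the server does not become an open relay.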
Re: [gentoo-user] SSL CUPS and SMTP on port 587
On Sun, Feb 17, 2008 at 07:18:00AM -0800, Penguin Lover Grant squawked:
> My ISP (Cox) blocks outgoing port 25 so I can't submit mail to my remote mail server. From what I understand, port 587 is commonly used to get around this. Can I have postfix listen on port 25 and port 587? Has anyone set that up?

I do it slightly differently: I leave an SSH connection from my box to the mail server, which maps some local port to port 25 on the mail server, and send all my mail to the local port.

HTH,

W
--
`Incidentally,' he said, `what does teleport mean?' Another moment passed. Slowly, the others turned to face him. `Probably the wrong moment to ask,' said Arthur, `It's just I remember you use the word a short while ago and I only bring it up because...' `Where,' said Ford quietly, `does it say teleport?' `Well, just over here in fact,' said Arthur, pointing at a dark control box in the rear of the cabin, `Just under the word emergency, above the word system and beside the sign saying out of order.'
- Arthur finding an escape route from a certain death situation.
Sortir en Pantoufles: up 436 days, 15:48
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > My ISP (Cox) blocks outgoing port 25 so I can't submit mail to my remote mail server. From what I understand, port 587 is commonly used to get around this. Can I have postfix listen on port 25 and port 587? Has anyone set that up?
>
> I do it slightly differently: I leave an SSH connection from my box to the mail server, which maps some local port to port 25 on the mail server, and send all my mail to the local port.

Yeah I think I'll do that if port 587 doesn't work out. From what I understand, using 587 in this way is somewhat of a standard?

- Grant

> HTH,
>
> W
Re: [gentoo-user] SSL CUPS and SMTP on port 587
Grant wrote:
> > > My ISP (Cox) blocks outgoing port 25 so I can't submit mail to my remote mail server. From what I understand, port 587 is commonly used to get around this. Can I have postfix listen on port 25 and port 587? Has anyone set that up?
> >
> > I do it slightly differently: I leave an SSH connection from my box to the mail server, which maps some local port to port 25 on the mail server, and send all my mail to the local port.
>
> Yeah I think I'll do that if port 587 doesn't work out. From what I understand, using 587 in this way is somewhat of a standard?

In your master.cf uncomment the following lines and then restart Postfix. It should just work if you already have TLS set up.

smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes

kashani
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > > > > My ISP (Cox) blocks outgoing port 25 so I can't submit mail to my remote mail server. From what I understand, port 587 is commonly used to get around this. Can I have postfix listen on port 25 and port 587? Has anyone set that up?
> > > >
> > > > I do it slightly differently: I leave an SSH connection from my box to the mail server, which maps some local port to port 25 on the mail server, and send all my mail to the local port.
> > >
> > > Yeah I think I'll do that if port 587 doesn't work out. From what I understand, using 587 in this way is somewhat of a standard?
> >
> > In your master.cf uncomment the following lines and then restart Postfix. It should just work if you already have TLS set up.
> >
> > smtps inet n - n - - smtpd
> >   -o smtpd_tls_wrappermode=yes
> >
> > kashani
>
> I uncommented the above line and added the following to main.cf:
>
> smtpd_tls_security_level = may
>
> as instructed here:
>
> http://www.postfix.org/TLS_README.html#server_enable
>
> and restarted postfix, but I still can't send. In claws-mail, I tried specifying 587 and I'm specifying Use SSL for SSMTP. I'm guessing TLS isn't set up properly?
>
> - Grant

Also I can see with nmap that smtps 465 is open and 587 is not. No luck specifying 465 in claws-mail though.

- Grant
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > > > My ISP (Cox) blocks outgoing port 25 so I can't submit mail to my remote mail server. From what I understand, port 587 is commonly used to get around this. Can I have postfix listen on port 25 and port 587? Has anyone set that up?
> > >
> > > I do it slightly differently: I leave an SSH connection from my box to the mail server, which maps some local port to port 25 on the mail server, and send all my mail to the local port.
> >
> > Yeah I think I'll do that if port 587 doesn't work out. From what I understand, using 587 in this way is somewhat of a standard?
>
> In your master.cf uncomment the following lines and then restart Postfix. It should just work if you already have TLS set up.
>
> smtps inet n - n - - smtpd
>   -o smtpd_tls_wrappermode=yes
>
> kashani

I uncommented the above line and added the following to main.cf:

smtpd_tls_security_level = may

as instructed here:

http://www.postfix.org/TLS_README.html#server_enable

and restarted postfix, but I still can't send. In claws-mail, I tried specifying 587 and I'm specifying Use SSL for SSMTP. I'm guessing TLS isn't set up properly?

- Grant
Re: [gentoo-user] SSL CUPS and SMTP on port 587
Grant wrote:
> I uncommented the above line and added the following to main.cf:
>
> smtpd_tls_security_level = may
>
> as instructed here:
>
> http://www.postfix.org/TLS_README.html#server_enable
>
> and restarted postfix, but I still can't send. In claws-mail, I tried specifying 587 and I'm specifying Use SSL for SSMTP. I'm guessing TLS isn't set up properly?

You need more than that. My /etc/postfix/main.cf looks like this and you'll need to create the actual certs listed below as well. I recommend smtpd_tls_auth_only so that anyone trying to smtp auth is required to do it over an encrypted session.

# TLS stuff
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Additionally check to see what port Postfix is listening on. It's on port 465 on my server and you'll need to set your mail client to SSL rather than TLS.

kashani
Re: [gentoo-user] SSL CUPS and SMTP on port 587
> > I uncommented the above line and added the following to main.cf:
> >
> > smtpd_tls_security_level = may
> >
> > as instructed here:
> >
> > http://www.postfix.org/TLS_README.html#server_enable
> >
> > and restarted postfix, but I still can't send. In claws-mail, I tried specifying 587 and I'm specifying Use SSL for SSMTP. I'm guessing TLS isn't set up properly?
>
> You need more than that. My /etc/postfix/main.cf looks like this and you'll need to create the actual certs listed below as well. I recommend smtpd_tls_auth_only so that anyone trying to smtp auth is required to do it over an encrypted session.
>
> # TLS stuff
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/postfix/newkey.pem
> smtpd_tls_cert_file = /etc/postfix/newcert.pem
> smtpd_tls_CAfile = /etc/postfix/cacert.pem
> #smtpd_tls_loglevel = 3
> #smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> Additionally check to see what port Postfix is listening on. It's on port 465 on my server and you'll need to set your mail client to SSL rather than TLS.

Thank you kashani. Now I'm getting Relay access denied. I've been sending via squirrelmail running on the same server so I need to make an adjustment. What I'd like to do is allow relaying for any authenticated smtp client but I don't see any option for that in the main.cf comments. I tried adding grant to the postdrop group with no luck.

Here's my main.cf (I'm using postgrey):

mydestination = mydomain.com
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:10030 reject_unauth_destination, permit
virtual_alias_maps = hash:/etc/postfix/virtual
message_size_limit = 2048
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

How does that look?

- Grant