Re: Relay Error?

2008-07-24 Thread mouss

kbajwa wrote:

CentOS 5.2
Postfix 2.3.3 (comes packaged with OS)
Dovecot 1.1.1

Did a fresh install and created a new web site: http://www.imwell-usa.com.
The web site has an email address for 'Contact Us'. When I try to send an
email from the web page (from Win XP PC), I get the following error:


what you see on your mail client does not matter. the real truth is in 
postfix logs.


(my Thunderbird sometimes tells me  is not an IMAP server. duh... 
next time I promise it: I'll take a screenshot!).




An error occurred while sending mail. The mail server responded: 5.7.1
[EMAIL PROTECTED]: Relay excess denied. Please check the messge
recipient and try again.




something is insulting you (it talks about mess and excess :).

you need to configure your MUA to connect to your postfix, and you need 
to make sure it really does (traffic isn't diverted by some 
firewall/router/proxy/AV/...). the logs are the right place to look for 
evidence.



[snip]






RE: Relay Error?

2008-07-24 Thread kbajwa
Mouss:

I deleted /var/log/maillog file, rebooted the system and tried to send the
email from (using Win XP PC) the web site. Same error message.

I checked the log file /var/log/maillog, no error message logged (see
below). I assume this is the log file where Postfix logs messages.

Then I checked for any new email for account [EMAIL PROTECTED]. I received
confirmation that there was no message for this account on the server. I
normally use MS Outlook to check messages but for this test I used
Thunderbird.

In the logs, it does show that there is an inquiry to check new messages for
the above email account.

Any other suggestions are highly appreciated!

Kirti

Jul 24 15:03:51 www dovecot: Dovecot v1.1.1 starting up
Jul 24 15:03:53 www postfix/postfix-script: starting the Postfix mail system
Jul 24 15:03:53 www postfix/master[4792]: daemon started -- version 2.3.3,
configuration /etc/postfix

Jul 24 15:07:37 www dovecot: pop3-login: Login: user=contactus,
method=PLAIN, rip=192.168.0.64, lip=65.103.190.105, TLS
Jul 24 15:07:37 www dovecot: POP3(contactus): Disconnected: Logged out
top=0/0, retr=0/0, del=0/0, size=0




Re: stopping anonymous smtp login (dovecot)

2008-07-24 Thread Wietse Venema
Wietse Venema:
 Rich Winkel:
  Hi, I'm setting up a mail server with dovecot-1.0.13 and
  postfix-2.5.1 on freebsd 7.0.  I'm a newbie to postfix, I almost
  have it running but have two questions:
  
  I'm using dovecot auth-client for sasl authentication.  I want it to
  reject mail from anonymous logins, but this isn't working. 
 
 This requires Postfix 2.5.2.

In addition, it is a good idea to configure Dovecot as per
SASL_README, and NOT allow it to support anonymous logins.

Wietse


Re: How to defer under load?

2008-07-24 Thread Sahil Tandon
Tero Tilus [EMAIL PROTECTED] wrote:

 How do I make postfix (2.3.7) defer, not bounce, on delivery command
 timeout?  I've got dspam occasionally hitting Command time limit
 exceeded and it bounces.

This thread may help you understand your options:

http://archives.neohapsis.com/archives/postfix/2008-06/1179.html

-- 
Sahil Tandon [EMAIL PROTECTED]


Re: stopping anonymous smtp login (dovecot)

2008-07-24 Thread Noel Jones

Rich Winkel wrote:

Hi, I'm setting up a mail server with dovecot-1.0.13 and
postfix-2.5.1 on freebsd 7.0.  I'm a newbie to postfix, I almost
have it running but have two questions:

I'm using dovecot auth-client for sasl authentication.  I want it to
reject mail from anonymous logins, but this isn't working. 
postconf -a says dovecot


OK, that's correct.



In main.cf I have:
smtpd_sasl_path=/var/run/dovecot/auth-client
smtpd_sasl_type=dovecot

auth-client is rw by group postfix.

The sasl_security options are the defaults from main.cf.default:
lmtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_security_options = noplaintext, noanonymous


The above two have no effect on dovecot (client side SASL not 
implemented).



smtpd_sasl_security_options = noanonymous


OK.



I'm testing this in a local network, so I temporarily removed
permit_mynetworks from smtpd_sender_restrictions and
smtpd_recipient_restrictions, so that they read:
smtpd_sender_restrictions = permit_sasl_authenticated


Each smtpd_*_restrictions section ends with an implied 
permit, so the above has no effect; all clients are 
accepted.  That's OK.



smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination


OK, SASL authenticated clients are allowed to relay off-site, 
anyone else can send mail to your local/virtual/relay domains.




But it still accepts anonymous logins:
postfix/smtpd[29015]: Anonymous TLS connection established
and the delivery goes through.


Hold on a minute...  Anonymous TLS connection does *not* imply 
anonymous SASL authentication.   Anonymous TLS is normal and 
expected; it just says your client doesn't have its own 
security certificate.


You'll need to show more evidence that dovecot is accepting an 
anonymous login...

http://www.postfix.org/DEBUG_README.html#mail

If the recipient is in your own domain the message will still 
be accepted from any client, authenticated or not.  To only 
accept mail from authenticated clients, you need

smtpd_recipient_restrictions =
  permit_sasl_authenticated
  reject

Of course this is only suitable for testing, or on a MSA such 
as the submission port 587, since it won't accept mail from 
anyone else.





The other question I had was regarding where to specify the dovecot delivery
agent to postfix.  There seem to be two ways:
in main.cf:
mailbox_command=/usr/local/libexec/dovecot/deliver
or in master.cf:
dovecot   unix  -   n   n   -   -   pipe
  flags=DRhu user=root:mail argv=/usr/local/libexec/dovecot/deliver -d ${recipient}

Could someone tell me the difference(s) ?


See the MAILDROP_README.  The interface to postfix is the same 
with both, so most of it applies directly to using any 
alternate delivery agent.


http://www.postfix.org/MAILDROP_README.html




Many thanks for any help!!!
Rich


Enjoy!

--
Noel Jones
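
Added example (not part of the thread): a small Python log check for the evidence requested in the reply above. It pairs each smtpd session's TLS label with the SASL fields on the `client=` line. The sample lines are constructed, and it is an assumption that an anonymous SASL login would be logged as `sasl_method=ANONYMOUS`.

```python
import re

# Constructed sample in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG = """\
Jul 24 22:10:01 mx postfix/smtpd[29015]: connect from unknown[192.168.0.64]
Jul 24 22:10:01 mx postfix/smtpd[29015]: Anonymous TLS connection established from unknown[192.168.0.64]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 22:10:02 mx postfix/smtpd[29015]: 4F1A2B3C01: client=unknown[192.168.0.64], sasl_method=PLAIN, sasl_username=rich
Jul 24 22:11:30 mx postfix/smtpd[29020]: connect from unknown[192.168.0.65]
Jul 24 22:11:30 mx postfix/smtpd[29020]: Anonymous TLS connection established from unknown[192.168.0.65]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 22:11:31 mx postfix/smtpd[29020]: 5A6B7C8D02: client=unknown[192.168.0.65]
Jul 24 22:12:05 mx postfix/smtpd[29031]: connect from unknown[192.168.0.66]
Jul 24 22:12:06 mx postfix/smtpd[29031]: 6C7D8E9F03: client=unknown[192.168.0.66], sasl_method=ANONYMOUS
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
TLS = re.compile(r"^(?:(\w+) )?TLS connection established")
CLIENT = re.compile(r"^([0-9A-F]+): client=([^,]+)(.*)$")


def classify(log_text):
    """Return (queue_id, client, tls_state, sasl_state) per accepted message."""
    tls_by_pid = {}   # smtpd pid -> TLS state of its current session
    rows = []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            tls_by_pid[pid] = "none"          # new session, plaintext so far
        elif (t := TLS.match(msg)):
            # Certificate trust label of the TLS layer; says nothing about SASL.
            tls_by_pid[pid] = (t.group(1) or "unlabelled").lower()
        elif (c := CLIENT.match(msg)):
            qid, client, rest = c.groups()
            attrs = dict(kv.split("=", 1) for kv in rest.split(", ") if "=" in kv)
            method = attrs.get("sasl_method")
            if method is None:
                sasl = "unauthenticated"      # no AUTH at all
            elif method.upper() == "ANONYMOUS":
                sasl = "anonymous-sasl"       # the case noanonymous must block
            else:
                sasl = "authenticated:" + attrs.get("sasl_username", "?")
            rows.append((qid, client, tls_by_pid.get(pid, "none"), sasl))
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row, sep="  ")
```

In the sample, the second message arrives over anonymous TLS with no SASL login at all; that is the situation a recipient restriction such as `reject_unauth_destination` decides, independent of the TLS label.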


Re: stopping anonymous smtp login (dovecot)

2008-07-24 Thread Victor Duchovni
On Thu, Jul 24, 2008 at 11:00:32PM -0500, Noel Jones wrote:

 But it still accepts anonymous logins:
 postfix/smtpd[29015]: Anonymous TLS connection established
 and the delivery goes through.
 
 Hold on a minute...  Anonymous TLS connection does *not* imply 
 anonymous SASL authentication.   Anonymous TLS is normal and 
 expected; it just says your client doesn't have its own 
 security certificate.

More specifically, the cipher-suite selected by the client and server
does not make use of any certificates. The client was not interested
in authenticating the server, offered anonymous TLS ciphers, and the
server accepted this. Nothing wrong with this.

$ openssl ciphers -v 'ALL+aNULL:!EXPORT:@STRENGTH'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1

The most frequently used cipher in this context with OpenSSL 0.9.[78]
is ADH-AES256-SHA.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.


Re: emergency help how to add a domain

2008-07-24 Thread johnf
On Thursday 24 July 2008 10:27:42 pm mouss wrote:
 johnf wrote:
  [snip]
 
  if you have problems, please follow the directions documented in
 http://www.postfix.org/DEBUG_README.html#mail
  In particular:
  - explain clearly what problem you are trying to solve
  - show output of 'postconf -n'
  - show relevant log lines (full lines, do not truncate)
  feel free to replace private infos but do so coherently.
 
  you really need to read the cited documents. we can't read them for you.
 
  Well there is no accounting for dumb because I have read it but it's
  beyond me.

 Is it beyond you to
 - explain clearly what problem you are trying to solve
 ...
 - show relevant log lines

 ?

Thanks.  It turns out that the linux OS did not know about my sasl2 libs.  The 
good Jay Chandler helped and was able to discover the issue.  Again thanks.  
BTW I think I did explain the problem.  The users were unable to send.

-- 
John Fabiani