Re: Postfix and DNSSEC

2008-12-20 Thread Bernhard Fischer
On Wednesday 17 December 2008, Wietse Venema wrote:
 klondike:
  Bernhard Fischer wrote:
   I'd like to use DNSSEC with Postfix.
   I did some research on the web but although DNSSEC is there nobody
   really cares about it.
   The most recent patch for Postfix is for release 2.3 and is based on
   libs (libval, libsres) I didn't find any download page for.
  
   Is there any recent development going on?
 
  Although I don't know whether there is actual development or not in
  DNSSEC, you should bear in mind that there are still a lot of servers
  which don't support DNSSEC, either because it is disabled, due to
  problems with the proved denial of existence system used originally, or
  because the admins haven't updated the machine as DNS is a fairly
  sensitive service.
 
  Said that, if postfix developers want to add DNSSEC support, although
  that should be implemented on the name resolving libraries, I wouldn't
  mind sharing my, scarce, knowledge on it.

 What are the application-visible changes? If one relies on BIND
 etc.  for validation, where does DNSSEC affect the application?
 Postfix uses the standard resolver library but these calls are
 entirely encapsulated in a single module.

   Wietse


A resolver basically resolves a name to an IP, no more, no less.
Resolving an IP with DNSSEC could lead to several different answers, i.e. a
name could be resolved as DNSSEC-valid or invalid (wrong sigs).

As we all know, DNSSEC is not fully deployed yet; that's why I think an
application should have the option to decide how to behave (if a response is
either DNSSEC valid or INVALID).

Bernhard




Re: Postfix and DNSSEC

2008-12-20 Thread Bernhard Fischer
On Wednesday 17 December 2008, mouss wrote:
 Bernhard Fischer wrote:
  I'd like to use DNSSEC with Postfix.
  I did some research on the web but although DNSSEC is there nobody really
  cares about it.
  The most recent patch for Postfix is for release 2.3 and is based on libs
  (libval, libsres) I didn't find any download page for.
 
  Is there any recent development going on?

 given that DNSSEC was proposed a long time ago, but has not been
 adopted, I don't see any reason why this would change.

 My opinion is that dnssec was proposed at that time means that it is
 obsolete (at that time, most people wanted pki, spoke perimeter
 security, ...).


I think that's your personal opinion and I'm not sure if the rest of the world 
shares it.

Bernhard




Re: Postfix and DNSSEC

2008-12-20 Thread Bernhard Fischer
On Thursday 18 December 2008, Patrick Vande Walle wrote:
 On Wed, 17 Dec 2008 20:42:55 +0100, Bernhard Fischer b...@abenteuerland.at
 wrote:
  I'd like to use DNSSEC with Postfix.
  I did some research on the web but although DNSSEC is there nobody really
  cares about it.
  The most recent patch for Postfix is for release 2.3 and is based on libs
  (libval, libsres) I didn't find any download page for.

 Please have a look here: http://sourceforge.net/projects/dnssec-tools/
 Main web site is http://www.dnssec-tools.org/

 The DNSSEC-tools contain the libs you mentioned, patches to Postfix up to
 version 2.5.1 as well as patches to libspf2, if you want to build Postfix
 against it.

The page lists patches up to 2.3.x but maybe it also works on more recent 
releases, I'll simply try it.
http://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components

Bernhard




Re: how to send mail to gmail account

2008-12-20 Thread mouss
Jose Ildefonso Camargo Tolosa wrote:
 On Fri, Dec 19, 2008 at 7:19 AM, Jorey Bump l...@joreybump.com wrote:
 Jose Ildefonso Camargo Tolosa wrote, at 12/18/2008 06:28 AM:

 I think you should send more info on your config, for example:

 MX record for your domain.
 myhostname entry from main.cf

 these two should match.
 There is no requirement that these match. They are completely unrelated.
 
 I said: should. 

No, they are unrelated, so there is no need for them to match. Sites with

 There are some spam filters which use the hostname
 provided by the server and make several verifications like:
 
 + Is the hostname listed as a MX for the domain?

They may use this for whitelisting, not blacklisting, similar to SPF,
but they should not consider a mismatch as an anomaly.

 + Does the hostname *forward* resolve to the IP I'm being contacted from?

I guess you use the term hostname for the HELO argument.
Some people do this, but:
- it will cause FPs
- The RFC recommends against it

 + Does the IP *reverse* resolve to the hostname?

if the hostname is the HELO argument, then no. there were some borked
filters that do this, but this is borked...

what is done is:
- resolve the client IP. get the first returned PTR
- resolve this PTR and check that the original IP is returned by this
resolution.

note that the PTR and the hostname are two different terms (even if they
may be set to the same value in many cases).

 
 The OP needs to describe the problem more accurately. In general, no
 special configuration is required to send mail to any domain.
 
 Correct, as long as there are no spam filters around.
 

The OP's problem has nothing to do with filters. he is trying to submit mail
to gmail. for that, he needs smtp TLS (without a certificate) and smtp
SASL and to submit to [smtp.gmail.com]:587.

of course, if he has a firewall/proxy/anti-virus/... that interferes
with the communication (some don't allow TLS because they can't filter
the content. some don't support ESMTP, ... etc), he needs to disable this.
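The reverse-then-forward check mouss describes (take the first PTR of the client IP, resolve that name, and require the original IP to come back) is what is usually called forward-confirmed reverse DNS. The following is an added example, not mouss's code or anything from Postfix: it implements the two steps against a constructed set of PTR and A records so it runs offline, and it also records whether the HELO name matches the PTR as information only, since the post is explicit that those are two different things. The zone data, the `stub_resolver`/`system_resolver` split and the `classify` verdict format are all assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample DNS data (an assumption for this example, not real zones).
FAKE_PTR: Dict[str, List[str]] = {
    "203.0.113.25": ["mx1.example.net."],                         # confirms
    "203.0.113.26": ["mail.example.org."],                        # forward points elsewhere
    "203.0.113.27": [],                                           # no PTR at all
    "203.0.113.28": ["out1.example.com.", "smtp.example.com."],   # only the first PTR counts
}
FAKE_A: Dict[str, List[str]] = {
    "mx1.example.net.": ["203.0.113.25"],
    "mail.example.org.": ["198.51.100.7"],
    "out1.example.com.": ["203.0.113.28", "203.0.113.29"],
    "smtp.example.com.": ["203.0.113.99"],
}

# A resolver is (ptr_lookup, forward_lookup); both return a list of answers.
Resolver = Tuple[Callable[[str], List[str]], Callable[[str], List[str]]]


def stub_resolver() -> Resolver:
    """Offline resolver over the constructed tables above."""
    return (lambda ip: FAKE_PTR.get(ip, []),
            lambda name: FAKE_A.get(name, []))


def system_resolver() -> Resolver:
    """Real lookups through libc (needs network; not exercised offline)."""
    def ptr(ip: str) -> List[str]:
        try:
            return [socket.gethostbyaddr(ip)[0] + "."]
        except (socket.herror, socket.gaierror):
            return []

    def fwd(name: str) -> List[str]:
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []
    return ptr, fwd


def fcrdns(ip: str, resolver: Resolver) -> Tuple[bool, str]:
    """The two steps from the post: take the first PTR of the client IP,
    resolve it forward, and require the original IP among the answers.
    Returns (confirmed, ptr_name_without_trailing_dot)."""
    ip = str(ipaddress.ip_address(ip))        # normalise; ValueError on junk
    lookup_ptr, lookup_fwd = resolver
    ptrs = lookup_ptr(ip)
    if not ptrs:
        return False, ""
    name = ptrs[0]
    return ip in lookup_fwd(name), name.rstrip(".")


def classify(ip: str, helo: str, resolver: Resolver) -> Dict[str, object]:
    """FCrDNS verdict plus an informational HELO/PTR comparison. As the post
    says, the HELO argument and the PTR are different things; a mismatch is
    recorded here but is not by itself a reason to reject."""
    confirmed, ptr = fcrdns(ip, resolver)
    return {"ip": ip, "ptr": ptr, "fcrdns": confirmed,
            "helo_matches_ptr": helo.rstrip(".").lower() == ptr.lower()}


if __name__ == "__main__":
    for client in FAKE_PTR:
        print(classify(client, "mail.example.net", stub_resolver()))
```

Swapping `stub_resolver()` for `system_resolver()` runs the same logic against the libc resolver; note that `gethostbyaddr` only hands back the first PTR, which is exactly the behaviour the post describes.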


Does a policy server exist to filter on domain age/creation?

2008-12-20 Thread Justin Piszcz

$ whois linendim.com

Record created on:2008-12-15 11:45:30.0
Database last updated on: 2008-12-15 11:42:09.153
Domain Expires on:2009-12-15 11:45:31.0

A 1-second life domain name.

First, is there an existing policy server out there that checks how many 
days old a domain is?


I know there is an RHSBL for it but this seems rather odd, if the domain 
has expired/etc it would be nice to filter on these statistics..


Justin.


Re: how to send mail to gmail account

2008-12-20 Thread mouss
mouss wrote:
 Jose Ildefonso Camargo Tolosa wrote:
 On Fri, Dec 19, 2008 at 7:19 AM, Jorey Bump l...@joreybump.com wrote:
 Jose Ildefonso Camargo Tolosa wrote, at 12/18/2008 06:28 AM:

 I think you should send more info on your config, for example:

 MX record for your domain.
 myhostname entry from main.cf

 these two should match.
 There is no requirement that these match. They are completely unrelated.
 I said: should. 
 
 No, they are unrelated, so there is no need for them to match. Sites with
 

my mouse likes eating some lines ;-p

I was saying: sites with multiple servers, some for MX and others for
outbound relay, will have mismatching inbound and outbound names.

 There are some spam filters which use the hostname
 provided by the server and make several verifications like:

 + Is the hostname listed as a MX for the domain?
 
 They may use this for whitelisting, not blacklisting, similar to SPF,
 but they should not consider a mismatch as an anomaly.
 
 + Does the hostname *forward* resolve to the IP I'm being contacted from?
 
 I guess you use the term hostname for the HELO argument.
 Some people do this, but:
 - it will cause FPs
 - The RFC recommends against it
 
 + Does the IP *reverse* resolve to the hostname?
 
 if the hostname is the HELO argument, then no. there were some borked
 filters that do this, but this is borked...
 
 what is done is:
 - resolve the client IP. get the first returned PTR
 - resolve this PTR and check that the original IP is returned by this
 resolution.
 
 note that the PTR and the hostname are two different terms (even if they
 may be set to the same value in many cases).
 
 The OP needs to describe the problem more accurately. In general, no
 special configuration is required to send mail to any domain.
 Correct, as long as there are no spam filters around.

 
 OP problem has nothing to do with filters. he is trying to submit mail
 to gmail. for that, he needs smtp TLS (without a certificate) and smtp
 SASL and submit to [smtp.gmail.com]:587.
 
 of course, if he has a firewall/proxy/anti-virus/... that interferes
 with the communication (some don't allow TLS because they can't filter
 the content. some don't support ESMTP, ... etc), he needs to disable this.



Re: Does a policy server exist to filter on domain age/creation?

2008-12-20 Thread mouss
Justin Piszcz wrote:
 $ whois linendim.com
 
 Record created on:2008-12-15 11:45:30.0
 Database last updated on: 2008-12-15 11:42:09.153
 Domain Expires on:2009-12-15 11:45:31.0
 
 A 1-second life domain name.
 
 First, is there an existing policy server out there that checks how many
 days old a domain is?
 

if you mean querying whois in real time, this is not possible. you will
be blocked (by whois servers) if you do too many queries.

if you mean using an RHSBL such as DOB, then check postfwd.

However:

- judging by the scores in spamassassin, this doesn't look very useful
(I personally disable DOB in SA).

- spammers have learned this and register domains ahead of time, so the
whois age is less useful than it was. one needs to detect when a
domain is first used in email, but there's no registry for this.



 I know there is an RHSBL for it but this seems rather odd, if the domain
 has expired/etc it would be nice to filter on these statistics..




Re: Does a policy server exist to filter on domain age/creation?

2008-12-20 Thread Jorey Bump
Justin Piszcz wrote, at 12/20/2008 05:43 AM:
 $ whois linendim.com
 
 Record created on:2008-12-15 11:45:30.0
 Domain Expires on:2009-12-15 11:45:31.0
 
 A 1-second life domain name.

What do you mean? The domain expires in one year and a second from its
creation date.

 First, is there an existing policy server out there that checks how many
 days old a domain is?

If so, it would probably end up working a lot like greylisting. You'd
get a similar effect scoring with the SpamCop dnsbl, since it penalizes
fresh domains.

 I know there is an RHSBL for it but this seems rather odd, if the domain
 has expired/etc it would be nice to filter on these statistics..

True. There's no reason to accept mail from a long-expired domain (but
your example hasn't expired).


[BTW, there appears to be a problem with the DNS for your domain,
lucidpixels.com. Your nameservers are not responding.]



Re: Does a policy server exist to filter on domain age/creation?

2008-12-20 Thread mouss
Jorey Bump wrote:
 Justin Piszcz wrote, at 12/20/2008 05:43 AM:
 $ whois linendim.com

 Record created on:2008-12-15 11:45:30.0
 Domain Expires on:2009-12-15 11:45:31.0

 A 1-second life domain name.
 
 What do you mean? The domain expires in one year and a second from its
 creation date.

he meant that the domain was created a few days ago, and so should
not start sending too much mail. Such an argument must be used with
caution. A few years ago, I worked on a (social net style) project
and marketing decided to choose a new name. The new domain thus started
sending a lot of mail a few days after it was registered.

The same caution is needed when trying to detect domains that only
started sending mail recently.

Trying to use the age (be it whois age or date of first mail) is not
very practical. it may be used while investigating a suspicious
domain.

 
 First, is there an existing policy server out there that checks how many
 days old a domain is?
 
 If so, it would probably end up working a lot like greylisting. You'd
 get a similar effect scoring with the SpamCop dnsbl, since it penalizes
 fresh domains.
 
 I know there is an RHSBL for it but this seems rather odd, if the domain
 has expired/etc it would be nice to filter on these statistics..
 
 True. There's no reason to accept mail from a long-expired domain (but
 your example hasn't expired).
 
 
 [BTW, there appears to be a problem with the DNS for your domain,
 lucidpixels.com. Your nameservers are not responding.]
 

he has only one name server (75.144.35.66) and it is not responding. he
should set up a secondary NS, as recommended by the RFCs...




Re: Problems with user's mail file

2008-12-20 Thread Pedro Augusto
If the problem is Mailscanner mangling the files, would an upgrade solve the
problem?

How can I test if the problem is concurrent access? Just to be sure which of
these are the problems...

Regards,
Pedro Augusto de Oliveira Pereira
Cisco Certified Network Associate - CCNA


On Fri, Dec 19, 2008 at 5:53 PM, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

 On Fri, Dec 19, 2008 at 02:47:49PM -0500, Brian Evans - Postfix List wrote:

  Pedro Augusto wrote:
   Good day,
  
   I'm having some strange problems with Postfix.
  
   It works perfectly, I have no problems sending or receiving e-mail but
   sometimes the user can't receive any e-mail using his client (such as
   Outlook Express) or through webmail. When we check the mail file, the
   first line is full of @ signs. The situation only gets back to normal
   when we remove all of these @ signs from the first line of the file.
  
   This only happens with some users and not all the time. I'm using
   Postfix 2.2.10, Dovecot 0.99.11-9 without virtual domains, Mailscanner
   and Clamav on a CentOS 4.7 box.
  
   If you need more details, just let me know.
  This sounds like a classic symptom of a Mailscanner mangle.
 
  It is not supported on this list and may mangle or lose emails at random.

 Or perhaps a mailbox locking problem. Those @ characters may well be
 ASCII NUL bytes which represent holes in the file because the delivery
 agent is appending to a file which another program truncates (and locking
 problems cause unsafe concurrent access).

 --
Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to not
 send an "it worked, thanks" follow-up. If you must respond, please put
 "It worked, thanks" in the Subject so I can delete these quickly.



Re: Problems with user's mail file

2008-12-20 Thread Gerard
On Sat, 20 Dec 2008 13:07:03 -0200
Pedro Augusto augusto.pe...@gmail.com wrote:

On Fri, Dec 19, 2008 at 5:53 PM, Victor Duchovni 
victor.ducho...@morganstanley.com wrote:

 On Fri, Dec 19, 2008 at 02:47:49PM -0500, Brian Evans - Postfix List
 wrote:

  Pedro Augusto wrote:
   Good day,
  
   I'm having some strange problems with Postfix.
  
   It works perfectly, I have no problems sending or receiving
   e-mail but sometimes the user can't receive any e-mail using his
   client (such as Outlook Express) or through webmail. When we
   check the mail file, the first line is full of @ signs. The
   situation only gets back to normal when we remove all of these @
   signs from the first line of the file.
  
   This only happens with some users and not all the time. I'm using
   Postfix 2.2.10, Dovecot 0.99.11-9 without virtual domains,
   Mailscanner and Clamav on a CentOS 4.7 box.
  
   If you need more details, just let me know.
  This sounds like a classic symptom of a Mailscanner mangle.
 
  It is not supported on this list and may mangle or lose emails at
  random.

 Or perhaps a mailbox locking problem. Those @ characters may well
 be ASCII NUL bytes which represent holes in the file because the
 delivery agent is appending to a file which another program
 truncates (and locking problems cause unsafe concurrent access).

 --
Viktor.

 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.

 To unsubscribe from the postfix-users list, visit
 http://www.postfix.org/lists.html or click the link below:
 mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

 If my response solves your problem, the best way to thank me is to
 not send an "it worked, thanks" follow-up. If you must respond,
 please put "It worked, thanks" in the Subject so I can delete
 these quickly.

If the problem is Mailscanner mangling the files, would an upgrade
solve the problem?

How can I test if the problem is concurrent access? Just to be sure
which of these are the problems...

Please lose the 'top posting' technique. While you are at it, use the
'plain text' option or whatever GMail is calling it these days to send
mail to this group.

Questions regarding 'MailScanner' should be directed at that group's
mail forum. In any event, using an outdated version of any software may
pose a problem. I would definitely use the latest versions of Postfix,
and if you must use it, MailScanner. BTW, your version of 'Dovecot' is
not current either. I can only imagine what version of ClamAV you have
installed. There were several security issues with some of the older
versions. I would definitely consider keeping that current.

-- 
Gerard
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

There is no likelihood man can ever tap the power of the atom.
-- Robert Millikan, Nobel Prize in Physics, 1923




Re: Postfix and DNSSEC

2008-12-20 Thread klondike
Wietse Venema wrote:
 klondike:
 Bernhard Fischer wrote:
 I'd like to use DNSSEC with Postfix.
 I did some research on the web but although DNSSEC is there nobody really 
 cares about it.
 The most recent patch for Postfix is for release 2.3 and is based on libs 
 (libval, libsres) I didn't find any download page for.

 Is there any recent development going on?
   
   
 Although I don't know whether there is actual development or not in
 DNSSEC, you should bear in mind that there are still a lot of servers
 which don't support DNSSEC, either because it is disabled, due to
 problems with the proved denial of existence system used originally, or
 because the admins haven't updated the machine as DNS is a fairly
 sensitive service.

 Said that, if postfix developers want to add DNSSEC support, although
 that should be implemented on the name resolving libraries, I wouldn't
 mind sharing my, scarce, knowledge on it.
 

 What are the application-visible changes? If one relies on BIND
 etc.  for validation, where does DNSSEC affect the application?
 Postfix uses the standard resolver library but these calls are
 entirely encapsulated in a single module.

   Wietse
It's a confidence thing overall.
You can be more sure of the correctness of a signed, authoritative DNS
answer than of an unsigned one.
Supposedly, the lookup library should ignore the answers with an invalid
signature or those unsigned when the server certifies it could use DNSSEC.
Anyway, there are some attacks based on DNS poisoning which could affect
the mail system; as an example, you can imagine a spammer who sends fake
SPF RRs to various DNS servers forging the origin IP so the MTAs would
accept as legit the mail it sends. There are also other, more dangerous
attacks like a man in the middle which I will not expose here.

Of course, a properly signed SPF RR is more trustable than an unsigned
one and you can be mostly sure a signed RR is valid.

Francisco Blas Izquierdo Riera
Developer of Kontinuidad Jabata





how hash table in transport_maps has '*' support

2008-12-20 Thread Reinaldo de Carvalho
Hi,

How does a hash table in transport_maps have '*' support, while in other
options (e.g. check_client_access) it doesn't work? Does Postfix always query
for '*'?

Why is it necessary if relayhost exists?

-- 
Reinaldo de Carvalho
http://korreio.sf.net (Now available in English)
http://python-cyrus.sf.net


Re: Problems with user's mail file

2008-12-20 Thread mouss
Pedro Augusto wrote:
 If the problem is Mailscanner mangling the files, would an upgrade solve
 the problem?
 

I think it's as Viktor said. I've already seen corrupted mbox files like
that.

consider using maildir instead.

 How can I test if the problem is concurrent access? Just to be sure
 which of these are the problems...
 

this is hard to test since such things happen at random times!


Re: how hash table in transport_maps has '*' support

2008-12-20 Thread mouss
Reinaldo de Carvalho wrote:
 Hi,
 
 How does a hash table in transport_maps have '*' support, while in other
 options (e.g. check_client_access) it doesn't work? Does Postfix always query
 for '*'?
 
 Why is it necessary if relayhost exists?
 

compatibility with old versions.



Re: Problems with user's mail file

2008-12-20 Thread Wietse Venema
Pedro Augusto:
 If the problem is Mailscanner mangling the files, would an upgrade solve the
 problem?
 
 How can I test if the problem is concurrent access? Just to be sure which of
 these are the problems...

Null bytes in mailbox files are usually the result of incorrect
file locking.

To find out if file locking is used, examine source code, strace
output, etc.  Postfix mailbox file locking is configurable.

Wietse
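Viktor's explanation earlier in the thread (the @ signs are NUL bytes, i.e. a hole left when the delivery agent writes at an end-of-file offset it computed before another program truncated the mailbox) can be reproduced deterministically, which also answers Pedro's question of how to tell concurrent access from a mangled file. The following is an added example, not code from Postfix or from anyone in the thread: it assumes the unsafe pattern Viktor describes (seek to end, then write, with no O_APPEND and no lock in the way), uses a constructed mailbox in a temporary directory, and includes a small scanner for the symptom.

```python
import os
import tempfile
from typing import Dict

# Constructed sample mailbox content (not from the reporter's system).
SAMPLE_MBOX = (
    b"From alice@example.com Sat Dec 20 10:00:00 2008\n"
    b"From: alice@example.com\nSubject: hi\n\nhello\n\n"
)
NEW_MESSAGE = (
    b"From bob@example.com Sat Dec 20 11:00:00 2008\n"
    b"From: bob@example.com\nSubject: later\n\nbody\n\n"
)


def race_append(path: str, truncate_in_between: bool) -> bytes:
    """Deliver NEW_MESSAGE to the mbox at `path` the unsafe way: compute
    end-of-file once, then write there. If another program truncates the
    file between the seek and the write (nothing locks it out), the write
    lands past the new EOF and the kernel fills the gap with NUL bytes:
    the '@ signs' at the top of the reporter's mailbox."""
    with open(path, "wb") as f:
        f.write(SAMPLE_MBOX)
    fd = os.open(path, os.O_WRONLY)          # deliberately no O_APPEND
    os.lseek(fd, 0, os.SEEK_END)             # offset fixed here ...
    if truncate_in_between:
        os.truncate(path, 0)                 # ... e.g. a POP daemon expunges the box
    os.write(fd, NEW_MESSAGE)                # ... and the write uses the stale offset
    os.close(fd)
    with open(path, "rb") as f:
        return f.read()


def scan_mbox(data: bytes) -> Dict[str, object]:
    """Detector for the symptom: a healthy mbox starts with a 'From ' line;
    a hole shows up as a run of NUL bytes in front of it."""
    nul_prefix = len(data) - len(data.lstrip(b"\0"))
    return {"starts_with_from": data.startswith(b"From "),
            "nul_prefix": nul_prefix,
            "corrupt": nul_prefix > 0}


def demo(truncate_in_between: bool) -> Dict[str, object]:
    """Run one delivery in a temporary directory and report the scan."""
    with tempfile.TemporaryDirectory() as d:
        return scan_mbox(race_append(os.path.join(d, "mbox"), truncate_in_between))


if __name__ == "__main__":
    print("no concurrent truncation:", demo(False))
    print("unsafe concurrent access:", demo(True))
```

Opening with O_APPEND would avoid the hole in this particular interleaving, but the message could still be interleaved with or destroyed by the other writer; the real fix is that every program touching the mbox takes the same lock, which for Postfix local delivery is governed by the `mailbox_delivery_lock` parameter Wietse's remark about configurable locking refers to.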


Re: Connection timeout when trying to send email to gmail address

2008-12-20 Thread Asif Iqbal
On Fri, Dec 19, 2008 at 5:32 PM, Wietse Venema wie...@porcupine.org wrote:
 Asif Iqbal:
  need to test it. Just set:
 
 smtp_tls_security_level = encrypt

 Thanks, I will put that in

 Just checked here that Postfix can talk SSL with [smtp.gmail.com]:587
 just fine.  But you need to set up client-side SASL authentication.

I did but still failing to relay through gmail

 Dec 20 14:24:32 improvise postfix/qmgr[19372]: 4238710E3AA:
from=iqb...@improvise.lan, size=444, nrcpt=1 (queue active)
Dec 20 14:24:32 improvise postfix/smtp[19431]: 4238710E3AA:
to=vad...@gmail.com, relay=smtp.gmail.com[209.85.163.109]:587,
delay=0.31, delays=0.03/0.08/0.16/0.04, dsn=5.7.0, status=bounced
(host smtp.gmail.com[209.85.163.109] said: 530 5.7.0 Must issue a
STARTTLS command first. h27sm3099851elf.16 (in reply to MAIL FROM
command))

Here are my configs

iqb...@improvise:~$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = loopback-only
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = improvise.lan, localhost.lan, , localhost
myhostname = improvise.lan
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

iqb...@improvise:~$ cat /etc/postfix/sasl_passwd
[smtp.gmail.com]:submission vadud3:mygmailpassword

I followed this

http://www.postfix.org/SASL_README.html#client_sasl



Wietse




-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu


Re: Connection timeout when trying to send email to gmail address

2008-12-20 Thread Wietse Venema
Asif Iqbal:
 On Fri, Dec 19, 2008 at 5:32 PM, Wietse Venema wie...@porcupine.org wrote:
  Asif Iqbal:
   need to test it. Just set:
  
  smtp_tls_security_level = encrypt
 
  Thanks, I will put that in
 
  Just checked here that Postfix can talk SSL with [smtp.gmail.com]:587
  just fine.  But you need to set up client-side SASL authentication.
 
 I did but still failing to relay through gmail
 
  Dec 20 14:24:32 improvise postfix/qmgr[19372]: 4238710E3AA:
 from=iqb...@improvise.lan, size=444, nrcpt=1 (queue active)
 Dec 20 14:24:32 improvise postfix/smtp[19431]: 4238710E3AA:
 to=vad...@gmail.com, relay=smtp.gmail.com[209.85.163.109]:587,
 delay=0.31, delays=0.03/0.08/0.16/0.04, dsn=5.7.0, status=bounced
 (host smtp.gmail.com[209.85.163.109] said: 530 5.7.0 Must issue a
 STARTTLS command first. h27sm3099851elf.16 (in reply to MAIL FROM
 command))

You need to turn on TLS in the Postfix smtp CLIENT.

You have turned on TLS in the Postfix smtp SERVER.

Wietse

 Here are my configs
 
 iqb...@improvise:~$ postconf -n
 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases
 append_dot_mydomain = no
 biff = no
 config_directory = /etc/postfix
 home_mailbox = Maildir/
 inet_interfaces = loopback-only
 inet_protocols = ipv4
 mailbox_size_limit = 0
 mydestination = improvise.lan, localhost.lan, , localhost
 myhostname = improvise.lan
 mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
 myorigin = /etc/mailname
 readme_directory = no
 recipient_delimiter = +
 relayhost = [smtp.gmail.com]:submission
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_type = cyrus
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_security_level = encrypt
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_use_tls = yes
 
 iqb...@improvise:~$ cat /etc/postfix/sasl_passwd
 [smtp.gmail.com]:submission   vadud3:mygmailpassword
 
 I followed this
 
 http://www.postfix.org/SASL_README.html#client_sasl
 
 
 
 Wietse
 
 
 
 
 -- 
 Asif Iqbal
 PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
 
 



Re: Connection timeout when trying to send email to gmail address

2008-12-20 Thread Sahil Tandon
Asif Iqbal wrote:

 I did but still failing to relay through gmail
 
  Dec 20 14:24:32 improvise postfix/qmgr[19372]: 4238710E3AA:
 from=iqb...@improvise.lan, size=444, nrcpt=1 (queue active)
 Dec 20 14:24:32 improvise postfix/smtp[19431]: 4238710E3AA:
 to=vad...@gmail.com, relay=smtp.gmail.com[209.85.163.109]:587,
 delay=0.31, delays=0.03/0.08/0.16/0.04, dsn=5.7.0, status=bounced
 (host smtp.gmail.com[209.85.163.109] said: 530 5.7.0 Must issue a
 STARTTLS command first. h27sm3099851elf.16 (in reply to MAIL FROM
 command))
 
 Here are my configs

 smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

These two are unnecessary; delete them.

 smtpd_tls_security_level = encrypt
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_use_tls = yes

smtpd != smtp.  You need the latter.

 I followed this
 
 http://www.postfix.org/SASL_README.html#client_sasl

Also follow this: http://www.postfix.org/TLS_README.html

-- 
Sahil Tandon sa...@tandon.net


Re: Connection timeout when trying to send email to gmail address

2008-12-20 Thread Asif Iqbal
On Sat, Dec 20, 2008 at 7:51 PM, Sahil Tandon sa...@tandon.net wrote:
 Asif Iqbal wrote:

 I did but still failing to relay through gmail

  Dec 20 14:24:32 improvise postfix/qmgr[19372]: 4238710E3AA:
 from=iqb...@improvise.lan, size=444, nrcpt=1 (queue active)
 Dec 20 14:24:32 improvise postfix/smtp[19431]: 4238710E3AA:
 to=vad...@gmail.com, relay=smtp.gmail.com[209.85.163.109]:587,
 delay=0.31, delays=0.03/0.08/0.16/0.04, dsn=5.7.0, status=bounced
 (host smtp.gmail.com[209.85.163.109] said: 530 5.7.0 Must issue a
 STARTTLS command first. h27sm3099851elf.16 (in reply to MAIL FROM
 command))

 Here are my configs

 smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

 These two are unnecessary; delete them.

 smtpd_tls_security_level = encrypt
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_use_tls = yes

 smtpd != smtp.  You need the latter.

still failing.

Dec 20 21:25:19 improvise postfix/pickup[6719]: 9E9F510E7DF: uid=1000
from=iqbala
Dec 20 21:25:19 improvise postfix/cleanup[7155]: 9E9F510E7DF:
message-id=20081221022519.9e9f510e...@improvise.lan
Dec 20 21:25:19 improvise postfix/qmgr[6721]: 9E9F510E7DF:
from=iqb...@improvise.lan, size=443, nrcpt=1 (queue active)
Dec 20 21:25:19 improvise postfix/smtp[7157]: certificate verification
failed for smtp.gmail.com[74.125.45.111]:587: untrusted issuer
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailaddress=premium-ser...@thawte.com
Dec 20 21:25:19 improvise postfix/smtp[7157]: warning: SASL
authentication failure: No worthy mechs found
Dec 20 21:25:19 improvise postfix/smtp[7157]: 9E9F510E7DF: SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[74.125.45.111]: no mechanism available
Dec 20 21:25:20 improvise postfix/smtp[7157]: certificate verification
failed for smtp.gmail.com[74.125.45.109]:587: untrusted issuer
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailaddress=premium-ser...@thawte.com
Dec 20 21:25:20 improvise postfix/smtp[7157]: warning: SASL
authentication failure: No worthy mechs found
Dec 20 21:25:20 improvise postfix/smtp[7157]: 9E9F510E7DF:
to=va...@gmail.com, relay=smtp.gmail.com[74.125.45.109]:587,
delay=0.68, delays=0.04/0.02/0.63/0, dsn=4.7.0, status=deferred (SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[74.125.45.109]: no mechanism available)



So I tried the openssl test and looks like I need a real certificate?!

iqb...@improvise:~$ openssl s_client -starttls smtp -connect smtp.gmail.com:587
CONNECTED(0003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailaddress=premium-ser...@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailaddress=premium-ser...@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 1212 

Re: Connection timeout when trying to send email to gmail address

2008-12-20 Thread Wietse Venema
Asif Iqbal:
 Dec 20 21:25:20 improvise postfix/smtp[7157]: warning: SASL
 authentication failure: No worthy mechs found

This means that the SASL (NOT: SSL) mechanisms are not properly
configured.

 So I tried the openssl test and looks like I need a real certificate?!

No, you need to fix the SASL (NOT: SSL) details.

Output from: 

postconf -n |grep sasl

Very likely you need to set

/etc/postfix/main.cf:
smtp_sasl_tls_security_options = noanonymous

(the default is to disallow plaintext login mechanisms).

Wietse
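Sahil's point (smtpd_* settings configure the server, the client needs smtp_*) and Wietse's (the default SASL options forbid the plaintext mechanisms a submission service offers over TLS, so `smtp_sasl_tls_security_options = noanonymous` is needed) are easy to get wrong again. The following is an added example, not Postfix code or a Postfix tool: it lints a `postconf -n` dump for exactly those two mistakes. The finding codes and checks are this example's own; the three dumps are the relevant lines of the configuration posted earlier in the thread, the same dump after Sahil's change, and again after Wietse's.

```python
from typing import Dict, List

# The dump posted earlier in this thread (relevant lines only).
POSTED = """\
inet_interfaces = loopback-only
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
"""
# Same dump after Sahil's advice: smtpd_* lines dropped, client TLS turned on.
AFTER_SAHIL = """\
inet_interfaces = loopback-only
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""
# ... and with Wietse's final fix added.
FIXED = AFTER_SAHIL + "smtp_sasl_tls_security_options = noanonymous\n"


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines as printed by postconf -n."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def lint_client(conf: Dict[str, str]) -> List[str]:
    """Findings (codes are this example's own) for a host that relays through
    an authenticated submission service such as [smtp.gmail.com]:submission."""
    findings: List[str] = []
    relaying = bool(conf.get("relayhost"))
    client_tls = conf.get("smtp_tls_security_level", "none") != "none"
    sasl = conf.get("smtp_sasl_auth_enable", "no") == "yes"
    server_tls_keys = [k for k in conf if k.startswith("smtpd_tls") or k == "smtpd_use_tls"]

    if relaying and not client_tls:
        findings.append("client-tls-off: smtp_tls_security_level is unset, so the relay "
                        "answers MAIL FROM with '530 Must issue a STARTTLS command first'")
    if not client_tls and server_tls_keys:
        findings.append("smtpd-vs-smtp: %s configure the smtpd SERVER; the smtp CLIENT "
                        "needs smtp_tls_security_level" % ", ".join(server_tls_keys))
    if sasl and "smtp_sasl_password_maps" not in conf:
        findings.append("sasl-no-password-maps: smtp_sasl_auth_enable = yes without credentials")
    if sasl and client_tls:
        # Postfix default: smtp_sasl_tls_security_options = $smtp_sasl_security_options,
        # and that in turn defaults to "noplaintext, noanonymous".
        opts = conf.get("smtp_sasl_tls_security_options",
                        conf.get("smtp_sasl_security_options", "noplaintext, noanonymous"))
        if "noplaintext" in opts:
            findings.append("sasl-noplaintext: plaintext mechanisms (PLAIN/LOGIN) offered over "
                            "TLS are refused ('No worthy mechs found'); "
                            "set smtp_sasl_tls_security_options = noanonymous")
    return findings


def lint_text(text: str) -> List[str]:
    return lint_client(parse_postconf(text))


if __name__ == "__main__":
    for label, dump in (("posted", POSTED), ("after Sahil", AFTER_SAHIL), ("fixed", FIXED)):
        print(label, "->", lint_text(dump) or ["ok"])
```

The lint stops at the point where the thread's own log shows delivery succeeding. Note that even that final log still says "certificate verification failed", because `smtp_tls_security_level = encrypt` only demands encryption; if the relay's identity matters, `smtp_tls_security_level = secure` with a `smtp_tls_CAfile` that contains the relay's issuing CA makes Postfix verify it.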


Re: Problems with user's mail file

2008-12-20 Thread Charles Marcus
On 12/19/2008, Pedro Augusto (augusto.pe...@gmail.com) wrote:
 It works perfectly, I have no problems sending or receiving e-mail
 but sometimes the user can't receive any e-mail using his client
 (such as Outlook Express) or through webmail. When we check the mail
 file, the first line is full of @ signs. The situation only gets back
 to normal when we remove all of these @ signs from the first line of
 the file.
 
 This only happens with some users and not all the time. I'm using
 Postfix 2.2.10, Dovecot 0.99.11-9 without virtual domains,

This is actually a well known problem with dovecot 0.99.x and mbox files.

Current version of dovecot is 1.1.7, and is so different from 0.99 as to
be considered an entirely different animal.

Major upgrades are in order...

-- 

Best regards,

Charles


Re: Connection timeout when trying to send email to gmail address

2008-12-20 Thread Asif Iqbal
On Sat, Dec 20, 2008 at 9:41 PM, Wietse Venema wie...@porcupine.org wrote:
 Asif Iqbal:
 Dec 20 21:25:20 improvise postfix/smtp[7157]: warning: SASL
 authentication failure: No worthy mechs found

 This means that the SASL (NOT: SSL) mechanisms are not properly
 configured.

 So I tried the openssl test and looks like I need a real certificate?!

 No, you need to fix the SASL (NOT: SSL) details.

 Output from:

 postconf -n |grep sasl

 Very likely you need to set

 /etc/postfix/main.cf:
smtp_sasl_tls_security_options = noanonymous

That was it and it is working now. Wow! Thanks!!

Dec 20 21:58:08 improvise postfix/pickup[7939]: C429F10E3B0: uid=1000
from=iqbala
Dec 20 21:58:08 improvise postfix/cleanup[7951]: C429F10E3B0:
message-id=20081221025808.c429f10e...@improvise.lan
Dec 20 21:58:08 improvise postfix/qmgr[7941]: C429F10E3B0:
from=iqb...@improvise.lan, size=445, nrcpt=1 (queue active)
Dec 20 21:58:09 improvise postfix/smtp[7986]: certificate verification
failed for smtp.gmail.com[209.85.163.109]:587: untrusted issuer
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailaddress=premium-ser...@thawte.com
Dec 20 21:58:10 improvise postfix/smtp[7986]: C429F10E3B0:
to=vad...@gmail.com, relay=smtp.gmail.com[209.85.163.109]:587,
delay=1.9, delays=0.04/0/0.95/0.96, dsn=2.0.0, status=sent (250 2.0.0
OK 1229828290 t26sm7000666ele.17)
Dec 20 21:58:10 improvise postfix/qmgr[7941]: C429F10E3B0: removed

Here is my working postfix main.conf

iqb...@improvise:~$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = loopback-only
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = improvise.lan, localhost.lan, , localhost
myhostname = improvise.lan
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes

I wonder if I can make the config file even smaller. I am just using it
to send mail to local and remote addresses using gmail as relayhost. I
don't want to receive any email from outside. I'd like to listen on port
25 only on the loopback interface.

Thanks again.

I am a little confused about SASL and TLS. I guess I have to hit Wikipedia ;-)


 (the default is to disallow plaintext login mechanisms).

Wietse




-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu


sender restriction

2008-12-20 Thread aio shin
hi list,

I'd like to ask how I can do this kind of restriction on postfix.

we have a local access restriction that prevents emails from outside from
reaching those users on the access list.

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders
permit_mynetworks
permit_sasl_authenticated
reject_unknown_recipient_domain
reject_non_fqdn_recipient
reject_unlisted_recipient
reject_unlisted_sender
reject_unauth_destination


those on the restricted_senders list are not able to receive from yahoo or
any other mail, only local.

now, if there are the email addresses big...@yahoo.com and big...@gmail.com
and I want them to bypass any restriction, how should I do it?

tia.

aio

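To reason about what a map like restricted_senders does for a given sender and recipient, here is a small model of how Postfix looks up an address in a check_sender_access map and evaluates the action it returns. This is an added example, not code from the thread or from Postfix; the map entries (including a permit_auth_destination,reject entry, which permits a listed outside sender only towards local recipients), the local domains and the addresses are constructed, and permit_auth_destination is simplified to a mydestination check.

```python
"""Model of a Postfix check_sender_access lookup and of the restriction
list an access-map entry may return.  Added example, not code from the
thread or from Postfix; map entries, domains and addresses are constructed."""

MYDESTINATION = {"example.lan", "localhost"}   # constructed local domains

# Constructed /etc/postfix/restricted_senders as postmap would index it.
# Line order in a hash: file does not matter; the key order below does.
ACCESS = {
    "bigguy@yahoo.com": "permit_auth_destination,reject",
    "yahoo.com": "REJECT",
    "gmail.com": "REJECT",
}

def access_keys(sender):
    """access(5) lookup order for an address: user@domain, the domain and
    each parent domain (default parent_domain_matches_subdomains includes
    smtpd_access_maps), then user@."""
    user, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [sender.lower()]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    return keys + [user + "@"]

def lookup(sender):
    """First key found wins, as in a real indexed access map."""
    for key in access_keys(sender):
        if key in ACCESS:
            return ACCESS[key]
    return None

def evaluate(action, recipient):
    """Run an access result as an inline restriction list; returns 'permit',
    'reject' or 'dunno' (dunno = go on to the next smtpd restriction)."""
    for item in (x.strip() for x in action.lower().split(",")):
        if item in ("ok", "permit"):
            return "permit"
        if item.startswith("reject"):          # REJECT, or reject with text
            return "reject"
        if item == "permit_auth_destination":
            if recipient.rpartition("@")[2] in MYDESTINATION:
                return "permit"
            continue          # recipient not local: dunno, try next item
        raise ValueError("restriction not modelled: " + item)
    return "dunno"

def decide(sender, recipient):
    action = lookup(sender)
    return "dunno" if action is None else evaluate(action, recipient)
```

For an indexed (hash:) map the lookup order is fixed by access(5), so a full-address entry is found before a domain entry regardless of where it sits in the file.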

Re: sender restriction

2008-12-20 Thread Darren Pilgrim

aio shin wrote:

 we have a local access restriction that prevents emails from outside from
 reaching those users on the access list.
 
 smtpd_recipient_restrictions =
 check_sender_access hash:/etc/postfix/restricted_senders
 permit_mynetworks
 permit_sasl_authenticated
 reject_unknown_recipient_domain
 reject_non_fqdn_recipient
 reject_unlisted_recipient
 reject_unlisted_sender
 reject_unauth_destination
 
 
 those on the restricted_senders list are not able to receive from yahoo or
 any other mail, only local.
 
 now, if there are the email addresses big...@yahoo.com and big...@gmail.com
 and I want them to bypass any restriction, how should I do it?


Put the following in /etc/postfix/restricted_senders, above the line(s)
blocking non-local senders:


big...@yahoo.com    permit_auth_destination,reject
big...@gmail.com    permit_auth_destination,reject