Re: howto setup outgoing port to 587 ?

2008-12-27 Thread Erwan David
On Fri 26/12/2008, mouss said:
 
 it's not required. but if you don't verify the cert, then you trust DNS.
 so a DNS attack (poisoning, ...) would make him send passwords to the
 wrong server.

But if you want to verify the cert, the standard way of trusting any CA just
because it appears in the default lists for OSes is also wrong. Those CAs have
done nothing to build this trust. The only way would be to get the
certificate directly from google, and not by electronic means...

The validation part of SSL works if SSL is correctly used, but NOT in the
standard mode of operation.

-- 
Erwan


Relay Access Denied for remote domains

2008-12-27 Thread c...@gri
I don't have much experience on linux.
I needed to install a mail server on my ubuntu server running apache2
virtual hosts. I had to be quick so I tried this
http://flurdy.com/docs/postfix/ tutorial.
Skipped firewall; installed postfix and courier-imap (added pop3). But since
I tried to do all as quick as possible, and since I have very little
experience, I messed up somewhere.
I now am able to log in and receive through imap or pop3. Also able to send
mails to accounts of my domain.
But when I try to send a mail to remote (gmail, yahoo, example.com etc.) I
get Relay Access Denied. Much googling led me to
smtpd_recipient_restrictions; I troubled much but could not solve it, and
am so confused.

My goal is to have a mail server that:
- restricts users to using TLS for all (POP3/IMAP/SMTP).
- makes it as hard as possible for spammers to target my domains.
But now I have had a headache for more than 3 days.
I'm adding the current state of my cf's.
Could you tell me what I am doing wrong?
---
main.cf
---
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
readme_directory = no

smtpd_helo_required = yes
smtpd_delay_reject = yes
smtp_helo_timeout = 60s
smtpd_recipient_limit = 32
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_security_level = may
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

#myhostname = example.com
#already done in /etc/mailname as mail.**.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = **.com
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
masquerade_domains = mail.**.com

smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining

#smtpd_recipient_restrictions = permit_sasl_authenticated,
#    reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient,
#    reject_unauth_destination, permit
#smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
#    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
#    reject_unauth_destination, permit
#smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
#    reject_non_fqdn_recipient, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
#smtpd_recipient_restrictions = permit


disable_vrfy_command = yes
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is
# there) not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf
---
//main.cf
master.cf
---
smtp  inet  n   -   -   -   -   smtpd
#submission inet n   -   -   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   -   -   
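As an added example (not the poster's files), a main.cf/master.cf fragment that gives the two goals above a concrete shape: port 25 stays an inbound-only MX that refuses relaying, and the users' own clients submit on port 587 where TLS is mandatory and SASL is required. It assumes a SASL backend (Cyrus saslauthd or Dovecot, not shown) is already configured, as in the flurdy tutorial, and the restriction lists replace the ones in the post.

```conf
# main.cf (added example)
# Port 25: accept mail for our own domains only. With SASL disabled here,
# permit_sasl_authenticated matches nobody on 25, so outsiders get
# "Relay access denied" for remote domains, which is the correct answer.
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

# master.cf (added example): the only place where 25 and 587 differ.
# encrypt = refuse AUTH and MAIL until STARTTLS; the RBL-based
# smtpd_client_restrictions from main.cf are overridden so that
# authenticated users on dynamic/listed IPs are not rejected.
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Mail clients must then be pointed at port 587 with STARTTLS and authentication; anything still submitting on 25 without authentication will keep seeing Relay Access Denied, by design.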

Re: howto setup outgoing port to 587 ?

2008-12-27 Thread mouss
Vidar Salberg Normann wrote:
 My ISP, ATT blocks port 25. I think if I just send the email to port 587
 ( which is how I've configured Thunderbird ) this should work.
 On 587, you will also need SASL authentication. This is a submission
 service.
 
 Does this mean you can't make postfix treat traffic on port 587 exactly like
 normal SMTP traffic on port 25, while also accepting SASL and/or AUTH
 LOGIN if used?
 

you can do what you want with _your_ postfix. 587 is just a number. it just
happens to be the recommended submission port and the recommendation is
to use SASL for submission.


Re: howto setup outgoing port to 587 ?

2008-12-27 Thread Wietse Venema
Vidar Salberg Normann:
 Does this mean you can't make postfix treat traffic on port 587 exactly like
 normal SMTP traffic on port 25, while also accepting SASL and/or AUTH
 LOGIN if used?

The only difference between 25 and 587 is in the Postfix master.cf file.

Wietse


Re: Reject/Discard mails to a Receipient

2008-12-27 Thread LuKreme

On 23-Dec-2008, at 17:06, Sahil Tandon wrote:

Linux Addict wrote:

Hello, I have clients sending mails to a non-existent email
address/domain, emailerm...@exchange.example.net. I want to discard any
mail sent to this address. I looked at smtpd_recipient_restrictions, but
can't figure out how to get this done. Please help me!!


Why not simply reject such messages?  What is the reason you want to
accept but silently discard messages to that non-existent user?


Well, if you can delete the entire message to a specific user,
including any CC or Bcc copies of it, then you could use this as a
spamtrap... for that 1% of spam that still comes to multiple
recipients...


--
http://en.wikipedia.org/wiki/TOFU



FYI: Secure-channel TLS from Exchange 2007 to Postfix

2008-12-27 Thread Victor Duchovni

In Exchange 2007 it is possible to configure selected destinations
for Domain Secured email; this is approximately equivalent to the
Postfix secure setting. There are a few pitfalls:

- One must be careful to only enforce Domain Security *outbound*.
  The GUI management tools only support enforcing Domain Security
  in both directions; this is unwise and breaks mail forwarding,
  since mail delivered indirectly from the origin domain will not
  have the right client certs and will be refused (in many cases
  even the real sending domain won't have suitable client certs).

  To enable just the outbound direction one needs to use the
  PowerShell interface to manipulate Global Transport settings.

- It is not as easy to configure custom certificate matching rules
  per destination. There is no TLS policy table, rather the
  peer certificate must exactly match the nexthop domain. Custom
  connectors can be used to make explicit nexthop choices as
  necessary.

The process is roughly as follows:

- Create one or more outbound Connectors for which Domain Security
  is enabled (easy via GUI).

- Associate selected domains with a connector as above (easy via GUI).

- Define which domains require outbound Domain Security, non-obvious
  PowerShell scripting.

One of our Exchange admins has put together the attached PowerShell
script which you may find useful.

For Microsoft's instructions, see:

http://technet.microsoft.com/en-us/library/bb266978.aspx#ConfigOutbound

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.

param(
    [Microsoft.Exchange.Data.SmtpDomain] $domain = $(throw "Need a domain name (i.e. example.com)"),

    [switch] $add,      # add specified domains
    [switch] $remove,   # remove specified domains
    [switch] $send,     # update TLSSendDomainSecureList
    [switch] $receive   # update TLSReceiveDomainSecureList
)

if ($add -and $remove) {
    write-error "Specify either -add or -remove, not both"
    exit
}

if (-not ($send -or $receive)) {
    write-error "Specify the domain secure list type (-send and/or -receive)"
    exit
}

# Update the Send Domain Secure list
if ($send) {
    # current list of domains
    $doms = @( (Get-TransportConfig).TLSSendDomainSecureList )

    # add $domain to the current list and make it unique
    if ($add) {
        $doms += $domain
        $doms = $doms | sort-object -unique
    }

    # remove the current domain by filtering it out in where-object {}
    if ($remove) {
        $doms = $doms | where-object { $_ -ne $domain }
    }

    # if $doms is empty (i.e. last domain removed from the list), set
    # the domain secure list value to $null, otherwise @($doms)
    if ($doms.count -eq 0 -or -not $doms) {
        Set-TransportConfig -TLSSendDomainSecureList $null
    } else {
        Set-TransportConfig -TLSSendDomainSecureList @($doms)
    }
}

# Update the Receive Domain Secure list
if ($receive) {
    # current list of domains
    $doms = @( (Get-TransportConfig).TLSReceiveDomainSecureList )

    # add $domain to the current list and make it unique
    if ($add) {
        $doms += $domain
        $doms = $doms | sort-object -unique
    }

    # remove the current domain by filtering it out in where-object {}
    if ($remove) {
        $doms = $doms | where-object { $_ -ne $domain }
    }

    # if $doms is empty (i.e. last domain removed from the list), set
    # the domain secure list value to $null, otherwise @($doms)
    if ($doms.count -eq 0 -or -not $doms) {
        Set-TransportConfig -TLSReceiveDomainSecureList $null
    } else {
        Set-TransportConfig -TLSReceiveDomainSecureList @($doms)
    }
}

# output our new view of the Send/Receive domain secure list
Get-TransportConfig | format-list TLS*Domain*


Implementing autoreply for all received mail (including internally forwarded)

2008-12-27 Thread Jeff Weinberger

Hi:

I am hoping I can ask for suggestions or pointers to help solve this challenge.


I am trying to implement an autoreply capability. I am putting together a script that will handle the messages.


Many of the autoreply examples I've found suggest implementing this by:

main.cf:
   always_bcc = autoreply

local_alias_maps:
   autoreply  '|/path/to/autoreply/script'

effectively causing all mail sent to anyone to be bcc'ed to the script, which then determines if an autoreply needs to be sent. This also ensures that delivery to the intended recipient (in my case, they are all virtual mailboxes) will also happen.


However, as I started to test this, I discovered a limitation that I am having difficulty finding a solution for. The scenario is that one user on one domain that I host sends mail to another user at another domain that I host. The recipient has autoreply turned on in my script. However, according to http://www.postfix.com/ADDRESS_REWRITING_README.html :


"To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally"


and the actual behavior matches that statement.

So my question:

Is there another mechanism I can use to send the mail to the script without interfering with normal mail delivery in all cases, including this internally forwarded mail?


Or, is there another way to handle autoreplies that anyone can suggest or point me to that avoids this issue?


(I don't want all mail forwarded to the script, as I do not want to - and am not sufficiently proficient to - handle reinjection into postfix and the associated handling of SMTP/LMTP protocol)


Thank you very much for any help or pointers you can offer!



Can recipient_bcc_maps be overridden in master.cf?

2008-12-27 Thread Jeff Weinberger

Hi:

I am having a problem with duplicate bcc's (from recipient_bcc_maps) and I suspect I know why - but I hope someone can point me to a solution.


I have a content filter set up for dspam (content_filter = dspam:dspam in main.cf) set up as described in the "Advanced content filter example" section of http://www.postfix.com/FILTER_README.html - it works fine.


Now I've added the ability for selected virtual mailbox addresses to trigger recipient_bcc_maps so that a bcc is generated to a specific address only when mail is sent to designated recipients.


This is where the problem arises.

When mail arrives, the bcc is generated and sent. Then when the mail is injected back into postfix after the content filter, another bcc is generated and sent. The second bcc is, of course, undesirable.


I tried adding:

  -o recipient_bcc_maps=

to the overrides for localhost:10026 (where dspam reinjects the mail) but that did not change the behavior. It still generated the second bcc.


I don't see this documented per se (am I missing something?), but can recipient_bcc_maps be overridden this way? If not, is there another way to avoid the second bcc?


Thank you for any help, pointers and/or advice you can offer!!
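As an added example (not the poster's master.cf), the override that does take effect. recipient_bcc_maps is read by cleanup(8), not by smtpd(8), so `-o recipient_bcc_maps=` on the reinjection smtpd is silently ignored; what smtpd can pass on to cleanup is receive_override_options, and its no_address_mappings value disables canonical/virtual-alias mapping, masquerading and automatic BCC for that pass through cleanup. Putting it on the smtpd that receives mail before the filter means the mappings, BCC included, run once, after reinjection. The reinjection port (10026) follows the post; content_filter is assumed to stay in main.cf as the poster has it.

```conf
# master.cf (added example)

# Inbound smtpd: mail goes out to dspam via content_filter from main.cf.
# Skip address mappings here so the BCC is not generated on this pass.
smtp      inet  n       -       -       -       -       smtpd
  -o receive_override_options=no_address_mappings

# Reinjection from dspam: no second filter pass, and the usual
# post-filter overrides; address mappings (and thus the BCC) now
# happen exactly once, here.
localhost:10026 inet n  -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
```

One caveat to check before choosing this placement: with mappings deferred until after the filter, dspam sees the envelope recipients before virtual alias expansion; if per-recipient classification depends on the expanded addresses, put no_address_mappings on the localhost:10026 service instead, since the mappings already applied before the filter are not redone there.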