Re: howto setup outgoing port to 587 ?
On Fri 26/12/2008, mouss said:
it's not required.

but if you don't verify the cert, then you trust DNS. so a DNS attack (poisoning, ...) would make him send passwords to the wrong server. But if you want to verify the cert, the standard way of trusting any CA just because it appears in the default lists for OSes is also wrong. Those CAs have done nothing to build this trust. The only way would be to get the certificate directly from google, and not by electronic means... The validation part of SSL works if SSL is correctly used, but NOT in the standard modus of operation.

-- Erwan
Relay Access Denied for remote domains
I don't have much experience on linux. I needed to install a mail server on my ubuntu server running apache2 virtual hosts. I had to be quick so I tried this http://flurdy.com/docs/postfix/ tutorial. Skipped firewall; installed postfix and courier-imap (added pop3). But since I tried to do all as quick as possible, and since I have very low experience, I messed up somewhere.

I now am able to log in and receive through imap or pop3. Also able to send mails to accounts of my domain. But when I try to send a mail to remote (gmail, yahoo, example.com etc.) I get "Relay Access Denied". Much googling led me to smtpd_recipient_restrictions. I troubled much but could not solve it. And I'm so confused.

My goal is to have a mail server that:
- restricts users to use TLS for all (POP3/IMAP/SMTP).
- makes it as hard as possible for spammers to target my domains.

But now I have a headache for more than 3 days. I'm adding the last shapes of my cf's. Could you tell me what am I doing wrong?

--- main.cf ---
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
readme_directory = no
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtp_helo_timeout = 60s
smtpd_recipient_limit = 32
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtpd_tls_security_level = may
#smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#myhostname = example.com   #already done in /etc/mailname as mail.**.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = **.com
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
masquerade_domains = mail.**.com
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
#smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, permit
#smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
#smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
#smtpd_recipient_restrictions = permit
disable_vrfy_command = yes
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is there) not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf
--- //main.cf

--- master.cf ---
smtp        inet  n       -       -       -       -       smtpd
#submission inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps      inet  n       -       -       -
Re: howto setup outgoing port to 587 ?
Vidar Salberg Normann wrote:
My ISP, ATT blocks port 25. I think if I just send the email to port 587 (which is how I've configured Thunderbird) this should work.

On 587, you will also need SASL authentication. This is a submission service.

Does this mean you can't make postfix treat traffic on port 587 exactly like normal SMTP traffic on port 25, while also accepting SASL and/or AUTH LOGIN if used?

you can do what you want with _your_ postfix. 587 is just a number. it just happens to be the recommended submission port and the recommendation is to use SASL for submission.
Re: howto setup outgoing port to 587 ?
Vidar Salberg Normann:
Does this mean you can't make postfix treat traffic on port 587 exactly like normal SMTP traffic on port 25, while also accepting SASL and/or AUTH LOGIN if used?

The only difference between 25 and 587 is in the Postfix master.cf file.

Wietse
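A constructed Python model, added here and not taken from any message in this thread, of how Postfix walks a restriction list from first to last entry: it runs the smtpd_recipient_restrictions line from the "Relay Access Denied" post above and the commented-out submission entry from that post's master.cf side by side, which is the master.cf difference between 25 and 587 that Wietse refers to. The Client class, the evaluate and has_relay_guard functions, the IP addresses and the example.com/example.net domains are all assumptions of mine, not Postfix internals.

```python
# Toy model of how Postfix walks a restriction list: the first entry that
# returns PERMIT or REJECT decides, anything else (DUNNO) falls through.
# Constructed illustration, not Postfix code: no DNS, access maps or relay_domains.
import ipaddress
from dataclasses import dataclass

@dataclass
class Client:
    ip: str                           # connecting client's address
    sasl_authenticated: bool = False  # did AUTH succeed on this session?

# Constructed stand-ins for $mynetworks and the virtual mailbox domains
# (example.com plays the poster's **.com; Postfix writes ::1/128 as [::1]/128).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
MY_DOMAINS = {"example.com"}

def evaluate(restrictions, client, rcpt_domain):
    """Return (action, reason) for one RCPT TO, walking the list in order."""
    addr = ipaddress.ip_address(client.ip)
    for r in restrictions:
        if r == "permit_mynetworks" and any(addr in net for net in MYNETWORKS):
            return "PERMIT", "client in $mynetworks"
        if r == "permit_sasl_authenticated" and client.sasl_authenticated:
            return "PERMIT", "SASL authenticated"
        if r == "reject_unauth_destination" and rcpt_domain.lower() not in MY_DOMAINS:
            return "REJECT", "554 Relay access denied"
        if r == "permit":
            return "PERMIT", "explicit permit"
        if r == "reject":
            return "REJECT", "554 Access denied"
    return "PERMIT", "end of list (Postfix default is permit)"

def has_relay_guard(restrictions):
    """True if the list has a relay guard; without one any client may relay anywhere."""
    return bool({"reject_unauth_destination", "reject"} & set(restrictions))

# Lists as posted: port 25 from main.cf, 587 from the commented-out submission entry.
PORT25 = ["permit_mynetworks", "reject_unauth_destination"]
SUBMISSION = ["permit_sasl_authenticated", "reject"]

def demo():
    mua = Client("203.0.113.5", sasl_authenticated=True)  # constructed remote MUA
    mta = Client("198.51.100.7")                          # constructed remote MTA
    return {
        "inbound_to_hosted": evaluate(PORT25, mta, "example.com"),
        "mua_relay_port25": evaluate(PORT25, mua, "example.net"),
        "mua_relay_587": evaluate(SUBMISSION, mua, "example.net"),
        "mta_587": evaluate(SUBMISSION, mta, "example.net"),
    }
```

The port-25 list never consults SASL, so an authenticated client outside $mynetworks is still refused for remote domains there, while the submission list admits it and turns everyone else away.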
Re: Reject/Discard mails to a Recipient
On 23-Dec-2008, at 17:06, Sahil Tandon wrote:
Linux Addict wrote:
Hello, I have clients sending mails to a non-existent email address/domain, emailerm...@exchange.example.net. I want to discard any mail sent to this address. I looked at smtpd_recipient_restrictions, but can't figure out how to get this done. Please help me!!

Why not simply reject such messages? What is the reason you want to accept but silently discard messages to that non-existent user?

Well, if you can delete the entire message to a specific user, including any CC or Bcc copies of it, then you could use this as a spamtrap... for that 1% of spam that still comes to multiple recipients...

-- http://en.wikipedia.org/wiki/TOFU
FYI: Secure-channel TLS from Exchange 2007 to Postfix
In Exchange 2007 it is possible to configure selected destinations for "Domain Secured" email; this is approximately equivalent to the Postfix "secure" setting. There are a few pitfalls:

- One must be careful to only enforce Domain Security *outbound*. The GUI management tools only support enforcing Domain Security in both directions; this is unwise and breaks mail forwarding, since mail delivered indirectly from the origin domain will not have the right client certs and will be refused (in many cases even the real sending domain won't have suitable client certs). To enable just the outbound direction one needs to use the PowerShell interface to manipulate Global Transport settings.

- It is not as easy to configure custom certificate matching rules per destination. There is no TLS policy table; rather, the peer certificate must exactly match the nexthop domain. Custom connectors can be used to make explicit nexthop choices as necessary.

The process is roughly as follows:

- Create one or more outbound Connectors for which Domain Security is enabled (easy via GUI).
- Associate selected domains with a connector as above (easy via GUI).
- Define which domains require outbound Domain Security (non-obvious PowerShell scripting).

One of our Exchange admins has put together the attached PowerShell script which you may find useful. For Microsoft's instructions, see: http://technet.microsoft.com/en-us/library/bb266978.aspx#ConfigOutbound

-- Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
param(
    [Microsoft.Exchange.Data.SmtpDomain] $domain = $(throw "Need a domain name (i.e. example.com)"),
    [switch] $add,      # add specified domains
    [switch] $remove,   # remove specified domains
    [switch] $send,     # update TLSSendDomainSecureList
    [switch] $receive   # update TLSReceiveDomainSecureList
)

if ($add -and $remove) {
    write-error "Specify either -add or -remove, not both"
    exit
}
if (-not ($send -or $receive)) {
    write-error "Specify the domain secure list type (-send and/or -receive)"
    exit
}

# Update the Send Domain Secure list
if ($send) {
    # current list of domains
    $doms = @( (Get-TransportConfig).TLSSendDomainSecureList )

    # add $domain to the current list and make it unique
    if ($add) {
        $doms += $domain
        $doms = $doms | sort-object -unique
    }

    # remove the current domain by filtering it out in where-object {}
    if ($remove) {
        $doms = $doms | where-object { $_ -ne $domain }
    }

    # if $doms is empty (i.e. last domain removed from the list), set
    # the domain secure list value to $null, otherwise @($doms)
    if ($doms.count -eq 0 -or -not $doms) {
        Set-TransportConfig -TLSSendDomainSecureList $null
    } else {
        Set-TransportConfig -TLSSendDomainSecureList @($doms)
    }
}

# Update the Receive Domain Secure list
if ($receive) {
    # current list of domains
    $doms = @( (Get-TransportConfig).TLSReceiveDomainSecureList )

    # add $domain to the current list and make it unique
    if ($add) {
        $doms += $domain
        $doms = $doms | sort-object -unique
    }

    # remove the current domain by filtering it out in where-object {}
    if ($remove) {
        $doms = $doms | where-object { $_ -ne $domain }
    }

    # if $doms is empty (i.e. last domain removed from the list), set
    # the domain secure list value to $null, otherwise @($doms)
    if ($doms.count -eq 0 -or -not $doms) {
        Set-TransportConfig -TLSReceiveDomainSecureList $null
    } else {
        Set-TransportConfig -TLSReceiveDomainSecureList @($doms)
    }
}

# output our new view of the Send/Receive domain secure list
Get-TransportConfig | format-list TLS*Domain*
Implementing autoreply for all received mail (including internally forwarded)
Hi:

I am hoping I can ask for suggestions or pointers to help solve this challenge. I am trying to implement an autoreply capability. I am putting together a script that will handle the messages.

Many of the autoreply examples I've found suggest implementing this by:

main.cf:
    always_bcc = autoreply

local_alias_maps:
    autoreply '|/path/to/autoreply/script'

effectively causing all mail sent to anyone to be bcc'ed to the script, which then determines if an autoreply needs to be sent. This also ensures that delivery to the intended recipient (in my case, they are all virtual mailboxes) will also happen.

However, as I started to test this, I discovered a limitation that I am having difficulty finding a solution for. The scenario is that one user on one domain that I host sends mail to another user at another domain that I host. The recipient has autoreply turned on in my script. However, according to http://www.postfix.com/ADDRESS_REWRITING_README.html :

"To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally"

and the actual behavior matches that statement.

So my question: Is there another mechanism I can use to send the mail to the script without interfering with normal mail delivery in all cases, including this internally forwarded mail? Or, is there another way to handle autoreplies that anyone can suggest or point me to that avoids this issue? (I don't want all mail forwarded to the script, as I do not want to - and am not sufficiently proficient to - handle reinjection into postfix and the associated handling of SMTP/LMTP protocol)

Thank you very much for any help or pointers you can offer!
Can recipient_bcc_maps be overridden in master.cf?
Hi:

I am having a problem with duplicate bcc's (from recipient_bcc_maps) and I suspect I know why - but I hope someone can point me to a solution.

I have a content filter set up for dspam (content_filter = dspam:dspam in main.cf), set up as described in the "Advanced content filter example" section of http://www.postfix.com/FILTER_README.html - it works fine.

Now I've added the ability for selected virtual mailbox addresses to trigger recipient_bcc_maps so that a bcc is generated to a specific address only when mail is sent to designated recipients. This is where the problem arises. When mail arrives, the bcc is generated and sent. Then when the mail is injected back into postfix after the content filter, another bcc is generated and sent. The second bcc is, of course, undesirable.

I tried adding:

    -o recipient_bcc_maps=

to the overrides for localhost:10026 (where dspam reinjects the mail) but that did not change the behavior. It still generated the second bcc.

I don't see this documented per se (am I missing something?), but can recipient_bcc_maps be overridden this way? If not, is there another way to avoid the second bcc?

Thank you for any help, pointers and/or advice you can offer!!