Re: smtp_sasl_password_maps and more users with the same smtp host

2010-02-08 Thread Michele Carandente
Hi Wietse,
thanks for the reply.

I had a look at the link that you suggest me, but I didn't find the solution...
The problem is that in 'smtp_sasl_password_maps' I can setup an
authentication(username:password) for every smtp server.
But if I have more than one user with a gmail account, I need to have
the smtp authentication related to the proper user...

I hope my question is not confused...

Thanks

> See: http://www.postfix.org/SOHO_README.html, section on multiple
> ISP accounts.


Re: smtp_sasl_password_maps and more users with the same smtp host

2010-02-08 Thread Michele Carandente
Ok I found the solution:
smtp_sender_dependent_authentication = yes

Now I can match the sender and have the proper authentication...

Thanks a lot
Michele
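
A configuration sketch of the setup this message arrives at, added here as an example and not taken from the thread. The relay host name, accounts and passwords are constructed placeholders, and enforcing TLS towards the relay is an assumption of this example.

```conf
# /etc/postfix/main.cf  (outbound relay with one login per sender)

# Placeholder relay host; every user submits through the same provider.
relayhost = [smtp.provider.example]:587

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Look up credentials by envelope sender address first; without this
# setting only the relay host entry would ever be used.
smtp_sender_dependent_authentication = yes

# Allow plaintext mechanisms but never anonymous login.
smtp_sasl_security_options = noanonymous

# Assumption of this example: require TLS to the relay so the
# passwords above are never sent over an unencrypted session.
smtp_tls_security_level = encrypt


# /etc/postfix/sasl_passwd  (constructed accounts)

# Per-sender entries, keyed by envelope sender address.
alice@provider.example        alice@provider.example:alice-password
bob@provider.example          bob@provider.example:bob-password

# Fallback for senders without their own entry, keyed by the relay
# host exactly as it is written in relayhost.
[smtp.provider.example]:587   relay@provider.example:relay-password

# This file holds cleartext passwords: keep it owned by root with
# mode 0600, then build the table with
#     postmap /etc/postfix/sasl_passwd
```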


postfix 2.7 release date

2010-02-08 Thread Robert Schetterer
Hi Wietse, is there any
fixed release date for version 2.7 ?

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: postfix 2.7 release date

2010-02-08 Thread Patrick Ben Koetter
* Robert Schetterer :
> Hi Wietse, is there any
> fixed release date for version 2.7 ?

famous last words ... :)

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: postfix 2.7 release date

2010-02-08 Thread Dhiraj Chatpar
I think 2.7 is already released in the stable candidate.


Pablo Picasso
- "Computers are useless. They can only give you answers."

On Mon, Feb 8, 2010 at 15:46, Robert Schetterer wrote:

> Hi Wietse, is there any
> fixed release date for version 2.7 ?
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>


Re: Setup "SMTP authentication" and "encrypted connections (SSL)" in postfix

2010-02-08 Thread Michele Carandente
Guys may somebody confirm that with my option I can offer both "SMTP
authentication" and "encrypted connections (SSL)"?

I'm creating a simple GUI to configure an email in this mailserver and
I guess that with that options I don't need to add in the GUI the part
for "SMTP authentication" and "encrypted connections (SSL)"...
Right?

Thanks a lot


Re: postfix 2.7 release date

2010-02-08 Thread DUBOURG Kevin
No, the stable candidate is 2.6. 

On debian repository 2.5.5-1.1 ... Snif ... 

On Mon, 8 Feb 2010 15:49:16 +0530, Dhiraj Chatpar  wrote:  

I think 2.7 is already released in the stable candidate.

Pablo Picasso [1] - "Computers are useless. They can only give you
answers." 

 On Mon, Feb 8, 2010 at 15:46, Robert Schetterer  wrote:
 Hi Wietse, is there any
 fixed release date for version 2.7 ?

 --
 Best Regards

 MfG Robert Schetterer

 Germany/Munich/Bavaria

 

Links:
--
[1] http://www.brainyquote.com/quotes/authors/p/pablo_picasso.html
[2] mailto:rob...@schetterer.org


Re: postfix 2.7 release date

2010-02-08 Thread Robert Schetterer
Am 08.02.2010 11:19, schrieb Patrick Ben Koetter:
> * Robert Schetterer :
>> Hi Wietse, is there any
>> fixed release date for version 2.7 ?
> 
> famous last words ... :)
> 
expected to hear "when it's ready" *g

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: postfix 2.7 release date

2010-02-08 Thread Jerry
On Mon, 08 Feb 2010 11:23:45 +0100
DUBOURG Kevin  replied:

>No, the stable candidate is 2.6. 
>
>On debian repository 2.5.5-1.1 ... Snif ...

Wow, I was not aware the debian had actually progressed that far.

--  
Jerry
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

A bank is a place where they lend you an umbrella in fair weather and
ask for it back when it begins to rain.

Robert Frost



local and remote delivery permission

2010-02-08 Thread phasma
Hello,

how i can permit to some sasl users to send to local domain only and not to
external domains ?

Thanks


Re: postfix 2.7 release date

2010-02-08 Thread Wietse Venema
Robert Schetterer:
> Hi Wietse, is there any
> fixed release date for version 2.7 ?

There is a release candidate for testing. 

Wietse


Re: Setup "SMTP authentication" and "encrypted connections (SSL)" in postfix

2010-02-08 Thread /dev/rob0
On Mon, Feb 08, 2010 at 10:20:39AM +, Michele Carandente wrote:
> Guys may somebody confirm that with my option I can offer both 
> "SMTP authentication" and "encrypted connections (SSL)"?

Eero already gave you this link which covers the former:
http://www.postfix.org/SASL_README.html

This link covers the latter:
http://www.postfix.org/TLS_README.html

> I'm creating a simple GUI to configure an email in this mailserver 
> and I guess that with that options I don't need to add in the GUI 
> the part for "SMTP authentication" and "encrypted connections 
> (SSL)"... Right?

I do not understand this. A GUI for what purpose?
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Michele Carandente
Hi,
sorry if I write again, but I've found how to queue directly in HOLD.
Basically the option is:
smtpd_sender_restrictions = static:HOLD

But in this way all the emails will be queued, even the internal one...
There is a way to queue just the emails that will be relayed externally?
Googling a bit I found that should be something like:
smtpd_sender_restrictions = permit_auth_destination static:hold
but it's not working for me...

In my configuration I'm matching the internal addresses in
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf

Thanks
Michele


Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Wietse Venema
Michele Carandente:
> Hi,
> sorry if I write again, but I've found how to queue directly in HOLD.
> Basically the option is:
> smtpd_sender_restrictions = static:HOLD
> 
> But in this way all the emails will be queued, even the internal one...
> There is a way to queue just the emails that will be relayed externally?
> Googling a bit I found that should be something like:
> smtpd_sender_restrictions = permit_auth_destination static:hold
> but it's not working for me...

It works exactly as documented: permit the request when the RECIPIENT
is internal; otherwise, hold the message.

These, and other features, are painstakingly documented in, for
example, http://www.postfix.org/postconf.5.html

In particular, client features are documented under
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

Sender features are documented under
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

See also: http://www.postfix.org/SMTPD_ACCESS_README.html

Wietse


Re: Setup "SMTP authentication" and "encrypted connections (SSL)" in postfix

2010-02-08 Thread Michele Carandente
I'm making a GUI to configure in an easy way my mailserver.
Anyway I had a look at both links and I've made some changes:

I've added this line to configure the encrypted SMTP session(TLS)
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
#Enabling TLS in the SMTP server
smtpd_tls_security_level = may

So now in the GUI I'll give the opportunity to choose the SMTP
authentication (YES or NOT) and the result of that will change this
line:
smtpd_sasl_auth_enable = yes [or blank]

About the encrypted connection, I guess that with the option
'smtpd_tls_security_level = may' I don't need to change nothing in the
postfix configuration, so I don't need to add this feature in the GUI.

Do you agree?

Sorry for my questions, but I'm not a big expert of postfix and I'm
trying to understand a bit better his behaviour...

Thanks
Michele


Re: postfix 2.7 release date

2010-02-08 Thread Stan Hoeppner
DUBOURG Kevin put forth on 2/8/2010 4:23 AM:

> On debian repository 2.5.5-1.1 ... Snif ... 

You're looking in the Lenny/Stable repo.  Debian never adds new software revs
into Stable TTBOMK.  Lenny was released 14 Feb 09, one year ago.  If you want
Postfix 2.6.5 as a Deb package, you'll have to go to Squeeze, wait for Squeeze
to become Stable, wait for a backport, or go the RPM-DEB route.  If you want
newer than 2.6.5 you'll have to go the RPM-DEB route or install from source.

-- 
Stan




Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Michele Carandente
Hi Wietse,
I had a look at the links that you've suggested me.
If I've understood correctly, I don't have to use the
'smtpd_sender_restrictions' option, because I have to match the
receiver and, if it's in transport_maps =
proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, then means that
it's internal and don't need to be in queue.

So I guess I need to use the option 'smtpd_recipient_restrictions'
At the moment it is that option: smtpd_recipient_restrictions =
permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination

So now I think I've to modify it, so that I'll tell that if the
receiver is matching with an address of transport_maps (Internal
email), then nothing, otherwise put all the emails in HOLD.

This is the theory. But practically how the
smtpd_recipient_restrictions should look like?

Thanks
Michele


Re: postfix 2.7 release date

2010-02-08 Thread Stan Hoeppner
Jerry put forth on 2/8/2010 5:13 AM:

> Wow, I was not aware the debian had actually progressed that far.

Debian jumped from Postfix 2.3.8 on Etch to 2.5.5 when Lenny was flipped to
Stable.  Looong release cycles tend to produce these miracle "rev leaps" on
occasion.  On the flip side, more often, users have to wait 2 years for needed
functionality.  Depends on where an upstream rev is at when it enters Debian
Un-stable and how much progress the upstream makes after that point.  If Squeeze
is flipped to Stable within 6 months, the Postfix package will be 2.6.5, not far
at all behind upstream, considering Postfix 2.7 isn't finalized yet.

Many people have been pushing Debian towards more frequent releases.  The
problem is the gargantuan number of architectures Debian supports.  That equals
a ton of general and bug testing, as they release all archs simultaneously.  If
one has a problem and is lagging behind, all must wait for release.

Debian Stable has its problems, but overall, I've been more than happy with it
for the past 10 years.

-- Stan


Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Wietse Venema
Michele Carandente:
> Hi Wietse,
> I had a look at the links that you've suggested me.
> If I've understood correctly, I don't have to use the
> 'smtpd_sender_restrictions' option, because I have to match the
> receiver and, if it's in transport_maps =
> proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, then means that
> it's internal and don't need to be in queue.
> 
> So I guess I need to use the option 'smtpd_recipient_restrictions'
> At the moment it is that option: smtpd_recipient_restrictions =
> permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination
> 
> So now I think I've to modify it, so that I'll tell that if the
> receiver is matching with an address of transport_maps (Internal
> email), then nothing, otherwise put all the emails in HOLD.
> 
> This is the theory. But practically how the
> smtpd_recipient_restrictions should look like?

What problem are you trying to solve: hold mail only from
non-local clients? then use

smtpd_client_restrictions = permit_mynetworks static:hold

Something else? This would be a good time to describe what
you actually want, instead of what does "not work".

Wietse


Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Michele Carandente
Hi Wietse,
first of all thanks for your reply.

The problem is exactly what you said before: hold mail only from
non-local clients.
I tried as you said with smtpd_client_restrictions = permit_mynetworks
static:hold (actually was like that: smtpd_recipient_restrictions =
permit_mynetworks static:HOLD, permit_sasl_authenticated,
reject_unauth_destination) but it's putting everything in HOLD.

Basically my configuration is not a real standard one.
I've this mailserver that must queue all external email and, when I
want, relay them to different domains (depending of the sender).
To say to postfix which email is internal, instead of use
virtual_mailbox_domains, that will consider all the emails part of
that domain as internal, I'm using transport_maps =
proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, where is
pointing to a column of the mail_users database. That column will have
as value 'virtual', so postfix will know if the receiver is internal
or not.

I hope now my configuration is more understandable.

Thanks
Michele


admin GUI for Postfix (was: Re: Setup "SMTP authentication" ...)

2010-02-08 Thread /dev/rob0
On Mon, Feb 08, 2010 at 01:33:35PM +, Michele Carandente wrote:
> I'm making a GUI to configure in an easy way my mailserver.
snip
> Do you agree?
> 
> Sorry for my questions, but I'm not a big expert of postfix and
> I'm trying to understand a bit better his behaviour...

My thought is that to make a useful administrative GUI, you would
need to be a Postfix expert. And if you were, what advantage does
this GUI give you? Not much that I can see.

Typically the goal of a GUI is to put highly technical matters in the
hands of non-technical people. For email admin, I think that is a
terribly bad idea.

If someone qualified disagreed, and decided to work on making a GUI,
IMO the best possible model for it would be SWAT, the Samba Web
Administration Tool. In fact SWAT itself could probably be adapted
fairly easily.

SWAT is not a "point-and-drool" GUI. The administrator has to know
the subject, and the GUI does little to shield him/her from the
details. In fact, the best part of it is the integrated hyperlinking
to the HTML documentation.

Note, Postfix already boasts extensive HTML documentation. The hard
part is already done.

A GUI might have a handful of basic templates corresponding to
various typical roles that a mail server might need to fulfill.

But all that said, back to the question of why? Who is this going to 
benefit, how? Look at "postfixadmin". That's the kind of thing which 
can be put in the hands of a non-technical person, because it is not 
at all what the name implies. It's a Mysql frontend for management of 
IMAP user maps. You set up Postfix to work with it, then basically 
leave Postfix alone.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: admin GUI for Postfix (was: Re: Setup "SMTP authentication" ...)

2010-02-08 Thread Michele Carandente
Well, I'm making a kind of GUI because it must be implemented in
another product.

Anyway, coming back to my old question, I think I'm ok with SMTP authentication.

Now I've just to setup how to change the encryption (SSL or TLS) and
then I'm happy :p


Re: admin GUI for Postfix (was: Re: Setup "SMTP authentication" ...)

2010-02-08 Thread Victor Duchovni
On Mon, Feb 08, 2010 at 04:49:44PM +, Michele Carandente wrote:

> Well, I'm making a kind of GUI because it must be implemented in
> another product.
> 
> Anyway, coming back to my old question, I think I'm ok with SMTP 
> authentication.
> 
> Now I've just to setup how to change the encryption (SSL or TLS) and
> then I'm happy :p

It is not "SSL *or* TLS", it is "SSL/TLS", the two are the same, just
different revision levels of a single protocol:

SSL 2   - Obsolete Netscape SSL protocol
SSL 3   - Version 3.0 of the SSL protocol
TLS 1.0 - Version 3.1 of the SSL protocol an IETF standard
TLS 1.1 - Version 3.2 of the SSL protocol an IETF standard
TLS 1.2 - Version 3.3 of the SSL protocol an IETF standard

You can safely disable SSLv2. Now there is also a separate question
of how SSL/TLS is used, STARTTLS versus wrapper-mode. See a recent
post by Noel Jones in the list archive.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


postfix truncating "To:"-recipient list

2010-02-08 Thread Axel
Hello!

We are running postfix 2.3.8 on Debian etch with a pretty much standard
configuration (we didn't tweak any limit settings etc.)

If I send an email with 49 recipients all emails get delivered (so the 
envelope recipient list is complete) but the recipient list in the header
"To:" gets truncated. Interestingly at 960 characters, the next email 
recipient with address is 60 characters long. 

In a dump of the traffic on port 25 on the mailer everything looks ok (the list 
has CR/LF at the end of every recipient, so the SMTP line length should be 
ok). But if I look in the queue with postcat the To: list in the header is 
truncated. The recipients also see a truncated list in the MUA.

Does anyone have an idea what might be the cause of this or how to find the 
culprit?

Thanks very much for any ideas and help in advance.

Regards,

Axel

=== postcat ===
[...]

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; de; rv:1.9.1.7) 
Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: Dasdfg asdfasdf ,
 demo10 ,
 demo10 , Demo2 ,
 Demo2 ,
 Demo3 , Demo3 ,
 Demo4 ,
 Demo4 , demo5 ,
 demo5 ,
 dfgmgth ,
 dfgmgth ,
 hjfghjk ,
 hjfghjk ,
 jkdfgjjkdfgjnb ,
 jkdfgjjkdfgjnb ,
 jksdfkj ,
 jksdfkj ,
 jkshdkfbjksdfjkbnj ,
 jkshdkfbjksdfjkbnj ,
 knjsdfjkgbjksdfb ,
Subject: test

[...]
=== end postcat ===

=== tcpdump on port 25 ===
220 out.host NO UCE ESMTP MTA
EHLO our-client
250-out.client
250-PIPELINING
250-SIZE 2048
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: SIZE=143539
250 2.1.0 Ok
RCPT TO:
250 2.1.5 Ok

[complete list follows as rcpt to:]

RCPT TO:
250 2.1.5 Ok
DATA
354 End data with .
Message-ID: <4b7c.8030...@our.domain>
Date: Mon, 08 Feb 2010 15:45:16 +0100
From: Data 
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; de; rv:1.9.1.7) 
Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: Dasdfg asdfasdf , 
 demo10 ,
 demo10 , 
 Demo2 , 
 Demo2 ,
 Demo3 , 
 Demo3 , 
 Demo4 ,
 Demo4 , 
 demo5 , 
 demo5 ,
 dfgmgth , 
 dfgmgth ,
 hjfghjk , 
 hjfghjk ,
 jkdfgjjkdfgjnb , 
 jkdfgjjkdfgjnb ,
 jksdfkj , 
 jksdfkj ,
 jkshdkfbjksdfjkbnj , 
 jkshdkfbjksdfjkbnj ,
 knjsdfjkgbjksdfb , 
 knjsdfjkgbjksdfb ,
 lkdfjgljdfgn , 
 lkdfjgljdfgn ,
 lkdflkgjkdfkgl , 
 lkdflkgjkdfkgl ,
 lkdjfgkkjdfg , 
 lkdjfgkkjdfg ,
 lkjlkjhksldfb , 
 lkjlkjhksldfb ,
 Demo Mustermann 1 , 
 Demo Mustermann 1 ,
 sdfghmhzj , 
 sdfghmhzj ,
 sdfgsdfg , 
 sdfgsdfg ,
 sdfgsdfg , 
 sdfgsdfg ,
 sgmhfgjm , 
 sgmhfgjm ,
 sijgfdlkjsdfgjbjsdfgb , 
 sijgfdlkjsdfgjbjsdfgb ,
 skdjfkjlsdjkbh , 
 skdjfkjlsdjkbh ,
 tzjtzjasdfgasdfasdf , 
 tzjtzjasdfgasdfasdf ,
 zuuiousdfg , 
 zuuiousdfg 
Subject: test

[...]
=== end tcpdump ===


Re: admin GUI for Postfix (was: Re: Setup "SMTP authentication" ...)

2010-02-08 Thread Victor Duchovni
On Mon, Feb 08, 2010 at 05:22:41PM +, Michele Carandente wrote:

> smtp_tls_cert_file = /etc/postfix/smtpd.cert
> smtp_tls_key_file = /etc/postfix/smtpd.key

Set these empty, you don't need them.

> smtp_use_tls = yes

Obsolete, set:

smtp_tls_security_level = may

> smtp_tls_scert_verifydepth = 9

Don't set this to the default, just leave it out, unless you want
a smaller value for some reason.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
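
The corrections above, together with the earlier advice in this thread to disable SSLv2, written out against the posted settings; this is an added example, not part of Viktor's message. The `smtpd_tls_auth_only` change and the choice of the `*_tls_protocols` parameters are this example's own additions, and the protocol parameters assume Postfix 2.6 or later.

```conf
# /etc/postfix/main.cf

# --- Outbound SMTP client (smtp_*), as posted -------------------------
# The server's certificate and key reused as a client certificate, the
# obsolete on/off TLS switch, and a verify depth restating the default.
#smtp_tls_cert_file = /etc/postfix/smtpd.cert
#smtp_tls_key_file = /etc/postfix/smtpd.key
#smtp_use_tls = yes
#smtp_tls_scert_verifydepth = 9

# --- Outbound SMTP client, after review -------------------------------
# No client certificate, opportunistic TLS through the security level,
# verify depth left at its built-in default.
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_security_level = may

# --- SSLv2 (example's choice of parameters, Postfix 2.6 or later) ------
# Exclude SSLv2 for opportunistic TLS in both directions.
smtp_tls_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2

# --- Inbound SMTP server (not raised in the review; added here) --------
# As posted, AUTH is announced on sessions that never issued STARTTLS,
# so a client can send its password over an unencrypted connection:
#smtpd_tls_auth_only = no
# Announce and accept AUTH only after STARTTLS. TLS itself stays
# optional for unauthenticated mail because the level remains "may".
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
```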


Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Wietse Venema
Michele Carandente:
> Hi Wietse,
> first of all thanks for your reply.
> 
> The problem is exactly what you said before: hold mail only from
> non-local clients.
> I tried as you said with smtpd_client_restrictions = permit_mynetworks
> static:hold (actually was like that: smtpd_recipient_restrictions =
> permit_mynetworks static:HOLD, permit_sasl_authenticated,
> reject_unauth_destination) but it's putting everything in HOLD.

If Postfix holds ALL mail, then you have other hold actions in
the configuration. Get rid of them.

With:

smtpd_client_restrictions = permit_mynetworks static:hold 

Postfix will HOLD mail from clients that do not match the mynetworks
setting.

Wietse


Re: How to setup postfix to put the queued emails in hold (and not in deferred)

2010-02-08 Thread Noel Jones

On 2/8/2010 9:23 AM, Michele Carandente wrote:

> Hi Wietse,
> first of all thanks for your reply.
>
> The problem is exactly what you said before: hold mail only from
> non-local clients.
> I tried as you said with smtpd_client_restrictions = permit_mynetworks
> static:hold (actually was like that: smtpd_recipient_restrictions =
> permit_mynetworks static:HOLD, permit_sasl_authenticated,
> reject_unauth_destination) but it's putting everything in HOLD.
>
> Basically my configuration is not a real standard one.
> I've this mailserver that must queue all external email and, when I
> want, relay them to different domains (depending of the sender).
> To say to postfix which email is internal, instead of use
> virtual_mailbox_domains, that will consider all the emails part of
> that domain as internal, I'm using transport_maps =
> proxy:mysql:/etc/postfix/mysql-virtual_transports.cf, where is
> pointing to a column of the mail_users database. That column will have
> as value 'virtual', so postfix will know if the receiver is internal
> or not.


The documented way to tell postfix to accept mail for a domain 
is to put the domain in one of {mydestination, relay_domains, 
virtual_alias_domains, virtual_mailbox_domains}.  See below 
for some documentation links.  I don't see transport_maps 
listed there.


When you don't use the documented interface, you're on your 
own.  While it may be possible to do what you ask with your 
current configuration, the standard tools and standard answers 
won't work.  Be aware future postfix upgrades may "break" your 
non-documented configuration.


Good luck.

http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/VIRTUAL_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html


  -- Noel Jones


Re: admin GUI for Postfix (was: Re: Setup "SMTP authentication" ...)

2010-02-08 Thread Michele Carandente
Thanks Victor for your answer.

Well in this case with my configuration I don't need to specify in the
GUI which kind of encryption...
I've tried with this configuration with gmail, hotmail, yahoo and
another private server that doesn't need the encryption and it's
always working with the same configuration:

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/smtpd.cert
smtp_tls_key_file = /etc/postfix/smtpd.key
smtp_use_tls = yes
smtp_tls_scert_verifydepth = 9
smtp_tls_loglevel = 1
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_security_options
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes

If somebody can see some errors in this configuration, please let me know...

Thanks
Michele


Re: postfix truncating "To:"-recipient list

2010-02-08 Thread Wietse Venema
Axel:
> Hello!
> 
> We are running postfix 2.3.8 on Debian etch with a pretty much standard
> configuration (we didn't tweak any limit settings etc.)
> 
> If I send an email with 49 recipients all emails get delivered (so the 
> envelope recipient list is complete) but the recipient list in the header
> "To:" gets truncated. Interestingly at 960 characters, the next email 
> recipient with address is 60 characters long. 

This does not reproduce. 

I take your example message and double the number of To: addresses
by appending the header to itself, and nothing is truncated when
I send the result from one Postfix over SMTP into another Postfix.

You did not show the entire message header in the postcat output,
but I suspect that you will see a content filter at 127.0.0.1.

Wietse


Re: postfix 2.7 release date

2010-02-08 Thread Stefan Foerster
* DUBOURG Kevin :
> No, the stable candidate is 2.6. 
> 
> On debian repository 2.5.5-1.1 ... Snif ... 

I've been maintaining backports for Debian/stable since the stress
dep. server personality patch was first published. Right now, my
personal repository at http://debian.incertum.net/ has 2.6.5 and
2.7-20100117 (I'll package 2.7.0rc2 ASAP) packages. I tried to include
a few bug fixes (packaging wise) that are not yet included, e.g.
improved handling of multi-instance setups.

Be aware that I'm not an official Debian Developer, though.


Stefan


Re: postfix 2.7 release date

2010-02-08 Thread Stefan Foerster
Hallo Wietse,

* Wietse Venema :
> Robert Schetterer:
> > Hi Wietse, is there any
> > fixed release date for version 2.7 ?
> 
> There is a release candidate for testing. 

The TLS caches won't get automatic cleanups in the initial 2.7
release(s)?


Stefan


Re: postfix 2.7 release date

2010-02-08 Thread Stefan Foerster
* Stefan Foerster :
> * Wietse Venema :
> > Robert Schetterer:
> > > Hi Wietse, is there any
> > > fixed release date for version 2.7 ?
> > 
> > There is a release candidate for testing. 
> 
> The TLS caches won't get automatic cleanups in the initial 2.7
> release(s)?

Oh, and where is postscreen(8)?


Stefan


Re: postfix 2.7 release date

2010-02-08 Thread Victor Duchovni
On Mon, Feb 08, 2010 at 10:03:07PM +0100, Stefan Foerster wrote:

> Hallo Wietse,
> 
> * Wietse Venema :
> > Robert Schetterer:
> > > Hi Wietse, is there any
> > > fixed release date for version 2.7 ?
> > 
> > There is a release candidate for testing. 
> 
> The TLS caches won't get automatic cleanups in the initial 2.7
> release(s)?

TLS caches have had automatic cleanup for some time...

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: postfix 2.7 release date

2010-02-08 Thread Wietse Venema
Stefan Foerster:
> Hallo Wietse,
> 
> * Wietse Venema :
> > Robert Schetterer:
> > > Hi Wietse, is there any
> > > fixed release date for version 2.7 ?
> > 
> > There is a release candidate for testing. 
> 
> The TLS caches won't get automatic cleanups in the initial 2.7
> release(s)?

TLS caches have always had automatic cache cleanup. 

In fact, the verify and postscreen daemons use a library module
that contains a generalized version of tlsmgr code.

When I have time left over I'll "port" the tlsmgr to use that same
library module. For now, if it ain't broken then don't change it.

Wietse


Re: postfix 2.7 release date

2010-02-08 Thread Victor Duchovni
On Mon, Feb 08, 2010 at 10:32:05PM +0100, Stefan Foerster wrote:

> > The TLS caches won't get automatic cleanups in the initial 2.7
> > release(s)?
> 
> Oh, and where is postscreen(8)?

In the 2.8 snapshot release.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.


Re: postfix 2.7 release date

2010-02-08 Thread Wietse Venema
Stefan Foerster:
> * Stefan Foerster :
> > * Wietse Venema :
> > > Robert Schetterer:
> > > > Hi Wietse, is there any
> > > > fixed release date for version 2.7 ?
> > > 
> > > There is a release candidate for testing. 
> > 
> > The TLS caches won't get automatic cleanups in the initial 2.7
> > release(s)?
> 
> Oh, and where is postscreen(8)?

The stable release is for code that can evolve without breaking
compatibility. Postscreen will reach that point after the 2.7
release.

Wietse


Re: postfix 2.7 release date

2010-02-08 Thread Stefan Foerster
* Wietse Venema :
> Stefan Foerster:
> > The TLS caches won't get automatic cleanups in the initial 2.7
> > release(s)?
> 
> TLS caches have always had automatic cache cleanup. 
> 
> In fact, the verify and postscreen daemons use a library module
> that contains a generalized version of tlsmgr code.

I confused those. Sorry.


Stefan


Re: I'm not able to smtp relay email to yahoo...

2010-02-08 Thread mouss
Ion-Mihai Tetcu a écrit :
> On Fri, 5 Feb 2010 18:44:48 -0500 (EST)
> Wietse Venema  wrote:
> 
>> Jerry:
>>> On Fri, 5 Feb 2010 18:03:59 +0200
>>> Ion-Mihai Tetcu  replied:
>>>
>>>> On Fri, 5 Feb 2010 15:59:24 +
>>>> Michele Carandente  wrote:
>>>>
>>>>> Hi to everybody.
>>>>> I'm not able to smtp relay emails to yahoo (smtp.mail.yahoo.it).
>>>>>
>>>>> I'm relaying emails to gmail and hotmail without problems... but
>>>>> with yahoo I've this error:
>>>>>
>>>>> relay=smtp.mail.yahoo.it[217.12.11.88]:465, delay=40,
>>>>> delays=19/0.28/20/0, dsn=4.4.2, status=deferred (lost connection
>>>>> with smtp.mail.yahoo.it[217.12.11.88] while receiving the
>>>>> initial server greeting)
>>>> [ .. ]
>>>>
>>>> I'm seeing this, but only with some yahoo servers, not with all.
>>> Why are you using port 465? I use 587 and do not experience any
>>> problems.
>> Confirmed. Postfix does not support the port 465 protocol. 
> 
> I believe that's an awful copy/paste, I pasted that from a multitail
> window that tails multiple files. I have nothing configured that would
> force 465 and greping the maillog doesn't show it either. Sorry.
> 
> I'm only seeing things of the type:
>   lost connection with f.mx.mail.yahoo.com[98.137.54.237] while
>   sending end of data -- message may be sent more than once
> All on port 25.
> 

Yahoo have a problem since some time now. It's not yet completely fixed.
There's nothing you can do on your side.


Re: local and remote delivery permission

2010-02-08 Thread mouss
phasma a écrit :
> Hello,
> 
> how i can permit to some sasl users to send to local domain only and not
> to external domains ? 
> 

there is no check_user_access. but you can use sasl to enforce
sender-login match, then use check_sender_access. if this is what you
want, read about restriction classes.
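
The approach outlined in this reply, written out as a configuration sketch; it is an added example, not text from the thread. The table names, the class name `local_only`, and all addresses and logins are constructed.

```conf
# /etc/postfix/main.cf

# 1. Bind each envelope sender address to the SASL login that owns it.
#    Without this, a restricted user could evade the sender-based rule
#    below simply by changing the MAIL FROM address.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# 2. A restriction class that accepts local recipient domains and
#    rejects everything else.
smtpd_restriction_classes = local_only
local_only =
    check_recipient_access hash:/etc/postfix/local_domains,
    reject

# 3. Enforce the sender/login match first, then send restricted
#    senders into the class before the general permit rules.
smtpd_recipient_restrictions =
    reject_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/restricted_senders,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination


# /etc/postfix/sender_login  (sender address -> owning SASL login)
alice@example.com     alice
bob@example.com       bob

# /etc/postfix/restricted_senders  (senders limited to local delivery)
bob@example.com       local_only

# /etc/postfix/local_domains  (recipient domains the class accepts)
example.com           OK

# Rebuild each table after editing, for example:
#     postmap /etc/postfix/restricted_senders
```

Here bob can authenticate and mail example.com recipients, while any attempt to send to another domain ends at the class's final `reject`; alice is not listed in restricted_senders and falls through to the normal rules.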


Re: [OT] suitable webmail

2010-02-08 Thread Stan Hoeppner
K bharathan put forth on 2/2/2010 10:49 AM:
> thanks for all
> 
> On Tue, Feb 2, 2010 at 6:05 PM, Carlos Williams wrote:
> 
>> On Tue, Feb 2, 2010 at 8:36 AM, Charles Marcus
>>  wrote:
>>> On 2010-02-01 7:17 PM, Stan Hoeppner wrote:
>>>> All of that said, I don't find I'm lacking any functionality with my
>>>> current version of Roundcube.
>>>
>>> Then you haven't looked at it... the new features are really nice...

I just installed 0.3.1 from Lenny backports, up from 0.2.2, and in brief testing
I don't really notice any significant new features.  I still don't see a "reply
to list" option, which would be nice.  What should I be looking for, and where?

Sorry to dredge up an old OT topic.  I'm cc'ing the roundcube list so we can
move this discussion over there.

-- 
Stan


Re: [OT] suitable webmail

2010-02-08 Thread Jose Ildefonso Camargo Tolosa
Hi!

Sorry for keeping the "off-topic"... but I had to answer

On Mon, Feb 1, 2010 at 4:35 PM, Stan Hoeppner  wrote:
> Kay put forth on 2/1/2010 11:49 AM:
>
>> In my job (hosting company) I see boxes exploited via roundcube all the
>> time.  Squirrelmail? Not one so far.  Part of the reason is that
>> squirrelmail comes with RHEL, so it's kept up to date automatically,
>> while customers install their own roundcube and then don't maintain it.
>

Me too, not just on DCs, even home (DSL dynamic) IPs, these are bots
scanning, and I have found A LOT of roundcube-targeted scans. I have
found lots of access attempts on *all* of the servers I have access
to: more than 10 of them, on different geographical locations.

> I think you're making some incorrect assumptions.  Squirrelmail has had a 
> pretty
> abysmal security track record of its own over the years.  One reason for that 
> is

True: really old ones.

> probably exactly what you're calling out Roundcube for here, which has nothing
> to do with the software, but the administration of the system.  That said, you
> appear to think the world runs on Red Hat, and if Red Hat doesn't have a
> Roundcube package, admins will install from source or an external RPM that
> doesn't get updated by Red Hat's uptodate or whatever it's called.  The world
> doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
> packages up to date.  For instance, I do security updates on my Debian servers
> once a week.  My Roundcube package is currently up to date, and it is a 
> standard
> Debian package:

I use Debian too.

>>  That said, it's not the only webmail client (or any other web app) that
>> gets the install&neglect treatment, it's just the one most frequently
>> exploited.
>
> Do you have any empirical data showing that Roundcube is exploited more often
> today than Squirrelmail?  Claims like this really need to be backed up.  Data
> for only your data center doesn't count, the sample size is way too small.  
> This
> is called "anecdotal" evidence, not empirical evidence.

Ok, you want a "sample": 100% of the servers I have access to, have,
at least once in the last year, been scanned by a bot (or person, who
knows) for /roundcoube or similars, and none of them included scans
for squirrelmail-related files.  My sample size: around 20 servers on
~4 different geographical locations.  One of the servers gets hits
constantly by scans looking for files like roundcube/something and
roundcube3/something (yes, 3, I don't know why, it should be 0.3), and
roundcoube0.2/something and so on. I have never ever used
roundcube, because I studied a little about it, and found that it was
still too young, I mean: it needs to grow as a project to get to a
point where major security issues gets uncommon.

The other case: my own PC, I have a "test" web server there, and it
have been hit by these *scans* a lot and it has a dynamic IP... I
recently decided to block the port 80 from outside, and only open it
when I need it to be accessed from outside (it just gets annoying).

Once again, sorry about off-topic, but this is an interesting discussion,

Sincerely,

Ildefonso Camargo