Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-07 Thread Stan Hoeppner
On 11/8/2011 1:29 AM, Marek Krolikowski wrote:
>> -Original Message- From: Stan Hoeppner
>> Sent: Tuesday, November 08, 2011 8:26 AM
>> To: postfix-users@postfix.org
>> Subject: Re: Symlink problem = file is a symbolic link or Mailbox
>> vulnerable - directory /var/spool/mail must have 1777 protection
> 
>> Simply mount the EMC device to a temporary mount point, which you have
>> done.  Stop all mail related daemons so nothing is accessing
>> /var/spool/mail.  Use 'cp -a' to copy all the mail files to the EMC
>> filesystem.  Verify the copy process.  Delete all the mail files and any
>> subdirectories from /var/spool/mail/ so the directory is empty and can
>> be used as a mount point.  Unmount the EMC filesystem and remount it at
>> /var/spool/mail/.  Verify directory permissions are correct.  Restart
>> mail daemons.  Done.
> 
> 
> Yes I know but this is how to move EVERYONE to EMC.
> I don't want move everyone to EMC I want move only half of all users.
> I know I can mount EMC to /var/spool/mail but this is not what I want.
> I want move user per user not everyone in 1 time.

Then you need to tell us what MDA you are currently using and what type
of mailbox storage.  The list welcome message directed you to paste the
output of "postconf -n".  That will tell us what MDA you use, if what
you want to do can be done, and how easy/difficult it may be to setup
such a thing.  If you're using Dovecot it is relatively painless, if not
time consuming.  If you are simply having Postfix local(8) delivery
directly to mbox mailboxes it will be more difficult to move user
mailboxes one by one.  I've never used procmail so I have no tips for
you in that case.

-- 
Stan


Re: understanding the logs

2011-11-07 Thread Stan Hoeppner
On 11/8/2011 1:13 AM, Geert Mak wrote:

> We had a user account hacked (weak password) and our SMTP server was used for 
> sending spam. We discovered it after our mail server IP began to show up in 
> RBLs. We improved the passwords, however the question is how best to watch 
> the server in case a similar thing happens again.

1.  Create and enforce a minimum password complexity policy, preferably
on your web based account creation page, something like:

http://www.webresourcesdepot.com/10-password-strength-meter-scripts-for-a-better-registration-interface/

2.  Install/configure http://www.policyd.org/
Create an outbound policy limiting users to 30 messages/hour, or one
message every 2 minutes.  This will mitigate the damage the next time an
account is hijacked.

Season to taste.

-- 
Stan


Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-07 Thread Marek Krolikowski
-Original Message-
From: Stan Hoeppner
Sent: Tuesday, November 08, 2011 8:26 AM
To: postfix-users@postfix.org
Subject: Re: Symlink problem = file is a symbolic link or Mailbox
vulnerable - directory /var/spool/mail must have 1777 protection

> Simply mount the EMC device to a temporary mount point, which you have
> done.  Stop all mail related daemons so nothing is accessing
> /var/spool/mail.  Use 'cp -a' to copy all the mail files to the EMC
> filesystem.  Verify the copy process.  Delete all the mail files and any
> subdirectories from /var/spool/mail/ so the directory is empty and can
> be used as a mount point.  Unmount the EMC filesystem and remount it at
> /var/spool/mail/.  Verify directory permissions are correct.  Restart
> mail daemons.  Done.

Yes I know but this is how to move EVERYONE to EMC.
I don't want move everyone to EMC I want move only half of all users.
I know I can mount EMC to /var/spool/mail but this is not what I want.
I want move user per user not everyone in 1 time.

Thanks


Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-07 Thread Stan Hoeppner
On 11/7/2011 11:13 PM, Marek Królikowski wrote:
> -Original Message- From: Wietse Venema
> Sent: Tuesday, November 08, 2011 2:27 AM
> To: Postfix users
> Subject: Re: Symlink problem = file is a symbolic link or Mailbox
> vulnerable - directory /var/spool/mail must have 1777 protection
>>> Marek Krolikowski:
>>> Hello Guys
>>> Yesterday I buy new EMC storage and I want move few ppl from old SATA
>>> HDD to new FC EMC HDD but I got problem and don't know how resolve
>>> this problem maybe You help me:
>>> 1. I mount new storage to /mnt/EMC
>>> 2. I create a /mnt/EMC/var/spool/mail/
>>> 3. I move user file (test) from /var/spool/mail/test to
>>> /mnt/EMC/var/spool/mail/test
>>> 4. I do symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test
>>> /var/spool/mail/test
>>>
> 
>> Unfortunately, symlinks to mailbox files are unsafe when the mail
>> directory is writable by users other than root, regardless of who
>> owns the symlink. You can thank the Linux, Solaris and IRIX people
>> for that. This security check will not be removed from Postfix.
> 
> Thanks for answer so the best way is chmod 755 /var/spool/mail and
> ignore log spam about directory /var/spool/mail must have 1777
> protection ???
> Sounds little stupid and crazy ;)

Simply mount the EMC device to a temporary mount point, which you have
done.  Stop all mail related daemons so nothing is accessing
/var/spool/mail.  Use 'cp -a' to copy all the mail files to the EMC
filesystem.  Verify the copy process.  Delete all the mail files and any
subdirectories from /var/spool/mail/ so the directory is empty and can
be used as a mount point.  Unmount the EMC filesystem and remount it at
/var/spool/mail/.  Verify directory permissions are correct.  Restart
mail daemons.  Done.

-- 
Stan


understanding the logs

2011-11-07 Thread Geert Mak
Hi,

We had a user account hacked (weak password) and our SMTP server was used for 
sending spam. We discovered it after our mail server IP began to show up in 
RBLs. We improved the passwords, however the question is how best to watch the 
server in case a similar thing happens again.

We created a small regex based log analyzer and received the following result 
(see below) -

The question is: is there somewhere a description what each entry means?

If not: which number shows the number of e-mails sent by the mail server? Or 
should we dig deeper into some of the entries or combine some or both? Our 
current idea is that if we watch this number for unusual increase, we will be 
able to discover abuse this way before we discover it by the means of RBL.

Geert 

RESULT:
---

LINES TOTAL: 4328247

LINES_LOGIN: 20353
LINES_LOGOUT: 0
LINES_AMAVIS: 0
LINES_CYRUS_CTL_CYRUSDB: 749
LINES_CYRUS_CYR_EXPIRE: 11397
LINES_CYRUS_IMAP: 6874
LINES_CYRUS_LMTPUNIX: 8711
LINES_CYRUS_MASTER: 2182
LINES_CYRUS_TLS_PRUNE: 4
LINES_DOVECOT: 960
LINES_IMAPPROXYD: 0
LINES_POSTFIX_ANVIL: 999
LINES_POSTFIX_BOUNCE: 193
LINES_POSTFIX_CLEANUP: 1446
LINES_POSTFIX_ERROR: 974
LINES_POSTFIX_LMTP: 902
LINES_POSTFIX_LOCAL: 221
LINES_POSTFIX_PICKUP: 443
LINES_POSTFIX_QMGR: 3096601
LINES_POSTFIX_VERIFY: 0
LINES_POSTFIX_POSTMAP: 0
LINES_POSTFIX_TLSMGR: 0
LINES_POSTFIX_MASTER: 0
LINES_POSTFIX_SCACHE: 261
LINES_POSTFIX_SMTP: 20346
LINES_POSTFIX_SMTPD: 1154379
LINES_SPAMD: 0
LINES_POSTFIX: 0
LINES_POSTFIX_POSTFIX_SCRIPT: 0
LINES_POSTFIX_TRIVIAL_REWRITE: 252

LINES NOT PROCESSED: 0
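
Added example, not part of the original post or of any poster's analyzer: raw per-daemon line counts do not say how many messages an account sent, because qmgr logs "queue active" again on every retry of a deferred message. The sketch below ties each queue ID to the authenticated sender from the smtpd line, counts every queue ID once, and flags accounts above the 30 messages/hour figure suggested in the reply in this thread. It assumes submissions authenticate with SASL and the stock Postfix syslog format; the function names and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

HOURLY_LIMIT = 30  # figure from the reply in this thread: 30 messages/hour per user

# smtpd logs the authenticated account next to the queue ID it handed out.
SMTPD_AUTH = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+\d{2}):\d{2}:\d{2}\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"(?P<qid>[0-9A-F]+):\s+client=\S+,.*\bsasl_username=(?P<user>[^,\s]+)"
)
# qmgr logs this line every time it (re)schedules a message, so it repeats on retries.
QMGR_ACTIVE = re.compile(
    r"postfix/qmgr\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+from=<[^>]*>,\s+size=\d+,"
    r"\s+nrcpt=(?P<nrcpt>\d+)"
)
QMGR_REMOVED = re.compile(r"postfix/qmgr\[\d+\]:\s+(?P<qid>[0-9A-F]+):\s+removed\s*$")


def count_by_account(lines):
    """Return (messages, recipients), both keyed by (hour bucket, sasl user)."""
    owner = {}       # queue ID -> (hour bucket, sasl user)
    counted = set()  # queue IDs already counted once
    messages = defaultdict(int)
    recipients = defaultdict(int)
    for line in lines:
        m = SMTPD_AUTH.match(line)
        if m:
            hour = " ".join(m["stamp"].split())  # "Nov  8 00" -> "Nov 8 00"
            owner[m["qid"]] = (hour, m["user"])
            continue
        m = QMGR_ACTIVE.search(line)
        if m:
            qid = m["qid"]
            if qid in owner and qid not in counted:
                counted.add(qid)
                messages[owner[qid]] += 1
                recipients[owner[qid]] += int(m["nrcpt"])
            continue
        m = QMGR_REMOVED.search(line)
        if m:  # queue IDs can be reused later, so forget finished ones
            owner.pop(m["qid"], None)
            counted.discard(m["qid"])
    return messages, recipients


def flag_abuse(lines, limit=HOURLY_LIMIT):
    """Return sorted (hour, user, messages, recipients) rows above the limit."""
    messages, recipients = count_by_account(lines)
    return sorted(
        (hour, user, n, recipients[(hour, user)])
        for (hour, user), n in messages.items()
        if n > limit
    )


def make_sample():
    """Constructed log lines: alice sends 2 messages (one retried 3 times), bob sends 40."""
    lines = []

    def submit(stamp, qid, user, nrcpt, retries=0):
        lines.append(
            f"{stamp} MAIL01 postfix/smtpd[2101]: {qid}: "
            f"client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username={user}"
        )
        for _ in range(retries + 1):
            lines.append(
                f"{stamp} MAIL01 postfix/qmgr[1800]: {qid}: "
                f"from=<{user}>, size=464, nrcpt={nrcpt} (queue active)"
            )

    submit("Nov  8 00:41:36", "3C1D9A0001", "alice@example.com", 1)
    submit("Nov  8 00:45:02", "3C1D9A0002", "alice@example.com", 1, retries=3)
    for i in range(40):
        submit(f"Nov  8 01:{i:02d}:10", f"{0xB0000000 + i:X}", "bob@example.com", 5)
    return lines


if __name__ == "__main__":
    for hour, user, n, rcpts in flag_abuse(make_sample()):
        print(f"{hour}h {user}: {n} messages, {rcpts} recipients (limit {HOURLY_LIMIT})")
```

Mail injected locally through pickup carries no sasl_username and is not counted here; watching the recipient total as well as the message total catches a single message addressed to many recipients.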






Distribute mail based on sending domain?

2011-11-07 Thread vr
We have Exchange 2010 with a few domains and have run across the need 
to split outgoing mail direct to the Internet and also to smart hosts 
depending on their @domain.tld. Exchange 2010 does not support this "by 
design" so if Postfix does, is this functionality a relay? Looking at 
the BASIC_CONFIGURATION_README doesn't quite look like a match to my 
untrained eyes so any clues or configuration pointers are greatly 
appreciated.


Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-07 Thread Marek Królikowski
-Original Message-
From: Wietse Venema
Sent: Tuesday, November 08, 2011 2:27 AM
To: Postfix users
Subject: Re: Symlink problem = file is a symbolic link or Mailbox
vulnerable - directory /var/spool/mail must have 1777 protection

>> Marek Krolikowski:
>> Hello Guys
>> Yesterday I buy new EMC storage and I want move few ppl from old SATA HDD
>> to new FC EMC HDD but I got problem and don't know how resolve this
>> problem maybe You help me:
>>
>> 1. I mount new storage to /mnt/EMC
>> 2. I create a /mnt/EMC/var/spool/mail/
>> 3. I move user file (test) from /var/spool/mail/test to
>> /mnt/EMC/var/spool/mail/test
>> 4. I do symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test
>> /var/spool/mail/test
>
> Unfortunately, symlinks to mailbox files are unsafe when the mail
> directory is writable by users other than root, regardless of who
> owns the symlink. You can thank the Linux, Solaris and IRIX people
> for that. This security check will not be removed from Postfix.

Thanks for answer so the best way is chmod 755 /var/spool/mail and ignore 
log spam about directory /var/spool/mail must have 1777 protection ???

Sounds little stupid and crazy ;)



Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-07 Thread Wietse Venema
Marek Królikowski:
> Hello Guys
> Yesterday I buy new EMC storage and I want move few ppl from old SATA HDD to 
> new FC EMC HDD but I got problem and don't know how resolve this problem 
> maybe You help me:
> 1. I mount new storage to /mnt/EMC
> 2. I create a /mnt/EMC/var/spool/mail/
> 3. I move user file (test) from /var/spool/mail/test to 
> /mnt/EMC/var/spool/mail/test
> 4. I do symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test 
> /var/spool/mail/test
> 

Unfortunately, symlinks to mailbox files are unsafe when the mail
directory is writable by users other than root, regardless of who
owns the symlink. You can thank the Linux, Solaris and IRIX people
for that. This security check will not be removed from Postfix.

Wietse
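
Added example, not Postfix code and not part of the original message: a spool audit that applies the rule stated above (a symlinked mailbox is refused unless only root can write to the mail directory) and reports whether the directory has the 1777 mode that ipop3d asks for in this thread, which shows why the two requirements collide for a symlinked mailbox. Function names are hypothetical, the directory tree is constructed in a temporary directory, and the checks are stat-based, so this is an audit and not a race-free open for a delivery agent.

```python
import os
import stat
import tempfile


def only_root_can_write(dir_uid, dir_mode):
    """True when the directory is root-owned and has no group/other write bit."""
    return dir_uid == 0 and not dir_mode & (stat.S_IWGRP | stat.S_IWOTH)


def check_mailbox(path):
    """Return 'ok' or the reason delivery to this mailbox should be refused."""
    entry = os.lstat(path)  # lstat: look at the link itself, not its target
    if stat.S_ISLNK(entry.st_mode):
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if not only_root_can_write(parent.st_uid, stat.S_IMODE(parent.st_mode)):
            # Anyone who can write to the directory can swap the link.
            return "file is a symbolic link"
        try:
            entry = os.stat(path)  # link is trusted: judge its target instead
        except FileNotFoundError:
            return "dangling symbolic link"
    if not stat.S_ISREG(entry.st_mode):
        return "file is not a regular file"
    if entry.st_nlink != 1:
        return "file has multiple hard links"
    return "ok"


def audit_spool(spool):
    """Report the spool directory mode and a verdict for every entry in it."""
    mode = stat.S_IMODE(os.stat(spool).st_mode)
    return {
        "mode": oct(mode),
        "pop_daemon_1777": mode == 0o1777,  # what the ipop3d warning asks for
        "mailboxes": {
            name: check_mailbox(os.path.join(spool, name))
            for name in sorted(os.listdir(spool))
        },
    }


def build_demo(root, spool_mode=0o1777):
    """Constructed layout mirroring the thread: 'test' is a symlink to the new storage."""
    spool = os.path.join(root, "var", "spool", "mail")
    emc = os.path.join(root, "mnt", "EMC", "var", "spool", "mail")
    os.makedirs(spool)
    os.makedirs(emc)
    for mbox in (os.path.join(spool, "alice"), os.path.join(emc, "test")):
        with open(mbox, "w") as handle:
            handle.write("From MAILER-DAEMON Tue Nov  8 00:00:00 2011\n\n")
    os.symlink(os.path.join(emc, "test"), os.path.join(spool, "test"))
    os.chmod(spool, spool_mode)
    return spool


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        report = audit_spool(build_demo(root))
        print(report["mode"], "1777 for POP daemon:", report["pop_daemon_1777"])
        for name, verdict in report["mailboxes"].items():
            print(f"  {name}: {verdict}")
```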


Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

2011-11-07 Thread Marek Królikowski
Hello Guys
Yesterday I buy new EMC storage and I want move few ppl from old SATA HDD to 
new FC EMC HDD but I got problem and don't know how resolve this problem maybe 
You help me:
1. I mount new storage to /mnt/EMC
2. I create a /mnt/EMC/var/spool/mail/
3. I move user file (test) from /var/spool/mail/test to 
/mnt/EMC/var/spool/mail/test
4. I do symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test 
/var/spool/mail/test

and now I got problem... when I try send anything to this user I got:
Nov  8 00:41:36 MAIL01 postfix/local[23980]: 0F7CA3193CAF: to=, 
relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=5.2.0, status=bounced 
(cannot update mailbox /var/spool/mail/test for user test. file is a symbolic 
link)
and he don't get email.

so I remove write permission for /var/spool/mail for other users like this:
chmod 755 /var/spool/mail
but now I got warnings in mail.log:
Nov  8 00:41:10 MAIL01 ipop3d[24089]: Mailbox vulnerable - directory 
/var/spool/mail must have 1777 protection


Any idea how resolve this problem?

Thanks


RE: dkim-milter verify, but don't sign.

2011-11-07 Thread Murray S. Kucherawy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Josef Karliak
> Sent: Monday, November 07, 2011 3:50 AM
> To: Robert Schetterer
> Cc: postfix-users@postfix.org
> Subject: Re: dkim-milter verify, but don't sign.
> 
> Hi,
> thanks for tips, I used "-i ilistfile containing list of
> internal (signing) hosts".
> It is signing now, but signature fails on the verifier :
> Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A SSL
> error:04077068:rsa routines:RSA_verify:bad signature Nov  7 12:40:54
> celer dkim-filter[4888]: 5CCC8C750A: bad signature data

Both dkim-filter (which is now obsolete, and 2.7.2 wasn't the most recent 
release anyway) and opendkim have tools to debug these problems, especially if 
you are both the signer and the verifier as you are in this case.

But this isn't a postfix problem.  I suggest upgrading to opendkim and then 
posting your question on the opendkim-users list.

-MSK


Re: Fw: sasldb or PAM

2011-11-07 Thread Patrick Ben Koetter
* gaby :
> I use TLS with PAM, but what is disadvantage PAM versus sasldb?
> Sasldb is more security?

sasldb must be read/write protected from other users, but remain readable to
the user postfix or one of the groups it is in e.g. group sasl.
sasldb must reside on the same machine as the Postfix instance that uses
sasldb.

With PAM you can access various backends. It depends on the backend you use.
If you use system accounts, I'd say sasldb is more secure, because it separates
mail accounts from system accounts. If the backend is a database on a
different host, it may be more secure.

It depends on your PAM backend.

p@rick




> 
> - Original Message - 
> From: Patrick Ben Koetter 
> To: postfix-users@postfix.org 
> Sent: Monday, November 07, 2011 11:06 AM
> Subject: Re: sasldb or PAM
> 
> 
> * gaby :
> >  I use PAM authentication method for send email via postfix with Cyrus Sasl.
> >  If use sasldb2 method instead PAM, it is more secure, or more Ok? Sasldb is
> >  more usable?
> 
> There are two sections you need to pay attention for:
> 
> 1. Transmission of identification data over the network
> 2. Storage of authentication data in a backend, where libsasl can access and
>verify the identification data.
> 
> The most secure method with regular clients is 1) to use PLAIN and LOGIN over
> a TLS secured transport layer and 2) store authentication data crypted. sasldb
> can do that and PAM can do that too.
> 
> Everything else means a tradeoff. If you use 1) CRAM-MD5 and NTLM you can send
> identification data over a transport layer that isn't TLS protected, but you
> will have to store passwords in plaintext, because the mechanisms CRAM-MD5 and
> NTLM require access to plaintext password for comparison.
> 
> p@rick
> 
> 
> -- 
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
> 
> saslfinger (debugging SMTP AUTH):
> 

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Fw: sasldb or PAM

2011-11-07 Thread gaby
I use TLS with PAM, but what is disadvantage PAM versus sasldb?
Sasldb is more security?

- Original Message - 
From: Patrick Ben Koetter 
To: postfix-users@postfix.org 
Sent: Monday, November 07, 2011 11:06 AM
Subject: Re: sasldb or PAM


* gaby :
>  I use PAM authentication method for send email via postfix with Cyrus Sasl.
>  If use sasldb2 method instead PAM, it is more secure, or more Ok? Sasldb is
>  more usable?

There are two sections you need to pay attention for:

1. Transmission of identification data over the network
2. Storage of authentication data in a backend, where libsasl can access and
   verify the identification data.

The most secure method with regular clients is 1) to use PLAIN and LOGIN over
a TLS secured transport layer and 2) store authentication data crypted. sasldb
can do that and PAM can do that too.

Everything else means a tradeoff. If you use 1) CRAM-MD5 and NTLM you can send
identification data over a transport layer that isn't TLS protected, but you
will have to store passwords in plaintext, because the mechanisms CRAM-MD5 and
NTLM require access to plaintext password for comparison.

p@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
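
Added example, not from the thread or from Cyrus SASL: both sides of a CRAM-MD5 exchange (RFC 2195) next to PLAIN verification against a salted hash, showing the tradeoff described above. The CRAM-MD5 server has to key an HMAC with the password itself, so a server that stores only a hash cannot verify the response, while PLAIN sends the password (hence the need for TLS) and lets the server keep only a hash. Function names are hypothetical and PBKDF2 stands in for whatever "crypted" storage the backend uses.

```python
import base64
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000


# --- PLAIN/LOGIN over TLS: the server stores only salt + derived hash ---

def store_hashed(password, salt=None):
    """Return the (salt, digest) record a backend would keep for PLAIN."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_plain(sent_password, record):
    """The client sent the password itself, so the server can re-derive the hash."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", sent_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- CRAM-MD5: nothing secret crosses the wire, but the server needs the password ---

def cram_challenge(hostname):
    """Server side: a fresh, unpredictable challenge in msg-id form."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()


def cram_client_response(user, password, challenge):
    """Client side: HMAC-MD5 over the challenge, keyed with the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def cram_server_verify(response_b64, challenge, lookup_secret):
    """Server side: recompute the HMAC with the stored secret for that user."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return False
    user, _, digest = decoded.rpartition(" ")
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo():
    """Run both mechanisms for one constructed account and return the outcomes."""
    user, password = "tim", "tanstaaftanstaaf"
    challenge = cram_challenge("mail.example.com")
    response = cram_client_response(user, password, challenge)

    plaintext_db = {user: password.encode()}   # what CRAM-MD5 forces the server to keep
    record = store_hashed(password)
    hashed_db = {user: record[1]}              # what a hash-only backend has

    return {
        "cram_with_plaintext_store": cram_server_verify(response, challenge, plaintext_db.get),
        "cram_with_hashed_store": cram_server_verify(response, challenge, hashed_db.get),
        "plain_with_hashed_store": verify_plain(password, record),
        "plain_wrong_password": verify_plain("guess", record),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```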


Re: Quota for mail

2011-11-07 Thread Leslie León Sinclair
Thanks again, and sorry the thread, I am stuck here. Almost near the 
solution.


Best regards.




> You should move this discussion over to the Dovecot mailing list.




--
/***
*Leslie León Sinclair
*Network Administrator
*Facultad de Ingenieria Electrica, CUJAE.
*Calle 114 #11901 e/ Ciclovía y Rotonda
*Marianao 19390, Ciudad de la Habana, Cuba
*Tel: (53 7) 266-3321
*Member of GUTL ->  
http://www.ecured.cu/index.php/Grupo_de_Usuarios_de_Tecnolog%C3%ADas_Libres_GUTL
*Another happy Slackware & Debian GNU/Linux user
*Proud GNU/Linux User #445535 ->  http://counter.li.org/
*Katana yanai, otoko nanda.
/




Take part in Universidad 2012, February 13 to 17, 2012.
Havana, Cuba: http://www.congresouniversidad.cu
Consult the Cuban collaborative encyclopedia. http://www.ecured.cu

Take part in the Second Congress on Built Environment and 
Sustainable Development (MACDES 2011), December 6 to 9, 2011, 
Hotel Nacional, Havana, Cuba: http://macdes.cujae.edu.cu


Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Frank Bonnet

On 11/07/2011 05:15 PM, Steve Jenkins wrote:
> 2011/11/7 Robert Schetterer:
>> post your problem dkim-milter list
>>
>> http://sourceforge.net/mail/?group_id=139420
>
> FYI - that list doesn't exist any more. dkim-milter has been
> deprecated in favor of OpenDKIM (http://opendkim.org/). It's an
> actively-supported milter project, and switching over from dkim-milter
> is painless. :)
>
> SteveJ

+1

opendkim works fine with Postfix




Re: Quota for mail

2011-11-07 Thread Duane Hill
On Monday, November 07, 2011 at 17:02:24 UTC, les...@electrica.cujae.edu.cu 
confabulated:

> The issue is that I have multiple quotas/domains, for my users. Some 
> users have 10MB, others have 100MB, and Admin/Root[postmaster, 
> webmaster, abuse, hostmaster] have 500MB and I need to fetch the quota,
> for the specific user with MySQL.

> Best regards.

Have you checked out this page:
  http://wiki1.dovecot.org/Quota/Dict

I used the one similar for v2.x and was able to set up per-user quotas
with MySQL.

You should move this discussion over to the Dovecot mailing list.

-- 
Duane Hill



Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Steve Jenkins
2011/11/7 Robert Schetterer :
> post your problem dkim-milter list
>
> http://sourceforge.net/mail/?group_id=139420

FYI - that list doesn't exist any more. dkim-milter has been
deprecated in favor of OpenDKIM (http://opendkim.org/). It's an
actively-supported milter project, and switching over from dkim-milter
is painless. :)

SteveJ


Re: Quota for mail

2011-11-07 Thread Reindl Harald


On 07.11.2011 18:02, Leslie León Sinclair wrote:
> The issue is that I have multiple quotas/domains, for my users. Some users 
> have 10MB, others have 100MB, and
> Admin/Root[postmaster, webmaster, abuse, hostmaster] have 500MB and I need to 
> fetch the quota, for the specific
> user with MySQL.

well, give http://www.dbmail.org/ a try
there you have a column for quota in the user-table since a long time





Re: Quota for mail

2011-11-07 Thread Leslie León Sinclair
The issue is that I have multiple quotas/domains, for my users. Some 
users have 10MB, others have 100MB, and Admin/Root[postmaster, 
webmaster, abuse, hostmaster] have 500MB and I need to fetch the quota, 
for the specific user with MySQL.


Best regards.



Re: Quota for mail

2011-11-07 Thread Leslie León Sinclair
The problem is the query for MySQL... I have quotas in a table in mysql, 
but there's a lot of parameters that I don't know when to use it.


For example:
1- The quota query in MySQL -> query = SELECT quota FROM mailbox WHERE 
username='%s'
2- The quota query in Dovecot -> user_query = SELECT home, uid, gid, 
concat('maildir:storage=', quota_kb) AS quota FROM users WHERE userid = '%u'


I am testing -> SELECT quota CONCAT('maildir:storage=', quota_kb) FROM 
mailbox WHERE username='%s', or alternative queries...


If works I will post the answer.

Thanks for the reply :D.



Re: Postfix on Virtual Guest Cannot send mail

2011-11-07 Thread Blair, Rick
Thanks. That was the clue I was needing. I had to explicitly set mynetworks on 
the guest OS.
Seemed to fix it.

Rick



On Nov 6, 2011, at 11:17 AM, Wietse Venema wrote:

> Blair, Rick:
>> [root@guestServer init.d]# telnet fileserver 25
>> Trying 192.168.1.31...
>> Connected to fileserver.
>> Escape character is '^]'.
>> 220 fileserver.test.org ESMTP Postfix
>> HELO guestServer
>> 250 fileserver.guest.org
> 
> You can make ONE SINGLE connection.
> 
>> I get the following when trying to send mail.
>> 
>> 
>> Nov  6 09:44:41 guestServer postfix/qmgr[14456]: DD94E63D92: 
>> from=, size=464, nrcpt=1 (queue active)
>> Nov  6 09:44:41 guestServer postfix/error[14507]: DD94E63D92: 
>> to=, orig_to=, relay=none, 
>> delay=553, delays=553/0.01/0/0.31, dsn=4.4.1, status=deferred (delivery 
>> temporarily suspended: connect to fileserver.test.org[192.168.1.31]:25: 
>> Connection timed out)
>> 
> 
> Postfix can't make MULTIPLE connections. The message "delivery
> temporarily suspended" means that not just one connection failed,
> but that a whole sequence of them failed.
> 
> You have to find out if there is a traffic shaper on the SMTP client,
> on the remote SMTP server, in the hypervisor, or in the host under
> the hypervisor.
> 
> Otherwise, you can only make one SMTP connection at a time.
> 
>   Wietse

--

Tìoraidh!

Rick Blair
Associate Technical Fellow
Boeing Research and Technology 
Network Systems Technology
Information Management Program
M/S:  42-50
Voice:  (206) 544-1610 
Cell: (206) 249-6877  --> NEW NUMBER





Re: Quota for mail

2011-11-07 Thread Robert Schetterer
On 07.11.2011 15:48, Duane Hill wrote:
> On Monday, November 07, 2011 at 15:41:38 UTC, les...@electrica.cujae.edu.cu 
> confabulated:
> 
>> Hi:
> 
>> I have a Postfix+MySQL+Dovecot+PostfixAdmin[Lenny server] setup, and 
>> works very nice. But I need to put quota in my webmail[RoundCube], and
>> after a long research in Internet, I see DoveAdm as a good option,the 
>> issue is...
> 
>> - It´s DoveAdm a command part of Dovecot, if so, where is it?
> 
>> - Or a script/package,if so, where can I download it? Because I don´t 
>> find the download link.
> 
>> - Another simple way to implement quota in mail. I´m still 
>> reading/searching several ways to do the same with ease.
> 
>> Thanks in advance & for your time.
>> Best regards.
> 
> I believe doveadm is a part of Dovecot 2.x.
> 

imap quota can be configured in sql
then configure dovecot imap/lmtp/lda to honor it
and use dovecot/postfix with lmtp/lda

no need for doveadm
look dovecot site for configure examples

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Quota for mail

2011-11-07 Thread Nikolaos Milas

On 7/11/2011 5:41 PM, Leslie León Sinclair wrote:

> But I need to put quota in my webmail


Hi,

Use postfix and dovecot, with lda or lmtp and setup quotas in dovecot.

See: http://www.dovecot.org/list/dovecot/2011-February/057630.html

Hope that helps,
Nick





Postfix stable release 2.8.7

2011-11-07 Thread Wietse Venema
 [An on-line version of this announcement will be available at
 http://www.postfix.org/announcements/postfix-2.8.7.html]

Postfix stable release 2.8.7 is available. This contains a workaround
for a problem that is fixed in Postfix 2.9.

* The postscreen daemon, which is not enabled by default, sent
  non-compliant SMTP responses (220- followed by 421) when it
  could not give a connection to a real smtpd process. These
  responses caused some remote SMTP clients to return mail as
  undeliverable.

  The workaround is to hang up after sending 220- without sending
  the 421 "sorry" reply; this is harmless.

  The complete fix involves too much change for a stable release:
  send the 220 greeting, wait for the EHLO command, then send
  the 421 "sorry" reply and hang up.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


Re: Quota for mail

2011-11-07 Thread Duane Hill
On Monday, November 07, 2011 at 15:41:38 UTC, les...@electrica.cujae.edu.cu 
confabulated:

> Hi:

> I have a Postfix+MySQL+Dovecot+PostfixAdmin[Lenny server] setup, and 
> works very nice. But I need to put quota in my webmail[RoundCube], and
> after a long research in Internet, I see DoveAdm as a good option,the 
> issue is...

> - It´s DoveAdm a command part of Dovecot, if so, where is it?

> - Or a script/package,if so, where can I download it? Because I don´t 
> find the download link.

> - Another simple way to implement quota in mail. I´m still 
> reading/searching several ways to do the same with ease.

> Thanks in advance & for your time.
> Best regards.

I believe doveadm is a part of Dovecot 2.x.

-- 
Duane Hill



Quota for mail

2011-11-07 Thread Leslie León Sinclair

Hi:

I have a Postfix+MySQL+Dovecot+PostfixAdmin[Lenny server] setup, and 
works very nice. But I need to put quota in my webmail[RoundCube], and 
after a long research in Internet, I see DoveAdm as a good option, the 
issue is...


- It's DoveAdm a command part of Dovecot, if so, where is it?

- Or a script/package, if so, where can I download it? Because I don't 
find the download link.


- Another simple way to implement quota in mail. I'm still 
reading/searching several ways to do the same with ease.


Thanks in advance & for your time.
Best regards.



Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Robert Schetterer
On 07.11.2011 12:50, Josef Karliak wrote:
>   Hi,
>   thanks for tips, I used "-i ilistfile containing list of
> internal (signing) hosts".
>   It is signing now, but signature fails on the verifier :
> Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A SSL
> error:04077068:rsa routines:RSA_verify:bad signature
> Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A: bad signature data
> 
>   In the message header :
> X-DKIM: Sendmail DKIM Filter v2.7.2 celer.ajetaci.cz 5CCC8C750A
> Authentication-Results: celer.ajetaci.cz; dkim=hardfail
> (verification failed) header.i=@fnhk.cz; dkim-adsp=fail
> 
>   Interesting is, that verifier in the way of this email accepted it
> signing domain fnhk.cz (I don't wanna overwite domain before post it
> here anymore :)  :
> X-DKIM: Sendmail DKIM Filter v2.7.2 antivir2.fnhk.cz 71EAF282B8
> Authentication-Results: antivir2.fnhk.cz; dkim=pass (1024-bit key)
> header.i=@fnhk.cz; dkim-adsp=pass
> 
>   Maybe error in the adding some headers by server antivir2.fnhk.cz ? :
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fnhk.cz; s=mail;
> t=1320665813; bh=FD+AeMxIothgfnBUmgiB3BMcpAHS75XIiHCbbzJzcPg=;
> h=Subject:From:To:Content-Type:Date:Message-ID:Mime-Version:
>  Content-Transfer-Encoding; b=CRNC8R1tz/4LDsr6SwSAErYvN7y7Zfa2EK6pf
> cwrtlfBBvYWRBCVr8n0doU2dAGdPVEq96q9Jf9cVf2o5deFLosOLxW/OnXuXhflWqzU
> jao6Pjw/JU5473lDWxr2tk7BzPco6N80LsjvmY3cN+4dChWhUxlnEaGVUm51PlgvU08
> =
> 
>   Thanks a lot
>   J.K.

sorry no time to check that further
keep safe that nothing does change the header, after
dkim milter does ( i.e some x antivirus mail was added too etc)

verifiers sometimes need long to give right answers, about failed and
reconfigured  dkim keys
cause they use dns caching, so try a new verifier,

post your problem dkim-milter list

http://sourceforge.net/mail/?group_id=139420

> 
> Quoting Robert Schetterer:
> 
>> On 07.11.2011 10:56, Josef Karliak wrote:
>>>   In the message header I've :
>>> X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
>>> Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
>>>  header.i=unknown; dkim-adsp=fail
>>>
>>>  And in the mail log:
>>> Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host
>>> [192.168.2.5] attempted to send as ajetaci.cz
>>>
>>>   I've a few similar dkim installations that works (but on older
>>> opensuses..).
>>>
>>>   Maybe some small stupid misconfig, but where. It is all simple :-/
>>>
>>>
>>>   thanks
>>>   J.K.
>>
>>
>> sorry i am short in time perhaps this helps
>>
>> man dkim-filter.conf
>>
>>  ExternalIgnoreList (string)
>>   Identifies a file of "external" hosts which may send mail
>> through the server as one of the signing domains without credentials as
>> such.  Basically suppresses the
>>   "external host (hostname) tried to send mail as (domain)"
>> log messages.  Entries in the file should be of the same form as those
>> of the  PeerList  option  below.
>>   The list is empty by default.
>>
>>>
>>> Quoting Robert Schetterer:
>>>
 On 07.11.2011 10:46, Robert Schetterer wrote:
> On 07.11.2011 10:39, Josef Karliak wrote:
>>   Good morning,
>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter
>> config I
>> defined my options:
>> DKIM_MODES="sv"
>> DKIM_DOMAIN="ajetaci.cz"
>> DKIM_SELECTOR="mail"
>> DKIM_CANON="simple"
>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>> DKIM_EXTRA_ARGS="-l -h -D"
>> DKIM_SIGNALG="rsa-sha256"
>>
>> and in the main.cf I've :
>> milter_protocol = 2
>> smtpd_milters = inet:localhost:8891
>> non_smtpd_milters = inet:localhost:8891
>> milter_default_action = accept
>>
>>   I tried this over unix socket too.
>>
>>   Where is an error ? Any kicks to the right way ? :-/
>>   Thanks and best regards
>>   J.K.
>>
>>
>
> perhaps this helps
>
> Mode (string)
>   Selects operating modes.  The string is a
> concatenation of
> characters which indicate which mode(s) of operation are desired. 
> Valid
> modes are s  (signer)  and  v
>   (verifier).  The default is sv except in test mode (see
> the dkim-filter(8) man page) in which case the default is v.
>
> so configure your
>
> DKIM_MODES="sv" as you want it

 ups sorry, guess that was not what you asked for

 what exactly does not work
 do you have any logs?


 -- 
 Best Regards

 MfG Robert Schetterer

 Germany/Munich/Bavaria

>>>
>>>
>>>
>>
>>
>> -- 
>> Best Regards
>>
>> MfG Robert Schetterer
>>
>> Germany/Munich/Bavaria
>>
> 
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: redirecting mail from a particular server

2011-11-07 Thread Timothy Smith
Thank you Robert,

I was able to follow your instructions and achieved what I want. I am
now rejecting with a message.

Sorry about the misleading subject.

Kind Regards,
Tim

On Mon, Nov 7, 2011 at 1:10 PM, Robert Schetterer wrote:
> On 07.11.2011 11:02, Timothy Smith wrote:
>> Hi Users,
>>
>> I am relaying mail for many IPs using postfix version 2.1.6. For some
>> particular IPs, I would like to just drop their email (rather than
>> turn off relaying for them). Is that possible?
>>
>> I appreciate your help.
>>
>> Tim
>
> rejecting ips is simple but
> you should never silent drop
> i.e
>
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/access,
> ...
>
> /etc/postfix/access
> bad.ip.add.re REJECT i dont like you
>
> but be aware, it won't work with this example
> if they already are in my networks or sasl authed before
> if so, do the reject at first second place, what you like
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>


Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Josef Karliak

  Hi,
  thanks for tips, I used "-i ilistfile containing list of  
internal (signing) hosts".

  It is signing now, but signature fails on the verifier :
Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A SSL error:04077068:rsa routines:RSA_verify:bad signature

Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A: bad signature data

  In the message header :
X-DKIM: Sendmail DKIM Filter v2.7.2 celer.ajetaci.cz 5CCC8C750A
Authentication-Results: celer.ajetaci.cz; dkim=hardfail
(verification failed) header.i=@fnhk.cz; dkim-adsp=fail

  Interesting is, that verifier in the way of this email accepted it
signing domain fnhk.cz (I don't wanna overwrite domain before post it
here anymore :)  :

X-DKIM: Sendmail DKIM Filter v2.7.2 antivir2.fnhk.cz 71EAF282B8
Authentication-Results: antivir2.fnhk.cz; dkim=pass (1024-bit key)
header.i=@fnhk.cz; dkim-adsp=pass

  Maybe error in the adding some headers by server antivir2.fnhk.cz ? :
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fnhk.cz; s=mail;
t=1320665813; bh=FD+AeMxIothgfnBUmgiB3BMcpAHS75XIiHCbbzJzcPg=;
h=Subject:From:To:Content-Type:Date:Message-ID:Mime-Version:
 Content-Transfer-Encoding; b=CRNC8R1tz/4LDsr6SwSAErYvN7y7Zfa2EK6pf
cwrtlfBBvYWRBCVr8n0doU2dAGdPVEq96q9Jf9cVf2o5deFLosOLxW/OnXuXhflWqzU
jao6Pjw/JU5473lDWxr2tk7BzPco6N80LsjvmY3cN+4dChWhUxlnEaGVUm51PlgvU08
=

  Thanks a lot
  J.K.

Quoting Robert Schetterer:


On 07.11.2011 10:56, Josef Karliak wrote:

  In the message header I've :
X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
 header.i=unknown; dkim-adsp=fail

 And in the mail log:
Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host
[192.168.2.5] attempted to send as ajetaci.cz

  I've a few similar dkim installations that works (but on older
opensuses..).

  Maybe some small stupid misconfig, but where. It is all simple :-/


  thanks
  J.K.



sorry i am short in time perhaps this helps

man dkim-filter.conf

 ExternalIgnoreList (string)
  Identifies a file of "external" hosts which may send mail
through the server as one of the signing domains without credentials as
such.  Basically suppresses the
  "external host (hostname) tried to send mail as (domain)"
log messages.  Entries in the file should be of the same form as those
of the  PeerList  option  below.
  The list is empty by default.



Quoting Robert Schetterer:


On 07.11.2011 10:46, Robert Schetterer wrote:

On 07.11.2011 10:39, Josef Karliak wrote:

  Good morning,
  I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
defined my options:
DKIM_MODES="sv"
DKIM_DOMAIN="ajetaci.cz"
DKIM_SELECTOR="mail"
DKIM_CANON="simple"
DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
DKIM_EXTRA_ARGS="-l -h -D"
DKIM_SIGNALG="rsa-sha256"

and in the main.cf I've :
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

  I tried this over unix socket too.

  Where is an error ? Any kicks to the right way ? :-/
  Thanks and best regards
  J.K.




perhaps this helps

Mode (string)
  Selects operating modes.  The string is a concatenation of
characters which indicate which mode(s) of operation are desired.  Valid
modes are s  (signer)  and  v
  (verifier).  The default is sv except in test mode (see
the dkim-filter(8) man page) in which case the default is v.

so configure your

DKIM_MODES="sv" as you want it


ups sorry, guess that was not what you asked for

what exactly does not work
do you have any logs?


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria








--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria





--
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and checks. If you have problems delivering email to me, start
using the email origin verification methods mentioned above. Thank you.



This message was sent using IMP, the Internet Messaging Program.
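
What the `c=relaxed/simple` signature posted above covers, as an added example (not part of the original message and not dkim-milter code): it parses the posted tags, checks which header fields are named in `h=`, and computes `bh=` values under simple body canonicalization. The message bodies are constructed and the `b=` value is elided.

```python
import base64
import hashlib

# DKIM-Signature tags as posted in the message above; the b= value is elided.
POSTED_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=fnhk.cz; s=mail;\n"
    " t=1320665813; bh=FD+AeMxIothgfnBUmgiB3BMcpAHS75XIiHCbbzJzcPg=;\n"
    " h=Subject:From:To:Content-Type:Date:Message-ID:Mime-Version:\n"
    "  Content-Transfer-Encoding; b=(elided)"
)

# Constructed bodies: the original, one with extra trailing blank lines,
# and one where a relay appended a footer.
ORIGINAL = b"Test message.\r\n"
TRAILING_BLANKS = ORIGINAL + b"\r\n\r\n"
FOOTER_ADDED = ORIGINAL + b"-- \r\nScanned by gateway\r\n"


def parse_tags(value):
    """Split a tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def signed_headers(tags):
    """Header field names the signer listed in h=, lower-cased."""
    return [name.lower() for name in tags["h"].split(":")]


def is_covered(header_name, tags):
    """True if changing this header field would affect the signature."""
    return header_name.lower() in signed_headers(tags)


def simple_body(body):
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body, the form carried in bh=."""
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()


def survey():
    tags = parse_tags(POSTED_SIGNATURE)
    candidates = ("Subject", "Received", "X-DKIM", "Authentication-Results")
    return {
        "canon": tags["c"],
        "covered": [h for h in candidates if is_covered(h, tags)],
        "trailing_blanks_same_bh": body_hash(TRAILING_BLANKS) == body_hash(ORIGINAL),
        "footer_same_bh": body_hash(FOOTER_ADDED) == body_hash(ORIGINAL),
    }


if __name__ == "__main__":
    print(survey())
```

Header fields that a relay adds and that are not named in `h=` leave the signature untouched; any change to the body other than trailing empty lines changes `bh=`.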





Re: redirecting mail from a particular server

2011-11-07 Thread Robert Schetterer
On 07.11.2011 11:10, Robert Schetterer wrote:
> On 07.11.2011 11:02, Timothy Smith wrote:
>> Hi Users,
>>
>> I am relaying mail for many IPs using postfix version 2.1.6. For some
>> particular IPs, I would like to just drop their email (rather than
>> turn off relaying for them). Is that possible?
>>
>> I appreciate your help.
>>
>> Tim
> 
> rejecting ips is simple but
> you should never silent drop
> i.e
> 
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/access,
> ...
> 
> /etc/postfix/access
> bad.ip.add.re REJECT i dont like you
> 
> but be aware, it won't work with this example
> if they already are in my networks or sasl authed before
> if so, do the reject at first second place, what you like
> 

i am not sure about your subject redirect cause this is not drop

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: redirecting mail from a particular server

2011-11-07 Thread Robert Schetterer
On 07.11.2011 11:02, Timothy Smith wrote:
> Hi Users,
> 
> I am relaying mail for many IPs using postfix version 2.1.6. For some
> particular IPs, I would like to just drop their email (rather than
> turn off relaying for them). Is that possible?
> 
> I appreciate your help.
> 
> Tim

rejecting ips is simple but
you should never silent drop
i.e

smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/access,
...

/etc/postfix/access
bad.ip.add.re REJECT i dont like you

but be aware, it won't work with this example
if they already are in my networks or sasl authed before
if so, do the reject at first second place, what you like

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
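
The ordering caveat in the reply above, as an added example (a model written for this page, not Postfix code): restrictions in a list are tried left to right and the first result other than DUNNO decides for that list. The addresses are constructed documentation ranges, and the access table is looked up by exact address only.

```python
import ipaddress

# Constructed values standing in for mynetworks and hash:/etc/postfix/access.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
ACCESS_MAP = {
    "192.0.2.66": "REJECT i dont like you",
    "203.0.113.9": "REJECT i dont like you",
}


def permit_mynetworks(client):
    addr = ipaddress.ip_address(client["ip"])
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(client):
    return "OK" if client.get("sasl_user") else "DUNNO"


def check_client_access(client):
    # Assumption of this model: exact-address lookup only.
    return ACCESS_MAP.get(client["ip"], "DUNNO")


def evaluate(restrictions, client):
    """Return (deciding restriction, result) for one restriction list."""
    for restriction in restrictions:
        result = restriction(client)
        if result != "DUNNO":
            return restriction.__name__, result
    return "end of list", "OK"  # nothing matched, so this list permits


# Order as posted in the reply, and the order with the reject moved first.
AS_POSTED = [permit_mynetworks, permit_sasl_authenticated, check_client_access]
REJECT_FIRST = [check_client_access, permit_mynetworks, permit_sasl_authenticated]


def compare(client):
    return {
        "as_posted": evaluate(AS_POSTED, client),
        "reject_first": evaluate(REJECT_FIRST, client),
    }


if __name__ == "__main__":
    for client in (
        {"ip": "192.0.2.66"},                       # listed, inside mynetworks
        {"ip": "203.0.113.9", "sasl_user": "tim"},  # listed, SASL authenticated
        {"ip": "198.51.100.7"},                     # not listed anywhere
    ):
        print(client, compare(client))
```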


redirecting mail from a particular server

2011-11-07 Thread Timothy Smith
Hi Users,

I am relaying mail for many IPs using postfix version 2.1.6. For some
particular IPs, I would like to just drop their email (rather than
turn off relaying for them). Is that possible?

I appreciate your help.

Tim


Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Robert Schetterer
On 07.11.2011 10:56, Josef Karliak wrote:
>   In the message header I've :
> X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
> Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
>  header.i=unknown; dkim-adsp=fail
> 
>  And in the mail log:
> Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host
> [192.168.2.5] attempted to send as ajetaci.cz
> 
>   I've a few similar dkim installations that works (but on older
> opensuses..).
> 
>   Maybe some small stupid misconfig, but where. It is all simple :-/
> 
> 
>   thanks
>   J.K.


sorry i am short in time perhaps this helps

man dkim-filter.conf

 ExternalIgnoreList (string)
  Identifies a file of "external" hosts which may send mail
through the server as one of the signing domains without credentials as
such.  Basically suppresses the
  "external host (hostname) tried to send mail as (domain)"
log messages.  Entries in the file should be of the same form as those
of the  PeerList  option  below.
  The list is empty by default.

> 
> Quoting Robert Schetterer:
> 
>> On 07.11.2011 10:46, Robert Schetterer wrote:
>>> On 07.11.2011 10:39, Josef Karliak wrote:
>>>>   Good morning,
>>>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>>>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>>>> defined my options:
>>>> DKIM_MODES="sv"
>>>> DKIM_DOMAIN="ajetaci.cz"
>>>> DKIM_SELECTOR="mail"
>>>> DKIM_CANON="simple"
>>>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>>>> DKIM_EXTRA_ARGS="-l -h -D"
>>>> DKIM_SIGNALG="rsa-sha256"
>>>>
>>>> and in the main.cf I've :
>>>> milter_protocol = 2
>>>> smtpd_milters = inet:localhost:8891
>>>> non_smtpd_milters = inet:localhost:8891
>>>> milter_default_action = accept
>>>>
>>>>   I tried this over unix socket too.
>>>>
>>>>   Where is an error ? Any kicks to the right way ? :-/
>>>>   Thanks and best regards
>>>>   J.K.
>>>>
>>>>
>>>
>>> perhaps this helps
>>>
>>> Mode (string)
>>>   Selects operating modes.  The string is a concatenation of
>>> characters which indicate which mode(s) of operation are desired.  Valid
>>> modes are s  (signer)  and  v
>>>   (verifier).  The default is sv except in test mode (see
>>> the dkim-filter(8) man page) in which case the default is v.
>>>
>>> so configure your
>>>
>>> DKIM_MODES="sv" as you want it
>>
>> ups sorry, guess that was not what you asked for
>>
>> what exactly does not work
>> do you have any logs?
>>
>>
>> -- 
>> Best Regards
>>
>> MfG Robert Schetterer
>>
>> Germany/Munich/Bavaria
>>
> 
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Josef Karliak

  In the message header I've :
X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
 header.i=unknown; dkim-adsp=fail

 And in the mail log:
Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host  
[192.168.2.5] attempted to send as ajetaci.cz


  I've a few similar dkim installations that works (but on older opensuses..).

  Maybe some small stupid misconfig, but where. It is all simple :-/


  thanks
  J.K.

Quoting Robert Schetterer:


On 07.11.2011 10:46, Robert Schetterer wrote:

On 07.11.2011 10:39, Josef Karliak wrote:

  Good morning,
  I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
defined my options:
DKIM_MODES="sv"
DKIM_DOMAIN="ajetaci.cz"
DKIM_SELECTOR="mail"
DKIM_CANON="simple"
DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
DKIM_EXTRA_ARGS="-l -h -D"
DKIM_SIGNALG="rsa-sha256"

and in the main.cf I've :
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

  I tried this over unix socket too.

  Where is an error ? Any kicks to the right way ? :-/
  Thanks and best regards
  J.K.




perhaps this helps

Mode (string)
  Selects operating modes.  The string is a concatenation of
characters which indicate which mode(s) of operation are desired.  Valid
modes are s  (signer)  and  v
  (verifier).  The default is sv except in test mode (see
the dkim-filter(8) man page) in which case the default is v.

so configure your

DKIM_MODES="sv" as you want it


ups sorry, guess that was not what you asked for

what exactly does not work
do you have any logs?


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria





--
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and checks. If you have problems delivering email to me, start
using the email origin verification methods mentioned above. Thank you.





Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Josef Karliak

  Hi,
  modes "sv" is configured - see my config below. That's crazy on
that. When I "ps -ef" :
/usr/bin/dkim-filter -p inet:8891@localhost -b sv -c simple -C  
bad=a,dns=t,no=a,sec=t -d ajetaci.cz -S rsa-sha256 -s mail -k  
/etc/mail/dkim/mail.private -l -h -D


  Thanks
  J.K.

Quoting Robert Schetterer:


On 07.11.2011 10:39, Josef Karliak wrote:

  Good morning,
  I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
defined my options:
DKIM_MODES="sv"
DKIM_DOMAIN="ajetaci.cz"
DKIM_SELECTOR="mail"
DKIM_CANON="simple"
DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
DKIM_EXTRA_ARGS="-l -h -D"
DKIM_SIGNALG="rsa-sha256"

and in the main.cf I've :
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

  I tried this over unix socket too.

  Where is an error ? Any kicks to the right way ? :-/
  Thanks and best regards
  J.K.




perhaps this helps

Mode (string)
  Selects operating modes.  The string is a concatenation of
characters which indicate which mode(s) of operation are desired.  Valid
modes are s  (signer)  and  v
  (verifier).  The default is sv except in test mode (see
the dkim-filter(8) man page) in which case the default is v.

so configure your

DKIM_MODES="sv" as you want it
--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria





--
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and checks. If you have problems delivering email to me, start
using the email origin verification methods mentioned above. Thank you.





Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Robert Schetterer
On 07.11.2011 10:46, Robert Schetterer wrote:
> On 07.11.2011 10:39, Josef Karliak wrote:
>>   Good morning,
>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>> defined my options:
>> DKIM_MODES="sv"
>> DKIM_DOMAIN="ajetaci.cz"
>> DKIM_SELECTOR="mail"
>> DKIM_CANON="simple"
>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>> DKIM_EXTRA_ARGS="-l -h -D"
>> DKIM_SIGNALG="rsa-sha256"
>>
>> and in the main.cf I've :
>> milter_protocol = 2
>> smtpd_milters = inet:localhost:8891
>> non_smtpd_milters = inet:localhost:8891
>> milter_default_action = accept
>>
>>   I tried this over unix socket too.
>>
>>   Where is an error ? Any kicks to the right way ? :-/
>>   Thanks and best regards
>>   J.K.
>>
>>
> 
> perhaps this helps
> 
> Mode (string)
>   Selects operating modes.  The string is a concatenation of
> characters which indicate which mode(s) of operation are desired.  Valid
> modes are s  (signer)  and  v
>   (verifier).  The default is sv except in test mode (see
> the dkim-filter(8) man page) in which case the default is v.
> 
> so configure your
> 
> DKIM_MODES="sv" as you want it

ups sorry, guess that was not what you asked for

what exactly does not work
do you have any logs?


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: dkim-milter verify, but don't sign.

2011-11-07 Thread Robert Schetterer
On 07.11.2011 10:39, Josef Karliak wrote:
>   Good morning,
>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
> defined my options:
> DKIM_MODES="sv"
> DKIM_DOMAIN="ajetaci.cz"
> DKIM_SELECTOR="mail"
> DKIM_CANON="simple"
> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
> DKIM_EXTRA_ARGS="-l -h -D"
> DKIM_SIGNALG="rsa-sha256"
> 
> and in the main.cf I've :
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = inet:localhost:8891
> milter_default_action = accept
> 
>   I tried this over unix socket too.
> 
>   Where is an error ? Any kicks to the right way ? :-/
>   Thanks and best regards
>   J.K.
> 
> 

perhaps this helps

Mode (string)
  Selects operating modes.  The string is a concatenation of
characters which indicate which mode(s) of operation are desired.  Valid
modes are s  (signer)  and  v
  (verifier).  The default is sv except in test mode (see
the dkim-filter(8) man page) in which case the default is v.

so configure your

DKIM_MODES="sv" as you want it
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


dkim-milter verify, but don't sign.

2011-11-07 Thread Josef Karliak

  Good morning,
  I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse  
11.4 64-bit, generated keys (named "mail"). In the dkim-milter config  
I defined my options:

DKIM_MODES="sv"
DKIM_DOMAIN="ajetaci.cz"
DKIM_SELECTOR="mail"
DKIM_CANON="simple"
DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
DKIM_EXTRA_ARGS="-l -h -D"
DKIM_SIGNALG="rsa-sha256"

and in the main.cf I've :
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

  I tried this over unix socket too.

  Where is an error ? Any kicks to the right way ? :-/
  Thanks and best regards
  J.K.


--
My domain uses SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)
policy and checks. If you have problems delivering email to me, start
using the email origin verification methods mentioned above. Thank you.





Re: sasldb or PAM

2011-11-07 Thread Patrick Ben Koetter
* gaby :
>  I use the PAM authentication method to send email via postfix with Cyrus SASL.
>  If I use the sasldb2 method instead of PAM, is it more secure, or more OK? Is
>  sasldb more usable?

There are two sections you need to pay attention to:

1. Transmission of identification data over the network
2. Storage of authentication data in a backend, where libsasl can access and
   verify the identification data.

The most secure method with regular clients is 1) to use PLAIN and LOGIN over
a TLS secured transport layer and 2) store authentication data crypted. sasldb
can do that and PAM can do that too.

Everything else means a tradeoff. If you use 1) CRAM-MD5 and NTLM you can send
identification data over a transport layer that isn't TLS protected, but you
will have to store passwords in plaintext, because the mechanisms CRAM-MD5 and
NTLM require access to plaintext password for comparison.

p@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
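
The storage tradeoff described in the reply above, as an added example (not from the original post and not Cyrus SASL code): a PLAIN password received over TLS can be checked against a salted hash, while a CRAM-MD5 response can only be checked by a server that holds the shared secret itself. The user name, password and challenge are constructed, and PBKDF2 is an assumed stand-in for whatever hashing the backend uses.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def make_hashed_record(password, salt=None):
    """What a backend can store when it never needs the password back."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_plain(received_password, record):
    """PLAIN/LOGIN: the server sees the password (protect it with TLS) and re-hashes it."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received_password.encode(), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, digest)


def cram_md5_response(username, secret, challenge):
    """Client side: base64 of 'username <hex HMAC-MD5(secret, challenge)>'."""
    mac = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, mac)).encode())


def verify_cram_md5(response_b64, challenge, stored_secret):
    """Server side: recompute the HMAC, which requires the same key the client used."""
    _user, _, mac = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo():
    password = "correct horse battery"                 # constructed
    challenge = b"<1896.697170952@mail.example.test>"  # constructed server challenge
    record = make_hashed_record(password)
    response = cram_md5_response("user", password.encode(), challenge)
    return {
        "plain_with_hash": verify_plain(password, record),
        "plain_wrong_password": verify_plain("guess", record),
        "cram_with_plaintext": verify_cram_md5(response, challenge, password.encode()),
        # A server holding only the salted hash cannot reproduce the client's HMAC.
        "cram_with_hash_only": verify_cram_md5(response, challenge, record[1]),
    }


if __name__ == "__main__":
    print(demo())
```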



sasldb or PAM

2011-11-07 Thread gaby
Hi
 I use the PAM authentication method to send email via postfix with Cyrus SASL.
  If I use the sasldb2 method instead of PAM, is it more secure, or more OK? Is
sasldb more usable?


Thanks