Re: Switching to 587 submission
>> Is it alright to send on port 25 from Squirrelmail when it's on the
>> same machine as postfix?
>
> OK, but not optimal. Better to leave on 465 to separate the traffic.
>
>> That way I can make 587 require TLS and
>> authentication but not require that local Squirrelmail encrypt or
>> authenticate.
>
> You can use SquirrelMail on 587. It doesn't work right now because
> of your smtpd_tls_security_level=encrypt. You could change your
> submission restrictions to something like
> -o smtpd_tls_security_level=may
> -o mynetworks=127.0.0.1
> -o smtpd_tls_auth_only=yes
> -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
> ... other stuff ...
>
> ie. allow localhost to submit mail plaintext with no auth; all
> others require STARTTLS and auth.

I've rearranged my config to the following. I don't think
reject_plaintext_session is necessary given the rest of the config. Is
there a situation I'm overlooking where it would come into play? Please
consider everything else default. Is this OK?

master.cf:

submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

main.cf:

smtpd_recipient_restrictions = reject_unauth_destination, permit
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

- Grant
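The master.cf/main.cf variants traded in this thread (Grant's last posted config, Noel's suggested submission service with reject_plaintext_session, and the earlier submission service with smtpd_tls_security_level=encrypt that answered SquirrelMail with a 530) can be replayed against a few constructed client sessions to see which restriction actually decides each case. The script below is an added example and is not code from any poster. It models only the rules the thread touches: first-match evaluation of smtpd_recipient_restrictions, smtpd_tls_auth_only, the mandatory-TLS 530, and the fact that smtpd refuses to start without reject_unauth_destination or an equivalent. mynetworks being loopback only, example.com as the single local domain, and the client addresses are assumptions.

```python
"""Added example, not code posted by anyone in this thread: a model of how
the Postfix SMTP server walks smtpd_recipient_restrictions for one RCPT TO,
with just enough of the TLS/SASL rules to replay the master.cf and main.cf
variants discussed here.  Restriction names and the 530/450/554 outcomes
are Postfix's own; the Session and Smtpd classes are this example's."""
from dataclasses import dataclass
import ipaddress

# smtpd refuses to start unless the recipient list holds one of these.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination",
                "reject", "defer", "defer_if_permit", "check_relay_domains"}

@dataclass(frozen=True)
class Session:
    client_ip: str
    starttls: bool      # client issued STARTTLS (only possible if offered)
    tries_auth: bool    # client will AUTH if EHLO advertises it
    rcpt_domain: str

@dataclass(frozen=True)
class Smtpd:
    """One smtpd service from master.cf after its -o overrides."""
    name: str
    mynetworks: tuple
    mydestination: tuple
    tls_security_level: str = "may"     # none | may | encrypt
    tls_auth_only: bool = True
    sasl_auth_enable: bool = False
    recipient_restrictions: tuple = ("reject_unauth_destination",)

def validate(cfg):
    if not RELAY_GUARDS & set(cfg.recipient_restrictions):
        raise ValueError(f"{cfg.name}: smtpd_recipient_restrictions needs "
                         "reject_unauth_destination or an equivalent")

def in_mynetworks(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def evaluate(cfg, s):
    """Return (decision, reason): 'permit', 'reject' (5xx) or 'defer' (4xx),
    and the restriction or check that decided it."""
    encrypted = s.starttls and cfg.tls_security_level != "none"
    # smtpd_tls_security_level=encrypt answers MAIL FROM on a plaintext session
    # with "530 5.7.0 Must issue a STARTTLS command first", before any list.
    if cfg.tls_security_level == "encrypt" and not encrypted:
        return ("reject", "530 Must issue a STARTTLS command first")
    # smtpd_tls_auth_only=yes: AUTH is neither advertised nor accepted on a
    # plaintext session, so such a client can never be "sasl authenticated".
    auth_offered = cfg.sasl_auth_enable and (encrypted or not cfg.tls_auth_only)
    authenticated = s.tries_auth and auth_offered
    local = s.rcpt_domain.lower() in {d.lower() for d in cfg.mydestination}
    # The first restriction yielding PERMIT, REJECT or DEFER wins; DUNNO continues.
    for r in cfg.recipient_restrictions:
        if r == "permit_mynetworks" and in_mynetworks(s.client_ip, cfg.mynetworks):
            return ("permit", r)
        if r == "permit_sasl_authenticated" and authenticated:
            return ("permit", r)
        if r == "reject_plaintext_session" and not encrypted:
            return ("defer", r)      # plaintext_reject_code defaults to 450
        if r == "reject_unauth_destination" and not local:
            return ("reject", r)     # 554 5.7.1 Relay access denied
        if r == "reject":
            return ("reject", r)
        if r == "permit":
            return ("permit", r)
    return ("permit", "end of list")  # an exhausted list means permit

# Assumptions: mynetworks is loopback only (the default mynetworks_style=subnet
# also adds the host's own subnet) and example.com is the only local domain.
LOCAL, DOMAINS = ("127.0.0.0/8",), ("example.com",)

# Grant's last posted config: port 25 inherits main.cf, submission overrides.
grant_25 = Smtpd("smtp", LOCAL, DOMAINS,
                 recipient_restrictions=("reject_unauth_destination", "permit"))
grant_587 = Smtpd("submission", LOCAL, DOMAINS, sasl_auth_enable=True,
                  recipient_restrictions=("permit_mynetworks", "permit_sasl_authenticated", "reject"))
# Noel's variant: -o mynetworks=127.0.0.1 and reject_plaintext_session.
noel_587 = Smtpd("submission", ("127.0.0.1/32",), DOMAINS, sasl_auth_enable=True,
                 recipient_restrictions=("permit_mynetworks", "reject_plaintext_session",
                                         "permit_sasl_authenticated", "reject"))
# The earlier submission service (smtpd_tls_security_level=encrypt) that gave
# SquirrelMail the 530; it inherited the main.cf restriction list.
early_587 = Smtpd("submission", LOCAL, DOMAINS, tls_security_level="encrypt", sasl_auth_enable=True,
                  recipient_restrictions=("permit_mynetworks", "permit_sasl_authenticated",
                                          "reject_unauth_destination", "permit"))

# Constructed sessions; the addresses are documentation ranges, not real clients.
squirrelmail = Session("127.0.0.1", starttls=False, tries_auth=False, rcpt_domain="gmail.example")
remote_plain = Session("203.0.113.9", starttls=False, tries_auth=True, rcpt_domain="gmail.example")
remote_tls = Session("203.0.113.9", starttls=True, tries_auth=True, rcpt_domain="gmail.example")
inbound = Session("198.51.100.4", starttls=False, tries_auth=False, rcpt_domain="example.com")

if __name__ == "__main__":
    for cfg in (grant_25, grant_587, noel_587, early_587):
        validate(cfg)
        for s in (squirrelmail, remote_plain, remote_tls, inbound):
            print(f"{cfg.name:<10} {s.client_ip:<13} tls={s.starttls!s:<5} "
                  f"to {s.rcpt_domain:<13} -> {evaluate(cfg, s)}")
```

Running it prints one line per service and session. The table makes two things visible that the prose only implies: a plaintext remote client on the submission port never reaches permit_sasl_authenticated because smtpd_tls_auth_only withholds AUTH, so it ends at reject (554) in Grant's list or at reject_plaintext_session (450, a temporary failure) in Noel's; and with main.cf reduced to reject_unauth_destination, permit, port 25 relays for nobody, not even localhost, so anything on this host that still submits to 25 must send only to local domains.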
Re: Switching to 587 submission
On 12/8/11 5:33 PM, Reindl Harald wrote: > >> Got it. I misunderstood you before. May I ask why using 465 for >> Thunderbird and Squirrelmail would be better than 587 for Thunderbird >> and 25 for Squirrelmail talking to localhost? > > there is no better > configure a server as YOU need > Well, there *is* better. 587 is an IANA officially assigned port number. 465 never was. The Internet runs on people following specifications correctly. -Philip
Re: Switching to 587 submission
On 12/8/11 4:29 PM, Grant wrote: >>> Is it alright to send on port 25 from Squirrelmail when it's on the >>> same machine as postfix? That way I can make 587 require TLS and >>> authentication but not require that local Squirrelmail encrypt or >>> authenticate. >> >> No, I'd do exactly what I said we do here: run 587 on the loopback interface >> only, and not require authentication. > > I think I can't do that because I also need to connect to 587 from > Thunderbird in remote locations. See Noel's message. -Philip
Re: Switching to 587 submission
On 12/08/2011 05:18 PM, Grant wrote: I've boiled my config down to this. It is functional and I think it is secure and that it rejects any attempt to send messages from outside mynetworks unless authenticated. Am I correct? Please consider all other directives to be default. You're fine. If you want to be better than fine, you can implement Noel's suggestion: it forces STARTTLS and auth only when the client is not localhost. Since SquirrelMail is localhost, it can send without STARTTLS/auth. The result is that all of your outgoing mail can arrive on 587, which is nice when you have a lot of different restrictions for incoming/outgoing mail.
Re: Switching to 587 submission
>> Got it. I misunderstood you before. May I ask why using 465 for
>> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
>> and 25 for Squirrelmail talking to localhost?
>
> I'm quite sure that he never said to use 465 for Thunderbird. The
> reason you don't want to use port 25 for submission is because it
> doesn't work ideally for submission. Port 25 generally needs to have
> much more strict anti-spam, anti-virus, etc measures on it than you
> would take with submission. This becomes very clear if you want to
> start using postscreen which can completely screw up submission when
> doing the post-greeting tests, or if you are greylisting. Certainly
> there are many other reasons as well.

I am using postscreen but it doesn't perform any checks on clients in
mynetworks. The Squirrelmail client submitting to port 25 is on the same
machine as postfix. Does postscreen only operate on port 25 by default or
do I need to configure that?

main.cf:

postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

- Grant
memcache client for Postfix
This week I implemented a memcache client for Postfix in the hope that it
would be useful to share postscreen(8) or verify(8) caches among multiple
MTAs. The implementation is based on libmemcache. This was not too much
work, given a few examples (libmemcache is under-documented). However,
robustness tests (with a single memcache server) proved disappointing.

* After failure to connect to the memcache server, libmemcache reports the
  error once. From then on it silently discards all updates and silently
  skips all lookups (returning "not found"), even when the memcache server
  comes back in the meantime. To avoid this, I destroy the memcache client
  and create a new one each time that libmemcache reports an error, so that
  it never gets to silently discard requests.

* Even more problematic is that libmemcache will terminate the process when
  the memcache server connection is lost (the libmemcache error message is:
  "read(2) failed: Socket is already connected"). Unfortunately, telling
  libmemcache not to terminate the process will result in an assertion
  failure followed by core dump.

Conclusion: if we want robust code, then Postfix should use its own
memcache protocol implementation, instead of libmemcache. But that is a
lot of work and I may not have that much time.

Considering the robustness problems with the memcache client I would not
bundle it with mainstream Postfix. However, there are patches floating
around that implement Postfix memcache support without doing anything
about the bugs that I described, especially the one where libmemcache
silently discards all updates and silently skips all lookups (returning
"not found") even when the memcache server has come back in the mean time.
For the people who use those patches, what I have is a lot better (or
less worse). Perhaps I'll make it available as a patch that sites can
apply by hand.

Wietse
Re: Switching to 587 submission
On 12/8/2011 6:11 PM, Grant wrote:
> Got it. I misunderstood you before. May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?

The good reason to not use port 25 for local user submissions is that it
allows you to separate traffic. While not critical, it's good practice
and likely to make your life easier in the long run.

As for 465 vs. 587, there's nothing preventing you from using both; many
people do. And I never said to move Thunderbird to 465 (although that's
OK too).

I still suggest leaving SquirrelMail on 465 since it works and there
aren't any good reasons to change; switch to 587 when you get a newer
version of SM. Continue to use Thunderbird on 587, or with a few changes
you can switch SquirrelMail also, but that's not really necessary.

And don't get too caught up in the 465/deprecated vs. 587 stuff. There
are no security implications, just standards. The reality is that most
sites with more than a handful of remote users enable both protocols.
Use whatever works best for your environment.

-- 
Noel Jones
Re: Switching to 587 submission
On 09/12/11 13:11, Grant wrote: > Got it. I misunderstood you before. May I ask why using 465 for > Thunderbird and Squirrelmail would be better than 587 for Thunderbird > and 25 for Squirrelmail talking to localhost? I'm quite sure that he never said to use 465 for Thunderbird. The reason you don't want to use port 25 for submission is because it doesn't work ideally for submission. Port 25 generally needs to have much more strict anti-spam, anti-virus, etc measures on it than you would take with submission. This becomes very clear if you want to start using postscreen which can completely screw up submission when doing the post-greeting tests, or if you are greylisting. Certainly there are many other reasons as well. Peter
Re: Switching to 587 submission
On 09.12.2011 01:11, Grant wrote:
>>> I think I can't do that because I also need to connect to 587 from
>>> Thunderbird in remote locations.
>>
>> You're making this way too complicated.
>>
>> Either continue to happily use 465 as you always have, or make the
>> changes to submission I suggested a few minutes ago. These changes
>> still allow thunderbird to securely submit from remote locations.
>>
>> Repeating myself:
>
> Got it. I misunderstood you before. May I ask why using 465 for
> Thunderbird and Squirrelmail would be better than 587 for Thunderbird
> and 25 for Squirrelmail talking to localhost?

there is no better
configure a server as YOU need
Re: Switching to 587 submission
>> I think I can't do that because I also need to connect to 587 from
>> Thunderbird in remote locations.
>
> You're making this way too complicated.
>
> Either continue to happily use 465 as you always have, or make the
> changes to submission I suggested a few minutes ago. These changes
> still allow thunderbird to securely submit from remote locations.
>
> Repeating myself:

Got it. I misunderstood you before. May I ask why using 465 for
Thunderbird and Squirrelmail would be better than 587 for Thunderbird
and 25 for Squirrelmail talking to localhost?

- Grant

>> You can use SquirrelMail on 587. It doesn't work right now because
>> of your smtpd_tls_security_level=encrypt. You could change your
>> submission restrictions to something like
>> -o smtpd_tls_security_level=may
>> -o mynetworks=127.0.0.1
>> -o smtpd_tls_auth_only=yes
>> -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
>> ... other stuff ...
>>
>> ie. allow localhost to submit mail plaintext with no auth; all
>> others require STARTTLS and auth.
Re: SMTP hangs when MySQL is down
* Wietse Venema [2011-12-09 01:01]:
>> And that is where I disagree. IMHO a mailsystem should respond with a
>> temporary error if it is experiencing a temporary error (like a lookup
>> table not being available) not simply hang there and do.. nothing.
>
> We know that. What are you going to do about it besides whining?

Well, at the moment I'm trying to convince you and the other people here
to perhaps consider changing the way this is handled today. Not very
successfully it seems so I'll stop "whining" as you put it and just live
with it the way it is.

Thanks for your answers.

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: SMTP hangs when MySQL is down
Sebastian Wiesinger:
> * lst_ho...@kwsoft.de [2011-12-08 14:46]:
>>> And I had hoped that perhaps this would be an improvement to postfix.
>>> Sadly it seems it was some kind of blasphemy to question the way
>>> postfix does handle this stuff.
>>
>> No, it means until now no one needs this so important to step up
>> with code/patches to improve it. If you really need a reliable
>> mailsystem you simply have to use reliable parts. If your mailsystem
>> respond with 4xx or simply hang in case it is not able to move any
>> mail is just a matter of taste.
>
> And that is where I disagree. IMHO a mailsystem should respond with a
> temporary error if it is experiencing a temporary error (like a lookup
> table not being available) not simply hang there and do.. nothing.

We know that. What are you going to do about it besides whining?

Wietse
Re: SMTP hangs when MySQL is down
* lst_ho...@kwsoft.de [2011-12-08 14:46]:
>> And I had hoped that perhaps this would be an improvement to postfix.
>> Sadly it seems it was some kind of blasphemy to question the way
>> postfix does handle this stuff.
>
> No, it means until now no one needs this so important to step up
> with code/patches to improve it. If you really need a reliable
> mailsystem you simply have to use reliable parts. If your mailsystem
> respond with 4xx or simply hang in case it is not able to move any
> mail is just a matter of taste.

And that is where I disagree. IMHO a mailsystem should respond with a
temporary error if it is experiencing a temporary error (like a lookup
table not being available) not simply hang there and do.. nothing.

>> But perhaps I'm only getting the wrong impression here.
>
> Yes
>
> Help is always welcome, simply demand how things could be better is useless.

I'm not demanding anything (at least I hope I'm not doing it) but I'm not
too happy with a simple "don't do it" and no explanation (but that's my
problem, isn't it?). When I try to understand why postfix behaves the way
it does I get no reply either. I hoped that on this ML someone would know
enough about the inner postfix workings to explain it to me. I'm still
waiting for the "use the source" shouts. No one even told me that they
think it is fine as it is now and that a 4xx error would be the wrong
thing. The only thing I've been told is "don't do it".

At the moment it seems pretty simple (on a high level) to me without
knowing any of the code: When the trivial-rewrite daemon fails (which
postfix can clearly detect, it states it in the logfile), return a 4xx
error. Would it be simple to implement? No idea, that's why I'm here on
this list to ask people who probably know the code. Am I demanding it to
be implemented? No! Would I be happy if it would be implemented? Yes!

I like postfix very much, I think it's a great program but I also like it
to get better, or at least what I think of being better.

Regards

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: Switching to 587 submission
On 12/8/2011 5:29 PM, Grant wrote:
> I think I can't do that because I also need to connect to 587 from
> Thunderbird in remote locations.

You're making this way too complicated.

Either continue to happily use 465 as you always have, or make the
changes to submission I suggested a few minutes ago. These changes
still allow thunderbird to securely submit from remote locations.

Repeating myself:

> You can use SquirrelMail on 587. It doesn't work right now because
> of your smtpd_tls_security_level=encrypt. You could change your
> submission restrictions to something like
> -o smtpd_tls_security_level=may
> -o mynetworks=127.0.0.1
> -o smtpd_tls_auth_only=yes
> -o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
> ... other stuff ...
>
> ie. allow localhost to submit mail plaintext with no auth; all
> others require STARTTLS and auth.

-- 
Noel Jones
Re: Switching to 587 submission
>>>>> 25 is used by your MTA to receive *incoming* messages from other
>>>>> administrative domains (organizations).
>>>>
>>>> Port 25 is never used to submit outbound messages? If not, I'm
>>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>>> way:
>>>>
>>>> This is the port to connect to for SMTP. Usually 25.
>>>
>>> It *was* used to submit outbound messages, but this has proven susceptible
>>> to open-relay exploits, etc.
>>>
>>> You're really better off using 587 exclusively.
>>
>> Is it alright to send on port 25 from Squirrelmail when it's on the
>> same machine as postfix? That way I can make 587 require TLS and
>> authentication but not require that local Squirrelmail encrypt or
>> authenticate.
>
> No, I'd do exactly what I said we do here: run 587 on the loopback interface
> only, and not require authentication.

I think I can't do that because I also need to connect to 587 from
Thunderbird in remote locations.

>> Also, should I have some sort of config that prevents the port 25
>> open-relay exploit you mentioned?
>>
>> - Grant
>
> You already have it in the form of the $relay_domains list.

OK, I just have the default:

#relay_domains = $mydestination

- Grant
Re: Switching to 587 submission
On 12/8/11 1:49 PM, Grant wrote:
>>>> 25 is used by your MTA to receive *incoming* messages from other
>>>> administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages? If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>> way:
>>>
>>> This is the port to connect to for SMTP. Usually 25.
>>
>> It *was* used to submit outbound messages, but this has proven susceptible
>> to open-relay exploits, etc.
>>
>> You're really better off using 587 exclusively.
>
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix? That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.

No, I'd do exactly what I said we do here: run 587 on the loopback
interface only, and not require authentication.

> Also, should I have some sort of config that prevents the port 25
> open-relay exploit you mentioned?
>
> - Grant

You already have it in the form of the $relay_domains list.

-Philip
Re: Switching to 587 submission
>> So I should specify smtpd_client_restrictions or
>> smtpd_recipient_restrictions, but not both?
>
> I think most people find it easier to put all of the restrictions under
> smtpd_recipient_restrictions, since you can just read them top-to-bottom
> with smtpd_delay_reject = yes (the default).
>
> But no, you probably wouldn't need it in both places unless you had some
> default restrictions you wanted to override in both places.

I've boiled my config down to this. It is functional and I think it is
secure and that it rejects any attempt to send messages from outside
mynetworks unless authenticated. Am I correct? Please consider all other
directives to be default.

master.cf:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

main.cf:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  permit

- Grant
Re: Switching to 587 submission
On 12/8/2011 2:49 PM, Grant wrote:
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix?

OK, but not optimal. Better to leave on 465 to separate the traffic.

> That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.

You can use SquirrelMail on 587. It doesn't work right now because
of your smtpd_tls_security_level=encrypt. You could change your
submission restrictions to something like

-o smtpd_tls_security_level=may
-o mynetworks=127.0.0.1
-o smtpd_tls_auth_only=yes
-o smtpd_recipient_restrictions=permit_mynetworks,reject_plaintext_session,permit_sasl_authenticated,reject
... other stuff ...

ie. allow localhost to submit mail plaintext with no auth; all
others require STARTTLS and auth.

-- 
Noel Jones
Re: Switching to 587 submission
On 08.12.2011 21:49, Grant wrote:
>>>> 25 is used by your MTA to receive *incoming* messages from other
>>>> administrative domains (organizations).
>>>
>>> Port 25 is never used to submit outbound messages? If not, I'm
>>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>>> way:
>>>
>>> This is the port to connect to for SMTP. Usually 25.
>>
>> It *was* used to submit outbound messages, but this has proven susceptible
>> to open-relay exploits, etc.
>>
>> You're really better off using 587 exclusively.
>
> Is it alright to send on port 25 from Squirrelmail when it's on the
> same machine as postfix? That way I can make 587 require TLS and
> authentication but not require that local Squirrelmail encrypt or
> authenticate.

jesus christ

it is YOUR decision as you maintain both parts

so if 127.0.0.1 is in mynetworks it can be used without restrictions
and if you decide to open "10030" on localhost for Squirrelmail do it

this is an example to allow only a spamfirewall with no restrictions
to submit messages on port 10026, usually you act the same way for amavis

10.0.0.15:10026 inet n - n - - smtpd
  -o mynetworks=10.0.0.20
  -o smtpd_client_connection_count_limit=75
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_header_body_checks,no_milters
  -o local_header_rewrite_clients=
  -o sender_dependent_relayhost_maps=
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_helo_required=no
  -o smtpd_sender_restrictions=
  -o smtpd_sender_login_maps=
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_peername_lookup=no
  -o smtpd_use_tls=no
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_reject_footer=
  -o max_idle=1h
  -o max_use=1000

> Also, should I have some sort of config that prevents the port 25
> open-relay exploit you mentioned?

reject any try to send messages from outside mynetworks to foreign domains
this is mandatory on any mailserver

smtpd_recipient_restrictions =
  permit_mynetworks
  reject_non_fqdn_recipient
  reject_non_fqdn_sender
  reject_unlisted_sender
  permit_sasl_authenticated
  reject_unauth_destination
  reject_unknown_sender_domain
  reject_unknown_recipient_domain
  reject_invalid_hostname
  reject_unknown_reverse_client_hostname
  reject_unauth_pipelining
Re: Stress Test Postfix
Quoting Peter Tselios:

> Hello,
>
> I have 2 postfix setup with openLDAP as back ends. I need to stress
> test my configuration. I tried with the smtp-source but I don't know if
> it is OK to test with 1 connection or more.
> How does postfix handle the connections with the smtp-source? Is it
> reliable? I mean, if I use 200 connections on the smtp-source, does
> that mean that I simulate 200 concurrent connections, from different
> users, on the postfix?

You should use as many connections as your hardware is able to handle
and only as many as your process limit for smtpd is set in master.cf.
With only one smtp-source process you only stress the filesystem to some
extent. Furthermore testing with smtp-source will not test your DNS (RBLs
etc.) and not your LDAP server performance. If you need more insight what
your mailserver is able to handle you might have a look at postal
(http://doc.coker.com.au/projects/postal/) or something similar.

Regards

Andreas
Re: Switching to 587 submission
>>> 25 is used by your MTA to receive *incoming* messages from other
>>> administrative domains (organizations).
>>
>> Port 25 is never used to submit outbound messages? If not, I'm
>> confused as to why Squirrelmail describes its "SMTP Port" setting this
>> way:
>>
>> This is the port to connect to for SMTP. Usually 25.
>
> It *was* used to submit outbound messages, but this has proven susceptible to
> open-relay exploits, etc.
>
> You're really better off using 587 exclusively.

Is it alright to send on port 25 from Squirrelmail when it's on the
same machine as postfix? That way I can make 587 require TLS and
authentication but not require that local Squirrelmail encrypt or
authenticate.

Also, should I have some sort of config that prevents the port 25
open-relay exploit you mentioned?

- Grant
RE: SMTP hangs when MySQL is down
> Hi,
>
> I'm using Postfix with MySQL via proxy:mysql maps. The documentation
> states that mails should get deferred if no mysql server is reachable.
>
> However when I shut down MySQL, SMTP transaction freeze after I enter
> the "MAIL FROM:<...>" statement.
>
> Any ideas how I can change that? There seems to be no timeout, I left
> the SMTP dialog open for a few minutes at least.

Sebastian,

Sorry for the delayed response, but I thought you might find this useful.
I used to love the flexibility of the mysql maps but I ran into similar
problems with performance and such. Though I'm a smaller shop now I've
gone away from mysql on the frontend. That's not to say I don't use it,
I just changed the methodology.

What I do instead is I export all of the records out into a file, one
for domains and the other for aliases, and I have a batch job that runs
every 1 minute and updates an internal site with these, then on the
frontend postfix servers I do a pull every one minute as well and get
the latest. The implementation is much better than what I presented
above, and it seems to solve all of those cases where mysql is offline
for maintenance, updates, whatever. We've also extended it to push
static updates (such as holds, rejects, mynetwork exclusions, etc).

I think if you look into something like that you'd be much happier with
the performance. Best thing is that when there is an update to the
database there is usually only a 60 second delay. Only thing I had to do
is setup an apache server (any web server will do) and a bash script
that uses basic bash commands.

If you are interested, I can email you some sample scripts of the
backend/frontend. The SQL is tweaked for our database format but that
should be simple enough to figure out.

Gary Smith
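The frontend half of the export-and-pull approach described above, written out as an added example rather than Gary's own scripts. The part worth getting right is the install step: a pull that fails half-way, or a backend that briefly serves an empty export, must not replace a good relay or virtual table with a bad one, because postfix would then reject every recipient in those domains until the next pull. The script validates the downloaded file, swaps it in with a same-directory rename, and only then rebuilds the .db. The URL, paths, the "key value" line layout and the use of curl are assumptions.

```sh
#!/bin/sh
# Added example, not Gary's scripts: the frontend half of a "pull the maps
# every minute" setup.  A freshly downloaded table is installed only after
# it passes sanity checks, so a failed or truncated pull can never replace a
# good relay/virtual table with an empty one and bounce mail for everyone.
# Paths, the URL and the one-entry-per-line "key value" layout are assumptions.
set -eu

# pull_map URL NEWFILE: fetch the exported table (curl is assumed).
pull_map() {
    curl -fsS --max-time 20 -o "$2" "$1"
}

# validate_map FILE MIN_ENTRIES
# Every non-blank, non-comment line must look like "key<ws>value" and the
# file must carry at least MIN_ENTRIES of them (tune MIN_ENTRIES to a
# fraction of the table's normal size).  Reports the reason on failure.
validate_map() {
    file=$1
    min=$2
    [ -s "$file" ] || { echo "refusing empty file $file" >&2; return 1; }
    total=$(grep -v -E '^[[:space:]]*(#|$)' "$file" | wc -l | tr -d ' ')
    entries=$(grep -v -E '^[[:space:]]*(#|$)' "$file" \
              | grep -c -E '^[^[:space:]]+[[:space:]]+[^[:space:]]+' || true)
    if [ "$entries" -ne "$total" ]; then
        echo "$((total - entries)) malformed line(s) in $file" >&2
        return 1
    fi
    if [ "$entries" -lt "$min" ]; then
        echo "only $entries entries in $file, expected at least $min" >&2
        return 1
    fi
}

# install_map NEWFILE DEST MIN_ENTRIES
# Validate NEWFILE, copy it next to DEST and rename over DEST (same
# directory, so the swap is atomic), then rebuild the .db when postmap is
# installed.  On any failure DEST is left exactly as it was.
install_map() {
    new=$1
    dest=$2
    min=$3
    validate_map "$new" "$min" || { rm -f "$new"; return 1; }
    tmp="$(dirname "$dest")/.$(basename "$dest").tmp.$$"
    cp "$new" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$dest"    # postfix reads DEST.db, not the text file
    fi
    rm -f "$new"
}

# Called from a per-minute cron job, for example:
#   pull_map https://maps.internal.example/relay_domains /etc/postfix/relay_domains.new \
#     && install_map /etc/postfix/relay_domains.new /etc/postfix/relay_domains 50
```

Because the main.cf reference stays `hash:/etc/postfix/relay_domains`, postfix never sees the intermediate state: smtpd processes keep using the old .db until postmap has finished writing the new one, and a rejected pull simply leaves last minute's table in place.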
Re: postfix skipping bad MXs ??
On 07/12/11 13:58, Noel Jones wrote:
> On 12/7/2011 6:03 AM, Leonardo Rodrigues wrote:
>> Anyway, i'm having hard times trying to figure out why, for some
>> messages, like the queueid i posted the full log, postfix is
>> apparently not even trying to deliver to the primary MX for some
>> large periods of time.
>
> Postfix does not include the QUEUEID on log entries of failed
> connections. If the connection to the primary fails, you won't see it
> grepping the log for the QUEUEID.
>
> To find all failed connections, grep the logs for the process id of
> the smtp delivery process that reported the deferred delivery.

Hi Noel,

It turns out that postfix was not even doing connection attempts,
because that specific domain was in postfix's temporary "dead" site
list, as pointed by Wietse.

http://www.postfix.org/TUNING_README.html#hammer

this 'temporary dead site list' was something i was looking for since
the beginning. I was imagining something like this was happening, but i
couldn't find the correct name and, thus, i couldn't find on my searches.

-- 
Sincerely,

Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAMTRAP, do not email it: gertru...@solutti.com.br
Re: Switching to 587 submission
On 12/08/2011 03:24 PM, Grant wrote:
> So I should specify smtpd_client_restrictions or
> smtpd_recipient_restrictions, but not both?

>> I think most people find it easier to put all of the restrictions under
>> smtpd_recipient_restrictions, since you can just read them top-to-bottom
>> with smtpd_delay_reject = yes (the default).
>>
>> But no, you probably wouldn't need it in both places unless you had some
>> default restrictions you wanted to override in both places.

> Squirrelmail and postfix are on the same machine. I've changed
> Squirrelmail to send to port 25 with no authentication and no TLS and it
> works! It must have been failing before because it was trying to
> authenticate?
>
> So this is working because Squirrelmail is part of $mynetworks
> (localhost) and there are no security implications or any need to
> enable authentication or TLS as long as Squirrelmail remains on the
> same machine as postfix? That's a nice way around the Squirrelmail
> STARTTLS problem.

It's a lot simpler with SquirrelMail on the same machine. Your localhost
should be in $mynetworks, so it can send on port 25 thanks to
permit_mynetworks. There's no need to encrypt anything, since the traffic
travels over the loopback interface.
Re: Switching to 587 submission
On Thursday 08 December 2011 14:24:00 Grant wrote: > Squirrelmail and postfix are on the same machine. I've changed > Squirrelmail to send to port 25 with no authentication and no TLS > and it works! It must have been failing before because it was > trying to authenticate? > > So this is working because Squirrelmail is part of $mynetworks > (localhost) and there are no security implications or any need to > enable authentication or TLS as long as Squirrelmail remains on the > same machine as postfix? That's a nice way around the Squirrelmail > STARTTLS problem. Reindl Harald asked about this last night, 01:16 UTC. What a wild goose/squirrel chase this was! (I'm sure there is a Boris Badenov / Natasha joke in there somewhere: "Ees kaput for goose and squirrel!") -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: Switching to 587 submission
On 12/8/11 1:06 PM, Grant wrote:
>> I don't think you're really getting the significance of port 587 vs. port 25.
>
> I think you're right.
>
>> 587 can be used encrypted or unencrypted, authenticated (preferably) or
>> not... you could for instance just limit 587 connections from a particular
>> subnet, etc.
>
> Why then won't Squirrelmail send mail on port 587 unencrypted with
> "Secure SMTP (TLS) : false"? I get:
>
> 530 5.7.0 Must issue a STARTTLS command first

Squirrelmail seems perfectly happy to send unencrypted email on 587...
but your smtpd instance doesn't like that.

We use 587 without TLS here, but only on the loopback interface:

127.0.0.1:submission inet n - n - - smtpd
  -o milter_macro_daemon_name=ORIGINATING

>> But the main difference is this:
>>
>> 587 is used by MUA's (i.e. clients) to submit *outbound* messages to your
>> MTA (relay).
>>
>> 25 is used by your MTA to receive *incoming* messages from other
>> administrative domains (organizations).
>
> Port 25 is never used to submit outbound messages? If not, I'm
> confused as to why Squirrelmail describes its "SMTP Port" setting this
> way:
>
> This is the port to connect to for SMTP. Usually 25.

It *was* used to submit outbound messages, but this has proven
susceptible to open-relay exploits, etc.

You're really better off using 587 exclusively.

-Philip

> - Grant
Re: Switching to 587 submission
>>> You don't really need the permit_sasl_authenticated, since you shouldn't
>>> be trying to auth on port 25. It doesn't hurt, though.
>>
>> I just noticed that I can't send mail from Thunderbird unless I
>> include permit_sasl_authenticated in the above
>> smtpd_recipient_restrictions block. I get relay access denied
>> otherwise.
>
> Oh, sorry. You have this in master.cf:
>
>> submission inet n - n - - smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> The -o smtpd_foo_restrictions here is supposed to override the restrictions
> in main.cf:
>
>> smtpd_recipient_restrictions =
>>   permit_sasl_authenticated,
>>   permit_mynetworks,
>>   reject_unauth_destination,
>>   permit
>
> So you should change 'client' to 'recipient' in master.cf before you remove
> the 'permit_sasl_authenticated' in main.cf.

So I should specify smtpd_client_restrictions or
smtpd_recipient_restrictions, but not both?

> At that point, SquirrelMail (or anything else) won't be able to send mail
> unless it authenticates on port 587, sends to one of your domains on port
> 25, or is in $mynetworks and sends on port 25.
>
> The path of least resistance is probably to add the SquirrelMail box to
> $mynetworks, and have it send to port 25. If someone can gain control of the
> SquirrelMail box, you're screwed mail-wise anyway, so I don't think you lose
> any security that way.

Squirrelmail and postfix are on the same machine. I've changed
Squirrelmail to send to port 25 with no authentication and no TLS and it
works! It must have been failing before because it was trying to
authenticate?

So this is working because Squirrelmail is part of $mynetworks
(localhost) and there are no security implications or any need to
enable authentication or TLS as long as Squirrelmail remains on the
same machine as postfix? That's a nice way around the Squirrelmail
STARTTLS problem.

- Grant

> The alternative that you had working was letting SquirrelMail auth in plain
> text on port 25, which is, should someone compromise the SquirrelMail box,
> not going to save you.
Re: Switching to 587 submission
On Thursday 08 December 2011 14:06:15 Grant wrote:
Philip:
> > 587 can be used encrypted or unencrypted, authenticated
> > (preferably) or not... you could for instance just limit 587
> > connections from a particular subnet, etc.
>
> Why then won't Squirrelmail send mail on port 587 unencrypted with
> "Secure SMTP (TLS) : false"? I get:
>
> 530 5.7.0 Must issue a STARTTLS command first

Sounds like you are requiring TLS for AUTH, a good idea.
http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options
http://www.postfix.org/TLS_README.html#server_tls_auth
http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

> > But the main difference is this:
> >
> > 587 is used by MUA's (i.e. clients) to submit *outbound* messages
> > to your MTA (relay).
> >
> > 25 is used by your MTA to receive *incoming* messages from other
> > administrative domains (organizations).
>
> Port 25 is never used to submit outbound messages? If not, I'm
> confused as to why Squirrelmail describes its "SMTP Port" setting
> this way:
>
> This is the port to connect to for SMTP. Usually 25.

Much of the world thinks this is so. They are wrong. We are not.

You should keep submission separate from mail exchange, and port 587
is the standard means for doing so.

BTW I think Noel had the ultimate answer to this thread: just stick
with your smtps on 465 until Squirrelmail catches up and implements
STARTTLS.
--
Offlist mail to this address is discarded unless "/dev/rob0" or
"not-spam" is in Subject: header
Re: Virtual Aliasing for any user
On 12/8/2011 2:13 PM, James Day wrote:
> Thanks Noel.
>
> I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back
> scatter. I don't have a valid recipient list for all these domains hence the
> request for a wild card type solution. I gather this function isn't built in
> so maybe, as you suggest, a script is the way to go.
>

Use recipient verification to reject unknown recipients.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

-- Noel Jones
Re: Virtual Aliasing for any user
Thanks Noel.

I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back
scatter. I don't have a valid recipient list for all these domains hence the
request for a wild card type solution. I gather this function isn't built in
so maybe, as you suggest, a script is the way to go.

***Sent via RoadSync® for Android™

-Original Message-
From: Noel Jones
Sent: Dec 08, 2011 7:56 PM
To: James Day, postfix-users@postfix.org
Subject: Re: Virtual Aliasing for any user

On 12/8/2011 6:45 AM, James Day wrote:
> Hello,
>
> First post to the list, I would really appreciate any help/advice.
>
> In my current setup I act as a Spam and Virus filter for several domains.
> Mail is then relayed to their local Exchange servers once it has been scanned.
>
> In the event that their Exchange server is down and they require emergency
> access to their emails I have configured virtual_alias_maps as below:
>
> user@domain user@domain,user@otherdomain
>
> This way the original mail is still cached in the queue for delivery to
> Exchange and a copy is sent to the same user at anotherdomain (an
> IMAP/Webmail server).
>

Yes, that's the correct procedure.

> My question is: Rather than setting up each user and their alias individually
> can I use a wildcard to accept for anyuser and forward to the same username
> on the other domain.

Using wildcards will cause postfix to accept mail for undeliverable
recipients, so that's not a good solution.

Use a script to generate the mappings you need. The size of the resulting
file is not a concern, hash maps can handle millions of entries efficiently.

-- Noel Jones
Re: smtpd_recipient_restrictions -- Best Practices
On 12/8/2011 1:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,

OK.

> permit_auth_destination,

Permits all mail handled by your server.

> reject_unauth_destination,

Rejects all mail not handled by your server. Nothing left after that...
None of the following rules are currently being used. Probably should
remove the permit_auth_destination.

> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,

This is too late for sasl auth. Move this to just after permit_mynetworks.

> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,

Since you've already rejected mail for domains not handled by your server,
the only possible unknown recipient domain is your own when your DNS hiccups.

> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,

reject_unknown_hostname is likely to reject legit mail. Use with caution.

> reject_rbl_client blackholes.easynet.nl,

dead rbl. It's important to review your RBLs every once in a while to make
sure they are still active and that their policies still seem reasonable to
you.

> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client cbl.abuseat.org,

repeated.

> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client list.dsbl.org,

dead.

> reject_rbl_client multihop.dsbl.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client sbl-xbl.spamhaus.org,

repeated. Use zen.spamhaus.org instead.

> permit
>

-- Noel Jones
Re: smtpd_recipient_restrictions -- Best Practices
Where did you find this list? There are major issues here.

On Thursday 08 December 2011 13:17:44 Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,

fine ...

> permit_auth_destination,

"If the destination is served by this host, accept the mail."

> reject_unauth_destination,

"If the destination is NOT hosted here, reject the mail."

Nothing goes past this point, ever.

> check_sender_access hash:/etc/postfix/access,

Bad practice to use a file name "access"; name it for the function it
serves and/or the type of lookup: "sender_access" makes sense.

Furthermore, sender address lookups are very ineffective against spam,
if that was the goal in having it here; and unsafe in whitelisting, if
that was the goal.

> permit_sasl_authenticated,

Needs to come before reject_unauth_destination, if it is to have any use.

> reject_unauth_pipelining,

Okay, except per above that this is never evaluated.

> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,

Even if these were evaluated, you'd never see such messages at this point.

> reject_unkown_helo_hostname,

Misspelled, and risky even if spelled right.

> reject_invalid_hostname,

Old syntax, but okay. reject_non_fqdn_helo_hostname might help more.

> reject_unknown_hostname,

This is the old syntax for the one you misspelled.

> reject_rbl_client blackholes.easynet.nl,

I'm not familiar with the policies of this list. Are you?

> reject_rbl_client bl.spamcop.net,

Spamcop recommends against being used for outright rejection; it WILL
block some non-spam sometime, because of their automated procedures.

Always ALWAYS know the policies of any third-party service you are
trusting to block mail for you.

> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client cbl.abuseat.org,

"It's déjà vu all over again"

> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client dul.dnsbl.sorbs.net,

These two are probably okay, but did you know that?

> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,

What does this do?

> reject_rbl_client list.dsbl.org,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,

"It's déjà vu all over again", and what's worse, DSBL shut down in 2008,
over three years ago! Were you following some old howto? That does not
work in email land. Spammers change frequently, as do the antispam tools
at our disposal.

> reject_rbl_client opm.blitzed.org,

I can't remember when this one closed. Before DSBL, I think.

> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client sbl-xbl.spamhaus.org,

SBL is included in SBL-XBL, and CBL (above) is included in the latter. In
addition, all of these are included in the newer (and recommended) Zen list.

> permit

The answer to your original question is that permit_auth_destination
prevents any other restrictions from being used.
--
Offlist mail to this address is discarded unless "/dev/rob0" or
"not-spam" is in Subject: header
Re: smtpd_recipient_restrictions -- Best Practices
On 12/8/2011 2:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,

This restriction at this location will IGNORE all RBL lookups when mail is
destined for your system. I suggest removing it as it is implied if
reject_unauth_destination fails to reject.

> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,

This placement of permit_sasl_authenticated will only skip checks below it.
Is this what you intend?

> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client cbl.abuseat.org,

Listing an RBL twice won't increase the chance of it being caught.

> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client list.dsbl.org,

Ditto on last comment, plus dsbl.org has been dead a while.

> reject_rbl_client multihop.dsbl.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client sbl-xbl.spamhaus.org,
> permit

Permit at the end is harmless as it is also implied if all others pass.

Suggest reviewing all RBLs. Some are dead, and some can be combined.
zen.spamhaus.org will include (sbl|xbl|pbl).spamhaus.org
xbl.spamhaus.org includes cbl.abuseat.org

Brian
Re: Switching to 587 submission
>>>> I don't see why local Squirrelmail won't send mail over 587, but remote
>>>> Thunderbird will. Squirrelmail also won't send mail over port 25, but it
>>>> will send mail over 465.
>>>
>>> Do you have a new-enough SquirrelMail? From the looks of it, the only
>>> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)
>>
>> OK, that must be why Squirrelmail can't send mail over 587. I'm on
>> the latest version in Portage. You spelled it out for me before but I
>> didn't pick up on it. Since 587 uses STARTTLS, I would have thought I
>> could connect unencrypted but apparently encryption is required there?
>>
>> Is Squirrelmail failing to send mail over port 25 because
>> authentication isn't allowed on port 25? If so, do I need a dedicated
>> port for unencrypted local Squirrelmail mail?
>
> I don't think you're really getting the significance of port 587 vs. port 25.

I think you're right.

> 587 can be used encrypted or unencrypted, authenticated (preferably) or
> not... you could for instance just limit 587 connections from a particular
> subnet, etc.

Why then won't Squirrelmail send mail on port 587 unencrypted with
"Secure SMTP (TLS) : false"? I get:

530 5.7.0 Must issue a STARTTLS command first

> But the main difference is this:
>
> 587 is used by MUA's (i.e. clients) to submit *outbound* messages to your MTA
> (relay).
>
> 25 is used by your MTA to receive *incoming* messages from other
> administrative domains (organizations).

Port 25 is never used to submit outbound messages? If not, I'm confused as
to why Squirrelmail describes its "SMTP Port" setting this way:

This is the port to connect to for SMTP. Usually 25.

- Grant
Re: Switching to 587 submission
On 12/8/2011 1:28 PM, Michael Orlitzky wrote:
> On 12/08/2011 02:21 PM, Gary Smith wrote:
>>
>> Wouldn't it be smarter to just tell SquirrelMail to use port 587 and
>> pass through authentication? This way if the server is compromised
>> or has another exploit there isn't a simple internal email server to
>> send all that spam from.
>>
>> This is exactly what we do for both horde and roundcube.
>>
>
> That was my first suggestion, but the stable version of SquirrelMail
> (and the one supplied by Gentoo) doesn't support STARTTLS.

I suggest staying on smtps/465 until SM stable supports STARTTLS. There's
nothing that says you need to stop using 465, and no security implications
to continuing to use it.

-- Noel Jones
Re: smtpd_recipient_restrictions -- Best Practices
On Thursday, December 08, 2011 at 19:17:44 UTC, pe...@berghold.net confabulated:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_auth_destination,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/access,
> permit_sasl_authenticated,
> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unkown_helo_hostname,
> reject_invalid_hostname,
> reject_unknown_hostname,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client cbl.abuseat.org,

No need to check cbl.abuseat.org twice? You can remove it as it is included
in zen.spamhaus.org which you have below.

> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,

dsbl.org has been dead since June of 2008.

> reject_rbl_client opm.blitzed.org,

opm.blitzed.org ended in May of 2006.

> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client sbl-xbl.spamhaus.org,

These both are included in zen.spamhaus.org.

> permit

--
There are 10 kinds of people in the world... Those who understand binary,
and those who don't.
Re: Virtual Aliasing for any user
On 12/8/2011 6:45 AM, James Day wrote:
> Hello,
>
> First post to the list, I would really appreciate any help/advice.
>
> In my current setup I act as a Spam and Virus filter for several domains.
> Mail is then relayed to their local Exchange servers once it has been scanned.
>
> In the event that their Exchange server is down and they require emergency
> access to their emails I have configured virtual_alias_maps as below:
>
> user@domain user@domain,user@otherdomain
>
> This way the original mail is still cached in the queue for delivery to
> Exchange and a copy is sent to the same user at anotherdomain (an
> IMAP/Webmail server).
>

Yes, that's the correct procedure.

> My question is: Rather than setting up each user and their alias individually
> can I use a wildcard to accept for anyuser and forward to the same username
> on the other domain.

Using wildcards will cause postfix to accept mail for undeliverable
recipients, so that's not a good solution.

Use a script to generate the mappings you need. The size of the resulting
file is not a concern, hash maps can handle millions of entries efficiently.

-- Noel Jones
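Noel's advice above is to generate explicit per-user mappings rather than use a wildcard, so that Postfix only accepts mail for recipients that exist. The script below is an added example of that, not code from the list or from Postfix. The recipient lists in VALID_RECIPIENTS, the EMERGENCY_DOMAIN table and the local-part pattern are constructed assumptions for the example; in practice the recipient list comes from the customers' directories (the same source a relay_recipient_maps table would be built from).

```python
"""Generate explicit virtual_alias_maps entries (added example, not Postfix
code): one 'user@domain  user@domain,user@otherdomain' line per known user,
as in the mapping James posted, instead of a wildcard for the whole domain.
"""
import re

# Constructed sample input: users that exist at each filtered domain, and the
# IMAP/webmail domain that should receive the emergency copy (assumptions).
VALID_RECIPIENTS = {
    "customer-a.example": ["alice", "Bob", "alice"],    # duplicate, mixed case
    "customer-b.example": ["carol", "bad user"],         # one malformed entry
}
EMERGENCY_DOMAIN = {
    "customer-a.example": "webmail-a.example",
    "customer-b.example": "webmail-b.example",
}

LOCALPART = re.compile(r"^[A-Za-z0-9._%+-]+$")   # conservative; an assumption


def alias_entries(valid, emergency):
    """Return (lines, rejected).  Each line is 'user@d<TAB>user@d,user@other':
    the first result keeps the normal delivery path, the second is the copy."""
    lines, rejected = [], []
    for domain, users in sorted(valid.items()):
        other, seen = emergency[domain], set()
        for user in users:
            user = user.strip().lower()        # postmap(1) case-folds keys by default
            if not LOCALPART.match(user):
                rejected.append(f"{user}@{domain}")
                continue
            if user in seen:                   # postmap warns on duplicate keys
                continue
            seen.add(user)
            lines.append(f"{user}@{domain}\t{user}@{domain},{user}@{other}")
    return lines, rejected


def write_map(path, lines):
    """Write the table; compile it afterwards with: postmap hash:<path>"""
    with open(path, "w") as fh:
        fh.write("# generated from the recipient lists; do not edit by hand\n")
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    entries, bad = alias_entries(VALID_RECIPIENTS, EMERGENCY_DOMAIN)
    print("\n".join(entries))
    for addr in bad:
        print("skipped malformed recipient:", addr)
```

Malformed or duplicate entries are reported rather than silently written, because a bad line in a hash: table is easy to miss once postmap has compiled it. Regenerate and re-run postmap whenever the customers' recipient lists change; an entry that is missing here is a recipient Postfix will reject, which is the behaviour Noel is after.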
Re: Switching to 587 submission
On 12/8/11 8:46 AM, Grant wrote:
>>> I don't see why local Squirrelmail won't send mail over 587,
>>> but remote Thunderbird will. Squirrelmail also won't send mail over
>>> port 25, but it will send mail over 465.
>>
>> Do you have a new-enough SquirrelMail? From the looks of it, the only
>> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)
>
> OK, that must be why Squirrelmail can't send mail over 587. I'm on
> the latest version in Portage. You spelled it out for me before but I
> didn't pick up on it. Since 587 uses STARTTLS, I would have thought I
> could connect unencrypted but apparently encryption is required there?
>
> Is Squirrelmail failing to send mail over port 25 because
> authentication isn't allowed on port 25? If so, do I need a dedicated
> port for unencrypted local Squirrelmail mail?

I don't think you're really getting the significance of port 587 vs. port 25.

587 can be used encrypted or unencrypted, authenticated (preferably) or
not... you could for instance just limit 587 connections from a particular
subnet, etc.

But the main difference is this:

587 is used by MUA's (i.e. clients) to submit *outbound* messages to your
MTA (relay).

25 is used by your MTA to receive *incoming* messages from other
administrative domains (organizations).

-Philip

> Javascript gives me the creeps (yeah I use Gmail anyway) so I'm happy
> to stick with Squirrelmail over Roundcube.
>
> - Grant
Re: Switching to 587 submission
On 12/08/2011 02:21 PM, Gary Smith wrote:
> Wouldn't it be smarter to just tell SquirrelMail to use port 587 and
> pass through authentication? This way if the server is compromised
> or has another exploit there isn't a simple internal email server to
> send all that spam from.
>
> This is exactly what we do for both horde and roundcube.

That was my first suggestion, but the stable version of SquirrelMail
(and the one supplied by Gentoo) doesn't support STARTTLS.
RE: Switching to 587 submission
> So you should change 'client' to 'recipient' in master.cf before you
> remove the 'permit_sasl_authenticated' in main.cf.
>
> At that point, SquirrelMail (or anything else) won't be able to send
> mail unless it authenticates on port 587, sends to one of your domains
> on port 25, or is in $mynetworks and sends on port 25.
>
> The path of least resistance is probably to add the SquirrelMail box to
> $mynetworks, and have it send to port 25. If someone can gain control of
> the SquirrelMail box, you're screwed mail-wise anyway, so I don't think
> you lose any security that way.

Wouldn't it be smarter to just tell SquirrelMail to use port 587 and pass
through authentication? This way if the server is compromised or has
another exploit there isn't a simple internal email server to send all that
spam from.

This is exactly what we do for both horde and roundcube.
Re: smtpd_recipient_restrictions -- Best Practices
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_auth_destination,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/access,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unkown_helo_hostname,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit

--
Peter L. Berghold
Re: smtpd_recipient_restrictions -- Best Practices
On Thursday 08 December 2011 13:04:13 Peter L. Berghold wrote:
> Is there a "best practice" concerning the ordering of the
> directives to the right hand side of the "=" for
> smtpd_recipient_restrictions?

Consider the relative costs of the restrictions. For example, a hash: table
access(5) lookup will have very little cost, whereas a reject_rbl_client
restriction incurs the delay and bandwidth of a DNS lookup.

Furthermore, be aware of the potential problem of 'permit' results allowing
open relay:
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> The reason I'm asking is I added a set of lines for RBL reverse DNS
> and they don't seem to be having any effect.

The "real" question lacks adequate information to answer. See:
http://www.postfix.org/DEBUG_README.html#mail
--
Offlist mail to this address is discarded unless "/dev/rob0" or
"not-spam" is in Subject: header
Re: Switching to 587 submission
On 12/08/2011 11:24 AM, Grant wrote:
>> You don't really need the permit_sasl_authenticated, since you shouldn't be
>> trying to auth on port 25. It doesn't hurt, though.
>
> I just noticed that I can't send mail from Thunderbird unless I
> include permit_sasl_authenticated in the above
> smtpd_recipient_restrictions block. I get relay access denied
> otherwise.

Oh, sorry. You have this in master.cf:

> submission inet n - n - - smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

The -o smtpd_foo_restrictions here is supposed to override the restrictions
in main.cf:

> smtpd_recipient_restrictions =
>   permit_sasl_authenticated,
>   permit_mynetworks,
>   reject_unauth_destination,
>   permit

So you should change 'client' to 'recipient' in master.cf before you remove
the 'permit_sasl_authenticated' in main.cf.

At that point, SquirrelMail (or anything else) won't be able to send mail
unless it authenticates on port 587, sends to one of your domains on port
25, or is in $mynetworks and sends on port 25.

The path of least resistance is probably to add the SquirrelMail box to
$mynetworks, and have it send to port 25. If someone can gain control of the
SquirrelMail box, you're screwed mail-wise anyway, so I don't think you lose
any security that way.

The alternative that you had working was letting SquirrelMail auth in plain
text on port 25, which is, should someone compromise the SquirrelMail box,
not going to save you.
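Two threads on this page turn on the same mechanics: in "Switching to 587 submission", a master.cf -o line replaces exactly one parameter, so overriding smtpd_client_restrictions on the submission service leaves smtpd_recipient_restrictions inherited from main.cf (hence "Relay access denied" for the authenticated Thunderbird client once permit_sasl_authenticated is removed there); in "smtpd_recipient_restrictions -- Best Practices", a restriction list stops at the first permit or reject, so permit_auth_destination ahead of reject_rbl_client means the DNSBL is never consulted for mail to your own domains. The model below is an added example that demonstrates both; it is not Postfix code and not anything posted to the list. The sample main.cf and master.cf contents, the Session attributes and the handful of restriction names it understands are assumptions; the real smtpd(8) evaluates many more restrictions, and an "authorized destination" also covers virtual and relay domains, which this model reduces to $mydestination.

```python
"""Added example, not Postfix source: a model of (1) how main.cf values and
master.cf "-o" overrides combine per service and (2) how a restriction list
is evaluated left to right until the first permit/reject.
Assumptions: only the config syntax used below is parsed, only a few
restriction names are modelled, "authorized destination" means $mydestination
alone, and DNSBL hits are session attributes rather than real DNS lookups.
"""
import re
from dataclasses import dataclass

MAIN_CF = """
mydestination = example.com, localhost
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_auth_destination,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    permit
"""
FIXED_MAIN_CF = MAIN_CF.replace("    permit_auth_destination,\n", "")

MASTER_CF = """
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
FIXED_MASTER_CF = MASTER_CF.replace("smtpd_client_restrictions",
                                    "smtpd_recipient_restrictions")

WITH_ARG = {"reject_rbl_client", "check_sender_access", "check_client_access"}


def parse_main_cf(text):
    """'name = value' lines; an indented line continues the previous value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and name:
            params[name] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params


def parse_master_cf(text):
    """{service: {param: value}} from the '-o' lines under each entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":               # "name type private ... command"
            current = raw.split()[0]
            services[current] = {}
        elif current and raw.strip().startswith("-o"):
            name, _, value = raw.strip()[2:].strip().partition("=")
            services[current][name] = value
    return services


def restriction_list(value):
    """Split on commas/whitespace, keeping 'reject_rbl_client zone' together."""
    toks, out = [t for t in re.split(r"[,\s]+", value) if t], []
    while toks:
        name = toks.pop(0)
        out.append(name + " " + toks.pop(0) if name in WITH_ARG and toks else name)
    return out


@dataclass
class Session:
    client_in_mynetworks: bool = False
    sasl_authenticated: bool = False
    recipient_domain: str = "example.com"
    dnsbl_listed_in: tuple = ()               # stands in for the DNS lookups


def evaluate(restrictions, s, local_domains):
    """Left to right; the first restriction that matches decides, the rest
    are never looked at.  Unmatched names are DUNNO and fall through."""
    local = s.recipient_domain in local_domains
    for r in restrictions:
        name, _, arg = r.partition(" ")
        matched = {
            "permit_mynetworks": s.client_in_mynetworks,
            "permit_sasl_authenticated": s.sasl_authenticated,
            "permit_auth_destination": local,
            "reject_unauth_destination": not local,   # "554 5.7.1 Relay access denied"
            "reject_rbl_client": arg in s.dnsbl_listed_in,
            "permit": True, "reject": True,
        }.get(name, False)
        if matched:
            return ("permit" if name.startswith("permit") else "reject"), r
    return "permit", "(implicit permit at end of list)"


def decide(service, session, main_cf=MAIN_CF, master_cf=MASTER_CF):
    """Effective smtpd_recipient_restrictions for the service, then evaluate."""
    cfg = {**parse_main_cf(main_cf), **parse_master_cf(master_cf).get(service, {})}
    local = [d.strip() for d in cfg["mydestination"].split(",")]
    return evaluate(restriction_list(cfg["smtpd_recipient_restrictions"]), session, local)
```

With the -o line naming smtpd_client_restrictions, decide("submission", Session(sasl_authenticated=True, recipient_domain="other.example")) ends at reject_unauth_destination, which is Grant's "relay access denied"; with FIXED_MASTER_CF it ends at permit_sasl_authenticated, and an unauthenticated client on that service hits the trailing reject. For port 25, a client listed in zen.spamhaus.org sending to example.com is permitted by permit_auth_destination under MAIN_CF and only rejected by reject_rbl_client under FIXED_MAIN_CF, which is the point rob0, Noel and Brian make above.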
Re: smtpd_recipient_restrictions -- Best Practices
On 12/8/2011 2:04 PM, Peter L. Berghold wrote:
> Hi folks,
>
> Hope this isn't too dumb a question, but here goes:
>
> Is there a "best practice" concerning the ordering of the directives to the
> right hand side of the "=" for smtpd_recipient_restrictions?
>
> The reason I'm asking is I added a set of lines for RBL reverse DNS and
> they don't seem to be having any effect.

Peter,

Can you send us the smtpd_recipient_restrictions line from your main.cf?
Might help to see how you have them ordered and what else you may be able
to add to help benefit you.

-Matt
smtpd_recipient_restrictions -- Best Practices
Hi folks,

Hope this isn't too dumb a question, but here goes:

Is there a "best practice" concerning the ordering of the directives to the
right hand side of the "=" for smtpd_recipient_restrictions?

The reason I'm asking is I added a set of lines for RBL reverse DNS and they
don't seem to be having any effect.

--
Peter L. Berghold
Re: postfix-pgsql on centos6
On 08.12.2011 16:50, Kwasi Gyasi - Agyei wrote:
> The building of postfix with pgsql is proving to be rather complicated, I
> think it doesn't like my Kernel
>
> (echo "# Do not edit -- this file documents how Postfix was built for your machine."; /bin/sh makedefs) >makedefs.tmp
> ATTENTION:
> ATTENTION: Unknown system type: Linux 3.0.4-linode38
> ATTENTION:
> make: *** [Makefiles] Error 1
> make: *** [makefiles] Error 2
> error: Bad exit status from /var/tmp/rpm-tmp.OnGA25 (%build)
>
> RPM build errors:
> Bad exit status from /var/tmp/rpm-tmp.OnGA25 (%build)

It seems that you are using a 3.* kernel. I do not know if compiling Simon J
Mudd's rpm is possible in such a case. Check with SJMudd and Wietse.

> On Thu, Dec 8, 2011 at 3:40 PM, ml wrote:
>
> On Thursday 08 December 2011 at 15:33 +1300, Peter wrote:
>> On 08/12/11 15:28, Kwasi Gyasi - Agyei wrote:
>>> Thanks, where can I get src.rpm for v2.6.6, the highest version from
>>> here http://postfix.wl0.org/en/available-packages/ is 2.5.
>>
>> ...picking a CentOS mirror at random:
>> http://mirrors.usc.edu/pub/linux/distributions/centos/6/os/SRPMS/Packages/postfix-2.6.6-2.el6.src.rpm
>
> It's easy to recompile the source rpm of Simon J Mudd for CentOS 6, see
> the documentation.

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://urlshort.eu
fakessh @
http://gplus.to/fakessh
http://gplus.to/john.swilting
Re: Switching to 587 submission
>>> You've probably got permit_mynetworks near the top of your
>>> smtpd_foo_restrictions, which are inherited by default. The "-o
>>
>> The only smtpd_foo_restrictions I have in main.cf are:
>>
>> smtpd_recipient_restrictions =
>>   permit_sasl_authenticated,
>>   permit_mynetworks,
>>   reject_unauth_destination,
>>   permit
>
> You don't really need the permit_sasl_authenticated, since you shouldn't be
> trying to auth on port 25. It doesn't hurt, though.

I just noticed that I can't send mail from Thunderbird unless I include
permit_sasl_authenticated in the above smtpd_recipient_restrictions block.
I get relay access denied otherwise.

- Grant
Re: Switching to 587 submission
>> I don't see why local Squirrelmail won't send mail over 587,
>> but remote Thunderbird will. Squirrelmail also won't send mail over
>> port 25, but it will send mail over 465.
>
> Do you have a new-enough SquirrelMail? From the looks of it, the only
> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)

OK, that must be why Squirrelmail can't send mail over 587. I'm on the
latest version in Portage. You spelled it out for me before but I didn't
pick up on it. Since 587 uses STARTTLS, I would have thought I could connect
unencrypted but apparently encryption is required there?

Is Squirrelmail failing to send mail over port 25 because authentication
isn't allowed on port 25? If so, do I need a dedicated port for unencrypted
local Squirrelmail mail?

Javascript gives me the creeps (yeah I use Gmail anyway) so I'm happy to
stick with Squirrelmail over Roundcube.

- Grant
Re: SMTP hangs when MySQL is down
On 08.12.2011 15:15, lst_ho...@kwsoft.de wrote:
> Quoting Reindl Harald:
>
>> On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
>>
>>> Help is always welcome, simply demand how things could be better is useless
>>
>> you have a bad attitude!
>>
>> demand how things could be better is useful, everywhere
>> because it is a hint what can be improved
>
> You have missed the difference between "point out" and "demand". If you got
> something for free, *demanding* to get something else is useless and always
> will be.
>
> You really should check your attitude...

Oh yes, come on and nail a non-native speaker down on one single word if
that makes you feel better. If you wanted to, you could understand what I
meant.
Re: SMTP hangs when MySQL is down
Quoting Reindl Harald:

> On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
>
>> Help is always welcome, simply demand how things could be better is useless
>
> you have a bad attitude!
>
> demand how things could be better is useful, everywhere
> because it is a hint what can be improved

You have missed the difference between "point out" and "demand". If you got
something for free, *demanding* to get something else is useless and always
will be.

You really should check your attitude...

Regards

Andreas
Re: SMTP hangs when MySQL is down
On 08.12.2011 14:45, lst_ho...@kwsoft.de wrote:
> Help is always welcome, simply demand how things could be better is useless

you have a bad attitude!

demand how things could be better is useful, everywhere
because it is a hint what can be improved

you do not always need to be able to make things better to give hints for
improvements, and these hints can often result in a brainstorming of
developers and possibly, with a small change in the code, be optimized by
people who know how to do it

calling user-feedback "useless" and "why do you not patch it yourself" was,
is and will always be a bad attitude
Re: SMTP hangs when MySQL is down
Quoting Sebastian Wiesinger:

> * Wietse Venema [2011-12-08 13:09]:
>> Sebastian Wiesinger:
>>> I really would like to know if it is not possible to have a temporary
>>> error when trivial-rewrite fails to access the MySQL database. I don't
>>> see any apparent reason for it. If there is one I would like to know.
>>
>> You have the right to ask these questions. I recommend that you
>> spend the energy to make your MySQL server more redundant, if you
>> care so much about email performance.
>
> I just don't want to have connections hang when there could be a temporary
> error which would close down these connections. I don't care so much about
> mail performance, more about (again, in my opinion) better error handling.
> And I had hoped that perhaps this would be an improvement to postfix. Sadly
> it seems it was some kind of blasphemy to question the way postfix does
> handle this stuff.

No, it means that until now no one needed this badly enough to step up with
code/patches to improve it. If you really need a reliable mailsystem you
simply have to use reliable parts. Whether your mailsystem responds with
4xx or simply hangs when it is not able to move any mail is just a matter of
taste.

> But perhaps I'm only getting the wrong impression here.

Yes

Help is always welcome, simply demand how things could be better is useless.

Regards

Andreas
Re: postfix-pgsql on centos6
On Thursday 08 December 2011 at 15:33 +1300, Peter wrote:
> On 08/12/11 15:28, Kwasi Gyasi - Agyei wrote:
>> Thanks, where can I get src.rpm for v2.6.6, the highest version from
>> here http://postfix.wl0.org/en/available-packages/ is 2.5.
>
> ...picking a CentOS mirror at random:
> http://mirrors.usc.edu/pub/linux/distributions/centos/6/os/SRPMS/Packages/postfix-2.6.6-2.el6.src.rpm

It's easy to recompile the source rpm of Simon J Mudd for CentOS 6, see the
documentation.
Re: SMTP hangs when MySQL is down
* Wietse Venema [2011-12-08 13:09]:
> Sebastian Wiesinger:
>> I really would like to know if it is not possible to have a temporary
>> error when trivial-rewrite fails to access the MySQL database. I don't
>> see any apparent reason for it. If there is one I would like to know.
>
> You have the right to ask these questions. I recommend that you
> spend the energy to make your MySQL server more redundant, if you
> care so much about email performance.

I just don't want to have connections hang when there could be a temporary
error which would close down these connections. I don't care so much about
mail performance, more about (again, in my opinion) better error handling.
And I had hoped that perhaps this would be an improvement to postfix. Sadly
it seems it was some kind of blasphemy to question the way postfix does
handle this stuff.

But perhaps I'm only getting the wrong impression here.

Regards

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
SCYTHE. -- Terry Pratchett, The Fifth Elephant
Virtual Aliasing for any user
Hello,

First post to the list, I would really appreciate any help/advice.

In my current setup I act as a Spam and Virus filter for several domains.
Mail is then relayed to their local Exchange servers once it has been scanned.

In the event that their Exchange server is down and they require emergency
access to their emails I have configured virtual_alias_maps as below:

user@domain user@domain,user@otherdomain

This way the original mail is still cached in the queue for delivery to
Exchange and a copy is sent to the same user at anotherdomain (an
IMAP/Webmail server).

My question is: Rather than setting up each user and their alias individually
can I use a wildcard to accept for anyuser and forward to the same username
on the other domain.

Rather than use virtual_alias_maps:

@domain catchall@otherdomain

I would like virtual_alias_maps:

%anything%@domain %anything%@otherdomain

I hope I have explained that clearly enough. I did attempt to configure
virtual_alias_maps like this:

@domain @otherdomain

But this tries to literally forward to @otherdomain (as an address without
the user portion).

Thanks in advance.

James
Re: SMTP hangs when MySQL is down
Wietse Venema:
> Sebastian Wiesinger:
>> I really would like to know if it is not possible to have a temporary
>> error when trivial-rewrite fails to access the MySQL database. I don't
>> see any apparent reason for it. If there is one I would like to know.
>
> You have the right to ask these questions. I recommend that you
> spend the energy to make your MySQL server more redundant, if you
> care so much about email performance.

OK, one reply. In Postfix I do not spend a lot of time on optimizing the
handling of internal errors such as broken MySQL servers.

Wietse
Re: SMTP hangs when MySQL is down
Sebastian Wiesinger:
> I really would like to know if it is not possible to have a temporary
> error when trivial-rewrite fails to access the MySQL database. I don't
> see any apparent reason for it. If there is one I would like to know.

You have the right to ask these questions. I recommend that you spend the energy to make your MySQL server more redundant, if you care so much about email performance.

Wietse
Stress Test Postfix
Hello,

I have 2 Postfix setups with openLDAP as back ends. I need to stress test my configuration. I tried with smtp-source but I don't know if it is OK to test with 1 connection or more. How does Postfix handle the connections from smtp-source? Is it reliable? I mean, if I use 200 connections on smtp-source, does that mean that I simulate 200 concurrent connections, from different users, on Postfix?

B/R
Peter.
Re: CISCO breaks DKIM on their ASA/PIX (again)
On 08.12.2011 09:53, Ralf Hildebrandt wrote:
> Over the last few days I discussed SMTP delivery problems with a Czech
> site which was using Postfix and a CISCO ASA with "smtp protocol
> fixup" enabled.
>
> I was able to work around the delivery problems by stripping the DKIM
> headers on outgoing mails (as so often).
>
> Some interesting info got out:
>
> I've also discussed these results with local Cisco support and they
> confirmed it's a known bug (not published) with DKIM and smtp inspection
> engine in latest IOS versions.
>
> This should be fixed in some newer IOS version (8.4(10)) which is not
> public yet (latest is 8.4(2)).

so now it's public *g
there really should be public information from cisco and we all have to look at it *g
any big mailers known for this bug?

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: SMTP hangs when MySQL is down
* Wietse Venema [2011-12-07 17:20]:
> Yes it was. I point the attention to the RIGHT problem, which is
> fixing the suboptimal configuration that does domain queries from
> SQL.

Hi,

with all due respect, but for me the important thing at the moment would be to understand why it works the way it works. I understand that it is apparently not the "right" way to do it, but to be honest there is not a lot of information to point that out.

* There is no information regarding this limitation in trivial-rewrite(8), MYSQL_README or mysql_table(5). Maybe it's somewhere else where I did not find it.
* Every setup guide or how-to regarding MySQL and postfix that I found sets up the domain alias table and domain table in MySQL. So people are using it.
* Doing a Google search for "virtual_mailbox_domains = proxy:mysql:" returns 74k results, "virtual_mailbox_domains = mysql:" returns 41k results. So there are probably a few people using it.
* From my standpoint it makes no sense to have everything in a central database and then leave out the domain and domain alias tables. (But that is debatable.)
* SMTP is not realtime messaging, but customers/users nowadays expect that the configuration gets active at the same time they enter it into the system. If you can't provide that they go elsewhere.

I really would like to know if it is not possible to have a temporary error when trivial-rewrite fails to access the MySQL database. I don't see any apparent reason for it. If there is one I would like to know.

Last but not least I would really appreciate it if that capability would be added (make it optional by all means). I think that at least a few people would benefit from it.

Regards,
Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: CISCO breaks DKIM on their ASA/PIX (again)
* Rolf E. Sonneveld:
> > I was able to work around the delivery problems by stripping the DKIM
> > headers on outgoing mails (as so often).
>
> Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup'
> effectively blocks _any_ message carrying a DKIM-signature header?

No, it's blocking SOME, but in order to make those pass, I had to strip off the DKIM headers, and suddenly they would go through:

  smtp_header_checks=pcre:/etc/postfix/no_dkim.pcre

  /^DKIM-Signature:/ IGNORE # this strips a DKIM Signature

> I've always wondered why they call it 'smtp protocol fixup', they'd
> better call it 'smtp protocol breakdown'.

One really has to wonder about this.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
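The workaround above relies on a property of header_checks(5) that is easy to overlook when reproducing it elsewhere: Postfix matches each pattern against the logical header, i.e. the header line together with its folded continuation lines, and IGNORE removes the whole logical header. A DKIM-Signature is almost always folded over several lines, so a filter that only drops the physical line matching `^DKIM-Signature:` leaves the `b=` and `bh=` continuation lines behind, glued onto whatever header precedes them. The following is an added example, not code from the thread or from Postfix; it models the IGNORE action on a constructed message whose DKIM values are placeholders, and contrasts it with the naive line-by-line variant.

```python
import re

# Added example, not Postfix code: a minimal model of header_checks(5) IGNORE.
# The sample message is constructed; the DKIM tag values are placeholders,
# not a real signature.  Note the signature is folded over three lines.
SAMPLE_MESSAGE = (
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
    "\ts=selector1; h=from:to:subject; bh=PLACEHOLDER_BODY_HASH=;\r\n"
    "\tb=PLACEHOLDER_SIGNATURE=\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "message body\r\n"
)

# Equivalent of the posted rule  /^DKIM-Signature:/ IGNORE
# (pcre tables match case-insensitively by default).
HEADER_CHECKS = [(re.compile(r"^DKIM-Signature:", re.IGNORECASE), "IGNORE")]


def split_message(message):
    """Split a message into (physical header lines, body) at the first empty line."""
    head, _sep, body = message.partition("\r\n\r\n")
    return head.split("\r\n"), body


def logical_headers(header_lines):
    """Group physical lines into logical headers: a line starting with
    whitespace is a folded continuation of the previous header (RFC 5322)."""
    groups = []
    for line in header_lines:
        if line[:1] in (" ", "\t") and groups:
            groups[-1].append(line)
        else:
            groups.append([line])
    return groups


def apply_header_checks(message, rules=HEADER_CHECKS):
    """Apply IGNORE rules the way Postfix does (pattern vs. whole logical
    header).  Returns (rewritten_message, names_of_dropped_headers)."""
    header_lines, body = split_message(message)
    kept, dropped = [], []
    for group in logical_headers(header_lines):
        text = "\r\n".join(group)  # '^' anchors at the start of the logical header
        action = next((act for pat, act in rules if pat.search(text)), None)
        if action == "IGNORE":
            dropped.append(group[0].split(":", 1)[0])
        else:
            kept.extend(group)
    return "\r\n".join(kept) + "\r\n\r\n" + body, dropped


def naive_line_strip(message, pattern=HEADER_CHECKS[0][0]):
    """The mistake to avoid: dropping only the physical line that matches.
    The folded continuation lines survive and attach to the preceding header."""
    header_lines, body = split_message(message)
    kept = [line for line in header_lines if not pattern.search(line)]
    return "\r\n".join(kept) + "\r\n\r\n" + body


if __name__ == "__main__":
    stripped, dropped = apply_header_checks(SAMPLE_MESSAGE)
    print("dropped:", dropped)
    print(stripped)
    print("--- naive variant leaves continuation lines behind ---")
    print(naive_line_strip(SAMPLE_MESSAGE))
```

Because the rule is installed as smtp_header_checks (the SMTP client side) rather than header_checks (the cleanup side), it only affects mail Postfix sends onward; signatures on mail being received and verified are untouched, which is the right scope for a workaround aimed at a broken remote inspection engine.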
Re: CISCO breaks DKIM on their ASA/PIX (again)
Hi, Ralf,

On 12/8/11 9:53 AM, Ralf Hildebrandt wrote:
> Over the last few days I discussed SMTP delivery problems with a Czech
> site which was using Postfix and a CISCO ASA with "smtp protocol
> fixup" enabled.
>
> I was able to work around the delivery problems by stripping the DKIM
> headers on outgoing mails (as so often).

Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup' effectively blocks _any_ message carrying a DKIM-signature header?

> Some interesting info got out:
>
> I've also discussed these results with local Cisco support and they
> confirmed it's a known bug (not published) with DKIM and smtp inspection
> engine in latest IOS versions.
>
> This should be fixed in some newer IOS version (8.4(10)) which is not
> public yet (latest is 8.4(2)).

I've always wondered why they call it 'smtp protocol fixup', they'd better call it 'smtp protocol breakdown'.

/rolf
CISCO breaks DKIM on their ASA/PIX (again)
Over the last few days I discussed SMTP delivery problems with a Czech site which was using Postfix and a CISCO ASA with "smtp protocol fixup" enabled.

I was able to work around the delivery problems by stripping the DKIM headers on outgoing mails (as so often).

Some interesting info got out:

I've also discussed these results with local Cisco support and they confirmed it's a known bug (not published) with DKIM and smtp inspection engine in latest IOS versions.

This should be fixed in some newer IOS version (8.4(10)) which is not public yet (latest is 8.4(2)).

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de