Re: SMTPS 465

2013-04-12 Thread DTNX Postmaster
On Apr 13, 2013, at 00:50, b...@bitrate.net wrote:

> On Apr 12, 2013, at 15.25, Joan Moreau  wrote:
> 
>> Hi,
>> 
>> I am stuck with making my SSL SMTPS (port 465) work, while it had been working 
>> fine forever.
> 
> others have helped with the specifics of your question, so i'll address the 
> philosophical aspect of it :) .  while it may take some coordination to do so 
> if you have an existing user base using smtps, you should be using 
> submission+starttls instead.  smtps is a long since deprecated, never 
> standardized protocol, which now misappropriates a port which has been 
> formally assigned by iana to another protocol, for quite some time.

+1. Use port 587 with STARTTLS, require encryption.

HTH,
Jona
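
The recommendation above (submission on port 587 with STARTTLS, encryption required) can be checked against a master.cf mechanically. What follows is an added example, not code from this thread or from Postfix: a small parser for master.cf service entries (the eight-column format plus `-o` continuation lines) and an audit that flags a wrapper-mode smtps service, a submission service that does not make STARTTLS mandatory, the obsolete `smtpd_enforce_tls` spelling (replaced by `smtpd_tls_security_level=encrypt` in Postfix 2.3), and a submission service that does not enable SASL on the service itself. The sample master.cf text is constructed from the entries Joan posted further down this page; the "recommended" entry is the usual hardened form and is likewise not taken from the thread.

```python
# Constructed sample: the smtps and submission entries Joan posted in this
# thread, laid out with continuation lines as master.cf normally carries them.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
#smtps     inet  n  -  n  -  -  smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
submission inet  n  -  n  -  -  smtpd -o smtpd_enforce_tls=yes
pickup     fifo  n  -  n  60 1  pickup
"""

# The usual hardened submission entry (Postfix 2.3+ syntax). This is the
# recommended shape, not something posted in the thread.
RECOMMENDED_SUBMISSION = """\
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def _collect_opts(tokens, entry):
    # tokens look like ['-o', 'key=value', '-o', 'key=value', ...]
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            key, value = tokens[i + 1].split("=", 1)
            entry["opts"][key] = value


def parse_master_cf(text):
    """Return {service_name: {"type": ..., "command": ..., "opts": {k: v}}}.

    master.cf has eight whitespace-separated columns; a line that starts with
    whitespace continues the previous entry and carries -o key=value overrides.
    Comments and blank lines are skipped.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation of the previous service entry
            if current is None:
                raise ValueError("continuation line without a service: %r" % raw)
            _collect_opts(raw.split(), current)
            continue
        cols = raw.split()
        if len(cols) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        current = {"type": cols[1], "command": cols[7], "opts": {}}
        _collect_opts(cols[8:], current)
        services[cols[0]] = current
    return services


def audit_submission(services):
    """Return human-readable findings about how mail submission is exposed.

    Only per-service overrides are examined; main.cf defaults are not consulted,
    so a SASL finding means "not set on this service entry".
    """
    findings = []
    for name, svc in services.items():
        if svc["command"] != "smtpd":
            continue
        o = svc["opts"]
        if o.get("smtpd_tls_wrappermode") == "yes":
            findings.append("%s: TLS wrapper mode (SMTPS); prefer submission with STARTTLS" % name)
        if name != "submission":
            continue
        enforced = (o.get("smtpd_tls_security_level") == "encrypt"
                    or o.get("smtpd_enforce_tls") == "yes")
        if not enforced:
            findings.append("submission: STARTTLS not mandatory (set smtpd_tls_security_level=encrypt)")
        if "smtpd_enforce_tls" in o:
            findings.append("submission: smtpd_enforce_tls is obsolete; use smtpd_tls_security_level=encrypt")
        if o.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("submission: smtpd_sasl_auth_enable=yes not set on this service entry")
    return findings


if __name__ == "__main__":
    for line in audit_submission(parse_master_cf(SAMPLE_MASTER_CF)):
        print(line)
    print("recommended entry findings:", audit_submission(parse_master_cf(RECOMMENDED_SUBMISSION)))
```

To run it against a live system, feed the parser the output of `postconf -M` (Postfix 2.9+) or the contents of master.cf directly.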



Re: New Postfix log analyzer tool, statistics, grapher, ... PostgreSQL DB 9.2.x based

2013-04-12 Thread Abhijeet Rastogi
Any screenshots would be highly appreciated. I'm currently using
Elasticsearch to store all my logs and Kibana for search. I was wondering
how this tool will help more.


On Thu, Apr 11, 2013 at 6:59 PM, Nicolas HAHN  wrote:

>  Dear Postfix Community,
>
> I'm writing here for the first time, but I have been working in the area of
> SMTP messaging for a long time. With Postfix, which I really love.
>
> The goal of my e-mail today is just to let you know that I have been working
> for some time on my open source GPLv3 project dedicated to *real time* Postfix
> log analysis, but not only log analysis.
>
> This project needs several components to work properly, primarily a Linux
> server running Apache, PHP, Rsyslog, PostgreSQL 9.2, SNMPD, ... A lot of
> things are described in the INSTALL file.
>
> If you are interested in such a project, you can find it on Sourceforge
> here:
> https://sourceforge.net/projects/x-itools/files/X-Itools%20releases/E-mail%20Log%20Search%20Engine/
>
>
> The archive I just uploaded this morning deals with Postfix version >=2.8.x
> logs.
>
> This tool is used in the United Nations datacenters, for Messaging
> Services, where I'm currently working as a messaging architect consultant.
> Depending on the processing power of the server, it is able to work with a
> mail flow of 1 million e-mails a day in real time. The version deployed in
> the UN also processes Exchange server logs in real time. The version I've
> packaged on Sourceforge is a little behind (I need time to commit all
> my code) and is able to process Postfix logs only as of today.
> Some (and me too :-)) say it is much more powerful than what Postini from
> Google is offering, especially if we consider that it is working in real time.
>
> The version available on Sourceforge in the tar.gz archive is 0.9.10.
> The version starting to process Exchange server logs is 0.9.11. It is
> coming...
>
> Also, I kept my tool "secret" since 2004 despite the fact that I decided to
> put it under the GPL, using it for my own needs as a small provider myself. I
> decided to publish it on Sourceforge in 2011, when the UN showed a big interest
> in it, and then I restarted the development. It means the Wiki is empty,
> the doc is enclosed in my brain, ... and all of this needs to be publicly
> available. That will take time...
>
> So, if you're interested, I can answer questions and provide help. It can
> be quite complex to install because of the dependencies needed.
> This project also needs, as you may know, volunteers and talents, people to
> debug, ... I'm not the most talented coder in the world of course :) The PHP
> code I produce as a PHP newbie, for example, could be greatly enhanced,
> secured, and so on. I'm learning PHP at the same time as I'm coding this tool
> and it's not easy as I'm an old school C/C++ coder.
>
> In brief, a continuous effort is needed as usual.
>
> *NOTE: I've removed the attached screenshot because e-mail size is
> limited to  4 characters.*
>
> Thanks for your attention
>
> Best regards,
> Nicolas
>



-- 
Regards,
Abhijeet Rastogi (shadyabhi)
http://blog.abhijeetr.com


Re: Setting up secure submission for remote users

2013-04-12 Thread LuKreme
On Apr 12, 2013, at 7:10, btb  wrote:
> On 2013.04.12 07.01, LuKreme wrote:
>> In our previous episode (Thursday, 11-Apr-2013), b...@bitrate.net
>> said:
>>> you can certainly upgrade without breaking everything.  as with
>>> anything else, it just takes some care and consideration.  as far
>>> as procmail goes, i'd consider losing procmail to be a benefit.
>>> why do you think you need it?
>> 
>> Because I use it extensively.
> 
> that's a foregone conclusion.  the question is for what do you use it.  in 
> the vast majority of cases, sieve can do everything procmail can do.  if you 
> were to switch from courier to dovecot for imap, delivery via lmtp from 
> postfix to dovecot offers a number of benefits, only one of which is easy 
> integration of sieve.

I've never used sieve, but have been using procmail for 15 years or so. I use 
it to sort mail, of course, but also for adding headers, sending copies of 
certain mails, altering subject lines, and probably a couple of other things 
I'm not thinking of. My procmail recipes tend to span 4 or 5 rc files and several 
hundred lines. It's not something I think I want to try to redo in sieve.






Re: SMTPS 465

2013-04-12 Thread btb

On Apr 12, 2013, at 15.25, Joan Moreau  wrote:

> Hi,
> 
> I am stuck with making my SSL SMTPS (port 465) work, while it had been working 
> fine forever.

others have helped with the specifics of your question, so i'll address the 
philosophical aspect of it :) .  while it may take some coordination to do so 
if you have an existing user base using smtps, you should be using 
submission+starttls instead.  smtps is a long since deprecated, never 
standardized protocol, which now misappropriates a port which has been formally 
assigned by iana to another protocol, for quite some time.

-ben

Re: SMTPS 465

2013-04-12 Thread Quanah Gibson-Mount
--On Friday, April 12, 2013 9:05 PM + Joan Moreau  
wrote:

>> Please don't top-post.
>
> I do not understand

--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: SMTPS 465

2013-04-12 Thread Joan Moreau



> Please don't top-post.

I do not understand

> smtpd_tls_loglevel = 1 is sufficient for debugging.

ok

>> 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: 
>> TLS library problem: 12238:error:1409D08A:SSL 
>> routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:

> This suggests your TLS library is broken.

The TLS library being which one?

I am using OpenSSL and all HTTPS web sites are working fine. Is there 
another library involved?

Thank you in advance

Joan


Re: SMTPS 465

2013-04-12 Thread Noel Jones
On 4/12/2013 2:49 PM, Joan Moreau wrote:
> Actually, if I type
> 
> openssl s_client -CApath BKQSDQSD -connect 127.0.0.1:465
> 
> (i.e. whatever in the CApath field), the connection works fine
> 
> but if not, I get an error.
> 
>  
> 
> Putting "log level" at 3 in postfix, I get :

Please don't top-post.

smtpd_tls_loglevel = 1 is sufficient for debugging. Higher log
levels tend to hide problems in the noise.

> 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS 
> library problem: 12238:error:1409D08A:SSL 
> routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:

This suggests your TLS library is broken.


  -- Noel Jones
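
Noel's advice is to read what smtpd logs rather than raise the log level. The following is an added example, not from the thread and not a Postfix tool, of the detection logic a practitioner would run over such a log: it groups smtpd lines into per-connection sessions by PID, extracts the `SSL_accept error` return code, parses OpenSSL's `error:<code>:<library>:<function>:<reason>:<file>:<line>` string out of the "TLS library problem" warning, and records where the connection was lost. The sample log is constructed: the PID 12238 lines are the ones Joan posted (trimmed), and the PID 12240 session with client `mail.example.org[192.0.2.10]` is invented to show a successful handshake being left alone.

```python
import re
from collections import Counter

# Constructed sample: Joan's smtpd_tls_loglevel=3 lines for PID 12238 (trimmed
# to the ones that matter), followed by an invented connection on PID 12240
# whose handshake succeeds. "Anonymous TLS connection established" is the
# normal loglevel-1 success line Postfix writes.
SAMPLE_LOG = """\
2013-04-12T21:49:03.068492+02:00 server postfix/smtpd[12238]: connect from unknown[41.137.65.121]
2013-04-12T21:49:03.068514+02:00 server postfix/smtpd[12238]: setting up TLS connection from unknown[41.137.65.121]
2013-04-12T21:49:03.068639+02:00 server postfix/smtpd[12238]: unknown[41.137.65.121]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160431+02:00 server postfix/smtpd[12238]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
2013-04-12T21:49:03.165268+02:00 server postfix/smtpd[12238]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-12T21:49:03.165281+02:00 server postfix/smtpd[12238]: disconnect from unknown[41.137.65.121]
2013-04-12T21:50:10.000000+02:00 server postfix/smtpd[12240]: connect from mail.example.org[192.0.2.10]
2013-04-12T21:50:10.120000+02:00 server postfix/smtpd[12240]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2013-04-12T21:50:11.000000+02:00 server postfix/smtpd[12240]: disconnect from mail.example.org[192.0.2.10]
"""

# syslog_name may be e.g. postfix/submission/smtpd, hence the "/" in proc.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) postfix/(?P<proc>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
SSL_ACCEPT_ERR_RE = re.compile(r"^SSL_accept error from (?P<client>\S+): (?P<rc>-?\d+)$")
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from (?P<client>\S+)$")


def parse_sessions(text):
    """Group smtpd log lines into per-connection sessions.

    One smtpd process serves connections one after another, so for a given
    PID 'connect from' opens a session and 'disconnect from' closes it.
    """
    open_by_pid = {}
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("proc").endswith("smtpd"):
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            open_by_pid[pid] = {"pid": pid, "client": c.group("client"), "start": m.group("ts"),
                                "ssl_accept_rc": None, "errors": [], "lost_after": None,
                                "tls_established": False}
            continue
        s = open_by_pid.get(pid)
        if s is None:  # line belongs to a connection whose start we did not see
            continue
        e = SSL_ACCEPT_ERR_RE.match(msg)
        if e:
            s["ssl_accept_rc"] = int(e.group("rc"))
        for o in OPENSSL_ERR_RE.finditer(msg):
            s["errors"].append((o.group("func"), o.group("reason")))
        l = LOST_RE.match(msg)
        if l:
            s["lost_after"] = l.group("stage")
        if "TLS connection established from" in msg:
            s["tls_established"] = True
        if msg.startswith("disconnect from "):
            sessions.append(open_by_pid.pop(pid))
    sessions.extend(open_by_pid.values())  # connections still open when the log ends
    return sessions


def tls_failures(text):
    """Sessions in which SSL_accept failed or OpenSSL reported an error."""
    return [s for s in parse_sessions(text) if s["ssl_accept_rc"] is not None or s["errors"]]


def failure_reasons(text):
    """Count OpenSSL (function, reason) pairs across all failed sessions."""
    return Counter(err for s in tls_failures(text) for err in s["errors"])


if __name__ == "__main__":
    for s in tls_failures(SAMPLE_LOG):
        print("%s pid=%s client=%s lost_after=%s errors=%s"
              % (s["start"], s["pid"], s["client"], s["lost_after"], s["errors"]))
    print(failure_reasons(SAMPLE_LOG))
```

The (function, reason) pair is the part worth aggregating: a reason such as "cipher or hash unavailable" coming from one client is a client problem, the same reason from every client points at the server's TLS library, which is what Noel is suggesting here.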


Re: SMTPS 465

2013-04-12 Thread Joan Moreau


Actually, if I type 

openssl s_client -CApath BKQSDQSD -connect 127.0.0.1:465 

(i.e. whatever in the CApath field), the connection works fine 

but if not, I get an error. 

Putting "log level" at 3 in postfix, I get : 

2013-04-12T21:49:03.25+02:00 server postfix/smtpd[12238]: initializing the server-side TLS engine
2013-04-12T21:49:03.068492+02:00 server postfix/smtpd[12238]: connect from unknown[41.137.65.121]
2013-04-12T21:49:03.068514+02:00 server postfix/smtpd[12238]: setting up TLS connection from unknown[41.137.65.121]
2013-04-12T21:49:03.068639+02:00 server postfix/smtpd[12238]: unknown[41.137.65.121]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
2013-04-12T21:49:03.068872+02:00 server postfix/smtpd[12238]: SSL_accept:before/accept initialization
2013-04-12T21:49:03.068964+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client hello A
2013-04-12T21:49:03.068973+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server hello A
2013-04-12T21:49:03.069102+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write certificate A
2013-04-12T21:49:03.071683+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write key exchange A
2013-04-12T21:49:03.071693+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server done A
2013-04-12T21:49:03.071697+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 flush data
2013-04-12T21:49:03.160413+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client key exchange A
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160431+02:00 server postfix/smtpd[12238]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
2013-04-12T21:49:03.165268+02:00 server postfix/smtpd[12238]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-12T21:49:03.165281+02:00 server postfix/smtpd[12238]: disconnect from unknown[41.137.65.121]

On 12/04/2013 19:41, Joan Moreau wrote: 

> Hi, 
> 
> I need to type 
> 
> server:~ # openssl s_client -CApath /etc/ssl -connect 127.0.0.1:465 
> 
> to get an "OK" at the end. 
> 
> Is this the cause of the problem? If yes, how to fix it in "main.cf"? 
> 
> CONNECTED(0003)
> depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = 
> grosjo.net
> verify return:1
> write:errno=104
> ---
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
> i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
> Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
> Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
> Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> ---
> Server certificate
> -BEGIN CERTIFICATE-
> MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
> ...
> aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
> -END CERTIFICATE-
> subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
> issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 4017 bytes and written 135 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 
> Session-ID-ctx: 
> Master-Key: 
> CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Compression: 1 (zlib compression)
> Start Time: 1365795552
> Timeout : 300 (sec)
>   VERIFY RETURN CODE: 0 (OK)
> ---



Re: SMTPS 465

2013-04-12 Thread Joan Moreau


Hi, 

I need to type 

server:~ # openssl s_client -CApath /etc/ssl -connect 127.0.0.1:465 

to get an "OK" at the end. 

Is this the cause of the problem? If yes, how to fix it in "main.cf"? 

CONNECTED(0003)
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN =
grosjo.net
verify return:1
write:errno=104
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-BEGIN CERTIFICATE-
MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
...
aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
-END CERTIFICATE-
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4017 bytes and written 135 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 
Session-ID-ctx: 
Master-Key:
CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Compression: 1 (zlib compression)
Start Time: 1365795552
Timeout : 300 (sec)
  VERIFY RETURN CODE: 0 (OK)
---



Re: SMTPS 465

2013-04-12 Thread Noel Jones
On 4/12/2013 2:25 PM, Joan Moreau wrote:
> Hi,
> 
> I am stuck with making my SSL SMTPS (port 465) work, while it had been
> working fine forever.
> 
> I upgraded my kernel to 3.8.6 and since then, nothing works :(
> 
>  


What happens when you test it?
# openssl s_client -connect 127.0.0.1:465

What does postfix log?
http://www.postfix.org/DEBUG_README.html#logging



  -- Noel Jones





> 
> Here is my postconf -n
> 
> alias_maps = hash:/etc/aliases
> biff = no
> bounce_queue_lifetime = 6h
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> data_directory = /var/lib/postfix
> defer_transports =
> delay_warning_time = 1h
> disable_dns_lookups = no
> disable_mime_output_conversion = no
> dovecot_destination_recipient_limit = 1
> header_checks = pcre:/etc/postfix/smtp_header_checks
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> local_recipient_maps =
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailbox_size_limit = 0
> mailbox_transport = dovecot
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions = root
> maximal_queue_lifetime = 1d
> message_size_limit = 20480
> mydestination = $myhostname, localhost.$mydomain
> mydomain = grosjo.net
> myhostname = grosjo.net
> mynetworks = 127.0.0.0/8 204.93.196.46/32
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> proxy_read_maps = $virtual_mailbox_domains $local_recipient_maps
> $mydestination $virtual_alias_maps $virtual_alias_domains
> $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps
> $relay_domains $canonical_maps $sender_canonical_maps
> $recipient_canonical_maps $relocated_maps $transport_maps
> $mynetworks $virtual_mailbox_limit_maps
> queue_directory = /var/spool/postfix
> readme_directory = no
> relayhost =
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix/samples
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> slow_destination_concurrency_limit = 2
> slow_destination_recipient_limit = 1
> smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
> smtp_sasl_auth_enable = no
> smtp_tls_CAfile = /etc/ssl/ca-bundle.crt
> smtp_tls_cert_file = /etc/ssl/certs/gjnet.crt
> smtp_tls_key_file = /etc/ssl/certs/gjnet.key
> smtp_tls_session_cache_database = hash:/var/lib/postfix/smtp_scache
> smtp_use_tls = no
> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination, permit
> smtpd_helo_required = no
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client
> bl.spamcop.net,reject_rbl_client
> sbl-xbl.spamhaus.org,check_policy_service inet:127.0.0.1:10023
> smtpd_relay_restrictions = permit_mynetworks
> permit_sasl_authenticated defer_unauth_destination
> smtpd_sasl_auth_enable = no
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated
> smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
> smtpd_tls_CApath = /etc/ssl/certs
> smtpd_tls_cert_file = /etc/ssl/certs/gjnet.crt
> smtpd_tls_key_file = /etc/ssl/certs/gjnet.key
> smtpd_tls_loglevel = 3
> strict_8bitmime = no
> strict_rfc821_envelopes = no
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:1002
> virtual_mailbox_base = /data/mail
> virtual_mailbox_domains =
> mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_limit = 0
> virtual_mailbox_limit_maps =
> mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 10001
> virtual_transport = dovecot
> virtual_uid_maps = static:10001
> 
> my master.cf
> 
> mtp        inet  n   -   n   -   -   smtpd
> # -o content_filter=spamassassin
> #smtps     inet  n   -   n   -   -   smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> smtps      inet  n   -   n   -   -   smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
> submission inet  n   -   n   -   -   smtpd -o smtpd_enforce_tls=yes
> pickup     fifo  n   -   n   60  1   pickup
> cleanup    unix  n   -   n   -   0   cleanup

SMTPS 465

2013-04-12 Thread Joan Moreau


Hi, 

I am stuck with making my SSL SMTPS (port 465) work, while it had been
working fine forever. 

I upgraded my kernel to 3.8.6 and since then, nothing works :( 

Here is my postconf -n 

alias_maps = hash:/etc/aliases
biff = no
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/smtp_header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 1d
message_size_limit = 20480
mydestination = $myhostname, localhost.$mydomain
mydomain = grosjo.net
myhostname = grosjo.net
mynetworks = 127.0.0.0/8 204.93.196.46/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $virtual_mailbox_domains $local_recipient_maps
$mydestination $virtual_alias_maps $virtual_alias_domains
$virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps
$relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
$virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
slow_destination_concurrency_limit = 2
slow_destination_recipient_limit = 1
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = no
smtp_tls_CAfile = /etc/ssl/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/gjnet.crt
smtp_tls_key_file = /etc/ssl/certs/gjnet.key
smtp_tls_session_cache_database = hash:/var/lib/postfix/smtp_scache
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client
bl.spamcop.net,reject_rbl_client
sbl-xbl.spamhaus.org,check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/gjnet.crt
smtpd_tls_key_file = /etc/ssl/certs/gjnet.key
smtpd_tls_loglevel = 3
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1002
virtual_mailbox_base = /data/mail
virtual_mailbox_domains =
mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_limit_maps =
mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 10001
virtual_transport = dovecot
virtual_uid_maps = static:10001

my master.cf 

mtp inet n - n - - smtpd
# -o content_filter=spamassassin
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o
smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o
smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
tlsmgr unix - - n 1000? 1 tlsmgr
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o smtp_helo_timeout=5 -o
smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
# spamassassin unix - n n - - pipe flags=DRhu use


Re: Stripping Received: headers

2013-04-12 Thread Wietse Venema
Geoff Shang:
> On Fri, 12 Apr 2013, Wietse Venema wrote:
> 
> > You need to do "postfix reload" after editing master.cf.
> 
> I did.  I did it again for good measure - no difference.

Are you using receive_override_options in main.cf or master.cf?

Wietse


[meta] Postfix List Archives

2013-04-12 Thread grarpamp
Though I've used postfix for a while, I'm pretty new to the
list. There seem to be some good ideas and solutions
going through here. So I'd like to see what all I've missed :)
Unfortunately online http 'archives' aren't at all useful or flexible.
So are there plain text archives available I can download for
use with local client search and reading? Maildir or mbox is fine.
Or perhaps like FreeBSD does with their lists (mbox ftp/rsync),
the Postfix project can make theirs available as well? I'd rather
not have to scrape and parse just to search and read efficiently
locally.

For those who will invariably cry about spam in response, please
realize spammers have already subscribed and have also scraped
mailman/pipermail for years. Install a better filter :)


Re: Stripping Received: headers

2013-04-12 Thread /dev/rob0
A word at the outset here: I predict this will come back to bite you 
in a most painful way. As Noel suggested, you're going to run afoul 
of some clueless spam checks. Some years back I know that Hotmail/MSN 
actually *discarded* such mail silently!

Note also that Postfix itself uses Received: headers as a protection 
against mail loops. Let's hope you don't get a loop going!

On Fri, Apr 12, 2013 at 05:49:47PM +0300, Geoff Shang wrote:
> Is there any way I can be sure that the special cleanup agent
> is running? I see the socket
> /var/spool/postfix/public/submission_cleanup

It's running. To see what it does:

> master.cf:

> submission_cleanup   unix  n  -  -  -  -  cleanup
>   # Strip Received: lines from authenticated mail
>   -o header_checks=pcre:/etc/postfix/header_checks
  -o syslog_name=postfix/submission/cleanup

Every non-default service should have its own syslog_name to enhance 
your log searches.

> /etc/postfix/header_checks:
> 
> # Remove any Received: headers from authenticated mail.
> /^Received:/ IGNORE
/./ WARN

That might get too noisy in the logs, but at least you will know your 
alternate cleanup service is being used.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

2013-04-12 Thread Reindl Harald


Am 12.04.2013 16:52, schrieb /dev/rob0:
> I believe that DNS-based whitelisting will grow in importance, 
> especially in the IPv6 world. I expect to move into IPv6 with a 
> default-deny policy, where non-whitelisted hosts are rejected

how do you imagine this working?

in this case it would be better to stay on ipv4 altogether instead of
answering AAAA dns requests, which may be preferred by dual-stack
machines trying to deliver to your customers

it does not work that anybody who wants to send you e-mail must
prove that he is no spammer, really this does not work


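
Stan Hoeppner's suggestion, which /dev/rob0 weighs in the post below, is to script a provider's outbound CIDRs out of its SPF records and hand them to postscreen as a whitelist instead of waiting for a feature. The following is an added example of that scripting, not code from the thread or from Postfix: it expands an SPF record the way an evaluator would, following `include:` and `redirect=` and harvesting `ip4:`/`ip6:` mechanisms, expands each name only once (so an include loop terminates), and enforces the RFC 7208 limit of ten DNS-querying terms. DNS is stubbed with a constructed table whose names and addresses are all made up; `lookup_txt` is the one function to replace with a real resolver. `a`, `mx`, `ptr` and `exists` terms are counted against the limit but not resolved here, since they need A/MX/PTR queries of their own.

```python
import ipaddress
import re

# Constructed DNS TXT table standing in for real lookups. The layout (a top
# record that includes per-netblock records) mirrors the usual shape of a large
# provider's SPF, but every name and address here is invented.
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.com ip4:203.0.113.5 -all",
                    "some unrelated TXT record"],
    "_spf.example.com": ["v=spf1 include:_netblocks.example.com include:_netblocks2.example.com ~all"],
    "_netblocks.example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all"],
    "_netblocks2.example.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms per evaluation
NEEDS_DNS = re.compile(r"^(a|mx|ptr|exists)(?:[:/]|$)")


def lookup_txt(name, table):
    """Stand-in for a DNS TXT query; swap in a real resolver to use this for real."""
    return table.get(name.lower(), [])


def spf_record(name, table):
    """Return the single v=spf1 TXT record of a name, or raise (none or several)."""
    recs = [r for r in lookup_txt(name, table) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) != 1:
        raise ValueError("%s: expected exactly one SPF record, found %d" % (name, len(recs)))
    return recs[0]


def spf_networks(domain, table, max_terms=MAX_DNS_TERMS):
    """Collect the ip4/ip6 networks reachable from a domain's SPF record.

    Returns collapsed IPv4 networks followed by collapsed IPv6 networks.
    """
    v4, v6 = [], []
    seen = set()
    lookups = [0]

    def count_lookup(where):
        lookups[0] += 1
        if lookups[0] > max_terms:
            raise ValueError("more than %d DNS-querying SPF terms while expanding %s" % (max_terms, where))

    def walk(name):
        name = name.lower()
        if name in seen:  # include loops and diamonds: expand each name once
            return
        seen.add(name)
        for term in spf_record(name, table).split()[1:]:
            term = term.lstrip("+-~?")  # the qualifier does not matter when harvesting networks
            if term.startswith("ip4:"):
                v4.append(ipaddress.IPv4Network(term[4:], strict=False))
            elif term.startswith("ip6:"):
                v6.append(ipaddress.IPv6Network(term[4:], strict=False))
            elif term.startswith("include:"):
                count_lookup(name)
                walk(term[len("include:"):])
            elif term.startswith("redirect="):
                count_lookup(name)
                walk(term[len("redirect="):])
            elif NEEDS_DNS.match(term):
                count_lookup(name)  # would need A/MX/PTR queries; counted, not expanded here
            # "all", "exp=" and unknown modifiers contribute no networks

    walk(domain)
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def postscreen_access_list(domain, table):
    """Lines in the cidr: table format postscreen_access_list accepts."""
    return ["%s permit" % net for net in spf_networks(domain, table)]


if __name__ == "__main__":
    for line in postscreen_access_list("example.com", FAKE_TXT):
        print(line)
```

Regenerate the table on a schedule and reload postscreen's cidr: map; as the rest of the thread notes, a whitelist built this way says only that the address is the provider's outbound, not that it is trustworthy, so it belongs in front of the after-220 tests and not in place of the DNSBL checks.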


Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

2013-04-12 Thread /dev/rob0
On Fri, Apr 12, 2013 at 04:39:29AM -0500, Stan Hoeppner wrote
   Re: scripting a list of Google outbound CIDRs:
> This seems quite a bit less effort than Wietse adding the feature 
> you requested.  The end result is nearly identical, at least for 
> the Google case, and can easily be extended to cover other domains.

I did think of this, and yes, it would save us the pain which seems 
to hit every 30 days, as the after-220 tests for gmail expire. But 
extending it to cover other domains would not scale well. Which 
domains? What's the structure of their SPF records?

When you "easily extend" this idea it becomes much more onerous. And 
still sitting out there are those unused DNSWL scores.

Yes, unused. As it stands I could drop those checks from my config 
without noticing a change. There is very little overlap between the 
DNSWLs (I currently use SWL and dnswl.org) and reasonable, well-run 
DNSBLs. In my experience a few of the spamtrap-driven automated 
DNSBLs occasionally list a dnswl.org whitelisted host, but I don't 
recall having seen an instance where whitelisting prevented a 
rejection. And I have never found a blacklist entry for the (much 
smaller, I think) SWL zone.

A DNSWL entry says two things:
1. This is a real MTA, not a zombie
2. At one point someone trustworthy thought it was not
   spammer-controlled

Case 1 mostly entitles it to speak to smtpd, unless of course 
offsetting DNSBL scores overcome the whitelist score. By continuing 
on to check DNSBLs, Case 2 is addressed.

I believe that DNS-based whitelisting will grow in importance, 
especially in the IPv6 world. I expect to move into IPv6 with a 
default-deny policy, where non-whitelisted hosts are rejected.

> And with this method the Google outbounds skip all Postscreen 
> processing entirely, not just the after 220 tests.

I wouldn't want that. :) If one of these providers is seriously 
compromised, they'll be blacklisted, and I would want to check for 
that. I don't give Google my absolute trust. I think they may have 
improved, but I know they're not infallible.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
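As an added illustration of the scoring rob0 describes above (a whitelist score that a sufficiently heavy DNSBL listing can still overcome), the following Python is not Postfix code and not from anyone in this thread. It parses postscreen_dnsbl_sites entries of the form domain[=d.d.d.d][*weight], adds up the weights of the entries whose filter matches a lookup reply, and compares the total with postscreen_dnsbl_threshold. The zone names bl.example.net and bl2.example.org, the client addresses and every reply are constructed; list.dnswl.org and 127.0.5.1 are the values from the thread. It is a deliberate simplification: exact-match filters only, and each entry counts at most once.

```python
"""Simulate postscreen's weighted DNSBL/DNSWL scoring (constructed
example, not Postfix code).

Each postscreen_dnsbl_sites entry is domain[=d.d.d.d][*weight]; every
entry whose filter matches a lookup reply adds its weight, and a total of
postscreen_dnsbl_threshold or more blocks the client. Only exact-match
filters are modelled here, and each entry counts at most once.
"""
import re

# Constructed offline stand-in for the A records postscreen would receive
# for the reversed client address: client -> {zone: [replies]}.
# list.dnswl.org / 127.0.5.1 are the values from the thread; the other
# zones and addresses are placeholders.
FAKE_DNS = {
    "203.0.113.10": {"list.dnswl.org": ["127.0.5.1"]},
    "203.0.113.11": {"list.dnswl.org": ["127.0.5.1"],
                     "bl.example.net": ["127.0.0.2"]},
    "203.0.113.12": {"bl.example.net": ["127.0.0.2"],
                     "bl2.example.org": ["127.0.0.3"]},
    "203.0.113.13": {},
}

SITE_RE = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<filter>[^*\s]+))?(?:\*(?P<weight>-?\d+))?$")


def parse_site(spec):
    """Parse 'domain[=d.d.d.d][*weight]' into (domain, filter_or_None, weight).
    A missing weight means 1, as in postscreen."""
    m = SITE_RE.match(spec.strip())
    if not m:
        raise ValueError("bad postscreen_dnsbl_sites entry: %r" % spec)
    return m.group("domain"), m.group("filter"), int(m.group("weight") or 1)


def score_client(client, sites, dns=FAKE_DNS):
    """Return (total, hits); hits lists (domain, reply, weight) for each
    entry that matched one of the client's lookup replies."""
    total, hits = 0, []
    replies = dns.get(client, {})
    for spec in sites:
        domain, flt, weight = parse_site(spec)
        for reply in replies.get(domain, []):
            if flt is None or reply == flt:
                total += weight
                hits.append((domain, reply, weight))
                break  # one hit per entry in this simplified model
    return total, hits


def decide(client, sites, threshold=1, dns=FAKE_DNS):
    """Apply the postscreen_dnsbl_threshold rule (default threshold 1)."""
    total, _ = score_client(client, sites, dns)
    return "reject" if total >= threshold else "pass"


if __name__ == "__main__":
    SITES = ["bl.example.net*3", "bl2.example.org*2",
             "list.dnswl.org=127.0.5.1*-4"]
    for client in sorted(FAKE_DNS):
        total, hits = score_client(client, SITES)
        print(client, total, decide(client, SITES), hits)
```

With the weights in the usage block, the host that is only whitelisted scores -4, the whitelisted host with one listing scores -1 and still passes, and the twice-listed host scores 5 and is rejected; lower the whitelist weight to -2 and the single listing wins. That is the "offsetting DNSBL scores" case from the message. The score only ever decides the DNSBL test in the model above; what the thread asks for, letting a subzero score skip the after-220 tests as well, arrived later as postscreen_dnsbl_whitelist_threshold in Postfix 2.11.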


Re: Stripping Received: headers

2013-04-12 Thread Geoff Shang

On Fri, 12 Apr 2013, Wietse Venema wrote:

> You need to do "postfix reload" after editing master.cf.

I did.  I did it again for good measure - no difference.

> The submission_cleanup service will see the Received: header that
> was prepended by the submission server.

Is there any way I can be sure that the special cleanup agent is running? 
I see the socket /var/spool/postfix/public/submission_cleanup

> However, if your Milter adds headers then those aren't seen by
> header_checks; you would need to use milter_header_checks.

We don't appear to be using any milters, despite the 
'milter_macro_daemon_name=ORIGINATING'


Here's what I did in case I messed up:

master.cf:

# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

smtp  inet  n   -   -   -   -   smtpd
submission inet n   -   -   -   -   smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  # Use a special cleanup service so we can strip headers.
  -o cleanup_service=submission_cleanup

smtps inet  n   -   -   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  # Use a special cleanup service so we can strip headers.
  -o cleanup_service=submission_cleanup

submission_cleanup   unix  n   -   -   -   -   cleanup
  # Strip Received: lines from authenticated mail
  -o header_checks=pcre:/etc/postfix/header_checks



/etc/postfix/header_checks:

# Remove any Received: headers from authenticated mail.
/^Received:/ IGNORE



An example message.  The line is matched if I run it through postmap. 
Some details have to be obscured, sorry.  I'm on holiday so I'm not 
worried about letting the hostname through, you can all get it from my 
headers anyway.  Obviously I'm not posting from my work address.


Return-Path: 
X-Original-To: my.addr...@example.com
Delivered-To: my.addr...@example.com
Received: from [192.168.0.20] (dsl-mlibrasgw2-50de1c-161.dhcp.inet.fi 
[80.222.28.161])

by mail.example.com (Postfix) with ESMTPSA id DED281C40E9
for ; Fri, 12 Apr 2013 14:35:47 
+ (UTC)

Date: Fri, 12 Apr 2013 17:35:44 +0300 (EEST)
From: Geoff Shang 
X-X-Sender: ge...@my-pc.home
To: my.addr...@example.com
Subject: test
Message-ID: 
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

Geoff.


Re: Stripping Received: headers

2013-04-12 Thread Wietse Venema
Geoff Shang:
> On Fri, 12 Apr 2013, Geoff Shang wrote:
> 
> >> submission inet n   -   -   -   -   smtpd
> >>   -o cleanup_service=submission_cleanup
> >>
> >> submission_cleanup unix n   -   -   -   -   cleanup
> >>   -o header_checks=pcre:/etc/postfix/header_checks
> >> 
> >> would do the job.
> >
> > Thanks Wietse.  I think I will opt for this latter option.
> 
> hmm.  This didn't work.  I'm a bit stuck as to why.  I thought that 
> perhaps it might be running before the Received: header is created, but in 
> that case, I don't know why the example I linked to earlier that searches 
> for an authenticated header would work, while this would not.

You need to do "postfix reload" after editing master.cf.

The submission_cleanup service will see the Received: header that
was prepended by the submission server.

However, if your Milter adds headers then those aren't seen by
header_checks; you would need to use milter_header_checks.

Wietse


Re: Stripping Received: headers

2013-04-12 Thread Geoff Shang

On Fri, 12 Apr 2013, Geoff Shang wrote:

>> submission inet n   -   -   -   -   smtpd
>>   -o cleanup_service=submission_cleanup
>>
>> submission_cleanup unix n   -   -   -   -   cleanup
>>   -o header_checks=pcre:/etc/postfix/header_checks
>>
>> would do the job.
>
> Thanks Wietse.  I think I will opt for this latter option.

hmm.  This didn't work.  I'm a bit stuck as to why.  I thought that 
perhaps it might be running before the Received: header is created, but in 
that case, I don't know why the example I linked to earlier that searches 
for an authenticated header would work, while this would not.


Geoff.



Re: Serving Dovecot mailbox quota status to Postfix

2013-04-12 Thread Titanus Eramius
Fri, 12 Apr 2013 15:27:26 +0200 skrev Ralf Hildebrandt :

> * Titanus Eramius :
> 
> > Very useful, thank you for writing and sharing. May I suggest the
> > english Wiki-article for background on backscatter?
> 
> URL?
> 

Sorry, of course
http://en.wikipedia.org/wiki/Backscatter_(email)


Re: Serving Dovecot mailbox quota status to Postfix

2013-04-12 Thread Ralf Hildebrandt
* Titanus Eramius :

> Very useful, thank you for writing and sharing. May I suggest the
> english Wiki-article for background on backscatter?

URL?

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich



Re: Setting up secure submission for remote users

2013-04-12 Thread btb

On 2013.04.12 07.01, LuKreme wrote:
> In our previous episode (Thursday, 11-Apr-2013), b...@bitrate.net
> said:
>> you can certainly upgrade without breaking everything.  as with
>> anything else, it just takes some care and consideration.  as far
>> as procmail goes, i'd consider losing procmail to be a benefit.
>> why do you think you need it?
>
> Because I use it extensively.


that's a foregone conclusion.  the question is for what do you use it.  in the 
vast majority of cases, sieve can do everything procmail can do.  if you were 
to switch from courier to dovecot for imap, delivery via lmtp from postfix to 
dovecot offers a number of benefits, only one of which is easy integration of 
sieve.

-ben


Re: Stripping Received: headers

2013-04-12 Thread Geoff Shang

On Thu, 11 Apr 2013, Wietse Venema wrote:

> Geoff Shang:
> > submission inet n   -   -   -   -   smtpd
> >    -o smtpd_enforce_tls=yes
> >    -o smtpd_sasl_auth_enable=yes
> >    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >    -o milter_macro_daemon_name=ORIGINATING
> >    -o header_checks=pcre:/etc/postfix/header_checks
>
> As documented header_checks is not an smtpd(8) feature, it is
> a cleanup(8) feature.

Oh duh!  Thanks for pointing this out.

> The easiest way to give separate treatment to mail from the
> internal network versus mail from outside is to use separate
> Postfix instances.
>
> Otherwise,
>
> submission inet n   -   -   -   -   smtpd
>   -o cleanup_service=submission_cleanup
>
> submission_cleanup unix n   -   -   -   -   cleanup
>   -o header_checks=pcre:/etc/postfix/header_checks
>
> would do the job.


Thanks Wietse.  I think I will opt for this latter option.

Some have suggested smtp_header_checks, and I may use this in some places. 
But since this box will deliver some mail locally as well as externally, I 
think I will implement the separate cleanup process.


Thanks everyone for your input.

Geoff.
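The "Stripping Received: headers" thread above (Geoff's master.cf and header_checks, Wietse's point that header_checks is a cleanup(8) feature, rob0's /./ WARN line) turns on how cleanup(8) applies a header_checks table. The following Python is an added dry-run of that table logic; it is not Postfix code and not from anyone in the thread. It joins each header with its continuation lines into one logical header, tries the patterns in order, and lets the first match decide: IGNORE drops the header silently, WARN keeps it and logs. The sample message, its host names, addresses and queue id are constructed; joining continuation lines with a single space is an assumption made for the simulation.

```python
"""Dry-run Postfix-style header_checks against a message (constructed
example, not Postfix code).

cleanup(8) examines each logical header (a header together with its
continuation lines) once, tries the table's patterns in order, and the
first match decides the action. IGNORE deletes the header silently, WARN
keeps it and logs a warning, and a header that matches nothing passes
through. Continuation lines are joined with a single space here, which is
a simplification of what cleanup(8) hands to the pattern.
"""
import re

# Constructed table in the shape of the thread's pcre: file:
#   /^Received:/ IGNORE   -> strip Received: from authenticated submissions
#   /./ WARN              -> rob0's suggestion: log everything else, so the
#                            logs prove the submission_cleanup service is used
HEADER_CHECKS = [
    (re.compile(r"^Received:", re.I), "IGNORE"),
    (re.compile(r".", re.I), "WARN"),
]

# Constructed sample: the Received: header that the submission smtpd(8)
# prepends before cleanup(8) sees the message, folded over three lines.
# Host names, addresses and the queue id are placeholders.
SAMPLE_MESSAGE = (
    "Received: from [192.168.0.20] (client.example.net [198.51.100.7])\n"
    "\tby mail.example.com (Postfix) with ESMTPSA id 0123456789AB\n"
    "\tfor <someone@example.com>; Fri, 12 Apr 2013 14:35:47 +0000 (UTC)\n"
    "Date: Fri, 12 Apr 2013 17:35:44 +0300 (EEST)\n"
    "From: Sender <sender@example.com>\n"
    "To: someone@example.com\n"
    "Subject: test\n"
    "\n"
    "body text\n"
)


def split_headers(message):
    """Return (logical_headers, body); continuation lines (leading SP/HT)
    are folded into the preceding header."""
    head, _, body = message.partition("\n\n")
    logical = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical, body


def apply_header_checks(message, table=HEADER_CHECKS):
    """Return (rewritten_message, log_lines) after applying the table to
    each logical header; the first matching pattern wins."""
    headers, body = split_headers(message)
    kept, log = [], []
    for header in headers:
        for pattern, action in table:
            if pattern.search(header):
                if action == "IGNORE":
                    log.append("ignore: header %s" % header[:60])
                elif action == "WARN":
                    kept.append(header)
                    log.append("warning: header %s" % header[:60])
                else:
                    raise ValueError("unsupported action %r" % action)
                break
        else:
            kept.append(header)  # no pattern matched: pass through
    return "\n".join(kept) + "\n\n" + body, log


def header_names(message):
    """Names of the headers present, in order."""
    headers, _ = split_headers(message)
    return [h.split(":", 1)[0] for h in headers]


if __name__ == "__main__":
    out, log = apply_header_checks(SAMPLE_MESSAGE)
    print("\n".join(log))
    print(out)
```

Running it shows the three-line Received: header matched as one unit and removed, every remaining header logged once by the /./ WARN rule, and the body untouched. Note what this also removes: the Received: line is the record of where an authenticated submission came from and the hop count Postfix uses against mail loops, so rob0's caveats above apply.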



Re: Serving Dovecot mailbox quota status to Postfix

2013-04-12 Thread Robert Schetterer
Am 12.04.2013 13:24, schrieb Titanus Eramius:
> Thu, 11 Apr 2013 22:58:36 +0200 skrev Ralf Hildebrandt :
> 
>> I wrote a little something about how to prevent delivery to mailboxes
>> over quota while still being in the SMTP dialogue:
>> http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/
>> (Postfix/Dovecot)
>>
> 
> Very useful, thank you for writing and sharing. May I suggest the
> english Wiki-article for background on backscatter?

hm, it has no description of the special backscatter/quota smtp design
problem..., but anyway feel free to answer in Ralf's blog to link it

> 
> Cheers
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich


Re: Serving Dovecot mailbox quota status to Postfix

2013-04-12 Thread Wietse Venema
Ralf Hildebrandt:
> * Ralf Hildebrandt :
> > I wrote a little something about how to prevent delivery to mailboxes
> > over quota while still being in the SMTP dialogue:
> > http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/
> > (Postfix/Dovecot)
> 
> To be precise: Postfix/Dovecot-2.2

Very useful.

Wietse


Re: Serving Dovecot mailbox quota status to Postfix

2013-04-12 Thread Titanus Eramius
Thu, 11 Apr 2013 22:58:36 +0200 skrev Ralf Hildebrandt :

> I wrote a little something about how to prevent delivery to mailboxes
> over quota while still being in the SMTP dialogue:
> http://sys4.de/en/blog/2013/04/08/postfix-dovecot-mailbox-quota/
> (Postfix/Dovecot)
> 

Very useful, thank you for writing and sharing. May I suggest the
english Wiki-article for background on backscatter?

Cheers


Re: postfix and Berkeley DB

2013-04-12 Thread Wietse Venema
LuKreme:
[ Charset windows-1252 unsupported, converting... ]
> In our previous episode (Thursday, 11-Apr-2013), Reindl Harald said:
> > i can not imagine that this file is created by the postfix
> > of which you posted the ld-output because it is not linked
> > against it
> 
> I assure you it is. This is exactly why I am puzzled, though Sahil may have 
> provided the answer (see below)
> 
> I built postfix with:
> 
> make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH 
> -DUSE_CYRUS_SASL  -I/usr/local/include/mysql -I/usr/local/include/sasl'  
> 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto 
> -L/usr/local/lib -lsasl2'
> 

Which on FreeBSD uses the system berkeley DB 1.85.

> Then which of the libdb.so files on the system is postfix using?
> 
> # locate libdb.so
> /usr/local/lib/db42/libdb.so
> /usr/local/lib/db44/libdb.so
> /usr/local/lib/db48/libdb.so
> 
> I can recompile linking against the db48 version, as I assume that is the 
> best choice.
> 

Yes if Postfix has to inter-operate with programs that insist on db48.

FreeBSD supports multiple Berkeley DB versions in the same program
(each version uses distinct function names internally, so there are
no DLL hell problems).

Wietse


Re: postfix and Berkeley DB

2013-04-12 Thread LuKreme
In our previous episode (Thursday, 11-Apr-2013), Reindl Harald said:
> i can not imagine that this file is created by the postfix
> of which you posted the ld-output because it is not linked
> against it

I assure you it is. This is exactly why I am puzzled, though Sahil may have 
provided the answer (see below)

I built postfix with:

make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH 
-DUSE_CYRUS_SASL  -I/usr/local/include/mysql -I/usr/local/include/sasl'  
'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto 
-L/usr/local/lib -lsasl2'

# postconf -m
btree
cidr
environ
hash
internal
mysql
pcre
proxy
regexp
static
tcp
texthash
unix

In our previous episode (Thursday, 11-Apr-2013), Sahil Tandon said:
> As documented, Postfix uses the default Berkeley DB version that ships
> with your system, which I am assuming is FreeBSD. 

Yes, FreeBSD VeryOld-stable.

Then which of the libdb.so files on the system is postfix using?

# locate libdb.so
/usr/local/lib/db42/libdb.so
/usr/local/lib/db44/libdb.so
/usr/local/lib/db48/libdb.so

I can recompile linking against the db48 version, as I assume that is the best 
choice.

-- 
'And I promise you this,' he [Carrot] shouted, 'if we succeed, no-one
will remember. And if we fail, no one will forget!'



Re: Setting up secure submission for remote users

2013-04-12 Thread LuKreme
In our previous episode (Thursday, 11-Apr-2013), b...@bitrate.net said:
> you can certainly upgrade without breaking everything.  as with anything 
> else, it just takes some care and consideration.  as far as procmail goes, 
> i'd consider losing procmail to be a benefit.  why do you think you need it?

Because I use it extensively.

>> I’m also wondering if I can set dovecot up to only work with port 587 and 
>> keep cyrus-sasl for port 993, at least for now. I know it seems redundant, 
>> and it would be a stepping stone to ensure that current users are able to 
>> connect as they do now. (IMAP-SSL with “Password” for either local users or 
>> mysql users).
> 
> does this mean that you want to use dovecot sasl with postfix, for 
> submission, and cyrus sasl with your imap software?  it's certainly possible, 
> but i question the actual benefit.

The only benefit is that it would not change the current login procedures for 
Courier-IMAP.

-- 
"Eureka," he said. "Going to have a bath then?"



Re: Forwarding from a particular email address

2013-04-12 Thread Jerry
On Thu, 11 Apr 2013 17:41:25 -0400 (EDT)
Wietse Venema articulated:

> Mark Alan:
> > On Thu, 11 Apr 2013 06:56:13 -0400 (EDT), Wietse Venema
> >  wrote:
> > 
> > > That should be:
> > > 
> > > us...@example1.com us...@example1.com us...@example2.com
> > > us...@example3.com us...@example3.com us...@example4.com
> > 
> > Makes sense and perhaps it seems obvious for the postfix
> > developers, but I do not remember seeing such usage case
> > (a /etc/postfix/virtual file with user1 -> user1 user2) in the
> > postfix documentation, namely, neither at:
> > http://www.postfix.org/ADDRESS_REWRITING_README.html
> > nor at:
> > http://www.postfix.org/VIRTUAL_README.html.
> 
> This is in an unexpected place:
> 
> TABLE SEARCH ORDER
>        With lookups from indexed files such as DB or DBM, or from
>        networked tables such as NIS, LDAP or SQL, patterns are tried in
>        the order as listed below:
> 
>        user@domain address, address, ...
>               Redirect mail for user@domain to address. This form
>               has the highest precedence.
> 
>        ...other examples omitted...
> 
> The text under "TABLE FORMAT" needs some tweaking.
> 
>        pattern result
>               When pattern matches a mail address, replace it by
>               the corresponding result.
> 
> Maybe:
> 
>        pattern address, address, ...
>               When pattern matches a mail address, replace it by
>               the corresponding address(es).
> 
> Would do the job.

Yes, that is a much clearer description of how the option works.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html



Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

2013-04-12 Thread Wietse Venema
/dev/rob0:
> I finally got around to my upgrade to 2.11-20130405 and was watching 
> logs. A gmail message fell afoul of the after-220 tests; each time it 
> came from a different host. Each one got a "PASS NEW" and of course 
> the "450 4.3.2 Service currently unavailable" rejection.
> 
> These gmail outbounds are all listed in list.dnswl.org as 127.0.5.1, 
> and I give that a negative score in my postscreen_dnsbl_sites. So 
> with no offsetting DNSBL scores, these hosts all got a subzero score.
> It would be nice if we could put those whitelist scores to work, and 
> not have to maintain so big of a postscreen_access_list whitelist.

Disabling tests based on DNSWL score would make sense (currently
they "disable" DNSBL tests only). Perhaps this needs a "disable"
flag in the postscreen cache.

Wietse


Re: problem talking to server private/tlsmgr: Resource temporarily unavailable

2013-04-12 Thread Glòria Martínez
Thanks! We're already using /dev/urandom. We've installed haveged, to
increase the available entropy. Let's see if this works...

On Wed, Apr 10, 2013 at 1:58 PM, Wietse Venema  wrote:
>
> gloriamh:
> > We're experiencing the same kind of problem. Did you find the cause of the
> > problem? Is there some log we can activate to help us diagnose it?
>
> The most likely explanation is that tls_random_source uses a blocking
> random device (traditionally named as /dev/random).  Postfix needs
> a non-blocking random device (traditionally named as /dev/urandom).
>
> Wietse


Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

2013-04-12 Thread Stan Hoeppner
On 4/12/2013 12:58 AM, /dev/rob0 wrote:
...
> So here's my idea (I think the parameter names are lousy, but it's 
> the best I could come up with this late at night):
...

Or

Maybe you could bash script this:

dig +short txt _netblocks.google.com|sed s/ip4://g \
|mawk '{for(i=2; i<=(NF-1); i++){print($i)}}'

which yields this formatted list of Google outbound CIDRs:

216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
209.85.128.0/17
66.102.0.0/20
74.125.0.0/16
64.18.0.0/20
207.126.144.0/20
173.194.0.0/16

then diff this against your postscreen whitelist and append any new
entries.  You'd cron this to a $suitable_interval, say nightly.  If/when
Google adds any new outbound networks you're covered.

This seems quite a bit less effort than Wietse adding the feature you
requested.  The end result is nearly identical, at least for the Google
case, and can easily be extended to cover other domains.  And with this
method the Google outbounds skip all Postscreen processing entirely, not
just the after 220 tests.

-- 
Stan
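Stan's one-liner reads a single TXT record and keeps its ip4: tokens, and rob0's reply asks what happens for other domains with differently structured SPF records. The following Python is an added example of the general case; it is not Stan's script and not Postfix code. It walks the include: tree of an SPF policy, honours the RFC 7208 limit of ten DNS-querying terms, collects ip4:/ip6: networks and reports the ones missing from an existing postscreen_access_list cidr: table. The TXT answers are a constructed table, so nothing resolves over the network; _spf.example.com, the included names, the networks and the existing table are all placeholders.

```python
"""Expand an SPF policy into IP networks and diff them against a
postscreen_access_list CIDR table, offline (constructed example; not
Stan's one-liner and not Postfix code).

Walks include: recursively, enforces the RFC 7208 section 4.6.4 limit of
ten DNS-querying terms, keeps only "+"-qualified ip4:/ip6: terms, and
ignores a/mx/ptr/exists/all and redirect=, which would need live DNS.
"""
import ipaddress

# Constructed TXT answers (domain -> record). Placeholders, not real data.
FAKE_TXT = {
    "_spf.example.com": "v=spf1 include:_netblocks.example.com "
                        "include:_netblocks2.example.com ~all",
    "_netblocks.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all",
    "_netblocks2.example.com": "v=spf1 ip6:2001:db8::/32 ip4:203.0.113.0/24 ~all",
}

MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: at most 10 include/a/mx/ptr/exists


def spf_networks(domain, txt=FAKE_TXT, _budget=None, _seen=None):
    """Return the set of ip_network objects that domain's SPF record
    permits via ip4:/ip6: terms, following include: recursively."""
    budget = [MAX_DNS_TERMS] if _budget is None else _budget
    seen = set() if _seen is None else _seen
    if domain in seen:          # include: loops are cut short
        return set()
    seen.add(domain)
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier != "+":    # only "pass" terms describe legitimate outbounds
            continue
        mech = term.lstrip("+-~?")
        name = mech.split(":", 1)[0].lower()
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
        elif name == "include":
            if budget[0] <= 0:
                raise ValueError("SPF DNS-term limit exceeded at %s" % domain)
            budget[0] -= 1
            nets |= spf_networks(mech.split(":", 1)[1], txt, budget, seen)
        # a, mx, ptr, exists, all and redirect= need live DNS; skipped here
    return nets


def networks_as_strings(domain, txt=FAKE_TXT):
    """Sorted CIDR strings for domain's SPF networks."""
    return sorted(str(n) for n in spf_networks(domain, txt))


def parse_cidr_table(text):
    """Networks already present in a cidr_table(5) file ('network action'
    per line, '#' comments)."""
    have = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            have.add(ipaddress.ip_network(line.split()[0], strict=False))
    return have


def missing_entries(domain, existing_table, txt=FAKE_TXT):
    """Lines ('network permit') for SPF networks absent from the table,
    ready to append to postscreen_access_list's cidr: file."""
    have = parse_cidr_table(existing_table)
    new = [n for n in spf_networks(domain, txt) if n not in have]
    return ["%s permit" % n for n in sorted(new, key=lambda n: (n.version, n))]


# Constructed existing whitelist with one of the networks already present.
EXISTING_TABLE = "# constructed postscreen_access.cidr\n192.0.2.0/24 permit\n"

if __name__ == "__main__":
    for line in missing_entries("_spf.example.com", EXISTING_TABLE):
        print(line)
```

The term budget and the loop guard are the checks a practitioner wants before a cron job writes into a whitelist table unattended: an SPF record that never terminates, or one that includes far more than it should, stops the run instead of silently permitting whatever it happened to reach. Review the diff before appending it, as Stan suggests, since every network added this way skips postscreen entirely.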