Re: Ask for Client Certificates

2014-02-02 Thread Patrik Båt
On Sat 1 Feb 2014 13:30:17, Bastian Blank wrote:
> On Wed, Jan 29, 2014 at 11:39:09AM +0100, Patrik Båt wrote:
>> I know this is a client problem, but has anyone seen any impact for
>> enabling this? Is it a big problem nowadays?
>
> I tried it once.  The client will ask its user for a usable
> certificate.

Yeah, ofc, but did you experience any problems?

>> And can you somehow explicitly set this to only specified clients to
>> request client certificate?
>
> How would you differentiate them?  I opted for using a different port.

IP I guess...

> Bastian







Re: SRS bounces not working in postfix

2014-02-02 Thread Jason Woods
Hi Michael,

I did some tweaks on pfixtools I will have to have a look and check for you (I 
use it too.)

It's not the ideal method though and a milter is really the correct way to do 
SRS as the canonical filters, although giving almost desired effect, aren't 
ideal or intended for this. I'm eventually switching to srs-milter and will be 
improving it.

Can you provide the pfixtools options you are using, and contents of the 
pfix-no-srs? Also the full bounce log entry including the user it showed could 
prove useful.

Thanks

Jason

> On 2 Feb 2014, at 22:57, Michael McCallister wrote:
> 
> Hi,
> 
> I am having some difficulty getting SRS to work properly with postfix and was 
> hoping someone here might be able to shed some light on my issue.  Some quick 
> background on the problem:
> 
> * Almost all email on this system just gets forwarded on elsewhere (no
>   local deliveries).  This is implemented via virtual
>   (virtual_alias_domains and virtual_alias_maps).
> * I am using pfix-srsd to handle envelope address rewriting:
>   https://github.com/Fruneau/pfixtools  I am not sure if this is the
>   recommended tool to implement SRS within postfix - I am open to
>   alternatives.
> * SRS deliveries work fine - it sends the email just like I would
>   expect and passes SPF tests
> * The problem I am having is with SRS bounces (i.e. a SRS delivery
>   results in a bounce - which must then be sent back to the original
>   sender).  Here is an example of the problem (please note that in the
>   below example, srsdomain.com is in mydestination):
> 
>   User 1 (us...@originaldomain.com) emails User 2
>   (us...@forwardingdomain.com) where us...@forwardingdomain.com is
>   configured in virtual_alias_maps and forwardingdomain.com is
>   configured in virtual_alias_domains. pfix-srsd is running fine on
>   srsdomain.com (same result with or without -I). However,
>   us...@forwardingdomain.com forwards to badaddr...@gmail.com which
>   does not exist (will result in a 550 from gmail on attempted delivery).
> o When us...@originaldomain.com sends an email to
>   us...@forwardingdomain.com, the sender address is rewritten to
>   srs0=pl7i=xe=originaldomain.com=us...@srsdomain.com as expected
> o postfix determines, via virtual_alias_maps, to deliver the mail
>   to badaddr...@gmail.com
> o The delivery to gmail.com results in a 550 and postfix then
>   bounces to srs0=pl7i=xe=originaldomain.com=us...@srsdomain.com
>   instead of us...@originaldomain.com. And here lies the problem -
>   I assumed it would bounce to us...@originaldomain.com (after
>   magically being rewritten by pfix-srsd) thereby alerting that
>   user of the problem, but instead when it delivers the bounce to
>   srs0=pl7i=xe=originaldomain.com=us...@srsdomain.com, postfix
>   issues a "status=bounced (unknown user:" error and deletes the
>   bounce.
> * pfix-srsd is configured as such in main.cf:
>     recipient_canonical_maps = cdb:/etc/postfix/pfix-no-srs.cf,
>         tcp:127.0.0.1:10002
>     recipient_canonical_classes = envelope_recipient
>     sender_canonical_maps = cdb:/etc/postfix/pfix-no-srs.cf,
>         tcp:127.0.0.1:10001
>     sender_canonical_classes = envelope_sender
> 
> It of course should be noted that I am a postfix noob - I have always used 
> qmail in the past for my MTA needs, but I am required to use postfix for this 
> - seems like a nice MTA btw :-)
> 
> Any advice on how to get bounces working? Am I using the wrong tool?  It 
> seems to be the most widely referenced SRS option for postfix and has active 
> development so I went with it.  I am running postfix 2.11 from source with 
> cdb db support added.  Am I better off running an older version?
> 
> Any help/advice is greatly appreciated.  My apologies if I missed something 
> obvious - I tried multiple different options before asking the list.  I of 
> course tried asking the pfixtools community about this first - but I think it 
> is really just one guy and have not heard anything back.
> 
> Michael
> 
> 


Re: regexp using virtual_alias_maps does not work?

2014-02-02 Thread Ray
Thanks Viktor.

I managed to get it working...

Not sure why recursive address rewriting is required but it seems to be
working now.

Thanks

Ray





Re: regexp using virtual_alias_maps does not work?

2014-02-02 Thread Viktor Dukhovni
On Sun, Feb 02, 2014 at 04:34:53PM -0800, Ray wrote:

> In this thread someone mentions that the regexp is recursive but I can't
> find this in the online documentation.

No, virtual alias rewriting is recursive, regardless of the underlying
map type.

http://www.postfix.org/ADDRESS_REWRITING_README.html#virtual

    Addresses found in virtual alias maps are subjected to another
    iteration of virtual aliasing, but are not subjected to canonical
    mapping, in order to avoid loops.

http://www.postfix.org/virtual.5.html

    The optional virtual(5) alias table rewrites recipient
    addresses for all local, all virtual, and all remote mail
    destinations.  This is unlike the aliases(5) table which
    is used only for local(8) delivery.  Virtual aliasing is
    recursive, and is implemented by the Postfix cleanup(8)
    daemon before mail is queued.

> The online documentation actually states that as soon as a match is found
> the search terminates with the result.

That's the wrong layer, regular expression tables indeed do that, but
virtual expansion takes that result and processes it recursively.

> This is consistent with the postmap -q key statement.
> When I run the postmap -q  regexp:valias I get exactly the results I
> am looking for. However when running through postfix it doesn't work.

Again wrong layer.  Table lookup is not virtual expansion which performs
multiple table lookups.

-- 
Viktor.
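
The two layers distinguished in the reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model in which `lookup_once` plays the regexp table (first match wins, which is what `postmap -q` shows) and `expand` plays virtual alias expansion (each result is looked up again). The tables are constructed from the valias file in the thread; `MYORIGIN` and the identity rule in `WITH_IDENTITY` are assumptions.

```python
import re

MYORIGIN = "mail.example.test"  # assumed $myorigin, appended to bare results

# Constructed table modelled on the valias file quoted in the thread.
CATCH_ALL = [
    (r"ray@ourdomain\.com\.au", "@ourdomain.local"),
    (r".*", "mailtest"),
]

# Assumed variant: addresses that must survive map to themselves before the
# catch-all (in a regexp table: /^(.*@ourdomain\.local)$/  $1).
WITH_IDENTITY = [
    (r"^ray@ourdomain\.com\.au$", "@ourdomain.local"),
    (r"^.*@ourdomain\.local$", r"\g<0>"),
    (r".*", "mailtest"),
]

def lookup_once(table, address):
    """Table layer: the first matching pattern wins, then the search stops."""
    for pattern, rhs in table:
        m = re.search(pattern, address, re.IGNORECASE)
        if m:
            return m.expand(rhs)
    return None

def complete(result, key):
    """'@domain' keeps the key's localpart; a bare name gets @MYORIGIN."""
    if result.startswith("@"):
        return key.split("@", 1)[0] + result
    return result if "@" in result else result + "@" + MYORIGIN

def expand(table, address, limit=1000):
    """Virtual alias layer: look each result up again until nothing changes."""
    seen = [address]
    for _ in range(limit):
        result = lookup_once(table, seen[-1])
        if result is None:
            break
        nxt = complete(result, seen[-1])
        if nxt in seen:  # maps to itself or loops back: stop
            break
        seen.append(nxt)
    return seen

if __name__ == "__main__":
    addr = "ray@ourdomain.com.au"
    print("single lookup:  ", lookup_once(CATCH_ALL, addr))
    print("catch-all table:", " -> ".join(expand(CATCH_ALL, addr)))
    print("identity rule:  ", " -> ".join(expand(WITH_IDENTITY, addr)))
```

With the catch-all table the single lookup returns the wanted result, but expansion feeds it back in and the `/.*/` rule captures it on the second pass.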


regexp using virtual_alias_maps does not work?

2014-02-02 Thread Ray
Hi all,

I am trying to create a LAB setup using postfix 2.8.12.

I have problems using the virtual_alias_maps and the regexp table (similar)
to the virtual-regex problem thread.
I have tried to implement the suggestions in this thread but I can't get it
to work.
In this thread someone mentions that the regexp is recursive but I can't
find this in the online documentation.
The online documentation actually states that as soon as a match is found
the search terminates with the result.
This is consistent with the postmap -q key statement.
When I run the postmap -q  regexp:valias I get exactly the results I
am looking for. However when running through postfix it doesn't work.

I am trying to capture all external email addresses into 1 local mailbox (on
the mailserver) and relay for some local addresses. This is to prevent email
going to our customers in our dev and test systems. 

my main.cf looks like this:
virtual_alias_domain=regexp:/etc/postfix/valias

the valias file looks like this:
/ray@ourdomain\.com\.au/  @ourdomain.local
/.*/  mailtest/

mailtest is a local mailbox in the maildir format.

Any help is appreciated. I do not necessarily need to use the
virtual-alias-maps but any setup that does what I need would be great.

Thanks in advance for any responses.
Ray 





SRS bounces not working in postfix

2014-02-02 Thread Michael McCallister

Hi,

I am having some difficulty getting SRS to work properly with postfix 
and was hoping someone here might be able to shed some light on my 
issue.  Some quick background on the problem:


 * Almost all email on this system just gets forwarded on elsewhere (no
   local deliveries).  This is implemented via virtual
   (virtual_alias_domains and virtual_alias_maps).
 * I am using pfix-srsd to handle envelope address rewriting:
   https://github.com/Fruneau/pfixtools  I am not sure if this is the
   recommended tool to implement SRS within postfix - I am open to
   alternatives.
 * SRS deliveries work fine - it sends the email just like I would
   expect and passes SPF tests
 * The problem I am having is with SRS bounces (i.e. a SRS delivery
   results in a bounce - which must then be sent back to the original
   sender).  Here is an example of the problem (please note that in the
   below example, srsdomain.com is in mydestination):

   User 1 (us...@originaldomain.com) emails User 2
   (us...@forwardingdomain.com) where us...@forwardingdomain.com is
   configured in virtual_alias_maps and forwardingdomain.com is
   configured in virtual_alias_domains. pfix-srsd is running fine on
   srsdomain.com (same result with or without -I). However,
   us...@forwardingdomain.com forwards to badaddr...@gmail.com which
   does not exist (will result in a 550 from gmail on attempted delivery).
 o When us...@originaldomain.com sends an email to
   us...@forwardingdomain.com, the sender address is rewritten to
   srs0=pl7i=xe=originaldomain.com=us...@srsdomain.com as expected
 o postfix determines, via virtual_alias_maps, to deliver the mail
   to badaddr...@gmail.com
 o The delivery to gmail.com results in a 550 and postfix then
   bounces to srs0=pl7i=xe=originaldomain.com=us...@srsdomain.com
   instead of us...@originaldomain.com. And here lies the problem -
   I assumed it would bounce to us...@originaldomain.com (after
   magically being rewritten by pfix-srsd) thereby alerting that
   user of the problem, but instead when it delivers the bounce to
   srs0=pl7i=xe=originaldomain.com=us...@srsdomain.com, postfix
   issues a "status=bounced (unknown user:" error and deletes the
   bounce.
 * pfix-srsd is configured as such in main.cf:
     recipient_canonical_maps = cdb:/etc/postfix/pfix-no-srs.cf,
         tcp:127.0.0.1:10002
     recipient_canonical_classes = envelope_recipient
     sender_canonical_maps = cdb:/etc/postfix/pfix-no-srs.cf,
         tcp:127.0.0.1:10001
     sender_canonical_classes = envelope_sender

It of course should be noted that I am a postfix noob - I have always 
used qmail in the past for my MTA needs, but I am required to use 
postfix for this - seems like a nice MTA btw :-)


Any advice on how to get bounces working? Am I using the wrong tool?  It 
seems to be the most widely referenced SRS option for postfix and has 
active development so I went with it.  I am running postfix 2.11 from 
source with cdb db support added.  Am I better off running an older version?


Any help/advice is greatly appreciated.  My apologies if I missed 
something obvious - I tried multiple different options before asking the 
list.  I of course tried asking the pfixtools community about this first 
- but I think it is really just one guy and have not heard anything back.


Michael




Re: Changing domain name and certificates

2014-02-02 Thread Andreas Schulze


Noel Jones:

> Probably the minimum is myhostname and the key/cert files. Something
> like:
>
> # master.cf
>
> 10.0.0.101:25   inet  n  -  n  -  -  smtpd
>   -o myhostname=old.example.com
>   -o smtpd_tls_key_file=/path/to/old.key
>   -o smtpd_tls_cert_file=/path/to/old.cert
>
> 10.0.0.102:25   inet  n  -  n  -  -  smtpd
>   -o myhostname=new.example.com
>   -o smtpd_tls_key_file=/path/to/new.key
>   -o smtpd_tls_cert_file=/path/to/new.cert


use macros!

# main.cf:
smtpd_tls_key_file = /etc/ssl/${myhostname}/key.pem
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert+intermediate.pem

# master.cf
10.0.0.101:25   inet  n  -  n  -  -  smtpd
 -o myhostname=old.example.com
10.0.0.102:25   inet  n  -  n  -  -  smtpd
 -o myhostname=new.example.com

Filesystem:
  /etc/ssl/old.example.com/key.pem
  /etc/ssl/old.example.com/cert+intermediate.pem
  /etc/ssl/new.example.com/key.pem
  /etc/ssl/new.example.com/cert+intermediate.pem

Andreas



Re: Address Rewriting vs Aliasing - I need all recipients to see each other

2014-02-02 Thread Viktor Dukhovni
On Sun, Feb 02, 2014 at 09:06:03AM -0500, Charles Marcus wrote:

> I want to set up an email alias for my domain, ie:
> 
> facilit...@example.com
> 
> That sends the email to two (or more) external addresses:
> 
> us...@example2.com
> us...@example2.com
> 
> Currently, if I set up the alias, each recipient only sees
> themselves as the recipient,

How's that done?  Generally, the message headers are unchanged and
all you see is the alias.  So not sure what you mean by "only
sees themselves".

> but I need all recipients to see each
> other, so each knows the other received it.

s/received it/was another recipient/

> I'd also like for one to be added as 'To:', and the other as 'CC:',
> but again, not really that important, as long as they will each see
> the other got it.

They can't know the other recipient got the message, they can only
know that it was alleged to have been sent to the other recipient,
and for this it is sufficient for them to know that they're both
targets of the alias.  The requirement you have is rather strange,
it appears to be appeasing someone's confusion rather than enlightened
interest.

All that said, Postfix has no facilities for 1-to-many header
recipient rewriting.  This would need to be done via procmail
or other external filter.

-- 
Viktor.


Re: Address Rewriting vs Aliasing - I need all recipients to see each other

2014-02-02 Thread Charles Marcus

Thanks for the reply Dominik, but...

On 2014-02-02 9:17 AM, Dominik George wrote:
>> Currently, if I set up the alias, each recipient only sees
>> themselves as the recipient, but I need all recipients to see each
>> other, so each knows the other received it.
>
> I do not quite understand that. Normally, when you use a simple alias,
> no addresses are rewritten, so the original headers should be preserved -
> resulting in all recipients seeing the alias rather than any of the
> resulting addresses.

That is precisely what is happening with my normal alias - but as I said 
in my email, that is NOT what I want.


I WANT each recipient to see ALL of the other recipients (I honestly 
don't see how that was unclear)...


Also - why did I receive no less than three copies of your email? Please 
keep traffic on list, and I don't need to be CC'd, as I'm on the list.


Thanks again,

--

Best regards,

Charles




Re: Address Rewriting vs Aliasing - I need all recipients to see each other

2014-02-02 Thread Dominik George
Hi Charles,

> Currently, if I set up the alias, each recipient only sees
> themselves as the recipient, but I need all recipients to see each
> other, so each knows the other received it.

I do not quite understand that. Normally, when you use a simple alias,
no addresses are rewritten, so the original headers should be preserved -
resulting in all recipients seeing the alias rather than any of the
resulting addresses.

Maybe there are canonical rewrites in place somewhere already?

Cheers,
Nik

-- 
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
 That means, D-BUS is a tool that makes software look better
than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296




Address Rewriting vs Aliasing - I need all recipients to see each other

2014-02-02 Thread Charles Marcus

Hi all,

I'm under the gun, and reading furiously, but I'm hoping someone will 
help point me in the right direction...


I want to set up an email alias for my domain, ie:

facilit...@example.com

That sends the email to two (or more) external addresses:

us...@example2.com
us...@example2.com

Currently, if I set up the alias, each recipient only sees themselves as 
the recipient, but I need all recipients to see each other, so each 
knows the other received it.


I would prefer they not see the original alias, but it isn't that important.

I'd also like for one to be added as 'To:', and the other as 'CC:', but 
again, not really that important, as long as they will each see the 
other got it.


I'm guessing I need to use Address Rewriting rather than just an alias, 
but I'm not sure which method or how to accomplish it.


Thanks,

Charles