Re: Yet another relay access denied problem
On 12/31/2014 12:49 AM, li...@rhsoft.net wrote:
> On 31.12.2014 at 05:58 Thom Miller wrote:
>> On 12/30/2014 09:35 PM, Jonathan Hermann wrote:
>>> Ok, then it's by design. So spamassassin/amavis will have to do.
>
> don't get me wrong, but reconsider setting up a complex, publicly
> reachable mailserver without having a *basic* understanding of how
> email works at all; otherwise you would not wonder that gmail, hotmail
> and all the others don't need the auth credentials of each and every
> user to send him his mails from their users
>
>>> On 28.12.2014 at 21:50 Wietse Venema wrote:
>>>> Jonathan Hermann:
>>>>> I can send mail from an external source (e.g. mail client on my
>>>>> notebook) to a local user (local on my mailserver) without
>>>>> authentication. I'm not sure, is this by design?
>>>>
>>>> By default, *any* system can send mail to a local address. Postfix
>>>> normally requires client authentication only when a client wants
>>>> to send mail to a remote address.
>>
>> If you don't want to receive any mail from other mail servers to your
>> postfix, you could blacklist all ips with postscreen
>> http://www.postfix.org/postscreen.8.html and make your authenticated
>> connections to port 587 with Thunderbird or whatever clients you
>> choose. Not certain if that's what you're looking for, but I get the
>> impression you do not expect incoming mail to Postfix
>
> uhm, if you don't want to receive from outside then just don't open
> port 25 in the firewall, or even remove the smtp line from master.cf
> so that postfix doesn't even listen on port 25 - but not start to
> configure postscreen for no valid reason - or just require auth in
> main.cf globally
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unlisted_sender
>     reject_authenticated_sender_login_mismatch
>     permit_sasl_authenticated
>     reject

I think your solution is much easier, but since he's using Fetchmail,
which I believe uses SMTP to talk to his mail server, he'll need to
leave the smtp line in master.cf. Blocking 25 at the firewall is fine.
Requiring auth on 25 would require Fetchmail to be configured to
authenticate to forward what it brings in, which I'm sure it can do.
Postscreen only came to mind as a first thought because I was actively
making changes to it right before I read the message. Blocking at the
firewall is probably the best choice.

-Thom
New year
Here is wishing you all a very happy and prosperous new year.

--
John Allen
KLaM
--
Support bacteria. They're the only culture some people have.
Re: New year
Happy New Year everyone!

Peter

On 12/31/2014 11:45 PM, John wrote:
> Here is wishing you all a very happy and prosperous new year.
Re: New year
happy new year :)

On 31.12.2014 at 11:45 John wrote:
> Here is wishing you all a very happy and prosperous new year.
Why is Sender address rejected ?
Hi

This email is getting rejected.

Dec 31 05:26:04 mailserver postfix/smtpd[776]: NOQUEUE: reject: RCPT from unknown[68.232.198.34]: 450 4.1.8 bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com: Sender address rejected: Domain not found; from=bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com to=r...@xxx.com proto=ESMTP helo=mta.email.ivyexec.com

I can't understand why. It says Domain not found, but all the domains
seem to be OK.

    whois 68.232.198.34
    NetRange:       68.232.192.0 - 68.232.207.255
    CIDR:           68.232.192.0/20
    NetName:        EXACT-IP-NET-2
    NetHandle:      NET-68-232-192-0-1
    Parent:         NET68 (NET-68-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:
    Organization:   ExactTarget, Inc. (EXACT-7)
    RegDate:        2009-07-08
    Updated:        2012-03-02
    Ref:            http://whois.arin.net/rest/net/NET-68-232-192-0-1

    host 68.232.198.34
    34.198.232.68.in-addr.arpa domain name pointer mta.email.ivyexec.com.

    host mta.email.ivyexec.com
    mta.email.ivyexec.com has address 68.232.198.34

    host bounce.email.ivyexec.com
    bounce.email.ivyexec.com mail is handled by 10 bounce-mx.exacttarget.com.

Can someone please explain what I'm missing, and what to do to NOT
reject this legit email?

Thanks!
Roger
Re: Why is Sender address rejected ?
rogt3...@proinbox.com:
> Hi
>
> This email is getting rejected.
>
> Dec 31 05:26:04 mailserver postfix/smtpd[776]: NOQUEUE: reject: RCPT from unknown[68.232.198.34]: 450 4.1.8 bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com: Sender address rejected: Domain not found; from=bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com to=r...@xxx.com proto=ESMTP helo=mta.email.ivyexec.com

http://www.postfix.org/DEBUG_README.html#no_chroot

Try turning off chroot operation in master.cf

    A common mistake is to turn on chroot operation in the master.cf
    file without going through all the necessary steps to set up a
    chroot environment. This causes Postfix daemon processes to fail
    due to all kinds of missing files.

    The example below shows an SMTP server that is configured with
    chroot turned off:

    /etc/postfix/master.cf:
        # =================================================================
        # service type  private unpriv  chroot  wakeup  maxproc command
        #               (yes)   (yes)   (yes)   (never) (100)
        # =================================================================
        smtp      inet  n       -       n       -       -       smtpd

    Inspect master.cf for any processes that have chroot operation not
    turned off. If you find any, save a copy of the master.cf file, and
    edit the entries in question. After executing the command postfix
    reload, see if the problem has gone away.

    If turning off chrooted operation made the problem go away, then
    congratulations. Leaving Postfix running in this way is adequate
    for most sites.

        Wietse
Re: New year
Holm Kapschitzki:
> happy new year :)

As the 2015 dateline is racing across the globe, a prosperous 2015 to all.

        Wietse
Re: Why is Sender address rejected ?
On 31.12.2014 at 16:07 rogt3...@proinbox.com wrote:
> This email is getting rejected.
>
> Dec 31 05:26:04 mailserver postfix/smtpd[776]: NOQUEUE: reject: RCPT from unknown[68.232.198.34]: 450 4.1.8 bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com: Sender address rejected: Domain not found; from=bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com to=r...@xxx.com proto=ESMTP helo=mta.email.ivyexec.com
>
> I can't understand why. It says Domain not found, but all the domains
> seem to be OK

450 is a *temporary error*; the DNS did not respond at the moment the
incoming mail arrived

http://email.about.com/cs/standards/a/smtp_error_code.htm
Re: Why is Sender address rejected ?
On Wed, Dec 31, 2014, at 07:15 AM, Wietse Venema wrote:
> rogt3...@proinbox.com:
>> Hi
>>
>> This email is getting rejected.
>>
>> Dec 31 05:26:04 mailserver postfix/smtpd[776]: NOQUEUE: reject: RCPT from unknown[68.232.198.34]: 450 4.1.8 bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com: Sender address rejected: Domain not found; from=bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com to=r...@xxx.com proto=ESMTP helo=mta.email.ivyexec.com
>
> http://www.postfix.org/DEBUG_README.html#no_chroot
>
> Try turning off chroot operation in master.cf

I guess I don't understand what chroot has to do with this one domain
when everything else is working fine.

I have

    # Postfix master process configuration file. For details on the format
    # of the file, see the Postfix master(5) manual page.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd

None of the chroot columns in master.cf have a y, they all have a n.

Roger
Re: Why is Sender address rejected ?
On 31.12.2014 at 16:28 rogt3...@proinbox.com wrote:
> On Wed, Dec 31, 2014, at 07:15 AM, Wietse Venema wrote:
>> rogt3...@proinbox.com:
>>> This email is getting rejected.
>>>
>>> Dec 31 05:26:04 mailserver postfix/smtpd[776]: NOQUEUE: reject: RCPT from unknown[68.232.198.34]: 450 4.1.8 bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com: Sender address rejected: Domain not found; from=bounce-3984645_html-947564785-97845647-8946574...@bounce.email.ivyexec.com to=r...@xxx.com proto=ESMTP helo=mta.email.ivyexec.com
>>
>> http://www.postfix.org/DEBUG_README.html#no_chroot
>>
>> Try turning off chroot operation in master.cf
>
> I guess I don't understand what chroot has to do with this one domain
> when everything else is working fine.

you didn't make clear if you are building up a new server or if it only
affects a single domain - chroot is an often-made mistake and a wrong
default in some distributions like Debian

so since chroot is out of the question, why in the world do you bother
about a *temporary 450 reject* at all?

* it is temporary
* a sane delivering server tries again
* if not, it was a zombie - be happy
* you are not responsible for a foreign DNS
* even if it is a 5xx code it would not be *your* problem

> I have
>
>     # Postfix master process configuration file. For details on the format
>     # of the file, see the Postfix master(5) manual page.
>     #
>     # ==========================================================================
>     # service type  private unpriv  chroot  wakeup  maxproc command + args
>     #               (yes)   (yes)   (yes)   (never) (100)
>     # ==========================================================================
>     smtp      inet  n       -       n       -       -       smtpd
>
> None of the chroot columns in master.cf have a y, they all have a n
Re: Why is Sender address rejected ?
rogt3...@proinbox.com:
>> Try turning off chroot operation in master.cf
>
> I guess I don't understand what chroot has to do with this one domain
> when everything else is working fine.

What you see can happen when chrooted Postfix uses a DIFFERENT
resolv.conf file that points to a different DNS resolver. That's why I
suggest turning off chroot as a quick check.

        Wietse
Re: Why is Sender address rejected ?
On Wed, Dec 31, 2014, at 07:35 AM, Wietse Venema wrote:
> rogt3...@proinbox.com:
>>> Try turning off chroot operation in master.cf
>>
>> I guess I don't understand what chroot has to do with this one domain
>> when everything else is working fine.
>
> What you see can happen when chrooted Postfix uses a DIFFERENT
> resolv.conf file that points to a different DNS resolver. That's why I
> suggest turning off chroot as a quick check.
>
>         Wietse

Okay, that makes sense. But I don't have chroot ON. So I think
everything should be using the same resolv.conf and only the one DNS
server I have in there.

Roger
Re: Why is Sender address rejected ?
On 31.12.2014 at 16:38 rogt3...@proinbox.com wrote:
> On Wed, Dec 31, 2014, at 07:35 AM, Wietse Venema wrote:
>> rogt3...@proinbox.com:
>>>> Try turning off chroot operation in master.cf
>>>
>>> I guess I don't understand what chroot has to do with this one
>>> domain when everything else is working fine.
>>
>> What you see can happen when chrooted Postfix uses a DIFFERENT
>> resolv.conf file that points to a different DNS resolver. That's why
>> I suggest turning off chroot as a quick check.
>>
>>         Wietse
>
> Okay, that makes sense. But I don't have chroot ON. So I think
> everything should be using the same resolv.conf and only the one DNS
> server I have in there

what about reading the other responses too?

you are reporting a non-problem
[Solved]: They deliver packages, not email
On Wed, December 31, 2014 08:35, James B. Byrne wrote:
> One of our staff has requested that their United Parcel Service (UPS)
> account password be changed. They have not received the expected
> email providing the necessary ephemeral link to accomplish this.
> Checking the maillog I see these entries from yesterday and today:

Never mind, I found sender_access.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
config check - submission only system
I have a working solution for a submission-only system I'm setting up.
It seems to be doing what I need. There will be no local delivery. Even
the cronjobs on this system will be sent elsewhere.

The configuration is shown below. I've disabled several services; I
think they won't be required.

Suggestions and comments welcomed.

# postconf -n
alias_maps = hash:/etc/mail/aliases
config_directory = /usr/local/etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5
header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth
inet_protocols = ipv4
message_size_limit = 32768000
mynetworks =
smtp_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
smtp_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
smtp_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/virtual
smtpd_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
smtpd_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
smtpd_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache

# postconf -Mf
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=reject_sender_login_mismatch,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,permit_sasl_authenticated,reject
    -o syslog_name=postfix/submission

--
Dan Langille
http://langille.org/
Re: config check - submission only system
you don't want reject_unknown_recipient_domain for submissions because
a MUA can't handle a 4xx reject, and the same for
reject_unknown_sender_domain

smtpd_sender_restrictions is not needed at all if you enforce auth and
reject_authenticated_sender_login_mismatch

for a submission-only server add that as the only restriction to
main.cf, because after that it doesn't matter which port, with or
without TLS: you are enforcing SASL auth and forbidding foreign
unlisted senders

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    reject_rbl_client dnsbl.thelounge.net
    permit_sasl_authenticated
    reject

On 31.12.2014 at 16:47 Dan Langille wrote:
> I have a working solution for a submission-only system I'm setting up.
> It seems to be doing what I need. There will be no local delivery.
> Even the cronjobs on this system will be sent elsewhere.
>
> The configuration is shown below. I've disabled several services; I
> think they won't be required.
>
> Suggestions and comments welcomed.
They deliver packages, not email
One of our staff has requested that their United Parcel Service (UPS)
account password be changed. They have not received the expected email
providing the necessary ephemeral link to accomplish this. Checking the
maillog I see these entries from yesterday and today:

    grep '@ups' /var/log/maillog

    Dec 30 14:27:55 inet08 postfix-p25/smtpd[24854]: NOQUEUE: reject: RCPT from upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 SUASMTP.upsdiv.com: Helo command rejected: Host not found; from=ica.servi...@upsdocs.com to=foste...@harte-lyne.ca proto=ESMTP helo=SUASMTP.upsdiv.com
    Dec 30 14:50:10 inet08 postfix-p25/smtpd[25348]: NOQUEUE: reject: RCPT from upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 SUASMTP.upsdiv.com: Helo command rejected: Host not found; from=ica.servi...@upsdocs.com to=foste...@harte-lyne.ca proto=ESMTP helo=SUASMTP.upsdiv.com
    Dec 31 07:46:53 inet08 postfix-p25/smtpd[14499]: warning: Unable to look up MX host upsdocs.com for Sender address ica.servi...@upsdocs.com: No address associated with hostname
    Dec 31 07:46:53 inet08 postfix-p25/smtpd[14499]: NOQUEUE: reject: RCPT from upsmailer.acsbps.com[216.115.165.7]: 450 4.1.8 ica.servi...@upsdocs.com: Sender address rejected: Domain not found; from=ica.servi...@upsdocs.com to=foste...@harte-lyne.ca proto=ESMTP helo=SUASMTP.upsdiv.com
    Dec 31 08:12:42 inet08 postfix/smtp[15547]: 18C0261041: to=postmas...@upsdocs.com, relay=none, delay=0.17, delays=0.14/0/0.03/0, dsn=5.4.4, status=undeliverable (Host or domain name not found. Name service error for name=upsdocs.com type=: Host found but no data record of requested type)
    Dec 31 08:13:08 inet08 postfix/smtp[15547]: 5327A61041: to=postmas...@upsdocs.com, relay=none, delay=0.13, delays=0.13/0/0.01/0, dsn=5.4.4, status=undeliverable (Host or domain name not found. Name service error for name=upsdocs.com type=: Host found but no data record of requested type)

Checking with dig reveals this:

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> upsdocs.com MX
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62927
    ;; flags: qr rd ra; QUERY: 2, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;upsdocs.com.                   IN      A
    ;upsdocs.com.                   IN      MX

    ;; AUTHORITY SECTION:
    upsdocs.com.            600     IN      SOA     resolve01.sslra.com. internet.ups.com. 388909522 600 10800 604800 600

Attempting to send email to the postmaster achieves the expected
failure given the above:

    This is the mail system at host inet08.hamilton.harte-lyne.ca.

    Enclosed is the mail delivery report that you requested.

                       The mail system

    postmas...@upsdocs.com: Host or domain name not found. Name service
        error for name=upsdocs.com type=: Host found but no data record
        of requested type

So my question is: How do I deal with these dolts in a constructive
manner? I have to let this traffic through but I am not going to open
the floodgates to the rest of the world. I tried modifying our
helo_checks.pcre which successfully dealt with the initial connection
problem, but I am perplexed as to how to best handle the invalid sender
in this case. What is the recommended procedure, if any?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
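Both the ivyexec and the UPS reports in this digest start from the same kind of "NOQUEUE: reject" log line, and the replies all turn on the same two questions: is the code a temporary 4xx that the remote MTA will retry, and is the cause a DNS failure on the sender's side? The following triage script is an added example (my code, not from the thread or from Postfix) that answers both over a chunk of mail log; the log lines inside it are constructed with RFC 5737 addresses, modelled on the ones quoted above, and the regexes assume the standard smtpd log format with addresses in angle brackets.

```python
"""Triage Postfix smtpd "NOQUEUE: reject" lines: separate temporary 4xx deferrals
(a well-behaved sending MTA retries those by itself) from permanent 5xx rejects,
and pull out the DNS-related ones ("Domain not found", "Host not found") that
point at a sender whose DNS zone is broken. Added example, not from the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Real Postfix wraps addresses in <...>; the list archive stripped those brackets.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix[\w-]*/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<stage>\S+) from (?P<client>\S*?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>$"
)
# Warning smtpd logs right before a 4.1.8 "Sender address rejected" deferral.
MX_WARN_RE = re.compile(r"warning: Unable to look up MX host (?P<domain>\S+) for Sender address")

# Constructed sample log, modelled on the lines quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
Dec 31 05:26:04 mx1 postfix/smtpd[776]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <bounce-12345@bounce.example.net>: Sender address rejected: Domain not found; from=<bounce-12345@bounce.example.net> to=<roger@example.com> proto=ESMTP helo=<mta.example.net>
Dec 31 07:46:53 mx1 postfix-p25/smtpd[14499]: warning: Unable to look up MX host docs.example.org for Sender address service@docs.example.org: No address associated with hostname
Dec 31 07:46:53 mx1 postfix-p25/smtpd[14499]: NOQUEUE: reject: RCPT from mailer.example.org[198.51.100.7]: 450 4.7.1 <SMTPHOST.example.org>: Helo command rejected: Host not found; from=<service@docs.example.org> to=<staff@example.com> proto=ESMTP helo=<SMTPHOST.example.org>
Dec 31 09:01:12 mx1 postfix/smtpd[801]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 554 5.7.1 <victim@elsewhere.example>: Relay access denied; from=<spam@203.0.113.55.example> to=<victim@elsewhere.example> proto=SMTP helo=<localhost>
"""

@dataclass
class Reject:
    ts: str
    ip: str
    code: str      # SMTP reply code: "450" is temporary, "554" is permanent
    dsn: str       # enhanced status code, e.g. "4.1.8" (sender domain problem)
    subject: str   # what was rejected: a sender address, a HELO name or a recipient
    reason: str    # Postfix's explanation, e.g. "Sender address rejected: Domain not found"
    sender: str
    rcpt: str
    helo: str

    @property
    def temporary(self) -> bool:
        return self.code.startswith("4")

    @property
    def dns_related(self) -> bool:
        return "not found" in self.reason.lower()

    @property
    def sender_domain(self) -> str:
        return self.sender.rpartition("@")[2]

def parse_reject(line: str) -> Optional[Reject]:
    """Return a Reject for a NOQUEUE reject line, None for any other line."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    # The text reads "<thing>: Reason: detail"; peel off the thing once.
    subject, _, reason = m["text"].partition(": ")
    return Reject(m["ts"], m["ip"], m["code"], m["dsn"], subject.strip("<>"),
                  reason, m["sender"], m["rcpt"], m["helo"])

def triage(log_text: str) -> dict:
    """Count deferrals vs rejects and list the DNS-related deferrals worth a look."""
    rejects, mx_warnings = [], set()
    for line in log_text.splitlines():
        w = MX_WARN_RE.search(line)
        if w:
            mx_warnings.add(w["domain"])
        elif (rec := parse_reject(line)):
            rejects.append(rec)
    # A DNS-related 4xx may be a legitimate sender with a broken zone; that is the
    # case a check_client_access / check_sender_access exemption exists for.
    review = [{"ip": r.ip, "sender_domain": r.sender_domain, "helo": r.helo,
               "reason": r.reason, "mx_lookup_failed": r.sender_domain in mx_warnings}
              for r in rejects if r.temporary and r.dns_related]
    return {"deferred": sum(r.temporary for r in rejects),
            "rejected": sum(not r.temporary for r in rejects),
            "by_reason": Counter((r.ip, r.code, r.reason) for r in rejects),
            "review": review}

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"deferred (4xx): {s['deferred']}  rejected (5xx): {s['rejected']}")
    for (ip, code, reason), n in s["by_reason"].most_common():
        print(f"{n:3d}  {ip:<15} {code}  {reason}")
    for item in s["review"]:
        print("review:", item)
```

Run it against `grep NOQUEUE /var/log/maillog` output instead of SAMPLE_LOG to get the same breakdown for a real server; the "review" list is the short list of senders to check with dig before deciding on an exemption.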
Re: New year
Happy New Year my friends!!!

On 31.12.2014 at 16:17 Wietse Venema wrote:
> Holm Kapschitzki:
>> happy new year :)
>
> As the 2015 dateline is racing across the globe, a prosperous 2015 to all.
>
>         Wietse
Re: They deliver packages, not email
On Wed, December 31, 2014 08:35, James B. Byrne wrote:
> One of our staff has requested that their United Parcel Service (UPS)
> account password be changed. They have not received the expected
> email providing the necessary ephemeral link to accomplish this.
> Checking the maillog I see these entries from yesterday and today:

Forgot to add this:

Postfix-2.11.1

# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 32
debug_peer_list = 216.185.71.25
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5
delay_warning_time = 30m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
inet_protocols = all
mail_spool_directory = /var/spool/mail
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 209.47.176.0/26, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_minfree = 4096
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.11.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.hamilton.smtp.crt
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.hamilton.smtp.key
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unauth_destination, reject_unauth_pipelining, check_policy_service unix:/var/spool/postfix/postgrey/socket, check_policy_service unix:private/policyd-spf, sleep 1, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_mx_access hash:/etc/postfix/sender_mx_access, check_sender_ns_access hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.hamilton.smtp.crt
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.hamilton.smtp.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual.regexp

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
Re: They deliver packages, not email
James B. Byrne:
> One of our staff has requested that their United Parcel Service (UPS)
> account password be changed. They have not received the expected
> email providing the necessary ephemeral link to accomplish this.
> Checking the maillog I see these entries from yesterday and today:
>
>     grep '@ups' /var/log/maillog
>
>     Dec 30 14:27:55 inet08 postfix-p25/smtpd[24854]: NOQUEUE: reject: RCPT from upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 SUASMTP.upsdiv.com: Helo command rejected: Host not found; from=ica.servi...@upsdocs.com to=foste...@harte-lyne.ca proto=ESMTP helo=SUASMTP.upsdiv.com

upsdocs.com has no MX, A, or record. Thus, they fail the
reject_unknown_sender_domain test. They do have an NS record, though,
and you could put check_sender_ns_access before
reject_unknown_sender_domain, and permit all domains with an ups.com
DNS server...

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_ns_access hash:/etc/postfix/ns_access
        reject_unknown_sender_domain

/etc/postfix/ns_access:
    ups.com     permit

        Wietse
Re: They deliver packages, not email
On Wed, Dec 31, 2014 at 11:20:09AM -0500, Wietse Venema wrote:
>>     Dec 30 14:27:55 inet08 postfix-p25/smtpd[24854]: NOQUEUE: reject: RCPT from upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 SUASMTP.upsdiv.com: Helo command rejected: Host not found; from=ica.servi...@upsdocs.com to=foste...@harte-lyne.ca proto=ESMTP helo=SUASMTP.upsdiv.com
>
> upsdocs.com has no MX, A, or record. Thus, they fail the
> reject_unknown_sender_domain test. They do have an NS record, though,
> and you could put check_sender_ns_access before
> reject_unknown_sender_domain, and permit all domains with an ups.com
> DNS server...
>
> /etc/postfix/main.cf:
>     smtpd_sender_restrictions =
>         check_sender_ns_access hash:/etc/postfix/ns_access
>         reject_unknown_sender_domain
>
> /etc/postfix/ns_access:
>     ups.com     permit

UPS messed up, they publish SPF records, but have no MX, A or records.

    ;upsdocs.com.            ANY
    upsdocs.com.             SOA     resolve01.sslra.com. internet.ups.com. 388909522 600 10800 604800 600
    upsdocs.com.             NS      nsa.ups.com.
    upsdocs.com.             NS      nsb.ups.com.
    upsdocs.com.             TXT     "v=spf1 ip4:216.115.165.7 ~all"

You can also exempt their sole authorized IP address, or the domain
itself from reject_unknown_sender_domain via one of:

    check_client_access
    check_sender_access

--
        Viktor.
Re: They deliver packages, not email
On 12/31/2014 10:20 AM, Wietse Venema wrote:
> James B. Byrne:
>> One of our staff has requested that their United Parcel Service (UPS)
>> account password be changed. They have not received the expected
>> email providing the necessary ephemeral link to accomplish this.
>> Checking the maillog I see these entries from yesterday and today:
>>
>>     grep '@ups' /var/log/maillog
>>
>>     Dec 30 14:27:55 inet08 postfix-p25/smtpd[24854]: NOQUEUE: reject: RCPT from upsmailer.acsbps.com[216.115.165.7]: 450 4.7.1 SUASMTP.upsdiv.com: Helo command rejected: Host not found; from=ica.servi...@upsdocs.com to=foste...@harte-lyne.ca proto=ESMTP helo=SUASMTP.upsdiv.com
>
> upsdocs.com has no MX, A, or record. Thus, they fail the
> reject_unknown_sender_domain test. They do have an NS record, though,
> and you could put check_sender_ns_access before
> reject_unknown_sender_domain, and permit all domains with an ups.com
> DNS server...
>
> /etc/postfix/main.cf:
>     smtpd_sender_restrictions =
>         check_sender_ns_access hash:/etc/postfix/ns_access
>         reject_unknown_sender_domain
>
> /etc/postfix/ns_access:
>     ups.com     permit
>
>         Wietse

Sadly, check_sender_ns_access does not allow permit or OK. The OP will
need to use check_sender_access or check_client_access.

--
Noel Jones
Re: DNSSEC - DANE
On Wed, Dec 31, 2014 at 12:45:20AM -0500, John wrote:
>>> https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1
>>> https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4
>>
>> Sorry,
>>
>> https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1
>> https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.4
>
> Both of the above return object not found
>
> I assume that as they are both draft docs they come and go as the
> editors update them.

Well, no, IETF documents are retained indefinitely.

--
        Viktor.
Re: DNSSEC - DANE
On Wed, Dec 31, 2014 at 12:23:16AM -0500, John wrote:
>> smtpd_use_tls = yes
>> smtpd_tls_security_level = may
>
> Just so I get this right /smtpd_tls_security_level = dane/ is
> acceptable,

No, DANE TLS is for the sending (verifying) MTA only.

--
        Viktor.
Re: New year
Happy New Year.

On Dec 31, 2014, at 11:13 AM, Rene Diem | rds360.at d...@rds360.at wrote:
> Happy New Year my friends!!!
>
> On 31.12.2014 at 16:17 Wietse Venema wrote:
>> Holm Kapschitzki:
>>> happy new year :)
>>
>> As the 2015 dateline is racing across the globe, a prosperous 2015 to all.
>>
>>         Wietse
Re: DNSSEC - DANE
On December 31, 2014 12:37:52 PM Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Wed, Dec 31, 2014 at 12:45:20AM -0500, John wrote:
>>>> https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1
>>>> https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4
>>>
>>> Sorry,

Don't worry about it.

>>> https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1
>>> https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.4
>>
>> Both of the above return object not found
>>
>> I assume that as they are both draft docs they come and go as the
>> editors update them.
>
> Well, no, IETF documents are retained indefinitely.
>
> --
>         Viktor.