Re: smtpd map support for per-IP config?
On Sat, Jul 04, 2015 at 01:53:06PM -0400, Matt Saladna wrote:

> We have a multi-homed server with ~20 IP addresses that listen for incoming
> mail connections. I'd like to set up a personalized SSL certificate for 1 IP
> address over submission (non-SNI). I know this can be accomplished by adding
> a custom service in master.cf that uses smtpd with a sample config "-o
> smtp_bind_address=x.y.z -o smtpd_tls_cert_file=xyz".

The "smtp_bind_address" setting is pointless (has no effect on smtpd(8)).
The actual listen address is the one specified in master.cf.

> This works, but if I specify 1 service, then I must likewise enumerate all
> remaining IP addresses and define custom smtpd services in master.cf.

This is not necessary, just add a host to /etc/hosts that resolves to
all 19 addresses. Then use that hostname in master.cf. Make sure you
have "multi on" in /etc/hosts.conf (IIRC) on any OS that needs such a
setting to resolve a host to all its /etc/hosts addresses.

-- Viktor.

smtpd map support for per-IP config?
Hi folks,

We have a multi-homed server with ~20 IP addresses that listen for incoming
mail connections. I'd like to set up a personalized SSL certificate for 1 IP
address over submission (non-SNI). I know this can be accomplished by adding
a custom service in master.cf that uses smtpd with a sample config "-o
smtp_bind_address=x.y.z -o smtpd_tls_cert_file=xyz".

This works, but if I specify 1 service, then I must likewise enumerate all
remaining IP addresses and define custom smtpd services in master.cf. This
can be done with Makefile, but it's a tedious process yielding quite a bit
of service duplication when only 1 IP requires a custom configuration. I
know that approach will work.

But, is there a better solution? For example, a configuration parameter for
Postfix to continue startup if it cannot bind to a particular address or IP
address negation in smtp_bind_address, e.g. smtp_bind_address=!1.2.3.4 to
bind to all addresses except 1.2.3.4? Either that or something like
smtp_bind_dependent_maps and use a hash such as:

    1.2.3.4 -o smtpd_tls_cert_file=/etc/pki/postfix.pem \
            -o smtpd_enforce_tls=yes

That would make configuration per-IP significantly more maintainable.

- Matt

Re: reject_rbl_client applied to prior hosts in delivery chain?
On 7/3/2015 10:04 PM, Jim Garrison wrote:

> I use
>
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client cbl.abuseat.org,
>
> which I find catches about 98% of SPAM.
>
> I also receive mail at an address that is a forwarding mailbox and
> sends mail to my Postfix server. The provider of that mailbox uses a
> SPAM filtering service that is significantly less effective than my RBL
> recipe above. Since, from my server's viewpoint, the client is the
> forwarding service provider (which is trusted), all that SPAM makes it
> into my mailbox.
>
> What I'd like to do is apply the same RBL client filtering to hosts
> further back in the delivery chain than the immediate client. I.e.
> given a chain of Received headers like this:
>
>> Received: from acmsmtp01.acm.org (ACMSMTP01.acm.org [64.238.147.78])
>> Received: from in-002.ord.mailroute.net
>> Received: from localhost (localhost.localdomain [127.0.0.1])
>> Received: from in-002.ord.mailroute.net ([199.89.2.5])
>> Received: from theshoemart.wc09.net (theshoemart.wc09.net [74.203.48.129])
>> Received: from arbt04.whatcounts.com (172.16.3.34) by theshoemart.wc09.net
>
> run all the hosts through the RBL lookup and reject if any of the
> hosts get a positive result. Is this possible?
>
> -- Jim Garrison

Not possible in postfix. And generally unwise to reject relayed mail as
it turns the upstream relay into a backscatter source.

Your only real choice is to use some filtering solution such as
SpamAssassin to tag-and-deliver ALL mail, possibly sorting unwanted mail
into a junk folder.

-- Noel Jones

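Added example, not part of the thread and not SpamAssassin's code: a sketch of the tag-and-deliver check a content filter could run over the Received chain quoted above, adding headers instead of rejecting. The X-Spam-Relay-Listed header name, the function names and the stub lookup (which stands in for a real DNS query) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the Received chain quoted in the thread, newest hop first.
SAMPLE_HEADERS = """\
Received: from acmsmtp01.acm.org (ACMSMTP01.acm.org [64.238.147.78])
Received: from in-002.ord.mailroute.net
Received: from localhost (localhost.localdomain [127.0.0.1])
Received: from in-002.ord.mailroute.net ([199.89.2.5])
Received: from theshoemart.wc09.net (theshoemart.wc09.net [74.203.48.129])
Received: from arbt04.whatcounts.com (172.16.3.34) by theshoemart.wc09.net
"""

ZONES = ("zen.spamhaus.org", "b.barracudacentral.org", "cbl.abuseat.org")
IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def relay_ips(headers):
    """Public IPv4 addresses named in Received lines, in header order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    found = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for text in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:      # e.g. an octet above 255
                continue
            if ip.is_global and text not in found:  # skip loopback/private hops
                found.append(text)
    return found

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def tag_message(headers, is_listed, trusted=()):
    """Return headers to prepend for delivery-time sorting; never rejects."""
    hits = [(ip, zone) for ip in relay_ips(headers) if ip not in trusted
            for zone in ZONES if is_listed(dnsbl_name(ip, zone))]
    if not hits:
        return []
    detail = ", ".join(f"{ip} in {zone}" for ip, zone in hits)
    return ["X-Spam-Flag: YES", f"X-Spam-Relay-Listed: {detail}"]

def stub_lookup(name):
    # Stand-in for a DNS A-record query; this one listing is constructed.
    return name == "129.48.203.74.zen.spamhaus.org"
```

Received lines added before the first trusted relay are written by the sender, so a hit on them is a scoring signal for sorting into a junk folder, not proof of origin.
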
Re: Postfix + OpenDKIM - milter reject, come back later
Ok, let's forget this since it's definitely an opendkim problem, not postfix. I connected to it as a unix socket, and it works that way. Still a mystery why TCP won't work, but ok.
RE: Setting up multiple destination e-mail servers using transport
I do like this:

transport file:

    domain.com    to_domain.com:[192.168.1.108]

master.cf file:

    to_domain.com unix - - - - - smtp
        -o smtp_fallback_relay=[sub1-mx.hosts]

Marius.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Security Admin (NetSec)
Sent: Saturday, July 4, 2015 6:25 AM
To: postfix users
Subject: Setting up multiple destination e-mail servers using transport

I have a postfix mail gateway sitting in front of my internal Exchange 2013 mail servers. Currently have my "/etc/postfix/transport" file set to send mail to only one of those Exchange servers:

"domain.com    smtp:192.168.1.108"

Would like to set up multiple internal Exchange Server entries for failover purposes. I was thinking of doing something like this:

"domain.com    smtp:sub1-mx.hosts"

But I forget how and where to set up the "sub1-mx.hosts" file.

Any help would be appreciated...Ed

Re: Postfix + OpenDKIM - milter reject, come back later
On 2015-07-03 22:14, Steve Jenkins wrote:

> On Friday, July 3, 2015, Istvan Prosinger wrote:
>
>> What I can tell at this moment, is that I tried all that. Although I
>> usually delete the mail queue and then try to send one mail with mailx,
>> same thing happens. Nevertheless, it's not about the start sequence, I'm
>> quite sure of that.
>>
>> This is something very odd. Now I even tried to recompile OpenDKIM from
>> source and the same thing happens with it. Yeah for a start I'll check
>> why there are no OpenDKIM logs. That one is equally odd as refusing
>> miltering. I'm quite sure that there's some permission issue that I'm
>> missing (yes, selinux is disabled...)
>
> You referenced SELinux, so I'll assume you're using RHEL or CentOS. If so,
> just follow these steps:
>
> http://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>
> SteveJ
>
> --
> STEVE JENKINS
> steve@stevejenkins.com

Nice tutorial, Steve. Look, I have one too (without ads though!)

http://www.prosinger.net/index.php/opendkim-postfix/

Still, it doesn't solve my problem...