Re: Exploring DANE and Postfix
On Fri, Jul 31, 2015 at 12:07:02PM -0400, Mike wrote:

> > The key success metric will be whether you'll still remember that
> > you published TLSA records when it is time to deploy a new SSL
> > certificate.
> >
> > https://dane.sys4.de/common_mistakes#3
> > https://dane.sys4.de/common_mistakes
> >
> > At present indeed both of your domains are configured correctly.
> > Good luck.
>
> I had read the "common mistakes" page previously. Good, helpful stuff
> therein.
>
> Even before I read it, though, I modified the script I use to publish my
> certs to show a reminder prompt about adding/removing the TLSA records
> (with multiple TTL periods elapsed) *before* the new certs are published.

Excellent. I'm already looking forward to not having to send you a
failure notice! :-)

-- 
Viktor.
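The reminder prompt Mike describes can be turned into an actual pre-deploy check. This is an added example, not code from the thread or from Postfix: it derives the TLSA "3 1 1" rdata (SHA-256 of the DER SubjectPublicKeyInfo) from a certificate and refuses the rollover unless the new certificate's record is already published alongside the old one. The certificate skeleton and the set of "published" records are constructed inline; on a real host they would come from the certificate file and a DNS lookup of `_25._tcp.<mx host>`.

```python
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, for the constructed sample

def der(tag, body):
    """Minimal DER TLV encoder (short and long form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_walk(buf):
    """Yield (tag, body) for each top-level TLV in buf (definite lengths only)."""
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + ln]
        pos += ln

def spki_of(cert_der):
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from a certificate."""
    tbs = next(der_walk(next(der_walk(cert_der))[1]))[1]  # Certificate -> tbsCertificate
    fields = list(der_walk(tbs))
    if fields[0][0] == 0xA0:                 # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return der(*fields[5])                   # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation form of a TLSA record, e.g. '3 1 1 <hex sha256 of SPKI>'."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    digest = {0: data.hex(), 1: hashlib.sha256(data).hexdigest(),
              2: hashlib.sha512(data).hexdigest()}[mtype]
    return f"{usage} {selector} {mtype} {digest}"

def rollover_ok(published, old_cert, new_cert):
    """Pre-deploy check: new cert's 3 1 1 record is in DNS and the old one is still there."""
    return tlsa_rdata(new_cert) in published and tlsa_rdata(old_cert) in published

def sample_cert(key_bytes, serial):
    """Constructed, unsigned X.509 skeleton; only the SPKI matters for selector 1."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + der(0x30, b"") * 3 + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

With a real certificate, `cert_der` is the DER file (or `ssl.PEM_cert_to_DER_cert()` of the PEM) and `published` is the set of rdata strings currently answered for the MX host; renewing with the same key leaves the 3 1 1 record unchanged, which is why it survives routine renewals while a "3 0 1" record does not.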
Re: Exploring DANE and Postfix
On 7/31/2015 11:54 AM, Viktor Dukhovni wrote:
> On Fri, Jul 31, 2015 at 11:47:55AM -0400, Mike wrote:
>
>> To test the server's configuration, I found this site:
>> https://dane.sys4.de/
>> that lets me know if Postfix server DANE (along with DNSSEC and TLSA) is
>> working as expected. So far, everything is working quite well.
>
> The key success metric will be whether you'll still remember that
> you published TLSA records when it is time to deploy a new SSL
> certificate.
>
> https://dane.sys4.de/common_mistakes#3
> https://dane.sys4.de/common_mistakes
>
> At present indeed both of your domains are configured correctly.
> Good luck.
>

I had read the "common mistakes" page previously. Good, helpful stuff
therein.

Even before I read it, though, I modified the script I use to publish my
certs to show a reminder prompt about adding/removing the TLSA records
(with multiple TTL periods elapsed) *before* the new certs are published.

Thanks.
Re: Exploring DANE and Postfix
On Fri, Jul 31, 2015 at 11:47:55AM -0400, Mike wrote:

> To test the server's configuration, I found this site:
> https://dane.sys4.de/
> that lets me know if Postfix server DANE (along with DNSSEC and TLSA) is
> working as expected. So far, everything is working quite well.

The key success metric will be whether you'll still remember that
you published TLSA records when it is time to deploy a new SSL
certificate.

https://dane.sys4.de/common_mistakes#3
https://dane.sys4.de/common_mistakes

At present indeed both of your domains are configured correctly.
Good luck.

-- 
Viktor.
Re: Exploring DANE and Postfix
On 7/26/2015 2:11 PM, Wietse Venema wrote:
> Mike:
>> Postfix 2.11.5 on FreeBSD 10.1 AMD64
>>
>> I'm starting to look at implementing DANE on Postfix, and I have a
>> question or two...
>>
>> Reading the info here:
>> http://www.postfix.org/TLS_README.html#client_tls_dane
>>
>> I see the following prerequisite:
>> "A compile-time DNS resolver library that supports DNSSEC. Postfix
>> binaries built on an older system will not support DNSSEC even if
>> deployed on a system with an updated resolver library."
>
> Postfix needs to be built on a system where libresolv supports
> DNSSEC. This is already available in a FreeBSD 7.2 virtual machine
> that I have lying around.
>
> freebsd72% grep RES_USE_DNSSEC /usr/include/resolv.h
> #define RES_USE_DNSSEC 0x0020 /*%< use DNSSEC using OK bit in OPT */
>
>> I'm running unbound as my local resolver, but I don't know what Postfix
>> was compiled with, as I installed it from a FreeBSD package. Is there a
>> way to see if this prerequisite has been satisfied by the version of
>> Postfix I am running on my system?
>
> % strings /usr/libexec/postfix/smtp | grep -i tlsa
> lmtp_tls_force_insecure_host_tlsa_lookup
> smtp_tls_force_insecure_host_tlsa_lookup
> TLSA lookup error for %s:%u
> no TLSA records found
> TLSA records unusable
>
>> Another question - let's suppose I have succeeded in implementing DANE.
>> Will I see any evidence of that success in the Postfix logs or message
>> headers (such as I see for TLS)?
>
> With opportunistic TLSA, I suppose it will say something.
>
> Wietse
>

Bringing this thread to closure.

The domain in question has migrated to the new registrar and now has
DNSSEC enabled. In the logs for the Postfix client I see the "Verified" as
I noted in another email.

To test the server's configuration, I found this site:
https://dane.sys4.de/
that lets me know if Postfix server DANE (along with DNSSEC and TLSA) is
working as expected. So far, everything is working quite well.

Thanks for the assist.
(Now on to the next project)
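The "Verified" evidence Mike mentions is the first word of the Postfix smtp(8) TLS handshake log line (Anonymous, Untrusted, Trusted or Verified). This added example, not from the thread or from Postfix, parses such lines, tallies the trust level per destination, and flags destinations that were Verified earlier in the log and later fell back to a weaker level, which for a DANE peer is worth investigating (for instance, a TLSA lookup that stopped returning usable records). The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Postfix smtp(8) logs one line per TLS handshake; the first word is the trust level
# (Anonymous, Untrusted, Trusted or Verified). DANE-authenticated deliveries log "Verified".
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")

# Constructed sample log lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 31 12:00:01 mx postfix/smtp[1201]: Verified TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 31 12:00:05 mx postfix/smtp[1202]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Jul 31 12:01:10 mx postfix/smtp[1203]: Verified TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 31 12:02:33 mx postfix/smtp[1204]: Untrusted TLS connection established to mail.example.org[192.0.2.11]:25: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Jul 31 12:03:00 mx postfix/smtp[1205]: connect to mx.example.net[198.51.100.7]:25: Connection refused
"""

def parse_tls_lines(log_text):
    """Return (host, level) for every TLS handshake line, in log order; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            events.append((m.group("host"), m.group("level")))
    return events

def summarize(events):
    """Count handshakes per destination host and trust level."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, level in events:
        counts[host][level] += 1
    return {host: dict(levels) for host, levels in counts.items()}

def downgraded_hosts(events):
    """Hosts that were Verified earlier in the log and later got a weaker level.

    For a peer that publishes TLSA records this means Postfix could not use DANE for
    that delivery and fell back to unauthenticated TLS; check the peer's DNS and MX set.
    """
    seen_verified, flagged = set(), []
    for host, level in events:
        if level == "Verified":
            seen_verified.add(host)
        elif host in seen_verified and host not in flagged:
            flagged.append(host)
    return flagged
```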
Re: check_policy_service not working - need a 4eye method or..
On Fri, Jul 31, 2015 at 02:28:35PM +0200, Istvan Prosinger wrote:

> On 2015-07-30 17:23, wie...@porcupine.org wrote:
> >Istvan Prosinger:
> >>Hello everyone,
> >>
> >>I have this in main.cf (It's actually an attempt to implement
> >>cluebringer/policyd)
> >>
> >>smtpd_recipient_restrictions = check_policy_service
> >>inet:127.0.0.1:10031,
> >>   permit_mynetworks,
> >>   permit_sasl_authenticated,
> >>   reject_unauth_destination

You say that's what it is set to, but show no hard evidence. Try:

    postconf -n | mail -s "postconf -n output" ""

Then forward the body of that email to the list (as untouched as
possible, do not rewrap lines, avoid Outlook and HTML, ...).

-- 
Viktor.
Re: check_policy_service not working - need a 4eye method or..
> Istvan Prosinger:
> > On 2015-07-30 17:23, wie...@porcupine.org wrote:
> > > Istvan Prosinger:
> > >> Hello everyone,
> > >>
> > >> I have this in main.cf (It's actually an attempt to implement
> > >> cluebringer/policyd)
> > >>
> > >> smtpd_recipient_restrictions = check_policy_service
> > >> inet:127.0.0.1:10031,
> > >>    permit_mynetworks,
> > >>    permit_sasl_authenticated,
> > >>    reject_unauth_destination
> > >>
> > >> For some reason Postfix is ignoring the 1st row (the
> > >> check_policy_service one) - there's no trace in policyd log that
> > >> postfix
> > >> even tried to contact it, while it works fine when I telnet to it.
> > >
> > > Well maybe policyd is lying.
> > >
> > > Wietse
> >
> > I don't think so. I've tried to give false parameters here to Postfix
> > that should produce an error in the maillog, but Postfix is all happy,
> > carrying on...
>
> What is the output from:
>
> find / -name main.cf
>
> Wietse

Yeah, thought of that one.

[root@top ~]# find / -name main.cf
/etc/postfix/main.cf
/usr/libexec/postfix/main.cf
Re: check_policy_service not working - need a 4eye method or..
Istvan Prosinger:
> On 2015-07-30 17:23, wie...@porcupine.org wrote:
> > Istvan Prosinger:
> >> Hello everyone,
> >>
> >> I have this in main.cf (It's actually an attempt to implement
> >> cluebringer/policyd)
> >>
> >> smtpd_recipient_restrictions = check_policy_service
> >> inet:127.0.0.1:10031,
> >>    permit_mynetworks,
> >>    permit_sasl_authenticated,
> >>    reject_unauth_destination
> >>
> >> For some reason Postfix is ignoring the 1st row (the
> >> check_policy_service one) - there's no trace in policyd log that
> >> postfix
> >> even tried to contact it, while it works fine when I telnet to it.
> >
> > Well maybe policyd is lying.
> >
> > Wietse
>
> I don't think so. I've tried to give false parameters here to Postfix
> that should produce an error in the maillog, but Postfix is all happy,
> carrying on...

What is the output from:

find / -name main.cf

Wietse
Re: Postfix doesn't reject hard bounced emails
post...@pd.lv:
> Dear Postfix community,
> I'm having a problem with Postfix and I can't figure out what's wrong..
>
> I have configured Postfix to send and receive emails, but there is an
> issue with HARD bounced emails - they are not rejected and Postfix
> repeats sending them every x minutes and the user receives "Undelivered Mail
> Returned to Sender" multiple times.
>
> In mail.log I see: [..] delay=5.2, delays=0.11/0.01/0.07/5, dsn=4.3.0,
> status=deferred (bounce or trace service failure)

Unfortunately the verbose logging is irrelevant. All that is needed
is the SMTP client talking to the bounce service.

Did you make any improvements to Postfix source code?

Does the problem go away when you TURN OFF SELINUX, or whatever
"security" software is present on your system?

	Wietse
Re: check_policy_service not working - need a 4eye method or..
On Fri, 31 Jul 2015 14:28:35 +0200 Istvan Prosinger wrote:

> I don't think so. I've tried to give false parameters here to Postfix
> that should produce an error in the maillog, but Postfix is all happy,
> carrying on...

What false parameters did you try? Share your conf with us.
Re: check_policy_service not working - need a 4eye method or..
On 2015-07-30 17:23, wie...@porcupine.org wrote:
> Istvan Prosinger:
>> Hello everyone,
>>
>> I have this in main.cf (It's actually an attempt to implement
>> cluebringer/policyd)
>>
>> smtpd_recipient_restrictions = check_policy_service
>> inet:127.0.0.1:10031,
>>    permit_mynetworks,
>>    permit_sasl_authenticated,
>>    reject_unauth_destination
>>
>> For some reason Postfix is ignoring the 1st row (the
>> check_policy_service one) - there's no trace in policyd log that
>> postfix
>> even tried to contact it, while it works fine when I telnet to it.
>
> Well maybe policyd is lying.
>
> Wietse

I don't think so. I've tried to give false parameters here to Postfix
that should produce an error in the maillog, but Postfix is all happy,
carrying on...
Re: Tr : SMTP Error (451) Temporary lookup failure
Francois Martin:
> Hello,
>
> I have a VM on a CentOS 7 OpenVZ and I have installed Kolab.
> I just followed the procedure to make the Kolab multi-domain server with the
> following pages:
> https://docs.kolab.org/howtos/multi-domain.html#amavisd-changes
> http://kolab.org/blog/cornelius-hald/2015/01/05/kolab-3.3-multi-domain-setup-centos-7
>
> I can connect with users in new domains and send mail locally.
>
> When I try to send mail (with roundcube) to the outside, the following error
> message appears in the webmail:
> SMTP Error (451): failed when adding the recipient "ad...@mail.zimbra.com"
> (4.3.0 : Temporary lookup failure)
>
> What should I do to correct this?

Look In The LOG.

	Wietse
Tr : SMTP Error (451) Temporary lookup failure
Hello,

I have a VM on a CentOS 7 OpenVZ and I have installed Kolab.
I just followed the procedure to make the Kolab multi-domain server with the
following pages:
https://docs.kolab.org/howtos/multi-domain.html#amavisd-changes
http://kolab.org/blog/cornelius-hald/2015/01/05/kolab-3.3-multi-domain-setup-centos-7

I can connect with users in new domains and send mail locally.

When I try to send mail (with roundcube) to the outside, the following error
message appears in the webmail:
SMTP Error (451): failed when adding the recipient "ad...@mail.zimbra.com"
(4.3.0 : Temporary lookup failure)

What should I do to correct this?

Thank you in advance! :-)
Postfix doesn't reject hard bounced emails
Dear Postfix community,
I'm having a problem with Postfix and I can't figure out what's wrong..

I have configured Postfix to send and receive emails, but there is an
issue with HARD bounced emails - they are not rejected and Postfix
repeats sending them every x minutes and the user receives "Undelivered Mail
Returned to Sender" multiple times.

In mail.log I see: [..] delay=5.2, delays=0.11/0.01/0.07/5, dsn=4.3.0,
status=deferred (bounce or trace service failure)

I added -v to the bounce and qmgr daemons in master.cf, but still I can't
figure out what is wrong.

Here is the full log: http://pastebin.com/bsFDsFB9
And here is my config (below the config there is the master.cf config):
http://pastebin.com/u75w2qQ3

Could there be an issue with my config, or is there a bug in Postfix 2.11.0?

I posted the same question on serverfault, but there are no answers:
http://serverfault.com/questions/709741/postfix-hard-bounced-emails-are-not-rejected

I would appreciate it if anyone could help me solve this.. Thanks!

With regards,
Agris