Outbound TLS

2016-02-13 Thread Joy
May I know how I can force Postfix to use TLS if the remote MTA advertises
STARTTLS on port 25 when connecting to a remote server?

I am already using TLS and connecting from Outlook is working perfectly,
but when sending mail to Google it now says TLS fail.


Re: Outbound TLS

2016-02-13 Thread Christian Kivalo


On 13 February 2016 11:10:25 CET, Joy wrote:
>May I know how I can force Postfix to use TLS if the remote MTA advertises
>STARTTLS on port 25 when connecting to a remote server?
>
>I am already using TLS and connecting from Outlook is working
>perfectly,
>but when sending mail to Google it now says TLS fail.
Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all 
necessary information

At least postconf -n / postconf -Mf and log output of the TLS fail to Google

- Christian



Re: Outbound TLS

2016-02-13 Thread Nick Howitt

  
  
As far as I know Google use STARTTLS on port 587 and not port 25.
Have a look at
https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_smtp_authentication_to_isp
to see how to set up relaying via STARTTLS.

A word of caution though. I believe Google rewrites the from header
or reply-to header to the user name you use to authenticate. This
means if you are sending for multiple users with different gmail
accounts, you may need to investigate
smtp_sender_dependent_authentication and
sender_dependent_relayhost_maps.

Nick

On 13/02/2016 11:49, Christian Kivalo wrote:
> On 13 February 2016 11:10:25 CET, Joy wrote:
>> May I know how I can force Postfix to use TLS if the remote MTA advertises
>> STARTTLS on port 25 when connecting to a remote server?
>>
>> I am already using TLS and connecting from Outlook is working
>> perfectly,
>> but when sending mail to Google it now says TLS fail.
>
> Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all necessary information
>
> At least postconf -n / postconf -Mf and log output of the TLS fail to Google
>
> - Christian


Re: Outbound TLS

2016-02-13 Thread Wietse Venema
Christian Kivalo:
> 
> 
> On 13 February 2016 11:10:25 CET, Joy wrote:
> >May I know how I can force Postfix to use TLS if the remote MTA advertises
> >STARTTLS on port 25 when connecting to a remote server?
> >
> >I am already using TLS and connecting from Outlook is working
> >perfectly,
> >but when sending mail to Google it now says TLS fail.
> Take a look at http://www.postfix.org/DEBUG_README.html#mail and provide all 
> necessary information
> 
> At least postconf -n / postconf -Mf and log output of the TLS fail to Google

Indeed. google.com MX hosts support STARTTLS on port 25. If you
must verify certificates issued from third-party issuers, see:

http://www.postfix.org/postconf.5.html#tls_append_default_CA

Wietse

$ posttls-finger google.com
posttls-finger: Connected to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25
posttls-finger: < 220 mx.google.com ESMTP 207si21470864qhw.106 - gsmtp
posttls-finger: > EHLO tail.porcupine.org
posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
posttls-finger: < 250-SIZE 35882577
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
..lotsa stuff..
posttls-finger: certificate verification failed for 
aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: untrusted issuer 
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: 
subject_CN=aspmx.l.google.com, issuer_CN=Google Internet Authority G2, 
fingerprint=17:C3:E9:B6:EB:1C:7E:BB:95:67:BE:EA:E6:48:43:90:E0:24:95:03, 
pkey_fingerprint=AD:4B:02:AC:67:0F:96:F3:D1:85:C9:3D:E3:A2:04:B3:9A:0F:36:17
posttls-finger: Untrusted TLS connection established to 
aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: TLSv1.2 with cipher 
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
posttls-finger: > EHLO tail.porcupine.org
posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
posttls-finger: < 250-SIZE 35882577
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection 207si21470864qhw.106 - gsmtp
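Wietse's session shows the three facts smtp(8) logs for every outbound delivery in exactly this wording: whether a TLS session was established, at which trust level (Anonymous, Untrusted, Trusted or Verified), and why certificate verification failed. As an added example (not from the thread and not Postfix code), here is a small parser over constructed log lines in that format that reports which destinations only got unauthenticated encryption; the Google lines mirror Wietse's output, the example.* hosts and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the format smtp(8) uses (same wording as the
# posttls-finger output above). The Google lines mirror Wietse's session; the
# example.* hosts and their addresses are placeholders.
SAMPLE_LOG = """\
Feb 13 11:10:25 mx postfix/smtp[2001]: certificate verification failed for aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Feb 13 11:10:25 mx postfix/smtp[2001]: Untrusted TLS connection established to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 13 11:12:01 mx postfix/smtp[2002]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 13 11:13:44 mx postfix/smtp[2003]: Anonymous TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
Feb 13 11:15:02 mx postfix/smtp[2004]: Verified TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

TLS_RE = re.compile(
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
VERIFY_FAIL_RE = re.compile(
    r"certificate verification failed for (?P<host>[^\[\s]+)\[[^\]]+\]:\d+: (?P<reason>.+)$"
)

def parse_tls_log(text):
    """Map each destination host to its last TLS session plus any verification
    failures logged for it. A host that only has a failure line (the session was
    aborted, as happens at security level 'verify' or 'secure') keeps level None."""
    hosts = defaultdict(lambda: {"level": None, "proto": None, "cipher": None,
                                 "bits": 0, "verify_failures": []})
    for line in text.splitlines():
        m = VERIFY_FAIL_RE.search(line)
        if m:
            hosts[m["host"]]["verify_failures"].append(m["reason"])
            continue
        m = TLS_RE.search(line)
        if m:
            hosts[m["host"]].update(level=m["level"], proto=m["proto"],
                                    cipher=m["cipher"], bits=int(m["bits"]))
    return dict(hosts)

def unauthenticated_peers(hosts):
    """Destinations whose last session was encrypted but not authenticated:
    Anonymous (no certificate at all) or Untrusted (certificate not chained to a
    CA in smtp_tls_CAfile/CApath). This is what security level 'may' accepts, so
    an active attacker on the path could still intercept the mail."""
    return sorted(h for h, r in hosts.items()
                  if r["level"] in ("Anonymous", "Untrusted"))
```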



Virtual domains and mydestination

2016-02-13 Thread Dirk Stöcker

Hello,

with a recent update I got confused about virtual domains and 
mydestination, as they seem to do different things with subdomains.


I had the following setup:

mydomain = stoecker.eu
myhostname = mail.stoecker.eu
mydestination = $myhostname, localhost.$mydomain, $mydomain
virtual_alias_domains = ...a bunch of domains...
virtual_alias_maps = pcre:/etc/postfix/virtual-sub

where the virtual-sub assigns different mail addresses and groups of 
addresses to local users (including subdomains of stoecker.eu for each 
user). Each target is a local mailbox later delivered with dovecot.


Now I got the Punycode variant of stoecker.eu (xn--stcker-xxa.eu) as well 
and wanted to add it to virtual_alias_domains like all the other domains. 
It did not work, as the subdomains have been rejected. I only used 
subdomains for stoecker.eu before, so I never noticed that there is a 
difference.


Now I checked the Postfix virtual domain documentation and parameter 
descriptions and I don't understand it much better. Is it intended 
behaviour that mydestination includes subdomains and 
virtual_alias_domains does not?


I have now added "xn--stcker-xxa.eu" to mydestination and it works as expected, 
but I'd still like to understand what I am doing.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: Virtual domains and mydestination

2016-02-13 Thread Viktor Dukhovni

> On Feb 13, 2016, at 3:49 PM, Dirk Stöcker wrote:
> 
> Now I checked the Postfix virtual domain documentation and parameter 
> descriptions and I don't understand it much better. Is it intended 
> behaviour that mydestination includes subdomains and virtual_alias_domains 
> does not?

Neither includes sub-domains, however the default value of
relay_domains includes $mydestination.  I always set relay_domains
explicitly (either empty or to the desired domains).

-- 
Viktor.



Re: Virtual domains and mydestination

2016-02-13 Thread Dirk Stöcker

On Sat, 13 Feb 2016, Viktor Dukhovni wrote:

>> Now I checked the Postfix virtual domain documentation and parameter 
>> descriptions and I don't understand it much better. Is it intended 
>> behaviour that mydestination includes subdomains and 
>> virtual_alias_domains does not?
>
> Neither includes sub-domains, however the default value of
> relay_domains includes $mydestination.  I always set relay_domains
> explicitly (either empty or to the desired domains).


Ah, so because of that default they get accepted and because they are 
delivered to a local user the relay has no effect?


Am I right that "domains (and subdomains thereof)" is 
only true for relay_domains and that for virtual_alias_domains I always 
need to specify all the subdomains individually?


But after reading docs a bit more I think I can drop the 
virtual_alias_domains completely and let the PCRE based virtual_alias_maps 
do all the work?


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: Virtual domains and mydestination

2016-02-13 Thread Viktor Dukhovni

> On Feb 13, 2016, at 4:33 PM, Dirk Stöcker wrote:
> 
> Am I right that "domains (and subdomains thereof)" is only true for 
> relay_domains and that for virtual_alias_domains I always need to specify all 
> the subdomains individually?

Yes, but see:

http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
http://www.postfix.org/postconf.5.html#relay_domains
http://www.postfix.org/postconf.5.html#virtual_alias_domains

> But after reading docs a bit more I think I can drop the 
> virtual_alias_domains completely and let the PCRE based virtual_alias_maps do 
> all the work?

Well, whether or not you define virtual_domains is completely independent
of how rewriting is done.  And you can use regexp or similar tables for
virtual alias domains as well as virtual_alias_maps.

If a domain is a virtual alias domain (i.e. no valid mailboxes, just
rewrites to other domains) then say so.  If not, then don't.  If you
want virtual alias sub-domains you can do that, but it is a sign that
you're doing something very unusual and potentially wrong.

   virtual_alias_domains = pcre:${config_directory}/virtual-domains.pcre

virtual-domains.pcre:
   # example.com itself and every sub-domain of it; for a domain-list
   # lookup only the match counts, the right-hand side is ignored
   /(^|\.)example\.com$/  virtual

-- 
Viktor.
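The point of this exchange, as an added example that is neither Postfix code nor anyone's posted configuration: a small model of how a recipient domain is matched against mydestination, virtual_alias_domains and relay_domains, including the parent_domain_matches_subdomains rule and a pcre table entry of the kind Viktor shows. It runs Dirk's setup both with relay_domains left at its default and with it set explicitly as Viktor recommends; the default value of parent_domain_matches_subdomains is taken from postconf(5) and the class order from resolve(8).

```python
import re

# Added model of Postfix address-class matching; not Postfix code. Default value
# of parent_domain_matches_subdomains as documented in postconf(5): only these
# features treat "example.com" as also matching its sub-domains.
PARENT_DOMAIN_MATCHES_SUBDOMAINS = {
    "debug_peer_list", "fast_flush_domains", "mynetworks",
    "permit_mx_backup_networks", "qmqpd_authorized_clients",
    "relay_domains", "smtpd_access_maps",
}

def domain_in_list(domain, entries, param):
    """True if `domain` matches `entries` under the rules Postfix applies to `param`.
    An entry of the form "/regexp/ result" stands for a pcre:/regexp: table line."""
    domain = domain.lower().rstrip(".")
    implicit_subdomains = param in PARENT_DOMAIN_MATCHES_SUBDOMAINS
    for entry in entries:
        table = re.match(r"/(.+?)/\s*\S*$", entry)
        if table:
            if re.search(table.group(1), domain, re.IGNORECASE):
                return True
        elif domain == entry.lower():
            return True
        elif implicit_subdomains and domain.endswith("." + entry.lower()):
            return True
    return False

def classify(domain, config):
    """Address class that accepts `domain` (checked in the order resolve(8) uses),
    or None: the server would reject it with 'Relay access denied'."""
    for cls, param in (("local", "mydestination"),
                       ("virtual_alias", "virtual_alias_domains"),
                       ("relay", "relay_domains")):
        if domain_in_list(domain, config.get(param, []), param):
            return cls
    return None

# Dirk's setup with relay_domains left at its default, which is $mydestination.
DIRK_DEFAULT = {
    "mydestination": ["mail.stoecker.eu", "localhost.stoecker.eu", "stoecker.eu"],
    "virtual_alias_domains": ["xn--stcker-xxa.eu"],
    "relay_domains": ["mail.stoecker.eu", "localhost.stoecker.eu", "stoecker.eu"],
}
# Viktor's advice: set relay_domains explicitly (empty here) and, if sub-domains
# of a virtual alias domain are really wanted, declare them with a regexp table.
DIRK_EXPLICIT = {
    "mydestination": ["mail.stoecker.eu", "localhost.stoecker.eu", "stoecker.eu"],
    "virtual_alias_domains": [r"/(^|\.)xn--stcker-xxa\.eu$/ virtual"],
    "relay_domains": [],
}
```

With DIRK_DEFAULT a sub-domain of stoecker.eu is accepted only through the relay class, and a sub-domain of the Punycode domain is rejected; with DIRK_EXPLICIT the first is rejected and the second lands in the virtual alias class.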


Re: Deliver all mail from one domain to two servers [Solved]

2016-02-13 Thread Stuart Longland
Hi Sebastian, and Noel,
On 09/02/16 16:06, Sebastian Nielsen wrote:
> Try a recipient_bcc_maps using pcre:
> Eg, something like this:
> /^([^\@]*)\@yourdomain\.com$/ $1...@new.server.com
> 
> (first part is "match anything that does not contain a @", second is a 
> literal @, and the final part is the external domain that your border server 
> receives mail on)
> (Note, test around with the map on a test server  connected to 2 other test 
> server instances to "simulate" your setup before deploying this to a 
> production server)
> 
> And then you use a transport map to deliver the new domain to the new server.

I had a look at Noel's solution, and while it gives great flexibility,
it looked like a lot of work to implement.  (We hope this will be very
temporary and that we'll soon be cutting over to the new server
permanently.)

I first gave this a try on the new box, thinking I'd get it to forward
its mail to the old one.  The new one hosts the users as virtual
domains, and so recipient_bcc_maps didn't seem to work.

A few variations on the regex didn't seem to fix it.  Last night riding
home after a 10 hour stint doing the migration of the network, I thought
to try configuring the old server to BCC its mail to the new one.

I've tried that, and this seems to be working -- possibly because the
old server (based on the Zentyal groupware stack; Ubuntu 10.04, Postfix
and Zarafa) considers its users as local ones.

The new server uses an LDAP query that checks userPrincipalName which is
of the form u...@activedirectory.example.com and is created for all
users as well as checking for mail and otherMail attributes that match.

So I'm about to uncork the border router mail server which should open
the floodgates and let all the mail for our office flood to the newly
configured mail infrastructure.

Many thanks.
Regards,
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


