Re: need little help with DKIM, if possible.
On Thu, 3/16/17, Fazzina, Angelowrote: Subject: need little help with DKIM, if possible. To: "postfix-users@postfix.org" Date: Thursday, March 16, 2017, 12:19 PM Hi, I ran this. opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM which created the private key and selector name [] That selector name is inappropriate. If you want to use something that long, use dashes instead of underscores. But there is no reason to use something that complicated. I just use 'dkim' for mine. I am learning by reverse engineering [] Don't do that. :) Different sites have different needs, and you really don't need anything as complex as Google's. This is a pretty good tutorial for a single domain: https://help.ubuntu.com/community/Postfix/DKIM Obviously you can ignore the Ubuntu-specific parts if you're not using Ubuntu. Also, I would not use autorestart, see the man page for why. If you are setting up multiple domains the configuration is slightly more complex, but still not that difficult. In regards to your DNS question, assuming you pick 'dkim' for your selector, and your domain is 'uconn.edu' you would want to put the following record in the uconn.edu zone file: dkim._domainkey TXT ( "v=DKIM1; k=rsa; t=y;" "p=;" ) When you're done testing you can remove t=y; from the above example. hope this helps, Doug
Re: How to get mail relay to work
On 2017-03-16 09:34 PM, paul.greene.va wrote: I've been given a task to get a freshly installed postfix server to forward mail from an application - i.e. when changes are made to an application, the application is supposed to send an email notification to a specified email address. I'm not sure that this is even a Postfix question. I assume that there is some trigger in the application that handles changes. That application just needs to send an email. Whatever mail server you are using should be irrelevant. In fact, you could punt elsewhere and not have a mail server at all. Perhaps I am not understanding the challenge. -- D'Arcy J.M. Cain System Administrator, Vex.Net http://www.Vex.Net/ IM:da...@vex.net VoIP: sip:da...@vex.net
How to get mail relay to work
Hello All, Apologies in advance - I'm brand new to postfix; hopefully this question won't be too newbish. I've been given a task to get a freshly installed postfix server to forward mail from an application - i.e. when changes are made to an application, the application is supposed to send an email notification to a specified email address. There is an existing functioning postfix server that this new one is replacing - the old one is running on redhat 6, postfix version 2.6; the new one is running on redhat 7, postfix version 2.10. I grepped for all of the uncommented lines in /etc/postfix/main.cf on both the old and the new server and compared them; the configuration was the same on both. The "relayhost = " parameter and the "mynetworks =" parameter was the same on both This mail server isn't being used as a general mail server where users are communicating with each other. It's only used for applications to send out notifications. Besides /etc/postfix/main.cf, is there any other config files that need to be edited to enable this mail relaying? Paul
Re: Execute linux commands after receive a mail...
On Thu, 16 Mar 2017 11:29:56 -0500 Noel Joneswrote: > On 3/16/2017 11:18 AM, Gilberto Nunes wrote: > > Hello folks... > > > > I just need execute some command after receive a mail... > > > > I found this site: > > > > https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/ > > > > This can be achieve with shell script as well?? > > The above site is an example of a simple content_filter using a PHP > script. The postfix docs contain a similar example using a shell > script. > http://www.postfix.org/FILTER_README.html#simple_filter > > I had no idea you could receive email on any port. I wonder how many ISPs allow this. In any event, would this be THE scheme to use for an IOT application? That is send an email to turn on/off a sprinker, light, etc. The idea being postfix et all does all the security, AKA the hard part.
Re: need little help with DKIM, if possible.
Fazzina, Angelo: > Hi, > I ran this. > opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s > 2017_uconn_DKIM > which created the private key and selector name > > > I created an entry in DNS and it shows up when I run this. > dig any mta4.uits.uconn.edu > > My issue is how do I get this command to work ? > dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT Works for me, and I tried all three hosts with the NS record for uconn.edu. > > I am learning by reverse engineering the fact that I saw this > worked. dig google._domainkey.protodave.com TXT got it from here. > https://protodave.com/security/checking-your-dkim-dns-record Reverse engineering is not needed. All internet protocol specs are on-line, available at no cost other than your Internet connection. Wietse
need little help with DKIM, if possible.
Hi, I ran this. opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM which created the private key and selector name I created an entry in DNS and it shows up when I run this. dig any mta4.uits.uconn.edu My issue is how do I get this command to work ? dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT I am learning by reverse engineering the fact that I saw this worked. dig google._domainkey.protodave.com TXT got it from here. https://protodave.com/security/checking-your-dkim-dns-record/ Anyone with time to help thanks, if your too busy no problem. -ALF P.S. this is all POC stuff not in production. -Angelo Fazzina Operating Systems Programmer / Analyst University of Connecticut, UITS, SSG, Server Systems 860-486-9075
Re: cloud9 rejecting my mail
> On Mar 16, 2017, at 2:37 PM, Wietse Venemawrote: > >> When trying to sign up for the list from my regular e-mail address >> (served by my Postfix mail server, on a vhost at Arp Networks) I >> got the following: >> >> : host mail.cloud9.net[2604:8d00:0:1::4] >> said: 554 5.7.1 : Helo command rejected: Access denied >> (in reply to RCPT TO command) Note the use of IPv6 here. Many large providers have chosen to set the bar higher for IPv6 than IPv4. In particular: * PTR records are generally mandatory * SPF and/or DKIM records are often mandatory sadly, while CSA records would have been much more appropriate here, https://tools.ietf.org/html/draft-crocker-csv-csa-00 that idea went nowhere, in the rush to "solve phishing", which of course did not happen with SPF/DKIM/... Anyway, it is quite possible that the problem is that Doug's server has IPv6 connectivity, and he either needs to jump through more hoops... or disable IPv6 in Postfix: inet_protocols = ipv4. -- Viktor.
Re: cloud9 rejecting my mail
Yes, the simple ways are usually best. :) My first message on this topic did CC the postmaster, but it got bounced from the list because it had the subsc word in it. Still waiting on a response. Doug On Thu, 3/16/17, Wietse Venemawrote: Subject: Re: cloud9 rejecting my mail To: "Postfix users" Date: Thursday, March 16, 2017, 11:37 AM Doug: > When trying to sign up for the list from my regular e-mail address > (served by my Postfix mail server, on a vhost at Arp Networks) I > got the following: > > : host mail.cloud9.net[2604:8d00:0:1::4] > said: 554 5.7.1 > : Helo command rejected: Access denied (in reply > to RCPT TO command) > > That's very odd, as for several years I've never had mail rejected > before. I have rDNS for my IPv4 and IPv6 addresses, SPF, DKIM, > DMARC, etc. (All working) I can send to big providers like Google > and Yahoo! with no issues as well. > > Can anyone point me in the right direction as to why cloud9.net > is shutting me down? If there is a problem I'm happy to fix it. > :) Maybe the old-fashioned way - ask postmaster@ Wietse
Re: cloud9 rejecting my mail
Doug: > When trying to sign up for the list from my regular e-mail address > (served by my Postfix mail server, on a vhost at Arp Networks) I > got the following: > >: host mail.cloud9.net[2604:8d00:0:1::4] > said: 554 5.7.1 > : Helo command rejected: Access denied (in reply > to RCPT TO command) > > That's very odd, as for several years I've never had mail rejected > before. I have rDNS for my IPv4 and IPv6 addresses, SPF, DKIM, > DMARC, etc. (All working) I can send to big providers like Google > and Yahoo! with no issues as well. > > Can anyone point me in the right direction as to why cloud9.net > is shutting me down? If there is a problem I'm happy to fix it. > :) Maybe the old-fashioned way - ask postmaster@ Wietse
Re: Problems with lmtp
On Thu, 3/16/17, Viktor Dukhovniwrote: Subject: Re: Problems with lmtp To: postfix-users@postfix.org Date: Thursday, March 16, 2017, 8:08 AM On Thu, Mar 16, 2017 at 08:56:20AM +, Doug wrote: > > The important thing to understand here is the difference between the > > "local", "virtual alias" and "virtual mailbox" address classes, as > > explained in ADDRESS_CLASS_README. > > Yeah, I think it's coming clear. I read through that tonight, need to > read some more to digest better. I see (or think I see) how the > virtual_alias_domains and virtual_alias_maps would work to do the same > thing I'm doing now. Indeed, all my domains are virtual alias domains, whose valid recipients are rewritten to the synthetic virtual mailbox domain "virtual.invalid", which is delivered to Dovecot.I don't use local(8) for delivery, but it would be useful if I had to support mailing lists, vacation, ... That can always be added by rewriting addresses to a "local.invalid" domain, and delivering only that domain locally. [] I am very interested in your example, and it looks like the way I want to go, even though I don't need virtual mailboxes. Thank you for sharing it. FWIW, Sieve has a notion of 'Vacation' that looks adequate, although I didn't dig into it much as it's not an issue for me. I'm impressed with the filtering capabilities so far though, and very glad to finally move that to server-side. :) > - Domains listed in virtual_alias_domains are exclusively > designated as holding only aliases to other real domains. Don't > make the mistake of assuming that a domain must be listed here > in order for virtual_alias_maps to happen. > > [] Ok, I'll bite what makes virtual_alias_maps happen? The use of virtual alias maps happens for all recipients, as part of mail entering the queue via cleanup(8). Not dependent on the address class. [] Ah, Ok, thanks. One less thing to be concerned about then. > Ok, I think I'm getting it now. Once I solve the lmtp problem I will > tackle making this stuff more rational. It sounds like my plan is to do > the following: > > 1. Keep all the domains in mydestination since I want them all locally > delivered. Not required, see above. Postfix has a notion of "final" domains, which subsumes "virtual alias", "virtual mailbox" and "local" domains. You can use any combination of these for "locally delivered" mail. I tend to keep mydestination empty. See also the null-client walk-throgh in MULTI_INSTANCE_README. [] Ok, thanks. > 2. s/virtual_maps/virtual_alias_maps/ > 3. virtual_alias_domains= Yes, or, if you prefer, make *all* the "real" domains virtual alias, and use synthetic domains for delivery. See above. [] Yeah, more homework to do. Thanks again. Doug
Re: Execute linux commands after receive a mail...
Thanks a lot Noel It will be useful 2017-03-16 13:29 GMT-03:00 Noel Jones: > On 3/16/2017 11:18 AM, Gilberto Nunes wrote: > > Hello folks... > > > > I just need execute some command after receive a mail... > > > > I found this site: > > > > https://www.thecodingmachine.com/triggering-a-php-script- > when-your-postfix-server-receives-a-mail/ > > > > This can be achieve with shell script as well?? > > The above site is an example of a simple content_filter using a PHP > script. The postfix docs contain a similar example using a shell > script. > http://www.postfix.org/FILTER_README.html#simple_filter > > > -- Obrigado Cordialmente Gilberto Ferreira Consultoria em Servidores e Serviços Linux | Virtualização Proxmox | Zentyal Server | Zimbra Mail Server (47) 3025-5907 (47) 99676-7530 Skype: konnectati www.konnectati.com.br
Re: Execute linux commands after receive a mail...
On 3/16/2017 11:18 AM, Gilberto Nunes wrote: > Hello folks... > > I just need execute some command after receive a mail... > > I found this site: > > https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/ > > This can be achieve with shell script as well?? The above site is an example of a simple content_filter using a PHP script. The postfix docs contain a similar example using a shell script. http://www.postfix.org/FILTER_README.html#simple_filter
Execute linux commands after receive a mail...
Hello folks... I just need execute some command after receive a mail... I found this site: https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/ This can be achieve with shell script as well?? Thanks a lot... -- Obrigado Cordialmente Gilberto Ferreira Consultoria em Servidores e Serviços Linux | Virtualização Proxmox | Zentyal Server | Zimbra Mail Server (47) 3025-5907 (47) 99676-7530 Skype: konnectati www.konnectati.com.br
Re: Problems with lmtp
On Thu, Mar 16, 2017 at 08:56:20AM +, Doug wrote: > > > $ postconf -d mail_version > > > > > > Yes, 3.1.0, thank you. > > > > Cool. I would expect that this likely contains backports of later > > patches, but unfortunately the Linux distros tend to avoid backporting > > upstream version number updates, so it is difficult to tell whether you > > have all the fixes from 3.1.0 to 3.1.4, but it is quite possible that > > you do. > > [] Yeah, there are a lot of things I like about the way debian and its > derivatives handle packaging, but this not one of them. :-/ Turns out (per Scott Kitterman that Ubuntu may not in general backport fixes from Postfix patch releases. That's a shame. Relevant post-release updates include: 20160310 Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM (replace sender) request lost the sender_bcc_maps address. Fixed by moving some record keeping to the sender output function. Files: cleanup/cleanup_envelope.c, cleanup/cleanup_addr.c, cleanup/cleanup_milter.c, cleanup/cleanup.h, regression tests. 20160410 Bugfix (introduced: Postfix 2.6): the "bad filetype" header_checks pattern falsely rejected Content-Mumble headers with ``name="example"; x-apple-part-url="example.com"''. Fixed by respecting the ";" separator between content attribute values. Reported by Cedric Knight. File: proto/header_checks. 20160619 Bugfix (introduced: 20091121): with the introduction of sender_dependent_default_transport_maps, the SMTP daemon was not updated. This resulted in false rejects with sender-dependent "error" transports. Based on a fix by Russell Yanofsky. Files: global/resolve_clnt.c, global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h, smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h. 20160717 Bugfix (introduced: Postfix 1.1): the virtual(8) delivery agent discarded the error result from vstream_fseek(). File: virtual/mailbox.c. 20160730 Bugfix (introduced: 20090614): with concurrent connections from the same client IP address, and after-220 tests enabled, postscreen could overwrite the cached "all tests completed" result of one connection that completed the after-220 tests, with the "some tests not completed" result of a concurrent connection where the client hung up later, without completing the after-220 tests. 20160821 Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher documentation says aes-256-cbc, but the implementation was using aes-128-cbc (note that Postfix session ticket keys are rotated after 1/2 hour, to limit the impact of attacks on session ticket keys). 20160911 Bugfix (introduced: Postfix 3.0): the SMTP daemon did not reset a previous session's command counts before rejecting a client that exceeds request or concurrency rates. File: smtpd/smtpd.c. 20160917 Bugfix (introduced: Postfix 3.0): the unionmap did not propagate table lookup errors. Based on patch by Roel van Meer. Files: util/dict_union.c, util/dict_union_test.*. 20160925 Workaround (problem introduced: Postfix 2.11): to avoid false "not found" errors with MySQL map queries that contain UTF8-encoded text, specify "option_group = client" in Postfix MySQL configuration files. This will be the default setting with Postfix 3.2 and later. 20161105 Bugfix (introduced: Postfix 1.1): the postsuper command did not count a successful rename operation after error recovery. Problem reported by Markus Schönhaber. File: postsuper/postsuper.c. 20161204 Bugfix (introduced: Postfix 3.1): cut-and-paste error in the "postfix tls deploy-server-cert" command, causing the wrong certfile and keyfile to be used. Viktor Dukhovni. File: conf/postfix-tls-script. Robustness: create a new keyfile when "postfix tls new-server-cert" is invoked and main.cf specifies a non-existent keyfile. Viktor
Updating Postfix was: Re: Problems with lmtp
On March 16, 2017 1:15:54 AM EDT, Viktor Dukhovniwrote: >On Thu, Mar 16, 2017 at 04:02:58AM +, Doug wrote: > >> $ postconf -d mail_version >> >> Yes, 3.1.0, thank you. > >Cool. I would expect that this likely contains backports of later >patches, but unfortunately the Linux distros tend to avoid backporting >upstream version number updates, so it is difficult to tell whether >you have all the fixes from 3.1.0 to 3.1.4, but it is quite possible >that you do. ... He doesn't (not that it turned out to matter this time). There's nothing added to the package Ubuntu got from Debian that related to upstream fixes. That said, back when I was involved in Ubuntu development, I did secure special permission to update Postfix for third digit updates based on the demonstrated history of such updates being confined to actual bug fixes and being high quality with low regression risk. Since I stopped working on Ubuntu, no one has done the work. I know there are more than a few Ubuntu users here. If you want the distribution to deliver post-release updates of Postfix, then all it takes is someone volunteering to do the work. I don't have time to do much in the way of training, but if anyone is interested in taking this up, feel free to contact me off list and I will point you in the right direction. Scott K
Re: Problems with lmtp
Good news is that I solved the short term problem (delivery via lmtp now works). More below. Lots of snipping to strip out what turned out to be the irrelevant bits. On Wed, 3/15/17, Viktor Dukhovniwrote: Subject: Re: Problems with lmtp To: postfix-users@postfix.org Date: Wednesday, March 15, 2017, 10:15 PM On Thu, Mar 16, 2017 at 04:02:58AM +, Doug wrote: > $ postconf -d mail_version > > Yes, 3.1.0, thank you. Cool. I would expect that this likely contains backports of later patches, but unfortunately the Linux distros tend to avoid backporting upstream version number updates, so it is difficult to tell whether you have all the fixes from 3.1.0 to 3.1.4, but it is quite possible that you do. [] Yeah, there are a lot of things I like about the way debian and its derivatives handle packaging, but this not one of them. :-/ > On my mail host I have 1 normal user. I have postfix configured to accept > mail for several different domains, and each domain has a lot of different > mail usernames (I use this for mailing lists and such). I use the > virtual_maps feature of postfix, and have a map file that looks like this: > All of this works great, and mail for all the different usernames and > domains gets delivered into my one real user's Maildir, and I can see the > mail with my IMAP clients. The important thing to understand here is the difference between the "local", "virtual alias" and "virtual mailbox" address classes, as explained in ADDRESS_CLASS_README. [] Yeah, I think it's coming clear. I read through that tonight, need to read some more to digest better. I see (or think I see) how the virtual_alias_domains and virtual_alias_maps would work to do the same thing I'm doing now. - Domains listed in virtual_alias_domains are exclusively designated as holding only aliases to other real domains. Don't make the mistake of assuming that a domain must be listed here in order for virtual_alias_maps to happen. [] Ok, I'll bite what makes virtual_alias_maps happen? > So according to all the tutorials I've read my assumption is that my next > step is this in postfix' main.cf: > > virtual_transport = lmtp:unix:private/dovecot-lmtp The reason this failed for you, is that your domains are "local" (listed in mydestination) so their delivery is controlled via $local_transport not $virtual_transport. [] Yes, I've grasped that now, thank you for confirming. > I have since learned that I probably don't want virtual_transport for > this, but I probably do want local_transport. The problem is that if I > put in local_transport = lmtp:unix:private/dovecot-lmtp I get a bounce > every time: > Mar 15 18:01:20 dougbarton postfix/lmtp[11793]: 8BCD38F: > to= ,relay=dougbarton.us[private/dovecot-lmtp], > delay=0.03, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (host > dougbarton.us[private/dovecot-lmtp] said: 550 5.1.1 > User doesn't exist: u...@dougbarton.us (in reply to RCPT TO command)) So Dovecot has no idea how to deliver , if that's the correct mailbox address, then your problem is with Dovecot [] After a lot more testing tonight that was the problem. Short version is (as I understand it) that lmtp expects a full address (u...@domain.tld), which is what postfix is feeding it. The problem is then getting dovecot to understand what to do with that fully qualified user once it gets it. For my case, since the 'user' that postfix is mapping to is the same as the local Unix user I want it delivered to, the answer is to put this in dovecot.conf: auth_username_format=%n That tells dovecot to only deal with the username portion, not the whole string. > Here is postconf -n with security-related and boring items removed. > > alias_maps = hash:/etc/aliases Check this for any relevant mappings. [] Nothing exciting, just the default postmaster:root > home_mailbox = Maildir/ This makes Postfix deliver mail to "local" user accounts to $HOME/Maildir unless preempted by other settings. [] Yeah, been thinking that was going to be redundant when I get things working. > virtual_maps = hash:/etc/postfix/virtual_addresses This is best expressed as: virtual_alias_maps = hash:/etc/postfix/virtual_addresses and either: virtual_alias_domains = or perhaps if you need to accept additional domains and rewrite to dougbarton.us via virtual_alias_maps: virtual_alias_domains = dougbarton.net, dougb.net, supersetsolutions.com, dougbarton.email in any case I strongly recommand separating virtual_alias_domains from virtual_alias_maps. [] Ok, I think I'm getting it now. Once I solve the lmtp problem I will tackle making this stuff more rational. It sounds like my plan is to do the following: 1. Keep all the domains in mydestination since I want