Re: need little help with DKIM, if possible.

2017-03-16 Thread Doug


On Thu, 3/16/17, Fazzina, Angelo  wrote:

 Subject: need little help with DKIM, if possible.
 To: "postfix-users@postfix.org" 
 Date: Thursday, March 16, 2017, 12:19 PM

 Hi,  I ran this. 
 opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM
 which created the private key and selector name 

[] That selector name is inappropriate. If you want to use something that long, 
use dashes instead of underscores. But there is no reason to use something that 
complicated. I just use 'dkim' for mine.  

 I am learning by reverse engineering 

[] Don't do that. :)  Different sites have different needs, and you really 
don't need anything as complex as Google's. 
    
This is a pretty good tutorial for a single domain:
https://help.ubuntu.com/community/Postfix/DKIM

Obviously you can ignore the Ubuntu-specific parts if you're not using Ubuntu. 
Also, I would not use autorestart, see the man page for why. If you are setting 
up multiple domains the configuration is slightly more complex, but still not 
that difficult. 

In regards to your DNS question, assuming you pick 'dkim' for your selector, 
and your domain is 'uconn.edu' you would want to put the following record in 
the uconn.edu zone file:

dkim._domainkey TXT ( "v=DKIM1; k=rsa; t=y;"
"p=;" )

When you're done testing you can remove t=y; from the above example. 

hope this helps,

Doug
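Two small checks for the DNS side of this, as an added shell example (not from Doug's reply, OpenDKIM or the Ubuntu tutorial): `dkim_selector_ok` applies the hostname-safe naming Doug recommends, `dkim_query_name` forms the `<selector>._domainkey.<domain>` name that a verifier (and the `dig ... TXT` command earlier in the thread) looks up, and `dkim_record_status` reads a published record back, accepting the quoted pieces `dig` prints, and reports whether the key is still in `t=y` testing mode, in service, or revoked (an empty `p=` means revoked per RFC 6376, which is also what a record published with the key left out looks like). The selector, domain and record strings used below are constructed test data.

```shell
#!/bin/sh
# Added example; not part of Doug's reply or of OpenDKIM. Helpers for the two
# DNS-side steps in the thread: form the lookup name for a selector, and read a
# TXT record back to see what state the key is in. Test data is constructed.

# Selectors are DNS labels; stick to hostname-safe characters (letters, digits,
# hyphens, and dots for sub-selectors). DNS itself tolerates an underscore, but
# hostname-style validation in tools and at providers does not always.
dkim_selector_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# RFC 6376 lookup name: <selector>._domainkey.<domain>
dkim_query_name() {
    printf '%s._domainkey.%s\n' "$1" "$2"
}

# Turn a record as dig prints it ("..." "..." pieces) into one tag=value per line.
dkim_tags() {
    printf '%s' "$1" | tr -d '"' | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Value of tag $2 in record $1 (empty if absent); dkim_has_tag tells the two apart.
dkim_tag() {
    dkim_tags "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}
dkim_has_tag() {
    dkim_tags "$1" | grep -q "^$2[[:space:]]*="
}

# Classify a record. Prints ok | testing | revoked; returns 1 with a reason on
# stderr when the record is not usable by a verifier.
dkim_record_status() {
    rec=$1
    # v= is optional but, when present, must be DKIM1 (RFC 6376 3.6.1).
    if dkim_has_tag "$rec" v && [ "$(dkim_tag "$rec" v)" != DKIM1 ]; then
        echo "unknown version '$(dkim_tag "$rec" v)'" >&2; return 1
    fi
    # p= is the one required tag.
    if ! dkim_has_tag "$rec" p; then
        echo "missing p= tag (required)" >&2; return 1
    fi
    k=$(dkim_tag "$rec" k)                  # defaults to rsa when absent
    case "${k:-rsa}" in
        rsa|ed25519) ;;
        *) echo "unsupported key type '$k'" >&2; return 1 ;;
    esac
    # An empty p= is the documented way to revoke a key.
    if [ -z "$(dkim_tag "$rec" p)" ]; then
        echo revoked; return 0
    fi
    # t=y flags the domain as testing; verifiers treat failures leniently.
    case "$(dkim_tag "$rec" t)" in
        *y*) echo testing ;;
        *)   echo ok ;;
    esac
}

# Usage against live DNS (not run here):
#   dkim_record_status "$(dig +short TXT "$(dkim_query_name dkim uconn.edu)")"
```

Run the last line after publishing the record and again after removing `t=y;`: the expected progression is `testing` then `ok`, and a surprise `revoked` means the `p=` value never made it into the zone.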


Re: How to get mail relay to work

2017-03-16 Thread D'Arcy Cain

On 2017-03-16 09:34 PM, paul.greene.va wrote:

I've been given a task to get a freshly installed postfix server to
forward mail from an application - i.e. when changes are made to an
application, the application is supposed to send an email notification
to a specified email address.


I'm not sure that this is even a Postfix question.  I assume that there 
is some trigger in the application that handles changes.  That 
application just needs to send an email.  Whatever mail server you are 
using should be irrelevant.  In fact, you could punt elsewhere and not 
have a mail server at all.


Perhaps I am not understanding the challenge.

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net


How to get mail relay to work

2017-03-16 Thread paul.greene.va

Hello All,

Apologies in advance - I'm brand new to postfix; hopefully this question 
won't be too newbish.


I've been given a task to get a freshly installed postfix server to 
forward mail from an application - i.e. when changes are made to an 
application, the application is supposed to send an email notification 
to a specified email address.


There is an existing functioning postfix server that this new one is 
replacing - the old one is running on redhat 6, postfix version 2.6; the 
new one is running on redhat 7, postfix version 2.10.


I grepped for all of the uncommented lines in /etc/postfix/main.cf on 
both the old and the new server and compared them; the configuration was 
the same on both. The "relayhost = " parameter and the "mynetworks =" 
parameter was the same on both


This mail server isn't being used as a general mail server where users 
are communicating with each other. It's only used for applications to 
send out notifications.


Besides /etc/postfix/main.cf, is there any other config files that need 
to be edited to enable this mail relaying?


Paul



Re: Execute linux commands after receive a mail...

2017-03-16 Thread li...@lazygranch.com
On Thu, 16 Mar 2017 11:29:56 -0500
Noel Jones  wrote:

> On 3/16/2017 11:18 AM, Gilberto Nunes wrote:
> > Hello folks...
> > 
> > I just need to execute some command after receiving a mail...
> > 
> > I found this site: 
> > 
> > https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/
> > 
> > This can be achieved with a shell script as well?
> 
> The above site is an example of a simple content_filter using a PHP
> script.  The postfix docs contain a similar example using a shell
> script.
> http://www.postfix.org/FILTER_README.html#simple_filter
> 
> 

I had no idea you could receive email on any port. I wonder how many
ISPs allow this.

In any event, would this be THE scheme to use for an IoT application?
That is, send an email to turn on/off a sprinkler, light, etc. The idea
being postfix et al. does all the security, AKA the hard part.


Re: need little help with DKIM, if possible.

2017-03-16 Thread Wietse Venema
Fazzina, Angelo:
> Hi,
> I ran this.
> opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 
> 2017_uconn_DKIM
> which created the private key and selector name
> 
> 
> I created an entry in DNS and it shows up when I run this.
> dig any mta4.uits.uconn.edu
> 
> My issue is how do I get this command to work ?
> dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT

Works for me, and I tried all three hosts with the NS record for
uconn.edu.
>
> I am learning by reverse engineering the fact that I saw this
> worked.  dig google._domainkey.protodave.com TXT got it from here.
> https://protodave.com/security/checking-your-dkim-dns-record

Reverse engineering is not needed. All internet protocol specs are
on-line, available at no cost other than your Internet connection.

Wietse


need little help with DKIM, if possible.

2017-03-16 Thread Fazzina, Angelo
Hi,
I ran this.
opendkim-genkey -v -D /etc/opendkim/keys/uconn/ -d uconn.edu -s 2017_uconn_DKIM
which created the private key and selector name


I created an entry in DNS and it shows up when I run this.
dig any mta4.uits.uconn.edu

My issue is how do I get this command to work ?
dig 2017_uconn_DKIM._domainkey.mta4.uits.uconn.edu TXT


I am learning by reverse engineering the fact that I saw this worked.
dig google._domainkey.protodave.com TXT
got it from here. https://protodave.com/security/checking-your-dkim-dns-record/

Anyone with time to help, thanks; if you're too busy, no problem.
-ALF

P.S. this is all POC stuff not in production.



-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075



Re: cloud9 rejecting my mail

2017-03-16 Thread Viktor Dukhovni

> On Mar 16, 2017, at 2:37 PM, Wietse Venema  wrote:
> 
>> When trying to sign up for the list from my regular e-mail address
>> (served by my Postfix mail server, on a vhost at Arp Networks) I
>> got the following:
>> 
>> : host mail.cloud9.net[2604:8d00:0:1::4]
>> said: 554 5.7.1 : Helo command rejected: Access denied
>> (in reply to RCPT TO command)

Note the use of IPv6 here.  Many large providers have chosen to set the
bar higher for IPv6 than IPv4.  In particular:

  * PTR records are generally mandatory
  * SPF and/or DKIM records are often mandatory

sadly, while CSA records would have been much more appropriate here,

  https://tools.ietf.org/html/draft-crocker-csv-csa-00

that idea went nowhere, in the rush to "solve phishing", which of
course did not happen with SPF/DKIM/...

Anyway, it is quite possible that the problem is that Doug's server
has IPv6 connectivity, and he either needs to jump through more hoops...
or disable IPv6 in Postfix:

inet_protocols = ipv4.

-- 
Viktor.



Re: cloud9 rejecting my mail

2017-03-16 Thread Doug
Yes, the simple ways are usually best. :) 

My first message on this topic did CC the postmaster, but it got bounced from 
the list because it had the subsc word in it. Still waiting on a response. 

Doug


On Thu, 3/16/17, Wietse Venema  wrote:

 Subject: Re: cloud9 rejecting my mail
 To: "Postfix users" 
 Date: Thursday, March 16, 2017, 11:37 AM
 
 Doug:
 > When trying to sign up for the list from my regular e-mail address
 > (served by my Postfix mail server, on a vhost at Arp Networks) I
 > got the following:
 >
 > : host mail.cloud9.net[2604:8d00:0:1::4]
 > said: 554 5.7.1
 > : Helo command rejected: Access denied (in reply
 > to RCPT TO command)
 >
 > That's very odd, as for several years I've never had mail rejected
 > before. I have rDNS for my IPv4 and IPv6 addresses, SPF, DKIM,
 > DMARC, etc. (All working) I can send to big providers like Google
 > and Yahoo! with no issues as well.
 >
 > Can anyone point me in the right direction as to why cloud9.net
 > is shutting me down?  If there is a problem I'm happy to fix it.
 > :)
 
 Maybe the old-fashioned way - ask postmaster@
 
 Wietse
 


Re: cloud9 rejecting my mail

2017-03-16 Thread Wietse Venema
Doug:
> When trying to sign up for the list from my regular e-mail address
> (served by my Postfix mail server, on a vhost at Arp Networks) I
> got the following:
>
> : host mail.cloud9.net[2604:8d00:0:1::4]
> said: 554 5.7.1
> : Helo command rejected: Access denied (in reply
> to RCPT TO command)
>
> That's very odd, as for several years I've never had mail rejected
> before. I have rDNS for my IPv4 and IPv6 addresses, SPF, DKIM,
> DMARC, etc. (All working) I can send to big providers like Google
> and Yahoo! with no issues as well.
>
> Can anyone point me in the right direction as to why cloud9.net
> is shutting me down?  If there is a problem I'm happy to fix it.
> :)

Maybe the old-fashioned way - ask postmaster@

Wietse


Re: Problems with lmtp

2017-03-16 Thread Doug


On Thu, 3/16/17, Viktor Dukhovni  wrote:

 Subject: Re: Problems with lmtp
 To: postfix-users@postfix.org
 Date: Thursday, March 16, 2017, 8:08 AM
 
 On Thu, Mar 16, 2017 at 08:56:20AM +, Doug wrote:
 
 > >  The important thing to understand here is the difference between the
 > >  "local", "virtual alias" and "virtual mailbox" address classes, as
 > >  explained in ADDRESS_CLASS_README.
 >  
 > Yeah, I think it's coming clear. I read through that tonight, need to
 > read some more to digest better.  I see (or think I see) how the
 > virtual_alias_domains and virtual_alias_maps would work to do the same
 > thing I'm doing now.
 
 Indeed, all my domains are virtual alias domains, whose valid
 recipients are rewritten to the synthetic virtual mailbox domain
 "virtual.invalid", which is delivered to Dovecot.  I don't use
 local(8) for delivery, but it would be useful if I had to support
 mailing lists, vacation, ...  That can always be added by rewriting
 addresses to a "local.invalid" domain, and delivering only that
 domain locally.

[] I am very interested in your example, and it looks like the way I want to 
go, even though I don't need virtual mailboxes. Thank you for sharing it. FWIW, 
Sieve has a notion of 'Vacation' that looks adequate, although I didn't dig 
into it much as it's not an issue for me. I'm impressed with the filtering 
capabilities so far though, and very glad to finally move that to server-side. 
:)
 
 >     - Domains listed in virtual_alias_domains are exclusively 
 >     designated as holding only aliases to other real domains. Don't
 >     make the mistake of assuming that a domain must be listed here
 >     in order for virtual_alias_maps to happen.
 > 
 > [] Ok, I'll bite  what makes virtual_alias_maps happen? 
 
 The use of virtual alias maps happens for all recipients, as part
 of mail entering the queue via cleanup(8).  Not dependent on the
 address class. 

[] Ah, Ok, thanks. One less thing to be concerned about then. 
 
 > Ok, I think I'm getting it now. Once I solve the lmtp problem I will
 > tackle making this stuff more rational. It sounds like my plan is to do
 > the following:
 > 
 > 1. Keep all the domains in mydestination since I want them all locally 
 > delivered.
 
 Not required, see above.  Postfix has a notion of "final" domains,
 which subsumes "virtual alias", "virtual mailbox" and "local" domains.
 You can use any combination of these for "locally delivered" mail.
 I tend to keep mydestination empty.  See also the null-client
 walk-through in MULTI_INSTANCE_README.
 
[] Ok, thanks. 

 > 2. s/virtual_maps/virtual_alias_maps/
 > 3. virtual_alias_domains=
 
 Yes, or, if you prefer, make *all* the "real" domains virtual alias,
 and use synthetic domains for delivery.  See above.
 
[] Yeah, more homework to do. Thanks again. 

Doug
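Viktor's layout (every real domain a virtual alias domain, valid recipients rewritten into one synthetic virtual mailbox domain that LMTP hands to Dovecot, mydestination empty), written out as an added main.cf and map fragment. This is not configuration from the thread, and the domain names, map paths, mailbox name and LMTP socket path are assumptions:

```ini
# /etc/postfix/main.cf (added example; names are placeholders)

# Nothing is a "local" domain, so local(8) and $local_transport are out of the path.
mydestination =

# The real domains only hold aliases; an address that is not in
# virtual_alias_maps is rejected at SMTP time as an unknown recipient.
virtual_alias_domains = example.com, example.net
virtual_alias_maps = hash:/etc/postfix/virtual_addresses

# One synthetic domain is the only mailbox domain. It never appears in a
# public address, so nothing outside can address a mailbox in it directly.
virtual_mailbox_domains = virtual.invalid
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailboxes
virtual_transport = lmtp:unix:private/dovecot-lmtp

# /etc/postfix/virtual_addresses  (run "postmap /etc/postfix/virtual_addresses")
# alias in a real domain          mailbox in the synthetic domain
postmaster@example.com           doug@virtual.invalid
list-owner@example.com           doug@virtual.invalid
doug@example.net                 doug@virtual.invalid

# /etc/postfix/virtual_mailboxes  (run "postmap /etc/postfix/virtual_mailboxes")
# Only the lookup matters for recipient validation; the value is unused with an
# LMTP virtual_transport, so any placeholder will do.
doug@virtual.invalid             x
```

Dovecot then has to recognise the rewritten address, either by listing `doug@virtual.invalid` in its user database or, as Doug found with `auth_username_format = %n`, by dropping the domain part before the lookup; otherwise the `550 5.1.1 User doesn't exist` LMTP reject seen earlier in the thread comes back. Because cleanup(8) applies virtual_alias_maps to every recipient regardless of address class, the maps do not need to list `virtual.invalid` addresses on the left-hand side, and virtual_mailbox_maps is what lets Postfix refuse unknown recipients in the synthetic domain before queueing rather than after.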


Re: Execute linux commands after receive a mail...

2017-03-16 Thread Gilberto Nunes
Thanks a lot Noel
It will be useful

2017-03-16 13:29 GMT-03:00 Noel Jones :

> On 3/16/2017 11:18 AM, Gilberto Nunes wrote:
> > Hello folks...
> >
> > I just need to execute some command after receiving a mail...
> >
> > I found this site:
> >
> > https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/
> >
> > This can be achieved with a shell script as well?
>
> The above site is an example of a simple content_filter using a PHP
> script.  The postfix docs contain a similar example using a shell
> script.
> http://www.postfix.org/FILTER_README.html#simple_filter
>
>
>


-- 
Thanks

Cordially


Gilberto Ferreira

Linux Server and Services Consulting | Proxmox Virtualization |
Zentyal Server | Zimbra Mail Server

(47) 3025-5907
(47) 99676-7530

Skype: konnectati


www.konnectati.com.br


Re: Execute linux commands after receive a mail...

2017-03-16 Thread Noel Jones
On 3/16/2017 11:18 AM, Gilberto Nunes wrote:
> Hello folks...
> 
> I just need to execute some command after receiving a mail...
> 
> I found this site: 
> 
> https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/
> 
> This can be achieved with a shell script as well?

The above site is an example of a simple content_filter using a PHP
script.  The postfix docs contain a similar example using a shell
script.
http://www.postfix.org/FILTER_README.html#simple_filter
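Noel's pointer is to the simple filter in FILTER_README, which hands each message to a command through pipe(8). The script below is an added example, not the FILTER_README script or the linked PHP one, and it answers the shell-script question together with the "email switches a sprinkler" idea raised earlier in this thread from a defensive angle: nothing from the message ever reaches a shell or `eval`, the action is chosen from a fixed `case` allowlist keyed on the Subject, the sender is taken from Postfix's `${sender}` pipe(8) argument rather than the forgeable From: header, and unrecognised requests are dropped rather than bounced. The allowlisted addresses, action names, device command paths and the master.cf line in the comment are all assumptions.

```shell
#!/bin/sh
# Added example, not code from FILTER_README or the linked article.
# A pipe(8) delivery command that turns an incoming message into one of a fixed
# set of actions. Rules: never pass message text to a shell or eval; choose the
# action with a case allowlist; accept only allowlisted envelope senders.
# The sender list, action names and device commands are constructed assumptions.

ALLOWED_SENDERS="ops@example.test admin@example.test"      # constructed allowlist
SPRINKLER_CMD=${SPRINKLER_CMD:-/usr/local/sbin/sprinkler}  # hypothetical helper
LIGHT_CMD=${LIGHT_CMD:-/usr/local/sbin/light}              # hypothetical helper

# Print the value of header $1 from the message on stdin. Stops at the blank
# line that ends the header block, so a "Subject:" line inside the body can
# never be mistaken for the real header. Folded continuation lines are ignored.
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^$/ { exit }
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == want) {
                value = substr($0, i + 1)
                sub(/^[ \t]+/, "", value)
                sub(/[ \t\r]+$/, "", value)
                print value
                exit
            }
        }'
}

# Map (envelope sender, subject) to an action name on stdout. Returns 1, with a
# reason on stderr, when nothing should happen.
decide_action() {
    sender=$1
    subject=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr '\t' ' ' | tr -s ' ' \
              | sed 's/^ //; s/ $//')

    # The envelope sender is supplied by Postfix (${sender} in master.cf), not
    # read from the From: header, which anyone can forge. Even so, an address
    # match is a weak gate on its own: keep SPF/DKIM/DMARC enforcement and
    # smtpd restrictions in front of this script.
    ok=0
    for s in $ALLOWED_SENDERS; do
        if [ "$sender" = "$s" ]; then ok=1; fi
    done
    if [ "$ok" -ne 1 ]; then
        echo "reject: sender '$sender' not allowlisted" >&2
        return 1
    fi

    # Exact-match allowlist: the subject selects an action, it is never executed.
    case "$subject" in
        "sprinkler on")  echo sprinkler_on ;;
        "sprinkler off") echo sprinkler_off ;;
        "light on")      echo light_on ;;
        "light off")     echo light_off ;;
        *) echo "reject: unknown command '$subject'" >&2; return 1 ;;
    esac
}

# Read one message from stdin and decide; $1 is the envelope sender.
filter_message() {
    subject=$(header_value subject)
    cat >/dev/null   # drain the rest so pipe(8) never writes to a closed pipe
    decide_action "$1" "$subject"
}

# Only fixed commands with fixed arguments are ever run.
run_action() {
    case "$1" in
        sprinkler_on)  "$SPRINKLER_CMD" on ;;
        sprinkler_off) "$SPRINKLER_CMD" off ;;
        light_on)      "$LIGHT_CMD" on ;;
        light_off)     "$LIGHT_CMD" off ;;
    esac
}

# Entry point when wired into master.cf as a pipe(8) transport (assumed line):
#   mailtrigger unix - n n - - pipe user=mailtrigger argv=/usr/local/bin/mailtrigger.sh --run ${sender}
# and routed to with a transport_maps entry such as "trigger@example.test mailtrigger:".
# With no arguments the script only defines the functions.
if [ "${1-}" = "--run" ]; then
    if action=$(filter_message "${2-}"); then
        run_action "$action"
    fi
    exit 0   # unknown requests are dropped, not bounced: bouncing to a forged sender is backscatter
fi
```

Dropping rather than bouncing matters because the sender check will mostly trip on forged or stray mail, and a bounce to that address is backscatter; log the rejection locally instead if you need to see it. Postfix itself only authenticates what it is configured to check, so the "Postfix does the hard part" assumption from the thread holds only when a DKIM/DMARC milter and sensible `smtpd_*_restrictions` sit in front of the trigger address.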




Execute linux commands after receive a mail...

2017-03-16 Thread Gilberto Nunes
Hello folks...

I just need to execute some command after receiving a mail...

I found this site:

https://www.thecodingmachine.com/triggering-a-php-script-when-your-postfix-server-receives-a-mail/

This can be achieved with a shell script as well?

Thanks a lot...

-- 
Thanks

Cordially


Gilberto Ferreira

Linux Server and Services Consulting | Proxmox Virtualization |
Zentyal Server | Zimbra Mail Server

(47) 3025-5907
(47) 99676-7530

Skype: konnectati


www.konnectati.com.br


Re: Problems with lmtp

2017-03-16 Thread Viktor Dukhovni
On Thu, Mar 16, 2017 at 08:56:20AM +, Doug wrote:

> >  >      $ postconf -d mail_version
> >  >  
> >  > Yes, 3.1.0, thank you. 
> >  
> >  Cool.  I would expect that this likely contains backports of later
> >  patches, but unfortunately the Linux distros tend to avoid backporting
> >  upstream version number updates, so it is difficult to tell whether you
> >  have all the fixes from 3.1.0 to 3.1.4, but it is quite possible that
> >  you do.
>
> [] Yeah, there are a lot of things I like about the way debian and its
> derivatives handle packaging, but this not one of them. :-/

Turns out (per Scott Kitterman) that Ubuntu may not in general
backport fixes from Postfix patch releases.  That's a shame.
Relevant post-release updates include:

20160310

Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
(replace sender) request lost the sender_bcc_maps address.
Fixed by moving some record keeping to the sender output
function.  Files: cleanup/cleanup_envelope.c,
cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
cleanup/cleanup.h, regression tests.

20160410

Bugfix (introduced: Postfix 2.6): the "bad filetype"
header_checks pattern falsely rejected Content-Mumble headers
with ``name="example"; x-apple-part-url="example.com"''.
Fixed by respecting the ";" separator between content
attribute values.  Reported by Cedric Knight.  File:
proto/header_checks.

20160619

Bugfix (introduced: 20091121): with the introduction of
sender_dependent_default_transport_maps, the SMTP daemon
was not updated. This resulted in false rejects with
sender-dependent "error" transports. Based on a fix by
Russell Yanofsky.  Files: global/resolve_clnt.c,
global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h,
smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, 
smtpd/smtpd_resolve.h.

20160717

Bugfix (introduced: Postfix 1.1): the virtual(8) delivery
agent discarded the error result from vstream_fseek().
File: virtual/mailbox.c.

20160730

Bugfix (introduced: 20090614): with concurrent connections
from the same client IP address, and after-220 tests enabled,
postscreen could overwrite the cached "all tests completed"
result of one connection that completed the after-220 tests,
with the "some tests not completed" result of a concurrent
connection where the client hung up later, without completing
the after-220 tests.

20160821

Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
documentation says aes-256-cbc, but the implementation was
using aes-128-cbc (note that Postfix session ticket keys
are rotated after 1/2 hour, to limit the impact of attacks
on session ticket keys).

20160911

Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
reset a previous session's command counts before rejecting
a client that exceeds request or concurrency rates. File:
smtpd/smtpd.c.

20160917

Bugfix (introduced: Postfix 3.0): the unionmap did not
propagate table lookup errors.  Based on patch by Roel van
Meer.  Files: util/dict_union.c, util/dict_union_test.*.

20160925

Workaround (problem introduced: Postfix 2.11): to avoid
false "not found" errors with MySQL map queries that contain
UTF8-encoded text, specify "option_group = client" in Postfix
MySQL configuration files.  This will be the default setting
with Postfix 3.2 and later.

20161105

Bugfix (introduced: Postfix 1.1): the postsuper command did
not count a successful rename operation after error recovery.
Problem reported by Markus Schönhaber. File: 
postsuper/postsuper.c.

20161204

Bugfix (introduced: Postfix 3.1): cut-and-paste error in
the "postfix tls deploy-server-cert" command, causing the
wrong certfile and keyfile to be used. Viktor Dukhovni.
File: conf/postfix-tls-script.

Robustness: create a new keyfile when "postfix tls
new-server-cert" is invoked and main.cf specifies a
non-existent keyfile. Viktor 

Updating Postfix was: Re: Problems with lmtp

2017-03-16 Thread Scott Kitterman


On March 16, 2017 1:15:54 AM EDT, Viktor Dukhovni  
wrote:
>On Thu, Mar 16, 2017 at 04:02:58AM +, Doug wrote:
>
>>      $ postconf -d mail_version
>>  
>> Yes, 3.1.0, thank you. 
>
>Cool.  I would expect that this likely contains backports of later
>patches, but unfortunately the Linux distros tend to avoid backporting
>upstream version number updates, so it is difficult to tell whether
>you have all the fixes from 3.1.0 to 3.1.4, but it is quite possible
>that you do.

...

He doesn't (not that it turned out to matter this time).  There's nothing added 
to the package Ubuntu got from Debian that related to upstream fixes.

That said, back when I was involved in Ubuntu development, I did secure special 
permission to update Postfix for third digit updates based on the demonstrated 
history of such updates being confined to actual bug fixes and being high 
quality with low regression risk.

Since I stopped working on Ubuntu, no one has done the work.  I know there are 
more than a few Ubuntu users here.  If you want the distribution to deliver 
post-release updates of Postfix, then all it takes is someone volunteering to 
do the work.

I don't have time to do much in the way of training, but if anyone is 
interested in taking this up, feel free to contact me off list and I will point 
you in the right direction.

Scott K


Re: Problems with lmtp

2017-03-16 Thread Doug
Good news is that I solved the short term problem (delivery via lmtp now 
works).  More below. Lots of snipping to strip out what turned out to be the 
irrelevant bits. 


On Wed, 3/15/17, Viktor Dukhovni  wrote:

 Subject: Re: Problems with lmtp
 To: postfix-users@postfix.org
 Date: Wednesday, March 15, 2017, 10:15 PM
 
 On Thu, Mar 16, 2017 at 04:02:58AM +, Doug wrote:
 
 >      $ postconf -d mail_version
 >  
 > Yes, 3.1.0, thank you. 
 
 Cool.  I would expect that this likely contains backports of later
 patches, but unfortunately the Linux distros
 tend to avoid backporting upstream version
 number updates, so it is difficult to tell whether
 you have all the fixes from 3.1.0 to 3.1.4, but
 it is quite possible that you do.
 
[] Yeah, there are a lot of things I like about the way debian and its 
derivatives handle packaging, but this not one of them. :-/  

 > On my mail host I have 1 normal user. I have postfix configured to accept
 > mail for several different domains, and each domain has a lot of different
 > mail usernames (I use this for mailing lists and such). I use the
 > virtual_maps feature of postfix, and have a map file that looks like this:
 
 > All of this works great, and mail for all the different usernames and
 > domains gets delivered into my one real user's Maildir, and I can see the
 > mail with my IMAP clients.
 
 The important thing to understand here is the difference between the "local", 
"virtual alias" and "virtual mailbox" address classes, as explained in 
ADDRESS_CLASS_README.
 
[] Yeah, I think it's coming clear. I read through that tonight, need to read 
some more to digest better.  I see (or think I see) how the 
virtual_alias_domains and virtual_alias_maps would work to do the same thing 
I'm doing now. 
 
     - Domains listed in virtual_alias_domains are exclusively designated as 
holding only aliases to other real domains. Don't make the mistake of assuming 
that a domain must be listed here in order for virtual_alias_maps to happen.

[] Ok, I'll bite  what makes virtual_alias_maps happen? 

 > So according to all the tutorials I've read my assumption is that my next
 > step is this in postfix' main.cf:
 > 
 >     virtual_transport = lmtp:unix:private/dovecot-lmtp
 
 The reason this failed for you, is that your domains are "local"
 (listed in mydestination) so their delivery is controlled via
 $local_transport not $virtual_transport.
 
[] Yes, I've grasped that now, thank you for confirming. 

 > I have since learned that I probably don't want virtual_transport for
 > this, but I probably do want local_transport. The problem is that if I
 > put in local_transport = lmtp:unix:private/dovecot-lmtp I get a bounce
 > every time:
 > Mar 15 18:01:20 dougbarton postfix/lmtp[11793]: 8BCD38F:
 > to=,relay=dougbarton.us[private/dovecot-lmtp],
 > delay=0.03, delays=0.01/0/0/0.01, dsn=5.1.1, status=bounced (host
 > dougbarton.us[private/dovecot-lmtp] said: 550 5.1.1 
 > User doesn't exist: u...@dougbarton.us (in reply to RCPT TO command))
 
 So Dovecot has no idea how to deliver , if
 that's the correct mailbox address, then your problem is with
 Dovecot

[] After a lot more testing tonight that was the problem. Short version is (as 
I understand it) that lmtp expects a full address (u...@domain.tld), which is 
what postfix is feeding it. The problem is then getting dovecot to understand 
what to do with that fully qualified user once it gets it. For my case, since 
the 'user' that postfix is mapping to is the same as the local Unix user I want 
it delivered to, the answer is to put this in dovecot.conf: 
auth_username_format=%n

That tells dovecot to only deal with the username portion, not the whole 
string. 
 
 > Here is postconf -n with security-related and boring items removed.
 > 
 > alias_maps = hash:/etc/aliases
 
 Check this for any relevant mappings.

[] Nothing exciting, just the default postmaster:root
 
 > home_mailbox = Maildir/
 
 This makes Postfix deliver mail to "local" user accounts to
 $HOME/Maildir unless preempted by other settings.
 
[] Yeah, been thinking that was going to be redundant when I get things 
working. 

 > virtual_maps = hash:/etc/postfix/virtual_addresses
 
 This is best expressed as:
 
     virtual_alias_maps = hash:/etc/postfix/virtual_addresses
 
 and either:
 
   virtual_alias_domains =
 
 or perhaps if you need to accept additional domains and rewrite to
 dougbarton.us via virtual_alias_maps:
 
 virtual_alias_domains = dougbarton.net, dougb.net, supersetsolutions.com, 
dougbarton.email
 
 in any case I strongly recommend separating
 virtual_alias_domains from virtual_alias_maps.

[] Ok, I think I'm getting it now. Once I solve the lmtp problem I will tackle 
making this stuff more rational. It sounds like my plan is to do the following:

1. Keep all the domains in mydestination since I want