Re: One certificate per port

2017-04-06 Thread Viktor Dukhovni

> On Apr 6, 2017, at 5:02 PM, G. Schlisio  wrote:
> 
> I wonder if it is possible to have one cert per port postfix is serving
> on, eg one for 25 and one for 587.

Yes.

    master.cf:
        submission inet ... smtpd
            -o smtpd_tls_cert_file=$mua_tls_cert_file
            -o smtpd_tls_key_file=$mua_tls_key_file

    main.cf:
        # Inbound MX certificate and key in a single file
        smtpd_tls_cert_file = ...

        # Submission certificate and key in a single file
        mua_tls_cert_file = ...
        mua_tls_key_file = $mua_tls_cert_file

> 
> Background of this:
> for user interaction (mainly on port 587) I would like to use my signed
> letsencrypt cert which changes fairly often.
> For interaction of servers I would like to use DANE, and so a long-lived
> self-signed certificate would be beneficial to not break during
> automated renewal and avoid frequent rollovers.

It is also possible to avoid DANE TLSA changes while rolling over
Let's Encrypt keys:

    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
    https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

-- 
Viktor.
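The DANE side of this answer, as an added example that is not part of the thread (it is this page's script, not Viktor's or Postfix's): it computes the "3 1 1" TLSA digest an operator would publish for the certificate served on port 25 and shows why that record survives Let's Encrypt renewals as long as the key is reused. It assumes only the openssl command line tool. mx.example.com and the locally generated self-signed certificates are stand-ins for the real host and for the certificates a CA would issue for the same key; served_tlsa_311 talks to a live server and is included for checking what ports 25 and 587 actually present, the demo does not call it.

```shell
#!/bin/sh
# Added example; not code from the thread. Requires only the openssl command
# line tool. Hostname mx.example.com is a placeholder.
set -eu

# tlsa_311 CERT.pem
#   prints the hex SHA-256 of the certificate's SubjectPublicKeyInfo, i.e. the
#   data field of a TLSA record with usage 3 (DANE-EE), selector 1 (SPKI),
#   matching type 1 (SHA-256)
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.*= //'
}

# tlsa_record HOST PORT CERT.pem
#   prints the zone file line to publish for that host and port
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311 "$3")"
}

# served_tlsa_311 HOST PORT
#   same digest, taken from the leaf certificate a live SMTP server presents
#   after STARTTLS; run it against :25 and :587 to confirm that the two
#   master.cf entries really hand out different certificates (needs network,
#   not called by the demo below)
served_tlsa_311() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.*= //'
}

# Local stand-ins for the private key and for the certificates a CA (or the
# admin, for a self-signed MX certificate) would issue for it.
new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}
selfsigned_cert() {   # KEY.pem OUT.pem CN
    openssl req -new -x509 -key "$1" -out "$2" -days 90 -subj "/CN=$3" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    new_key "$dir/mx.key"
    selfsigned_cert "$dir/mx.key"     "$dir/cert-1.pem" mx.example.com   # initial certificate
    selfsigned_cert "$dir/mx.key"     "$dir/cert-2.pem" mx.example.com   # renewal, same key
    new_key "$dir/mx-new.key"
    selfsigned_cert "$dir/mx-new.key" "$dir/cert-3.pem" mx.example.com   # renewal, fresh key

    echo "publish:           $(tlsa_record mx.example.com 25 "$dir/cert-1.pem")"
    echo "renewed, same key: $(tlsa_311 "$dir/cert-2.pem")   (record still matches)"
    echo "renewed, new key:  $(tlsa_311 "$dir/cert-3.pem")   (record must be rolled first)"
    rm -rf "$dir"
}

demo
```

Key reuse is what the certbot CSR option in the links above buys you: renewing from a fixed CSR keeps the public key, so a 3 1 1 record never changes, whereas a 3 0 1 or 3 0 2 record hashes the whole certificate and changes on every renewal, which is why the last link advises against them for Let's Encrypt certificates.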



One certificate per port

2017-04-06 Thread G. Schlisio
Hi all,

I wonder if it is possible to have one cert per port postfix is serving
on, eg one for 25 and one for 587.

Background of this:
for user interaction (mainly on port 587) I would like to use my signed
letsencrypt cert which changes fairly often.
For interaction of servers I would like to use DANE, and so a long-lived
self-signed certificate would be beneficial to not break during
automated renewal and avoid frequent rollovers.

I hope my assumptions are correct.
Feedback much appreciated.

Thank you in advance
Georg


Re: Postfix impatient with mysql?

2017-04-06 Thread John Stoffel
> "Robert" == Robert Moskowitz  writes:

Robert> On 04/06/2017 02:17 PM, John Stoffel wrote:
Robert> It seems postfix is impatient with connecting with mysql, as I see in
Robert> maillog entries like:
>> 
Robert> Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect
Robert> failed to database (postfix): Can't connect to local MySQL server
Robert> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds
Robert> before retry
Robert> Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect
Robert> failed to database (postfix): Can't connect to local MySQL server
Robert> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds
Robert> before retry
>> 
Robert> I suspect it does connect eventually.  This is a test system with only
Robert> 1GB of memory and free reports:
>> 
Robert>               total        used        free      shared  buff/cache   available
Robert> Mem:        1025484      696344       24556       21528      304584      251552
Robert> Swap:        524284       92168      432116
>> 
>> 
Robert> The production box has 2GB, so if the problem is mysql is
Robert> swapping out, that will be 'fixed', if it is processor, well
Robert> this is an ARMv7 duo core, as is the production box.  I am
Robert> considering buying the new quad core.
>> 
Robert> Is there anything I can do to get postfix more patient with
Robert> mysql, or just ignore these messages?
>> 
>> Just as a side note, I set up my home server with dovecot, postfix,
>> mysql and I ended up removing mysql because it was a memory pig for a
>> not-very big install.  In your case, if you're running on an ARMv7
>> dual CPU box, it also isn't too big so I'd probably not bother.
>> sqlite or even flat files should be more than performant enough for
>> your needs.

Robert> I support virtual domains and use postfixadmin.

Can it work with sqlite instead?  

Robert> Granted not many domains and < 10,000 messages per day.

Like my home system, which is probably under 2,000/day messages.

Robert> I am currently running on a CubieTruck (duo core, 2GB, ARMv7)
Robert> with Redsleeve 6 (Centos 6 clone) and time-matching
Robert> components.

Robert> My development to replace it is on a Cubieboard2 (same as above, but 
Robert> 1GB) with Centos 7.

Robert> I don't get any of these messages on the current server.  So
Robert> perhaps it is just a memory thing.  I will start testing on
Robert> another CubieTruck soon and that will show if memory is the
Robert> bottleneck.

I suspect so.  Mysql is a bit of a pig for small memory systems, esp
if you're running other stuff like rspamd as well.

John



Re: Postfix impatient with mysql?

2017-04-06 Thread Robert Moskowitz



On 04/06/2017 02:17 PM, John Stoffel wrote:

Robert> It seems postfix is impatient with connecting with mysql, as I see in
Robert> maillog entries like:

Robert> Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect
Robert> failed to database (postfix): Can't connect to local MySQL server
Robert> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds
Robert> before retry
Robert> Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect
Robert> failed to database (postfix): Can't connect to local MySQL server
Robert> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds
Robert> before retry

Robert> I suspect it does connect eventually.  This is a test system with only
Robert> 1GB of memory and free reports:

Robert>               total        used        free      shared  buff/cache   available
Robert> Mem:        1025484      696344       24556       21528      304584      251552
Robert> Swap:        524284       92168      432116


Robert> The production box has 2GB, so if the problem is mysql is
Robert> swapping out, that will be 'fixed', if it is processor, well
Robert> this is an ARMv7 duo core, as is the production box.  I am
Robert> considering buying the new quad core.

Robert> Is there anything I can do to get postfix more patient with
Robert> mysql, or just ignore these messages?

Just as a side note, I set up my home server with dovecot, postfix,
mysql and I ended up removing mysql because it was a memory pig for a
not-very big install.  In your case, if you're running on an ARMv7
dual CPU box, it also isn't too big so I'd probably not bother.
sqlite or even flat files should be more than performant enough for
your needs.


I support virtual domains and use postfixadmin.

Granted not many domains and < 10,000 messages per day.

I am currently running on a CubieTruck (duo core, 2GB, ARMv7) with 
Redsleeve 6 (Centos 6 clone) and time-matching components.


My development to replace it is on a Cubieboard2 (same as above, but 
1GB) with Centos 7.


I don't get any of these messages on the current server.  So perhaps it 
is just a memory thing.  I will start testing on another CubieTruck soon 
and that will show if memory is the bottleneck.




Re: Postfix impatient with mysql?

2017-04-06 Thread John Stoffel

Robert> It seems postfix is impatient with connecting with mysql, as I see in 
Robert> maillog entries like:

Robert> Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
Robert> failed to database (postfix): Can't connect to local MySQL server 
Robert> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds 
Robert> before retry
Robert> Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
Robert> failed to database (postfix): Can't connect to local MySQL server 
Robert> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 
seconds 
Robert> before retry

Robert> I suspect it does connect eventually.  This is a test system with only 
Robert> 1GB of memory and free reports:

Robert>               total        used        free      shared  buff/cache   available
Robert> Mem:        1025484      696344       24556       21528      304584      251552
Robert> Swap:        524284       92168      432116


Robert> The production box has 2GB, so if the problem is mysql is
Robert> swapping out, that will be 'fixed', if it is processor, well
Robert> this is an ARMv7 duo core, as is the production box.  I am
Robert> considering buying the new quad core.

Robert> Is there anything I can do to get postfix more patient with
Robert> mysql, or just ignore these messages?

Just as a side note, I set up my home server with dovecot, postfix,
mysql and I ended up removing mysql because it was a memory pig for a
not-very big install.  In your case, if you're running on an ARMv7
dual CPU box, it also isn't too big so I'd probably not bother.
sqlite or even flat files should be more than performant enough for
your needs.

John



Oops - Re: Postfix impatient with mysql?

2017-04-06 Thread Robert Moskowitz

I should get new glasses...

That is database postfix by dovecot.  Sigh.

On 04/06/2017 12:01 PM, wilfried.es...@essignetz.de wrote:

Possibly you should ask some dovecot people. The log lines you provided
show the process name "dovecot", not postfix.


Willi


Am 06.04.2017 um 17:54 schrieb Robert Moskowitz:

It seems postfix is impatient with connecting with mysql, as I see in
maillog entries like:

Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect
failed to database (postfix): Can't connect to local MySQL server
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds
before retry
Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect
failed to database (postfix): Can't connect to local MySQL server
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds
before retry

I suspect it does connect eventually.  This is a test system with only
1GB of memory and free reports:

              total        used        free      shared  buff/cache   available
Mem:        1025484      696344       24556       21528      304584      251552
Swap:        524284       92168      432116


The production box has 2GB, so if the problem is mysql is swapping out,
that will be 'fixed', if it is processor, well this is an ARMv7 duo
core, as is the production box.  I am considering buying the new quad core.

Is there anything I can do to get postfix more patient with mysql, or
just ignore these messages?

thank you




Re: Postfix impatient with mysql?

2017-04-06 Thread wilfried.es...@essignetz.de
Possibly you should ask some dovecot people. The log lines you provided
show the process name "dovecot", not postfix.


Willi


Am 06.04.2017 um 17:54 schrieb Robert Moskowitz:
> It seems postfix is impatient with connecting with mysql, as I see in 
> maillog entries like:
> 
> Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
> failed to database (postfix): Can't connect to local MySQL server 
> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds 
> before retry
> Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
> failed to database (postfix): Can't connect to local MySQL server 
> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds 
> before retry
> 
> I suspect it does connect eventually.  This is a test system with only 
> 1GB of memory and free reports:
> 
>               total        used        free      shared  buff/cache   available
> Mem:        1025484      696344       24556       21528      304584      251552
> Swap:        524284       92168      432116
> 
> 
> The production box has 2GB, so if the problem is mysql is swapping out, 
> that will be 'fixed', if it is processor, well this is an ARMv7 duo 
> core, as is the production box.  I am considering buying the new quad core.
> 
> Is there anything I can do to get postfix more patient with mysql, or 
> just ignore these messages?
> 
> thank you
> 
> 
> 



Postfix impatient with mysql?

2017-04-06 Thread Robert Moskowitz
It seems postfix is impatient with connecting with mysql, as I see in 
maillog entries like:


Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
failed to database (postfix): Can't connect to local MySQL server 
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds 
before retry
Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
failed to database (postfix): Can't connect to local MySQL server 
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds 
before retry


I suspect it does connect eventually.  This is a test system with only 
1GB of memory and free reports:


              total        used        free      shared  buff/cache   available
Mem:        1025484      696344       24556       21528      304584      251552
Swap:        524284       92168      432116


The production box has 2GB, so if the problem is mysql is swapping out, 
that will be 'fixed', if it is processor, well this is an ARMv7 duo 
core, as is the production box.  I am considering buying the new quad core.


Is there anything I can do to get postfix more patient with mysql, or 
just ignore these messages?


thank you
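A triage script for log lines of the kind quoted in this thread, added here as an example (it is this page's script, not something posted by Robert, Willi or John). It reads syslog lines, reports which process logged the failure and decodes the number the MySQL client library prints in parentheses, which is the errno from the failed connect(). The sample lines are constructed copies of the two quoted above, rejoined onto one line each; the errno names are the Linux values, and the hint printed for each errno is this example's reading of it, not something the log says.

```shell
#!/bin/sh
# Added example; not code from the thread. Needs only sed and awk.
set -eu

# Constructed sample: the two lines quoted in the thread, rejoined onto one
# line each.
sample_log() {
    cat <<'EOF'
Apr  6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds before retry
Apr  6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
EOF
}

# errno_name NUMBER
#   Linux errno values a connect() to a Unix socket commonly returns; the
#   number in parentheses in the MySQL message is that errno.
errno_name() {
    case "$1" in
        2)   echo ENOENT ;;
        13)  echo EACCES ;;
        111) echo ECONNREFUSED ;;
        *)   echo "errno$1" ;;
    esac
}

# mysql_connect_failures
#   stdin: syslog lines; stdout: one line per "Can't connect ... through socket"
#   failure, fields: process socket errno errno-name retry-seconds
mysql_connect_failures() {
    sed -n "s/^.\{15\} [^ ]* \([^:]*\): .*through socket '\([^']*\)' (\([0-9]*\)).*waiting for \([0-9]*\) seconds.*/\1 \2 \3 \4/p" \
    | while read -r proc sock num wait; do
        printf '%s %s %s %s %s\n' "$proc" "$sock" "$num" "$(errno_name "$num")" "$wait"
      done
}

# triage
#   stdin: syslog lines; stdout: one verdict per (process, errno) pair. The
#   hint text is this example's reading of the errno, not something the log says.
triage() {
    mysql_connect_failures | awk '
        { seen[$1 " " $4]++; sock = $2 }
        END {
            for (k in seen) {
                split(k, f, " ")
                hint = "look up " f[2]
                if (f[2] == "EACCES")
                    hint = "permission denied on " sock " or its directory; check file modes, the user the client runs as, and SELinux/AppArmor. Not a slow or swapped-out server."
                if (f[2] == "ENOENT")
                    hint = sock " does not exist; server not running or wrong socket path"
                if (f[2] == "ECONNREFUSED")
                    hint = sock " exists but nothing is listening on it"
                printf "%s: %d failures logged by %s: %s\n", f[2], seen[k], f[1], hint
            }
        }'
}

sample_log | triage
```

Two things fall out when it runs over the sample: the process is dovecot's dict, so any tunable lives in Dovecot rather than Postfix, and errno 13 is EACCES, a permission denied from the kernel on the socket path. That error comes back from connect() immediately, not after a timeout, so it is not a symptom of a busy or swapped-out server; the growing delays (5, then 25 seconds) are the client backing off between attempts.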





Re: problem with protection.outlook.com released spam getting bounced

2017-04-06 Thread John Stoffel

They handle all our incoming email... so I might instead do something
where I handle internal email on a separate setup.  What a pain...

Mike> Assuming the header check works, I'd run that on a different
Mike> instance of postfix and route the specific outside servers to
Mike> that instance via the firewall...

Mike> Quoting John Stoffel :

>> Well, I've confirmed that EOP (protection.outlook.com, our external
>> Spam filter provider) is adding in the "Delivered-To:" header when
>> emails that have been quarantined are released to be delivered in to
>> us.
>> 
>> I'm amazed others haven't seen this problem yet, but maybe we're
>> strange.  In any case, now I need to figure out a way to fix this.
>> 
>> Would it be enough to simply remove the header if it arrives from
>> them?  I know it's a bad idea... but my customers are complaining
>> about this.
>> 
>> So a simple header_check like this might be what I want:
>> 
>> /^Delivered-To: (.*$)/ REPLACE EOP-Delivered-To: "$1"
>> 
>> But I only want this replacement to happen for email that comes from a
>> specific set of outside servers.  I think I might have to run my own
>> milter here to do this.   I really can't depend on the headers not
>> being forged somehow, but I can depend on the host which connects to
>> me being who it says.
>> 
>> To a degree.
>> 
>> Am I making sense?
>> John
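Mike's suggestion above, made concrete as an added example (configuration written for this page, not something posted in the thread). The released messages bounce because Postfix's delivery agents treat a Delivered-To: header that already names the recipient as a mail forwarding loop; renaming that header on arrival, and only for mail that really comes from EOP, avoids the loop check without touching anything else. The port number, the file names and the address range are placeholders; the real EOP ranges are not on this page.

```text
# master.cf
# A second smtpd on its own port with its own cleanup service. The firewall/NAT
# sends the EOP hosts to 10025 and nothing else can reach it, so the header
# rewrite only ever sees their mail. header_checks is a cleanup(8) setting, so
# it goes on the dedicated cleanup entry, not on the smtpd line.
10025      inet  n  -  n  -  -  smtpd
    -o syslog_name=postfix/eop
    -o cleanup_service_name=eopcleanup
    -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/eop_clients,reject
eopcleanup unix  n  -  n  -  0  cleanup
    -o header_checks=pcre:/etc/postfix/eop_header_checks

# /etc/postfix/eop_clients (placeholder range from the documentation prefix;
# the real EOP ranges are not on this page)
198.51.100.0/24   OK

# /etc/postfix/eop_header_checks: rename rather than IGNORE, so the record of
# where EOP delivered the message survives for later forensics
/^Delivered-To:(.*)$/   REPLACE X-EOP-Delivered-To:$1
```

The check_client_access line is belt and braces: if the firewall rule ever slips, a host outside the listed range is rejected instead of having its headers rewritten. REPLACE acts on the whole header line, and the rewrite applies to every message this instance accepts, which is why it must not be the general-purpose port 25 listener; the -o overrides apply only to these two master.cf entries, so the production listener keeps its own cleanup settings.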