Re: recipient limit question

2017-08-04 Thread Matus UHLAR - fantomas

On 04.08.17 15:28, Fazzina, Angelo wrote:
> When the limit is exceeded should the sender receive a bounce back email ?

postfix rejects additional recipients with temporary error, which means
that the client should retry those.
Proper SMTP clients retry remaining recipients until mail is sent to all of
them.

> You say "find the error" is that the error you are talking about ?
>
> To me it's sounding like I should ask sender to send emails with less than
> 1000 recipients and limit will not hit.

you can increase the limit for the client. Or, better, recommend using
specialized client.  Or, best, try offering mailing list or similar service.

> It's too bad there is no way to know a sender has exceeded the setting
> smtpd_recipient_limit = 1000

actually there is. The "452" error code is designed to tell sender that the
number of recipients was crossed and client should not try others, but retry
sending mail with the rest of recipients.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.


Re: recipient limit question

2017-08-04 Thread Noel Jones
On 8/4/2017 10:12 AM, Fazzina, Angelo wrote:
> Thank you. I see it maybe me doing the limiting 
> 
> smtpd_recipient_limit (default: 1000)
> 
> The maximal number of recipients that the Postfix SMTP server accepts per 
> message delivery request.
> 
> 
> 
> Q1 = So, can I assume it does not matter if the recipients are in the TO, CC, 
> or BCC field,

Correct.  Postfix reads the envelope, not the headers.

> the hard limit is 1000 ?

This is a soft limit.  Postfix signals the sending client the limit
is exceeded, and the client should disconnect and reconnect to
send the remaining recipients, or at least notify the human the send
failed.  If you're sending with Outlook, this is Outlook's
responsibility.

> Q2 = how do I search the logs for messages telling me I exceeded the limit ? 
> what is the postconf entry to check if I am logging this stuff in first place 
> ?

I believe postfix will log these as a reject: with a 4xx code, which
indicates the recipient was deferred and can be retried.

> 
> Q3 = is there danger in increasing limit so senders emails are delivered as 
> they should be ? 

You can increase the limit on the master.cf submission service by
adding:
  -o smtpd_recipient_limit=5000

> What other options are there ?

Use a better mail client that understands how to resend.




  -- Noel Jones


RE: recipient limit question

2017-08-04 Thread Fazzina, Angelo
Hi,
When the limit is exceeded should the sender receive a bounce back email ?
You say "find the error" is that the error you are talking about ?

To me it's sounding like I should ask sender to send emails with less than 1000 
recipients and limit will not hit.
It's too bad there is no way to know a sender has exceeded the setting 
smtpd_recipient_limit = 1000

thanks.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Bastian Blank
Sent: Friday, August 4, 2017 11:21 AM
To: postfix-users@postfix.org
Subject: Re: recipient limit question

On Fri, Aug 04, 2017 at 03:12:16PM +, Fazzina, Angelo wrote:
> Thank you. I see it maybe me doing the limiting 
> smtpd_recipient_limit (default: 1000)
> The maximal number of recipients that the Postfix SMTP server accepts per 
> message delivery request.
> Q1 = So, can I assume it does not matter if the recipients are in the TO, CC, 
> or BCC field, the hard limit is 1000 ?

Postfix is a MTA, it does not care about headers, like To, Cc, Bcc.  It
only cares about recipients, which are part of the envelope.

> Q2 = how do I search the logs for messages telling me I exceeded the limit ? 
> what is the postconf entry to check if I am logging this stuff in first place 
> ?

You can't, as it is the clients task to retry with the remaining
recipients and it is no hard error.

> Q3 = is there danger in increasing limit so senders emails are delivered as 
> they should be ? What other options are there ?

Find the error.  But guessing from the subject of the mail in question
you really want some specialized mailing list software like Mailman for
this task.

Bastian

-- 
Oblivion together does not frighten me, beloved.
-- Thalassa (in Anne Mulhall's body), "Return to Tomorrow",
   stardate 4770.3.


Re: recipient limit question

2017-08-04 Thread Bastian Blank
On Fri, Aug 04, 2017 at 03:12:16PM +, Fazzina, Angelo wrote:
> Thank you. I see it maybe me doing the limiting 
> smtpd_recipient_limit (default: 1000)
> The maximal number of recipients that the Postfix SMTP server accepts per 
> message delivery request.
> Q1 = So, can I assume it does not matter if the recipients are in the TO, CC, 
> or BCC field, the hard limit is 1000 ?

Postfix is a MTA, it does not care about headers, like To, Cc, Bcc.  It
only cares about recipients, which are part of the envelope.

> Q2 = how do I search the logs for messages telling me I exceeded the limit ? 
> what is the postconf entry to check if I am logging this stuff in first place 
> ?

You can't, as it is the clients task to retry with the remaining
recipients and it is no hard error.

> Q3 = is there danger in increasing limit so senders emails are delivered as 
> they should be ? What other options are there ?

Find the error.  But guessing from the subject of the mail in question
you really want some specialized mailing list software like Mailman for
this task.

Bastian

-- 
Oblivion together does not frighten me, beloved.
-- Thalassa (in Anne Mulhall's body), "Return to Tomorrow",
   stardate 4770.3.


RE: recipient limit question

2017-08-04 Thread Fazzina, Angelo
Thank you. I see it maybe me doing the limiting 

smtpd_recipient_limit (default: 1000)

The maximal number of recipients that the Postfix SMTP server accepts per 
message delivery request.



Q1 = So, can I assume it does not matter if the recipients are in the TO, CC, 
or BCC field, the hard limit is 1000 ?
Q2 = how do I search the logs for messages telling me I exceeded the limit ? 
what is the postconf entry to check if I am logging this stuff in first place ?

Q3 = is there danger in increasing limit so senders emails are delivered as 
they should be ? What other options are there ?

Thank you.


-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Bastian Blank
Sent: Friday, August 4, 2017 11:00 AM
To: postfix-users@postfix.org
Subject: Re: recipient limit question

On Fri, Aug 04, 2017 at 02:29:00PM +, Fazzina, Angelo wrote:
> Did my postfix instance limit the number of recipients in the email that was 
> sent ?

Yes, it restricts the amount of recipients to the number given.  Your
client needs to do another mail transaction with the remaining
recipients.  For more information see
https://tools.ietf.org/html/rfc5321#section-4.5.3.1.8

Bastian

-- 
Lots of people drink from the wrong bottle sometimes.
-- Edith Keeler, "The City on the Edge of Forever",
   stardate unknown


Re: recipient limit question

2017-08-04 Thread Bastian Blank
On Fri, Aug 04, 2017 at 02:29:00PM +, Fazzina, Angelo wrote:
> Did my postfix instance limit the number of recipients in the email that was 
> sent ?

Yes, it restricts the amount of recipients to the number given.  Your
client needs to do another mail transaction with the remaining
recipients.  For more information see
https://tools.ietf.org/html/rfc5321#section-4.5.3.1.8

Bastian

-- 
Lots of people drink from the wrong bottle sometimes.
-- Edith Keeler, "The City on the Edge of Forever",
   stardate unknown
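The retry Bastian describes, sketched as an added example (it is not part of the thread and is not Postfix or Outlook code): a Python sender that stops offering recipients at the first 452 and opens another mail transaction for the rest. `send_in_transactions` and `LimitedServer` are hypothetical names; the stand-in server and its reply texts are constructed so the block runs offline.

```python
import smtplib


def send_in_transactions(session, sender, recipients, message, max_rounds=100):
    """Send `message` to all `recipients`, starting a new mail transaction
    for the ones the server deferred with 452 (too many recipients).

    `session` needs smtplib.SMTP's mail(), rcpt(), data() and rset().
    Returns (delivered, failed); failed maps address -> (code, text).
    """
    pending, delivered, failed = list(recipients), [], {}
    for _ in range(max_rounds):
        if not pending:
            break
        code, text = session.mail(sender)
        if code != 250:
            raise smtplib.SMTPSenderRefused(code, text, sender)
        accepted, deferred = [], []
        for i, addr in enumerate(pending):
            code, text = session.rcpt(addr)
            if code in (250, 251):
                accepted.append(addr)
            elif code == 452:
                # Limit reached: stop offering recipients in this transaction
                # and carry this one and all later ones over to the next.
                deferred = pending[i:]
                break
            else:
                failed[addr] = (code, text)  # e.g. 550 unknown user
        if not accepted:
            session.rset()  # no progress possible, abandon the transaction
            break
        code, text = session.data(message)
        if code != 250:
            raise smtplib.SMTPDataError(code, text)
        delivered.extend(accepted)
        pending = deferred
    # Anything still pending was never accepted; report it instead of dropping it.
    for addr in pending:
        failed.setdefault(addr, (452, b"not sent: recipient limit"))
    return delivered, failed


class LimitedServer:
    """Constructed stand-in for an SMTP session that accepts at most `limit`
    recipients per mail transaction, as smtpd_recipient_limit does."""

    def __init__(self, limit, unknown=()):
        self.limit, self.unknown = limit, set(unknown)
        self.transactions = []  # recipients of each completed transaction
        self._current = []

    def mail(self, sender):
        self._current = []
        return 250, b"2.1.0 Ok"

    def rcpt(self, addr):
        if addr in self.unknown:
            return 550, b"5.1.1 User unknown"
        if len(self._current) >= self.limit:
            return 452, b"4.5.3 Error: too many recipients"
        self._current.append(addr)
        return 250, b"2.1.5 Ok"

    def data(self, message):
        self.transactions.append(self._current)
        self._current = []
        return 250, b"2.0.0 Ok: queued"

    def rset(self):
        self._current = []
        return 250, b"2.0.0 Ok"


def demo():
    # Constructed input: 1003 envelope recipients against a limit of 1000.
    rcpts = ["user%04d@example.org" % n for n in range(1003)]
    server = LimitedServer(limit=1000, unknown={"user0007@example.org"})
    delivered, failed = send_in_transactions(
        server, "sender@example.org", rcpts, b"Subject: test\r\n\r\nbody\r\n")
    return [len(t) for t in server.transactions], len(delivered), failed
```

With a real server, pass a connected `smtplib.SMTP` object as `session`; `smtplib.SMTP.sendmail()` itself does not open a second transaction for deferred recipients.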


RE: recipient limit question

2017-08-04 Thread Fazzina, Angelo
Isn't Systemd a RHEL 7 thing ?

I think I run rsyslog.

[root@mail5 home]# ps -ef |grep sys
root      1522     1  0 Jul11 ?        00:01:36 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
dbus      1537     1  0 Jul11 ?        00:00:00 dbus-daemon --system
root     30400 26453  0 10:51 pts/0    00:00:00 grep sys

[root@mail5 home]# uname -a
Linux mail5.uits.uconn.edu 2.6.32-696.3.1.el6.x86_64 #1 SMP Thu Apr 20 11:30:02 
EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@mail5 home]# more /etc/issue
Red Hat Enterprise Linux Server release 6.9 (Santiago)
Kernel \r on an \m





-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: Wietse Venema [mailto:wie...@porcupine.org] 
Sent: Friday, August 4, 2017 10:51 AM
To: Fazzina, Angelo 
Cc: Postfix users 
Subject: Re: recipient limit question

Fazzina, Angelo:
> Hi,
> 
> Did my postfix instance limit the number of recipients in the email
> that was sent ?

If you're missing recipients in the log, then that may be the result
of unhelpful systemd rate limiting. Systemd is not part of Postfix.

The Postfix scheduler has some safety features so that it will
process a large recipient list in smaller chunks, but it does not
throw them away.

wietse


Re: recipient limit question

2017-08-04 Thread Wietse Venema
Fazzina, Angelo:
> Hi,
> 
> Did my postfix instance limit the number of recipients in the email
> that was sent ?

If you're missing recipients in the log, then that may be the result
of unhelpful systemd rate limiting. Systemd is not part of Postfix.

The Postfix scheduler has some safety features so that it will
process a large recipient list in smaller chunks, but it does not
throw them away.

wietse


recipient limit question

2017-08-04 Thread Fazzina, Angelo
Hi,

Did my postfix instance limit the number of recipients in the email that was 
sent ?


I was reading this  at this link http://www.postfix.org/postconf.5.html

default_extra_recipient_limit (default: 1000)

The default value for the extra per-transport limit imposed on the number of 
in-memory recipients. This extra recipient space is reserved for the cases when 
the Postfix queue manager's scheduler preempts one message with another and 
suddenly needs some extra recipients slots for the chosen message in order to 
avoid performance degradation.

Use 
transport_extra_recipient_limit
 to specify a transport-specific override, where transport is the 
master.cf name of the message delivery 
transport.

I have an email that was sent to [I don't know how many, still waiting for an 
answer] but logs show it went to 1000, and I see 3 more users that
There is no record the email was sent.  ALL the users were in the BCC field of 
the screen shot if that is important, and FROM and TO are same address.

All I have so far is sender screen shot of outlook email. The account profile 
in Outlook is configured to send to my postfix server directly as seen in logs 
below.

Actual log entries:   $$=  me removing data

Jul 10 10:39:15 mail5 postfix/smtpd[29198]: D7E6522C: 
client=d115h207.public.uconn.edu[137.99.115.207], sasl_method=LOGIN, 
sasl_username= $$
Jul 10 10:39:17 mail5 postfix/cleanup[29188]: D7E6522C: warning: header 
Subject: Fall 2017 Important Reminder Emails  from 
d115h207.public.uconn.edu[137.99.115.207]; from= 
to= proto=ESMTP helo=<1GK4LC2>
Jul 10 10:39:17 mail5 postfix/cleanup[29188]: D7E6522C: 
message-id=<042c01d2f98a$4eb3e060$ec1ba120$@uconn.edu>
Jul 10 10:39:17 mail5 postfix/qmgr[1730]: D7E6522C: from=, 
size=10821, nrcpt=1000 (queue active)

couple samples.
Jul 10 10:39:50 mail5 postfix/smtp[28794]: D7E6522C: 
to=, 
relay=d121027b.ess.barracudanetworks.com[64.235.154.140]:25, delay=34, 
delays=1.7/0.07/0.23/32, dsn=2.0.0, status=sent (250 OK 
(matthew.den...@uconn.edu:250 Ok: queued as 
68751F009D,matthew.g...@uconn.edu:250 Ok: queued as 68751F009D,matthew.ger...))
Jul 10 10:39:25 mail5 postfix/smtp[29000]: D7E6522C: 
to=, 
relay=d121027b.ess.barracudanetworks.com[64.235.153.2]:25, delay=9.8, 
delays=1.7/0.05/0.33/7.7, dsn=2.0.0, status=sent (250 OK 
(boyd.re...@uconn.edu:250 Ok: queued as 
44ECF2440093,brady.flana...@uconn.edu:250 Ok: queued as 
44ECF2440093,brendan.l...))
Jul 10 10:39:23 mail5 postfix/smtp[28999]: D7E6522C: 
to=, 
relay=d121027b.ess.barracudanetworks.com[64.235.150.252]:25, delay=7.8, 
delays=1.7/0.06/0.09/6, dsn=2.0.0, status=sent (250 OK 
(cassidy.o'l...@uconn.edu:250 Ok: queued as 
638D524400C1,cassie.radzano...@uconn.edu:250 Ok: queued as 638D524400C1,ca...))
 stops at the 1000th.

Jul 10 10:39:50 mail5 postfix/qmgr[1730]: D7E6522C: removed


Here is some config output of my 2.6.6 install

[root@mail5 home]# postconf |grep -i limit |grep -i recip
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_recipient_limit = 2
default_recipient_refill_limit = 100
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
lmtp_destination_recipient_limit = $default_destination_recipient_limit
local_destination_recipient_limit = 1
qmgr_message_recipient_limit = 2
recipient_delimiter =
relay_destination_recipient_limit = $default_destination_recipient_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtpd_client_recipient_rate_limit = 0
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
virtual_destination_recipient_limit = $default_destination_recipient_limit


-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075
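One way to look for the situation in this post, as an added example that is not part of the original message: a Python scan that flags queue IDs whose qmgr `nrcpt=` value reached the configured `smtpd_recipient_limit`, together with the submitting client and SASL user. Treating `nrcpt` equal to the limit as a sign of a capped message is a heuristic assumed here (a message sent to exactly that many recipients looks the same); `find_capped_messages` is a hypothetical name and the log lines are constructed, with a limit of 3 to keep the sample short.

```python
import re
from collections import defaultdict

# Short hexadecimal queue IDs, as in the log excerpt in this post (assumption:
# long queue IDs are not enabled).
ENTRY = re.compile(
    r"postfix/(?P<daemon>[\w/]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
NRCPT = re.compile(r"\bnrcpt=(\d+)")
CLIENT = re.compile(r"\bclient=([^,\s]+)")
SASL_USER = re.compile(r"\bsasl_username=([^,\s]+)")
STATUS = re.compile(r"\bstatus=(\w+)")


def find_capped_messages(lines, recipient_limit):
    """Return one record per queue ID whose nrcpt= reached recipient_limit."""
    seen = defaultdict(lambda: {"client": None, "sasl_username": None,
                                "nrcpt": 0, "status": defaultdict(int)})
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        rec, daemon, rest = seen[m["qid"]], m["daemon"], m["rest"]
        if daemon.endswith("smtpd"):
            # smtpd (or submission/smtpd) records who handed the message in.
            client, user = CLIENT.search(rest), SASL_USER.search(rest)
            if client:
                rec["client"] = client.group(1)
            if user:
                rec["sasl_username"] = user.group(1)
        elif daemon == "qmgr":
            n = NRCPT.search(rest)
            if n:
                rec["nrcpt"] = int(n.group(1))
        else:
            # Delivery agents (smtp, lmtp, local, ...) log one line per recipient.
            status = STATUS.search(rest)
            if status:
                rec["status"][status.group(1)] += 1
    return [
        {"queue_id": qid, "client": rec["client"],
         "sasl_username": rec["sasl_username"], "nrcpt": rec["nrcpt"],
         "status": dict(rec["status"])}
        for qid, rec in seen.items() if rec["nrcpt"] >= recipient_limit
    ]


# Constructed sample log; host names, addresses and queue IDs are made up.
SAMPLE_LOG = """\
Jul 10 10:39:15 mx1 postfix/smtpd[2001]: A1B2C3D4: client=pc1.example.org[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jul 10 10:39:17 mx1 postfix/qmgr[1730]: A1B2C3D4: from=<alice@example.org>, size=10821, nrcpt=3 (queue active)
Jul 10 10:39:18 mx1 postfix/smtp[2100]: A1B2C3D4: to=<u1@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1, dsn=2.0.0, status=sent (250 Ok)
Jul 10 10:39:18 mx1 postfix/smtp[2100]: A1B2C3D4: to=<u2@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1, dsn=2.0.0, status=sent (250 Ok)
Jul 10 10:39:19 mx1 postfix/smtp[2101]: A1B2C3D4: to=<u3@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=2, dsn=2.0.0, status=sent (250 Ok)
Jul 10 10:39:20 mx1 postfix/qmgr[1730]: A1B2C3D4: removed
Jul 10 10:41:02 mx1 postfix/smtpd[2002]: B5C6D7E8: client=pc2.example.org[192.0.2.11], sasl_method=LOGIN, sasl_username=bob
Jul 10 10:41:03 mx1 postfix/qmgr[1730]: B5C6D7E8: from=<bob@example.org>, size=900, nrcpt=1 (queue active)
Jul 10 10:41:04 mx1 postfix/smtpd[2002]: warning: constructed line without a queue ID
"""


def demo():
    return find_capped_messages(SAMPLE_LOG.splitlines(), recipient_limit=3)
```

On a live system, read the limit from `postconf -h smtpd_recipient_limit` and feed the function the mail log line by line; each hit names a sender to ask how many recipients the original message had.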



Re: Why there is no `reject_rbl_sender` restriction?

2017-08-04 Thread Matus UHLAR - fantomas

You ask each dnsbl for client IP, now you will ask them for each A or MX
record. That means, number of DNSBL lookups will increase at least two times
(for each dnsbl you already query).


On 03.08.17 17:04, Martin Jiřička wrote:

Hmm, I am not server administrator by profession, so maybe I do not
understand it enough, but I would only add one more restriction on
domain in MAIL FROM header, that would make one DNS lookup (getting IP
for the domain) and one DNSBL lookup (checking that IP in Spamhaus).
That are two lookups, aren't they? It is true that it is not clear
whether to get A or MX records for the domain. For my example the
blacklisted IP address is within A record. I guess there is usually
only one A record for each domain?


What I was trying to say is that (if there was 1 A record per domain), the
number of spamhaus lookups would increase two times.

If you check MX records, number of lookups can increase even more.


Note that some dnsbls require (paid) subscription if you use them too much.


This is my first mail server so I need to check which restrictions
work best. Then I will optimize number and order of restrictions.


hopefully you find it out before get blocked by spamhaus :-)

as Allen recommended, it's good to have local whitelist for any kinds of
DNSBL lookups.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: Switch from LDA to Postfix - Dovecot LMTP delivery (with virtual users)

2017-08-04 Thread Nikolaos Milas

On 4/8/2017 1:59 PM, Alex JOST wrote:

> Dovecot needs to know about the user. What does 'doveadm user -u 
> imaptes...@noa.gr' print?


Thank you Alex,

I just found the problem. After switching to LMTP, Dovecot receives from 
Postfix a fully qualified username, whereas with LDA it was receiving a 
'naked' username.


Thus, although I had %u (instead of %n, see below), it was working right 
with LDA.


So, I had to change my dovecot ldap component so that it uses only the 
username, i.e.:


   hosts = localhost
   tls = no
   base = ou=people, dc=noa, dc=gr
   scope = onelevel
   ldap_version = 3
   dn = uid=auth,ou=Sys,dc=noa,dc=gr
   dnpass = secret
   auth_bind = yes
   user_filter = (uid=%n)
   pass_filter = (uid=%n)
   pass_attrs = uid=user,userPassword=password
   auth_bind_userdn = uid=%n,ou=people,dc=noa,dc=gr
   user_attrs = roomNumber=quota_rule=*:bytes=%$,uid=home=/home/vmail/%n
   iterate_filter = (objectClass=*)

Cheers,
Nick



Re: Switch from LDA to Postfix - Dovecot LMTP delivery (with virtual users)

2017-08-04 Thread Alex JOST

On 04.08.2017 at 11:37, Nikolaos Milas wrote:

> Hello,
>
> I am setting up a new box with Postfix 3.2.2 and Dovecot.
>
> Until now I have been using LDA delivery successfully. On the new server 
> LDA setup works fine too, but I am considering to move to LMTP.
>
> IMPORTANT NOTE: It is important in my setup to keep functional all 
> virtual_alias_maps & virtual_mailbox_maps.
>
> I've followed the directions at: 
> https://wiki.dovecot.org/HowTo/PostfixDovecotLMTP but LMTP delivery does 
> not work.
>
> Here is a session:
>
> Aug  4 12:19:42 vmail2 postfix/lmtp[3151]: 64EF58EE1BCBE: 
> to=, relay=vmail2.noa.gr[private/dovecot-lmtp], 
> delay=0.21, delays=0.17/0.015/0.01/0.015, dsn=5.1.1, status=bounced 
> (host vmail2.noa.gr[private/dovecot-lmtp] said: 550 5.1.1 
>  User doesn't exist: imaptes...@noa.gr (in reply to 
> RCPT TO command))


Dovecot needs to know about the user. What does 'doveadm user -u 
imaptes...@noa.gr' print?


--
Alex JOST


Re: Why there is no `reject_rbl_sender` restriction?

2017-08-04 Thread Martin Jiřička
> It seems natural (for me at least) to introduce a new map type
> dnsbl: that maps those IP addresses to an action.

That would be amazing! If I get it right this would also deprecate
e.g. `reject_rhsbl_client` and `reject_rbl_client`. As a Postfix
novice I would appreciate the reduction of configuration parameters,
it is sometimes quite confusing to look at a long list of parameters
that all do similar thing and trying to spot a difference in its
description.


MJ


Switch from LDA to Postfix - Dovecot LMTP delivery (with virtual users)

2017-08-04 Thread Nikolaos Milas

Hello,

I am setting up a new box with Postfix 3.2.2 and Dovecot.

Until now I have been using LDA delivery successfully. On the new server 
LDA setup works fine too, but I am considering to move to LMTP.


IMPORTANT NOTE: It is important in my setup to keep functional all 
virtual_alias_maps & virtual_mailbox_maps.


I've followed the directions at: 
https://wiki.dovecot.org/HowTo/PostfixDovecotLMTP but LMTP delivery does 
not work.


Here is a session:

Aug  4 12:19:42 vmail2 postfix/submission/smtpd[3145]: connect from 
admin3.astro.noa.gr[195.251.202.163]
Aug  4 12:19:42 vmail2 postfix/submission/smtpd[3145]: Anonymous TLS 
connection established from admin3.astro.noa.gr[195.251.202.163]: 
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  4 12:19:42 vmail2 postfix/submission/smtpd[3145]: 64EF58EE1BCBE: 
client=admin3.astro.noa.gr[195.251.202.163], sasl_method=PLAIN, 
sasl_username=nmilas
Aug  4 12:19:42 vmail2 postfix/cleanup[3150]: 64EF58EE1BCBE: 
message-id=
Aug  4 12:19:42 vmail2 opendkim[20675]: 64EF58EE1BCBE: DKIM-Signature 
field added (s=default, d=noa.gr)
Aug  4 12:19:42 vmail2 postfix/qmgr[3131]: 64EF58EE1BCBE: 
from=, size=821, nrcpt=1 (queue active)
Aug  4 12:19:42 vmail2 postfix/lmtp[3151]: 64EF58EE1BCBE: 
to=, relay=vmail2.noa.gr[private/dovecot-lmtp], 
delay=0.21, delays=0.17/0.015/0.01/0.015, dsn=5.1.1, status=bounced 
(host vmail2.noa.gr[private/dovecot-lmtp] said: 550 5.1.1 
 User doesn't exist: imaptes...@noa.gr (in reply to 
RCPT TO command))
Aug  4 12:19:42 vmail2 postfix/cleanup[3150]: 8DDF28EE1BCC6: 
message-id=<20170804091942.8ddf28ee1b...@vmail2.noa.gr>
Aug  4 12:19:42 vmail2 postfix/qmgr[3131]: 8DDF28EE1BCC6: from=<>, 
size=3275, nrcpt=1 (queue active)
Aug  4 12:19:42 vmail2 postfix/bounce[3153]: 64EF58EE1BCBE: sender 
non-delivery notification: 8DDF28EE1BCC6

Aug  4 12:19:42 vmail2 postfix/qmgr[3131]: 64EF58EE1BCBE: removed
Aug  4 12:19:42 vmail2 postfix/lmtp[3151]: 8DDF28EE1BCC6: 
to=, relay=vmail2.noa.gr[private/dovecot-lmtp], 
delay=0.015, delays=0.004/0.001/0.001/0.01, dsn=5.1.1, status=bounced 
(host vmail2.noa.gr[private/dovecot-lmtp] said: 550 5.1.1 
 User doesn't exist: nmi...@noa.gr (in reply to RCPT TO 
command))

Aug  4 12:19:42 vmail2 postfix/qmgr[3131]: 8DDF28EE1BCC6: removed
Aug  4 12:19:42 vmail2 postfix/submission/smtpd[3145]: disconnect from 
admin3.astro.noa.gr[195.251.202.163] ehlo=2 starttls=1 auth=1 mail=1 
rcpt=1 data=1 quit=1 commands=8


Can you please help me with figuring out what I am doing wrong?

The setup (postconf -n) with LDA, follows below (working correctly).

# postconf -n
alias_database = hash:/etc/postfix/aliases, 
hash:/etc/postfix/aliases.d/virtual_aliases

alias_maps = hash:/etc/aliases
allowed_gein = check_client_access 
cidr:/etc/postfix/gein_admin_ips.cidr,reject
allowed_iaasars = check_client_access 
cidr:/etc/postfix/iaasars_admin_ips.cidr,reject
allowed_list1 = check_sasl_access 
hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = check_sasl_access 
hash:/etc/postfix/allowed_groupmail_users2,reject
allowed_meteo = check_client_access 
cidr:/etc/postfix/meteo_admin_ips.cidr,reject

broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin 
xxgdb $daemon_directory/$process_name $process_id & sleep 5

default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
dovecot_destination_recipient_limit = 1
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = NOA Mail Srv XAPITI XPICTOY
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 
127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, 
[2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64

myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_client_restric

HISTORY file typo

2017-08-04 Thread John Fawcett
Hi

Just saw this comment in the HISTORY file and noticed that the original
and replaced values look just the same.

20170704

Typos (introduced: Postfix 2.10): in comments about
IPv4-in-IPv6 addresses, replace :::1.2.3.4 with the
correct form :::1.2.3.4. Incorrect or misleading comments
are worse than no comments. Files: smtpd/smtpd_haproxy.c,
postscreen/postscreen_haproxy.c.

In the smtpd_haproxy.c file itself the new value is :::1.2.3.4

John



Re: postfix-tls error

2017-08-04 Thread hyndavirapuru

> On Thu, Aug 03, 2017 at 12:19:55PM +0530, hyndavirap...@bel.co.in wrote:
>
>> > He's not posted the configuration of the sending system or
>> > its logs.  This is a waste of everyone's time.
>
> The relevant logging is the TLS-related logging from the sending
> postfix/smtp client process that happens *before* the message is
> finally deferred and is enabled via smtp_tls_loglevel=1.
>
>> smtp_enforce_tls = yes
>
> Instead, "smtp_tls_security_level = encrypt".
>
>> smtp_tls_loglevel = 1
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> Post the relevant tls policy table entry.
>
>> smtp_use_tls = yes
>
> This is unnecessary.
>
>> transport_maps = hash:/etc/postfix/transportmap
>>
>> Aug  3 12:11:54 AHQ postfix/smtp[8325]: 4B68168543FC:
>> to=, orig_to=,
>> relay=201.123.1.4[201.123.1.4]:25, delay=34, delays=34/0/0/0, dsn=4.7.5,
>> status=deferred (Server certificate not verified)
>
> The server certificate failed to verify.  Perhaps expired, perhaps
> not issued by the CA you've configured, or a missing intermediate
> certificate, or the certificate is not suitable for TLS (maybe it
> has some other extended key usage), or ...
>
>> Can you help me to solve this problem
>
> Not without the requested logging, and copy of the server and CA
> certificates.
>
> --
>   Viktor.
>



hi Viktor,


TLS logging is as below,


Aug  4 11:52:29 AHQ postfix/smtp[11652]: initializing the client-side TLS
engine
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25: TLS
cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:before/connect
initialization
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv2/v3 write client
hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
hello A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
certificate verification depth=1 verify=1
subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=CA/emailAddress=ca_ad...@bel.co.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
certificate verification depth=0 verify=1
subject=/C=IN/ST=KARNATAKA/L=BANGALORE/O=BEL/OU=CRL/CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
certificate A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server key
exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server done A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write client
key exchange A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write change
cipher spec A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 write finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 flush data
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read server
session ticket A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: SSL_connect:SSLv3 read finished A
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25
CommonName 1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 201.123.1.4[201.123.1.4]:25:
subject_CN=1CorpHQ/emailaddress=1corphq_smtp_ad...@tcs.mil.in,
issuer_CN=CA/emailAddress=ca_ad...@bel.co.in,
fingerprint=99:EE:C4:42:4B:89:4F:1D:4C:93:18:48:7B:EA:90:9D,
pkey_fingerprint=5D:0D:58:AF:8B:A8:2C:D5:5F:9F:D2:DB:29:89:57:BD
Aug  4 11:52:29 AHQ postfix/smtp[11652]: Trusted TLS connection
established to 201.123.1.4[201.123.1.4]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug  4 11:52:29 AHQ postfix/smtp[11652]: 249ED60E5225:
to=, orig_to=,
relay=201.123.1.4[201.123.1.4]:25, delay=0.05, delays=0.04/0.01/0.01/0,
dsn=4.7.5, status=deferred (Server certificate not verified)


tls_policy entry is given below

[201.123.1.4]:25    secure  match=1CorpHQ


I have checked server certificate against ca cert using openssl command.
it is fine

[root@AHQ certs]# openssl verify -verbose -CAfile cacert.pem
1corphq_smtp_ad...@tcs.mil.in.pem
1corphq_smtp_ad...@tcs.mil.in.pem: OK

and the same ca certificate is existing in ca-bundle.crt


I'm attaching 1CorpHQ server certificate details with the mail

-- 
Thanks & Regards
Hyndavi rapuru
Member( Research Staff)
Central Research Laboratory
Bharat Electronics Ltd
Jalahalli
Bangalore- 560 013

Int Ph No: 134
Off Ph No: 080-28381125
Off Fax No: 28381168

