Re: LDAP related "postconf: warning" with most recent build
Ralf Hildebrandt:
> % postconf -h queue_directory
>
> gives me a lot of LDAP related warnings:
>
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> query_filter=(proxyAddresses=smtp:%s)
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> start_tls=yes
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> bind_pw=xxx
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> version=3
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> bind_dn=yyy
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> server_host=10.28.0.31? 10.28.0.32
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> result_attribute=mail
> postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter:
> search_base=dc=laborberlin,dc=intern
>
> mail_version = 3.3-20170730

Does not reproduce when I create a file with those entries, and use it as alias_maps.

    % cat /etc/postfix/laborberlin.com.cf
    query_filter=(proxyAddresses=smtp:%s)
    start_tls=yes
    bind_pw=xxx
    version=3
    bind_dn=yyy
    server_host=10.28.0.31? 10.28.0.32
    result_attribute=mail
    search_base=dc=laborberlin,dc=intern
    foo=bar

    % postconf >/dev/null
    postconf: warning: /etc/postfix/main.cf, line 649: overriding earlier entry: alias_maps=proxy:hash:/etc/aliases
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: foo=bar

        Wietse
Re: Restrict outgoing/submission to defined local or virtual users
First time I've tried the inline map type. And, I think the spaces may have been what was hosing my earlier attempts.

Appreciate the pointer very much. Will give this a go.

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: MX backup doesn't queue
On 2017-09-01 22:57 Noel Jones wrote:
> [..]
> On the backup MX:
> [..]

Well, finally we did it!

Basically I think we can say that the backup server does not have to recognize as local, domains and addresses.

This is what I did:

"server1.org" the.backed-up.domain.tld (primary domain)
"server2.org" the backup MX (secondary domain)

1) never list in mydomains/myhostname the primary server domain.

2) never list in virtual_alias_domains the primary server domain. I've commented it.

3) never list in mailbox_domains or in virtual_mailbox_domains the primary domain. I've commented it.

4) do not list in virtual_alias_maps the primary domain. I've commented it.

5) this is useless: smtpd_sender_login_maps. I've commented it.

6) myorigin = $myhostname

7) mydestination = server2.org, localhost.server2.org, localhost

8) always list in relay_domains every domain (virtual too).
   To do so via mysql, add in main.cf the following files and their configurations:

    relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf

   then create a file called "/etc/postfix/mysql-relay-domains.cf" with content:

    user = user-db-postfix
    password = my-password
    hosts = 127.0.0.1
    dbname = db-postfix-server
    query = SELECT name FROM virtual_domains WHERE name='%s'

   (the query content depends on the database structure)

9) then add in main.cf:

    relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipient-maps.cf

   create file "/etc/postfix/mysql-relay-recipient-maps.cf" with content:

    user = user-db-postfix
    password = my-password
    hosts = 127.0.0.1
    dbname = db-postfix-server
    query = SELECT email FROM virtual_users WHERE email = '%s'

   (the query content depends on the database structure)

10) to ensure that aliases are also accepted (is it correct?), add in main.cf too:

    relay_recipient_maps = mysql:/etc/postfix/mysql-alias-relay-recipient-maps.cf

    (relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipient-maps.cf,mysql:/etc/postfix/mysql-alias-relay-recipient-maps.cf)

   create file "/etc/postfix/mysql-alias-relay-recipient-maps.cf" whose content must be:

    user = user-db-postfix
    password = my-password
    hosts = 127.0.0.1
    dbname = db-postfix-server
    query = SELECT source FROM virtual_aliases WHERE source = '%s'

   (the query content depends on the database structure)

//

I hope, if this is right, this scheme may be of help to others.

//

Thanks to all
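A static check of a backup MX main.cf against the rules in the post above, as an added example that is not part of the original message: it flags the primary domain listed in a local or virtual domain class, a missing relay_domains or relay_recipient_maps, and a parameter defined twice (the two separate relay_recipient_maps lines of step 10, where only the combined form keeps both maps). The function names and the sample main.cf are constructed for illustration; the check reads only main.cf text and does not look inside MySQL or other lookup tables.

```python
import re

# Classes that must NOT list the primary domain on the backup MX (steps 2, 3, 7).
LOCAL_CLASSES = ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains")
# Settings the backup MX needs to relay and to validate recipients (steps 8-10).
REQUIRED = ("relay_domains", "relay_recipient_maps")

def parse_main_cf(text):
    """Return ({name: value}, [names defined more than once]) for main.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    params, dups = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            name = name.strip()
            if name in params:
                dups.append(name)
            params[name] = value.strip()  # a later entry overrides the earlier one
    return params, dups

def lint_backup_mx(text, primary_domain):
    """List rule violations in a backup MX main.cf; an empty list means none found."""
    params, dups = parse_main_cf(text)
    findings = [f"{n}: defined more than once, only the last entry is used" for n in dups]
    for name in LOCAL_CLASSES:
        entries = re.split(r"[,\s]+", params.get(name, "").lower())
        if primary_domain.lower() in entries:
            findings.append(f"{name}: lists {primary_domain}, which should only be relayed")
    for name in REQUIRED:
        if not params.get(name):
            findings.append(f"{name}: not set")
    return findings

# Constructed sample: server2.org is the backup MX for server1.org.
SAMPLE = """\
myorigin = $myhostname
mydestination = server2.org, localhost.server2.org,
    localhost, server1.org
relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipient-maps.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-alias-relay-recipient-maps.cf
"""

if __name__ == "__main__":
    for finding in lint_backup_mx(SAMPLE, "server1.org"):
        print(finding)
```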
Re: Restrict outgoing/submission to defined local or virtual users
On 9/5/2017 3:39 PM, techlist06 wrote:
> Just what I was hoping for, the easy button. Thank you.
>
> What about the one (valid) sender I want to prevent? I've got an IMAP
> account setup for spam reporting, I want to be sure no one who has access to
> it sends anything from that account.
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Use a check_sender_access map to reject that one sender. You can't use spaces in master.cf, so do something like:

main.cf:

    submission_sender_restrictions =
      reject_unlisted_sender,
      check_sender_access inline:{ s...@example.com=REJECT }

master.cf:

    ...
    submission ...
      -o smtpd_sender_restrictions=$submission_sender_restrictions

My example uses the inline: map type, which is great for simple tables with few elements, but any postfix map type may be used.
http://www.postfix.org/DATABASE_README.html#types

  -- Noel Jones
Re: Restrict outgoing/submission to defined local or virtual users
Just what I was hoping for, the easy button. Thank you.

What about the one (valid) sender I want to prevent? I've got an IMAP account setup for spam reporting, I want to be sure no one who has access to it sends anything from that account.

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: Restrict outgoing/submission to defined local or virtual users
On 9/5/2017 2:48 PM, techlist06 wrote:
> Postfix 3.2.2, Centos7. All functioning as configured. I have a few local
> accounts, several virtual addresses delivered to those accounts, and some
> domains relayed, the latter do not submit mail through this box.
>
> All local accounts send via TLS authentication on 587. Currently I don't
> think I have any restrictions on what an outbound address can be. I do have
> some aliases so I do not want to restrict to logon names only.
>
> Is it possible to restrict outgoing mail to be from one of my "valid" local
> or virtual aliases? And I want to restrict outbound from one address in
> particular.
>
> I looked here:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
> but if the answer is there I'd be grateful for some more help, I didn't get
> it. On or off-list.
>
> Right now my submission section of master.cf is below. I tried adding
> something here as -o o smtpd_sender_restrictions but didn't get that right.
>
> submission inet n       -       n       -       -       smtpd
> ## subsequent indented lines override main.cf settings.
>   -o content_filter=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o syslog_name=postfix-submission
>   -o milter_macro_daemon_name=ORIGINATING
>
> Happy to provide all the configs if needed.

The easiest way would be to add

      -o smtpd_sender_restrictions=reject_unlisted_sender

http://www.postfix.org/postconf.5.html#reject_unlisted_sender

  -- Noel Jones
Restrict outgoing/submission to defined local or virtual users
Postfix 3.2.2, Centos7. All functioning as configured. I have a few local accounts, several virtual addresses delivered to those accounts, and some domains relayed, the latter do not submit mail through this box.

All local accounts send via TLS authentication on 587. Currently I don't think I have any restrictions on what an outbound address can be. I do have some aliases so I do not want to restrict to logon names only.

Is it possible to restrict outgoing mail to be from one of my "valid" local or virtual aliases? And I want to restrict outbound from one address in particular.

I looked here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
but if the answer is there I'd be grateful for some more help, I didn't get it. On or off-list.

Right now my submission section of master.cf is below. I tried adding something here as -o o smtpd_sender_restrictions but didn't get that right.

    submission inet n       -       n       -       -       smtpd
    ## subsequent indented lines override main.cf settings.
      -o content_filter=
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o syslog_name=postfix-submission
      -o milter_macro_daemon_name=ORIGINATING

Happy to provide all the configs if needed.
Re: What user should be specified for the opendkim -u UID option?
> Tom Browder:
>> Does everyone agree with pgndev's detailed cookbook recipe?

On 03.09.17 14:55, Wietse Venema wrote:
> No, that advice is incorrect.
>
> 1) Specify the opendkim '-u' option with an account that is not used
>    by anything else. Not postfix. Not . Not your personal account.
>
> 2) Make opendkim files/directories owned by root and writable only
>    by root.

what about readable by opendkim?

> 3) Start opendkim as root (DO NOT use systemd user/group settings),

with the above, starting under opendkim:opendkim should be fine.
Of course, unless someone other has access to the opendkim group

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
unknown mime types for some websites' postfix-3.2.2.RELEASE_NOTES & postfix-3.2.2.HISTORY?
On the web site, when the links for ReleaseNotes or History are

    https://archive.mgm51.com/mirrors/postfix-source/official/postfix-3.2.2.RELEASE_NOTES
    https://archive.mgm51.com/mirrors/postfix-source/official/postfix-3.2.2.HISTORY

When I click on one of these, the link doesn't open the page in the browser to read. Instead it tries to DL it as a ".BIN" filetype. No option is given for saving the FileType in the browser as far as I see.

I think this is because some of the servers don't set the mime type for those extensions.

Other hosts, like

    https://de.postfix.org/ftpmirror/official/postfix-3.2.2.RELEASE_NOTES

work OK. The files open & display right in the browser.

I don't know what the solution is for the servers. Maybe those links could be rewritten to "postfix-3.2.2.RELEASE_NOTES.txt" to get around broken servers?
LDAP related "postconf: warning" with most recent build
    % postconf -h queue_directory

gives me a lot of LDAP related warnings:

    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: query_filter=(proxyAddresses=smtp:%s)
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: start_tls=yes
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: bind_pw=xxx
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: version=3
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: bind_dn=yyy
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: server_host=10.28.0.31? 10.28.0.32
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: result_attribute=mail
    postconf: warning: ldap:/etc/postfix/laborberlin.com.cf: unused parameter: search_base=dc=laborberlin,dc=intern

    mail_version = 3.3-20170730

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Specify DNSBL reject code in postscreen reply map?
I'm trying to understand reply maps' use. Specifically postscreen's.

If I set up config in main.cf as

    default_rbl_reply = $rbl_code [P4] Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
    postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
    rbl_reply_maps = ${stress?lmdb:/etc/postfix/rbl_reply_maps}

and

/etc/postfix/rbl_reply_maps

    b.barracudacentral.org=127.0.0.2 521 4.7.1 Service unavailable; $rbl_class [TEST1] [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

/etc/postfix/postscreen_dnsbl_reply_map.pcre

    /barracudacentral\.org$/ [TEST2] DNSBL[Barracuda]

When postscreen hits on a Barracuda DNSBL, my logs show

    Sep 3 02:12:55 virt1 postfix/postscreen[53233]: NOQUEUE: reject: RCPT from [37.49.226.131]:5897: 550 5.7.1 Service unavailable; client [37.49.226.131] blocked using [TEST2] DNSBL[Barracuda]; from=, to=, proto=SMTP, helo=

So obviously the postscreen_dnsbl_reply_map is kicking in. But it's rejecting with the default "550 5.7.1".

What do I need to edit if I want postscreen to reject -- in this example -- Barracuda hits with "521 4.7.1", leaving the default as-is?