Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
You're right, I'm learning to write a systemd-style script, but I'm not familiar with postmulti.

-- 
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
> I know was postmulti arguments problem, but I want to know is: is this
> postfix version difference or ubuntu make some change, or
> /etc/init.d/postfix has some special?

The Debian / Ubuntu start script probably expects some distribution-specific configuration to be in place.

Your best bet is to remove the existing init script for postfix and create a systemd unit for your needs.

-- 
Christian Kivalo
Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
I know, but I removed quiet-quick-start in /etc/init.d/postfix and it still failed; now the log was:

    Sep 13 10:47:54 xiedeacc postmulti[7989]: fatal: Specify exactly one of '-e', '-l', '-p', '-x'
    Sep 13 10:48:33 xiedeacc postfix/postfix-script[8095]: error: unknown command: ''
    Sep 13 10:48:33 xiedeacc postfix/postfix-script[8096]: fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)
    Sep 13 10:48:45 xiedeacc postfix/postfix-script[8207]: error: unknown command: ''
    Sep 13 10:48:45 xiedeacc postfix/postfix-script[8208]: fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)

I know it was a postmulti arguments problem, but what I want to know is: is this a Postfix version difference, or did Ubuntu make some change, or does /etc/init.d/postfix have something special?
Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
On Tue, Sep 12, 2017 at 07:32:03PM -0700, xiedeacc wrote:

> hi all, use systemd start postfix failed, here is detail:
>
> postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
> postfix/postfix-script[6736] fatal: usage: postfix start (or stop, reload,
> abort, flush, check, status, set-permissions, upgrade-configuration)

This is quite clear. The upstream postfix.org source distribution does not have a "postfix quiet-quick-start" command. See:

    http://www.postfix.org/postfix.8.html

That particular command must be an Ubuntu or Debian extension for systemd. If you build your Postfix package, you need to provide your own systemd configuration that matches that package. The upstream Postfix has no specific systemd support, that's up to the O/S distribution package maintainers.

-- 
Viktor.
postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
Hi all, starting postfix with systemd failed; here is the detail:

My OS is ubuntu-gnome 16.04.03. First I used apt install postfix and other software; for some reason, I reinstalled it from compiled source code, version was postfix-3.2.2. It installed successfully, but when I use systemctl start postfix, it fails:

    postfix.service - LSB: Postfix Mail Transport Agent
       Loaded: loaded (/etc/init.d/postfix; bad; vendor preset: enabled)
      Drop-In: /run/systemd/generator/postfix.service.d
               └─50-postfix-$mail-transport-agent.conf
       Active: failed (Result: exit-code) since 三 2017-09-13 09:13:09 CST; 8s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 6642 ExecStart=/etc/init.d/postfix start (code=exited, status=1/FAILURE)

    9月 13 09:13:07 xiedeacc.com systemd[1]: Starting LSB: Postfix Mail Transport Agent...
    9月 13 09:13:07 xiedeacc.com postfix[6642]: * Starting Postfix Mail Transport Agent postfix
    9月 13 09:13:08 xiedeacc.com postfix/postfix-script[6736]: fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)
    9月 13 09:13:09 xiedeacc.com postfix[6642]:...fail!
    9月 13 09:13:09 xiedeacc.com systemd[1]: postfix.service: Control process exited, code=exited status=1
    9月 13 09:13:09 xiedeacc.com systemd[1]: Failed to start LSB: Postfix Mail Transport Agent.
    9月 13 09:13:09 xiedeacc.com systemd[1]: postfix.service: Unit entered failed state.
    9月 13 09:13:09 xiedeacc.com systemd[1]: postfix.service: Failed with result 'exit-code'.

Here is /var/log/mail.log:

    postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
    postfix/postfix-script[6736] fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)
Re: install postfix from source code, cannot start with systemd
Here is the mail log; for the post title, I decided to ask a new question:

    postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
    postfix/postfix-script[6736] fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)
Re: Fail2ban integration questions
On 09/12/17 14:19, Marat Khalili wrote:
> If your firewall is capable of running fail2ban, I'd consider sending
> postscreen logs to it instead.

Hmm. That's an option I hadn't considered. The firewall is an embedded device (Ubiquiti EdgeRouter POE/5), so I don't have a gigantic amount of RAM or storage to play with, and I've already added Shorewall and a couple of supporting tools.

-- 
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: Fail2ban integration questions
On 12/09/17 18:19, Phil Stracchino wrote:
> Has anyone set up fail2ban to trigger from postscreen rejections and
> apply blocks to a firewall on a separate host? And if so, any tips to
> share?

Solved simpler task: separate host (container actually) but still iptables. Cloned iptables-multiport.conf and iptables-common.conf for this. Particularly problematic was the fact that hosts can be rebooted separately, and fail2ban tries to stop all filters on own exit and start again on own restart. Instead, you probably want rules to persist on non-fail2ban host when either host is rebooted. I don't have good solution for this, made it kinda work with series of kludges (good solution would probably require changing fail2ban source).

If your firewall is capable of running fail2ban, I'd consider sending postscreen logs to it instead.

-- 
With Best Regards,
Marat Khalili
Re: Fail2ban integration questions
On 09/12/17 12:32, Noel Jones wrote:
> Tip #1: Ignore these. The log entries are annoying, but other than
> logs this causes pretty close to zero impact on your system.

> Tip #4: Just ignore the log entries. The same IP probably goes away
> fairly soon, so blocking the IP probably doesn't do much good.

Yeah, I know the mail system impact is minimal ... it's just that if I see something banging on SMTP and getting refused, I kinda don't want it banging on anything else either.

If fail2ban can run any script then yeah, I should be able to pretty easily have it connect to the firewall and send a 'shorewall drop 1.2.3.4'. I haven't ever installed fail2ban yet which is why I was asking if anyone had any tips to share.

-- 
Phil Stracchino
Re: Fail2ban integration questions
On 9/12/2017 10:19 AM, Phil Stracchino wrote:
> This is semi-hypothetical ...
>
> I often see spews of failed connect attempts logged by postscreen:
>
> Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54708 to [10.24.32.15]:25
> Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54708 in tests after SMTP handshake
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT [70.39.115.203]:54708
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54865 to [10.24.32.15]:25
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54865 in tests after SMTP handshake
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT [70.39.115.203]:54865
>
> and so on. It would be nice to be able to automatically block these IPs
> temporarily, and that's what fail2ban does. However, I think fail2ban
> makes the assumption that the firewall in use is iptables and that it's
> running on the same host. My firewall is in front of all the internal
> servers, and runs shorewall as a front-end to iptables.
>
> Has anyone set up fail2ban to trigger from postscreen rejections and
> apply blocks to a firewall on a separate host? And if so, any tips to
> share?

Tip #1: Ignore these. The log entries are annoying, but other than logs this causes pretty close to zero impact on your system.

Tip #2: If you just can't make yourself look away, remember that fail2ban can run any script when it triggers. Can you script updates to the external firewall? Put that in fail2ban as the action. (although remote control of firewall settings sounds like a generally bad idea unless implemented very carefully)

Tip #3: It will probably be easier to activate the firewall on your mail server and block connections locally rather than controlling an external firewall.

Tip #4: Just ignore the log entries. The same IP probably goes away fairly soon, so blocking the IP probably doesn't do much good.

-- 
Noel Jones
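The matching step that fail2ban would have to perform on the postscreen lines quoted in this thread, as an added example that is not part of any poster's message and is not fail2ban's own code. It assumes PREGREET is the event worth counting; the function names, the host name "mx" and the sample log (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# PREGREET line format as quoted in this thread (syslog prefix + postscreen).
PREGREET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/postscreen\[\d+\]: "
    r"PREGREET \d+ after [\d.]+ from \[(?P<ip>[0-9A-Fa-f:.]+)\]:\d+:")

def parse_pregreet(line, year=2017):
    """Return (timestamp, client_ip) for a PREGREET line, else None."""
    m = PREGREET_RE.match(line)
    if m is None:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def ban_candidates(lines, maxretry=3, findtime=timedelta(minutes=10), ignore=()):
    """Map each offending IP to the time its hit count crossed the threshold.

    Follows fail2ban's maxretry/findtime model: an address is flagged once it
    logs `maxretry` PREGREET events inside a sliding `findtime` window.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        hit = parse_pregreet(line)
        if hit is None:
            continue              # CONNECT, HANGUP, DISCONNECT, other daemons
        ts, ip = hit
        if ip in ignore or ip in flagged:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # expire hits older than findtime
        if len(window) >= maxretry:
            flagged[ip] = ts
    return flagged

# Constructed sample log (documentation addresses, hypothetical host "mx").
SAMPLE_LOG = r"""
Sep 12 11:00:00 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [203.0.113.9]:40001: EHLO ylmf-pc\r\n
Sep 12 11:08:00 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [203.0.113.9]:40002: EHLO ylmf-pc\r\n
Sep 12 11:13:09 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [198.51.100.7]:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 mx postfix/postscreen[9238]: HANGUP after 0.24 from [198.51.100.7]:54708 in tests after SMTP handshake
Sep 12 11:13:10 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [198.51.100.7]:54865: EHLO ylmf-pc\r\n
Sep 12 11:13:11 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [198.51.100.7]:54901: EHLO ylmf-pc\r\n
Sep 12 11:15:00 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [203.0.113.9]:40003: EHLO ylmf-pc\r\n
""".strip().splitlines()

if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban candidate: {ip}")
```

The second address also logs three PREGREET events, but they are spread over 15 minutes, so the sliding window never holds three at once and it is not flagged. The `ignore` argument is the place for your own relays and monitoring hosts.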
Re: Different certs on different interfaces
> On Sep 12, 2017, at 10:35 AM, Luciano Mannucci wrote:
>
> I have a running postfix 2.11.10 that binds to several interfaces, on
> some of which I wish to enable TLS. I have a different certificate
> for each interface; is that supported or I have to run two different
> postfixes?

    http://www.postfix.org/master.5.html
    http://www.postfix.org/smtpd.8.html
    http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
    http://www.postfix.org/postconf.5.html#smtpd_tls_key_file

From master(5):

    Command name + arguments
        The command to be executed. Characters that are special to the shell such as ">" or "|" have no special meaning here, and quotes cannot be used to protect arguments containing whitespace. To protect whitespace, use "{" and "}" as described below.

        The command name is relative to the Postfix daemon directory (pathname is controlled by the daemon_directory configuration variable).

        The command argument syntax for specific commands is specified in the respective daemon manual page.

        The following command-line options have the same effect for all daemon programs:

        -D  Run the daemon under control by the command specified with the debugger_command variable in the main.cf configuration file. See DEBUG_README for hints and tips.

        -o { name = value } (long form, Postfix >= 3.0)

        -o name=value (short form)
            Override the named main.cf configuration parameter. The parameter value can refer to other parameters as $name etc., just like in main.cf. See postconf(5) for syntax.

            NOTE 1: With the "long form" shown above, whitespace after "{", around "=", and before "}" is ignored, and whitespace within the parameter value is preserved.

            NOTE 2: with the "short form" shown above, do not specify whitespace around the "=" or in parameter values. To specify a parameter value that contains whitespace, use the long form described above, or use commas instead of spaces, or specify the value in main.cf.

            Example:

            /etc/postfix/master.cf:
                submission inet smtpd
                    -o smtpd_xxx_yyy=$submission_xxx_yyy

            /etc/postfix/main.cf
                submission_xxx_yyy = text with whitespace...

            NOTE 3: Over-zealous use of parameter overrides makes the Postfix configuration hard to understand and maintain. At a certain point, it might be easier to configure multiple instances of Postfix, instead of configuring multiple personalities via master.cf.

-- 
Viktor.
Re: install postfix from source code, cannot start with systemd
My OS is Ubuntu 16.04; when running make install I chose /usr/lib/postfix/sbin.
install postfix from source code, cannot start with systemd
First I installed postfix using apt install postfix; everything went right and I could use systemctl start postfix. But I want to change some code, so I reinstalled postfix by compiling it; now when I use systemctl start postfix, it complains. I have googled, but failed to solve it. Does anybody know about it?

systemctl status postfix.service

    ● postfix.service - LSB: Postfix Mail Transport Agent
       Loaded: loaded (/etc/init.d/postfix; bad; vendor preset: enabled)
      Drop-In: /run/systemd/generator/postfix.service.d
               └─50-postfix-$mail-transport-agent.conf
       Active: failed (Result: exit-code) since 二 2017-09-12 23:16:07 CST; 12s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 6339 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
      Process: 12075 ExecStart=/etc/init.d/postfix start (code=exited, status=1/FAILURE)
        Tasks: 4
       Memory: 5.5M
          CPU: 260ms
       CGroup: /system.slice/postfix.service
               ├─1930 /usr/lib/postfix/sbin/master
               ├─1932 qmgr -l -t unix -u
               ├─4281 tlsmgr -l -t unix -u -c
               └─7779 pickup -l -t unix -u -c -o content_filter= -o receive_override_options=no_header_body_checks

    9月 12 23:16:06 xiedeacc.com systemd[1]: Starting LSB: Postfix Mail Transport Agent...
    9月 12 23:16:06 xiedeacc.com postfix[12075]: * Starting Postfix Mail Transport Agent postfix
    9月 12 23:16:06 xiedeacc.com postfix/postfix-script[12168]: fatal: usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuratio
    9月 12 23:16:07 xiedeacc.com postfix[12075]:...fail!
    9月 12 23:16:07 xiedeacc.com systemd[1]: postfix.service: Control process exited, code=exited status=1
    9月 12 23:16:07 xiedeacc.com systemd[1]: Failed to start LSB: Postfix Mail Transport Agent.
    9月 12 23:16:07 xiedeacc.com systemd[1]: postfix.service: Unit entered failed state.
    9月 12 23:16:07 xiedeacc.com systemd[1]: postfix.service: Failed with result 'exit-code'.
Fail2ban integration questions
This is semi-hypothetical ...

I often see spews of failed connect attempts logged by postscreen:

    Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54708 to [10.24.32.15]:25
    Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
    Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54708 in tests after SMTP handshake
    Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT [70.39.115.203]:54708
    Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from [70.39.115.203]:54865 to [10.24.32.15]:25
    Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12 from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
    Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from [70.39.115.203]:54865 in tests after SMTP handshake
    Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT [70.39.115.203]:54865

and so on. It would be nice to be able to automatically block these IPs temporarily, and that's what fail2ban does. However, I think fail2ban makes the assumption that the firewall in use is iptables and that it's running on the same host. My firewall is in front of all the internal servers, and runs shorewall as a front-end to iptables.

Has anyone set up fail2ban to trigger from postscreen rejections and apply blocks to a firewall on a separate host? And if so, any tips to share?

-- 
Phil Stracchino
Different certs on different interfaces
I have a running postfix 2.11.10 that binds to several interfaces, on some of which I wish to enable TLS. I have a different certificate for each interface; is that supported or do I have to run two different postfixes?

Thanks to everybody,

Luciano.

-- 
 /"\                         /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
  X   AGAINST HTML MAIL    / E-MAIL: posthams...@sublink.sublink.org
 / \  AND POSTINGS        / WWW: http://www.lesassaie.IT/
RE: smtpd_discard_ehlo_keyword_address_maps support for hostnames
Hi Wietse,

Yeap, another very valid point. I do agree that the risks of using the hostnames to exclude features are not insignificant, in which case I'd ask if the use of hostnames to include features (whitelisting rather than blacklisting) would be more acceptable in terms of risk? If the resolution of a hostname fails or is not the expected one (for whatever reason) the client will not be offered some of the features, which can lead to transmission failures (failure to accept the messages) rather than mail loss.

I also think that it's a good idea to add these examples against using the hostnames in the documentation, as it makes the reasons of this decision clearer.

Many thanks,
Nik

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Sent: 11 September 2017 21:51
To: Postfix users
Subject: Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Oh, and what should happen when the host has multiple PTR records that properly satisfy the reverse/forward name check? Postfix picks only one, and it may not pick the same one every time..

Writing code is easy, what about writing first the documentation how this is supposed to behave? If a feature needs more text for its limitations than for its functionality, then perhaps that is a sign of a problematic feature?

        Wietse

Nik Kostaras:
> Hi Wietse,
>
> Very good question!
> From my point of view I'd like to have the ability to choose whether
> to enable this filtering option (separately from the existing IP
> filtering), acknowledging the risks of mail loss (with a "Here be
> dragons" warning in the documentation).
>
> If you are interested I can send a patch with a new config option.
>
> Many thanks,
> Nik Kostaras
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> Sent: 11 September 2017 16:57
> To: Postfix users
> Subject: Re: smtpd_discard_ehlo_keyword_address_maps support for
> hostnames
>
> Nik Kostaras:
> > Hi all,
> >
> > Postfix documentation mentions (for
> > smtpd_discard_ehlo_keyword_address_maps):
> >
> > "The tables are not searched by hostname for robustness reasons."
> >
> > Is it possible to describe what these reasons are? (performance
> > related?)
>
> Ask the question: if DNS lookup does not work, even if only for a brief
> time, would that result in the loss of mail?
>
> The purpose of this feature is to prevent a server from announcing a
> feature to an SMTP client, for example because it would result in the
> loss of mail (a client has a problem with that feature).
>
> What should happen:
>
> a) Don't suppress keywords based on hostname, and risk losing mail.
>
> b) Don't accept mail, to avoid loss of mail.
>
> c) Something else?
>
>         Wietse