Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

2017-09-12 Thread xiedeacc
you're right, I'm learning to write a systemd style script, but not familiar
with postmulti



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

2017-09-12 Thread Christian Kivalo



>I know it was a postmulti arguments problem, but what I want to know is: is
>this a postfix version difference, or did ubuntu make some change, or does
>/etc/init.d/postfix have something special?
The Debian / Ubuntu start script probably expects some distribution specific 
configuration to be in place. 

Your best bet is to remove the existing init script for postfix and create a 
systemd unit for your needs. 
-- 
Christian Kivalo


Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

2017-09-12 Thread xiedeacc
I know, but I removed quiet-quick-start from /etc/init.d/postfix and it still
failed, but now the log was:

Sep 13 10:47:54 xiedeacc postmulti[7989]: fatal: Specify exactly one of
'-e', '-l', '-p', '-x'
Sep 13 10:48:33 xiedeacc postfix/postfix-script[8095]: error: unknown
command: ''
Sep 13 10:48:33 xiedeacc postfix/postfix-script[8096]: fatal: usage: postfix
start (or stop, reload, abort, flush, check, status, set-permissions,
upgrade-configuration)
Sep 13 10:48:45 xiedeacc postfix/postfix-script[8207]: error: unknown
command: ''
Sep 13 10:48:45 xiedeacc postfix/postfix-script[8208]: fatal: usage: postfix
start (or stop, reload, abort, flush, check, status, set-permissions,
upgrade-configuration)

I know it was a postmulti arguments problem, but what I want to know is: is
this a postfix version difference, or did ubuntu make some change, or does
/etc/init.d/postfix have something special?





Re: postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

2017-09-12 Thread Viktor Dukhovni
On Tue, Sep 12, 2017 at 07:32:03PM -0700, xiedeacc wrote:

> hi all, using systemd to start postfix failed, here is the detail:
> 
> postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
> postfix/postfix-script[6736] fatal: usage: postfix start (or stop, reload,
> abort, flush, check, status, set-permissions, upgrade-configuration)

This is quite clear.  The upstream postfix.org source distribution
does not have a "postfix quiet-quick-start" command.  See:

http://www.postfix.org/postfix.8.html

That particular command must be an Ubuntu or Debian extension for
systemd.  If you build your Postfix package, you need to provide
your own systemd configuration that matches that package.  The
upstream Postfix has no specific systemd support, that's up to the
O/S distribution package maintainers.

-- 
Viktor.


postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

2017-09-12 Thread xiedeacc
hi all, using systemd to start postfix failed, here is the detail:

my OS is ubuntu-gnome 16.04.03. First I used apt install postfix and other
software; for some reason, I reinstalled it from compiled source code, version
postfix-3.2.2. It installed successfully, but when I use systemctl start
postfix, it fails

postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix; bad; vendor preset: enabled)
  Drop-In: /run/systemd/generator/postfix.service.d
   └─50-postfix-$mail-transport-agent.conf
   Active: failed (Result: exit-code) since 三 2017-09-13 09:13:09 CST; 8s
ago
 Docs: man:systemd-sysv-generator(8)
  Process: 6642 ExecStart=/etc/init.d/postfix start (code=exited,
status=1/FAILURE)

9月 13 09:13:07 xiedeacc.com systemd[1]: Starting LSB: Postfix Mail Transport
Agent...
9月 13 09:13:07 xiedeacc.com postfix[6642]:  * Starting Postfix Mail
Transport Agent postfix
9月 13 09:13:08 xiedeacc.com postfix/postfix-script[6736]: fatal: usage:
postfix start (or stop, reload, abort, flush, check, status,
set-permissions, upgrade-configuration)
9月 13 09:13:09 xiedeacc.com postfix[6642]:...fail!
9月 13 09:13:09 xiedeacc.com systemd[1]: postfix.service: Control process
exited, code=exited status=1
9月 13 09:13:09 xiedeacc.com systemd[1]: Failed to start LSB: Postfix Mail
Transport Agent.
9月 13 09:13:09 xiedeacc.com systemd[1]: postfix.service: Unit entered failed
state.
9月 13 09:13:09 xiedeacc.com systemd[1]: postfix.service: Failed with result
'exit-code'.


here is /var/log/mail.log

postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
postfix/postfix-script[6736] fatal: usage: postfix start (or stop, reload,
abort, flush, check, status, set-permissions, upgrade-configuration)






Re: install postfix from source code, cannot start with systemd

2017-09-12 Thread xiedeacc
here is the mail log; because of the post title, I decided to ask a new question

postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'
postfix/postfix-script[6736] fatal: usage: postfix start (or stop, reload,
abort, flush, check, status, set-permissions, upgrade-configuration)






Re: Fail2ban integration questions

2017-09-12 Thread Phil Stracchino
On 09/12/17 14:19, Marat Khalili wrote:
> If your firewall is capable of running fail2ban, I'd consider sending 
> postscreen logs to it instead.

Hmm.  That's an option I hadn't considered.

The firewall is an embedded device (Ubiquiti EdgeRouter POE/5), so I
don't have a gigantic amount of RAM or storage to play with, and I've
already added Shorewall and a couple of supporting tools.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Re: Fail2ban integration questions

2017-09-12 Thread Marat Khalili
On 12/09/17 18:19, Phil Stracchino wrote:

> Has anyone set up fail2ban to trigger from postscreen rejections and apply
> blocks to a firewall on a separate host? And if so, any tips to share?

Solved simpler task: separate host (container actually) but still iptables. 
Cloned iptables-multiport.conf and iptables-common.conf for this. Particularly 
problematic was the fact that hosts can be rebooted separately, and fail2ban 
tries to stop all filters on own exit and start again on own restart. Instead, 
you probably want rules to persist on non-fail2ban host when either host is 
rebooted. I don't have good solution for this, made it kinda work with series 
of kludges (good solution would probably require changing fail2ban source).

If your firewall is capable of running fail2ban, I'd consider sending 
postscreen logs to it instead.

--

With Best Regards,
Marat Khalili



Re: Fail2ban integration questions

2017-09-12 Thread Phil Stracchino
On 09/12/17 12:32, Noel Jones wrote:
> Tip #1: Ignore these.  The log entries are annoying, but other than
> logs this causes pretty close to zero impact on your system.

> Tip #4: Just ignore the log entries.  The same IP probably goes away
> fairly soon, so blocking the IP probably doesn't do much good.

Yeah, I know the mail system impact is minimal ...   it's just that if I
see something banging on SMTP and getting refused, I kinda don't want it
banging on anything else either.

If fail2ban can run any script then yeah, I should be able to pretty
easily have it connect to the firewall and send a 'shorewall drop
1.2.3.4'.  I haven't ever installed fail2ban yet which is why I was
asking if anyone had any tips to share.


-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Re: Fail2ban integration questions

2017-09-12 Thread Noel Jones
On 9/12/2017 10:19 AM, Phil Stracchino wrote:
> This is semi-hypothetical ...
> 
> I often see spews of failed connect attempts logged by postscreen:
> 
> Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from
> [70.39.115.203]:54708 to [10.24.32.15]:25
> Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
> from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
> [70.39.115.203]:54708 in tests after SMTP handshake
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
> [70.39.115.203]:54708
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from
> [70.39.115.203]:54865 to [10.24.32.15]:25
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
> from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
> [70.39.115.203]:54865 in tests after SMTP handshake
> Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
> [70.39.115.203]:54865
> 
> and so on.  It would be nice to be able to automatically block these IPs
> temporarily, and that's what fail2ban does.  However, I think fail2ban
> makes the assumption that the firewall in use is iptables and that it's
> running on the same host.  My firewall is in front of all the internal
> servers, and runs shorewall as a front-end to iptables.
> 
> Has anyone set up fail2ban to trigger from postscreen rejections and
> apply blocks to a firewall on a separate host?  And if so, any tips to
> share?
> 
> 
> 


Tip #1: Ignore these.  The log entries are annoying, but other than
logs this causes pretty close to zero impact on your system.

Tip #2: If you just can't make yourself look away, remember that
fail2ban can run any script when it triggers. Can you script updates
to the external firewall?  Put that in fail2ban as the action.
(although remote control of firewall settings sounds like a
generally bad idea unless implemented very carefully)

Tip #3: It will probably be easier to activate the firewall on your
mail server and block connections locally rather than controlling an
external firewall.

Tip #4: Just ignore the log entries.  The same IP probably goes away
fairly soon, so blocking the IP probably doesn't do much good.



  -- Noel Jones
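
Added example, not part of any poster's message and not fail2ban's own code: the counting a fail2ban-style trigger performs on postscreen PREGREET lines, followed by construction of the 'shorewall drop' command mentioned in this thread. The names ban_candidates and shorewall_drop_argv, the thresholds, the ignore list and the sample log are assumptions; how the command reaches the firewall host is left out.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the postscreen format quoted in the thread (lines
# unwrapped; client addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Sep 12 11:13:09 mx postfix/postscreen[9238]: CONNECT from [203.0.113.7]:54708 to [10.24.32.15]:25
Sep 12 11:13:09 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [203.0.113.7]:54708: EHLO ylmf-pc\\r\\n
Sep 12 11:13:10 mx postfix/postscreen[9238]: PREGREET 14 after 0.12 from [203.0.113.7]:54865: EHLO ylmf-pc\\r\\n
Sep 12 11:13:11 mx postfix/postscreen[9238]: PREGREET 14 after 0.11 from [203.0.113.7]:55012: EHLO ylmf-pc\\r\\n
Sep 12 11:14:00 mx postfix/postscreen[9238]: PREGREET 11 after 0.30 from [198.51.100.9]:40100: HELO test\\r\\n
Sep 12 11:20:00 mx postfix/postscreen[9238]: PREGREET 14 after 0.10 from [10.24.32.99]:40200: EHLO ylmf-pc\\r\\n
"""

PREGREET = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"PREGREET \d+ after [\d.]+ from \[(?P<ip>[^\]]+)\]:\d+"
)


def ban_candidates(log_text, maxretry=3, findtime=timedelta(minutes=10),
                   ignore=("10.0.0.0/8", "127.0.0.0/8"), year=2017):
    """Return client IPs with >= maxretry PREGREET events inside findtime."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = PREGREET.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue              # never act on text that is not an address
        if any(ip in net for net in ignore_nets):
            continue              # never ban our own networks
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return [str(ip) for ip in banned]


def shorewall_drop_argv(ip_text):
    """Build the command as an argv list so nothing is shell-interpreted."""
    ip = ipaddress.ip_address(ip_text)   # raises ValueError on anything else
    return ["shorewall", "drop", str(ip)]


if __name__ == "__main__":
    for addr in ban_candidates(SAMPLE_LOG):
        print(" ".join(shorewall_drop_argv(addr)))
```

The address is re-validated at the point where the command is built, so a malformed log field cannot become a firewall argument.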


Re: Different certs on different interfaces

2017-09-12 Thread Viktor Dukhovni

> On Sep 12, 2017, at 10:35 AM, Luciano Mannucci wrote:
> 
> I have a running postfix 2.11.10 that binds to several interfaces, on
> some of which I wish to enable TLS. I have a different certificate
> for each interface; is that supported or do I have to run two different
> postfixes?

http://www.postfix.org/master.5.html
http://www.postfix.org/smtpd.8.html
http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
http://www.postfix.org/postconf.5.html#smtpd_tls_key_file

From master(5):

   Command name + arguments

      The command to be executed.  Characters that are special to the
      shell such as ">" or "|" have no special meaning here, and
      quotes cannot be used to protect arguments containing
      whitespace.  To protect whitespace, use "{" and "}" as described
      below.

      The command name is relative to the Postfix daemon directory
      (pathname is controlled by the daemon_directory configuration
      variable).

      The command argument syntax for specific commands is specified
      in the respective daemon manual page.

      The following command-line options have the same effect for all
      daemon programs:

      -D     Run the daemon under control by the command specified
             with the debugger_command variable in the main.cf
             configuration file.  See DEBUG_README for hints and tips.

      -o { name = value } (long form, Postfix >= 3.0)

      -o name=value (short form)
             Override the named main.cf configuration parameter.  The
             parameter value can refer to other parameters as $name
             etc., just like in main.cf.  See postconf(5) for syntax.

             NOTE 1: With the "long form" shown above, whitespace
             after "{", around "=", and before "}" is ignored, and
             whitespace within the parameter value is preserved.

             NOTE 2: with the "short form" shown above, do not specify
             whitespace around the "=" or in parameter values.  To
             specify a parameter value that contains whitespace, use
             the long form described above, or use commas instead of
             spaces, or specify the value in main.cf. Example:

             /etc/postfix/master.cf:
                 submission inet  smtpd
                     -o smtpd_xxx_yyy=$submission_xxx_yyy

             /etc/postfix/main.cf
                 submission_xxx_yyy = text with whitespace...

             NOTE 3: Over-zealous use of parameter overrides makes the
             Postfix configuration hard to understand and maintain.
             At a certain point, it might be easier to configure
             multiple instances of Postfix, instead of configuring
             multiple personalities via master.cf.

-- 
Viktor.
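
Added example, not from Viktor's message or the Postfix distribution: a Python reader for the master.cf "-o" override syntax quoted above, run over a constructed master.cf in which each listener address gets its own smtpd_tls_cert_file. The addresses, file paths and function names are assumptions, and nested braces in the long form are not handled.

```python
import re

# Constructed master.cf: documentation addresses, hypothetical certificate
# paths.  The long form needs Postfix >= 3.0 (per the excerpt above), so a
# 2.11 installation would use the short form for every listener.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
192.0.2.10:smtp inet n - n - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_cert_file=/etc/postfix/tls/mx-a.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/mx-a.key
198.51.100.20:smtp inet n - n - - smtpd
  -o { smtpd_tls_security_level = may }
  -o { smtpd_tls_cert_file = /etc/postfix/tls/mx-b.pem }
  -o { smtpd_tls_key_file = /etc/postfix/tls/mx-b.key }
127.0.0.1:smtp inet n - n - - smtpd
  -o smtpd_tls_security_level=none
"""

OVERRIDE = re.compile(
    r"-o\s+(?:\{\s*(?P<ln>[^\s=]+)\s*=\s*(?P<lv>.*?)\s*\}"  # long form
    r"|(?P<sn>[^\s={}]+)=(?P<sv>\S*))"                       # short form
)


def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks/comments."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current


def parse_overrides(text):
    """Map 'service/type' to the main.cf parameters overridden with -o."""
    services = {}
    for line in logical_lines(text):
        fields = line.split(None, 7)   # 7 fixed columns, then the command
        if len(fields) < 8:
            continue
        opts = {}
        for m in OVERRIDE.finditer(fields[7]):
            if m.group("ln"):
                opts[m.group("ln")] = m.group("lv")
            else:
                opts[m.group("sn")] = m.group("sv")
        services[f"{fields[0]}/{fields[1]}"] = opts
    return services


def cert_by_listener(text, default="(main.cf default)"):
    """Report which certificate file each inet listener would present."""
    return {svc: opts.get("smtpd_tls_cert_file", default)
            for svc, opts in parse_overrides(text).items()
            if svc.endswith("/inet")}
```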



Re: install postfix from source code, cannot start with systemd

2017-09-12 Thread xiedeacc
my OS is ubuntu 16.04; when running make install I chose /usr/lib/postfix/sbin





install postfix from source code, cannot start with systemd

2017-09-12 Thread xiedeacc
First I installed postfix using apt install postfix; everything went right and
I could use systemctl start postfix. But I want to change some code, so I
reinstalled postfix by compiling it, then used systemctl start postfix, and it
complained. I have googled, but failed to solve it. Does anybody know?

systemctl status postfix.service
● postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix; bad; vendor preset: enabled)
  Drop-In: /run/systemd/generator/postfix.service.d
   └─50-postfix-$mail-transport-agent.conf
   Active: failed (Result: exit-code) since 二 2017-09-12 23:16:07 CST; 12s
ago
 Docs: man:systemd-sysv-generator(8)
  Process: 6339 ExecStop=/etc/init.d/postfix stop (code=exited,
status=0/SUCCESS)
  Process: 12075 ExecStart=/etc/init.d/postfix start (code=exited,
status=1/FAILURE)
Tasks: 4
   Memory: 5.5M
  CPU: 260ms
   CGroup: /system.slice/postfix.service
   ├─1930 /usr/lib/postfix/sbin/master
   ├─1932 qmgr -l -t unix -u
   ├─4281 tlsmgr -l -t unix -u -c
   └─7779 pickup -l -t unix -u -c -o content_filter= -o
receive_override_options=no_header_body_checks

9月 12 23:16:06 xiedeacc.com systemd[1]: Starting LSB: Postfix Mail Transport
Agent...
9月 12 23:16:06 xiedeacc.com postfix[12075]:  * Starting Postfix Mail
Transport Agent postfix
9月 12 23:16:06 xiedeacc.com postfix/postfix-script[12168]: fatal: usage:
postfix start (or stop, reload, abort, flush, check, status,
set-permissions, upgrade-configuratio
9月 12 23:16:07 xiedeacc.com postfix[12075]:...fail!
9月 12 23:16:07 xiedeacc.com systemd[1]: postfix.service: Control process
exited, code=exited status=1
9月 12 23:16:07 xiedeacc.com systemd[1]: Failed to start LSB: Postfix Mail
Transport Agent.
9月 12 23:16:07 xiedeacc.com systemd[1]: postfix.service: Unit entered failed
state.
9月 12 23:16:07 xiedeacc.com systemd[1]: postfix.service: Failed with result
'exit-code'.






Fail2ban integration questions

2017-09-12 Thread Phil Stracchino
This is semi-hypothetical ...

I often see spews of failed connect attempts logged by postscreen:

Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from
[70.39.115.203]:54708 to [10.24.32.15]:25
Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
from [70.39.115.203]:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
[70.39.115.203]:54708 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
[70.39.115.203]:54708
Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from
[70.39.115.203]:54865 to [10.24.32.15]:25
Sep 12 11:13:10 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
from [70.39.115.203]:54865: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
[70.39.115.203]:54865 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
[70.39.115.203]:54865

and so on.  It would be nice to be able to automatically block these IPs
temporarily, and that's what fail2ban does.  However, I think fail2ban
makes the assumption that the firewall in use is iptables and that it's
running on the same host.  My firewall is in front of all the internal
servers, and runs shorewall as a front-end to iptables.

Has anyone set up fail2ban to trigger from postscreen rejections and
apply blocks to a firewall on a separate host?  And if so, any tips to
share?



-- 
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Different certs on different interfaces

2017-09-12 Thread Luciano Mannucci

I have a running postfix 2.11.10 that binds to several interfaces, on
some of which I wish to enable TLS. I have a different certificate
for each interface; is that supported or do I have to run two different
postfixes?

Thanks to everybody,

Luciano.
-- 
 /"\ /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
  X   AGAINST HTML MAIL/  E-MAIL: posthams...@sublink.sublink.org
 / \  AND POSTINGS/   WWW: http://www.lesassaie.IT/


RE: smtpd_discard_ehlo_keyword_address_maps support for hostnames

2017-09-12 Thread Nik Kostaras
Hi Wietse,

Yeap, another very valid point.
I do agree that the risks of using the hostnames to exclude features are not 
insignificant,
in which case I'd ask if the use of hostnames to include features (whitelisting 
rather than blacklisting) would be more acceptable in terms of risk?

If the resolution of a hostname fails or is not the expected one (for whatever 
reason) the client will not be offered some of the features,
which can lead to transmission failures (failure to accept the messages) rather 
than mail loss.

I also think that it's a good idea to add these examples against using the 
hostnames in the documentation, as it makes the reasons of this decision 
clearer.

Many thanks,
Nik

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Wietse Venema
Sent: 11 September 2017 21:51
To: Postfix users 
Subject: Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Oh, and what should happen when the host has multiple PTR records that properly 
satisfy the reverse/forward name check?  Postfix picks only one, and it may not 
pick the same one every time..

Writing code is easy, what about writing first the documentation how this is 
supposed to behave?

If a feature needs more text for its limitations than for its functionality, 
then perhaps that is a sign of a problematic feature?

Wietse

Nik Kostaras:
> Hi Wietse,
> 
> Very good question!
> From my point of view I'd like to have the ability to choose whether
> to enable this filtering option (separately from the existing IP
> filtering), acknowledging the risks of mail loss (with a "Here be
> dragons" warning in the documentation).
> 
>  If you are interested I can send a patch with a new config option.
> 
> Many thanks,
> Nik Kostaras
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> Sent: 11 September 2017 16:57
> To: Postfix users 
> Subject: Re: smtpd_discard_ehlo_keyword_address_maps support for 
> hostnames
> 
> Nik Kostaras:
> > Hi all,
> > 
> > Postfix documentation mentions (for 
> > smtpd_discard_ehlo_keyword_address_maps):
> > 
> > "The tables are not searched by hostname for robustness reasons."
> > 
> > Is it possible to describe what these reasons are? (performance
> > related?)
> 
> Ask the question: if DNS lookup does not work, even if only for a brief time, 
> would that result in the loss of mail?
> 
> The purpose of this feature is to prevent a server from announcing a feature 
> to an SMTP client, for example because it would result in the loss of mail (a 
> client has a problem with that feature).
> 
> What should happen:
> 
> a) Don't suppress keywords based on hostname, and risk losing mail.
> 
> b) Don't accept mail, to avoid loss of mail.
> 
> c) Something else?
> 
>   Wietse
> 