Testing Postfix-3.3....0-RC1

2018-02-12 Thread Christian Rößner
Hi,

so far, the RC1 works. There is only one thing that is bad:

Start and stop do not like directories inside /etc/postfix*


rns root@mx  ~ # postfix stop
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: stopping the Postfix mail system
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: stopping the Postfix mail system
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: stopping the Postfix mail system

rns root@mx  ~ # postfix start
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: starting the Postfix mail system
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: starting the Postfix mail system
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" 

Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Peter
On 13/02/18 17:03, Viktor Dukhovni wrote:
> Sorry, you're right, the client has to enforce TLS, whether implicit
> or not.  Some clients try multiple ports and multiple operating modes,
> so might also try port 25 in the clear, 465 with TLS and 587 with or
> without STARTTLS.  Such clients are subject to MiTM.  The server
> should also insist on TLS, to better train its clients, but the
> primary burden to ensure security is on the client.

Right and here you're referring to the auto-configuration feature on
most modern clients.  If a server is correctly configured to not allow
plain text authentication in any means but a client's auto-configure
picks up a working auth on a plain text connection then it would seem to
me that a MITM is active.  This would become apparent as soon as the
plain text connection is attempted when the MITM is no longer there,
though as the auto-configured settings would be saved.

The main difference between this and the previously-mentioned
opportunistic STARTTLS that older clients offer is that those older
clients will fall back to plain text at any given time, not just during
auto-configuration.  This makes the attack vector more dangerous, imo
because it would not become apparent to the user that anything is wrong
when this happens or when the MITM goes away, it would all appear to
just work normally the entire time.


Peter


Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Viktor Dukhovni


> On Feb 12, 2018, at 10:58 PM, Peter  wrote:
> 
> There is one case that I can think of.  Older clients (Thunderbird comes
> to mind) offered an opportunistic STARTTLS setting, so that if the
> server offered TLS it would connect with TLS but if not it would
> continue to connect via plain text.  Such a client in this setting could
> be subject to a MITM attack even if the server is configured to only
> allow STARTTLS connections.  The MITM would simply connect to the server
> via STARTTLS but not offer the client the option.
> 
> Note that newer versions of Thunderbird (I believe for several years
> now) do not offer this opportunistic STARTTLS setting, so if you set it
> to connect via STARTTLS it will simply not work at all if STARTTLS is
> not offered, thereby mitigating this attack angle.  Also setting an
> older client to require encryption would mitigate it as well.

Sorry, you're right, the client has to enforce TLS, whether implicit
or not.  Some clients try multiple ports and multiple operating modes,
so might also try port 25 in the clear, 465 with TLS and 587 with or
without STARTTLS.  Such clients are subject to MiTM.  The server
should also insist on TLS, to better train its clients, but the
primary burden to ensure security is on the client.

-- 
Viktor.



Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Peter
On 13/02/18 16:30, Viktor Dukhovni wrote:
> There's not much gain.  If both the client and the server are misconfigured
> on port 587, a client might send passwords and message content in the clear.
> If at least one insists on TLS, and the server does not offer SASL auth prior
> to TLS, there's no compelling reason for port 465.  Hence the case for 465 is
> not especially strong, but it now has "official" IETF blessing.

There is one case that I can think of.  Older clients (Thunderbird comes
to mind) offered an opportunistic STARTTLS setting, so that if the
server offered TLS it would connect with TLS but if not it would
continue to connect via plain text.  Such a client in this setting could
be subject to a MITM attack even if the server is configured to only
allow STARTTLS connections.  The MITM would simply connect to the server
via STARTTLS but not offer the client the option.

Note that newer versions of Thunderbird (I believe for several years
now) do not offer this opportunistic STARTTLS setting, so if you set it
to connect via STARTTLS it will simply not work at all if STARTTLS is
not offered, thereby mitigating this attack angle.  Also setting an
older client to require encryption would mitigate it as well.

This, I believe would be the strongest reason to prefer SMTPS
connections, but it only applies to older clients that are not well
configured.


Peter


Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Viktor Dukhovni


> On Feb 12, 2018, at 9:05 PM, @lbutlr  wrote:
> 
>> Compatibility with the clients that only implement one?
> 
> Are there any? It's been a long time since I saw someone using an old enough 
> Outlook to require 465.

There's not much gain.  If both the client and the server are misconfigured
on port 587, a client might send passwords and message content in the clear.
If at least one insists on TLS, and the server does not offer SASL auth prior
to TLS, there's no compelling reason for port 465.  Hence the case for 465 is
not especially strong, but it now has "official" IETF blessing.

Nobody in the working group had strong enough objections to argue against
the authors' desire to make all the MUA protocols (IMAP, POP and submission)
look alike and support "implicit TLS".  With MUAs mostly doing implicit TLS
for IMAP and POP, doing the same for SMTP submission looks better on paper.

So make your judgements about what this means to you.  The main idea is to
require TLS, whether it is "implicit" or "STARTTLS" is rather secondary.

-- 
Viktor.


Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Kevin A. McGrail

On 2/12/2018 9:05 PM, @lbutlr wrote:

> On 2018-02-12 (18:28 MST), Harald Koch  wrote:
>
>>> I can't think of a single reason to have two submission ports.
>>
>> Compatibility with the clients that only implement one?
>
> Are there any? It's been a long time since I saw someone using an old enough
> Outlook to require 465.


We support all the ports.  Stretching for a benefit, the only one I can 
see is that it's SSL from end to end without one bit of clear text.  I 
would suppose that would make it less likely to hijack.  I'll admit it's 
a stretch.


Regards,

kAM



Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread @lbutlr
On 2018-02-12 (18:28 MST), Harald Koch  wrote:
> 
>> I can't think of a single reason to have two submission ports.
> 
> Compatibility with the clients that only implement one?

Are there any? It's been a long time since I saw someone using an old enough 
Outlook to require 465.

-- 
The only reason for walking into the jaws of Death is so's you can steal
His gold teeth. --Colour of Magic



Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Harald Koch
>
> I can't think of a single reason to have two submission ports.
>

Compatibility with the clients that only implement one?


Re: FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread @lbutlr
On 2018-02-11 (15:12 MST), Viktor Dukhovni  wrote:
> 
> It remains to be seen whether the new RFC actually changes practices in
> the field, but there is now some "official" support for the born-again
> port 465 "submissions" service.

I can't think of a single reason to have two submission ports.

-- 
May you live in interesting times



Re: How to best test from VM with port 25 closed by ISP

2018-02-12 Thread Server Messages
Will get back when I really know the definitive issue. Won't bother with 
infrastructure issues here.



On 13 February 2018 02:04:20, Server Messages wrote:

> I also have to check if my receiving server might be rejecting because
> not all DNS settings are correct on the VM, or something like that. I hate VM
> testing, but as I am working on a complete and a bit complex server setup I
> decided not to hassle with a live server. But maybe a small cheap cloud
> server would be a better way to go, as I could configure DNS and everything
> closer to production.
>
> Thomas
>
> On 13 February 2018 01:57:22, Server Messages wrote:
>
>> The thing here is my main line is connected to a VPN through a pfSense
>> firewall, so I have to check why I cannot send through port 25 (it is open,
>> of course) or what causes the mail not to be received. To be honest I did
>> not look really deep into it until now, so I have to do some thorough
>> checks. The VM I am using uses a bridged adapter to the main box, which hangs
>> on the pfSense wall.
>>
>> Thomas
>>
>> On 13 February 2018 01:35:54, Wietse Venema wrote:
>>
>>> Server Messages:
>>>> Hm, as you mention it I am connected through a VPN so there has to be
>>>> something else. Have to check that again.
>>>
>>> Surely you can run more than one VPN?
>>>
>>> Wietse


Re: How to best test from VM with port 25 closed by ISP

2018-02-12 Thread Server Messages
I also have to check if my receiving server might be rejecting because
not all DNS settings are correct on the VM, or something like that. I hate VM
testing, but as I am working on a complete and a bit complex server setup I
decided not to hassle with a live server. But maybe a small cheap cloud
server would be a better way to go, as I could configure DNS and everything
closer to production.


Thomas


On 13 February 2018 01:57:22, Server Messages wrote:

> The thing here is my main line is connected to a VPN through a pfSense
> firewall, so I have to check why I cannot send through port 25 (it is open,
> of course) or what causes the mail not to be received. To be honest I did
> not look really deep into it until now, so I have to do some thorough
> checks. The VM I am using uses a bridged adapter to the main box, which hangs
> on the pfSense wall.
>
> Thomas
>
> On 13 February 2018 01:35:54, Wietse Venema wrote:
>
>> Server Messages:
>>> Hm, as you mention it I am connected through a VPN so there has to be
>>> something else. Have to check that again.
>>
>> Surely you can run more than one VPN?
>>
>> Wietse


Re: How to best test from VM with port 25 closed by ISP

2018-02-12 Thread Server Messages
The thing here is my main line is connected to a VPN through a pfSense
firewall, so I have to check why I cannot send through port 25 (it is open,
of course) or what causes the mail not to be received. To be honest I did
not look really deep into it until now, so I have to do some thorough
checks. The VM I am using uses a bridged adapter to the main box, which hangs
on the pfSense wall.


Thomas


On 13 February 2018 01:35:54, Wietse Venema wrote:

> Server Messages:
>> Hm, as you mention it I am connected through a VPN so there has to be
>> something else. Have to check that again.
>
> Surely you can run more than one VPN?
>
> Wietse


Re: How to best test from VM with port 25 closed by ISP

2018-02-12 Thread Wietse Venema
Server Messages:
> Hm as you mention it i am connected through a VPN so there has to be 
> something else. Have to check that again.

Surely you can run more than one VPN?

Wietse


Re: How to best test from VM with port 25 closed by ISP

2018-02-12 Thread Server Messages
Hm, as you mention it I am connected through a VPN so there has to be
something else. Have to check that again.


Thanks


On 13 February 2018 01:03:39, Wietse Venema wrote:

> TG Servers:
>> Hi,
>>
>> how can I best test Postfix delivery from a local VM if port 25 is
>> blocked by the ISP?
>> My only intention is to set up another VM, make a network between them,
>> and then send mails between them.
>
> Use a VPN?
>
> Wietse
>
>> Or is there any other solution for how I could get Postfix from a VM to the
>> "world"?
>>
>> Thanks!


Re: How to best test from VM with port 25 closed by ISP

2018-02-12 Thread Wietse Venema
TG Servers:
> Hi,
> 
> how can I best test Postfix delivery from a local VM if port 25 is
> blocked by the ISP?
> My only intention is to set up another VM, make a network between them,
> and then send mails between them.

Use a VPN?

Wietse

> Or is there any other solution for how I could get Postfix from a VM to the
> "world"?
> 
> Thanks!


How to best test from VM with port 25 closed by ISP

2018-02-12 Thread TG Servers
Hi,

how can I best test Postfix delivery from a local VM if port 25 is
blocked by the ISP?
My only intention is to set up another VM, make a network between them,
and then send mails between them.
Or is there any other solution for how I could get Postfix from a VM to the
"world"?

Thanks!


Re: sender AND recipient based routing

2018-02-12 Thread Viktor Dukhovni


> On Feb 12, 2018, at 3:27 PM, flymike  wrote:
> 
> With the milter option, can I still use transport_maps to set the custom
> nexthop?

Yes.

> I'm wondering if smtp_generic_maps are applied after or before
> transport_maps?

Milters happen on input when messages are received, transport
lookups when messages enter the active queue, and smtp_generic_maps
(naturally) on output, in the SMTP delivery agent.

-- 
Viktor.



Re: sender AND recipient based routing

2018-02-12 Thread flymike
Thanks, Viktor.
With the milter option, can I still use transport_maps to set the custom
nexthop?  I'm wondering if smtp_generic_maps are applied after or before
transport_maps?



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Postfix queue

2018-02-12 Thread j.emerlik
I am generally using postfix-logwatch for tracking log files.

However, I was thinking about something that works in real time;
scripts can be run by cron at some interval.
Then the best solution could be to write some syslog parser or redirect
syslog to some application, e.g. written in Java, to interpret the log
file in real time.

Maybe someone has a better idea?


Re: sender AND recipient based routing

2018-02-12 Thread Viktor Dukhovni


> On Feb 12, 2018, at 12:10 PM, flymike  wrote:
> 
> I have a requirement to deliver via 'X' when sender = 'A' /and/ recipient =
> 'B', else deliver via configured defaults.
> I see how I could use sender_dependent_default_transport_maps to set nexthop
> to 'X' when sender = 'A' but I still need to deal with the additional
> condition that recipient = 'B'.
> It's like I need multiple transport tables, dependent upon sender.
> Is there any way to fulfill this requirement within the postfix framework?

Not within a single Postfix instance.  With multiple instances (and much
complexity) you could use "sender A" select a different downstream instance,
where B is routed to the desired transport.  This scales poorly, but if the
exceptions are few enough, and the need great, then you can do it.

Another option is to use a proxy filter, or milter to rewrite B to some
special recipient address B' when the sender is A, then route B' to a
custom nexthop, and use smtp_generic_maps to transform B' back to B
on output.  This works in a single Postfix instance with a proxy filter
or milter.

-- 
Viktor.



Re: Postfix queue

2018-02-12 Thread j.emerlik
I am generally using postfix-logwatch for tracking log files.

However, I was thinking about something that works in real time;
scripts can be run by cron at some interval.
Then the best could be to write some syslog parser or redirect syslog to some
application, e.g. written in Java, to interpret the log file in real time.


2018-02-12 17:59 GMT+01:00 Wietse Venema :

> j.emerlik:
> > I would like to have a policy service that will be able to write to a database
> > some information, e.g. when exactly a message was sent, message ID, DSN if
> > something goes wrong. That means it should work with the Postfix queue.
>
> You can use "postqueue -j" to get a machine-readable queue listing
> with arrival time, and why mail is still in the queue.
>
> However for historical information of past deliveries you will have
> to rely on Postfix logs.
>
> Wietse
>


Re: [postfix-users] FWIW, port 465 gets standards-track blessing from RFC8314

2018-02-12 Thread Matus UHLAR - fantomas

On 11.02.18 20:26, Harald Koch wrote:

> Is this change in long-standing opinion of the IETF only because existing
> implementations so often ignore STARTTLS, or is there actually a security
> issue with STARTTLS (instead of implicit TLS)?

I guess it's about firewalls - you can run the service without TLS on 587
unnoticed (e.g. authentication accepted without it).
You can't on 465 (implicit TLS fails).
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
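Viktor's condition above (the server must not offer SASL AUTH before TLS) and Matus's point that cleartext authentication on 587 can go unnoticed are both visible in the EHLO response, so an operator can check them. This is an added example, not code from the thread or from Postfix: the EHLO responses are constructed, probe() is a hypothetical helper, and the hostname is a placeholder.

```python
"""Check a submission service for the weakness discussed in this thread: AUTH
advertised on port 587 before STARTTLS, so a client that never upgrades (or is
downgraded) hands over its password in the clear. Standard library only."""
import re
import smtplib
import ssl
import sys
from typing import Dict, List, Optional

# Constructed EHLO responses (no real server was queried). Postfix prints one
# extension per line; "250-" continues the reply and "250 " ends it.
EHLO_AUTH_BEFORE_TLS = (
    "250-mail.example.invalid\n250-PIPELINING\n250-SIZE 10240000\n"
    "250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"
)
EHLO_TLS_ONLY = "250-mail.example.invalid\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME\n"
EHLO_NO_STARTTLS = "250-mail.example.invalid\n250-PIPELINING\n250 8BITMIME\n"
EHLO_AFTER_TLS = "250-mail.example.invalid\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"


def parse_ehlo(response: str) -> Dict[str, str]:
    """Map ESMTP keywords (lowercased) to their parameters, like smtplib's
    esmtp_features. The first line is the greeting and carries no extension."""
    features: Dict[str, str] = {}
    for line in response.strip().splitlines()[1:]:
        m = re.match(r"250[ -](\S+)\s*(.*)", line)
        if m:
            features[m.group(1).lower()] = m.group(2).strip()
    return features


def audit(before_tls: Dict[str, str], after_tls: Optional[Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means the service matches the thread's
    advice: STARTTLS offered, AUTH only once the session is encrypted."""
    findings: List[str] = []
    if "starttls" not in before_tls:
        findings.append("STARTTLS not advertised: TLS is off on this port or is being "
                        "removed on the path; an opportunistic client would continue in "
                        "cleartext without noticing")
    if "auth" in before_tls:
        findings.append("AUTH advertised before STARTTLS (%s): passwords can be sent in "
                        "the clear; in Postfix set smtpd_tls_auth_only = yes"
                        % before_tls["auth"])
    if after_tls is not None and "auth" not in after_tls:
        findings.append("AUTH not advertised after STARTTLS: authenticated submission "
                        "is not possible on this port")
    return findings


def probe(host: str, port: int = 587, timeout: float = 10.0) -> List[str]:
    """Live check of a server you operate: EHLO, STARTTLS, EHLO again."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)  # certificate verified against the system store
            smtp.ehlo()                 # feature list must be re-read after the upgrade
            after = dict(smtp.esmtp_features)
    return audit(before, after)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder
    for line in probe(host) or ["OK: STARTTLS offered, AUTH only after TLS"]:
        print(line)
```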


sender AND recipient based routing

2018-02-12 Thread flymike
I have a requirement to deliver via 'X' when sender = 'A' /and/ recipient =
'B', else deliver via configured defaults.
I see how I could use sender_dependent_default_transport_maps to set nexthop
to 'X' when sender = 'A' but I still need to deal with the additional
condition that recipient = 'B'.
It's like I need multiple transport tables, dependent upon sender.
Is there any way to fulfill this requirement within the postfix framework?



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Postfix queue

2018-02-12 Thread Wietse Venema
j.emerlik:
> I would like to have a policy service that will be able to write to a database
> some information, e.g. when exactly a message was sent, message ID, DSN if
> something goes wrong. That means it should work with the Postfix queue.

You can use "postqueue -j" to get a machine-readable queue listing
with arrival time, and why mail is still in the queue.

However for historical information of past deliveries you will have
to rely on Postfix logs.

Wietse
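The "postqueue -j" listing Wietse mentions is the closest thing to the real-time queue view the original poster wants, and it can be consumed without touching the queue files. This is an added example, not code from the thread or from Postfix; the JSON field names follow postqueue(1) (available since Postfix 3.1), and the three sample lines are constructed.

```python
"""Turn `postqueue -j` output (one JSON object per line) into a queue report:
messages per queue, stale messages, and which delay reasons dominate."""
import json
import subprocess
import sys
import time
from collections import Counter
from typing import Dict, List

# Constructed sample in the postqueue -j layout: queue_name, queue_id, arrival_time
# (seconds since the epoch), message_size, sender, recipients[{address, delay_reason}].
SAMPLE = """\
{"queue_name": "deferred", "queue_id": "3FA2B1C0ABCD", "arrival_time": 1518400000, "message_size": 2048, "sender": "alice@example.invalid", "recipients": [{"address": "bob@remote.invalid", "delay_reason": "connect to remote.invalid[192.0.2.10]:25: Connection timed out"}]}
{"queue_name": "active", "queue_id": "4B0C91D2EF01", "arrival_time": 1518403500, "message_size": 512, "sender": "carol@example.invalid", "recipients": [{"address": "dave@remote.invalid"}]}
{"queue_name": "deferred", "queue_id": "5C1DA2E3AB12", "arrival_time": 1518390000, "message_size": 4096, "sender": "", "recipients": [{"address": "erin@other.invalid", "delay_reason": "connect to other.invalid[192.0.2.20]:25: Connection timed out"}, {"address": "frank@other.invalid", "delay_reason": "host other.invalid[192.0.2.20] said: 451 4.7.1 Try again later"}]}
"""


def parse_queue(text: str) -> List[dict]:
    """One JSON object per line; blank lines and the trailing newline are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stale_messages(entries: List[dict], now: float, max_age_s: float) -> List[str]:
    """Queue IDs that have waited longer than max_age_s, oldest first: the
    real-time alarm the poster asked about, derived from the listing alone."""
    old = [(now - e["arrival_time"], e["queue_id"])
           for e in entries if now - e["arrival_time"] > max_age_s]
    return [qid for _, qid in sorted(old, reverse=True)]


def summarize(entries: List[dict], now: float) -> Dict[str, object]:
    """Counts per queue, aggregated delay reasons, and the oldest message."""
    per_queue = Counter(e["queue_name"] for e in entries)
    reasons: Counter = Counter()
    for e in entries:
        for rcpt in e.get("recipients", []):
            reason = rcpt.get("delay_reason")
            if reason:
                # Drop the host-specific prefix ("connect to host[ip]:25: ",
                # "host ... said: ") so identical failures aggregate across hosts.
                reasons[reason.rsplit(":", 1)[-1].strip()] += 1
    oldest = max(entries, key=lambda e: now - e["arrival_time"]) if entries else None
    return {
        "messages": len(entries),
        "per_queue": dict(per_queue),
        "delay_reasons": dict(reasons),
        "oldest_queue_id": oldest["queue_id"] if oldest else None,
        "oldest_age_s": int(now - oldest["arrival_time"]) if oldest else 0,
    }


def live_entries() -> List[dict]:
    """Run postqueue -j on the local Postfix and parse its output."""
    out = subprocess.run(["postqueue", "-j"], capture_output=True, text=True, check=True)
    return parse_queue(out.stdout)


if __name__ == "__main__":
    live = "--live" in sys.argv
    entries = live_entries() if live else parse_queue(SAMPLE)
    now = time.time() if live else 1518404000  # fixed clock for the constructed sample
    print(json.dumps(summarize(entries, now), indent=2))
    print("stale (> 1h):", stale_messages(entries, now, 3600))
```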


Re: Postfix queue

2018-02-12 Thread Wietse Venema
Viktor Dukhovni:
> 
> 
> > On Feb 12, 2018, at 10:06 AM, j.emerlik  wrote:
> > 
> > > Is it possible to write some policy service that will work with the
> > > Postfix queue?
> 
> No.  That's a bad idea anyway.  To track message flow, parse the logs.

The closest that comes to this is a daemon that responds to
transport_maps queries. If you must do that, I suggest using a
socketmap table.

http://www.postfix.org/transport.5.html
http://www.postfix.org/socket_table.5.html

But, it will drain performance.

Wietse


Re: Postfix queue

2018-02-12 Thread Ralph Seichter
On 12.02.2018 16:44, j.emerlik wrote:

> I would like to have a database with this information: Message ID, Sent
> Date (or last date of a send attempt), DSN, number of send attempts,
> Mail_From, RCPT_TO.

That type of information should be extracted from the Postfix logs,
as existing tools like 'pflogsumm' do.

-Ralph


Re: aquamail connecting to postfix

2018-02-12 Thread john

Hi dav,

My internet was down overnight, snow plough hit encapsulation point.

These are my postfix config files, plus my dovecot stuff.

Hope it helps.

John A



On 2018-02-11 06:12 PM, David Mehler wrote:

> Hello,
>
> Does anyone have Android's aquamail app successfully connecting to a
> Postfix server? If so, what settings did you use? I keep getting an
> authentication denied error. I've tried for authentication choose
> automatically, sasl plain, sasl login. For server security I've tried
> ssl strict check, ssl accept any (both on port 465), and starttls
> strict check and starttls accept any (port 587).
>
> Thanks.
> Dave.


alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_protocols = all
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks.pcre
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
    bl.spameatingmonkey.net*2 bl.ipv6.spameatingmonkey.net*2 bl.spamcop.net
    dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_helo_required = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_use_tls = $smtpd_use_tls
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
    kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org,
    reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client bl.ipv6.spameatingmonkey.net, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access pcre:/etc/postfix/maps/recipient_checks.pcre,
    check_recipient_access hash:/etc/postfix/maps/recipient_checks
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/maps/sender_checks
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.klam.ca/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_key_file = /etc/letsencrypt/live/mail.klam.ca/privkey.pem
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp

smtp   inet  n   -   n   -   1   postscreen
smtpd  pass  -   -   n   -   -   smtpd -o cleanup_service_name=pre-cleanup
pickup fifo  n   -   n   60  1   pickup -o cleanup_service_name=pre-cleanup
submission inet  n   -   n   -   30  smtpd -o 

Re: Postfix queue

2018-02-12 Thread j.emerlik
I would like to have a database with this information: Message ID, Sent Date
(or last date of a send attempt), DSN, number of send attempts, Mail_From,
RCPT_TO.

It would be helpful to create statistics or check exactly what happened
with the messages sent, e.g. six months ago.



2018-02-12 16:22 GMT+01:00 Ralph Seichter :

> On 12.02.2018 16:06, j.emerlik wrote:
>
> > I would like to have a policy service that will be able to write to a
> > database some information, e.g. when exactly a message was sent, message ID,
> > DSN if something goes wrong. That means it should work with the
> > Postfix queue.
>
> That's not really a specific description of your needs or design goals,
> so you can expect answers to be similarly vague. ;-) Have you looked
> into postqueue(1) and/or showq(8) yet?
>
> -Ralph
>
>


Re: Postfix queue

2018-02-12 Thread Viktor Dukhovni


> On Feb 12, 2018, at 10:06 AM, j.emerlik  wrote:
> 
> Is it possible to write some policy service that will work with the Postfix
> queue?

No.  That's a bad idea anyway.  To track message flow, parse the logs.

-- 
Viktor.
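Viktor's "parse the logs" answer, which Wietse and Ralph give as well, can be made concrete: every field the original poster wants per delivery (Message-ID, sender, recipient, number of attempts, last DSN and status, last delivery time) is in the cleanup, qmgr and smtp log lines, correlated by queue ID. This is an added example, not code from the thread, from pflogsumm or from postfix-logwatch; it uses only the standard library, the log lines are constructed, and the in-memory SQLite table stands in for whatever database would actually be used.

```python
"""Parse Postfix logs into one row per (queue ID, recipient) for a delivery-history
table. Assumes the traditional syslog line layout shown in the sample."""
import re
import sqlite3
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed sample (not from a real host): one message delivered on the second
# attempt, one warning line without a queue ID, and one message that bounced.
SAMPLE_LOG = """\
Feb 12 10:06:01 mx postfix/smtpd[1234]: 3FA2B1C0ABCD: client=host.example.invalid[192.0.2.5], sasl_method=PLAIN, sasl_username=alice
Feb 12 10:06:01 mx postfix/cleanup[1235]: 3FA2B1C0ABCD: message-id=<20180212100601.1@example.invalid>
Feb 12 10:06:01 mx postfix/qmgr[1100]: 3FA2B1C0ABCD: from=<alice@example.invalid>, size=2048, nrcpt=1 (queue active)
Feb 12 10:06:02 mx postfix/smtp[1240]: 3FA2B1C0ABCD: to=<bob@remote.invalid>, relay=none, delay=1.2, delays=0.5/0.01/0.7/0, dsn=4.4.1, status=deferred (connect to remote.invalid[192.0.2.10]:25: Connection timed out)
Feb 12 10:06:05 mx postfix/smtpd[1234]: warning: hostname bad.example.invalid does not resolve to address 192.0.2.99
Feb 12 10:36:10 mx postfix/smtp[1250]: 3FA2B1C0ABCD: to=<bob@remote.invalid>, relay=remote.invalid[192.0.2.10]:25, delay=1809, delays=1808/0.02/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 99AA11BB)
Feb 12 10:36:10 mx postfix/qmgr[1100]: 3FA2B1C0ABCD: removed
Feb 12 11:00:00 mx postfix/qmgr[1100]: 4B0C91D2EF01: from=<carol@example.invalid>, size=512, nrcpt=1 (queue active)
Feb 12 11:00:01 mx postfix/smtp[1260]: 4B0C91D2EF01: to=<nobody@remote.invalid>, relay=remote.invalid[192.0.2.10]:25, delay=0.9, delays=0.1/0.01/0.5/0.3, dsn=5.1.1, status=bounced (host remote.invalid[192.0.2.10] said: 550 5.1.1 User unknown)
Feb 12 11:00:01 mx postfix/qmgr[1100]: 4B0C91D2EF01: removed
"""

# Only lines that carry a queue ID (short hex IDs, or long base62 IDs with
# enable_long_queue_ids = yes) match; warnings, connect/disconnect and NOQUEUE don't.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix[\w-]*/[\w-]+\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}|[0-9A-Za-z]{12,}): (?P<rest>.*)$")
MSGID_RE = re.compile(r"message-id=<([^>]*)>")
FROM_RE = re.compile(r"^from=<([^>]*)>")
TO_RE = re.compile(r"^to=<([^>]*)>.*?, dsn=([\d.]+), status=(\w+)")


def parse_log(lines: Iterable[str]) -> Dict[str, dict]:
    """Correlate every line of a queue ID into one record; each to= line from a
    delivery agent is one attempt, so the last one carries the final DSN."""
    msgs: Dict[str, dict] = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, qid, rest = m.group("ts"), m.group("qid"), m.group("rest")
        rec = msgs.setdefault(qid, {"message_id": None, "mail_from": None,
                                    "rcpts": {}, "removed": False})
        mm, fm, tm = MSGID_RE.search(rest), FROM_RE.match(rest), TO_RE.match(rest)
        if mm:
            rec["message_id"] = mm.group(1)
        elif fm:
            rec["mail_from"] = fm.group(1)       # "" for bounces (from=<>)
        elif tm:
            addr, dsn, status = tm.groups()
            r = rec["rcpts"].setdefault(addr, {"attempts": 0, "dsn": None,
                                              "status": None, "last_seen": None})
            r["attempts"] += 1
            r.update(dsn=dsn, status=status, last_seen=ts)
        elif rest == "removed":
            rec["removed"] = True                # qmgr: message has left the queue
    return msgs


def to_sqlite(msgs: Dict[str, dict]) -> sqlite3.Connection:
    """Flatten the records into one row per (queue_id, rcpt_to)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE deliveries (
        queue_id TEXT, message_id TEXT, mail_from TEXT, rcpt_to TEXT,
        attempts INTEGER, last_dsn TEXT, last_status TEXT, last_seen TEXT,
        removed INTEGER, PRIMARY KEY (queue_id, rcpt_to))""")
    for qid, rec in msgs.items():
        for addr, r in rec["rcpts"].items():
            conn.execute("INSERT INTO deliveries VALUES (?,?,?,?,?,?,?,?,?)",
                         (qid, rec["message_id"], rec["mail_from"], addr, r["attempts"],
                          r["dsn"], r["status"], r["last_seen"], int(rec["removed"])))
    conn.commit()
    return conn


def delivery_rows(log_text: str) -> List[Tuple]:
    """Parse, load and read back in a deterministic order."""
    conn = to_sqlite(parse_log(log_text.splitlines()))
    return conn.execute(
        "SELECT queue_id, message_id, mail_from, rcpt_to, attempts, last_dsn, "
        "last_status, last_seen, removed FROM deliveries ORDER BY queue_id, rcpt_to"
    ).fetchall()


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for row in delivery_rows(text):
        print(row)
```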



RE: Postfix queue

2018-02-12 Thread Fazzina, Angelo
Hi, I would think you could write a script to do what you need?

Here is one I use that is in Python.


[root@mta3 alf02013]# Summary


   Usage:  Summary -s -h {-|POSTFIX_LOG} [ POSTFIX_LOG .. ]

   Summarize postfix mail log.  Gzipped files are OK.

   Print one line for each delivered email, with these columns

      TIME_RECEIVED  TIME_SENT  ELAPSED  QUEUEID  SOURCE_IP
      AUTHENTICATE_USER  FINAL_STATUS  FROM_ADDR  TO_ADDRS

   OPTIONS
      -h  Print column headers
      -s  Include email subject (if in Postfix log)




-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of j.emerlik
Sent: Monday, February 12, 2018 10:07 AM
To: postfix-users@postfix.org
Subject: Postfix queue

Lately I wrote in Python a Postfix policy service that can do something for me
that I want.
Now I am thinking about the next service, but I don't know, maybe it is not possible.
That is my question:
Is it possible to write some service similar to e.g.

check_policy_service unix:private/policy-spf
Is it possible to write some policy service that will work with the Postfix
queue?

I would like to have a policy service that will be able to write to a database some
information, e.g. when exactly a message was sent, message ID, DSN if something
goes wrong. That means it should work with the Postfix queue.
But policy services can be configured with smtpd_sender_restrictions and
smtpd_recipient_restrictions.
Is it possible to configure some policy service with the Postfix queue?
Regards,
MattX


Re: Postfix queue

2018-02-12 Thread Ralph Seichter
On 12.02.2018 16:06, j.emerlik wrote:

> I would like to have a policy service that will be able to write to a
> database some information, e.g. when exactly a message was sent, message ID,
> DSN if something goes wrong. That means it should work with the
> Postfix queue.

That's not really a specific description of your needs or design goals,
so you can expect answers to be similarly vague. ;-) Have you looked
into postqueue(1) and/or showq(8) yet?

-Ralph



Re: aquamail connecting to postfix

2018-02-12 Thread David Mehler
Hello,

My thanks to those who suggested the debug document. While that wasn't
it, the issue wasn't with Postfix at all, it did get me looking at
Dovecot. Postfix does SASL authentication using Dovecot. Dovecot gets
its username and password from a MySQL database. The query Dovecot
was sending was wrong and it only showed up on outgoing connections;
incoming authentication worked fine.

Again my thanks.
Dave.


On 2/11/18, Bill Cole  wrote:
> On 11 Feb 2018, at 18:12, David Mehler wrote:
>
>> Hello,
>>
>> Does anyone have Android's aquamail app successfully connecting to a
>> Postfix server? If so, w hat settings did you use? I keep getting an
>> authentication denied error. I've tried for authentication choose
>> automatically, sasl plain, sasl login. For server security I've tried
>> ssl strict check, ssl accept any (both on port 465), and starttls
>> strict check and starttls accept any (port 587).
>
> This reads as if you haven't tried simply telling Postfix to not request
> client certs at all. Unless you are using X.509 certs for user
> authentication, it is best to leave smtpd_tls_CAfile and
> smtpd_tls_CApath at their defaults (empty) and smtpd_tls_ask_ccert at
> its default (no)
>
>
> And as always: if you want detailed and specific Postfix help here, you
> should follow the advice in the last section of the Postfix DEBUG_README
> file.
>


Postfix queue

2018-02-12 Thread j.emerlik
Lately I wrote in Python a Postfix policy service that can do something for
me that I want.
Now I am thinking about the next service, but I don't know, maybe it is not
possible.

That is my question:

Is it possible to write some service similar to e.g.

check_policy_service unix:private/policy-spf

Is it possible to write some policy service that will work with the
Postfix queue?

I would like to have a policy service that will be able to write to a database
some information, e.g. when exactly a message was sent, message ID, DSN if
something goes wrong. That means it should work with the Postfix queue.

But policy services can be configured with smtpd_sender_restrictions and
smtpd_recipient_restrictions.
Is it possible to configure some policy service with the Postfix queue?

Regards,
MattX