Testing Postfix-3.3....0-RC1
Hi, so far, the RC1 works. There is only one thing that is bad: Start and stop do not like directories inside /etc/postfix*

rns root@mx ~ # postfix stop
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix-submission/ldap": Is a directory
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: stopping the Postfix mail system
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: stopping the Postfix mail system
/usr/sbin/postconf: warning: read "ldap" configuration "/etc/postfix/ldap": Is a directory
postfix/postfix-script: stopping the Postfix mail system
Re: FWIW, port 465 gets standards-track blessing from RFC8314
On 13/02/18 17:03, Viktor Dukhovni wrote:
> Sorry, you're right, the client has to enforce TLS, whether implicit
> or not. Some clients try multiple ports and multiple operating modes,
> so might also try port 25 in the clear, 465 with TLS and 587 with or
> without STARTTLS. Such clients are subject to MiTM. The server
> should also insist on TLS, to better train its clients, but the
> primary burden to ensure security is on the client.

Right and here you're referring to the auto-configuration feature on most modern clients. If a server is correctly configured to not allow plain text authentication in any means but a client's auto-configure picks up a working auth on a plain text connection then it would seem to me that a MITM is active. This would become apparent as soon as the plain text connection is attempted when the MITM is no longer there, though as the auto-configured settings would be saved.

The main difference between this and the previously-mentioned opportunistic STARTTLS that older clients offer is that those older clients will fall back to plain text at any given time, not just during auto-configuration. This makes the attack vector more dangerous, imo because it would not become apparent to the user that anything is wrong when this happens or when the MITM goes away, it would all appear to just work normally the entire time.

Peter
Re: FWIW, port 465 gets standards-track blessing from RFC8314
> On Feb 12, 2018, at 10:58 PM, Peter wrote:
>
> There is one case that I can think of. Older clients (Thunderbird comes
> to mind) offered an opportunistic STARTTLS setting, so that if the
> server offered TLS it would connect with TLS but if not it would
> continue to connect via plain text. Such a client in this setting could
> be subject to a MITM attack even if the server is configured to only
> allow STARTTLS connections. The MITM would simply connect to the server
> via STARTTLS but not offer the client the option.
>
> Note that newer versions of Thunderbird (I believe for several years
> now) do not offer this opportunistic STARTTLS setting, so if you set it
> to connect via STARTTLS it will simply not work at all if STARTTLS is
> not offered, thereby mitigating this attack angle. Also setting an
> older client to require encryption would mitigate it as well.

Sorry, you're right, the client has to enforce TLS, whether implicit or not. Some clients try multiple ports and multiple operating modes, so might also try port 25 in the clear, 465 with TLS and 587 with or without STARTTLS. Such clients are subject to MiTM. The server should also insist on TLS, to better train its clients, but the primary burden to ensure security is on the client.

--
Viktor.
Re: FWIW, port 465 gets standards-track blessing from RFC8314
On 13/02/18 16:30, Viktor Dukhovni wrote:
> There's not much gain. If both the client and the server are misconfigured
> on port 587, a client might send passwords and message content in the clear.
> If at least one insists on TLS, and the server does not offer SASL auth prior
> to TLS, there's no compelling reason for port 465. Hence the case for 465 is
> not especially strong, but it now has "official" IETF blessing.

There is one case that I can think of. Older clients (Thunderbird comes to mind) offered an opportunistic STARTTLS setting, so that if the server offered TLS it would connect with TLS but if not it would continue to connect via plain text. Such a client in this setting could be subject to a MITM attack even if the server is configured to only allow STARTTLS connections. The MITM would simply connect to the server via STARTTLS but not offer the client the option.

Note that newer versions of Thunderbird (I believe for several years now) do not offer this opportunistic STARTTLS setting, so if you set it to connect via STARTTLS it will simply not work at all if STARTTLS is not offered, thereby mitigating this attack angle. Also setting an older client to require encryption would mitigate it as well.

This, I believe would be the strongest reason to prefer SMTPS connections, but it only applies to older clients that are not well configured.

Peter
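[Added example, not part of any list message and not Postfix or Thunderbird code: a small model of the client-side choice this thread discusses, run against constructed EHLO replies. The function names, the policy labels "require" and "opportunistic", and the sample hostname are assumptions made for illustration.]

```python
"""Client TLS policy on a submission port (587), modelled on constructed EHLO replies."""

# Constructed sample: cleartext EHLO reply of a server that offers STARTTLS
# and does not advertise AUTH before TLS.
EHLO_GENUINE = """\
250-mail.example.org
250-PIPELINING
250-SIZE 32768000
250-STARTTLS
250 8BITMIME
"""

# Constructed sample: the reply as a client sees it when STARTTLS is no longer
# offered on the path and AUTH is advertised in the clear (the case in the thread).
EHLO_STRIPPED = """\
250-mail.example.org
250-PIPELINING
250-SIZE 32768000
250-AUTH PLAIN LOGIN
250 8BITMIME
"""


class TLSRequired(Exception):
    """Raised when policy demands TLS and the server reply does not allow it."""


def parse_ehlo(reply):
    """Turn a multi-line 250 reply into {KEYWORD: [PARAMS]}; line one is the hostname."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("unexpected EHLO line: %r" % line)
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def client_decision(caps, policy):
    """Return what the client does next; policy is 'require' or 'opportunistic'."""
    if policy not in ("require", "opportunistic"):
        raise ValueError("unknown policy: %r" % policy)
    if "STARTTLS" in caps:
        return "starttls-then-auth"
    if policy == "require":
        # The strict client stops here, so the user sees a hard failure.
        raise TLSRequired("STARTTLS not offered; not sending credentials")
    # The opportunistic client carries on silently, which is the problem.
    return "auth-in-cleartext" if "AUTH" in caps else "no-auth-offered"


def server_findings(caps_before_tls):
    """Server-side view: flag a cleartext EHLO reply that invites cleartext AUTH."""
    findings = []
    if "STARTTLS" not in caps_before_tls:
        findings.append("STARTTLS not offered")
    if "AUTH" in caps_before_tls:
        findings.append("AUTH offered before TLS: " + " ".join(caps_before_tls["AUTH"]))
    return findings


if __name__ == "__main__":
    for name, reply in (("genuine", EHLO_GENUINE), ("stripped", EHLO_STRIPPED)):
        caps = parse_ehlo(reply)
        for policy in ("opportunistic", "require"):
            try:
                outcome = client_decision(caps, policy)
            except TLSRequired as exc:
                outcome = "abort: %s" % exc
            print("%-8s %-13s -> %s" % (name, policy, outcome))
        print("%-8s findings: %s" % (name, server_findings(caps) or "none"))
```

With implicit TLS on port 465 there is no cleartext EHLO for the client to base a decision on, because the TLS handshake comes before any SMTP command.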
Re: FWIW, port 465 gets standards-track blessing from RFC8314
> On Feb 12, 2018, at 9:05 PM, @lbutlr wrote:
>
>> Compatibility with the clients that only implement one?
>
> Are there any? It's been a long time since I saw someone using an old enough
> Outlook to require 465.

There's not much gain. If both the client and the server are misconfigured on port 587, a client might send passwords and message content in the clear. If at least one insists on TLS, and the server does not offer SASL auth prior to TLS, there's no compelling reason for port 465. Hence the case for 465 is not especially strong, but it now has "official" IETF blessing.

Nobody in the working group had strong enough objections to argue against the authors' desire to make all the MUA protocols (IMAP, POP and submission) look alike and support "implicit TLS". With MUAs mostly doing implicit TLS for IMAP and POP, doing the same for SMTP submission looks better on paper.

So make your judgements about what this means to you. The main idea is to require TLS, whether it is "implicit" or "STARTTLS" is rather secondary.

--
Viktor.
Re: FWIW, port 465 gets standards-track blessing from RFC8314
On 2/12/2018 9:05 PM, @lbutlr wrote:
On 2018-02-12 (18:28 MST), Harald Koch wrote:
I can't think of a single reason to have two submission ports.
Compatibility with the clients that only implement one?
Are there any? It's been a long time since I saw someone using an old enough Outlook to require 465.

We support all the ports. Stretching for a benefit, the only one I can see is that it's SSL from end to end without one bit of clear text. I would suppose that would make it less likely to hijack. I'll admit it's a stretch.

Regards,
kAM
Re: FWIW, port 465 gets standards-track blessing from RFC8314
On 2018-02-12 (18:28 MST), Harald Koch wrote:
>
>> I can't think of a single reason to have two submission ports.
>
> Compatibility with the clients that only implement one?

Are there any? It's been a long time since I saw someone using an old enough Outlook to require 465.

--
The only reason for walking into the jaws of Death is so's you can steal His gold teeth. --Colour of Magic
Re: FWIW, port 465 gets standards-track blessing from RFC8314
> > I can't think of a single reason to have two submission ports.
> Compatibility with the clients that only implement one?
Re: FWIW, port 465 gets standards-track blessing from RFC8314
On 2018-02-11 (15:12 MST), Viktor Dukhovni wrote:
>
> It remains to be seen whether the new RFC actually changes practices in
> the field, but there is now some "official" support for the born-again
> port 465 "submissions" service.

I can't think of a single reason to have two submission ports.

--
May you live in interesting times
Re: How to best test from VM with port 25 closed by ISP
Will get back when I really know the definitive issue. Won't bother with infrastructure issues here.

On 13 February 2018 02:04:20, Server Messages wrote:
I also have to check if my receiving server might be rejecting because not all DNS settings are correct on the VM or that sort of thing. I hate VM testing, but as I am working on a complete and somewhat complex server setup I decided not to hassle with a live server. But maybe a small cheap cloud server would be a better way to go, as I could configure DNS and everything closer to production.
Thomas

On 13 February 2018 01:57:22, Server Messages wrote:
The thing here is my main line is connected to a VPN through a pfSense firewall, so I have to check why I cannot send through port 25 (it is open of course) or what causes the mail not to be received. To be honest I did not look really deep into it until now, so I have to do some thorough checks. The VM I am using uses a bridged adapter to the main box, which hangs on the pfSense wall.
Thomas

On 13 February 2018 01:35:54, Wietse Venema wrote:
Server Messages:
Hm, as you mention it, I am connected through a VPN, so there has to be something else. Have to check that again.
Surely you can run more than one VPN?
Wietse
Re: How to best test from VM with port 25 closed by ISP
I also have to check if my receiving server might be rejecting because not all DNS settings are correct on the VM or that sort of thing. I hate VM testing, but as I am working on a complete and somewhat complex server setup I decided not to hassle with a live server. But maybe a small cheap cloud server would be a better way to go, as I could configure DNS and everything closer to production.
Thomas

On 13 February 2018 01:57:22, Server Messages wrote:
The thing here is my main line is connected to a VPN through a pfSense firewall, so I have to check why I cannot send through port 25 (it is open of course) or what causes the mail not to be received. To be honest I did not look really deep into it until now, so I have to do some thorough checks. The VM I am using uses a bridged adapter to the main box, which hangs on the pfSense wall.
Thomas

On 13 February 2018 01:35:54, Wietse Venema wrote:
Server Messages:
Hm, as you mention it, I am connected through a VPN, so there has to be something else. Have to check that again.
Surely you can run more than one VPN?
Wietse
Re: How to best test from VM with port 25 closed by ISP
The thing here is my main line is connected to a VPN through a pfSense firewall, so I have to check why I cannot send through port 25 (it is open of course) or what causes the mail not to be received. To be honest I did not look really deep into it until now, so I have to do some thorough checks. The VM I am using uses a bridged adapter to the main box, which hangs on the pfSense wall.
Thomas

On 13 February 2018 01:35:54, Wietse Venema wrote:
Server Messages:
Hm, as you mention it, I am connected through a VPN, so there has to be something else. Have to check that again.
Surely you can run more than one VPN?
Wietse
Re: How to best test from VM with port 25 closed by ISP
Server Messages:
> Hm, as you mention it, I am connected through a VPN, so there has to be
> something else. Have to check that again.

Surely you can run more than one VPN?

Wietse
Re: How to best test from VM with port 25 closed by ISP
Hm, as you mention it, I am connected through a VPN, so there has to be something else. Have to check that again.
Thanks

On 13 February 2018 01:03:39, Wietse Venema wrote:
TG Servers:
Hi, how can I best test postfix delivery from a local VM if port 25 is blocked by ISP. My only intention is to set up another VM and make a network between them and then send mails between them.
Use a VPN?
Wietse
Or is there any other solution how I could get postfix from a VM to the "world"? Thanks!
Re: How to best test from VM with port 25 closed by ISP
TG Servers:
> Hi,
>
> how can I best test postfix delivery from a local VM if port 25 is
> blocked by ISP.
> My only intention is to set up another VM and make a network between them
> and then send mails between them.

Use a VPN?

Wietse

> Or is there any other solution how I could get postfix from a VM to the
> "world"?
>
> Thanks!
How to best test from VM with port 25 closed by ISP
Hi, how can I best test postfix delivery from a local VM if port 25 is blocked by ISP. My only intention is to setup another VM and make a network between them and then send mails between them. Or is there any other solution how I could get postfix from a VM to the "world"? Thanks!
Re: sender AND recipient based routing
> On Feb 12, 2018, at 3:27 PM, flymike wrote:
>
> With the milter option, can I still use transport_maps to set the custom
> nexthop?

Yes.

> I'm wondering if smtp_generic_maps are applied after or before
> transport_maps?

Milters happen on input when messages are received, transport lookups when messages enter the active queue, and smtp_generic_maps (naturally) on output, in the SMTP delivery agent.

--
Viktor.
Re: sender AND recipient based routing
Thanks, Viktor. With the milter option, can I still use transport_maps to set the custom nexthop? I'm wondering if smtp_generic_maps are applied after or before transport_maps? -- Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: Postfix queue
I am generally using postfix-logwatch for tracking log files. However, I was thinking about something that is working in real time; scripts can be run by cron at some time interval. Then the best solution could be to write some syslog parser or redirect syslog to some application, e.g. written in Java, to interpret the log file in real time. Maybe someone has a better idea?
Re: sender AND recipient based routing
> On Feb 12, 2018, at 12:10 PM, flymike wrote:
>
> I have a requirement to deliver via 'X' when sender = 'A' /and/ recipient =
> 'B', else deliver via configured defaults.
> I see how I could use sender_dependent_default_transport_maps to set nexthop
> to 'X' when sender = 'A' but I still need to deal with the additional
> condition that recipient = 'B'.
> It's like I need multiple transport tables, dependent upon sender.
> Is there any way to fulfill this requirement within the postfix framework?

Not within a single Postfix instance. With multiple instances (and much complexity) you could use "sender A" to select a different downstream instance, where B is routed to the desired transport. This scales poorly, but if the exceptions are few enough, and the need great, then you can do it.

Another option is to use a proxy filter, or milter to rewrite B to some special recipient address B' when the sender is A, then route B' to a custom nexthop, and use smtp_generic_maps to transform B' back to B on output. This works in a single Postfix instance with a proxy filter or milter.

--
Viktor.
Re: Postfix queue
I am generally using postfix-logwatch for tracking log files. However, I was thinking about something that is working in real time; scripts can be run by cron at some time interval. Then the best could be to write some syslog parser or redirect syslog to some application, e.g. written in Java, to interpret the log file in real time.

2018-02-12 17:59 GMT+01:00 Wietse Venema:
> j.emerlik:
> > I would like to have a policy service that will be able to write to a database
> > some information, e.g. when exactly message was sent, message ID, DSN if
> > something goes wrong. That means it should be working with Postfix queue.
>
> You can use "postqueue -j" to get a machine-readable queue listing
> with arrival time, and why mail is still in the queue.
>
> However for historical information of past deliveries you will have
> to rely on Postfix logs.
>
> Wietse
Re: [postfix-users] FWIW, port 465 gets standards-track blessing from RFC8314
On 11.02.18 20:26, Harald Koch wrote:
Is this change in long-standing opinion of the IETF only because existing implementations so often ignore STARTTLS, or is there actually a security issue with STARTTLS (instead of implicit TLS)?

I guess it's about firewalls - you can run service without TLS on 587 unnoticed (e.g. authentication accepted without it). You can't on 465 (implicit TLS fails).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
sender AND recipient based routing
I have a requirement to deliver via 'X' when sender = 'A' /and/ recipient = 'B', else deliver via configured defaults. I see how I could use sender_dependent_default_transport_maps to set nexthop to 'X' when sender = 'A' but I still need to deal with the additional condition that recipient = 'B'. It's like I need multiple transport tables, dependent upon sender. Is there any way to fulfill this requirement within the postfix framework? -- Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Re: Postfix queue
j.emerlik:
> I would like to have a policy service that will be able to write to a database
> some information, e.g. when exactly message was sent, message ID, DSN if
> something goes wrong. That means it should be working with Postfix queue.

You can use "postqueue -j" to get a machine-readable queue listing with arrival time, and why mail is still in the queue.

However for historical information of past deliveries you will have to rely on Postfix logs.

Wietse
Re: Postfix queue
Viktor Dukhovni:
> > On Feb 12, 2018, at 10:06 AM, j.emerlik wrote:
> >
> > It is possible to write some policy service that will be working with
> > postfix queue ?
>
> No. That's a bad idea anyway. To track message flow, parse the logs.

The closest that comes to this is a daemon that responds to transport_maps queries. If you must do that, I suggest using a socketmap table.

http://www.postfix.org/transport.5.html
http://www.postfix.org/socket_table.5.html

But, it will drain performance.

Wietse
Re: Postfix queue
On 12.02.2018 16:44, j.emerlik wrote:
> I would like to have a database with this information: Message ID, Sent
> Date (or last date of send trying), DSN, number of send attempts,
> Mail_From, RCPT_TO.

That type of information should be extracted from the Postfix logs, as existing tools like 'pflogsumm' do.

-Ralph
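[Added example, not part of any list message and not taken from pflogsumm or Postfix: one way to pull the fields asked for in this thread (message ID, last attempt time, DSN, number of attempts, sender, recipient) out of Postfix logs into SQLite. The sample log is constructed; the table layout and function names are assumptions, and the parser assumes traditional syslog timestamps and short queue IDs (enable_long_queue_ids = no, the default).]

```python
"""Collect per-recipient delivery history from Postfix syslog lines into SQLite."""
import re
import sqlite3

# Constructed sample log: one message deferred then sent, one bounced, one warning.
SAMPLE_LOG = """\
Feb 12 16:01:02 mx postfix/cleanup[2103]: 4F1A22C0E3: message-id=<20180212150102.1@example.org>
Feb 12 16:01:02 mx postfix/qmgr[1887]: 4F1A22C0E3: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Feb 12 16:01:04 mx postfix/smtp[2110]: 4F1A22C0E3: to=<bob@example.net>, relay=none, delay=2.1, delays=0.1/0/2/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.25]:25: Connection timed out)
Feb 12 16:11:30 mx postfix/qmgr[1887]: 4F1A22C0E3: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Feb 12 16:11:31 mx postfix/smtp[2140]: 4F1A22C0E3: to=<bob@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=629, delays=628/0/0.4/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9C0D1E2F3A)
Feb 12 16:11:31 mx postfix/qmgr[1887]: 4F1A22C0E3: removed
Feb 12 16:12:00 mx postfix/smtpd[2150]: warning: hostname bad.example.com does not resolve to address 203.0.113.9
Feb 12 16:20:10 mx postfix/cleanup[2160]: 7B2C33D1F4: message-id=<20180212152010.2@example.org>
Feb 12 16:20:10 mx postfix/qmgr[1887]: 7B2C33D1F4: from=<alice@example.org>, size=900, nrcpt=1 (queue active)
Feb 12 16:20:11 mx postfix/smtp[2161]: 7B2C33D1F4: to=<nobody@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.1.1, status=bounced (host mx.example.net[192.0.2.25] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
"""

# "postfix[^/\s]*" also accepts multi-instance syslog names such as postfix-submission.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix[^/\s]*/[\w-]+\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<text>.*)$")
MSGID_RE = re.compile(r"^message-id=(?P<mid>\S+)")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(
    r"^to=<(?P<rcpt>[^>]*)>.*?\bdsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+)")


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE messages (queue_id TEXT PRIMARY KEY, message_id TEXT, sender TEXT);
        CREATE TABLE deliveries (id INTEGER PRIMARY KEY, queue_id TEXT, rcpt TEXT,
                                 ts TEXT, dsn TEXT, status TEXT);
    """)
    return db


def load(db, lines):
    """Feed log lines into the database; returns the number of delivery attempts stored."""
    attempts = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # warnings, connect/disconnect and other lines without a queue ID
        qid, text = m["qid"], m["text"]
        # Caveat: short queue IDs can be reused over time, so a long-lived
        # database needs the date (or long queue IDs) as part of the key.
        db.execute("INSERT OR IGNORE INTO messages (queue_id) VALUES (?)", (qid,))
        hit = MSGID_RE.match(text)
        if hit:
            db.execute("UPDATE messages SET message_id = ? WHERE queue_id = ?",
                       (hit["mid"], qid))
            continue
        hit = FROM_RE.match(text)
        if hit:
            db.execute("UPDATE messages SET sender = ? WHERE queue_id = ?",
                       (hit["sender"], qid))
            continue
        hit = TO_RE.match(text)
        if hit:
            db.execute("INSERT INTO deliveries (queue_id, rcpt, ts, dsn, status) "
                       "VALUES (?, ?, ?, ?, ?)",
                       (qid, hit["rcpt"], m["ts"], hit["dsn"], hit["status"]))
            attempts += 1
    db.commit()
    return attempts


def report(db):
    """One row per (message, recipient): attempt count plus the last attempt's result."""
    return db.execute("""
        SELECT m.queue_id, m.message_id, m.sender, d.rcpt,
               (SELECT COUNT(*) FROM deliveries a
                 WHERE a.queue_id = d.queue_id AND a.rcpt = d.rcpt) AS attempts,
               d.ts, d.dsn, d.status
          FROM deliveries d JOIN messages m ON m.queue_id = d.queue_id
         WHERE d.id = (SELECT MAX(b.id) FROM deliveries b
                        WHERE b.queue_id = d.queue_id AND b.rcpt = d.rcpt)
         ORDER BY m.queue_id, d.rcpt""").fetchall()


if __name__ == "__main__":
    database = open_db()
    load(database, SAMPLE_LOG.splitlines())
    for row in report(database):
        print(row)
```

Traditional syslog timestamps carry no year, so records kept for months need the year added from the log file's date when they are loaded.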
Re: aquamail connecting to postfix
Hi dav,

My internet was down overnight, snow plough hit encapsulation point. These are my postfix config files, plus my dovecot stuff. Hope it helps.

John A

On 2018-02-11 06:12 PM, David Mehler wrote:
Hello, Does anyone have Android's aquamail app successfully connecting to a Postfix server? If so, what settings did you use? I keep getting an authentication denied error. I've tried for authentication choose automatically, sasl plain, sasl login. For server security I've tried ssl strict check, ssl accept any (both on port 465), and starttls strict check and starttls accept any (port 587).
Thanks.
Dave.

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_protocols = all
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks.pcre
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.ipv6.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_helo_required = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_use_tls = $smtpd_use_tls
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_unknown_reverse_client_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spameatingmonkey.net, reject_rbl_client bl.ipv6.spameatingmonkey.net, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access pcre:/etc/postfix/maps/recipient_checks.pcre, check_recipient_access hash:/etc/postfix/maps/recipient_checks
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/maps/sender_checks
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.klam.ca/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_key_file = /etc/letsencrypt/live/mail.klam.ca/privkey.pem
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql, proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql, proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp

smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd -o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup -o cleanup_service_name=pre-cleanup
submission inet n - n - 30 smtpd -o
Re: Postfix queue
I would like to have a database with this information: Message ID, Sent Date (or last date of send trying), DSN, number of send attempts, Mail_From, RCPT_TO. It would be helpful to create statistics or check exactly what happened with the messages sent, e.g. six months ago.

2018-02-12 16:22 GMT+01:00 Ralph Seichter:
> On 12.02.2018 16:06, j.emerlik wrote:
>
> > I would like to have a policy service that will be able to write to a
> > database some information, e.g. when exactly message was sent, message ID,
> > DSN if something goes wrong. That means it should be working with
> > Postfix queue.
>
> That's not really a specific description of your needs or design goals,
> so you can expect answers to be similarly vague. ;-) Have you looked
> into postqueue(1) and/or showq(8) yet?
>
> -Ralph
Re: Postfix queue
> On Feb 12, 2018, at 10:06 AM, j.emerlik wrote:
>
> It is possible to write some policy service that will be working with postfix
> queue ?

No. That's a bad idea anyway. To track message flow, parse the logs.

--
Viktor.
RE: Postfix queue
Hi,

I would think you could write a script to do what you need? Here is one I use that is in Python.

[root@mta3 alf02013]# Summary
Usage: Summary -s -h {-|POSTFIX_LOG} [ POSTFIX_LOG .. ]
Summarize postfix mail log. Gzipped files are OK.
Print one line for each delivered email, with these columns
TIME_RECEIVED TIME_SENT ELAPSED QUEUEID SOURCE_IP AUTHENTICATE_USER FINAL_STATUS FROM_ADDR TO_ADDRS
OPTIONS
-h Print column headers
-s Include email subject (if in Postfix log)

-ANGELO FAZZINA
ITS Service Manager: Spam and Virus Prevention Mass Mailing G Suite/Gmail
ang...@uconn.edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of j.emerlik
Sent: Monday, February 12, 2018 10:07 AM
To: postfix-users@postfix.org
Subject: Postfix queue

Lately I wrote in Python a Postfix policy service that can do something for me that I want. Now I am thinking about the next service but I don't know, maybe it is not possible. That is my question: Is it possible to write some service similar to e.g. check_policy_service unix:private/policy-spf

It is possible to write some policy service that will be working with postfix queue ?

I would like to have a policy service that will be able to write to a database some information, e.g. when exactly message was sent, message ID, DSN if something goes wrong. That means it should be working with Postfix queue. But policy services can be configured with smtpd_sender_restrictions and smtpd_recipient_restrictions. Is it possible to configure some policy service with postfix queue ?

Regards,
MattX
Re: Postfix queue
On 12.02.2018 16:06, j.emerlik wrote:
> I would like to have a policy service that will be able to write to a
> database some information, e.g. when exactly message was sent, message ID,
> DSN if something goes wrong. That means it should be working with
> Postfix queue.

That's not really a specific description of your needs or design goals, so you can expect answers to be similarly vague. ;-) Have you looked into postqueue(1) and/or showq(8) yet?

-Ralph
Re: aquamail connecting to postfix
Hello,

My thanks to those who suggested the debug document. While that wasn't it, the issue wasn't with postfix at all, it did get me looking at Dovecot. Postfix does SASL authentication using Dovecot. Dovecot gets its username and password from a MySQL database. The query Dovecot was sending was wrong and it only showed up on outgoing connections, incoming authentication worked fine.

Again my thanks.
Dave.

On 2/11/18, Bill Cole wrote:
> On 11 Feb 2018, at 18:12, David Mehler wrote:
>
>> Hello,
>>
>> Does anyone have Android's aquamail app successfully connecting to a
>> Postfix server? If so, what settings did you use? I keep getting an
>> authentication denied error. I've tried for authentication choose
>> automatically, sasl plain, sasl login. For server security I've tried
>> ssl strict check, ssl accept any (both on port 465), and starttls
>> strict check and starttls accept any (port 587).
>
> This reads as if you haven't tried simply telling Postfix to not request
> client certs at all. Unless you are using X.509 certs for user
> authentication, it is best to leave smtpd_tls_CAfile and
> smtpd_tls_CApath at their defaults (empty) and smtpd_tls_ask_ccert at
> its default (no)
>
> And as always: if you want detailed and specific Postfix help here, you
> should follow the advice in the last section of the Postfix DEBUG_README
> file.
Postfix queue
Lately I wrote in Python a Postfix policy service that can do something for me that I want. Now I am thinking about the next service but I don't know, maybe it is not possible. That is my question: Is it possible to write some service similar to e.g. check_policy_service unix:private/policy-spf

It is possible to write some policy service that will be working with postfix queue ?

I would like to have a policy service that will be able to write to a database some information, e.g. when exactly message was sent, message ID, DSN if something goes wrong. That means it should be working with Postfix queue. But policy services can be configured with smtpd_sender_restrictions and smtpd_recipient_restrictions. Is it possible to configure some policy service with postfix queue ?

Regards,
MattX