SNI and Letsencrypt wildcards.
Hi all,

I am having some issues getting SNI working with postfix >3.4 with errors like:

Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: connect from localhost[127.0.0.1]
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: key at index 1 in SNI data for mx1.city8ball.org.au does not match next certificate
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1107:
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: error loading private keys and certificates from: SNI data for mx1.city8ball.org.au: aborting TLS handshake
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: SSL_accept error from localhost[127.0.0.1]: -1
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:../ssl/statem/extensions.c:1007:
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: lost connection after STARTTLS from localhost[127.0.0.1]
Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

The certificate file is a wildcard certificate issued by letsencrypt. The following are the pertinent fields from the x509 output of the certificate:

        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Subject: CN = city8ball.org.au
        X509v3 Subject Alternative Name:
            DNS:*.city8ball.org.au, DNS:city8ball.org.au

These files work with apache, nginx, and dovecot for SNI. Really not sure why I can't get it working with postfix.
From "postconf -n":

smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_chain_files = /etc/ssl/letsencrypt/lusan.id.au/lusan.id.au.key /etc/ssl/letsencrypt/lusan.id.au/fullchain.cer
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
tls_append_default_CA = no
tls_daemon_random_bytes = 64
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:!CAMELLIA128-SHA:!AES128-SHA
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

Thanks

--
Nikolai Lusan
Email: niko...@lusan.id.au
Phone: 0425 661 620
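The warning above ("key at index 1 ... does not match next certificate") is about the order of PEM objects Postfix reads from smtpd_tls_chain_files and from the files a tls_server_sni_maps entry points at: each private key must be directly followed by its own certificate chain. The checker below is an added example, not code from this thread or from Postfix; it parses a PEM file and reports ordering problems, and the PEM samples it embeds are constructed placeholders, not real keys or certificates.

```python
import re

# Layout Postfix expects in an smtpd_tls_chain_files file or in the file a
# tls_server_sni_maps entry points at: a private key immediately followed by
# the certificate chain for that key, optionally repeated for more key types.
# Postfix logs "key at index N in ... does not match next certificate" when
# the object right after a key is not that key's own certificate.
PEM_OBJECT = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM objects in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_OBJECT.finditer(text)]


def is_private_key(label):
    return label.endswith("PRIVATE KEY")  # covers RSA, EC and PKCS#8 key labels


def check_chain_layout(text):
    """Return a list of layout problems; an empty list means the order is valid."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM objects found"]
    problems = []
    if not is_private_key(labels[0]):
        problems.append("index 0 is %s, expected a private key first" % labels[0])
    for i, label in enumerate(labels):
        if is_private_key(label):
            following = labels[i + 1] if i + 1 < len(labels) else None
            if following != "CERTIFICATE":
                problems.append("key at index %d is not followed by a CERTIFICATE" % i)
    return problems


def fake_pem(label):
    """Constructed placeholder PEM object (not a real key or certificate)."""
    return "-----BEGIN %s-----\nMIIBogus\n-----END %s-----\n" % (label, label)


# Constructed samples: the layout Postfix wants, and a file whose certificate
# comes before its key and whose first key is followed by another key.
GOOD_FILE = fake_pem("PRIVATE KEY") + fake_pem("CERTIFICATE") + fake_pem("CERTIFICATE")
BAD_FILE = (fake_pem("CERTIFICATE") + fake_pem("PRIVATE KEY")
            + fake_pem("EC PRIVATE KEY") + fake_pem("CERTIFICATE"))

if __name__ == "__main__":
    for name, data in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(name, check_chain_layout(data) or "ok")
```

This checks ordering only; whether a key really belongs to the certificate after it still needs a cryptographic comparison of the two public keys (for example with openssl).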
Re: Postfix LDAP pipemap lookup tables and OctetStream
On Thu, Feb 06, 2020 at 08:44:36AM +0100, Luca Fornasari wrote:

> I am using reject_sender_login_mismatch and I need to find out the
> owner of an email address using smtpd_sender_login_maps.
> The email address is present on a first AD server while user/owner is
> on a second AD server ... what links the two is the SID (Exchange
> linked mailbox).

You'll need a less exotic schema to make this go. Provision a third LDAP server on which the join is directly available in a single object containing both the address and account name.

> The idea is to use a pipemap of LDAP queries; the first LDAP query
> using the email address as a key to retrieve the
> msExchMasterAccountSid on the first AD and pipe it as input key as
> objectSid to a second LDAP query to retrieve the SamAccountName.
>
> Since msExchMasterAccountSid is an OctetStream, I am wondering if this
> will work ... does anyone already have experience on this?

In Postfix, table lookup keys and result data are NUL-terminated C strings. So binary keys and values are not possible.

    const char *dict_lookup(dict_name, member)
    const char *dict_name;
    const char *member;

Internally, the Postfix LDAP table assumes that all attributes returned in an LDAP query are NUL-terminated C-strings. OpenLDAP appends a final NUL even to binary data, but we don't check for absence of internal NULs.

Also, the Postfix LDAP table folds keys to lower-case by default, and IIRC you don't generally get to disable that when defining tables.

Bottom-line. Sorry, no non-textual keys or values.

--
    Viktor.
Re: Postfix LDAP pipemap lookup tables and OctetStream
Hello Luca

> sadly I am stuck to a version of Postfix that does not yet support the
> "pipemap" lookup table, so I am forced to ask here instead of simply trying ...

Well you can always compile the latest version of postfix on your machine and/or on the server in question, create the ldap files needed and test the pipemap using postmap -q. E.g.

  $ /path/to/postfix_bin/postmap -q em...@domain.tld 'pipemap:{ ldap:/path/to/first_map, ldap:/path/to/second_map, }'

Of course you should be able to reach the LDAP servers from the machine you run postmap from, although a few well-placed ssh-forwarded connections would get you there anyway.

> I am using reject_sender_login_mismatch and I need to find out the
> owner of an email address using smtpd_sender_login_maps.
> The email address is present on a first AD server while user/owner is
> on a second AD server ... what links the two is the SID (Exchange
> linked mailbox).
> The idea is to use a pipemap of LDAP queries; the first LDAP query
> using the email address as a key to retrieve the
> msExchMasterAccountSid on the first AD and pipe it as input key as
> objectSid to a second LDAP query to retrieve the SamAccountName.

Be aware that creative combinations of unionmap, pipemap and pcre tables (the latter to rewrite/combine outputs from other maps) can get you pretty far, so if you have other keys or combinations of them which might provide you a different join field through some degree of rewriting it could be possible to use them.

> Since msExchMasterAccountSid is an OctetStream, I am wondering if this
> will work ... does anyone already have experience on this?

ldap_table(5) says the RFC 2254 quoting is used when expanding %s in the search filter, but although I've made pipemap/unionmap combinations a few levels deep I've never used binary values as keys, so I guess you should just try.

> Has anyone done it with a custom script? What about performance?

Performance is not usually an issue in my experience, but it depends on the size of your infrastructure/mailflow and on how often the ldap lookups are performed in your final flow.

Never tried a custom script.

Regards,
Fulvio
Re: Same QueueID if recipients belong to the same domain?
FYI I solved adding fixcc_destination_recipient_limit=1 in main.cf

Bye

On Wed 5 Feb 2020 at 13:12 Wietse Venema wrote:

> ego...@gmail.com:
> > Feb 5 11:35:48 AZN-POSTIFX postfix/smtpd[55568]: connect from mail-am5eur03lp2053.outbound.protection.outlook.com[104.47.8.53]
> > Feb 5 11:35:48 AZN-POSTIFX postfix/smtpd[55568]: 641C6401EF: client=mail-am5eur03lp2053.outbound.protection.outlook.com[104.47.8.53]
> > Feb 5 11:35:48 AZN-POSTIFX postfix/cleanup[55571]: 641C6401EF: message-id=<am0p195mb074014bc4ed377dba3bacdde89...@am0p195mb0740.eurp195.prod.outlook.com>
> > Feb 5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 641C6401EF: from=<us...@senderdomain.com>, size=10524, nrcpt=2 (queue active)
> > Feb 5 11:35:48 AZN-POSTIFX postfix/smtpd[55568]: disconnect from mail-am5eur03lp2053.outbound.protection.outlook.com[104.47.8.53]
>
> Postfix received a message with TWO RECIPIENTS.
>
> > Feb 5 11:35:48 AZN-POSTIFX postfix/pickup[55478]: 7738740269: uid=1001 from=
> > Feb 5 11:35:48 AZN-POSTIFX postfix/pipe[55572]: 641C6401EF: to=<recipie...@gmail.com>, relay=fixcc, delay=0.09, delays=0.03/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via fixcc service)
> > Feb 5 11:35:48 AZN-POSTIFX postfix/pipe[55572]: 641C6401EF: to=<recipie...@gmail.com>, relay=fixcc, delay=0.09, delays=0.03/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via fixcc service)
> > Feb 5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 641C6401EF: removed
>
> Postfix delivered a message with TWO RECIPIENTS to the fixcc service.
>
> > Feb 5 11:35:48 AZN-POSTIFX postfix/cleanup[55571]: 7738740269: message-id=<am0p195mb074014bc4ed377dba3bacdde89...@am0p195mb0740.eurp195.prod.outlook.com>
> > Feb 5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 7738740269: from=<us...@senderdomain.com>, size=10642, nrcpt=1 (queue active)
> > Feb 5 11:35:48 AZN-POSTIFX postfix/smtp[55578]: 7738740269: to=<recipie...@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.26]:25, delay=0.39, delays=0.02/0.02/0.14/0.21, dsn=2.0.0, status=sent (250 2.0.0 OK 1580898948 cn3si15321822edb.537 - gsmtp)
> > Feb 5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 7738740269: removed
>
> The fixcc service fucked up and lost the second recipient.
>
>         Wietse
Re: message-id empty
On 05.02.20 04:25, mami64 wrote:
> Sometimes I find in logs (smtp outgoing) an empty message-id like
>
> Feb 5 12:20:18 smtp1 postfix/cleanup[21270]: 48CJy70T20z3xcS: message-id=<>
> Feb 5 12:20:20 smtp1 postfix/cleanup[21265]: 48CJyD3tzNz3y0m: message-id=<>
> Feb 5 12:20:20 smtp1 postfix/cleanup[19334]: 48CJyD4yKCz3xvB: message-id=<>
> Feb 5 12:20:23 smtp1 postfix/cleanup[19285]: 48CJyH2nYjz3y1b: message-id=<>
> Feb 5 12:20:24 smtp1 postfix/cleanup[17592]: 48CJyH6tV0z3xNL: message-id=<>
> Feb 5 12:20:25 smtp1 postfix/cleanup[19334]: 48CJyK1Yg7z3y2C: message-id=<>
>
> In RFC 822 message-id is not required, but I don't know why sometimes I get
> a message-id and sometimes not, and what it depends on

On Wed, Feb 5, 2020 at 12:41 PM Matus UHLAR - fantomas wrote:
> apparently the client did not create Message-Id: header.
> it's up to the client to generate it.

On 06.02.20 09:31, Luca Fornasari wrote:
> You can use "always_add_missing_headers = yes" in main.cf in case you
> need to reproduce older Postfix behaviour

note that this can break DKIM, spam scanning etc.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
send alternate destination based on Cc / Subject / body
Hi,

My name is Mihaly Fazekas. Sorry, my English is not good.

How can I do this: send mail to Cc instead of To? (replace To with Cc for a specified Cc/Subject, then remove the original Cc)

With header_checks I can change the To field, but the mail is still sent to the original destination. Inside header_checks I can use the REDIRECT option, but this option is not perfect. (RT uses the To field, not the Return-Path?)

My "original problem" is: we are using RT (Request Tracker), and I want to control RT via email, but evolution mailer templates do not replace the To field (they can replace: Cc, Subject, body,... BUT cannot replace the To field. -> brrr.).

--
mailto:mich...@telkp.bme.hu
Re: message-id empty
On Wed, Feb 5, 2020 at 12:41 PM Matus UHLAR - fantomas wrote:
>
> On 05.02.20 04:25, mami64 wrote:
> > Sometimes I find in logs (smtp outgoing) an empty message-id like
> >
> > Feb 5 12:20:18 smtp1 postfix/cleanup[21270]: 48CJy70T20z3xcS: message-id=<>
> > Feb 5 12:20:20 smtp1 postfix/cleanup[21265]: 48CJyD3tzNz3y0m: message-id=<>
> > Feb 5 12:20:20 smtp1 postfix/cleanup[19334]: 48CJyD4yKCz3xvB: message-id=<>
> > Feb 5 12:20:23 smtp1 postfix/cleanup[19285]: 48CJyH2nYjz3y1b: message-id=<>
> > Feb 5 12:20:24 smtp1 postfix/cleanup[17592]: 48CJyH6tV0z3xNL: message-id=<>
> > Feb 5 12:20:25 smtp1 postfix/cleanup[19334]: 48CJyK1Yg7z3y2C: message-id=<>
> >
> > In RFC 822 message-id is not required, but I don't know why sometimes I get
> > a message-id and sometimes not, and what it depends on
>
> apparently the client did not create Message-Id: header.
> it's up to the client to generate it.

You can use "always_add_missing_headers = yes" in main.cf in case you need to reproduce older Postfix behaviour

Luca