Re: Local user unknown - but should be virtual...
It was accidentally in both places. Removed from $mydestination it works fine.

Sent from my iPhone

> On Apr 10, 2022, at 4:01 PM, Wietse Venema wrote:
>
> Roger Klorese:
>> When I mail to a list I now get:
>>
>> : host
>> divine.onlinepolicy.net[216.252.162.112] said: 550 5.1.1
>> : Recipient address
>> rejected: User unknown in local recipient table (in reply to RCPT TO
>> command)
>
> The recipient domain matches $mydestination, therefore the
> recipient address is validated with $local_recipient_maps or
> virtual_alias_maps.
>
> Maybe ask this on a Sympa forum? Surely someone uses it with Postfix.
>
> Wietse
Re: Local user unknown - but should be virtual...
Roger Klorese:
> When I mail to a list I now get:
>
> : host
> divine.onlinepolicy.net[216.252.162.112] said: 550 5.1.1
> : Recipient address
> rejected: User unknown in local recipient table (in reply to RCPT TO
> command)

The recipient domain matches $mydestination, therefore the
recipient address is validated with $local_recipient_maps or
virtual_alias_maps.

Maybe ask this on a Sympa forum? Surely someone uses it with Postfix.

Wietse
Re: Local user unknown - but should be virtual...
On 2022-04-10 at 14:29:20 UTC-0400 (Sun, 10 Apr 2022 11:29:20 -0700)
Roger Klorese is rumored to have said:

> When I mail to a list I now get:
>
> : host divine.onlinepolicy.net[216.252.162.112] said: 550 5.1.1
> : Recipient address rejected: User unknown in local recipient table
> (in reply to RCPT TO command)

So Postfix believes that hosting.onlinepolicy.net is a LOCAL domain. See the ADDRESS_CLASS_README for details on how that can be. The problem is in $mydestination and/or parent_domain_matches_subdomains.

> ...but...
>
> [root@divine sympa]# grep virtual /etc/postfix/main.cf
> #myhostname = virtual.domain.tld
> # Do not specify the names of virtual domains - those domains are
> # /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
> # the $virtual_mailbox_maps files.
> # - destinations that match $virtual_alias_domains,
> # - destinations that match $virtual_mailbox_domains.
> # local(8), relocated(5) and virtual(5) for the effects this has on
> # aliases, canonical, virtual, relocated and .forward file lookups.
> *virtual_mailbox_domains = /etc/postfix/local-host-names*
> virtual_mailbox_maps = hash:/etc/sympa/transport.sympa, hash:/etc/sympa/virtual.sympa
> virtual_alias_maps = hash:/etc/sympa/virtual.sympa

Please provide 'postfix -n' output rather than grepping main.cf. The relevant parameters aren't shown...

> [root@divine sympa]# grep hosting /etc/postfix/local-host-names
> hosting.onlinepolicy.net
> [root@divine sympa]# grep list-owners-announce /etc/sympa/transport.sympa
> list-owners-annou...@hosting.onlinepolicy.net sympa:list-owners-annou...@hosting.onlinepolicy.net

If hosting.onlinepolicy.net is in $mydestination, none of that matters.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Allow anonymous login
On Sun, Apr 10, 2022 at 12:29:36PM -0700, Noah wrote:

> I am working in a software test environment and need to allow anonymous
> logins to postfix. What configuration knobs does postfix need?

Use a test login. The "need" to allow anonymous logins seems unmotivated.

What SASL mechanism are you using? What prevents configuring a suitable test user? What is the nature of the test, why is a login required? ...

--
    Viktor.
Re: match empty sender in hash: sender access map?
On Sun, Apr 10, 2022 at 02:27:33PM -0400, Greg Klanderman wrote:

> Quick question, what is the correct syntax to match an empty sender in
> a hash: sender access map (i.e. check_sender_access)?

This is naturally documented in access(5), and also in postconf(5) under:

    smtpd_null_access_lookup_key (default: <>)
        The lookup key to be used in SMTP access(5) tables instead of the
        null sender address.

--
    Viktor.
Re: match empty sender in hash: sender access map?
On 2022-04-10 at 14:27:33 UTC-0400 (Sun, 10 Apr 2022 14:27:33 -0400)
Greg Klanderman is rumored to have said:

> Hi all,
>
> Quick question, what is the correct syntax to match an empty sender in
> a hash: sender access map (i.e. check_sender_access)?
>
> Somewhat related, if I have a regexp: map (header checks), like so:
>
> /^Subject:.*foo bar/ REJECT
> /^Subject:.*foo baz/ REJECT
>
> when it is postmap'd, it warns about a "duplicate entry", because it
> is apparently seeing the first (key) token end with space.

Right, because you do not need to run 'postmap' on regex or pcre maps. The text format is what Postfix uses for those types.

> (Yes, I know I could combine the two lines)
>
> Is this the correct syntax for these two regexps? Or is the regexp
> really being treated as ending at the first space?
>
> If I'm using the correct syntax, it seems the postmap warning is
> spurious; how can I inhibit it?

Simple: do not run postmap on regex, pcre, or cidr tables.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Allow anonymous login
Hi there,

I am working in a software test environment and need to allow anonymous logins to postfix. What configuration knobs does postfix need?

Cheers

error message from the log:

--- snip ---
status=bounced (host localhost[127.0.0.1] said: 502 5.7.0 anonymous login not supported (in reply to MAIL FROM command))
--- snip ---

mail_version = 3.2.2
milter_macro_v = $mail_name $mail_version

--- /etc/postfix/main.cf ---
egrep -v "^$|^[[:space:]]*#" /etc/postfix/main.cf
compatibility_level = 2
queue_directory = /private/var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = _postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = _postdrop
html_directory = /usr/share/doc/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/examples
readme_directory = /usr/share/doc/postfix
inet_protocols = all
message_size_limit = 10485760
mailbox_size_limit = 0
biff = no
mynetworks = 127.0.0.0/8, [::1]/128, /24
smtpd_client_restrictions = permit_mynetworks permit
recipient_delimiter = +
tls_random_source = dev:/dev/urandom
smtpd_tls_ciphers = medium
inet_interfaces = loopback-only
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = anonymous
smtpd_relay_restrictions = permit_mynetworks
smtpd_sasl_exceptions_networks = $mynetworks
myhostname = localhost
relayhost = [localhost]:
--- snip ---

Cheers,
Noah
Re: Postfix 3.5.9 SSL accept error Microsoft Exchange
On Sun, Apr 10, 2022 at 10:44:05AM +0200, Admin Beckspaced wrote:

> Dehydrated has the option for different certificate types so I went with
> ECDSA and RSA
>
> https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md
>
> Added the following to main.cf
>
> # RSA default
> smtp_tls_cert_file =
> /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
> smtp_tls_key_file = /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
>
> # ECDSA optional
> smtp_tls_eccert_file =
> /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
> smtp_tls_eckey_file =
> /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
>
> postfix docs recommend to use smtpd_tls_chain_files
>
> https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
>
> would it be as easy to just add the following to main.cf to use the
> recommended setting?
>
> smtpd_tls_chain_files =
> /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
> /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
> /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
> /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem

Yes, and once that works, you can drop the legacy parameters.

Note that loading the key and certificate from separate files introduces a narrow race condition if the files are being updated from cron while a Postfix smtpd(8) process is loading keys + certs. A more robust implementation would follow up the key rotation from cron with code that combines the key and cert into a single file that is checked for a matching key + cert prior to an atomic rename into place.

I don't know whether dehydrated supports creation of a "combo" PEM file that contains key + cert chain all in one. If not, I'd suggest opening an issue against the project repo.

--
    Viktor.
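The combine, check and atomic-rename step described in the reply above, written as a shell function to run after certificate renewal. This is an added example, not code from the thread, from Postfix or from dehydrated; the function name and all file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a "combo" PEM holding the
# private key followed by the certificate chain, checks that the key and
# the leaf certificate belong together, and only then renames the file
# into place. Function name and paths are hypothetical.

# install_combo_pem KEY_FILE CHAIN_FILE DEST_FILE
install_combo_pem() {
    key=$1 chain=$2 dest=$3

    # Create the temporary file next to the destination so that mv(1) is a
    # rename(2) on one filesystem: a reader sees the old file or the new
    # one, never a half-written mix. mktemp creates it with mode 0600.
    tmp=$(mktemp "$dest.XXXXXX") || return 1

    # Verify the file that will actually be loaded: the public key derived
    # from its first private key must equal the public key in its first
    # certificate. Each assignment carries openssl's exit status, so an
    # unreadable key or certificate fails the chain instead of comparing
    # two empty strings.
    if cat "$key" "$chain" > "$tmp" &&
       key_pub=$(openssl pkey -in "$tmp" -pubout 2>/dev/null) &&
       cert_pub=$(openssl x509 -in "$tmp" -noout -pubkey 2>/dev/null) &&
       [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
    then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "install_combo_pem: key/certificate check failed; $dest left unchanged" >&2
        return 1
    fi
}

# Hypothetical use from a renewal hook:
#   install_combo_pem /path/to/privkey.pem /path/to/fullchain.pem /path/to/combo.pem
# with smtpd_tls_chain_files pointing at the resulting combo.pem.
```

If renewal swaps the key and the chain at different moments, the check fails and the previous combo file stays in service until the next successful run.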
Local user unknown - but should be virtual...
When I mail to a list I now get:

: host divine.onlinepolicy.net[216.252.162.112] said: 550 5.1.1
: Recipient address rejected: User unknown in local recipient table
(in reply to RCPT TO command)

...but...

[root@divine sympa]# grep virtual /etc/postfix/main.cf
#myhostname = virtual.domain.tld
# Do not specify the names of virtual domains - those domains are
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# the $virtual_mailbox_maps files.
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
*virtual_mailbox_domains = /etc/postfix/local-host-names*
virtual_mailbox_maps = hash:/etc/sympa/transport.sympa, hash:/etc/sympa/virtual.sympa
virtual_alias_maps = hash:/etc/sympa/virtual.sympa

[root@divine sympa]# grep hosting /etc/postfix/local-host-names
hosting.onlinepolicy.net

[root@divine sympa]# grep list-owners-announce /etc/sympa/transport.sympa
list-owners-annou...@hosting.onlinepolicy.net sympa:list-owners-annou...@hosting.onlinepolicy.net
match empty sender in hash: sender access map?
Hi all,

Quick question, what is the correct syntax to match an empty sender in a hash: sender access map (i.e. check_sender_access)?

Somewhat related, if I have a regexp: map (header checks), like so:

/^Subject:.*foo bar/ REJECT
/^Subject:.*foo baz/ REJECT

when it is postmap'd, it warns about a "duplicate entry", because it is apparently seeing the first (key) token end with space.

(Yes, I know I could combine the two lines)

Is this the correct syntax for these two regexps? Or is the regexp really being treated as ending at the first space?

If I'm using the correct syntax, it seems the postmap warning is spurious; how can I inhibit it?

thank you,
Greg
Re: Postfix 3.5.9 SSL accept error Microsoft Exchange
>> Or switch my cert to RSA for better compatibility?
>
> This is my recommendation.
>
> On Sat, Apr 09, 2022 at 11:15:37AM +0200, Josef Vybíhal wrote:
>
>> smtpd_tls_cert_file = /etc/postfix/tls/rsa/_.acme.com.rsa.fullchain.pem
>> smtpd_tls_eccert_file = /etc/postfix/tls/ecc/_.acme.com.ecc.fullchain.pem
>> smtpd_tls_eckey_file = /etc/postfix/tls/ecc/_.acme.com.ecc.key
>> smtpd_tls_key_file = /etc/postfix/tls/rsa/_.acme.com.rsa.key
>
> Dual certificates require some skill to maintain. I don't recommend
> this at present. This is an advanced use case that most users would
> best avoid.

Hello Viktor,

thanks again for your time & explanations. you guys are really doing a more than great job giving support on the postfix mailing list. Thumbs up!

I use letsencrypt for the certs and the ACME client dehydrated to get and renew the certs.

Dehydrated has the option for different certificate types so I went with ECDSA and RSA

https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md

Added the following to main.cf

# RSA default
smtp_tls_cert_file = /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
smtp_tls_key_file = /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem

# ECDSA optional
smtp_tls_eccert_file = /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
smtp_tls_eckey_file = /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem

postfix docs recommend to use smtpd_tls_chain_files

https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files

would it be as easy to just add the following to main.cf to use the recommended setting?

smtpd_tls_chain_files =
    /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
    /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
    /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
    /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem

thanks & greetings
Becki