[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Gary R. Schmidt via Postfix-users

On 17/06/2024 11:54, Paul Schmehl via Postfix-users wrote:
> I’m seeing this error in the roundcube logs:
>
> [16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication
> failure: mail.stovebolt.com
>
[SNIP]
> /var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST
> /webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)
>
> [16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does not
> support authentication (POST
> /webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)
>
> [16-Jun-2024 20:34:16 -0500]:  SMTP Error: Authentication
> failure: mail.stovebolt.com
>
[SNIP]
> The odd thing is, I don’t see any connection attempts at all in the mail
> logs. However, this log entry has me wondering. PHP Error: SMTP server
> does not support authentication
>
> Should postfix be announcing that it accepts AUTH LOGIN? If so, I may
> have missed something in the config. I’m wondering if roundcube is not
> even attempting auth because postfix isn’t announcing it as a service that
> it offers.



Have you set "$config['smtp_debug'] = true;" in config.inc.php?
That might give you some more information.

Also look at "defaults.inc.php" and see if anything jumps out at you.

I've been using Roundcube for a long time, but not using authentication 
for sending.  If they can login to the webserver then they can send mail.


Cheers,
Gary B-)

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Peter via Postfix-users

On 17/06/24 16:49, Paul Schmehl via Postfix-users wrote:
> Gmail rejects it, but I’ve altered my spf record to include localhost. I hope
> once that propagates my problems will be solved.

This will not do anything for you, you cannot put localhost in an SPF
record.


There are many reasons why gmail might be rejecting your mail and 
playing guessing games like this will only make things worse, not better.


For google issues specifically see: 
https://support.google.com/mail/answer/81126


Other deliverability advice:

* Check your FCRDNS: 
https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS


* Make sure that SPF, DKIM and DMARC are correctly configured.

* Sign up for www.dnswl.org

* Check for DNSRBL entries: http://multirbl.valli.org/


Peter


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Peter via Postfix-users

On 17/06/24 16:49, Paul Schmehl via Postfix-users wrote:
> On Jun 16, 2024, at 10:30 PM, Peter via Postfix-users wrote:
>> It's likely that roundcube is not configured for TLS and postfix is (as it
>> should be) configured not to offer AUTH until TLS is established.
>
> Yes, postfix is configured to use TLS, and no roundcube is not. When I
> configure roundcube to connect using TLS it can’t even connect to the server. I
> don’t understand what’s going on with roundcube, but it’s definitely not
> behavior I would expect. It’s had me pulling my hair out for two days, and I
> don’t even have any hair.


Without seeing logs and actual config settings I can only guess.  One 
thing to keep in mind is that there's two types of TLS connection, 
implicit TLS and explicit TLS.  Implicit TLS connects to a port 
dedicated to TLS connections, for submission this is the submissions 
(note the "s" on the end) port 465 (formerly called smtps) and is now 
the recommended service to submit mail to.  This is also controlled by 
the "wrappermode" setting in master.cf for the service.  Explicit TLS 
connects first in plain text then uses the STARTTLS command to establish 
a TLS session, this is how the submission (note no "s" on the end) 
service on port 587 works.  If you have wrappermode incorrectly set in 
postfix, or you have the wrong setting in roundcube then roundcube may 
be trying to connect with implicit TLS when postfix is expecting 
explicit TLS or vice-versa, either one will cause a failure at or 
shortly after connection time.


There are other possible reasons for TLS connection problems and without 
seeing logs and settings it's impossible to determine what the actual 
issue is.



> I’m hoping I have solved the problem. I have roundcube sending mail on port 25
> with no auth (all daemons are running on the same server), and it is sending
> mail. Gmail rejects it, but I’ve altered my spf record to include localhost. I
> hope once that propagates my problems will be solved.


You should not use port 25 for submission.  Port 25 should be for MX 
communication *only* and attempting to use it for submission will cause 
many many problems.  Use either submissions (465) or submission (587) 
instead.  Do note that the newest recommendations are to use submissions.



Peter


[pfx] Re: questions around the configuration

2024-06-16 Thread Jeff Peng via Postfix-users

Got it. Thanks Viktor very much.

On 2024-06-17 12:18, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Jun 17, 2024 at 09:54:01AM +0800, Jeff Peng via Postfix-users wrote:
>
>> smtp_use_tls = yes
>
> Obsolete, ignored when the preferred form below is specified.
>
>> smtp_tls_security_level = may
>
> Keep this one.
>
>> smtpd_use_tls = yes
>
> Obsolete, ignored when the preferred form below is specified.
>
>> smtpd_tls_security_level = may
>
> Keep this one.
>
>> my questions include:
>>
>> 1. are "smtp_use_tls" and "smtp_tls_security_level" really needed?
>
> Yes, for the latter.
>
>> 2. shall "smtp_tls_session_cache_database" and
>> "smtpd_tls_session_cache_database" use a explicit database? or can i just
>> comment them out?
>
> You typically only need the client-side cache, the server-side cache is
> no longer needed since the introduction of TLS session tickets.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Paul Schmehl via Postfix-users
On Jun 16, 2024, at 10:30 PM, Peter via Postfix-users wrote:
> 
> 
> It's likely that roundcube is not configured for TLS and postfix is (as it 
> should be) configured not to offer AUTH until TLS is established.
> 
Yes, postfix is configured to use TLS, and no roundcube is not. When I 
configure roundcube to connect using TLS it can’t even connect to the server. I 
don’t understand what’s going on with roundcube, but it’s definitely not 
behavior I would expect. It’s had me pulling my hair out for two days, and I 
don’t even have any hair.

I’m hoping I have solved the problem. I have roundcube sending mail on port 25 
with no auth (all daemons are running on the same server), and it is sending 
mail. Gmail rejects it, but I’ve altered my spf record to include localhost. I 
hope once that propagates my problems will be solved.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: questions around the configuration

2024-06-16 Thread Viktor Dukhovni via Postfix-users
On Mon, Jun 17, 2024 at 09:54:01AM +0800, Jeff Peng via Postfix-users wrote:

> smtp_use_tls = yes

Obsolete, ignored when the preferred form below is specified.

> smtp_tls_security_level = may

Keep this one.

> smtpd_use_tls = yes

Obsolete, ignored when the preferred form below is specified.

> smtpd_tls_security_level = may

Keep this one.

> my questions include:
> 
> 1. are "smtp_use_tls" and "smtp_tls_security_level" really needed?

Yes, for the latter.

> 2. shall "smtp_tls_session_cache_database" and
> "smtpd_tls_session_cache_database" use a explicit database? or can i just
> comment them out?

You typically only need the client-side cache, the server-side cache is
no longer needed since the introduction of TLS session tickets.

-- 
Viktor.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Peter via Postfix-users

On 17/06/24 13:54, Paul Schmehl via Postfix-users wrote:
> I’m seeing this error in the roundcube logs:
>
> [16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication
> failure: mail.stovebolt.com
> PIPELINING
> SIZE 9
> VRFY
> ETRN
> STARTTLS
> ENHANCEDSTATUSCODES
> 8BITMIME
> DSN
> SMTPUTF8
> CHUNKING (Code: 250) in
> /var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST
> /webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)
>
> [16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does not
> support authentication (POST
> /webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)
>
> [16-Jun-2024 20:34:16 -0500]:  SMTP Error: Authentication
> failure: mail.stovebolt.com
> PIPELINING
> SIZE 9
> VRFY
> ETRN
> STARTTLS
> ENHANCEDSTATUSCODES
> 8BITMIME
> DSN
> SMTPUTF8
> CHUNKING (Code: 250) in
> /var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST
> /webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)


For starters these are not Postfix logs.  I do not know what roundcube 
logs are supposed to look like but you have shown two sets of what 
appear to be responses to the EHLO command.  Both of the above responses 
were made prior to or entirely without the issuance of a STARTTLS 
command so a well configured postfix will not show AUTH support until 
after STARTTLS is issued and a TLS session is established.


This leads me to the conclusion that you do not have Roundcube 
configured to use TLS and therefore postfix will not offer 
authentication to roundcube until you fix this.  There may be other 
issues as well which I cannot tell you until I see actual postfix logs 
and configuration as shown in the DEBUG_README file.


> The odd thing is, I don’t see any connection attempts at all in the mail
> logs. However, this log entry has me wondering. PHP Error: SMTP server
> does not support authentication

Postfix will always show connection attempts in the mail logs.  If it is
not then something is likely wrong with your syslog implementation.
There can sometimes be issues with journald dropping log messages before
they can get passed to rsyslog, assuming your system has such a setup
then have a look at journald.conf(5) specifically at the
RateLimitIntervalSec and RateLimitBurst configuration parameters to
journald which have some rather unfortunate defaults.


I should note that if you're not seeing *any* postfix entries in maillog 
then it's likely that there are other issues such as rsyslog not being 
installed or not running or journald not being configured to pass log 
entries through to rsyslog.


Also note that if you cannot or do not wish to get journald and rsyslog
properly configured then postfix can be configured to write directly to
its own log file rather than use the syslog facility, see:


http://www.postfix.org/postconf.5.html#maillog_file


> Should postfix be announcing that it accepts AUTH LOGIN?


Probably not since the LOGIN mech is a poor implementation that was only 
ever needed to support some very old outlook express email clients. 
Postfix should, however, be announcing "AUTH PLAIN" support, but only 
after a TLS session is established, not before (see above).


> If so, I may
> have missed something in the config. I’m wondering if roundcube is not
> even attempting auth because postfix isn’t announcing it as a service that
> it offers.


It's likely that roundcube is not configured for TLS and postfix is (as 
it should be) configured not to offer AUTH until TLS is established.



Peter
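
The reading of the quoted Roundcube log given in this message can be automated. The following is an added example, not part of the original message and not Roundcube or Postfix code: it extracts the EHLO keyword list from a Roundcube error log and classifies it. The function names and the second, post-TLS sample are constructed for illustration; the first sample reproduces lines quoted in the thread.

```python
import re

# Header of a Roundcube "SMTP Error" entry; the optional <id> is a session tag.
ENTRY_START = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:\s+(?:<\w+>\s+)?SMTP Error: (?P<msg>.*?): (?P<host>\S+)\s*$"
)
# Roundcube appends the SMTP reply code after the last keyword line.
CODE_MARK = re.compile(r"\s*\(Code: (?P<code>\d+)\)")

# Log lines as quoted in the thread (EHLO reply captured by Roundcube).
THREAD_LOG = """\
[16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication failure: mail.stovebolt.com
PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in /var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST /webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)
[16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does not support authentication (POST /webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)
"""

# Constructed sample: the same kind of entry if EHLO had been sent inside a
# TLS session on a service with SASL enabled (hypothetical host and path).
CONSTRUCTED_TLS_LOG = """\
[01-Jan-2030 00:00:00 +0000]:  SMTP Error: Example failure: mail.example.test
PIPELINING
SIZE 10240000
AUTH PLAIN
8BITMIME (Code: 250) in /path/to/rcube.php on line 1 (POST /?_action=send)
"""

ADVICE = {
    "auth-offered": "AUTH is advertised; a failure here concerns credentials "
                    "or mechanisms, not TLS.",
    "auth-withheld-until-tls": "EHLO was sent in plaintext: STARTTLS is offered "
                               "and AUTH is not, which is what smtpd_tls_auth_only=yes "
                               "produces. The client must complete STARTTLS first.",
    "no-auth-no-starttls": "Neither AUTH nor STARTTLS is advertised: either the "
                           "session is already encrypted and SASL is off for this "
                           "service, or the service offers neither.",
}


def extract_ehlo_responses(log_text):
    """Return one dict per 'SMTP Error' entry with its EHLO keywords."""
    responses, current = [], None
    for line in log_text.splitlines():
        start = ENTRY_START.match(line)
        if start:
            current = {"timestamp": start["ts"], "host": start["host"], "keywords": {}}
            continue
        if line.startswith("["):      # some other log entry: drop partial state
            current = None
            continue
        if current is None or not line.strip():
            continue
        end = CODE_MARK.search(line)
        text = line[:end.start()] if end else line
        word, _, params = text.strip().partition(" ")
        current["keywords"][word.upper()] = params.split()
        if end:                       # reply code marks the last keyword line
            responses.append(current)
            current = None
    return responses


def classify(keywords):
    """Classify one EHLO keyword set.

    A server must not advertise STARTTLS once TLS is active (RFC 3207), so
    seeing STARTTLS means the EHLO was answered in plaintext.
    """
    if any(k == "AUTH" or k.startswith("AUTH=") for k in keywords):
        return "auth-offered"
    if "STARTTLS" in keywords:
        return "auth-withheld-until-tls"
    return "no-auth-no-starttls"


def diagnose(log_text):
    """Return (timestamp, host, verdict) for every EHLO reply in the log."""
    return [(r["timestamp"], r["host"], classify(r["keywords"]))
            for r in extract_ehlo_responses(log_text)]


if __name__ == "__main__":
    for ts, host, verdict in diagnose(THREAD_LOG) + diagnose(CONSTRUCTED_TLS_LOG):
        print(f"{ts} {host}: {verdict}\n  {ADVICE[verdict]}")
```
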


[pfx] Troubleshooting roundcube connections to postfix

2024-06-16 Thread Paul Schmehl via Postfix-users
I’m seeing this error in the roundcube logs:

[16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication failure: 
mail.stovebolt.com
PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in /var/www/html/webmail/program/lib/Roundcube/rcube.php 
on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)
[16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does not 
support authentication (POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)
[16-Jun-2024 20:34:16 -0500]:  SMTP Error: Authentication failure: 
mail.stovebolt.com
PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in /var/www/html/webmail/program/lib/Roundcube/rcube.php 
on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)

The odd thing is, I don’t see any connection attempts at all in the mail logs. 
However, this log entry has me wondering. PHP Error: SMTP server does not 
support authentication

Should postfix be announcing that it accepts AUTH LOGIN? If so, I may have 
missed something in the config. I’m wondering if roundcube is not even attempting 
auth because postfix isn’t announcing it as a service that it offers.

Paul Schmehl
paul.schm...@gmail.com





[pfx] questions around the configuration

2024-06-16 Thread Jeff Peng via Postfix-users

Hello experts,

for my these settings,

smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

my questions include:

1. are "smtp_use_tls" and "smtp_tls_security_level" really needed?
2. shall "smtp_tls_session_cache_database" and 
"smtpd_tls_session_cache_database" use a explicit database? or can i 
just comment them out?


Thanks.


[pfx] Re: Do I have sals authentication properly configured?

2024-06-16 Thread Jeff Peng via Postfix-users





>> - Did the client connect to port 25 or 578?
>
> 578

isn't the port 587?

:)


[pfx] Re: Best practices?

2024-06-16 Thread Jeff Peng via Postfix-users





> # SMTPd SERVER TLS/SSL Settings
> tls_daemon_random_bytes = 64
> tls_random_bytes = 64
> smtpd_tls_cert_file = /etc/letsencrypt/live/email.broker/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/email.broker/privkey.pem
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> # SASL settings
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> # Moved to master.cf
> #smtpd_sasl_type = dovecot
> #smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = no



for ssl stuff. is it better to use the system defaults?
I am also the postmaster of tls-mail.com. I have a suggestion that, for 
your homepage, can you add the protocol of SRS and AUC?


regards.
Jeff




[pfx] Re: Do I have sals authentication properly configured?

2024-06-16 Thread Paul Schmehl via Postfix-users
> On Jun 16, 2024, at 5:02 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> Paul Schmehl via Postfix-users:
>> I’m trying to sort out a problem with Roundcube failing to send email with 
>> an error message that says SMTP Error(): authentication failed. In the 
>> roundcube error log I find this:
>> 
>> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
>> support authentication (POST 
>> /webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
>> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication failure: 
>> mail.stovebolt.com 
> 
> Look in Your logs.
> 
> - Did the client connect to port 25 or 578?
> 

578

> - Did the client send starttls? That is logged in the "disconnect
> from" line.
> 

I don’t see anything in the postfix logs (/var/log/maillog) from roundcube. I 
guess I need to enable debug.

> Do you have any "smtpd_tls_auth_only=yes" override in effect?

Yes.

> 
> For main.cf:
>postconf -n smtpd_tls_auth_only
> 
> For master.cf:
>postconf -P '*/*/smtpd_tls_auth_only'
> 
> If that is set to 'yes', Postfix will announce AUTH only after 
> the client sends STARTTLS.

Thank you.




[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 16, 2024 at 01:41:44PM -0400, John Levine via Postfix-users wrote:

> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?

If the allowed recipients are the same for all restricted senders, this
fits reasonably well within existing built-in Postfix access(5)
facilities.

> Can I do something like put check_recipient_access as the action in the 
> check_sender_access table?

As noted by others, http://www.postfix.org/RESTRICTION_CLASS_README.html
but only if there aren't too many distinct product sets of
sender+recipient policies.

Otherwise a custom policy service can consult a database keyed by sender
and recipient and barring a hit, just by sender to find a default
action.  http://www.postfix.org/SMTPD_POLICY_README.html

-- 
Viktor.
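
A small version of the policy service described in this message, as an added example (not code from the original message or from the Postfix project). It speaks the policy delegation protocol documented in SMTPD_POLICY_README over stdin/stdout and looks up sender+recipient first, then sender alone; the table contents, addresses and function names are constructed for illustration.

```python
import sys

# Constructed policy data (hypothetical addresses); keys are lower-cased.
# Exact (sender, recipient) pairs are consulted first. Allowed pairs return
# DUNNO rather than OK so that later restrictions (relay checks, milters)
# still apply to the message.
PAIR_ACTIONS = {
    ("joe_user@some.example", "foo@one.example"): "DUNNO",
    ("joe_user@some.example", "bar@two.example"): "DUNNO",
}
# Per-sender default action, used only when no pair matched.
SENDER_DEFAULTS = {
    "joe_user@some.example": "REJECT restricted sender: recipient not permitted",
}


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\r\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return an access(5)-style action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # The recipient attribute is only reliable in the RCPT state; in other
    # states stay neutral instead of guessing.
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    action = PAIR_ACTIONS.get((sender, recipient))
    if action is None:
        # No sender+recipient hit: fall back to the sender's default, and to
        # DUNNO for senders that are not restricted at all.
        action = SENDER_DEFAULTS.get(sender, "DUNNO")
    return action


def format_reply(action):
    """A reply is a single action attribute followed by an empty line."""
    return "action=%s\n\n" % action


def serve(stream_in, stream_out):
    """Answer requests until EOF; each request ends with an empty line."""
    pending = []
    for line in stream_in:
        if line.strip():
            pending.append(line)
            continue
        if pending:
            stream_out.write(format_reply(decide(parse_request(pending))))
            stream_out.flush()
        pending = []


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

In Postfix such a program is started through spawn(8) and referenced with check_policy_service, as SMTPD_POLICY_README describes.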


[pfx] Best practices?

2024-06-16 Thread Cody Millard via Postfix-users

Hi list.

I am a novice postmaster that started an email server last year.

There is nothing wrong that I can currently tell but I am the only user 
and there is only so much that I can test.


Here are my config files, I am curious to know what seasoned postmasters 
think.



MAIN.CF-

# General server settings
myhostname = EMAIL.BROKER
mydomain = EMAIL.BROKER
myorigin = EMAIL.BROKER
mydestination = localhost
mynetworks = 127.0.0.1
inet_interfaces = all
inet_protocols = ipv4
compatibility_level=3.6

# SMTPd SERVER Settings
smtpd_banner = EMAIL.BROKER ESMTP

# Error reporting
error_notice_recipient = postmaster@email.broker
notify_classes = bounce, delay, policy, protocol, resource, software

# SMTP CLIENT SETTINGS
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may

smtp_tls_loglevel = 1

# https://www.postfix.org/header_checks.5.html
# FILTERS WHILE DELIVERING MAIL
smtp_header_checks = regexp:/etc/postfix/outgoing_header_checks
smtp_mime_header_checks = regexp:/etc/postfix/outgoing_header_checks

# LMTP settings
lmtp_sasl_security_options= noanonymous

# SMTPd SERVER TLS/SSL Settings
tls_daemon_random_bytes = 64
tls_random_bytes = 64
smtpd_tls_cert_file = /etc/letsencrypt/live/email.broker/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/email.broker/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = >=TLSv1.2
# SASL settings
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# Moved to master.cf
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no

# http://www.postfix.org/postconf.5.html#smtpd_forbid_bare_newline
smtpd_forbid_bare_newline = yes

# COMMENTED OUT: Supposed to be handled by RSPAMD.
#rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map

# INCOMING connection restrictions
# Client restrictions
smtpd_client_auth_rate_limit = 1
smtpd_client_restrictions =
    reject_unauth_pipelining,
# Supposed to be handled by RSPAMD.
#    reject_rhsbl_sender .dbl.dq.spamhaus.net=127.0.1.[2..99],
#    reject_rhsbl_helo .dbl.dq.spamhaus.net=127.0.1.[2..99],
#    reject_rhsbl_reverse_client .dbl.dq.spamhaus.net=127.0.1.[2..99],
#    reject_rhsbl_sender .zrd.dq.spamhaus.net=127.0.2.[2..24],
#    reject_rhsbl_helo .zrd.dq.spamhaus.net=127.0.2.[2..24],
#    reject_rhsbl_reverse_client .zrd.dq.spamhaus.net=127.0.2.[2..24],
#    reject_rbl_client .zen.dq.spamhaus.net=127.0.0.[2..255]
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unauth_pipelining,
    check_reverse_client_hostname_access mysql:/etc/postfix/mysql-ptr_rejections.cf,
    check_client_access mysql:/etc/postfix/mysql-ptr_rejections.cf

# HELO restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    check_helo_access mysql:/etc/postfix/mysql-helo_access.cf

# DELAYS
# Limit errors allowed by clients before slowing down server responses.
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 5
smtpd_error_sleep_time = 10
#  Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating $sm>
smtpd_delay_reject = no
# Postpone the start of an SMTP mail transaction until a valid RCPT TO command is received.
smtpd_delay_open_until_valid_rcpt = no
# The maximal number of connection attempts any client is allowed to make to this service per time unit.
smtpd_client_connection_rate_limit = 10
# The maximal number of new (i.e., uncached) TLS sessions that a remote SMTP client is allowed to negotiate with this service per time unit.
smtpd_client_new_tls_session_rate_limit = 5

# Alias settings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +

# Virtual Mailbox settings
virtual_mailbox_base = /var/vmail/
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
    mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-email2email.cf,
    mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# RSPAMD Integration
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

# Increase the maximal number of error/delivery retries
maximal_queue_lifetime = 7d
bounce_queue_lifetime = 7d
maximal_backoff_time = 4h
minimal_backoff_time = 15m

# Leave enabled.

[pfx] Re: Do I have sals authentication properly configured?

2024-06-16 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> I’m trying to sort out a problem with Roundcube failing to send email with an 
> error message that says SMTP Error(): authentication failed. In the roundcube 
> error log I find this:
> 
> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
> support authentication (POST 
> /webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication failure: 
> mail.stovebolt.com 

Look in Your logs.

- Did the client connect to port 25 or 578?

- Did the client send starttls? That is logged in the "disconnect
from" line.

Do you have any "smtpd_tls_auth_only=yes" override in effect?

For main.cf:
postconf -n smtpd_tls_auth_only

For master.cf:
postconf -P '*/*/smtpd_tls_auth_only'

If that is set to 'yes', Postfix will announce AUTH only after 
the client sends STARTTLS. 

Wietse


[pfx] Do I have sals authentication properly configured?

2024-06-16 Thread Paul Schmehl via Postfix-users
I’m trying to sort out a problem with Roundcube failing to send email with an 
error message that says SMTP Error(): authentication failed. In the roundcube 
error log I find this:

[16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
support authentication (POST 
/webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
[16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication failure: 
mail.stovebolt.com 

I was pretty sure that I had authentication enabled and working on Postfix.

grep smtpd_sasl /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

To test this I used openssl s_client to connect to postfix. I typed EHLO, then 
typed AUTH LOGIN. I was prompted for a username (converted to base 64), which I 
entered, and then for a password, which I entered. I was then able to type 
commands as expected.

I also tested using an incorrect password, and the login was rejected. So, it 
appears to me that postfix is working correctly.

Paul Schmehl
paul.schm...@gmail.com





[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John Levine via Postfix-users:
> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?

Here is a non-intuitive solution, based on
https://www.postfix.org/RESTRICTION_CLASS_README.html

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders

    smtpd_restriction_classes = joe_user_acl
    joe_user_acl =
        check_recipient_access hash:/etc/postfix/joe_user_recipients, reject

/etc/postfix/restricted_senders:
    joe_user@some.example  joe_user_acl

/etc/postfix/joe_user_recipients:
    foo@one.example OK
    bar@two.example OK

But this is non-intuitive and gives me a headache.

If milter-regex or postfwd can handle your use case, then that would
be more intuitive.

Wietse


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Matus UHLAR - fantomas via Postfix-users

>It appears that Matus UHLAR - fantomas via Postfix-users said:
>>If one of recipients wants to accept mail from a sender while another
>>recipient doesn't, theoretically you can reject that sender at recipient
>>level, but that complicates configuration (but it's possible).
>>This would mean that for single mail to more recipients, sender gets
>>accepted and different recipients get refused.

On 16.06.24 13:41, John Levine via Postfix-users wrote:
>Turns out it's more complicated than I thought, they want a restricted
>sending address to be able to send only to particular recipients.
>Suggestions?
>
>Can I do something like put check_recipient_access as the action in the
>check_sender_access table?

you can use smtpd_restriction_classes to define class for each such sender
and disable recipients in those classes:

http://www.postfix.org/RESTRICTION_CLASS_README.html

However those lists should be maintained by you, so I would think twice
before providing users such service.

I advise doing this at spam filter level.

Other possibilities are using separate milters or policy filters that would
make this work - I don't know any


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread John Levine via Postfix-users
It appears that Matus UHLAR - fantomas via Postfix-users said:
>If one of recipients wants to accept mail from a sender while another 
>recipient doesn't, theoretically you can reject that sender at recipient 
>level, but that complicates configuration (but it's possible).
>This would mean that for single mail to more recipients, sender gets 
>accepted and different recipients get refused. 

Turns out it's more complicated than I thought, they want a restricted
sending address to be able to send only to particular recipients.
Suggestions?

Can I do something like put check_recipient_access as the action in the 
check_sender_access table?

R's,
John


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Noel Jones via Postfix-users

On 6/16/2024 9:06 AM, Wietse Venema via Postfix-users wrote:
> # Don't indent text between IF and ENDIF.
> IF /^MAIL FROM:/
> /^MAIL FROM:/ QUIT
> /^MAIL FROM:/ QUIT
> ...
> ENDIF




Seems like if this is talking to a real MTA this would be a 
connection amplifier. The sending MTA would see this as a non-fatal 
error and keep retrying until their queue expires, possibly hundreds 
of times over several days. In that case a regular old access table, 
maybe with smtpd_delay_reject=no, would be a better choice.




  -- Noel Jones


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users 
> wrote:
> > John R. Levine via Postfix-users:
> > > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > > I think postscreen can block them easily.
> > > 
> > > I'm looking at the postscreen man page and I don't see anything about 
> > > mail 
> > > addresses.  Am I missing something?
> > 
> > That is a bad suggestion, please ignore.
> > 
> > > I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> > > QUIT?
> > 
> > That would do the job. With regexp: or pcre: tables you may save
> > some CPU cycles with:
> > 
> > # Don't indent text between IF and ENDIF.
> > IF /^MAIL FROM:/
> > /^MAIL FROM:/ QUIT
> > /^MAIL FROM:/ QUIT
> > ...
> > ENDIF
> 
> What's wrong with simple literal access(5) checks on the envelope
> sender, one then also gets to log the rejected recipients assuming the
> default setting of "smtpd_delay_reject = yes".

True as a more general solution, but I don't think
that is required here.

> Regular expressions are much too fragile in the hands of most users.

I think that John has the competence to make that decision.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users wrote:
> John R. Levine via Postfix-users:
> > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > I think postscreen can block them easily.
> > 
> > I'm looking at the postscreen man page and I don't see anything about mail 
> > addresses.  Am I missing something?
> 
> That is a bad suggestion, please ignore.
> 
> > I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> > QUIT?
> 
> That would do the job. With regexp: or pcre: tables you may save
> some CPU cycles with:
> 
> # Don't indent text between IF and ENDIF.
> IF /^MAIL FROM:/
> /^MAIL FROM:/ QUIT
> /^MAIL FROM:/ QUIT
> ...
> ENDIF

What's wrong with simple literal access(5) checks on the envelope
sender, one then also gets to log the rejected recipients assuming the
default setting of "smtpd_delay_reject = yes".

Regular expressions are much too fragile in the hands of most users.

-- 
Viktor.


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users:
> On Sat, 15 Jun 2024, Jeff Peng wrote:
> > I think postscreen can block them easily.
> 
> I'm looking at the postscreen man page and I don't see anything about mail 
> addresses.  Am I missing something?

That is a bad suggestion, please ignore.

> I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> QUIT?

That would do the job. With regexp: or pcre: tables you may save
some CPU cycles with:

# Don't indent text between IF and ENDIF.
IF /^MAIL FROM:/
/^MAIL FROM:/ QUIT
/^MAIL FROM:/ QUIT
...
ENDIF

If the list is short, this 'optimization' won't be worthwhile.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Benny Pedersen via Postfix-users

John R. Levine via Postfix-users wrote on 2024-06-16 15:18:

> I'm looking at the postscreen man page and I don't see anything about
> mail addresses.  Am I missing something?

postscreen is not smtpd

> I do see smtpd_command_filter.  How about if I map MAIL FROM:
> to QUIT?


so this needs smtpd

milter-regex is your friend





[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread John R. Levine via Postfix-users

On Sat, 15 Jun 2024, Jeff Peng wrote:
> I think postscreen can block them easily.


I'm looking at the postscreen man page and I don't see anything about mail 
addresses.  Am I missing something?


I do see smtpd_command_filter.  How about if I map MAIL FROM: to QUIT?

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly