Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

Thanks for the response Victor...

On 4/18/2014 2:20 PM, Viktor Dukhovni wrote:

On Fri, Apr 18, 2014 at 02:06:20PM -0400, Charles Marcus wrote:


Ok, been wanting to do this for a while, and I after the Heartbleed fiasco,
the boss finally agreed to let me buy some real certs...

Until now, we've been using self-signed certs with the following postfix
settings:

smtpd_tls_cert_file = /etc/ssl/ourCerts/smtp_crt.pem
smtpd_tls_key_file = /etc/ssl/ourCerts/smtp_key.pem



You seem to know how to specify a private-key / public-key-certificate
chain pair...


Well... I did this a looong time ago, and probably stumbled badly...

I would say I am capable of following detailed instructions *usually* 
without making a mistake, but I also don't really understand this stuff...


I don't even know the difference between a .pem and .crt, and definitely 
don't have a clue when it comes to chaining certs or anything.


I'm trying to follow the instructions from RapidSSL, but they only 
specifically document installs for web servers, and I did find an old 
knowledgebase article about installing them for dovecot...


Here are their instructions in the email I got with my cert (obviously 
NOT included):


1. INSTALL CERTIFICATE:
Install the X.509 version of your certificate included at the end of this 
e-mail.
For installation instructions for your SSL Certificate, go to:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO16226

2. INTERMEDIATE CERTIFICATE ADVISORY:
You MUST install the RapidSSL intermediate Certificate on your server together 
with your Certificate or it may not operate correctly.

** MICROSOFT IIS and TOMCAT USERS
Microsoft and Tomcat users are advised to download a PKCS #7 formatted 
certificate from the GeoTrust User Portal:
https://products.geotrust.com/orders/orderinformation/authentication.do. PKCS 
#7 is the default format used by these vendors during installation and includes 
the intermediate CA certificate.

You can get your RapidSSL Intermediate Certificates at:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548

I've downloaded the 'Intermediate Bundle' at the above link, and that is what I 
named RapidSSL_Intermediate.crt and referenced for the smtpd_tls_CAfile.


Now, I've created new keys/certs and the CSR, got the new certs from
RapidSSL (and also downloaded their Intermediate bundle), but can't find any
docs for installing with postfix.

 http://www.postfix.org/TLS_README.html#server_cert_key


Thanks, but, honestly, that is all over my head...


I did find some random stuff on the internet (ugh), which is why I'm asking
for confirmation here...

smtpd_tls_cert_file = /etc/ssl/ourNewCerts/smtp.ourdomain.com.crt
smtpd_tls_key_file = /etc/ssl/ourNewCerts/smtp.ourdomain.com.key
smtpd_tls_CAfile = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt



No.  The correct approach is at:

 http://www.postfix.org/TLS_README.html#server_cert_key

 With legacy public CA trust verification, you can omit the root
 certificate from the "server.pem" certificate file. If the
 client trusts the root CA, it will already have a local copy
 of the root CA certificate. Omitting the root CA certificate
 reduces the size of the server TLS handshake.

% cat server_cert.pem intermediate_CA.pem > server.pem

linked from:

 http://www.postfix.org/TLS_README.html#server_tls

linked from the top set of topic links in:

 http://www.postfix.org/TLS_README.html


Thanks again, Victor, but again, that is all over my head.

--

Best regards,

Charles



Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

On 4/18/2014 3:06 PM, Viktor Dukhovni wrote:

On Fri, Apr 18, 2014 at 02:35:45PM -0400, Charles Marcus wrote:

No.  The correct approach is at:

 http://www.postfix.org/TLS_README.html#server_cert_key

 With legacy public CA trust verification, you can omit the root
 certificate from the "server.pem" certificate file. If the
 client trusts the root CA, it will already have a local copy
 of the root CA certificate. Omitting the root CA certificate
 reduces the size of the server TLS handshake.

% cat server_cert.pem intermediate_CA.pem > server.pem

Thanks again, Victor, but again, that is all over my head.

The "cat ... " command is too difficult?


No, not at all... I even recall doing that when I first added these 
years ago.


But I had found a guide, and it apparently was easier (or at least less 
confusing to me) when using self-signed certs...


Ok, if you are willing, could you check me?


X.509 certificates come in a few data formats:

 - Binary ASN.1 DER format containing a single certificate.
   Not directly usable by Postfix.

 - ASCII PEM format certificate which is the base64 encoding of the
   above DER form sandwiched between "-----BEGIN CERTIFICATE-----" and
   "-----END CERTIFICATE-----" lines.


Ok, the cert I got from RapidSSL was a single cert in the email body, 
sandwiched between -BEGIN- and -END- lines.


So, that is the 'ASCII PEM format' cert above, and all I need to do is 
rename it from .crt to .pem and change the config reference? Or do I 
even need to rename it?



 - PEM certificate chain file.  Multiple certificates between
   BEGIN...END lines.  This is what Postfix needs for the server
   certificate, with the leaf (server) certificate first, and
   each issuer directly following its subject certificate.


And this would be the 'Intermediate' cert that I downloaded (it does 
already have two certs between the BEGIN...END lines)?


Now, my question is, what do you mean by the 'server_crt' in the cat 
command above?


Would that be the .key file I generated when I generated my new key and 
CSR I used to order the RapidSSL certs?


Thanks very much Victor, I know this is pretty lame for someone who 
deals with  this stuff at your level...


--

Best regards,

Charles



Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-18 Thread Charles Marcus

On 4/18/2014 3:50 PM, Viktor Dukhovni wrote:

In the sample command, "server_cert.pem" is a plausible name for
a file that holds just the leaf server certificate.  While
"intermediate_CA.pem" is a plausible name for a file that holds one
or more intermediate CA issuer certificates (in the right order).

Once you've concatenated all the certs together into some file,
say "mychain.jpg", you should be able to run the rather non-obvious:

$ openssl crl2pkcs7 -nocrl -certfile mychain.jpg |
openssl pkcs7 -print_certs -noout

which outputs something like (here the certificate chain for www.google.com):

 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
 issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

 subject=/C=US/O=Google Inc/CN=Google Internet Authority G2
 issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

in which the first "subject" is the target server, and the second
"subject" is the "issuer" of the first "subject", the third "subject"
is the issuer of the second subject and so on.  The last issuer is
a "root CA", presumably trusted by the various submission clients
you want to support.  Above the last "subject" is different from
the last "issuer" so this chain does not include the actual root
CA, which is generally optional as explained in TLS_README.html.

If the chain file looks good, you can rename it to its production
name:

 # mv mychain.jpg /etc/postfix/smtpd-chain.pdf

also rename the new key file to its production name (making sure the
key is not world-readable, i.e. owner "root", mode 0400):

 # mv mykey.pem /etc/postfix/smtpd-key.doc

and configure Postfix to use these:

smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pdf
smtpd_tls_key_file = ${config_directory}/smtpd-key.doc

[ You'll probably pick less ridiculous file extensions, but they only
   enlighten or confuse the human user, the computer does not care. ]


Thanks very much Victor...

New certs installed and working well...

You're the man!



Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus

On 4/18/2014 5:14 PM, Viktor Dukhovni wrote:

Though many/most client implementations may not mind, the certificate
chain is not quite in the right order:

 $ posttls-finger -cC -Lsummary smtp.media-brokers.com:587 |
  openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
  openssl pkcs7 -print_certs -noout


Tried this command after fixing the cert per your recommendation, but it 
isn't on my system... I'm guessing it is still not part of the official 
release?


Would you mind a quick check of both our smtp. and mail. (I'm guessing 
that I would need to do the same thing for dovecot's cert too)?


Thanks again Victor, without the support on this list many of us 
wanna-be admins would be in way over our heads...


--

Best regards,

Charles



Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus

On 4/19/2014 6:32 AM, Charles Marcus wrote:
Thanks again Victor, without the support on this list many of us 
wanna-be admins would be in way over our heads...


One other question...

Would I be correct that the following error I'm now seeing since 
changing the certs could be caused by some people's clients configured 
to use an older hostname (imap.) we used to use a long time ago?


2014-04-19T06:39:25-04:00 myhost dovecot: imap-login: Disconnected (no 
auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: 
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: 
SSL alert number 42, rip=24.126.163.180, lport=143


I'm seeing this for only a few of our users, and only on the dovecot 
side (we've always used smtp. for postfix), and it is every 3 minutes 
(the default polling time for our imap accounts)...


Thanks again,

--

Best regards,

Charles



SOLVED - Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus

On 4/18/2014 6:52 PM, li...@rhsoft.net wrote:

cat whatever-filename.crt your-private.key intermediate-a.crt > your.pem

you are done, use that for *whatever* server-software (httpd, postfix, ATS, 
dovecot)
as key and or certificate file


Apparently not, if the certs you get are from RapidSSL...

I cat'd the two files together exactly as Victor described and for some 
reason (as Victor pointed out), the intermediate cert I got from 
rapidssl had the contents in the wrong order.


I had to manually swap the two keys in the intermediate cert before the 
cat command resulted in a correct chained cert.


Apparently their certs are generated specially for web servers? All I 
know is, in their order form, they specifically ask exactly what web 
server you are running, and what version of SSL, prior to generating the 
certs. There is no choice for smtp server, and they have no docs for 
installing their certs with postfix (and their docs for dovecot are wrong).


Anyway, this should be fixed up now, everything seems to be working well 
except for the few users who apparently are still talking to the old 
hostname (hoping Victor will confirm this when he has time), then I'll 
post a final SOLVED with what I had to do to get RapidSSL certs working 
with postfix (and dovecot).


--

Best regards,

Charles


Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-19 Thread Charles Marcus

On 4/19/2014 6:32 AM, Charles Marcus wrote:
Would you mind a quick check of both our smtp. and mail. (I'm guessing 
that I would need to do the same thing for dovecot's cert too)?


Hi Victor,

I hate to keep imposing on you, but since I don't have the postfinger 
tool, and have a hard time interpreting the results anyway (it was very 
hard to be sure which cert issued which in the results you posted), 
could you check our sogo. as well?


This one is being used on a different host by Apache, and I didn't try 
to fix it yet, thinking that maybe, since these certs are specifically 
generated for Apache, they are correct as is?


Thanks again, even if you don't have time...

--

Best regards,

Charles



Re: Changing SSL certificates - switching from self-signed to RapidSSL

2014-04-20 Thread Charles Marcus

Thanks for the detailed explanation Victor.

I really appreciate both your confirming my submission cert is now 
correctly configured, and for taking the time to 'teach me to fish' 
rather than just giving me one... ;)


I believe that if I study this reply, and maybe go back and re-read the 
postfix docs a few times afterwards, I may actually gain a reasonable if 
not rudimentary understanding of how these pieces fit together.


Hope you're having a great holiday weekend!

Charles

On 4/19/2014 12:36 PM, Viktor Dukhovni wrote:

On Sat, Apr 19, 2014 at 07:06:31AM -0400, Charles Marcus wrote:


I hate to keep imposing on you, but since I don't have the postfinger tool,

Your submission service configuration is now correct.  In each pair
of lines the "issuer" is the name of the certification authority
that signed the certificate and the "subject" is the certified name
of the owner of the public key in the certificate.

 subject=/serialNumber=7XqE1Qv/zhjR5gwi8OBh94adXjYVaaDs/OU=GT32586886/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.media-brokers.com
 issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA

 subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

In a well-formed chain (such as above), the subject in each pair
of lines after the first is the same as the issuer in the previous
pair of lines.

If you don't have posttls-finger, for the purpose of examining the
peer certificate chain you get functionally equivalent output from:

 (sleep 2; echo QUIT) |
 openssl s_client -starttls smtp -showcerts \
-connect smtp.media-brokers.com:587 2>/dev/null | ...

In other words:

 (sleep 2; echo QUIT) |
openssl s_client -starttls smtp -showcerts \
-connect smtp.media-brokers.com:587 2>/dev/null |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -print_certs -noout

The last two commands in the pipeline convert a sequence of PEM
certificates to PKCS#7 format for the sole purpose of printing the
subject and issuer of each one (without printing the actual
certificate content).  This PKCS#7 conversion is a work-around for
the absence of a multi-certificate input loop option in the x509(1)
sub-command of openssl(1), which currently will only print the
first certificate in the input file.

Note that since you have the complete chain in a file, you don't
have to connect to the server over the network with either
posttls-finger(1) or s_client(1).  Rather you can simply run:


 chainfile=/some/where/chain-filename.pem
 openssl crl2pkcs7 -nocrl -certfile "${chainfile}" |
openssl pkcs7 -print_certs -noout

Therefore, for any other software whose configuration supports
loading a PEM chain file (consult the documentation), you can verify
the correctness of the chain file locally.

For even more detail, you can append "-text" after the "-noout"
option, and see a fully decoded verbose output of each certificate
showing validity dates, and various X.509 extensions including any
"subject alternative names" you might expect in the leaf certificate
and subject and authority key identifiers that link the issuer and
subject more precisely than just the names in the concise output.




--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
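The chain-ordering problem this thread ran into, as an added example that is not code from the thread, from Postfix or from OpenSSL: it builds a throwaway root/intermediate/server hierarchy (all names, such as "Example Root CA" and smtp.example.com, are constructed), reproduces an intermediate bundle delivered in the wrong order, wraps Viktor's crl2pkcs7/pkcs7 check in a function, and rebuilds the chain leaf-first so the file can be verified locally before it goes into smtpd_tls_cert_file. It assumes POSIX sh, awk and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread, Postfix or OpenSSL). Every name and
# file below is constructed for the demo; the certs live one day.
set -eu

# One "subject|issuer" line per certificate, in file order: the same
# openssl pipeline as in the thread, made machine-readable with awk.
chain_pairs() {   # $1 = PEM chain file
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^ *subject=/ { sub(/^ *subject=/, ""); s = $0 }
         /^ *issuer=/  { sub(/^ *issuer=/, "");  print s "|" $0 }'
}

# A server chain is well-formed when each issuer directly follows the
# certificate it signed: issuer of cert N == subject of cert N+1.
check_chain_order() {   # $1 = PEM chain file; prints OK or BAD
    chain_pairs "$1" | awk -F'|' '
        NR > 1 && prev != $1 { bad = 1 }
        { prev = $2 }
        END { print (bad ? "BAD" : "OK") }'
}

name_field() {   # $1 = -subject | -issuer, $2 = single-cert PEM file
    openssl x509 -noout "$1" -in "$2" | sed 's/^[a-z]*=//'
}

split_pem() {   # stdin = PEM data; writes $1/cert-1.pem, $1/cert-2.pem, ...
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
}

# Rebuild a chain in the order Postfix expects from inputs in any order:
# start at the leaf (the one cert that issued no other cert in the set),
# then follow issuer -> subject links. A self-signed root is dropped, as
# TLS_README says it may be; a self-signed leaf is kept.
fix_chain_order() {   # $1 = output chain file; $2... = PEM inputs
    out=$1; shift
    tmp=$(mktemp -d)
    cat "$@" | split_pem "$tmp"
    for f in "$tmp"/cert-*.pem; do
        printf '%s|%s|%s\n' "$f" "$(name_field -subject "$f")" "$(name_field -issuer "$f")"
    done > "$tmp/index"
    leaf=$(awk -F'|' '
        { file[NR] = $1; subj[NR] = $2; iss[NR] = $3 }
        END { for (i = 1; i <= NR; i++) {
                  signs = 0
                  for (j = 1; j <= NR; j++) if (j != i && iss[j] == subj[i]) signs = 1
                  if (!signs) { print file[i]; exit } } }' "$tmp/index")
    cur=$leaf
    : > "$out"
    while [ -n "$cur" ]; do
        subj=$(name_field -subject "$cur")
        iss=$(name_field -issuer "$cur")
        if [ "$subj" = "$iss" ]; then
            [ "$cur" = "$leaf" ] && cat "$cur" >> "$out"
            break
        fi
        cat "$cur" >> "$out"
        cur=$(awk -F'|' -v want="$iss" '$2 == want { print $1; exit }' "$tmp/index")
    done
    rm -r "$tmp"
}

make_demo_pki() {   # $1 = working directory; constructed throwaway hierarchy
    ( cd "$1"
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
          -keyout root.key -out root.pem 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
          -keyout inter.key -out inter.csr 2>/dev/null
      openssl x509 -req -days 1 -in inter.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -out inter.pem 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp.example.com" \
          -keyout server.key -out server.csr 2>/dev/null
      openssl x509 -req -days 1 -in server.csr -CA inter.pem -CAkey inter.key \
          -CAcreateserial -out server_cert.pem 2>/dev/null
      # The CA's "intermediate bundle" as delivered: root first, then the
      # intermediate, which is the wrong way round for a server chain file.
      cat root.pem inter.pem > intermediate_bundle.pem
      # What "cat server_cert.pem intermediate_CA.pem > server.pem" then yields:
      cat server_cert.pem intermediate_bundle.pem > bad-chain.pem )
}

WORK=$(mktemp -d)
make_demo_pki "$WORK"
echo "bad-chain.pem:   $(check_chain_order "$WORK/bad-chain.pem")"
fix_chain_order "$WORK/smtpd-chain.pem" "$WORK/server_cert.pem" "$WORK/intermediate_bundle.pem"
echo "smtpd-chain.pem: $(check_chain_order "$WORK/smtpd-chain.pem")"
chain_pairs "$WORK/smtpd-chain.pem"
```

The same check_chain_order call works on any PEM chain file you are about to hand to smtpd_tls_cert_file (or to Dovecot or Apache), without connecting to the server.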



Re: Troubleshooting a delivery failure

2014-05-31 Thread Charles Marcus

On 5/30/2014 3:52 PM, Tony Nelson wrote:

And for completeness, the full bounce is at the end of this message.


Try again.

Your report won't be complete until you show the full logs for this 
event. The bounce notification, while not totally useless, is not necessary.



Best regards,

Charles


Re: How to block offering SASL auth to clients based on RBL

2014-06-10 Thread Charles Marcus

On 6/10/2014 1:24 PM, Kai Krakow wrote:
> And those silly autodetection of older MUAs sticks to port 25
> unencrypted.  So even new customers who redo
> their installations on their own silently go back to port 25.

So... why on earth are you allowing UNENCRYPTED AUTH at ALL, let alone 
on port 25?




Re: 'aliasing' one domain to another?

2014-07-31 Thread Charles Marcus

On 7/31/2014 5:59 AM, li...@sbt.net.au wrote:

I have Postfix 2.11.0 with virtual domains in mysql/postfixadmin, all
working well, as per setup below

user of the mydom.tld.au has also registered mydom.tld (to prevent
cybersquatting)

sometimes they make mistakes and attempt to send emails to
a_u...@mydom.tld RATHER THAN (correct email) a_u...@mydom.tld.au

what is correct way/correct terminology to 'alias' (?) mydom.tld to
mydom.tld.au ?


You have to have a 1-1 mapping for each valid user.

Postfixadmin (sql based administrative tool for managing email user 
accounts for postfix) supports domain aliases out of the box (does the 
1-1 user mapping with SQL magic)...





Re: 'aliasing' one domain to another?

2014-07-31 Thread Charles Marcus

On 7/31/2014 7:21 AM, li...@sbt.net.au wrote:

On Thu, July 31, 2014 8:55 pm, Charles Marcus wrote:


You have to have a 1-1 mapping for each valid user.


Postfixadmin (sql based administrative tool for managing email user
accounts for postfix) supports domain aliases out of the box (does the 1-1
user mapping with SQL magic)...

Charles,

thanks !

so I simply duplicate and point MX record at the mail host, and, jump to

https://mailhost/postfixadmin/create-alias-domain.php?target_domain=mydom.com

Mirror addresses of one of your domains to another.
Alias Domain:   The domain that mails come in for.
Target Domain:  The domain where mails should go

(I've used it in the past, wanted to make sure that's the 'correct' way to
go, thanks again)


I actually have never needed to use the feature (just aware that it is 
there), but yes, that looks correct to me...




Re: MTA Rejection Explanation Needed

2008-07-28 Thread Charles Marcus

On 7/28/2008 5:03 PM, Rich Shepard wrote:

Postfix is rejecting mail from an address that should be allowed in. The
mail log tells me:

Jul 28 13:11:58 salmo postfix/smtpd[17243]: NOQUEUE: reject: RCPT from
wsip-xx-xxx-xx-xx.ph.ph.cox.net[xx.xxx.xx.xxx]: 450 4.1.7
<[EMAIL PROTECTED]>: Sender address rejected: unverified
address: Address verification in progress;
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
proto=ESMTP helo=

The IP address for cox.net is correct.


It said SENDER address rejected... cox.net was the CLIENT address. The 
SENDER was <[EMAIL PROTECTED]>


Post output of postconf -n

Are you doing SAV (Sender Address Verification)? You should NOT use SAV 
for general mail reception, you should only do SAV probes for sending 
domains you control and/or have gotten explicit permission to do SAV for.



I've added the 'someserver'.com and hotmail addresses to
/etc/postfix/rhsbl_sender_exceptions with an explicit 'OK'.

Which address of the three is unverified, and how do I fix this
problem?


Disable SAV... you will never be able to receive mail from the big 
vendors (gmail, hotmail, yahoo) if you are doing SAV probes all the time...


So

--

Best regards,

Charles


Re: Email delays

2008-08-01 Thread Charles Marcus

On 8/1/2008, Tait Grove ([EMAIL PROTECTED]) wrote:
Make sure your system does not accept 
mail to undeliverable or invalid recipients.



How can I ensure that?


You could start by reading the answers you are getting and complying...

You apparently missed this:

> For definite answers rather than guesses, please provide more
> information; postconf -n, qshape, mailq, log entries of
> delayed deliveries, etc.
> http://www.postfix.org/DEBUG_README.html#mail

It does actually require you to read, AND comply with the instructions 
there... so far you have not...


--

Best regards,

Charles


Re: Problem sending to email, getting sender verify failed

2008-08-04 Thread Charles Marcus

On 8/4/2008, fajar ([EMAIL PROTECTED]) wrote:

The following message to <[EMAIL PROTECTED]> was undeliverable.

The reason for the problem:

5.4.7 - Delivery expired (message too old) [Default] 451-'Sender verify
failed'


Why are you using sender verification? You should NOT use SAV for all 
messages, only for messages destined to domains that you control or have 
already gotten permission to do SAV for, or you WILL eventually get 
blacklisted.


Please post postconf -n output...

--

Best regards,

Charles


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Charles Marcus

Let me give this one a try... I *think* I see the problem...

On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote:

Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
unavailable; Client host [86.68.96.225] blocked using
zen.spamhaus.org;


THAT was the client...

 http://www.spamhaus.org/query/bl?ip=86.68.96.225;

from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
proto=ESMTP helo=


THAT was the helo...

So, you're trying to whitelist a client using its helo...

Either use a helo access check, or use the right client, but only if you 
are sure the client won't change (it is, after all, on a dynamic block)...


--

Best regards,

Charles


Re: vacation problem

2008-08-04 Thread Charles Marcus

On 8/4/2008 11:00 AM, oxy wrote:

i am using postfixadmin with virtual vacation script and i have a
little problem here.. after set up virtual vacation as postfixadmin
describes i have actually two kind of problems, first:

when i set virtual vacation the mailbox sends back one 'i am on 
vacation' mail, but NOT storing the received mail... i see 
"[EMAIL PROTECTED]" in the mysql alias table


the other what can happen is the following: after setting 'i am on 
vacation' the mailbox sends back two copies of 'i am on vacation' and

storing the received mail as it should.. when it works like this i
see "[EMAIL PROTECTED], [EMAIL PROTECTED]" in the
mysql alias table

my goal is the following: store one copy of received mail in the
mailbox and send back one 'i am on vacation' mail please help, it
turns me crazy :)


This is a postfixadmin issue... you'd probably have better luck asking 
there...


But... are you saying that for some people it works, and for others, it 
doesn't?


--

Best regards,

Charles


Re: Problem sending to email, getting sender verify failed

2008-08-05 Thread Charles Marcus

On 8/4/2008 9:10 PM, fajar wrote:

Why are you using sender verification? You should NOT use SAV for all
messages, only for messages destined to domains that you control or have
already gotten permission to do SAV for, or you WILL eventually get
blacklisted.

Please post postconf -n output...



This response wasn't generated by our postfix server, but, by remote
destination mail server, and I believe it is Exim mail server. Our postfix
mail server is working fine. It can send to other mail server without
problem. Thanks.


Sorry... I thought that was from your logs...

Obviously, then, THEY are trying to perform sender verification on you 
AFTER they have already accepted your message for delivery - which means 
they are engaging in backscatter.


Still no postconf -n output - how do you expect anyone to help?

--

Best regards,

Charles


Simple transport change

2008-08-08 Thread Charles Marcus

Hi,

I know this is simple, but I never had to do it, so wanna check myself...

For outbound mail, do transport entries supersede the relayhost 
parameter in main.cf?


The reason I ask is, currently, I relay all outbound mail through our 
outsourced anti-spam service (smtp.example1.com).


We are having a problem sending to one domain, and until we get this 
resolved, I want to relay just mail destined for that one domain through 
our ISP (example2.com) - the rest should still go through our current 
relay, smtp.example1.com.


Currently, in main.cf I simply have:

relayhost = [smtp.example1.com]

I think all I need to do is add a single entry to my transport file, as:

problem-destination.com   relay:[smtp.example2.com]

Is this correct?

Or should I comment out the relayhost parameter altogether, and add two 
entries to my transport table, as:


problem-destination.com   relay:[smtp.example2.com]
* relay:[smtp.example1.com]

?

Tia...

--

Best regards,

Charles


Re: Simple transport change

2008-08-08 Thread Charles Marcus

On 8/8/2008 2:15 PM, Ralf Hildebrandt wrote:
The reason I ask is, currently, I relay all outbound mail through our  
outsourced anti-spam service (smtp.example1.com).



Why? Are you afraid you're sending spam?


Nope, just another layer of security - they provide the service as part 
of the standard account, so I'm using it.


--

Best regards,

Charles


Re: Simple transport change

2008-08-08 Thread Charles Marcus

On 8/8/2008, Noel Jones ([EMAIL PROTECTED]) wrote:

It looks as if you already consulted the documentation and just want
to confirm your interpretation of it.  That's good, but say so next
time or you'll just be pointed back to the docs.


Heh... yeah, should have said so... but thanks for reading between the 
lines and for the confirmation... works great...


And thanks to Brian for pointing me to the correct docs (which would 
have provided the answer otherwise)...


--

Best regards,

Charles


Re: Block postmaster and mailer-daemon messages

2008-08-11 Thread Charles Marcus

On 8/11/2008 6:38 AM, junior.listas wrote:

Hi all,
I have a user that receives a lot of spam mail coming from postmaster 
and mailer-daemon, but they did not send these emails for these errors, 
how can I block/redirect this kind of email to another account??


http://www.postfix.org/BACKSCATTER_README.html

But no need to redirect it, just block it...

--

Best regards,

Charles


Re: Block postmaster and mailer-daemon messages

2008-08-11 Thread Charles Marcus

On 8/11/2008, Charles Marcus ([EMAIL PROTECTED]) wrote:
But no need to redirect it, just block it... 


That should have read 'reject', not block...


--

Best regards,

Charles


Re: mail aliases & spam

2008-08-14 Thread Charles Marcus
On 8/14/2008 11:54 AM, John Heim wrote:
> Get it? Somebody tries to spam [EMAIL PROTECTED] and user12 has his
> mail forwarded to his gmail account. Gmail detects the spam, rejects the
> message and my mta then generates a bounce back to the original forged
> from address.
> 
> I don't see anything in the backscatter howto about this. I believe my
> machine is properly configured to not generate normal (for lack of a
> better term) backscatter. I mean, it doesn't bounce incoming spam. But
> this is almost like spam coming from inside my own system.

This is one of the problems with auto-forwarders and auto-responders.

It looks to me like the main problem is why so much actual spam is
getting through to your users - what anti-spam measures do you take?

-- 

Best regards,

Charles


Re: mail aliases & spam

2008-08-14 Thread Charles Marcus
On 8/14/2008, John Heim ([EMAIL PROTECTED]) wrote:
> Exactly! Except that the reason our anti-spam measures are
> ineffective is that the addresses are aliased.

?? What difference does an alias make? Either a recipient is valid or not...

> We have 2 MTAs running postfix with pre-queue spam filters and then a
> delivery machine running postfix, spamassassin, & dovecot. The
> pre-queue spam filter gets about 50% of incoming spam. Of course,
> that means that about 50% gets through.

That's ridiculous... ;)

A properly configured postfix ALL BY ITSELF should stop 90+% with
virtually ZERO false positives...

Fix your system... and asking questions here (posting postconf -n
output) is a good starting place... :)

-- 

Best regards,

Charles


Re: How Can I Tell How Postfix Was Installed?

2008-08-20 Thread Charles Marcus
On 8/20/2008, Blake Carver ([EMAIL PROTECTED]) wrote:
> So a few other details I've grabbed didn't provide yesterday-
> These numbers don't seem to add up.
>  My big question is how do I get this system upgraded without breaking it?
> 
> postconf -d | grep mail_version
> mail_version = 2.4.5
> 
> and also
> 
> rpm -qa | grep postfix
> postfix-2.3.3-2.el5.centos.mysql_pgsql
> postfix-pflogsumm-2.3.3-2

I've seen your messages here and on the dovecot list...

although it should be possible to get these two sorted, personally, I
wouldn't trust the system, I'd do a full reinstall from scratch (on a
new box, obviously)...

-- 

Best regards,

Charles


Re: Why is this hostname failing?

2008-08-20 Thread Charles Marcus
On 8/20/2008, John Baker ([EMAIL PROTECTED]) wrote:
> bmmail.cwf.org returns a valid result from a dns check. What am I
> missing here?

This: helo=

helo hostnames should be FQDN's...

-- 

Best regards,

Charles


Re: smtp_recipient_restrictions not applied to local email

2008-08-25 Thread Charles Marcus
On 8/25/2008, Aaron D. Bennett ([EMAIL PROTECTED]) wrote:
> html_directory = /usr/share/doc/postfix-2.1.4-documentation/html
> readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES
> sample_directory = /usr/share/doc/postfix-2.0.16/samples

So what version is this?

2.0.16? 2.1.4? Something else?

If either of those, you really should upgrade...

-- 

Best regards,

Charles


Re: smtp_recipient_restrictions not applied to local email

2008-08-25 Thread Charles Marcus
On 8/25/2008 11:48 AM, Aaron Bennett wrote:
>> So what version is this?
>>
>> 2.0.16? 2.1.4? Something else?
>>
>> If either of those, you really should upgrade...

> no it's 2.3.2, those config statements are just cruft from a few upgrades.

Still old and worth upgrading...

-- 

Best regards,

Charles


Re: [OT] Using [EMAIL PROTECTED] [was: best way for website sending emails]

2008-08-26 Thread Charles Marcus
On 8/26/2008, Robert Schetterer ([EMAIL PROTECTED]) wrote:
> as far i know
> blacklist reputation
> is only related to
> answering hostmaster@
> postmaster@
> abuse@
> webmaster@
> by rfc 

My understanding is the RFC only requires postmaster and abuse to be
valid, NOT webmaster - and I've NEVER used hostmaster for anything...

-- 

Best regards,

Charles


Re: smtpd client restrictions.

2008-09-01 Thread Charles Marcus
On 9/1/2008 12:15 PM, Erik Paulsen Skaalerud wrote:
> I have a postfix-pop3/imap4 server at our office who gets incoming
> smtp mail from either 2 fixed IP adresses (antispam-company), from my
> local network or from clients authenticated via SASL.
> Is it possible to restrict smtp access so that unknown smtp clients
> gets refused? I only want the hosts/networks mentioned above to be
> able to use the smtpd!

Just use the following in smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_client_access cidr:/etc/postfix/allowed_clients.cidr,

where allowed_clients.cidr contains the netblocks of your outsourced
anti-spam service (we use webroot):

*** allowed_clients.cidr 

# webroot netblocks
###.##.###.0/28   dunno
###.###.##.0/26   dunno
###.###.###.0/23  dunno

# reject all clients not matching anything above, and be sure
# there is no final reject under recipient_restrictions
#
0.0.0.0/0 reject unauthorized client, please use our MX

*** allowed_clients.cidr 

We use additional checks to provide custom rejects for x-employees, and
for blocking specific senders (rarely use it, but the boss has asked me
to do it occasionally), so use 'dunno' in the webroot netblocks above.
If you don't need any additional checks, you could use OK instead of dunno.

-- 

Best regards,

Charles


Re: First Time Configuration assistance

2008-09-05 Thread Charles Marcus
On 9/5/2008, Paul Cocker ([EMAIL PROTECTED]) wrote:
> I'm setting up a postfix 2.3.3 mail server

Why use something so old if you're setting up a new server?

-- 

Best regards,

Charles


Re: SV: How to handle bounced messages?

2008-09-05 Thread Charles Marcus
On 9/5/2008 12:46 PM, Joakim Ohlsson wrote:
>>> This is first time I use this mailing-list, so please let me know if I do
>>> anything wrong.
>>>
>>> My problem is that I want to send bounced messages to an different mail
>>> address than the mail-address in the MAIL FROM: field.

>> This is by definition (i.e. RFC 821 and RFC 2821) the address
>> where delivery status notifications are sent.
>> 
>> Perhaps you can describe the problem you are trying to solve,
>> instead of describing your solution (modify bounce delivery).

> Thank you for your respons!
> 
> My problem is that I want to receive bounced messages to a different
> mail-address than the address in MAIL FROM: field.

Ahem... that is not a definition of a PROBLEM. That is simply an
expression of a DESIRE.

WHY do you want to do this... in other words, what is it that you think
you will accomplish by doing this?

-- 

Best regards,

Charles


Re: Proposing postfix to mgmt as an Exchange replacement

2008-09-10 Thread Charles Marcus
On 9/9/2008, Adam Tauno Williams ([EMAIL PROTECTED]) wrote:
> Yes, Thunderbird works with roaming profiles;  albeit rather badly.
> Thunderbird has no auto-configuration mechanism so every user's
> account(s) need to be setup manually and it is prone to making HUGE
> cache files if not setup carefully.

So set it up correctly... ;)

I always set the local imap mail store to the Local Settings folder so
it doesn't get copied with the roaming profile. Worst case scenario is
their pc dies and they have to re-download all of the message headers
the first time they access their mail again. No biggie.

I also use www.scheduleworld.com to keep tbird contacts/calendar in sync
across multiple machines (home/work) and phones... works very well, and
there is an OTA client for almost all phones.

> All-in-all it is a rather lousy IMAP client compared to others.

In my opinion, Outlook is a MUCH worse IMAP client than Thunderbird. We've
been using Thunderbird exclusively on 60+ machines for years, *with*
roaming profiles, with nary a hiccup.

I keep copies of Outlook (2003) and Outlook Express because I do support
these for people who want to use them from home, and frankly, these are
the only clients I ever get complaints about, and if the user takes me
up on my standard 'why don't you try Thunderbird' response, they always
are happy they did.

I have heard that Outlook 2007 has improved IMAP support (*finally* has
direct support for saving Sent messages to the IMAP server), but have no
experience with it.

Thunderbird ain't perfect, but it is an EXCELLENT IMAP client.

> Why not just stick with Outlook? You're likely to have a much easier
> time with the users if they are used to Outlook (and you already paid
> for it anyway).

You are correct that one drawback is there is no way to config TBird
using Active Directory Group Policies... I'd dearly love to see support
for this someday for both TBird and Firefox - and a proper signature
manager too.

As for IMAP servers, I much prefer dovecot to Cyrus - MUCH easier to
setup, and better performance too imho... Cyrus has more features - FOR
NOW (dovecot is catching up very fast, and will probably surpass it
within a year or two), but is 'not fun' to install/configure/support for
anyone new to it.

I totally agree with the rest of the comments though. We don't use
Exchange here because the boss refused to pay for Server/Exchange/Office
many years ago (back in 2000), and told me to 'find an alternative' (to
the $40,000 it would have cost for licenses for everything for 50+
users). That was my forced introduction to the world of free software.

If I were the OP, and assuming he already has Exchange (and the Exchange
CALs) and Office, I'd stick with what he has (the licenses for just
Server and CALs won't be too bad).

On the other hand - if he is using pirated software, and it might cost
$20k+ to get legal, then using postfix+dovecot+thunderbird/lightning, or
even one of the groupware alternatives, might be worth considering.

-- 

Best regards,

Charles


Re: ASSP - POSTFIX - pop-before-smtp

2008-09-18 Thread Charles Marcus
On 9/18/2008, Marcel Grandemange ([EMAIL PROTECTED]) wrote:
> I have pop-before-smtp running for relaying from outside.

This is extremely unwise.

Use smtp auth instead. popb4smtp is very insecure, and will most likely
result in your server becoming compromised - it's not a matter of if, but
when.

-- 

Best regards,

Charles


Re: Big Distribution List

2008-09-22 Thread Charles Marcus
On 9/22/2008, Victor Duchovni ([EMAIL PROTECTED]) wrote:
> By default Postfix truncates virtual(5) expansion at 1000 recipients.
> For lists this large you MUST not use virtual(5), rather use a ":include:"
> valued local alias, AND set an "owner-list" alias to make sure that
> bounces are NOT sent to the sender.

Or better, use a real mail list server like mailman...

-- 

Best regards,

Charles


Re: Mail server in loopback network (fairly common?)

2008-09-26 Thread Charles Marcus
On 9/26/2008, Henrik K ([EMAIL PROTECTED]) wrote:
> Ok that's true. But it still doesn't make it right to have a non-working
> envelope sender.

What is 'right' and what is reality are often very different things.

-- 

Best regards,

Charles


Re: Postfix 2.3.2 ignores return codes on send?

2008-09-26 Thread Charles Marcus
On 9/26/2008, Michael Monnerie ([EMAIL PROTECTED]) wrote:
> Could/Should the behaviour of postfix be changed to just send that 
> warning every 15 or 30 minutes, not per message? That would be better 
> for everybody I think, as it doesn't help to get 50 or 5000 messages 
> that your disk is almost full.

If 5000 messages fills up your disk, then you need to add storage -
unless each message has a 10+ MB attachment...

-- 

Best regards,

Charles


Re: Postfix 2.3.2 ignores return codes on send?

2008-09-26 Thread Charles Marcus
On 9/26/2008 7:56 AM, PauAmma wrote:
>>> Could/Should the behaviour of postfix be changed to just send that
>>> warning every 15 or 30 minutes, not per message? That would be better
>>> for everybody I think, as it doesn't help to get 50 or 5000 messages
>>> that your disk is almost full.

>> If 5000 messages fills up your disk, then you need to add storage -
>> unless each message has a 10+ MB attachment...

> I think the OP means "50 or 5000 messages that your disk is almost full
> (if you can't free up space quickly enough after whatever causes the
> shortage)".

Erm... need ... coffee...

-- 

Best regards,

Charles


Re: New Postfix install

2008-10-02 Thread Charles Marcus
On 10/1/2008, Ujjval K ([EMAIL PROTECTED]) wrote:
> The geniuses at Comcast (my ISP; no, I don't have any choice) have
> suddenly decided that I am a source of spam and hence require me to
> send e-mail to port 587 instead of port 25.

Or maybe you should consider whether you ARE a source of spam.

Are you an open relay?

Since you have so far refused to follow the instructions provided in the
welcome message you received when joining this list, it is impossible to
say.

Please at least provide output of postconf -n

-- 

Best regards,

Charles


Retry - temp fail ndr?

2008-10-06 Thread Charles Marcus
Hello,

I probably am using bad terminology, but...

I have set the delay_warning_time to 15m on my system (boss demanded
it), and now the boss wants more than just the one notification...

Is there any way to configure postfix to send more than just the
one/first 'problem' notification to the sender as configured by
delay_warning_time?

Thanks,

-- 

Best regards,

Charles


Re: Retry - temp fail ndr?

2008-10-06 Thread Charles Marcus
On 10/6/2008 12:40 PM, Wietse Venema wrote:
>> I probably am using bad terminology, but...
>>
>> I have set the delay_warning_time to 15m on my system (boss demanded
>> it), and now the boss wants more than just the one notification...

> This is not implemented.

Bummer...

> However, Postfix 2.3+ can send a positive delivery status notification
> on request. This is requested via the user agent.

It looks like TBird doesn't support this, so I guess the answer is to
tell him no, and if whatever it is is important, and he gets the
warning, to follow the message up with a phone call (he should be doing
that anyway for anything mission critical, but getting some people to
understand that email is not a 100% reliable communication medium is
sometimes difficult).

Thanks for the response...

-- 

Best regards,

Charles


Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
Hello,

I've been tasked with adding a few more domains for handling mail. This
server has been running flawlessly for about 5 years (and survived many
updates), but this will be my first implementation of virtual hosting,
so before I actually start changing config settings, I thought I'd ask
for clarification. I've read the virtual config docs, and I think I
understand most everything (hopefully I won't find out otherwise) except...

Currently, I simply have our one domain referenced in mydomain, and have
the hostname set accordingly (see postconf -n below), and am not using
virtual_mailbox_domains.

Does simply adding the additional domain example2.com in
virtual_mailbox_domains allow me to use the additional hostname
smtp.example2.com (in client configurations) for sending mail, assuming
example2.com is listed in virtual_mailbox_domains and have appropriate
DNS & MX records for the additional domain(s) pointed to the appropriate IP?

Tia...

**

myhost ~ # postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_size_limit = 1
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 15m
home_mailbox = .maildir/
message_size_limit = 5120
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 127.0.0.0/8
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_domains =
relayhost = [mail.example3.com]
smtp_fallback_relay = [smtp.example4.net]
smtpd_hard_error_limit = 3
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,  reject_unauth_destination,
check_client_access cidr:/etc/postfix/allowed_clients.cidr,
check_recipient_access hash:/etc/postfix/x-employees,
check_sender_access hash:/etc/postfix/blocked_senders
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/wildcard.crt
smtpd_tls_key_file = /etc/ssl/wildcard.key
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = mysql:/etc/postfix/mysql_vam.cf,
hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/virtual/mail
virtual_mailbox_limit = 5120
virtual_mailbox_maps = mysql:/etc/postfix/mysql_vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
myhost ~ #


Re: Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
On 10/6/2008 2:29 PM, mouss wrote:
>> Currently, I simply have our one domain referenced in mydomain, and
>> have the hostname set accordingly (see postconf -n below), and am
>> not using virtual_mailbox_domains.

> currently, you have domains in mydestination even if you didn't specify
> that. you can test with
> $ postconf mydestination
> mydestination = $myhostname, localhost.$mydomain, localhost

Ok, but only one (virtual) domain I'm concerned with

> This means that the listed domains are "local" domains (they are
> delivered to unix accounts).

And the only real accounts I care about are aliased to my virtual admin
account...

>> Does simply adding the additional domain example2.com in 
>> virtual_mailbox_domains allow me to use the additional hostname 
>> smtp.example2.com (in client configurations) for sending mail,
>> assuming example2.com is listed in virtual_mailbox_domains and have
>> appropriate DNS & MX records for the additional domain(s) pointed
>> to the appropriate IP?

> receiving mail has nothing to do with sending mail.

I know... that's why I was asking about how virtual hosting works with
respect to SENDING mail via CLIENTS (MUAs).

I'm going to be writing up instructions for users who will be using
these new domains how to set up their mail clients (Thunderbird mainly,
but I also include instructions for the Microsoft clients)... so I
wanted to confirm that I can use the hosts 'smtp.example1.com' and
'smtp.example2.com' for their SMTP (outbound) server setting in their
clients.

> when you send mail, the hostname is used as the HELO (EHLO) argument.

I'm not talking about HELO commands issued between MTAs... I'm talking
about hostnames used by MUAs for SENDING mail...

> This identifies the _server_ that sends mail. It has nothing to do with
> the domains you host.

Well... it does, if I want users getting mail at example1.com to be able
to reference smtp.example1.com in their client settings.

It will be awkward to tell a user to put smtp.fred.com for their
outbound server setting, if their email address is [EMAIL PROTECTED], don't
you think?

> you can set the virtual transport to dovecot (which is what you use
> if my two neurons are still working),

Not for this client... still trying to get them to let me switch them to
dovecot.

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
On 10/6/2008, Brian Evans - Postfix List ([EMAIL PROTECTED]) wrote:
>> I'm going to be writing up instructions for users who will be using
>> these new domains how to set up their mail clients (Thunderbird mainly,
>> but I also include instructions for the Microsoft clients)... so I
>> wanted to confirm that I can use the hosts 'smtp.example1.com' and
>> 'smtp.example2.com' for their SMTP (outbound) server setting in their
>> clients.

> This depends if you permit_mynetworks and permit_sasl_authenticated
> before any reject actions.

According to the postconf -n output I included, yes I do...

>> It will be awkward to tell a user to put smtp.fred.com for their
>> outbound server setting, if their email address is [EMAIL PROTECTED], don't
>> you think?

> Think hosted domain.  Server can only have one name, but serves several. 
> MXs that check only care if the sending domain matches in DNS as being
> responsible, preferably an A or MX record.
> 
> Will bogus mails get rejected at the source? Maybe, though some
> postmasters care not, some actually do check.

I was just wanting some clarification - I know the answer has to be yes
(look at how many shared hosting solutions are out there) - so why is it
not possible to just get a yes or no answer?

Can I set up DNS (and MX records) for several different domains to point
to the same postfix instance/host/IP address and reference that same
postfix instance/host/IP by different DNS host names (smtp.example1.com,
smtp.example2.com, etc), and have everything just work?

I'm guessing, 'Of COURSE, dummy!' is the right answer?

I guess the question is just too simplistic and basic, so my apologies...

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-06 Thread Charles Marcus
On 10/6/2008, Jorey Bump ([EMAIL PROTECTED]) wrote:
> If the name resolves, they'll connect to your server. However, if you're
> going to offer STARTTLS, you have a problem. How are you going to
> support all of these different domains in a single certificate?
> Currently, you can't, so you'll need to pick a name (mail.example.com)
> for your SMTP/IMAP/POP3 server and stick with it. Otherwise, you'll need
> to use a more complicated approach, such as multiple instances each with
> their own certificate.
> 
> Users can't infer the server settings from an email address, so you'll
> have to explicitly provide it, anyway. The problems caused by the wrong
> certificate are likely to create more support calls.

Ok, thanks, that was my next speed bump.

I use self-signed certs, and since my instructions already explain in
detail about the 'warning' (man, I really hate how Firefox 3 reacts to
self-signed certs now), I was hoping that it wouldn't matter that the
domain name didn't match, that TBird would react the same way (warning
me, but letting me accept the cert anyway).

If it won't, you're right, I'll have to just make do with a single
server name (no problem really, but I'd prefer to use domain specific
ones if possible)... so let's go see...

Cool, it works... :) guess there's no better answer available that just
trying it out won't give...

Now all that's left is to try it from outside the network, and I have to
wait for the MX records to get set up (using outsourced anti-spam
provider for incoming mail)...

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-07 Thread Charles Marcus
On 10/7/2008, Wietse Venema ([EMAIL PROTECTED]) wrote:
>> But the virtual how-to says the opposite... "never list a
>> virtual_mailbox_domain in mydestination"...

> If you list smtp.example.com as a virtual domain, then do not list
> it in mydestination.

Ok... more confusion...

1. 'smtp.example.com' is not a 'domain', it is a host name.

2. My system has been setup forever with the following:

mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = smtp.example.com

(as per previously supplied postconf -n output)

but, example.com (the domain, not the hostname) is also listed in
virtual_mailbox_domains via the mysql lookup...

Is this OK/normal? I'm thinking yes, because:

'smtp.example.com' != 'example.com'

and the host/system has to have one (and only one?) FQDN?

Thanks, and I appreciate your patience in helping me to understand the
ramifications of adding virtual domains to my production system.

-- 

Best regards,

Charles


Re: Default 'delay_warning_time'

2008-10-07 Thread Charles Marcus
On 10/7/2008 9:26 AM, Ralf Hildebrandt wrote:
>> Does the default:
>>
>> delay_warning_time = 0h
>>
>> really mean that the sender would get the warning immediately if the
>> message wasn't able to be delivered immediately?

> Please read the docs carefully:
> 
> To enable this feature, specify a non-zero time value (an integral
> value plus an optional one-letter suffix that specifies the time unit). 
> Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
> The default time unit is h (hours).
> 
> Meaning: It's disabled.

I'm really getting tired of getting hit in the head by cluesticks...

Thanks Ralf...

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-07 Thread Charles Marcus
On 10/6/2008 7:18 PM, Wietse Venema wrote:
>> Can I set up DNS (and MX records) for several different domains to
>> point to the same postfix instance/host/IP address and reference
>> that same postfix instance/host/IP by different DNS host names
>> (smtp.example1.com, smtp.example2.com, etc), and have everything
>> just work?

> Not unless you also list smtp.example1.com in $mydestination,
> otherwise mail will loop.

?!

But the virtual how-to says the opposite... "never list a
virtual_mailbox_domain in mydestination"...

Obviously I'm missing something totally obvious to everyone else...

:(

> You could also keep it simple and list the real hostname in the MX
> records.

Hmmm... ok, and even if I do that, I can still tell user to configure
their clients with smtp.example1.com as their outbound server?

If the answer is yes, this is starting to make sense...

-- 

Best regards,

Charles


Default 'delay_warning_time'

2008-10-07 Thread Charles Marcus
Hi,

What is probably a *very* obvious question...

Does the default:

delay_warning_time = 0h

really mean that the sender would get the warning immediately if the
message wasn't able to be delivered immediately?

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-07 Thread Charles Marcus
On 10/7/2008 3:09 PM, mouss wrote:
>> but, example.com (the domain, not the hostname) is also listed in
>> virtual_mailbox_domains via the mysql lookup...
>>
>> Is this OK/normal? I'm thinking yes, because:

> yes, it's ok.

Ok, good... :)

> Note that both smtp.example.com and example.com are FQDN.

Right, but the latter can never be a _host_ name...

> "virtual domains" is ambiguous. you are talking about virtual mailbox
> domains (contrast with virtual alias domains).

True, and thanks for pointing that out... I do know how important it is
to be precise when discussing things like this...

> - you can have a per mailbox uid:gid or use a single uid:gid for all
> mailboxes (the maps are then: static:1234, where 1234 is the uid or gid).

Is there any place that discusses the pros/cons of per mailbox vs static
uid/gid? I'm using static now, but not sure if there is any advantage one
way or another. I'm mostly concerned with security and simplicity (I'm
lazy and don't like cleaning up messes or managing complicated
configurations)...

> since you use mysql, take a look at the howto on workaround.org for
> inspiration.

Thanks, I will... :)

-- 

Best regards,

Charles


Re: Virtual domain uncertainty...

2008-10-07 Thread Charles Marcus
On 10/7/2008, Victor Duchovni ([EMAIL PROTECTED]) wrote:
> This is false. DNS allows SOA, NS and A (or AAAA) records to exist at
> the same level (for the same domain name). So a delegated domain name
> (zone cut) can also be a host. What is not legal is CNAME records in
> combination with NS or SOA, so a zone cut cannot be a CNAME.

Heh... as always, thanks (mouss, Victor and Bill) for the correction...

Maybe one day I'll learn not to speak unless/until I know what I'm
talking about (guess I won't be speaking again any time soon)... ;)

-- 

Best regards,

Charles


Re: query re setup

2008-10-08 Thread Charles Marcus
On 10/7/2008, Lists ([EMAIL PROTECTED]) wrote:
> I like the setup that allows the client to use pop details to
> authenticate - I even managed to get that working  ;)

If you're talking about pop-b4-smtp, then you should know that it is
insecure and likely to cause you trouble.

Just go with smtpauth (using sasl)... it's not hard to set up, and much
more secure.

-- 

Best regards,

Charles


Re: query re setup

2008-10-08 Thread Charles Marcus
On 10/8/2008, Lists ([EMAIL PROTECTED]) wrote:
> I mean where the person in the mail client checks my server requires
> authentication and then selects use same credentials as pop server
> (thereby using username and password)

Ok then... just making sure... :)

-- 

Best regards,

Charles


Re: Test mysql virtual_mailbox_maps?

2008-10-10 Thread Charles Marcus
On 10/10/2008 8:21 AM, Ralf Hildebrandt wrote:
>> Is there a simple way to test the returned value of a mysql based
>> virtual mailbox map from the command line using the postconf command or
>> something similar?

> man postmap (option -q)

I'm blind... thanks Ralf...

-- 

Best regards,

Charles


Using proxy: for mysql maps

2008-10-10 Thread Charles Marcus
Hi,

Currently my virtual_mailbox_maps are being accessed by:

virtual_mailbox_domains = mysql:/etc/postfix/mysql_vmd.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_vmm.cf

It has been said here many times that it is better to use proxy:mysql:
instead, but I'm confused about implementation...

Is it simply a matter of adding the proxy: prefix to the map location?
Or do I need to do something else (in main.cf or master.cf) to set up
the proxy service?

Reading http://www.postfix.org/proxymap.8.html doesn't really say what
is needed to be done to actually *implement* this or switch an existing
system to using it, other than simply adding the proxy: prefix...

Thanks,

-- 

Best regards,

Charles


Re: About steps to setup virtual mailbox domain class

2008-10-10 Thread Charles Marcus
On 10/10/2008, Stephen Liu ([EMAIL PROTECTED]) wrote:
> # postmap -q [EMAIL PROTECTED]
> /etc/postfix/mysql-virtual_mailbox_limit_maps.cf
> postmap: fatal: open database
> /etc/postfix/mysql-virtual_mailbox_limit_maps.cf.db: No such file or
> directory

Fix this...

If mysql-virtual_mailbox_limit_maps.cf is the actual name of the file, then:

/etc/postfix/mysql-virtual_mailbox_limit_maps.cf

should be

/etc/postfix/mysql:mysql-virtual_mailbox_limit_maps.cf

or

/etc/postfix/proxy:mysql:mysql-virtual_mailbox_limit_maps.cf

Otherwise, postconf -n output?

-- 

Best regards,

Charles


Re: About steps to setup virtual mailbox domain class

2008-10-10 Thread Charles Marcus
On 10/10/2008 9:19 AM, Brian Evans - Postfix List wrote:
> No.. it should be 'postmap -q 
> mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf'
> 
> It goes type:table, not path/type:table.

Right, sorry for the noise...

-- 

Best regards,

Charles


Re: Using proxy: for mysql maps

2008-10-10 Thread Charles Marcus
On 10/10/2008, Wietse Venema ([EMAIL PROTECTED]) wrote:
>> Is it simply a matter of adding the proxy: prefix to the map
>> location?

> Yes. I thought that the examples are sufficient. But if you are more
> comfortable with more formal Backus-Naur syntax then I suppose I could
> provide that too.

No, no... I was just making sure that I wasn't overlooking something...
burned myself many times by using poor docs that make lots of assumptions...

That said, postfix docs are generally some of the best I've used (thanks
for that!) - it's my eyes/brain that are my biggest problem...

-- 

Best regards,

Charles


Test mysql virtual_mailbox_maps?

2008-10-10 Thread Charles Marcus
Hello,

Googling didn't reveal the answer (I probably didn't hit the right terms)...

Is there a simple way to test the returned value of a mysql based
virtual mailbox map from the command line using the postconf command or
something similar?

-- 

Best regards,

Charles


SQL DB/query change - concatenating fields

2008-10-13 Thread Charles Marcus
Hello,

Currently my virtual users are not organized by domain, and the
directory layout is:

/var/virtual/mail/[EMAIL PROTECTED]

with the following query to get the mailbox locations for virtual users:

query = SELECT maildir FROM mailbox WHERE username='%s'

I am planning on migrating everything to a new server and rearranging
things so that users are grouped by domain, ie:

/var/virtual/mail/example.com/user1

I will have to add a new field to the Table that will contain the local
part of the users username (email address), and obviously I will need to
modify the above query to concatenate the two different fields, but I am
not well versed with SQL.

Assuming the fieldnames are as specified ('domain' contains the domain
only, and 'local' contains the local part of the users email), my first
attempt will be:

query = SELECT CONCAT(domain, '/', local) WHERE username='%s'

Does this look even close?

I know I'll have to mv the maildirs around, and I will of course test
this once I get the new system up and ready, but I just want to check
myself...

Thanks...
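As an added example (not code from the post), here is the per-domain query worked through against a constructed mailbox table. In MySQL, which the post uses, the concatenation is written CONCAT(domain, '/', local), and the draft query above still needs its FROM mailbox clause; the example uses SQLite so it runs offline, where the same expression is spelled domain || '/' || local. It also adds the check a practitioner wants before trusting a path column: that whatever the map returns still resolves inside virtual_mailbox_base. The table, rows and function names are this example's own.

```python
"""Per-domain maildir paths from separate 'domain' and 'local' columns.

Added example, not code from the list post.  In MySQL, which the post uses,
the concatenation is CONCAT(domain, '/', local); the draft in the post also
needs a FROM clause.  SQLite stands in here so it runs offline; its spelling
of the same expression is domain || '/' || local.  virtual(8) delivers in
maildir format only when the returned path ends in '/', so the queries below
append one.  The table and rows are constructed.
"""
import posixpath
import sqlite3

# Shape of the query for mysql_vmm.cf (MySQL syntax, %s filled in by Postfix)
MYSQL_QUERY = (
    "SELECT CONCAT(domain, '/', local, '/') FROM mailbox WHERE username='%s'"
)
# Same query in SQLite syntax, with the key bound as a parameter
SQLITE_QUERY = (
    "SELECT domain || '/' || local || '/' FROM mailbox WHERE username = ?"
)

VIRTUAL_MAILBOX_BASE = "/var/virtual/mail"   # as in the post's postconf -n


def build_db():
    """In-memory mailbox table with constructed rows, one of them malformed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE mailbox (username TEXT PRIMARY KEY, domain TEXT, local TEXT)"
    )
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", [
        ("user1@example.com", "example.com", "user1"),
        ("user2@example2.com", "example2.com", "user2"),
        ("oops@example.com", "example.com", "../../etc"),  # bad data on purpose
    ])
    return db


def maildir_for(db, username):
    """Relative maildir path as virtual_mailbox_maps would return it, or None."""
    row = db.execute(SQLITE_QUERY, (username,)).fetchone()
    return row[0] if row else None


def mailbox_path(base, relative):
    """Join the map result onto virtual_mailbox_base and refuse anything that
    resolves outside it: a stray '..' in the table must not turn into a
    delivery target elsewhere on the filesystem.  normpath drops the
    trailing '/', which is fine for a directory path."""
    full = posixpath.normpath(posixpath.join(base, relative))
    if posixpath.commonpath([base, full]) != base:
        raise ValueError(f"{relative!r} resolves outside {base}")
    return full


def resolve(db, username):
    """Absolute delivery directory for a user, or None if unknown."""
    relative = maildir_for(db, username)
    return None if relative is None else mailbox_path(VIRTUAL_MAILBOX_BASE, relative)


if __name__ == "__main__":
    db = build_db()
    for user in ("user1@example.com", "user2@example2.com", "nobody@example.com"):
        print(user, "->", resolve(db, user))
```

The trailing slash matters: virtual(8) treats a mailbox path ending in '/' as a maildir and anything else as an mbox file, so the new layout /var/virtual/mail/example.com/user1 needs the map to return example.com/user1/ for the maildirs to keep working after the move.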


Re: Finally blocking some spam

2008-10-13 Thread Charles Marcus
On 10/13/2008, Joey ([EMAIL PROTECTED]) wrote:
> Somewhere government ( which I dont want them to control, but is the
> only one that can step in ) has to step in and setup hard and fast
> laws and rules based on a committee of knowledgable people ( Wietse
> etc ) to create a system which requires registration and has
> accountability for when spam is sent through your equipment. At this
> point though I think of that as a pipe dream and we each as admins
> have to take whatever methods work for us to accomplish the goal.

"If ye love wealth better than liberty, the tranquility of servitude
better than the animating contest of freedom, go home from us in peace.
We ask not your counsels or arms. Crouch down and lick the hands which
feed you. May your chains set lightly upon you, and may posterity forget
that ye were our countrymen."

-Samuel Adams, speech at the Philadelphia State House, August 1, 1776

I prefer the animating contest of freedom (and that includes learning
how to deal with spam), rather than give over absolute despotic control
of the internet to any government agency, which is what you are in
essence 'pipe-dreaming' about.

-- 

Best regards,

Charles


Re: Finally blocking some spam

2008-10-15 Thread Charles Marcus
On 10/13/2008 5:33 PM, Joey wrote:
>> I prefer the animating contest of freedom (and that includes learning
>> how to deal with spam), rather than give over absolute despotic control
>> of the internet to any government agency, which is what you are in
>> essence 'pipe-dreaming' about.

> Agreed, how would you mandate all Admins to follow the rules? ( I'm
> sure this is 75% of the problem today ).

? That's just it - the point was, it is *impossible* to mandate, without
giving over absolute despotic control. The best we can do is educate
those who are educatable.

-- 

Best regards,

Charles



Re: Courier-imap Trash empty not working

2008-10-16 Thread Charles Marcus
Wrong list... this has absolutely zero to do with postfix.

On 10/16/2008 4:38 AM, Gejo Paul wrote:
> Dear All,
> 
> I am using  postfix + perdition + courier + ldap+ maildir (mail quota)
> on my mail servers. Most of my clients are using squirrelmail for
> checking mails.
> All the functions are working fine on the server except one small issue
> on my backend servers.
> 
> I enabled the following parameters in file /usr/lib/courier-imap/etc/imapd
> IMAP_TRASHFOLDERNAME=Trash
> IMAP_EMPTYTRASH=Trash:7
> 
> But the mails are not deleting from the Trash Folder after 7 days.
> These are the contents of Maildir folder.
>  Maildir]# ls -a
> .   courierimaphieracl   courierimapsubscribed  courierpop3dsizelist 
> .Drafts   maildirsize  newtmp
> ..  courierimapkeywords  courierimapuiddb   cur  
> .INBOX.Trash  maildirsize_old  .Sent  .Trash
> 
> Any suggestions or ideas are most welcome

Ask on the courier list...

-- 

Best regards,

Charles


Re: Finally blocking some spam

2008-10-20 Thread Charles Marcus
On 10/20/2008, Joey ([EMAIL PROTECTED]) wrote:
> Running spamassasin on every domain we support will kill the server
> CPU wise and again as in my messages before it's about reducing
> overhead.  I am abusing some RBL's in some cases so I need to reduce
> connections.

I highly recommend checking out ASSP...

http://assp.sourceforge.net/

The current published 'stable' version is behind the times though. If
you decide to try it out, I highly recommend joining the 'test' list and
using one of the dev versions (1.4.x - and the new 2.0.x is
multi-threaded)...

http://sourceforge.net/mail/?group_id=69172

-- 

Best regards,

Charles


Re: Likely Spam.

2008-10-20 Thread Charles Marcus

On 10/20/2008 Linux Addict wrote:
> mynetworks = /etc/postfix/network_table

Contents of this file could be instructive...


Re: Cannot relocate queue_directory

2008-10-25 Thread Charles Marcus
postconf -n?

-- 

Best regards,

Charles


Re: Which FileSystem do you use on your postfix server?

2008-10-29 Thread Charles Marcus
On 10/29/2008, Joe Sloan ([EMAIL PROTECTED]) wrote:
> All our production boxes are 100% reiserfs, and have been for some
> years, based on performance testing. They have been rock solid, and most
> of them have 800 day uptimes at this point. I did some performance
> comparisons a few months ago and reiser still has a large lead over
> ext3. As reiser has always been the default filesystem on suse
> enterprise linux, it stands to reason that it has been well vetted.

I'd have to say 'me too' here, although I only use it for our maildirs...

My understanding is reiserfs' big weak point is unclean shutdowns, which
can be minimized/eliminated by using good UPS's and hardware RAID cards
with battery backup for the cache...

Mine survived one unclean shutdown (extended power outage in the middle
of the night) with no problems...

I've also heard people who have had nightmares with ext3...

No filesystem is perfect.

-- 

Best regards,

Charles


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Charles Marcus
On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
> reject_non_fqdn_sender, reject_unknown_sender_domain, permit

I do believe this makes you an open relay...

-- 

Best regards,

Charles


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Charles Marcus
On 10/31/2008 12:37 PM, Charles Marcus wrote:
> On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:
>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
>> reject_non_fqdn_sender, reject_unknown_sender_domain, permit

> I do believe this makes you an open relay...

Oh...

add 'reject_unauth_destination' BEFORE the permit...

-- 

Best regards,

Charles


Re: Can Anyone Make Sense of This Log Entry?

2008-10-31 Thread Charles Marcus
On 10/31/2008 12:54 PM, Brian Evans - Postfix List wrote:
> Charles Marcus wrote:
>> On 10/31/2008, Asai ([EMAIL PROTECTED]) wrote:
>>> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, 
>>> reject_non_fqdn_sender, reject_unknown_sender_domain, permit

>> I do believe this makes you an open relay...

> No... smtpd_sender_restrictions cannot make you an open relay omitting
> unauth_destination.
> OP has reject_unauth_destination in smtpd_recipient_restrictions which
> is correct.

Ack... I was in a hurry and jumped the gun...

Sorry Asai...
-- 

Best regards,

Charles
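An added check (not from the thread) for the point Brian makes above: a relay guard only counts when it sits in the list that actually gates relaying, smtpd_recipient_restrictions (or smtpd_relay_restrictions on Postfix 2.10 and later), and before any blanket "permit". The two configs are constructed; the first reuses Asai's sender restrictions with a sane recipient list, the second misplaces the guard.

```python
import re

# Constructed: Asai's smtpd_sender_restrictions from the thread, plus a
# smtpd_recipient_restrictions that carries reject_unauth_destination.
SAFE_CONF = """\
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

# Constructed counter-example: the guard is only in the sender restrictions,
# which never decide relaying, and the recipient list ends in a blanket permit.
OPEN_CONF = """\
smtpd_sender_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
"""

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
# smtpd_relay_restrictions exists on Postfix 2.10+ (assumed); the recipient
# list is checked on every version.
RELAY_LISTS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")


def parse_postconf(text):
    """Parse `postconf` output into {parameter: [restriction, ...]}.
    A line starting with whitespace continues the previous parameter."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current:
            params[current] += " " + line
        else:
            current, _, value = line.partition("=")
            current = current.strip()
            params[current] = value
    return {k: [t for t in re.split(r"[\s,]+", v) if t] for k, v in params.items()}


def check_open_relay(text):
    """Return findings; an empty list means a relay guard is correctly placed."""
    params, findings, guarded = parse_postconf(text), [], False
    for name in RELAY_LISTS:
        tokens = params.get(name, [])
        guard = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), -1)
        blanket = next((i for i, t in enumerate(tokens) if t == "permit"), len(tokens))
        if guard != -1 and guard < blanket:   # guard is reached before any permit
            guarded = True
    if not guarded:
        findings.append("no reject/defer_unauth_destination before a blanket "
                        "permit in " + " or ".join(RELAY_LISTS))
        if any(t in RELAY_GUARDS for t in params.get("smtpd_sender_restrictions", [])):
            findings.append("guard in smtpd_sender_restrictions does not gate relaying")
    return findings
```

Feed it the output of `postconf` (without `-n`) so defaulted restriction lists are included rather than reported as missing.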


Re: Use discard in a check_recipient_access

2008-11-04 Thread Charles Marcus
On 11/4/2008, Lluis Ribes ([EMAIL PROTECTED]) wrote:
> If I want to avoid that the spammer wouldn't receive a response like this:
> 
> "but it was rejected by the recipient domain. We recommend contacting
> the other email provider for further information about the cause of
> this error. The error that the other server returned was: 554 554
> 5.7.1 <[EMAIL PROTECTED]>: Recipient address rejected: Access
> denied (state 14).

He most likely won't, because the sending machine is most likely a
botnet not capable of generating NDRs.

NDRs are not generated by your postfix, but by the original sending MTA...

So, don't worry about it - just use REJECT like mouss suggested...

-- 

Best regards,

Charles


Re: Delete port 465 in master.cf

2008-11-07 Thread Charles Marcus
On 11/7/2008 3:59 AM, Josep M. wrote:
> I have Postfix running since some years ago and always ok, now when
> upgraded to Debian Lenny started giving to me these error messages when
> tested port 465
> 
> Nov  7 09:15:57 140 postfix/smtpd[26674]: fatal: bad boolean
> configuration: smtpd_tls_auth_only =
> Nov  7 09:15:58 140 postfix/master[11065]: warning: process
> /usr/lib/postfix/smtpd pid 26674 exit status 1
> Nov  7 09:15:58 140 postfix/master[11065]: warning:
> /usr/lib/postfix/smtpd: bad command startup -- throttling


> #smtps inet  n   -   n   -   -   smtpd
>   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only = yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

I think you're getting this error because spaces are not allowed in
master.cf config options, so, you could continue to support port 465 if
you changed:

-o smtpd_tls_auth_only = yes

to

-o smtpd_tls_auth_only=yes

But yes, use of 465/SMTPS is deprecated in favor of submission port
(587+TLS), and only needed if you need/want to support older clients
that do not support TLS (old versions of Outlook, Outlook Express, and
maybe some older mobile/phone clients)...

-- 

Best regards,

Charles

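An added check (not from the thread) for the master.cf mistake discussed above: every `-o` must be followed by a single whitespace-free name=value token. The fragment is constructed from the smtps entry quoted in this post plus a correctly written submission entry.

```python
# Constructed master.cf fragment: the smtps entry from the thread (its
# "-o smtpd_tls_auth_only = yes" is the bug) and a correct submission entry.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only = yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
"""


def services(text):
    """Return [(service_name, [token, ...]), ...] per master.cf entry.
    Lines starting with whitespace continue the previous entry; '#' lines
    are comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1][1].extend(raw.split())
        else:
            fields = raw.split()
            entries.append((fields[0], fields[1:]))
    return entries


def bad_options(text):
    """Return (service, problem) pairs for each -o whose argument is not a
    single name=value token, i.e. the spacing error the thread describes."""
    problems = []
    for name, tokens in services(text):
        for i, tok in enumerate(tokens):
            if tok != "-o":
                continue
            arg = tokens[i + 1] if i + 1 < len(tokens) else ""
            key, eq, _value = arg.partition("=")
            if not eq or not key:
                problems.append((name, "-o %r is not name=value; master.cf "
                                       "options may not contain whitespace" % arg))
    return problems
```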
