Re: Issues creating makefile - lines commented out

2023-02-24 Thread James Brown


> On 25 Feb 2023, at 4:10 pm, Viktor Dukhovni wrote:
> 
> On Sat, Feb 25, 2023 at 03:54:05PM +1100, James Brown wrote:
> 
>> % make -f Makefile.init makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH \
>> -DDEF_SERVER_SASL_TYPE="dovecot" \
> 
> Those should be 3-backslashes not 4.

That was it! Thanks Viktor - works OK now!

Successfully got to the install questions.
> 
>> -DDEF_COMMAND_DIR=\\\"/usr/local/sbin\\\" \
>> -DDEF_CONFIG_DIR=\\\"/usr/local/etc/postfix\\\" \
>> -DDEF_DAEMON_DIR=\\\"/usr/local/libexec/postfix\\\" \
>> -DHAS_PCRE -I/opt/homebrew/include \
>> -DHAS_SSL -I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ \
>> -DHAS_MYSQL -I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql/ " \
>> AUXLIBS_MYSQL='-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql 
>> -lmysqlclient -lz -lm' \
>> AUXLIBS='-L/usr/local/lib -lpcre -L/opt/homebrew/opt/openssl@3/lib 
>> -L/opt/homebrew/lib -lssl -lcrypto'  sendmail_path=/usr/local/sbin/sendmail 
>> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mailq 
> 
> You have made the masochist choice (double quotes and multiple layers of
> escaping).  I tried to discourage this...  You'll probably get it
> working, but it will still remain a bad idea.
> 
> Because I run a custom dev version of OpenSSL, my build script is:
> 
>OSSLPATH=/usr/local/siteexec
>OSSLINC="-I${OSSLPATH}/include "
>OSSLLIB="-L${OSSLPATH}/lib "
>OSSLSHLIB="-Wl,-rpath,${OSSLPATH}/lib "
> 
>make -f Makefile.init dynamicmaps=yes shared=yes pie=yes \
>'CCARGS=-DDEF_MAIL_OWNER=\"postfix\" -DDEF_SGID_GROUP=\"maildrop\" 
> -DHAS_EAI -DUSE_SASL_AUTH '"$OSSLINC"'-I/usr/local/include -DHAS_PCRE=2 
> -DUSE_CYRUS_SASL -I/usr/local/include/sasl -DUSE_TLS -I/usr/local/include/db5 
> -DHAS_CDB -DHAS_LMDB' \
>"AUXLIBS=${OSSLLIB}${OSSLSHLIB}"'-L/usr/local/lib -lsasl2 -lpam 
> -lcrypt -Wl,-rpath,/usr/local/lib -fstack-protector-strong  -lssl -lcrypto 
> -L/usr/local/lib/db5 -ldb-5.3' \
>'AUXLIBS_CDB=-L/usr/local/lib -Wl,-R,/usr/local/lib -lcdb' \
>'AUXLIBS_PCRE=-L/usr/local/lib -Wl,-R/usr/local/lib -lpcre2-8' \
>'AUXLIBS_LMDB=-L/usr/local/lib -Wl,-R/usr/local/lib -llmdb' \
>command_directory=/usr/local/sbin \
>config_directory=/usr/local/etc/postfix \
>daemon_directory=/usr/local/libexec/postfix \
>data_directory=/var/db/postfix \
>mailq_path=/usr/local/bin/mailq \
>newaliases_path=/usr/local/bin/newaliases \
>queue_directory=/var/spool/postfix \
>sendmail_path=/usr/local/sbin/sendmail \
>shlib_directory=/usr/local/lib/postfix-MAIL_VERSION \
>html_directory=/usr/local/share/doc/postfix \
>manpage_directory=/usr/local/man \
>readme_directory=/usr/local/share/doc/postfix \
>makefiles
> 
> The "long lines" for each of CCARGS and AUXLIBS are not a problem.
> 
> -- 
>Viktor.

Yes, I can see the variables make things a bit easier.


Thanks again everyone for your help.

James.
PS. Is there a place to go to support/donate to Postfix, or buymeacoffee.com 
link?



Re: Issues creating makefile - lines commented out

2023-02-24 Thread James Brown
> On 25 Feb 2023, at 12:09 pm, Wietse Venema  wrote:
> 
> James Brown:
>> Now it just has one error:
>> 
>> dict_mysql.c:171:10: fatal error: 'mysql.h' file not found
>> #include <mysql.h>
>> ^
>> 1 error generated.
>> make: *** [dict_mysql.o] Error 1
>> make: *** [update] Error 1
>> 
>> % locate mysql.h
>> /opt/homebrew/Cellar/mysql/8.0.32/include/mysql/mysql.h
>> 
>> Thanks so much for your help again.
> 
> I suspect a missing -I directive in CCARGS.
> 
>   Wietse

Thanks Wietse.

Not sure how to do that. I do feel very stupid with all this. 

Added ‘mysql’ to end of path for DHAS_MYSQL which seemed to help, got to an 
error saying it couldn’t find mysqlclient. Put ‘-L/opt/homebrew/lib’ in AUXLIBS:

 % make -f Makefile.init makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE="dovecot" \
-DDEF_COMMAND_DIR=\\\"/usr/local/sbin\\\" \
-DDEF_CONFIG_DIR=\\\"/usr/local/etc/postfix\\\" \
-DDEF_DAEMON_DIR=\\\"/usr/local/libexec/postfix\\\" \
-DHAS_PCRE -I/opt/homebrew/include \
-DHAS_SSL -I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ \
-DHAS_MYSQL -I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql/ " \
AUXLIBS_MYSQL='-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql -lmysqlclient 
-lz -lm' \
AUXLIBS='-L/usr/local/lib -lpcre -L/opt/homebrew/opt/openssl@3/lib 
-L/opt/homebrew/lib -lssl -lcrypto'  sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mailq 

Now it gets to:

cp cleanup ../../libexec
[src/smtpd]
cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
-DDEF_SERVER_SASL_TYPE=\\dovecot\\ -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
-I/opt/homebrew/include -DHAS_SSL 
-I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ -DHAS_MYSQL 
-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql/ -DBIND_8_COMPAT -DNO_NETINFO 
-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
-DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment -fno-common -g -O -I. -I../../include -DMACOSX -c smtpd.c
smtpd.c:6562:23: error: expected expression
VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, _smtpd_sasl_type, 1, 0,
 ^
../../include/mail_params.h:1700:29: note: expanded from macro 
'DEF_SMTPD_SASL_TYPE'
#define DEF_SMTPD_SASL_TYPE DEF_SERVER_SASL_TYPE
^
:3:30: note: expanded from here
#define DEF_SERVER_SASL_TYPE \dovecot\\
 ^
1 error generated.
make: *** [smtpd.o] Error 1
make: *** [update] Error 1

Definitely have to buy a few beers or bottles of wine when we get this working!

Thanks, James.

Re: Issues creating makefile - lines commented out

2023-02-24 Thread James Brown
> On 25 Feb 2023, at 2:41 am, Wietse Venema  wrote:
> 
> Wietse Venema:
>> James Brown:
>>>> On 24 Feb 2023, at 11:57 pm, Wietse Venema  wrote:
>>>> 
>>>> James Brown:
>>>>> Sorry if this is a bit of a basic question, but I'm trying to compile 
>>>>> from source on macOS 13.21.1 but the makefile has lines commented out.
>>>>> 
>>>>> I'm trying:
>>>>> 
>>>>> make -f Makefile.init makefiles \
>>>>> CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
>>>>   ...
>>>>> -DHAS_MYSQL -I/opt/homebrew/Cellar/mysql/8.0.32/include/' \
>>>>   ...
>>>> 
>>>> Try using " instead of '
>>>> 
>>>> Someone has "improved"(*) the shell and broke command examples that
>>>> I wrote 20+ years ago.
>>>> 
>>>>Wietse
>>>> 
>>>> (*) Or worse, some standard committee "improved" the spec.
>>>> 
>>> 
>>> Thanks for your help Wietse. (The shell is zsh)
>>> 
>>> % make -f Makefile.init makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH \
>>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
>> 
>> Try:
>> 
>>make -f Makefile.init makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH \
>>  -DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\" \
>>  ...
>> 
>> That's three backslashes where there was one.
> 
> I have to retract my comment about changes to shells. The behavior
> of backslash-newline inside 'string' (single quotes) is to preserve
> the backslash and the newline i.e. the backslash is not special and
> that has not changed in the past 10+ years.
> 
> Thus, the form
> 
>make -f Makefile.init makefiles CCARGS="ccargs stuff \
>   more ccargs stuff" \
>   other stuff \
>   more other stuff
> 
> Is the form to use when CCARGS spans multiple lines, and you need
> \\\ to protect " quotes inside CCARGS.
> 
>   Wietse

Thanks Wietse, Viktor and Norton.

Looks like three backslashes instead of one was the answer:

% make -f Makefile.init makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE="dovecot" \
-DDEF_COMMAND_DIR=\\\"/usr/local/sbin\\\" \
-DDEF_CONFIG_DIR=\\\"/usr/local/etc/postfix\\\" \
-DDEF_DAEMON_DIR=\\\"/usr/local/libexec/postfix\\\" \
-DHAS_PCRE -I/opt/homebrew/include \
-DHAS_SSL -I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ \
-DHAS_MYSQL -I/opt/homebrew/Cellar/mysql/8.0.32/include/" \
AUXLIBS_MYSQL='-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql -lmysqlclient 
-lz -lm' \
AUXLIBS='-L/usr/local/lib -lpcre -L/opt/homebrew/opt/openssl@3/lib -lssl 
-lcrypto'  sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mailq

And start of makefile:

# Do not edit -- this file documents how Postfix was built for your machine.
#
# Start of summary of user-configurable 'make makefiles' options.
# CCARGS=-DUSE_TLS -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\dovecot\ 
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
-I/opt/homebrew/include -DHAS_SSL 
-I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ -DHAS_MYSQL 
-I/opt/homebrew/Cellar/mysql/8.0.32/include/
# AUXLIBS=-L/usr/local/lib -lpcre -L/opt/homebrew/opt/openssl@3/lib -lssl 
-lcrypto
# AUXLIBS_MYSQL=-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql -lmysqlclient 
-lz -lm
# shared=
# dynamicmaps=
# pie=
# mailq_path=/usr/local/bin/mailq
# newaliases_path=/usr/local/bin/newaliases
# sendmail_path=/usr/local/sbin/sendmail
# End of summary of user-configurable 'make makefiles' options.
#--
# System-dependent settings and compiler/linker overrides.

Now it just has one error:

dict_mysql.c:171:10: fatal error: 'mysql.h' file not found
#include <mysql.h>
 ^
1 error generated.
make: *** [dict_mysql.o] Error 1
make: *** [update] Error 1

 % locate mysql.h
/opt/homebrew/Cellar/mysql/8.0.32/include/mysql/mysql.h


Thanks so much for your help again.

James.
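
The two parsing passes behind the advice in this thread (three backslashes inside double quotes, or single quotes on one long line), shown as an added example that is not part of the original messages. The helper names `cc_sees`, `line_count` and `report` are hypothetical, and the CCARGS values are shortened to two flags.

```shell
#!/bin/sh
# Added illustration; not code from the thread or from Postfix.
# CCARGS is parsed twice: by the shell where "make makefiles" is typed, and
# again by the shell that make starts for each cc command.

# Replay the second parse. $1 is CCARGS as make received it from the first
# shell. eval is acceptable here only because the inputs are the literals below.
cc_sees() {
    eval "set -- $1"
    printf '%s\n' "$@"
}

# Number of physical lines in a value. More than 1 means a backslash-newline
# pair survived the first parse and is copied into the generated Makefile,
# which is what the first message in this thread shows.
line_count() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

# Double quotes, three backslashes: the multi-line form Wietse recommends.
DQ3="-DUSE_TLS \
-DDEF_SERVER_SASL_TYPE=\\\"dovecot\\\""

# Double quotes, one backslash: the second shell strips the remaining quotes.
DQ1="-DUSE_TLS \
-DDEF_SERVER_SASL_TYPE=\"dovecot\""

# Single quotes across lines: backslash-newline is kept literally.
SQ_MULTI='-DUSE_TLS \
-DDEF_SERVER_SASL_TYPE=\"dovecot\"'

# Single quotes on one long line: the style of Viktor's build script.
SQ_ONE='-DUSE_TLS -DDEF_SERVER_SASL_TYPE=\"dovecot\"'

# Print, for one form, how many lines make receives and the last flag cc gets.
report() {
    printf '%-9s lines=%s  cc gets: %s\n' "$1" "$(line_count "$2")" \
        "$(cc_sees "$2" | tail -n 1)"
}

report DQ3      "$DQ3"
report DQ1      "$DQ1"
report SQ_MULTI "$SQ_MULTI"
report SQ_ONE   "$SQ_ONE"
```

Only `DQ3` and `SQ_ONE` reach make as a single line and still hand the compiler a quoted C string; `DQ1` loses the quotes and `SQ_MULTI` carries a literal backslash-newline into the Makefile.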



Issues creating makefile - lines commented out

2023-02-23 Thread James Brown
Sorry if this is a bit of a basic question, but I’m trying to compile from 
source on macOS 13.21.1 but the makefile has lines commented out.

I’m trying:

make -f Makefile.init makefiles \
CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/opt/homebrew//include \
-DHAS_SSL -I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ \
-DHAS_MYSQL -I/opt/homebrew/Cellar/mysql/8.0.32/include/' \
AUXLIBS_MYSQL='-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql -lmysqlclient 
-lz -lm'\
AUXLIBS='-L/usr/local/lib -lpcre -L/opt/homebrew/opt/openssl@3/lib -lssl 
-lcrypto'  sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mailq

The makefile that gets created starts:

# Do not edit -- this file documents how Postfix was built for your machine.
#
# Start of summary of user-configurable 'make makefiles' options.
# CCARGS=-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/opt/homebrew//include \
-DHAS_SSL -I/opt/homebrew/Cellar/openssl@3/3.0.8/include/ \
-DHAS_MYSQL -I/opt/homebrew/Cellar/mysql/8.0.32/include/
# AUXLIBS=
# AUXLIBS_MYSQL=-I/opt/homebrew/Cellar/mysql/8.0.32/include/mysql -lmysqlclient 
-lz -lmAUXLIBS=-L/usr/local/lib -lpcre -L/opt/homebrew/opt/openssl@3/lib -lssl 
-lcrypto
# shared=
# dynamicmaps=
# pie=
# mailq_path=/usr/local/bin/mailq
# newaliases_path=/usr/local/bin/newaliases
# sendmail_path=/usr/local/sbin/sendmail
# End of summary of user-configurable 'make makefiles' options.
#--
# System-dependent settings and compiler/linker overrides.

I’m sure it’s something simple, but why are the CCARGS, AUXLIBS and AUXLIBS_MYSQL 
being commented out?

Thanks,

James.


Re: Suggestions for less spam

2019-09-24 Thread James Brown
> On 23 Sep 2019, at 1:59 am, Dominic Raferd  wrote:
> 
> On Sun, 22 Sep 2019 at 14:36, Paul van der Vlis  wrote:
>> 
>> Hello,
>> 
>> I would like some suggestions on how to get less spam, I will paste my
>> configuration at the end of the mail.
>> 
>> Maybe somebody with a nice setup could post his/her setup?
>> 
>> As you can see, I am experimenting with reject_unknown_client_hostname.
>> What's your opinion about that setting?
>> 
>> I've never used greylisting. Are you using it?
> 
> I have been tweaking my settings for the last three years largely
> based on advice from this list. I give below my (slightly simplified)
> smtpd_recipient_restrictions settings for unauthenticated connections
> (suggestions for improvement very welcome). I also apply some
> header_checks and use spamassassin and clamav (via amavis) with some
> bespoke rules.
> 
> I think it is inadvisable to use reject_unknown_client_hostname (risk
> of fps) but I have found reject_unknown_reverse_client_hostname very
> effective. I tried greylisting but gave it up - it isn't necessary and
> the delays were very irritating to users (e.g. for password reset
> emails).
> 
> smtpd_recipient_restrictions =
>reject_unauth_pipelining
> 
> # localfile whitelists
>check_sender_access hash:/etc/postfix/sender_access_whitelist
>check_client_access hash:/etc/postfix/client_access_whitelist
>check_client_access cidr:/etc/postfix/client_access_whitelist.cidr
>check_helo_access hash:/etc/postfix/helo_access_whitelist
> 
># localfile blacklists
>check_sender_access hash:/etc/postfix/sender_access
>check_client_access hash:/etc/postfix/client_access
>check_helo_access hash:/etc/postfix/helo_access
>check_sender_access pcre:/etc/postfix/sender_access.pcre
> 
># reject clients without PTR
>reject_unknown_reverse_client_hostname
> 
># reject clients with dynamic ips
>reject_rbl_client dul.dnsbl.sorbs.net=127.0.0.10
> 
># rejections based on rbls for helo/sender/reverse_client
>reject_rhsbl_helo dbl.spamhaus.org
>reject_rhsbl_sender dbl.spamhaus.org
>reject_rhsbl_reverse_client dbl.spamhaus.org
>reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14]
> 
># ip-based remote whitelists
>permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
>permit_dnswl_client white.uribl.com
>permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
> 
># ip-based remote blacklists
>reject_rbl_client zen.spamhaus.org
>reject_rbl_client dyna.spamrats.com
>reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
>reject_rbl_client truncate.gbudb.net
>reject_rbl_client dnsbl.cobion.com
>reject_rbl_client bl.fmb.la=127.0.0.2
>reject_rbl_client b.barracudacentral.org
> 
Just wondering if it is worth using Razor.

https://sourceforge.net/projects/razor/

Do people find it useful? Anyone using it?

Seems a bit dated.

Thanks, James.





Re: Is it possible to run postfix in a container (e.g. docker, red-hot)?

2019-08-07 Thread James Brown
> On 7 Aug 2019, at 5:32 pm, Gerben Wierda  wrote:
> 
> Simple question:
> 
> Is it possible to run postfix in a container (e.g. docker, red-hot)? 
> 
> I’m looking into a new platform for my postfix as my current platform (macOS 
> High Sierra + Server with Apple-provided postfix) is end-of-life. I must 
> either get postfix to run on macOS Mojave natively, or get it to run on some 
> other platform. For other platforms, I am looking into platforms that will 
> self-update (a bit like macOS) such as RedHat Fedora Core to minimise 
> maintenance efforts. So I’m looking into running a VM on my macOS with some 
> sort of Linux, potentially using containers to facilitate more easy migration 
> in the future. Hence the question.
> 
> Gerben Wierda
> Chess and the Art of Enterprise Architecture 
> Mastering ArchiMate 
> Architecture for Real Enterprises 
>  at 
> InfoWorld
> On Slippery Ice  at EAPJ

I’ve got Postfix, Dovecot etc running on Mojave via Homebrew.

But it looks like MacPorts is a better way to go.

Post on Homebrew forum:

>   essandess  Steve Smith 
>  
> August 2
> I used MacPorts to provide a basic, working, configurable mail server on 
> macOS:
> 
> sudo port install mail-server
> port notes mail-server
> sudo port load mail-server
> This mail server uses postfix for the MTA, dovecot for the MDA, solr for fast 
> search, Rspamd for a milter, and clamav for email virus scanning. These are 
> all installed and configured automatically when mail-server is installed. 
> Surrogate TLS and DKIM configurations are created during the installation; 
> these must be changed prior to deployment. The configuration files in this 
> port are a combination of macOS Server version 5.7’s Mail server setup, with 
> many newer capabilities added. See the individual projects for configuration 
> details, as well as online guides, e.g. mail-server-guide 
> , and the MacPorts 
> mail-server Portfile itself:
> 
> port notes mail-server
> less `port file mail-server`
> port contents mail-server
> Users must reconfigure the mail-server installation for their own system, 
> network, and security model specifics by editing all necessary files and 
> checking file permissions. Full deployment also requires a working DNS 
> configuration on both the LAN and the internet (pre installed with 
> mail-server), including SPF, DMARC, and DKIM records, trusted TLS 
> certificates, port forwarding, possibly a mail relay, and more.
> 
> I looked into Homebrew and see that its security model is incompatible with 
> running a secure mail server. All of the tools in a mail server must be 
> installed and controlled securely at the system level with sudo. Homebrew 
> avoids sudo by taking over permissions in /usr/local. This won’t work in a 
> mail server.
> 
> For more details on the issues that can arise with Homebrew’s approach, I 
> agree with much of the criticism in this post: 
> https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-package-managers/ 
> . 
> Take this into account when configuring your own mail server.
> 

Hope that helps.

James.

Re: Authentication attempts for x...@com.au addresses

2019-04-02 Thread James Brown


> On 3 Apr 2019, at 9:45 am, Curtis Maurand wrote:
> 
> 
> 
> On 4/2/19 5:39 PM, @lbutlr wrote:
>> On 2 Apr 2019, at 14:30, Esteban L wrote:
>>> The times are in seconds, so you'll need to calculate those times.
>> a month is 2629743 seconds. An hour, of course is 3600, but I prefer 86400 
>> which is one day.
>> 
>> BTW, pi seconds is very close to 1 nano century.
>> 
>> 
> I agree with @ibutr that 86400 is a good number. Now to find where to 
> change the iptables rule to "-j DROP"
> 
> I like to just silently drop the connection. It becomes a sort of reverse DOS 
> in that they keep opening sockets, but you're effectively not listening.  
> It's been very effective in my experience.  To be sure, they will keep 
> changing sources once they realize the host is unreachable from any 
> particular source. If I end up blocking TOR or vpn users that are trying to 
> do nefarious things, then so be it.  I don't need to waste CPU cycles sending 
> responses. fail2ban is a resource hog as it is.
> 
> Cheers,
> Curtis

Thanks all for your replies. Increasing both Ban time and Find time are good 
and I’ll do that. Looking through the logs I can see some repeated IPs for IMAP 
failures, but over long times (eg maybe once or twice a day max).

We have Stunnel receive the traffic on port 465 and 587 and forward on to 
127.0.0.1 on port 25. So that is why I can’t write a Fail2ban rule for this log 
line:

auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given password: Password123)

as it would ban localhost, not the original IP that Stunnel received.

Thanks,

James.
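
The constraint described in this message, as an added example that is not part of the original post: a filter over Dovecot `auth-worker` "unknown user" lines that separates failures with a usable peer address from those that only show the loopback address of the local TLS proxy. The function names and the sample log lines are constructed for illustration; finding the real client address for the masked entries (from the proxy's own connection log) is outside this sketch.

```shell
#!/bin/sh
# Added illustration; not from the thread. All log lines below are constructed.
SAMPLE_LOG='auth-worker(42777): Info: sql(contact@example.test,127.0.0.1): unknown user
auth-worker(42777): Info: sql(info@example.test,127.0.0.1): unknown user
imap-login: Info: Login: user=<alice@example.test>, rip=192.0.2.10
auth-worker(42780): Info: sql(admin@example.test,203.0.113.7): unknown user
auth-worker(42781): Info: sql(sales@example.test,203.0.113.7): unknown user
auth-worker(42782): Info: sql(bob@example.test,198.51.100.9): unknown user'

# stdin: auth log lines. stdout: the address field of every "unknown user" line.
failed_auth_ips() {
    awk '/auth-worker\([0-9]+\): Info: sql\(/ && /unknown user/ {
        s = $0
        sub(/^.*sql\(/, "", s)   # keep what follows "sql("
        sub(/\).*$/, "", s)      # cut at the first closing parenthesis
        n = split(s, f, ",")     # f[1] = login name, f[2] = peer address
        if (n >= 2) print f[2]
    }'
}

# stdin: auth log lines. $1: minimum failures before an address is reported.
# Prints "masked <ip> <count>" for loopback peers, which must never be banned
# because they are the local proxy, and "ban <ip> <count>" for real peers.
classify_failures() {
    min=${1:-1}
    failed_auth_ips | sort | uniq -c | while read -r count ip; do
        case "$ip" in
            127.*|::1)
                printf 'masked %s %s\n' "$ip" "$count"
                ;;
            *)
                if [ "$count" -ge "$min" ]; then
                    printf 'ban %s %s\n' "$ip" "$count"
                fi
                ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LOG" | classify_failures 2
```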

Authentication attempts for x...@com.au addresses

2019-04-02 Thread James Brown
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for 
authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql(cont...@com.au,127.0.0.1): unknown user (given 
password: someone123)

Also i...@com.au etc.

They are coming through on port 465.

Obviously my domain is not ‘com.au’ - how can I stop these attempts from even 
being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

Thanks,

James.





Re: Change 451 Temp Lookup code to permanent 550 code for unknown local recipients

2019-03-03 Thread James Brown
> On 4 Mar 2019, at 4:40 pm, Viktor Dukhovni  wrote:
> 
> [ Just this once, I'm going to make an exception and send HTML email. Its only
>   new content is colour added to two snippets of the original text. ]
> 
>> On Mar 4, 2019, at 12:29 AM, James Brown  wrote:
>> 
>> 2019-03-04 15:52:00.949864+1100  localhost smtpd[25337]: connect from 
>> localhost[127.0.0.1]
>> 2019-03-04 15:52:01.246686+1100  localhost smtpd[12280]: warning: connect to 
>> mysql server 127.0.0.1: Access denied for user 'postfix'@'localhost' (using 
>> password: YES)
>> 2019-03-04 15:52:01.246723+1100  localhost smtpd[12280]: warning: 
>> mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf lookup error for 
>> "annie.cli...@bordo.com.au"
>> 2019-03-04 15:52:01.246747+1100  localhost smtpd[12280]: NOQUEUE: reject: 
>> RCPT from localhost[127.0.0.1]: 451 4.3.0 : 
>> Temporary lookup failure; from= 
>> to= proto=ESMTP 
>> helo=
> 
> [ For anyone reading this in mutt, pine, elm, ... the "mysql" table warnings
>   have been emphasized for the OP.  With a bit of luck he'll realize that failure
>   to access the database is not an instance of "unknown local recipient". ]

Thanks Pau and Viktor. Sorry about the HTML email.

The access denied warning has now been fixed - I had not changed the password 
in mysql_virtual_mailbox_maps.cf. No longer getting that error - thanks!

And sender is now getting a 550 error!

2019-03-04 17:38:35.647068+1100  localhost smtpd[75996]: connect from 
localhost[127.0.0.1]
2019-03-04 17:38:36.636562+1100  localhost smtpd[75996]: NOQUEUE: reject: RCPT 
from localhost[127.0.0.1]: 550 5.1.1 : Recipient 
address rejected: User unknown in virtual mailbox table; 
from= to= proto=ESMTP 
helo=
2019-03-04 17:38:36.914926+1100  localhost cleanup[79609]: CDAC911DFB34: 
message-id=<20190304063836.cdac911df...@mail.bordo.com.au>
2019-03-04 17:38:37.043967+1100  localhost smtpd[75996]: disconnect from 
localhost[127.0.0.1] ehlo=1 starttls=0/1 mail=1 rcpt=0/1 quit=1 commands=3/5

Thanks again,

James.




Change 451 Temp Lookup code to permanent 550 code for unknown local recipients

2019-03-03 Thread James Brown
Postfix 3.4.0, using Dovecot for SASL authentication and MySQL.

I have set:

unknown_local_recipient_reject_code = 550

But when an email comes through to an unknown user, a 451 Temporary Lookup 
Failure code is given, not a 550:

2019-03-04 15:52:00.949864+1100  localhost smtpd[25337]: connect from 
localhost[127.0.0.1]
2019-03-04 15:52:01.246686+1100  localhost smtpd[12280]: warning: connect to 
mysql server 127.0.0.1: Access denied for user 'postfix'@'localhost' (using 
password: YES)
2019-03-04 15:52:01.246723+1100  localhost smtpd[12280]: warning: 
mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf lookup error for 
"annie.cli...@bordo.com.au "
2019-03-04 15:52:01.246747+1100  localhost smtpd[12280]: NOQUEUE: reject: RCPT 
from localhost[127.0.0.1]: 451 4.3.0 <annie.cli...@bordo.com.au>: Temporary lookup failure; 
from=<purch...@thorintl.com> 
to=<annie.cli...@bordo.com.au> proto=ESMTP 
helo=http://astaro1.bordo.com.au/>?-?192.168.1.2?-?mail.bordo.com.au 
?-?mail.bordo.com.au >

This causes the sending mail server to store the email and try several times.

This is the sort of thing the sending mail server sees:

Connected to mail.bordo.com.au .
Escape character is '^]'.
220 mail.bordo.com.au  ESMTP Postfix
EHLO me 
250-mail.bordo.com.au 
250-STARTTLS
250-SIZE 10240
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 NOOP
mail from: jlbr...@bordo.com.au 
250 2.1.0 Ok
rcpt to: sdf...@bordo.com.au 
451 4.3.0 <sdf...@bordo.com.au>: Temporary lookup failure
Connection closed by foreign host.

How can I get it to send a permanent failure code?

Thanks,

James.



Re: Postfix logging without syslogd

2019-01-21 Thread James Brown
On 22 Jan 2019, at 5:22 pm, James Brown <jlbr...@bordo.com.au> wrote:
> 
> On 22 Jan 2019, at 5:18 pm, Larry Stone <lston...@stonejongleux.com> wrote:
>> 
>> On Jan 21, 2019, at 6:04 PM, Wietse Venema <wie...@porcupine.org> wrote:
>>> 
>>> postfix-3.4-20190121-nonprod-logger has lightly-tested code for
>>> logging to file without using syslogd. 
>>> 
>> 
>> I just successfully built it on a Mojave system and so far, all looks good. 
>> One test email sent out (my Postfix is outgoing only) was properly logged. 
>> Have not tested anything yet involving log rotation. Unlike James Brown and 
>> his Unsupported Berkeley DB version, I do not have Berkeley DB on my system 
>> (unless a version comes with MacOS), do not use mySQL, and do not have 
>> anything from Homebrew on the system.
>> 
>> -- 
>> Larry Stone
>> lston...@stonejongleux.com
> 
> I’ll try removing Berkeley DB and give it another go. Thanks Larry.
> 
> James.

I removed Berkeley DB (via Homebrew uninstall) and it gets much further. Now 
stops on:

In file included from abounce.c:187:
./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
#include <openssl/opensslv.h>    /* OPENSSL_VERSION_NUMBER */
 ^~~~
1 error generated.

Shouldn’t this line in my make command find it?

-DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1a/include

$locate openssl/opensslv.h
/usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
/usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
/usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h



Re: Postfix logging without syslogd

2019-01-21 Thread James Brown
On 22 Jan 2019, at 5:18 pm, Larry Stone  wrote:
> 
> On Jan 21, 2019, at 6:04 PM, Wietse Venema  wrote:
>> 
>> postfix-3.4-20190121-nonprod-logger has lightly-tested code for
>> logging to file without using syslogd. 
>> 
> 
> I just successfully built it on a Mojave system and so far, all looks good. 
> One test email sent out (my Postfix is outgoing only) was properly logged. 
> Have not tested anything yet involving log rotation. Unlike James Brown and 
> his Unsupported Berkeley DB version, I do not have Berkeley DB on my system 
> (unless a version comes with MacOS), do not use mySQL, and do not have 
> anything from Homebrew on the system.
> 
> -- 
> Larry Stone
> lston...@stonejongleux.com

I’ll try removing Berkeley DB and give it another go. Thanks Larry.

James.

Re: Postfix logging without syslogd

2019-01-21 Thread James Brown
On 22 Jan 2019, at 11:04 am, Wietse Venema <wie...@porcupine.org> wrote:
> 
> postfix-3.4-20190121-nonprod-logger has lightly-tested code for
> logging to file without using syslogd. 
> 
> This solves a usability problem in MacOS, may help to work around
> a logging bottleneck with systemd, and solves 99% of the problem
> for logging to stdout in a container (hopefully we have 100% soon).
> 
> Available from ftp://ftp.porcupine.org/mirrors/postfix-release/experimental 
> 
> 
>postfix-3.4-20190121-nonprod-logger.HISTORY
>postfix-3.4-20190121-nonprod-logger.RELEASE_NOTES
>postfix-3.4-20190121-nonprod-logger.tar.gz
>postfix-3.4-20190121-nonprod-logger.tar.gz.gpg1
>postfix-3.4-20190121-nonprod-logger.tar.gz.gpg2
>postfix-3.4-20190121-nonprod-logger.tar.gz.sig
> 
> See the RELEASE_NOTES file for instructions and limitations.
> 
>   Wietse

Thanks so much for doing this Wietse.

Just tried it on MacOS Mojave machine. Sudo make install ends with:

cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
-I/usr/local/opt//include -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1a/include 
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT 
-DNO_NETINFO -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
-DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM -DSNAPSHOT -DNONPROD 
-DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment  -g -O -I. -DMACOSX -c dict_cidr.c
cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
-I/usr/local/opt//include -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1a/include 
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT 
-DNO_NETINFO -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
-DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM -DSNAPSHOT -DNONPROD 
-DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment  -g -O -I. -DMACOSX -c dict_db.c
dict_db.c:768:2: error: "Unsupported Berkeley DB version"
#error "Unsupported Berkeley DB version"
 ^
1 error generated.
make: *** [dict_db.o] Error 1
make: *** [update] Error 1


I used:

make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1a/include \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -L/usr/local/Cellar/openssl@1.1/1.1.1a/lib -lssl -lcrypto 
-L/usr/local/opt/mysql@5.7/lib \
-lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail

I tried adding ‘-lda’ to the AUXLIBS string but got the same result.

I have berkeley-db version 18.1.25 installed via Homebrew.


Don’t think I had this issue with the previous version of Postfix.

Thanks,

James.

Re: Master.cf Transport type - piping to Perl. How can I specify path to Perl?

2019-01-20 Thread James Brown
On 21 Jan 2019, at 3:59 pm, James Brown  wrote:
> 
> I have Postfix Admin’s Vacation setup and would like to use the Perl at 
> /usr/local/bin/perl rather than /usr/bin/perl.
> 
> I have:
> 
> vacation  unix  -       n       n       -       -       pipe
>   flags=DRhu user=_vacation argv="/usr/local/bin/perl /var/spool/vacation/vacation.pl" -f ${sender} -- ${recipient}
> 
> But log shows:
> 
> 2019-01-21 15:48:09.726114+1100  localhost pipe[8806]: 8A484E5F63E: 
> to=, 
> orig_to=, relay=vacation, delay=0.25, 
> delays=0.21/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. 
> Command output: pipe: fatal: pipe_command: execvp "/usr/local/bin/perl: No 
> such file or directory )
> 
> Any suggestions on how to accomplish this?
> 
> Thanks,
> 
> James.

Ignore this, it worked just fine when I got rid of the quotes. Ie 

vacation  unix  -       n       n       -       -       pipe
  flags=DRhu user=_vacation argv=/usr/local/bin/perl /var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}

I suppose it just seemed too simple for that to work!

James.



Master.cf Transport type - piping to Perl. How can I specify path to Perl?

2019-01-20 Thread James Brown
I have Postfix Admin’s Vacation setup and would like to use the Perl at 
/usr/local/bin/perl rather than /usr/bin/perl.

I have:

vacation  unix  -       n       n       -       -       pipe
  flags=DRhu user=_vacation argv="/usr/local/bin/perl /var/spool/vacation/vacation.pl" -f ${sender} -- ${recipient}

But log shows:

2019-01-21 15:48:09.726114+1100  localhost pipe[8806]: 8A484E5F63E: 
to=, 
orig_to=, relay=vacation, delay=0.25, 
delays=0.21/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command 
output: pipe: fatal: pipe_command: execvp "/usr/local/bin/perl: No such file or 
directory )

Any suggestions on how to accomplish this?

Thanks,

James.

Re: Upgraded to 3.4 today. All logging has Stopped?

2019-01-11 Thread James Brown
On 11 Jan 2019, at 4:08 am, Wietse Venema  wrote:
> 
> Larry Stone:
>>> # Log file to use for error messages. "syslog" logs to syslog,
>>> # /dev/stderr logs to stderr.
>>> #log_path = syslog
>>> log_path = /var/log/mail.log
>>> 
>>> So I’ve had to change this so that it writes directly to the file, and not 
>>> to syslog.
>> 
>> Ah. So Dovecot has the ability to write logs directly. I believe
>> Wietse has stated in the past that no such capability exists in
>> Postfix and it only logs to the syslog daemon. And it’s the changes
>> Apple has made to syslog that are the issue.
> 
> Is that better than Bill Cole's solution to run a log exporter at
> system startup?
> 
> If both Dovecot and Postfix write to the same logfile, that would
> be a disaster.
> 
> - The only way to make multiple logfile writers safe is that each
>  logfile writer flushes its own buffers after every log call, and
>  that would be disastrous for performance. See the Postfix
>  LINUX_README for a discussion. It may be OK for MacOS but it is
>  not good for real servers.
> 
> - If individual programs write directly to the logfile, flushing
>  after every log call is also required to avoid losing logs when
>  a program crashes, and that is when logs are needed most.
> 
> - The only way to make logging performant is to have a single writer
>  that has a limited-size write buffer (like syslogd and rsyslogd).
> 
> Therefore,
> 
> - Postfix and Dovecot cannot share logfiles. But there is nothing
>  to enforce that, because there are no mandatory locks.
> 
> - Postfix needs its own logger daemon, which brings major challenges
>  when Postfix is not (yet) running.
> 
>  - What happens with logging during Postfix startup?
>    Hack the log client code to directly write to the logfile?  Will
>    it even be allowed to write outside the Postfix queue? If every
>    program opens the logfile as root, it has to make sure that the
>    file is not a symlink, has no multiple hard links, etc.
> 
>  - What happens with logging from non-daemon programs when Postfix
>    is down? Unless the logfile is world-writable, those programs
>    will have nowhere to log. This affects programs that invoke
>    /bin/mail before Postfix is up; we should not assume that such
>    programs will always run as root.
> 
>  - Log rotation support. Postfix cannot keep appending to the
>    same file forever. It may be OK for MacOS but it is not good
>    for real servers. Basically re-invent the log rotation wheel.
> 
>   Wietse

Thanks Wietse, Larry, Robert and Bill. I really appreciate your help.

Wietse, thanks for pointing out all the problems of Postfix logging without 
syslog. 

I have created a script that runs Bill’s log command to send it to a file. Not 
the same log file that Dovecot is using. Created a LaunchDaemon to open the 
script at startup.

Seems to work perfectly, so thanks again everyone.

James.
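
The checks Wietse lists above for a program that opens the logfile as root (not a symlink, no multiple hard links), as an added C example that is not Postfix code and not part of the thread. `open_logfile_checked` and `demo_errno_for` are hypothetical names, and the scratch files under /tmp are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Postfix code): open an existing logfile for
 * appending only if it is a regular file, is not reached through a symlink,
 * and has exactly one hard link. Returns a descriptor, or -1 with errno set. */
int open_logfile_checked(const char *path)
{
    struct stat st;
    int fd, saved;

    /* O_NOFOLLOW: fail (ELOOP on Linux and macOS) if the last path component
     * is a symlink. O_NONBLOCK: do not block if the path is a FIFO.
     * No O_CREAT: creating the logfile is a separate, deliberate step. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor, not the path, so the checks describe the
     * object that was actually opened and cannot be raced by a rename. */
    if (fstat(fd, &st) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {         /* device, FIFO, directory, ... */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (st.st_nlink != 1) {             /* another name points at this inode */
        close(fd);
        errno = EMLINK;
        return -1;
    }
    return fd;
}

enum demo_case { CASE_PLAIN, CASE_SYMLINK, CASE_HARDLINK };

/* Constructed demonstration: builds a scratch directory, sets up one case,
 * and returns the errno reported by open_logfile_checked() (0 = opened,
 * -1 = the scratch setup itself failed). */
int demo_errno_for(enum demo_case which)
{
    char dir[] = "/tmp/logchk.XXXXXX";
    char target[64], alias[64];
    const char *path = target;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/mail.log", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        result = -1;
    else
        close(fd);

    if (which == CASE_SYMLINK) {
        if (symlink(target, alias) != 0)
            result = -1;
        path = alias;                   /* open through the symlink */
    } else if (which == CASE_HARDLINK) {
        if (link(target, alias) != 0)   /* mail.log now has two names */
            result = -1;
    }

    if (result == 0) {
        fd = open_logfile_checked(path);
        if (fd < 0)
            result = errno;
        else
            close(fd);
    }
    unlink(alias);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("plain file: errno %d\n", demo_errno_for(CASE_PLAIN));
    printf("symlink   : errno %d\n", demo_errno_for(CASE_SYMLINK));
    printf("hard link : errno %d\n", demo_errno_for(CASE_HARDLINK));
    return 0;
}
```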





Re: Upgraded to 3.4 today. All logging has Stopped?

2019-01-09 Thread James Brown
> On 10 Jan 2019, at 2:01 pm, Larry Stone <lston...@stonejongleux.com> wrote:
> 
> On Jan 9, 2019, at 19:01, James Brown <jlbr...@bordo.com.au> wrote:
>> 
>> Thanks Viktor. It would be great if Postfix would log to disk on newer 
>> versions of macOS X like it did before. My Mojave test mail server has 
>> Dovecot logging to /var/log/mail.log but Postfix doesn’t.
> 
> Is this a recent build of Dovecot or was it built on an older version of 
> MacOS before the logging changes? If the former, ask on the Dovecot list how 
> they did it. If the latter, it’s a meaningless data point until Dovecot is 
> rebuilt on a newer version of MacOS.
> 
>> Has anyone managed to do this? I’d rather not have to compile on old Mac and 
>> transfer. 
> 
> Not as far as any of us know. It’s been discussed here before and no solution 
> has been found.
> 
> — Larry Stone
>   lston...@stonejongleux.com

Hi Larry. It’s a recent build of Dovecot, compiled on Mojave. Steps to compile 
were:

export CPPFLAGS="-I/usr/local/opt/mysql@5.7/include/mysql -I/usr/local/Cellar/openssl@1.1/1.1.1/include"
export LDFLAGS="-L/usr/local/opt/mysql@5.7/lib -L/usr/local/opt/openssl@1.1/lib"

./configure --with-mysql --with-ssl=openssl

make

sudo make install

The setting file for logging, “etc/dovecot/conf.d/10-logging.conf” does have 
this:

##
## Log destination.
##

# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog
log_path = /var/log/mail.log

So I’ve had to change this so that it writes directly to the file, and not to 
syslog.

James.

Re: Upgraded to 3.4 today. All logging has Stopped?

2019-01-09 Thread James Brown


> On 30 Nov 2018, at 4:07 am, Viktor Dukhovni  
> wrote:
> 
> 
>> On Nov 29, 2018, at 9:15 AM, Robert Chalmers  wrote:
>> 
>> I upgraded to and installed 3.4 today. It appears to be running, but all 
>> logging has stopped. The last entry in the log file was at the exact time I 
>> started the new version.
> 
> Apple changed the syslog API to use the os_log(3) interface, but apparently
> if you compile on a sufficiently old MacOS/X system, you get linked against
> the traditional syslog API.
> 
> So some people do that, but the os_log(3) stuff is configurable, so you
> should be able to configure the logs to be saved.  The in-memory logs
> can be queried with log(1).  For example:
> 
>  # postfix reload
>  postfix/postfix-script: refreshing the Postfix mail system
> 
>  # log show --info --style syslog --last 2m --predicate 'eventType == 
> logEvent'  | grep libpostfix-util
>  2018-11-29 12:02:26.765215-0500  localhost postlog[59348]: 
> (libpostfix-util.dylib) refreshing the Postfix mail system
>  2018-11-29 12:02:26.776443-0500  localhost master[33680]: 
> (libpostfix-util.dylib) reload -- version 3.4-20181125, configuration 
> /var/tmp/postfix/etc
> 
> Someone should figure out how to create an asl.conf(5) configuration
> that causes appropriate Postfix logs to land on disk, and share
> the recipe.
> 
> I should note that the new API appears to strip everything up to
> the last "/" in the log name, so we're losing the "postfix/"
> prefixes.  Might need to change the code (on MacOS) to send
> 
>   postfix:master
> 
> rather than
> 
>   postfix/master
> 
> -- 
>   Viktor

Thanks Viktor. It would be great if Postfix would log to disk on newer versions 
of macOS X like it did before. My Mojave test mail server has Dovecot logging 
to /var/log/mail.log but Postfix doesn’t.

Has anyone managed to do this? I’d rather not have to compile on old Mac and 
transfer. 

Really need logging to disk for fail2ban to work with Postfix.

James.


Re: New install - Temporary lookup failures when trying to send

2018-12-06 Thread James Brown


> On 7 Dec 2018, at 1:23 am, Matus UHLAR - fantomas  wrote:
> 
> Anyway, sorry for the noise.
> 
> however, my questions weren't responded and still apply:
> 
> Are those cf files properly configured? Can postfix connect to the 
> database?
> What's in the logs?
> 
> and also the comment:
> 
>> Not sure where I’ve gone wrong. Copied most config details across from 
>> my working (older) mail server.
> often not a good idea, your postfix config file has too many options 
> where I
> believe many could be left default.


Wow, sorry to have caused such a kerfuffle with the email links!

I’m sending this one as Plain Text just to be sure. :-)

Yes, I’m using ASSP as an anti-spam mail proxy - 
https://sourceforge.net/projects/assp/

Anyway, I eventually got it working. I think the problem was that I did not 
have:

mysql_virtual_alias_maps.cf and
mysql_virtual_domains_maps.cf

In /usr/local/etc/postfix/ - once I put them in I think it worked. It’s all 
good now.

Thanks again everyone for your help.

James.


New install - Temporary lookup failures when trying to send

2018-12-02 Thread James Brown
I’m trying to set up a new mail server on macOS Mojave and it almost works. 
Dovecot for IMAP is working.

But when I try to send a message I get:

Escape character is '^]'.
220 mail.bordo.com.au ESMTP Postfix
HELO me.bordo.com.au
250 mail.bordo.com.au
MAIL FROM: <jlbr...@bordo.com.au>
250 2.1.0 Ok
RCPT TO: <jlbr...@bordo.com.au>
451 4.3.0 <jlbr...@bordo.com.au>: Temporary lookup failure

Config:

$ postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 7
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 100
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_protocols = ipv4
mail_owner = _postfix
mailbox_size_limit = 10240
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 10240
meta_directory = /usr/local/etc/postfix
mydomain = bordo.com.au 
myhostname = mail.bordo.com.au 
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
shlib_directory = no
smtpd_client_connection_count_limit = 100
smtpd_command_filter = pcre:/etc/postfix/command_filter.regex
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_pipelining, reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /usr/local/etc/dovecot/mail.bordo.com.au.pem
smtpd_tls_key_file = /usr/local/etc/dovecot/mail.bordo.com.au.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
vacation_destination_recipient_limit = 1
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:102
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = 
mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200
virtual_mailbox_maps = 
mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 102
virtual_transport = dovecot
virtual_uid_maps = static:102


Mailboxes are stored in MySQL.

I have in main.cf:

dovecot unix - n n - - pipe
  flags=DRhu user=_vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} 
-d ${recipient}

Not sure where I’ve gone wrong. Copied most config details across from my 
working (older) mail server.

Any suggestions where I should look? Anything wrong with the above 
configuration? 

Thanks in advance,

James.

Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread James Brown



> On 28 Nov 2018, at 11:20 pm, Herbert J. Skuhra  wrote:
> 
> On Wed, Nov 28, 2018 at 11:00:33PM +1100, James Brown wrote:
>> 
>> On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
>>> ...
>>> My Make script is:
>>> 
>>> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
>>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
>>> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
>>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
>>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
>>> -DHAS_PCRE -I/usr/local/opt//include \
>>> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
>>> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
>>> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
>>> -L/usr/local/opt/mysql@5.7/lib \
>>> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
>>> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail
>>> 
>>> I’ve changed the DHAS_SSL a few times but keep getting the exact same error. 
>>> I’m sure it’s a simple thing to fix, but can’t get it to work.
>>> 
>>> Any ideas?
>> 
>> ...
> 
>> Thanks Herbert.
>> 
>> Well, I thought that’s what I was using, but I’ve tried so many variations. 
>> Removed the ‘/openssl’ and now I get:
>> 
>> c/postfix\" -DHAS_PCRE -I/usr/local/opt//include -DHAS_SSL 
>> -I/usr/local/Cellar/openssl@1.1/1.1.1/include -DHAS_MYSQL 
>> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
>> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
>> -DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM 
>> -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
>> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
>> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
>> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
>> -Wno-comment -g -O -I. -I../../include -DMACOSX  -o master master.o 
>> master_conf.o master_ent.o master_sig.o master_avail.o master_spawn.o 
>> master_service.o master_status.o master_listen.o master_vars.o 
>> master_wakeup.o master_watch.o master_flow.o master_monitor.o 
>> ../../lib/libglobal.a ../../lib/libutil.a -L/usr/local/lib -lpcre -lssl 
>> -lcrypto -L/usr/local/opt/mysql@5.7/lib -lmysqlclient -lz -lm 
>> -flat_namespace -lresolv 
>> ld: library not found for -lssl
>> clang: error: linker command failed with exit code 1 (use -v to see 
>> invocation)
>> make: *** [master] Error 1
>> 
>> Homebrew installed openssl 1.0.2 when I installed either stunnel or 
>> MySQL@5.7 as Homebrew won’t let me uninstall that version as they are using 
>> it. Suppose I’ll have to work out how to have Homebrew install them with 
>> OpenSSL@1.1.1 somehow.
> 
> You also have to add -L/usr/local/Cellar/openssl@1.1/1.1.1/lib
> (in front of -lssl -lcrypto).
> 
> You probably should use Openssl 1.1.1a (instead of 1.1.1) because it includes 
> fixes
> for known vulnerabilities.
> 
> -- 
> Herbert
> 

Thanks Herbert, adding -L/usr/local/Cellar/openssl@1.1/1.1.1a/lib in front of 
-lssl worked! 

Changed 1.1.1 to 1.1.1a as well.  Pity it can’t just use the most recent one. 
Oh well, it works.

Huge relief to have this working - thanks Herbert.

James.


Re: Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread James Brown
> On 28 Nov 2018, at 10:38 pm, Herbert J. Skuhra <herb...@gojira.at> wrote:
> 
> On Wed, Nov 28, 2018 at 09:55:02PM +1100, James Brown wrote:
>> I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 
>> 3.3.2 but it always ends with:
>> 
>> cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
>> -I/usr/local/opt//include -DHAS_SSL 
>> -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
>> -I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
>> -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
>> -DDEF_SMTPUTF8_ENABLE=\"no\" -DHAS_DEV_URANDOM 
>> -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
>> -DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
>> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
>> -DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
>> -Wno-comment  -g -O -I. -I../../include -DMACOSX -c abounce.c
>> In file included from abounce.c:187:
>> ./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
>> #include <openssl/opensslv.h>    /* OPENSSL_VERSION_NUMBER */
>> ^~~~
>> 1 error generated.
>> make: *** [abounce.o] Error 1
>> 
>> opensslv.h is at:
>> 
>> $ locate opensslv.h
>> /usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
>> /usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
>> /usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
>> /usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h
>> 
>> My Make script is:
>> 
>> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
>> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
>> -DHAS_PCRE -I/usr/local/opt//include \
>> -DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
>> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
>> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
>> -L/usr/local/opt/mysql@5.7/lib \
>> -lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
>> newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail
>> 
>> I’ve changed the DHAS_SSL a few times but keep getting the exact same error. 
>> I’m sure it’s a simple thing to fix, but can’t get it to work.
>> 
>> Any ideas?
> 
> Have you really tried -I/usr/local/Cellar/openssl@1.1/1.1.1/include/ ?
> The build log shows -I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl.
> 
> And why do you have multiple versions of openssl (1.0.2p vs 1.0.2q and
> 1.1.1 vs. 1.1.1a) installed?

Thanks Herbert.

Well, I thought that’s what I was using, but I’ve tried so many variations. 
Removed the ‘/openssl’ and now I get:

c/postfix\" -DHAS_PCRE -I/usr/local/opt//include -DHAS_SSL 
-I/usr/local/Cellar/openssl@1.1/1.1.1/include -DHAS_MYSQL 
-I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
-DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment -g -O -I. -I../../include -DMACOSX  -o master master.o 
master_conf.o master_ent.o master_sig.o master_avail.o master_spawn.o 
master_service.o master_status.o master_listen.o master_vars.o master_wakeup.o 
master_watch.o master_flow.o master_monitor.o ../../lib/libglobal.a 
../../lib/libutil.a -L/usr/local/lib -lpcre -lssl -lcrypto 
-L/usr/local/opt/mysql@5.7/lib -lmysqlclient -lz -lm -flat_namespace -lresolv 
ld: library not found for -lssl
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [master] Error 1

Homebrew installed openssl 1.0.2 when I installed either stunnel or MySQL@5.7 
as Homebrew won’t let me uninstall that version as they are using it. Suppose 
I’ll have to work out how to have Homebrew install them with OpenSSL@1.1.1 
somehow.

James.

Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

2018-11-28 Thread James Brown
I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 
3.3.2 but it always ends with:

cc -I. -I../../include -DUSE_TLS -DUSE_SASL_AUTH 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DHAS_PCRE 
-I/usr/local/opt//include -DHAS_SSL 
-I/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl -DHAS_MYSQL 
-I/usr/local/opt/mysql@5.7/include/mysql -DBIND_8_COMPAT -DNO_NETINFO 
-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI -DDEF_SMTPUTF8_ENABLE=\"no\" 
-DHAS_DEV_URANDOM -DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" -UUSE_DYNAMIC_LIBS 
-DDEF_SHLIB_DIR=\"no\" -UUSE_DYNAMIC_MAPS -Wmissing-prototypes -Wformat 
-Wno-comment  -g -O -I. -I../../include -DMACOSX -c abounce.c
In file included from abounce.c:187:
./mail_params.h:20:10: fatal error: 'openssl/opensslv.h' file not found
#include <openssl/opensslv.h>    /* OPENSSL_VERSION_NUMBER */
 ^~~~
1 error generated.
make: *** [abounce.o] Error 1

opensslv.h is at:

$ locate opensslv.h
/usr/local/Cellar/openssl/1.0.2p/include/openssl/opensslv.h
/usr/local/Cellar/openssl/1.0.2q/include/openssl/opensslv.h
/usr/local/Cellar/openssl@1.1/1.1.1/include/openssl/opensslv.h
/usr/local/Cellar/openssl@1.1/1.1.1a/include/openssl/opensslv.h

My Make script is:

$ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1/1.1.1/include \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -lssl -lcrypto -L/usr/local/opt/mysql@5.7/lib \
-lmysqlclient -lz -lm'  sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mail

I’ve changed the DHAS_SSL a few times but keep getting the exact same error. I’m 
sure it’s a simple thing to fix, but can’t get it to work.

Any ideas?

Thanks,

James.

Re: Compiler error on 3.3.1. Mac Mojave

2018-11-08 Thread James Brown
On 8 Nov 2018, at 8:20 pm, Robert Chalmers  wrote:
> 
> 
> It’s almost through the build but failing on this.
> 
> Undefined symbols for architecture x86_64:
>  "_db_create", referenced from:
>  import-atom in libpostfix-util.dylib
>  "_db_env_create", referenced from:
>  import-atom in libpostfix-util.dylib
>  "_db_version", referenced from:
>  import-atom in libpostfix-util.dylib
> ld: symbol(s) not found for architecture x86_64
> clang: error: linker command failed with exit code 1 (use -v to see 
> invocation)
> make: *** [master] Error 1
> make: *** [update] Error 1
> make: *** [update] Error 2
> 
> 
> My Make script is this:
> 
> make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL 
> -I/usr/local/include/mysql -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL 
> -I/opt/local/include/sasl 
> -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl
>  -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/opt/local/include 
> -DEF_COMMAND_DIR=\"/usr/local/sbin\" 
> -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\" 
> -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" 
> -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
> -DEF_HTML_DIR=\"/usr/share/doc/postfix/html\" 
> -DEF_MANPAGE_DIR=\"/usr/local/man\" 
> -DEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
> -DEF_QUEUE_DIR=\"/private/var/spool/postfix\" 
> -DEF_README_DIR=\"/usr/share/doc/postfix\" 
> -DEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\"' 'AUXLIBS=-L/usr/lib -lsasl2 
> -L/usr/local/opt/openssl/lib -lssl -lcrypto -L/usr/local/lib' 
> 'AUXLIBS_IUUC=-L/usr/local/Cellar/icu4c/62.1/lib -licuuc' 
> 'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' 
> 'AUXLIBS_PCRE=-L/usr/local/lib -lpcre’
> 
> any ideas where to turn?
> Thanks
> Robert

Here’s my make script:

make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1 \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -lssl -lcrypto -L/usr/local/opt/mysql@5.7/lib \
-lmysqlclient -lz -lm' sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mailq

Viktor Dukhovni suggested this a week ago on this mailing list:


You can make the recipe cleaner:

set --  -DUSE_TLS
set -- "$@" -DUSE_SASL_AUTH '-DDEF_SERVER_SASL_TYPE=\"dovecot\"'
set -- "$@" -DHAS_PCRE -I/usr/local/opt/include
set -- "$@" -DHAS_SSL -I/usr/local/opt/openssl@1.1
set -- "$@" -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql
CCARGS="$@"

set --  -L/usr/local/lib
set -- "$@" -lpcre
set -- "$@" -lssl -lcrypto
set -- "$@" -L/usr/local/opt/mysql@5.7/lib -lmysqlclient -lz -lm
AUXLIBS="$@"

set --  config_directory=/usr/local/etc/postfix
set -- "$@" command_directory=/usr/local/sbin 
set -- "$@" daemon_directory=/usr/local/libexec/postfix
set -- "$@" sendmail_path=/usr/local/sbin/sendmail
set -- "$@" newaliases_path=/usr/local/bin/newaliases
set -- "$@" mailq_path=/usr/local/bin/mailq

make -f Makefile.init makefiles "$@" "CCARGS=${CCARGS}" "AUXLIBS=${AUXLIBS}"


Re: How do I turn on logging for postfix on mac

2018-11-08 Thread James Brown
I’ve been having the same issue. Apple changed their logging system a few 
releases ago (Sierra?) to use the Unified Logging System, which logs to RAM 
rather than disk files.

I can create the file at /var/log/mail.log, give it correct permissions, etc, 
but it remains at 0 bytes.

I have managed to get some info by running this command in a terminal window:

$ log stream --predicate '(process == "smtpd") || (process == "smtp") || 
(process == "master")' -info

I suppose the output could be piped to mail.log.

I have heard of someone compiling Postfix on an older Mac, then moving it 
across to Mojave and it then logs to /var/log/mail.log. 

Hopefully someone knows how to bring back the old functionality.

James.

> On 8 Nov 2018, at 6:57 pm, Robert Chalmers wrote:
> 
> I have been asked how I turn on /var/log/mail.log for postfix on a Mac 
> running Mojave.
> 
> I have it running on mine, but it always has - but I can’t remember if I had 
> to do anything special to turn it on. 
> The person asking has no /var/log/mail.log at all and now I’m curious.
> 
> thanks
> robert



Re: macOS X, Operation not permitted - rename sendmail

2018-11-01 Thread James Brown
On 2 Nov 2018, at 4:11 pm, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
> On Fri, Nov 02, 2018 at 03:09:02PM +1100, James Brown wrote:
> 
>> I run make with:
>> 
>> $ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
>> -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
>> -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
>> -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
>> -DHAS_PCRE -I/usr/local/opt//include \
>> -DHAS_SSL -I/usr/local/opt/openssl@1.1 \
>> -DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' 
>> AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto 
>> -L/usr/local/opt/mysql@5.7/lib \
>> -lmysqlclient -lz -lm
>> 
>> How can I make it use /usr/local for sendmail?
> 
>    http://www.postfix.org/INSTALL.html#build_over
> 
> -- 
>   Viktor.

That was it Viktor, I had already been there, but was using 
'-sendmail_path=/usr/local/sbin/‘. Ie putting a hyphen at the front out of 
habit.

Removed the hyphen and got:

Updating /usr/local/sbin/sendmail...
Updating /usr/bin/newaliases...
rm: /usr/bin/newaliases: Operation not permitted
make: *** [install] Error 1

So obviously I also needed to do a few more.

Anyway, finally got it to work with:

make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1 \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -lssl -lcrypto -L/usr/local/opt/mysql@5.7/lib \
-lmysqlclient -lz -lm' sendmail_path=/usr/local/sbin/sendmail 
newaliases_path=/usr/local/bin/newaliases mailq_path=/usr/local/bin/mailq

Thanks heaps for your help Viktor.

James.

Re: macOS X, Operation not permitted - rename sendmail

2018-11-01 Thread James Brown


> On 1 Oct 2018, at 6:13 pm, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
> On Mon, Oct 01, 2018 at 05:56:57PM +1000, James Brown wrote:
> 
>> I’ve just tried to install Postfix 3.3.1 on macOS X 10.13.6 High Sierra.
>> 
>> Sudo make install finishes with:
>> 
>> Updating /usr/sbin/sendmail...
> 
> In MacOSX /usr is immutable, except during upgrade reboots.  You
> can't install Postfix in /usr.  You need to build it for installation
> in /usr/local.  This also means you can't replace /usr/sbin/sendmail,
> but that should not be a problem, since the system-provided sendmail
> will write compatible queue files, and the Postfix you build in
> /usr/local can use the same queue-directory (owned by the "_postfix"
> user and group-writable by "_postdrop").

Thanks Viktor.

I run make with:

$ make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1 \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -lssl -lcrypto -L/usr/local/opt/mysql@5.7/lib \
-lmysqlclient -lz -lm

How can I make it use /usr/local for sendmail?

Thanks,

James.

macOS X, Operation not permitted - rename sendmail

2018-10-01 Thread James Brown
I’ve just tried to install Postfix 3.3.1 on macOS X 10.13.6 High Sierra.

Sudo make install finishes with:

Updating /usr/sbin/sendmail...
mv: rename /Users/jlbrown/Downloads/postfix-3.3.1/junk to /usr/sbin/sendmail: 
Operation not permitted
make: *** [install] Error 1

My make command was:

make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/openssl@1.1 \
-DHAS_MYSQL -I/usr/local/opt/mysql@5.7/include/mysql' AUXLIBS='-L/usr/local/lib 
-lpcre -lssl -lcrypto -L/usr/local/opt/mysql@5.7/lib \


Is this a SIP thing?

Anyone come across this? How to fix?

(I’ve been using Homebrew to install the other bits, but there is no formula 
for Postfix)

Thanks,

James.

Re: HowTo AntiSpam for "Beginners"

2016-01-14 Thread James Brown
I use ASSP, which is incredibly comprehensive as an anti-malware solution for 
mail servers.

It integrates with clamav - make sure you get the third party signatures like 
SaneSecurity, as that will stop heaps more.

It’s under active development.

It has heaps of configuration options, so might seem intimidating, but the 
defaults have been carefully chosen so you won’t need to change them.

James.

> On 15 Jan 2016, at 9:17 AM, Dennis Steinkamp  wrote:
> 
> Hi,
> 
> it’s been a journey the last few weeks and i certainly learned a lot about 
> postfix and mail delivery in general.
> Let me take this opportunity to say thank you to all the people on the 
> mailing list who sacrifice some of their time on a daily basis to help others.
> I am sure it can be really annoying for some people to answer those 
> questions, especially if they occur repeatedly.
> 
> That being said i have of course a new question of my own for you guys out 
> there. :)
> 
> It appears to me, that the tricky part about mailservers lies within the vast 
> possibilities of defending spam and how to choose the right tool(s) for a 
> certain scenario.
> There is greylisting (postgrey), policyd-weight, postscreen, classical 
> content filters like spam assassin, anti virus tools like clamav, other 
> interfaces like amavisd-new
> that can be used to filter after queue or even before queue, not to mention 
> all the relay and access control options of postfix itself and i probably 
> missed a few others. ^^
> Some of these tools share (at least for me) some similarities or even seem 
> redundant and i honestly don`t know how to pick the right tool(s) to build a 
> solid defense for my own mailserver.
> I know there is probably no definite answer to this cause there are different 
> tools for different problems and circumstances but as a general rule of thumb 
> to build a mailserver in 2016, what
> anti spam tools can you recommend for my own (private) mailserver.
> 
> Is greylisting still something worth considering for general setups? Its 
> probably a huge debate but the information i gathered on this matter is 
> pretty controversial.
> Isn`t the anti spam effect of greylisting supposed to diminish anyway, 
> because the more people use it, the less effective it becomes due to the fact 
> that spammer are at some point forced to adapt to this.
> I tried to think about it as good as my limited knowledge allowed me to and 
> my approach therefor would be to use postscreen in conjunction with 
> policyd-weight and amavisd-new for after queue content filtering.
> Does this sound reasonable to you?
> 
> Thank you guys, i appreciate all your anwers. :)
> 
> Dennis





Re: Postfix stable release 2.11.3 and legacy releases 2.10.5, 2.9.11, and 2.8.19

2014-10-19 Thread James Brown

 On 20 Oct 2014, at 3:12 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Mon, Oct 20, 2014 at 03:00:01PM +1100, James Brown wrote:
 
 * Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure.
 
 Doesn't seem to work for me. :-(
 
 Don't blame the messenger

I’m definitely not! Sorry if I came across that way.

 , your compilation environment is broken.
 
 $ make -f Makefile.init makefiles \
 CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
 -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
 -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
 -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
 -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
 -DHAS_PCRE -I/usr/local/include \
 -DHAS_MYSQL -I/usr/local/mysql/include' \
 AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto -L/usr/local/mysql/lib \
 -lmysqlclient -lz -lm -lresolv'
 
 You should no longer need to specify -lresolv (though it won't
 fix this problem), and should never have needed to specify -arch x86_64.
 
 In file included from /usr/include/stdlib.h:65:
 In file included from /usr/include/sys/wait.h:116:
 In file included from /usr/include/sys/signal.h:148:
 In file included from /usr/include/sys/_structs.h:57:
 In file included from /usr/include/machine/_structs.h:29:
 /usr/include/i386/_structs.h:38:10: fatal error: 'mach/i386/_structs.h' file 
 not found
 #include <mach/i386/_structs.h>
 ^
 1 error generated.
 make: *** [Makefiles] Error 1
 make: *** [makefiles] Error 2
 
 You'll find that 2.11.2 also no longer compiles.
 
 Nothing between 2.11.2 and 2.11.3 changed in this regard.  Did you
 upgrade your OS (to Yosemite)?

Nope, still on OS X 10.7. Updated iTunes, but that shouldn’t affect anything.

Opened Xcode, went to Preferences/Downloads and saw that there was an Install 
button next to “Command Line Tools”. Mystery solved!

Installing them now. 

The -arch x86_64 was needed in the past to stop it defaulting to a 32-bit 
install. Will remove that and the -lresolv, then have another go.

Thanks,

James.



Re: Postfix stable release 2.11.3 and legacy releases 2.10.5, 2.9.11, and 2.8.19

2014-10-19 Thread James Brown

 On 20 Oct 2014, at 11:04 am, Wietse Venema wie...@porcupine.org wrote:
 
 Portability fix for Postfix 2.11:
 
  * Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure.

Doesn’t seem to work for me. :-(

$ cd postfix-2.11.3 
$ make -f Makefile.init makefiles \
 CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
 -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
 -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
 -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
 -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
 -DHAS_PCRE -I/usr/local/include \
 -DHAS_MYSQL -I/usr/local/mysql/include' \
 AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto -L/usr/local/mysql/lib \
 -lmysqlclient -lz -lm -lresolv'
make -f Makefile.in MAKELEVEL= Makefiles
(echo "# Do not edit -- this file documents how Postfix was built for your 
machine."; /bin/sh makedefs) >makedefs.tmp
In file included from makedefs.test.c:2:
In file included from /usr/include/stdlib.h:65:
In file included from /usr/include/sys/wait.h:116:
In file included from /usr/include/sys/signal.h:148:
In file included from /usr/include/sys/_structs.h:57:
In file included from /usr/include/machine/_structs.h:29:
/usr/include/i386/_structs.h:38:10: fatal error: 'mach/i386/_structs.h' file 
not found
#include <mach/i386/_structs.h>
 ^
1 error generated.
make: *** [Makefiles] Error 1
make: *** [makefiles] Error 2

The above make command got 2.11.2 to compile for me (thanks again to Viktor).

James.





Re: Postfix stable release 2.11.3 and legacy releases 2.10.5, 2.9.11, and 2.8.19

2014-10-19 Thread James Brown

 On 20 Oct 2014, at 3:22 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Mon, Oct 20, 2014 at 04:12:00AM +, Viktor Dukhovni wrote:
 
 You'll find that 2.11.2 also no longer compiles.
 
 Nothing between 2.11.2 and 2.11.3 changed in this regard.  Did you
 upgrade your OS (to Yosemite)?  Or upgrade your compiler?  Your
 /usr/include/stdlib.h no longer compiles with default flags.
 
 I have:
 
$ cc -v
Apple LLVM version 6.0 (clang-600.0.51) (based on LLVM 3.5svn)
Target: x86_64-apple-darwin13.4.0
Thread model: posix
 
 What do you have?
 
 -- 
   Viktor.

$ cc -v
Apple clang version 3.1 (tags/Apple/clang-318.0.58) (based on LLVM 3.1svn)
Target: x86_64-apple-darwin11.4.2
Thread model: posix

(Still downloading the Command Line Tools).

James.





Re: Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-10-14 Thread James Brown

 On 14 Oct 2014, at 4:13 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Tue, Oct 14, 2014 at 03:16:17PM +1100, James Brown wrote:
 
 Victor, changing the order so that it is:
 
 make -f Makefile.init makefiles \
 CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
 -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
 -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
 -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
 -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
 -DHAS_PCRE -I/usr/local/include \
 -DHAS_SSL -I/usr/include/openssl \
 -DHAS_MYSQL -I/usr/local/mysql/include' \
 AUXLIBS='-L/usr/local/lib -llber -lresolv -L/usr/lib \
 -L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib \
 -lmysqlclient -lz -lm'
 
 and it stopped the errors re PCRE.
 
 What's -llber for?  It is a support library for libldap, but
 you're not using LDAP.  And you still have much too much complexity
 and inconsistent preference between /usr and /usr/local for headers
 vs. libraries.
 
 Much more likely to work is:
 
 $ make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH
   -DDEF_SERVER_SASL_TYPE=\"dovecot\"
   -DDEF_COMMAND_DIR=\"/usr/local/sbin\"
   -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\"
   -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\"
   -DHAS_PCRE -I/usr/local/include
   -DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto
   -L/usr/local/mysql/lib -lmysqlclient -lz -lm'


Thanks for your help Victor.

make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto -L/usr/local/mysql/lib \
-lmysqlclient -lz -lm'

gives me:

Undefined symbols for architecture x86_64:
  _res_9_init, referenced from:
  _dns_lookup_r in libdns.a(dns_lookup.o)
  _res_9_search, referenced from:
  _dns_lookup_r in libdns.a(dns_lookup.o)
  _res_9_dn_expand, referenced from:
  _dns_lookup_r in libdns.a(dns_lookup.o)
  _valid_rr_name in libdns.a(dns_lookup.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [smtpd] Error 1
make: *** [update] Error 1

:-(

Agree that simpler is better!

James.





Re: Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-10-14 Thread James Brown

 On 14 Oct 2014, at 5:26 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Tue, Oct 14, 2014 at 05:19:34PM +1100, James Brown wrote:
 
 Thanks for your help Victor.
 
 make -f Makefile.init makefiles \
 CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
 -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
 -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
 -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
 -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
 -DHAS_PCRE -I/usr/local/include \
 -DHAS_MYSQL -I/usr/local/mysql/include' \
 AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto -L/usr/local/mysql/lib \
 -lmysqlclient -lz -lm'
 
 gives me:
 
 Undefined symbols for architecture x86_64:
  _res_9_init, referenced from:
  _dns_lookup_r in libdns.a(dns_lookup.o)
  _res_9_search, referenced from:
  _dns_lookup_r in libdns.a(dns_lookup.o)
  _res_9_dn_expand, referenced from:
  _dns_lookup_r in libdns.a(dns_lookup.o)
  _valid_rr_name in libdns.a(dns_lookup.o)
 ld: symbol(s) not found for architecture x86_64
 clang: error: linker command failed with exit code 1 (use -v to see 
 invocation)
 make: *** [smtpd] Error 1
 make: *** [update] Error 1
 
 What version of MacOSX are you running?  (Post the output of uname
 -sr.)  The Postfix makedefs script has:
 
   # Darwin 12.x (MacOS X 10.8.x), maybe earlier, needs libresolv.
   case $RELEASE in
   ?.*|1[0-1].*) ;;
  *) SYSLIBS="$SYSLIBS -lresolv";;
   esac
 
 Perhaps you have one of those "maybe earlier" systems.  If you have
 a non-system libresolv in /usr/local or similar, remove it, you
 should be using the Apple provided libresolv.
 
 -- 
   Viktor.

Mac OS X 10.7.4.

$ uname -sr
Darwin 11.4.2

I have:

/usr/lib/libresolv.9.dylib
/usr/lib/libresolv.dylib

but I haven’t (knowingly!) installed or moved it.

Thanks,

James.



Re: Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-10-14 Thread James Brown

 On 15 Oct 2014, at 4:19 am, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Tue, Oct 14, 2014 at 09:13:41PM +1100, James Brown wrote:
 
 What version of MacOSX are you running?  (Post the output of uname
 -sr.)  The Postfix makedefs script has:
 
 # Darwin 12.x (MacOS X 10.8.x), maybe earlier, needs libresolv.
 case $RELEASE in
 ?.*|1[0-1].*) ;;
*) SYSLIBS="$SYSLIBS -lresolv";;
 esac
 
 Perhaps you have one of those "maybe earlier" systems.  If you have
 a non-system libresolv in /usr/local or similar, remove it, you
 should be using the Apple provided libresolv.
 
 Mac OS X 10.7.4.
 
 $ uname -sr
 Darwin 11.4.2
 
 I have:
 
 /usr/lib/libresolv.9.dylib
 /usr/lib/libresolv.dylib
 
 Ah, so you do have one of the maybe earlier systems and -lresolv
 is also needed for Darwin 11.  Append -lresolv to AUXLIBS.  Or
 else apply this patch with Postfix 2.11 or later:
 
 diff --git a/makedefs b/makedefs
 index 1566b95..910ddbb 100644
 --- a/makedefs
 +++ b/makedefs
 @@ -576,9 +576,9 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543
?.*) CCARGS=$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H;;
  *) CCARGS=$CCARGS 
 -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H;;
   esac
 - # Darwin 12.x (MacOS X 10.8.x), maybe earlier, needs libresolv.
 + # Darwin 11.x (MacOS X 10.7.x), maybe earlier, needs libresolv.
   case $RELEASE in
 - ?.*|1[0-1].*) ;;
 + ?.*|10.*) ;;
  *) SYSLIBS=$SYSLIBS -lresolv;;
   esac
   # kqueue and/or poll are broken in MacOS X 10.5 (Darwin 9).
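Review bot: the rewritten comment above the case arm still says "maybe earlier", but the new pattern `?.*|10.*` hard-excludes every release up to and including Darwin 10 from getting -lresolv, so the comment and the code disagree about whether older systems are covered. Either drop "maybe earlier" and say that Darwin 11.x is the oldest release known to need libresolv (the report in this thread is Darwin 11.4.2), or widen the pattern if Darwin 10 is genuinely in doubt.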
 
 -- 
   Viktor.

Thanks Viktor - that worked!

I added -lresolv to AUXLIBS:

make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -lpcre -lssl -lcrypto -L/usr/local/mysql/lib \
-lmysqlclient -lz -lm -lresolv'

Hopefully new Mac Minis will be released tomorrow and then I’ll bring my mail 
server to Yosemite and this won’t be a problem going forward.

Thanks again for all your help,

James.



Re: Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-10-13 Thread James Brown

 On 17 Jul 2014, at 11:41 am, James Brown jlbr...@bordo.com.au wrote:
 
 
 On 16 Jul 2014, at 5:10 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Wed, Jul 16, 2014 at 04:49:49PM +1000, James Brown wrote:
 
 So change to:
 
 AUXLIBS=‘-L/usr/local/lib -llber -lresolv -L/usr/lib … ?
 
 Something like that.  Since you're using headers from /usr/local/include,
 you need the libpcre from /usr/local/lib.
 
 Victor, changing the order so that it is:
 
 make -f Makefile.init makefiles \
 CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
 -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
 -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
 -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
 -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
 -DHAS_PCRE -I/usr/local/include \
 -DHAS_SSL -I/usr/include/openssl \
 -DHAS_MYSQL -I/usr/local/mysql/include' \
 AUXLIBS='-L/usr/local/lib -llber -lresolv -L/usr/lib \
 -L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib \
 -lmysqlclient -lz -lm'
 
 and it stopped the errors re PCRE.
 
 I get other errors re FIPS, but I’ll start another thread for that.
 
 Thanks for your help.
 
 James.

Just downloaded 2.11.2 and the command I used for 2.11.1 before (see above) no 
longer works.

Ends in:

 -llber -lresolv -L/usr/local/lib -L/usr/local/lib -lpcre -lssl 
-L/usr/local/mysql/lib -lmysqlclient -lz -lm -flat_namespace
Undefined symbols for architecture x86_64:
  _pcre_free_study, referenced from:
  _dict_pcre_open in libutil.a(dict_pcre.o)
  _dict_pcre_close in libutil.a(dict_pcre.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [sendmail] Error 1
make: *** [update] Error 1

Have upgraded bash since successfully installing 2.11.1

Searching for libpcre finds:

/usr/lib/libpcre.0.dylib
/usr/lib/libpcre.dylib
/usr/lib/libpcreposix.0.dylib
/usr/lib/libpcreposix.dylib
/usr/lib/pkgconfig/libpcre.pc
/usr/lib/pkgconfig/libpcreposix.pc
/usr/local/lib/libpcre.0.dylib
/usr/local/lib/libpcre.1.dylib
/usr/local/lib/libpcre.a
/usr/local/lib/libpcre.dylib
/usr/local/lib/libpcre.la
/usr/local/lib/libpcrecpp.0.dylib
/usr/local/lib/libpcrecpp.a
/usr/local/lib/libpcrecpp.dylib
/usr/local/lib/libpcrecpp.la
/usr/local/lib/libpcreposix.0.dylib
/usr/local/lib/libpcreposix.a
/usr/local/lib/libpcreposix.dylib
/usr/local/lib/libpcreposix.la
/usr/local/lib/pkgconfig/libpcre.pc
/usr/local/lib/pkgconfig/libpcrecpp.pc
/usr/local/lib/pkgconfig/libpcreposix.pc

Any suggestions?

Thanks,

James.







Re: Compile errors on Mac: Undefined symbols for architecture x86_64: _FIPS_md_ctx_create

2014-07-17 Thread James Brown

 On 17 Jul 2014, at 3:37 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Thu, Jul 17, 2014 at 03:22:28PM +1000, James Brown wrote:
 
 $ locate lib/libssl
 /usr/lib/libssl.0.9.7.dylib
 /usr/lib/libssl.0.9.8.dylib
 /usr/lib/libssl.1.0.0.dylib
 /usr/lib/libssl.a
 /usr/lib/libssl.dylib
 /usr/local/ssl/lib/libssl.a
 
 I expected that you only had static libs in /usr/local, and the
 linker searched the path for dynamic libs first.   Turns out that's
 only part of the story, the libraries are /usr/local/ssl/lib/ (any
 symlinks from /usr/local/lib?  locate(1) may be telling the whole
 story).

No mention of ssl in /usr/local/lib

 
 I'm guessing ssl directory at /usr/local/ is the problem?
 If so, mv everything from /usr/local/ssl/ to corresponding place in 
 /usr/local?
 
 No, rather adjust AUXLIBS to match the correct install location.   But
 you built static OpenSSL libraries, and should have build shared ones.

OK. Will rebuild OpenSSL as per your ./Configure, and then I won’t have to 
change AUXLIBS, correct?
 
 The Makefile from my OpenSSL 1.0.1h directory has:
 
 PLATFORM=darwin64-x86_64-cc
 OPTIONS=--prefix=/usr/local --with-fipsdir=/usr/local fips 
 no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 
 no-rsax no-sctp no-shared no-store no-zlib no-zlib-dynamic static-engine
 
 Why “no-shared”?

No idea.

 Why fips?  Nobody in their right mind wants
 fips unless forced to sell to the USG, or forced to use by USG.

Because new version (5.02) of Stunnel was not giving the error “configure: 
WARNING: OpenSSL fips header not found”. No longer needed in the 5.03 beta:

The idea is that you need an OpenSSL library built with a FIPS canister.
stunnel then only uses this library, and not directly the canister.

Consequently, the FIPS header file is no longer used by stunnel.
I removed the dead code.  Please try:
 https://www.stunnel.org/downloads/beta/stunnel-5.03b1.tar.gz 
-Mike Trojnara


 
 I think I just used ./configure  darwin64-x86_64-cc
 
./Configure --prefix=/usr/local shared darwin64-x86_64-cc

Will do.

 
 But you really should consider homebrew or macports.  The only
 downside of homebrew is that the libraries belong to a non-root
 user.  So if that user is compromised, so is root.  On a typical
 personal system, that's not much of an issue.  In any case you need
 to choose a package management system (homebrew, macports, pkgsrc,
 ...) and use it consistently.  You're having too much trouble
 doing the integration from the ground up.

This is definitely something I need to look into!

Thanks,

James.



Re: Compile errors on Mac: Undefined symbols for architecture x86_64: _FIPS_md_ctx_create

2014-07-17 Thread James Brown
./Configure --prefix=/usr/local shared darwin64-x86_64-cc

Configured OpenSSL using this, then was able to use:

make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -L/usr/lib  -L/usr/local/mysql/lib \
-llber -lresolv -lpcre -lssl -lcrypto -lmysqlclient -lz -lm'

and sudo make install.

And it all worked perfectly:

postfix/master[33781]: daemon started -- version 2.11.1, configuration 
/usr/local/etc/postfix

Thanks heaps for all your patience and help Victor and Wietse,

James.



Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-07-16 Thread James Brown
I’ve tried to upgrade my installation of Postfix from 2.10 to 2.11 (and to 
2.11.1), but get this error:

Undefined symbols for architecture x86_64:
 _pcre_free_study, referenced from:
 _dict_pcre_open in libutil.a(dict_pcre.o)
 _dict_pcre_close in libutil.a(dict_pcre.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [sendmail] Error 1
make: *** [update] Error 1

I’m using this command to compile:


make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/lib -llber -lresolv -L/usr/local/lib \
-L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib \
-lmysqlclient -lz -lm'

after installing PCRE library using:

CFLAGS="-arch x86_64" \
CXXFLAGS="-arch x86_64" \
./configure
make
sudo make install

OS is Mac OS X 10.7.5

Any suggestions?

Thanks,

James.



Re: Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-07-16 Thread James Brown
Thanks Viktor.

 On 16 Jul 2014, at 4:23 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Wed, Jul 16, 2014 at 04:04:27PM +1000, James Brown wrote:
 
 I've tried to upgrade my installation of Postfix from 2.10 to
 2.11 (and to 2.11.1), but get this error:
 
 Undefined symbols for architecture x86_64:
 _pcre_free_study, referenced from:
 _dict_pcre_open in libutil.a(dict_pcre.o)
 _dict_pcre_close in libutil.a(dict_pcre.o)
 ld: symbol(s) not found for architecture x86_64
 clang: error: linker command failed with exit code 1 (use -v to see 
 invocation)
 
 Your PCRE headers don't match the library, they define
 PCRE_STUDY_JIT_COMPILE, which was introduced at the same time as
 pcre_free_study().
 
 -DHAS_PCRE -I/usr/local/include \
 AUXLIBS='-L/usr/lib -llber -lresolv -L/usr/local/lib \
 
 In CCARGS /usr/local/include is first. In AUXLIBS /usr/lib is first.

So change to:

AUXLIBS=‘-L/usr/local/lib -llber -lresolv -L/usr/lib … ?
 
 Is there a libpcre in /usr/lib?

In /usr/lib there is:

-rwxr-xr-x   1 root  wheel  390528  3 Jul  2011 libpcre.0.dylib
lrwxr-xr-x   1 root  wheel      15  3 Jul  2011 libpcre.dylib -> libpcre.0.dylib
-rwxr-xr-x   1 root  wheel   34672  3 Jul  2011 libpcreposix.0.dylib
lrwxr-xr-x   1 root  wheel      20  3 Jul  2011 libpcreposix.dylib -> libpcreposix.0.dylib

James.



Re: Compile errors on Mac Undefined symbols for architecture x86_64: _pcre_free_study

2014-07-16 Thread James Brown

 On 16 Jul 2014, at 5:10 pm, Viktor Dukhovni postfix-us...@dukhovni.org 
 wrote:
 
 On Wed, Jul 16, 2014 at 04:49:49PM +1000, James Brown wrote:
 
 So change to:
 
 AUXLIBS=‘-L/usr/local/lib -llber -lresolv -L/usr/lib … ?
 
 Something like that.  Since you're using headers from /usr/local/include,
 you need the libpcre from /usr/local/lib.

Victor, changing the order so that it is:

make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -llber -lresolv -L/usr/lib \
-L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib \
-lmysqlclient -lz -lm'

and it stopped the errors re PCRE.

I get other errors re FIPS, but I’ll start another thread for that.

Thanks for your help.

James.





Compile errors on Mac: Undefined symbols for architecture x86_64: _FIPS_md_ctx_create

2014-07-16 Thread James Brown
When compiling on Mac OS 10.7.5 using:


make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -llber -lresolv -L/usr/lib \
-L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib \
-lmysqlclient -lz -lm'

It finishes with:

cc -I. -I../../include -arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH 
-DDEF_SERVER_SASL_TYPE=\dovecot\ -DDEF_COMMAND_DIR=\/usr/local/sbin\ 
-DDEF_CONFIG_DIR=\/usr/local/etc/postfix\ 
-DDEF_DAEMON_DIR=\/usr/local/libexec/postfix\ -DHAS_PCRE -I/usr/local/include 
-DHAS_SSL -I/usr/include/openssl -DHAS_MYSQL -I/usr/local/mysql/include 
-Wmissing-prototypes -Wformat -Wno-comment -DBIND_8_COMPAT -DNO_NETINFO 
-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_KQUEUE -g -O -I. -I../../include 
-DMACOSX -o smtpd smtpd.o smtpd_token.o smtpd_check.o smtpd_chat.o 
smtpd_state.o smtpd_peer.o smtpd_sasl_proto.o smtpd_sasl_glue.o smtpd_proxy.o 
smtpd_xforward.o smtpd_dsn_fix.o smtpd_milter.o smtpd_resolve.o smtpd_expand.o 
smtpd_haproxy.o ../../lib/libmaster.a ../../lib/libtls.a ../../lib/libdns.a 
../../lib/libxsasl.a ../../lib/libmilter.a ../../lib/libdns.a 
../../lib/libglobal.a ../../lib/libutil.a -L/usr/local/lib -llber -lresolv 
-L/usr/lib -L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib -lmysqlclient 
-lz -lm -flat_namespace
Undefined symbols for architecture x86_64:
  _FIPS_md_ctx_create, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_digestinit, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_digestupdate, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_digestfinal, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_md_ctx_destroy, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_evp_sha224, referenced from:
  _tls_validate_digest in libtls.a(tls_misc.o)
  _FIPS_evp_sha384, referenced from:
  _tls_validate_digest in libtls.a(tls_misc.o)
  _FIPS_evp_sha512, referenced from:
  _tls_validate_digest in libtls.a(tls_misc.o)
  _FIPS_bn_bin2bn, referenced from:
  _tls_get_dh in libtls.a(tls_dh.o)
  _FIPS_ec_key_new_by_curve_name, referenced from:
  _tls_set_eecdh_curve in libtls.a(tls_dh.o)
  _FIPS_bn_new, referenced from:
  _tls_tmp_rsa_cb in libtls.a(tls_rsa.o)
  _fips_bn_set_word, referenced from:
  _tls_tmp_rsa_cb in libtls.a(tls_rsa.o)
  _FIPS_rsa_generate_key_ex, referenced from:
  _tls_tmp_rsa_cb in libtls.a(tls_rsa.o)
  _FIPS_bn_free, referenced from:
  _tls_tmp_rsa_cb in libtls.a(tls_rsa.o)
  _FIPS_add_lock, referenced from:
  _tls_verify_certificate_callback in libtls.a(tls_verify.o)
  _FIPS_free, referenced from:
  _tls_text_name in libtls.a(tls_verify.o)
  _FIPS_evp_sha256, referenced from:
  _ticket_cb in libtls.a(tls_server.o)
  _tls_validate_digest in libtls.a(tls_misc.o)
  _FIPS_evp_aes_128_cbc, referenced from:
  _ticket_cb in libtls.a(tls_server.o)
  _FIPS_rand_bytes, referenced from:
  _ticket_cb in libtls.a(tls_server.o)
  _FIPS_hmac_init_ex, referenced from:
  _ticket_cb in libtls.a(tls_server.o)
  _FIPS_rand_seed, referenced from:
  _tls_int_seed in libtls.a(tls_seed.o)
  _tls_ext_seed in libtls.a(tls_seed.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [smtpd] Error 1
make: *** [update] Error 1

I’m pretty sure I’ve installed OpenSSL-FIPS 2.0.5. Running OpenSSL 1.0.1h.

Searching for fips gives me:

locate fips
/usr/local/bin/fips_standalone_sha1
/usr/local/bin/fipsld
/usr/local/include/openssl/fips.h
/usr/local/include/openssl/fips_rand.h
/usr/local/include/openssl/fipssyms.h
/usr/local/lib/fips_premain.c
/usr/local/lib/fips_premain.c.sha1
/usr/local/lib/fipscanister.o
/usr/local/lib/fipscanister.o.sha1

Thanks,

James.





Re: Compile errors on Mac: Undefined symbols for architecture x86_64: _FIPS_md_ctx_create

2014-07-16 Thread James Brown
On 17 Jul 2014, at 1:14 pm, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
 
 This is silly, the placement of -L options is irrelevant, only
 their relative order matters.  To not get confused, list all -L
 options before  all -lsomelib options, no point in listing
 anything twice.
 
AUXLIBS='-L/usr/local/lib -L/usr/lib  -L/usr/local/mysql/lib \
   -llber -lresolv -lpcre -lssl -lcrypto -lmysqlclient -lz -lm'
 
 you left out -lcrypto, Postfix needs both libssl and libcrypto.
 
 Why on earth -I/usr/include/openssl, that's wrong, remove it.
 
 -- 
   Viktor.

OK, have made those changes, but still get the error.

make command is now:

make -f Makefile.init makefiles \
CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/include \
-DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -L/usr/lib  -L/usr/local/mysql/lib \
-llber -lresolv -lpcre -lssl -lcrypto -lmysqlclient -lz -lm'

make install fails again with:

Undefined symbols for architecture x86_64:
  _FIPS_md_ctx_create, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_digestinit, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
etc.


Yes Wietse, OpenSSL is in two places:

locate bin/openssl
/usr/bin/openssl
/usr/local/ssl/bin/openssl

I usually install things in /usr/local/ as this stops any updates from Apple 
overwriting my installs and configurations.

I apologise if I’ve made stupid mistakes in the configuration!

Thanks,

James.
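
The search-order points raised in this thread (headers taken from /usr/local/include while -L/usr/lib comes first, -L options listed after -l options or listed twice, -lssl without -lcrypto, and -I/usr/include/openssl) can be checked mechanically before running make. The script below is an added example, not part of the original messages and not Postfix tooling; the names prefix_of and lint_build_args and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint CCARGS/AUXLIBS for the mistakes discussed in this thread.
# prefix_of and lint_build_args are hypothetical names, not Postfix tooling.

# Strip a trailing /include or /lib so header and library dirs can be compared.
prefix_of() {
    case $1 in
        */include) printf '%s\n' "${1%/include}" ;;
        */lib)     printf '%s\n' "${1%/lib}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Usage: lint_build_args "$CCARGS" "$AUXLIBS"
# Prints one finding per line; prints nothing when the arguments look consistent.
lint_build_args() {
    ccargs=$1
    auxlibs=$2
    first_inc='' first_lib='' seen_dirs='' seen_l=no has_ssl=no has_crypto=no
    set -f                          # no globbing while word-splitting
    for tok in $ccargs; do
        case $tok in
            -I?*)
                [ -n "$first_inc" ] || first_inc=$(prefix_of "${tok#-I}")
                case $tok in
                    */include/openssl|*/include/openssl/)
                        # Sources include <openssl/...>, so -I must be the parent.
                        echo "inc: $tok names the openssl header directory itself" ;;
                esac ;;
        esac
    done
    for tok in $auxlibs; do
        case $tok in
            -L?*)
                dir=${tok#-L}
                [ -n "$first_lib" ] || first_lib=$(prefix_of "$dir")
                # Not an error by itself, but it hides the real search order.
                [ "$seen_l" = no ] || echo "style: $tok follows a -l option"
                case " $seen_dirs " in
                    *" $dir "*) echo "dup-L: $tok listed more than once" ;;
                esac
                seen_dirs="$seen_dirs $dir" ;;
            -lssl)    seen_l=yes has_ssl=yes ;;
            -lcrypto) seen_l=yes has_crypto=yes ;;
            -l?*)     seen_l=yes ;;
        esac
    done
    set +f
    # Headers and libraries must come from the same installation prefix,
    # otherwise the compiler sees one version and the linker another.
    if [ -n "$first_inc" ] && [ -n "$first_lib" ] && [ "$first_inc" != "$first_lib" ]; then
        echo "order: headers searched first under $first_inc, libraries under $first_lib"
    fi
    if [ "$has_ssl" = yes ] && [ "$has_crypto" = no ]; then
        echo "missing: -lssl without -lcrypto"
    fi
}

# Demo input: the -I and -L/-l options of the first failing command in this
# thread (the -D defines are omitted because the lint ignores them).
demo_ccargs='-I/usr/local/include -I/usr/include/openssl -I/usr/local/mysql/include'
demo_auxlibs='-L/usr/lib -llber -lresolv -L/usr/local/lib -L/usr/local/lib -lpcre -lssl -L/usr/local/mysql/lib -lmysqlclient -lz -lm'
lint_build_args "$demo_ccargs" "$demo_auxlibs"
```

The "order" finding is the one that matches the _pcre_free_study failure: newer PCRE headers under /usr/local, older system libpcre found first under /usr/lib.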



Re: Compile errors on Mac: Undefined symbols for architecture x86_64: _FIPS_md_ctx_create

2014-07-16 Thread James Brown
On 17 Jul 2014, at 1:54 pm, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
 
 On Thu, Jul 17, 2014 at 01:38:39PM +1000, James Brown wrote:
 
 make command is now:
 
 make -f Makefile.init makefiles \
 CCARGS='-arch x86_64 -DUSE_TLS -DUSE_SASL_AUTH \
 -DDEF_SERVER_SASL_TYPE=\"dovecot\" \
 -DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
 -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
 -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
 -DHAS_PCRE -I/usr/local/include \
 -DHAS_MYSQL -I/usr/local/mysql/include' \
 AUXLIBS='-L/usr/local/lib -L/usr/lib  -L/usr/local/mysql/lib \
 -llber -lresolv -lpcre -lssl -lcrypto -lmysqlclient -lz -lm'
 
 
 Better, provided you have SSL libraries in /usr/local/lib.
 
 Undefined symbols for architecture x86_64:
  _FIPS_md_ctx_create, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
  _FIPS_digestinit, referenced from:
  _tls_serverid_digest in libtls.a(tls_fprint.o)
  _tls_data_fprint in libtls.a(tls_fprint.o)
 etc.
 
 And yet you're linking with libraries that don't match the headers.
 
 Yes Wietse, OpenSSL is in two places:
 
 locate bin/openssl
 /usr/bin/openssl
 /usr/local/ssl/bin/openssl
 
 The openssl(1) command is not relevant, we're talking about OpenSSL
 *libraries*, that should be rather clear.

I know, it was a lazy way of me finding out where openssl was installed.
 
  Show what openssl libraries are in /usr/lib and in /usr/local/lib:
 
 In /usr/lib I have:
 
/usr/lib/libssl.0.9.7.dylib
/usr/lib/libssl.0.9.8.dylib
/usr/lib/libssl.dylib
/usr/lib/libcrypto.0.9.7.dylib
/usr/lib/libcrypto.0.9.8.dylib
/usr/lib/libcrypto.dylib

$ locate lib/libssl
/usr/lib/libssl.0.9.7.dylib
/usr/lib/libssl.0.9.8.dylib
/usr/lib/libssl.1.0.0.dylib
/usr/lib/libssl.a
/usr/lib/libssl.dylib
/usr/local/ssl/lib/libssl.a

and $locate libcrypto
/usr/lib/libcrypto.0.9.7.dylib
/usr/lib/libcrypto.0.9.8.dylib
/usr/lib/libcrypto.1.0.0.dylib
/usr/lib/libcrypto.a
/usr/lib/libcrypto.dylib
/usr/lib/pkgconfig/libcrypto.pc
/usr/local/ssl/lib/libcrypto.a
/usr/local/ssl/lib/pkgconfig/libcrypto.pc

I’m guessing ssl directory at /usr/local/ is the problem? If so, mv everything 
from /usr/local/ssl/ to corresponding place in /usr/local?

The Makefile from my OpenSSL 1.0.1h directory has:

PLATFORM=darwin64-x86_64-cc
OPTIONS=--prefix=/usr/local --with-fipsdir=/usr/local fips 
no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-rsax 
no-sctp no-shared no-store no-zlib no-zlib-dynamic static-engine
CONFIGURE_ARGS=--prefix=/usr/local --with-fipsdir=/usr/local fips 
darwin64-x86_64-cc
SHLIB_TARGET=darwin-shared

I think I just used ./configure  darwin64-x86_64-cc

James.



smime.p7s
Description: S/MIME cryptographic signature


Re: Make install or upgrade for new install location

2013-04-30 Thread James Brown

On 01/05/2013, at 3:02 AM, Larry Stone lston...@stonejongleux.com wrote:

 I have been running Postfix under Mac OS X for a number of years (now on OS X 
 10.7.latest (Lion)). I am working on moving away from the Apple provided and 
 customized Postfix to real Postfix built from sources. I've successfully 
 built Postfix but not yet tested. To avoid having it overwritten by Apple 
 updates to Postfix, I'm planning to install in /usr/local/ (e.g. 
 /usr/local/etc/postfix, /usr/local/sbin, and /usr/local/libexec/postfix).
 
 When it comes time to install, do I do make install or make upgrade? It's 
 not clear to me if make upgrade will work when the upgrade is in a 
 different location than the previous version.
 
 -- Larry Stone
   lston...@stonejongleux.com

Have you had a look at http://diymacserver.com/ ?

Go to the Documentation page.

It shows you how to install Postfix (and Dovecot, etc) independently of Apple's 
installation. Following this you can run Apple updates without fear of your 
Postfix settings being messed up.

It's been absolutely essential for me.

James.



Re: Best anti-spam

2008-10-21 Thread James Brown


On 22/10/2008, at 9:29 AM, Jim Balo wrote:


Hi,

I am currently using Postfix w/ Amavis-new, Pyzor, DCC and Clam.
I have trained the Bayesian Classifier with over 2,000 ham and 2,000
spam, but I am still getting quite a bit of spam.

I am about to install a new mail server and I wonder if there is
something better than SpamAssassin that works well with Postfix?
The whole combination of Amavis, Pyzor, DCC, etc. seems a bit
complex and it also uses quite a bit of system resources.

I saw someone recommend policy-weightd, but that is no longer
developed since February 2008.  I also came across ASSP, but I do
not know much about it yet.

Could someone recommend a really good open source or affordable
commercial anti-spam solution?

Thanks,
JB

Ps. Maybe it is just that I need to tweak SpamAssassin better?
Some good links on this would be helpful as well.



ASSP with ClamAV (make sure you use the Sane Security sigs!) will cut  
your spam to practically none.


James.



Re: [OFF]: DKIM broken by certain email clients

2008-09-25 Thread James Brown

Robert Schetterer wrote:

James Brown wrote:
Would anyone who checks DKIM sigs on incoming mails mind if I send 
them an email directly?


That way I can make sure it is not just the DKIM reflector that's 
giving false results somehow.


Thanks,

James.


Have you already tried Sender Auth Test Service [EMAIL PROTECTED] ?


Yes thanks Robert, Wietse suggested it to me. It gives the same result:

Authentication System:   DomainKeys Identified Mail
 Result:   DKIM signature confirmed BAD
 Description:  Signature verification failed, message may 
have been tampered with or corrupted
 Reporting host:   sendmail.net 

I'm sending this reply using Thunderbird rather than Mail.app to see how 
the headers differ.


I've tried sending without going through the ASSP anti-spam proxy to no 
avail. Likewise using amavisd-new.


Thanks,

James.




Re: [OFF]: DKIM broken by certain email clients

2008-09-25 Thread James Brown

On 25/09/2008, at 11:03 PM, Mark Martinec wrote:


James,


I'll have to work out how to turn off going through amavisd-new next.


amavisd-new is DKIM-clean, it will not break a signature.
Something else is modifying your Mime-Version header field.

 Mark


Yes, I thought it must be DKIM-clean, but took it out of the traffic  
flow and I still had problems. I did the same with ASSP. So that  
leaves either a faulty setup or bug in: the mail client, Postfix or  
Astaro. Given how robust Postfix is, I doubt if there is a bug there. But  
something being misconfigured by me is highly likely.


Examining the headers of the email I sent to this list:
1. Received: 	from [192.168.1.10] ([127.0.0.1] helo=[192.168.1.10]) by  
ASSP-nospam; 25 Sep 2008 11:30:43 +1000


OK. This is from my computer to ASSP (running on the mail server).

2. Received: 	from [192.168.1.10] (localhost [127.0.0.1]) by  
mail.bordo.com.au (Postfix) with ESMTP id F1C65438F9BB for postfix-users@postfix.org 
;Thu, 25 Sep 2008 11:30:43 +1000 (EST)


ASSP sends it to Postfix.

3. Received: 	from mail.bordo.com.au ([127.0.0.1]) by localhost  
(mail.bordo.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP  
id pW2vMuVVzAvF for postfix-users@postfix.org; Thu, 25 Sep 2008  
11:30:44 +1000 (EST)


Postfix sends it to amavisd-new on port 10024.

4. Received: 	from localhost (localhost [127.0.0.1]) by  
mail.bordo.com.au (Postfix) with ESMTP id 937DC438F9DE for postfix-users@postfix.org 
; Thu, 25 Sep 2008 11:30:48 +1000 (EST)


amavisd-new re-injects it back into Postfix queue.

5. Received: 	from [192.168.1.9] (port=62062 helo=mail.bordo.com.au)  
by astaro1.bordo.com.au with esmtp (Exim 4.69) (envelope-from [EMAIL PROTECTED] 
) id 1Kifh5-0007BX-2h for postfix-users@postfix.org; Thu, 25 Sep  
2008 11:30:59 +1000


Postfix sends it to the Astaro box. This should be where it gets DKIM  
signed and sent to the internet. Nothing suspicious up to now, correct?


6. Received: 	from [192.168.1.10] ([127.0.0.1] helo=[192.168.1.10]) by  
ASSP-nospam; 25 Sep 2008 11:30:43 +1000


? My computer sends the email again?? We are back at the start for  
some reason!


7. Received: 	from [192.168.1.10] (localhost [127.0.0.1]) by  
mail.bordo.com.au (Postfix) with ESMTP id F1C65438F9BB for postfix-users@postfix.org 
; Thu, 25 Sep 2008 11:30:43 +1000 (EST)


ASSP sending to Postfix.

8. Received: 	from mail.bordo.com.au ([127.0.0.1]) by localhost  
(mail.bordo.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP  
id pW2vMuVVzAvF for postfix-users@postfix.org; Thu, 25 Sep 2008  
11:30:44 +1000 (EST)


Postfix to amavisd-new.

9. Received: 	from localhost (localhost [127.0.0.1]) by  
mail.bordo.com.au (Postfix) with ESMTP id 937DC438F9DE for postfix-users@postfix.org 
; Thu, 25 Sep 2008 11:30:48 +1000 (EST)


Postfix reinjection.

10. Received: 	from [192.168.1.9] (port=62062 helo=mail.bordo.com.au)  
by astaro1.bordo.com.au with esmtp (Exim 4.69) (envelope-from [EMAIL PROTECTED] 
) id 1Kifh5-0007BX-2h for postfix-users@postfix.org; Thu, 25 Sep  
2008 11:30:59 +1000


Postfix to Astaro. Don't know if Astaro re DKIM signs it here or now.

11. Received: 	from astaro1.bordo.com.au  
(203-206-204-254.perm.iinet.net.au [203.206.204.254]) by  
english-breakfast.cloud9.net (Postfix) with ESMTP id 11BCEC9911 for postfix-users@postfix.org 
; Wed, 24 Sep 2008 21:31:02 -0400 (EDT)


Message delivered to destination mail server.



How can this happen??



The Astaro box is doing S/MIME signing and encrypting, but I got the  
same DKIM failure with it turned off.


Same for Mail.app using SSL on port 465. Same error when I turned that  
off. (I'll send this on without SSL).


This has me totally mystified.



James.

I still don't understand how using a different mail client can affect  
things.









Re: [OFF]: DKIM broken by certain email clients

2008-09-24 Thread James Brown

On 24/09/2008, at 12:00 PM, Victor Duchovni wrote:


On Wed, Sep 24, 2008 at 11:05:21AM +1000, James Brown wrote:

I've just set up DKIM on my mail system (via Astaro Security  
Gateway).


If I send an email to [EMAIL PROTECTED] it comes back
saying:

DKIM check details:
Result: fail (signature doesn't verify)

The same thing happens sending from my iPhone.

But it works fine sending from the same computer using Thunderbird. Or
if I use webmail (Roundcube or Ilohamail) to send the email.

All are sending through the same mail server (Postfix), same account,
with and without SSL.

Has anyone had any similar problems with DKIM and Mail.app?


Is the incoming message 8-bit MIME? Is it signed first and down-converted
to 7-bit later?

The MX host for verifier.port25.com seems to offer 8BITMIME, how does
your mail get there after it is signed?

smtp-finger:  220 verifier.port25.com (PowerMTA(TM) v3.5r1) ESMTP service ready

smtp-finger:  EHLO amnesiac.example.com
smtp-finger:  250-verifier.port25.com says hello
smtp-finger:  250-ENHANCEDSTATUSCODES
smtp-finger:  250-PIPELINING
smtp-finger:  250-CHUNKING
smtp-finger:  250-8BITMIME
smtp-finger:  250-AUTH CRAM-MD5
smtp-finger:  250-AUTH=CRAM-MD5
smtp-finger:  250-XACK
smtp-finger:  250-SIZE 0
smtp-finger:  250-VERP
smtp-finger:  250 DSN

--
Viktor.


Thanks Viktor.

When I telnet in from home to my work mail server I get:

telnet mail.bordo.com.au 2525
Trying 203.206.204.254...
Connected to mail.bordo.com.au.
Escape character is '^]'.
220 mail.bordo.com.au ESMTP Postfix
ehlo me
250-mail.bordo.com.au
250-SIZE 10240
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

But this goes directly to my postfix server, bypassing the Astaro SMTP  
Proxy as I'm using port 2525 (my ISP blocks port 25 except to their  
mail server). Would you mind telnetting in on port 25 and see what it  
says?


How can I tell if I'm sending as 8-bit or 7-bit MIME?

Thanks,

James.
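
The signed-then-down-converted case Viktor asks about, as an added example that is not part of the original thread: a DKIM body hash (bh=) computed over an 8-bit body stops matching once a relay re-encodes that body as quoted-printable. The sample body is constructed, and `is_8bit`, `downconvert` and `body_hash` are hypothetical helper names.

```python
import base64
import hashlib
import quopri
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """Value a signer using a=rsa-sha256 would place in the bh= tag."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def is_8bit(body: bytes) -> bool:
    """True if any octet has the high bit set, i.e. the body needs 8BITMIME."""
    return any(octet > 0x7F for octet in body)


def downconvert(body: bytes) -> bytes:
    """Re-encode as quoted-printable, as a relay may do for a 7-bit-only peer."""
    return quopri.encodestring(body)


# Constructed sample body: UTF-8 text sent with Content-Transfer-Encoding: 8bit.
SAMPLE_8BIT = "Café au lait,  s'il vous plaît. \r\n\r\n".encode("utf-8")
SAMPLE_7BIT = downconvert(SAMPLE_8BIT)

if __name__ == "__main__":
    print("8-bit before:", is_8bit(SAMPLE_8BIT), "after:", is_8bit(SAMPLE_7BIT))
    print("bh as signed:   ", body_hash(SAMPLE_8BIT))
    print("bh as delivered:", body_hash(SAMPLE_7BIT))
```

Relaxed canonicalization absorbs whitespace changes only; a transfer-encoding change alters the octets that are hashed, so the signature has to be applied after any such conversion.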






Re: [OFF]: DKIM broken by certain email clients

2008-09-24 Thread James Brown

On 24/09/2008, at 1:54 PM, Benny Pedersen wrote:


On Wed, September 24, 2008 03:05, James Brown wrote:

I've just set up DKIM on my mail system (via Astaro Security Gateway).


X-Amavis-Alert: BAD HEADER SECTION Duplicate header field: MIME-Version


Thanks Benny. I'll send my reply using Thunderbird and see if it has the 
duplicate header field.


James.






Re: [OFF]: DKIM broken by certain email clients

2008-09-24 Thread James Brown


On 24/09/2008, at 9:33 PM, Mark Martinec wrote:


James,


If I send an email to [EMAIL PROTECTED] it comes back
saying:
 DKIM check details:
 Result: fail (signature doesn't verify)
The same thing happens sending from my iPhone.
But it works fine sending from the same computer using Thunderbird. Or
if I use webmail (Roundcube or Ilohamail) to send the email.
All are sending through the same mail server (Postfix), same account,
with and without SSL.
Has anyone had any similar problems with DKIM and Mail.app?


Your signer signed the following header section:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=bordo.com.au; s=mail; h=Message-Id:From:To:In-Reply-To:
Mime-Version:Subject:Date:References:MIME-Version:Content-Type;
bh=FBGlG3/lg4Qa0cw6oM9LAu83D6E9uxKw+uQSQmKN7EQ=; b=D8uXGWZusRopo
0Dx4TQeApJbajiayRIpN/Q+GTgn/MPv7Qj+Cq5EOcwr75ZXv/GV+MRpo+qGiOfv0
fJtqDvR1TwbjuvSuRTHgQVCc1+AY3T4iDEQ5f4EGJ0NPR56rPqrKGDi1AwCGjvVD
sieq86AnRWfredZLTHzXvzq5neSGOE=
Message-Id: [EMAIL PROTECTED]
From: James Brown [EMAIL PROTECTED]
To: postfix-users@postfix.org
In-Reply-To: [EMAIL PROTECTED]
MIME-Version: 1.0
Subject: Re: [OFF]: DKIM broken by certain email clients
Date: Wed, 24 Sep 2008 17:42:40 +1000
References: [EMAIL PROTECTED] [EMAIL PROTECTED] 


MIME-Version: 1.0
Content-Type: multipart/signed; protocol=application/x-pkcs7-signature;
 micalg=sha1; boundary=31313EF4F437E4210E9DC5F9C2D9A7A1


Note the double occurrence of MIME-Version, but this is not in itself
a reason for DKIM validation failure.

The above header section was modified on its way out from your site,
replacing the first MIME-Version: 1.0 of the two with a
 Mime-Version: 1.0 (Apple Message framework v929.2)
thus breaking the signature.

So it seems you have two problems here: why are there two MIME-Version
header fields in the first place, and why is one of them modified  
AFTER signing.


Thanks Mark.

The flow of my email is:

Mail.app - ASSP - Postfix - amavisd-new - Postfix - Astaro  
Gateway - Internet


I think :-)

I'm at home now so can't check. I intend to stop going through  
amavisd-new when sending, but haven't got round to it yet. Perhaps this is the  
problem?


My postfix settings are:

$postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisd-new:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 7
default_process_limit = 100
disable_vrfy_command = yes
html_directory = no
mail_owner = postfix
mailbox_size_limit = 10240
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10240
mydomain = bordo.com.au
myhostname = mail.bordo.com.au
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost = astaro1.bordo.com.au
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_connection_count_limit = 100
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,   reject_unauth_pipelining,
reject_unauth_destination,   permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:27
virtual_mailbox_base = /usr/local/virtual/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

virtual_mailbox_limit = 512000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 27
virtual_transport = virtual
virtual_uid_maps = static:27

The Astaro box is setup as a smarthost (relayhost =  
astaro1.bordo.com.au). It should be the final link before the  
internet, so nothing should therefore interfere with the message after  
it has been signed.


And why would it work fine for Thunderbird? And when my web server  
sends the email (ie using webmail)?


Thanks for your help.

James.
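
Mark's diagnosis above, as an added example that is not part of the original thread: with c=relaxed/relaxed a change in the case of a header name is harmless, while the rewritten Mime-Version value changes the data the signature covers. The h= list is the one quoted in the thread; the header values are constructed placeholders, the function names are hypothetical, and the digest covers only the selected headers (a real verifier also appends the DKIM-Signature field itself).

```python
import hashlib
import re
from collections import Counter

# h= list copied from the DKIM-Signature quoted in the thread.
H_LIST = ("Message-Id:From:To:In-Reply-To:Mime-Version:Subject:Date:"
          "References:MIME-Version:Content-Type").split(":")


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace
    return f"{name.lower()}:{value}\r\n"


def select_signed(headers, h_list):
    """Each name in h= consumes the lowest unused instance of that field."""
    remaining, picked = list(headers), []
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                picked.append(remaining.pop(i))
                break
    return picked


def header_digest(headers, h_list=H_LIST):
    data = "".join(relaxed_header(n, v) for n, v in select_signed(headers, h_list))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def duplicate_fields(headers):
    """Field names that occur more than once (what the amavisd alert flags)."""
    counts = Counter(name.lower() for name, _ in headers)
    return sorted(name for name, count in counts.items() if count > 1)


def replace_first_mime_version(headers, name, value):
    out = list(headers)
    idx = next(i for i, (n, _) in enumerate(out) if n.lower() == "mime-version")
    out[idx] = (name, value)
    return out


# Constructed sample: the header section as it looked when it was signed.
SIGNED = [
    ("Message-Id", "<constructed-id@example.invalid>"),
    ("From", "Sender <sender@example.invalid>"),
    ("To", "list@example.invalid"),
    ("MIME-Version", "1.0"),
    ("Subject", "constructed test message"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "multipart/signed; micalg=sha1"),
]
CASE_ONLY = replace_first_mime_version(SIGNED, "Mime-Version", "1.0")
REWRITTEN = replace_first_mime_version(
    SIGNED, "Mime-Version", "1.0 (Apple Message framework v929.2)")
```

Because Mime-Version appears twice in h=, both instances are covered by the signature, so rewriting either one after signing fails verification.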






Re: [OFF]: DKIM broken by certain email clients

2008-09-24 Thread James Brown
Would anyone who checks DKIM sigs on incoming mails mind if I send  
them an email directly?


That way I can make sure it is not just the DKIM reflector that's  
giving false results somehow.


Thanks,

James.




Re: [OFF]: DKIM broken by certain email clients

2008-09-24 Thread James Brown


On 25/09/2008, at 12:01 AM, Wietse Venema wrote:


James Brown:

The flow of my email is:

Mail.app - ASSP - Postfix - amavisd-new - Postfix - Astaro
Gateway - Internet

I think :-)


Your mail is modified AFTER the DKIM signature is computed. Therefore,
the source of the message is not breaking the signature.

However, you can use this source to send the same test message
repeatedly, and to find out what your email looks like at different
points AFTER it is signed. This will reveal what is making the
change that breaks the DKIM signature.

Wietse


I sent an email from Mail.app to port 10026 of my mail server  
directly, so it bypassed ASSP.


DKIM checks still came back saying that the signature did not match.  
So I can rule out ASSP.


I'll have to work out how to turn off going through amavisd-new next.

James.




[OFF]: DKIM broken by certain email clients

2008-09-23 Thread James Brown

I've just set up DKIM on my mail system (via Astaro Security Gateway).

If I send an email to [EMAIL PROTECTED] it comes back  
saying:


DKIM check details:
Result: fail (signature doesn't verify)

The same thing happens sending from my iPhone.

But it works fine sending from the same computer using Thunderbird. Or  
if I use webmail (Roundcube or Ilohamail) to send the email.


All are sending through the same mail server (Postfix), same account,  
with and without SSL.


Has anyone had any similar problems with DKIM and Mail.app?

Any suggestions?

Thanks,

James. 
