Re: postscreen_whitelist_interfaces behind proxy
Hi,

On 10/14/2016 02:30 PM, Dave wrote:
> I'm running multiple Postfix MX servers behind HAProxy load balancer. I was just configuring "MX Policy test" in postscreen and I couldn't get it to work.

Please clarify whether you are using the haproxy PROXY protocol (see: http://permalink.gmane.org/gmane.comp.web.haproxy/8881 / http://www.postfix.org/postconf.5.html#postscreen_upstream_proxy_protocol)? Because in that case it would definitely be expected for postfix to be using the connection information from the frontend.

Kind regards,
Lukas Erlacher

--
Rechnerbetriebsgruppe der Fakultäten Mathematik und Informatik
Room 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching
BUG: Typo in postscreen manpage
Prompted by the "gmail servers requiring postscreen_access whitelisting" thread I looked at http://www.postfix.org/postscreen.8.html. There is an erroneous (right??) double negative:

> The optional "after 220 server greeting" tests involve postscreen(8)'s
> built-in SMTP protocol engine. When these tests succeed, postscreen(8)
> adds the client to the temporary whitelist, but it cannot not hand off
                                                            ^^
> the "live" connection to a Postfix SMTP server process in the middle of
> a session. Instead, postscreen(8) defers attempts to deliver mail with
> a 4XX status, and waits for the client to disconnect. When the client
> connects again, postscreen(8) will allow the client to talk to a Postfix
> SMTP server process (provided that the whitelist status has not
> expired). postscreen(8) mitigates the impact of this limitation by
> giving the "after 220 server greeting" tests a long expiration time.

Best,
Luke
Re: postfix/dovecot - [private/dovecot-lmtp]: No such file or directory
Hi,

this is not a postfix problem. Furthermore it is fully covered in the dovecot docs.

You need to put the dovecot-lmtp socket into /var/spool/postfix/private. This means the unix_listener must get the path to that. See here: http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP

Also note that you will need to either cut off the domain name of local recipient addresses in postfix somehow, or get dovecot to resolve addresses with domains properly. userdb { driver=passwd } won't do that, driver=passwd-file will do it if configured properly.

Best,
Luke

On 02/22/2016 03:03 AM, soko.tica wrote:
> Hello list,
>
> I am trying to send a mail message from root to a system user on the same box. While postfix functions properly without dovecot, once dovecot is installed, I get the message from the logs as set in the subject line - that postfix/lmtp cannot connect to [private/dovecot-lmtp]: No such file or directory
>
> Also, the user's ~/.Maildir isn't created, although there are such instructions in dovecot. Finally, doveconf -n says there is no ssl enabled, although I explicitly set it in /conf.d/10-ssl.conf
>
> Below are dmesg, postconf -n, doveconf -n and a snippet from /var/log/mail.log
>
> Please advise. Thanks in advance.
>
> $ dmesg
> [0.00] Linux version 3.18.26-x1-64 (r...@dev0001.support.domain.tld) (gcc version 4.4.5 (Debian 4.4.5-8) ) #1 SMP Mon Feb 8 11:43:41 GMT 2016
> [0.740773] pps_core: LinuxPPS API ver. 1 registered
>
> $ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> default_transport = error
> delay_warning_time = 4h
> inet_interfaces = loopback-only
> mailbox_size_limit = 0
> mailbox_transport = lmtp:unix:private/dovecot-lmtp
> mydestination = $myhostname localhost.$mydomain localhost $mydomain
> myhostname = mail.domain.tld
> mynetworks = [:::127.0.0.0]/104 [::1]/128
> myorigin = $myhostname
> notify_classes = resource, software
> readme_directory = no
> recipient_delimiter = +
> relay_domains = $mydestination
> relay_transport = error
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
>
> ==
>
> $ doveconf -n
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.18.26-x1-64 x86_64 Debian 8.3
> hostname = mail.domain.tld
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> lda_original_recipient_header = X-Original-To
> mail_location = maildir:~/Maildir
> maildir_very_dirty_syncs = yes
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
>   type = private
> }
> passdb {
>   driver = pam
> }
> passdb {
>   driver = pam
> }
> plugin {
>   sieve = ~/.dovecot.sieve
>   sieve_dir = ~/sieve
> }
> postmaster_address = postmas...@mail.domain.tld
> protocols = lmtp
> service lmtp {
>   unix_listener lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> ssl = no
> ssl_cert =
>
> Feb 21 23:22:28 boxname postfix/cleanup[32177]: EA06822140: message-id=<20160221232228.ea06822...@mail.domain.tld>
> Feb 21 23:22:28 boxname postfix/qmgr[32139]: EA06822140: from=, size=333, nrcpt=1 (queue active)
> Feb 21 23:22:29 boxname postfix/lmtp[32180]: EA06822140: to= , orig_to=, relay=none, delay=0.06, delays=0.02/0.01/0.04/0, dsn=4.4.1, status=deferred (connect to mail.domain.tld[private/dovecot-lmtp]: No such file or directory)
Re: PATCH: smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode
Hi,

> Please try this.
>
> Wietse
>
> [patch]

Works like a charm! I couldn't just patch our live server of course but I grabbed the ubuntu 14.04 postfix 2.11.0 source package on a VM, and the haproxy 1.5 from trusty-backports, and it works.

Thanks for the prompt support! Will you be merging this?

Best,
Luke
Re: PATCH: smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode
Thanks, I will try that!

Best,
Luke
Re: PATCH: smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode
>> Thanks for the prompt support! Will you be merging this?
>
> In the next 3.1 development release, and in a month or so, in the next stable releases (2.9 .. 3.0).
>
> Wietse

That's great to hear!

Best,
Luke
smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode
Hello,

I am trying to put haproxy in front of postfix and utilise the proxy protocol to get accurate client IPs. This works fine for all unencrypted / starttls based listeners, but not for tls-wrapped listeners using smtpd_tls_wrappermode.

This is the haproxy configuration:

frontend ft_smtps
    bind 0.0.0.0
    timeout client 1m
    log global
    option tcplog
    default_backend bk_postfix_smtps

backend bk_postfix_smtps
    option smtpchk HELO localhost
    log global
    option tcplog
    timeout server 1m
    timeout connect 5s
    server mailbackend mail:10464 send-proxy

And this is the postfix master.cf configuration:

10464 inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_upstream_proxy_protocol=haproxy

I am testing this using openssl s_client -connect localhost:465 and expect to get a 220 message from postfix, but the connection just hangs until I close it. Something goes wrong with establishing the SSL session:

Aug 31 09:52:47 mail postfix-from-user/smtpd[2416]: connect from a-mua.informatik.tu-muenchen.de[xxx.xxx.42.153]
Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: SSL_accept error from mailclient[xxx.xxx.42.153]: lost connection
Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: lost connection after CONNECT from mailclient[xxx.xxx.42.153]
Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: disconnect from mailclient[xxx.xxx.42.153]

Is this implemented in postfix? If it is, what is the right configuration to make it work?
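The haproxy PROXY protocol referred to in the first reply of this digest, and configured above with send-proxy and smtpd_upstream_proxy_protocol=haproxy, is one plaintext line that the proxy prepends to each backend connection; Postfix consumes it before anything else on that connection, which for a wrappermode listener means before the TLS handshake, so a client that reaches the backend port directly and opens with a TLS ClientHello never presents it. The following is an added example, not Postfix or HAProxy code, that builds and validates such a v1 header; the 107-byte maximum and the field layout are taken from the PROXY protocol specification.

```python
# PROXY protocol v1 header handling (added example; not Postfix or HAProxy code).
# Postfix with smtpd_upstream_proxy_protocol=haproxy expects this line as the
# first bytes of a connection, before the 220 banner and before any TLS handshake.
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF, per the spec

def build_proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Build the line a proxy configured with send-proxy prepends."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    fam = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")

def parse_proxy_v1_header(data):
    """Parse a v1 header from the first bytes of a connection.
    Returns (fields, remaining_bytes); fields is None for 'PROXY UNKNOWN', which
    the spec says to accept and ignore. Raises ValueError for anything else, so a
    TLS ClientHello or SMTP command arriving here is refused rather than misread."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    line, rest = data[:end], data[end + 2:]
    parts = line.split(b" ")
    if len(parts) < 2 or parts[0] != b"PROXY":
        raise ValueError("connection did not start with a PROXY line")
    if parts[1] == b"UNKNOWN":
        return None, rest
    if len(parts) != 6 or parts[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("bad protocol token or field count")
    src = ipaddress.ip_address(parts[2].decode("ascii"))
    dst = ipaddress.ip_address(parts[3].decode("ascii"))
    want = 4 if parts[1] == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the TCP4/TCP6 token")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    return {"proto": parts[1].decode("ascii"), "src": str(src), "dst": str(dst),
            "src_port": sport, "dst_port": dport}, rest

def starts_with_proxy_v1(data):
    """True when the connection's first bytes are a well-formed v1 header."""
    try:
        parse_proxy_v1_header(data)
        return True
    except ValueError:
        return False
```

Because the header is unauthenticated, whatever sends it is trusted for the client address that postscreen and smtpd will log and apply policy to, so the backend port should be reachable only from the proxy.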