Re: postscreen_whitelist_interfaces behind proxy

2016-10-14 Thread Lukas Erlacher

Hi,

On 10/14/2016 02:30 PM, Dave wrote:

I'm running multiple Postfix MX servers behind an HAProxy load balancer. I was
just configuring the "MX Policy test" in postscreen and I couldn't get it to work.


Please clarify whether you are using the haproxy PROXY protocol (see 
http://permalink.gmane.org/gmane.comp.web.haproxy/8881 / 
http://www.postfix.org/postconf.5.html#postscreen_upstream_proxy_protocol), 
because in that case it would definitely be expected for postfix to be 
using the connection information from the frontend.


Kind regards,
Lukas Erlacher

--
IT Operations Group (Rechnerbetriebsgruppe) of the Faculties of Mathematics and Informatics
Room 00.05.042
Tel. 089-289-18258
erlac...@in.tum.de
Technische Universität München - Boltzmannstr. 3 - 85748 Garching




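The reply above turns on what a PROXY-protocol-aware listener actually learns from the frontend. The following is an added example (not code from Postfix, HAProxy, or anyone in this thread): it parses the PROXY v1 line that haproxy's send-proxy puts in front of every connection and applies a postscreen_whitelist_interfaces-style first-match check to the server address carried in it. The addresses 192.0.2.25 (frontend VIP), 10.0.0.11 (backend) and 203.0.113.7 (client) and the whitelist are constructed for illustration, and the list semantics (address or network/prefix, "!pattern" excludes, first match wins) are assumed to follow Postfix's usual address-list conventions.

```python
# Added example (not code from Postfix or HAProxy): parse the PROXY
# protocol v1 line haproxy's "send-proxy" puts in front of each
# connection, and apply a postscreen_whitelist_interfaces-style check
# to the *server* address in it. Sample addresses and the whitelist are
# constructed for illustration.
import ipaddress
import re

PROXY_V1_MAX = 107  # longest valid v1 line including CRLF, per the spec

_V1_RE = re.compile(
    rb"\APROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n\Z"
)


def parse_proxy_v1(line: bytes):
    """Return (client_ip, client_port, server_ip, server_port) for a
    PROXY v1 line, None for "PROXY UNKNOWN", ValueError otherwise.
    Ports and addresses are validated, not just pattern-matched."""
    if len(line) > PROXY_V1_MAX:
        raise ValueError("PROXY v1 line longer than %d bytes" % PROXY_V1_MAX)
    if not line.endswith(b"\r\n"):
        raise ValueError("PROXY v1 line must end in CRLF")
    if line.startswith(b"PROXY UNKNOWN"):
        return None  # the proxy could not determine the addresses
    m = _V1_RE.match(line)
    if not m:
        raise ValueError("malformed PROXY v1 line: %r" % line)
    fam, src, dst, sport, dport = m.groups()
    src_ip = ipaddress.ip_address(src.decode("ascii"))
    dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    want = 4 if fam == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match %s" % fam.decode())
    sp, dp = int(sport), int(dport)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return str(src_ip), sp, str(dst_ip), dp


def split_first_line(data: bytes):
    """Split the first read into (PROXY line, remaining client bytes).
    haproxy sends the line before any client payload, so the start of
    the SMTP session may already follow in the same segment."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > PROXY_V1_MAX:
        raise ValueError("no complete PROXY v1 line at start of stream")
    return data[: end + 2], data[end + 2:]


def interface_whitelisted(server_ip: str, whitelist_interfaces) -> bool:
    """First-match evaluation of a Postfix-style address list such as
    postscreen_whitelist_interfaces (assumed: address or network/prefix,
    "!pattern" excludes). The address tested is the one the client
    connected to, which behind a PROXY-protocol frontend is the
    frontend's address, not the backend's own."""
    addr = ipaddress.ip_address(server_ip)
    for entry in whitelist_interfaces:
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr.version == net.version and addr in net:
            return not negate
    return False


def classify_connection(first_read: bytes, whitelist_interfaces) -> dict:
    """What a PROXY-aware listener learns from the first bytes."""
    header, payload = split_first_line(first_read)
    parsed = parse_proxy_v1(header)
    if parsed is None:
        return {"client": None, "server": None, "whitelisted": False,
                "payload": payload}
    client_ip, client_port, server_ip, server_port = parsed
    return {
        "client": "%s:%d" % (client_ip, client_port),
        "server": "%s:%d" % (server_ip, server_port),
        "whitelisted": interface_whitelisted(server_ip, whitelist_interfaces),
        "payload": payload,
    }


def accepts_proxy_line(first_read: bytes) -> bool:
    """True if the stream starts with a valid PROXY v1 line."""
    try:
        classify_connection(first_read, [])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: haproxy VIP 192.0.2.25 is the MX address the
    # client connected to; the backend itself lives on 10.0.0.11.
    whitelist = ["192.0.2.25"]
    sample = (b"PROXY TCP4 203.0.113.7 192.0.2.25 51234 25\r\n"
              b"EHLO mua.example\r\n")
    print(classify_connection(sample, whitelist))
    # Without a PROXY line the listener must not guess: reject.
    print(accepts_proxy_line(b"EHLO mua.example\r\n"))
```

The point the check makes: with the PROXY protocol in use, the address compared against postscreen_whitelist_interfaces is the frontend's 192.0.2.25, not the backend's own 10.0.0.11, so a whitelist written for the backend address will not match. A stream that does not begin with a PROXY line is rejected rather than interpreted, which is also why the backend port must only be reachable from the proxy: the line is unauthenticated, and anything else that can reach the port can claim any client address.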

BUG: Typo in postscreen manpage

2016-04-11 Thread Lukas Erlacher
Prompted by the "gmail servers requiring postscreen_access whitelisting" thread 
I looked at http://www.postfix.org/postscreen.8.html.

There is an erroneous (right??) double negative:

>The  optional "after 220 server greeting" tests involve postscreen(8)'s
>built-in SMTP protocol engine. When these tests succeed,  postscreen(8)
>adds  the client to the temporary whitelist, but it cannot not hand off
 ^^
>the "live" connection to a Postfix SMTP server process in the middle of
>a session.  Instead, postscreen(8) defers attempts to deliver mail with
>a 4XX status, and waits for the client to disconnect.  When the  client
>connects  again, postscreen(8) will allow the client to talk to a Post-
>fix SMTP server process (provided that the  whitelist  status  has  not
>expired).   postscreen(8)  mitigates  the  impact of this limitation by
>giving the "after 220 server greeting" tests a long expiration time.


Best,
Luke





Re: postfix/dovecot - [private/dovecot-lmtp]: No such file or directory

2016-02-22 Thread Lukas Erlacher

Hi,

This is not a postfix problem. Furthermore, it is fully covered in the 
dovecot docs.


You need to put the dovecot-lmtp socket into /var/spool/postfix/private. 
This means the unix_listener must get the path to that. See here: 
http://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP


Also note that you will need to either cut off the domain name of local 
recipient addresses in postfix somehow, or get dovecot to resolve 
addresses with domains properly. userdb { driver=passwd } won't do that, 
driver=passwd-file will do it if configured properly.


Best,
Luke

On 02/22/2016 03:03 AM, soko.tica wrote:

Hello list,

I am trying to send a mail message from root to a system user on the same
box. While postfix functions without dovecot properly, once dovecot is
installed, I get the message from logs as set in the subject line - that
postfix/lmtp cannot connect to [private/dovecot-lmtp]: No such file or
directory

Also, the user's ~/.Maildir isn't created, although there are such instructions
in dovecot. Finally, doveconf -n says there is no ssl enabled, although I
explicitly set it in /conf.d/10-ssl.conf

Below are dmesg, postconf -n, doveconf -n and a snippet from
/var/log/mail.log

Please advise. Thanks in advance.

$ dmesg
[0.00] Linux version 3.18.26-x1-64 (r...@dev0001.support.domain.tld)
(gcc version 4.4.5 (Debian 4.4.5-8) ) #1 SMP Mon Feb 8 11:43:41 GMT 2016
[0.740773] pps_core: LinuxPPS API ver. 1 registered

$ postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_transport = error
delay_warning_time = 4h
inet_interfaces = loopback-only
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mydestination = $myhostname localhost.$mydomain localhost $mydomain
myhostname = mail.domain.tld
mynetworks = [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
notify_classes = resource, software
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination
relay_transport = error
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

$ doveconf -n
# 2.2.13: /etc/dovecot/dovecot.conf
# OS: Linux 3.18.26-x1-64 x86_64 Debian 8.3
hostname = mail.domain.tld
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
mail_location = maildir:~/Maildir
maildir_very_dirty_syncs = yes
namespace inbox {
   inbox = yes
   location =
   mailbox Drafts {
 special_use = \Drafts
   }
   mailbox Junk {
 special_use = \Junk
   }
   mailbox Sent {
 special_use = \Sent
   }
   mailbox "Sent Messages" {
 special_use = \Sent
   }
   mailbox Trash {
 special_use = \Trash
   }
   prefix =
   separator = /
   type = private
}
passdb {
   driver = pam
}
passdb {
   driver = pam
}
plugin {
   sieve = ~/.dovecot.sieve
   sieve_dir = ~/sieve
}
postmaster_address = postmas...@mail.domain.tld
protocols = lmtp
service lmtp {
   unix_listener lmtp {
 group = postfix
 mode = 0600
 user = postfix
   }
}
ssl = no
ssl_cert = 
Feb 21 23:22:28 boxname postfix/cleanup[32177]: EA06822140:
message-id=<20160221232228.ea06822...@mail.domain.tld>
Feb 21 23:22:28 boxname postfix/qmgr[32139]: EA06822140:
from=, size=333, nrcpt=1 (queue active)
Feb 21 23:22:29 boxname postfix/lmtp[32180]: EA06822140:
to=, orig_to=, relay=none, delay=0.06,
delays=0.02/0.01/0.04/0, dsn=4.4.1, status=deferred (connect to
mail.domain.tld[private/dovecot-lmtp]: No such file or directory)



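One way to see the mismatch behind that "No such file or directory", as an added example (not Dovecot's or Postfix's code, and not from anyone in this thread): resolve the socket path each side will use and compare them. It assumes the stock defaults queue_directory=/var/spool/postfix for Postfix and base_dir=/var/run/dovecot for Dovecot; the two doveconf excerpts are constructed from the configuration quoted above and from a corrected version of it with the absolute path under the Postfix queue directory.

```python
# Added example (not code from Postfix or Dovecot): resolve the socket
# path each side will use for "lmtp:unix:private/dovecot-lmtp" and
# report whether they agree. Assumed defaults: Postfix queue_directory
# /var/spool/postfix, Dovecot base_dir /var/run/dovecot. The doveconf
# excerpts below are constructed from the configuration quoted in the
# post and from a corrected version of it.
import posixpath
import re

POSTFIX_QUEUE_DIRECTORY = "/var/spool/postfix"  # postconf -d queue_directory
DOVECOT_BASE_DIR = "/var/run/dovecot"           # doveconf -d base_dir


def postfix_lmtp_socket(transport: str, queue_directory=POSTFIX_QUEUE_DIRECTORY):
    """Socket path behind a Postfix "lmtp:unix:PATH" transport. A relative
    PATH is taken under queue_directory, which is also where a chrooted
    lmtp(8) client looks; returns None for inet transports."""
    m = re.fullmatch(r"lmtp:unix:(\S+)", transport.strip())
    if not m:
        return None
    path = m.group(1)
    return path if path.startswith("/") else posixpath.join(queue_directory, path)


def dovecot_listener_socket(name: str, base_dir=DOVECOT_BASE_DIR):
    """Path of a Dovecot unix_listener: relative names live under base_dir."""
    name = name.strip('"')
    return name if name.startswith("/") else posixpath.join(base_dir, name)


def lmtp_listener_names(doveconf_text: str):
    """unix_listener names inside the "service lmtp { ... }" block of
    "doveconf -n" output (that block's closing brace is at column 0)."""
    block = re.search(r"^service\s+lmtp\s*\{(.*?)^\}", doveconf_text, re.S | re.M)
    if not block:
        return []
    return re.findall(r"unix_listener\s+(\S+)\s*\{", block.group(1))


def lmtp_socket_report(mailbox_transport: str, doveconf_text: str,
                       queue_directory=POSTFIX_QUEUE_DIRECTORY,
                       base_dir=DOVECOT_BASE_DIR) -> dict:
    """Compare the path Postfix will connect to with the paths Dovecot
    will create; a mismatch is exactly the "No such file or directory"
    in the log above."""
    wanted = postfix_lmtp_socket(mailbox_transport, queue_directory)
    created = [dovecot_listener_socket(n, base_dir)
               for n in lmtp_listener_names(doveconf_text)]
    return {"postfix_connects_to": wanted,
            "dovecot_creates": created,
            "match": wanted is not None and wanted in created}


# Constructed from the doveconf -n quoted in the post: a relative name,
# which Dovecot places under base_dir.
DOVECONF_AS_POSTED = """\
protocols = lmtp
service lmtp {
   unix_listener lmtp {
 group = postfix
 mode = 0600
 user = postfix
   }
}
"""

# Corrected: absolute path inside the Postfix queue directory.
DOVECONF_FIXED = """\
protocols = lmtp
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
 group = postfix
 mode = 0600
 user = postfix
   }
}
"""

if __name__ == "__main__":
    transport = "lmtp:unix:private/dovecot-lmtp"
    print(lmtp_socket_report(transport, DOVECONF_AS_POSTED))
    print(lmtp_socket_report(transport, DOVECONF_FIXED))
```

With the configuration as posted, Postfix connects to /var/spool/postfix/private/dovecot-lmtp while Dovecot creates /var/run/dovecot/lmtp; the corrected listener makes both sides resolve to the same path. Keeping mode = 0600 with user = postfix on the listener, as in the posted configuration, is the right restriction, since only the Postfix lmtp(8) client needs to reach it.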

Re: PATCH: smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode

2015-09-24 Thread Lukas Erlacher

Hi,


Please try this.

Wietse

[patch]


Works like a charm! I couldn't just patch our live server of course, but I 
grabbed the Ubuntu 14.04 postfix 2.11.0 source package on a VM, and the 
haproxy 1.5 from trusty-backports, and it works.

Thanks for the prompt support! Will you be merging this?

Best,
Luke





Re: PATCH: smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode

2015-09-24 Thread Lukas Erlacher

Thanks, I will try that!

Best,
Luke


Re: PATCH: smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode

2015-09-24 Thread Lukas Erlacher


Thanks for the prompt support! Will you be merging this?


In the next 3.1 development release, and in a month or so, in the next
stable releases (2.9 .. 3.0).

Wietse



That's great to hear!

Best,
Luke





smtpd_upstream_proxy_protocol + smtpd_tls_wrappermode

2015-09-23 Thread Lukas Erlacher

Hello,

I am trying to put haproxy in front of postfix and utilise the proxy protocol 
to get accurate client IPs.

This works fine for all unencrypted / starttls based listeners, but not for 
tls-wrapped listeners using smtpd_tls_wrappermode.

This is the haproxy configuration:

frontend ft_smtps
    bind 0.0.0.0
    timeout client 1m
    log global
    option tcplog
    default_backend bk_postfix_smtps

backend bk_postfix_smtps
    option smtpchk HELO localhost
    log global
    option tcplog
    timeout server 1m
    timeout connect 5s
    server mailbackend mail:10464 send-proxy

And this is the postfix master.cf configuration:

10464 inet  n   -   -   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_upstream_proxy_protocol=haproxy

I am testing this using openssl s_client -connect localhost:465 and expect to 
get a 220 message from the postfix, but the connection just hangs until I close 
it.

Something goes wrong with establishing the SSL session:

Aug 31 09:52:47 mail postfix-from-user/smtpd[2416]: connect from 
a-mua.informatik.tu-muenchen.de[xxx.xxx.42.153]
Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: SSL_accept error from 
mailclient[xxx.xxx.42.153]: lost connection
Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: lost connection after 
CONNECT from mailclient[xxx.xxx.42.153]
Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: disconnect from 
mailclient[xxx.xxx.42.153]

Is this implemented in postfix? If it is, what is the right configuration to 
make it work?