Re: relay_recipient_maps with ldap not work
Guys, any help will be highly appreciated.

On Dec 10, 2016 1:16 PM, "Muhammad Yousuf Khan" <sir...@gmail.com> wrote:

> Hi,
>
> My postfix box is working as a delivery agent to an Exchange server. As the
> document says, relay_recipient_maps should disallow all unknown mailboxes,
> however it is not happening. I am using ldap instead of hash, but it does
> not return any email to the sender when the mailbox is not found. In every
> case it delivers the email on the basis of the relay_domains IP address. Can you
> please help? I do not want to receive email for unknown mailboxes.
> Here is my config:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> disable_vrfy_command = yes
> inet_interfaces = all
> mailbox_size_limit = 0
> message_size_limit = 5110
> mydestination = exacto.creditexperts.org, localhost.creditexperts.org, localhost
> myhostname = legacylegalservice.com
> mynetworks = 10.81.128.0/24, 127.0.0.0/8
> myorigin = /etc/mailname
> recipient_delimiter = +
> relay_domains = hash:/etc/postfix/exchange_domains
> relay_recipient_maps = ldap:/etc/postfix/ldap-relay_recipients.cf
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_client_access hash:/etc/postfix/sender_checks, check_sender_access hash:/etc/postfix/sender_checks, check_helo_access hash:/etc/postfix/helo_checks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:6
> smtpd_sender_restrictions = permit_auth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> transport_maps = hash:/etc/postfix/exchange_transport
>
> And here is my ldap cf file:
>
> root@ajax:/etc/postfix# cat ldap-relay_recipients.cf
> server_host = ldap://morpheus.company.mydomain.com
> version = 3
> search_base = dc=company, dc=,mydomain, dc=com
> query_filter = (&(objectClass=user)(mail=%s))
> result_attribute =
> bind_dn = CN=Thomas R. Paige,CN=Users,DC=company,DC=mydomain,DC=com
> #bind_dn = cn=postfix,ou=misc,dc=redflo,dc=de
> bind_pw = skdii23k2399dldsw2
> domain = company.mydomain.com
> debuglevel = 5
>
relay_recipient_maps with ldap not work
Hi,

My postfix box is working as a delivery agent to an Exchange server. As the document says, relay_recipient_maps should disallow all unknown mailboxes, however it is not happening. I am using ldap instead of hash, but it does not return any email to the sender when the mailbox is not found. In every case it delivers the email on the basis of the relay_domains IP address. Can you please help? I do not want to receive email for unknown mailboxes. Here is my config:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 5110
mydestination = exacto.creditexperts.org, localhost.creditexperts.org, localhost
myhostname = legacylegalservice.com
mynetworks = 10.81.128.0/24, 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/exchange_domains
relay_recipient_maps = ldap:/etc/postfix/ldap-relay_recipients.cf
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_client_access hash:/etc/postfix/sender_checks, check_sender_access hash:/etc/postfix/sender_checks, check_helo_access hash:/etc/postfix/helo_checks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:6
smtpd_sender_restrictions = permit_auth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/exchange_transport

And here is my ldap cf file:

root@ajax:/etc/postfix# cat ldap-relay_recipients.cf
server_host = ldap://morpheus.company.mydomain.com
version = 3
search_base = dc=company, dc=,mydomain, dc=com
query_filter = (&(objectClass=user)(mail=%s))
result_attribute =
bind_dn = CN=Thomas R. Paige,CN=Users,DC=company,DC=mydomain,DC=com
#bind_dn = cn=postfix,ou=misc,dc=redflo,dc=de
bind_pw = skdii23k2399dldsw2
domain = company.mydomain.com
debuglevel = 5
Postfix ldap issue
Dear All,

I am trying to use ldap for recipients and domains for Windows AD. I installed postfix ldap:

root@web:/etc/postfix# postconf -m
btree
cidr
environ
fail
hash
inline
internal
ldap
memcache
nis
pipemap
proxy
randmap
regexp
socketmap
static
tcp
tcp
texthash
unionmap
unix
root@web:/etc/postfix#

But when I run the command

postmap -q jos...@domain.org ldap:/etc/postfix/exchange_recipients_lls.cf

it ends up with this error:

postmap: warning: unsupported dictionary type: ldap (/usr/lib/postfix/dict_ldap.so: No such file or directory)
postmap: fatal: unsupported dictionary type: ldap

Here is my configuration:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 5110
mydestination = ajax, anitbridge.com, exacto.domain.org, localhost.creditexperts.org, localhost
myhostname = legacylegalservice.com
mynetworks = 10.81.128.0/24, 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = 'proxy:ldap:/etc/postfix/exchange_domains_lls.cf'
relay_recipient_maps = 'proxy:ldap:/etc/postfix/exchange_recipients_lls.cf'
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_client_access hash:/etc/postfix/sender_checks, check_sender_access hash:/etc/postfix/sender_checks, check_helo_access hash:/etc/postfix/helo_checks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain,
smtpd_sender_restrictions = permit_auth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = 'proxy:ldap:/etc/postfix/exchange_transport_lls.cf'
virtual_alias_maps = hash:/etc/postfix/vdomains

Any advice will be highly appreciated.

Thanks,
Yousuf
Re: Confusion : smtp_tls_auth_only vs smtpd_tls_auth_only
Thanks Noel, understood :) Your knowledge really helped me and I appreciate that. Thanks again.
Re: Confusion : smtp_tls_auth_only vs smtpd_tls_auth_only
Thanks Noel, you cleared up my big confusion. I thought 25 is for MTA and 587 will never receive email from an MTA. Thanks for that.

Now one last question. My master.cf has this set:

-o smtpd_tls_security_level=encrypt

It is said that when parameters are set in master.cf they override the main.cf parameter. Now I set these main.cf parameters:

smtp_tls_security_level=may
smtpd_tls_security_level=may

I believe that if the master.cf parameter is set as -o smtpd_tls_security_level=encrypt it should throw the same error as if this parameter were set in main.cf. However, now my mails are working properly and master.cf is not overriding it. Can you please throw some light on this?

Thanks,
Yousuf
Confusion : smtp_tls_auth_only vs smtpd_tls_auth_only
It is written in books and on internet forums that in main.cf:

- *smtp_tls_auth_only* is for outgoing mail, or to send mail to other mail servers.
- *smtpd_tls_auth_only* is for clients/customers sending email to my server.

But my results are not as mentioned.

*Test1* - (sending email from postfix to gmail server)

smtp_tls_auth_only = may
smtpd_tls_auth_only = may

Result = Working fine.

*Test2* - (sending email from my postfix to gmail server)

smtp_tls_auth_only = may
smtpd_tls_auth_only = encrypt

*Result = Fail with NDR*

host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=21205-11 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)

*Comments:* since smtp_tls_auth_only is responsible for sending emails, why is it rejecting for encryption purposes?

*Test3* - (sending email from my postfix to gmail server)

smtp_tls_auth_only = encrypt
smtpd_tls_auth_only = may

*Result = fail with no NDR, but with this log:*

relay=127.0.0.1[127.0.0.1]:10024, delay=0.07, delays=0.06/0.01/0/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])

Comment: I know my email is not being delivered, which is what I want as Google is not set to encrypt a channel with me. But it is showing the error at my end, 127.0.0.1, which is kind of confusing.

-- MY GOAL: --

I want to force client submission on 587, and MTA to MTA communication on 25 only. With any of the above settings in the examples my clients can still submit to port 25, which I don't want.

--- master.cf --

smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

- postconf -n -

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.anitbridge.com, localhost, localhost.localdomain
myhostname = mail.anitbridge.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
Re: Confusion : smtp_tls_auth_only vs smtpd_tls_auth_only
I really hate myself when I do something confidently and do it very wrong. Actually the parameter I typed in all the examples was wrong. The correct ones are smtp_tls_security_level and smtpd_tls_security_level, and of course you may have noticed them in my postconf -n. Anyway, a mistake is a mistake. Now can you please explain these wrong results in light of the above?

Where's the port 25(smtp) inet service?

Do you mean this line?

smtp inet n - n - - smtpd -v

Sorry, I missed it. It was at the top and I copied the lower end of the file.

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Make that:

submission inet n - n - - smtpd
  -o syslog_name=submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATIN

Ok, I also uncommented it as suggested. Here are the main.cf parameters that you wanted me to change:

# cat /etc/postfix/main.cf | grep level
smtp_tls_security_level = may
smtpd_tls_security_level = encrypt

Here is the master.cf line that I uncommented as per your suggestion:

-o smtpd_tls_security_level=encrypt

Now I am getting an NDR like this:

sir...@gmail.com: host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=30222-02 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)

Actually I am confused, because in books it is said that smtp_tls_security_level is for MTA to MTA communication and smtpd_tls_security_level is for client to MTA communication. No matter if these are mentioned in master.cf, the purpose remains the same. And I have set may on the smtp parameter, not the smtpd parameter. Then why is the smtpd parameter value encrypt colliding with or messing up the smtp work?

This is my actual confusion. Maybe I am wrong about the concept or I am doing it wrong.

The point which is actually catching my attention is that when I change the values to smtpd_tls_security_level = may and smtp_tls_security_level = may (meaning both set to may) and comment out the line -o smtpd_tls_security_level = encrypt in master.cf, everything is back to normal. But my problem is that on port 25 my clients can connect and even send email, which I don't want. I want to force my clients to submit on port 587 only.

Any help will be highly appreciated.

Thanks,
Yousuf
Re: port 25 465 and 587 confusion.
Thanks Noel and Peter, I learned a lot from both of your posts.

By Noel:

For new installations, it is strongly recommended to require your customers to use port 587 (or 465) and to disable AUTH on port 25.

Can you please refer me to any document or link on this? Actually this is what I also need, but the document I am following is not specifically designed for mail servers. However, I really want to learn the Postfix server; I know the main and big deal is the mailing server.

By Peter:

- What you should be, at the very least, encouraging is STARTTLS over port 587. Whether you want to support some very old Outlook clients and offer TLS wrappermode over 465 is up to you but it is unlikely you will find anyone who still needs this old and deprecated form of submission.

What do you mean by "very least"? Is there any way preferable to STARTTLS?

- Is it possible to force users/clients to only submit mail on port 587 and leave 25 for server to server communication only? And is this segregation a good thought of mine, or practical?

- Since the time I enabled/uncommented this line

submission inet n - - - - smtpd

my mail server has been listening on 3 ports: 25, 465, 587.

root@mailsrv:~# netstat -ntlp | grep master
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6799/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 6799/master
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 6799/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 6799/master
tcp6 0 0 :::587 :::* LISTEN 6799/master
tcp6 0 0 :::465 :::* LISTEN 6799/master
tcp6 0 0 :::25 :::* LISTEN 6799/master

Isn't 465 useless, and can I close it? If yes, then how?

I really appreciate your help.

Thanks,
MYK

Peter
Re: port 25 465 and 587 confusion.
Great! I got it now. You guys rock. By this we will have 3 separate network classes:

1. unauth/local LAN
2. Auth but only to allowed IPs (such as Verizon USA 108.44.155.0/24)
3. and the rest of them will be excluded from relaying or blocked.

Yes, I am aware of the geo IP list. Will try this too.

Thanks again,
MYK

On Mon, Apr 6, 2015 at 5:43 PM, Sebastian Nielsen sebast...@sebbe.eu wrote:

What I meant is that if your users are on a dynamic IP from an “outside” net, you can allow that net *in combination* with authentication. Thus, you will both need to be from the correct net, but also have a valid username and password.

For example, let's say you have an internal company network on 192.168.0.0/16 and then all your external users have ISP accounts from Comhem Sweden. Then you put your internal company network inside “mynetworks” so internal users can relay without authentication. But then, you put the whole Comhem network ( 151.177.0.0/16 ) that “permit_sasl_authenticated, reject_unauth_destination” all users inside 151.177.0.0/16, and does only “reject_unauth_destination” those outside that net.

This means that anyone from the Comhem network will be able to authenticate relay (but not relay without authentication), but those outside the Comhem network won't be able to relay at all, not even as authenticated. Thus, a spammer hacker that does have a good dictionary list or decent password cracking software will not gain any success anyway, because it won't matter how many good accounts that hacker does have, he will still not be able to relay through that server because he must be from 151.177.0.0/16 as well.

If you know that all your users are from a specific country, you could download a GeoIP database and put it into the access table.

Basically, you set your server to:

allow relay for internal users (192.168.0.0/16 or similar) without authentication.
allow relay for authenticated users but ONLY if the authenticated users come from a specific country or ISP network.

Then you have good protection against dictionary hackers/bruteforcers. Many ISPs in Sweden do this: they BOTH require authentication, but you also need to use an IP from that particular ISP. Users outside that network simply have to use their webmail, which does have more protections in the form of captchas and such.

*From:* Muhammad Yousuf Khan sir...@gmail.com
*Sent:* Monday, April 06, 2015 2:27 PM
*To:* Peter pe...@pajamian.dhs.org
*Cc:* Postfix users postfix-users@postfix.org
*Subject:* Re: port 25 465 and 587 confusion.

@Peter

Right, you really should not be allowing submission on port 25 at all.

and is this segregation is a good thought of mine or practical?

Yes

isn't 465 is useless and can i close this if yes then how?

That depends on if you have users that have very old versions of Outlook which don't support STARTTLS. In this case you should encourage or even require them to upgrade to a newer email client, but in case you can't do that then you might have to support port 465 for them. You close it by commenting out the smtps section in master.cf.

In light of your above suggestions, I enabled:

smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

In main.cf, I enabled

smtpd_tls_security_level=encrypt

(I know the master.cf entry will override, but I set encryption in both files.)

By disabling smtps, I disabled the 465 port, and also forced submission by this line:

submission inet n - - - - smtpd

However my clients can still submit emails on port 25, and also on port 587. Both work the same. Can you please guide?

@Sebastian Nielsen

IMHO I find it better to only allow submission from trusted nets. Better to disable authentication completely, and completely disable mail submission (relaying) from the outside. Thus closing 587 completely. 465 can be good to allow old (or misconfigured) SMTPS servers to send incoming mail to you.

Thanks, it's a good idea. I will also read and try to implement this in a separate environment, though I think this approach is applicable when you know your client IPs. if they are dynamic
Re: port 25 465 and 587 confusion.
@Peter

Right, you really should not be allowing submission on port 25 at all.

and is this segregation is a good thought of mine or practical?

Yes

isn't 465 is useless and can i close this if yes then how?

That depends on if you have users that have very old versions of Outlook which don't support STARTTLS. In this case you should encourage or even require them to upgrade to a newer email client, but in case you can't do that then you might have to support port 465 for them. You close it by commenting out the smtps section in master.cf.

In light of your above suggestions, I enabled:

smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

In main.cf, I enabled

smtpd_tls_security_level=encrypt

(I know the master.cf entry will override, but I set encryption in both files.)

By disabling smtps, I disabled the 465 port, and also forced submission by this line:

submission inet n - - - - smtpd

However my clients can still submit emails on port 25, and also on port 587. Both work the same. Can you please guide?

@Sebastian Nielsen

IMHO I find it better to only allow submission from trusted nets. Better to disable authentication completely, and completely disable mail submission (relaying) from the outside. Thus closing 587 completely. 465 can be good to allow old (or misconfigured) SMTPS servers to send incoming mail to you.

Thanks, it's a good idea. I will also read and try to implement this in a separate environment, though I think this approach is applicable when you know your client IPs. If they are dynamic and can be anywhere throughout the world, it is a headache to note down and allow all the IPs. I think simple TLS may do the job. I could be wrong, but I am very new to the mailing thing and this is the point which is making me stop doing it.
port 25 465 and 587 confusion.
I am working on postfix and very new to it, just trying to learn, but I need to clear up my confusion. I have read a lot about all 3 ports and they are confusing me a bit now. Please help me to understand conceptually how things work differently on different ports.

My mail server is listening on port 25 and 465 (TLS). Now when I set my Outlook client to communicate with TLS on port 465, it says the client can not communicate with the mail server. However, when I set it to port 25 with TLS it works, and I can send email as usual.

Now the confusing part is my concept. Do port 25 and 465 work together like FTP, port 21 and 20? Like one port is for negotiation and another port is for data?

Please help me to understand.

Thanks,
MYK
Re: port 25 465 and 587 confusion.
Thanks Chris,

Please correct me if I am wrong. Just sharing this to check if my concept is correct.

Port 25 is to send email between mail servers. If my client (e.g. Outlook) wants to send email it must use port 465 and 587 for security. Port 465 is the SSL-wrapped SMTP port but can also be used with TLS, however some clients do not support this method, thus 465 with a TLS setup may fail. Since port 587 is the new standard and clients are well aware of 587+TLS, therefore the good route to go is 586 with TLS.

Please correct me if I am wrong.

Thanks,
MYK

On Sun, Apr 5, 2015 at 7:28 PM, Chris Adams c...@cmadams.net wrote:

Once upon a time, Muhammad Yousuf Khan sir...@gmail.com said:

now the confusion part is my concept. does port 25 and 465 work together like FTP. port 21 and 20. like 1 port is for negotiate and another port is for data?

Port 25 is traditional SMTP, aimed at server-server communications now (and blocked by some consumer ISPs to reduce spam). It starts in the clear but can support STARTTLS to switch to encrypted communication.

Port 587 is the submission port for SMTP. It works the same as port 25 (including clear communications and STARTTLS support), but is intended for client-server communication for initial message submission. It should require SMTP AUTH (so only authenticated mail can be submitted).

Port 465 was an early (non-standard) SSL-wrapped SMTP port. All communication is encrypted (similar to port 443 for HTTP). This was never an IANA-assigned use, and not that many things support it. Its use is deprecated, but MS Outlook (at least some versions) only support SSL-wrapped SMTP on port 465 (they don't handle the standard way of connecting to 587 and then issuing STARTTLS).

--
Chris Adams c...@cmadams.net
530 5.7.0 Must issue a STARTTLS command first
I am a newbie to postfix. I have just installed ispconfig and mails are working as expected. I am using a domain, let's say xyz.com. Emails between local domain members a...@xyz.com and 1...@xyz.com are working fine. I am even able to receive email from gmail.com. However, one of my official email accounts hosted on networksoultion.com can not send email to my mail server. Whenever I send email from my office id my server returns this error:

The following addresses had permanent fatal errors - supp...@.com supp...@anitbridge.com (reason: 530 5.7.0 Must issue a STARTTLS command first)

... blah blah, there is a long list of comments, but I am sending you guys the reason section only.

Here is my postconf -n:

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.anitbridge.com, localhost, localhost.localdomain
myhostname = mail.anitbridge.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

Any help will be highly appreciated.

Thanks,
Myk
Re: 530 5.7.0 Must issue a STARTTLS command first
On which port are you trying to submit the message? Port 587? You likely are enforcing TLS on that port.

My submitting port is set to 465. There are only 2 ports listening under the Postfix process: 25 and 465.

In any case either change the smtpd_tls_policy_level to 'may' or configure the client failing to use STARTTLS.

My smtpd_tls_policy_level is already set to may. Can you please explain "or configure the client failing to use STARTTLS"?

Sorry if you find my questions very beginner level. I am very new and trying to learn.

Thanks,
Yousuf
Re: 530 5.7.0 Must issue a STARTTLS command first
BTW does it unsure my server if i comment out this line -o smtpd_tls_security_level=encrypt'

On Sun, Apr 5, 2015 at 1:54 AM, Muhammad Yousuf Khan sir...@gmail.com wrote:

Thanks Mathias Jeschke and Petrick. Issue is resolved as I commented out the said line.

Thanks,
yousuf

On Sun, Apr 5, 2015 at 1:30 AM, Mathias Jeschke postfix-us...@0xaffe.de wrote:

Hi,

On 2015-04-0 at 22:17 Muhammad Yousuf Khan wrote:

smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Here you go - due to the way how you commented out options you have set smtpd_tls_security_level=encrypt for smtpd (port 25), thus all clients on that port have to use STARTTLS to deliver mail.

Typically admins tend to configure options in main.cf that are common for all postfix daemons and then override some options in master.cf. For example, in most setups no encryption is enforced on port 25 and enforce it for submission (or smtps).

I recommend to comment again the lines below submission and reload postfix.

Cheers,
Mathias
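
The effect Mathias describes, as an added example that is not part of the thread: a small Python parser that joins master.cf continuation lines as master(5) documents (comment lines are skipped and do not end a service entry) and reports which service each "-o" override really lands on. The two sample files and the MAIN_CF value are constructed from the configuration quoted above, and the function names are hypothetical.

```python
"""Which master.cf service does each "-o" override really belong to?"""

SERVICE_TYPES = {"inet", "unix", "unix-dgram", "fifo", "pass"}

# Constructed sample, modelled on the master.cf quoted in the thread: the
# "submission" service line is commented out, most of its "-o" lines are not.
BROKEN_MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
#smtp      inet  n  -  -  -  1  postscreen
#tlsproxy  unix  -  -  -  -  0  tlsproxy
#submission inet n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Constructed sample: the same entry with the service line active again.
FIXED_MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Assumed main.cf default, taken from the "may" setting mentioned in the thread.
MAIN_CF = {"smtpd_tls_security_level": "may"}


def logical_lines(text):
    """Join physical lines into logical master.cf lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment: ignored, does NOT end a service entry
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()  # continues the last ACTIVE line
        else:
            lines.append(raw.strip())
    return lines


def parse_services(text):
    """Return {(name, type): {param: value}} holding each service's -o overrides."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        args, overrides, i = fields[8:], {}, 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                overrides[key] = value
                i += 2
            else:
                i += 1
        services[(fields[0], fields[1])] = overrides
    return services


def effective(text, main_cf, param):
    """Per-service value of param: a master.cf -o override wins over main.cf."""
    return {svc: ov.get(param, main_cf.get(param))
            for svc, ov in parse_services(text).items()}


def orphaned_overrides(text):
    """List (option, disabled_service, active_service) for continuation lines
    that follow a commented-out service line and so attach to an earlier one."""
    findings, active, disabled = [], None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            fields = stripped.lstrip("#").split()
            if raw[0] == "#" and len(fields) >= 8 and fields[1] in SERVICE_TYPES:
                disabled = fields[0]  # looks like a disabled service line
            continue
        if raw[0].isspace():
            if disabled and active:
                findings.append((stripped, disabled, active))
        else:
            active, disabled = stripped.split()[0], None
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(label, effective(text, MAIN_CF, "smtpd_tls_security_level"))
        for option, disabled, active in orphaned_overrides(text):
            print(f"  {option!r} was written for {disabled!r} but applies to {active!r}")
```

On a live system, postconf -M and postconf -P print the services and per-service overrides as Postfix itself parsed them, which is the authoritative check.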
Re: 530 5.7.0 Must issue a STARTTLS command first
Thanks for sharing this i think i have to read more about it. once again Thanks a lot for your support.

MYK

On Sun, Apr 5, 2015 at 2:10 AM, Mathias Jeschke postfix-us...@0xaffe.de wrote:
> Hi Yousuf,
>
> On 2015-04-04 at 22:58 Muhammad Yousuf Khan wrote:
> > BTW does it unsure my server if i comment out this like
> > -o smtpd_tls_security_level=encrypt'
>
> It depends on your policy/topology/...
> Based on your setting in main.cf there is at least STARTTLS offered on port 25 (smtpd_tls_security_level=may).
>
> However, for clients that I can control - like in your case - I would always use port 587 for submission these days. Technically, it is the same to port 25 but you can enforce more strict rules for this port, like it's given in the default master.cf template:
>
> submission inet n - - - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> This allows only TLS-secured and authenticated delivery on port 587, everything else (i.e. spammers) gets blocked.
>
> If there are no other servers that deliver mails via SMTP based on your MX record in the DNS you could also turn off port 25 entirely.
>
> Cheers,
> Mathias.
Re: 530 5.7.0 Must issue a STARTTLS command first
external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

On Sun, Apr 5, 2015 at 1:03 AM, Mathias Jeschke postfix-us...@0xaffe.de wrote:
> Hi,
>
> On 2015-04-04 at 21:52 Muhammad Yousuf Khan wrote:
> > my submitting port is set to 465. there are only 2 ports listening under Postfix process. 25 and 465
> >
> > > In any case either change the smtpd_tls_policy_level to 'may' or configure the client failing to use STARTTLS.
> >
> > my smtpd_tls_policy_level is already set to may. can you please explain or configure the client failing to use STARTTLS.
>
> The contents of your master.cf are also important here - I guess the policy/config is overridden there.
>
> Cheers,
> Mathias.
Re: 530 5.7.0 Must issue a STARTTLS command first
> That's how we all start. Don't worry about that.

Thanks :)

> On which port does your client connect? Once we have that, we can check the config on Postfix's end.

my client is set for port 25 and authentication mode is AUTO. client is outlook. btw issue is not at client side, i believe that issue is at MTA level.

Connection diagram is like this

___Network Solution Mailserver/MTA | Outlook2007 client == |MY VPS MTA/Mailserver.

my outlook client is set with two accounts: 1. Network Solution company's Mailserver and 2. my own VPS Mailserver. my own VPS seems to be working fine and can receive emails from gmail, hotmail, and yahoo. but when Network solution mailserver/MTA sends this email to MY VPS MTA (which is actually generated from my own outlook client) it failed to send and ended up with the mentioned error. and on server side i only see these two lines and nothing else.

Apr 5 01:27:03 FirstDebian postfix/submission/smtpd[20582]: connect from atl4mhob16.myregisteredsite.com[209.17.115.109]
Apr 5 01:27:05 FirstDebian postfix/submission/smtpd[20582]: disconnect from atl4mhob16.myregisteredsite.com[209.17.115.109]

Thanks,
Yousuf
Re: 530 5.7.0 Must issue a STARTTLS command first
Thanks Mathias Jeschke and Petrick. Issue is resolved as i commented out the said line.

Thanks,
yousuf

On Sun, Apr 5, 2015 at 1:30 AM, Mathias Jeschke postfix-us...@0xaffe.de wrote:
> Hi,
>
> On 2015-04-0 at 22:17 Muhammad Yousuf Khan wrote:
> > smtp inet n - - - - smtpd
> > #smtp inet n - - - 1 postscreen
> > #smtpd pass - - - - - smtpd
> > #dnsblog unix - - - - 0 dnsblog
> > #tlsproxy unix - - - - 0 tlsproxy
> > #submission inet n - - - - smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> > #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> >   -o milter_macro_daemon_name=ORIGINATING
>
> Here you go - due to the way how you commented out options you have set smtpd_tls_security_level=encrypt for smtpd (port 25), thus all clients on that port have to use STARTTLS to deliver mail.
>
> Typically admins tend to configure options in main.cf that are common for all postfix daemons and then override some options in master.cf. For example, in most setups no encryption is enforced on port 25 and enforce it for submission (or smtps).
>
> I recommend to comment again the lines below submission and reload postfix.
>
> Cheers,
> Mathias
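Added example (not part of the original thread and not Postfix code): a small linter for the failure diagnosed above, where a service line in master.cf is commented out but its indented "-o" lines stay active and so continue the previous service. The sample input is constructed from the excerpt quoted in the thread; the function names are this example's own.

```python
"""Lint a Postfix master.cf for "-o" overrides left active under a
commented-out service line, which makes them apply to the service above."""

SERVICE_TYPES = {"inet", "unix", "unix-dgram", "fifo", "pass"}

# Constructed sample: the master.cf excerpt quoted in the thread.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Same file after the fix recommended in the thread: the lines that belonged
# to the disabled submission service are commented out as well.
FIXED_MASTER_CF = SAMPLE_MASTER_CF.replace("\n  -o", "\n#  -o")


def _disabled_service_name(comment_line):
    """Return the service name if a comment looks like a disabled service entry."""
    fields = comment_line.lstrip().lstrip("#").split()
    if len(fields) >= 8 and fields[1] in SERVICE_TYPES:
        return fields[0]
    return None


def parse_master_cf(text):
    """Parse services and their "-o name=value" overrides.

    Follows master(5): comment and empty lines are ignored, and a line that
    starts with whitespace continues the previous logical line. The
    "-o { name = value }" form of newer Postfix versions is not handled.
    """
    services = []
    current = None
    disabled = None  # last commented-out service seen since the active one
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            disabled = _disabled_service_name(stripped) or disabled
            continue
        tokens = stripped.split()
        if raw[0].isspace():
            if current is None:
                continue  # continuation with no service before it
            args = tokens
        else:
            if len(tokens) < 8:
                current = None  # malformed service line, skip it
                continue
            current = {"name": tokens[0], "type": tokens[1], "overrides": []}
            services.append(current)
            disabled = None
            args = tokens[7:]  # command name plus its arguments
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                current["overrides"].append(
                    {"name": name, "value": value, "line": lineno,
                     "orphan_of": disabled})
                i += 2
            else:
                i += 1
    return services


def find_orphaned_overrides(text):
    """List (service, option, value, disabled_service, line) for each override
    that follows a commented-out service line but attaches to an active one."""
    return [(f'{svc["name"]}/{svc["type"]}', o["name"], o["value"],
             o["orphan_of"], o["line"])
            for svc in parse_master_cf(text)
            for o in svc["overrides"] if o["orphan_of"]]


def effective_overrides(text, name, service_type):
    """Return the overrides that apply to one service as a dict."""
    for svc in parse_master_cf(text):
        if svc["name"] == name and svc["type"] == service_type:
            return {o["name"]: o["value"] for o in svc["overrides"]}
    return {}


if __name__ == "__main__":
    for service, option, value, was, line in find_orphaned_overrides(SAMPLE_MASTER_CF):
        print(f"line {line}: -o {option}={value} applies to {service}, "
              f"not to the commented-out '{was}'")
```

On a live system the override list can be compared against what "postconf -M" and "postconf -P" report for the same service.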
Re: How to use only flat-file for passwords when using non-system users for a hosted, virtual domain?
Postfix is an MTA only. for IMAP and POP you need dovecot or courier combined with Postfix.

Thanks,
Yousuf

On Thu, Jul 10, 2014 at 11:21 AM, Arun arun_v_sanj...@yahoo.com wrote:
> Hello,
>
> I am just starting to build up my Postfix server. I have been reading the many docs. I decided to set up with virtual_domains. For a simple first step I am not using the MySQL database tables yet, only flat files.
>
> In my main.cf configuration file I put
>
> /usr/local/etc/postfix/main.cf
> ...
> virtual_mailbox_domains = mx.testdomain.loc
> virtual_mailbox_base = /var/mail/vhosts
> virtual_mailbox_maps = /usr/local/etc/postfix/vmailbox
> virtual_minimum_uid = 100
> virtual_uid_maps = static:5000
> virtual_gid_maps = static:5000
>
> And then I put just one user in it
>
> /usr/local/etc/postfix/vmailbox
> a...@mx.testdomain.loc mx.testdomain.loc/arun/
>
> From my reading I think this will work okay.
>
> What I do not understand is how to put in a password for the only one user in a flatfile, not a database. There are many docs for the database approach to it. But I have not found one for just a flatfile.
>
> How do I add a password for the a...@mx.testdomain.loc that I would use in my mail client program, like Thunderbird, to access the account? Both for sending and receiving?
>
> Thank you for your help.
>
> Arun
any book for all in one postfix, roundcube ldap dovecot mysql
is there any book which contains all the postfix features and third party components like roundcube, ldap,dovecot mysql, spamfilter etc Thanks, Myk
Re: need advice
Thanks, i sincerely appreciate all the suggestions that will help me to choose a good option for our requirement. Regards Myk On Tue, Apr 2, 2013 at 1:56 AM, Robert Schetterer r...@sys4.de wrote: Am 01.04.2013 16:59, schrieb Muhammad Yousuf Khan: i have been working on Postfix dovecot etc for couple of months and suddenly my my management ask the question that they want to sync mobile device calendar along with i map. i am sure about IMAP i can implement this with no issues but calendar sync is something that i am looking for. so the criteria is to sync all calender items on android and iphone and outlook etc. so what you please have to suggest. and obviously no option of third party like google calender etc. we are looking for some centralized solution Thanks MYk calender sync is no imap or smtp function its most http based ,go Horde webmail or i.e sogo your question is off topic postfix or i.e dovecot http://www.horde.org/apps/kronolith/screenshots http://www.sogo.nu/english.html Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
need advice
i have been working on Postfix dovecot etc for couple of months and suddenly my my management ask the question that they want to sync mobile device calendar along with i map. i am sure about IMAP i can implement this with no issues but calendar sync is something that i am looking for. so the criteria is to sync all calender items on android and iphone and outlook etc. so what you please have to suggest. and obviously no option of third party like google calender etc. we are looking for some centralized solution Thanks MYk
Re: Migration from Microsoft Exchange Server
i am sure u will receive emails saying you can not compare the two, because posfix is an MTA. at some point when i was very new and was asking the same. it is correct that postfix is an MTA but it is also correct that postfix can work far more better then Exchange by combining add-ons. i suggest you to read more about followings. Postfix (MTA) configuration concept and Maildir Dovecot (LDA) config configuration for support of POP, IMAP and SASL authencitaion Virtual domains configuration concept virtual users configuration and concept or Ldap auth for integration with active directory. spamassasin with antivirus ability (but an overhead normally not required) Thanks Yousuf On Wed, Mar 20, 2013 at 4:12 PM, Ashok Kumar J ashok.jagathe...@gmail.comwrote: Hi All, I want to migrate from Microsoft Exchange Server to Postfix mail server. please give your valuable suggestion. -- with regards Ashok Kumar J
Re: Migration from Microsoft Exchange Server
And if you dont wana go command line alot (which i prefer not) then go for some collaboration suite like Zimbra (opensource), citadel, kolab and many others. On Wed, Mar 20, 2013 at 4:41 PM, Muhammad Yousuf Khan sir...@gmail.comwrote: i am sure u will receive emails saying you can not compare the two, because posfix is an MTA. at some point when i was very new and was asking the same. it is correct that postfix is an MTA but it is also correct that postfix can work far more better then Exchange by combining add-ons. i suggest you to read more about followings. Postfix (MTA) configuration concept and Maildir Dovecot (LDA) config configuration for support of POP, IMAP and SASL authencitaion Virtual domains configuration concept virtual users configuration and concept or Ldap auth for integration with active directory. spamassasin with antivirus ability (but an overhead normally not required) Thanks Yousuf On Wed, Mar 20, 2013 at 4:12 PM, Ashok Kumar J ashok.jagathe...@gmail.com wrote: Hi All, I want to migrate from Microsoft Exchange Server to Postfix mail server. please give your valuable suggestion. -- with regards Ashok Kumar J
LDA understanding
i was just trying to understand LDA my understanding with postfix is that postfix is an MTA and procmail is an LDA to deliver email however i am using postfix alone and it is working great. it work with both system user and virtual users with no issue. it receive email and drop it to virtual user directory or system user directory. so my question if postfix delivering the message to all the users then what is the need of procmail/LDA?
Re: LDA understanding
Thanks guys, i am using dovecot but i didn't knew in technical term we call it LDA :P. but i thought procmail delivers emails to the user-folder only, which i misunderstood , if dovecot, procmail and courier are LDAs as i perceive from you emails. so no problem in understanding the functionality of procmail as i am already using dovecot. Thanks, On Thu, Mar 14, 2013 at 3:15 PM, Jerry postfix-u...@seibercom.net wrote: On Thu, 14 Mar 2013 14:44:26 +0500 Muhammad Yousuf Khan articulated: i was just trying to understand LDA my understanding with postfix is that postfix is an MTA and procmail is an LDA to deliver email however i am using postfix alone and it is working great. it work with both system user and virtual users with no issue. it receive email and drop it to virtual user directory or system user directory. so my question if postfix delivering the message to all the users then what is the need of procmail/LDA? Personally, I have no idea why anyone uses procmail. For relatively fine grain sorting of mail upon delivery, I use Dovecot and Sieve. From what I can ascertain, procmail hasn't even been maintained in over a decade. Just my 2¢ on the matter. -- Jerry ✌ postfix-u...@seibercom.net _ TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Re: Getmail
On Thu, Feb 28, 2013 at 3:17 AM, /dev/rob0 r...@gmx.co.uk wrote:
> On Wed, Feb 27, 2013 at 05:51:08PM +0500, Muhammad Yousuf Khan wrote:
> > i am using virtual users and domains, where i have 2 virtual domains and few users in both. i would like getmail to fetch email via pop3
>
> First, I'll note that this is mostly off topic. Postfix has little to do with this, only incidentally.

yes, i agree but i would be thankful for every piece of help. :)

> You'll have to run getmail as the system user/group who owns the mailbox. The Postfix settings which might apply are virtual_uid_maps and virtual_gid_maps. This user (or users, as the case may be) must have a valid shell (which you generally would not want in the case of virtual delivery.)

our users are not that good in Linux, they can not manage this file by themselves. i think i have to define all users in one file if possible and manage it by user Root.

> It looks like you made a $HOME for your virtual users; that's good. You can keep your files in /maildb/vmail/$domain/$user/.getmail, or perhaps even in /maildb/vmail/.getmail if it's all one user, as it is in almost every case.
>
> You can make a cron job for the user[s] to getmail. Refer to the examples as provided by Robert.

actually i want to define all users in one file. by user root and by cron job i will fetch all the messages. is it possible defining all the users and their destination in /maildb/vmail/.getmail as shared by you. sorry for my newbie question, i am very new with getmail so before getting involved with it i am trying to make a good ground.

> You have weakened the security of your virtual system by providing this user a real shell and having it call out to the Internet. Thus why I say this should be done by a system user. If your virtual user is compromised, all your mail might be at stake. If a system user is compromised, only that user's mail (and other files) is at risk.

i think security will not be an issue. since i haven't published my postfix box and our internal users are not that smart :) they just need their emails one way or another.

Thanks

> --
> http://rob0.nodns4.us/ -- system administration and consulting
> Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Getmail
i am using virtual users and domains, where i have 2 virtual domains and few users in both. i would like getmail to fetch email via pop3 from our hosting servers and copy it directly to our Maildir Base, here is the path of my virtual users mailbox base. /maildb/vmail/$domain/$user/Maildir is there anyone can guide me with the getmail settings. Thanks, MYK
Maildir format nor working
Hi all,

it is set home_mailbox = Maildir/ in my main.cf and i am using virtual maps and virtual domains in testing environment. i can receive emails but not in maildir format rather ASCII text format. here is an example, sahmad is a username and it showed up as a file not a directory

file sahmad
sahmad: ASCII mail text

however as per the Maildir/ format it is supposed to be in Maildir directory structure. would you please help me to find out the issue. i am following this https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto and using debian version 6.0.4

here is my postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
myhostname = localhost
mynetworks = 127.0.0.0/8, 10.0.0.0/24
myorigin = $myhostname
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU)
virtual_gid_maps = static:5000
virtual_mailbox_base = /maildb/vmail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
Re: Maildir format nor working
the error is resolved. it was the issue of virtual host maps. it seems like document is a bit older though there is too much to learn from it. good document.

i had to define it like

$user $mail-base/$domain.com/$user/Maildir

in my virtual_mailbox_maps, otherwise mails are received in mbox format (which is not maildir). home_mailbox only works for local users, not for virtual users/mailboxes.

On Wed, Feb 6, 2013 at 3:34 PM, Muhammad Yousuf Khan sir...@gmail.com wrote:
> Hi all,
>
> it is set home_mailbox = Maildir/ in my main.cf and i am using virtual maps and virtual domains in testing environment. i can receive emails but not in maildir format rather ASCII text format. here is an example, sahmad is a username and it showed up as a file not a directory
>
> file sahmad
> sahmad: ASCII mail text
>
> however as per the Maildir/ format it is supposed to be in Maildir directory structure. would you please help me to find out the issue. i am following this https://help.ubuntu.com/community/PostfixVirtualMailBoxClamSmtpHowto and using debian version 6.0.4
>
> here is my postconf -n
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> home_mailbox = Maildir/
> inet_interfaces = all
> mailbox_size_limit = 0
> myhostname = localhost
> mynetworks = 127.0.0.0/8, 10.0.0.0/24
> myorigin = $myhostname
> recipient_delimiter = +
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU)
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /maildb/vmail
> virtual_mailbox_domains = /etc/postfix/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> virtual_minimum_uid = 1000
> virtual_uid_maps = static:5000
Re: clamd with clamsmtp vs mailscanner
On Thu, Jan 31, 2013 at 5:33 PM, Noel Jones njo...@megan.vbhcs.org wrote: On 1/31/2013 5:59 AM, Muhammad Yousuf Khan wrote: i wanted to have an experienced suggestion from Pros. i have been going through from different steps deploying clamav and spamassassin, one is mailscanner and seccond one is clamd with clamsmtp in your expert opinion which one is the right track to choose. like which one is efficient in perspective of hardware utilization / resources utilization , complexity and more appropriate approach towards stable deployment. Thanks Neither. If you only want to do virus scanning, use the clamav-milter included with clamav. Mailscanner is not recommended for use with postfix. clamsmtp is more complicated than using the bundled clamav-milter. since i am new and just trying to explore things so would you please share why not mailscanner? for my learning Thanks, clamav-milter integrates easily with postfix, is reliable, and has fewer third-party dependencies compared to the other choices. Also consider using the add-on Sanesecurity anti-spam signatures for clamav. I've found them to be quite useful with very low false positives. http://www.sanesecurity.com/ -- Noel Jones
Re: clamd with clamsmtp vs mailscanner
Thanks all for all your support :) its been very helpful On Fri, Feb 1, 2013 at 1:29 AM, John Allen j...@klam.ca wrote: On 31/01/2013 6:59 AM, Muhammad Yousuf Khan wrote: i wanted to have an experienced suggestion from Pros. i have been going through from different steps deploying clamav and spamassassin, one is mailscanner and seccond one is clamd with clamsmtp in your expert opinion which one is the right track to choose. like which one is efficient in perspective of hardware utilization / resources utilization , complexity and more appropriate approach towards stable deployment. Thanks Why not use Amavis-new as the mail scanner. It will handle the hand off to spamassassin and clamav and the return of scanned mail to postfix and there are several very good How tos on setting it up. Today's mighty Oak is yesterday's nut that held it's ground. - Margaret Bailey Sent using Mozilla Thunderbird
Re: Backup server
On Thu, Jan 17, 2013 at 1:59 PM, Robert Schetterer r...@sys4.de wrote: Am 17.01.2013 07:59, schrieb Muhammad Yousuf Khan: i want to plan a backup postfix server for minimizing the downtime. i have read about MX record entry to use as backup server . but this if for pure postfix only in my case i will be running round cube, dovecot for IMAP storage. how is that possible that i just have to change the DNS entry and people start accessing same settings same view of round cube with in just 1 or 2 minutes of delay. is there anyone can help me? DRBD is kinda complex. just for your knowledge i am using local hard drive as storage not external storage. Thanks, dns loadbalancing does not play very well, so you want no traditional mx backup mailserver instead you want some HA Setup with all mail related stuff ( smtp/pop3/imap/webmail ), using drbd/nfs and loadbalancer/directors are the way you have to go, postfix isnt the harder part for that, so better ask and serach for HA setup with dovecot first, i.e on dovecot list etc Thanks i got your point Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
Re: RoundCube vs squirrelmail (pros and cons)
On Fri, Dec 28, 2012 at 3:14 AM, mouss mo...@ml.netoyen.net wrote: Le 27/12/2012 22:16, Benny Pedersen a écrit : mouss skrev den 2012-12-27 16:09: both are reasonablechoices. I personally prefer RoundCube. +1 The real problem with webmail is password theft, webmail have password problems no other mailclient have ? well, actually, the problme is between connect from random box (a browser and you're there) and connect from individual box (for good or bad reasons, settings up a standard MUA requires some work...). of course, if a motivated luser configures a MUA in a lost cyber bar, ... your statement just confuses me, do you mean threats like brute-force, man-in-the-middle or you are talking about the mistake that people usually make by saving their password in browser? i mean how come password theft is possible in roundcube or squirrelmail ? or did you mean in general? and this is independent of which solution you use. +1
Re: RoundCube vs squirrelmail (pros and cons)
On Fri, Dec 28, 2012 at 1:53 AM, Stan Hoeppner s...@hardwarefreak.com wrote: On 12/27/2012 12:38 AM, Muhammad Yousuf Khan wrote: i want a web interface for our email access. To me roundcube seems more attractive/better then squirrel-mail (look wise) however i dont want to overlook better options/features if there are any in squirrelmail. so my question to all the users who have experience with both UI. would you please suggest me which one to pick and which one is good/better/stable to use? Have you looked at SoGo? Advanced Ajax interface, with right click context sensitive drop downs, drag drop, etc, like a normal desktop mail client. It's not just webmail but a full groupware server like MS Exchange. Full LDAP support, shared calenders, etc. In addition to the web interface it supports fat Thunderbird/Lightning and Outlook clients. It also supports Android/iPhone/Blackberry. Includes an admin plugin for Webmin. In short it's very feature rich. The one downside is that it requires more system resources on both the client and server, but with modern hardware this shouldn't be an issue. http://www.sogo.nu/ Thanks, i have been through with this ( i mean an overview) but what i am interested in is combining together all the elements by my self. its kinda fun and it will give me the opportunity to learn more. and i love when i type commands in black and white (X console) of Linux and my manager and people around watching me that i am doing some kind of a black magic :P -- Stan
RoundCube vs squirrelmail (pros and cons)
i want a web interface for our email access. To me roundcube seems more attractive/better then squirrel-mail (look wise) however i dont want to overlook better options/features if there are any in squirrelmail. so my question to all the users who have experience with both UI. would you please suggest me which one to pick and which one is good/better/stable to use? Thanks,
Re: Directive mynetwork and mynetwork_style
Thanks :)

On Fri, Dec 14, 2012 at 1:35 PM, Will w...@lathrios.net wrote:
> On 12/14/12 01:43, Muhammad Yousuf Khan wrote:
> > i am confuse about the utilization of directives: mynetwork and mynetwork_style
> > is mynetwork directive completely dependent on mynetwork_style. can i use only mynetwork for relaying messages or i always have to use mynetwork_style along with mynetwork to allow relaying to particular host or subnet.
> > thanks in advance.
>
> mynetworks and mynetworks_style are essentially mutually exclusive; you use either one or the other. If you specify mynetworks, mynetworks_style is ignored.
>
> Each is used to specify SMTP clients that are trusted by the server based on their IP address. mynetworks_style is used to specify trusted clients based on their relationship to the server's IP address, while mynetworks specifies trusted clients by explicitly giving their IP addresses or an IP address range. For example, specifying mynetworks_style = subnet indicates that all clients in that subnet are trusted, while mynetworks = 50.116.33.0/24 might be used instead to say the same thing (if 50.116.33.0/24 describes your subnet).
>
> These clients are trusted because the mynetworks (or mynetworks_style) parameter is used by smtpd to determine who is allowed to relay mail when the smtpd_relay_restrictions parameter contains permit_mynetworks. If you haven't changed smtpd_relay_restrictions in your config, it defaults to permit_mynetworks, reject_unauth_destination, which will allow those clients listed in mynetworks (or mynetworks_style) to relay mail.
>
> You only need to use mynetworks OR mynetworks_style (but not both) to enable relaying from certain clients.
>
> Read the documentation when you get confused. It is explained quite clearly here:
> http://www.postfix.org/postconf.5.html#mynetworks
> http://www.postfix.org/postconf.5.html#mynetworks_style
> http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
>
> -Will
Directive mynetwork and mynetwork_style
i am confuse about the utilization of directives: mynetwork and mynetwork_style is mynetwork directive completely dependent on mynetwork_style. can i use only mynetwork for relaying messages or i always have to use mynetwork_style along with mynetwork to allow relaying to particular host or subnet. thanks in advance.
difference b/w /etc/aliases and virtual_alias_maps
i was testing /etc/aliases and virtual_alias_maps define in /etc/postfix/main.cf both works fine for me. however the confusion part is i can not understand the difference b/w them. like in which case i can use virtual_alias_maps or /etc/aliases file. Thanks in advance for any help .
Re: send specified email to a public folder.
On Thu, Nov 29, 2012 at 6:42 PM, Noel Jones njo...@megan.vbhcs.org wrote: On 11/29/2012 6:18 AM, Muhammad Yousuf Khan wrote: i created a public namespace in dovecot on root (/public) there are two folders inside public. /public/HR and /public/News i want, when only HR send email to hr.annou...@mydomain.com it will deliver to the /public/HR when other users try to send email to hr.annou...@mydomain.com their access must denied. To control in postfix what users can send to what address, see the examples here: http://www.postfix.org/RESTRICTION_CLASS_README.html Thanks, Very helpful for further studies. To deliver mail to a specific folder, see the dovecot list. -- Noel Jones
send specified email to a public folder.
i created a public namespace in dovecot on root (/public) there are two folders inside public. /public/HR and /public/News i want, when only HR send email to hr.annou...@mydomain.com it will deliver to the /public/HR when other users try to send email to hr.annou...@mydomain.com their access must denied. i know this can be done by virtual users i am already using virtual users for controlling emails flow. however i do not know how to send specific emails to a very specific accounts only by privileged user. any help would be appreciated. Thanks,
Public folder
i have got a working dovecot+postfix (with maildir + sasl). now i want a public folder for users so that HR related or other announcements should be shared with read only rights. i followed dovecot official document for public share but it didn't work.

# User's private mail location
mail_location = maildir:~/Maildir

# When creating any namespaces, you must also have a private namespace:
namespace private {
  separator = /
  prefix =
  #location defaults to mail_location.
  inbox = yes
}

namespace public {
  separator = /
  prefix = Public/
  location = maildir:/var/mail/public
  subscriptions = no # v1.1+
}

(http://wiki.dovecot.org/SharedMailboxes/Public#Public_Mailboxes)

this is what official document looks like. i even created folder /var/mail/public with 777 rights and all the folders mentioned in above doc, however it does not show up in the IMAP account. is there anything more i should do to achieve this. my current mailbox location is home folder.

Thanks
Postfix with Active directory
Newbie Alert! :) i am using Postfix with maildir and i want my mailboxes to be integrated with my active directly windows 2003 server. i don't want to recreate all the accounts and home directories in Linux which are already created in active directory. i am already familiar and using winbind with samba. however i do not know the better approach with postfix. need help. Thanks,
Re: Postfix with Active directory
On Tue, Nov 27, 2012 at 1:17 PM, Erwan David er...@rail.eu.org wrote: On Tue, Nov 27, 2012 at 09:03:56AM CET, Muhammad Yousuf Khan sir...@gmail.com said: Newbie Alert! :) i am using Postfix with maildir and i want my mailboxes to be integrated with my active directly windows 2003 server. i don't want to recreate all the accounts and home directories in Linux which are already created in active directory. i am already familiar and using winbind with samba. however i do not know the better approach with postfix. need help. You can use active directory as a ldap server, the ldap schema is rather specific, but you can get all the information you want from it. And postfix works great with ldap. would you please recommend any howto for LDAP with postfix? secondly, do i have to create home folder manually or is there any procedure or work around for this? I did not try Kerberos authentication with postfix, but for authenticating senders, it is a way you may want to explore.
Re: NDR not received while relaying
yes it seems, so actually i just set my outlook smtp to my ISP relay. waiting for the NDR if not received (hopefully) then will discuss this with ISP. thanks for your help. On Thu, Nov 22, 2012 at 1:00 PM, Ralf Hildebrandt r...@sys4.de wrote: * Muhammad Yousuf Khan sir...@gmail.com: i am using my ISP relay. and i don't receive NDRs for any invalid or unknown account. is this default. or i must be doing some config mistakes. Maybe your ISP relay is blocking bounces. however, in log files i can see that my message has been relayed to the ISP smtp. but i do not receive any NDR. any idea. please help? Ask your ISP. -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
Re: reporting
On Thu, Nov 22, 2012 at 12:58 PM, Ralf Hildebrandt r...@sys4.de wrote: * Muhammad Yousuf Khan sir...@gmail.com: and mime_header_checks with: /filename=\"(.*)\.(...)\"$/ WARN Attachment $1.$2 Thanks for the help. but any suggestion for the attachment size. Not possible with postfix alone. If you put Amavis in the loop, you get to see the attachment names sizes at loglevel 2 Thanks, i am already planning to integrate Amavis with postfix after some basic tests -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
reporting
Please help, your experienced advice is required. My management is interested in seeing some reports from Postfix logs. Is there any way that I can collect reports in which I can check who is the sender, who is the receiver, what was the mail subject, and, if there is any attachment, what was the size and what was the file name? Thanks
Re: reporting
[cut] Postfix has built-in WARN actions in header_checks that can log message subjects and attachment names, but there is no built-in support to log details such as attachment sizes. if not built-in then any workaround would you like to suggest. [cut]
Re: reporting
On Wed, Nov 21, 2012 at 9:13 PM, Ralf Hildebrandt r...@sys4.de wrote: * Muhammad Yousuf Khan sir...@gmail.com: is there any way that i can collect reports in which i can check who is the sender who is the receiver what was the mail subject, if You can log this using header_checks with: /^Subject:/ WARN and mime_header_checks with: /filename=\"(.*)\.(...)\"$/ WARN Attachment $1.$2 Thanks for the help. but any suggestion for the attachment size. -- [*] sys4 AG
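The report asked for in this thread can be assembled from the log lines that the WARN actions produce. The following is an added example, not code from the thread or from Postfix: it joins cleanup, qmgr and delivery lines by queue ID. The sample log lines are constructed, and the ": Attachment name" suffix assumes the WARN text suggested above. As stated in the thread, only the total message size is available, not the attachment size.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Nov 22 10:15:01 mailsrv postfix/cleanup[4242]: 3F1A2B4C5D: warning: header Subject: Q3 budget from ws1.example.com[10.51.100.23]; from=<alice@example.com> to=<bob@example.com> proto=ESMTP helo=<ws1.example.com>
Nov 22 10:15:01 mailsrv postfix/cleanup[4242]: 3F1A2B4C5D: warning: header Content-Disposition: attachment; filename="budget.xls" from ws1.example.com[10.51.100.23]; from=<alice@example.com> to=<bob@example.com> proto=ESMTP helo=<ws1.example.com>: Attachment budget.xls
Nov 22 10:15:01 mailsrv postfix/qmgr[8258]: 3F1A2B4C5D: from=<alice@example.com>, size=48213, nrcpt=1 (queue active)
Nov 22 10:15:02 mailsrv postfix/local[8762]: 3F1A2B4C5D: to=<bob@example.com>, relay=local, delay=0.17, delays=0.16/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Nov 22 10:20:40 mailsrv postfix/cleanup[4250]: 7C9D0E1F2A: warning: header Subject: lunch? from ws2.example.com[10.51.100.24]; from=<carol@example.com> to=<dave@example.com> proto=ESMTP helo=<ws2.example.com>
Nov 22 10:20:40 mailsrv postfix/qmgr[8258]: 7C9D0E1F2A: from=<carol@example.com>, size=702, nrcpt=1 (queue active)
Nov 22 10:20:41 mailsrv postfix/local[8762]: 7C9D0E1F2A: to=<dave@example.com>, relay=local, delay=0.1, delays=0.1/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
"""

# "postfix/<daemon>[pid]: <QUEUEID>: <rest>" (short, hexadecimal queue IDs)
LINE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# Greedy match: the subject is sender-controlled text, so anchor on the LAST
# " from host[ip]; from=<" that Postfix itself appended to the line.
SUBJECT = re.compile(r"^warning: header Subject: (?P<subject>.*) from \S+\[[^\]]+\]; from=<")
# Optional WARN text, logged after helo=<...> (assumed to be "Attachment $1.$2").
ATTACH = re.compile(r"helo=<[^>]*>: Attachment (?P<name>.+)$")
QMGR = re.compile(r"^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=\d+")
DELIVERY = re.compile(r"^to=<(?P<rcpt>[^>]*)>,.*\bstatus=(?P<status>\w+)")


def build_report(log_text):
    """Return {queue_id: {sender, size, subject, attachments, recipients}}."""
    report = defaultdict(lambda: {"sender": None, "size": None, "subject": None,
                                  "attachments": [], "recipients": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry, rest = report[m["qid"]], m["rest"]
        if m["daemon"] == "cleanup":
            if (s := SUBJECT.match(rest)):
                entry["subject"] = s["subject"]
            elif (a := ATTACH.search(rest)):
                entry["attachments"].append(a["name"])
        elif m["daemon"] == "qmgr":
            if (q := QMGR.match(rest)):
                entry["sender"] = q["sender"]
                entry["size"] = int(q["size"])  # whole message, in bytes
        elif (d := DELIVERY.match(rest)):
            entry["recipients"].append((d["rcpt"], d["status"]))
    return dict(report)


if __name__ == "__main__":
    for qid, e in build_report(SAMPLE_LOG).items():
        rcpts = ", ".join(f"{r} ({s})" for r, s in e["recipients"])
        print(f"{qid}: {e['sender']} -> {rcpts} | subject={e['subject']!r} "
              f"| message size={e['size']} | attachments={e['attachments']}")
```

Subjects and file names in these log lines are text chosen by the sender, so escape them before they go into an HTML or spreadsheet report.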
NDR not received while relaying
I am using my ISP relay, and I don't receive NDRs for any invalid or unknown account. Is this the default, or must I be making some config mistake? However, in the log files I can see that my message has been relayed to the ISP SMTP, but I do not receive any NDR. Any idea? Please help. Thanks MYK
cache MX record
Due to some reason my primary DNS (Windows 2003) is not giving me an MX record, even though I have created one manually for my mailserver, and afterwards it points to the A record of my mailserver. I think there is something going on inside my DNS. Below is the result of nslookup with type=MX:

primary name server = sr-dc.mydomain.com
responsible mail addr = hostmaster
serial = 2286
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

So instead of messing with the 2003 DNS, is there any way to make a cache record, just like we have /etc/hosts for A records? Thanks.
Re: cache MX record
thanks for your guidance issue resolved
Re: smtp Auth.
On Tue, Nov 13, 2012 at 12:54 PM, Patrick Ben Koetter p...@sys4.de wrote:
> * Muhammad Yousuf Khan sir...@gmail.com:
> > i have been through several articles and howtos for configuring smtpd to accept credentials for authentication but all of them failed. postfix relays email anonymously no matter what i configure. here is the configuration of /etc/postfix/main.cf
> >
> > smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> > smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> > smtpd_use_tls=yes
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > myhostname = mailsrv.mydomain.com
> > alias_maps = hash:/etc/aliases
> > alias_database = hash:/etc/aliases
> > myorigin = /etc/mailname
> > mydestination = localhost.localdomain, localhost, mydomain.com
> > relayhost =
> > #mynetworks = 127.0.0.0/8, 10.XX.XX.0/24
> > mailbox_command =
> > mailbox_size_limit = 0
> > recipient_delimiter = +
> > inet_interfaces = all
> > home_mailbox = Maildir/
> > inet_protocols = all
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > smtpd_sasl_local_domain = $myhostname
> > broken_sasl_auth_clients = yes
> > smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
> >
> > it does not affect even if I comment “mynetworks” or “permit_mynetwork”; as you can see in the settings, mynetworks is commented out. However I am sure that SASL is configured properly because my outlook client has received SSL certificate when I created the account.
> Again: SSL is not related to SASL. Show log that proves your case.

Fmaster in the log is my user. here you go with the logs.

/var/log/mail.info
Nov 13 17:44:18 mailsrv dovecot: imap-login: Login: user=fmaster, method=PLAIN, rip=10.XX.XX.240, lip=10.XX.XX.100, TLS
Nov 13 17:44:19 mailsrv dovecot: IMAP(fmaster): Disconnected in IDLE bytes=9/298
Nov 13 17:44:19 mailsrv postfix/smtpd[8756]: connect from ws-ykhan.mydomain.com[10.XX.XX.240]
Nov 13 17:44:19 mailsrv postfix/smtpd[8756]: 0AEF838306: client=ws-ykhan.mydomain.com[10.XX.XX.240], sasl_method=LOGIN, sasl_username=fmas...@mailsrv.mydomain.com
Nov 13 17:44:19 mailsrv postfix/cleanup[8760]: 0AEF838306: message-id=
Nov 13 17:44:19 mailsrv postfix/qmgr[8258]: 0AEF838306: from=fmas...@mydomain.com, size=649, nrcpt=1 (queue active)
Nov 13 17:44:19 mailsrv postfix/smtpd[8756]: disconnect from ws-ykhan.mydomain.com[10.XX.XX.240]
Nov 13 17:44:19 mailsrv postfix/local[8762]: 0AEF838306: to=fmas...@mydomain.com, relay=local, delay=0.17, delays=0.16/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Nov 13 17:44:19 mailsrv postfix/qmgr[8258]: 0AEF838306: removed

/var/log/mail.warn
Nov 12 17:57:48 mailsrv postfix/smtpd[5379]: fatal: parameter smtpd_recipient_restrictions: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Nov 12 17:57:49 mailsrv postfix/master[5277]: warning: process /usr/lib/postfix/smtpd pid 5379 exit status 1
Nov 12 17:57:49 mailsrv postfix/master[5277]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Nov 12 17:58:49 mailsrv postfix/smtpd[5425]: fatal: parameter smtpd_recipient_restrictions: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Nov 12 17:58:50 mailsrv postfix/master[5277]: warning: process /usr/lib/postfix/smtpd pid 5425 exit status 1
Nov 12 17:58:50 mailsrv postfix/master[5277]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Nov 12 18:32:49 mailsrv dovecot: dovecot: Killed with signal 15 (by pid=6196 uid=0 code=kill)
Nov 13 11:58:49 mailsrv postfix/smtpd[8262]: warning: support for restriction check_relay_domains will be removed from Postfix; use reject_unauth_destination instead
Nov 13 12:00:09 mailsrv dovecot: dovecot: Killed with signal 15 (by pid=8272 uid=0 code=kill)
Nov 13 17:46:44 mailsrv postfix/smtpd[8785]: warning: support for restriction check_relay_domains will be removed from Postfix; use reject_unauth_destination instead

/var/log/mail.err
Nov 12 17:58:49 mailsrv postfix/smtpd[5425]: fatal: parameter smtpd_recipient_restrictions: specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

/var/log/mail.log
Nov 13 17:52:00 mailsrv postfix/anvil[8758]: statistics: max connection count 1 for (smtp:10.XX.XX.240) at Nov 13 17:43:20
Nov 13 17:52:00 mailsrv postfix/anvil[8758]: statistics: max cache size 1 at Nov 13 17:43:20
Nov 13 17:54:00 mailsrv dovecot: imap-login: Login: user=fmaster, method=PLAIN, rip=10.XX.XX.240, lip=10.XX.XX.100, TLS
Nov 13 17:54:00 mailsrv dovecot: imap-login: Login: user=fmaster, method=PLAIN, rip=10.XX.XX.240, lip=10.XX.XX.100, TLS
Nov 13 17:54:34 mailsrv dovecot: IMAP(fmaster): Disconnected: Logged out bytes=336/1833
Nov 13 17:54:34 mailsrv dovecot: IMAP(fmaster): Disconnected: Logged out bytes=63/477
Nov 13
pop client for postfix.
i want to pop emails from a main server which is hosted in US and i want to pop all the email from all the accounts to our local LAN accounts in postfix. like the features once available in MailerDeaman. called domain pop and multipop so is there any options in postfix. Thanks,
Re: pop client for postfix.
I know Postfix is an SMTP, and as far as fetchmail is concerned, it is written in the document that it does not support maildir. It is written that "By design Fetchmail's only means of delivering messages is by submitting them to the local MTA; delivering directly to mail folders such as maildir is not supported."

Actually I configured Postfix with maildir + Dovecot + SASL for internal/outside mailing. But because our Internet bandwidth is not high and scalable enough, we purchased a mail hosting solution from a company in the US. The problem is that all of our emails go to the Internet even if they are intraoffice emails. So I wanted to trim down extra email traffic on the Internet, and for that reason I am trying to design an internal mail server. My questions are:

1. I have to download email from the US mailbox via POP and save it to the Postfix local maildir format, account-wise, so I need to know the utility for that. Because this option is available in Exchange Server and mailerdeamon, I am certain that this would be available for Postfix for maildir format.

2. My second question is not related to this issue but is also a critical one. Actually there are a few accounts that reside on the US hosted mail server for which I don't want to pop email to the local mail server, because those users are living in the US and I don't want their traffic to be routed to the office. So the problem comes when I send email to a US user who has an account on the US mail server but not in our local office. When the email reaches our local server it does not pass it on to the Internet and then to the US mail server; instead the email returns from our local server saying that the mailbox was not found, which is true in fact, but what I want is that when the email account is not found on the local Postfix mail server, Postfix should route the email to the US mail server where it probably resides, and if it is not found there, eventually it should return the message mailbox not found.
Thanks, On Mon, Nov 12, 2012 at 1:30 PM, Patrick Ben Koetter p...@sys4.de wrote: * Muhammad Yousuf Khan sir...@gmail.com: i want to pop emails from a main server which is hosted in US and i want to pop all the email from all the accounts to our local LAN accounts in postfix. like the features once available in MailerDeaman. called domain pop and multipop so is there any options in postfix. Postfix is an SMTP server. It cannot do POP. -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Joerg Heidrich
Re: smtp authentication
On Mon, Nov 12, 2012 at 1:22 AM, Wietse Venema wie...@porcupine.org wrote:
> Muhammad Yousuf Khan:
> > Thanks for the nice informative message. so the question is how come i accomplish my required settings. since i am very new to postfix need your help. if i delete the parameter permit_mynetworks will i accomplish this or i do have to edit or insert some more settings
> As documented, with
> smtpd_recipient_restrictions = permit_sasl_authenticated reject

ok i made the changes. it kind of works but now it is asking for a password and it is not authenticating with the email sender user and password. what kind of password does it require?

> all clients must authenticate. If there are clients that must not authenticate, then that will require further configuration.
> Wietse
Re: smtp authentication
On Mon, Nov 12, 2012 at 4:44 PM, Wietse Venema wie...@porcupine.org wrote:
> Muhammad Yousuf Khan:
> > On Mon, Nov 12, 2012 at 1:22 AM, Wietse Venema wie...@porcupine.org wrote:
> > > Muhammad Yousuf Khan:
> > > > Thanks for the nice informative message. so the question is how come i accomplish my required settings. since i am very new to postfix need your help. if i delete the parameter permit_mynetworks will i accomplish this or i do have to edit or insert some more settings
> > > As documented, with
> > > smtpd_recipient_restrictions = permit_sasl_authenticated reject
> > ok i made the changes. it kind of works but now it is asking for a password and it is not authenticating with the email sender user and password. what kind of password does it require?
> http://www.postfix.org/SASL_README.html

thanks for the document but for a person like me, very new and fresh, it is way too complex a document to understand. actually the point is i already configured the mail server and i can send and receive emails. and i thought Postfix should have prompted me for the PAM password and i could also authenticate all the users with an smtp password like all the ISPs are doing. however it did not happen, even after SASL. what is the purpose of SASL? my outlook got a certificate and now the password is working only for IMAP, not for smtp. what is the benefit of it? sorry for asking the same question but actually it is very difficult to understand the whole document and it is bringing down my morale. and already i have invested a whole week just to configure Postfix + Dovecot + SASL :(
Re: smtp authentication
On Mon, Nov 12, 2012 at 4:44 PM, Wietse Venema wie...@porcupine.org wrote:
> Muhammad Yousuf Khan:
> > On Mon, Nov 12, 2012 at 1:22 AM, Wietse Venema wie...@porcupine.org wrote:
> > > Muhammad Yousuf Khan:
> > > > Thanks for the nice informative message. so the question is how come i accomplish my required settings. since i am very new to postfix need your help. if i delete the parameter permit_mynetworks will i accomplish this or i do have to edit or insert some more settings
> > > As documented, with
> > > smtpd_recipient_restrictions = permit_sasl_authenticated reject
> > ok i made the changes. it kind of works but now it is asking for a password and it is not authenticating with the email sender user and password. what kind of password does it require?
> http://www.postfix.org/SASL_README.html

thanks for the document but for a person like me, very new and fresh, it is way too complex a document to understand. actually the point is i already configured the mail server and i can send and receive emails. and i thought Postfix should have prompted me for the PAM password and i can authenticate all the users with an smtp password like all the ISPs are doing. however it did not happen. what is the purpose of SASL? my outlook got a certificate and now the password is working only for IMAP, not for smtp. what is the benefit of it?
Re: pop client for postfix.
On Mon, Nov 12, 2012 at 7:52 PM, /dev/rob0 r...@gmx.co.uk wrote: On Mon, Nov 12, 2012 at 12:02:02PM +0100, Robert Schetterer wrote: Am 12.11.2012 11:21, schrieb Muhammad Yousuf Khan: my questions are 1. i have to download email from US mailbox via POP and save it it down to postfix Local maildir formate, account vise. so i need to know the utility for that. because this option is available in exchange server, mailerdeamon. so i am certain that this would be available for postfix for maildir formate. forget fetchmail use getmail I'll add my +1 to this comment, and throw in a why POP3? question. Who is your provider, gmail? POP3 should have died out a decade ago. The replacement is IMAP, and lo and behold, Getmail as well as every other MUA/MUU supports it fully. It's hard to imagine a significant mail service which has POP3 but not IMAP service. Another thing worth mention: Postfix != MSexchange. The latter is a suite of software which implements (misimplements in many cases, it seems, although to be fair I think that is more commonly a case of administrator incompetence) other protocols to present the user with a complete mail server solution. Postfix is a MTA (mail transfer agent.) The MTA is just one of many parts a complete mail server would require. And perhaps you (the OP, I mean) should discuss your ultimate goal here. From what this and your other thread showed us, I am doubtful that you want or need a MTA at all. Actually what i need is not MTA you are correct but i knowo that combining postfix with extra addons like dovecat, spamassasin etc. we can make it more secure and reliable then other microsoft base platforms. here is the scenario and goals that i want to achieve. we already have 1 mail server hosted in US. now the problem is even if we have to send local emails it has to reach our US mail server which means extra bandwidth and as our users are growing i need to find a better solution to trim down extra email traffic. 
and for my learning i select postfix and a whole solution. we do have other solutions like citadel and zimbra but they are limited secondly they are very heavy on resources. so my goals are. 1. Local storage of emails, so none of the emails go to internet or US mail serer for inside communication 2. i need to provide imap facility to all the users for connecting from there smartphones and laptops. 3. want to multipop (mailerdemaon terminoligy to sync mailboxes) email to sync mail boxes in US and my local server. 4. some of the users still use US mail server. therefore email for same domain (but users who are not present in local mailserver) shell be sent to US office. 5. spam filter. virus scan. 6. backup and restore. i do have an option of backing up email by backup the whole Virtual machine. however if i can find a utility which can backup whole setting with out problem would be more helpful. after my research i found out that what i am planning is possible. here is the document but the problem is there howto is based on MySQL but what i need is maildir setup. http://workaround.org/ispmail/squeeze Thanks, http://pyropus.ca/software/getmail/ config like i.e this [retriever] type = SimplePOP3Retriever P.S.: Getmail also supports TLS/SSL. :) -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
smtp authentication
After a week of struggling with Postfix I finally managed to configure Dovecot + SASL + Postfix. I can send and receive emails. Now the problem that I am facing is that I can use SASL for SSL IMAP, however I cannot secure my SMTP so that no one can send mail bombing and spamming through my mailserver. I know I can set up SMTP with authentication, so when every user sends email, SMTP will authenticate the username and password and then accept the email, but I can send email without authentication. So please guide me for the required facility. Actually one of my service providers is providing us a mail facility and they are authenticating with the same user ID and password for SMTP as the credentials that are created on the main server, so I want to authenticate emails in the same way. Please help. Please accept my apology for my poor English. Here are my details:

/etc/postfix/main.cf

myhostname = mailsrv.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.localdomain, localhost, example.com
relayhost =
mynetworks = 127.0.0.0/8, 10.51.100.0/24
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
inet_protocols = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_desti$

/etc/dovecat/dovecat.conf

protocols = imap imaps
protocol imap {
  listen = *:143
  ssl_listen = *:993
}
mail_location = maildir:~/Maildir/
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Thank you,
Re: smtp authentication
Thanks for the nice informative message. so the question is how come i accomplish my required settings. since i am very new to postfix need your help. if i delete the parameter permit_mynetworks will i accomplish this or i do have to edit or insert some more settings. Thanks a lot.

On Sun, Nov 11, 2012 at 11:01 AM, Wietse Venema wie...@porcupine.org wrote:
> Muhammad Yousuf Khan:
> > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_desti$
> As documented permit_mynetworks accepts mail from clients that match the mynetworks parameter value. See: http://www.postfix.org/postconf.5.html#permit_mynetworks
> As documented by listing permit_mynetworks before permit_sasl_authenticated you do not require authentication from clients in mynetworks. See: http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions http://www.postfix.org/SMTPD_ACCESS_README.html#lists
> Wietse
Re: smtp authentication
On Sun, Nov 11, 2012 at 12:22 PM, Wietse Venema wie...@porcupine.org wrote:
> Muhammad Yousuf Khan:
> > Thanks for the nice informative message. so the question is how come i accomplish my required settings. since i am very new to postfix need your help. if i delete the parameter permit_mynetworks will i accomplish this or i do have to edit or insert some more settings
> As documented, with
> smtpd_recipient_restrictions = permit_sasl_authenticated reject

Thank you, actually my idea behind authenticating clients is because in my last company we had 100 users and sometimes a virus started to bomb the mail server, and to resolve the issue i had to authenticate. do you think for that reason this is a good idea to go with?

> all clients must authenticate. If there are clients that must not authenticate, then that will require further configuration.
> Wietse
Re: smtp authentication
Thanks for the help :)

On Sun, Nov 11, 2012 at 1:12 PM, Wietse Venema wie...@porcupine.org wrote:
> Muhammad Yousuf Khan:
> > On Sun, Nov 11, 2012 at 12:22 PM, Wietse Venema wie...@porcupine.org wrote:
> > > Muhammad Yousuf Khan:
> > > > Thanks for the nice informative message. so the question is how come i accomplish my required settings. since i am very new to postfix need your help. if i delete the parameter permit_mynetworks will i accomplish this or i do have to edit or insert some more settings
> > > As documented, with
> > > smtpd_recipient_restrictions = permit_sasl_authenticated reject
> > Thank you, actually my idea behind authenticating clients is because in my last company we had 100 users and sometimes a virus started to bomb the mail server, and to resolve the issue i had to authenticate. do you think for that reason this is a good idea to go with?
> That is something that only you can decide. I have no experience with virus infections.
> Wietse
> > > all clients must authenticate. If there are clients that must not authenticate, then that will require further configuration.
> > > Wietse
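
The ordering point made in this thread (a restriction list is evaluated left to right and the first decisive result wins) can be checked with a small model. This is an added example, not code from the thread or from Postfix: it covers only four restrictions, uses the mynetworks and mydestination values from the posted main.cf, and assumes the truncated third entry of the posted list is reject_unauth_destination. The client addresses and recipients are constructed.

```python
import ipaddress

# Values from the main.cf posted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.51.100.0/24")]
LOCAL_DOMAINS = {"localhost.localdomain", "localhost", "example.com"}  # mydestination


def permit_mynetworks(session):
    ip = ipaddress.ip_address(session["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(session):
    return "PERMIT" if session.get("sasl_user") else "DUNNO"


def reject_unauth_destination(session):
    # Simplified: relay_domains is treated as empty, so only mydestination counts.
    domain = session["rcpt"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def reject(session):
    return "REJECT"


RESTRICTIONS = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated,
                                        reject_unauth_destination, reject)}


def evaluate(restriction_list, session):
    """Return (decision, deciding restriction); first non-DUNNO result wins."""
    for name in restriction_list.replace(",", " ").split():
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "(end of list)"  # nothing objected, so the mail is accepted


# Third entry is an assumption: the posted line is cut off at "reject_unauth_desti$".
AS_POSTED = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
AS_ADVISED = "permit_sasl_authenticated reject"

# Constructed sessions.
LAN_UNAUTH = {"client_ip": "10.51.100.240", "sasl_user": None, "rcpt": "someone@elsewhere.test"}
REMOTE_AUTH = {"client_ip": "203.0.113.7", "sasl_user": "fmaster", "rcpt": "someone@elsewhere.test"}
REMOTE_UNAUTH_RELAY = {"client_ip": "203.0.113.7", "sasl_user": None, "rcpt": "someone@elsewhere.test"}
REMOTE_UNAUTH_LOCAL = {"client_ip": "203.0.113.7", "sasl_user": None, "rcpt": "user@example.com"}

if __name__ == "__main__":
    sessions = {"LAN, no auth, external rcpt": LAN_UNAUTH,
                "remote, authenticated, external rcpt": REMOTE_AUTH,
                "remote, no auth, external rcpt": REMOTE_UNAUTH_RELAY,
                "remote, no auth, local rcpt": REMOTE_UNAUTH_LOCAL}
    for label, session in sessions.items():
        print(f"{label:40} posted={evaluate(AS_POSTED, session)} "
              f"advised={evaluate(AS_ADVISED, session)}")
```

The last session shows the cost of the two-entry list: unauthenticated inbound mail for local recipients is refused as well, which is the "further configuration" case mentioned in the thread.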