Re: Basic kind of question
Sadly, it's not that easy (made no difference, and yes I reloaded postfix). It's still trying to deliver to itself. Only thing I've managed to do messing with this today is to get it to stop bouncing and now the tests are in the queue because they can't be delivered locally:

0130766 266 Wed Jul 17 17:18:30 r...@example.com
(connect to example.com[10.166.5.182]:25: Connection timed out)
example-test...@example.com

On Wed, Jul 17, 2019 at 3:19 PM Robert Theisen wrote:
>
> I would set mydomain to smtp2.example.com . That should make the host do
> a dns query to find the mx record of example.com .
>
> Robert
> On Wednesday, July 17, 2019, 2:24:46 PM EDT, Rick Zeman wrote:
>
> I inherited a pair of postfix servers configured by someone else and I
> think I've been a manager too long as I can't figure this one out because
> I'm too rusty with postfix.
> Scenario:
> 2 identical postfix servers that only accept mail from mynetworks (other
> local servers in its /16) with various From domains that are NOT mydomain
> which direct deliver to the recipients wherever they are in the world.
> That all works fine. What doesn't work fine is if the recipient is
> *@example.com which IS mydomain to which delivery is not local, but the
> same domain. Then, postfix tries to deliver locally and bounces. Common
> problem.
> My expectation is that when an email hits for *@example.com that
> postfix would do an mx lookup for example.com and send to that MX
> externally.
> No twiddling with mydestination, transport maps, turning off local in
> master.cf, or combinations thereof. There's no relayhost since they
> deliver directly. Thoughts? Thanks!
Basic kind of question
I inherited a pair of postfix servers configured by someone else and I think I've been a manager too long as I can't figure this one out because I'm too rusty with postfix.

Scenario: 2 identical postfix servers that only accept mail from mynetworks (other local servers in its /16) with various From domains that are NOT mydomain which direct deliver to the recipients wherever they are in the world. That all works fine. What doesn't work fine is if the recipient is *@example.com which IS mydomain to which delivery is not local, but the same domain. Then, postfix tries to deliver locally and bounces. Common problem.

My expectation is that when an email hits for *@example.com that postfix would do an mx lookup for example.com and send to that MX externally.

No twiddling with mydestination, transport maps, turning off local in master.cf, or combinations thereof. There's no relayhost since they deliver directly. Thoughts? Thanks!

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mydomain = example.com
myhostname = smtp2.example.com
mynetworks = 127.0.0.0/8, 10.166.0.0/16
myorigin = example.com
newaliases_path = /usr/bin/newaliases.postfix
postscreen_upstream_proxy_protocol = haproxy
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/pki/tls/certs/godaddy.certchain.crt
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

#628       inet  n  -  n  -      -  qmqpd
pickup     unix  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       unix  n  -  n  300    1  qmgr
#qmgr      unix  n  -  n  300    1  oqmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
#local     unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
Re: Fallback to IPV4 in case of IPV6 is not available
On Sat, Mar 25, 2017 at 2:48 PM, Paul C wrote:
> I wish the world would use ipv6 enough for this to be worth doing, but
> it's not going to have much benefit to you as there's almost no one
> using it for smtp, from the last time I checked which was a few months
> ago, google uses it perfectly, verizon too (maybe a few more cable
> domains), yahoo looked like they were trying lol, website and some
> services were v6 this year but smtp was not when I checked, hotmail
> doesn't use it anywhere from what i can see, aol never will and almost
> no self hosted mail server will have it. My guess is (unless gmail is
> where most mail goes) that you might see a few percent like 1-5% of
> mail ever use it. Not a bad research project or knowing v6, or if you
> have other reasons, but actual sending out is just not happening any
> time soon.

Comcast, surprisingly, is way ahead of the residential game:

Apr 1 16:17:12 miniserv postfix/smtp[79694]: Untrusted TLS connection established to smtp.comcast.net[2001:558:fe21:2a::5]:587: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 1 16:17:12 miniserv postfix/smtp[79694]: 252483CACE40: to= , relay=smtp.comcast.net[2001:558:fe21:2a::5]:587, delay=1.6, delays=0/0/1.3/0.25, dsn=2.0.0, status=sent (250 2.0.0 uPSRcVCa8qoNEuPSSchbjZ mail accepted for delivery)
Apr 1 16:17:12 miniserv postfix/qmgr[62620]: 252483CACE40: removed
Re: New SASL generic failure
On Sat, Jul 9, 2016 at 9:57 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Jul 8, 2016, at 10:09 PM, Rick Zeman <rze...@gmail.com> wrote:
>>
>> How might 'filtering out that mechanism" be done, Viktor? Doesn't
>> sound (or look like, based on SASL_README) that it's something done in
>> postfix.
>
> The first occurrence of the word "filter" in SASL_README is the section
> that describes filtering of SASL mechanisms in the Postfix SMTP client:
>
> http://www.postfix.org/SASL_README.html#client_sasl_filter
>
> You really should have been able to find this...

You are entirely correct: I should have been able to find that (after all, I was so close, and that was the readme I used when I set up the damn thing), and I just missed it on my skim.

Explicitly filtering in:

smtp_sasl_mechanism_filter = plain, login

did the trick. I didn't need to filter out XOAUTH2.

As always, thank you, Viktor.
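A check that goes with the fix reported above, as an added example that is not part of the original thread: it reads Postfix SMTP client debug lines, lists the AUTH mechanisms each relay advertises, and reports those that fall outside a plain-name filter list such as the one set in smtp_sasl_mechanism_filter, so a relay that starts offering a new mechanism is noticed. The function names, host names and log lines are constructed for illustration, and only plain mechanism names are handled in the filter value.

```shell
#!/bin/sh
# Added example: audit the AUTH mechanisms a relay advertises against an
# allow-list written like a plain-name smtp_sasl_mechanism_filter value.

# Constructed sample in the format of the debug_peer log lines in this thread.
sample_auth_log() {
cat <<'EOF'
Jul 8 20:32:21 host postfix/smtp[2949]: < relay.example.net[2001:db8::5]:587: 250-HELP
Jul 8 20:32:21 host postfix/smtp[2949]: < relay.example.net[2001:db8::5]:587: 250-AUTH LOGIN PLAIN XOAUTH2
Jul 8 20:32:21 host postfix/smtp[2949]: < relay.example.net[2001:db8::5]:587: 250-STARTTLS
Jul 8 20:32:22 host postfix/smtp[2955]: < relay.example.net[2001:db8::5]:587: 250-AUTH LOGIN PLAIN XOAUTH2
Jul 8 20:40:00 host postfix/smtp[3001]: < other.example.org[192.0.2.25]:587: 250 AUTH PLAIN
EOF
}

# offered_mechs: read log lines on stdin and print one "server MECHANISM"
# pair per line, without duplicates, for every EHLO reply carrying AUTH.
offered_mechs() {
    awk '
        $5 ~ /^postfix\/smtp\[/ && $6 == "<" && match($0, /: 250[- ]AUTH /) {
            server = $7
            sub(/\[.*/, "", server)          # drop "[address]:port:"
            n = split(substr($0, RSTART + RLENGTH), mech, " ")
            for (i = 1; i <= n; i++) {
                key = server " " toupper(mech[i])
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# outside_filter FILTER: read "server MECHANISM" pairs on stdin and print
# the pairs whose mechanism is not named in FILTER (comma or space
# separated, case-insensitive).
outside_filter() {
    awk -v filter="$1" '
        BEGIN {
            n = split(toupper(filter), f, /[ ,]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") allow[f[i]] = 1
        }
        !($2 in allow) { print }'
}

# Run against the constructed sample with the filter value from the post.
sample_auth_log | offered_mechs | outside_filter "plain, login"
```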
Re: New SASL generic failure
On Fri, Jul 8, 2016 at 9:17 PM, Viktor Dukhovni wrote:
>
>> On Jul 8, 2016, at 9:15 PM, Wietse Venema wrote:
>>
>> Your SASL library cannot authenticate with PLAIN or LOGIN.
>
> Another possibility is that it supports and prefers XOAUTH2, but lacks
> the necessary credentials or configuration to do so. In that case filtering
> out that mechanism might resolve the problem. It could be that the server
> side has only recently enabled that mechanism.

Answering Wietse here, too, but I haven't touched the config and it's been months since the config's been touched at all, and the server got rebooted a few weeks ago for a UPS replacement, so it seems likely that comcast changed something. According to https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xml XOAUTH2 is totally obsolete and I can't imagine Comcast requiring that at this late date (I've been doing PLAIN over TLS for the last two years with this postfix instance).

How might 'filtering out that mechanism" be done, Viktor? Doesn't sound (or look like, based on SASL_README) that it's something done in postfix.

smtp sasl options in main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
New SASL generic failure
Working system that suddenly started crapping out on SASL-authenticated connections to its relay. Nothing's changed for this 2.11.0 Apple-supplied postfix, and the username/password authenticates fine to smtp.comcast.com (relay). I'm not seeing what's wrong (must be what "generic" means lol). Thoughts? Thanks.

Logs with smtp.comcast.com in debug_peer and real username changed to username and likewise to password for the password:

Jul 8 20:32:21 miniserv postfix/smtp[2955]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 8 20:32:21 miniserv postfix/smtp[2949]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 220 resomta-ch2-13v.sys.comcast.net comcast ESMTP server ready
Jul 8 20:32:21 miniserv postfix/smtp[2949]: > smtp.comcast.net[2001:558:fe21:2a::5]:587: EHLO miniserv.pointyears.net
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 220 resomta-ch2-12v.sys.comcast.net comcast ESMTP server ready
Jul 8 20:32:21 miniserv postfix/smtp[2955]: > smtp.comcast.net[2001:558:fe21:2a::5]:587: EHLO miniserv.pointyears.net
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-resomta-ch2-13v.sys.comcast.net hello [2601:982:8200:774f::162], pleased to meet you
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-HELP
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-AUTH LOGIN PLAIN XOAUTH2
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-SIZE 36700160
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-ENHANCEDSTATUSCODES
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-8BITMIME
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-STARTTLS
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250 OK
Jul 8 20:32:21 miniserv postfix/smtp[2949]: server features: 0x103b size 36700160
Jul 8 20:32:21 miniserv postfix/smtp[2949]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 8 20:32:21 miniserv postfix/smtp[2949]: > smtp.comcast.net[2001:558:fe21:2a::5]:587: STARTTLS
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-resomta-ch2-12v.sys.comcast.net hello [2601:982:8200:774f::162], pleased to meet you
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-HELP
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-AUTH LOGIN PLAIN XOAUTH2
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-SIZE 36700160
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-ENHANCEDSTATUSCODES
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-8BITMIME
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-STARTTLS
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 250 OK
Jul 8 20:32:21 miniserv postfix/smtp[2955]: server features: 0x103b size 36700160
Jul 8 20:32:21 miniserv postfix/smtp[2955]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 8 20:32:21 miniserv postfix/smtp[2955]: > smtp.comcast.net[2001:558:fe21:2a::5]:587: STARTTLS
Jul 8 20:32:21 miniserv postfix/smtp[2949]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 220 2.0.0 Ready to start TLS
Jul 8 20:32:21 miniserv postfix/smtp[2949]: send attr request = seed
Jul 8 20:32:21 miniserv postfix/smtp[2949]: send attr size = 32
Jul 8 20:32:21 miniserv postfix/smtp[2949]: private/tlsmgr: wanted attribute: status
Jul 8 20:32:21 miniserv postfix/smtp[2949]: input attribute name: status
Jul 8 20:32:21 miniserv postfix/smtp[2949]: input attribute value: 0
Jul 8 20:32:21 miniserv postfix/smtp[2949]: private/tlsmgr: wanted attribute: seed
Jul 8 20:32:21 miniserv postfix/smtp[2949]: input attribute name: seed
Jul 8 20:32:21 miniserv postfix/smtp[2949]: input attribute value: zppl+JDHdZFETR/Usnxz8Xs+6ccWx0OtD+/Kk7BbEA4=
Jul 8 20:32:21 miniserv postfix/smtp[2949]: private/tlsmgr: wanted attribute: (list terminator)
Jul 8 20:32:21 miniserv postfix/smtp[2949]: input attribute name: (end)
Jul 8 20:32:21 miniserv postfix/smtp[2955]: < smtp.comcast.net[2001:558:fe21:2a::5]:587: 220 2.0.0 Ready to start TLS
Jul 8 20:32:21 miniserv postfix/smtp[2955]: send attr request = seed
Jul 8 20:32:21 miniserv postfix/smtp[2955]: send attr size = 32
Jul 8 20:32:21 miniserv postfix/smtp[2955]: private/tlsmgr: wanted attribute: status
Jul 8 20:32:21 miniserv postfix/smtp[2955]: input attribute name: status
Jul 8 20:32:21 miniserv postfix/smtp[2955]: input attribute value: 0
Jul 8 20:32:21 miniserv
Re: One more post-rebuild weirdness
On Tue, Mar 22, 2016 at 11:25 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 3/22/2016 10:03 PM, Rick Zeman wrote:
>> Oops, knew I forgot something, Noel. This is a (soft) bounce for a
>> recipient that does exist on the destination system, but not on the
>> postfix system, as the following telnet shows:
>>
>> Mar 22 22:32:32 miniserv postfix/smtpd[70673]: NOQUEUE: reject: RCPT
>> from pmta1.delivery8.ore.mailhop.org[54.191.158.99]: 450 4.1.1
>> <t...@pointyears.net>: Recipient address rejected: User unknown in local
>> recipient table; from=<rze...@gmail.com> to=<t...@pointyears.net>
>> proto=ESMTP helo=
>>
>
> You sure mydestination is empty? At any rate,
>
> #main.cf:
> local_recipient_maps =
>
> should take care of this.

It did, thanks, but I'm not sure I understand what had happened.
Re: One more post-rebuild weirdness
Oops, knew I forgot something, Noel. This is a (soft) bounce for a recipient that does exist on the destination system, but not on the postfix system, as the following telnet shows:

Mar 22 22:32:32 miniserv postfix/smtpd[70673]: NOQUEUE: reject: RCPT from pmta1.delivery8.ore.mailhop.org[54.191.158.99]: 450 4.1.1 <t...@pointyears.net>: Recipient address rejected: User unknown in local recipient table; from=<rze...@gmail.com> to=<t...@pointyears.net> proto=ESMTP helo=

$ telnet 192.168.1.5 587
Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.
220 nw6.pointyears.net
ehlo gmail.com
250-nw6.pointyears.net
250-AUTH LOGIN
250-8BITMIME
250-SIZE
250-DSN
250 STARTTLS
mail from:<rze...@gmail.com>
250 Ok
rcpt to:<t...@pointyears.net>
250 Ok
Data
354 Enter mail, end with "." on a line by itself
This will be accepted.
.
250 Ok

This is accepted.

*

This is a successful delivery:

Mar 22 22:55:23 miniserv postfix/smtpd[71355]: connect from pmta1.delivery7.ore.mailhop.org[54.186.27.61]
Mar 22 22:55:24 miniserv postfix/smtpd[71355]: Anonymous TLS connection established from pmta1.delivery7.ore.mailhop.org[54.186.27.61]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 22 22:55:24 miniserv postfix/smtpd[71355]: 8BA43278ED90: client=pmta1.delivery7.ore.mailhop.org[54.186.27.61]
Mar 22 22:55:24 miniserv postfix/cleanup[71361]: 8BA43278ED90: message-id=<CAN1dBq075WKYYv7f5U4+wGY+Yby-3Ng=xmgpgx-ni8ereyw...@mail.gmail.com>
Mar 22 22:55:24 miniserv postfix/qmgr[68145]: 8BA43278ED90: from=<rze...@gmail.com>, size=2582, nrcpt=1 (queue active)
Mar 22 22:55:24 miniserv postfix/smtpd[71355]: disconnect from pmta1.delivery7.ore.mailhop.org[54.186.27.61]
Mar 22 22:55:25 miniserv postfix/smtpd[71365]: connect from localhost[127.0.0.1]
Mar 22 22:55:25 miniserv postfix/smtpd[71365]: 48C83278ED96: client=localhost[127.0.0.1]
Mar 22 22:55:25 miniserv postfix/cleanup[71361]: 48C83278ED96: message-id=<CAN1dBq075WKYYv7f5U4+wGY+Yby-3Ng=xmgpgx-ni8ereyw...@mail.gmail.com>
Mar 22 22:55:25 miniserv postfix/smtpd[71365]: disconnect from localhost[127.0.0.1]
Mar 22 22:55:25 miniserv postfix/qmgr[68145]: 48C83278ED96: from=<rze...@gmail.com>, size=3046, nrcpt=1 (queue active)
Mar 22 22:55:25 miniserv postfix/smtp[71362]: 8BA43278ED90: to=<rze...@pointyears.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.92, delays=0.5/0.09/0/0.33, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 48C83278ED96)
Mar 22 22:55:25 miniserv postfix/qmgr[68145]: 8BA43278ED90: removed
Mar 22 22:55:25 miniserv postfix/smtp[71366]: Untrusted TLS connection established to 192.168.1.5[192.168.1.5]:587: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 22 22:55:25 miniserv postfix/smtp[71366]: 48C83278ED96: to=<rze...@pointyears.net>, relay=192.168.1.5[192.168.1.5]:587, delay=0.59, delays=0.01/0.03/0.54/0, dsn=2.0.0, status=sent (250 Ok)
Mar 22 22:55:25 miniserv postfix/qmgr[68145]: 48C83278ED96: removed

On Tue, Mar 22, 2016 at 10:17 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 3/22/2016 8:54 PM, Rick Zeman wrote:
>> OS X Postfix system rebuilt as a relay with no local mailboxes, but
>> we're not passing inbound mail to the final destination except for the
>> few people who have local accounts on the postfix server. Soft bounce
>> is on luckily (great safety net, Wietse). I have something that's
>> negating reject_unverified_recipient and I don't see what it is. Can
>> another set of eyes help? Thanks!
>>
>
> What do you mean by negating? Do you have postfix logs (NOT debug
> logs) demonstrating the unexpected behavior?
>
>
>> mydestination =
>
> No local domains. OK.
>
>> mydomain = pointyears.net
>> myhostname = miniserv.pointyears.net
>> mynetworks = 127.0.0.0/8, [::1]/128 , 192.168.1.0/24
>
>> relay_domains = pointyears.net pointyears.org
>
> relay_domains with no relay_recipient_maps, so any user should be
> accepted, subject to later reject_unverified_recipient.
>
>> relayhost = smtp.comcast.net:587
>> smtp_generic_maps = regexp:/Library/Server/Mail/Config/postfix/generic.regexp
>
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>> permit
>
> The above is basically a no-op; permit anything. That's OK, you can
> simplify by removing the line.
>
>> smtpd_recipient_restrictions = permit_sasl_authenticated
>> permit_mynetworks reject_unauth_destination
>> reject_unverified_recipient
>
> This looks reasonable. Addresses to a domain handled by postfix
> will trigger a recipient probe, unless from mynetworks or SASL AUTH.
> You testing from inside your network?
>
>
>> soft_bounce = yes
>
> And any reject will be turned into a 4xx defer.
>
>>
>> transport:
>> pointyears.net smtp:[192.168.1.5]:587
>> pointyears.org smtp:[192.168.1.5]:587
>>
>
>
> So what problem are you having?
>
>
> -- Noel Jones
One more post-rebuild weirdness
OS X Postfix system rebuilt as a relay with no local mailboxes, but we're not passing inbound mail to the final destination except for the few people who have local accounts on the postfix server. Soft bounce is on luckily (great safety net, Wietse). I have something that's negating reject_unverified_recipient and I don't see what it is. Can another set of eyes help? Thanks!

biff = no
command_directory = /Applications/Server.app/Contents/ServerRoot/usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /Applications/Server.app/Contents/ServerRoot/usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
header_checks =
html_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
local_transport = error:local mail delivery is disabled
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /Applications/Server.app/Contents/ServerRoot/usr/bin/mailq
manpage_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/man
message_size_limit = 20485760
mydestination =
mydomain = pointyears.net
myhostname = miniserv.pointyears.net
mynetworks = 127.0.0.0/8, [::1]/128 , 192.168.1.0/24
newaliases_path = /Applications/Server.app/Contents/ServerRoot/usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix
recipient_delimiter = -
relay_domains = pointyears.net pointyears.org
relayhost = smtp.comcast.net:587
sample_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/examples
sendmail_path = /Applications/Server.app/Contents/ServerRoot/usr/sbin/sendmail
setgid_group = _postdrop
smtp_generic_maps = regexp:/Library/Server/Mail/Config/postfix/generic.regexp
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtp_tls_cert_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtp_tls_key_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_unverified_recipient
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtpd_tls_cert_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL, EXPORT
smtpd_tls_key_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/Library/Server/Mail/Config/postfix/transport
virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users

transport:
pointyears.net smtp:[192.168.1.5]:587
pointyears.org smtp:[192.168.1.5]:587
TLS question on OS X
Howdy,

Upgrading Apple server to Apple's postfix 2.11.0 and seeing this in the logs:

Mar 20 12:12:53 miniserv postfix/smtpd[43174]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_srvr.c:602:

TLS seems to work otherwise. Thoughts? Thanks.

$ postconf -n
biff = no
command_directory = /Applications/Server.app/Contents/ServerRoot/usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /Applications/Server.app/Contents/ServerRoot/usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
html_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /Applications/Server.app/Contents/ServerRoot/usr/bin/mailq
manpage_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/man
message_size_limit = 20485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = pointyears.net
myhostname = miniserv.pointyears.net
mynetworks = 127.0.0.0/8, [::1]/128 , 192.168.1.024
newaliases_path = /Applications/Server.app/Contents/ServerRoot/usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix
recipient_delimiter = -
relayhost = smtp.comcast.net
sample_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/examples
sendmail_path = /Applications/Server.app/Contents/ServerRoot/usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_tls_CAfile = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtp_tls_cert_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtp_tls_key_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtpd_tls_cert_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL, EXPORT
smtpd_tls_key_file = /etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users
Re: Why is postfix talking to aspmx.google spamexperts?
On Mon, Sep 15, 2014 at 5:42 PM, Marius Gologan marius.golo...@gmail.com wrote:

Extract the queue-ids from the logs and hold those messages for later delivery:

postsuper -h queue-id
(or postsuper -h ALL to hold everything in the queue)

to un-hold:

postsuper -H queue-id
(or postsuper -H ALL to un-hold everything in HOLD)

Or

postsuper -d ALL

to delete the contents of the queue IF you're sure there are no good messages queued.
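The "extract the queue-ids from the logs" step above, as an added example that is not part of the original thread: a shell function that reads Postfix log lines and prints the queue IDs last seen deferred toward one relay and not yet removed from the queue, so the list can be reviewed before it is held. The function names, the relay name mx.filter.example and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list queue IDs deferred toward one relay, for review and
# then "postsuper -h".

# Constructed sample log lines in the postfix/smtp and postfix/qmgr format.
sample_log() {
cat <<'EOF'
Sep 15 17:01:02 mx1 postfix/smtp[2101]: 3A1B2C4D5E: to=<a@example.net>, relay=mx.filter.example[192.0.2.10]:25, delay=2.1, delays=0.1/0/1/1, dsn=4.7.1, status=deferred (host mx.filter.example[192.0.2.10] said: 451 4.7.1 try again later)
Sep 15 17:01:03 mx1 postfix/smtp[2102]: 4B2C3D5E6F: to=<b@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Sep 15 17:01:03 mx1 postfix/qmgr[900]: 4B2C3D5E6F: removed
Sep 15 17:02:10 mx1 postfix/smtp[2103]: 5C3D4E6F70: to=<c@example.net>, relay=mx.filter.example[192.0.2.11]:25, delay=3.0, delays=0.1/0/1.5/1.4, dsn=4.7.1, status=deferred (host mx.filter.example[192.0.2.11] said: 451 4.7.1 try again later)
Sep 15 17:05:44 mx1 postfix/smtp[2101]: 3A1B2C4D5E: to=<a@example.net>, relay=mx.filter.example[192.0.2.10]:25, delay=284, delays=282/0/1/1, dsn=4.7.1, status=deferred (host mx.filter.example[192.0.2.10] said: 451 4.7.1 try again later)
Sep 15 17:06:00 mx1 postfix/smtp[2104]: 6D4E5F7081: to=<d@example.net>, relay=mx.filter.example[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=4.7.1, status=deferred (host mx.filter.example[192.0.2.10] said: 451 4.7.1 try again later)
Sep 15 17:09:30 mx1 postfix/smtp[2104]: 6D4E5F7081: to=<d@example.net>, relay=mx.filter.example[192.0.2.10]:25, delay=211, delays=210/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Sep 15 17:09:30 mx1 postfix/qmgr[900]: 6D4E5F7081: removed
EOF
}

# queue_ids_for_relay HOST: read log lines on stdin; print each queue ID
# once if it was deferred with relay=HOST[...] and qmgr has not since
# logged it as removed.
queue_ids_for_relay() {
    awk -v host="$1" '
        # Delivery attempt: "postfix/smtp[pid]: QUEUEID: to=<..>, relay=host[ip]:port, ..."
        $5 ~ /^postfix\/smtp\[/ && $6 ~ /^[0-9A-Za-z]+:$/ {
            id = substr($6, 1, length($6) - 1)
            relay = ""; deferred = 0
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^relay=/) { relay = substr($i, 7); sub(/\[.*/, "", relay) }
                if ($i == "status=deferred") deferred = 1
            }
            if (deferred && relay == host && !(id in held)) {
                held[id] = 1
                order[++n] = id
            }
        }
        # qmgr logs "QUEUEID: removed" once a message has left the queue.
        $5 ~ /^postfix\/qmgr\[/ && $7 == "removed" {
            delete held[substr($6, 1, length($6) - 1)]
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in held) { print order[i]; delete held[order[i]] }
        }'
}

# Against the constructed sample this prints 3A1B2C4D5E and 5C3D4E6F70.
# On a live system the reviewed list can be piped to "postsuper -h -",
# which reads queue IDs from standard input.
sample_log | queue_ids_for_relay mx.filter.example
```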
Re: Request help with SASL issue and postfix
On Sat, Aug 16, 2014 at 5:18 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> [...]
> inet_protocols = all
>
> Set this to ipv4, you don't have ipv6 connectivity.

I wouldn't be so hasty, Viktor. It looks like he is routing IPv6, as does Comcast (I know that from personal experience):

Aug 16 13:38:13 RichCookHomeMac postfix/smtp[48905]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:25: No route to host
Aug 16 13:38:43 RichCookHomeMac postfix/smtp[48905]: connect to smtp.comcast.net[76.96.40.155]:25: Operation timed out

Wrong port, but he's getting the lookup for smtp.comcast.net, and then postfix is falling back to ipv4,

Shockingly, in most of the country, Comcast will give a /64 to anyone who wants it.

% host -t mx smtp.comcast.net
smtp.comcast.net is an alias for smtp.g.comcast.net.
% host smtp.g.comcast.net
smtp.g.comcast.net has address 68.87.26.155
smtp.g.comcast.net has IPv6 address 2001:558:fe14:70::30
/etc/postfix dependency?
Wietse:
Begin quote from Postfix sendmail manpage
-C config_file
-C config_dir
The path name of the Postfix main.cf file, or of its parent directory. This information is ignored with Postfix versions before 2.3. With all Postfix versions, you can specify a directory pathname with the MAIL_CONFIG environment variable to override the location of configuration files.
End quote from Postfix sendmail manpage
**
I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag. I'd get misdirected by editing the Apple config files, running the commands without the -c and then find out that my changes didn't take effect, etc.
Sooo, is this expected behavior that those always default to /etc/postfix unless told otherwise? Is there a way to override that behavior short of moving the working config files to /etc/postfix and changing the config_directory which I'm loath to do since Apple's next upgrade might break a non-standard install? Is it a compile-time option that Apple didn't do? Something else? I realize that they have to default to looking somewhere for the config files, and it makes sense to default to the widest audience, but Thanks.
$ pwd
/Library/Server/Mail/Config/postfix
$ postconf config_directory
config_directory = /etc/hiWietse
$ postconf -c /Library/Server/Mail/Config/postfix config_directory
config_directory = /Library/Server/Mail/Config/postfix
$ postconf -n | wc -l
63
$ postconf -c /Library/Server/Mail/Config/postfix -n | wc -l
65
Re: /etc/postfix dependency?
On Tue, Jun 3, 2014 at 11:18 AM, Viktor Dukhovni postfix-us...@dukhovni.org wrote: On Tue, Jun 03, 2014 at 10:31:34AM -0500, Rick Zeman wrote: I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag. This is a vendor issue. They need to make up their mind. That is what I suspected. Wonder if anyone from Apple reads this list? So, is this expected behavior that those always default to /etc/postfix unless told otherwise? The default configuration direction is set at compile time. Apple can set this to any directory of their choice. Are you sure there isn't a second copy of the various binaries in an Apple-specific directory? The MAIL_CONFIG environment variable overrides the compiled in default. THAT is the answer I needed. Thanks. $ postconf config_directory config_directory = /etc/hiWietse That's not right. Don't manually override config_directory in main.cf. Of course that's not right. I changed the unused main.cf's value for illustrative purposes; otherwise it would have looked just like the used version.
Re: /etc/postfix dependency?
On Tue, Jun 3, 2014 at 12:04 PM, Wietse Venema wie...@porcupine.org wrote:
Rick Zeman: I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag.
I suspect that you have programs from different Postfix builds on the same machine. Postfix would never work when some Postfix programs have a different built-in config_directory than other Postfix programs.
Hi Wietse,
That could well be (is there a way to verify with strings or somesuch?), but it's working and working well. But, as Viktor pointed out, it's (still) a vendor problem because Apple would have supplied any and all builds and configurations since this was a brand-new machine. One way or another it's on them; either through the stock install, or via the Server add-on.
Re: TLS issues (postfix says: UNTRUSTED but it is not)
On Tue, May 13, 2014 at 9:31 AM, Viktor Dukhovni postfix-us...@dukhovni.org wrote: The logging is misleading, it should say Anonymous rather than untrusted. This is fixed in 2.11.1 and 2.12 snapshots. I'm glad of that. That confused the heck out of me, too.
Re: postfix setup: machine with live ip forwarding traffic to home machine
On Mon, May 5, 2014 at 3:36 AM, hiren panchasara hiren.panchas...@gmail.com wrote:
This is how it should work, afaik: Sending: Initiates from my home box and go out via VM. Receiving: VM receives it and forwards to home box. (I've also tried sending through my home machine on port 587 but the home comcast IP is blacklisted)
There's really no good reason to not send via Comcast's authenticated relay unless you need the ability to pore through logs to be assured of delivery. That way, Comcast won't notice you sending to a non-Comcast destination and you won't get busted for running an illegal MTA. Adding to what Wietse says about the Primary MX having to do all of the checks, I use Dyn's email gateway for home. They hold the MX, they do the spam filtering/white or blacklisting, and since they use Postfix, the address verification works just fine so I don't backscatter at all.
Fly under the radar, dude. That's the best advice for home. If you want a lab, rent some cloud space.
Heartbleed via smtpd?
I'm guessing since I've received a bunch of these over the past few days that these are Heartbleed scrape attempts, especially since these IPs belong to our friends in the former Soviet Union. Agreed? (It's an Apple server so it uses its own goto fail TLS library, and only has an older version of openssl (0.9.8y) on it so I'm safe--from this, at least.)
Apr 11 22:10:13 miniserv.private postfix/smtpd[90051]: connect from unknown[37.45.1.153]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90054]: connect from unknown[93.157.46.40]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: warning: unknown[37.45.1.153]: SASL LOGIN authentication failed
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: lost connection after AUTH from unknown[37.45.1.153]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: disconnect from unknown[37.45.1.153]
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: SSL_accept error from unknown[93.157.46.40]: 0
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: warning: TLS library problem: 90054:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: lost connection after STARTTLS from unknown[93.157.46.40]
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: disconnect from unknown[93.157.46.40]
Apr 11 22:10:16 miniserv.private postfix/smtpd[90056]: warning: TLS library problem: 90056:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:17 miniserv.private postfix/smtpd[90051]: connect from unknown[93.153.183.18]
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: SSL_accept error from unknown[93.153.183.18]: 0
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: warning: TLS library problem: 90051:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: lost connection after STARTTLS from unknown[93.153.183.18]
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: disconnect from unknown[93.153.183.18]
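Added example, not part of the original post: one way to triage smtpd log lines like those above per client, using the smtpd PID to attribute "TLS library problem" warnings, which carry no client address of their own. The sample lines, the documentation-range addresses and the names triage and SAMPLE_LOG are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the smtpd lines quoted above
# (documentation addresses, shortened source path); not data from the post.
SAMPLE_LOG = """\
Apr 11 22:10:13 mail postfix/smtpd[90051]: connect from unknown[192.0.2.10]
Apr 11 22:10:14 mail postfix/smtpd[90054]: connect from unknown[198.51.100.7]
Apr 11 22:10:14 mail postfix/smtpd[90051]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed
Apr 11 22:10:14 mail postfix/smtpd[90051]: lost connection after AUTH from unknown[192.0.2.10]
Apr 11 22:10:14 mail postfix/smtpd[90051]: disconnect from unknown[192.0.2.10]
Apr 11 22:10:15 mail postfix/smtpd[90054]: SSL_accept error from unknown[198.51.100.7]: 0
Apr 11 22:10:15 mail postfix/smtpd[90054]: warning: TLS library problem: 90054:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:15 mail postfix/smtpd[90054]: lost connection after STARTTLS from unknown[198.51.100.7]
Apr 11 22:10:15 mail postfix/smtpd[90054]: disconnect from unknown[198.51.100.7]
Apr 11 22:10:16 mail postfix/smtpd[90056]: warning: TLS library problem: 90056:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:17 mail postfix/smtpd[90051]: connect from unknown[203.0.113.5]
Apr 11 22:10:18 mail postfix/smtpd[90051]: SSL_accept error from unknown[203.0.113.5]: 0
Apr 11 22:10:18 mail postfix/smtpd[90051]: warning: TLS library problem: 90051:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:18 mail postfix/smtpd[90051]: lost connection after STARTTLS from unknown[203.0.113.5]
Apr 11 22:10:18 mail postfix/smtpd[90051]: disconnect from unknown[203.0.113.5]
"""

# syslog prefix of a postfix/smtpd line: timestamp, host, pid, message
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = r"\S+\[(?P<ip>[^\]]+)\]"          # hostname[address]
RULES = [
    ("connect", re.compile(r"^connect from " + PEER)),
    ("disconnect", re.compile(r"^disconnect from " + PEER)),
    ("sasl", re.compile(r"^warning: " + PEER +
                        r": SASL (?P<mech>\S+) authentication failed")),
    ("accept", re.compile(r"^SSL_accept error from " + PEER)),
    ("alert", re.compile(r"^warning: TLS library problem: "
                         r".*SSL alert number (?P<num>\d+)")),
    ("lost", re.compile(r"^lost connection after (?P<stage>\S+) from " + PEER)),
]
# TLS alert descriptions (standard alert numbers); 46 is the one in the log.
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate",
               46: "certificate_unknown", 48: "unknown_ca",
               70: "protocol_version"}


def triage(log_text):
    """Return {client: {event: count}} for smtpd auth and TLS failures."""
    sessions = {}                    # smtpd pid -> client of its open session
    events = defaultdict(Counter)
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        for kind, rx in RULES:
            m = rx.match(msg)
            if m:
                break
        else:
            continue                 # not an event this triage tracks
        if kind == "connect":
            sessions[pid] = m["ip"]  # smtpd processes are reused across clients
        elif kind == "disconnect":
            sessions.pop(pid, None)
        elif kind == "sasl":
            events[m["ip"]][f"sasl_{m['mech']}_failed"] += 1
        elif kind == "accept":
            events[m["ip"]]["tls_accept_error"] += 1
        elif kind == "lost":
            events[m["ip"]][f"lost_after_{m['stage']}"] += 1
        else:
            # The alert line names only the pid, so attribute it through the
            # session table; the alert was read from the peer (SSL3_READ_BYTES).
            who = sessions.get(pid, f"pid {pid} (no open session)")
            name = ALERT_NAMES.get(int(m["num"]), f"alert_{m['num']}")
            events[who][f"peer_alert_{name}"] += 1
    return {who: dict(counts) for who, counts in events.items()}


if __name__ == "__main__":
    for client, counts in triage(SAMPLE_LOG).items():
        print(client, counts)
```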
Re: value of zero not documented for message_size_limit
On Fri, Apr 11, 2014 at 7:14 AM, Wietse Venema wie...@porcupine.org wrote:
Markus Schönhaber: Hi, while the documentation for mailbox_size_limit http://www.postfix.org/postconf.5.html#mailbox_size_limit explicitly states [...] or zero (no limit)., the doc for message_size_limit http://www.postfix.org/postconf.5.html#message_size_limit doesn't mention that it's possible to turn off the limit by setting this parameter to zero. Shouldn't that be documented for message_size_limit too?
The documentation specifies supported behavior. Setting the limit to zero is a really really really bad idea. A non-zero message size limit is the last defense against total mayhem.
Tell that to Apple whose default config sets that value to 0.
IPv6 to IPv4 fallback
Howdy, I now have IPv6 routing working along with inet_protocols = all in my main.cf (Postfix 2.9.4). I've noticed that using my outbound relay (which is load balanced across many machines) will connect with either protocol with no discernible pattern even to the same destination. Going by the below from the documentation:
The address type (ipv6, ipv4 or any) that the Postfix SMTP client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. This feature has no effect unless the inet_protocols setting enables both IPv4 and IPv6. With Postfix 2.8 the default is ipv6.
What would dictate the smtp client's fallback (for lack of a better word) to ipv4 assuming the same destination supports both protocols (confirmed with telnet when I round-robined back to the same smtp server)? Thanks!
(these examples could have been to same destination machine or different)
Apr 6 13:49:53 miniserv.private postfix/smtp[6208]: Untrusted TLS connection established to smtp.comcast.net[2001:558:fe2d:70::30]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 6 13:49:54 miniserv.private postfix/smtp[6208]: 905CA3553DE: to=f...@example.com, relay=smtp.comcast.net[2001:558:fe2d:70::30]:587, delay=1.9, delays=0/0.01/1.3/0.59, dsn=2.0.0, status=sent (250 2.0.0 mhpz1n00E46N1nS8jhq0d6 mail accepted for delivery)
Apr 6 13:49:54 miniserv.private postfix/qmgr[101]: 905CA3553DE: removed
(snip)
Apr 6 13:53:41 miniserv.private postfix/smtp[6560]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 6 13:53:43 miniserv.private postfix/smtp[6560]: C46013554A8: to=b...@example.com, relay=smtp.comcast.net[76.96.40.155]:587, delay=2.5, delays=0/0.01/1.6/0.91, dsn=2.0.0, status=sent (250 2.0.0 mhto1n0061Cv1Ze8ahtpip mail accepted for delivery)
Apr 6 13:53:43 miniserv.private postfix/qmgr[101]: C46013554A8: removed
Re: Using transport only if local user exists
On Sat, Mar 15, 2014 at 11:34 PM, Noel Jones njo...@megan.vbhcs.org wrote: On 3/15/2014 5:08 PM, Rick Zeman wrote: I've started working on my bastard Mac postfix relay. For delivery to the local domain, it will only relay to the internal mail server defined in transport if the user exists locally on the postfix When relaying to an inside server, the domain should be specified in relay_domains, not mydestination. Valid recipients should be listed in relay_recipient_maps. You can override the users to be delivered locally by using a transport_maps entry pointing those users to the local: delivery transport. http://www.postfix.org/ADDRESS_CLASS_README.html http://www.postfix.org/BASIC_CONFIGURATION_README.html http://www.postfix.org/STANDARD_CONFIGURATION_README.html And turn off the debug logging -- it's rarely useful for any but the most obscure errors, and the big errors get lost in the noise. Oy. Got it, thanks. One last question. I have recipient_delimiters = - and also reject_unverified_recipient in the smtpd recipient restrictions. It looks like postfix (on my system, at least) does the smtp probe to the destination before the re-write of user-foo@ to user@ so it's effectively useless. Are they mutually exclusive, or is there a way to force the rewrite to happen before the probe? I didn't see anything under either common in the docs that addressed this scenario.
Re: Using transport only if local user exists
On Sun, Mar 16, 2014 at 9:43 AM, Noel Jones njo...@megan.vbhcs.org wrote: On 3/16/2014 8:31 AM, Rick Zeman wrote: On Sat, Mar 15, 2014 at 11:34 PM, Noel Jones njo...@megan.vbhcs.org wrote: On 3/15/2014 5:08 PM, Rick Zeman wrote: I've started working on my bastard Mac postfix relay. For delivery to the local domain, it will only relay to the internal mail server defined in transport if the user exists locally on the postfix When relaying to an inside server, the domain should be specified in relay_domains, not mydestination. Valid recipients should be listed in relay_recipient_maps. You can override the users to be delivered locally by using a transport_maps entry pointing those users to the local: delivery transport. http://www.postfix.org/ADDRESS_CLASS_README.html http://www.postfix.org/BASIC_CONFIGURATION_README.html http://www.postfix.org/STANDARD_CONFIGURATION_README.html And turn off the debug logging -- it's rarely useful for any but the most obscure errors, and the big errors get lost in the noise. Oy. Got it, thanks. One last question. I have recipient_delimiters = - and also reject_unverified_recipient in the smtpd recipient restrictions. It looks like postfix (on my system, at least) does the smtp probe to the destination before the re-write of user-foo@ to user@ so it's effectively useless. Are they mutually exclusive, or is there a way to force the rewrite to happen before the probe? I didn't see anything under either common in the docs that addressed this scenario. Postfix does not rewrite user-...@example.com to u...@example.com. Rather, postfix will use fake lookups of u...@example.com for select table lookups as documented elsewhere, and carefully preserve the -foo extension during delivery. Recipient address verification probes are always sent using the exact address as supplied by the client. If the remote system doesn't accept user-foo@ as a valid address then the probe will fail, as it should. 
If you need to strip the address extension, you could use smtp_generic_maps to remove the extension during delivery. The reading that I just did (generic, canonical) suggests that using a canonical table so cleanup(8) will rewrite the address before the inbound mail is queued vs generic_maps which would rewrite after it's queued. Is that the only fundamental difference? In reading both doc pages, however, I really didn't see any examples that would remap user-...@example.com to u...@example.com. Nor could I find a good example by googling.
Using transport only if local user exists
I've started working on my bastard Mac postfix relay. For delivery to the local domain, it will only relay to the internal mail server defined in transport if the user exists locally on the postfix box...and I can't figure out why (luckily, the 450 safety net is there!). I could see how it would deliver locally OR relay, but not a conditional as it is. I would imagine this is also why recipient delimiters aren't being acknowledged, and the smtp recipient probe for reject_unverified_recipient. Below is a snippet from the mail logs, followed by postconf -n (specifying the working directory since postconf defaults to /etc/postfix on Mavericks server even though that's not where Apple's implementation puts its config files), and transport. Any thoughts? Thanks. Logging: Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: START Recipient address RESTRICTIONS Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=permit_sasl_authenticated Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=permit_sasl_authenticated status=0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=permit_mynetworks Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: permit_mynetworks: mxout-044-pao.mailhop.org 216.146.32.44 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostname: mxout-044-pao.mailhop.org ~? 127.0.0.0/8 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostaddr: 216.146.32.44 ~? 127.0.0.0/8 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostname: mxout-044-pao.mailhop.org ~? [::1]/128 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostaddr: 216.146.32.44 ~? [::1]/128 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostname: mxout-044-pao.mailhop.org ~? 192.168.1.0/24 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostaddr: 216.146.32.44 ~? 
192.168.1.0/24 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_list_match: mxout-044-pao.mailhop.org: no match Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_list_match: 216.146.32.44: no match Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=permit_mynetworks status=0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=reject_unauth_destination Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: reject_unauth_destination: dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: permit_auth_destination: dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: ctable_locate: leave existing entry key dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=reject_unauth_destination status=0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=reject_unknown_recipient_domain Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: reject_unknown_address: dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: ctable_locate: leave existing entry key dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=reject_unknown_recipient_domain status=0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=reject_unverified_recipient Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: reject_unverified_address: dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: connect to subsystem private/verify Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: send attr request = query Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: send attr address = dom...@pointyears.net Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify socket: wanted attribute: status Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute name: status Mar 15 17:50:36 miniserv.private 
postfix/smtpd[36549]: input attribute value: 0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify socket: wanted attribute: recipient_status Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute name: recipient_status Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute value: 0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify socket: wanted attribute: reason Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute name: reason Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute value: 250 Ok Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify socket: wanted attribute: (list terminator) Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute name: (end) Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks: name=reject_unverified_recipient status=0 Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: END Recipient address RESTRICTIONS Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: CHECKING
Re: Mac Postfix gateway local delivering.
I On Sat, Mar 1, 2014 at 8:46 PM, Wietse Venema wie...@porcupine.org wrote: What is in this file? I've got delivery to the relay host working, and delivery to the local mail destination; however it only works from the server's command line Connections for mail coming outside of $mynetwork just seems to be dropped (debug level 2 below) wanting the sender to startlls even though I've commented out the smtpd_use_tls = yes out (postconf -n at the bottom), added smtpd_enforce_tls = no, and restarted postfix. Any thoughts? Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: connect from mxout-032-pao.mailhop.org[216.146.32.32] Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: smtp_stream_setup: maxtime=300 enable_deadline=0 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostname: mxout-032-pao.mailhop.org ~? 127.0.0.0/8 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostaddr: 216.146.32.32 ~? 127.0.0.0/8 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostname: mxout-032-pao.mailhop.org ~? [::1]/128 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostaddr: 216.146.32.32 ~? [::1]/128 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostname: mxout-032-pao.mailhop.org ~? 192.168.1.0/24 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostaddr: 216.146.32.32 ~? 
192.168.1.0/24 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match: mxout-032-pao.mailhop.org: no match Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match: 216.146.32.32: no match Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: auto_clnt_open: connected to private/anvil Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: send attr request = connect Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: send attr ident = submission:216.146.32.32 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil: wanted attribute: status Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute name: status Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute value: 0 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil: wanted attribute: count Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute name: count Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute value: 1 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil: wanted attribute: rate Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute name: rate Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute value: 1 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil: wanted attribute: (list terminator) Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute name: (end) Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 220 pointyears.net ESMTP Postfix (2.9.4) Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: watchdog_pat: 0x7ff759f00800 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: EHLO mail-11-pao.dyndns.com Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match: mxout-032-pao.mailhop.org: no match Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match: 216.146.32.32: no match Mar 2 
15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-pointyears.net Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-PIPELINING Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-SIZE 20485760 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-VRFY Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-ETRN Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-STARTTLS Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-ENHANCEDSTATUSCODES Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-8BITMIME Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-DSN Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250-BINARYMIME Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: 250 CHUNKING Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: watchdog_pat: 0x7ff759f00800 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]: mxout-032-pao.mailhop.org[216.146.32.32]: MAIL FROM:rze...@outlook.com SIZE=10263 Mar 2 15:04:03 miniserv.private postfix/smtpd[35096]:
Re: Mac Postfix gateway local delivering.
On Sun, Mar 2, 2014 at 4:38 PM, Wietse Venema wie...@porcupine.org wrote:
Wietse:
mydestination =
local_transport = error:local mail delivery is disabled
Nevertheless, you have some mail going to the local delivery agent.
transport_maps = hash:/etc/postfix/transport
What is in this file?
Rick Zeman:
pointyears.net smtp:[192.168.1.5]:587
Based on the configuration details that you have given in earlier email, Postfix cannot invoke the local delivery agent. Therefore, what you have shown is not the configuration that Postfix uses.
Yes, thanks. Apple has postfix config files in both /etc/postfix and in /Library/Server/Mail/Config/postfix. As a person who'd only used postfix on linux I was editing the former while the system was using the latter. Now, I've graduated to bigger and better problems (the TLS expected when it looked like it shouldn't be as I posted in my next message in this saga).
Mac Postfix gateway local delivering.
Howdy, I'm trying to set up a Mac version of postfix (2.9.4) as a mail gateway. It's been many years since I've set up a postfix instance, and being extremely rusty I've gotten myself stuck. I've got things working so that mail destined for outside the domain gets delivered to the relay host on an alternate port using SASL, so that's all working well. However, mail destined for the local domain isn't being relayed to the mail server (at least using mail from the command line), it's apparently being handled by dovecot even though I commented out the dovecot section of the master.cf and restarted postfix:
Mar 1 18:58:58 miniserv.private postfix/pickup[16740]: 3AC89A009B: uid=501 from=rzeman
Mar 1 18:58:58 miniserv.private postfix/cleanup[16758]: 3AC89A009B: message-id=20140301235858.3ac89a0...@pointyears.net
Mar 1 18:58:58 miniserv.private postfix/qmgr[16741]: 3AC89A009B: from= rze...@pointyears.net, size=295, nrcpt=1 (queue active)
Mar 1 18:58:58 miniserv.private postfix/smtpd[16786]: 4D42BA00A2: client=localhost[127.0.0.1]
Mar 1 18:58:58 miniserv.private postfix/cleanup[16758]: 4D42BA00A2: message-id=20140301235858.3ac89a0...@pointyears.net
Mar 1 18:58:58 miniserv.private postfix/smtpd[16786]: disconnect from localhost[127.0.0.1]
Mar 1 18:58:58 miniserv.private postfix/qmgr[16741]: 4D42BA00A2: from= rze...@pointyears.net, size=728, nrcpt=1 (queue active)
Mar 1 18:58:58 miniserv.private postfix/smtp[16760]: 3AC89A009B: to= r...@pointyears.net, relay=127.0.0.1[127.0.0.1]:10024, delay=0.08, delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D42BA00A2)
Mar 1 18:58:58 miniserv.private postfix/qmgr[16741]: 3AC89A009B: removed
Mar 1 18:58:58 miniserv.private postfix/local[17006]: error: od[getpwnam_ext]: no record for user rick
Mar 1 18:58:58 miniserv.private postfix/pipe[17007]: 4D42BA00A2: to= r...@pointyears.net, relay=dovecot, delay=0.1, delays=0/0.01/0/0.09, dsn=5.1.1, status=bounced (user unknown)
Mar 1 18:58:58 miniserv.private postfix/cleanup[16758]: 659D6A00A7: message-id=20140301235858.659d6a0...@pointyears.net
Mar 1 18:58:58 miniserv.private postfix/qmgr[16741]: 659D6A00A7: from=, size=2529, nrcpt=1 (queue active)
Mar 1 18:58:58 miniserv.private postfix/bounce[17016]: 4D42BA00A2: sender non-delivery notification: 659D6A00A7
Mar 1 18:58:58 miniserv.private postfix/qmgr[16741]: 4D42BA00A2: removed
Mar 1 18:58:58 miniserv.private postfix/pipe[17007]: 659D6A00A7: to= rze...@pointyears.net, relay=dovecot, delay=0.03, delays=0/0/0/0.03, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 1 18:58:58 miniserv.private postfix/qmgr[16741]: 659D6A00A7: removed
I've added the internal server to transport (pointyears.net :[192.168.1.5]), postmapped it, and added it to the master.cf. So I'm confused a) why postfix is still trying to deliver locally and why it still thinks that dovecot is in play here, but I've never dealt with that and postfix before. Also, it seems to be ignoring myhostname I've specified. Is that an Apple thing? I've pretty much ignored the GUI since it's so basic and buggy. Thoughts? Thanks!
* postconf -n:
biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20485760
mydestination =
mydomain_fallback = localhost
myhostname = miniserv.pointyears.net
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.5
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relay_domains = pointyears.net
relayhost = [192.168.1.5]
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
Re: Mac Postfix gateway local delivering.
On Sat, Mar 1, 2014 at 7:50 PM, li...@rhsoft.net li...@rhsoft.net wrote:
On 02.03.2014 01:08, Rick Zeman wrote:
Howdy, I'm trying to set up a Mac version of postfix (2.9.4) as a mail gateway. It's been many years since I've set up a postfix instance, and being extremely rusty I've gotten myself stuck. I've got things working so that mail destined for outside the domain gets delivered to the relay host on an alternate port using SASL, so that's all working well. However, mail destined for the local domain isn't being relayed to the mail server (at least using mail from the command line), it's apparently being handled by dovecot even though I commented out the dovecot section of the master.cf and restarted postfix:
Mar 1 18:58:58 miniserv.private postfix/smtp[16760]: 3AC89A009B: to= r...@pointyears.net, relay=127.0.0.1[127.0.0.1]:10024, delay=0.08, delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D42BA00A2)
transport_maps = hash:/etc/postfix/transport
so what is local - if you have a transport then it happens to get used
Local = what of what domain postfix is part of (domain part of $myhostname). This is all that's in transport:
pointyears.net smtp:[192.168.1.5]
Re: Mac Postfix gateway local delivering.
I'm sure everyone else knows this, but OS X keeps two complete sets of postfix config files. Guess who, based on linux experience, was using /etc/postfix?
On Sat, Mar 1, 2014 at 8:10 PM, Rick Zeman rze...@gmail.com wrote:
On Sat, Mar 1, 2014 at 7:50 PM, li...@rhsoft.net li...@rhsoft.net wrote:
On 02.03.2014 01:08, Rick Zeman wrote:
Howdy, I'm trying to set up a Mac version of postfix (2.9.4) as a mail gateway. It's been many years since I've set up a postfix instance, and being extremely rusty I've gotten myself stuck. I've got things working so that mail destined for outside the domain gets delivered to the relay host on an alternate port using SASL, so that's all working well. However, mail destined for the local domain isn't being relayed to the mail server (at least using mail from the command line), it's apparently being handled by dovecot even though I commented out the dovecot section of the master.cf and restarted postfix:
Mar 1 18:58:58 miniserv.private postfix/smtp[16760]: 3AC89A009B: to= r...@pointyears.net, relay=127.0.0.1[127.0.0.1]:10024, delay=0.08, delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D42BA00A2)
transport_maps = hash:/etc/postfix/transport
so what is local - if you have a transport then it happens to get used
Local = what of what domain postfix is part of (domain part of $myhostname). This is all that's in transport:
pointyears.net smtp:[192.168.1.5]
Re: Mac Postfix gateway local delivering.
On Sat, Mar 1, 2014 at 8:46 PM, Wietse Venema wie...@porcupine.org wrote:
> Rick Zeman:
> > mydestination =
> > local_transport = error:local mail delivery is disabled
>
> Nevertheless, you have some mail going to the local delivery agent.
>
> > transport_maps = hash:/etc/postfix/transport
>
> What is in this file?
>
> Wietse

Hi Wietse,

pointyears.net smtp:[192.168.1.5]:587
Post upgrade problem(?)
Just upgraded to 3.93 from 3.62 from source (amazingly smooth make upgrade after skipping 3 years of interim versions. Easier than using an rpm!). I fixed the TLS database location warnings that cropped up in the logs, but I'm also seeing:

Jul 8 21:51:51 tux postfix/verify[28749]: close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)

Looking in /var/lib/postfix I see:

-rw-r--r-- 1 postfix postfix 8192 Jul 8 22:00 verify_cache.db

Any suggestions on what else to look at? Thanks.

% postconf -n
address_verify_sender =
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id sleep 5
delay_warning_time = 4
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3058
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = -
relayhost = [smtp.comcast.net]:submission
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.pointyears.net ESMTP: $mail_name $mail_version
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname check_helo_access hash:/etc/postfix/helo_access permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_recipient_access hash:/etc/postfix/deniedusers reject_unverified_recipient check_policy_service unix:private/tumgreyspf permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
tumgreyspf_time_limit = 3600
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
quick and dirty SASL
Howdy, I have sasl installed and postfix uses it for its outbound relay just fine. I need now for a smart phone or two to use postfix to send mail. Am I correct that there's no mechanism like

smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

for smtpd? Just need a quick and dirty one or two username auth. What do you experts think is the best/easiest (yes, might not be the same thing!) way to do this? Thanks!

$ postconf -n
address_verify_sender =
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp2:127.0.0.1:10025
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3058
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = -
relayhost = [outgoing.verizon.net]
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.pointyears.net ESMTP: $mail_name $mail_version
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname check_helo_access hash:/etc/postfix/helo_access permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_recipient_access hash:/etc/postfix/deniedusers reject_unverified_recipient check_policy_service unix:private/tumgreyspf permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
Re: quick and dirty SASL
On Wed, Nov 11, 2009 at 11:06 AM, Eero Volotinen eero.voloti...@iki.fi wrote:
> Rick Zeman wrote:
> > Howdy, I have sasl installed and postfix uses it for its outbound relay just fine. I need now for a smart phone or two to use postfix to send mail. Am I correct that there's no mechanism like
> >
> > smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
> >
> > for smtpd? Just need a quick and dirty one or two username auth. What do you experts think is the best/easiest (yes, might not be the same thing!) way to do this?
>
> Dovecot sasl: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Whoops...been so long since I set that up that I should have mentioned I have cyrus sasl installed.
Re: Interesting tumgreyspf/postfix/gmail problem
On Tue, Oct 14, 2008 at 11:41 PM, Henrik K [EMAIL PROTECTED] wrote:
> On Tue, Oct 14, 2008 at 05:32:56PM -0400, Rick Zeman wrote:
> > Just discovered that gmail is now retrying greylisted email from not only multiple servers, but from multiple servers located within different subnets...which totally breaks tumgreyspf greylisting implementation. I kind of like it cuz it uses the filesystem to store its data. However, there's no way to whitelist every one of their smtp servers.
>
> Of course there is, add client table before policy server:
>
> .google.com OK

Hmm, that didn't work for me--still got greylisted.. Relevant section below.

smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unverified_recipient check_recipient_access hash:/etc/postfix/always_allowed check_recipient_access hash:/etc/postfix/not_accepted check_policy_service unix:private/tumgreyspf

cat /etc/postfix/always_allowed
abuse@ OK
postmaster@ OK
.google.com OK

and postmap WAS run.
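An added illustration (not part of the thread and not Postfix code): a simplified Python model of the access(5) lookup keys, showing what a `check_recipient_access` table is searched with compared to a `check_client_access` table, including the effect of `smtpd_access_maps` being listed in `parent_domain_matches_subdomains` as in the postconf output posted in this thread. The client hostname, IP address and recipient are constructed sample values, and only IPv4 is modelled.

```python
"""Simplified model of Postfix access(5) lookup keys (added example)."""

def domain_keys(name, parent_style):
    """Keys tried for a hostname or domain, most specific first.

    parent_style=True models parent_domain_matches_subdomains containing
    smtpd_access_maps: parent domains are tried as 'google.com'.
    Otherwise they are tried with a leading dot, as '.google.com'.
    """
    keys, rest = [name], name
    while "." in rest:
        rest = rest.split(".", 1)[1]
        keys.append(rest if parent_style else "." + rest)
    return keys

def client_keys(hostname, addr, parent_style):
    """check_client_access: client hostname, parents, then IP and networks."""
    octets = addr.split(".")
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return domain_keys(hostname, parent_style) + nets

def recipient_keys(rcpt, parent_style):
    """check_recipient_access: user@domain, domain and parents, then user@."""
    user, domain = rcpt.rsplit("@", 1)
    return [rcpt] + domain_keys(domain, parent_style) + [user + "@"]

def lookup(table, keys):
    """First matching action, or None (the next restriction is evaluated)."""
    return next((table[k] for k in keys if k in table), None)

# Table contents as posted in the thread.
ALWAYS_ALLOWED = {"abuse@": "OK", "postmaster@": "OK", ".google.com": "OK"}
# Constructed sample values, not taken from the thread.
CLIENT = ("mail-out.google.com", "192.0.2.10")
RCPT = "someone@melwood.org"

if __name__ == "__main__":
    # Searched by recipient: the sending client never becomes a lookup key.
    print(recipient_keys(RCPT, True), lookup(ALWAYS_ALLOWED, recipient_keys(RCPT, True)))
    # Searched by client with smtpd_access_maps listed: the key is 'google.com'.
    print(client_keys(*CLIENT, True), lookup(ALWAYS_ALLOWED, client_keys(*CLIENT, True)))
```

In this model the posted table never sees the client name when it is used with `check_recipient_access`, and with `smtpd_access_maps` listed a client table needs the key `google.com` rather than `.google.com`.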
Interesting tumgreyspf/postfix/gmail problem
Just discovered that gmail is now retrying greylisted email from not only multiple servers, but from multiple servers located within different subnets...which totally breaks tumgreyspf greylisting implementation. I kind of like it cuz it uses the filesystem to store its data. However, there's no way to whitelist every one of their smtp servers.

This leaves us with 4 options:

a) do nothing and hope it's a crapshoot that gmail will retry from the same smtp server within a reasonable timeframe (if at all!) Not a good option.
b) turn off greylisting entirely. (It still stops a lot of spam...just not as much as before. Not a good option)
c) switch to another greylisting implementation (uses a database...not the preferred option)
d) have postfix bypass that policy service if the sender's smtp connection/envelope sender (vs the from) is from gmail. I have no idea how to do that--if possible--hence this request to the list. Is that possible?

Thanks!

postconf -n
address_verify_negative_cache = yes
address_verify_negative_expire_time = 1d
address_verify_positive_refresh_time = 2d
address_verify_sender =
alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_template_file = /etc/postfix/bounce.cf
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 4h
disable_dns_lookups = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix/html
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 2568
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination =
myhostname = mail.melwood.org
mynetworks = 127.0.0.0/8 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = melwood.com, melwood.org, melwoodgardencenter.com
relay_recipient_maps =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtp_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.melwood.org ESMTP - All use subject to Melwood's Internet Use Policy.
smtpd_client_restrictions = permit_mynetworks reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org reject_rbl_client combined.njabl.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 4
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname check_helo_access hash:/etc/postfix/helo_access permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unverified_recipient check_recipient_access hash:/etc/postfix/always_allowed check_recipient_access hash:/etc/postfix/not_accepted check_policy_service unix:private/tumgreyspf
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550