Re: Basic kind of question

2019-07-17 Thread Rick Zeman
Sadly, it's not that easy (made no difference, and yes I reloaded
postfix).   It's still trying to deliver to itself.  Only thing I've
managed to do messing with this today is to get it to stop bouncing and now
the tests are in the queue because they can't be delivered locally:
0130766 266 Wed Jul 17 17:18:30  r...@example.com
   (connect to example.com[10.166.5.182]:25: Connection timed out)
 example-test...@example.com

On Wed, Jul 17, 2019 at 3:19 PM Robert Theisen  wrote:

>
> I would set mydomain to smtp2.example.com .  That should make the host do
> a dns query to find the mx record of example.com .
>
> Robert
> On Wednesday, July 17, 2019, 2:24:46 PM EDT, Rick Zeman 
> wrote:
>
>
> I inherited a pair of postfix servers configured by someone else and I
> think I've been a manager too long as I can't figure this one out because
> I'm too rusty with postfix.
> Scenario:
> 2 identical postfix servers that only accept mail from mynetworks (other
> local servers in its /16) with various From domains that are NOT mydomain,
> which deliver directly to the recipients wherever they are in the world.
> That all works fine.  What doesn't work fine is if the recipient is
> *@example.com, which IS mydomain, to which delivery is not local, but the
> same domain.  Then postfix tries to deliver locally and bounces.  Common
> problem.
> My expectation is that when an email hits for *@example.com
> postfix would do an MX lookup for example.com and send to that MX
> externally.
> No twiddling with mydestination, transport maps, turning off local in
> master.cf, or combinations thereof.  There's no relayhost since they
> deliver directly.  Thoughts?  Thanks!

Basic kind of question

2019-07-17 Thread Rick Zeman
I inherited a pair of postfix servers configured by someone else and I
think I've been a manager too long as I can't figure this one out because
I'm too rusty with postfix.
Scenario:
2 identical postfix servers that only accept mail from mynetworks (other
local servers in its /16) with various From domains that are NOT mydomain,
which deliver directly to the recipients wherever they are in the world.
That all works fine.  What doesn't work fine is if the recipient is
*@example.com, which IS mydomain, to which delivery is not local, but the
same domain.  Then postfix tries to deliver locally and bounces.  Common
problem.
My expectation is that when an email hits for *@example.com
postfix would do an MX lookup for example.com and send to that MX
externally.
No twiddling with mydestination, transport maps, turning off local in
master.cf, or combinations thereof.  There's no relayhost since they
deliver directly.  Thoughts?  Thanks!

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mydomain = example.com
myhostname = smtp2.example.com
mynetworks = 127.0.0.0/8, 10.166.0.0/16
myorigin = example.com
newaliases_path = /usr/bin/newaliases.postfix
postscreen_upstream_proxy_protocol = haproxy
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/pki/tls/certs/godaddy.certchain.crt
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_high_cipherlist =
kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist =
kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

#628      inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
#local    unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache


Re: Fallback to IPV4 in case of IPV6 is not available

2017-04-01 Thread Rick Zeman
On Sat, Mar 25, 2017 at 2:48 PM, Paul C  wrote:
> I wish the world would use ipv6 enough for this to be worth doing, but
> it's not going to have much benefit to you as there's almost no one
> using it for smtp, from the last time I checked which was a few months
> ago, google uses it perfectly, verizon too (maybe a few more cable
> domains), yahoo looked like they were trying lol, website and some
> services were v6 this year but smtp was not when I checked, hotmail
> doesn't use it anywhere from what i can see, aol never will and almost
> no self hosted mail server will have it. My guess is (unless gmail is
> where most mail goes) that you might see a few percent like 1-5% of
> mail ever use it. Not a bad research project or knowing v6, or if you
> have other reasons, but actual sending out is just not happening any
> time soon.

Comcast, surprisingly, is way ahead of the residential game:

Apr  1 16:17:12 miniserv postfix/smtp[79694]: Untrusted TLS connection
established to smtp.comcast.net[2001:558:fe21:2a::5]:587: TLSv1.2 with
cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  1 16:17:12 miniserv postfix/smtp[79694]: 252483CACE40:
to=, relay=smtp.comcast.net[2001:558:fe21:2a::5]:587,
delay=1.6, delays=0/0/1.3/0.25, dsn=2.0.0, status=sent (250 2.0.0
uPSRcVCa8qoNEuPSSchbjZ mail accepted for delivery)
Apr  1 16:17:12 miniserv postfix/qmgr[62620]: 252483CACE40: removed


Re: New SASL generic failure

2016-07-11 Thread Rick Zeman
On Sat, Jul 9, 2016 at 9:57 AM, Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
>
>> On Jul 8, 2016, at 10:09 PM, Rick Zeman <rze...@gmail.com> wrote:
>>
>> How might 'filtering out that mechanism' be done, Viktor?  It doesn't
>> sound (or look, based on SASL_README) like it's something done in
>> postfix.
>
> The first occurrence of the word "filter" in SASL_README is the section
> that describes filtering of SASL mechanisms in the Postfix SMTP client:
>
>http://www.postfix.org/SASL_README.html#client_sasl_filter
>
> You really should have been able to find this...

You are entirely correct:  I should have been able to find that (after
all, I was so close, and that was the readme I used when I set up the
damn thing), and I just missed it on my skim.  Explicitly filtering
in:

smtp_sasl_mechanism_filter = plain, login

did the trick.  I didn't need to filter out XOAUTH2.

As always, thank you, Viktor.
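As an added illustration (not from the thread and not Postfix's own code) of what `smtp_sasl_security_options` and `smtp_sasl_mechanism_filter` do to the `250-AUTH LOGIN PLAIN XOAUTH2` list in the log above; the matching rules are modelled on the documented forms (plain names, `!name` exclusions, `static:rest` catch-all, first match wins), and the plaintext/anonymous classification is an assumption:

```python
import re

# Constructed sample lines in the shape of the debug_peer output quoted in
# the thread; only the AUTH line matters here.
SAMPLE_LOG = (
    "Jul  8 20:32:21 miniserv postfix/smtp[2949]: < "
    "smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-AUTH LOGIN PLAIN XOAUTH2\n"
    "Jul  8 20:32:21 miniserv postfix/smtp[2949]: < "
    "smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-SIZE 36700160\n"
)

AUTH_LINE = re.compile(r"\b250[- ]AUTH\s+(.+?)\s*$")

# Assumed classification behind the security options: PLAIN and LOGIN send
# the password in the clear ("noplaintext"), ANONYMOUS needs no credentials.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}


def advertised_mechanisms(log_text):
    """Mechanism names from the first '250-AUTH ...' EHLO response in the log."""
    for line in log_text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            return [name.upper() for name in m.group(1).split()]
    return []


def parse_mechanism_filter(spec):
    """Turn a main.cf list value into ordered (pattern, allow) rules.

    '!name' excludes a mechanism; 'static:anything' matches every name, which
    is how the documented '!gssapi, !login, static:rest' form allows the rest.
    """
    rules = []
    for item in re.split(r"[,\s]+", spec.strip()):
        if item:
            rules.append((item.lstrip("!").upper(), not item.startswith("!")))
    return rules


def filter_allows(rules, mech):
    """First matching rule decides; a non-empty filter with no match denies."""
    if not rules:
        return True          # no filter configured: everything offered is usable
    for pattern, allow in rules:
        if pattern.startswith("STATIC:") or pattern == mech:
            return allow
    return False


def usable_mechanisms(advertised, security_options="noanonymous", mechanism_filter=""):
    """Mechanisms the client may still pick after both settings are applied."""
    options = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    rules = parse_mechanism_filter(mechanism_filter)
    usable = []
    for mech in advertised:
        if "noanonymous" in options and mech in ANONYMOUS_MECHS:
            continue
        if "noplaintext" in options and mech in PLAINTEXT_MECHS:
            continue
        if filter_allows(rules, mech):
            usable.append(mech)
    return usable


if __name__ == "__main__":
    offered = advertised_mechanisms(SAMPLE_LOG)
    print("server offers:", offered)
    print("with 'plain, login':", usable_mechanisms(offered, mechanism_filter="plain, login"))
    print("with '!xoauth2' alone:", usable_mechanisms(offered, mechanism_filter="!xoauth2"))
```

Note that `!xoauth2` on its own leaves nothing usable; an exclusion needs a trailing `static:rest` to let the remaining mechanisms through.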


Re: New SASL generic failure

2016-07-08 Thread Rick Zeman
On Fri, Jul 8, 2016 at 9:17 PM, Viktor Dukhovni
 wrote:
>
>> On Jul 8, 2016, at 9:15 PM, Wietse Venema  wrote:
>>
>> Your SASL library cannot authenticate with PLAIN or LOGIN.
>
> Another possibility is that it supports and prefers XOAUTH2, but lacks
> the necessary credentials or configuration to do so.  In that case filtering
> out that mechanism might resolve the problem.  It could be that the server
> side has only recently enabled that mechanism.

Answering Wietse here, too, but I haven't touched the config and it's
been months since the config's been touched at all, and the server
got rebooted a few weeks ago for a UPS replacement, so it seems likely
that Comcast changed something.  According to
https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xml
XOAUTH2 is totally obsolete and I can't imagine Comcast requiring that
at this late date (I've been doing PLAIN over TLS for the last two
years with this postfix instance).

How might 'filtering out that mechanism' be done, Viktor?  It doesn't
sound (or look, based on SASL_README) like it's something done in
postfix.

smtp sasl options in main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous


New SASL generic failure

2016-07-08 Thread Rick Zeman
Working system that suddenly started crapping out on
SASL-authenticated connections to its relay.  Nothing's changed for
this 2.11.0 Apple-supplied postfix, and the username/password
authenticates fine to smtp.comcast.com (relay).  I'm not seeing what's
wrong (must be what "generic" means lol).  Thoughts?  Thanks.

Logs with smtp.comcast.com in debug_peer and real username changed to
username and likewise to password for the password:

Jul  8 20:32:21 miniserv postfix/smtp[2955]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul  8 20:32:21 miniserv postfix/smtp[2949]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 220
resomta-ch2-13v.sys.comcast.net comcast ESMTP server ready
Jul  8 20:32:21 miniserv postfix/smtp[2949]: >
smtp.comcast.net[2001:558:fe21:2a::5]:587: EHLO
miniserv.pointyears.net
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 220
resomta-ch2-12v.sys.comcast.net comcast ESMTP server ready
Jul  8 20:32:21 miniserv postfix/smtp[2955]: >
smtp.comcast.net[2001:558:fe21:2a::5]:587: EHLO
miniserv.pointyears.net
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587:
250-resomta-ch2-13v.sys.comcast.net hello [2601:982:8200:774f::162],
pleased to meet you
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-HELP
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-AUTH LOGIN PLAIN
XOAUTH2
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-SIZE 36700160
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-ENHANCEDSTATUSCODES
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-8BITMIME
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-STARTTLS
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250 OK
Jul  8 20:32:21 miniserv postfix/smtp[2949]: server features: 0x103b
size 36700160
Jul  8 20:32:21 miniserv postfix/smtp[2949]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul  8 20:32:21 miniserv postfix/smtp[2949]: >
smtp.comcast.net[2001:558:fe21:2a::5]:587: STARTTLS
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587:
250-resomta-ch2-12v.sys.comcast.net hello [2601:982:8200:774f::162],
pleased to meet you
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-HELP
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-AUTH LOGIN PLAIN
XOAUTH2
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-SIZE 36700160
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-ENHANCEDSTATUSCODES
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-8BITMIME
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250-STARTTLS
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 250 OK
Jul  8 20:32:21 miniserv postfix/smtp[2955]: server features: 0x103b
size 36700160
Jul  8 20:32:21 miniserv postfix/smtp[2955]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul  8 20:32:21 miniserv postfix/smtp[2955]: >
smtp.comcast.net[2001:558:fe21:2a::5]:587: STARTTLS
Jul  8 20:32:21 miniserv postfix/smtp[2949]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 220 2.0.0 Ready to start
TLS
Jul  8 20:32:21 miniserv postfix/smtp[2949]: send attr request = seed
Jul  8 20:32:21 miniserv postfix/smtp[2949]: send attr size = 32
Jul  8 20:32:21 miniserv postfix/smtp[2949]: private/tlsmgr: wanted
attribute: status
Jul  8 20:32:21 miniserv postfix/smtp[2949]: input attribute name: status
Jul  8 20:32:21 miniserv postfix/smtp[2949]: input attribute value: 0
Jul  8 20:32:21 miniserv postfix/smtp[2949]: private/tlsmgr: wanted
attribute: seed
Jul  8 20:32:21 miniserv postfix/smtp[2949]: input attribute name: seed
Jul  8 20:32:21 miniserv postfix/smtp[2949]: input attribute value:
zppl+JDHdZFETR/Usnxz8Xs+6ccWx0OtD+/Kk7BbEA4=
Jul  8 20:32:21 miniserv postfix/smtp[2949]: private/tlsmgr: wanted
attribute: (list terminator)
Jul  8 20:32:21 miniserv postfix/smtp[2949]: input attribute name: (end)
Jul  8 20:32:21 miniserv postfix/smtp[2955]: <
smtp.comcast.net[2001:558:fe21:2a::5]:587: 220 2.0.0 Ready to start
TLS
Jul  8 20:32:21 miniserv postfix/smtp[2955]: send attr request = seed
Jul  8 20:32:21 miniserv postfix/smtp[2955]: send attr size = 32
Jul  8 20:32:21 miniserv postfix/smtp[2955]: private/tlsmgr: wanted
attribute: status
Jul  8 20:32:21 miniserv postfix/smtp[2955]: input attribute name: status
Jul  8 20:32:21 miniserv postfix/smtp[2955]: input attribute value: 0
Jul  8 20:32:21 miniserv 

Re: One more post-rebuild weirdness

2016-03-23 Thread Rick Zeman
On Tue, Mar 22, 2016 at 11:25 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 3/22/2016 10:03 PM, Rick Zeman wrote:
>> Oops, knew I forgot something, Noel.   This is a (soft) bounce for a
>> recipient that does exist on the destination system, but not on the
>> postfix system, as the following telnet shows:
>>
>> Mar 22 22:32:32 miniserv postfix/smtpd[70673]: NOQUEUE: reject: RCPT
>> from pmta1.delivery8.ore.mailhop.org[54.191.158.99]: 450 4.1.1
>> <t...@pointyears.net>: Recipient address rejected: User unknown in local
>> recipient table; from=<rze...@gmail.com> to=<t...@pointyears.net>
>> proto=ESMTP helo=
>> 
>
> You sure mydestination is empty? At any rate,
>
> #main.cf:
> local_recipient_maps =
>
> should take care of this.

It did, thanks, but I'm not sure I understand what had happened.


Re: One more post-rebuild weirdness

2016-03-22 Thread Rick Zeman
Oops, knew I forgot something, Noel.   This is a (soft) bounce for a
recipient that does exist on the destination system, but not on the
postfix system, as the following telnet shows:

Mar 22 22:32:32 miniserv postfix/smtpd[70673]: NOQUEUE: reject: RCPT
from pmta1.delivery8.ore.mailhop.org[54.191.158.99]: 450 4.1.1
<t...@pointyears.net>: Recipient address rejected: User unknown in local
recipient table; from=<rze...@gmail.com> to=<t...@pointyears.net>
proto=ESMTP helo=


$ telnet 192.168.1.5 587
Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.

220 nw6.pointyears.net
ehlo gmail.com
250-nw6.pointyears.net
250-AUTH LOGIN
250-8BITMIME
250-SIZE
250-DSN
250 STARTTLS
mail from:<rze...@gmail.com>
250 Ok
rcpt to:<t...@pointyears.net>
250 Ok
Data
354 Enter mail, end with "." on a line by itself
This will be accepted.
.
250 Ok


This is accepted.

*
This is a successful delivery:

Mar 22 22:55:23 miniserv postfix/smtpd[71355]: connect from
pmta1.delivery7.ore.mailhop.org[54.186.27.61]
Mar 22 22:55:24 miniserv postfix/smtpd[71355]: Anonymous TLS
connection established from
pmta1.delivery7.ore.mailhop.org[54.186.27.61]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Mar 22 22:55:24 miniserv postfix/smtpd[71355]: 8BA43278ED90:
client=pmta1.delivery7.ore.mailhop.org[54.186.27.61]
Mar 22 22:55:24 miniserv postfix/cleanup[71361]: 8BA43278ED90:
message-id=<CAN1dBq075WKYYv7f5U4+wGY+Yby-3Ng=xmgpgx-ni8ereyw...@mail.gmail.com>
Mar 22 22:55:24 miniserv postfix/qmgr[68145]: 8BA43278ED90:
from=<rze...@gmail.com>, size=2582, nrcpt=1 (queue active)
Mar 22 22:55:24 miniserv postfix/smtpd[71355]: disconnect from
pmta1.delivery7.ore.mailhop.org[54.186.27.61]
Mar 22 22:55:25 miniserv postfix/smtpd[71365]: connect from localhost[127.0.0.1]
Mar 22 22:55:25 miniserv postfix/smtpd[71365]: 48C83278ED96:
client=localhost[127.0.0.1]
Mar 22 22:55:25 miniserv postfix/cleanup[71361]: 48C83278ED96:
message-id=<CAN1dBq075WKYYv7f5U4+wGY+Yby-3Ng=xmgpgx-ni8ereyw...@mail.gmail.com>
Mar 22 22:55:25 miniserv postfix/smtpd[71365]: disconnect from
localhost[127.0.0.1]
Mar 22 22:55:25 miniserv postfix/qmgr[68145]: 48C83278ED96:
from=<rze...@gmail.com>, size=3046, nrcpt=1 (queue active)
Mar 22 22:55:25 miniserv postfix/smtp[71362]: 8BA43278ED90:
to=<rze...@pointyears.net>, relay=127.0.0.1[127.0.0.1]:10024,
delay=0.92, delays=0.5/0.09/0/0.33, dsn=2.0.0, status=sent (250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as
48C83278ED96)
Mar 22 22:55:25 miniserv postfix/qmgr[68145]: 8BA43278ED90: removed
Mar 22 22:55:25 miniserv postfix/smtp[71366]: Untrusted TLS connection
established to 192.168.1.5[192.168.1.5]:587: TLSv1 with cipher
AES256-SHA (256/256 bits)
Mar 22 22:55:25 miniserv postfix/smtp[71366]: 48C83278ED96:
to=<rze...@pointyears.net>, relay=192.168.1.5[192.168.1.5]:587,
delay=0.59, delays=0.01/0.03/0.54/0, dsn=2.0.0, status=sent (250 Ok)
Mar 22 22:55:25 miniserv postfix/qmgr[68145]: 48C83278ED96: removed

On Tue, Mar 22, 2016 at 10:17 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 3/22/2016 8:54 PM, Rick Zeman wrote:
>> OS X Postfix system rebuilt as a relay with no local mailboxes, but
>> we're not passing inbound mail to the final destination except for the
>> few people who have local accounts on the postfix server.  Soft bounce
>> is on, luckily (great safety net, Wietse).   I have something that's
>> negating reject_unverified_recipient and I don't see what it is.  Can
>> another set of eyes help?  Thanks!
>>
>
> What do you mean by negating?  Do you have postfix logs (NOT debug
> logs) demonstrating the unexpected behavior?
>
>
>> mydestination =
>
> No local domains. OK.
>
>> mydomain = pointyears.net
>> myhostname = miniserv.pointyears.net
>> mynetworks = 127.0.0.0/8, [::1]/128 , 192.168.1.0/24
>
>> relay_domains = pointyears.net pointyears.org
>
> relay_domains with no relay_recipient_maps, so any user should be
> accepted, subject to later reject_unverified_recipient.
>
>> relayhost = smtp.comcast.net:587
>> smtp_generic_maps = regexp:/Library/Server/Mail/Config/postfix/generic.regexp
>
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
>
> The above is basically a no-op; permit anything.  That's OK, you can
> simplify by removing the line.
>
>> smtpd_recipient_restrictions = permit_sasl_authenticated
>> permit_mynetworks reject_unauth_destination
>> reject_unverified_recipient
>
> This looks reasonable.  Addresses to a domain handled by postfix
> will trigger a recipient probe, unless from mynetworks or SASL AUTH.
>  You testing from inside your network?
>
>
>> soft_bounce = yes
>
> And any reject will be turned into a 4xx defer.
>
>>
>> transport:
>> pointyears.net smtp:[192.168.1.5]:587
>> pointyears.org smtp:[192.168.1.5]:587
>>
>
>
> So what problem are you having?
>
>
>
>
>   -- Noel Jones
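As an added model (not Postfix's code and not from the thread) of the restriction order Noel walks through above, and of soft_bounce turning a 5xx reject into the 4xx form seen in the `450 4.1.1` log line; the `probe` callback stands in for the address-verification probe, and the "handled here" test only looks at mydestination and relay_domains, which is a simplification:

```python
import ipaddress

# Constructed from the relevant keys of the postconf -n output in the thread.
CONFIG = {
    "mynetworks": ["127.0.0.0/8", "::1/128", "192.168.1.0/24"],
    "mydestination": [],                       # empty: no local domains
    "relay_domains": ["pointyears.net", "pointyears.org"],
    "smtpd_recipient_restrictions": [
        "permit_sasl_authenticated",
        "permit_mynetworks",
        "reject_unauth_destination",
        "reject_unverified_recipient",
    ],
    "soft_bounce": True,
}


def in_mynetworks(client_ip, networks):
    """True when the client address falls inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def reject(cfg, code, dsn):
    """soft_bounce = yes turns every 5xx reject into a 4xx temporary failure."""
    if cfg["soft_bounce"] and code >= 500:
        code -= 100
        dsn = "4" + dsn[1:]
    return ("REJECT", code, dsn)


def evaluate_recipient(cfg, client_ip, sasl_authenticated, recipient, probe):
    """Walk smtpd_recipient_restrictions in order; the first PERMIT or REJECT decides.

    probe(recipient) -> bool stands in for the verification probe that
    reject_unverified_recipient sends through the domain's transport.
    """
    domain = recipient.rpartition("@")[2].lower()
    handled_here = domain in cfg["mydestination"] or domain in cfg["relay_domains"]
    for restriction in cfg["smtpd_recipient_restrictions"]:
        if restriction == "permit_sasl_authenticated" and sasl_authenticated:
            return ("PERMIT", None, None)
        if restriction == "permit_mynetworks" and in_mynetworks(client_ip, cfg["mynetworks"]):
            return ("PERMIT", None, None)
        if restriction == "reject_unauth_destination" and not handled_here:
            return reject(cfg, 554, "5.7.1")     # relay_domains_reject_code default
        if restriction == "reject_unverified_recipient" and not probe(recipient):
            return reject(cfg, 450, "4.1.1")     # unverified_recipient_reject_code default
    return ("PERMIT", None, None)                # implicit permit at the end of the list


if __name__ == "__main__":
    external = "54.186.27.61"                    # the mailhop relay from the log
    print(evaluate_recipient(CONFIG, external, False, "someone@pointyears.net", lambda a: False))
    print(evaluate_recipient(CONFIG, "192.168.1.20", False, "someone@pointyears.net", lambda a: False))
    print(evaluate_recipient(CONFIG, external, False, "someone@example.org", lambda a: True))
```

The second call shows Noel's point: a client inside mynetworks is permitted before the verification probe is ever reached, so testing from inside the LAN cannot exercise reject_unverified_recipient.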


One more post-rebuild weirdness

2016-03-22 Thread Rick Zeman
OS X Postfix system rebuilt as a relay with no local mailboxes, but
we're not passing inbound mail to the final destination except for the
few people who have local accounts on the postfix server.  Soft bounce
is on, luckily (great safety net, Wietse).   I have something that's
negating reject_unverified_recipient and I don't see what it is.  Can
another set of eyes help?  Thanks!

biff = no
command_directory = /Applications/Server.app/Contents/ServerRoot/usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory =
/Applications/Server.app/Contents/ServerRoot/usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
header_checks =
html_directory =
/Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
local_transport = error:local mail delivery is disabled
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /Applications/Server.app/Contents/ServerRoot/usr/bin/mailq
manpage_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/man
message_size_limit = 20485760
mydestination =
mydomain = pointyears.net
myhostname = miniserv.pointyears.net
mynetworks = 127.0.0.0/8, [::1]/128 , 192.168.1.0/24
newaliases_path =
/Applications/Server.app/Contents/ServerRoot/usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory =
/Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix
recipient_delimiter = -
relay_domains = pointyears.net pointyears.org
relayhost = smtp.comcast.net:587
sample_directory =
/Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/examples
sendmail_path = /Applications/Server.app/Contents/ServerRoot/usr/sbin/sendmail
setgid_group = _postdrop
smtp_generic_maps = regexp:/Library/Server/Mail/Config/postfix/generic.regexp
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtp_tls_cert_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtp_tls_key_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated
permit_mynetworks reject_unauth_destination
reject_unverified_recipient
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtpd_tls_cert_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL, EXPORT
smtpd_tls_key_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/Library/Server/Mail/Config/postfix/transport
virtual_alias_domains = $virtual_alias_maps
hash:/Library/Server/Mail/Config/postfix/virtual_domains
virtual_alias_maps = $virtual_maps
hash:/Library/Server/Mail/Config/postfix/virtual_users

transport:
pointyears.net smtp:[192.168.1.5]:587
pointyears.org smtp:[192.168.1.5]:587


TLS question on OS X

2016-03-20 Thread Rick Zeman
Howdy,

Upgrading Apple server to Apple's postfix 2.11.0 and seeing this in the logs:

Mar 20 12:12:53 miniserv postfix/smtpd[43174]: warning: TLS library
problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_srvr.c:602:

TLS seems to work otherwise.  Thoughts?  Thanks.

$ postconf -n
biff = no
command_directory = /Applications/Server.app/Contents/ServerRoot/usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory =
/Applications/Server.app/Contents/ServerRoot/usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
html_directory =
/Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /Applications/Server.app/Contents/ServerRoot/usr/bin/mailq
manpage_directory = /Applications/Server.app/Contents/ServerRoot/usr/share/man
message_size_limit = 20485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = pointyears.net
myhostname = miniserv.pointyears.net
mynetworks = 127.0.0.0/8, [::1]/128 , 192.168.1.024
newaliases_path =
/Applications/Server.app/Contents/ServerRoot/usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory =
/Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix
recipient_delimiter = -
relayhost = smtp.comcast.net
sample_directory =
/Applications/Server.app/Contents/ServerRoot/usr/share/doc/postfix/examples
sendmail_path = /Applications/Server.app/Contents/ServerRoot/usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_tls_CAfile =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtp_tls_cert_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtp_tls_key_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.chain.pem
smtpd_tls_cert_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL, EXPORT
smtpd_tls_key_file =
/etc/certificates/miniserv.pointyears.net.B7E7A056237425F3ECE71E44A5CB862B07003F3D.key.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
virtual_alias_domains = $virtual_alias_maps
hash:/Library/Server/Mail/Config/postfix/virtual_domains
virtual_alias_maps = $virtual_maps
hash:/Library/Server/Mail/Config/postfix/virtual_users


Re: Why is postfix talking to aspmx.google spamexperts?

2014-09-15 Thread Rick Zeman
On Mon, Sep 15, 2014 at 5:42 PM, Marius Gologan
marius.golo...@gmail.com wrote:
> Extract the queue-ids from the logs and hold those messages for later
> delivery:
> postsuper -h queue-id (or postsuper -h ALL to hold everything in the queue)
> to un-hold:
> postqueue -H queue-id (or postsuper -H ALL to un-hold everything in HOLD)

Or postsuper -d ALL to delete the contents of the queue IF you're sure
there are no good messages queued.


Re: Request help with SASL issue and postfix

2014-08-16 Thread Rick Zeman
On Sat, Aug 16, 2014 at 5:18 PM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:
[...]

 inet_protocols = all

 Set this to ipv4, you don't have ipv6 connectivity.

I wouldn't be so hasty, Viktor.   It looks like he is routing IPv6, as
does Comcast (I know that from personal experience):

Aug 16 13:38:13 RichCookHomeMac postfix/smtp[48905]: connect to
smtp.comcast.net[2001:558:fe2d:70::30]:25: No route to host
Aug 16 13:38:43 RichCookHomeMac postfix/smtp[48905]: connect to
smtp.comcast.net[76.96.40.155]:25: Operation timed out

Wrong port, but he's getting the  lookup for smtp.comcast.net, and
then postfix is falling back to ipv4.  Shockingly, in most of the
country, Comcast will give a /64 to anyone who wants it.

% host -t mx smtp.comcast.net
smtp.comcast.net is an alias for smtp.g.comcast.net.
% host smtp.g.comcast.net
smtp.g.comcast.net has address 68.87.26.155
smtp.g.comcast.net has IPv6 address 2001:558:fe14:70::30


/etc/postfix dependency?

2014-06-03 Thread Rick Zeman
Wietse:
Begin quote from Postfix sendmail manpage
   -C config_file

   -C config_dir
  The path name of the Postfix main.cf  file,  or  of  its  parent
  directory.  This  information  is  ignored with Postfix versions
  before 2.3.

  With all Postfix versions, you can specify a directory  pathname
  with  the MAIL_CONFIG environment variable to override the loca-
  tion of configuration files.
End quote from Postfix sendmail manpage

**
I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac
Mavericks server.  One thing that made setup much harder than it
needed to be for me is that Apple puts their postfix config files in a
different location than the standard /etc/postfix, but yet the
postfix helper apps in /usr/sbin (postmap, postconf, etc) default to
looking in /etc/postfix for the config files unless overridden by the
-c flag.  I'd get misdirected by editing the Apple config
files, running the commands without the -c and then find out that my
changes didn't take effect, etc.

Sooo, is this expected behavior that those always default to
/etc/postfix unless told otherwise?  Is there a way to override that
behavior short of moving the working config files to /etc/postfix and
changing the config_directory which I'm loathe to do since Apple's
next upgrade might break a non-standard install?  Is it a compile-time
option that Apple didn't do? Something else?  I realize that they have
to default to looking somewhere for the config files, and it makes
sense to default to the widest audience, but

Thanks.

$ pwd
/Library/Server/Mail/Config/postfix

$ postconf config_directory
config_directory = /etc/hiWietse

$ postconf -c /Library/Server/Mail/Config/postfix config_directory
config_directory = /Library/Server/Mail/Config/postfix

$ postconf -n | wc -l
  63

$ postconf -c /Library/Server/Mail/Config/postfix -n | wc -l
  65


Re: /etc/postfix dependency?

2014-06-03 Thread Rick Zeman
On Tue, Jun 3, 2014 at 11:18 AM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:
 On Tue, Jun 03, 2014 at 10:31:34AM -0500, Rick Zeman wrote:

 I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac
 Mavericks server.  One thing that made setup much harder than it
 needed to be for me is that Apple puts their postfix config files in a
 different location than the standard /etc/postfix, but yet the
 postfix helper apps in /usr/sbin (postmap, postconf, etc) default to
 looking in /etc/postfix for the config files unless overridden by the
 -c flag.

 This is a vendor issue.  They need to make up their mind.

That is what I suspected.  Wonder if anyone from Apple reads this list?


 So, is this expected behavior that those always default to
 /etc/postfix unless told otherwise?

 The default configuration direction is set at compile time.  Apple
 can set this to any directory of their choice.  Are you sure there
 isn't a second copy of the various binaries in an Apple-specific
 directory?

 The MAIL_CONFIG environment variable overrides the compiled in default.

THAT is the answer I needed.   Thanks.


 $ postconf config_directory
 config_directory = /etc/hiWietse

 That's not right.  Don't manually override config_directory in
 main.cf.

Of course that's not right.  I changed the unused main.cf's value for
illustrative purposes; otherwise it would have looked just like the
used version.


Re: /etc/postfix dependency?

2014-06-03 Thread Rick Zeman
On Tue, Jun 3, 2014 at 12:04 PM, Wietse Venema wie...@porcupine.org wrote:
 Rick Zeman:
 I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac
 Mavericks server.  One thing that made setup much harder than it
 needed to be for me is that Apple puts their postfix config files in a
 different location than the standard /etc/postfix, but yet the
 postfix helper apps in /usr/sbin (postmap, postconf, etc) default to
 looking in /etc/postfix for the config files unless overridden by the
 -c flag.

 I suspect that you have programs from different Postfix builds
 on the same machine.

 Postfix would never work when some Postfix programs have a different
 built-in config_directory than other Postfix programs.

Hi Wietse,

That could well be (is there a way to verify with strings or
somesuch?), but it's working and working well.  But, as Viktor pointed
it, it's (still) a vendor problem because Apple would have supplied
any and all builds and configurations since this was a brand-new
machine.  One way or another it's on them; either through the stock
install, or via the Server add-on.


Re: TLS issues (postfix says: UNTRUSTED but it is not)

2014-05-13 Thread Rick Zeman
On Tue, May 13, 2014 at 9:31 AM, Viktor Dukhovni
postfix-us...@dukhovni.org wrote:

 The logging is misleading, it should say Anonymous rather than
 untrusted.  This is fixed in 2.11.1 and 2.12 snapshots.

I'm glad of that.  That confused the heck out of me, too.


Re: postfix setup: machine with live ip forwarding traffic to home machine

2014-05-05 Thread Rick Zeman
On Mon, May 5, 2014 at 3:36 AM, hiren panchasara
hiren.panchas...@gmail.com wrote:

 This is how it should work, afaik:
 Sending: Initiates from my home box and go out via VM.
 Receiving: VM receives it and forwards to home box.

 (I've also tried sending through my home machine on port 587 but the
 home comcast IP is blacklisted)

There's really no good reason to not send via Comcast's authenticated
relay unless you need the ability to pore through logs to be assured
of delivery.  That way, Comcast won't notice you sending to a
non-Comcast destination and you won't get busted for running an
illegal MTA.

Adding to what Wietse says about the Primary MX having to do all of
the checks, I use Dyn's email gateway for home.  They hold the MX,
they do the spam filtering/white or blacklisting, and since they use
Postfix, the address verification works just fine so I don't
backscatter at all.

Fly under the radar, dude.  That's the best advice for home.  If you
want a lab, rent some cloud space.


Heartbleed via smtpd?

2014-04-12 Thread Rick Zeman
I'm guessing since I've received a bunch of these over the past few
days that these are Heartbleed scrape attempts, especially since these
IPs belong to our friends in the former Soviet Union.  Agreed?  (It's
an Apple server so it uses its own goto fail TLS library, and only
has an older version of openssl (0.9.8y) on it so I'm safe--from this,
at least.)

Apr 11 22:10:13 miniserv.private postfix/smtpd[90051]: connect from
unknown[37.45.1.153]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90054]: connect from
unknown[93.157.46.40]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: warning:
unknown[37.45.1.153]: SASL LOGIN authentication failed
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: lost connection
after AUTH from unknown[37.45.1.153]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: disconnect from
unknown[37.45.1.153]
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: SSL_accept
error from unknown[93.157.46.40]: 0
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: warning: TLS
library problem: 90054:error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL
alert number 46:
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: lost connection
after STARTTLS from unknown[93.157.46.40]
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: disconnect from
unknown[93.157.46.40]
Apr 11 22:10:16 miniserv.private postfix/smtpd[90056]: warning: TLS
library problem: 90056:error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL
alert number 46:
Apr 11 22:10:17 miniserv.private postfix/smtpd[90051]: connect from
unknown[93.153.183.18]
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: SSL_accept
error from unknown[93.153.183.18]: 0
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: warning: TLS
library problem: 90051:error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL
alert number 46:
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: lost connection
after STARTTLS from unknown[93.153.183.18]
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: disconnect from
unknown[93.153.183.18]
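For triaging a burst of log lines like the ones above, the awkward detail is that the "warning: TLS library problem" lines carry only the smtpd process id, not the client address, so they have to be attributed to the client through the preceding "connect from" line for that pid. The following script is an added example, not code from this thread; it parses a constructed sample built from the excerpt above (plus one benign connection from a made-up host, mail.example.net[192.0.2.10]) and tallies SASL failures, failed TLS handshakes and TLS library warnings per client IP.

```python
"""Triage Postfix smtpd log lines: SASL failures and TLS handshake
problems per client IP.  Added example; not code from the list thread.
Lines without a client address (the "TLS library problem" warnings) are
attributed via the smtpd pid that logged them."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines from the post (wrapped lines rejoined) plus one
# well-behaved connection from a fictitious host.  The 90056 warning has no
# preceding "connect from" in the excerpt, which the parser must tolerate.
SAMPLE_LOG = """\
Apr 11 22:10:13 miniserv.private postfix/smtpd[90051]: connect from unknown[37.45.1.153]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90054]: connect from unknown[93.157.46.40]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: warning: unknown[37.45.1.153]: SASL LOGIN authentication failed
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: lost connection after AUTH from unknown[37.45.1.153]
Apr 11 22:10:14 miniserv.private postfix/smtpd[90051]: disconnect from unknown[37.45.1.153]
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: SSL_accept error from unknown[93.157.46.40]: 0
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: warning: TLS library problem: 90054:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: lost connection after STARTTLS from unknown[93.157.46.40]
Apr 11 22:10:15 miniserv.private postfix/smtpd[90054]: disconnect from unknown[93.157.46.40]
Apr 11 22:10:16 miniserv.private postfix/smtpd[90056]: warning: TLS library problem: 90056:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:17 miniserv.private postfix/smtpd[90051]: connect from unknown[93.153.183.18]
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: SSL_accept error from unknown[93.153.183.18]: 0
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: warning: TLS library problem: 90051:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1106:SSL alert number 46:
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: lost connection after STARTTLS from unknown[93.153.183.18]
Apr 11 22:10:18 miniserv.private postfix/smtpd[90051]: disconnect from unknown[93.153.183.18]
Apr 11 22:10:20 miniserv.private postfix/smtpd[90060]: connect from mail.example.net[192.0.2.10]
Apr 11 22:10:21 miniserv.private postfix/smtpd[90060]: disconnect from mail.example.net[192.0.2.10]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = r"(?P<name>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
CONNECT_RE = re.compile(r"^connect from " + CLIENT)
DISCONNECT_RE = re.compile(r"^disconnect from " + CLIENT)
SASL_FAIL_RE = re.compile(r"^warning: " + CLIENT + r": SASL (?P<mech>\S+) authentication failed")
SSL_ACCEPT_RE = re.compile(r"^SSL_accept error from " + CLIENT)
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from " + CLIENT)
TLS_LIB_PREFIX = "warning: TLS library problem:"


@dataclass
class ClientStats:
    connects: int = 0
    sasl_failures: int = 0
    tls_handshake_failures: int = 0
    tls_library_warnings: int = 0
    lost_after: list = field(default_factory=list)  # SMTP stages at which the client hung up


def triage(log_text):
    """Return {client_ip: ClientStats}.  Warnings that name no client are
    charged to the IP the logging pid last accepted a connection from, or to
    the key "unattributed" when that connect line is not in the input."""
    stats = defaultdict(ClientStats)
    current = {}  # smtpd pid -> client IP of the session it is serving
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (c := CONNECT_RE.match(msg)):
            current[pid] = c.group("ip")
            stats[c.group("ip")].connects += 1
        elif msg.startswith(TLS_LIB_PREFIX):
            stats[current.get(pid, "unattributed")].tls_library_warnings += 1
        elif (c := SASL_FAIL_RE.match(msg)):
            stats[c.group("ip")].sasl_failures += 1
        elif (c := SSL_ACCEPT_RE.match(msg)):
            stats[c.group("ip")].tls_handshake_failures += 1
        elif (c := LOST_RE.match(msg)):
            stats[c.group("ip")].lost_after.append(c.group("stage"))
        elif (c := DISCONNECT_RE.match(msg)):
            current.pop(pid, None)  # pid is free to serve another client
    return dict(stats)


def suspicious(stats):
    """IPs that failed SASL authentication or broke the TLS handshake."""
    return sorted(ip for ip, s in stats.items()
                  if s.sasl_failures or s.tls_handshake_failures)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in suspicious(result):
        print(ip, result[ip])
```

The per-pid attribution is what lets the 14094416 warnings be tied to 93.157.46.40 and 93.153.183.18 while the orphaned 90056 line is kept separate rather than silently charged to the wrong client.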


Re: value of zero not documented for message_size_limit

2014-04-11 Thread Rick Zeman
On Fri, Apr 11, 2014 at 7:14 AM, Wietse Venema wie...@porcupine.org wrote:
 Markus Schönhaber:
 Hi,

 while the documentation for mailbox_size_limit
 http://www.postfix.org/postconf.5.html#mailbox_size_limit
 explicitly states [...] or zero (no limit)., the doc for
 message_size_limit
 http://www.postfix.org/postconf.5.html#message_size_limit
 doesn't mention that it's possible to turn off the limit by setting this
 parameter to zero. Shouldn't that be documented for message_size_limit too?

 The documentation specifies supported behavior.  Setting the limit
 to zero is a really really really bad idea.  A non-zero message
 size limit is the last defense against total mayhem.

Tell that to Apple whose default config sets that value to 0.


IPv6 to IPv4 fallback

2014-04-06 Thread Rick Zeman
Howdy,

I now have IPv6 routing working along with inet_protocols = all in
my main.cf (Postfix 2.9.4).  I've noticed that using my outbound relay
(which is load balanced across many machines) will connect with either
protocol with no discernible pattern even to the same destination.

Going by the below from the documentation:

The address type (ipv6, ipv4 or any) that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4 addresses
with equal MX preference. This feature has no effect unless the
inet_protocols setting enables both IPv4 and IPv6. With Postfix 2.8
the default is ipv6.

What would dictate the smtp client's fallback (for lack of a better
word) to ipv4 assuming the same destination supports both protocols
(confirmed with telnet when I round-robined back to the same smtp
server)?

Thanks!


(these examples could have been to same destination machine or different)

Apr  6 13:49:53 miniserv.private postfix/smtp[6208]: Untrusted TLS
connection established to smtp.comcast.net[2001:558:fe2d:70::30]:587:
TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr  6 13:49:54 miniserv.private postfix/smtp[6208]: 905CA3553DE:
to=f...@example.com,
relay=smtp.comcast.net[2001:558:fe2d:70::30]:587, delay=1.9,
delays=0/0.01/1.3/0.59, dsn=2.0.0, status=sent (250 2.0.0
mhpz1n00E46N1nS8jhq0d6 mail accepted for delivery)
Apr  6 13:49:54 miniserv.private postfix/qmgr[101]: 905CA3553DE: removed

(snip)

Apr  6 13:53:41 miniserv.private postfix/smtp[6560]: Untrusted TLS
connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1
with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr  6 13:53:43 miniserv.private postfix/smtp[6560]: C46013554A8:
to=b...@example.com, relay=smtp.comcast.net[76.96.40.155]:587,
delay=2.5, delays=0/0.01/1.6/0.91, dsn=2.0.0, status=sent (250 2.0.0
mhto1n0061Cv1Ze8ahtpip mail accepted for delivery)
Apr  6 13:53:43 miniserv.private postfix/qmgr[101]: C46013554A8: removed


Re: Using transport only if local user exists

2014-03-16 Thread Rick Zeman
On Sat, Mar 15, 2014 at 11:34 PM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 3/15/2014 5:08 PM, Rick Zeman wrote:
 I've started working on my bastard Mac postfix relay.  For delivery to
 the local domain, it will only relay to the internal mail server
 defined in transport if the user exists locally on the postfix

 When relaying to an inside server, the domain should be specified in
 relay_domains, not mydestination.

 Valid recipients should be listed in relay_recipient_maps.

 You can override the users to be delivered locally by using a
 transport_maps entry pointing those users to the local: delivery
 transport.

 http://www.postfix.org/ADDRESS_CLASS_README.html
 http://www.postfix.org/BASIC_CONFIGURATION_README.html
 http://www.postfix.org/STANDARD_CONFIGURATION_README.html


 And turn off the debug logging -- it's rarely useful for any but the
 most obscure errors, and the big errors get lost in the noise.


Oy.  Got it, thanks.  One last question.  I have recipient_delimiters
= - and also reject_unverified_recipient in the smtpd recipient
restrictions.  It looks like postfix (on my system, at least) does the
smtp probe to the destination before the re-write of user-foo@ to
user@ so it's effectively useless.  Are they mutually exclusive, or is
there a way to force the rewrite to happen before the probe?  I didn't
see anything under either common in the docs that addressed this
scenario.


Re: Using transport only if local user exists

2014-03-16 Thread Rick Zeman
On Sun, Mar 16, 2014 at 9:43 AM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 3/16/2014 8:31 AM, Rick Zeman wrote:
 On Sat, Mar 15, 2014 at 11:34 PM, Noel Jones njo...@megan.vbhcs.org wrote:
 On 3/15/2014 5:08 PM, Rick Zeman wrote:
 I've started working on my bastard Mac postfix relay.  For delivery to
 the local domain, it will only relay to the internal mail server
 defined in transport if the user exists locally on the postfix

 When relaying to an inside server, the domain should be specified in
 relay_domains, not mydestination.

 Valid recipients should be listed in relay_recipient_maps.

 You can override the users to be delivered locally by using a
 transport_maps entry pointing those users to the local: delivery
 transport.

 http://www.postfix.org/ADDRESS_CLASS_README.html
 http://www.postfix.org/BASIC_CONFIGURATION_README.html
 http://www.postfix.org/STANDARD_CONFIGURATION_README.html


 And turn off the debug logging -- it's rarely useful for any but the
 most obscure errors, and the big errors get lost in the noise.


 Oy.  Got it, thanks.  One last question.  I have recipient_delimiters
 = - and also reject_unverified_recipient in the smtpd recipient
 restrictions.  It looks like postfix (on my system, at least) does the
 smtp probe to the destination before the re-write of user-foo@ to
 user@ so it's effectively useless.  Are they mutually exclusive, or is
 there a way to force the rewrite to happen before the probe?  I didn't
 see anything under either common in the docs that addressed this
 scenario.


 Postfix does not rewrite user-...@example.com to u...@example.com.
 Rather, postfix will use fake lookups of u...@example.com for
 select table lookups as documented elsewhere, and carefully preserve
 the -foo extension during delivery.

 Recipient address verification probes are always sent using the
 exact address as supplied by the client.  If the remote system
 doesn't accept user-foo@ as a valid address then the probe will
 fail, as it should.

 If you need to strip the address extension, you could use
 smtp_generic_maps to remove the extension during delivery.

The reading that I just did (generic, canonical) suggests that using a
canonical table so cleanup(8) will rewrite the address before the
inbound mail is queued vs generic_maps which would rewrite after it's
queued.  Is that the only fundamental difference?  In reading both doc
pages, however, I really didn't see any examples that would remap
user-...@example.com to u...@example.com.  Nor could I find a good
example by googling.
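Noel's point about "fake lookups" and the canonical-table question can be made concrete by modelling the two mechanisms side by side. The script below is an added example, not Postfix code: it reproduces the lookup order that canonical(5) and virtual(5) document for an address carrying a recipient_delimiter extension (user+foo@domain, user@domain, user+foo, user, @domain, where the bare-user forms apply only to domains Postfix treats as its own), and it evaluates a regexp_table(5)-style entry that maps user-foo@example.com to user@example.com with the `-` delimiter from the post. The table contents, the domain example.com and the inside-server address are constructed for the illustration. Note that, as stated above, a reject_unverified_recipient probe still carries the original address; the rewrite shown here is what cleanup(8) would apply to the queued message.

```python
"""Postfix-style table lookups for addresses with a recipient_delimiter
extension, and a regexp table entry that strips the extension.
Added example; not Postfix code.  Lookup order follows canonical(5)."""
import re


def split_address(addr, delimiter):
    """Return (user, extension, domain); extension is '' when absent.
    Only the first delimiter splits, so 'a-b-c' gives user 'a', ext 'b-c'."""
    local, sep, domain = addr.rpartition("@")
    if not sep:                      # no '@' at all: bare local part
        local, domain = addr, ""
    if not delimiter or delimiter not in local:
        return local, "", domain
    user, _, ext = local.partition(delimiter)
    return user, ext, domain


def lookup_keys(addr, delimiter, local_domains=None):
    """Keys tried, in order, for an indexed (hash:) canonical/virtual table.
    The domain-less forms 'user+foo' and 'user' are only consulted when the
    domain is one Postfix considers local ($myorigin, $mydestination, ...);
    local_domains stands in for that set here."""
    local_domains = local_domains or set()
    user, ext, domain = split_address(addr, delimiter)
    local = user + (delimiter + ext if ext else "")
    keys = [f"{local}@{domain}"]
    if ext:
        keys.append(f"{user}@{domain}")   # the "fake lookup" without extension
    if domain in local_domains:
        keys.append(local)
        if ext:
            keys.append(user)
    keys.append(f"@{domain}")
    return keys


def hash_lookup(table, addr, delimiter, local_domains=None):
    """First matching key wins; the extension itself is preserved by Postfix
    for delivery, the lookup merely ignores it."""
    for key in lookup_keys(addr, delimiter, local_domains):
        if key in table:
            return table[key]
    return None


# A regexp_table(5)-style canonical entry.  On disk it would read:
#   /^([^@-]+)-[^@]+@(example\.com)$/   $1@$2
# Postfix regexp tables match case-insensitively by default, so the example
# compiles with re.IGNORECASE.  Constructed for illustration.
REGEXP_TABLE = [
    (r"^([^@-]+)-[^@]+@(example\.com)$", "$1@$2"),
]


def regexp_lookup(table, addr):
    """Evaluate a regexp table: first pattern that matches yields its result,
    with $1, $2 ... replaced by the captured groups."""
    for pattern, result in table:
        m = re.match(pattern, addr, re.IGNORECASE)
        if m:
            # translate Postfix's $N references into Python's \N syntax
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", result))
    return None


if __name__ == "__main__":
    # Constructed sample table for an inside server (not from the post).
    table = {"user@example.com": "user@inside.example.net"}
    print(lookup_keys("user-foo@example.com", "-", {"example.com"}))
    print(hash_lookup(table, "user-foo@example.com", "-", {"example.com"}))
    print(regexp_lookup(REGEXP_TABLE, "user-foo@example.com"))
```

The hash_lookup call succeeds on the second key, which is exactly the behaviour Noel describes: the table never needs a user-foo entry because the extension-less form is tried anyway. The regexp entry is the piece the post was looking for; it only fires when an extension is present, so plain user@example.com passes through untouched.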


Using transport only if local user exists

2014-03-15 Thread Rick Zeman
I've started working on my bastard Mac postfix relay.  For delivery to
the local domain, it will only relay to the internal mail server
defined in transport if the user exists locally on the postfix
box...and I can't figure out why (luckily, the 450 safety net is
there!).  I could see how it would deliver locally OR relay, but not a
conditional as it is.  I would imagine this is also why recipient
delimiters aren't being acknowledged, and the smtp recipient probe for
reject_unverified_recipient.
Below is a snippet from the mail logs, followed by postconf -n
(specifying the working directory since postconf defaults to
/etc/postfix on Mavericks server even though that's not where Apple's
implementation puts its config files), and transport.

Any thoughts?  Thanks.

Logging:
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:  START
Recipient address RESTRICTIONS 
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=permit_sasl_authenticated
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=permit_sasl_authenticated status=0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=permit_mynetworks
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
permit_mynetworks: mxout-044-pao.mailhop.org 216.146.32.44
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostname:
mxout-044-pao.mailhop.org ~? 127.0.0.0/8
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostaddr:
216.146.32.44 ~? 127.0.0.0/8
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostname:
mxout-044-pao.mailhop.org ~? [::1]/128
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostaddr:
216.146.32.44 ~? [::1]/128
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostname:
mxout-044-pao.mailhop.org ~? 192.168.1.0/24
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: match_hostaddr:
216.146.32.44 ~? 192.168.1.0/24
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
match_list_match: mxout-044-pao.mailhop.org: no match
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
match_list_match: 216.146.32.44: no match
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=permit_mynetworks status=0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=reject_unauth_destination
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
reject_unauth_destination: dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
permit_auth_destination: dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: ctable_locate:
leave existing entry key dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=reject_unauth_destination status=0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=reject_unknown_recipient_domain
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
reject_unknown_address: dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: ctable_locate:
leave existing entry key dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=reject_unknown_recipient_domain status=0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=reject_unverified_recipient
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:
reject_unverified_address: dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: connect to
subsystem private/verify
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: send attr request = query
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: send attr
address = dom...@pointyears.net
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify
socket: wanted attribute: status
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute
name: status
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute value: 0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify
socket: wanted attribute: recipient_status
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute
name: recipient_status
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute value: 0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify
socket: wanted attribute: reason
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute
name: reason
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute
value: 250 Ok
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: private/verify
socket: wanted attribute: (list terminator)
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: input attribute
name: (end)
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]: generic_checks:
name=reject_unverified_recipient status=0
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:  END
Recipient address RESTRICTIONS 
Mar 15 17:50:36 miniserv.private postfix/smtpd[36549]:  CHECKING

Re: Mac Postfix gateway local delivering.

2014-03-02 Thread Rick Zeman
I
On Sat, Mar 1, 2014 at 8:46 PM, Wietse Venema wie...@porcupine.org wrote:

 
 What is in this file?



 I've got delivery to the relay host working, and delivery to the local
 mail destination; however it only works from the server's command line
 Connections for mail coming outside of $mynetwork just seem to be dropped
 (debug level 2 below) wanting the sender to starttls even though I've
 commented out the  smtpd_use_tls = yes out (postconf -n at the bottom),
 added smtpd_enforce_tls = no, and restarted postfix.  Any thoughts?


 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: connect from
 mxout-032-pao.mailhop.org[216.146.32.32]
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: smtp_stream_setup:
 maxtime=300 enable_deadline=0
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostname:
 mxout-032-pao.mailhop.org ~? 127.0.0.0/8
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostaddr:
 216.146.32.32 ~? 127.0.0.0/8
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostname:
 mxout-032-pao.mailhop.org ~? [::1]/128
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostaddr:
 216.146.32.32 ~? [::1]/128
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostname:
 mxout-032-pao.mailhop.org ~? 192.168.1.0/24
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_hostaddr:
 216.146.32.32 ~? 192.168.1.0/24
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match:
 mxout-032-pao.mailhop.org: no match
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match:
 216.146.32.32: no match
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: auto_clnt_open:
 connected to private/anvil
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: send attr request =
 connect
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: send attr ident =
 submission:216.146.32.32
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil:
 wanted attribute: status
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 name: status
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 value: 0
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil:
 wanted attribute: count
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 name: count
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 value: 1
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil:
 wanted attribute: rate
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 name: rate
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 value: 1
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: private/anvil:
 wanted attribute: (list terminator)
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: input attribute
 name: (end)
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 220 pointyears.net ESMTP
 Postfix (2.9.4)
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: watchdog_pat:
 0x7ff759f00800
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: EHLO mail-11-pao.dyndns.com
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match:
 mxout-032-pao.mailhop.org: no match
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: match_list_match:
 216.146.32.32: no match
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-pointyears.net
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-PIPELINING
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-SIZE 20485760
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-VRFY
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-ETRN
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-STARTTLS
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-ENHANCEDSTATUSCODES
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-8BITMIME
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-DSN
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250-BINARYMIME
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: 250 CHUNKING
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: watchdog_pat:
 0x7ff759f00800
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 mxout-032-pao.mailhop.org[216.146.32.32]: MAIL FROM:rze...@outlook.com
 SIZE=10263
 Mar  2 15:04:03 miniserv.private postfix/smtpd[35096]: 
 

Re: Mac Postfix gateway local delivering.

2014-03-02 Thread Rick Zeman
On Sun, Mar 2, 2014 at 4:38 PM, Wietse Venema wie...@porcupine.org wrote:

 Wietse:
   mydestination =
   local_transport = error:local mail delivery is disabled
 
  Nevertheless, you have some mail going to the local delivery agent.
 
   transport_maps = hash:/etc/postfix/transport
 
  What is in this file?

 Rick Zeman:
  pointyears.net smtp:[192.168.1.5]:587

 Based on the configuration details that you have given in earlier
 .email, Postfix cannot invoke the local delivery agent.  Therefore,
 what you have shown is not the configuration that Postfix uses.

Yes, thanks.  Apple has postfix config files in both /etc/postfix and
in /Library/Server/Mail/Config/postfix.  As a person who'd only used
postfix on linux I was editing the former while the system was using
the latter.  Now, I've graduated to bigger and better problems (the
TLS expected when it looked like it shouldn't be as I posted in my
next message in this saga).


Mac Postfix gateway local delivering.

2014-03-01 Thread Rick Zeman
Howdy, I'm trying to set up a Mac version of postfix (2.9.4) as a mail
gateway.  It's been many years since I've set up a postfix instance, and
being extremely rusty I've gotten myself stuck.  I've got things working so
that mail destined for outside the domain gets delivered to the relay host
on an alternate port using SASL, so that's all working well.
However, mail destined for the local domain isn't being relayed to
the mail server (at least using mail from the command line), it's
apparently being handled by dovecot even though I commented out the dovecot
section of the master.cf and restarted postfix:

Mar  1 18:58:58 miniserv.private postfix/pickup[16740]: 3AC89A009B: uid=501
from=rzeman
Mar  1 18:58:58 miniserv.private postfix/cleanup[16758]: 3AC89A009B:
message-id=20140301235858.3ac89a0...@pointyears.net
Mar  1 18:58:58 miniserv.private postfix/qmgr[16741]: 3AC89A009B: from=
rze...@pointyears.net, size=295, nrcpt=1 (queue active)
Mar  1 18:58:58 miniserv.private postfix/smtpd[16786]: 4D42BA00A2:
client=localhost[127.0.0.1]
Mar  1 18:58:58 miniserv.private postfix/cleanup[16758]: 4D42BA00A2:
message-id=20140301235858.3ac89a0...@pointyears.net
Mar  1 18:58:58 miniserv.private postfix/smtpd[16786]: disconnect from
localhost[127.0.0.1]
Mar  1 18:58:58 miniserv.private postfix/qmgr[16741]: 4D42BA00A2: from=
rze...@pointyears.net, size=728, nrcpt=1 (queue active)
Mar  1 18:58:58 miniserv.private postfix/smtp[16760]: 3AC89A009B: to=
r...@pointyears.net, relay=127.0.0.1[127.0.0.1]:10024, delay=0.08,
delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D42BA00A2)
Mar  1 18:58:58 miniserv.private postfix/qmgr[16741]: 3AC89A009B: removed
Mar  1 18:58:58 miniserv.private postfix/local[17006]: error:
od[getpwnam_ext]: no record for user rick
Mar  1 18:58:58 miniserv.private postfix/pipe[17007]: 4D42BA00A2: to=
r...@pointyears.net, relay=dovecot, delay=0.1, delays=0/0.01/0/0.09,
dsn=5.1.1, status=bounced (user unknown)
Mar  1 18:58:58 miniserv.private postfix/cleanup[16758]: 659D6A00A7:
message-id=20140301235858.659d6a0...@pointyears.net
Mar  1 18:58:58 miniserv.private postfix/qmgr[16741]: 659D6A00A7: from=,
size=2529, nrcpt=1 (queue active)
Mar  1 18:58:58 miniserv.private postfix/bounce[17016]: 4D42BA00A2: sender
non-delivery notification: 659D6A00A7
Mar  1 18:58:58 miniserv.private postfix/qmgr[16741]: 4D42BA00A2: removed
Mar  1 18:58:58 miniserv.private postfix/pipe[17007]: 659D6A00A7: to=
rze...@pointyears.net, relay=dovecot, delay=0.03, delays=0/0/0/0.03,
dsn=2.0.0, status=sent (delivered via dovecot service)
Mar  1 18:58:58 miniserv.private postfix/qmgr[16741]: 659D6A00A7: removed

I've added the internal server to transport (pointyears.net :[192.168.1.5]),
postmapped it, and added it to the master.cf.

So I'm confused a) why postfix is still trying to deliver locally and why
it still thinks that dovecot is in play here, but I've never dealt with
that and postfix before.  Also, it seems to be ignoring myhostname I've
specified.  Is that an Apple thing?  I've pretty much ignored the GUI since
it's so basic and buggy.

Thoughts?
Thanks!

*
postconf -n:

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id  sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20485760
mydestination =
mydomain_fallback = localhost
myhostname = miniserv.pointyears.net
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.5
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relay_domains = pointyears.net
relayhost = [192.168.1.5]
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes


Re: Mac Postfix gateway local delivering.

2014-03-01 Thread Rick Zeman
On Sat, Mar 1, 2014 at 7:50 PM, li...@rhsoft.net li...@rhsoft.net wrote:

> On 02.03.2014 01:08, Rick Zeman wrote:
>> Howdy, I'm trying to set up a Mac version of postfix (2.9.4) as a mail
>> gateway.  It's been many years since I've set up a postfix instance, and
>> being extremely rusty I've gotten myself stuck.  I've got things working
>> so that mail destined for outside the domain gets delivered to the relay
>> host on an alternate port using SASL, so that's all working well.
>> However, mail destined for the local domain isn't being relayed to the
>> mail server (at least using mail from the command line), it's apparently
>> being handled by dovecot even though I commented out the dovecot section
>> of the master.cf and restarted postfix:
>>
>> Mar  1 18:58:58 miniserv.private postfix/smtp[16760]: 3AC89A009B: to=<r...@pointyears.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.08, delays=0.02/0/0/0.06, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D42BA00A2)
>>
>> transport_maps = hash:/etc/postfix/transport
>
> so what is local - if you have a transport then it happens to get used

Local = whatever domain postfix is part of (domain part of $myhostname).

This is all that's in transport:
pointyears.net smtp:[192.168.1.5]


Re: Mac Postfix gateway local delivering.

2014-03-01 Thread Rick Zeman
I'm sure everyone else knows this, but OS X has two complete sets of
postfix config files.  Guess who, based on linux experience, was using
/etc/postfix?



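The resolution of this thread is a path problem: the instance's config_directory is /Library/Server/Mail/Config/postfix, while the files being edited (and, per the posted postconf, transport_maps) live under /etc/postfix. The script below is an added example, not Postfix code and not anything from the thread: it parses `postconf -n` output, re-joining lines a mailer has wrapped, and lists every file-backed lookup table that sits outside both config_directory and data_directory (caches such as the TLS session cache legitimately live in the latter). SAMPLE_POSTCONF is a trimmed copy of the output posted earlier in the thread; on a live host you would feed it the output of `postconf -n` instead.

```python
"""List lookup-table files that live outside the running Postfix instance's
config_directory.  Added example, not Postfix code.  SAMPLE_POSTCONF is a
trimmed copy of the `postconf -n` output from the thread, including the
mailer's line wrapping."""
import re

SAMPLE_POSTCONF = """\
config_directory = /Library/Server/Mail/Config/postfix
data_directory = /Library/Server/Mail/Data/mta
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
local_transport = error:local mail delivery is disabled
mydestination =
myhostname = miniserv.pointyears.net
relay_domains = pointyears.net
relayhost = [192.168.1.5]
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
permit
transport_maps = hash:/etc/postfix/transport
"""

# A parameter line is "name = value" (value may be empty); any other non-empty
# line is a continuation produced by the mailer wrapping a long value.
PARAM_RE = re.compile(r"^([a-z0-9_]+) =(?: (.*))?$")
# Table types whose argument is a filesystem path (indexed or flat-file).
MAP_RE = re.compile(
    r"\b(?:hash|btree|cdb|lmdb|dbm|regexp|pcre|cidr|texthash):(/[^\s,]+)")


def parse_postconf(text):
    """Return {parameter: value}, re-joining wrapped continuation lines."""
    cfg, last = {}, None
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            last = m.group(1)
            cfg[last] = (m.group(2) or "").strip()
        elif last is not None and line.strip():
            cfg[last] = (cfg[last] + " " + line.strip()).strip()
    return cfg


def referenced_map_files(cfg):
    """Every (parameter, path) pair that names a table file."""
    return [(p, m.group(1)) for p, v in cfg.items() for m in MAP_RE.finditer(v)]


def maps_outside_config_dir(cfg):
    """Tables under neither config_directory nor data_directory."""
    confdir = cfg.get("config_directory", "/etc/postfix").rstrip("/") + "/"
    datadir = cfg.get("data_directory", "/var/lib/postfix").rstrip("/") + "/"
    return [(p, path) for p, path in referenced_map_files(cfg)
            if not (path.startswith(confdir) or path.startswith(datadir))]


if __name__ == "__main__":
    cfg = parse_postconf(SAMPLE_POSTCONF)
    for param, path in maps_outside_config_dir(cfg):
        print(f"{param}: {path} is outside {cfg['config_directory']}")
```

A hit from this check is not necessarily wrong (a map can deliberately live elsewhere), but on a host with two parallel configuration trees it is the quickest way to see that the instance actually running reads a different set of files than the one being edited.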

Re: Mac Postfix gateway local delivering.

2014-03-01 Thread Rick Zeman
On Sat, Mar 1, 2014 at 8:46 PM, Wietse Venema wie...@porcupine.org wrote:

> Rick Zeman:
>> mydestination =
>> local_transport = error:local mail delivery is disabled
>
> Nevertheless, you have some mail going to the local delivery agent.
>
>> transport_maps = hash:/etc/postfix/transport
>
> What is in this file?
>
> Wietse


Hi Wietse,

pointyears.net smtp:[192.168.1.5]:587


Post upgrade problem(?)

2012-07-08 Thread Rick Zeman
Just upgraded to 3.93 from 3.62 from source (amazingly smooth make
upgrade after skipping 3 years of interim versions.  Easier than
using an rpm!).  I fixed the TLS database location warnings that
cropped up in the logs, but I'm also seeing:

Jul  8 21:51:51 tux postfix/verify[28749]: close database
/var/lib/postfix/verify_cache.db: No such file or directory (possible
Berkeley DB bug)

Looking in /var/lib/postfix I see:
-rw-r--r-- 1 postfix postfix 8192 Jul  8 22:00 verify_cache.db

Any suggestions on what else to look at?

Thanks.

%postconf -n

address_verify_sender = 
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 4
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3058
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = -
relayhost = [smtp.comcast.net]:submission
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.pointyears.net ESMTP: $mail_name $mail_version
smtpd_client_restrictions = permit_mynetworks reject_rbl_client
sbl-xbl.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname
check_helo_access hash:/etc/postfix/helo_access permit
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination
check_recipient_access hash:/etc/postfix/deniedusers
reject_unverified_recipient check_policy_service
unix:private/tumgreyspf permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
tumgreyspf_time_limit = 3600
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550


quick and dirty SASL

2009-11-11 Thread Rick Zeman
Howdy,

I have sasl installed and postfix uses it for its outbound relay just
fine.  I need now for a smart phone or two to use postfix to send
mail.  Am I correct that there's no mechanism like
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password for smtpd?
Just need a quick and dirty one or two username auth.
What do you experts think is the best/easiest (yes, might not be the
same thing!) way to do this?

Thanks!

$ postconf -n
address_verify_sender = 
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp2:127.0.0.1:10025
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3058
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = -
relayhost = [outgoing.verizon.net]
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database =
btree:/var/spool/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.pointyears.net ESMTP: $mail_name $mail_version
smtpd_client_restrictions = permit_mynetworks reject_rbl_client
sbl-xbl.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname
check_helo_access hash:/etc/postfix/helo_access permit
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination
check_recipient_access hash:/etc/postfix/deniedusers
reject_unverified_recipient check_policy_service
unix:private/tumgreyspf permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550


Re: quick and dirty SASL

2009-11-11 Thread Rick Zeman
On Wed, Nov 11, 2009 at 11:06 AM, Eero Volotinen eero.voloti...@iki.fi wrote:
> Rick Zeman wrote:
>
>> Howdy,
>>
>> I have sasl installed and postfix uses it for its outbound relay just
>> fine.  I need now for a smart phone or two to use postfix to send
>> mail.  Am I correct that there's no mechanism like
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_password for smtpd?
>> Just need a quick and dirty one or two username auth.
>> What do you experts think is the best/easiest (yes, might not be the
>> same thing!) way to do this?
>
> Dovecot sasl:
>
> http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Whoops...been so long since I set that up that I should have mentioned
I have cyrus sasl installed.


Re: Interesting tumgreyspf/postfix/gmail problem

2008-10-15 Thread Rick Zeman
On Tue, Oct 14, 2008 at 11:41 PM, Henrik K [EMAIL PROTECTED] wrote:
> On Tue, Oct 14, 2008 at 05:32:56PM -0400, Rick Zeman wrote:
>> Just discovered that gmail is now retrying greylisted email from not
>> only multiple servers, but from multiple servers located within
>> different subnets...which totally breaks the tumgreyspf greylisting
>> implementation.  I kind of like it cuz it uses the filesystem to store
>> its data.  However, there's no way to whitelist every one of their
>> smtp servers.
>
> Of course there is, add client table before policy server:
>
> .google.com OK

Hmm, that didn't work for me--still got greylisted.  Relevant section below.

smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unverified_recipient
check_recipient_access hash:/etc/postfix/always_allowed
check_recipient_access hash:/etc/postfix/not_accepted
check_policy_service unix:private/tumgreyspf

cat /etc/postfix/always_allowed
abuse@ OK
postmaster@ OK
.google.com OK

and postmap WAS run.
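Two details of Postfix access-table lookups decide whether the layout above can bypass the policy service for a known relay. Henrik's reply refers to a client table (check_client_access), which is keyed on the connecting client's forward-confirmed hostname; the `.google.com` entry in the posted configuration sits in a check_recipient_access table, which is only ever looked up against the recipient address. Separately, access(5) documents that when parent_domain_matches_subdomains contains smtpd_access_maps (as the posted postconf has it) a bare `domain.tld` key matches the domain and its subdomains, and the `.domain.tld` form is not consulted at all; without that setting, `.domain.tld` is the subdomain form. The script below is an added example, not Postfix code: it models those lookup orders so the four layouts can be compared offline. The client hostname, recipient and tables are constructed, and the client IP-address lookups Postfix also performs are left out.

```python
"""Model the lookups behind check_client_access / check_recipient_access
(key order as documented in access(5)) so the effect of table placement and
of parent_domain_matches_subdomains can be tried offline.  Added example, not
Postfix code; hostnames, recipient and tables are constructed, and the client
IP-address lookups Postfix also performs are left out."""


def domain_keys(domain, legacy_parent_style):
    """Keys tried for a domain name, most specific first.

    legacy_parent_style=True models parent_domain_matches_subdomains
    containing smtpd_access_maps:   a.b.c, b.c, c
    False (Postfix default):        a.b.c, .b.c, .c
    """
    domain = domain.lower()
    labels = domain.split(".")
    keys = [domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if legacy_parent_style else "." + parent)
    return keys


def client_access(table, client_hostname, legacy_parent_style):
    """check_client_access, keyed on the forward-confirmed client hostname."""
    for key in domain_keys(client_hostname, legacy_parent_style):
        if key in table:
            return table[key]
    return None


def recipient_access(table, recipient, legacy_parent_style):
    """check_recipient_access: user@domain, then domain and parents, then user@."""
    user, _, domain = recipient.lower().partition("@")
    for key in [recipient.lower(), *domain_keys(domain, legacy_parent_style), user + "@"]:
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, client_hostname, recipient, legacy_parent_style):
    """Walk a restriction list left to right; return the first action found.
    A policy service is reported as "policy:<spec>", i.e. greylisting ran."""
    for kind, arg in restrictions:
        if kind == "check_client_access":
            action = client_access(arg, client_hostname, legacy_parent_style)
        elif kind == "check_recipient_access":
            action = recipient_access(arg, recipient, legacy_parent_style)
        elif kind == "check_policy_service":
            return "policy:" + arg
        else:
            raise ValueError("unmodelled restriction: " + kind)
        if action is not None:
            return action
    return "no-decision"


# Constructed data.  ALWAYS_ALLOWED mirrors the recipient table posted in the
# thread; the CLIENT_* tables are the client table Henrik's reply describes.
ALWAYS_ALLOWED = {"abuse@": "OK", "postmaster@": "OK", ".google.com": "OK"}
CLIENT_DOTTED = {".google.com": "OK"}
CLIENT_PLAIN = {"google.com": "OK"}
POLICY = "unix:private/tumgreyspf"
GMAIL_HOST = "mail-ob0-f170.google.com"   # constructed client hostname
RCPT = "someone@melwood.org"             # constructed local recipient


def outcomes():
    """Same client and recipient under four restriction layouts."""
    legacy = True  # parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
    as_posted = [("check_recipient_access", ALWAYS_ALLOWED), ("check_policy_service", POLICY)]
    dotted = [("check_client_access", CLIENT_DOTTED), ("check_policy_service", POLICY)]
    plain = [("check_client_access", CLIENT_PLAIN), ("check_policy_service", POLICY)]
    return {
        "recipient_table_as_posted": evaluate(as_posted, GMAIL_HOST, RCPT, legacy),
        "client_table_dotted_legacy": evaluate(dotted, GMAIL_HOST, RCPT, legacy),
        "client_table_dotted_default": evaluate(dotted, GMAIL_HOST, RCPT, False),
        "client_table_plain_legacy": evaluate(plain, GMAIL_HOST, RCPT, legacy),
    }


if __name__ == "__main__":
    for layout, result in outcomes().items():
        print(f"{layout:30s} -> {result}")
```

Two points to keep in mind when applying this to a real list: an OK from a client table ends evaluation for that recipient, so it must stay behind reject_unauth_destination (the posted list already has that order) or the host becomes an open relay for those clients; and check_client_access keys on the hostname only when reverse and forward DNS agree, otherwise the client is "unknown" and no hostname entry will match.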


Interesting tumgreyspf/postfix/gmail problem

2008-10-14 Thread Rick Zeman
Just discovered that gmail is now retrying greylisted email from not
only multiple servers, but from multiple servers located within
different subnets...which totally breaks the tumgreyspf greylisting
implementation.  I kind of like it cuz it uses the filesystem to store
its data.  However, there's no way to whitelist every one of their
smtp servers.

This leaves us with 4 options:

a)  do nothing and hope it's a crapshoot that gmail will retry from
the same smtp server within a reasonable timeframe (if at all!)  Not a
good option.
b)  turn off greylisting entirely.  (It still stops a lot of
spam...just not as much as before.  Not a good option)
c)  switch to another greylisting implementation  (uses a
database...not the preferred option)
d)  have postfix bypass that policy service if the sender's smtp
connection/envelope sender (vs the from)  is from gmail.   I have no
idea how to do that--if possible--hence this request to the list.  Is
that possible?

Thanks!

postconf -n
address_verify_negative_cache = yes
address_verify_negative_expire_time = 1d
address_verify_positive_refresh_time = 2d
address_verify_sender = 
alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
bounce_template_file = /etc/postfix/bounce.cf
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 4h
disable_dns_lookups = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix/html
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 2568
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination =
myhostname = mail.melwood.org
mynetworks = 127.0.0.0/8 192.168.1.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = melwood.com, melwood.org, melwoodgardencenter.com
relay_recipient_maps =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtp_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtp_tls_loglevel = 0
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = mail.melwood.org ESMTP - All use subject to Melwood's
Internet Use Policy.
smtpd_client_restrictions = permit_mynetworks reject_rbl_client
zen.spamhaus.org reject_rbl_client list.dsbl.org reject_rbl_client
combined.njabl.org permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 3s
smtpd_hard_error_limit = 4
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname
check_helo_access hash:/etc/postfix/helo_access permit
smtpd_recipient_restrictions = permit_mynetworks
reject_unauth_destination reject_unverified_recipient
check_recipient_access hash:/etc/postfix/always_allowed
check_recipient_access hash:/etc/postfix/not_accepted
check_policy_service unix:private/tumgreyspf
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550