smtp_enforce_tls on submission tcp/587 only
I am trying to force submission (with SMTP auth via SASL) clients on tcp/587 to use TLS. Is there any way to do this?

I ran across smtp_enforce_tls, but this seems to force any and all SMTP clients to use TLS, which is not what I want (this is a public facing machine).

Will I need to implement some type of submission policy like this, or am I understanding the policy structure incorrectly?

snip from http://www.postfix.org/TLS_README.html

    /etc/postfix/main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

    /etc/services:
        submission      587/tcp         msa             # mail message submission

    /etc/postfix/tls_policy:
        [example.net]:587 encrypt protocols=TLSv1 ciphers=high
        [example.net]:msa encrypt protocols=TLSv1 ciphers=high
        [example.net]:submission encrypt protocols=TLSv1 ciphers=high

/snip from http://www.postfix.org/TLS_README.html

kind regards,
Terry
Re: smtp_enforce_tls on submission tcp/587 only
Terry L. Inzauro wrote:

I am trying to force submission (with SMTP auth via SASL) clients on tcp/587 to use TLS. Is there any way to do this?

I ran across smtp_enforce_tls, but this seems to force any and all SMTP clients to use TLS, which is not what I want (this is a public facing machine).

Will I need to implement some type of submission policy like this, or am I understanding the policy structure incorrectly?

snip from http://www.postfix.org/TLS_README.html

    /etc/postfix/main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

    /etc/services:
        submission      587/tcp         msa             # mail message submission

    /etc/postfix/tls_policy:
        [example.net]:587 encrypt protocols=TLSv1 ciphers=high
        [example.net]:msa encrypt protocols=TLSv1 ciphers=high
        [example.net]:submission encrypt protocols=TLSv1 ciphers=high

/snip from http://www.postfix.org/TLS_README.html

kind regards,
Terry

Never mind. I asked too soon. Looks like smtpd_tls_auth_only = yes does the trick.

Thanks for the great product and stellar community support. Keep up the good work.

Happy Holidays to all.

_Terry
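Added example (not part of the original posts): a small Python audit of which smtpd listeners require TLS. It shows that smtpd_tls_auth_only = yes withholds AUTH until STARTTLS has completed, while a per-service -o smtpd_tls_security_level=encrypt override in master.cf makes TLS mandatory on submission only; the config contents and the 2525 listener are constructed for illustration.

```python
# Constructed sample configs (not from the thread); 2525 is a hypothetical listener.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
2525       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
"""

def main_params(text):
    """Parse 'name = value' lines of main.cf, skipping comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def smtpd_services(text):
    """Yield (service, -o overrides) for each inet smtpd entry in master.cf."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:  # indented line continues the entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    for fields in (e.split() for e in entries):
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            opts = [b for a, b in zip(fields[8:], fields[9:]) if a == "-o"]
            yield fields[0], dict(o.split("=", 1) for o in opts if "=" in o)

def audit(main_text, master_text):
    """Map each listener to its effective TLS/AUTH posture."""
    base, report = main_params(main_text), {}
    for name, over in smtpd_services(master_text):
        eff = {**base, **over}
        # A non-empty security level overrides the legacy smtpd_enforce_tls.
        level = eff.get("smtpd_tls_security_level") or (
            "encrypt" if eff.get("smtpd_enforce_tls") == "yes" else "")
        tls = level == "encrypt" or eff.get("smtpd_tls_wrappermode") == "yes"
        sasl = eff.get("smtpd_sasl_auth_enable") == "yes"
        gated = eff.get("smtpd_tls_auth_only") == "yes"
        report[name] = ("tls-required" if tls else "no-auth" if not sasl else
                        "auth-after-starttls" if gated else "auth-in-cleartext")
    return report
```

For the sample files, audit(MAIN_CF, MASTER_CF) reports smtp as no-auth, submission as tls-required and 2525 as auth-after-starttls; with an empty main.cf the 2525 listener drops to auth-in-cleartext.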
Re: OT: need some advice as to distro
John wrote:

Sorry to bring this here, but we are having trouble setting up a Postfix/dovecot mail system.

Background: We are a bunch of retirees, so cost is a factor in any decision. We all have IT experience, some of going back decades, however the world of Linux and its software is new to us all. We used the cook book approach to setting up our first mail system. It uses Postfix/Dovecot on top of Fedora 8 and so far it works like a charm. While the cook-book approach got up and running fairly easily I think we missed out on the learning side of things.

However, there is a growing concern about the basic OS slipping too far behind on important changes, the same goes for some of the packages we are planning on using, so we have started looking at alternatives.

Fedora - a little too dynamic for use as a server. This is to be expected as it is a development system which I don't think is aimed at a production-like environment, plus the latest release seems very desktop oriented.

Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).

Ubuntu 9.10 Server edition - I am not sure what to say here. While at first glance it seems to be an ideal solution, a free server distribution with Canonical backing it up. However, the setup of some packages seems to us odd, overly complicated and arbitrary.

openSUSE - not tied, but some concerns over the Novell/Microsoft deal.

Thanks in advance
John A

Personally, Debian Stable (currently Lenny) is my Linux of choice for production system. Package management via apt is second to none and everything is very well documented with a willing and able community for support.

Why restate what's already written: http://www.debian.org/intro/why_debian

When it comes down to it, the best distro is the one you know how to use. I would start with a distro that you are most comfortable with and know how to use the best.

Good luck and kind regards,
_Terry
Re: What Is Causing This Failure
Frog wrote:

Perhaps your mail server is on a DNSBL?

Regards
Frog

- Original Message -
From: Carlos Williams carlosw...@gmail.com
To: postfix-users@postfix.org
Sent: Tuesday, 1 December, 2009 4:05:25 PM
Subject: Re: What Is Causing This Failure

On Tue, Dec 1, 2009 at 10:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

What is the output of traceroute 198.186.193.20 ?

I get no results from my mail server:

    traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 40 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     . . .
    29  * * *
    30  * * *

Strange... why all the off topic posts today?

---

chances are a router along the way is not forwarding icmp probes/responses correctly..

    [10:39:23 r...@allover:~]# tcptraceroute 198.186.193.20 25
    Selected device eth0, address 10.123.0.250, port 56230 for outgoing packets
    Tracing the path to 198.186.193.20 on TCP port 25 (smtp), 30 hops max
     1  10.123.0.252  0.302 ms  0.133 ms  0.128 ms
     2  bizXX.sta.linkcity.org.XX.22.72.in-addr.arpa (72.22.XX.XX)  0.412 ms  0.315 ms  0.312 ms
     3  10.200.100.1  6.961 ms  0.499 ms  0.474 ms
     4  sl-gw16-kc-3-1.sprintlink.net (160.81.151.109)  0.564 ms  0.437 ms  0.491 ms
     5  sl-crs1-kc-0-5-0-0.sprintlink.net (144.232.11.152)  1.073 ms  0.827 ms  0.737 ms
     6  sl-crs1-chi-0-1-0-3.sprintlink.net (144.232.18.214)  12.008 ms  12.409 ms  11.996 ms
     7  sl-st20-chi-13-0-0.sprintlink.net (144.232.20.3)  11.603 ms  11.579 ms  11.569 ms
     8  144.232.8.114  11.715 ms  11.777 ms  11.657 ms
     9  ae-32-52.ebr2.Chicago1.Level3.net (4.68.101.62)  12.476 ms  21.324 ms  18.234 ms
    10  ae-5.ebr2.Chicago2.Level3.net (4.69.140.194)  12.354 ms  12.639 ms  12.676 ms
    11  ae-2-2.ebr2.Washington1.Level3.net (4.69.132.70)  33.594 ms  33.414 ms  33.252 ms
    12  ae-62-62.csw1.Washington1.Level3.net (4.69.134.146)  46.577 ms  39.840 ms  35.910 ms
    13  ae-1-69.edge2.Washington4.Level3.net (4.68.17.19)  33.635 ms  33.585 ms  33.636 ms
    14  xe-0-2-0.cr1.iad1.us.nlayer.net (4.79.168.74)  33.761 ms  33.292 ms  73.096 ms
    15  vl74.ar1.iad1.us.nlayer.net (69.31.31.190)  33.976 ms  33.986 ms  34.315 ms
    16  as6450.vl134.ar1.iad1.us.nlayer.net (69.31.31.115)  33.968 ms  33.436 ms  33.511 ms
    17  dns5.docforge.org (198.186.193.20) [open]  33.906 ms  33.987 ms  34.153 ms
    [10:39:25 r...@allover:~]#
Re: [Postfix] Wrong Time
Jacopo Cappelli wrote:

On log I have the wrong time (-6h) but the date is ok. I read that I copy /etc/localtime to the chroot of postfix and I try but it doesn't work...

    cp -p /etc/localtime /var/spool/postfix/etc/localtime

and reload postfix doesn't work...

I use Debian 5.0.3; tzdata and locales are ok and configured.

Thanks,
Jacopo

What is the UTC setting in /etc/default/rcS?
Re: Postfix SMTP Auth and OpenLDAP
Jose Ildefonso Camargo Tolosa wrote:

Hi!

On Tue, Jul 7, 2009 at 3:16 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

On Mon, Jul 06, 2009 at 09:36:17PM +0200, Patrick Ben Koetter wrote:

* Terry L. Inzauro tinza...@ha-solutions.net:

What is the recommended and most scalable method for implementing SMTP Auth against OpenLDAP that currently manages all IMAP accounts?

Cyrus SASL ldapdb plugin:

The ldapdb auxprop plugin provides access to credentials stored in an OpenLDAP LDAP server. It is the only plugin that implements proxy authorization. Proxy authorization in this context means: The ldapdb plugin must SASL authenticate with the OpenLDAP server. The server then decides if the ldapdb plugin should be authorized to read the authenticating user's password. Once the ldapdb plugin has gone through proxy authorization it may proceed and authenticate the submitted credentials.

Is there another plugin which authenticates users by binding to LDAP *as the user*, and using the success/failure of that to decide whether a user's password is valid? This could perhaps also be accomplished via a suitable PAM stack or via indirect mechanisms such as rimap or dovecot auth.

I actually use:

    postfix -- SASL -- dovecot -- PAM -- LDAP

There is no particular reason why you can't do:

    postfix -- dovecot -- LDAP

You just need to check dovecot's documentation, I used pam because I was already using it.

Ildefonso Camargo

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:

mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.

Can you elaborate a little more on the postfix - dovecot - ldap setup? Is there a specific reason why dovecot was used? Can courier imap be used?
Postfix SMTP Auth and OpenLDAP
What is the recommended and most scalable method for implementing SMTP Auth against OpenLDAP that currently manages all IMAP accounts?

kind regards,
_Terry
backup mx and with header checks
List,

I operate a backup mx for one of my customers. In doing so, I have run into an issue where I must accept all email regardless of whether or not the message is destined for a valid email account in my customer's email system (which is MS Exchange 2003).

I thought about asking my customer if they would export a list of email addresses for which they want backup MX service so I can place that in a relay_recipient_map, but that process requires ongoing admin time and might not appeal to them.

The majority of the junk mail I am seeing is in the form of From: u...@domain and RCPT: u...@domain, which is obviously forged.

Would a header_check be the way to go here in order to match and discard the junk mail in this case? If so, what would the pcre check look like? I understand that legitimate users wouldn't be able to send themselves email, but that's fine with me.

best regards,
_Terry