Problems with sender domain

2010-11-24 Thread deconya
Hi guys

I'm a newbie using Postfix and I'm having problems with a domain. I
have no more than 100 accounts subscribed using LDAP + Postfix, and
sometimes when users send a message it arrives with a bad
subdomain, and always the same one. A user with domain u...@mydomain.com
arrives to other users as u...@imap.mydomain.com. I don't understand
how this happens, any idea?

Thanks for your time.


statistics about use of webmail

2010-12-16 Thread deconya
Hi guys

My boss asked me for statistics about the use of webmail, exactly
which users used webmail during a week. Does any of you know how to do
it?

I'm using Postfix + Dovecot + OpenLDAP + Roundcube. If you need more
info please tell me.

Thanks!!


About filtering mail with mailq

2009-02-13 Thread deconya
Hi

I'm new to Postfix and I'm learning how to use it. My first problem is about
spam, because mails are coming in to my server with my domain but using bad
addresses and sending a copy to the aol.com domain. I'm running:

#postqueue -p | grep ' Feb @aol.com' | sed 's/*//' | awk '{print $1}' >spam.txt

but the ID does not appear. I need to filter on two domains that are on different lines, for
example:

ID -m...@mydomina.com
-m...@aol.com

How can I do this?

Thanks && Best Regards
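
An added example, not part of the original post: `postqueue -p` prints the queue ID and sender on the first line of each entry and the recipients on the following indented lines, so a line-oriented grep never sees both at once. The sketch below reads the listing entry by entry; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Print the queue IDs of messages whose envelope sender is in SENDER_DOMAIN
# (empty string = any sender) and that have at least one recipient in
# RCPT_DOMAIN. Input is `postqueue -p` output on stdin.
queue_ids_for() {
    awk -v sdom="$1" -v rdom="$2" '
    # True when addr ends in "@dom" (case-insensitive, exact domain only).
    function in_domain(addr, dom,    n) {
        addr = tolower(addr); dom = "@" tolower(dom)
        n = length(addr) - length(dom)
        return n >= 1 && substr(addr, n + 1) == dom
    }
    # Emit the entry collected so far if both conditions held, then reset.
    function flush() {
        if (id != "" && sender_ok && rcpt_ok) print id
        id = ""; sender_ok = 0; rcpt_ok = 0
    }
    /^-Queue ID-/ || /^-- / { next }            # header and summary lines
    /^$/                    { flush(); next }   # a blank line ends an entry
    /^\(/                   { next }            # deferral reason line
    /^[0-9A-Za-z]/ {                            # ID, size, arrival time, sender
        flush()
        id = $1
        sub(/[*!]$/, "", id)                    # "*" = active, "!" = on hold
        sender_ok = (sdom == "" || in_domain($NF, sdom))
        next
    }
    /^[ \t]/ { if (in_domain($1, rdom)) rcpt_ok = 1 }   # recipient lines
    END { flush() }
    '
}

# Constructed sample of `postqueue -p` output (addresses are placeholders).
sample_queue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
0A1B2C3D4E*    2345 Fri Feb 13 09:12:01  MAILER-DAEMON
                                         someone@aol.com

1F2E3D4C5B     1890 Fri Feb 13 09:14:47  fake.user@mydomain.example
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         list@example.org
                                         target@aol.com

2A3B4C5D6E!    1204 Fri Feb 13 09:20:03  real.user@mydomain.example
                                         friend@example.org

3C4D5E6F7A     1530 Fri Feb 13 09:21:10  other@notaol.com.example
                                         x@mail.aol.com

-- 7 Kbytes in 4 Requests.
EOF
}

# On a live server: postqueue -p | queue_ids_for mydomain.example aol.com > spam.txt
sample_queue | queue_ids_for mydomain.example aol.com
```

After reviewing the resulting list, it can be passed to `postsuper -d -`, which reads queue IDs from standard input.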


upgrading amavisd

2009-02-23 Thread deconya
Hi!

I'm upgrading a server with Postfix, and in the part that upgrades Amavisd
from version 2.1.2 to 2.6.1 the following message appears when I'm in the debug
part:

Problem in Amavis::DB or Amavis::DB::SNMP code: Can't locate loadable object
for module BerkeleyDB in @INC (@INC contains:
/usr/lib/perl5/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0) at (eval
34) line 19
Compilation failed in require at (eval 34) line 19.
BEGIN failed--compilation aborted at (eval 34) line 19.
Undefined subroutine &BerkeleyDB::Term::close_everything called at
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/BerkeleyDB.pm line
1649.
END failed--call queue aborted.

Can anyone tell me what I'm doing wrong? It is the first time that I do an
upgrade and I don't know more.

Thanks, and sorry if it's not the correct list for the question.


I need help with smtp configuration

2009-03-11 Thread deconya
Hi people

I have a big problem with my Postfix server because today people
can't use the server to send any mail, only receive. This error is produced
at random, and every time the same thing appears in the logs:

Mar 11 19:24:53 correo postfix/smtpd[27553]: NOQUEUE: reject: RCPT from
ip-89-102-95-183.karneval.cz[89.102.95.183]: 554 :
Relay access denied; from= to=<
ba...@otherdomain.com> proto=SMTP helo=

The problem started to appear today and I don't know if the sender
restriction rules are the problem. Currently they are:

smtpd_sender_restrictions = reject_unknown_sender_domain,check_sender_access hash:/etc/postfix/spammer,reject_non_fqdn_sender,permit

I can't understand where the problem is. If anyone understands why this
error is produced, I would be very grateful for any help.

Best regards


Re: I need help with smtp configuration

2009-03-11 Thread deconya
Hi

Until yesterday all was good. In main.cf my configuration currently is

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/overquota
permit_mynetworks
permit_sasl_authenticated
check_client_access hash:/etc/postfix/clientes
reject_unauth_destination

Where clientes is a file with the IPs blocked for spam. I commented out
this line but I'm not sure if this is the problem.

Where is the 554 message configured?

It does not appear in main.cf and I'm lost with this problem; it is very strange
that it keeps happening. Any other idea?

Best Regards

On Wed, Mar 11, 2009 at 8:11 PM, Victor Duchovni <
victor.ducho...@morganstanley.com> wrote:

> On Wed, Mar 11, 2009 at 08:02:55PM +0100, deconya wrote:
>
> > Hi people
> >
> > Im with a biggest problem in my postfix server because today the people
> > can't use the server to send any mail only receive. This error is
> produced
> > how to randomand every time in the logs appears the same
> >
> > Mar 11 19:24:53 correo postfix/smtpd[27553]: NOQUEUE: reject: RCPT from
> > ip-89-102-95-183.karneval.cz[89.102.95.183]: 554  >:
> > Relay access denied; from= to=<
> > ba...@otherdomain.com> proto=SMTP helo=
> >
> > The problem starts to appear today and I don't know if there are the
> sender
> > resctrctions rules the problem. Actually are:
> >
> > smtpd_sender_restrictions =
> reject_unknown_sender_domain,check_sender_access
> > hash:/etc/postfix/spammer,reject_non_fqdn_sender,permit
>
> "Relay access denied" is produced by either "reject_unauth_destination"
> or the obsolete "check_relay_domains". These are typically found in
> smtpd_recipient_restrictions. Note, you should not take these out, they
> are needed on servers whose SMTP port can be reached by untrusted clients.
>
> Rather, add rules to permit trusted clients before blocking relaying by
> untrusted clients:
>
>     smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         ... UCE controls ...
>
> Do make sure "mynetworks" is defined correctly.
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>


how to create a filter in amavisd

2009-03-19 Thread deconya
Hi

I'm configuring a server with Postfix, amavisd and SpamAssassin and a
problem appears with the antispam rules. There is one application that uses the
server to send mails to different clients, but amavisd detects these mails as
spam. How can I create an exception? I would like to create a
whitelist inside amavisd. Is it possible?

I'm grateful for any help.

Best Regards


Re: how to create a filter in amavisd

2009-03-20 Thread deconya
Hi

I'm using SMTP to send but filtering everything with amavisd. Does the
content-filter solution need to be created in main.cf or in master.cf?

Thanks

On Fri, Mar 20, 2009 at 12:08 AM, mouss  wrote:

> deconya wrote:
> > Hi
> >
> > Im configuring a server with postfix amavisd and spamassassin and
> > appears a problem with the antispam rules. There are one application
> > that uses the server to send to different clients mails but the amavisd
> > detect howo to spam this mails. How I can create an exception? I would
> > like to create a whitelist inside amavisd. It's possible?
> >
> how does your application pass mail to postfix?
>
> if it's with the sendmail command, the easy way is to skip amavisd-new
> for sendmail submitted mail by adding
>     -o content_filter=
> under the pickup service (in master.cf)
>
>
> if it submits mail via smtp, check if you can configure it to use a
> specific port. then you can use the -o content_filter as above.
>
> otherwise, give more infos. and when you give infos, think of how to
> differentiate mail from your app and other mail.
>


Re: I need help with smtp configuration

2009-03-24 Thread deconya
Hi

Recovering this thread: finally the check_client_access was commented out and
the service was recovered. But on this server three domains are accepted, and
it only checks if I use the SMTP of the most important domain to validate. If I use
the others, the same error message appears.

For example:

If I use smtp.thebaddomain.com to send, the 554 relay access denied
error appears. If I use smtp.mygooddomain.com, the connections to send are accepted.
The user is correct and validates fine (all users with this domain receive
well). It only happens with SMTP (not IMAP connections).

Is it possible that the value of permit_mynetworks is relaying the connections?

And the other question I'm thinking about: where do I configure the domains accepted to
validate on the server? In the relay_domains value?

Thanks && Best regards

On Wed, Mar 11, 2009 at 8:47 PM, Victor Duchovni <
victor.ducho...@morganstanley.com> wrote:

> On Wed, Mar 11, 2009 at 08:37:17PM +0100, deconya wrote:
>
> > smtpd_recipient_restrictions =
> > check_recipient_access hash:/etc/postfix/overquota
> > permit_mynetworks
> > permit_sasl_authenticated
> > check_client_access hash:/etc/postfix/clientes
> > reject_unauth_destination
> >
> > in main.cf not appears and Im lost with this problem, is very strange
> > continues making. Any other idea?
>
> No, the same idea. Your authorized senders are no longer allowed to
> relay via:
>
>> permit_mynetworks
>> permit_sasl_authenticated
>> check_client_access hash:/etc/postfix/clientes
>
> One of these has changed. Check that mynetworks is correct, SASL
> is still working and the "clientes" table and its postmapped version
> are correct. One of these is not correct. Figure out which one.
>
> Alternatively, your "smtpd_recipient_restrictions" is not what you
> believe it to be. Check "postconf -n" output and master.cf "-o ..."
> settings.
>
> --
> Viktor.


problems with smtpd_sender_restrictions and smtpd_client_restrictions

2009-04-16 Thread deconya
Hi list

I'm having problems with the smtpd_sender_restrictions and
smtpd_client_restrictions options. Currently I have:

smtpd_sender_restrictions =
reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/spammer,
reject_non_fqdn_sender

smtpd_client_restrictions=
   hash:/etc/postfix/access,
   reject_unauth_destination,
   reject_unknown_client,
   reject_rbl_client sbl.spamhaus.org

If I use only smtpd_sender_restrictions all goes well, but when I activate
smtpd_client_restrictions all the smtpd connections are refused. I don't
know if the order of the options matters, because they are in the last part of
main.cf, but it is strange because my IP is not banned. Does anyone have any idea
where the problem is?

Thanks && Best regards


Re: problems with smtpd_sender_restrictions and smtpd_client_restrictions

2009-04-16 Thread deconya
Thanks!

Well, if I put reject_unknown_client, my client says "Client host rejected:
cannot find your hostname, [10.160.1.193]". Does it refer to $myhostname?

Well, the good news is that if I put only

smtpd_client_restrictions=
check_client_access hash:/etc/postfix/access,
#   reject_unknown_client,
reject_rbl_client zen.spamhaus.org

it goes right, one first step .-)

Other good blacklists?

Thanks && Best Regards

On Thu, Apr 16, 2009 at 1:29 PM, Ralf Hildebrandt <
ralf.hildebra...@charite.de> wrote:

> * deconya :
> > Hi list
> >
> > Im having problems with smtpd_sender_restrictions and
> > smtpd_client_restrictions options. Actually I have:
> >
> > smtpd_sender_restrictions =
> > reject_unknown_sender_domain,
> > check_sender_access hash:/etc/postfix/spammer,
> > reject_non_fqdn_sender
> >
> > smtpd_client_restrictions=
> ---> make that check_client_access hash:/etc/postfix/access,
> > remove that reject_unauth_destination,
> >    reject_unknown_client,
> >    reject_rbl_client sbl.spamhaus.org
>
> Make that reject_rbl_client zen.spamhaus.org
>
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
> http://www.computerbeschimpfung.de
> The shortest computer jokes:
> 1) It should work.
>


Best blacklist

2009-04-20 Thread deconya
Hi list

I would like to ask a question about the use of blacklists. I used
rbl.orbitrbl.com but it has a bad refresh. Last Friday I deleted an IP and
it appears as blacklisted today (Monday). Finally I had to delete this
blacklist from the smtp_client_restrictions. Which are the best
blacklists? I used zen.spamhaus.org, but it has too many false positives
too.

Other blacklists?

Thanks && Best Regards


Re: Best blacklist

2009-04-20 Thread deconya
Hi

Thanks for the information. I'm testing bl.spamcop.net to see the results. If
I would like to block an email address only from sending (it can receive), how can I
configure it? I put these options in main.cf

smtpd_sender_restrictions =
reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/spammer,
reject_non_fqdn_sender


I understand that all mails I put in spammer will be rejected when they try to
send, no?

Thanks && Best Regards

On Mon, Apr 20, 2009 at 1:47 PM, Daniel Luttermann  wrote:

> deconya wrote:
>
> > Hi list
>
> > I would like to make a question about the use of blacklists. I used
> > rbl.orbitrbl.com but has a bad refresh. Last friday y delete and IP
> > and appears how to blacklisted today (monday). Finally I must to
> > delete this blacklist inside the smtp_client_restrictions. Which are
> > the best blacklists.? I used the zen.spamhaus.org, but has too many
> false positives too.
>
> I think there's no "best" blacklist - every blacklist has pros and
> cons and if you block mails directly at the smtp level you can lost
> mails - no matter which one you use.
>
> Is it an option for you to use policyd-weight or postfwd to reduce
> mail lost and/or false-positives?
>
>
> --
> Daniel
>
>
>
>


Re: Best blacklist

2009-04-20 Thread deconya
Hi

When you say

Perhaps you forgot to prefix your RBL check with permit_mynetworks and/or
permit_sasl_authenticated.

where do I need to put these options? They are in smtpd_recipient_restrictions but not
in smtpd_client_restrictions. Can I put them in the client_restrictions options?

For example:

smtpd_client_restrictions=
check_client_access hash:/etc/postfix/access,
* permit_sasl_authenticated,*
#   reject_unknown_client,
#   reject_rbl_client rbl.orbitrbl.com,
#   reject_rbl_client bl.spamcop.net,
reject_rbl_client whois.rfc-ignorant.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zombie.dnsbl.sorbs.net

Is it correct here?

Thanks

On Mon, Apr 20, 2009 at 2:27 PM, Noel Jones  wrote:

> deconya wrote:
>
>> Hi list
>>
>> I would like to make a question about the use of blacklists. I used
>> rbl.orbitrbl.com <http://rbl.orbitrbl.com> but has a bad refresh. Last
>> friday y delete and IP and appears how to blacklisted today (monday).
>> Finally I must to delete this blacklist inside the smtp_client_restrictions.
>> Which are the best blacklists.? I used the zen.spamhaus.org <
>> http://zen.spamhaus.org>, but has too many false positives too.
>>
>
> If zen.spamhaus.org has too many false positives for your environment,
> you'll probably have trouble finding one that suits your needs.
>
> Perhaps you forgot to prefix your RBL check with permit_mynetworks and/or
> permit_sasl_authenticated.
>
> Another possibility is using a policy service such as postfwd to "score"
> mail based on multiple RBL and other envelope checks.
>
>
>  -- Noel Jones
>


Re: Best blacklist

2009-04-20 Thread deconya
Yes, but this server is used to connect the clients of my company and
generates too much spam. I prefer to have the blacklists repeated and
recheck mails. The level of spam was reduced by 90 % or more!!

This afternoon I will test permit_mynetwork and permit_sasl_authenticated.

Thanks && Best Regards

On Mon, Apr 20, 2009 at 3:12 PM, David Figuera wrote:

> > Perhaps you forgot to prefix your RBL check with permit_mynetworks and/or
> > permit_sasl_authenticated.
> >
> > where I need to put this options? Are in smtpd_recipient_restrictions but
> no
> > in smtpd_client_restrictions. I can put in the client_restrictions
> options¿?
>
>
> It's better to put these two options first under
> smtpd_recipient_restrictions
> and to move all restrictions to smtpd_recipient_restrictions, as noted
> several times
> on this list.
>


how to detect spam attacks

2009-04-26 Thread deconya
Hi list

I have the following problem: I have an old server and I'm in the process of migrating
to a better machine, but currently I'm having spam attacks on the server that
saturate it. Because of the age of the server and because it will be replaced in two weeks,
I can't install any program like spamity or similar to help detect spam
attacks, but I need to understand the mail.log to deduce the IPs the attacks
come from and stop them. Can anyone tell me what clues can help me
deduce these IPs?

Currently I'm using blacklists but they do not detect these attacks. Any other option
to create statistics using external programs?

Thanks && Best regards
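
An added example, not part of the original post: with nothing but awk and sort, mail.log can be reduced to one line per SMTP client address showing how often it connected and how often smtpd logged `NOQUEUE: reject:` (the line format quoted earlier in this archive) or `NOQUEUE: reject_warning:` (what `warn_if_reject` produces). The function names, the host name `mx1` and the sample log are constructed; the addresses are documentation ranges.

```shell
#!/bin/sh
# Read a Postfix mail.log on stdin and print "IP connects rejects warnings",
# one line per client address, worst offenders first.
smtp_client_stats() {
    awk '
    # Clients are logged as hostname[address]; return the bracketed address.
    function client_ip(s) {
        if (!match(s, /\[[0-9A-Fa-f:.]+\]:?$/)) return ""
        return substr(s, RSTART + 1, index(substr(s, RSTART), "]") - 2)
    }
    {
        # Locate the "postfix/smtpd[pid]:" field so the syslog prefix may vary.
        p = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^postfix\/smtpd\[[0-9]+\]:$/) { p = i; break }
        if (!p) next
        kind = ""
        if ($(p + 1) == "connect" && $(p + 2) == "from") {
            ip = client_ip($(p + 3)); kind = "c"
        } else if ($(p + 1) == "NOQUEUE:" && $(p + 4) == "from") {
            ip = client_ip($(p + 5))
            if ($(p + 2) == "reject:") kind = "r"
            else if ($(p + 2) == "reject_warning:") kind = "w"
        }
        if (kind == "" || ip == "") next
        seen[ip] = 1; n[kind, ip]++
    }
    END {
        for (ip in seen)
            print ip, n["c", ip] + 0, n["r", ip] + 0, n["w", ip] + 0
    }
    ' | sort -k3,3nr -k2,2nr -k1,1
}

# Print "IP<TAB>REJECT" lines, the format of a check_client_access table, for
# clients with at least MIN rejects. Review the list before running postmap:
# a misconfigured legitimate client also shows up here.
blacklist_candidates() {
    smtp_client_stats | awk -v min="$1" '$3 >= min { print $1 "\tREJECT" }'
}

# Constructed sample log lines.
sample_maillog() {
    cat <<'EOF'
Apr 26 03:10:01 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Apr 26 03:10:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <a@otherdomain.example>: Relay access denied; from=<x@spam.example> to=<a@otherdomain.example> proto=SMTP helo=<pc>
Apr 26 03:10:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <b@otherdomain.example>: Relay access denied; from=<x@spam.example> to=<b@otherdomain.example> proto=SMTP helo=<pc>
Apr 26 03:10:03 mx1 postfix/smtpd[2101]: disconnect from unknown[203.0.113.7]
Apr 26 03:10:05 mx1 postfix/smtpd[2102]: connect from unknown[198.51.100.20]
Apr 26 03:10:06 mx1 postfix/smtpd[2102]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.20]; from=<u@partner.example> to=<me@mydomain.example> proto=ESMTP helo=<mail.partner.example>
Apr 26 03:10:07 mx1 postfix/smtpd[2102]: disconnect from unknown[198.51.100.20]
Apr 26 03:10:09 mx1 postfix/smtpd[2103]: connect from unknown[203.0.113.7]
Apr 26 03:10:10 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <c@otherdomain.example>: Relay access denied; from=<x@spam.example> to=<c@otherdomain.example> proto=SMTP helo=<pc>
Apr 26 03:10:11 mx1 postfix/qmgr[900]: 6191E26F95B: removed
Apr 26 03:10:12 mx1 postfix/smtpd[2104]: connect from dyn-7.isp.example[192.0.2.55]
Apr 26 03:10:13 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from dyn-7.isp.example[192.0.2.55]: 554 5.7.1 Service unavailable; Client host [192.0.2.55] blocked using bl.spamcop.net; from=<q@z.example> to=<me@mydomain.example> proto=SMTP helo=<dyn-7>
EOF
}

# On a live server: smtp_client_stats < /var/log/mail.log | head -20
sample_maillog | smtp_client_stats
```

The fourth column counts would-be rejections only, so a restriction placed behind `warn_if_reject` can be judged from the log before it is enforced.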


Re: how to detect spam attacks

2009-04-27 Thread deconya
Hi list

The first thing to do will be a blacklist created for me. I'm looking at how to make
it, and it is by putting the line:

check_client_access hash:/etc/postfix/blacklist

but I have doubts. Where do I need to put this? In smtp_recipient_restrictions
or in smtpd_client_restrictions?
Does the content of the file permit putting domains and IPs?
For example:
121.222.33.44 REJECT
domain.com REJECT

This is my configuration:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/overquota,
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_pipelining,
#check_client_access hash:/etc/postfix/clientes #This is correct
reject_unauth_destination,
reject_rbl_client rbl.orbitrbl.com,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client whois.rfc-ignorant.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client bl.spamcop.net,
permit

Other recommendations?

On Mon, Apr 27, 2009 at 12:39 AM, Terry Carmen  wrote:

>
> > Hi list
> >
> > Im with the next problem: I have and old server and Im in process to
> migrate
> > to a better machine, but actually Im having spam attacks in the server
> than
> > saturate it. For  the age of the server and because in two weeks is
> replaced
> > I can't install any program like spamity or similar to help to detect
> spam
> > attacks, but I need to understand the mail.log to deduce the Ips where
> comes
> > the attacks and stop it. Any people can help me what clues can help me to
> > deduce this Ips?
>
> There are a number of things you can do, including possibly using a better
> (or
> an additional) blacklist, rejecting incoming connections that have no
> reverse
> DNS entry, and on a more controversial, but very effective note, reject IP
> addresses that have a "dynamic looking" reverse DNS and rejecting messages
> that are for non-existent users.
>
> If you can you can post a few log entries for this spam, as well as the
> output
> from postconf -n, I'm sure you'll get a lot of good suggestions.
>
> Some well-chosen restrictions will let even a small machine handle a really
> significant volume of mail. The trick is to reject as much spam as possible
> during the initial SMTP connection.
>
> Terry
>
>
>
>
>


Re: how to detect spam attacks

2009-04-27 Thread deconya
Continuing with this thread: where I put the options, I could see
the server refuses external connections. Finally I needed to comment out the
permit_mynetworks option and I think all is going right.

In the server the options are:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/overquota,
#   permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_pipelining,
check_client_access hash:/etc/postfix/clientes
reject_unauth_destination,
### Blacklists against the mailboxes ###
reject_rbl_client rbl.orbitrbl.com,
#   reject_rbl_client zen.spamhaus.org,### too many false positives from telefonica
reject_rbl_client whois.rfc-ignorant.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client psbl.surriel.com,
permit

Any idea what the cause of the external rejections is?

Thanks && Best Regards

On Mon, Apr 27, 2009 at 11:26 AM, deconya  wrote:

> Hi list
>
> The first thing to do will be a blacklist created for me. Im looking to
> make it and is putting the line:
>
> check_client_access hash:/etc/postfix/blacklist
>
> but I have doubts. Where I need to put this? in smtp_recipient_restrictions
> or in smtpd_client_restrictions?
> The content inside the archive permit to put domains and Ips?
> For example:
> 121.222.33.44 REJECT
> domain.com REJECT
>
> This is my configuration:
>
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/overquota,
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_invalid_hostname,
> reject_unauth_pipelining,
> #check_client_accesshash:/etc/postfix/clientes #This is correct
>
> reject_unauth_destination,
> reject_rbl_client rbl.orbitrbl.com,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client whois.rfc-ignorant.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client zombie.dnsbl.sorbs.net,
> reject_rbl_client bl.spamcop.net,
> permit
>
> Other recommendations?
>
>
> On Mon, Apr 27, 2009 at 12:39 AM, Terry Carmen wrote:
>
>>
>> > Hi list
>> >
>> > Im with the next problem: I have and old server and Im in process to
>> migrate
>> > to a better machine, but actually Im having spam attacks in the server
>> than
>> > saturate it. For  the age of the server and because in two weeks is
>> replaced
>> > I can't install any program like spamity or similar to help to detect
>> spam
>> > attacks, but I need to understand the mail.log to deduce the Ips where
>> comes
>> > the attacks and stop it. Any people can help me what clues can help me
>> to
>> > deduce this Ips?
>>
>> There are a number of things you can do, including possibly using a better
>> (or
>> an additional) blacklist, rejecting incoming connections that have no
>> reverse
>> DNS entry, and on a more controversial, but very effective note, reject IP
>> addresses that have a "dynamic looking" reverse DNS and rejecting messages
>> that are for non-existent users.
>>
>> If you can you can post a few log entries for this spam, as well as the
>> output
>> from postconf -n, I'm sure you'll get a lot of good suggestions.
>>
>> Some well-chosen restrictions will let even a small machine handle a
>> really
>> significant volume of mail. The trick is to reject as much spam as
>> possible
>> during the initial SMTP connection.
>>
>> Terry
>>
>>
>>
>>
>>
>


It's recommended to use reject_unknown_client

2009-04-27 Thread deconya
Hi list

I'm looking at different options to configure Postfix main.cf and I see
reject_unknown_client. I don't know if it's recommended, because my Postfix
server is used by external clients and many of them use connections with dynamic
IPs. If I put this, where does it go, in smtp_recipient_restrictions or
smtp_client_restrictions?

Thanks


Re: It's recommended to use reject_unknown_client

2009-04-27 Thread deconya
Thanks Noel

I don't like this option. Too much risk.

Best Regards

On Mon, Apr 27, 2009 at 5:49 PM, Noel Jones  wrote:

> deconya wrote:
>
>> Hi list
>>
>> Im looking diferent options to configure postfix main.cf <http://main.cf>
>> and I see the reject_unknown_client. I don't know if it's recomended because
>> my postfix server is used for external clients and more uses connections
>> with dynamic IP. If I put this, where goes, in  smtp_recipient_restrictions
>> or smtp_client_restrictions?
>>
>> Thanks
>>
>
> {press the [plain text] button when posting from gmail}
>
> reject_unknown_client (with postfix < 2.3, named
> reject_unknown_client_hostname) is known to reject legit mail.  Use with
> caution.  You can try it out with:
>  warn_if_reject reject_unknown_client_hostname
> for a period of time to log clients what would be rejected, without
> actually rejecting them.
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> http://www.postfix.org/postconf.5.html#warn_if_reject
>
> It can be used under any of the smtpd_*_restrictions.  The "best" place
> depends on your other restrictions and what you intend to accomplish.  A
> "typical" usage might look something like:
> smtpd_recipient_restrictions =
>  permit_mynetworks
>  permit_sasl_authenticated
>  reject_unauth_destination
>  reject_unknown_client_hostname
>  ... other UCE rules ...
>
>
>  -- Noel Jones
>


strange problem when I create users

2011-03-04 Thread deconya
Hi guys

I'm looking at how to repair a problem on a Postfix platform with OpenLDAP
and Dovecot. This is the problem:

-When I create a new user inside OpenLDAP with a mail account, it appears
correctly inside LDAP, but when I access it the first time, the wrong account
folder appears inside /var/spool/dovecot/. The name of the uid does not appear;
the name of the user mail appears, for example:

drwx--   5 exemple Domain Users  4,0K 2011-03-04 13:28
exemple
drwx--   9 exemple Domain Users  4,0K 2011-03-04 13:29
exemple.usermail


Log filtered:

Mar  4 13:28:21 mailserver deliver(exemple): Loading modules from directory:
/usr/lib/dovecot/modules/lda
Mar  4 13:28:21 mailserver deliver(exemple): Module loaded:
/usr/lib/dovecot/modules/lda/lib10_quota_plugin.so
Mar  4 13:28:21 mailserver dovecot: auth(default): master in:
USER^I1^Iunesco^Iservice=deliver
Mar  4 13:28:21 mailserver dovecot: auth(default): prefetch(
exem...@mydomain.com): passdb didn't return userdb entries, trying the next
userdb
Mar  4 13:28:21 mailserver dovecot: auth(default): passwd(
exem...@mydomain.com): lookup
Mar  4 13:28:21 mailserver dovecot: auth(default): passwd(
exem...@mydomain.com): unknown user
Mar  4 13:28:21 mailserver dovecot: auth(default): ldap(exem...@mydomain.com):
user search: base=ou=Users, dc=ldap, dc=es scope=subtree
filter=(&(objectClass=posixAccount)(|(mail=exem...@mydomain.com)(uid=
exem...@mydomain.com)(uid=exemple)))
fields=homeDirectory,uidNumber,gidNumber,mailQuota
Mar  4 13:28:21 mailserver deliver(exemple): auth input: home=/home/exemple
Mar  4 13:28:21 mailserver deliver(exemple): auth input: uid=10017
Mar  4 13:28:21 mailserver deliver(exemple): auth input: gid=513
Mar  4 13:28:21 mailserver deliver(exemple): Home dir not found:
/home/exemple
Mar  4 13:28:21 mailserver deliver(exemple): Quota root: name=User quota
backend=maildir args=
Mar  4 13:28:21 mailserver deliver(exemple): Quota rule: root=User quota
mailbox=* bytes=52428800 messages=0
Mar  4 13:28:21 mailserver deliver(exemple): Quota rule: root=User quota
mailbox=Trash ignored
Mar  4 13:28:21 mailserver deliver(exemple): maildir:
data=/var/spool/dovecot/exemple/
Mar  4 13:28:21 mailserver deliver(exemple): maildir++:
root=/var/spool/dovecot/exemple, index=, control=,
inbox=/var/spool/dovecot/exemple
Mar  4 13:28:21 mailserver dovecot: auth(default): ldap(exem...@mydomain.com):
result: homeDirectory(home)=/home/exemple uidNumber(uid)=10017
gidNumber(gid)=513
Mar  4 13:28:21 mailserver dovecot: auth(default): master out: USER^I1^
iune...@mydomain.com^Ihome=/home/exemple^Iuid=10017^Igid=513
Mar  4 13:28:21 mailserver deliver(exemple):
msgid=<1299241700.26848.1.camel@infolinux>: saved mail to INBOX
Mar  4 13:28:21 mailserver postfix/pipe[29996]: 6191E26F95B: to=<
exem...@mydomain.com>, orig_to=,
relay=dovecot, delay=0.09, delays=0.03/0/0/0.06, dsn=2.0.0, status=sent
(delivered via dovecot service)
Mar  4 13:28:26 mailserver dovecot: auth-worker(default): pam(
exemplem...@mydomain.com,10.0.0.4): lookup service=dovecot
Mar  4 13:28:26 mailserver dovecot: auth-worker(default): pam(
exemplem...@mydomain.com,10.0.0.4): #1/1 style=1 msg=Password:
Mar  4 13:28:28 mailserver dovecot: auth-worker(default): pam(
exemplem...@mydomain.com,10.0.0.4): pam_authenticate() failed:
Authentication failure (password mismatch?)
Mar  4 13:28:28 mailserver dovecot: auth(default): ldap(
exemplem...@mydomain.com,10.0.0.4): bind search: base=ou=Users, dc=ldap,
dc=es filter=(&(objectClass=posixAccount)(|(mail=exemplem...@mydomain.com
)(uid=exemplem...@mydomain.com)))
Mar  4 13:28:28 mailserver dovecot: auth(default): auth(
exemplem...@mydomain.com,10.0.0.4): username changed
exemplem...@mydomain.com -> exemple
Mar  4 13:28:28 mailserver dovecot: auth(default): ldap(exemple,10.0.0.4):
result: homeDirectory(userdb_home)=/home/exemple uid(user)=exemple
uidNumber(userdb_uid)=10017 gidNumber(userdb_gid)=513
Mar  4 13:28:28 mailserver dovecot: auth(default): client out:
OK^I1^Iuser=exemple
Mar  4 13:28:28 mailserver dovecot: auth(default):
prefetch(exemple,10.0.0.4): success
Mar  4 13:28:28 mailserver dovecot: auth(default): master out: USER^I411619^
iunescochair.l...@mydomain.com^Ihome=/home/exemple^Iuid=10017^Igid=513
Mar  4 13:28:28 mailserver dovecot: imap-login: Login: user=,
method=PLAIN, rip=10.0.0.4, lip=10.0.0.5
Mar  4 13:28:28 mailserver dovecot: IMAP(exemplem...@mydomain.com): Loading
modules from directory: /usr/lib/dovecot/modules/imap
Mar  4 13:28:28 mailserver dovecot: IMAP(exemplem...@mydomain.com): Module
loaded: /usr/lib/dovecot/modules/imap/lib10_quota_plugin.so
Mar  4 13:28:28 mailserver dovecot: IMAP(exemplem...@mydomain.com): Module
loaded: /usr/lib/dovecot/modules/imap/lib11_imap_quota_plugin.so
Mar  4 13:28:28 mailserver dovecot: IMAP(exemplem...@mydomain.com):
Effective uid=10017, gid=513, home=/home/exemple
Mar  4 13:28:28 mailserver dovecot: IMAP(exemplem...@mydomain.com): Quota
root: name=User quota backend=maildir args=
Mar  4 13:28:28 mailserver

configuring server how multiple relayhost

2011-03-04 Thread deconya
Hi guys

I'm looking to configure a relayhost filtered by domain on my Postfix mail
server. Currently it has different subdomains, sub1.domain.com and
sub2.domain.com, and a single relayhost pointing to the
antispam server IP. I need
to configure a subdomain test.mydomain.com pointing to another relayhost.
Is it possible to do this?

my main.cf is:

myhostname = mailserver
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, test.mydomain.com, localhost
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 10.0.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relayhost = 10.0.0.20

How can I specify a different relayhost filtered by domain?

Thanks And Best Regards


Using transport_maps

2011-03-09 Thread deconya
Hi guys

I need to configure my server to relay domains to an antispam server but through
different hosts. I was looking and now I have doubts. In my configuration I'm
using two variables, relayhost and mydestination. I need to change it and I
found that I can use transport_maps, but I don't see examples to understand how it
works and whether it is the best option. Can someone help me?

I need to map subdomains of the root domain to point to different servers.


For example:

sub1.domain.com:10.0.0.10
sub2.domain.com:10.0.0.11

Thanks for your time

Best Regards


Configuring multiple relays

2011-04-04 Thread deconya
Hi guys

I'm looking at how to configure my Postfix server to relay mails to another
antispam server but filtered by domain. Currently I'm using the relayhost
variable inside main.cf, but I need to set up different gateways for every
domain. Do I understand correctly that with this main.cf and using transport maps it works fine?

My main.cf (most important part):

myhostname = postfixserver
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, sub1.mydomain.com , sub2.mydomain.com  test.mydomain.com, localhost
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 10.0.0.0/24 192.168.10.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_mailbox_base = /var/spool/dovecot/
virtual_create_mailbox_dirsize = yes
virtual_mailbox_extended = yes

virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf,
    ldap:/etc/postfix/ldap_aliases2.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap_aliases.cf,
    ldap:/etc/postfix/ldap_aliases2.cf
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf,
    ldap:/etc/postfix/ldap_aliases2.cf


mailbox_transport = dovecot
mailbox_command = /usr/lib/dovecot/deliver
dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot

recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
home_mailbox =

# MESSAGE SIZE #
message_size_limit = 2024

-

And transport

mydomain.com        relay:[10.0.0.10]
sub1.mydomain.com   relay:[10.0.0.10]
sub2.mydomain.com   relay:[10.0.0.10]
test.mydomain.com   relay:[10.0.0.11]

Do I need to configure anything else? If I send a message to
test@test.mydomain.com, is it necessary to configure anything in master.cf?

Thanks and Best Regards


problem using postfix and mailman

2011-04-07 Thread deconya
Hi list

I have different Mailman lists set up and I detected a problem while testing
access. If I use telnet from another mail server (mailserver.es) I receive
this information:

telnet mail.mydomain.com 25
Trying 84.88.68.66...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 jupiter.mydomain.com ESMTP Postfix (Ubuntu)
ehlo hola
250-jupiter.mydomain.com
250-PIPELINING
250-SIZE 2024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: 
250 2.1.0 Ok
rcpt to: 
250 2.1.5 Ok
data
354 End data with .
subject: test
test
.
250 2.0.0 Ok: queued as 078C028A502
quit
221 2.0.0 Bye
Connection closed by foreign host.

but wronglist does not exist. How is this possible? I'm using Postfix as a
relay; here is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
debug_peer_level = 1
debug_peer_list = 127.0.0.1
delay_warning_time = 1h
home_mailbox =
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
mailbox_transport = dovecot
message_size_limit = 2024
mydestination = mydomain.com, alum.mydomain.com, admi.mydomain.com,
    prof.mydomain.com, aalum.mydomain.com, test.mydomain.com,
    localhost.mydomain.com, localhost
myhostname = jupiter.mydomain.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 10.0.0.0/24
    192.168.10.0/24 193.145.56.0/24 84.88.68.64/28
myorigin = /etc/mailname
readme_directory = no
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
recipient_delimiter = +
relay_domains = lists.mydomain.com, autoreply.mydomain.com
relayhost = 10.0.0.10
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf,
    ldap:/etc/postfix/ldap_aliases2.cf
smtpd_sender_restrictions =
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/venus.crt
smtpd_tls_key_file = /etc/ssl/private/venus.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap_aliases.cf,
    ldap:/etc/postfix/ldap_aliases2.cf
virtual_mailbox_base = /var/spool/dovecot/
virtual_mailbox_maps = ldap:/etc/postfix/ldap_aliases.cf,
    ldap:/etc/postfix/ldap_aliases2.cf
virtual_transport = dovecot


Thanks


Re: problem using postfix and mailman

2011-04-07 Thread deconya
Hi

I don't understand, did I write something bad?

Thanks

2011/4/7 Daniel Bromberg 

> On 4/7/2011 4:11 AM, deconya wrote:
>
>> Hi list
>>
>> I have diferent mailman lists mounted and I detected a problem making
>> tests
>> to access, If I use telnet using other mailserver (mailserver.es) I
>> receive
>> this information:
>>
>> telnet mail.mydomain.com 25
>> Trying 84.88.68.66...
>> [SNIP]
>>
>> 354 End data with.
>> subject: test
>> test
>>
> Again the quoting problem of literal SMTP conversations embedded in a
> message that is actually its own SMTP transaction. Move the trailing '.' in
> by one space in order to not cut off your own message.
>
> -Daniel
>
>


Re: problem using postfix and mailman

2011-04-07 Thread deconya
Hi

First of all, sorry for the inconvenience, I didn't know that I was sending
mails in HTML format. I'll change it for the next mails.

For my problem I'm using this guide

https://help.ubuntu.com/community/Mailman

but I see that it uses relay_domains and I don't know if this point
is necessary. If I use $mydestination and aliases, isn't it the same?

Last question: if I use relay_recipient_maps, what format does the file
need to have? It doesn't appear (or I can't see it).

Thanks

2011/4/7 Matthias Andree 
>
> On 07.04.2011 10:11, deconya wrote:
> > Hi list
> >
> > I have diferent mailman lists mounted and I detected a problem making
> > tests to access, If I use telnet using other mailserver (mailserver.es
> > <http://mailserver.es/>) I receive this information:
> >
> > telnet mail.mydomain.com <http://mail.mydomain.com/> 25
> ...
>
> > rcpt to:  > <mailto:wrongl...@lists.mydomain.com>>
> > 250 2.1.5 Ok
> > data
> > 354 End data with .
> > subject: test
> > test
> > .
> > 250 2.0.0 Ok: queued as 078C028A502
> > quit
> > 221 2.0.0 Bye
> > Connection closed by foreign host.
> >
> > but wronglist not exist. How it's possible this? Im using postfix making
>
> > a relay, I post my postconf -n:
>
> ...
>
> > relay_domains = lists.mydomain.com <http://lists.mydomain.com>,
> > autoreply.mydomain.com <http://autoreply.mydomain.com>
>
> #1 please don't post HTML or enriched format to mailing lists
>
> #2 To solve the actual problem, you can add relay_recipient_maps with
> proper content. See http://www.postfix.org/ADDRESS_CLASS_README.html


Re: problem using postfix and mailman

2011-04-07 Thread deconya
Hi

Another doubt: if I use relay_recipient_maps, can users that have accounts
using LDAP be affected? All mails, once validated, go to the
antispam server. As Mailman needs to validate users, I don't know if
creating this variable could cause all users to be rejected.

Thanks

2011/4/7 Matthias Andree :
> On 07.04.2011 10:11, deconya wrote:
>> Hi list
>>
>> I have diferent mailman lists mounted and I detected a problem making
>> tests to access, If I use telnet using other mailserver (mailserver.es
>> <http://mailserver.es/>) I receive this information:
>>
>> telnet mail.mydomain.com <http://mail.mydomain.com/> 25
> ...
>
>> rcpt to: > <mailto:wrongl...@lists.mydomain.com>>
>> 250 2.1.5 Ok
>> data
>> 354 End data with .
>> subject: test
>> test
>> .
>> 250 2.0.0 Ok: queued as 078C028A502
>> quit
>> 221 2.0.0 Bye
>> Connection closed by foreign host.
>>
>> but wronglist not exist. How it's possible this? Im using postfix making
>
>> a relay, I post my postconf -n:
>
> ...
>
>> relay_domains = lists.mydomain.com <http://lists.mydomain.com>,
>> autoreply.mydomain.com <http://autoreply.mydomain.com>
>
> #1 please don't post HTML or enriched format to mailing lists
>
> #2 To solve the actual problem, you can add relay_recipient_maps with
> proper content. See http://www.postfix.org/ADDRESS_CLASS_README.html
>
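
The table format asked about in this thread, as an added example (not from any poster or from the Postfix or Mailman projects): relay_recipient_maps is keyed by the full recipient address, and with it in place an address in a relay domain that is missing from the table is refused at RCPT TO. The list names and the nosuchlist address are constructed, the function names are hypothetical, and the suffix set assumes Mailman 2.1's standard per-list addresses.

```python
"""Build and query a Postfix relay_recipient_maps table for Mailman 2.1 lists."""

# Per-list addresses Mailman 2.1 answers on ("" is the posting address).
MAILMAN_SUFFIXES = ("", "-admin", "-bounces", "-confirm", "-join", "-leave",
                    "-owner", "-request", "-subscribe", "-unsubscribe")

RELAY_DOMAIN = "lists.mydomain.com"      # from relay_domains in the post
SAMPLE_LISTS = ["mailman", "announce"]   # constructed list names


def build_table(list_names, domain=RELAY_DOMAIN):
    """Return every valid recipient address for the given lists, sorted."""
    return sorted("%s%s@%s" % (name.lower(), suffix, domain)
                  for name in list_names for suffix in MAILMAN_SUFFIXES)


def render(addresses):
    """Text form for `postmap`: one address per line. The right-hand value is
    required by the table format but ignored by Postfix."""
    return "".join("%s\tOK\n" % address for address in addresses)


def accepted(recipient, table, delimiter="+"):
    """Simplified model of the lookup Postfix does before answering RCPT TO:
    the full address, the address without its +extension, then @domain."""
    local, _, domain = recipient.lower().rpartition("@")
    keys = [local + "@" + domain]
    cut = local.find(delimiter) if delimiter else -1
    if cut > 0:  # recipient_delimiter = + in the posted main.cf
        keys.append(local[:cut] + "@" + domain)
    keys.append("@" + domain)
    return any(key in table for key in keys)


if __name__ == "__main__":
    table = build_table(SAMPLE_LISTS)
    print(render(table), end="")
    for rcpt in ("announce@lists.mydomain.com",
                 "announce-bounces+jane=example.org@lists.mydomain.com",
                 "nosuchlist@lists.mydomain.com"):
        print(rcpt, "->", "accept" if accepted(rcpt, table) else "reject")
```

Listing the bare `@lists.mydomain.com` wildcard as a key turns the check off again, because every address in the domain then matches.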


how to configure gnarwl with openldap

2011-05-05 Thread deconya
Hi

I need to configure gnarwl as an autoresponder [1], and I'm using Postfix
2.2 + OpenLDAP + Dovecot. I need to configure aliases so that when I
receive mail for user1@mydomain it is forwarded to user1@autoreply.mydomain.
This step I don't know how to do. I'm looking at aliases, but inside OpenLDAP
I can only make an alias for cn, and I need it to apply only to mail.
Is it possible to configure this inside aliases.db? And with what format?

[1]http://www.onyxbits.de/gnarwl

Thanks


problem configuring authentication sending mails

2013-02-06 Thread deconya
Hi list

I'm working on a Postfix + OpenLDAP + Dovecot platform, and now I'm checking
how to activate authentication for sending mail using Dovecot. Until now it
was only a relay and now I need it to be a complete server.

my main.cf is:

# TLS parameters
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/mycert.pem
smtpd_tls_cert_file = /etc/ssl/mycert.crt
smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

#SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

broken_sasl_auth_clients = yes
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s 
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks 
   reject_unauth_destination
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd

relayhost = [smtp.server.com]:25

Does somebody have experience configuring Dovecot as LDA to send mail using
OpenLDAP? I was checking Google for howtos but I'm confused about the
parameters.

Any idea?

Thanks & Best Regards




Re: problem configuring authentication sending mails

2013-02-06 Thread deconya
Hi

The problem is that the logs do not mark mail as authenticated, but user
and password are required to send.

Thanks

-Original message-
From: deconya 
To: Postfix users 
Subject: problem configuring authentication sending mails
Date: Wed, 06 Feb 2013 16:38:42 +0100

HI list

Im working in a Postfix+openldap+dovecot platform, and now Im checking
how to activate autentication sending mails using dovecot. All this time
only was a relay and now I need to the a complete server. 

my main.cf is:

# TLS parameters
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/private/mycert.pem
smtpd_tls_cert_file = /etc/ssl/mycert.crt
smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

#SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

broken_sasl_auth_clients = yes
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s 
smtpd_recipient_restrictions = 
   permit_sasl_authenticated, 
   permit_mynetworks 
   reject_unauth_destination
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd

relayhost = [smtp.server.com]:25

Somebody has experience to config dovecot how LDA to send mails using
openldap? I was checking in google for howtos but are confused about
parameters

Any idea?

Thanks & Best Regards




questions about functions in postfix

2013-02-07 Thread deconya
Hi list

I'm looking to activate a smarthost in my Postfix, and for this I need to
use the function smtp_sasl_password_maps. I have an old server, 2.5.5,
and I'm not sure if it was supported in this old version. Where can I see
the changelogs to confirm this?

Thanks


Re: questions about functions in postfix

2013-02-07 Thread deconya
ilter = \t\40!"#$%&'()*
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\
\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = no
smtpd_helo_restrictions = 
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_milters = 
smtpd_noop_commands = 
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter = 
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks = 
smtpd_sasl_local_domain = 
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
smtpd_sender_restrictions = 
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
smtpd_tls_CApath = 
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/ssl/mydomain.crt
smtpd_tls_dcert_file = 
smtpd_tls_dh1024_param_file = 
smtpd_tls_dh512_param_file = 
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers = 
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = 
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = 
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = yes

Any idea to not accept password_maps?

Thanks

-Original message-
From: Ralf Hildebrandt 
To: postfix-users@postfix.org
Subject: Re: questions about functions in postfix
Date: Thu, 7 Feb 2013 16:32:37 +0100


* deconya :
> Hi list
> 
> Im looking to activate a smarthost in my postfix, and for this I need to
> use the function smtp_sasl_password_maps. I have and old server 2.5.5
> and Im not sure if was supported in this old version. Where can I see
> the changelogs to confirm this?

postconf smtp_sasl_password_maps

is displaying what?


Re: questions about functions in postfix

2013-02-07 Thread deconya
Hi

Thanks for your help Viktor, I comment inline:

On 07/02/13 19:15, Viktor Dukhovni wrote:
> On Thu, Feb 07, 2013 at 06:22:40PM +0100, deconya wrote:
>
>> smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
>>
>> relayhost = [smtp.puc.rediris.es]:25
> Don't append :25 set:
>
>   relayhost = [smtp.puc.rediris.es]
Ok
>> smtp_sasl_auth_enable = no
> You've disabled SASL.
In main.cf it appears as

smtpd_sasl_auth_enable = yes, why can it appear as no?
>> smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
> In this table the lookup key should be the verbatim setting of
> relayhost:
>
>   [smtp.puc.rediris.es]   user:pass
>
>> smtp_sasl_security_options = noplaintext, noanonymous
>> smtp_sasl_tls_security_options = $smtp_sasl_security_options
>> smtp_sasl_tls_verified_security_options =
Another strange rule, I have

smtpd_sasl_security_options = noanonymous

> You only enable plaintext mechanisms (e.g. passwords) with verified
> TLS. Are you able to verify the relay's TLS certificate?

>> smtp_sasl_type = cyrus
>> smtp_sender_dependent_authentication = yes
> With this, the password table lookup key is the sender address. Is
> that what you're using?
No, there is a special user and password inside relay_passwd
>> smtp_tls_CAfile = 
>> smtp_tls_CApath = 
> How do you expect to verify the peer certificate? And without
> verification, how do you expect to authenticate?
Are these rules misspelled? I have this in main.cf

smtpd_tls_key_file = /etc/ssl/private/server_key.pem
smtpd_tls_cert_file = /etc/ssl/server.crt
smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
>> smtp_tls_enforce_peername = yes
>> smtp_use_tls = no
>> smtp_tls_security_level = 
> The first two settings are obsolete. Set "smtp_tls_security_level = secure"
> or at least "may" (and then enforce TLS for the relay via the policy table).
>
>> smtp_tls_loglevel = 0
I have

smtpd_tls_loglevel = 2

Why is it not active? I don't understand why main.cf is having these
problems. More rules are not active because they are with smtpd, is this normal?

Thanks for your time

Best Regards
> If you're using TLS, the recommended level is 1.
>
>> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> The session cache database should be in ${data_directory}.
>
> The "smtp_sasl_password_maps" parameter was introduced in snapshot-2316,
> (prior to Postfix 1.0), while "smtp_sender_dependent_authentication"
> was introduced in postfix-2.3-20051125 (which later evolved into Postfix 
> 2.3).
>



Re: questions about functions in postfix

2013-02-07 Thread deconya
Hi

Well, thanks for advising me about the difference. But how can I change it?

I understand that all my rules are misspelled and I need to correct all
of them with smtp_ ?

Thanks for your time and patience :-)

On 07/02/13 23:03, Viktor Dukhovni wrote:
> On Thu, Feb 07, 2013 at 09:34:00PM +0100, deconya wrote:
>
>>>> smtp_sasl_auth_enable = no
>>> You've disabled SASL.
>> In main.cf appears
>>
>> smtpd_sasl_auth_enable = yes, why can appear no?
> You're not paying attention:
>
>   "smtpd" != "smtp"
>
>>>> smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
>>> In this table the lookup key should be the verbatim setting of
>>> relayhost:
>>>
>>> [smtp.puc.rediris.es]   user:pass
>>>
>>>> smtp_sasl_security_options = noplaintext, noanonymous
>>>> smtp_sasl_tls_security_options = $smtp_sasl_security_options
>>>> smtp_sasl_tls_verified_security_options =
>> Other strange rule, I have
>>
>> smtpd_sasl_security_options = noanonymous
> You're still not paying attention:
>
>   "smtpd" != "smtp"
>
>>>> smtp_tls_CAfile = 
>>>> smtp_tls_CApath = 
>>> How do you expect to verify the peer certificate? And without
>>> verification, how do you expect to authenticate?
>> This rules are misspelled? I have this in main.cf
>>
>> smtpd_tls_key_file = /etc/ssl/private/server_key.pem
>> smtpd_tls_cert_file = /etc/ssl/server.crt
>> smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
> That attention thing is a real problem...
>
>>>> smtp_tls_enforce_peername = yes
>>>> smtp_use_tls = no
>>>> smtp_tls_security_level = 
>>> The first two settings are obsolete. Set "smtp_tls_security_level = secure"
>>> or at least "may" (and then enforce TLS for the relay via the policy table).
>>>
>>>> smtp_tls_loglevel = 0
>> I have
>>
>> smtpd_tls_loglevel = 2
> Broken record...
>



Re: questions about functions in postfix

2013-02-08 Thread deconya
Hi Viktor

Thanks for everything. Now I have another problem, how to configure the CA
file in Postfix using Comodo certificates, but that is another thread :-)

Thanks

-Original message-
From: Viktor Dukhovni 
Reply-to: postfix-users@postfix.org
To: postfix-users@postfix.org
Subject: Re: questions about functions in postfix
Date: Fri, 8 Feb 2013 02:29:43 +


On Thu, Feb 07, 2013 at 11:08:11PM +0100, deconya wrote:

> Well, thanks to advice me about the diference. But how I can change it?

When configuring the Postfix SMTP client set the parameters documented
to work with smtp(8) and not those documented to work with smtpd(8).

Don't confuse the two sets of parameters. When sending mail via a relay
host none of the "smtpd_..." parameters apply, they are relevant only
when receiving mail.
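
A check for the client-side settings these replies walk through, as an added example (not Postfix code and not written by anyone in the thread): it reads postconf-style text and reports why the SMTP client would fail to authenticate to the relay. The sample input reuses values quoted in the thread; the finding codes, the function names and the list of password-table keys are assumptions of this sketch.

```python
"""Lint the client-side (smtp_*) settings of a Postfix smarthost setup."""
import re

# Sample: smtp_* values quoted in the thread plus two smtpd_* lines from the
# poster's main.cf. SAMPLE_KEYS (left-hand sides of relay_passwd) is constructed.
SAMPLE = """\
relayhost = [smtp.puc.rediris.es]:25
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options =
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_security_level =
smtp_use_tls = no
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/ssl/TERENASSL_PATH.pem
"""
SAMPLE_KEYS = ["[smtp.puc.rediris.es]"]

# Postfix built-in defaults for the three SASL option lists.
DEFAULTS = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
    "smtp_sasl_tls_verified_security_options": "$smtp_sasl_tls_security_options",
}
VERIFYING_LEVELS = ("verify", "secure")


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params


def value_of(params, name, depth=0):
    """Return a parameter value with $name / ${name} references expanded."""
    raw = params.get(name, DEFAULTS.get(name, ""))
    if depth > 8:  # guard against reference loops
        return raw
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: value_of(params, m.group(1), depth + 1), raw)


def check_smarthost(params, password_keys):
    """Return (code, message) findings for authenticating to the relayhost."""
    def get(name):
        return value_of(params, name)

    relayhost, level, found = get("relayhost"), get("smtp_tls_security_level"), []
    if not relayhost:
        return [("no-relayhost", "relayhost is empty")]
    if get("smtp_sasl_auth_enable") != "yes":
        hint = ("; smtpd_sasl_auth_enable only covers receiving mail"
                if get("smtpd_sasl_auth_enable") == "yes" else "")
        found.append(("sasl-disabled", "smtp_sasl_auth_enable is not yes" + hint))
    if get("smtp_sender_dependent_authentication") == "yes":
        found.append(("sender-keyed", "lookups try the sender address first"))
    if relayhost not in password_keys:
        found.append(("key-mismatch", "no entry keyed exactly %r" % relayhost))
    if not level:
        found.append(("tls-level-unset", "smtp_tls_security_level is empty"))
    # Passwords permitted only once the server certificate has been verified?
    verified_only = (
        "noplaintext" not in get("smtp_sasl_tls_verified_security_options")
        and "noplaintext" in get("smtp_sasl_tls_security_options"))
    if verified_only and level not in VERIFYING_LEVELS:
        found.append(("plaintext-needs-verified-tls",
                      "plaintext mechanisms are allowed only over verified TLS"))
    if (verified_only or level in VERIFYING_LEVELS) and not (
            get("smtp_tls_CAfile") or get("smtp_tls_CApath")):
        hint = ("; smtpd_tls_CAfile is not read by the client"
                if get("smtpd_tls_CAfile") else "")
        found.append(("no-trust-anchors",
                      "smtp_tls_CAfile and smtp_tls_CApath are empty" + hint))
    return found


def codes(text, password_keys):
    """Finding codes only, for quick comparison of two configurations."""
    return [c for c, _ in check_smarthost(parse_postconf(text), password_keys)]


if __name__ == "__main__":
    for code, message in check_smarthost(parse_postconf(SAMPLE), SAMPLE_KEYS):
        print("%-30s %s" % (code, message))
```

Feed it the output of `postconf` rather than main.cf alone, so that defaults the file never mentions are checked as well.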


problem with certificate server

2013-02-08 Thread deconya
Hi list

Right now I'm configuring the TLS function in my Postfix 2.5.5 and I'm having
a new problem.

At first it said untrusted issuer because it did not detect the
certificates. Now the message every time you send is

status=deferred (Server certificate not verified)

I was configuring using a howto that says to do

-
mkdir /var/spool/postfix/certs

cp -R /etc/ssl/certs/* /var/spool/postfix/certs
mkdir -p /var/spool/postfix/usr/share/ca-certificates
cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates


Then, in main.cf, change the smtp_tls_security_level line and add an
smtp_tls_CApath line as follows: 


smtp_tls_security_level=verify
smtp_tls_CApath=/certs

-

And now the postconf for help:

default_transport = smtp
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
non_smtpd_milters = 
parent_domain_matches_subdomains = 
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
relayhost = smtp.puc.mysmarthost.es
smtp_always_send_ehlo = yes
smtp_bind_address = 
smtp_bind_address6 = 
smtp_body_checks = 
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations = 
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_failed_cohort_limit = 
$default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = 
$default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = 
$default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps = 
smtp_discard_ehlo_keywords = 
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps = 
smtp_header_checks = 
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mime_header_checks = 
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks = 
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps = 
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name = 
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter = 
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_path = 
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile = 
smtp_tls_CApath = /certs
smtp_tls_cert_file = 
smtp_tls_dcert_file = 
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers = 
smtp_tls_fingerprint_cert_match = 
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = 
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = 
smtp_tls_policy_maps = 
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = verify
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts = 
smtpd_authorized_xforward_hosts = 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = 
${smtpd_client_connection_limit

error using certificate server

2013-02-08 Thread deconya


Hi list

Right now I'm configuring the TLS function in my Postfix 2.5.5 and I'm having
a new problem.

At first it said untrusted issuer because it did not detect the certificates.
Now the message every time you send is

status=deferred (Server certificate not verified)

I was configuring using a howto that says to do

-
mkdir /var/spool/postfix/certs
cp -R /etc/ssl/certs/* /var/spool/postfix/certs
mkdir -p /var/spool/postfix/usr/share/ca-certificates
cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates

Then, in main.cf, change the smtp_tls_security_level line and add an 
smtp_tls_CApath line as follows: 

smtp_tls_security_level=verify
smtp_tls_CApath=/certs

-

And now the postconf for help:

default_transport = smtp
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
non_smtpd_milters = 
parent_domain_matches_subdomains = 
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
relayhost = smtp.puc.mysmarthost.es
smtp_always_send_ehlo = yes
smtp_bind_address = 
smtp_bind_address6 = 
smtp_body_checks = 
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations = 
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_failed_cohort_limit = 
$default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = 
$default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = 
$default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps = 
smtp_discard_ehlo_keywords = 
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps = 
smtp_header_checks = 
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mime_header_checks = 
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks = 
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps = 
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name = 
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter = 
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_path = 
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile = 
smtp_tls_CApath = /certs
smtp_tls_cert_file = 
smtp_tls_dcert_file = 
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers = 
smtp_tls_fingerprint_cert_match = 
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = 
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = 
smtp_tls_policy_maps = 
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = verify
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts = 
smtpd_authorized_xforward_hosts = 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = 
${smtpd_client_connection_lim

problem with certificate server

2013-02-08 Thread deconya
Hi list

Right now I'm configuring the TLS function in my Postfix 2.5.5 and I'm having
a new problem.

At first it said untrusted issuer because it did not detect the
certificates. Now the message every time you send is

status=deferred (Server certificate not verified)

I was configuring using a howto that says to do

-
mkdir /var/spool/postfix/certs

cp -R /etc/ssl/certs/* /var/spool/postfix/certs
mkdir -p /var/spool/postfix/usr/share/ca-certificates
cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates


Then, in main.cf, change the smtp_tls_security_level line and add an
smtp_tls_CApath line as follows: 


smtp_tls_security_level=verify
smtp_tls_CApath=/certs

-

And now the postconf for help:

default_transport = smtp
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
non_smtpd_milters = 
parent_domain_matches_subdomains = 
debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
relayhost = smtp.puc.mysmarthost.es
smtp_always_send_ehlo = yes
smtp_bind_address = 
smtp_bind_address6 = 
smtp_body_checks = 
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations = 
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_failed_cohort_limit = 
$default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = 
$default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = 
$default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps = 
smtp_discard_ehlo_keywords = 
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps = 
smtp_header_checks = 
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mime_header_checks = 
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks = 
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps = 
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name = 
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter = 
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_path = 
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile = 
smtp_tls_CApath = /certs
smtp_tls_cert_file = 
smtp_tls_dcert_file = 
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers = 
smtp_tls_fingerprint_cert_match = 
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = 
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site = 
smtp_tls_policy_maps = 
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = verify
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts = 
smtpd_authorized_xforward_hosts = 
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = 
${smtpd_client_connection_limit

Re: error using certificate server

2013-02-08 Thread deconya
Hi 

Apologies for triplicating the mail; my mail client blocked and, by
error, sent the mail two times. The third was using webmail.

If I use smtp_tls_security_level=may the smarthost will not accept mails,
because it needs to use authentication using TLS inside relay_passwd.

In main.cf I have not configured smtpd_tls_CAfile; this is the default
option. Do I need to change it?

Any idea how to correct the verification problem?

Thanks

-Original message-
From: Reindl Harald 
To: postfix-users@postfix.org
Subject: Re: error using certificate server
Date: Fri, 08 Feb 2013 20:13:07 +0100



On 08.02.2013 20:07, deco...@riseup.net wrote:
> Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm having a 
> new problem.
> First it said untrusted issuer because it did not detect the certificates.

how often and with how many subjects will you
start the thread again?

> Please, it is critical to solve this problem, all messages are being deferred!!!
> smtp_tls_security_level=verify

so why do you not change it to "may" instead of "verify" in the first place?

> smtp_tls_CApath=/certs

and what is there?

smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

works fine on redhat systems

[root@mail:~]$ stat /etc/pki/tls/certs/ca-bundle.crt
  Datei: „/etc/pki/tls/certs/ca-bundle.crt“
  Größe: 711830 Blöcke: 1392   EA Block: 4096   reguläre Datei
Gerät: 811h/2065d   Inode: 82289   Verknüpfungen: 1
Zugriff: (0644/-rw-r--r--)  Uid: (0/root)   Gid: (0/root)
Zugriff: 2013-01-04 19:08:55.0 +0100
Modifiziert: 2013-01-04 19:08:55.0 +0100
Geändert   : 2013-01-06 20:21:48.027334833 +0100
 Geburt: -



Re: error using certificate server

2013-02-08 Thread deconya
Hi

-Original message-
From: Reindl Harald 
To: postfix-users@postfix.org
Subject: Re: error using certificate server
Date: Fri, 08 Feb 2013 20:34:47 +0100



On 08.02.2013 20:22, deconya wrote:
> Hi
> 
> Apologies for triplicating the mail; my mail client blocked and, by error, 
> sent the mail two times. The third
> was using webmail.
> 
> If I use smtp_tls_security_level=may the smarthost will not accept mails, 
> because it needs to use authentication using
> TLS inside relay_passwd.
> 
> In main.cf I have not configured smtpd_tls_CAfile; this is the default option. Do I need 
> to change it?

  smtp_tls_CApath=/certs
  you copied random stuff there and nobody knows your environment

I am using postfix 2.5.5 on Ubuntu server. I discovered in a howto that to 
activate certificates this was one of the parameters to activate in main.cf, because 
by default postfix does not recognize certificates. 


i do not know your OS, as said on Fedora/Redhat
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
i have no "smtp_tls_CApath" in use

I have not defined this parameter in main.cf; it is included by default

however, i posted the wrong one
smtp_ is relevant for you, not smtpd
but however, the bundle is fine for both

smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CAfile  = /etc/pki/tls/certs/ca-bundle.crt

> cp -R /etc/ssl/certs/* /var/spool/postfix/certs
> cp -R /usr/share/ca-certificates /var/spool/postfix/usr/share/ca-certificates
what is in these folders?
what is it supposed to do?
why do you copy stuff around?
how do you imagine updating this stuff?

This was the howto explaining how to move all certificates to the postfix folder. 

And now, why can the error "Server certificate not verified" appear?

Thanks
> -Original message-
> *From*: Reindl Harald
> *To*: postfix-users@postfix.org
> *Subject*: Re: error using certificate server
> *Date*: Fri, 08 Feb 2013 20:13:07 +0100
> 
> 
> On 08.02.2013 20:07, deco...@riseup.net wrote:
>> Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm having a 
>> new problem.
>> First it said untrusted issuer because it did not detect the certificates.
> 
> how often and with how many subjects will you
> start the thread again?
> 
>> Please, it is critical to solve this problem, all messages are being deferred!!!
>> smtp_tls_security_level=verify
> 
> so why do you not change it to "may" instead of "verify" in the first place?
> 
>> smtp_tls_CApath=/certs
> 
> and what is there?
> 
> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> 
> works fine on redhat systems
> 
> [root@mail:~]$ stat /etc/pki/tls/certs/ca-bundle.crt
>   Datei: „/etc/pki/tls/certs/ca-bundle.crt“
>   Größe: 711830 Blöcke: 1392   EA Block: 4096   reguläre Datei
> Gerät: 811h/2065d   Inode: 82289   Verknüpfungen: 1
> Zugriff: (0644/-rw-r--r--)  Uid: (0/root)   Gid: (0/root)
> Zugriff: 2013-01-04 19:08:55.0 +0100
> Modifiziert: 2013-01-04 19:08:55.0 +0100
> Geändert   : 2013-01-06 20:21:48.027334833 +0100
>  Geburt: -
> 



Re: error using certificate server

2013-02-10 Thread deconya
Hi

Picking this thread up again: I'm configuring the CA certificates to
validate the smarthost used to filter spam. Right now the connection works,
but this message appears:

status=deferred (Server certificate not verified)

I was looking at all the information about it in howtos, and it seems that
the problem is when my server exchanges credentials with the smarthost. It
seems that it does not recognize the CA certificates from the destination,
and I have two questions

-What file is smtp_tls_CApath=/certs looking for, all of them? (I'm
referring to the name of the file.) Does it need to use a special name? For
now, on your recommendation and using the postfix howto, I changed this to

smtp_tls_CApath = /var/spool/postfix/certs
smtpd_tls_CApath = /var/spool/postfix/certs

And now I don't know if I need to do something more to accept the connection
when it sends to this smarthost. Ideas?

Best Regards

On 08/02/13 20:07, deco...@riseup.net wrote:
>
> Hi list
>
> Right now I'm configuring the TLS function in my postfix 2.5.5 and I'm
> having a new problem.
>
> First it said untrusted issuer because it did not detect the
> certificates. Right now the message every time you send is
>
> status=deferred (Server certificate not verified)
>
> I was configuring using a howto that says to do
>
> -
> mkdir /var/spool/postfix/certs
> cp -R /etc/ssl/certs/* /var/spool/postfix/certs
> mkdir -p /var/spool/postfix/usr/share/ca-certificates
> cp -R /usr/share/ca-certificates
> /var/spool/postfix/usr/share/ca-certificates
>
> Then, in main.cf, change the smtp_tls_security_level line and add an
> smtp_tls_CApath line as follows:
>
> smtp_tls_security_level=verify
> smtp_tls_CApath=/certs
>
> -
>
> And now the postconf for help:
>
> default_transport = smtp
> lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> non_smtpd_milters =
> parent_domain_matches_subdomains =
> debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
> proxy_read_maps = $local_recipient_maps $mydestination
> $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
> $virtual_mailbox_domains $relay_recipient_maps $relay_domains
> $canonical_maps $sender_canonical_maps $recipient_canonical_maps
> $relocated_maps $transport_maps $mynetworks $sender_bcc_maps
> $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
> relayhost = smtp.puc.mysmarthost.es
> smtp_always_send_ehlo = yes
> smtp_bind_address =
> smtp_bind_address6 =
> smtp_body_checks =
> smtp_cname_overrides_servername = no
> smtp_connect_timeout = 30s
> smtp_connection_cache_destinations =
> smtp_connection_cache_on_demand = yes
> smtp_connection_cache_time_limit = 2s
> smtp_connection_reuse_time_limit = 300s
> smtp_data_done_timeout = 600s
> smtp_data_init_timeout = 120s
> smtp_data_xfer_timeout = 180s
> smtp_defer_if_no_mx_address_found = no
> smtp_destination_concurrency_failed_cohort_limit =
> $default_destination_concurrency_failed_cohort_limit
> smtp_destination_concurrency_limit =
> $default_destination_concurrency_limit
> smtp_destination_concurrency_negative_feedback =
> $default_destination_concurrency_negative_feedback
> smtp_destination_concurrency_positive_feedback =
> $default_destination_concurrency_positive_feedback
> smtp_destination_rate_delay = $default_destination_rate_delay
> smtp_destination_recipient_limit = $default_destination_recipient_limit
> smtp_discard_ehlo_keyword_address_maps =
> smtp_discard_ehlo_keywords =
> smtp_enforce_tls = no
> smtp_fallback_relay = $fallback_relay
> smtp_generic_maps =
> smtp_header_checks =
> smtp_helo_name = $myhostname
> smtp_helo_timeout = 300s
> smtp_host_lookup = dns
> smtp_initial_destination_concurrency = $initial_destination_concurrency
> smtp_line_length_limit = 990
> smtp_mail_timeout = 300s
> smtp_mime_header_checks =
> smtp_mx_address_limit = 5
> smtp_mx_session_limit = 2
> smtp_nested_header_checks =
> smtp_never_send_ehlo = no
> smtp_pix_workaround_delay_time = 10s
> smtp_pix_workaround_maps =
> smtp_pix_workaround_threshold_time = 500s
> smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> smtp_quit_timeout = 300s
> smtp_quote_rfc821_envelope = yes
> smtp_randomize_addresses = yes
> smtp_rcpt_timeout = 300s
> smtp_rset_timeout = 20s
> smtp_sasl_auth_cache_name =
> smtp_sasl_auth_cache_time = 90d
> smtp_sasl_auth_enable = no
> smtp_sasl_auth_soft_bounce = yes
> smtp_sasl_mechanism_filter =
> smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
> smtp_sasl_path =
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = $smtp_sasl_security_options
> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
> smtp_sasl_type = cyrus
> smtp_send_xforward_command = no
> smtp_sender_dependent_authentication = no
> smtp_skip_5xx_greeting = yes
> smtp_skip_quit_response = yes
> smtp_starttls_timeout = 300s
> smtp_tls_CAfile =
> smtp_tls_CApath = /certs
> smtp_tls_cert_file =
> smtp_tls

Re: error using certificate server

2013-02-11 Thread deconya
is maddening :-(

Best Regards

On 10/02/13 18:59, Viktor Dukhovni wrote:
> On Sun, Feb 10, 2013 at 01:46:59PM +0100, deconya wrote:
>
>> status=deferred (Server certificate not verified)
>>
>> I was looking at all the information about it in howtos, and it seems that
>> the problem is when my server exchanges credentials with the smarthost. It
>> seems that it does not recognize the CA certificates from the destination,
>> and I have two questions
>>
>> -What file is smtp_tls_CApath=/certs looking for, all of them? (I'm
>> referring to the name of the file.) Does it need to use a special name? For
>> now, on your recommendation and using the postfix howto, I changed this to
> Configuring CApath is a lot more complicated than setting up a CAfile.
> When you have exactly one root CA to verify (the one used by the ISP's
> relay) there is little benefit in managing a "herd" (choose your
> favourite collective noun) of certificates via CApath.
>
>> smtp_tls_CApath = /var/spool/postfix/certs
>> smtpd_tls_CApath = /var/spool/postfix/certs
> Instead:
>
> /etc/postfix/main.cf:
>   # Empty
>   smtpd_tls_CApath =
>   smtpd_tls_CAfile =
>   smtp_tls_CApath =
>
>   # Copy PEM format root CA cert into this file
>   smtp_tls_CAfile = ${config_directory}/smtp_CAfile
>
> /etc/postfix/smtp_CAfile:
>   -----BEGIN CERTIFICATE-----
>   ...
>   -----END CERTIFICATE-----
>
> Obtain the root CA certificate for the relay's smtp server in PEM
> format (base64-encoded text between -----BEGIN, -----END line pairs)
> from a trusted source and copy it into the CA file. Verify that
> the file is well-formed by running:
>
>   openssl x509 -in /etc/postfix/smtp_CAfile -noout \
>   -subject -issuer -dates -sha1 -fingerprint
>
> This must produce no errors and report the DN of the expected root
> CA as both subject and issuer. The certificate must not be expired,
> and typically is valid for 10-20 years. You can usually "google"
> the sha1 fingerprint to find various online copies of the same CA
> certificate. 
>
> You can store multiple trusted roots in a single CAfile, just
> concatenate individual files with PEM format trusted root CA certs.
>



Re: error using certificate server

2013-02-12 Thread deconya
Hi Viktor

I understand that only smtp_tls_security_level is needed? Or are the
two options not needed?

In main.cf I have:

#TLS SMTPD PARAMETERS
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem
smtpd_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
smtpd_tls_cert_file = /etc/ssl/mydomain.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
#smtpd_tls_security_level = verify

smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/TERENASSL_PATH.pem
smtp_tls_security_level = verify
smtp_tls_key_file = /etc/ssl/private/jupiter_mydomain.pem
smtp_tls_cert_file = /etc/ssl/mydomain.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtp_tls_note_starttls_offer = yes


#SASL
relayhost = smtp.myrelayhost
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtp_sasl_security_options = noanonymous
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

broken_sasl_auth_clients = yes
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_aliases.cf
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination

tls_random_source = dev:/dev/urandom

smtpd_delay_reject = yes

What can I do to accept the connection to myrelayhost?

Best Regards


-Original message-
From: Viktor Dukhovni 
Reply-to: postfix-users@postfix.org
To: postfix-users@postfix.org
Subject: Re: error using certificate server
Date: Tue, 12 Feb 2013 07:01:24 +


On Tue, Feb 12, 2013 at 01:36:15AM +0100, deconya wrote:

> Thanks for your answers
> 
> I continue with the problem and I don't know where I can check more.
> Right now the situation is
> 
> -Sent mails are deferred
> 
> -In the logs appears:
> 
> Feb 12 01:20:50 mailserver postfix/smtpd[16653]: warning:
> smtpd_tls_security_level: unsupported TLS level "verify", using "encrypt"
> Feb 12 01:20:50 mailserver postfix/smtpd[16653]: initializing the
> server-side TLS engine

I give up, you still can't pay attention long enough to distinguish
"smtp_tls_security_level" from "smtpd_tls_security_level". Good luck,
over and out.

--
Viktor.
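
The mix-up this exchange ends on (the log warning that smtpd_tls_security_level does not support "verify") can be caught before Postfix is reloaded. The following is an added example, not code from any poster or from the Postfix project: a small main.cf checker for the smtp_ (client) versus smtpd_ (server) settings discussed in this thread. The function names and the sample configuration are constructed for illustration.

```python
# Added example: checker for the smtp_/smtpd_ mix-ups discussed in this thread.
SERVER_LEVELS = {"none", "may", "encrypt"}   # values smtpd_tls_security_level accepts
NEEDS_TRUST_ANCHOR = {"verify", "secure"}    # client levels that validate the CA chain

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}; a later definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank and comment lines are ignored
        if raw[0] in " \t" and current:       # leading whitespace continues a value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def lint(params):
    """Return a list of (parameter, message) findings."""
    findings = []
    server = params.get("smtpd_tls_security_level")
    if server and server not in SERVER_LEVELS:
        findings.append(("smtpd_tls_security_level",
                         f'"{server}" is a client-only level; checking the relay\'s '
                         "certificate is configured with smtp_tls_security_level"))
    client = params.get("smtp_tls_security_level", "")
    if client in NEEDS_TRUST_ANCHOR and not (
            params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        findings.append(("smtp_tls_security_level",
                         f'"{client}" needs smtp_tls_CAfile or smtp_tls_CApath'))
    if params.get("smtp_sasl_password_maps") and \
            params.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append(("smtp_sasl_password_maps",
                         "ignored unless smtp_sasl_auth_enable = yes "
                         "(smtpd_sasl_auth_enable only covers incoming clients)"))
    return findings

# Constructed sample, modelled on the settings and log line quoted in the thread.
SAMPLE = """\
# constructed main.cf fragment
smtpd_tls_security_level = verify
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/postfix/smtp_CAfile
relayhost = smtp.myrelayhost
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for name, message in lint(parse_main_cf(SAMPLE)):
        print(f"{name}: {message}")
```
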


configuring relay server

2013-02-17 Thread deconya
Hi list

I'm in the second part of my adventures configuring postfix servers :-).

This time my idea is to set up a frontend relay server that only receives
mail and relays it to the backend data server. I discovered the filter
$relayhost variable (to send mail), but for incoming mail I don't know
how to relay mail (it is filtered, all is valid mail) to the backend server
using its IP. I discovered $transport_maps

http://www.postfix.org/STANDARD_CONFIGURATION_README.html

but I only need to relay any mail to another IP; how can I do this? Or
does only this option exist to configure this?

And last question: does $relayhost affect incoming mail?

Any other suggestions to do a better relay? Cache?

Best Regards