Re: Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread techlist06
First time I've tried the inline map type.  And, I think the spaces may have
been what was hosing my earlier attempts.  Appreciate the pointer very much. 
Will give this a go.

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread techlist06
Just what I was hoping for, the easy button.  Thank you.

What about the one (valid) sender I want to prevent?  I've got an IMAP
account set up for spam reporting; I want to be sure no one who has access to
it sends anything from that account.


Restrict outgoing/submission to defined local or virtual users

2017-09-05 Thread techlist06
Postfix 3.2.2, CentOS 7.  All functioning as configured.  I have a few local 
accounts, several virtual addresses delivered to those accounts, and some 
domains relayed; the latter do not submit mail through this box.

All local accounts send via TLS authentication on 587.  Currently I don't think 
I have any restrictions on what an outbound address can be.  I do have some 
aliases so I do not want to restrict to logon names only.  

Is it possible to restrict outgoing mail to be from one of my "valid" local or 
virtual aliases?  And I want to restrict outbound from one address in 
particular.

I looked here:
http://www.postfix.org/RESTRICTION_CLASS_README.html
but if the answer is there I'd be grateful for some more help, I didn't get it.
On or off-list.

Right now my submission section of master.cf is below.  I tried adding 
something here as -o smtpd_sender_restrictions but didn't get that right.

submission inet n       -       n       -       -       smtpd
## subsequent indented lines override main.cf settings.
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o syslog_name=postfix-submission
  -o milter_macro_daemon_name=ORIGINATING

Happy to provide all the configs if needed.

Re: Deciphering maillog transaction that resulted in reply to spammer

2017-07-30 Thread techlist06
Instead of trying to decipher one with a problem, can someone check my layman's
descriptions of this single good message flow for me?  I've tried to do my
homework and get them right.  I think I have it, but would be grateful for
confirmation.

I have commented the steps of the full message flow with my descriptions of
what I understand is happening with that logged step.  I did not parse it
with the collate script but it is from my quiet server, nothing else
happening on it to muddy the waters.

I have after-queue content filtering set up, using amavisd-new.  I have a
pre-cleanup and a regular cleanup service.  The steps I'm a little shaky on
I have prefixed with "???" in the comments.  

Just looking for some help understanding the log entries in this one message
flow, so I can better help myself on problems. 

(Posted via nabble, hopefully that prevents any wrapping issues)


### LOG START ###

# postscreen, whitelisted, and passes due to previous pass

Jul 30 11:18:12 mail1 postfix/postscreen[3483]: CONNECT from [1.1.1.1]:59992
to [2.2.2.2]:25
Jul 30 11:18:12 mail1 postfix/dnsblog[3488]: addr 1.1.1.1 listed by domain
list.dnswl.org as 127.0.4.0
Jul 30 11:18:12 mail1 postfix/postscreen[3483]: PASS OLD [1.1.1.1]:59992

# connect to main smtp. message QID? F1F5B14D5

Jul 30 11:18:12 mail1 postfix/smtpd[3491]: connect from
mail.myserver.com[1.1.1.1]
Jul 30 11:18:12 mail1 postfix/smtpd[3491]: F1F5B14D5:
client=mail.myserver.com[1.1.1.1]

# F1F5B14D5 to pre-cleanup

Jul 30 11:18:13 mail1 postfix/cleanup[3494]: F1F5B14D5:
message-id=<017101d3094f$6ef5df70$4ce19e50$@com>

# F1F5B14D5 into queue manager

Jul 30 11:18:13 mail1 postfix/qmgr[3285]: F1F5B14D5:
from=, size=1022, nrcpt=1 (queue active)

# mainsmtp connection done, disconnect

Jul 30 11:18:13 mail1 postfix/smtpd[3491]: disconnect from
mail.myserver.com[1.1.1.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

# amavis picks up item from queue via amavis-smtpd lmtp service

Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) LMTP :10024
/var/spool/amavisd/tmp/amavis-20170730T100904-01006-thTdWRtM:
 ->  SIZE=1022 Received: from
mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com
[127.0.0.1]) (amavisd-new, port 10024) with LMTP for
; Sun, 30 Jul 2017 11:18:13 -0500 (CDT)

# amavis reports it starts checking the message F1F5B14D5

Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) Checking: er8IU5nNU-RL MYNETS
[1.1.1.1]  -> 

# ???  Postfix gets connection from amavis on normal smtpd to send filtered
message.  That message gets new QID? #230F69E7

Jul 30 11:18:13 mail1 postfix/smtpd[3498]: connect from localhost[127.0.0.1]
Jul 30 11:18:13 mail1 postfix/smtpd[3498]: 230F69E7:
client=localhost[127.0.0.1], orig_queue_id=F1F5B14D5,
orig_client=mail.myserver.com[1.1.1.1]

# after-filter cleanup on filtered message 230F69E7?

Jul 30 11:18:13 mail1 postfix/cleanup[3499]: 230F69E7:
message-id=<017101d3094f$6ef5df70$4ce19e50$@com>

# ??? new queue of filtered message #230F69E7 from amavis

Jul 30 11:18:13 mail1 postfix/qmgr[3285]: 230F69E7:
from=, size=1518, nrcpt=1 (queue active)

# amavis done talking to postfix, disconnects

Jul 30 11:18:13 mail1 postfix/smtpd[3498]: disconnect from
localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1
commands=6

# ??? meanwhile, the same amavis, PID [1006] just logging/reporting what was
done

Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) er8IU5nNU-RL FWD from
 -> , BODY=7BIT 250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 230F69E7
Jul 30 11:18:13 mail1 amavis[1006]: (01006-05) Passed CLEAN
{RelayedInternal}, MYNETS LOCAL [1.1.1.1]:59992 [108.222.197.75]
 -> , Queue-ID: F1F5B14D5,
Message-ID: <017101d3094f$6ef5df70$4ce19e50$@com>, mail_id: er8IU5nNU-RL,
Hits: -, size: 1022, queued_as: 230F69E7, 136 ms

# ??? postfix reports it got a message via lmtp from amavis (10024), and it
has sent it, although I think it actually sent the filtered version 230F69E7
per local delivery log line that follows

Jul 30 11:18:13 mail1 postfix/lmtp[3495]: F1F5B14D5:
to=, relay=127.0.0.1[127.0.0.1]:10024,
delay=0.18, delays=0.03/0.01/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 230F69E7)

# qmgr removes the original message received F1F5B14D5 ?

Jul 30 11:18:13 mail1 postfix/qmgr[3285]: F1F5B14D5: removed

# delivers locally

Jul 30 11:18:13 mail1 postfix/local[3500]: 230F69E7:
to=, relay=local, delay=0.04,
delays=0.01/0.03/0/0, dsn=2.0.0, status=sent (delivered to mailbox)

# qmgr removes the filtered message received 230F69E7 ?

Jul 30 11:18:13 mail1 postfix/qmgr[3285]: 230F69E7: removed

### LOG END ###

Re: Deciphering maillog transaction that resulted in reply to spammer

2017-07-28 Thread techlist06
Bastian:  I know this is getting off the list's subject.  I appreciate the pointer. 
That option is not in my amavisd.conf.  I'm looking to see how to get it
set.  The examples I see discussing it aren't very clear (to me).

Once I understand what's going on at the postfix level I'll have a better
idea hopefully.


--
View this message in context: 
http://postfix.1071664.n5.nabble.com/RE-Deciphering-maillog-transaction-that-resulted-in-reply-to-spammer-tp91584p91593.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Deciphering maillog transaction that resulted in reply to spammer

2017-07-28 Thread techlist06
Sorry about the formatting.  Damn Outlook client I guess.  Hopefully below is
not messed up format wise.

Thanks for the pointer to Viktor's script.  It appears to just have the
postfix entries, not the handoffs back and forth.  Seems to pick up 6 of the
20+ related lines.  I get that it's just doing postfix, but it did not
appear to get all of postfix.

## collate.pl output ##

Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from
unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02:
client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02:
message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02:
from=, size=6760, nrcpt=1 (queue
active)
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66,
delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok,
id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed

#  collate.pl end ##

Hopefully this is clean enough for some instruction on what these steps are. 

# log entries 
Jul 26 19:05:48 mail1 postfix/postscreen[11080]: CONNECT from
[5.133.8.185]:44150 to [pp.pp.pp.pp]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: NOQUEUE: reject: RCPT from
[5.133.8.185]:44150: 450 4.3.2 Service currently unavailable;
from=, to=,
proto=ESMTP, helo=
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS NEW
[5.133.8.185]:44150
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: DISCONNECT
[5.133.8.185]:44150

# immediate retry on second connection to secondary IP:

Jul 26 19:05:55 mail1 postfix/postscreen[11080]: CONNECT from
[5.133.8.185]:33753 to [ss.ss.ss.ss]:25
Jul 26 19:05:55 mail1 postfix/postscreen[11080]: PASS OLD
[5.133.8.185]:33753
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: warning: hostname
accept.rootp.us does not resolve to address 5.133.8.185: Name or service not
known
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: connect from
unknown[5.133.8.185]
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02:
client=unknown[5.133.8.185]
Jul 26 19:05:57 mail1 postfix/cleanup[11090]: E58673D02:
message-id=<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02:
from=, size=6760, nrcpt=1 (queue
active)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) ESMTP :10024
/var/spool/amavisd/tmp/amavis-20170726T133617-05520-rH4yYe3A:
 ->  SIZE=6760
BODY=8BITMIME RET=HDRS Received:
from mail1.myserver.com ([127.0.0.1]) by localhost (mail1.myserver.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP for
; Wed, 26 Jul 2017 19:05:57 -0500 (CDT)
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Checking: pqyogYJQxVad
[5.133.8.185]  ->

Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) WARN: MIME::Parser error:
unexpected end of header; ; error: couldn't parse head; error near:; ; ;
error: part did not end with expected boundary; ; error: unexpected end of
parts before epilogue
Jul 26 19:05:57 mail1 clamd[788]: SelfCheck: Database status OK.
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: connect from
localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910:
client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/cleanup[11094]: 67FB13910:
message-id=
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222,
nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: disconnect from
localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) waLiP0ZsHz9C(pqyogYJQxVad)
SEND from <> -> ,
ENVID=am.walip0zshz9c.20170727t0005...@mail1.myserver.com BODY=7BIT 250
2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 67FB13910
Jul 26 19:05:57 mail1 amavis[5520]: (05520-17) Blocked BAD-HEADER-0
{BouncedInbound,Quarantined}, [5.133.8.185]:33753 [5.133.8.185]
 -> , Queue-ID:
E58673D02, Message-ID:
<5ad4d5216a4bc054e796b681c153b4ca.16322808.16275482@pearls.preal.us_jt0>,
mail_id: pqyogYJQxVad, Hits: -, size: 6763, 160 ms
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66,
delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok,
id=05520-17, BOUNCE)

##

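Both log walk-throughs in this thread (the clean pass-through above, and the message amavisd-new answered with BOUNCE) come down to the same exercise: following one message across the content-filter hand-off, where Postfix assigns a second queue ID to what comes back on port 10025. The script below is an added example, not part of this thread, of collate.pl, or of Postfix itself. It runs over constructed log lines modelled on the ones quoted here (addresses, hosts and IPs are placeholders, since the archive stripped the originals, and the final delivery of the bounce to an outside MX is added to complete the scenario). It links the original queue ID to the re-injected one two ways, through the "queued as" text in the smtp/lmtp delivery result and through the orig_queue_id that smtpd logs when the filter sends XFORWARD, reads the filter's verdict from the delivery line, and flags the null-sender message that carried a BOUNCE verdict back out to the (usually forged) envelope sender.

```python
import re

# Constructed maillog lines modelled on the two transactions quoted in this thread.
# Addresses, hosts and IPs are placeholders (the archive stripped the originals); the
# last two lines, the null-sender bounce leaving for an outside MX, complete the scenario.
SAMPLE_LOG = """\
Jul 30 11:18:12 mail1 postfix/smtpd[3491]: F1F5B14D5: client=mail.example.org[192.0.2.10]
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: F1F5B14D5: from=<alice@example.org>, size=1022, nrcpt=1 (queue active)
Jul 30 11:18:13 mail1 postfix/smtpd[3498]: 230F69E7: client=localhost[127.0.0.1], orig_queue_id=F1F5B14D5, orig_client=mail.example.org[192.0.2.10]
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: 230F69E7: from=<alice@example.org>, size=1518, nrcpt=1 (queue active)
Jul 30 11:18:13 mail1 postfix/lmtp[3495]: F1F5B14D5: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.18, delays=0.03/0.01/0.01/0.13, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 230F69E7)
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: F1F5B14D5: removed
Jul 30 11:18:13 mail1 postfix/local[3500]: 230F69E7: to=<bob@example.com>, relay=local, delay=0.04, delays=0.01/0.03/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 30 11:18:13 mail1 postfix/qmgr[3285]: 230F69E7: removed
Jul 26 19:05:56 mail1 postfix/smtpd[11088]: E58673D02: client=unknown[198.51.100.7]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: from=<forged@example.net>, size=6760, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtpd[11093]: 67FB13910: client=localhost[127.0.0.1]
Jul 26 19:05:57 mail1 postfix/qmgr[910]: 67FB13910: from=<>, size=3222, nrcpt=1 (queue active)
Jul 26 19:05:57 mail1 postfix/smtp[11091]: E58673D02: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.66, delays=0.49/0.01/0.01/0.15, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=05520-17, BOUNCE)
Jul 26 19:05:57 mail1 postfix/qmgr[910]: E58673D02: removed
Jul 26 19:05:58 mail1 postfix/smtp[11096]: 67FB13910: to=<forged@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.1, delays=0.02/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 26 19:05:58 mail1 postfix/qmgr[910]: 67FB13910: removed
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
FILTER_RELAY = "127.0.0.1[127.0.0.1]:10024"   # where smtp/lmtp hands mail to amavisd-new

def _field(rest, name):
    """Value of key=... in a Postfix log record, with the <> around addresses stripped."""
    m = re.search(r"\b%s=(<[^>]*>|[^,\s]+)" % name, rest)
    return m.group(1).strip("<>") if m else None

def parse_log(text):
    """Group records by queue ID: client, envelope sender, orig_queue_id, deliveries."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # postscreen, connect/disconnect, warnings
        prog, qid, rest = m.group("prog"), m.group("qid"), m.group("rest")
        rec = msgs.setdefault(qid, {"client": None, "from": None,
                                    "orig_queue_id": None, "deliveries": []})
        if prog == "smtpd":
            rec["client"] = _field(rest, "client")
            rec["orig_queue_id"] = _field(rest, "orig_queue_id")
        elif prog == "qmgr" and rest.startswith("from="):
            rec["from"] = _field(rest, "from")
        elif prog in ("smtp", "lmtp", "local", "virtual", "pipe"):
            detail = re.search(r"status=\w+ \((.*)\)\s*$", rest)
            rec["deliveries"].append({"to": _field(rest, "to"),
                                      "relay": _field(rest, "relay") or "",
                                      "status": _field(rest, "status") or "",
                                      "detail": detail.group(1) if detail else ""})
    return msgs

def filter_chain(msgs, qid):
    """Follow a message through the filter: each 'queued as' names the re-injected ID."""
    chain, seen = [qid], {qid}
    while True:
        nxt = None
        for d in msgs[chain[-1]]["deliveries"]:
            m = re.search(r"queued as ([0-9A-F]+)", d["detail"])
            if m:
                nxt = m.group(1)
        if nxt is None or nxt in seen:
            return chain
        seen.add(nxt)
        chain.append(nxt)

def reinjected_from(msgs, qid):
    """Same link from the receiving side: smtpd logs orig_queue_id sent via XFORWARD."""
    return sorted(q for q, r in msgs.items() if r["orig_queue_id"] == qid)

def filter_verdict(msgs, qid):
    """What the filter answered when this queue ID was handed to it."""
    for d in msgs[qid]["deliveries"]:
        if d["relay"] == FILTER_RELAY:
            if "BOUNCE" in d["detail"]:
                return "BOUNCE"
            return "PASS" if "queued as" in d["detail"] else d["status"]
    return None

def find_backscatter(msgs):
    """Null-sender messages that left the box for the envelope sender of a message the
    filter chose to BOUNCE; that sender is routinely forged, so this is the 'reply to spammer'."""
    bounced = {r["from"] for q, r in msgs.items()
               if r["from"] and filter_verdict(msgs, q) == "BOUNCE"}
    hits = []
    for qid, rec in msgs.items():
        if rec["from"] != "":             # only bounces carry an empty envelope sender
            continue
        for d in rec["deliveries"]:
            offsite = d["relay"] != "local" and not d["relay"].startswith("127.0.0.1")
            if d["status"] == "sent" and offsite and d["to"] in bounced:
                hits.append((qid, d["to"]))
    return hits
```

On a real /var/log/maillog, pass the file contents to parse_log() and look at find_backscatter(): each hit is a bounce your box generated on the filter's behalf and delivered to an address that was never verified, which is the delivery to stop (on the amavisd-new side, by not bouncing for that verdict but discarding or quarantining instead). filter_chain() and reinjected_from() should agree for every passed message; where they do not, the filter is re-injecting without XFORWARD, and smtpd's orig_queue_id link is missing.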
List posting question

2017-07-27 Thread techlist06
I'm trying to post: a question, a copy of 20 lines or so of a maillog, and
the output of postconf -n .

The list does not seem to be accepting it.  Maybe because the log has some
IPs and an address of a spammer?  What should I do to sanitize it so it
will post?  Not sure what's triggering the block.  I tried posting it from
my server and from nabble.com as well.  Nabble stays at "...not accepted
yet".

Thanks, Scott



postscreen dnsbl AND smtpd_recipient_restrictions rbl?

2017-07-15 Thread techlist06
I'm converting to use postscreen.  I have a question about dnsbl's in
postscreen vs smtpd_recipient_restrictions

Following threads here and a git by Steve Jenkins I was going to start with
this for postscreen:

postscreen_dnsbl_sites =
zen.spamhaus.org*3
bl.mailspike.net*2
b.barracudacentral.org*2
bl.spameatingmonkey.net
bl.spamcop.net
dnsbl.sorbs.net
psbl.surriel.com
swl.spamhaus.org*-4
list.dnswl.org=127.0.[2..15].0*-2
list.dnswl.org=127.0.[2..15].1*-3
list.dnswl.org=127.0.[2..15].[2..3]*-4
wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2

I had my smtpd_recipient_restrictions RBLs as:
  ...
  reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
  reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client psbl.surriel.com,
  reject_rbl_client cbl.abuseat.org,
  ...

I've seen in other threads configs that left some but not all rbl's in their
smtpd_recipient_restrictions.  If I'm going to reject no matter what at
smtpd_recipient_restrictions, it seems I should give that rbl a high score
in postscreen checks and not do the second check in
smtpd_recipient_restrictions?  I understood that the second lookup is "free"
since it's cached, but is there any advantage/disadvantage to having both?

Any advice appreciated.




Re: upgrade/compile options

2017-07-12 Thread techlist06
Thanks Peter, appreciate the nudge.  What the hell, I'm in.  I'll try
it on my test server.  It would be nice for me to stay in the yum update
world.



Re: upgrade/compile options

2017-07-11 Thread techlist06
Hi Peter: 

> Why are you trying to upgrade from old to slightly less old?  The
> current stable of postfix is 3.2.2. 

Valid question.  It wasn't because of EOL concerns.  I was looking to add
the feature available in 2.11+:
postscreen_dnsbl_whitelist_threshold

Beyond that, I was just chicken of biting off too much at a time without
having a handle on it.  Baby steps.  v2.10 (and now 2.11) will be my first
use of postscreen and will have enough new to it vs. the old version I'm
upgrading from.  

Maybe an unfounded fear and I should go right to 3.2, but that's why I was
just moving to 2.11.  Once I'm comfy, maybe move up another few rungs to
3.2.



Re: upgrade/compile options

2017-07-11 Thread techlist06
I removed the one Cyrus SASL path Viktor pointed out.

For anyone else who may come on this searching... Google "Steve Jenkins
Building Postfix on RHEL / CentOS from Source" for detailed steps.  Except
for me I wanted TLS, Dovecot SASL (no Cyrus), the rest as normal for the
distribution.

On a stock CentOS 7 install with functioning Postfix 2.10, SASL and TLS, I
did this to upgrade to 2.11:
- yum install gcc openssl-devel pcre pcre-devel dovecot-devel
- download source to /usr/local/src
- used this to build makefile on x64

make makefiles \
  CCARGS='-fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' \
  AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' \
  OPT='-O' DEBUG='-g'

Be sure to exclude postfix from yum updates so it doesn't get hosed if they
ever get around to updating.



Re: upgrade/compile options

2017-07-11 Thread techlist06
Wietse:  

>If I correct your command for word-wrap breakage and spurious spaces,
>but otherwise leave all the unnecessary stuff in place, it produces
>a working build with Postfix 3.3 on Fedora Core 24. 

The reference I started with was one by Steve Jenkins for a Centos 7 system
(and others).  I'd be grateful to see the compile arguments without the
"unnecessary stuff".  

make makefiles \
  CCARGS='-fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\"/usr\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' \
  AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath,/usr/lib64/openssl -pie -Wl,-z,relro' \
  OPT='-O' DEBUG='-g'

Anyway after make upgrade and a restart I didn't get the warnings this time
on test messages.  Apologies for the static.

I would be grateful for the "only necessary stuff" line

Thank you (Viktor too).  



upgrade/compile options

2017-07-11 Thread techlist06
I have a functioning install of 2.10 from RPMs on CentOS 7.  I'm trying to
upgrade Postfix to 2.11.

I don't use LDAP and I'm using Dovecot for SASL.  I use TLS.  Following the
postfix docs and other's directions, I've tried to pick the correct compile
options.  Unfortunately for me RedHat/Centos doesn't appear to include the
.out file I need to see how they compiled theirs.

This is the script I'm using to create the makefile and compile.  The
compile goes fine without any errors that I see:

make makefiles \
  CCARGS='-fPIC -DUSE_TLS -DUSE_SSL -DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DPREFIX=\\"/usr\\" -DHAS_PCRE -I/usr/include/openssl -I/usr/include/dovecot -I/usr/include' \
  AUXLIBS='-L/usr/lib64 -L/usr/lib64/openssl -lssl -lcrypto -L/usr/lib64/sasl2 -lpcre -lz -lm -Wl,-rpath, /usr/lib64/openssl -pie -Wl,-z,relro' \
  OPT='-O' DEBUG='-g'

But in the logs I have warnings about both TLS and SASL not being compiled
in:
   warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled
in
   warning: TLS has been selected, but TLS support is not compiled in

I did add this include:  -I/usr/include/dovecot 
In lieu of a direction to use /usr/include/sasl which did not exist

Can someone help me with my compile options?  Do I have to keep the CYRUS
parts in there, too?  Figure I'm missing an option or path.

Thanks



Re: postscreen delay improvement - multiple IP addresses

2017-07-10 Thread techlist06
> http://www.postfix.org/POSTSCREEN_README.html#white_veto

Noel.  I had read that section of the manual but it didn't sink in.  Now I
get it perfectly.  Thanks again, much appreciated.  



Re: postscreen delay improvement - multiple IP addresses

2017-07-08 Thread techlist06
re "IP addresses, published in DNS as different IP addresses for the same MX
hostname or for different MX
hostnames. This avoids mail delivery delays with clients that reconnect
immediately from the same IP address. "

I understand now this had nothing to do with improving systems that
(re)connect from different IPs.  

Hopefully not too elementary of a question, but I would like to understand
how it helps for clients reconnecting immediately from the same IP.  Will
such a client immediately retry on the next available DNS-configured MX (if
available) vs. some other delay to retry on the same IP?  As if the primary
was considered unavailable so it immediately tries the secondary?  That
would be great presuming the undesirables don't.

Thanks again, Scott



Re: postscreen with postgrey - can they cause a double reject?

2017-07-07 Thread techlist06
Thank you for the expert input.  I will heed your advice.

Scott



Re: postscreen delay improvement - multiple IP addresses

2017-07-07 Thread techlist06
Thanks guys, I understand now.  Much appreciated.



postscreen with postgrey - can they cause a double reject?

2017-07-07 Thread techlist06

I searched for answers regarding using both postscreen and greylisting.  I
saw some differing opinions.  But I did not see this point covered.

Assuming a client's first connection to me to deliver, and
assuming that postscreen is configured for deep protocol tests, and the
connection passes all tests.

I understand postscreen will temporary whitelist the IP but the client must
reconnect in order to deliver.  

On that second connection, postscreen hands off to postfix due to the
temporary whitelist.

If I have greylisting configured, as I have done it in the past in main.cf:

  smtpd_recipient_restrictions =
    ...
    check_policy_service unix:postgrey/socket,
    permit

Won't this second connection get temp rejected by my normal greylisting a
second time?  The regular greylisting won't know about postscreen's
recent pass.  So won't the client have to connect for a 3rd time to
deliver?

That would seem to me to be an argument against using both, or at least
using both with postscreen's deep protocol tests enabled.

I'd be grateful to be straightened out if I have it wrong.  

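The two postscreen questions in this thread, whether to keep the IP-based RBLs in smtpd_recipient_restrictions once postscreen scores them, and whether postscreen's after-220 tests plus postgrey cost a third connection, both come down to what each layer can see. The main.cf fragment below is an added example, not the poster's configuration and not from the Postfix documentation; the list names and dnswl/mailspike return-code syntax are the ones quoted in the thread, while the thresholds, the enforce actions and the postgrey socket path are assumptions.

```conf
# main.cf (added example; thresholds, actions and the postgrey path are assumed)

# postscreen only ever sees the client IP, before a single SMTP command, so it
# is where the IP-keyed lists belong.  Weights let one strong hit or two weak
# ones cross the threshold; whitelist entries count negative.
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.mailspike.net*2
    b.barracudacentral.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    swl.spamhaus.org*-4
    list.dnswl.org=127.0.[2..15].0*-2
    list.dnswl.org=127.0.[2..15].1*-3
    list.dnswl.org=127.0.[2..15].[2..3]*-4
    wl.mailspike.net=127.0.0.[17;18]*-1
    wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce

# Postfix 2.11 and later: a client scoring at or below this skips every
# remaining postscreen test, so reputable senders never see the reconnect delay.
postscreen_dnsbl_whitelist_threshold = -1

# Test before the 220 banner: no reconnect is needed, so enforcing costs nothing.
postscreen_greet_action = enforce

# Tests after the 220 banner can only end in a 4xx and a reconnect.  That second
# connection is the first one smtpd, and therefore postgrey, ever sees, so
# postgrey greylists it again: three connections before delivery.  Leave these
# off unless that delay is acceptable for first-time senders.
postscreen_pipelining_enable = no
postscreen_non_smtp_command_enable = no
postscreen_bare_newline_enable = no

# smtpd still runs for every client postscreen admits.  Keep here what postscreen
# cannot evaluate: lookups keyed on the HELO name, the sender domain or the
# client hostname.  A second, unweighted reject_rbl_client zen.spamhaus.org
# here would re-check clients postscreen admitted only because a whitelist hit
# offset their zen score; keep it only if a zen listing must always reject.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
    check_policy_service unix:postgrey/socket,
    permit
```

Check the effect with `postconf -n | grep postscreen` after reloading, then watch `grep postscreen /var/log/maillog` for DNSBL rank lines: a client rejected with "DNSBL rank 3" never reaches smtpd, so any reject_rbl_client you leave in smtpd only fires for clients whose combined score stayed below the threshold.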
postscreen delay improvement - multiple IP addresses

2017-07-07 Thread techlist06
I'm working on converting to using postscreen.  Studying the details.  I
have a question from the docs related to the delays due to the effective
greylisting caused by "Tests after the 220 SMTP server greeting".  I believe
my server would qualify as a small site receiving mail for just a few
hundred users.

Snippet from the Howto:
"The following measures may help to avoid email delays:  Small sites:
Configure postscreen(8) to listen on multiple IP addresses, published in DNS
as different IP addresses for the same MX hostname or for different MX
hostnames. This avoids mail delivery delays with clients that reconnect
immediately from the same IP address."

Can someone help me understand why this helps?  If I add an IP to the server
and configure it as a second instance of the MX hostname, how does that help
with a server that may reconnect from a different IP?  I thought that if it
reconnected immediately from the same IP, that would be a good thing.  Or
maybe I misunderstood "immediately".  I took it to mean immediately after
getting a 4xx response and drop.  I assume this doesn't do anything to help
with servers like Google that will connect from a different server?

Anyway, I'd appreciate it if someone could elaborate so I understand this
detail.

Thank you, Scott

RE: Unable to get TLS working with Outlook

2016-07-24 Thread techlist06
>The last "master.cf" should be "main.cf".
Check.

> specify mua_client_restrictions, mua_helo_restrictions, and
mua_sender_restrictions in master.cf.
Done.

And I finally got a message to pass via submission from Outlook.  

What are good/reasonable restrictions to add for the submission service?  I
will only have typical consumer users using Windows Outlook and iPhones to
send mail through that port once authenticated.  On my old box I only have 

smtpd_recipient_restrictions=permit_sasl_authenticated,reject

And that was working fine.  Anything else I need to add to the mua
restrictions while I'm at it?  

I'm so relieved to get this past this Outlook-send hurdle.


=
postconf -n
=
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
# New

mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions =
mua_sender_restrictions =
###
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x/32, y.y.y.y/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = xxx.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


=
Master.cf
=
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

smtp-amavis unix -      -       n       -       3       smtp
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
smtp      inet  n       -       n       -       -       smtpd -v
  -o cleanup_service_name=pre-cleanup
pickup    fifo  n       -       n       60      1       pickup
  -o cleanup_service_name=pre-cleanup
pre-cleanup unix n      -       n       -       0       cleanup
  -o virtual_alias_maps= -o canonical_maps= -o 

RE: Unable to get TLS working with Outlook

2016-07-24 Thread techlist06
>Otherwise, the absense of "AUTH" in the EHLO reply might be a configuration
>issue with dovecot, or is rather mysterious.

Well, at least no AUTH was something to go on, thanks, I missed that detail.
Checked the socket path setting and the file permissions, all looked good
there.

I Found what I hope is the main issue and cure.  Since I was able to send a
message to the server from an iPhone, I'm getting close.

Noob error but its something I haven't set in a while, didn't realize it was
there.  An Outlook drop down for "Use the following type of encrypted
connection:  None, SSL, TLS, or Auto.  It was set to none.  Fixed.

Now if I try to connect I get the AUTH

But the message is rejected with recipient address restrictions: 

Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> START Recipient address
RESTRICTIONS <<<
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_invalid_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_invalid_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_invalid_hostname status=0
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_non_fqdn_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_non_fqdn_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: NOQUEUE: reject: RCPT from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 504 5.5.2
: Helo command rejected: need fully-qualified hostname;
from= to= proto=ESMTP
helo=
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_non_fqdn_hostname status=2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> END Recipient address
RESTRICTIONS <<<


The client PC's "name" is HDPLEX2.  Is there a (safe) workaround to this
without changing all my Windows PCs to FQDN names?


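Three questions on this page ask for the same thing from the submission service: "Restrict outgoing/submission to defined local or virtual users" (limit authenticated users to envelope senders they own, and stop one account from sending at all), "What are good/reasonable restrictions to add for the submission service?", and the HELO HDPLEX2 rejection just above, where the port-25 reject_non_fqdn_hostname policy bit an authenticated Outlook client. The fragments below are an added example, not the poster's configuration and not from the Postfix documentation. They keep the page's own pattern of mua_* variables in main.cf referenced from master.cf -o lines; the addresses, login names and the map path are placeholders. check_sasl_access and the inline: map type need Postfix 2.11 or later (fine on the 3.2.2 box in the 2017 thread; on the 2.10.1 box in this thread use a hash: map and check_sender_access instead).

```conf
# main.cf (added example; addresses, logins and the map path are placeholders)

# Sender address -> SASL login(s) allowed to use it.  Put aliases and virtual
# addresses here too, so users are not limited to their login name.
# Build with:  postmap hash:/etc/postfix/sender_login
#   /etc/postfix/sender_login:
#   alice@example.com        alice
#   sales@example.com        alice, bob
#   spamreport@example.com   spamreport
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Restriction lists referenced from master.cf below, so the -o lines stay free
# of the spaces and commas that would otherwise need ${space} quoting.
mua_client_restrictions = permit_sasl_authenticated, reject

# Outlook greets with the bare PC name (HELO HDPLEX2).  The port-25
# reject_non_fqdn_hostname policy must not apply to authenticated submission.
mua_helo_restrictions = permit_sasl_authenticated, reject

# check_sasl_access keys on the SASL login name (use the user@domain form if
# that is what Dovecot reports) and refuses the spam-report account outright;
# reject_sender_login_mismatch then limits everyone else to the envelope
# senders they own in the map above.
mua_sender_restrictions =
    check_sasl_access inline:{spamreport=REJECT},
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

mua_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    reject

# master.cf
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix-submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o content_filter=
  -o milter_macro_daemon_name=ORIGINATING
```

Test it the way the thread already does, with openssl s_client -starttls smtp and AUTH PLAIN: a MAIL FROM the login does not own should come back as 553 5.7.1 "Sender address rejected: not owned by user", and the spamreport login should be refused before MAIL FROM is accepted. Two caveats: these checks see only the envelope sender, not the From: header a mail client displays, so a header_checks rule or a milter is needed if that must match too; and with smtpd_delay_reject at its default of yes all of these lists are evaluated at RCPT TO, after AUTH, which is what makes permit_sasl_authenticated usable in the client and HELO lists.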
RE: Unable to get TLS working with Outlook

2016-07-24 Thread techlist06
The problem is occurring with MS Outlook 2007.  Can't get it to work on 465
or 587.  

For the 587/submission port I changed it to the settings from Patrick
Koetter's guide
(http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_suppor
t.html)

## TLS
#  Transport Layer Security
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


In master.cf I changed submission section to below for testing, Commented
some restrictions for now to test.

submission inet n       -       n       -       -       smtpd -v
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
#  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual_users
#  -o smtpd_sender_restrictions=reject_sender_login_mismatch
#  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject


I can send a mail via telnet from a different server to 587 (or 465)
including SASL authentication using:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp -crlf
I used 
echo -ne '\0myusername\0thatpassword' | openssl enc -base64 
to generate the credentials for AUTH PLAIN

I'm shown the certificate then I ehlo through quit and the server delivers
the message to the local account I sent it to.  The Outlook box retrieves it
via POP.

I also tried the same command above from a linux machine on the same
(home)IP as my desktop Outlook PC, it too will let me send a message through
the submission port 587 using the openssl comand above.

But if I try to send from Outlook to port 587, the connection fails.

Outlook's "Test account settings" reports: "Send test e-mail message: None
of the authentication methods supported by this client are supported by your
server."

The log from the Outlook connection here: hh.hh.hh.hh is my home/Outlook
PC's IP address

Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: ipv4
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: inet_addr_local: configured 2 IPv4
addresses
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: process generation: 102 (102)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
qmqpd_authorized_clients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
relay_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/local_recipient
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/relay_recipients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
qmqpd_authorized_clients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
relay_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
smtpd_access_maps
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: 

RE: Unable to get TLS working with Outlook

2016-07-24 Thread techlist06
>Don't waste our time posting configuration data from the wrong machine.

I won't.  I didn't.  The posted configs are from the box I'm working on now.
Was just mentioning the other one to explain the commented line.  Thank you
for the advice on that line in any case.

>If you have mail clients that only support port 465 wrapper-mode SSL rather
>than STARTTLS, you'll need the port 465 service.  Strident views to the contrary
>don't change the facts.  Good luck.

I do not have any such clients unless Outlook 2007 is one of them?  If it is
I can upgrade that.  Anyway, I understand the point, thank you.

> re: ...Oriley...
I misspoke from being tired.  The book I used was yours and Patrick's (Book
of Postfix 2005), had almost forgotten about it.  Last time I had to do this
was 2010.  Had no trouble then.

Excuse my digression, back to my issue then...


RE: Unable to get TLS working with Outlook

2016-07-24 Thread techlist06
>> #port 465
>> # my inbound mail comes here
>> smtps inet n       -       n       -       -       smtpd -v
>> # next line below so I don't filter the mail I send in via 465
>> # -o content_filter=
>> # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>> # -o smtpd_sasl_auth_enable=yes
>> # -o smtpd_tls_wrappermode=yes
>> # -o syslog_name=postfix/smtps
>>  -o smtpd_tls_security_level=encrypt
>>  -o smtpd_sasl_auth_enable=yes
>>  -o smtpd_sasl_type=dovecot
>>  -o smtpd_sasl_path=private/auth
>>  -o smtpd_sasl_security_options=noanonymous
>>  -o smtpd_sasl_local_domain=$myhostname
>>  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
>>  -o smtpd_sender_restrictions=reject_sender_login_mismatch
>>  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>
>Commenting out "-o smtpd_tls_wrappermode=yes" is rather unwise for port 465

Thanks Victor.  It's probably where I was turning off things on this new box
to troubleshoot, or following some howto on the web in desperation.  It is
un-commented on my production box.

I understand I don't need the 465 port anymore from a different poster.  My
production box was set up a long time ago.  I used the O'Reilly book, a
popular guide from HughesJR.com (gone now), Jim Seymour's Postfix
anti-UCE configuration, and notes from the occasional question on this
maillist a long time ago.  I'd like to get back to that setup as it has
worked very well for many years.  Just can't seem to get it all working on
Centos 7. :(

Thanks,
Scott

RE: Unable to get TLS working with Outlook

2016-07-23 Thread techlist06
>> test tunneled TLS connections to port 465
>>  openssl s_client -connect tn2.myserver.com:465
>> Appears to work
>> -
>> From remote server
>> test STARTTLS connections on port 25 or 587 with:
>>  openssl s_client -connect tn2.myserver.com:587 -starttls smtp
>> appears to work, shows a bunch of info and the certificate text.
>> Nothing that looks like errors except a line that says:
>>  verify error:num=18:self signed certificate
>>  verify return:1
>> -
>
>You can confirm or refute on your "appears to work" conclusions 2 ways:
>
>1. Look in your server logs for lines with content like this:
>
>  postfix/smtpd[123]: Anonymous TLS connection established from
>host.example.com[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA


>2. When using openssl s_client, you should be left connected in a SMTP
>session so you can issue a EHLO command and should get a reasonable
>reply. If not, there's something wrong.

Well crap.  Something I've done has caused the first test to port 465 to
stop working.  I'm nearly positive it was working.

[root@tn1] # openssl s_client -connect tn2.myserver.com:465
CONNECTED(0003)
26351:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:475:


When I run this command Anonymous is there.
openssl s_client -connect tn2.companypostoffice.com:587 -starttls smtp

Jul 23 19:23:59 tn2 postfix/smtpd[2007]: Anonymous TLS connection
established from tn1.myserver.com[xx.xx.xx.xx]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)

I can also ehlo and issue smtp commands after above.

>> --
>>
>> MS Outlook is happy using port 587 (SASL only I think)
>

>> I can deliver a test
>> message.  POP also works and it will retrieve same.
>
>POP and IMAP are irrelevant here, since they are not part of Postfix, but
>it's good to know that you don't seem to have any issues with Dovecot
>complicating things and obscuring your Postfix issues...

Well, I spoke too soon there.  I'm using Outlook's utility to "test settings"
where it sends the message.  If I send a message locally I can then get it
via POP.
I can only send the message via port 587 (no TLS I don't think, about to
fix that).  I can send and then POP a message using that port as is.

I had Dovecot jacked for a min trying to get mbox format to work, finally
got setting in each of them they were happy with.  POPing again now.  Can
fine tune that another day (want them in /var/spool/mail/user, have them in
HOME/mail/inbox).  


>Serious question: why do you care? Port 465 SSL-wrapped SMTP was never
>made a standard and correctly never will be. No software that I'm aware of
>can use that botch and cannot use STARTTLS except for a few clients so
>outdated as to be inherently unsafe (e.g. antique versions of
>Outlook.) Make sure Outlook is using STARTTLS on port 587 and be happy
>with that: it's a service defined by a RFC which is supported by any client
>software that isn't a danger to its users. Since port 465 service owes its
>zombie existence to an early draft for SSLv3 that was never made into any
>sort of standard, it is formally improper to offer ANY TLS version over it,
>while all versions of SSL should be treated as broken and obsolete. Do you
>see the problem?
>
>Assuming you have a concrete need (e.g. The Boss uses Outlook Express on
>Windows ME and won't upgrade,) if s_client is working to port 465 and
>Outlook is not, you have an Outlook problem. Talk to your vendor about
>that. Since you've not included your master.cf configuration for the smtps
>(port 465) service, there's no hope of diagnosis here at present.

Re why do I care:  I do not and will defer to your experience on this point
for sure.  I was just replicating (trying to) what I had.  If it's not
needed anymore I'm ALL FOR getting rid of it and making it simpler.  I only
have a few local accounts on the box.  Everything else is relayed.  Old OL
versions are not an issue.

So I need to get rid of the 465 setup and get 587 working right...Check.
But, I'm not sure how to do that right :(

So, here's my master.cf below.  I'd be extremely grateful for any
pruning/editing

>1. Back off smtpd_tls_loglevel to 1. All of the above happened within a
>second and provides no useful clues.

How do I change the level?  I only know how to add the -v

>2. Without knowing the config of the smtps service (i.e. the relevant lines
>from master.cf) it is impossible to do anything more than make wild
>guesses. I'm going to make the wild guess that you didn't uncomment all of
>the essential continuation lines after the first one for smtps:
>the indented ones starting with '-o'.

I've been using my original config that I've used for years, and editing it
as I go trying to get it to work.  I'm a little lost at this point.  I'll
post what I have in its current state

>Side note on this:
>
>> Telnet to the server and STARTTLS seems happy:
>> 220 tn2.myserver.com ESMTP Postfix
>> ehlo sample.com
>> 250-tn2.myserver.com
>> 

Unable to get TLS working with Outlook

2016-07-23 Thread techlist06
I'm building a new server to replace an old one in production.  I've never
had trouble in the past, but it's been a while and it is not going smoothly
this time.  I've spent a week trying and not getting it going.  I gave up
getting Cyrus-sasl to work, moved to Dovecot.  Got farther but stuck now.
Eyes crossed. :)

This is on Centos 7, Postfix 2.10.1 from stock rpm, Dovecot 2.2.10.  

I have my self signed certificates made and entered in main.cf and
/etc/dovecot/conf.d/10-ssl.conf  I am no certificate guru, I think I have
them right.

I've checked everything best I can figure out how:

-
test tunneled TLS connections to port 465
openssl s_client -connect tn2.myserver.com:465
Appears to work
-
From remote server
test STARTTLS connections on port 25 or 587 with:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp
appears to work, shows a bunch of info and the certificate text.  Nothing
that looks like errors except a line that says:
verify error:num=18:self signed certificate
verify return:1
-
From remote server
Tested my cacert.pem certificate with
openssl x509 -in cacert.pem -inform pem -noout -text
It did not ask for a PW, displayed contents, so I think that's good (happy
to post output if it helps)
-
checked if the cert and key match:
(openssl x509 -noout -modulus -in /etc/certs/tn2.myserver.com.crt | openssl md5;
 openssl rsa -noout -modulus -in /etc/certs/tn2.myserver.com.key | openssl md5) | uniq
I only get one match so I think that's good.

Telnet to the server and STARTTLS seems happy:
220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

---

My postfix config is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

--

MS Outlook is happy using port 587 (SASL only I think)  I can deliver a test
message.  POP also works and it will retrieve same.

But with Outlook set to use port 465 it will not work.  Times out.

The maillog for the timed out test shows below.  It gets to that last line
and just hangs.

Jul 23 
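
Two things in this thread deserve a runnable check: the AUTH PLAIN credential built earlier with "echo -ne '\0myusername\0thatpassword' | openssl enc -base64", and the telnet session above, whose EHLO reply lists "AUTH PLAIN LOGIN" on the plaintext connection before STARTTLS. The following is an added example (not code from the thread or from Postfix). PLAIN (RFC 4616) is authzid NUL authcid NUL password, base64-encoded, which is why the two \0 bytes are needed: an empty authorization identity, then the user name; the echo form relies on bash's echo, and other shells' echo may print -ne literally. A server that advertises AUTH before STARTTLS will accept a password in the clear from any client that is misconfigured the way the Outlook account was ("encrypted connection: None"); with smtpd_tls_auth_only = yes, which the 2009 main.cf in this thread had and the new one does not, Postfix withholds AUTH until TLS is up. The EHLO texts below are constructed to mirror the session above; the live helper talks to a real server and is not run by the example itself.

```python
"""SASL PLAIN encoding/decoding and a check of what an EHLO reply offers
before STARTTLS. Added example, not Postfix code; the EHLO samples are
constructed."""
import base64
import re


def auth_plain(username, password, authzid=""):
    """Base64 of the RFC 4616 PLAIN message: authzid NUL authcid NUL passwd.
    Same bytes as the thread's echo -ne '\\0user\\0pass' | openssl enc -base64."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    msg = b"\0".join(f.encode("utf-8") for f in (authzid, username, password))
    return base64.b64encode(msg).decode("ascii")


def decode_auth_plain(token):
    """Inverse of auth_plain; returns (authzid, authcid, password)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def ehlo_extensions(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: parameters}.
    The first 250 line carries the server name, not an extension."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    exts = {}
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("not an EHLO keyword line: %r" % line)
        exts[m.group(1).upper()] = m.group(2) or ""
    return exts


def cleartext_auth_mechanisms(reply_before_starttls):
    """AUTH mechanisms offered before STARTTLS. Anything listed here lets a
    client send its password unencrypted; the goal is an empty list."""
    exts = ehlo_extensions(reply_before_starttls)
    if "AUTH" in exts:
        return exts["AUTH"].split()
    # The old "AUTH=PLAIN LOGIN" form Postfix adds for broken_sasl_auth_clients = yes.
    for key, params in exts.items():
        if key.startswith("AUTH="):
            return [key[5:]] + params.split()
    return []


def live_cleartext_auth_mechanisms(host, port=587, timeout=10):
    """The same check against a real server: one plaintext EHLO, no STARTTLS."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.com")
        return smtp.esmtp_features.get("auth", "").split()


# Constructed to mirror the telnet session in the thread (AUTH before STARTTLS).
EHLO_WITHOUT_TLS_AUTH_ONLY = """\
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: what the same server answers once smtpd_tls_auth_only = yes is set.
EHLO_WITH_TLS_AUTH_ONLY = """\
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

if __name__ == "__main__":
    token = auth_plain("myusername", "thatpassword")
    print("AUTH PLAIN", token, "->", decode_auth_plain(token))
    print("cleartext AUTH before fix:", cleartext_auth_mechanisms(EHLO_WITHOUT_TLS_AUTH_ONLY))
    print("cleartext AUTH after fix: ", cleartext_auth_mechanisms(EHLO_WITH_TLS_AUTH_ONLY))
```

The "unknown protocol" error s_client printed for port 465 earlier in the thread is the other side of the same coin: the service answered with a plaintext 220 banner instead of a TLS handshake, which is what happens when smtpd_tls_wrappermode is not set on the smtps entry.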

RE: Bounce a particular recipient address with specified reject message

2009-12-01 Thread techlist06
> You are NOT 'rejecting', you are ACCEPTING, then BOUNCING, which you
> should never do if you can possibly help it. Reject it at smtp time.
>
> Why waste system resources scanning messages you will later bounce?

I understand your point.  Thank you for correcting my syntax.  FWIW, this
will only happen to a relatively minuscule number of inbound messages.  I
don't *think* it will take much in the way of resources.  For my specific
purpose, this check is to deal with the occasional, but fairly regular
incorrect replies to the announcement list.  The access map check is likely
to only have to deal with such an accept, then bounce a few times a week.
So I figured instead of testing thousands per day of unrelated inbound
messages against this access check that I know will get hit rarely, I
figured it would be better to put the check nearer the end of my UCE checks.
Which will cause the occasional accept then bounce.  

Mainly I was apprehensive about moving the restriction on my main.cf.  I
have tried to carefully select respected authorities books and one
particular UCE guide to build my main.cf.  And it works very, very well
(thanks Ralf).  Not being an expert, I don't want to accidentally break
anything that is there and screw it up.  If you have a suggestion on where
to put the access map restriction in my setup, I'm all ears.  

Thanks!

RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
Sahil, et al.:

> Use an access(5) or transport(5) map:

It appears that using an access map would best meet my need.  I do not
currently use an access map.  Can you/anyone assist me with the proper
placement of 
 check_client_access hash:/etc/postfix/access
in my setup?  I don't want to screw up my restrictions which otherwise work
properly.

I *think* putting it last, after my greylisting line (see comment in
postconf output below) would be appropriate.  I think I'd want them to pass
all other spam checks before rejecting semi-legitimate mail to this
particular address with my specific reject message.

Thanks,
Scott


postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname,  localhost.$mydomain,  localhost,  $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining,  permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname,  reject_non_fqdn_sender,
reject_non_fqdn_recipient,  permit_mynetworks,  reject_unauth_destination,
check_recipient_mx_access hash:/etc/postfix/mx_access,
check_sender_mx_access hash:/etc/postfix/mx_access,
reject_unknown_sender_domain,  check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access
hash:/etc/postfix/helo_checks,  check_sender_access
hash:/etc/postfix/sender_checks,  check_client_access
hash:/etc/postfix/client_checks,  check_client_access
pcre:/etc/postfix/client_checks.pcre,  reject_rbl_client list.dsbl.org,
reject_rbl_client zen.spamhaus.org,  reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client psbl.surriel.com,  reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,  permit

## access map check here ??

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users

RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
I tried to setup an access map and reject a specific user.  But the mails to
that user are not rejected.  I tried adding the access map in a few
different places in the configuration, so far none worked.  It shows up in
the smtpd_recipient_restrictions line below.   Can anyone see what I did
wrong?:

My access map file has:
mailli...@mydomain.com  550 REJECT 

The corresponding access.db file is built and fresh

But mails to mailli...@mydomain.com get through without issue.


postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = xxx
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = x
mydestination = $myhostname,  localhost.$mydomain,  localhost,  $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining,  permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname,  reject_non_fqdn_sender,
reject_non_fqdn_recipient,  permit_mynetworks,  reject_unauth_destination,
check_recipient_mx_access hash:/etc/postfix/mx_access,
check_sender_mx_access hash:/etc/postfix/mx_access,
reject_unknown_sender_domain,  check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access
hash:/etc/postfix/helo_checks,  check_sender_access
hash:/etc/postfix/sender_checks,  check_client_access
hash:/etc/postfix/client_checks,  check_client_access
pcre:/etc/postfix/client_checks.pcre,  check_client_access
hash:/etc/postfix/access  reject_rbl_client list.dsbl.org,
reject_rbl_client zen.spamhaus.org,  reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client psbl.surriel.com,  reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket,  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users

-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of techlist06
Sent: Tuesday, November 24, 2009 8:14 AM
To: postfix-users@postfix.org
Subject: Bounce a particular recipient address with specified reject message

Greetings:

I have what I expect is a simple question for you guys.  Thanks to Ralf's
book and the help here I have a many-year stable postfix configuration, love
it, don't mess with it.

I have a very small hobby-based mailing list I maintain manually in Outlook.
Although all maillist messages I send out include a footer asking the
recipients to not reply to that maillist messages, the users will reply to
the maillist messages occasionally and I would prefer they only reply to my
other addresses.  I can change the reply to address in Outlook to an invalid
one, and it will reject it back to the sender with not in virtual user
table but I don't want that bounce message for this particular case.

Instead, I would like to setup postfix so it has a more friendly reject for
mail sent to (via replies to my messages) maill...@mydomain.com with a
particular reject message that instructs the user on what address(es) to use
to better contact me.  Something similar to:

550 reject The email address maill...@mydomain.com does not accept inbound
mail.  Please use one of these addresses for contacting us: maillist
unsubscribe: rem...@mydomain.com, support issues: supp...@mydomain.com,
other i...@mydomain.com, etc

RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
> You have:
> check_client_access hash:/etc/postfix/access
> which is wrong for matching email addresses:

Thanks, that fixed my error.

> check_recipient_access hash:/etc/postfix/access
>
> BTW, if you are trying to block all access to this email address, why
> not just remove it from your list(s) of valid recipients?  Did I miss
> something earlier in the thread?

I was wanting to give a specific reject message for a particular address.
It's a small, manually maintained maillist.  I don't want the subscribers to
reply to the reply to address, but I didn't want to reject mails without a
friendlier explanation of where they should reply.  An auto-reply with
reject I guess.

I expect there is a better way to do same, this seems to work OK.
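
The check_client_access / check_recipient_access mix-up comes down to which keys Postfix looks up in the table, so here is an added example (not code from the thread or from Postfix) that emulates the access(5) lookup order for both restrictions and turns the right-hand side into an SMTP reply. A client lookup tries the client's hostname, its parent domains, the IP address and shorter dotted prefixes; it never sees the recipient, so a table keyed by an email address cannot match there. A recipient lookup tries user@domain, then the domain and its parents (a bare parent domain matches subdomains because the main.cf above lists smtpd_access_maps in parent_domain_matches_subdomains; otherwise the parent has to be written ".domain"), then user@. One more point from access(5): everything after a numeric code is the reply text, so the first map in this thread, "550 REJECT", would have answered with the literal word REJECT; the later "550 Do not reply to this address ..." form is the right one. Table entries and addresses below are constructed; IPv6 clients and recipient_delimiter address extensions are left out.

```python
"""Emulate access(5) lookups for check_recipient_access and
check_client_access, and interpret the table's right-hand side.
Added example, not Postfix code; the table below is constructed."""
import re


def _domain_keys(domain, parent_matches_subdomains):
    """Keys tried for a domain: the domain itself, then each parent. With
    smtpd_access_maps in parent_domain_matches_subdomains a bare parent
    "example.com" matches; otherwise the parent must be ".example.com"."""
    labels = domain.lower().split(".")
    keys = [domain.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def recipient_access_lookup(table, address, parent_matches_subdomains=True):
    """check_recipient_access (and check_sender_access) order:
    user@domain, then the domain and its parents, then user@.
    Returns (matched_key, rhs) or None."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    keys = [address] + _domain_keys(domain, parent_matches_subdomains) + [user + "@"]
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def client_access_lookup(table, hostname, ip, parent_matches_subdomains=True):
    """check_client_access order: the client hostname and its parents, then
    the IP address and successively shorter dotted prefixes
    (192.0.2.10, 192.0.2, 192.0, 192). An "unknown" hostname is skipped."""
    keys = []
    if hostname and hostname != "unknown":
        keys += _domain_keys(hostname, parent_matches_subdomains)
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def access_action(rhs):
    """Map an access(5) right-hand side to (verdict, smtp_code, text).
    Bare REJECT/DEFER use Postfix's defaults access_map_reject_code (554)
    and access_map_defer_code (450). A leading [45]NN code makes the rest
    of the value the reply text."""
    rhs = rhs.strip()
    m = re.match(r"^([45]\d\d)\s*(.*)$", rhs)
    if m:
        return ("DEFER" if m.group(1)[0] == "4" else "REJECT"), m.group(1), m.group(2)
    word, _, text = rhs.partition(" ")
    word = word.upper()
    if word == "REJECT":
        return "REJECT", "554", text or "Access denied"
    if word == "DEFER":
        return "DEFER", "450", text or "Service unavailable"
    if word in ("OK", "PERMIT"):
        return "OK", None, text
    if word == "DUNNO":
        return "DUNNO", None, text
    return "OTHER", None, rhs  # HOLD, DISCARD, FILTER, ... not modelled here


# Constructed table, as postmap would store it (keys lower-cased).
ACCESS_TABLE = {
    "list-noreply@example.com":
        "550 Do not reply to this address; write to support@example.com instead",
    "spam.example": "REJECT",
}

if __name__ == "__main__":
    hit = recipient_access_lookup(ACCESS_TABLE, "List-NoReply@Example.COM")
    print("check_recipient_access:", hit, "->", access_action(hit[1]))
    print("check_client_access:   ", client_access_lookup(ACCESS_TABLE, "mail.example.org", "192.0.2.10"))
    print("envelope sender still deliverable:", recipient_access_lookup(ACCESS_TABLE, "list@example.com"))
    print("'550 REJECT' would reply:", access_action("550 REJECT"))
```

The last line of the demonstration is the point made earlier in the thread about not blocking the envelope sender: only the Reply-To address is in the table, so bounces to the list's real sender address still get through.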

RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
> So, lemme get this straight.  You changed the list address, but instead
> of just sending an email to the list addresses telling all users of the
> list address change, you just decided to, in essence, inform them via an
> NDR when they send mail to the list?  There have got to be at least 1000
> list management how-to's on the web, and not a one would recommend you
> do this in this way, and probably all 1000 would say _never_ manage a
> list this way...yikes.

No I didn't change the list address.  It is not a mail list like this one,
more of an announcement list.  It is not a 2-way mailing list.  The
subscribers don't send anything to it for other subscribers to see.  It's
used rarely to send announcements of event cancellations, etc.  About 1000
subscribers manually maintained.  But, the users tend to start a (unrelated)
communication with us via replying to that announcement list's reply to
address since that is where they last received a message from us.  And so
their message does not go to the right person, it goes to the source address
of the announcement and we have to sort through them and direct the message
to where it should have gone to start with.  We just want to let a subscriber
who incorrectly sends to the announcement list address use one of the
correct addresses to communicate with us, not replying to the
announcement list.  See?  FWIW, we tell them not to do it with a footer and
header on every announcement email, but they do it anyway.  I'm sure there
is a better way, this seemed easy enough to implement.   Perhaps an
auto-reply type setup to that particular address.  I looked at those and
they looked more difficult to set up.  I'd be grateful for better
suggestions. I'll look for a better way to notify them.

Thanks very much for the help.

RE: Bounce a particular recipient address with specified reject message

2009-11-30 Thread techlist06
Noel:

Thank you.

> The envelope sender where delivery problems are reported can
> be different from the From: header displayed in most email
> clients, which can also be different from the Reply-To: header
> where most mail clients will send if you hit the Reply button.
>
> You mustn't block the mail list's envelope sender address; you
> must be able to receive non-delivery notifications.
>
> There's nothing wrong with rejecting incoming mail addressed
> to the mail list From: address for an announce-only list.

I believe I understand and that was exactly what I was setting up, I think.
This is what I had setup to do:
The original message is actually sent from maill...@mydomain.com.  The
envelope sender as I understand it.  

I NEED to know when an announcement message bounces, because that is how I
maintain the list manually, and remove any invalid entries.  When they
bounce, I know they are bad, or I can decide if they've had too many
mailbox full replies, etc. and then I remove the bounced address from
the distribution list.  So I have not blocked the envelope sender.

For announcements I send, I have the Reply to set to a different, but
similar address which is: maillist_nore...@mydomain.com (still trying to get
their attention to not reply to the address).  This is the address I have
blocked in my new access table.

So, if they click on reply in their client, the reply message should be
sent to maillist_nore...@mydomain.com.  My end accepts it (through spam
filters), but then rejects the address with my custom reject message via my
new access table with:
maillist_nore...@mydomain.com 550 Do not reply to this address, instead do
this.

I did not add all that detail in my original post to avoid confusing my
original question.  Thanks for the detailed reply and helping me be sure I
wasn't doing something wrong/improper.

Best,
Scott

Bounce a particular recipient address with specified reject message

2009-11-24 Thread techlist06
Greetings:

I have what I expect is a simple question for you guys.  Thanks to Ralf's
book and the help here I have a many-year stable postfix configuration, love
it, don't mess with it.

I have a very small hobby-based mailing list I maintain manually in Outlook.
Although all maillist messages I send out include a footer asking the
recipients not to reply to the maillist messages, the users will reply to
the maillist messages occasionally and I would prefer they only reply to my
other addresses.  I can change the Reply-To address in Outlook to an invalid
one, and it will reject it back to the sender with "not in virtual user
table", but I don't want that bounce message for this particular case.

Instead, I would like to set up postfix so it has a more friendly reject for
mail sent to (via replies to my messages) maill...@mydomain.com with a
particular reject message that instructs the user on what address(es) to use
to better contact me.  Something similar to:

550 reject The email address maill...@mydomain.com does not accept inbound
mail.  Please use one of these addresses for contacting us: maillist
unsubscribe: rem...@mydomain.com, support issues: supp...@mydomain.com,
other: i...@mydomain.com, etc.

I thought maybe adding the address maill...@mydomain.com to the
recipient_checks.pcre?  But I don't know how to write the regex if that's the
right place to do this.

Can someone help and tell me where is the best place to set this up?

Thanks as always,
Scott


postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydestination = $myhostname,  localhost.$mydomain,  localhost,  $mydomain
mydomain = companypostoffice.com
myhostname = tn1.companypostoffice.com
mynetworks = localhost,$localdomain, xx.xx.xx.xx/32, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = differentdomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining,  permit
smtpd_helo_required = yes
smtpd_recipient_limit = 1500
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_mx_access hash:/etc/postfix/mx_access,
    check_sender_mx_access hash:/etc/postfix/mx_access,
    reject_unknown_sender_domain,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
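The custom 550 asked for in the original post, and the access-table entry for the Reply-To address described in the follow-up, both rely on how smtpd searches an access(5) table for a recipient address: the full user@domain first, then the domain and its parent domains, then user@. The script below is an added example, not code from the thread or from Postfix; it models that lookup order over a constructed hash: table so you can see which entry a given RCPT TO address hits before touching the live server. The names maillist@example.com (envelope sender of the announcements), maillist-noreply@example.com (Reply-To target), remove@example.com, support@example.com and the file name /etc/postfix/recipient_access are assumptions standing in for the obfuscated addresses in the post; the table text is constructed for the example.

```python
"""Postfix access(5) lookup order for a check_recipient_access table."""

# Constructed hash: table (example.com names are assumptions).  On the
# server this would be /etc/postfix/recipient_access, built with
#   postmap hash:/etc/postfix/recipient_access
# and referenced from smtpd_recipient_restrictions, after
# reject_unauth_destination, as
#   check_recipient_access hash:/etc/postfix/recipient_access
RECIPIENT_ACCESS = """
# Reply-To target of the announcements: custom 550 text instead of
# "User unknown in virtual alias table".
maillist-noreply@example.com  550 Do not reply to this address. Unsubscribe: remove@example.com, support: support@example.com
# Envelope sender of the announcements must stay deliverable so that
# bounces come back; OK documents that (DUNNO would also do).
maillist@example.com          OK
"""

# The postconf -n in the thread lists smtpd_access_maps in
# parent_domain_matches_subdomains, so a bare "domain" key also matches
# subdomains; without it the ".domain" key form is used for that.
PARENT_DOMAIN_MATCHES_SUBDOMAINS = True


def parse_access_table(text):
    """Return {key: action} with keys case-folded like a hash: table."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("access table line without action: %r" % raw)
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_keys(address, parent_matches_subdomains=PARENT_DOMAIN_MATCHES_SUBDOMAINS):
    """Keys smtpd tries, in order, for an e-mail address lookup:
    user@domain, then the domain (and its parents), then user@.
    Address extensions (user+ext@domain) are not modelled here."""
    address = address.lower()
    if "@" not in address:
        return [address]
    localpart, _, domain = address.rpartition("@")
    keys = [address]
    labels = domain.split(".")
    if parent_matches_subdomains:
        # example.com -> example.com, com
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    else:
        # example.com -> example.com, .com
        keys.append(domain)
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(localpart + "@")
    return keys


def decide(address, table, parent_matches_subdomains=PARENT_DOMAIN_MATCHES_SUBDOMAINS):
    """First matching entry as {"key": ..., "action": ...}, or None when
    nothing matched (or DUNNO stopped the search) and the restrictions
    after check_recipient_access decide."""
    for key in lookup_keys(address, parent_matches_subdomains):
        action = table.get(key)
        if action is None:
            continue
        if action.upper() == "DUNNO":
            return None
        return {"key": key, "action": action}
    return None


def smtp_reply(address, table, parent_matches_subdomains=PARENT_DOMAIN_MATCHES_SUBDOMAINS):
    """Reply sent at RCPT TO for a numeric "4xx/5xx text" action, or None.
    The wording approximates what smtpd produces for such an action."""
    hit = decide(address, table, parent_matches_subdomains)
    if hit is None or not hit["action"][:3].isdigit():
        return None
    code, _, text = hit["action"].partition(" ")
    enhanced = "4.7.1" if code.startswith("4") else "5.7.1"
    return "%s %s <%s>: Recipient address rejected: %s" % (code, enhanced, address, text)


if __name__ == "__main__":
    table = parse_access_table(RECIPIENT_ACCESS)
    for rcpt in ("maillist-noreply@example.com", "maillist@example.com",
                 "support@example.com"):
        print(rcpt, "->", decide(rcpt, table))
    print(smtp_reply("maillist-noreply@example.com", table))
```

Two things worth checking against the postconf -n above before relying on this. First, check_recipient_access sits after permit_mynetworks in smtpd_recipient_restrictions, so a reply submitted from a client in mynetworks is accepted before the table is consulted; the external list members the thread is about do reach it. Second, because the rejection happens at RCPT TO, it is the replier's own MTA that builds the bounce, and most of them copy the 550 text into it, which is what makes the friendly wording visible to the user. If you would rather keep the entry in the existing recipient_checks.pcre table, the equivalent pcre_table(5) line is a regexp key with the same action, for example `/^maillist-noreply@example\.com$/ 550 Do not reply ...`.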