[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Viktor Dukhovni via Postfix-users wrote on 2024-06-18 15:27:
> On Tue, Jun 18, 2024 at 03:20:46PM +0200, Benny Pedersen via
> Postfix-users wrote:
>
>> xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
>>
>> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
>> posttls-finger: server certificate verification failed for
>> www.stovebolt.com[108.174.193.28]:465: num=62:hostname mismatch
>>
>> issue new cert to fix it
>>
>> certbot --apache -d *.stovebolt.com -d stovebolt.com
>
> There's nothing to fix, you're using the wrong hostname.

good, is why i use

$config['imap_host'] = 'ssl://localhost:993';
$config['imap_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => false, 'verify_peer_name' => false, ), );

port 465 is not tls

$config['smtp_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => false, 'verify_peer_name' => false, ), );

$config['smtp_host'] = 'tls://localhost:587';

op had imho

$config['smtp_host'] = 'tls://hostname:465';

which will fail

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Paul Schmehl via Postfix-users wrote on 2024-06-18 08:04:

> posttls-finger: server certificate verification failed for
> mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
>
> This looks like it’s working correctly now, right?

hostname mismatch means still need to reissue new cert

mail is not www :=)

xpoint@tux ~ $ posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "mail.stovebolt.com"

posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
posttls-finger: certificate verification failed for
mail.stovebolt.com[108.174.193.29]:465: untrusted issuer
/C=US/O=Internet Security Research Group/CN=ISRG Root X1

unsure why with it



[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 18, 2024 at 03:20:46PM +0200, Benny Pedersen via Postfix-users 
wrote:

> xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465" 
> "www.stovebolt.com"
> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> posttls-finger: server certificate verification failed for 
> www.stovebolt.com[108.174.193.28]:465: num=62:hostname mismatch
> 
> issue new cert to fix it
> 
> certbot --apache -d *.stovebolt.com -d stovebolt.com

There's nothing to fix, you're using the wrong hostname.

-- 
Viktor.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Paul Schmehl via Postfix-users wrote on 2024-06-18 06:39:

> On Jun 17, 2024, at 10:14 PM, Cowbay via Postfix-users wrote:
>> On 2024/6/18 10:43, Paul Schmehl via Postfix-users wrote:
>>
>>> The problem is neither tls nor ssl worked. No matter what config I
>>> used, roundcube would always throw an error. If I used
>>> $config['smtp_host'] = 'tls;//www.stovebolt.com'; or I used
>>> $config['smtp_host'] = 'ssl;//www.stovebolt.com'; roundcube would

typo tls; ssl; it's not valid, must be ssl: and tls:

xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"

posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
posttls-finger: server certificate verification failed for
www.stovebolt.com[108.174.193.28]:465: num=62:hostname mismatch

issue new cert to fix it

certbot --apache -d *.stovebolt.com -d stovebolt.com

if * is to be avoided add all valid hostnames with -d






[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Peter via Postfix-users wrote on 2024-06-18 04:08:

> On 18/06/24 13:00, Jeff Peng via Postfix-users wrote:
>> On 2024-06-18 07:30, Peter via Postfix-users wrote:
>>> On 17/06/2024 17:28, Paul Schmehl wrote:
>
>> though it's a big offtopic, may I ask that, for roundcube, how to stop
>> users adding their own sender identity? for example, when user login
>> as u...@domain.com, they can add the identity in roundcube interface
>> as f...@bar.com.
>
> I don't know off the top of my head but roundcube is not necessarily
> the right place to do this.  Consider that someone can bypass roundcube
> and connect to the submission port directly then any limitations you
> put in roundcube won't matter.  It's better to put the limitations in
> postfix and dovecot so that no matter how the user connects they will
> be limited.

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 0;

is what is possible in roundcube

this is just not make any limit when there is other muas than roundcube

for solving in roundcube it could be identities confirmed with send a
email to new email, its just not worth





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 1:34 AM, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
> On Tue, Jun 18, 2024 at 01:04:25AM -0500, Paul Schmehl via Postfix-users 
> wrote:
> 
>> # posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"
> 
> Why the "www.stovebolt.com"???  What hostname is roundcube configured to
> connect to?  The certificate is for "mail.stovebolt.com".

This is what I have in roundcube presently:

$config['smtp_host'] = 'tls://mail.stovebolt.com:465';

> 
> Correctly configured, wrapper-mode TLS is working on port 465, but one
> of the subject alternative DNS names in the certificate needs to match
> the hostname used by roundcube, or conversely, roundcube needs to be
> configured to connect to one of those names.
> 
I think I’ve done that correctly now.

I have posted both postconf -nf and postconf -Mf to the web. You can view them 
here:

https://www.stovebolt.com/postconfnf.txt
https://www.stovebolt.com/postconfMf.txt

I’ve been using postfix for a long, long time. It’s entirely possible I have 
out-of-date config stuff. I’m running 3.9.0-1 now.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 18, 2024 at 01:04:25AM -0500, Paul Schmehl via Postfix-users wrote:

> >> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
> >> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> > 
> > Your port 465 "smtps" service is misconfigured, it is missing the
> > "-o smtpd_tls_wrapper_mode=yes" option.
>
> OK. wrappermode was commented out. I uncommented it, restarted the
> daemon, and ran finger again.

[ For future drawn-out threads, we really should not let these go on
  quite so long without requesting the "postconf -nf" and "postconf -Mf"
  outputs. ]

> # posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"

Why the "www.stovebolt.com"???  What hostname is roundcube configured to
connect to?  The certificate is for "mail.stovebolt.com".

> posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
> posttls-finger: server certificate verification failed for 
> mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
> posttls-finger: mail.stovebolt.com[108.174.193.29]:465: 
> subject_CN=mail.stovebolt.com, issuer=R10, cert 
> fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5,
>  pkey 
> fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
> posttls-finger: Untrusted TLS connection established to 
> mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher 
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
> RSA-PSS (4096 bits) server-digest SHA256

> This looks like it’s working correctly now, right?

Correctly configured, wrapper-mode TLS is working on port 465, but one
of the subject alternative DNS names in the certificate needs to match
the hostname used by roundcube, or conversely, roundcube needs to be
configured to connect to one of those names.

-- 
Viktor.
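
Added example, not part of the original message: the name check described above, sketched in Python. The function names are illustrative, the SAN lists are constructed (the thread only shows subject_CN=mail.stovebolt.com), and the wildcard handling is a conservative reading of the usual rules (whole leftmost label only, one label deep).

```python
def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def dns_name_matches(pattern, hostname):
    """True if a certificate DNS name (possibly '*.x.y') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # '*' stands for exactly one leftmost label; refuse '*.tld'.
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial wildcards such as 'm*il' are not honoured here
    return p == h


def matching_sans(hostname, san_dns_names):
    """Return the certificate DNS names that cover the configured hostname."""
    return [san for san in san_dns_names if dns_name_matches(san, hostname)]


def check_client_config(configured_host, san_dns_names):
    """Describe whether the name the client connects to is in the certificate."""
    hits = matching_sans(configured_host, san_dns_names)
    if hits:
        return "match: " + ", ".join(hits)
    return "hostname mismatch: %s not covered by %s" % (
        configured_host, ", ".join(san_dns_names))


if __name__ == "__main__":
    # Constructed SAN lists: a single-name certificate and a wildcard one
    # of the shape requested by the certbot command quoted in this thread.
    single = ["mail.stovebolt.com"]
    wildcard = ["*.stovebolt.com", "stovebolt.com"]
    for host in ("www.stovebolt.com", "mail.stovebolt.com", "stovebolt.com"):
        print(host, "| single:", check_client_config(host, single))
        print(host, "| wildcard:", check_client_config(host, wildcard))
```

Either side can be changed to make the check pass: point the client at a name already in the certificate, or reissue the certificate so that it lists the name the client uses.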


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 12:38 AM, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
> On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users 
> wrote:
> 
>> That might have uncovered a problem.
>> 
>> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
>> 
>> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
>> posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: 
>> -1
>> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
>> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> 
> Your port 465 "smtps" service is misconfigured, it is missing the
> "-o smtpd_tls_wrapper_mode=yes" option.  For example:
> 
> 465       inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_wrappermode=yes
>     -o smtpd_milters=
>     -o syslog_name=postfix/smtps
>     -o smtpd_sasl_auth_enable=yes
>     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     -o smtpd_recipient_restrictions=
>     -o smtpd_data_restrictions=
>     -o smtpd_end_of_data_restrictions=
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_milters=$mua_milters
>     -o always_add_missing_headers=yes
> 
OK. wrappermode was commented out. I uncommented it, restarted the daemon, and 
ran finger again.

# posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"
posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
posttls-finger: server certificate verification failed for 
mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
posttls-finger: mail.stovebolt.com[108.174.193.29]:465: 
subject_CN=mail.stovebolt.com, issuer=R10, cert 
fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5,
 pkey 
fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
posttls-finger: Untrusted TLS connection established to 
mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (4096 bits) server-digest SHA256
posttls-finger: < 220 mail.stovebolt.com ESMTP Postfix
posttls-finger: > EHLO mail.stovebolt.com
posttls-finger: < 250-mail.stovebolt.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 9
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING

---
Certificate chain
(I deleted all the cert stuff)

posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

This looks like it’s working correctly now, right?

Paul Schmehl
paul.schm...@gmail.com





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Viktor Dukhovni via Postfix-users
On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users wrote:

> That might have uncovered a problem.
> 
> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
> 
> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: -1
> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:

Your port 465 "smtps" service is misconfigured, it is missing the
"-o smtpd_tls_wrapper_mode=yes" option.  For example:

465       inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_milters=
    -o syslog_name=postfix/smtps
    -o smtpd_sasl_auth_enable=yes
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_milters=$mua_milters
    -o always_add_missing_headers=yes

-- 
Viktor.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Paul Schmehl via Postfix-users
> On Jun 17, 2024, at 10:14 PM, Cowbay via Postfix-users 
>  wrote:
> 
> On 2024/6/18 10:43, Paul Schmehl via Postfix-users wrote:

>> The problem is neither tls nor ssl worked. No matter what config I used, 
>> roundcube would always throw an error. If I used $config['smtp_host'] = 
>> 'tls;//www.stovebolt.com'; or I used $config['smtp_host'] = 
>> 'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t 
>> connect to the server. If I removed them and used only the FQHN, it errored 
>> out saying the postfix doesn’t support authentication.
>> 
>> I thought maybe it might be a cert issue (I was using a self-signed cert), 
>> so I switched to a letsencrypt cert, but that made no difference. No matter 
>> what I did, roundcube refused to send mail.
>
> I learned a tool to check this problem. You can try below command and check 
> the output:
> 
> posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"

That might have uncovered a problem.

# posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"

posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: -1
posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:

Paul Schmehl
paul.schm...@gmail.com





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users

On 2024-06-18 10:40, postfix--- via Postfix-users wrote:
>>> To be honest, you still likely want authentication.  Keep in mind
>>> that you don't need to authenticate as a single user for roundcube
>>> but rather you can have roundcube pass authentication through from
>>> its own user login and therefore support multiple users while also
>>> allowing postfix to support those same multiple users and see their
>>> individual logins. The point of this is that you can then use
>>> settings such as smtpd_sender_login_maps and
>>> reject_sender_login_mismatch in postfix to control individual users
>>> from roundcube.
>>
>> though it's a big offtopic, may I ask that, for roundcube, how to stop
>> users adding their own sender identity? for example, when user login
>> as u...@domain.com, they can add the identity in roundcube interface
>> as f...@bar.com.
>
> It is what the previous poster was explaining to you. It isn't turn key
> and requires some custom SQL queries or config if using flat files. But
> you use permit_sasl_authenticated on submission to make sure only
> authenticated users can send email, then you use
> reject_sender_login_mismatch to make sure they can only send email that
> has a from address belonging to whomever is logged in through
> permit_sasl_authenticated.
>
> Postfix will not accept email through submission they are not
> authorized to send. When the user clicks the send email button they
> will see an error message to the effect they are not the owner of the
> address they are trying to use.
>
> Another less secure option is roundcube has a setting that disables the
> ability of users to create or edit identities in the web interface
> keeping them stuck using only the From: address their roundcube account
> was created with.
>
>   $config['identities_level'] = 3;

Great to know the info.
Thanks Peter!


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Gary R. Schmidt via Postfix-users

On 18/06/2024 12:43, Paul Schmehl via Postfix-users wrote:
[SNIP]

> roundcube would always throw an error. If I used $config['smtp_host']
> = 'tls;//www.stovebolt.com'; or I used $config['smtp_host'] =
> 'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t

I hope the semi-colon characters above are a typo, not the actual lines!

Cheers,
Gary  B-)


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Cowbay via Postfix-users

On 2024/6/18 10:43, Paul Schmehl via Postfix-users wrote:
>> On Jun 17, 2024, at 6:30 PM, Peter via Postfix-users wrote:
>>
>>> On 17/06/2024 17:28, Paul Schmehl wrote:
>>>> How do you set up roundcube to not use authentication? I really don’t
>>>> need it since it’s on the same machine as the mail server. What config
>>>> options do I need to use?
>>
>> To be honest, you still likely want authentication.  Keep in mind that you
>> don't need to authenticate as a single user for roundcube but rather you can
>> have roundcube pass authentication through from its own user login and
>> therefore support multiple users while also allowing postfix to support those
>> same multiple users and see their individual logins. The point of this is
>> that you can then use settings such as smtpd_sender_login_maps and
>> reject_sender_login_mismatch in postfix to control individual users from
>> roundcube.
>>
>> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
>
> The problem is neither tls nor ssl worked. No matter what config I used,
> roundcube would always throw an error. If I used $config['smtp_host'] =
> 'tls;//www.stovebolt.com'; or I used $config['smtp_host'] =
> 'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t
> connect to the server. If I removed them and used only the FQHN, it errored
> out saying the postfix doesn’t support authentication.
>
> I thought maybe it might be a cert issue (I was using a self-signed cert),
> so I switched to a letsencrypt cert, but that made no difference. No matter
> what I did, roundcube refused to send mail.

I learned a tool to check this problem. You can try below command and check the 
output:

posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"

> Paul Schmehl
> paul.schm...@gmail.com





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Peter via Postfix-users

On 18/06/24 14:43, Paul Schmehl via Postfix-users wrote:
> If I used $config['smtp_host']
> = 'tls;//www.stovebolt.com'; or I used $config['smtp_host'] =
> 'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t
> connect to the server.

It's "tls://..." or "ssl://" with a colon (:) not a semicolon (;).


Peter


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Paul Schmehl via Postfix-users
> On Jun 17, 2024, at 6:30 PM, Peter via Postfix-users 
>  wrote:
> 
>> On 17/06/2024 17:28, Paul Schmehl wrote:
>>> How do you set up roundcube to not use authentication? I really don’t need 
>>> it since it’s on the same machine as the mail server. What config options 
>>> do I need to use?
> 
> To be honest, you still likely want authentication.  Keep in mind that you 
> don't need to authenticate as a single user for roundcube but rather you can 
> have roundcube pass authentication through from its own user login and 
> therefore support multiple users while also allowing postfix to support those 
> same multiple users and see their individual logins. The point of this is 
> that you can then use settings such as smtpd_sender_login_maps and 
> reject_sender_login_mismatch in postfix to control individual users from 
> roundcube.
> 
> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch

The problem is neither tls nor ssl worked. No matter what config I used, 
roundcube would always throw an error. If I used $config['smtp_host'] = 
'tls;//www.stovebolt.com'; or I used $config['smtp_host'] = 
'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t connect 
to the server. If I removed them and used only the FQHN, it errored out saying 
the postfix doesn’t support authentication.

I thought maybe it might be a cert issue (I was using a self-signed cert), so I 
switched to a letsencrypt cert, but that made no difference. No matter what I 
did, roundcube refused to send mail.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread postfix--- via Postfix-users

>> To be honest, you still likely want authentication.  Keep in mind that you
>> don't need to authenticate as a single user for roundcube but rather you can
>> have roundcube pass authentication through from its own user login and
>> therefore support multiple users while also allowing postfix to support those
>> same multiple users and see their individual logins. The point of this is
>> that you can then use settings such as smtpd_sender_login_maps and
>> reject_sender_login_mismatch in postfix to control individual users from
>> roundcube.
>
> though it's a big offtopic, may I ask that, for roundcube, how to stop users
> adding their own sender identity? for example, when user login as
> u...@domain.com, they can add the identity in roundcube interface as
> f...@bar.com.

It is what the previous poster was explaining to you. It isn't turn key and 
requires some custom SQL queries or config if using flat files. But you use 
permit_sasl_authenticated on submission to make sure only authenticated users 
can send email, then you use reject_sender_login_mismatch to make sure they can 
only send email that has a from address belonging to whomever is logged in 
through permit_sasl_authenticated.

Postfix will not accept email through submission they are not authorized to 
send. When the user clicks the send email button they will see an error message 
to the effect they are not the owner of the address they are trying to use.

Another less secure option is roundcube has a setting that disables the ability 
of users to create or edit identities in the web interface keeping them stuck 
using only the From: address their roundcube account was created with.

  $config['identities_level'] = 3;
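
Added example, not part of the original message: a simplified Python model of the decision that reject_sender_login_mismatch makes against smtpd_sender_login_maps, showing that the check depends only on the SASL login and the envelope sender, not on which mail client submits. The map contents, addresses and result codes are constructed; only full-address and @domain lookups are modelled, and this is not Postfix code.

```python
import re

# Constructed flat-file style map: sender address (or @domain) on the left,
# the SASL login name(s) that own it on the right.
SAMPLE_MAP = """\
# sender                 owning SASL login name(s)
alice@example.com        alice
bob@example.com          bob
support@example.com      alice, bob
@lists.example.com       listadmin
"""


def parse_login_map(text):
    """Parse 'sender  owner1, owner2' lines into {sender: [owners]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, owners = parts
        # Owners are separated by commas and/or whitespace.
        table[key.lower()] = [o for o in re.split(r"[,\s]+", owners) if o]
    return table


def owners_of(sender, table):
    """Look up the full address first, then the '@domain' key."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    return table.get("@" + sender.rpartition("@")[2])


def sender_login_decision(sender, sasl_login, table):
    """Model the mismatch check; sasl_login is None for unauthenticated clients."""
    owners = owners_of(sender, table)
    if sasl_login is None:
        # An owned address may not be used without logging in.
        return "REJECT_NOT_LOGGED_IN" if owners else "PASS"
    if owners and sasl_login in owners:
        return "PASS"
    # Logged in, but the map does not list this login as owner of the sender.
    return "REJECT_NOT_OWNED"


if __name__ == "__main__":
    table = parse_login_map(SAMPLE_MAP)
    cases = [
        ("alice@example.com", "alice"),
        ("bob@example.com", "alice"),          # another user's address
        ("someone@elsewhere.example", "alice"),  # address nobody owns
        ("support@example.com", "bob"),        # shared address
        ("alice@example.com", None),           # no SASL login
    ]
    for sender, login in cases:
        print(sender, login, sender_login_decision(sender, login, table))
```

PASS here means only that this check raises no objection; later restrictions such as permit_sasl_authenticated still decide whether the mail is accepted.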


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Peter via Postfix-users

On 18/06/24 13:00, Jeff Peng via Postfix-users wrote:
> On 2024-06-18 07:30, Peter via Postfix-users wrote:
>> On 17/06/2024 17:28, Paul Schmehl wrote:
>>> How do you set up roundcube to not use authentication? I really
>>> don’t need it since it’s on the same machine as the mail server.
>>> What config options do I need to use?
>>
>> To be honest, you still likely want authentication.  Keep in mind that
>> you don't need to authenticate as a single user for roundcube but
>> rather you can have roundcube pass authentication through from its
>> own user login and therefore support multiple users while also
>> allowing postfix to support those same multiple users and see their
>> individual logins. The point of this is that you can then use settings
>> such as smtpd_sender_login_maps and reject_sender_login_mismatch in
>> postfix to control individual users from roundcube.
>
> though it's a big offtopic, may I ask that, for roundcube, how to stop
> users adding their own sender identity? for example, when user login as
> u...@domain.com, they can add the identity in roundcube interface as
> f...@bar.com.

I don't know off the top of my head but roundcube is not necessarily the 
right place to do this.  Consider that someone can bypass roundcube and 
connect to the submission port directly then any limitations you put in 
roundcube won't matter.  It's better to put the limitations in postfix 
and dovecot so that no matter how the user connects they will be limited.



Peter


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users

On 2024-06-18 07:30, Peter via Postfix-users wrote:
> On 17/06/2024 17:28, Paul Schmehl wrote:
>> How do you set up roundcube to not use authentication? I really don’t
>> need it since it’s on the same machine as the mail server. What
>> config options do I need to use?
>
> To be honest, you still likely want authentication.  Keep in mind that
> you don't need to authenticate as a single user for roundcube but
> rather you can have roundcube pass authentication through from its own
> user login and therefore support multiple users while also allowing
> postfix to support those same multiple users and see their individual
> logins. The point of this is that you can then use settings such as
> smtpd_sender_login_maps and reject_sender_login_mismatch in postfix to
> control individual users from roundcube.

though it's a big offtopic, may I ask that, for roundcube, how to stop 
users adding their own sender identity? for example, when user login as 
u...@domain.com, they can add the identity in roundcube interface as 
f...@bar.com.


Thanks.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Peter via Postfix-users

On 17/06/2024 17:28, Paul Schmehl wrote:
> How do you set up roundcube to not use authentication? I really don’t
> need it since it’s on the same machine as the mail server. What config
> options do I need to use?

To be honest, you still likely want authentication.  Keep in mind that 
you don't need to authenticate as a single user for roundcube but rather 
you can have roundcube pass authentication through from its own user 
login and therefore support multiple users while also allowing postfix 
to support those same multiple users and see their individual logins. 
The point of this is that you can then use settings such as 
smtpd_sender_login_maps and reject_sender_login_mismatch in postfix to 
control individual users from roundcube.


http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch


Peter


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Peter via Postfix-users

On 17/06/24 17:16, Peter via Postfix-users wrote:
> Without seeing logs and actual config settings I can only guess.  One
> thing to keep in mind is that there's two types of TLS connection,
> implicit TLS and explicit TLS.  Implicit TLS connects to a port
> dedicated to TLS connections, for submission this is the submissions
> (note the "s" on the end) port 465 (formerly called smtps) and is now
> the recommended service to submit mail to.  This is also controlled by
> the "wrappermode" setting in master.cf for the service.  Explicit TLS
> connects first in plain text then uses the STARTTLS command to establish
> a TLS session, this is how the submission (note no "s" on the end)
> service on port 587 works.  If you have wrappermode incorrectly set in
> postfix, or you have the wrong setting in roundcube then roundcube may
> be trying to connect with implicit TLS when postfix is expecting
> explicit TLS or vice-versa, either one will cause a failure at or
> shortly after connection time.

Just to help clarify, roundcube uses a prefix of "ssl://" to indicate 
implicit TLS and "tls://" to indicate explicit TLS (using STARTTLS) so 
for the submission service (587, no wrappermode in the master.cf config) 
you should be using "tls://" in roundcube for the smtp_server setting 
and set the smtp_port to 587.  For the submissions service (465, 
wrappermode set in master.cf) you should be using "ssl://" for 
smtp_server and 465 for smtp_port.



Peter
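
Added example, not part of the original message: a Python sketch that lints a Roundcube smtp_host string against the scheme and port pairing described above, and shows why a plaintext SMTP greeting read as a TLS record produces the "wrong version number" error quoted elsewhere in this thread. The function names and finding codes are made up for illustration; the sample inputs are values quoted in the thread.

```python
import re

# Pairing described in the message above:
#   ssl://  -> implicit TLS (wrapper mode), submissions port 465
#   tls://  -> explicit TLS via STARTTLS, submission port 587
EXPECTED_SCHEME = {465: "ssl", 587: "tls"}

# [scheme://]host[:port], the form used for smtp_host in this thread.
_SMTP_HOST_RE = re.compile(
    r"^(?:(?P<scheme>[a-z]+)://)?(?P<host>[^:/;\s]+)(?::(?P<port>\d+))?$"
)


def lint_smtp_host(value):
    """Return a list of finding codes (hypothetical names) for smtp_host."""
    m = _SMTP_HOST_RE.match(value.strip())
    if m is None:
        # e.g. 'tls;//host': a semicolon instead of a colon after the scheme
        return ["malformed"]
    scheme, port = m.group("scheme"), m.group("port")
    findings = []
    if scheme is not None and scheme not in ("ssl", "tls"):
        findings.append("unknown-scheme")
    if port is not None:
        expected = EXPECTED_SCHEME.get(int(port))
        if expected is not None and scheme != expected:
            findings.append("port-%s-expects-%s" % (port, expected))
    return findings


def record_header(first_bytes):
    """Split the first five bytes the way a TLS client reads a record header."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    return content_type, major, minor, length


def classify_first_bytes(first_bytes):
    """Say whether a server's first bytes are a TLS record or an SMTP reply."""
    if len(first_bytes) < 5:
        return "too-short"
    content_type, major, _minor, _length = record_header(first_bytes)
    # TLS record types 20-23 (change_cipher_spec, alert, handshake, app data)
    if 20 <= content_type <= 23 and major == 3:
        return "tls-record"
    # SMTP replies start with three digits followed by ' ' or '-'
    if first_bytes[:3].isdigit() and first_bytes[3:4] in (b" ", b"-"):
        return "plaintext-smtp-reply"
    return "unknown"


if __name__ == "__main__":
    for value in ("tls;//www.stovebolt.com", "tls://mail.stovebolt.com:465",
                  "ssl://mail.stovebolt.com:465", "tls://localhost:587"):
        print(value, lint_smtp_host(value))
    # Greeting from a listener without wrapper mode, as seen in the thread.
    greeting = b"220 mail.stovebolt.com ESMTP Postfix\r\n"
    # A client doing implicit TLS reads '2','2','0' as record type 0x32 and
    # version 0x32.0x30, which is not a TLS version.
    print(classify_first_bytes(greeting), record_header(greeting))
```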


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 17, 2024, at 4:43 AM, Jaroslaw Rafa via Postfix-users wrote:
> > 
> > On 16.06.2024 at 20:54:34, Paul Schmehl via Postfix-users wrote:
> >> 
> >> The odd thing is, I don't see any connection attempts at all in the mail
> >> logs.
> > 
> > May seem a strange question, but it's always first thing I check in case I
> > don't see any connection attempt in logs: Is your Roundcube really
> > connecting to the correct server? It's worth to double-check this.
> 
> It is: 
> 
> [17-Jun-2024 14:54:50 -0500]:  Connecting to 
> mail.stovebolt.com:25...
> [17-Jun-2024 14:54:50 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
> Postfix
> [17-Jun-2024 14:54:50 -0500]:  Send: EHLO www.stovebolt.com
> [17-Jun-2024 14:54:50 -0500]:  Recv: 250-mail.stovebolt.com

In that case you must also have Postfix logging.

Wietse


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Paul Schmehl via Postfix-users
> On Jun 17, 2024, at 4:43 AM, Jaroslaw Rafa via Postfix-users 
>  wrote:
> 
> On 16.06.2024 at 20:54:34, Paul Schmehl via Postfix-users wrote:
>> 
>> The odd thing is, I don’t see any connection attempts at all in the mail
>> logs.
> 
> May seem a strange question, but it's always first thing I check in case I
> don't see any connection attempt in logs: Is your Roundcube really
> connecting to the correct server? It's worth to double-check this.

It is: 

[17-Jun-2024 14:54:50 -0500]:  Connecting to mail.stovebolt.com:25...
[17-Jun-2024 14:54:50 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
Postfix
[17-Jun-2024 14:54:50 -0500]:  Send: EHLO www.stovebolt.com
[17-Jun-2024 14:54:50 -0500]:  Recv: 250-mail.stovebolt.com

Paul Schmehl
paul.schm...@gmail.com





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Benny Pedersen via Postfix-users

Jeff Peng via Postfix-users skrev den 2024-06-17 14:18:


$config['imap_host'] = 'ssl://localhost:993';

then RC will connect to server failed due to mis-configured certs.


$config['imap_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => 
false, 'verify_peer_name' => false, ), );


but fair to have cert verify aswell, here on localhost is imho no sense 
to ensure it, its just wasted resources, where it works as wanted





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Bill Cole via Postfix-users

On 2024-06-16 at 21:54:34 UTC-0400 (Sun, 16 Jun 2024 20:54:34 -0500)
Paul Schmehl via Postfix-users 
is rumored to have said:


I’m seeing this error in the roundcube logs:

[16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication 
failure: mail.stovebolt.com

PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING


That is the response to RC's EHLO command. It is a list of supported 
SMTP extensions.


(Code: 250) in /var/www/html/webmail/program/lib/Roundcube/rcube.php 
on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)
[16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does 
not support authentication


RC is correct in saying that the server does not support authentication, 
because there is no AUTH line in that list.


This is proper because if you support PLAIN or LOGIN mechanisms, AUTH 
should only be offered after TLS has been started. So RC should be 
giving a STARTTLS command here, but it is not.


Configure Roundcube to use TLS and your problem should be solved.



(POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)
[16-Jun-2024 20:34:16 -0500]:  SMTP Error: Authentication 
failure: mail.stovebolt.com

PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in 
/var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 
(POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)


The odd thing is, I don’t see any connection attempts at all in the 
mail logs. However, this log entry has me wondering. PHP Error: SMTP 
server does not support authentication


Should postfix be announcing that it accepts AUTH LOGIN?


Not on an insecure unencrypted session. After starting TLS, a second 
EHLO is sent and that will include AUTH.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire
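
The exchange described in the message above, as an added example that is not part of the original post or of Roundcube or Postfix: a Python parser for the multi-line EHLO reply that reports whether the client still has to issue STARTTLS and send EHLO again before AUTH is advertised. The sample replies, the host name mail.example.com and the verdict strings are constructed for illustration.

```python
import re

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample: a pre-TLS EHLO reply shaped like the one in the Roundcube log.
PLAIN_EHLO = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
"""
# Constructed sample: the second EHLO reply, sent inside the TLS session.
TLS_EHLO = PLAIN_EHLO.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN")


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for a multi-line 250 reply to EHLO."""
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty reply")
    caps = {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " the final line.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError(f"misplaced continuation marker: {line!r}")
        if i == 0:
            continue  # the first line is the server's greeting, not an extension
        word, _, rest = m.group(3).partition(" ")
        # Some servers also announce the legacy "AUTH=PLAIN LOGIN" spelling.
        word, eq, first = word.partition("=")
        caps.setdefault(word.upper(), []).extend(([first] if eq else []) + rest.split())
    return caps


def diagnose(reply, tls_active):
    """Classify an EHLO reply given whether TLS is already established."""
    caps = parse_ehlo(reply)
    if "AUTH" in caps:
        # AUTH on a cleartext session would put PLAIN/LOGIN credentials on the wire;
        # Postfix withholds it there when smtpd_tls_auth_only = yes.
        return "auth-ready" if tls_active else "auth-offered-in-cleartext"
    if tls_active:
        return "tls-up-but-no-auth"  # SASL is not enabled for this service
    if "STARTTLS" in caps:
        return "send-starttls-then-ehlo-again"
    return "no-starttls-no-auth"


if __name__ == "__main__":
    print(diagnose(PLAIN_EHLO, tls_active=False))
    print(diagnose(TLS_EHLO, tls_active=True))
```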


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users

I am also using roundcube + postfix + dovecot.
the host configuration for roundcube should be FQDN.
for example, mine is:

$config['imap_host'] = 'ssl://mail.tls-mail.com:993';
$config['smtp_host'] = 'ssl://mail.tls-mail.com:465';

you can't use something like:

$config['imap_host'] = 'ssl://localhost:993';

then RC will connect to server failed due to mis-configured certs.

regards.
Jeff


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Gary R. Schmidt via Postfix-users

On 17/06/2024 17:28, Paul Schmehl wrote:
[SNIP]
> How do you set up roundcube to not use authentication? I really don’t 
> need it since it’s on the same machine as the mail server. What config 
> options do I need to use?

That's how it works out of the box, or was when I set it up, just take 
the defaults and don't faff around with TLS because it's all on the same 
server.


Also, please do not reply directly, only to the list.

Cheers,
GaryB-)


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jaroslaw Rafa via Postfix-users
Dnia 16.06.2024 o godz. 20:54:34 Paul Schmehl via Postfix-users pisze:
> 
> The odd thing is, I don’t see any connection attempts at all in the mail
> logs.

May seem a strange question, but it's always first thing I check in case I
don't see any connection attempt in logs: Is your Roundcube really
connecting to the correct server? It's worth to double-check this.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Benny Pedersen via Postfix-users

Paul Schmehl via Postfix-users skrev den 2024-06-17 06:49:

I’m hoping I have solved the problem. I have roundcube sending mail on 
port 25 with no auth (all daemons are running on the same server), and 
it is sending mail. Gmail rejects it, but I’ve altered my spf record to 
include localhost. I hope once that propagates my problems will be 
solved.


$config['imap_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => 
false, 'verify_peer_name' => false, ), );

$config['imap_host'] = 'ssl://localhost:993';
$config['imap_vendor'] = 'dovecot';
$config['smtp_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => 
false, 'verify_peer_name' => false, ), );

$config['smtp_helo_host'] = 'localhost.example.org';
$config['smtp_host'] = 'tls://localhost:587';

does not need port 25 at all


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Paul Schmehl via Postfix-users

> On Jun 17, 2024, at 12:16 AM, Peter via Postfix-users 
>  wrote:
> 
> On 17/06/24 16:49, Paul Schmehl via Postfix-users wrote:
>> On Jun 16, 2024, at 10:30 PM, Peter via Postfix-users 
>>  wrote:
>>> 
>>> 
>>> It's likely that roundcube is not configured for TLS and postfix is (as it 
>>> should be) configured not to offer AUTH until TLS is established.
>>> 
>> Yes, postfix is configured to use TLS, and no roundcube is not. When I 
>> configure roundcube to connect using TLS it can’t even connect to the 
>> server. I don’t understand what’s going on with roundcube, but it’s 
>> definitely not behavior I would expect. It’s had me pulling my hair out for 
>> two days, and I don’t even have any hair.
> 
> Without seeing logs and actual config settings I can only guess.  One thing 
> to keep in mind is that there's two types of TLS connection, implicit TLS and 
> explicit TLS.  Implicit TLS connects to a port dedicated to TLS connections, 
> for submission this is the submissions (note the "s" on the end) port 465 
> (formerly called smtps) and is now the recommended service to submit mail to. 
>  This is also controlled by the "wrappermode" setting in master.cf for the 
> service.  Explicit TLS connects first in plain text then uses the STARTTLS 
> command to establish a TLS session, this is how the submission (note no "s" 
> on the end) service on port 587 works.  If you have wrappermode incorrectly 
> set in postfix, or you have the wrong setting in roundcube then roundcube may 
> be trying to connect with implicit TLS when postfix is expecting explicit TLS 
> or vice-versa, either one will cause a failure at or shortly after connection 
> time.
> 
> There are other possible reasons for TLS connection problems and without 
> seeing logs and settings it's impossible to determine what the actual issue 
> is.
> 
>> I’m hoping I have solved the problem. I have roundcube sending mail on port 
>> 25 with no auth (all daemons are running on the same server), and it is 
>> sending mail. Gmail rejects it, but I’ve altered my spf record to include 
> >> localhost. I hope once that propagates my problems will be solved.
> 
> You should not use port 25 for submission.  Port 25 should be for MX 
> communication *only* and attempting to use it for submission will cause many 
> many problems.  Use either submissions (465) or submission (587) instead.  Do 
> note that the newest recommendations are to use submissions.

Thank you Peter. I’ll have to chew on this for a while.
> 

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Alexander Leidinger via Postfix-users

Am 2024-06-17 06:49, schrieb Paul Schmehl via Postfix-users:
On Jun 16, 2024, at 10:30 PM, Peter via Postfix-users 
 wrote:



It's likely that roundcube is not configured for TLS and postfix is 
(as it should be) configured not to offer AUTH until TLS is 
established.


Yes, postfix is configured to use TLS, and no roundcube is not. When I 
configure roundcube to connect using TLS it can’t even connect to the 
server. I don’t understand what’s going on with roundcube, but it’s 
definitely not behavior I would expect. It’s had me pulling my hair out 
for two days, and I don’t even have any hair.



This makes roundcube use STARTTLS on port 587 (submission):
---snip---
$config['smtp_host'] = 'tls://your.smtp.server';
$config['smtp_port'] = 587;
---snip---

Other useful stuff for roundcube:
---snip---
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// Log sent messages to /sendmail.log or to syslog
$config['smtp_log'] = true;
---snip---

I’m hoping I have solved the problem. I have roundcube sending mail on 
port 25 with no auth (all daemons are running on the same server), and 
it is sending mail. Gmail rejects it, but I’ve altered my spf record to 
include localhost. I hope once that propagates my problems will be 
solved.


Probably not related to the gmail issue: you may want to remove some 
headers. I have those header checks to not expose some stuff from 
roundcube:


main.cf:
---snip---
smtp_header_checks = pcre:$config_directory/header_checks
---snip---

$config_directory/header_checks:
---snip---
/^Received: by your\.smtp\.server .*from userid [0-9]+\)/ IGNORE
/^Received: from www \(uid 80.*/ IGNORE
/^(Received: from your\.roundcube\.server)[^\n]*(.*)/ REPLACE $1 (localhost [127.0.0.1])$2

---snip---

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Gary R. Schmidt via Postfix-users

On 17/06/2024 11:54, Paul Schmehl via Postfix-users wrote:

I’m seeing this error in the roundcube logs:

[16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication 
failure: mail.stovebolt.com



[SNIP]
/var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)


[16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does not 
support authentication (POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)


[16-Jun-2024 20:34:16 -0500]:  SMTP Error: Authentication 
failure: mail.stovebolt.com

[SNIP]
The odd thing is, I don’t see any connection attempts at all in the mail 
logs. However, this log entry has me wondering. PHP Error: SMTP server 
does not support authentication



Should postfix be announcing that it accepts AUTH LOGIN? If so, I may 
have missed something in the config. I’m wondering if roundcube is not 
even attempting auth because postfix isn’t announcing it as a service that 
it offers.



Have you set "$config['smtp_debug'] = true;" in config.inc.php?
That might give you some more information.

Also look at "defaults.inc.php" and see if anything jumps out at you.

I've been using Roundcube for a long time, but not using authentication 
for sending.  If they can login to the webserver then they can send mail.


Cheers,
GaryB-)



[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Peter via Postfix-users

On 17/06/24 16:49, Paul Schmehl via Postfix-users wrote:

Gmail rejects it, but I’ve altered my spf record to include localhost. I hope 
once that propagates my problems will be solved.


This will not do anything for you, you cannot put localhost in an SPF 
record.


There are many reasons why gmail might be rejecting your mail and 
playing guessing games like this will only make things worse, not better.


For google issues specifically see: 
https://support.google.com/mail/answer/81126


Other deliverability advice:

* Check your FCRDNS: 
https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS


* Make sure that SPF, DKIM and DMARC are correctly configured.

* Sign up for www.dnswl.org

* Check for DNSRBL entries: http://multirbl.valli.org/


Peter


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Peter via Postfix-users

On 17/06/24 16:49, Paul Schmehl via Postfix-users wrote:

On Jun 16, 2024, at 10:30 PM, Peter via Postfix-users 
 wrote:



It's likely that roundcube is not configured for TLS and postfix is (as it 
should be) configured not to offer AUTH until TLS is established.


Yes, postfix is configured to use TLS, and no roundcube is not. When I 
configure roundcube to connect using TLS it can’t even connect to the server. I 
don’t understand what’s going on with roundcube, but it’s definitely not 
behavior I would expect. It’s had me pulling my hair out for two days, and I 
don’t even have any hair.


Without seeing logs and actual config settings I can only guess.  One 
thing to keep in mind is that there's two types of TLS connection, 
implicit TLS and explicit TLS.  Implicit TLS connects to a port 
dedicated to TLS connections, for submission this is the submissions 
(note the "s" on the end) port 465 (formerly called smtps) and is now 
the recommended service to submit mail to.  This is also controlled by 
the "wrappermode" setting in master.cf for the service.  Explicit TLS 
connects first in plain text then uses the STARTTLS command to establish 
a TLS session, this is how the submission (note no "s" on the end) 
service on port 587 works.  If you have wrappermode incorrectly set in 
postfix, or you have the wrong setting in roundcube then roundcube may 
be trying to connect with implicit TLS when postfix is expecting 
explicit TLS or vice-versa, either one will cause a failure at or 
shortly after connection time.


There are other possible reasons for TLS connection problems and without 
seeing logs and settings it's impossible to determine what the actual 
issue is.



I’m hoping I have solved the problem. I have roundcube sending mail on port 25 
with no auth (all daemons are running on the same server), and it is sending 
mail. Gmail rejects it, but I’ve altered my spf record to include localhost. I 
hope once that propagates my problems will be solved.


You should not use port 25 for submission.  Port 25 should be for MX 
communication *only* and attempting to use it for submission will cause 
many many problems.  Use either submissions (465) or submission (587) 
instead.  Do note that the newest recommendations are to use submissions.



Peter
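
An added example, not written by anyone in this thread: a Python check of a Roundcube config.inc.php against the pairing given here (tls:// with 587, ssl:// with 465, no submission on port 25), which also reports certificate verification switched off in the `*_conn_options` arrays. The function names, finding labels and sample configs (mail.example.com) are constructed for illustration.

```python
import re

# Pairing stated in the thread: tls:// (STARTTLS) on 587, ssl:// (wrappermode) on 465.
EXPECTED_PORT = {"tls": 587, "ssl": 465}
ASSIGN = re.compile(r"\$config\['(\w+)'\]\s*=\s*(.+?);\s*$", re.M | re.S)
HOST = re.compile(r"^(?:(\w+)://)?([^:/]+)(?::(\d+))?$")


def parse_config(php_text):
    """Collect $config['key'] = value; assignments, skipping comment lines."""
    body = "\n".join(l for l in php_text.splitlines()
                     if not l.lstrip().startswith(("//", "#")))
    return {k: v.strip() for k, v in ASSIGN.findall(body)}


def lint(php_text):
    """Return (setting, finding) tuples for the SMTP and IMAP connection settings."""
    cfg, findings = parse_config(php_text), []
    m = HOST.match(cfg.get("smtp_host", "").strip("'\""))
    if m:
        scheme, _, port = m.groups()
        if port is None:  # port given in a separate smtp_port setting
            port = cfg.get("smtp_port", "").strip("'\"")
        port = int(port) if port and port.isdigit() else None
        if port == 25:
            findings.append(("smtp_host", "port-25-is-mx-not-submission"))
        elif scheme in EXPECTED_PORT and port not in (None, EXPECTED_PORT[scheme]):
            findings.append(
                ("smtp_host", f"{scheme}-on-{port}-expected-{EXPECTED_PORT[scheme]}"))
        elif scheme is None and port in EXPECTED_PORT.values():
            findings.append(("smtp_host", f"no-tls-scheme-on-{port}"))
    for key in ("smtp_conn_options", "imap_conn_options"):
        for opt in ("verify_peer", "verify_peer_name"):
            if re.search(rf"'{opt}'\s*=>\s*false\b", cfg.get(key, ""), re.I):
                findings.append((key, f"{opt}-disabled"))
    return findings


# Constructed sample: STARTTLS scheme pointed at the implicit-TLS port,
# with certificate checks turned off.
MISMATCHED = """
$config['smtp_host'] = 'tls://mail.example.com:465';
$config['smtp_conn_options'] = array ( 'ssl' => array ( 'verify_peer' =>
false, 'verify_peer_name' => false, ), );
"""

# Constructed sample: STARTTLS scheme with the submission port set separately.
PAIRED = """
// $config['smtp_host'] = 'localhost:25';
$config['smtp_host'] = 'tls://mail.example.com';
$config['smtp_port'] = 587;
"""

if __name__ == "__main__":
    for name, sample in (("MISMATCHED", MISMATCHED), ("PAIRED", PAIRED)):
        print(name, lint(sample))
```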


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Paul Schmehl via Postfix-users
On Jun 16, 2024, at 10:30 PM, Peter via Postfix-users 
 wrote:
> 
> 
> It's likely that roundcube is not configured for TLS and postfix is (as it 
> should be) configured not to offer AUTH until TLS is established.
> 
Yes, postfix is configured to use TLS, and no roundcube is not. When I 
configure roundcube to connect using TLS it can’t even connect to the server. I 
don’t understand what’s going on with roundcube, but it’s definitely not 
behavior I would expect. It’s had me pulling my hair out for two days, and I 
don’t even have any hair.

I’m hoping I have solved the problem. I have roundcube sending mail on port 25 
with no auth (all daemons are running on the same server), and it is sending 
mail. Gmail rejects it, but I’ve altered my spf record to include localhost. I 
hope once that propagates my problems will be solved.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-16 Thread Peter via Postfix-users

On 17/06/24 13:54, Paul Schmehl via Postfix-users wrote:

I’m seeing this error in the roundcube logs:

[16-Jun-2024 20:28:58 -0500]:  SMTP Error: Authentication 
failure: mail.stovebolt.com

PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in 
/var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718587737852&_framed=1&_action=send)


[16-Jun-2024 20:34:16 -0500]:  PHP Error: SMTP server does not 
support authentication (POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)


[16-Jun-2024 20:34:16 -0500]:  SMTP Error: Authentication 
failure: mail.stovebolt.com

PIPELINING
SIZE 9
VRFY
ETRN
STARTTLS
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in 
/var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718588056454&_framed=1&_action=send)


For starters these are not Postfix logs.  I do not know what roundcube 
logs are supposed to look like but you have shown two sets of what 
appear to be responses to the EHLO command.  Both of the above responses 
were made prior to or entirely without the issuance of a STARTTLS 
command so a well configured postfix will not show AUTH support until 
after STARTTLS is issued and a TLS session is established.


This leads me to the conclusion that you do not have Roundcube 
configured to use TLS and therefore postfix will not offer 
authentication to roundcube until you fix this.  There may be other 
issues as well which I cannot tell you until I see actual postfix logs 
and configuration as shown in the DEBUG_README file.


The odd thing is, I don’t see any connection attempts at all in the mail 
logs. However, this log entry has me wondering. PHP Error: SMTP server 
does not support authentication


Postfix will always show connection attempts in the mail logs.  If it is 
not then something is likely wrong with your syslog implementation. 
There can sometimes be issues with journald dropping log messages before 
they can get passed to rsyslog, assuming your system has such a setup 
then have a look at journald.conf(5) specifically at the 
RateLimitIntervalSec and RateLimitBurst configuration parameters to 
journald which have some rather unfortunate defaults.


I should note that if you're not seeing *any* postfix entries in maillog 
then it's likely that there are other issues such as rsyslog not being 
installed or not running or journald not being configured to pass log 
entries through to rsyslog.


Also note that if you cannot or do not wish to get journald and rsyslog 
properly configured then postfix can be configured to write directly to 
its own log file rather than use the syslog facility, see:


http://www.postfix.org/postconf.5.html#maillog_file


Should postfix be announcing that it accepts AUTH LOGIN?


Probably not since the LOGIN mech is a poor implementation that was only 
ever needed to support some very old outlook express email clients. 
Postfix should, however, be announcing "AUTH PLAIN" support, but only 
after a TLS session is established, not before (see above).


If so, I may 
have missed something in the config. I’m wondering if roundcube is not 
even attempting auth because postfix isn’t announcing it as a service that 
it offers.


It's likely that roundcube is not configured for TLS and postfix is (as 
it should be) configured not to offer AUTH until TLS is established.



Peter