Re: config check
> On Dec 10, 2019, at 12:40 PM, Fred Morris wrote:
>
> "Am I secure?" That's a philosophical question. Will I have enough for
> retirement? Can I ever feel secure as long as there is a dolphin in danger on
> the planet? Or... there's no point in trying, because a meteoroid will wipe
> us all out. Go on, knock yourself out.

This is not a productive direction for discussion, please don't take the bait. Thanks.

If you have further specific questions about your configuration, that'd be the way to go. Otherwise this thread is done.

--
Viktor.
Re: config check
There is a lot of flawed reasoning about security ...take for example:

On Mon, 9 Dec 2019, LuKreme wrote:
> On Dec 9, 2019, at 12:58, Viktor Dukhovni wrote
> [...]
>> unauthenticated loopback (and other "mynetworks") traffic is normal.
>
> The configuration as posted, and specifically the line I quoted directly above my comment, allowed unauthenticated traffic from anything on the LAN. This means random printers, IOT devices, android phones, etc were allowed to send mail unchecked. I consider that a security hole.

"Am I secure?" That's a philosophical question. Will I have enough for retirement? Can I ever feel secure as long as there is a dolphin in danger on the planet? Or... there's no point in trying, because a meteoroid will wipe us all out. Go on, knock yourself out.

"Do I know the ground on which I fight?" That is not a philosophical question. Have you prepared a welcome reception for unexpected guests? Do you know what they will find when they climb over that fence? Do you know what it will look like if someone is actively nosing around?

"Will they cry and wish for a job flipping burgers?" Good job! Very good job, indeed!

But seriously now: what's the risk? What happens if that risk is realized (severity)? If someone sends unauthenticated mail outbound to my mail server, is that a problem? Doesn't that depend on where the mail is being delivered? Could mail be wrongly addressed (and hence wrongly delivered)? Will anything I do around authentication mitigate that?

Case in point, (because journald hasn't solved the problem), I still find it convenient to send unencrypted logs with UDP and emailed system notifications to a central collector. If I didn't see email then eventually I'd notice and be suspicious enough to take a look. But really, experience shows that I'm more likely to notice a problem because there is something out of the ordinary in one of those ordinary emails.

I really, really want to get those emails if they're being sent; I want them sooo bad, I don't want anything to get in the way of that. Like authentication.

They're not encrypted, either. What's the danger if someone reads a system notification in transit or on the central collector? Seriously, this is a trick question; I'll wait while you formulate a mental answer. Ok ready? The danger is that they're in my fabric or collector!

If I had people randomly showing up and attempting to send emails from random devices which I allowed to connect to the network I control, I'd have a different security posture. If I was providing this as a service to random personnel, I'd authenticate them; if they were supposed to have a clue however I'd pwn their network connection, after all, I have to determine who's really in control of that device. ;-) Further TTPs left to the imagination of the reader, because OpSec.

Some may recall me as the author of TruAlias, which I run on localhost on my mail server. I'm seriously thinking of opening it up to other machines I (personally) expect people to send email from however, because it's handy to be able to test aliases (without sending email to them). Maybe I'll make it a web service: is it really that much different in practice from a corporate directory?

Postfix's local(8) considers TCP maps for alias resolution a Security Risk To Be Prevented, even on loopback. I take all of this very seriously, since it prevents me from running TruAlias for local delivery. I take it so seriously, I disable the security checks which prevent it and recompile.

More as a point of comic relief, I observe that altering the source code and recompiling means that exploits crafted against a widely distributed binary have a greatly diminished chance of functioning properly; but I really should hammer local(8) for pwnage this way some day. I run a copy of TruAlias naked exposed to the internet as a demo as well. Theoretically I suspect you could lock up a core, but it hasn't happened; I'd notice. It's the system's fault...

--
Fred Morris
Re: config check
On 09/12/2019 20:54, Viktor Dukhovni wrote:
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>> The configuration as posted, and specifically the line I quoted directly above my comment, allowed unauthenticated traffic from anything on the LAN. This means random printers, IOT devices, android phones, etc were allowed to send mail unchecked. I consider that a security hole.
>
> That's your take on your network, but many other networks use mynetworks to meet their requirements. Universal authenticated access is not always feasible, and more restrained language is appropriate when describing the tradeoffs.

I agree, you are making assumptions as to what his "network" is. You can advise here, but the risk management depends on what his RFC1918 networks actually are.

--
Giles Coochey
Re: config check
On 12/9/19 2:29 PM, @lbutlr wrote:
> On 09 Dec 2019, at 13:54, Viktor Dukhovni wrote:
>> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>>> The configuration as posted, and specifically the line I quoted directly above my comment, allowed unauthenticated traffic from anything on the LAN. This means random printers, IOT devices, android phones, etc were allowed to send mail unchecked. I consider that a security hole.
>>
>> That's your take on your network, but many other networks use mynetworks to meet their requirements. Universal authenticated access is not always feasible, and more restrained language is appropriate when describing the tradeoffs.
>
> “Restrained language”? Are you joking? Allowing unauthenticated mail sending *is* a security hole. It may be a security hole you are willing to live with, but it absolutely is a security hole. Especially when you have opened yourself up to any random device on your LAN-side IPs. Looking at his config he is probably on a home connection since he is relaying outbound mail through his ISP, even more reason to dissuade someone from this kind of configuration. If you posted a config with a mynetworks like that I wouldn’t blink an eye.

When I first started reading this thread, the first thought that came into mind was "custom milter" if the network is small, or a reasonable VLAN design for a larger network. For example, printers and IoT could live in a separate broadcast domain, easily blocked via standard ACLs/iptables/whatall. Not sure what the problem is with Android (phones/tablets), but his network, his rules. The solution is relatively simple but tedious, and much of it resides outside the boundaries of this mailing list.
Re: config check
On 09 Dec 2019, at 13:54, Viktor Dukhovni wrote:
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>> The configuration as posted, and specifically the line I quoted directly
>> above my comment, allowed unauthenticated traffic from anything on the LAN.
>> This means random printers, IOT devices, android phones, etc were allowed to
>> send mail unchecked. I consider that a security hole.
>
> That's your take on your network, but many other networks use mynetworks
> to meet their requirements. Universal authenticated access is not always
> feasible, and more restrained language is appropriate when describing the
> tradeoffs.

“Restrained language”? Are you joking? Allowing unauthenticated mail sending *is* a security hole. It may be a security hole you are willing to live with, but it absolutely is a security hole. Especially when you have opened yourself up to any random device on your LAN-side IPs. Looking at his config he is probably on a home connection since he is relaying outbound mail through his ISP, even more reason to dissuade someone from this kind of configuration. If you posted a config with a mynetworks like that I wouldn’t blink an eye.

--
Help me, Obi-wan Kenobi. You're my only hope.
Re: config check
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote: > > The configuration as posted, and specifically the line I quoted directly > above my comment, allowed unauthenticated traffic from anything on the LAN. > This means random printers, IOT devices, android phones, etc were allowed to > send mail unchecked. I consider that a security hole. That's your take on your network, but many other networks use mynetworks to meet their requirements. Universal authenticated access is not always feasible, and more restrained language is appropriate when describing the tradeoffs. -- Viktor.
Re: config check
On Dec 9, 2019, at 12:58, Viktor Dukhovni wrote > Please don't impute false crises. There is no "security hole", though the > configuration is a mess, unauthenticated loopback (and other "mynetworks") > traffic is normal. The configuration as posted, and specifically the line I quoted directly above my comment, allowed unauthenticated traffic from anything on the LAN. This means random printers, IOT devices, android phones, etc were allowed to send mail unchecked. I consider that a security hole.
Re: config check
On Mon, Dec 09, 2019 at 01:02:23PM +, Felix Rubio wrote: > Thank you very much for your answer. I really appreciate the time you > took to go through it. The reason for having the tls/auth parameters > configured was, actually, a requirement I did not write (sorry for that, > I wrote the mail in a hurry :-/): You failed to understand my reply. The same port 587 services can both allow non-TLS/non-SASL traffic from loopback clients, AND require TLS and SASL from all other clients. You do not need and should not create the port 588 service. As mentioned last time, your more elaborate TLS parameter tweaks are counterproductive. -- Viktor.
Re: config check
On Mon, Dec 09, 2019 at 06:15:16AM -0700, @lbutlr wrote: > > On 09 Dec 2019, at 00:17, Felix Rubio wrote: > > > > Allow unencrypted/unauthenticated users to submit mail from local > > (127.0.0.x) connections Whether or not one is willing (or needs) to allow unauthenticated connections from 127.0.0.1, TLS encryption is certainly futile on the loopback interface. > There is no need for this, and it is dangerous. Just because a connection is > local doesn’t mean it is trustworthy. Perhaps not, but for many Postfix users it is entirely reasonable to permit loopback traffic without SASL or TLS auth. SMTP content filters generally run on loopback interfaces, and don't require authentication on either side. > I didn’t look any further because until you close this security hole, none of > the rest of your settings matter. Please don't impute false crises. There is no "security hole", though the configuration is a mess, unauthenticated loopback (and other "mynetworks") traffic is normal. -- Viktor.
Re: config check
Yes, because those ranges belonged to virtual interfaces I previously had on my machine. I removed that already. Thank you for the comment, though!

On 2019-12-09 13:15, @lbutlr wrote:
> On 09 Dec 2019, at 00:17, Felix Rubio wrote:
>> Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections
>
> There is no need for this, and it is dangerous. Just because a connection is local doesn’t mean it is trustworthy.
>
>> mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
>
> You are allowing connections from not just the local machine, but also from two private blocks of IPs, meaning you are trusting every device on your LAN to send unauthenticated mail. Don’t do this.
>
> I didn’t look any further because until you close this security hole, none of the rest of your settings matter.

--
Don't believe what you are told. Double check.
Re: config check
> On 09 Dec 2019, at 00:17, Felix Rubio wrote:
>
> Allow unencrypted/unauthenticated users to submit mail from local
> (127.0.0.x) connections

There is no need for this, and it is dangerous. Just because a connection is local doesn’t mean it is trustworthy.

> mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16

You are allowing connections from not just the local machine, but also from two private blocks of IPs, meaning you are trusting every device on your LAN to send unauthenticated mail. Don’t do this.

I didn’t look any further because until you close this security hole, none of the rest of your settings matter.

--
Dinosaurs are attacking! Throw a barrel!
Re: config check
Hi Viktor,

Thank you very much for your answer. I really appreciate the time you took to go through it. The reason for having the tls/auth parameters configured was, actually, a requirement I did not write (sorry for that, I wrote the mail in a hurry :-/):

- Require encrypted and authenticated user to submit mail from non-local (other than 127.0.0.x) connections
- Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections
- Allow unencrypted/authenticated users to submit mail from local (127.0.0.x) connections

With my current setup (so smtpd_tls_auth_only=yes in general, and disabling it for 127.0.0.1:588) I achieve exactly that. This way I can make sure that for any connection to 587 that want to send commands requiring AUTH will be encrypted, while local connections can authenticate without using TLS.

I have applied all the changes you proposed, and so far all works (this is not lack of trust on you, but I have observed there are many knobs to turn on the configuration) but I still seem to need the smtpd service in 588. Might you know of any way to achieve this setup with a more simple approach?

Thank you!
Felix

On 2019-12-09 07:44, Viktor Dukhovni wrote:
> On Mon, Dec 09, 2019 at 07:17:46AM +, Felix Rubio wrote:
>> My requirements are:
>> - Require encrypted and authenticated user to submit mail from non-local (other than 127.0.0.x) connections
>> - Allow unencrypted/unauthenticated users to submit mail from local (127.0.0.x) connections
>>
>> mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
>> smtpd_relay_restrictions =
>>     permit_mynetworks
>>     permit_sasl_authenticated
>>     reject_unauth_destination
>
> Well, clearly your definition of "non-local" is broader than 127.0.0.x, it also includes two RFC1918 address (sub)blocks.
>
>> smtpd_tls_eecdh_grade = ultra
>
> With OpenSSL 1.0.2 and later, the default is "auto", and you very much SHOULD NOT override that.
>
>> smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
>
> What on earth is all that? Just go with the default setting instead of pasting in random garbage from some clueless blog.
>
>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
>
> I'd leave TLS 1.0 enabled for at least another year, safer than cleartext, and still used to some degree with SMTP.
>
>> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>
> Not needed, now that we have session tickets.
>
>> tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
>
> Don't, the default is fine.
>
>> tls_ssl_options = no_ticket, no_compression
>
> I doubt you can provide a good reason to disable session tickets, don't disable them.
>
>> To fulfill my requirements with respect to local/remote authentication and encryption settings, in master.cf I have:
>>
>> smtp       inet  n       -       y       -       -       smtpd
>>     -o smtpd_sasl_auth_enable=no
>> submission inet  n       -       y       -       -       smtpd
>>     -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>
> This is largely ineffective. See the stock Postfix master.cf file for a much better approach.
>
>> 127.0.0.1:588 inet n     -       y       -       -       smtpd
>>     -o smtpd_sasl_exceptions_networks=
>>     -o smtpd_tls_auth_only=no
>
> There's no reason for this. Just use a single port 587 submission service, then allow traffic from the loopback interface, and otherwise reject unencrypted sessions via "reject_plaintext_session". The below client access table should work.
>
> allow-loopback.cidr:
>     127.0.0.0/8 OK
>     ::1         OK
>
> Then just:
>
> mua_client_restrictions =
>     check_client_access cidr:${config_directory}/allow-loopback.cidr,
>     reject_plaintext_session,
>     permit_sasl_authenticated,
>     reject
>
> Since the loopback clients won't need to authenticate, you don't need to set "smtpd_tls_auth_only = no".
>
> Your configuration looks much too dense with extraneous settings, I don't have the cycles to review them all. Resist the urge to over-customize, especially settings you don't fully understand.
-- Don't believe what you are told. Double check.
Re: config check
On Mon, Dec 09, 2019 at 07:17:46AM +, Felix Rubio wrote:
> My requirements are:
> - Require encrypted and authenticated user to submit mail from non-local
> (other than 127.0.0.x) connections
> - Allow unencrypted/unauthenticated users to submit mail from local
> (127.0.0.x) connections

> mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
> smtpd_relay_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination

Well, clearly your definition of "non-local" is broader than 127.0.0.x, it also includes two RFC1918 address (sub)blocks.

> smtpd_tls_eecdh_grade = ultra

With OpenSSL 1.0.2 and later, the default is "auto", and you very much SHOULD NOT override that.

> smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH,
> MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL

What on earth is all that? Just go with the default setting instead of pasting in random garbage from some clueless blog.

> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1

I'd leave TLS 1.0 enabled for at least another year, safer than cleartext, and still used to some degree with SMTP.

> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

Not needed, now that we have session tickets.

> tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH

Don't, the default is fine.

> tls_ssl_options = no_ticket, no_compression

I doubt you can provide a good reason to disable session tickets, don't disable them.

> To fulfill my requirements with respect to local/remote authentication
> and encryption settings, in master.cf I have:
>
> smtp       inet  n       -       y       -       -       smtpd
>     -o smtpd_sasl_auth_enable=no
> submission inet  n       -       y       -       -       smtpd
>     -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

This is largely ineffective. See the stock Postfix master.cf file for a much better approach.

> 127.0.0.1:588 inet n     -       y       -       -       smtpd
>     -o smtpd_sasl_exceptions_networks=
>     -o smtpd_tls_auth_only=no

There's no reason for this. Just use a single port 587 submission service, then allow traffic from the loopback interface, and otherwise reject unencrypted sessions via "reject_plaintext_session". The below client access table should work.

allow-loopback.cidr:
    127.0.0.0/8 OK
    ::1         OK

Then just:

mua_client_restrictions =
    check_client_access cidr:${config_directory}/allow-loopback.cidr,
    reject_plaintext_session,
    permit_sasl_authenticated,
    reject

Since the loopback clients won't need to authenticate, you don't need to set "smtpd_tls_auth_only = no".

Your configuration looks much too dense with extraneous settings, I don't have the cycles to review them all. Resist the urge to over-customize, especially settings you don't fully understand.

--
Viktor.
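The review above is a static reading of a postconf -n dump. The script below is an added example written for this page (it is not Postfix code and not something posted in the thread): it parses a dump constructed from the parameters quoted above, flags the same points the reviewer raised (non-loopback ranges in mynetworks, an overridden smtpd_tls_eecdh_grade, TLS 1.0 disabled, a redundant session cache, session tickets turned off), checks the ordering of the proposed single-service restriction list, and looks up client addresses in the proposed allow-loopback.cidr table with the first-match semantics of a Postfix cidr: table. The sample dump and the 10.8.0.5 test address are constructed; the access table and restriction list are the ones given in the reply.

```python
"""Static audit of a ``postconf -n`` dump against the advice in the reply above.

Added example, not Postfix code. The sample dump is constructed from the
parameters quoted in the thread; the rules encode the reviewer's points.
The CIDR lookup mimics a Postfix cidr: table, searched first-match in
file order.
"""
import ipaddress
import re

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/24, 10.8.0.0/24, 172.17.0.0/16
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_tls_eecdh_grade = ultra
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
tls_ssl_options = no_ticket, no_compression
"""

# The access table proposed in the reply, exactly as given there.
ALLOW_LOOPBACK_CIDR = """\
127.0.0.0/8 OK
::1 OK
"""

# The single-service restriction list proposed in the reply.
PROPOSED_MUA_RESTRICTIONS = (
    "check_client_access cidr:${config_directory}/allow-loopback.cidr, "
    "reject_plaintext_session, permit_sasl_authenticated, reject"
)


def parse_postconf(text):
    """Turn 'name = value' lines into a dict; values are kept as raw strings."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def cidr_lookup(table, client_ip):
    """First matching line wins, as in a cidr: table; None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, result = line.partition(" ")
        net = ipaddress.ip_network(pattern, strict=False)
        if ip.version == net.version and ip in net:
            return result.strip()
    return None


def audit_main_cf(params):
    """Return the review findings for a parsed postconf -n dump."""
    findings = []
    # Postfix writes IPv6 networks as [::1]/128; ipaddress wants them bare.
    nets = [ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
            for n in split_list(params.get("mynetworks", ""))]
    wide = [str(n) for n in nets if not n.is_loopback]
    if wide:
        findings.append("mynetworks lets non-loopback ranges relay without SASL: " + ", ".join(wide))
    if params.get("smtpd_tls_eecdh_grade", "auto") != "auto":
        findings.append("smtpd_tls_eecdh_grade overridden; leave it at the 'auto' default")
    if "!TLSv1" in split_list(params.get("smtpd_tls_protocols", "")):
        findings.append("smtpd_tls_protocols disables TLS 1.0, which the reviewer would still allow for SMTP")
    if "smtpd_tls_session_cache_database" in params:
        findings.append("smtpd_tls_session_cache_database is unnecessary now that session tickets exist")
    if "no_ticket" in split_list(params.get("tls_ssl_options", "")):
        findings.append("tls_ssl_options disables session tickets")
    return findings


def check_submission_restrictions(value):
    """Check the ordering of a submission-service client restriction list."""
    items = split_list(value)
    problems = []
    if not items or items[-1] != "reject":
        problems.append("list should end with an explicit reject")
    if "reject_plaintext_session" not in items:
        problems.append("no reject_plaintext_session: unencrypted remote sessions are not rejected")
    elif "permit_sasl_authenticated" in items and \
            items.index("reject_plaintext_session") > items.index("permit_sasl_authenticated"):
        problems.append("reject_plaintext_session must come before permit_sasl_authenticated")
    return problems


if __name__ == "__main__":
    for finding in audit_main_cf(parse_postconf(SAMPLE_POSTCONF)):
        print("main.cf:", finding)
    for problem in check_submission_restrictions(PROPOSED_MUA_RESTRICTIONS):
        print("mua_client_restrictions:", problem)
    for ip in ("127.0.0.1", "::1", "10.8.0.5"):
        print(ip, "->", cidr_lookup(ALLOW_LOOPBACK_CIDR, ip))
```

On a live system the same checks are done with `postconf -n` piped into the parser and `postmap -q 10.8.0.5 cidr:/etc/postfix/allow-loopback.cidr`, which should print nothing for a LAN address and OK for 127.0.0.1.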
Re: config check - submission only system
you don't want reject_unknown_recipient_domain for submissions because a MUA can't handle a 4xx reject and the same for reject_unknown_sender_domain

smtpd_sender_restrictions is not needed at all if you enforce auth and reject_authenticated_sender_login_mismatch

for a submission-only server add that as the only restriction to main.cf because after that it doesn't matter which port, with or without TLS, you are enforcing SASL auth and forbid foreign unlisted senders

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    reject_rbl_client dnsbl.thelounge.net
    permit_sasl_authenticated
    reject

On 31.12.2014 at 16:47, Dan Langille wrote:
> I have a working solution for a submission-only system I’m setting up. It seems to be doing what I need. There will be no local delivery. Even the cronjobs on this system will be sent elsewhere.
>
> The configuration is shown below. I’ve disabled several services; I think they won’t be required.
>
> Suggestions and comments welcomed.
>
> # postconf -n
> alias_maps = hash:/etc/mail/aliases
> config_directory = /usr/local/etc/postfix
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
> header_checks = pcre:/usr/local/etc/postfix/obscure_smtp_auth
> inet_protocols = ipv4
> message_size_limit = 32768000
> mynetworks =
> smtp_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
> smtp_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
> smtp_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/virtual
> smtpd_tls_CAfile = /usr/local/etc/ssl/root.startssl.com.pem
> smtpd_tls_cert_file = /usr/local/etc/ssl/clavin.langille.org.pem
> smtpd_tls_key_file = /usr/local/etc/ssl/clavin.langille.org.nopassword.key
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
>
> # postconf -Mf
> pickup     unix  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       unix  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       n       -       -       smtp
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> submission inet  n       -       n       -       -       smtpd
>     -o smtpd_tls_security_level=encrypt
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_recipient_restrictions=reject_sender_login_mismatch,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>     -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,permit_sasl_authenticated,reject
>     -o syslog_name=postfix/submission
Re: config check for proper use of proxy_interfaces?
On 8/11/2014 11:04 AM, terrygalant.li...@fastest.cc wrote:
> Greetings!
>
> I have 3 servers connected via lan vpn.
>
> SERVER-1 is a hosted VM in the cloud
>   EXTIF eth0 (198.51.100.1, 198.51.100.2, 10.0.1.1)
>   TUNIF tun1 (192.168.1.1)
>
> SERVER-2 is my LAN's router/firewall
>   EXTIF eth0 (203.0.113.1)
>   TUNIF tun1 (192.168.1.2)
>   INTIF eth1 (10.0.2.1, 172.16.2.1)
>
> SERVER-3 is a server on the LAN. Postfix listens/binds on 10.0.2.47
>   EXTIF eth0 (10.0.2.47, 172.16.2.47)
>
> Policy routing + (D)NAT makes sure that outbound mail flows from Postfix on SERVER-3, through the router on SERVER-2 and over the VPN, and out via SERVER-1. Likewise, inbound mail flows the opposite direction.
>
> I've read http://www.postfix.org/postconf.5.html#proxy_interfaces, and, my postfix config has
>
> inet_interfaces = 10.0.2.47
> inet_protocols = ipv4
> mydestination = $myhostname, localhost.$mydomain, localhost
> mynetworks = 10.0.2.0/24 172.16.2.0/24 127.0.0.0/8
> proxy_interfaces = 198.51.100.1, 198.51.100.2
> smtp_bind_address = 10.0.2.47
>
> So, mail's sending/receiving okay. But I don't completely understand use proxy_interfaces even after re-reading a couple times.
>
> With the servers setup like above is the proxy_interfaces correct enough? Mainly looking to prevent any loops/relays/etc that I haven't found in my testing so far.
>
> Just getting verification from someone more experienced would help out!
>
> Terry

proxy_interfaces should list any external IPs that *this* postfix is connected to on the other side of a NAT. Any IPs that are not local on this box that connect to postfix should be listed here.

HTH

--
Noel Jones
Re: config check for proper use of proxy_interfaces?
Hi Noel

On Mon, Aug 11, 2014, at 09:11 AM, Noel Jones wrote:
> proxy_interfaces should list any external IPs that *this* postfix is connected to on the other side of a NAT. Any IPs that are not local on this box that connect to postfix should be listed here.

By 'connect' you do mean 'responds at', via any IP routed/NAT path, right?

From the outside world, telnet TO 198.51.100.1:25 or 198.51.100.2:25 on SERVER-1 gets a response from postfix on SERVER-3. And those are the ONLY 2 addresses that should respond.

So, IIUC -- my guess at

proxy_interfaces = 198.51.100.1, 198.51.100.2

is correct AND sufficient?

Terry
Re: config check for proper use of proxy_interfaces?
On 8/11/2014 11:19 AM, terrygalant.li...@fastest.cc wrote:
> Hi Noel
>
> On Mon, Aug 11, 2014, at 09:11 AM, Noel Jones wrote:
>> proxy_interfaces should list any external IPs that *this* postfix is connected to on the other side of a NAT. Any IPs that are not local on this box that connect to postfix should be listed here.
>
> By 'connect' you do mean 'responds at', via any IP routed/NAT path, right?

Right, any IP not on a local interface that you can telnet to and have postfix respond.

> From the outside world, telnet TO 198.51.100.1:25 or 198.51.100.2:25 on SERVER-1 gets a response from postfix on SERVER-3. And those are the ONLY 2 addresses that should respond.
>
> So, IIUC -- my guess at
>
> proxy_interfaces = 198.51.100.1, 198.51.100.2
>
> is correct AND sufficient?
>
> Terry

Yes, that sounds right.

--
Noel Jones
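The loop concern raised in this exchange is what proxy_interfaces exists for: when the Postfix SMTP client looks up a destination's MX hosts, it treats any MX that resolves to one of its own addresses (inet_interfaces or proxy_interfaces) as itself, drops that host together with every host of equal or larger preference value, and reports "mail for ... loops back to myself" if nothing is left. The script below is an added example written for this page, not Postfix code, that models that rule. The interface settings are the ones posted above; the destination domain, its MX hosts and their addresses are constructed for the illustration, and relayhost/transport_maps routing (which bypasses the MX lookup) is ignored.

```python
"""Model how the Postfix SMTP client uses inet_interfaces and
proxy_interfaces to recognise itself among a destination's MX hosts.

Added example, a simplified model rather than Postfix code. Rule modelled:
after sorting MX hosts by preference, the first host that resolves to one
of our own addresses and every host with an equal or larger preference are
dropped; an empty result means the mail would loop back to us through the
NAT and is bounced instead. Interface addresses are from the post above;
the MX data is constructed.
"""
import ipaddress
import re


def own_addresses(inet_interfaces, proxy_interfaces):
    """Addresses Postfix treats as its own. 'all' cannot be enumerated here."""
    addrs = set()
    for value in (inet_interfaces, proxy_interfaces):
        for item in re.split(r"[\s,]+", value):
            if not item or item == "all":
                continue
            addrs.add(ipaddress.ip_address(item.strip("[]")))
    return addrs


def usable_mx(mx_records, dns_a, own):
    """MX hosts Postfix would try, in order; [] means the mail loops back to us."""
    ordered = sorted(mx_records)                       # lowest preference first
    self_pref = None
    for pref, host in ordered:
        if any(ipaddress.ip_address(a) in own for a in dns_a.get(host, [])):
            self_pref = pref
            break
    if self_pref is None:
        return [host for _, host in ordered]
    return [host for pref, host in ordered if pref < self_pref]


def route(domain, mx_records, dns_a, own):
    """Human-readable outcome for one destination domain."""
    hosts = usable_mx(mx_records, dns_a, own)
    if not hosts:
        return f"mail for {domain} loops back to myself"
    return f"deliver {domain} via {hosts[0]}"


# Interface settings from the post above.
INET_INTERFACES = "10.0.2.47"
PROXY_INTERFACES = "198.51.100.1, 198.51.100.2"

# Constructed DNS data: the zone's primary MX is the NAT address in front of this server.
MX_RECORDS = [(20, "mx2.example.org"), (10, "mx1.example.org")]
DNS_A = {"mx1.example.org": ["198.51.100.1"], "mx2.example.org": ["203.0.113.25"]}

if __name__ == "__main__":
    without = own_addresses(INET_INTERFACES, "")
    with_proxy = own_addresses(INET_INTERFACES, PROXY_INTERFACES)
    print("proxy_interfaces empty:", route("example.org", MX_RECORDS, DNS_A, without))
    print("proxy_interfaces set  :", route("example.org", MX_RECORDS, DNS_A, with_proxy))
```

With proxy_interfaces empty, the client would happily connect to 198.51.100.1, be NATed back to itself and accept its own outbound mail; with the two NAT addresses listed, the same message is bounced with the loop error, which is the behaviour you want for a domain that is not in mydestination.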
Re: config check for proper use of proxy_interfaces?
Perfect, thanks! On Mon, Aug 11, 2014, at 09:26 AM, Noel Jones wrote: Yes, that sounds right.
Re: Config check for DKIM with Amavisd-new
On 05.11.2013 12:41, mark hardwick wrote:
> For this I followed some short instructions for postfix + amavisd-new here : http://blog.purrdeta.com/2012/06/guide-to-dkim-signing-with-amavisd-new-and-postfix/

This setup works only if the mail is delivered on the submission-port. If you would like to sign other mails from your domains (delivered on another port), you must tag them.

regards
Florian
Re: Config check for DKIM with Amavisd-new
On 11/5/2013 5:41 AM, mark hardwick wrote:
> Hi All
>
> I'm setting up a new email server and I'm fairly green so I just wanted someone to confirm I'm not doing anything stupid.
>
> First I've followed the instructions from Falco here: http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-debian-wheezy
>
> this worked fine. it's all tested and gives the correct responses. even sends email :)
>
> I altered it slightly to forward inbound mail to offered+[code]@domain.com to a script. (Thanks to Noel for helping me to get that working.)
>
> Next I wanted to add support for DKIM. For this I followed some short instructions for postfix + amavisd-new here : http://blog.purrdeta.com/2012/06/guide-to-dkim-signing-with-amavisd-new-and-postfix/
>
> It required a bit of hacking of the amavisd config and master.cf. My problem is I'm not 100% sure it's compatible with Falco's setup. I wondered if someone could scan this and tell me if and where it's broken? I don't want to accidentally create a relay or anything else nasty.
>
> The modifications to Amavisd seemed fine so I just went with what was in the post above, however I'm not 100% certain they're in the correct files. I changed the following;

I don't see any obviously dangerous errors, but I don't have time to comb through a complex config looking for all possible errors. Try it and test it. If it doesn't behave as expected, feel free to come back with specific questions.

--
Noel Jones

> 20-debian_defaults:
>
> $inet_socket_port = [10024,10026];
>
> 25-amavisd-helpers ;
>
> ##
> ## Functionality required for amavis helpers like
> ## amavis-release.
> ##
>
> # Enable required AM.PDP protocol socket.
> #
> # this is incompatible with the old helpers, but one can
> # have multiple inet (not unix) sockets to overcome this
> # issue. Refer to the amavisd-new documentation for more
> # information
> $unix_socketname = '/var/lib/amavis/amavisd.sock';
> $interface_policy{'SOCK'} = 'AM.PDP-SOCK';
> $policy_bank{'AM.PDP-SOCK'} = {
>   protocol => 'AM.PDP',
>   auth_required_release => 0,   # don't require secret-id for release
> };
>
> #NEW policy for user with DKIM signing - not sure if this is the correct location?
> $interface_policy{'10026'} = 'ORIGINATING';
>
> $policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
>   originating => 1,  # declare that mail was submitted by our smtp client
>   allow_disclaimers => 1,  # enables disclaimer insertion if available
>   # notify administrator of locally originating malware
>   virus_admin_maps => ["virusalert\@$mydomain"],
>   spam_admin_maps  => ["virusalert\@$mydomain"],
>   warnbadhsender   => 1,
>   # forward to a smtpd service providing DKIM signing service
>   forward_method => 'smtp:[127.0.0.1]:10027',
>   # force MTA conversion to 7-bit (e.g. before DKIM signing)
>   smtpd_discard_ehlo_keywords => ['8BITMIME'],
>   bypass_banned_checks_maps => [1],  # allow sending any file names and types
>   terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
> };
>
> 1;  # ensure a defined return
>
> Then in the master.cf I have (the main change is at the bottom).
>
> Master.cf:
> #
> # Postfix master process configuration file.  For details on the format
> # of the file, see the master(5) manual page (command: man 5 master).
> #
> # Do not forget to execute postfix reload after editing this file.
> #
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> smtp      inet  n       -       -       -       -       smtpd
> #smtp      inet  n       -       -       -       1       postscreen
> #smtpd     pass  -       -       -       -       -       smtpd
> #dnsblog   unix  -       -       -       -       0       dnsblog
> #tlsproxy  unix  -       -       -       -       0       tlsproxy
> submission inet n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o content_filter=amavis:[127.0.0.1]:10026
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #smtps     inet  n       -       -       -       -       smtpd
> #  -o syslog_name=postfix/smtps
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #628       inet  n       -       -       -       -       qmqpd
> #pickup    fifo  n       -       -       60      1       pickup
> pickup    fifo  n       -       -       60      1       pickup
>   -o smtpd_tls_security_level=encrypt
>   -o content_filter=smtp-amavis:[127.0.0.1]:10026
> cleanup   unix  n       -       -       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> #qmgr     fifo  n
Re: Config check
On 2011-10-27 01:35, IT geek 31 wrote: I guess what I'm after is a way to whitelist certain senders. ie. if they're okay, then no further processing is needed - just deliver. Is this possible? If so, presumably smtpd_sender_restrictions = check_sender_access hash:/sender_access is the place to put it? No, since that will only whitelist the sender part; smtpd_recipient_restrictions may still reject the message or the recipient(s). Put the sender check in smtpd_recipient_restrictions instead. -- J.
Re: Config check
> No, since that will only whitelist the sender part; smtpd_recipient_restrictions may still reject the message or the recipient(s). Put the sender check in smtpd_recipient_restrictions instead.

So would this work:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023,
    permit

As in the minute it discovered an ok'd email address in sender_access it would stop processing the rest of the checks and permit it?

-Mark
Re: Config check
On Thursday 27 October 2011 03:43:26 IT geek 31 wrote:
>> No, since that will only whitelist the sender part; smtpd_recipient_restrictions may still reject the message or the recipient(s). Put the sender check in smtpd_recipient_restrictions instead.
>
> So would this work:
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
>     reject_unauth_destination,
>     reject_unauth_pipelining,

Sure it works, but it is not safe, as per the dangerous use issue mentioned yesterday:
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

At the very least, this must come after reject_unauth_destination. A similar effect can be achieved using permit_auth_destination as the check_sender_access result, rather than permit or OK.

>     reject_rbl_client zen.spamhaus.org,
>     check_policy_service inet:127.0.0.1:10023,
>     permit
>
> As in the minute it discovered an ok'd email address in sender_access it would stop processing the rest of the checks and permit it?

Whitelisting by sender address is not safe, because the vast majority of all spam is sent using forged sender addresses. If you can find a better way to manage your whitelist, do. Or better yet, reduce the need for whitelisting by using only safe restrictions.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: Config check
On Wednesday 26 October 2011 16:28:43 IT geek 31 wrote:
> I'm trying to achieve the following:
>
> Stop spammers (obviously)
> Permit relaying when I'm outside the network (using SASL)
>
> After reading through postconf, to prevent duplicate checks I removed
> a number of checks from smtpd_sender_restrictions, so that it now
> looks like this:
>
> smtpd_sender_restrictions =
>     reject_unknown_sender_domain,
>     reject_non_fqdn_sender,
>     permit
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     reject_unauth_destination,

For simplicity, you could insert the reject_* sender restrictions here, and eliminate smtpd_sender_restrictions.

>     check_recipient_access hash:/usr/pkg/etc/postfix/access,

access is a bad name for this. Since you're checking recipient addresses, I would suggest a name of rcpt_access, or similar.

>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,

These two will do nothing useful. They don't hurt, but it might be useful for you to consider what they are. Spammers are going to be hitting you with addresses@your.actual.domains. They are probably not trying to hit addresses@localhost and the like.

>     reject_rbl_client zen.spamhaus.org,
>     check_policy_service inet:127.0.0.1:10023,
>     permit
>
> I have also set smtpd_delay_reject = yes

There is no need to set that, as yes is the default value.

> However my access file does not appear to be being used (specifies an
> address to be rejected, but it isn't).

I don't suppose we can help with that without the relevant logs and portions of /usr/pkg/etc/postfix/access that you think should have matched. But before you post again, note again that it is called as a *recipient* address lookup. It will not be searched for client, helo, nor sender addresses.

> Please can someone sanity check the smtpd_recipient_restrictions line
> for me and verify the order is correct. I'm looking to move to 2.8,
> but I want to make sure my config is correct before I do.
>
> postconf -n attached.

> smtpd_helo_restrictions =
>     check_helo_access hash:/usr/pkg/etc/postfix/helo_access,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     reject_unknown_hostname,
>     permit

This check_helo_access file, /usr/pkg/etc/postfix/helo_access, has a better name. You are using the old syntax for reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, and reject_unknown_helo_hostname, but that is not a problem.

Do, however, consider that the latter will block a great deal of non-spam. There are many MTAs behind NAT which will use a HELO name which does not resolve in the global DNS. (The non-FQDN and invalid checks are safe and effective.)

Finally, you likewise might consider it easier to consolidate these into the recipient restriction stage, but do not do that if you're using helo_access as a whitelist. This is covered in the SMTPD_ACCESS_README, dangerous use of smtpd_recipient_restrictions section.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: Config check
Hi Rob

Thanks for your reply - that's certainly cleared a few things up!

> >     check_recipient_access hash:/usr/pkg/etc/postfix/access,
>
> access is a bad name for this. Since you're checking recipient
> addresses, I would suggest a name of rcpt_access, or similar.

I've renamed this to sender_access (see below).

> >     reject_unauth_pipelining,
> >     reject_non_fqdn_recipient,
> >     reject_unknown_recipient_domain,
>
> These two will do nothing useful. They don't hurt, but it might be
> useful for you to consider what they are. Spammers are going to be
> hitting you with addresses@your.actual.domains. They are probably not
> trying to hit addresses@localhost and the like.

Removed.

> > I have also set smtpd_delay_reject = yes
>
> There is no need to set that, as yes is the default value.

Removed.

> > However my access file does not appear to be being used (specifies
> > an address to be rejected, but it isn't).

My access file actually listed senders, so that's why that obviously didn't work.

> I don't suppose we can help with that without the relevant logs and
> portions of /usr/pkg/etc/postfix/access that you think should have
> matched. But before you post again, note again that it is called as a
> *recipient* address lookup. It will not be searched for client, helo,
> nor sender addresses.

I guess what I'm after is a way to whitelist certain senders. ie. if they're okay, then no further processing is needed - just deliver. Is this possible? If so, presumably

    smtpd_sender_restrictions = check_sender_access hash:/sender_access

is the place to put it?

> This check_helo_access file, /usr/pkg/etc/postfix/helo_access, has a
> better name. You are using the old syntax for
> reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, and
> reject_unknown_helo_hostname, but that is not a problem.

I have replaced these with up-to-date syntax.

Fresh postconf -n attached.
Re: Config check
I couldn't find any 2.8.0-1 SRPMS.
Re: Config check
take the latest srpm of your distribution's version as base and remove patches from the SPEC-File

On 24.01.2011 10:01, Walter Pinto wrote:
> I couldn't find any 2.8.0-1 SRPMS.

--
With best regards,
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
Re: Config check
I used the following to build from source after backing up my config dir:

make makefiles \
    CCARGS='-fPIC -DUSE_TLS -DUSE_SSL \
    -DHAS_MYSQL -I/usr/include/mysql -DPREFIX=\/usr\ \
    -DSNAPSHOT -I/usr/include/openssl \
    -I/usr/include' \
    AUXLIBS='-L/usr/lib64 -L/usr/lib/openssl -lssl -lcrypto \
    -lz -lm -L/usr/lib64/mysql -lmysqlclient -lz -lm \
    -Wl,-rpath,/usr/lib/openssl -pie -Wl,-z,relro' \
    OPT='-O' \
    DEBUG='-g'

Then used checkinstall to build an RPM.

Copying files to the temporary directory...OK
Stripping ELF binaries...OK
Compressing man pages...OK
Building file list...OK
Building RPM package...OK
NOTE: The package will not be installed
Erasing temporary files...OK
Deleting temp dir...OK

Done. The new package has been saved to

    /usr/src/redhat/RPMS/x86_64/postfix-2.8.0-1.x86_64.rpm

You can install it in your system anytime using:

    rpm -Uhv postfix-2.8.0-1.x86_64.rpm
Re: Config check
On Sun, Jan 23, 2011 at 06:56:09PM -0800, Walter Pinto wrote:

> make makefiles \
>     CCARGS='-fPIC -DUSE_TLS -DUSE_SSL \
>     -DHAS_MYSQL -I/usr/include/mysql -DPREFIX=\/usr\ \
>     -DSNAPSHOT -I/usr/include/openssl \
>     -I/usr/include' \
>     AUXLIBS='-L/usr/lib64 -L/usr/lib/openssl -lssl -lcrypto \
>     -lz -lm -L/usr/lib64/mysql -lmysqlclient -lz -lm \
>     -Wl,-rpath,/usr/lib/openssl -pie -Wl,-z,relro' \
>     OPT='-O' \
>     DEBUG='-g'
>
> Done. The new package has been saved to
>
>     /usr/src/redhat/RPMS/x86_64/postfix-2.8.0-1.x86_64.rpm
>
> You can install it in your system anytime using:

A Postfix RPM needs to:

- Not overwrite locally-modifiable files in /etc/postfix, as specified in postfix-files

- As a post-install action upgrade permissions and configuration files via:

    # postfix set-permissions upgrade-configuration

If your RPM does not do this, you should consider using one of the SRPM packages maintained by one of the usual suspects.

--
Viktor.
Re: Config check
This is the config for my SMTP server, anything stand out?

anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /var/www/html/postfix
initial_destination_concurrency = 5
local_destination_concurrency_limit = 5
local_transport = error:local mail delivery disabled
maximal_backoff_time = 90m
message_size_limit = 1450
mydomain = smtp1.example.net
myhostname = smtp1.example.net
mynetworks = 127.0.0.0/8
myorigin = example.net
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relocated_maps = hash:/etc/postfix/relocated
smtp_connect_timeout = 45s
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_error_sleep_time = 0
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_recipient
    reject_invalid_hostname
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_login_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
smtpd_sender_restrictions =
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:10031
    reject_sender_login_mismatch
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_recipient
    reject_invalid_hostname
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/smtp1.example.net.cert
smtpd_tls_key_file = /etc/postfix/certs/smtp1.example.net.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps =
    hash:/etc/postfix/domains/localhost
    hash:/etc/postfix/domains/example.com
    hash:/etc/postfix/domains/example.net
    hash:/etc/postfix/domains/example.org
Re: Config check
On 1/22/2011 2:58 AM, Walter Pinto wrote:
> This is the config for my SMTP server, anything stand out?
>
> anvil_rate_time_unit = 180s
> body_checks = regexp:/etc/postfix/body_checks
> bounce_size_limit = 1500
> broken_sasl_auth_clients = yes
> default_destination_concurrency_limit = 5
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = /var/www/html/postfix
> initial_destination_concurrency = 5
> local_destination_concurrency_limit = 5
> local_transport = error:local mail delivery disabled
> maximal_backoff_time = 90m
> message_size_limit = 1450
> mydomain = smtp1.example.net
> myhostname = smtp1.example.net
> mynetworks = 127.0.0.0/8
> myorigin = example.net
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> relocated_maps = hash:/etc/postfix/relocated
> smtp_connect_timeout = 45s
> smtpd_data_restrictions = reject_multi_recipient_bounce
> smtpd_error_sleep_time = 0
> smtpd_etrn_restrictions = reject
> smtpd_helo_required = yes
> smtpd_recipient_restrictions =
>     reject_unauth_destination
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unlisted_recipient
>     reject_invalid_hostname
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sender_login_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
> smtpd_sender_restrictions =
>     permit_sasl_authenticated
>     check_policy_service inet:127.0.0.1:10031
>     reject_sender_login_mismatch
>     reject_unauth_destination
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unlisted_recipient
>     reject_invalid_hostname
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain

I would usually expect reject_sender_login_mismatch to be before permit_sasl_authenticated. Remember, authenticated clients won't trigger any tests below permit_sasl_authenticated. Ditto for the policy service if it's a quota check or something else that should run on all mail. They are OK as-is if they are doing what you expect.

When reject_unknown_recipient_domain is after reject_unauth_destination, the only things it can possibly reject are:
- invalid subdomains of your domains.
- your own domain when your DNS hiccups.
Make sure it's doing what you want.

> smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
> smtpd_tls_cert_file = /etc/postfix/certs/smtp1.example.net.cert
> smtpd_tls_key_file = /etc/postfix/certs/smtp1.example.net.key
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 7200s
> smtpd_use_tls = yes
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps =
>     hash:/etc/postfix/domains/localhost
>     hash:/etc/postfix/domains/example.com
>     hash:/etc/postfix/domains/example.net
>     hash:/etc/postfix/domains/example.org

OK.

--
Noel Jones
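Two ordering points made in this thread, rob0's "dangerous use" warning (a sender whitelist placed ahead of reject_unauth_destination) and Noel's remark that nothing below permit_sasl_authenticated is ever tested for an authenticated client, come down to how Postfix walks a restriction list: first PERMIT or REJECT wins, DUNNO falls through. The Python below is an added toy model of that walk, not Postfix code or anything posted in the thread; it implements only the restrictions discussed here, and every address, table entry and SASL login in it is constructed.

```python
"""Toy model of how Postfix walks a restriction list (added example, not Postfix code).

Restrictions are tried left to right; the first PERMIT or REJECT decides, DUNNO
falls through, and the list ends with an implicit permit. Only the restrictions
discussed in this thread are modelled, following SMTPD_ACCESS_README; every
address, table entry and SASL login below is constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

@dataclass
class Session:
    client_ip: str
    sender: str                        # MAIL FROM
    recipient: str                     # RCPT TO
    sasl_user: Optional[str] = None    # SASL login name; None if unauthenticated

@dataclass
class Site:
    # domains this server accepts mail for (mydestination / relay_domains / virtual)
    my_domains: FrozenSet[str] = frozenset({"example.net"})
    # check_sender_access table: sender -> OK, REJECT, DUNNO or a restriction name
    sender_access: Dict[str, str] = field(default_factory=dict)
    # smtpd_sender_login_maps: sender -> SASL login that owns it
    sender_login_maps: Dict[str, str] = field(default_factory=dict)

def auth_destination(site: Site, s: Session) -> bool:
    return s.recipient.rsplit("@", 1)[-1].lower() in site.my_domains

def restriction(name: str, site: Site, s: Session) -> str:
    """Verdict of one restriction for this session."""
    if name in (PERMIT, REJECT):
        return name
    if name == "permit_sasl_authenticated":
        return PERMIT if s.sasl_user else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if auth_destination(site, s) else REJECT
    if name == "permit_auth_destination":
        return PERMIT if auth_destination(site, s) else DUNNO
    if name == "reject_sender_login_mismatch":
        # Reject if the sender has an owner other than the logged-in user, or if
        # the client is logged in but the login does not own the sender.
        owner = site.sender_login_maps.get(s.sender.lower())
        return REJECT if (owner or s.sasl_user) and s.sasl_user != owner else DUNNO
    if name == "check_sender_access":
        act = site.sender_access.get(s.sender.lower(), DUNNO).lower()
        if act == "ok":
            return PERMIT
        return act if act in (REJECT, DUNNO) else restriction(act, site, s)
    raise ValueError(f"unmodelled restriction: {name}")

def evaluate(restrictions: Sequence[str], site: Site, s: Session) -> Tuple[str, str]:
    """Walk the list and return (verdict, name of the restriction that decided)."""
    for name in restrictions:
        verdict = restriction(name, site, s)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, "implicit permit"

def demo_sender_whitelist() -> Dict[str, Tuple[str, str]]:
    """rob0's 'dangerous use' case: a sender whitelist ahead of reject_unauth_destination."""
    # Spam with a forged MAIL FROM that happens to be whitelisted, aimed at a third party ...
    forged = Session("203.0.113.9", "partner@partner.example", "someone@remote.example")
    # ... and the same sender writing to a domain this server actually hosts.
    inbound = Session("203.0.113.9", "partner@partner.example", "user@example.net")
    ok_table = Site(sender_access={"partner@partner.example": "OK"})
    posted = ["permit_sasl_authenticated", "check_sender_access",
              "reject_unauth_destination", "permit"]
    reordered = ["permit_sasl_authenticated", "reject_unauth_destination",
                 "check_sender_access", "permit"]
    # Alternative from the thread: keep the order, make the table return permit_auth_destination.
    pad_table = Site(sender_access={"partner@partner.example": "permit_auth_destination"})
    return {
        "posted_forged_remote": evaluate(posted, ok_table, forged),     # relayed: open relay
        "reordered_forged_remote": evaluate(reordered, ok_table, forged),
        "pad_forged_remote": evaluate(posted, pad_table, forged),
        "pad_inbound": evaluate(posted, pad_table, inbound),
    }

def demo_login_mismatch() -> Dict[str, Tuple[str, str]]:
    """Noel's point: a test placed after permit_sasl_authenticated never sees authenticated clients."""
    site = Site(sender_login_maps={"bob@example.net": "bob"})
    alice_as_bob = Session("198.51.100.7", "bob@example.net", "x@remote.example", sasl_user="alice")
    bob_as_bob = Session("198.51.100.7", "bob@example.net", "x@remote.example", sasl_user="bob")
    posted = ["permit_sasl_authenticated", "reject_sender_login_mismatch", "reject_unauth_destination"]
    suggested = ["reject_sender_login_mismatch", "permit_sasl_authenticated", "reject_unauth_destination"]
    return {
        "posted_alice_as_bob": evaluate(posted, site, alice_as_bob),
        "suggested_alice_as_bob": evaluate(suggested, site, alice_as_bob),
        "suggested_bob_as_bob": evaluate(suggested, site, bob_as_bob),
    }

if __name__ == "__main__":
    for k, v in {**demo_sender_whitelist(), **demo_login_mismatch()}.items():
        print(f"{k:26s} -> {v[0]:6s} (decided by {v[1]})")
```

The first dictionary shows the whitelisted-but-forged sender being relayed to a foreign domain under the posted order and rejected once reject_unauth_destination comes first or the table action is permit_auth_destination; the second shows the login mismatch being skipped entirely when permit_sasl_authenticated precedes it.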
Re: Config check
Walter Pinto put forth on 1/21/2011 10:57 PM:
> I used the following command to determine what needed to be removed
> from my main.cf:
>
>     postconf -d > defaultcfg
>     postconf -n > customcfg
>     perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
>
> Then I made the suggested changes and I'm left with:

That method doesn't seem to strip all the default junk, such as some of my markups below:

> anvil_rate_time_unit = 180s
> body_checks = regexp:/etc/postfix/body_checks
> bounce_size_limit = 1500
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix               -- **remove this, default
> default_destination_concurrency_limit = 10
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = /var/www/html/postfix        -- **Is this _needed_ in main.cf?
> inet_protocols = all                          -- **Remove this unless you're using IPv6
> initial_destination_concurrency = 10          -- **Are these two _needed_
> local_destination_concurrency_limit = 10         default settings didn't work?
> local_recipient_maps = error:local mail delivery disabled
> local_transport = error:local mail delivery disabled
> maximal_backoff_time = 90m                    -- **Same here, _needed_ ?
> message_size_limit = 1450
> mydomain = mx.example.net
> myhostname = mx.example.net
> mynetworks = 127.0.0.0/8
> myorigin = example.net
> readme_directory = /var/www/html/postfix      -- **Is this needed in main.cf?
> relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
> relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
> relocated_maps = hash:/etc/postfix/relocated
> smtp_connect_timeout = 45s                    -- **unless this is _needed_ remove the line, default is 30s
> smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
> smtpd_error_sleep_time = 0                    -- The default is 1s. Do you _need_ this at zero?
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_hostname reject_invalid_hostname
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     reject_invalid_hostname
>     reject_non_fqdn_hostname
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     reject_unlisted_recipient
>     check_recipient_access hash:/etc/postfix/whitelist
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client b.barracudacentral.org
>     reject_rbl_client bl.spamcop.net
>     check_policy_service inet:127.0.0.1:10031
>     check_policy_service inet:127.0.0.1:10023
> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
> smtpd_tls_cert_file = /etc/postfix/certs/mx.example.net.cert
> smtpd_tls_key_file = /etc/postfix/certs/mx.example.net.key
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 7200s
> smtpd_use_tls = yes
> transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
> virtual_alias_maps =
>     hash:/etc/postfix/domains/localhost
>     hash:/etc/postfix/domains/example.com
>     hash:/etc/postfix/domains/example.net
>     hash:/etc/postfix/domains/example.org
>
> How does that look now?

A little more consolidated, looks better. Note my markups. You can go a little further. As a general rule, don't change anything or add anything that's not _necessary_ to make Postfix function correctly in your environment. Having more than necessary simply clutters main.cf/postconf -n output making it more difficult to read/troubleshoot down the road, as Noel mentioned.

--
Stan
Re: Config check
On 1/22/2011 11:10 AM, Stan Hoeppner wrote:
> Walter Pinto put forth on 1/21/2011 10:57 PM:
> > I used the following command to determine what needed to be removed
> > from my main.cf:
> >
> >     postconf -d > defaultcfg
> >     postconf -n > customcfg
> >     perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
> >
> > Then I made the suggested changes and I'm left with:
>
> That method doesn't seem to strip all the default junk, such as some
> of my markups below:
>
> > anvil_rate_time_unit = 180s
> > body_checks = regexp:/etc/postfix/body_checks
> > bounce_size_limit = 1500
> > broken_sasl_auth_clients = yes
> > config_directory = /etc/postfix               -- **remove this, default
> > default_destination_concurrency_limit = 10
> > disable_vrfy_command = yes
> > header_checks = regexp:/etc/postfix/header_checks
> > html_directory = /var/www/html/postfix        -- **Is this _needed_ in main.cf?
> > inet_protocols = all                          -- **Remove this unless you're using IPv6
> > initial_destination_concurrency = 10          -- **Are these two _needed_
> > local_destination_concurrency_limit = 10         default settings didn't work?
> > local_recipient_maps = error:local mail delivery disabled
> > local_transport = error:local mail delivery disabled
> > maximal_backoff_time = 90m                    -- **Same here, _needed_ ?

Nothing wrong with increasing the max backoff to 90m, particularly with a short/default min backoff.

> > message_size_limit = 1450
> > mydomain = mx.example.net
> > myhostname = mx.example.net
> > mynetworks = 127.0.0.0/8
> > myorigin = example.net
> > readme_directory = /var/www/html/postfix      -- **Is this needed in main.cf?
> > relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
> > relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
> > relocated_maps = hash:/etc/postfix/relocated
> > smtp_connect_timeout = 45s                    -- **unless this is _needed_ remove the line, default is 30s

I'm not sure the postfix 2.3 default is 30s. Anyway, 45s is close enough and probably won't cause problems.

> > smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
> > smtpd_error_sleep_time = 0                    -- The default is 1s. Do you _need_ this at zero?

Setting smtpd_error_sleep_time = 0 is good to help postfix handle more rejections per second. Leave it in if you want.

Other than that, looks fine.

--
Noel Jones
Re: Config check
Thanks guys. My relay server has been upgraded to 2.7.2 and smtp server to 2.4.13

> inet_protocols = all

Had to add this due to some SPF records now using ip6: entries

> reject_sender_login_mismatch before permit_sasl_authenticated

Results in the following unwanted result:

Jan 22 14:30:32 smtp1 postfix/smtpd[8000]: NOQUEUE: reject: RCPT from unknown[92.11.56.77]: 553 5.7.1 u...@example.com: Sender address rejected: not owned by user u...@example.com; from=u...@exmaple.com to=recipi...@destination.com proto=ESMTP helo=GENERIC

Below are the current postconf -n for both servers.

SMTP:

alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
initial_destination_concurrency = 5
local_destination_concurrency_limit = 5
local_transport = error:local mail delivery disabled
maximal_backoff_time = 90m
message_size_limit = 1450
mydomain = smtp1.example.net
myhostname = smtp1.example.net
mynetworks = 127.0.0.0/8
myorigin = example.net
relocated_maps = hash:/etc/postfix/relocated
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_error_sleep_time = 0
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_recipient
    reject_invalid_hostname
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_login_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:10031
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_recipient
    reject_invalid_hostname
    reject_unknown_sender_domain
smtpd_tls_CAfile = /usr/share/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/smtp1.example.net.cert
smtpd_tls_key_file = /etc/postfix/certs/smtp1.example.net.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps =
    hash:/etc/postfix/domains/localhost
    hash:/etc/postfix/domains/example.com
    hash:/etc/postfix/domains/example.net
    hash:/etc/postfix/domains/example.org

RELAY:

anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
inet_protocols = all
local_transport = error:local mail delivery disabled
maximal_backoff_time = 90m
message_size_limit = 1450
mydomain = mx11.example.net
myhostname = mx11.example.net
mynetworks = 127.0.0.0/8
myorigin = example.net
relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
relocated_maps = hash:/etc/postfix/relocated
smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_hostname reject_invalid_hostname
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unlisted_recipient
    check_recipient_access hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client bl.spamcop.net
    check_policy_service inet:127.0.0.1:10031
    check_policy_service inet:127.0.0.1:10023
smtpd_reject_unlisted_sender = yes
smtpd_sasl_local_domain = $myhostname
smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/mx11.example.net.cert
smtpd_tls_key_file = /etc/postfix/certs/mx11.example.net.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
virtual_alias_maps =
    hash:/etc/postfix/domains/localhost
    hash:/etc/postfix/domains/example.com
    hash:/etc/postfix/domains/example.net
    hash:/etc/postfix/domains/example.org
Re: Config check
On 1/22/2011 4:46 PM, Walter Pinto wrote:
> Thanks guys. My relay server has been upgraded to 2.7.2 and smtp
> server to 2.4.13
>
> > inet_protocols = all
>
> Had to add this due to some SPF records now using ip6: entries
>
> > reject_sender_login_mismatch before permit_sasl_authenticated
>
> Results in the following unwanted result:
>
> Jan 22 14:30:32 smtp1 postfix/smtpd[8000]: NOQUEUE: reject: RCPT from unknown[92.11.56.77]: 553 5.7.1 u...@example.com: Sender address rejected: not owned by user u...@example.com; from=u...@exmaple.com to=recipi...@destination.com proto=ESMTP helo=GENERIC

OK. Something is correct when it behaves as you expect.

> Below are the current postconf -n for both servers.
>
> SMTP:
>
> smtpd_sender_restrictions =
>     check_policy_service inet:127.0.0.1:10031
>     permit_sasl_authenticated
>     reject_unauth_destination
>     reject_non_fqdn_recipient
>     reject_non_fqdn_sender
>     reject_unlisted_recipient
>     reject_invalid_hostname
>     reject_unknown_sender_domain

smtpd_sender_restrictions can be *only* your policy service.

smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031

All the other checks are run with smtpd_recipient_restrictions. No need to duplicate everything here.

> RELAY:

Looks OK.

--
Noel Jones
Re: Config check
Noel,

You're correct about reject_sender_login_mismatch; the problem is with my smtpd_sender_login_maps query and not the restriction itself. I'll have to revisit that at a later time.

Thanks for all your help.
Re: Config check
On Fri, Jan 21, 2011 at 6:50 PM, Walter Pinto wal...@amhosting.com wrote: CentOS 5.5 mail_version = 2.3.3 Hi Walter, I realize that 2.3.3 is the version of Postfix that is installed by the default CentOS repos, but as already recommended on this thread, you may want to consider the jump to a newer version. I recently upgraded directly from 2.3.3 to 2.8.0 on three of our CentOS 5.5 boxes, and wrote a detailed how-to here (it's a very painless process that takes less than 5 mins and keeps all your existing config files intact): http://stevejenkins.com/blog/2011/01/building-postfix-2-8-on-rhel5-centos-5-from-source/ From the looks of your config, you'll need to modify the make makefiles command from my how-to slightly to compile in MySQL support, but if you have it running with 2.3.3 currently, then you probably already know how to do that. :) Best, SteveJ
Re: Config check
On 1/21/2011 7:11 PM, Walter Pinto wrote: I've been somewhat satisfied with the config I've had in place for a while, but I thought it wouldn't hurt to have the experts take a look and see if I've fubared something. Would the preferred method be a postconf -n or snippets from main.cf? You're welcome to show your postconf -n for comments. The only main.cf snippets we would care about are things that (by design) don't show up in postconf, such as restriction class definitions, or per-transport settings. -- Noel Jones
Re: Config check
Thanks Noel. Let me know if I'm missing anything. This server is supposed to act just as a relay.

postconf -n

alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /var/www/html/postfix
in_flow_delay = 0
inet_protocols = all
initial_destination_concurrency = 10
local_destination_concurrency_limit = 10
local_recipient_maps =
local_transport = error:local mail delivery disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 90m
maximal_queue_lifetime = 5d
message_size_limit = 1450
mime_header_checks = $header_checks
minimal_backoff_time = 45m
mydestination =
mydomain = mx.example.net
myhostname = mx.example.net
mynetworks = 127.0.0.0/16
myorigin = example.net
nested_header_checks =
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 120s
readme_directory = /var/www/html/postfix
relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_connect_timeout = 45s
smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_hostname reject_invalid_hostname
smtpd_recipient_restrictions =
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client bl.spamcop.net
    check_policy_service inet:127.0.0.1:10023
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/mx.example.net.cert
smtpd_tls_key_file = /etc/postfix/certs/mx.example.net.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
    hash:/etc/postfix/domains/localhost
    hash:/etc/postfix/domains/example.com
    hash:/etc/postfix/domains/example.net
    hash:/etc/postfix/domains/example.org

/etc/postfix/sql/relay_transport_map.conf

user = user
password = password
dbname = postfix
table = relay_transport_map
select_field = y
where_field = x
query = SELECT y FROM relay_transport_map WHERE x='%s'

Example:

mysql> SELECT *
    -> FROM `relay_transport_map`
    -> WHERE `x`
    -> REGEXP CONVERT( _utf8 'enduser.com'
    -> USING latin1 )
    -> COLLATE latin1_swedish_ci
    -> LIMIT 0 , 30
    -> \g
+-------------+---------------------+---------+
| x           | y                   | ip      |
+-------------+---------------------+---------+
| enduser.com | cpanel:[x.x.x.x]:26 | x.x.x.x |
+-------------+---------------------+---------+

sql/relay_recipient_map.conf

user = user
password = password
dbname = postfix
query = SELECT y FROM relay_recipient_map WHERE x='%s'

Example:

mysql> SELECT *
    -> FROM `relay_recipient_map`
    -> WHERE `x`
    -> REGEXP CONVERT( _utf8 'enduser.com'
    -> USING latin1 )
    -> COLLATE latin1_swedish_ci
    -> LIMIT 0 , 30
    -> \g
+---------------------+----+---------+
| x                   | y  | ip      |
+---------------------+----+---------+
| exam...@enduser.com | OK | x.x.x.x |
+---------------------+----+---------+
Re: Config check
Walter Pinto put forth on 1/21/2011 7:42 PM:

> Thanks Noel. Let me know if I'm missing anything. This server is supposed to act just as a relay.

It sure would read a lot easier if you didn't manually declare all those default settings. Which Linux distro is this? Whoever packages Postfix with such a default/example main.cf should be larted.

-- Stan

> postconf -n
> alias_maps =
> anvil_rate_time_unit = 180s
> body_checks = regexp:/etc/postfix/body_checks
> bounce_size_limit = 1500
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 10
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = /var/www/html/postfix
> in_flow_delay = 0
> inet_protocols = all
> initial_destination_concurrency = 10
> local_destination_concurrency_limit = 10
> local_recipient_maps =
> local_transport = error:local mail delivery disabled
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> maximal_backoff_time = 90m
> maximal_queue_lifetime = 5d
> message_size_limit = 1450
> mime_header_checks = $header_checks
> minimal_backoff_time = 45m
> mydestination =
> mydomain = mx.example.net
> myhostname = mx.example.net
> mynetworks = 127.0.0.0/16
> myorigin = example.net
> nested_header_checks =
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> queue_run_delay = 120s
> readme_directory = /var/www/html/postfix
> relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
> relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_connect_timeout = 45s
> smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 0
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_hostname reject_invalid_hostname
> smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_hostname
>     reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain
>     reject_unknown_recipient_domain reject_unlisted_recipient
>     check_policy_service inet:127.0.0.1:10031 permit_mynetworks reject_unauth_destination
>     check_recipient_access hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org
>     reject_rbl_client b.barracudacentral.org reject_rbl_client bl.spamcop.net
>     check_policy_service inet:127.0.0.1:10023
> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = no
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
> smtpd_tls_cert_file = /etc/postfix/certs/mx.example.net.cert
> smtpd_tls_key_file = /etc/postfix/certs/mx.example.net.key
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 7200s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/domains/localhost hash:/etc/postfix/domains/example.com
>     hash:/etc/postfix/domains/example.net hash:/etc/postfix/domains/example.org
>
> /etc/postfix/sql/relay_transport_map.conf
> user = user
> password = password
> dbname = postfix
> table = relay_transport_map
> select_field = y
> where_field = x
> query = SELECT y FROM relay_transport_map WHERE x='%s'
>
> Example:
> mysql> SELECT *
>     -> FROM `relay_transport_map`
>     -> WHERE `x`
>     -> REGEXP CONVERT( _utf8 'enduser.com'
>     -> USING latin1 )
>     -> COLLATE latin1_swedish_ci
>     -> LIMIT 0 , 30
>     -> \g
> +-------------+---------------------+---------+
> | x           | y                   | ip      |
> +-------------+---------------------+---------+
> | enduser.com | cpanel:[x.x.x.x]:26 | x.x.x.x |
> +-------------+---------------------+---------+
>
> sql/relay_recipient_map.conf
> user = user
> password = password
> dbname = postfix
> query = SELECT y FROM relay_recipient_map WHERE x='%s'
>
> Example:
> mysql> SELECT *
>     -> FROM `relay_recipient_map`
>     -> WHERE `x`
>     -> REGEXP CONVERT( _utf8 'enduser.com'
>     -> USING latin1 )
>     -> COLLATE latin1_swedish_ci
>     -> LIMIT 0 , 30
>     -> \g
> +---------------------+----+---------+
> | x                   | y  | ip      |
> +---------------------+----+---------+
> | exam...@enduser.com | OK | x.x.x.x |
> +---------------------+----+---------+
Re: Config check
CentOS 5.5 mail_version = 2.3.3
Re: Config check
On 1/21/2011 7:42 PM, Walter Pinto wrote:

> Thanks Noel. Let me know if I'm missing anything. This server is supposed to act just as a relay.
>
> postconf -n
> alias_maps =
> anvil_rate_time_unit = 180s
> body_checks = regexp:/etc/postfix/body_checks
> bounce_size_limit = 1500
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 10
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = /var/www/html/postfix

OK so far.

> in_flow_delay = 0

in_flow_delay should probably be left at the default.

> inet_protocols = all
> initial_destination_concurrency = 10
> local_destination_concurrency_limit = 10
> local_recipient_maps =
> local_transport = error:local mail delivery disabled

OK.

> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> maximal_backoff_time = 90m
> maximal_queue_lifetime = 5d
> message_size_limit = 1450
> mime_header_checks = $header_checks
> minimal_backoff_time = 45m

That seems high for a minimal backoff (especially with a 120s queue run delay). A min backoff of 2~15 minutes is common; 5m is the default.

> mydestination =
> mydomain = mx.example.net
> myhostname = mx.example.net
> mynetworks = 127.0.0.0/16

Usually that should be /8, but I can't imagine /16 will cause any problems...

> myorigin = example.net
> nested_header_checks =
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> queue_run_delay = 120s

The default is 300s and is probably appropriate for most sites. If your queue has lots of deferred mail, frequent runs will slow postfix down.

> readme_directory = /var/www/html/postfix
> relay_domains = mysql:/etc/postfix/sql/relay_transport_map.conf
> relay_recipient_maps = mysql:/etc/postfix/sql/relay_recipient_map.conf

Looks as if you have a list of valid recipients. Very good.

> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_connect_timeout = 45s
> smtpd_data_restrictions = reject_multi_recipient_bounce reject_unauth_pipelining
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 0
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_hostname reject_invalid_hostname
> smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_hostname
>     reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_sender_domain
>     reject_unknown_recipient_domain reject_unlisted_recipient
>     check_policy_service inet:127.0.0.1:10031 permit_mynetworks reject_unauth_destination
>     check_recipient_access hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org
>     reject_rbl_client b.barracudacentral.org reject_rbl_client bl.spamcop.net
>     check_policy_service inet:127.0.0.1:10023

I would expect permit_mynetworks, reject_unauth_destination to be the first entries here. If your :10031 policy service must run before reject_unauth_destination, move it to smtpd_sender_restrictions so that it can't accidentally cause an open relay. (Not likely, but better safe...)

> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = no
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
> smtpd_tls_cert_file = /etc/postfix/certs/mx.example.net.cert
> smtpd_tls_key_file = /etc/postfix/certs/mx.example.net.key
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 7200s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = mysql:/etc/postfix/sql/relay_transport_map.conf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/domains/localhost hash:/etc/postfix/domains/example.com
>     hash:/etc/postfix/domains/example.net hash:/etc/postfix/domains/example.org

OK, no glaring errors. I don't use SQL, so I won't comment on that part.

Note that postfix 2.3 is no longer supported. Postfix 2.3.19 is the last patchlevel of that version, so 2.3.3 is *way* behind.

As Stan mentioned, there are lots of entries above that are defaults. It would clean up your config and make your postconf -n easier to examine for errors if you remove default entries from main.cf.

-- Noel Jones

> /etc/postfix/sql/relay_transport_map.conf
> user = user
> password = password
> dbname = postfix
> table = relay_transport_map
> select_field = y
> where_field = x
> query = SELECT y FROM relay_transport_map WHERE x='%s'
>
> Example:
> mysql> SELECT *
>     -> FROM `relay_transport_map`
>     -> WHERE `x`
>     -> REGEXP CONVERT( _utf8 'enduser.com'
>     -> USING latin1 )
>     -> COLLATE latin1_swedish_ci
>     -> LIMIT 0 , 30
>     -> \g
> ++++
> | x | y
Re: Config check
Thanks Noel, I will make the suggested changes along with cleaning out the defaults. As far as the check policy goes, I shouldn't have any issues moving it on this server because all I have enabled is HELO and SPF checking. Now on my SMTP server, I have to have it before or else the quota checking doesn't work.
Re: Config check
On 1/21/2011 9:46 PM, Walter Pinto wrote:

> Thanks Noel, I will make the suggested changes along with cleaning out the defaults. As far as the check policy goes, I shouldn't have any issues moving it on this server because all I have enabled is HELO and SPF checking. Now on my SMTP server, I have to have it before or else the quota checking doesn't work.

You should be able to move your quota check to smtpd_sender_restrictions to ensure against open relay accidents. With the default smtpd_delay_reject=yes, all the client/sender/recipient information is available during smtpd_sender_restrictions without exposing external relay rights.

-- Noel Jones
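Noel's two replies make the same recommendation: put permit_mynetworks and reject_unauth_destination at the head of smtpd_recipient_restrictions, and move any check that must run before the relay gate into smtpd_sender_restrictions, where an OK result cannot grant relaying. The script below is an added example for this thread, not code from any of the posters or from the Postfix project. It parses a `postconf -n` or main.cf dump, reports anything ahead of reject_unauth_destination that could return OK (a policy service or access table), and rewrites the parameter the way Noel suggests. The sample configuration is constructed from the posted main.cf (relay-relevant parameters only). It assumes a Postfix older than 2.10, such as the 2.3.3 in the thread, where smtpd_recipient_restrictions alone decides relaying; on 2.10 and later the parameter to audit is smtpd_relay_restrictions.

```python
"""Audit smtpd_recipient_restrictions for open-relay ordering (added example).

Assumes a pre-2.10 Postfix, where smtpd_recipient_restrictions alone decides
relaying. The sample input is constructed from the main.cf posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Restrictions whose following word is an argument (lookup table or policy server).
ARG_TAKING = re.compile(r"^(check_\w+|reject_rbl_client|reject_rhsbl_\w+)$")
# Permits an admin normally intends to grant relay rights ahead of the gate.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}
RELAY_GATES = ("reject_unauth_destination", "defer_unauth_destination")
# Restrictions that only reject/defer or modify the next result; they never relay.
HARMLESS_PREFIXES = ("reject_", "defer", "warn_if_reject")

Group = List[str]  # one restriction plus its argument, if it takes one


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `postconf -n` or main.cf text; whitespace-led lines continue a value."""
    params: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def tokenize(value: str) -> List[Group]:
    """Split a restriction list into [name] or [name, argument] groups."""
    words = [w for w in re.split(r"[\s,]+", value) if w]
    groups: List[Group] = []
    i = 0
    while i < len(words):
        width = 2 if ARG_TAKING.match(words[i]) and i + 1 < len(words) else 1
        groups.append(words[i:i + width])
        i += width
    return groups


def gate_index(groups: List[Group]) -> Optional[int]:
    """Position of the first relay gate, or None when the list has none."""
    return next((i for i, g in enumerate(groups) if g[0] in RELAY_GATES), None)


def audit_relay_ordering(params: Dict[str, str]) -> List[str]:
    """Report restrictions placed before the relay gate that could grant relaying."""
    groups = tokenize(params.get("smtpd_recipient_restrictions", ""))
    gate = gate_index(groups)
    findings: List[str] = []
    if gate is None:
        findings.append("no reject_unauth_destination in smtpd_recipient_restrictions: open relay")
        gate = len(groups)
    for g in groups[:gate]:
        name = g[0]
        if name in SAFE_PERMITS or name.startswith(HARMLESS_PREFIXES):
            continue
        if name.startswith("check_"):
            findings.append(f"{' '.join(g)} precedes the relay gate: an OK lookup result would relay")
        else:
            findings.append(f"{' '.join(g)} precedes the relay gate: review whether it may permit relaying")
    return findings


def relay_safe_rewrite(params: Dict[str, str]) -> Dict[str, str]:
    """Intended permits and the gate first; lookups that ran earlier move to
    smtpd_sender_restrictions (with smtpd_delay_reject=yes they still see the recipient)."""
    groups = tokenize(params.get("smtpd_recipient_restrictions", ""))
    gate = gate_index(groups)
    before = groups if gate is None else groups[:gate]
    after = [] if gate is None else groups[gate + 1:]
    gate_group = ["reject_unauth_destination"] if gate is None else groups[gate]
    permits = [g for g in before if g[0] in SAFE_PERMITS]
    moved = [g for g in before if g[0].startswith("check_")]
    rest = [g for g in before if g not in permits and g not in moved]

    def join(gs: List[Group]) -> str:
        return " ".join(" ".join(g) for g in gs)

    fixed = dict(params)
    fixed["smtpd_recipient_restrictions"] = join(permits + [gate_group] + rest + after)
    if moved:
        fixed["smtpd_sender_restrictions"] = join(
            tokenize(fixed.get("smtpd_sender_restrictions", "")) + moved)
    return fixed


# Constructed from the posted main.cf: only the relay-relevant parameters.
POSTED = """\
mynetworks = 127.0.0.0/16
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    reject_invalid_hostname reject_non_fqdn_hostname reject_non_fqdn_sender
    reject_non_fqdn_recipient reject_unknown_sender_domain
    reject_unknown_recipient_domain reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks reject_unauth_destination
    check_recipient_access hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org reject_rbl_client b.barracudacentral.org
    reject_rbl_client bl.spamcop.net check_policy_service inet:127.0.0.1:10023
"""

if __name__ == "__main__":
    posted = parse_postconf(POSTED)
    for finding in audit_relay_ordering(posted):
        print("FINDING:", finding)
    fixed = relay_safe_rewrite(posted)
    for key in ("smtpd_recipient_restrictions", "smtpd_sender_restrictions"):
        print(f"{key} = {fixed[key]}")
    assert audit_relay_ordering(fixed) == []
```

Run against the posted configuration it reports one finding, the :10031 policy service ahead of reject_unauth_destination, and the rewrite leaves the :10023 service and the whitelist lookup where they were, after the gate. The rewrite is deliberately conservative: it reorders rather than removes, so every restriction the admin listed is still evaluated.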
Re: Config check
On Fri, 2011-01-21 at 20:57:18 -0800, Walter Pinto wrote:

> I used the following command to determine what needed to be removed from my main.cf:
>
> postconf -d > defaultcfg
> postconf -n > customcfg
> perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg

FWIW, an untested, less verbose alternative:

% (postconf -d ; postconf -n) | sort | uniq -d

-- Sahil Tandon sa...@freebsd.org
Re: Config check
Sahil, I tested your command and it worked, thanks for that.