Re: manually testing postfix submission on port 587

2014-08-14 Thread Viktor Dukhovni
On Thu, Aug 14, 2014 at 02:07:29PM -0700, Quanah Gibson-Mount wrote:

> I'm trying to validate some sender restriction maps, but I'm unable to even
> send out a basic email over 587 for manual testing even before I set the
> restriction maps, and I'm not clear why.  Any insight appreciated.
>
> [zimbra@zre-ldap003 ~]$ openssl s_client -CApath /opt/zimbra/conf/ca
> -connect zre-ldap003.eng.zimbra.com:587 -starttls smtp

Wrong tool for the job, s_client is not netcat.

> RCPT TO:testus...@zre-ldap003.eng.zimbra.com
> RENEGOTIATING

There's your problem. s_client(1) treats R and Q at the
beginnings of lines specially.  You can try 'rcpt to:' (lower-case)
to work around the issue.

You need something more transparent that takes cleartext in and
sends TLS out, but can negotiate via SMTP STARTTLS.

-- 
Viktor.
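
The kind of transparent tester Viktor is describing, as an added example that is not part of the original thread or of Postfix: a short Python script built on the standard socket and ssl modules. It sends each command verbatim (so RCPT TO: and QUIT reach the server instead of s_client's key handler), negotiates STARTTLS through SMTP, re-issues EHLO, authenticates with AUTH PLAIN and then runs MAIL FROM / RCPT TO with the angle brackets RFC 5321 requires. Host, login and addresses come from the command line; the optional fifth argument is a CA bundle and stands in for s_client's -CApath. The Submission class and submit_test function are names chosen here, not Postfix or OpenSSL APIs.

```python
"""Transparent SMTP submission tester (added example, not from the thread or
Postfix): cleartext commands in, TLS out, STARTTLS negotiated via SMTP.  Every
line is sent verbatim, so unlike openssl s_client, 'RCPT TO:' and 'QUIT' are
not mistaken for the R (renegotiate) and Q (quit) key commands."""
import base64
import getpass
import socket
import ssl


def auth_plain(user, password, authzid=""):
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd, base64."""
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def smtp_path(addr):
    """Wrap an address in the <> RFC 5321 requires; '' becomes the null reverse-path <>."""
    addr = addr.strip()
    return addr if addr.startswith("<") and addr.endswith(">") else f"<{addr}>"


def parse_reply(text):
    """Parse one SMTP reply ('250-x' lines then '250 y') into (code, [texts])."""
    lines = [ln for ln in text.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        code = code if code is not None else int(line[:3])
        last = i == len(lines) - 1
        if (line[3:4] == "-") == last:     # '-' on the last line, or no '-' before it: broken reply
            raise ValueError(f"inconsistent multi-line reply at: {line!r}")
        texts.append(line[4:])
    return code, texts


class Submission:
    def __init__(self, host, port=587, cafile=None, timeout=15):
        self.host = host
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        # Verifies chain and hostname; cafile plays the role of s_client's -CApath/-CAfile.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def reply(self, want=None):
        """Read one full reply; if want is given, fail unless that code comes back."""
        buf = b""
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            buf += line
            if line[3:4] != b"-":          # '250-' continues the reply, anything else ends it
                break
        code, texts = parse_reply(buf.decode("utf-8", "replace"))
        print(f"S: {code} {' | '.join(texts)}")
        if want is not None and code != want:
            raise RuntimeError(f"expected {want}, got {code} {texts}")
        return code, texts

    def send(self, line, want=None, shown=None):
        """Send one command verbatim (shown replaces it in the log, e.g. to hide credentials)."""
        print(f"C: {shown or line}")
        self.sock.sendall(line.encode("utf-8") + b"\r\n")
        return self.reply(want)

    def starttls(self):
        self.send("STARTTLS", 220)
        self.sock = self.ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("rb")   # fresh reader over the TLS socket


def submit_test(host, user, password, mail_from, rcpt_to, cafile=None, port=587):
    """EHLO, STARTTLS, EHLO again (RFC 3207), AUTH PLAIN, MAIL FROM, RCPT TO, QUIT; no DATA.
    Returns the RCPT TO reply: with Postfix's default smtpd_delay_reject=yes, sender
    restriction failures are reported there, not in reply to MAIL FROM."""
    s = Submission(host, port, cafile)
    s.reply(220)
    me = socket.getfqdn()
    s.send(f"EHLO {me}", 250)
    s.starttls()
    _, caps = s.send(f"EHLO {me}", 250)
    if not any(c.upper().startswith("AUTH ") and "PLAIN" in c.upper().split() for c in caps):
        raise RuntimeError("server does not offer AUTH PLAIN after STARTTLS")
    s.send(f"AUTH PLAIN {auth_plain(user, password)}", 235, shown="AUTH PLAIN <redacted>")
    s.send(f"MAIL FROM:{smtp_path(mail_from)}", 250)
    code, texts = s.send(f"RCPT TO:{smtp_path(rcpt_to)}")   # not a renegotiation request here
    s.send("QUIT")
    return code, texts


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 5:
        sys.exit("usage: submit_test.py HOST USER MAIL_FROM RCPT_TO [CAFILE]")
    host, user, mail_from, rcpt_to = sys.argv[1:5]
    cafile = sys.argv[5] if len(sys.argv) > 5 else None
    submit_test(host, user, getpass.getpass("Password: "), mail_from, rcpt_to, cafile)
```

Invoke it as, for instance, `python3 submit_test.py mail.example.com user@example.com user@example.com someone@example.net /etc/ssl/ca.pem` (constructed values). The script stops after RCPT TO and never sends DATA, because that reply is where a sender restriction shows up: Postfix's default smtpd_delay_reject = yes postpones evaluation of smtpd_sender_restrictions until RCPT TO, which is why the 553 for the sender appears after rcpt to in the transcripts in this thread.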


Re: manually testing postfix submission on port 587

2014-08-14 Thread Quanah Gibson-Mount
--On Thursday, August 14, 2014 10:13 PM + Viktor Dukhovni 
postfix-us...@dukhovni.org wrote:

> There's your problem. s_client(1) treats R and Q at the
> beginnings of lines specially.  You can try 'rcpt to:' (lower-case)
> to work around the issue.

I knew it had to be something simple, thank you. :)

Sadly, it appears there's an issue with my sender login maps. :(

235 2.7.0 Authentication successful
mail from:testus...@zre-ldap003.eng.zimbra.com
250 2.1.0 Ok
rcpt to:testus...@zre-ldap002.eng.zimbra.com
553 5.7.1 testus...@zre-ldap003.eng.zimbra.com: Sender address rejected: 
not owned by user testus...@zre-ldap003.eng.zimbra.com


So I'll need to debug that next. :)

--Quanah

--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: manually testing postfix submission on port 587

2014-08-14 Thread Viktor Dukhovni
On Thu, Aug 14, 2014 at 02:32:47PM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, August 14, 2014 10:13 PM + Viktor Dukhovni
> postfix-us...@dukhovni.org wrote:
>
> > There's your problem. s_client(1) treats R and Q at the
> > beginnings of lines specially.  You can try 'rcpt to:' (lower-case)
> > to work around the issue.
>
> I knew it had to be something simple, thank you. :)
>
> Sadly, it appears there's an issue with my sender login maps. :(
>
> 235 2.7.0 Authentication successful
> mail from:testus...@zre-ldap003.eng.zimbra.com
> 250 2.1.0 Ok
> rcpt to:testus...@zre-ldap002.eng.zimbra.com

By the way, RFC5321, 2821 and 821 all require:

mail from:<testus...@zre-ldap003.eng.zimbra.com>
rcpt to:<testus...@zre-ldap002.eng.zimbra.com>

with <> around the reverse path and forward path.  Postfix by
default accepts your looser syntax for Sendmail compatibility, but
you should not rely on this.

> 553 5.7.1 testus...@zre-ldap003.eng.zimbra.com: Sender address rejected:
> not owned by user testus...@zre-ldap003.eng.zimbra.com
>
> So I'll need to debug that next. :)

Good luck.

-- 
Viktor.


Re: manually testing postfix submission on port 587

2014-08-14 Thread Quanah Gibson-Mount
--On Thursday, August 14, 2014 3:32 PM -0700 Quanah Gibson-Mount 
qua...@zimbra.com wrote:

> 235 2.7.0 Authentication successful
> mail from:testus...@zre-ldap003.eng.zimbra.com
> 250 2.1.0 Ok
> rcpt to:testus...@zre-ldap002.eng.zimbra.com
> 553 5.7.1 testus...@zre-ldap003.eng.zimbra.com: Sender address
> rejected: not owned by user testus...@zre-ldap003.eng.zimbra.com
>
> So I'll need to debug that next. :)

Ok, this is because I have (among other things)

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

but nothing set for:
smtpd_sender_login_maps

It does seem odd to me, that with it set to reject mismatched logins, it 
rejects a matching login when no maps are defined.



--Quanah



Re: manually testing postfix submission on port 587

2014-08-14 Thread Quanah Gibson-Mount
--On Thursday, August 14, 2014 10:42 PM + Viktor Dukhovni 
postfix-us...@dukhovni.org wrote:

> By the way, RFC5321, 2821 and 821 all require:
>
> mail from:<testus...@zre-ldap003.eng.zimbra.com>
> rcpt to:<testus...@zre-ldap002.eng.zimbra.com>
>
> with <> around the reverse path and forward path.  Postfix by
> default accepts your looser syntax for Sendmail compatibility, but
> you should not rely on this.

I usually do use the <>'s. Like:

mail from:<testus...@zre-ldap003.eng.zimbra.com>
250 2.1.0 Ok
rcpt to:<testus...@zre-ldap003.eng.zimbra.com>
553 5.7.1 testus...@zre-ldap003.eng.zimbra.com: Sender address rejected:
not owned by user testus...@zre-ldap003.eng.zimbra.com

quit

;)

I was trying both with and without them just to ensure it wasn't something
stupid about the <>'s. ;)


--Quanah



Re: manually testing postfix submission on port 587

2014-08-14 Thread Viktor Dukhovni
On Thu, Aug 14, 2014 at 02:45:33PM -0700, Quanah Gibson-Mount wrote:

> > 235 2.7.0 Authentication successful
> > mail from:testus...@zre-ldap003.eng.zimbra.com
> > 250 2.1.0 Ok
> > rcpt to:testus...@zre-ldap002.eng.zimbra.com
> > 553 5.7.1 testus...@zre-ldap003.eng.zimbra.com: Sender address
> > rejected: not owned by user testus...@zre-ldap003.eng.zimbra.com
> >
> > So I'll need to debug that next. :)
>
> Ok, this is because I have (among other things)
>
> smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
>
> but nothing set for:
> smtpd_sender_login_maps
>
> It does seem odd to me, that with it set to reject mismatched logins, it
> rejects a matching login when no maps are defined.

Your notion of matching is too naive.  Mere coincidence of email
address and SASL login name is not a match.  A match is a lookup
result from a table that returns the SASL login as one of the owner
logins.

If you like, you could try:

main.cf:
smtpd_sender_login_maps = pcre:${config_directory}/identity.pcre

identity.pcre:
# Sender address as SASL user is automatically an owner
/^(.+)$/ ${1}

-- 
Viktor.
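
To make "a match is a lookup result" concrete, here is an added example (mine, not Postfix code) that emulates the restriction in Python. PcreTable is a deliberately minimal reader for a pcre: table (first match wins, the i flag toggling the default case-insensitive match, $N/${N} substitution, nothing else), and sender_login_mismatch applies the owner check with no map, with the identity map from the post above, and with a constructed role-address map in which postmaster@example.com is owned by two logins. Full-address lookup only and case-insensitive owner comparison are simplifying assumptions; all addresses are made up.

```python
"""Emulation of Postfix reject_authenticated_sender_login_mismatch (added
example, not Postfix code): the MAIL FROM address is looked up in
smtpd_sender_login_maps, the result is a list of owner logins, and the
sender is rejected unless the SASL login is one of them.  A sender that
merely equals the login string is NOT a match if the lookup finds nothing."""
import re


class PcreTable:
    """Minimal reader for a Postfix pcre: table: '/pattern/flags result' per
    line, first match wins.  Simplifications (assumptions): only the 'i' flag,
    which toggles the default case-insensitive matching, and $N / ${N}
    substitution are supported; '!' negation and other flags are rejected."""

    LINE = re.compile(r"^/((?:[^/\\]|\\.)*)/([a-zA-Z]*)\s+(\S.*)$")

    def __init__(self, text):
        self.rules = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = self.LINE.match(line)
            if not m:
                raise ValueError(f"unsupported pcre table line: {raw!r}")
            pattern, flags, result = m.groups()
            case_insensitive = flags.count("i") % 2 == 0   # 'i' toggles; default is on
            rx = re.compile(pattern, re.IGNORECASE if case_insensitive else 0)
            self.rules.append((rx, result))

    def lookup(self, key):
        """Return the result string for the first matching rule, or None."""
        for rx, result in self.rules:
            m = rx.search(key)
            if m:
                return re.sub(r"\$\{?(\d+)\}?",
                              lambda g: m.group(int(g.group(1))) or "", result)
        return None


def sender_login_mismatch(sender, sasl_login, login_maps):
    """Return (reject, reason) for a MAIL FROM in an authenticated session.
    login_maps is a PcreTable or None (smtpd_sender_login_maps unset).  Only the
    full address is looked up here (Postfix also tries partial keys for indexed
    tables); owner comparison is case-insensitive here (assumption)."""
    if sasl_login is None:
        return False, "not authenticated; restriction does not apply"
    owners = login_maps.lookup(sender) if login_maps is not None else None
    reject = f"{sender}: Sender address rejected: not owned by user {sasl_login}"
    if owners is None:
        return True, reject
    allowed = [o for o in re.split(r"[,\s]+", owners) if o]
    if any(o.lower() == sasl_login.lower() for o in allowed):
        return False, f"{sender} is owned by {sasl_login} (owners: {allowed})"
    return True, reject


# The identity map from the thread: every sender address owns itself.
IDENTITY_PCRE = r"""
# Sender address as SASL user is automatically an owner
/^(.+)$/ ${1}
"""

# Constructed example: a role address owned by two real logins, then identity.
ROLE_PCRE = r"""
/^postmaster@example\.com$/ alice@example.com, bob@example.com
/^(.+)$/ ${1}
"""


def demo():
    """Run the scenarios from the thread plus the role-address case."""
    identity, roles = PcreTable(IDENTITY_PCRE), PcreTable(ROLE_PCRE)
    cases = [
        ("no map",       None,     "user@example.com",       "user@example.com"),
        ("identity map", identity, "user@example.com",       "user@example.com"),
        ("identity map", identity, "ceo@example.com",        "user@example.com"),
        ("role map",     roles,    "postmaster@example.com", "bob@example.com"),
        ("role map",     roles,    "postmaster@example.com", "mallory@example.com"),
    ]
    results = []
    for name, table, sender, login in cases:
        reject, reason = sender_login_mismatch(sender, login, table)
        results.append((name, sender, login, reject))
        print(f"{name:13} {'553 5.7.1 ' if reject else '250 '}{reason}")
    return results


if __name__ == "__main__":
    demo()
```

The equivalent check against a live Postfix configuration is `postmap -q user@example.com pcre:/etc/postfix/identity.pcre` (or the same query against the ldap: table in use): whatever it prints is the owner list the restriction compares the SASL login with, and no output at all means every authenticated login will be refused for that sender, which is the 553 seen in this thread with smtpd_sender_login_maps unset.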


Re: manually testing postfix submission on port 587

2014-08-14 Thread Quanah Gibson-Mount
--On Thursday, August 14, 2014 10:56 PM + Viktor Dukhovni 
postfix-us...@dukhovni.org wrote:

> Your notion of matching is too naive.  Mere coincidence of email
> address and SASL login name is not a match.

Good point.  Having smtpd_sender_login_maps empty and 
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch is not 
a configuration we officially support anyway.  Once I have it configured 
per our supported bits (doing lookups out of ldap) it behaves correctly.


Thanks!

--Quanah

