Nabble - Postfix

Re: startssl and CA autority

2009-11-28T18:03:19Z

On Sun, 29 Nov 2009 03:00:46 +0100, fakessh <fakessh@...> wrote:
> hi all
>
> hi postfix list
>
> I worked all day to develop my certificates
> with certificates free of startssl
>
> I based this document
>
http://translate.google.fr/translate?js=y&prev=_t&hl=fr&ie=UTF-8&u=http%3A%2F%2Fwww.grandville.net%2FOpenSSL%2FLigneDeCommande&sl=fr&tl=en
>
> I realized correctly signed certificates
>
> I read in the doc startssl the need to import this document among the
> certificates
>

to import the document
https://www.startssl.com/certs/sub.class1.client.ca.pem

>
> how to incorporate the certificates in postfix?
>
>
> thanks for all your feedback
>
> thanks all your
>
> thanks
>
> nb : je ne parle pas anglais

startssl and CA autority

2009-11-28T17:57:36Z

hi all

hi postfix list

I worked all day to develop my certificates
with certificates free of startssl

I based this document
http://translate.google.fr/translate?js=y&prev=_t&hl=fr&ie=UTF-8&u=http%3A%2F%2Fwww.grandville.net%2FOpenSSL%2FLigneDeCommande&sl=fr&tl=en

I realized correctly signed certificates

I read in the doc startssl the need to import this document among the
certificates

how to incorporate the certificates in postfix?

thanks for all your feedback

thanks all your

thanks

nb : je ne parle pas anglais

my problem is solved I'm not sending bounce

2009-11-28T17:40:08Z

Hi URGENT

my problem is solved I'm not sending bounce

double_bounce_sender=no
bounce_notice_recipient = postmaster

sorry

Re: Configuring Two Postfix mail servers behind HA Proxy load balancer.

2009-11-28T05:10:23Z

* Manoj Burande <manoj.burande@...>:
> I am trying to setup a Postfix Mail Server on Fedora10. I am trying
> to learn the basic process of setting up and manage a Postfix Mail
> Server.

Trying to learn Postfix by implementing a HA solution is not really a
suitable way, IMHO. In case nobody else is going to post those links:

http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html

Perhaps you might want to set up a standard Postfix mailserver before
you work on an HA setup.

> Also trying to build a High-Available Postfix Mail Server
> set. I have already configured HA Proxy load balancer servers. I just
> wanted to place my two postfix mail server behind it.
>
> Is there ANYBODY help me to accomplish the same. Or please provide me
> online stuff to set up mail servers behind load balancer.

The way the SMTP protocl is designe, load balancers are almost always
unnecessary - even HA loadbalancers might reduce availability (if your
only MX entry points to the LB and the receiving Postfix server dies
mid-transaction).

What you want to look at when talking about a HA setup is the
availability to continuously process a mail queue even if one node
dies. You should have a very good reason to invest in such a setup,
for example, sending out large newsletters. If your mailservers
typically run with very small queues and a loss/delay of a single mail
is not a big deal, simply configure two mail servers (and make your
IMAP server/$WHATEVER clustered).

If you absolutely need to make sure that queued mails will be
processed even if the node that "owned" the queue dies, then - and
only then - try to setup a cluster.

So, a quick list of things you should get accomplished:

1. Get a HA storage solution. If e.g. it is some SAN/iSCSI stuff, get it
connected to you two nodes and configure a cluster filesystem (someone
might comment on why a queue on NFS is not a good idea).
Whatever you do, make sure both nodes can access the same filesystem.
2. Get a clustering software working and installed on your nodes.
Pacemaker/Corosync should do the job.
3. Configure two Postfix instances, each with it's own queue
directory. If you don't want to store it's binaries/configuration
files on the clustered filesystem, figure out a way to keep them in
sync on both nodes.
4. Write yourself a resource agent which is capable of stopping and
starting an instance.
5. In your clustering software, configure a "mailserver" resource
using the resource agents from the previous step, and add other
cluster resources (stonith devices, virtual IP addresses) as needed.

Once you are finished, when one of your nodes dies, the Postfix
instance will be started on the remaining node. Since the queue
directory will still be available (clustered filesystem, you
remember?), processing of the queue will continue.

All of this of course doesn't guarantee your users will have access to
your mails - you'll basically need to repeat the above steps for your
IMAP/POP3 server.

Ciao
Stefan
--
Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
Tapferkeit ist ein Anfall, der bei den meisten Menschen schnell vorübergeht.

Re: Postfix Deployment

2009-11-28T04:44:45Z

Stan Hoeppner:

> Wietse Venema put forth on 11/27/2009 5:17 PM:
> > Stan Hoeppner:
> >> I'm running my Postfix firewall behind NAT/PAT and the setup didn't
> >> require any non-default Postfix settings to make it work. I port
> >> forwarded TCP 25 from my router to my internal Postfix host IP and all
> >> worked without issue. What settings are you referring to?
> >
> > proxy_interfaces=external-ip-address, which is needed to avoid
> > "mail loops to myself" errors when you provide backup MX service,
> > and the primary is for some reason not available.
>
> Thanks for the heads up Wietse. What is the effect of proxy_interfaces
> on a NAT'd Postfix box if I'm not running a/as backup MX? (I'm not) Any?

All features that use $inet_interfaces to decide if an address
is local will also use $proxy_interfaces for that same purpose.

This includes MX elimination when sending mail via SMTP,
canonical/virtual/etc mapping with user@[ipaddres], accepting
user@[ipaddres] via SMTP, and more.

I was referring to FALSE alarms with BACKUP mx hosts that resolve
to $proxy_interfaces.

I was not referring to TRUE alarms when you tell Postfix to deliver
a domain not in mydestination etc. with a PRIMARY mx that resolves
to a local IP addres.

Wietse

Re: Multiple Mail domains for reverse ptr records? I'm confused

2009-11-27T18:01:00Z

At Fri, 27 Nov 2009 13:18:15 -0500 (EST), wietse@... (Wietse Venema) wrote:
Subject: Re: Multiple Mail domains for reverse ptr records? I'm confused

>
> Wietse Venema:
> > Greg A. Woods:
> > > There _should_ be one PTR for every _valid_ hostname using a given IP
> > > address.
> >
> > Statements such as above remind me of silly knights fighting windmills.
> >
> > There is a difference between "right" and "useful", and it even
> > depends on where they are used - server or client side.

Indeed -- I do not disagree. However I tried to emphasise the important
words above in what you quoted.

Also, don't forget the human use of the DNS either.

I.e. it is _always_ useful from _some_ perspective to have a valid PTR
for every valid hostname which may be considered to be legitimately
pointing to a given address.

Other hostnames which point to an address but which are not pointed to
by a corresponding PTR _may_ be useful in some context, however neither
man nor machine will be able to identify their validity from afar. Only
the legitimate "owner" of the IP address will be able to claim anything
about the validity of the hostnames which may be pointing to that
address, and by definition without using PTRs that cannot be done in the
context of the DNS.

> > Multiple server A records are useful. More in the case of HTTP,
> > less in the case of SMTP which uses indirection via MX records.
> > (For a discussion about domain-in-a-box applications, see some
> > actual measurements that I did earlier this year).
> >
> > One PTR per A record is not useful. The server end will not know
> > what client name to use.
>
> That is, one PTR per A record, in the case of multiple A records
> for the same IP address.

Well it all depends on how the client/server protocol interaction works,
doesn't it?

As you suggest, for SMTP the client tells the server which hostname it
should care about, so the server need not wonder which client name is
being used.

> > On the other hand, it is right when every PTR record has a matching
> > A record that resolves to (among others) the PTR record's address.

Indeed. Orthogonality goes both ways! :-)

--
Greg A. Woods

+1 416 218-0098 VE3TCP RoboHack <woods@...>
Planix, Inc. <woods@...> Secrets of the Weird <woods@...>

attachment0 (193 bytes) Download Attachment

Re: Multiple Mail domains for reverse ptr records? I'm confused

2009-11-27T17:46:54Z

At Sat, 28 Nov 2009 00:16:58 +0100, mouss <mouss@...> wrote:
Subject: Re: Multiple Mail domains for reverse ptr records? I'm confused
>
> Greg A. Woods a écrit :
> > At Wed, 25 Nov 2009 21:51:15 +0100, mouss <mouss@...> wrote:
> > Subject: Re: Multiple Mail domains for reverse ptr records? I'm confused
>
> I didn't wrote this. if you can't use a mailer correctly, try an easier
> sport.

I quoted the "Subject:" header field content of a message you wrote.
Please learn to read common-format attributions correctly. :-)

> PS. Next time, avoid CC-ing me.

Please set the "reply-to:" header field to a value which reflects your
expressed wishes. That way most software, including the software I use,
will do your bidding.

> > [snip]
> > A hostname cannot be verified, either manually or by machine, as "valid"
> > in the DNS unless a corresponding PTR points back at it.
>
> when you'll find the PTR that points back to www.ietf.org,

Yes, the ietf.org zone is very lame:

$ host -A www.ietf.org
*** Hostname www.ietf.org does not belong to address 64.170.98.32
*** Not all addresses for hostname www.ietf.org have a matching hostname.

Seems they think their WWW service hostname is most important.

Just because the ietf.org domain name is managed on behalf of the
organisation which helps coordinate development and publications of
Internet standards doesn't mean those who operate it will always do
everything possible to meet all best practises. I'm sure you know the
story about the cobbler's children who went barefoot. In fact it
appears the ietf.org zone is managed by a group that looks decidedly
less technical than you might have guessed.

They could easily fix the reverse DNS by adding just these few PTRs:

32.98.170.64.in-addr.arpa IN PTR ietf.org.
IN PTR ietf72.ietf.org.
IN PTR jabber.ietf.org.
IN PTR mail.ietf.org.
IN PTR rt.ietf.org.
IN PTR search.ietf.org.
IN PTR trustee.ietf.org.

> www.google.com

I'm not sure what you're talking about there -- that one is a CNAME.

> there is no PTR that resolves to www.netoyen.net and there will never
> be. The corresponding IP resolves to imlil.netoyen.net, which in turn
> resolves to the IP. That is what IP -> name -> IP double resolution
> (sometimes called FcrDNS) means. there is no need for the IP to resolve
> to all the names.

You are confused.

If a _client_ uses a hostname which does not have a PTR corresponding to
it, then the client's hostname CANNOT be assumed to be valid.

I.e. it all depends on what names are used, and from what perspective.

For HTTP the client never does not give its name -- but for SMTP it does.

(i.e., indeed there are perspectives of use where the validity of a
hostname base on the reverse DNS is less important.)

There's also the human "perspective" of the DNS, for what it's worth.

If I create a hostname such as:

it-is-all-mine.weird.com. IN A 91.121.103.130

are _you_ going to then believe that my use of that IP address is valid?

Why not?

Do you expect anyone else to believe my use of that IP address is valid?

Why not?

What if I use that hostname as my mailer's client name when sending mail?

Are you going to try to argue that there should be some algorithm which
tries to identify the invalid nature of my proposed hostname above just
because it somehow doesn't "match" the domain name which the PTR for
that address does point to? I defy you to even try to create such an
algorithm which will work in _every_ case, and which will be simpler
than if we all simply agree that the only valid hostnames pointing to an
address are those for which the address resolves in the reverse DNS to
corresponding PTRs.

--
Greg A. Woods

+1 416 218-0098 VE3TCP RoboHack <woods@...>
Planix, Inc. <woods@...> Secrets of the Weird <woods@...>

attachment0 (193 bytes) Download Attachment

Re: Postfix Deployment

2009-11-27T17:21:23Z

Wietse Venema put forth on 11/27/2009 5:17 PM:
> Stan Hoeppner:
>> I'm running my Postfix firewall behind NAT/PAT and the setup didn't
>> require any non-default Postfix settings to make it work. I port
>> forwarded TCP 25 from my router to my internal Postfix host IP and all
>> worked without issue. What settings are you referring to?
>
> proxy_interfaces=external-ip-address, which is needed to avoid
> "mail loops to myself" errors when you provide backup MX service,
> and the primary is for some reason not available.

Thanks for the heads up Wietse. What is the effect of proxy_interfaces
on a NAT'd Postfix box if I'm not running a/as backup MX? (I'm not) Any?

Speaking of mail loops, note the first entry below:

uribl.com. 43200 IN MX 10 mx.
uribl.com. 43200 IN MX 10 mx.uribl.com.
uribl.com. 43200 IN MX 100 mx2.
uribl.com. 43200 IN MX 100 mx2.uribl.com.

uribl.com is the only site I've ever mailed to that has a non-fqdn
hostname for an MX record. When I attempt to send mail to
*****@uribl.com, I get the following:

Nov 27 19:10:00 greer postfix/smtpd[8196]: connect from
gffx.hardwarefreak.com[192.168.100.53]
Nov 27 19:10:00 greer postfix/smtpd[8196]: 84D913DA123:
client=gffx.hardwarefreak.com[192.168.100.53]
Nov 27 19:10:00 greer postfix/cleanup[8199]: 84D913DA123:
message-id=<4B107868.5060907@...>
Nov 27 19:10:00 greer postfix/qmgr[8172]: 84D913DA123:
from=<stan@...>, size=701, nrcpt=1 (queue active)
Nov 27 19:10:00 greer postfix/smtpd[8196]: disconnect from
gffx.hardwarefreak.com[192.168.100.53]
Nov 27 19:10:01 greer postfix/smtp[8200]: 84D913DA123:
to=<*****@uribl.com>, relay=none, delay=1.2, delays=0.1/0.03/1/0,
dsn=5.4.6, status=bounced (mail for uribl.com loops back to myself)
Nov 27 19:10:01 greer postfix/cleanup[8199]: B18AF3DA124:
message-id=<20091128011001.B18AF3DA124@...>
Nov 27 19:10:01 greer postfix/qmgr[8172]: B18AF3DA124: from=<>,
size=2537, nrcpt=1 (queue active)
Nov 27 19:10:01 greer postfix/bounce[8201]: 84D913DA123: sender
non-delivery notification: B18AF3DA124
Nov 27 19:10:01 greer postfix/qmgr[8172]: 84D913DA123: removed
Nov 27 19:10:01 greer postfix/smtp[8200]: B18AF3DA124:
to=<stan@...>, relay=192.168.100.2[192.168.100.2]:25,
delay=0.1 1, delays=0.02/0/0.02/0.07, dsn=2.0.0, status=sent (250 OK)
Nov 27 19:10:01 greer postfix/qmgr[8172]: B18AF3DA124: removed

I added proxy_interfaces = 65.41.216.221 to main.cf and reloaded before
sending the above test message. It doesn't seem to affect/fix this
particular mail loop issue I have with uribl.com.

Any ideas what's causing this, or how to fix it? This is the first and
only domain I've ever had this problem with when attempting delivery.

--
Stan

value in an alias_maps map to short circuit subsequent maps and deliver locally?

2009-11-27T17:18:04Z

I have two maps, ldap:/etc/postfix/ldap-mailRoutingAddress.cf and
ldap:/etc/postfix/ldap-mail.cf

alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-mailRoutingAddress.cf, ldap:/etc/postfix/ldap-mail.cf

sender_canonical_maps = ldap:/etc/postfix/ldap-mail.cf

This way,

* For users without an entry in either map, mail is delivered locally
and is canonicalized as username@$myorigin
* For users with an entry in just ldap-mailRoutingAddress.cf, mail is
delivered to that address but is still canonicalized as username@
$myorigin
* For users with an entry in just ldap-mail.cf, mail is delivered to
that address and is canonicalized as that address
* For users with an entry in each map, mail is delivered to the address
from ldap-mailRoutingAddress.cf and is canonicalized as the address from
ldap-mail.cf

This is great, except I now have one unusual case where mail must be
delivered locally, but must be canonicalized as the address from
ldap-mail.cf

- but with an address in ldap-mail.cf, mail isn't delivered locally,
it's delivered to that address instead : (

Can I put some value in the ldap-mailRoutingAddress.cf map which will
cause mail to be delivered locally? thereby stopping the lookup before
getting to ldap-mail.cf?

Any other suggestions?

Re: CMD tool to check if next SMTP hop can use TLS for messages?

2009-11-27T15:55:08Z

Harakiri:

> > 1) Configure the Postfix SMTP client to REQUIRE TLS.
> >
> > ? ? smtp_tls_security_level=encrypt
>
> no - as i said, my filer has own rules and can be based on recipient, sender, or a combination of both - postfix cant do this, or at least not without different policy servers
>
> >
> > 2) Configure the Postfix SMTP server to reject mail that
> > ???cannot be delivered via SMTP-over-TLS.
> >
> > ? ? smtpd_recipient_restrictions =
> > ??? reject_unverified_recipient
> > ??? permit_mynetworks
> > ??? reject_unauth_destination
>
> again, doesnt work - as i said i want this policy based in an existing filter - therefor i asked for a CMD app to check the existing of TLS myself

Given this:

> I know about all the difficulties with MX lookup etc, the original
> goal would be - that i have a policy for external domains - and
> that for certain domains a message should only be sent if TLS is
> available - if a message to a certain domain is sent which does
> not support TLS - it should be blocked -

You can configure reject_unverified_recipient to use a message
delivery transport that requires TLS, even when normal mail deliveries
don't require it:

/etc/postfix/main.cf:
address_verify_transport_maps = hash:/etc/postfix/verify_transport

/etc/postfix/verify_transport:
example.com smtp-tls-required:

/etc/postfix/master.cf:
smtp-tls-required unix - - - - - smtp
-o smtp_tls_security_level=encrypt

Then, you can invoke reject_unverified_recipient SELECTIVELY
for the domains that need TLS.

Wietse

Re: CMD tool to check if next SMTP hop can use TLS for messages?

2009-11-27T15:21:02Z

--- On Fri, 11/27/09, Wietse Venema <wietse@...> wrote:

> From: Wietse Venema <wietse@...>
> Subject: Re: CMD tool to check if next SMTP hop can use TLS for messages?
> To: "Postfix users" <postfix-users@...>
> Date: Friday, November 27, 2009, 11:14 AM
> Harakiri:

>
> 1) Configure the Postfix SMTP client to REQUIRE TLS.
>
> smtp_tls_security_level=encrypt

no - as i said, my filer has own rules and can be based on recipient, sender, or a combination of both - postfix cant do this, or at least not without different policy servers

>
> 2) Configure the Postfix SMTP server to reject mail that
>    cannot be delivered via SMTP-over-TLS.
>
> smtpd_recipient_restrictions =
>     reject_unverified_recipient
>     permit_mynetworks
>     reject_unauth_destination

again, doesnt work - as i said i want this policy based in an existing filter - therefor i asked for a CMD app to check the existing of TLS myself

Re: Postfix Deployment

2009-11-27T15:17:47Z

Stan Hoeppner:
> I'm running my Postfix firewall behind NAT/PAT and the setup didn't
> require any non-default Postfix settings to make it work. I port
> forwarded TCP 25 from my router to my internal Postfix host IP and all
> worked without issue. What settings are you referring to?

proxy_interfaces=external-ip-address, which is needed to avoid
"mail loops to myself" errors when you provide backup MX service,
and the primary is for some reason not available.

Wietse

Re: Multiple Mail domains for reverse ptr records? I'm confused

2009-11-27T15:16:58Z

Greg A. Woods a écrit :
> At Wed, 25 Nov 2009 21:51:15 +0100, mouss <mouss@...> wrote:
> Subject: Re: Multiple Mail domains for reverse ptr records? I'm confused

I didn't wrote this. if you can't use a mailer correctly, try an easier
sport. A friend of mine recently told me bowling is easy. I'm not sure,
but it's worth a try.

PS. Next time, avoid CC-ing me.

> [snip]
> A hostname cannot be verified, either manually or by machine, as "valid"
> in the DNS unless a corresponding PTR points back at it.

when you'll find the PTR that points back to www.ietf.org,
www.google.com, ... etc, I'll accept to talk with you. Until then, give
yourself some rest. If you want pointers on DNS, ask friendly and you'll
get help.

> [snip]
>
> If you do not control your own reverse DNS zones, and the people who do
> control your reverse DNS zones are so lame as to not offer you the
> ability to specify a reasonable number of PTR records for each of the IP
> addresses you use, then you should _seriously_ consider changing to a
> provider where you will have the necessary control over your reverse DNS.
>

you are totally confused.

there is no PTR that resolves to www.netoyen.net and there will never
be. The corresponding IP resolves to imlil.netoyen.net, which in turn
resolves to the IP. That is what IP -> name -> IP double resolution
(sometimes called FcrDNS) means. there is no need for the IP to resolve
to all the names.

Postfix Deployment

2009-11-27T15:10:42Z

/dev/rob0 put forth on 11/27/2009 3:13 PM:

> I am equally at a loss, and could turn the question back at you: is
> there any reason why I would want to run Postfix behind NAT?

Inbound NAT/PAT are often confused, because they're implemented (from an
admin's standpoint) in an almost identical way. Depends on your
firewall/router and its language and/or config GUI. Very few people
actually implement a full inbound NAT these days, almost exclusively
using selective PAT instead. Many/most, those using the technology, do
implement a full outbound NAT however, selectively closing often abused
outbound ports. I should have stated inbound PAT only, omitting NAT
from my original statement, since it is what is applicable in this
discussion.

The major benefit is the same as with other systems: NAT/PAT acts as a
natural inbound packet filter/firewall. There's nothing else to
configure except to punch PAT holes into it for internal servers. Many
admins don't have the time or skill to become real firewall monkeys,
pounding out dozens or hundreds of lines of access control rules to
accomplish the same thing with live address networks.

> Perhaps there are different assumptions about NAT and its place in
> our world. For me, it's always ugly, but sometimes a necessity to
> work around the scarcity of IP addresses. For you it seems to be
> desirable as an end in itself.

I find NAT/PAT quite an elegant solution to multiple issues. Today
NAT/PAT is more about network edge security setup ease of use than it is
about saving IP addresses, esp for small orgs, although the latter is a
concern for many sites. You also have to look at portability. If your
org doesn't have its own ARIN netblock, and switches from one pipe
provider to another, losing one set of IPs and gaining another set, then
you have to renumber your entire network, both inside and out. CEOs
would readily fire CIOs and managers for creating a cost of this
magnitude. Again, any org without a direct ARIN netblock assignment
should be using RFC 1918 space internally. Period. If you're a small
outfit with just a few colo'd machines to readdress, that's a different
story, and much more manageable. Your only real issue here would be
TTLs on your dns records.

> By all means, if you gain a benefit from having your Postfix behind
> NAT, run it behind NAT. Do note that a few more non-default settings
> are needed, but indeed as you observed, not a big deal. Also note
> that routers vary, and some, like the Cisco PIX, are proxying your
> SMTP traffic, not doing NAT. Consult your router documentation and
> vendor for support, and then Postfix documentation for workarounds
> should they prove necessary.

I'm running my Postfix firewall behind NAT/PAT and the setup didn't
require any non-default Postfix settings to make it work. I port
forwarded TCP 25 from my router to my internal Postfix host IP and all
worked without issue. What settings are you referring to?

I concur with your router/firewall statement above. NAT/PAT
implementations can and do vary, so one should read up on the docs and
be ready for possible functionality oddities. For instance, I've seen a
few NAT/PAT implementations that mask the real source IP in the packets,
replacing it with the internal private interface IP of the router. This
obviously wreaks havoc on Postfix smtpd, making client IP checks
impossible, and making connection logging useless, amongst other things.
So, if you run across a router with such a NAT implementation, toss it
and get one that passes source IPs correctly (IIRC this came up not all
that long ago, and Wietse's advice was the same--ditch the crappy
router). That said, even many of the cheapest consumer broadband
routers handle this correctly these days, most have since at least 2004,
so I can't imagine you'd run into this today. Anything's possible though.

--
Stan

Re: Postfix Deployment

2009-11-27T13:13:16Z

On Fri, Nov 27, 2009 at 03:42:56PM -0500, Roman Gelfand wrote:

> On Fri, Nov 27, 2009 at 1:48 PM, Stan Hoeppner <stan@...> wrote:
> > Ralf Hildebrandt put forth on 11/27/2009 6:20 AM:
> >
> >> Then it of course needs a publich IP addresses
> >
> > Or, at least, a public IP NAT/PAT'd to it by your firewall. It will
> > also obviously need PTR, A, and MX records.
> >
> > Also, this may be helpful:
> >
> > http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> >
>
> I am at a loss here. This article seems to say that it is possible, I
> mean in the way it was designed to run, to run postfix in NATed
> network. In this case, is there still a reason why I would want to
> run postfix on public ip machine?

I am equally at a loss, and could turn the question back at you: is
there any reason why I would want to run Postfix behind NAT?

Perhaps there are different assumptions about NAT and its place in
our world. For me, it's always ugly, but sometimes a necessity to
work around the scarcity of IP addresses. For you it seems to be
desirable as an end in itself.

By all means, if you gain a benefit from having your Postfix behind
NAT, run it behind NAT. Do note that a few more non-default settings
are needed, but indeed as you observed, not a big deal. Also note
that routers vary, and some, like the Cisco PIX, are proxying your
SMTP traffic, not doing NAT. Consult your router documentation and
vendor for support, and then Postfix documentation for workarounds
should they prove necessary.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

Re: Postfix Deployment

2009-11-27T12:57:22Z

Well, I see no reason to have a MTA running on a public IP. As stated
above in the thread, as long as your server is HELO'ing out as the
name associated with the PTR record for its SRC-NAT, then you should
be fine.

On Fri, Nov 27, 2009 at 3:42 PM, Roman Gelfand <rgelfand2@...> wrote:

> On Fri, Nov 27, 2009 at 1:48 PM, Stan Hoeppner <stan@...> wrote:
>> Ralf Hildebrandt put forth on 11/27/2009 6:20 AM:
>>
>>> Then it of course needs a publich IP addresses
>>
>> Or, at least, a public IP NAT/PAT'd to it by your firewall. It will
>> also obviously need PTR, A, and MX records.
>>
>> Also, this may be helpful:
>>
>> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
>>
>
> I am at a loss here. This article seems to say that it is possible, I
> mean in the way it was designed to run, to run postfix in NATed
> network. In this case, is there still a reason why I would want to
> run postfix on public ip machine?
>
> Thanks again
>> --
>> Stan
>>
>
>

Re: Postfix Deployment

2009-11-27T12:42:56Z

On Fri, Nov 27, 2009 at 1:48 PM, Stan Hoeppner <stan@...> wrote:

> Ralf Hildebrandt put forth on 11/27/2009 6:20 AM:
>
>> Then it of course needs a publich IP addresses
>
> Or, at least, a public IP NAT/PAT'd to it by your firewall. It will
> also obviously need PTR, A, and MX records.
>
> Also, this may be helpful:
>
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
>

I am at a loss here. This article seems to say that it is possible, I
mean in the way it was designed to run, to run postfix in NATed
network. In this case, is there still a reason why I would want to
run postfix on public ip machine?

Thanks again
> --
> Stan
>

Re: Configuring Two Postfix mail servers behind HA Proxy load balancer.

2009-11-27T12:12:51Z

Brian Mathis put forth on 11/27/2009 7:49 AM:

> I'm sure others can help with the HA setup, but I must say that you
> should not be building a server (especially an HA one!) based on any
> Fedora distro. Fedora is Redhat's testbed where they use very beta
> software and is also mainly targeted for dekstop users. It is
> absolutely inappropriate for a server setup. Please look at CentOS
> for a server-grade Linux distro that is Redhat-based and suitable for
> running a server on.

Or better yet, go with Debian Stable or FreeBSD. Both are better server
choices than CentOS, IMHO, unless you're an RPM freak. Aptitude and
Ports are both better package management systems than the RPM model,
especially aptitude, especially WRT dependency resolution.

--
Stan

Re: multiple content filter settings

2009-11-27T11:08:55Z

On Fri, Nov 27, 2009 at 12:58 PM, Sharma, Ashish <ashish.sharma3@...> wrote:
> Peter,
>
> I don't know how to do it, please post some sample for doing what you are suggesting.

Read an Amavis document, and instead of pointing it to the postfix
reinjection port, send it to your other content filter.

Postfix Deployment

2009-11-27T10:48:02Z

Ralf Hildebrandt put forth on 11/27/2009 6:20 AM:

> Then it of course needs a publich IP addresses

Or, at least, a public IP NAT/PAT'd to it by your firewall. It will
also obviously need PTR, A, and MX records.

Also, this may be helpful:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

--
Stan

Re: Multiple Mail domains for reverse ptr records? I'm confused

2009-11-27T10:18:15Z

Wietse Venema:

> Greg A. Woods:
> > There _should_ be one PTR for every _valid_ hostname using a given IP
> > address.
>
> Statements such as above remind me of silly knights fighting windmills.
>
> There is a difference between "right" and "useful", and it even
> depends on where they are used - server or client side.
>
> Multiple server A records are useful. More in the case of HTTP,
> less in the case of SMTP which uses indirection via MX records.
> (For a discussion about domain-in-a-box applications, see some
> actual measurements that I did earlier this year).
>
> One PTR per A record is not useful. The server end will not know
> what client name to use.

That is, one PTR per A record, in the case of multiple A records
for the same IP address.

> On the other hand, it is right when every PTR record has a matching
> A record that resolves to (among others) the PTR record's address.
>
> Wietse
>
>

Re: Multiple Mail domains for reverse ptr records? I'm confused

2009-11-27T10:09:34Z

Greg A. Woods:
> There _should_ be one PTR for every _valid_ hostname using a given IP
> address.

Statements such as above remind me of silly knights fighting windmills.

There is a difference between "right" and "useful", and it even
depends on where they are used - server or client side.

Multiple server A records are useful. More in the case of HTTP,
less in the case of SMTP which uses indirection via MX records.
(For a discussion about domain-in-a-box applications, see some
actual measurements that I did earlier this year).

One PTR per A record is not useful. The server end will not know
what client name to use.

On the other hand, it is right when every PTR record has a matching
A record that resolves to (among others) the PTR record's address.

Wietse

RE: multiple content filter settings

2009-11-27T09:58:08Z

Peter,

I don't know how to do it, please post some sample for doing what you are suggesting.

Ashish

-----Original Message-----
From: petermblair@... [mailto:petermblair@...] On Behalf Of Peter Blair
Sent: Friday, November 27, 2009 11:23 PM
To: Sharma, Ashish
Cc: postfix users list
Subject: Re: multiple content filter settings

On Fri, Nov 27, 2009 at 12:14 PM, Sharma, Ashish <ashish.sharma3@...> wrote:
> I have a Postfix mail server that needs to be set for two content filters as
> I have two content filters.
>
> One from AmaVis and another a custom content filter.

Can you not have amavis feed to your second content filter, which will
in turn feed back to postfix?

Re: multiple content filter settings

2009-11-27T09:53:03Z

On Fri, Nov 27, 2009 at 12:14 PM, Sharma, Ashish <ashish.sharma3@...> wrote:
> I have a Postfix mail server that needs to be set for two content filters as
> I have two content filters.
>
> One from AmaVis and another a custom content filter.

Can you not have amavis feed to your second content filter, which will
in turn feed back to postfix?

Re: Multiple Mail domains for reverse ptr records? I'm confused

2009-11-27T09:43:32Z

At Wed, 25 Nov 2009 21:51:15 +0100, mouss <mouss@...> wrote:
Subject: Re: Multiple Mail domains for reverse ptr records? I'm confused
>
> do not confuse this with "multihoming", where you assign multiple IPs to
> a single name (that is, you use multiple A for a single name).

Why d so many people who should know better keep giving BAD advice like
this!?!?!?!

Are you really trying to shoot for the lowest common uselessness of
reverse DNS?

PLEASE let us at least advise people to always at least attempt for the
most ideal situation.

There _should_ be one PTR for every _valid_ hostname using a given IP
address.

A hostname cannot be verified, either manually or by machine, as "valid"
in the DNS unless a corresponding PTR points back at it. It's that
simple. What "valid" means depends on many factors that are not exactly
important at this point in the discussion. It is sufficient at this
point to know that there exists a mechanism in the DNS as we use it
today to specify every known "valid" user of a given IP address.

If you do not control your own reverse DNS zones, and the people who do
control your reverse DNS zones are so lame as to not offer you the
ability to specify a reasonable number of PTR records for each of the IP
addresses you use, then you should _seriously_ consider changing to a
provider where you will have the necessary control over your reverse DNS.

--
Greg A. Woods

+1 416 218-0098 VE3TCP RoboHack <woods@...>
Planix, Inc. <woods@...> Secrets of the Weird <woods@...>

attachment0 (193 bytes) Download Attachment

multiple content filter settings

2009-11-27T09:14:22Z

Hello,

I have a Postfix mail server that needs to be set for two content filters as I have two content filters.

One from AmaVis and another a custom content filter.

Please suggest some idea for configuring both on same Postfix.

Is it possible too?

Thanks in advance.

Ashish Sharma

Re: CMD tool to check if next SMTP hop can use TLS for messages?

2009-11-27T08:14:11Z

Harakiri:
> I know about all the difficulties with MX lookup etc, the original
> goal would be - that i have a policy for external domains - and
> that for certain domains a message should only be sent if TLS is
> available - if a message to a certain domain is sent which does
> not support TLS - it should be blocked - i know i could probably

In that case, everything you need already exists.

1) Configure the Postfix SMTP client to REQUIRE TLS.

smtp_tls_security_level=encrypt

2) Configure the Postfix SMTP server to reject mail that
cannot be delivered via SMTP-over-TLS.

smtpd_recipient_restrictions =
reject_unverified_recipient
permit_mynetworks
reject_unauth_destination

See also:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#caching

Wietse

Re: CMD tool to check if next SMTP hop can use TLS for messages?

2009-11-27T08:05:54Z

On Fri, Nov 27, 2009 at 06:56:16AM -0800, Harakiri wrote:
> > What problem are you actually trying to solve?
>
> I know about all the difficulties with MX lookup etc, the original
> goal would be - that i have a policy for external domains - and that
> for certain domains a message should only be sent if TLS is
> available - if a message to a certain domain is sent which does not
> support TLS - it should be blocked

This sounds quite similar to
http://www.postfix.org/TLS_README.html#client_tls_policy

> - i know i could probably do this
> with a policy server but i already have a custom 'filter' with an
> existing policy system - so thats why i asked if there is a tool
> which could query a server for TLS support -

There is no Postfix reason why you couldn't run more than one policy
service, FWIW.

> also i would like to
> visualize in my graphical mail log that the message has been sent
> using TLS.

Check out the #client_logging anchor in the above-linked document.
It's left to you, of course, to translate the actual syslog into
graphics.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

Re: SSL_accept error from unknown[x.x.x.]: -1

2009-11-27T06:58:50Z

On 11/26/2009 9:43 PM, sosogh wrote:

> Hi list
> I am running two postfix on two servers.One acts as smtp tls client,
> the other one acts as smtpd tls server.
> I tried to send mails from smtp tls client to smtpd tls server
>
> -----------------------------------------------------------------------
>
> IP are:
> smtp tls client:1.1.1.1 (postfix version 2.3.8 OpenSSL 0.9.8c 05 Sep 2006)
> smtpd tls server:2.2.2.2 (postfix version 2.5.5 OpenSSL 0.9.8g 19 Oct 2007)
>
> configuration are:
> (1)smtp tls client:
> In main.cf:
> default_transport = smtp-tls:[2.2.2.2]:465

The postfix smtp client doesn't support the long deprecated
smtps wrappermode.

You should abandon wrappermode and configure postfix to use
STARTTLS on port 587 or port 25.
http://www.postfix.org/TLS_README.html#server_tls

If you feel you must use smtps, please see
http://www.postfix.org/TLS_README.html#client_smtps

-- Noel Jones

Re: CMD tool to check if next SMTP hop can use TLS for messages?

2009-11-27T06:56:16Z

--- On Thu, 11/26/09, Victor Duchovni <Victor.Duchovni@...> wrote:

> From: Victor Duchovni <Victor.Duchovni@...>
> Subject: Re: CMD tool to check if next SMTP hop can use TLS for messages?
> To: postfix-users@...
> Date: Thursday, November 26, 2009, 3:33 PM
> On Thu, Nov 26, 2009 at 05:02:33AM
> -0800, Harakiri wrote:

> I have an unreleased utility to probe the TLS support of
> remote TLS
> servers, but it is NOT intended for use during message
> delivery or
> by content filters. Rather, the purpose is to determine the
> available
> security options for a tls policy entry for the
> destination.
>
> - Is TLS available at all
> - What ciphers
> - What certificate issuer(s), subject CN and
> altNames.

sound interesting - is there a CMD app available?

> What problem are you actually trying to solve?

I know about all the difficulties with MX lookup etc, the original goal would be - that i have a policy for external domains - and that for certain domains a message should only be sent if TLS is available - if a message to a certain domain is sent which does not support TLS - it should be blocked - i know i could probably do this with a policy server but i already have a custom 'filter' with an existing policy system - so thats why i asked if there is a tool which could query a server for TLS support - also i would like to visualize in my graphical mail log that the message has been sent using TLS.

Thanks

Re: AW: postfix - postgrey - lost connection after RSET

2009-11-27T06:48:05Z

Zitat von Eero Volotinen <eero.volotinen@...>:

> Braun Björn wrote:
>> My logs (mail.log)
>>
>> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: connect from
>> unknown[ddd.dd.ddd.dd]
>> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: NOQUEUE: reject: RCPT
>> from unknown[ddd.dd.ddd.dd]: 450 4.7.1 <aaa@...>: Recipient
>> address rejected: Greylisted, see
>> http://isg.ee.ethz.ch/tools/postgrey/help/aaa.DE.html;
>> from=<bbb@...> to=<aaa@...> proto=ESMTP helo=<mail.bbb.com>
>> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: lost connection after
>> RSET from unknown[ddd.dd.ddd.dd]
>> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: disconnect from
>> unknown[ddd.dd.ddd.dd]
>>
>> Or are these the wrong logs?
>
> Well, looks like spammer is connecting from ddd.dd.ddd.dd and after
> graylisting (45X temporary error) spammer software just drops
> connection.

This depends if "aaa@..." is missing a mail from "bbb@..." and
"ddd.dd.ddd.dd" is a valid mailserver for "bbb.com" then the problem
is worth to investigate.

Regards

Andreas

Re: AW: postfix - postgrey - lost connection after RSET

2009-11-27T06:43:58Z

Braun Björn wrote:
> My logs (mail.log)
>
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: connect from unknown[ddd.dd.ddd.dd]
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: NOQUEUE: reject: RCPT from unknown[ddd.dd.ddd.dd]: 450 4.7.1 <aaa@...>: Recipient address rejected: Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/help/aaa.DE.html; from=<bbb@...> to=<aaa@...> proto=ESMTP helo=<mail.bbb.com>
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: lost connection after RSET from unknown[ddd.dd.ddd.dd]
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: disconnect from unknown[ddd.dd.ddd.dd]
>
> Or are these the wrong logs?

Well, looks like spammer is connecting from ddd.dd.ddd.dd and after
graylisting (45X temporary error) spammer software just drops connection.

--
Eero

Re: AW: postfix - postgrey - lost connection after RSET

2009-11-27T06:42:52Z

Zitat von Braun Björn <bjoern.braun@...>:

> My logs (mail.log)
>
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: connect from
> unknown[ddd.dd.ddd.dd]
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: NOQUEUE: reject: RCPT
> from unknown[ddd.dd.ddd.dd]: 450 4.7.1 <aaa@...>: Recipient
> address rejected: Greylisted, see
> http://isg.ee.ethz.ch/tools/postgrey/help/aaa.DE.html;
> from=<bbb@...> to=<aaa@...> proto=ESMTP helo=<mail.bbb.com>
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: lost connection after
> RSET from unknown[ddd.dd.ddd.dd]
> Nov 5 10:07:56 grey2 postfix/smtpd[7153]: disconnect from
> unknown[ddd.dd.ddd.dd]
>
> Or are these the wrong logs?

If "bbb@..." is the sender in question, no. You should have a look
if there are additional attempts for "bbb@...", if not the remote
mailserver is not RFC compliant and your only chances are:

- Inform the remote postmaster and see if he/she can be triggered to
use a working mailserver setup
- Exclude (whitelist) the mailserver in question from greylisting
- Use restriction_classes with and without greylisting and let your
users choose what they prefer

>
> Thanks
> B.
>
> PS: Etiquette: Do I usually reply just _hoe02@... or the List?

To make the discussion searchable in the archives you should always
reply to the list.

Regards

Andreas

smime.p7s (8K) Download Attachment

AW: postfix - postgrey - lost connection after RSET

2009-11-27T06:11:35Z

My logs (mail.log)

Nov 5 10:07:56 grey2 postfix/smtpd[7153]: connect from unknown[ddd.dd.ddd.dd]
Nov 5 10:07:56 grey2 postfix/smtpd[7153]: NOQUEUE: reject: RCPT from unknown[ddd.dd.ddd.dd]: 450 4.7.1 <aaa@...>: Recipient address rejected: Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/help/aaa.DE.html; from=<bbb@...> to=<aaa@...> proto=ESMTP helo=<mail.bbb.com>
Nov 5 10:07:56 grey2 postfix/smtpd[7153]: lost connection after RSET from unknown[ddd.dd.ddd.dd]
Nov 5 10:07:56 grey2 postfix/smtpd[7153]: disconnect from unknown[ddd.dd.ddd.dd]

Or are these the wrong logs?

Thanks
B.

PS: Etiquette: Do I usually reply just _hoe02@... or the List?

-----Ursprüngliche Nachricht-----
Von: owner-postfix-users@... [mailto:owner-postfix-users@...] Im Auftrag von lst_hoe02@...
Gesendet: Freitag, 27. November 2009 13:17
An: postfix-users@...
Betreff: Re: postfix - postgrey - lost connection after RSET

Zitat von Braun Björn <bjoern.braun@...>:

> Hiho,
>
> I'm using debian 4.0r6 / postfix / postgrey ...
>
> This works really fine for 99+% of emailsenders
>
> From time to time I get
>
> Nov 11 09:01:54 grey2 postfix/smtpd[28926]: lost connection after
> RSET from unknown[xxx.xxx.xxx.xxx]

This has probably nothing to do with your problem....
Most of the time these are simply spammers cutting the connection
after "RSET".

> ... and users complaining about not being able to receive email from
> certain senders.

Ask the users for the *sender* address and grep your logs for failed
delievery attempts from this address.

Regards

Andreas

Re: Configuring Two Postfix mail servers behind HA Proxy load balancer.

2009-11-27T05:49:12Z

On Fri, Nov 27, 2009 at 2:51 AM, Manoj Burande
<manoj.burande@...> wrote:

> Hello All,
>
> I am trying to setup a Postfix Mail Server on Fedora10. I am trying
> to learn the basic process of setting up and manage a Postfix Mail
> Server. Also trying to build a High-Available Postfix Mail Server
> set. I have already configured HA Proxy load balancer servers. I just
> wanted to place my two postfix mail server behind it.
>
> Is there ANYBODY help me to accomplish the same. Or please provide me
> online stuff to set up mail servers behind load balancer.
>
> --
> Manoj M. Burande,
> Artificial Machines Pvt Ltd,
> System Administrator.

I'm sure others can help with the HA setup, but I must say that you
should not be building a server (especially an HA one!) based on any
Fedora distro. Fedora is Redhat's testbed where they use very beta
software and is also mainly targeted for dekstop users. It is
absolutely inappropriate for a server setup. Please look at CentOS
for a server-grade Linux distro that is Redhat-based and suitable for
running a server on.