postfix-users
#260230 From: Vahriç Muhtaryan <vahric@...>
Date: Wed Nov 25, 2009 4:46 pm
Subject: RE: About SMTP Auth with Mysql
 
Hello,

You can find the related output below.

Regards
Vahric

[root@postfix-auth1 ~]# ./saslfinger-1.0.3/saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Nov 25 18:47:20 EET 2009
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.9
System: CentOS release 5.4 (Final)

-- smtpd is linked to --
         libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003dfba00000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes


-- listing of /usr/lib64/sasl2 --
total 3500
drwxr-xr-x  2 root root   4096 Nov 22 23:17 .
drwxr-xr-x 55 root root  36864 Nov 21 04:03 ..
-rwxr-xr-x  1 root root    890 Sep  4 03:04 libanonymous.la
-rwxr-xr-x  1 root root  15880 Sep  4 03:05 libanonymous.so
-rwxr-xr-x  1 root root  15880 Sep  4 03:05 libanonymous.so.2
-rwxr-xr-x  1 root root  15880 Sep  4 03:05 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    876 Sep  4 03:04 libcrammd5.la
-rwxr-xr-x  1 root root  19264 Sep  4 03:05 libcrammd5.so
-rwxr-xr-x  1 root root  19264 Sep  4 03:05 libcrammd5.so.2
-rwxr-xr-x  1 root root  19264 Sep  4 03:05 libcrammd5.so.2.0.22
-rwxr-xr-x  1 root root    899 Sep  4 03:04 libdigestmd5.la
-rwxr-xr-x  1 root root  48520 Sep  4 03:05 libdigestmd5.so
-rwxr-xr-x  1 root root  48520 Sep  4 03:05 libdigestmd5.so.2
-rwxr-xr-x  1 root root  48520 Sep  4 03:05 libdigestmd5.so.2.0.22
-rwxr-xr-x  1 root root    939 Sep  4 03:04 libgssapiv2.la
-rwxr-xr-x  1 root root  28096 Sep  4 03:05 libgssapiv2.so
-rwxr-xr-x  1 root root  28096 Sep  4 03:05 libgssapiv2.so.2
-rwxr-xr-x  1 root root  28096 Sep  4 03:05 libgssapiv2.so.2.0.22
-rwxr-xr-x  1 root root    883 Sep  4 03:04 libldapdb.la
-rwxr-xr-x  1 root root  17736 Sep  4 03:05 libldapdb.so
-rwxr-xr-x  1 root root  17736 Sep  4 03:05 libldapdb.so.2
-rwxr-xr-x  1 root root  17736 Sep  4 03:05 libldapdb.so.2.0.22
-rwxr-xr-x  1 root root    862 Sep  4 03:04 liblogin.la
-rwxr-xr-x  1 root root  16448 Sep  4 03:05 liblogin.so
-rwxr-xr-x  1 root root  16448 Sep  4 03:05 liblogin.so.2
-rwxr-xr-x  1 root root  16448 Sep  4 03:05 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    864 Sep  4 03:04 libntlm.la
-rwxr-xr-x  1 root root  32704 Sep  4 03:05 libntlm.so
-rwxr-xr-x  1 root root  32704 Sep  4 03:05 libntlm.so.2
-rwxr-xr-x  1 root root  32704 Sep  4 03:05 libntlm.so.2.0.22
-rwxr-xr-x  1 root root    862 Sep  4 03:04 libplain.la
-rwxr-xr-x  1 root root  16416 Sep  4 03:05 libplain.so
-rwxr-xr-x  1 root root  16416 Sep  4 03:05 libplain.so.2
-rwxr-xr-x  1 root root  16416 Sep  4 03:05 libplain.so.2.0.22
-rwxr-xr-x  1 root root    936 Sep  4 03:04 libsasldb.la
-rwxr-xr-x  1 root root 893304 Sep  4 03:05 libsasldb.so
-rwxr-xr-x  1 root root 893304 Sep  4 03:05 libsasldb.so.2
-rwxr-xr-x  1 root root 893304 Sep  4 03:05 libsasldb.so.2.0.22
-rwxr-xr-x  1 root root    878 Sep  4 03:04 libsql.la
-rwxr-xr-x  1 root root  24808 Sep  4 03:05 libsql.so
-rwxr-xr-x  1 root root  24808 Sep  4 03:05 libsql.so.2
-rwxr-xr-x  1 root root  24808 Sep  4 03:05 libsql.so.2.0.22
-rw-r--r--  1 root root     25 Mar 15  2007 Sendmail.conf
-rw-r--r--  1 root root    280 Nov 22 23:17 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 3440
drwxr-xr-x  2 root root   4096 Nov 20 13:43 .
drwxr-xr-x 50 root root  28672 Nov 20 13:43 ..
-rwxr-xr-x  1 root root    884 Sep  4 03:04 libanonymous.la
-rwxr-xr-x  1 root root  14372 Sep  4 03:04 libanonymous.so
-rwxr-xr-x  1 root root  14372 Sep  4 03:04 libanonymous.so.2
-rwxr-xr-x  1 root root  14372 Sep  4 03:04 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    870 Sep  4 03:04 libcrammd5.la
-rwxr-xr-x  1 root root  16832 Sep  4 03:04 libcrammd5.so
-rwxr-xr-x  1 root root  16832 Sep  4 03:04 libcrammd5.so.2
-rwxr-xr-x  1 root root  16832 Sep  4 03:04 libcrammd5.so.2.0.22
-rwxr-xr-x  1 root root    893 Sep  4 03:04 libdigestmd5.la
-rwxr-xr-x  1 root root  47172 Sep  4 03:04 libdigestmd5.so
-rwxr-xr-x  1 root root  47172 Sep  4 03:04 libdigestmd5.so.2
-rwxr-xr-x  1 root root  47172 Sep  4 03:04 libdigestmd5.so.2.0.22
-rwxr-xr-x  1 root root    933 Sep  4 03:04 libgssapiv2.la
-rwxr-xr-x  1 root root  26496 Sep  4 03:04 libgssapiv2.so
-rwxr-xr-x  1 root root  26496 Sep  4 03:04 libgssapiv2.so.2
-rwxr-xr-x  1 root root  26496 Sep  4 03:04 libgssapiv2.so.2.0.22
-rwxr-xr-x  1 root root    877 Sep  4 03:04 libldapdb.la
-rwxr-xr-x  1 root root  15484 Sep  4 03:04 libldapdb.so
-rwxr-xr-x  1 root root  15484 Sep  4 03:04 libldapdb.so.2
-rwxr-xr-x  1 root root  15484 Sep  4 03:04 libldapdb.so.2.0.22
-rwxr-xr-x  1 root root    856 Sep  4 03:04 liblogin.la
-rwxr-xr-x  1 root root  14752 Sep  4 03:04 liblogin.so
-rwxr-xr-x  1 root root  14752 Sep  4 03:04 liblogin.so.2
-rwxr-xr-x  1 root root  14752 Sep  4 03:04 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    858 Sep  4 03:04 libntlm.la
-rwxr-xr-x  1 root root  31548 Sep  4 03:04 libntlm.so
-rwxr-xr-x  1 root root  31548 Sep  4 03:04 libntlm.so.2
-rwxr-xr-x  1 root root  31548 Sep  4 03:04 libntlm.so.2.0.22
-rwxr-xr-x  1 root root    856 Sep  4 03:04 libplain.la
-rwxr-xr-x  1 root root  14848 Sep  4 03:04 libplain.so
-rwxr-xr-x  1 root root  14848 Sep  4 03:04 libplain.so.2
-rwxr-xr-x  1 root root  14848 Sep  4 03:04 libplain.so.2.0.22
-rwxr-xr-x  1 root root    930 Sep  4 03:04 libsasldb.la
-rwxr-xr-x  1 root root 905200 Sep  4 03:04 libsasldb.so
-rwxr-xr-x  1 root root 905200 Sep  4 03:04 libsasldb.so.2
-rwxr-xr-x  1 root root 905200 Sep  4 03:04 libsasldb.so.2.0.22
-rwxr-xr-x  1 root root    878 Sep  4 03:04 libsql.la
-rwxr-xr-x  1 root root  23080 Sep  4 03:04 libsql.so
-rwxr-xr-x  1 root root  23080 Sep  4 03:04 libsql.so.2
-rwxr-xr-x  1 root root  23080 Sep  4 03:04 libsql.so.2.0.22

-- listing of /etc/sasl2 --
total 16
drwxr-xr-x  2 root root 4096 Nov 20 13:43 .
drwxr-xr-x 82 root root 4096 Nov 25 18:20 ..




-- content of /usr/lib64/sasl2/smtpd.conf --
log_level: 7
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login
sql_engine: mysql
sql_hostnames: (212.58.4.184:3306,212.58.4.247:3306)
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: postfix
sql_select: select clear from postfix_smtp where email='%u@%r'


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
         -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN


-- end of saslfinger output --

-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...]
On Behalf Of Patrick Ben Koetter
Sent: Tuesday, November 24, 2009 11:08 PM
To: postfix-users@...
Subject: Re: About SMTP Auth with Mysql

* Vahriç Muhtaryan <vahric@...>:
> Any postfix guy have a knowledge about this issue
> Really I would like to solve this and debug
> Actually smtp -v do not show the problem also verbose mode to for sasl
> Any idea ?

It is the Postfix smtpd-daemon and not the smtp-client. If you debug add "-v"
to smtpd, not smtp.

Download saslfinger and run it:

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Send debug output to the list.

> -----Original Message-----
> From: owner-postfix-users@...
> [mailto:owner-postfix-users@...] On Behalf Of Vahriç Muhtaryan
> Sent: Sunday, November 22, 2009 11:21 PM
> To: 'Patrick Ben Koetter'; postfix-users@...
> Subject: RE: About SMTP Auth with Mysql
>
> I hope that until find the right mailbox and pass it should query each
> setted mysql server but not !
> For to be sure I'm sending different mailbox name and password and wait
> postfix make query step by step but not.
> I told you before with different syntax postfix do different actions
> I don't know this is really postfix problem or cyrus problem but I couldn't
> find any solution
> When you check cyrus docs my syntax is ok but it's not working
> It's driving me crazy

Sorry, but I don't understand what you write.

p@rick





>
> Regards
> Vahric
>
> -----Original Message-----
> From: owner-postfix-users@...
> [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
> Sent: Sunday, November 22, 2009 4:44 PM
> To: postfix-users@...
> Subject: Re: About SMTP Auth with Mysql
>
> * Vahriç Muhtaryan <vahric@...>:
> > Hi,
> >
> > (212.58.4.184,212.58.4.247) not worked
> > (212.58.4.184:3306,212.58.4.247:3306)query arrive to 4.247 but not to 184
> > 212.58.4.184:3306,212.58.4.247:3306 query arrive to 4.184 but not to 247
> > 212.58.4.184:3306 212.58.4.247:3306 query arrive to 4.184 but not to 247
> > sql_hostnames: 212.58.4.184 212.58.4.247 query arrive to 4.184 but not to
> > 247
>
> How did you test?
>
> Just in case you think it should query both servers at the same time: No,
> it's not supposed to do that.
>
> If the 1st server in the list is inaccessible, it should try the second.
>
> Have you tested that?
>
> p@rick
>
> --
> All technical questions asked privately will be automatically answered on
> the list and archived for public access unless privacy is explicitly
> required and justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>


#260231 From: Dennis Putnam <dennis.putnam@...>
Date: Wed Nov 25, 2009 4:56 pm
Subject: Re: Postfix/Cyrus Forwarding Question
 
Hi Viktor,

Thanks, that clears up a few things. It appears that this applies to individual
users via the $name parameter. It is not clear how to handle many users (surely
I can't list everyone) which may be on different servers. Is there a wild card
format and/or a default?

Can the path be set to a mounted filesystem that contains the user home
directories? If no mount, how does the user create/maintain the .forward file in
that alternate location?

On Nov 25, 2009, at 11:42 AM, Victor Duchovni wrote:

> On Wed, Nov 25, 2009 at 11:27:18AM -0500, Dennis Putnam wrote:
>
>> I am running Postfix/Cyrus
>
> I assume you mean Cyrus IMAP...
>
>> on the same server that contains user home directories.
>
> With the local(8) transport delegating delivery via mailbox_transport.
>
>> The forwarding mechanism (.forward) is, of course, working
>> and I understand it.
>
> This assumes "system users" who have passwd file entries, and so by
> definition have home directories.
>
>> What I don't understand is how this mechanism works, or even if it does,
>> when a user's home directory is on a different server than Postfix/Cyrus.
>
> A system user's home directory is never "on a different server", NFS, AFS
> and the like don't matter in this context, the home directory is still
> locally accessible.
>
> Perhaps you are looking to integrate Cyrus IMAP with virtual users.
>
>> In other words when Postfix/Cyrus does not have access to the user's
>> home directory. Or is there some other delivery mechanism involved that
>> I am missing?
>
> You can change the forward_path setting to create .forward files for users
> (each owned by the user in question, or local(8) will not trust it), in
> a location different from the user's home directory.
>
>    http://www.postfix.org/postconf.5.html#forward_path
>
> If the users don't have passwd file entries, then forwarding needs to be
> managed via aliases(5) or better yet virtual(5).
>
>    http://www.postfix.org/postconf.5.html#alias_maps
>    http://www.postfix.org/postconf.5.html#virtual_alias_maps
>    http://www.postfix.org/ADDRESS_REWRITING_README.html
>    http://www.postfix.org/VIRTUAL_README.html
>
> You can deliver to Cyrus IMAP via LMTP, after rewriting recipient
> addresses in virtual(5) into a domain that is routed to a suitable
> transport(5).
>
> --
>  Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majordomo@...?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>



Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000
The information contained in this e-mail and any attachments is strictly
confidential. If you are not the intended recipient, any use, dissemination,
distribution, or duplication of any part of this e-mail or any attachment is
prohibited. If you are not the intended recipient, please notify the sender by
return e-mail and delete all copies, including the attachments.

#260232 From: Victor Duchovni <Victor.Duchovni@...>
Date: Wed Nov 25, 2009 5:12 pm
Subject: Re: Postfix/Cyrus Forwarding Question
 
On Wed, Nov 25, 2009 at 11:56:41AM -0500, Dennis Putnam wrote:

> Thanks, that clears up a few things. It appears that this applies to
> individual users via the $name parameter.

There is no "$name" parameter. That is a generic place-holder for any of
the parameters above it, to explain that you can use ${extension?foo}
or ${extension:bar} (for example) to handle the case when there is
(or is not) an address extension.

> It is not clear how to handle
> many users (surely I can't list everyone) which may be on different
> servers. Is there a wild card format and/or a default?

What do you mean "on different servers"? The forward_path specifies
a local file on the Postfix server's filesystem which contains
the ".forward" content for each user. Various ${parameters}, as part
of this setting, make the path user-dependent.

> Can the path be set to a mounted filesystem that contains the user
> home directories? If no mount, how does the user create/maintain the
> .forward file in that alternate location?

If you want users to edit their own .forward files with "vi", "emacs",
"ed", ... Give them home directories on the mail server, use NFS if
that's sufficiently reliable, and the security risk is acceptable.

[ Please don't top-post, and reply to each paragraph in-line with the
original text "quoted" with "> ", as above ].

--
	 Viktor.


#260233 From: Dennis Putnam <dennis.putnam@...>
Date: Wed Nov 25, 2009 5:41 pm
Subject: Re: Postfix/Cyrus Forwarding Question
 
Hi Viktor,

My bad, I was referring to this line in the documentation when I used $name:

$user
     The recipient's username.

In any case I think the light is starting to glow, albeit dimly.

The examples in the documentation are not very helpful. Is there someplace I can
look for better ones?

When I say on different servers, perhaps I need to better explain the
environment we plan. User home directories are on a SAN while the mail server is
not. The home directories are served out by a pair of SAN file servers and users
are distributed between them for some semblance of load balancing. While
ultimately all the home directories are on the same SAN LUN, the logical path to
them will be on different servers.

If I understand this correctly, I can set the forward_path to a directory on the
mail server (not sure what the syntax would look like based on the examples).
The hierarchy of that directory is not clear but one way or another each user
has a unique .forward file of some form. In order to maintain it I can create
scripts that access those files via 'ssh' or 'scp' or some such mechanism.

How far off am I?

On Nov 25, 2009, at 12:12 PM, Victor Duchovni wrote:

> On Wed, Nov 25, 2009 at 11:56:41AM -0500, Dennis Putnam wrote:
>
>> Thanks, that clears up a few things. It appears that this applies to
>> individual users via the $name parameter.
>
> There is no "$name" parameter. That is a generic place-holder for any of
> the parameters above it, to explain that you can use ${extension?foo}
> or ${extension:bar} (for example) to handle the case when there is
> (or is not) an address extension.
>
>> It is not clear how to handle
>> many users (surely I can't list everyone) which may be on different
>> servers. Is there a wild card format and/or a default?
>
> What do you mean "on different servers"? The forward_path specifies
> a local file on the Postfix server's filesystem which contains
> the ".forward" content for each user. Various ${parameters}, as part
> of this setting, make the path user-dependent.
>
>> Can the path be set to a mounted filesystem that contains the user
>> home directories? If no mount, how does the user create/maintain the
>> .forward file in that alternate location?
>
> If you want users to edit their own .forward files with "vi", "emacs",
> "ed", ... Give them home directories on the mail server, use NFS if
> that's sufficiently reliable, and the security risk is acceptable.
>
> [ Please don't top-post, and reply to each paragraph in-line with the
> original text "quoted" with "> ", as above ].
>
> --
>  Viktor.
>
>



Dennis Putnam

#260234 From: Victor Duchovni <Victor.Duchovni@...>
Date: Wed Nov 25, 2009 5:51 pm
Subject: Re: Postfix/Cyrus Forwarding Question
 
On Wed, Nov 25, 2009 at 12:41:37PM -0500, Dennis Putnam wrote:

> If I understand this correctly, I can set the forward_path to a directory

No, not a directory a file, and not "a" file, but a set of files, one
for each user.

> The hierarchy of that directory is not clear

The construction of the .forward path is entirely up to you.

You can list multiple patterns, the first one found to exist will be used.
This allows extension-specific .forward files to be used when available.

--
	 Viktor.


#260235 From: wietse@... (Wietse Venema)
Date: Wed Nov 25, 2009 8:27 pm
Subject: Re: Postfix/Cyrus Forwarding Question
 
Victor Duchovni:
> On Wed, Nov 25, 2009 at 12:41:37PM -0500, Dennis Putnam wrote:
>
> > If I understand this correctly, I can set the forward_path to a directory
>
> No, not a directory a file, and not "a" file, but a set of files, one
> for each user.

For example I remember from historic times something like:

     forward_path = /var/forward/$user

With address extensions turned on, it would look like:

     forward_path = /var/forward/${user}${recipient_delimiter}${extension},
	 /var/forward/${user}

But, the latter is untested.

	 Wietse
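
The selection rule described in this thread (several forward_path patterns, the first file found to exist is used, and the file must be owned by the user), as an added example that is not part of the original posts and is not Postfix code. It assumes that a pattern naming an empty variable such as `${extension}` is skipped, and it uses a temporary directory where the posts use /var/forward; `expand`, `select_forward_file` and `demo` are hypothetical names.

```python
import os
import re
import stat
import tempfile

# Matches $name, ${name}, ${name?text} and ${name:text}.
_TOKEN = re.compile(r"\$(?:(\w+)|\{(\w+)(?:([?:])([^}]*))?\})")


class Undefined(Exception):
    """A pattern used a variable that is empty for this recipient."""


def expand(pattern, attrs):
    """Expand one forward_path pattern for one recipient."""
    def repl(match):
        name = match.group(1) or match.group(2)
        op, text = match.group(3), match.group(4)
        value = attrs.get(name) or ""
        if op == "?":        # ${name?text}: text when $name is non-empty
            return text if value else ""
        if op == ":":        # ${name:text}: text when $name is empty
            return "" if value else text
        if not value:        # plain $name / ${name} with nothing to insert
            raise Undefined(name)
        return value
    return _TOKEN.sub(repl, pattern)


def select_forward_file(forward_path, attrs, uid):
    """Return (path, status) for the first pattern whose file exists.

    Assumption of this sketch: the first existing file decides the outcome,
    so a file that fails the trust check is rejected and later patterns
    are not tried.
    """
    for pattern in re.split(r"[,\s]+", forward_path.strip()):
        try:
            path = expand(pattern, attrs)
        except Undefined:
            continue                      # e.g. no address extension given
        try:
            st = os.lstat(path)           # lstat: a symlink is not followed
        except OSError:
            continue                      # file absent, try the next pattern
        if not stat.S_ISREG(st.st_mode):
            return (path, "not a regular file")
        if st.st_uid != uid:              # rule from the thread: owned by user
            return (path, "bad owner")
        return (path, "ok")
    return (None, "no file")


def demo():
    """Run the two-pattern setting from the thread against constructed files."""
    with tempfile.TemporaryDirectory() as base:
        for name in ("alice", "alice+lists"):       # constructed sample files
            with open(os.path.join(base, name), "w") as fh:
                fh.write("alice@archive.example\n")
        forward_path = (base + "/${user}${recipient_delimiter}${extension}, "
                        + base + "/${user}")
        me = os.getuid()
        plain = {"user": "alice", "recipient_delimiter": "+", "extension": ""}
        cases = [
            (dict(plain, extension="lists"), me),   # extension-specific file
            (plain, me),                            # falls back to per-user file
            (plain, me + 1),                        # file owned by someone else
            (dict(plain, user="bob"), me),          # no file for this user
        ]
        results = []
        for attrs, uid in cases:
            path, status = select_forward_file(forward_path, attrs, uid)
            results.append((os.path.basename(path) if path else None, status))
        return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```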

#260236 From: mouss <mouss@...>
Date: Wed Nov 25, 2009 8:51 pm
Subject: Re: Multiple Mail domains for reverse ptr records? I'm confused
 
ML wrote:
> Hi Wietse,
>
>>> I have some confusion about multiple reverse PTR records per IP.
>> You need only one.
>>
>> The name (from the address->name) lookup must resolve to the address.
>
> I am still confused.
>
> Like my example below, what happens if I want to setup a single mail server
> that hosts mail for 20 different domains? I am told that 18 of those domains
> will be blacklisted and SMTP will fail because the lookup won't grab the right
> record.....
>

for a given IP, you only setup one PTR.

do not confuse this with "multihoming", where you assign multiple IPs to
a single name (that is, you use multiple A for a single name).

in short you only need something like this:

192.0.2.1 => sillywilly.example.com

sillywilly.example.com  => 192.0.2.1
mail1.example.com => 192.0.2.1
mail2.example.com => 192.0.2.1
mail3.example.com => 192.0.2.1
...

as you see in this example, the IP resolves to a single name (PTR), but
many names resolve to that IP.

finally, the IP and hostname of the box have nothing to do with the
domains you host mail for. Think about Postini, google, ...
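
The check described above (one PTR per IP, and the PTR name must resolve back to that IP), as an added example that is not part of the original post. `check_fcrdns` and the sample tables are hypothetical names; the 192.0.2.1 records are the ones from the post, the 192.0.2.2 entry is a constructed misconfiguration, and the default resolvers use the system DNS.

```python
import socket


def _ptr_names(ip):
    """Names the system resolver returns for the address -> name lookup."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name] + aliases


def _addresses(name):
    """IPv4 addresses the system resolver returns for name -> address."""
    return socket.gethostbyname_ex(name)[2]


def check_fcrdns(ip, ptr_lookup=_ptr_names, a_lookup=_addresses):
    """Return (status, names) for the forward-confirmed reverse DNS check.

    "ok"                 at least one PTR name resolves back to ip
    "ptr-not-confirmed"  PTR exists but none of its names resolve to ip
    "no-ptr"             the address has no PTR record at all
    """
    try:
        names = ptr_lookup(ip)
    except OSError:                  # socket.herror / gaierror are OSErrors
        return ("no-ptr", [])
    confirmed = []
    for name in names:
        try:
            if ip in a_lookup(name):
                confirmed.append(name)
        except OSError:
            continue                 # PTR points at a name that does not exist
    if not confirmed:
        return ("ptr-not-confirmed", names)
    return ("ok", confirmed)


# Constructed sample zone, so the example runs without network access.
SAMPLE_PTR = {
    "192.0.2.1": ["sillywilly.example.com"],
    "192.0.2.2": ["mail1.example.com"],      # constructed: wrong PTR target
}
SAMPLE_A = {
    "sillywilly.example.com": ["192.0.2.1"],
    "mail1.example.com": ["192.0.2.1"],
    "mail2.example.com": ["192.0.2.1"],
    "mail3.example.com": ["192.0.2.1"],
}


def sample_ptr_lookup(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR for " + ip)
    return SAMPLE_PTR[ip]


def sample_a_lookup(name):
    if name not in SAMPLE_A:
        raise OSError("no A for " + name)
    return SAMPLE_A[name]


if __name__ == "__main__":
    for address in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(address, check_fcrdns(address, sample_ptr_lookup, sample_a_lookup))
```

Calling `check_fcrdns("your.server.ip")` with no other arguments runs the same check against live DNS.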

#260237 From: Patrick Ben Koetter <p@...>
Date: Wed Nov 25, 2009 9:05 pm
Subject: Re: About SMTP Auth with Mysql
 
Vahriç,

* Vahriç Muhtaryan <vahric@...>:
> You can find the related output below.

thanks for the debug output. Your config looks okay. Your problem is - as I
understand it - you want Cyrus SASL to do something it can't do:

1. If you list more than one host with $sql_hostnames then those hosts will be
    queried in order listed from left to right.
2. The first host in the list that answers will be used. Any other host will
    not be queried.
3. It is not possible to query all hosts at the same time.

So, if you want to query several MySQL servers at the same time, it cannot be
done. All I can think of is moving your data to one SQL server instance.

OTOH maybe you can use mysql-proxy <http://forge.mysql.com/wiki/MySQL_Proxy>,
configure that to transform the query to query both servers and let SASL query
the mysql-proxy.

HTH,

p@rick




> Regards
> Vahric
>
>
> -----Original Message-----
> From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
> Sent: Tuesday, November 24, 2009 11:08 PM
> To: postfix-users@...
> Subject: Re: About SMTP Auth with Mysql
>
> * Vahriç Muhtaryan <vahric@...>:
> > Any postfix guy have a knowledge about this issue
> > Really I would like to solve this and debug
> > Actually smtp -v do not show the problem also verbose mode to for sasl
> > Any idea ?
>
> It is the Postfix smtpd-daemon and not the smtp-client. If you debug add "-v"
> to smtpd, not smtp.
>
> Download saslfinger and run it:
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>
> Send debug output to the list.
>
> > -----Original Message-----
> > From: owner-postfix-users@...
> > [mailto:owner-postfix-users@...] On Behalf Of Vahriç Muhtaryan
> > Sent: Sunday, November 22, 2009 11:21 PM
> > To: 'Patrick Ben Koetter'; postfix-users@...
> > Subject: RE: About SMTP Auth with Mysql
> >
> > I hope that until find the right mailbox and pass it should query each
> > setted mysql server but not !
> > For to be sure I'm sending different mailbox name and password and wait
> > postfix make query step by step but not.
> > I told you before with different syntax postfix do different actions
> > I don't know this is really postfix problem or cyrus problem but I couldn't
> > find any solution
> > When you check cyrus docs my syntax is ok but its not working
> > Its drive me crazy
>
> Sorry, but I don't understand what you write.
>
> p@rick
>
>
>
>
>
> >
> > Regards
> > Vahric
> >
> > -----Original Message-----
> > From: owner-postfix-users@...
> > [mailto:owner-postfix-users@...] On Behalf Of Patrick Ben Koetter
> > Sent: Sunday, November 22, 2009 4:44 PM
> > To: postfix-users@...
> > Subject: Re: About SMTP Auth with Mysql
> >
> > * Vahriç Muhtaryan <vahric@...>:
> > > Hi,
> > >
> > > (212.58.4.184,212.58.4.247) not worked
> > > (212.58.4.184:3306,212.58.4.247:3306)query arrive to 4.247 but not to 184
> > > 212.58.4.184:3306,212.58.4.247:3306 query arrive to 4.184 but not to 247
> > > 212.58.4.184:3306 212.58.4.247:3306 query arrive to 4.184 but not to 247
> > > sql_hostnames: 212.58.4.184 212.58.4.247 query arrive to 4.184 but not to
> > > 247
> >
> > How did you test?
> >
> > Just in case you think it should query both servers at the same time: No, it's
> > not supposed to do that.
> >
> > If the 1st server in the list is inaccessible, it should try the second.
> >
> > Have you tested that?
> >
> > p@rick
> >
> > --
> > All technical questions asked privately will be automatically answered on the
> > list and archived for public access unless privacy is explicitly required and
> > justified.
> >
> > saslfinger (debugging SMTP AUTH):
> > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
> >
>
> --
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>

--
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15      Phone +49 89 3090 4664
81669 München              Fax +49 89 3090 4666

Munich District Court      Partnership Register PR 563

#260238 From: Peter Koinange <peter.koinange@...>
Date: Thu Nov 26, 2009 6:23 am
Subject: Re: Postfix/Cyrus Forwarding Question
 
I believe the best way to do this is to use sieve

k
----- "Dennis Putnam" <Dennis.Putnam@...> wrote:

> I'm not sure if this is the right forum for this question but I don't
> know where else to start.
>
> I am running Postfix/Cyrus on the same server that contains user home
> directories. The forwarding mechanism (.forward) is, of course,
> working and I understand it. What I don't understand is how this
> mechanism works, or even if it does, when a user's home directory is
> on a different server than Postfix/Cyrus. In other words when
> Postfix/Cyrus does not have access to the user's home directory. Or is
> there some other delivery mechanism involved that I am missing?
> Thanks.
>
> Can someone explain if this can work and if, so how. If not, what do
> users do in that case?
>
> Thanks.
>
> Dennis Putnam
> Sr. IT Systems Administrator
> AIM Systems, Inc.
> 11675 Rainwater Dr., Suite 200
> Alpharetta, GA  30009
> Phone: 678-240-4112
> Main Phone: 678-297-0700
> FAX: 678-297-2666 or 770-576-1000
> The information contained in this e-mail and any attachments is
> strictly confidential. If you are not the intended recipient, any use,
> dissemination, distribution, or duplication of any part of this e-mail
> or any attachment is prohibited. If you are not the intended
> recipient, please notify the sender by return e-mail and delete all
> copies, including the attachments.

#260239 From: Vahriç Muhtaryan <vahric@...>
Date: Thu Nov 26, 2009 7:04 am
Subject: RE: About SMTP Auth with Mysql
 
Thanks for the answer, I will check mysql proxy

-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...]
On Behalf Of Patrick Ben Koetter
Sent: Wednesday, November 25, 2009 11:06 PM
To: postfix-users@...
Subject: Re: About SMTP Auth with Mysql

Vahriç,

* Vahriç Muhtaryan <vahric@...>:
> You can find out related out below.

thanks for the debug output. Your config looks okay. Your problem is - as I
understand it - you want Cyrus SASL to do something it can't do:

1. If you list more than one host with $sql_hostnames then those hosts will be
    queried in order listed from left to right.
2. The first host in the list that answers will be used. Any other host will
    not be queried.
3. It is not possible to query all hosts at the same time.

So, if you want to query several MySQL servers at the same time, it cannot be
done. All I can think of is moving your data to one SQL server instance.

OTOH maybe you can use mysql-proxy <http://forge.mysql.com/wiki/MySQL_Proxy>,
configure that to transform the query to query both servers and let SASL query
the mysql-proxy.

HTH,

p@rick





--
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15      Phone +49 89 3090 4664
81669 München              Fax +49 89 3090 4666

Munich District Court      Partnership Register PR 563
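
The lookup order described in the reply above, modelled as an added example (not code from the thread or from Cyrus SASL). The host names `db1`/`db2`, the accounts and the passwords are constructed, and the classes are a toy stand-in for the SQL plugin; it shows why an account stored only on the second server cannot authenticate while the first server is up.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class SqlHost:
    """Toy stand-in for one MySQL server listed in sql_hostnames."""
    name: str
    users: dict = field(default_factory=dict)  # email -> stored password
    up: bool = True
    queries: int = 0

    def select_clear(self, email):
        if not self.up:
            raise ConnectionError(f"{self.name} is unreachable")
        self.queries += 1
        return self.users.get(email)  # None means "no such row"


def failover_lookup(hosts, email):
    """Lookup as described in the reply: left to right, the first host that
    answers is used, and an empty result still counts as an answer."""
    for host in hosts:
        try:
            return host.name, host.select_clear(email)
        except ConnectionError:
            continue  # only an unreachable host moves on to the next one
    return None, None


def search_all_lookup(hosts, email):
    """What the poster hoped for: keep asking until some host has the row.
    The reply states that the SQL plugin does NOT do this."""
    for host in hosts:
        try:
            stored = host.select_clear(email)
        except ConnectionError:
            continue
        if stored is not None:
            return host.name, stored
    return None, None


def authenticate(lookup, hosts, email, password):
    """Compare the submitted password with the row the lookup returned."""
    _, stored = lookup(hosts, email)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def build_hosts():
    """Constructed data: each server holds a different part of the accounts."""
    db1 = SqlHost("db1", {"alice@example.org": "alice-secret"})
    db2 = SqlHost("db2", {"bob@example.org": "bob-secret"})
    return db1, db2


def consolidate(hosts):
    """One data set instead of two partial ones, modelled here as the same
    rows on every listed host so the list becomes a real failover pair."""
    merged = {}
    for host in hosts:
        merged.update(host.users)
    for host in hosts:
        host.users = dict(merged)


if __name__ == "__main__":
    db1, db2 = build_hosts()
    hosts = [db1, db2]
    print("bob, split data, db1 up:",
          authenticate(failover_lookup, hosts, "bob@example.org", "bob-secret"))
    print("queries that reached db2:", db2.queries)
    db1.up = False
    print("bob, split data, db1 down:",
          authenticate(failover_lookup, hosts, "bob@example.org", "bob-secret"))
    print("alice, split data, db1 down:",
          authenticate(failover_lookup, hosts, "alice@example.org", "alice-secret"))
    db1.up = True
    consolidate(hosts)
    print("bob, consolidated data, db1 up:",
          authenticate(failover_lookup, hosts, "bob@example.org", "bob-secret"))
```

With split data, which accounts can log in depends on which server happens to be reachable, so an outage of one server changes the set of valid users instead of being invisible.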

#260240 From: Tudod Ki <tudodki88@...>
Date: Thu Nov 26, 2009 9:50 am
Subject: postfix+sasl+dovecot script help!
 
postfix+sasl+dovecot script help!

Hi everybody!

I am trying to get the solution for days now, and I don't know what to do really :S

I just want to write a script that automatically installs postfix and dovecot, and configures sasl authentication for the clients.

I'm here right now [the script!!]:

####################

http://pastebin.ca/1687824

[I have written the reference howto in the script.]

####################

I run it after a fresh Lenny netinstall, on VirtualBox.

If someone knows what I am missing, please help me :\

I can see with "netstat -tulpn" that the server is listening on port 993,955,25.

####################

1.) But: when I want to get the e-mails through imap, with Thunderbird, on another machine, it just waits, and waits, and waits...[and finally it gives this: "Connection to server debian.lan timed out."] :\

logs:
mail.info log: http://pastebin.com/f6c486374
mail.log: http://pastebin.com/f6e60f9b
other logs are empty

####################

2.) When I want to send a message from a testuser to a testuser, with Thunderbird, on the client, it just keeps asking for the password when I want to click send. :S

logs:
mail.info: http://pastebin.com/f1bca774f
mail.log: http://pastebin.com/f5c0be27c
mail.warn: http://pastebin.com/f46806d2f
other logs are empty

####################

Info about the os & softwares [e.g.: "dpkg -l | grep postfix"]: http://pastebin.com/f1d0cefd2

192.168.56.4 is the client
192.168.56.5 is the server
[VirtualBox, Host-Only networking, they can ping each other]

####################

Later I want to use it with Squirrel Mail [plus spam filtering + antivirus], but first, I just want to get it to work :(

Thank you for any help :S [_good_ docs, howtos, solution, or anything please! :S :( ]


#260241 From: Eero Volotinen <eero.volotinen@...>
Date: Thu Nov 26, 2009 10:04 am
Subject: Re: postfix+sasl+dovecot script help!
 
Quoting Tudod Ki <tudodki88@...>:

> postfix+sasl+dovecot script help!
>
> Hi everybody!
>
> I am trying to get the solution for days now, and I don't know what
> to do really :S

See url for postfix+dovecot sasl configuration:

http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

--
Eero

#260242 From: Harakiri <harakiri_23@...>
Date: Thu Nov 26, 2009 1:02 pm
Subject: CMD tool to check if next SMTP hop can use TLS for messages?
 
Hi,

I have a filter which does some things to outgoing mail, now I would like to
check if this mail will possibly be sent using TLS (config is, try TLS if
available, if not just send plain). Is there a tool (except openssl) from
postfix to verify if a message could be sent via TLS to a host? I'd like to save a
status for each message in a log file I already created.

Thanks

#260243 From: Zohan <29e8c6f5@...>
Date: Thu Nov 26, 2009 1:57 pm
Subject: Incoming mail archiving with Postfix
 
Hi,

I need to archive all incoming mail for my virtual domains (by copying mail to
dedicated archive mailbox) and then sort it according to address it has been
delivered to.

One major drawback of existing milter-based solutions, as well as of virtual
aliasing and BCC maps, is that in some cases neither "To:" header nor
envelope-to contain actual recipient address. This can be the case of our local
(virtual) address receiving forwarded mail from outside, or delivery address
being result of address rewrite or alias expansion. In either case, we state
that the actual delivery address is known only since the moment of virtual
transport invocation (right?). In my case pipe(8) to Dovecot LDA is used as
virtual transport.

The question is, how do I organize mail copying simultaneously with virtual
transport invocation (delivery), and how do I pass actual delivery address to
mail archival system? This can be some message header or "plus" address.

Thank you!
Zohan

#260244 From: wietse@... (Wietse Venema)
Date: Thu Nov 26, 2009 2:22 pm
Subject: Re: Incoming mail archiving with Postfix
 
Zohan:
> Hi,
>
> I need to archive all incoming mail for my virtual domains (by
> copying mail to dedicated archive mailbox) and then sort it
> according to address it has been delivered to.

Postfix local/pipe/virtual delivery agents record the delivered
to address in the Delivered-To: header.

> One major drawback of existing milter-based solutions, as well as
> of virtual aliasing and BCC maps, is that in some cases neither
> "To:" header nor envelope-to contain actual recipient address.

Postfix local/pipe/virtual delivery agents record the original
recipient address in the X-Original-To: header.

man 8 local
man 8 pipe
man 8 virtual

	 Wietse

#260245 From: wietse@... (Wietse Venema)
Date: Thu Nov 26, 2009 2:42 pm
Subject: Re: Impact of SSL renegotiation attacks on SMTP mail
 
gmx:
> In-Reply-To-Message-ID:  20091109012901.6D90F1F3EA7@...
>
> Hi Wietse and Victor,
>
> Thank you very much for your analyses
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 .
>
> As a practitioner, the following question arises as we are in a business
> partner context as you describe in
> http://www.porcupine.org/postfix-mirror/smtp-renegotiate.pdf p. 6:
>
> 1) will
>   a) smtpd_tls_ask_ccert,
>   b) smtpd_tls_wrappermode,
>   c) smtpd_use_tls,
>   d) smtpd_enforce_tls
> still work with the new openssl 0.9.8l
> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
> 2) should I upgrade the openssl on the MTA to that version?

They will break if some REMOTE system wants to renegotiate TLS, using
a protocol that is not supported by the LOCAL TLS implementation.

Note that it says: "remote system wants to renegotiate". Postfix
does not request renegotiation, as far as I know.

> 3) on p. 11, you say <<Wietse and Victor concocted detection mechanisms and
> workarounds. Some may even end up in Postfix.>> - will they still be needed
> with the new openssl that disables renegotiation altogether?

These CLIENT-SIDE workarounds detect some attacks when you are
talking to servers with vulnerable SSL implementations.

	 Wietse

#260246 From: /dev/rob0 <rob0@...>
Date: Thu Nov 26, 2009 3:50 pm
Subject: Re: postfix+sasl+dovecot script help!
 
On Thu, Nov 26, 2009 at 01:50:14AM -0800, Tudod Ki wrote:
> postfix+sasl+dovecot script help!
snip
> I run it after a fresh Lenny netinstall, on VirtualBox.
>
> If someone knows, what am I missing, please help me :\

Missing the right forum, for one thing. It seems that you want a
Debian automated install script using Debian-specific tools? You
should be asking in a Debian forum.

> 1.) But: when I want to get the e-mails through imap, ...
[truncated non-wrapped line]

IMAP is not a Postfix issue. But I looked here anyway:
> mail.log: http://pastebin.com/f6e60f9b

And there is no IMAP logging, only Postfix. Why Dovecot is not
logging would be a Dovecot question.

> 2.) When I want to send a message from a testuser to a testuser,
> with Thunderbird, on the client, it just keeps asking for the
> password, when I want click send. :S
>
> logs:
> mail.info: http://pastebin.com/f1bca774f
> mail.log: http://pastebin.com/f5c0be27c

I didn't chase these all down. Not being a Debian user, I'm assuming
that mail.log is mail.* logging, and all it said was that PLAIN and
LOGIN AUTH attempts failed. Again, nothing from Dovecot saying why.
Postfix is merely the middleman between the MUA and the SASL backend,
and when your AUTH fails you have to check the SASL backend. So you
are not yet on topic here.

> Thank you for any help :S [_good_ docs, howtos, solution, or
> anything please! :S :( ]

I know that there is extensive information about Dovecot at the
Dovecot wiki, and they have a very active mailing list of their own.
I'm sure Debian also has extensive information, documentation, and
forums available.
--
     Offlist mail to this address is discarded unless
     "/dev/rob0" or "not-spam" is in Subject: header

#260247 From: Zohan <29e8c6f5@...>
Date: Thu Nov 26, 2009 3:56 pm
Subject: Re[2]: Incoming mail archiving with Postfix
 
Wietse, thank you,

> Postfix local/pipe/virtual delivery agents record the delivered
> to address in the Delivered-To: header

Then, in which way would you recommend to copy such a message to special
archive@mydomain mailbox, retaining Delivered-To: header? (and not replacing it
with "archive@mydomain", to allow further sorting) Is it possible to do it with
Postfix? I guess this can be done with Dovecot LDA + Sieve, by storing
Delivered-To: into some other header and redirecting message to archive mailbox,
but that doesn't seem to be very elegant.

#260248 From: "gmx" <ralfhauser@...>
Date: Thu Nov 26, 2009 4:14 pm
Subject: Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l
 
>> 1) will
>>   a) smtpd_tls_ask_ccert,
>>   b) smtpd_tls_wrappermode,
>>   c) smtpd_use_tls,
>>   d) smtpd_enforce_tls
>> still work with the new openssl 0.9.8l
>> http://marc.info/?l=openssl-users&m=125751806022186&w=2 ?
>> 2) should I upgrade the openssl on the MTA to that version?
>
> They will break if some REMOTE system wants to renegotiate TLS, using
> a protocol that is not supported by the LOCAL TLS implementation.
>
> Note that it says: "remote system wants to renegotiate". Postfix
> does not request renegotiation, as far as I know.
Anybody on the list has practical experience - e.g.
4) with MS-Outlook and
5) Thunderbird directly connecting to postfix or
6) MS-Exchange
7) Any of the usual gateway suspects like IronPort, Borderware, ...
or does any of them regularly attempt TLS renegotiation?

Many thanks for any hints in advance

     Ralf

#260249 From: suomi <postfix@...>
Date: Thu Nov 26, 2009 4:18 pm
Subject: Re: CMD tool to check if next SMTP hop can use TLS for messages?
 
EHLO reply

suomi

On 2009-11-26 14:02, Harakiri wrote:
> Hi,
>
> I have a filter which does some things to outgoing mail, now I would like to
> check if this mail will possibly be sent using TLS (config is, try TLS if
> available, if not just send plain). Is there a tool (except openssl) from
> postfix to verify if a message could be sent via TLS to a host? I'd like to save a
> status for each message in a log file I already created.
>
> Thanks
>
>
>
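
The "EHLO reply" answer above, spelled out as an added example (not code from the thread or from Postfix): the next hop offers TLS when its EHLO reply lists the STARTTLS keyword. The sample replies are constructed, the function names are this example's own, and `probe()` is the only part that touches the network.

```python
import re
import smtplib
import sys

# Constructed EHLO replies (not captured from real servers).
SAMPLE_WITH_TLS = (
    "250-mx.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-AUTH=LOGIN PLAIN\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_WITHOUT_TLS = (
    "250-mx.example.org\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)

_REPLY_LINE = re.compile(r"^(\d{3})([ -]?)(.*)$")


def ehlo_keywords(reply):
    """Return the upper-cased extension keywords of a raw EHLO reply.

    The first line carries the server's greeting, not an extension. A legacy
    line such as "AUTH=LOGIN PLAIN" is reduced to its keyword, "AUTH".
    """
    lines = [line for line in reply.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if match is None or match.group(1) != "250":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        text = match.group(3).strip()
        if index == 0 or not text:
            continue
        keywords.add(re.split(r"[ =]", text, maxsplit=1)[0].upper())
    return keywords


def tls_status(reply):
    """Status string for a per-message log, derived from the EHLO reply."""
    return "tls-offered" if "STARTTLS" in ehlo_keywords(reply) else "plaintext-only"


def probe(host, port=25, timeout=10.0):
    """Live check: also attempts the handshake, because an advertised
    STARTTLS does not guarantee that the TLS negotiation succeeds."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as client:
            client.ehlo()
            if not client.has_extn("starttls"):
                return "plaintext-only"
            try:
                # No certificate verification here, like opportunistic TLS.
                client.starttls()
            except (smtplib.SMTPException, OSError):
                return "tls-offered-handshake-failed"
            return "tls-ok"
    except (smtplib.SMTPException, OSError):
        return "unreachable"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            print(target, probe(target))
    else:
        print("sample with STARTTLS:   ", tls_status(SAMPLE_WITH_TLS))
        print("sample without STARTTLS:", tls_status(SAMPLE_WITHOUT_TLS))
```

A probe is only a prediction for a later delivery, and an on-path attacker can strip the STARTTLS line from a plaintext EHLO reply; what a given delivery actually used is what the Postfix smtp client logs when `smtp_tls_loglevel = 1` is set.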

#260250 From: "Marco Giardini" <m.g@...>
Date: Thu Nov 26, 2009 4:30 pm
Subject: sender check
 

I have a barracuda server that receives mails, filters them and forwards them to a linux system running postfix.

Both machines have a public IP (static).

The linux system is configured to be used as SMTP for sasl authenticated users as well, besides being used as SMTP for the people on $mynetworks (permit_mynetworks in the smtpd_recipient_restrictions).

Unfortunately, some spammers have found it and use it to spam local recipients using the linux machine, thus avoiding being filtered through the barracuda system.

I’m wondering if there is a way to allow ONLY local users or users belonging to the domains hosted by the linux server to use SMTP.

Thanks

 

MG

 


#260251 From: wietse@... (Wietse Venema)
Date: Thu Nov 26, 2009 4:30 pm
Subject: Re: Re[2]: Incoming mail archiving with Postfix
 
Zohan:
> Wietse, thank you,
>
> > Postfix local/pipe/virtual delivery agents record the delivered
> > to address in the Delivered-To: header

That is, the final recipient address after alias processing and
forwarding. All mail that is delivered to the same mailbox has the
same Delivered-To: address.

Postfix local/pipe/virtual delivery agents record the original
recipient in the X-Original-To: header. That is, the recipient
address before alias processing and forwarding.

You can embed the original recipient as an extension to the final
recipient address, if you must insist on using the Delivered-To:
header.

Using pcre-based recipient_bcc_maps:

/^(.+)@([^@]+)$/ archive+$1+$2@...

	 Wietse
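
The rewrite above and its inverse on the archive side, as an added example (not code from the thread or from Postfix). It assumes `+` is the address extension delimiter, uses the placeholder domain `archive.example` because the thread elides the real one, and runs over constructed messages; the function names are this example's own.

```python
import re
from collections import defaultdict
from email import message_from_string

ARCHIVE_DOMAIN = "archive.example"  # placeholder, the real domain is elided
BCC_PATTERN = re.compile(r"^(.+)@([^@]+)$")  # the pattern from the map above


def bcc_address(recipient):
    """Archive address the map entry produces for one recipient."""
    match = BCC_PATTERN.match(recipient)
    if match is None:
        return None
    return f"archive+{match.group(1)}+{match.group(2)}@{ARCHIVE_DOMAIN}"


def original_recipient(archive_address):
    """Recover user@domain from archive+user+domain@ARCHIVE_DOMAIN.

    A domain cannot contain '+', so the LAST '+' in the extension is the
    user/domain boundary even when the user part has its own extension.
    """
    local, _, domain = archive_address.strip().rpartition("@")
    if domain.lower() != ARCHIVE_DOMAIN or not local.startswith("archive+"):
        return None
    user, sep, user_domain = local[len("archive+"):].rpartition("+")
    if not sep or not user or not user_domain:
        return None
    return f"{user}@{user_domain}"


def sort_by_recipient(raw_messages):
    """Group message subjects by the recipient embedded in Delivered-To."""
    folders = defaultdict(list)
    for raw in raw_messages:
        message = message_from_string(raw)
        target = None
        for value in message.get_all("Delivered-To", []):
            target = original_recipient(value)
            if target:
                break
        folders[target or "unsorted"].append(message["Subject"])
    return dict(folders)


def sample_message(delivered_to, subject):
    """Build one constructed archive copy."""
    return f"Delivered-To: {delivered_to}\nSubject: {subject}\n\nbody\n"


# Constructed archive-mailbox contents (not real mail).
SAMPLE_MESSAGES = [
    sample_message(bcc_address("alice@example.com"), "invoice"),
    sample_message(bcc_address("bob+lists@example.org"), "digest"),
    sample_message(bcc_address("alice@example.com"), "reminder"),
    sample_message(f"postmaster@{ARCHIVE_DOMAIN}", "bounce"),
]

if __name__ == "__main__":
    for address in ("alice@example.com", "bob+lists@example.org"):
        print(address, "->", bcc_address(address))
    for folder, subjects in sort_by_recipient(SAMPLE_MESSAGES).items():
        print(folder, subjects)
```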

#260252 From: wietse@... (Wietse Venema)
Date: Thu Nov 26, 2009 5:20 pm
Subject: Re: sender check
 
Marco Giardini:
> I have a barracuda server that receives mails, filters them and forwards to a
> linux system running postfix.
>
> Both machines have a public IP (static).
>
> The linux system is configured to be used as SMTP for sasl authenticated
> users as well, besides being used as SMTP for the people on $mynetworks
> (permit_mynetworks in the smtpd_recipient_restrictions).
>
> Unfortunately, some spammers have found it and use it to spam local recipients
> using the linux machine, thereby avoiding being filtered by the barracuda
> system.
>
> I'm wondering if there is a way to allow ONLY local users or users belonging
> to the domains hosted by the linux server to use SMTP.

To permit only local systems (incl. barracuda box), or users that
have a relationship with your server:

smtpd_recipient_restrictions =
     permit_mynetworks permit_sasl_authenticated reject

	 Wietse

#260253 From: Luis Daniel Lucio Quiroz <luis.daniel.lucio@...>
Date: Thu Nov 26, 2009 5:29 pm
Subject: Altermime breaks with quotes (maybe OT)
luis.daniel.lucio@...
 
I hope altermime author could read this.

Some mail servers send emails with invalid quotes, like this:

To: Complete Name <'user@domain'>

Look at the quotes.  Postfix works okay with that and can deal with it, but altermime
breaks.  I know this is a bug of altermime, but I wonder if there is a way to
work around this with postfix.

TIA

LD

#260254 From: Marco Giardini <m.g@...>
Date: Thu Nov 26, 2009 5:29 pm
Subject: Re: sender check
m.g@...
 
* Wietse Venema <wietse@...> [2009-11-26 12:20:19 -0500]:

> Marco Giardini:
> > I have a barracuda server that receives mails, filters them and forwards to a
> > linux system running postfix.
> >
> > Both machines have a public IP (static).
> >
> > The linux system is configured to be used as SMTP for sasl authenticated
> > users as well, besides being used as SMTP for the people on $mynetworks
> > (permit_mynetworks in the smtpd_recipient_restrictions).
> >
> > Unfortunately, some spammers have found it and use it to spam local recipients
> > using the linux machine, thereby avoiding being filtered by the barracuda
> > system.
> >
> > I'm wondering if there is a way to allow ONLY local users or users belonging
> > to the domains hosted by the linux server to use SMTP.
>
> To permit only local systems (incl. barracuda box), or users that
> have a relationship with your server:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks permit_sasl_authenticated reject
>
>  Wietse

I do use:
smtpd_recipient_restrictions =
         permit_mynetworks
         permit_sasl_authenticated
         reject_unauth_destination

but it seems from the log that spammers still send spam mails to me and
to other local users.
Humm...strange....

mg

#260255 From: John Peach <postfix@...>
Date: Thu Nov 26, 2009 5:32 pm
Subject: Re: sender check
postfix@...
 
On Thu, 26 Nov 2009 18:29:00 +0100
Marco Giardini <m.g@...> wrote:

> * Wietse Venema <wietse@...> [2009-11-26 12:20:19 -0500]:
>
> > Marco Giardini:
> > > I have a barracuda server that receives mails, filters them and forwards
> > > to a linux system running postfix.
> > >
> > > Both machines have a public IP (static).
> > >
> > > The linux system is configured to be used as SMTP for sasl authenticated
> > > users as well, besides being used as SMTP for the people on $mynetworks
> > > (permit_mynetworks in the smtpd_recipient_restrictions).
> > >
> > > Unfortunately, some spammers have found it and use it to spam local
> > > recipients using the linux machine, thereby avoiding being filtered by
> > > the barracuda system.
> > >
> > > I'm wondering if there is a way to allow ONLY local users or users
> > > belonging to the domains hosted by the linux server to use SMTP.
> >
> > To permit only local systems (incl. barracuda box), or users that
> > have a relationship with your server:
> >
> > smtpd_recipient_restrictions =
> >     permit_mynetworks permit_sasl_authenticated reject
> >
> >  Wietse
>
> I do use:
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination
>
> but it seems from the log that spammers still send spam mails to me and
> to other local users.
> Humm...strange....

Not at all; try reading what Wietse wrote.

reject, NOT reject_unauth_destination.

>
> mg
>
>
>


--
John

#260256 From: wietse@... (Wietse Venema)
Date: Thu Nov 26, 2009 5:48 pm
Subject: Re: sender check
wietse@...
 
Marco Giardini:
> * Wietse Venema <wietse@...> [2009-11-26 12:20:19 -0500]:
>
> > Marco Giardini:
> > > I have a barracuda server that receives mails, filters them and forwards
> > > to a linux system running postfix.
> > >
> > > Both machines have a public IP (static).
> > >
> > > The linux system is configured to be used as SMTP for sasl authenticated
> > > users as well, besides being used as SMTP for the people on $mynetworks
> > > (permit_mynetworks in the smtpd_recipient_restrictions).
> > >
> > > Unfortunately, some spammers have found it and use it to spam local
> > > recipients using the linux machine, thereby avoiding being filtered by
> > > the barracuda system.
> > >
> > > I'm wondering if there is a way to allow ONLY local users or users
> > > belonging to the domains hosted by the linux server to use SMTP.
> >
> > To permit only local systems (incl. barracuda box), or users that
> > have a relationship with your server:
> >
> > smtpd_recipient_restrictions =
> >     permit_mynetworks permit_sasl_authenticated reject
> >
> >  Wietse
>
> I do use:
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination

I wrote:

                                            vvvvvv
permit_mynetworks permit_sasl_authenticated reject
                                            ^^^^^^
	 Wietse

#260257 From: Ralf Hildebrandt <Ralf.Hildebrandt@...>
Date: Thu Nov 26, 2009 7:24 pm
Subject: Re: sender check
Ralf.Hildebrandt@...
 
* Marco Giardini <m.g@...>:

> > smtpd_recipient_restrictions =
> >     permit_mynetworks permit_sasl_authenticated reject
> >
> >  Wietse
>
> I do use:
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination
>
> but it seems from the log that spammers still send spam mails to me and
> to other local users.
> Humm...strange....

Not strange. Look at the difference in the two configs.
The solution is right there.

--
Ralf Hildebrandt
   Geschäftsbereich IT | Abteilung Netzwerk
   Charité - Universitätsmedizin Berlin
   Campus Benjamin Franklin
   Hindenburgdamm 30 | D-12203 Berlin
   Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
   ralf.hildebrandt@... | http://www.charite.de
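
The difference the replies in this thread point at, as an added example that is not part of any post: a simplified Python model of how a restriction list is walked, where the first decisive result wins and reaching the end of the list means permit. It models only the four restriction names used in the thread and treats the hosted domains as a fixed set; the networks, domains and sessions are constructed.

```python
import ipaddress

# Constructed values, not taken from the thread.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/28")]   # includes the filtering box
HOSTED_DOMAINS = {"example.org"}                       # domains this server delivers for

def evaluate(restrictions, client_ip, sasl_user, rcpt):
    """Return 'permit' or 'reject' for one RCPT TO; first decisive result wins."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rsplit("@", 1)[1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "permit"
        elif name == "permit_sasl_authenticated":
            if sasl_user is not None:
                return "permit"
        elif name == "reject_unauth_destination":
            # Stops relaying only; mail addressed to hosted domains falls through.
            if rcpt_domain not in HOSTED_DOMAINS:
                return "reject"
        elif name == "reject":
            return "reject"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit"  # end of list reached without a decision

RELAY_ONLY = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
CLOSED = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]

# (label, client IP, SASL login or None, recipient), all constructed
SESSIONS = [
    ("filter box -> local user", "192.0.2.5", None, "alice@example.org"),
    ("authenticated roaming user", "198.51.100.7", "bob", "carol@example.net"),
    ("internet host -> local user", "203.0.113.9", None, "alice@example.org"),
    ("internet host -> relay attempt", "203.0.113.9", None, "victim@example.net"),
]

def compare():
    """Map each session label to (result under RELAY_ONLY, result under CLOSED)."""
    return {label: (evaluate(RELAY_ONLY, ip, user, rcpt), evaluate(CLOSED, ip, user, rcpt))
            for label, ip, user, rcpt in SESSIONS}

if __name__ == "__main__":
    for label, (relay_only, closed) in compare().items():
        print(f"{label:32} {relay_only:7} {closed}")
```

Only the third session changes between the two lists: an unauthenticated host outside $mynetworks writing to a hosted recipient is permitted by the list ending in reject_unauth_destination and refused by the one ending in reject.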

#260258 From: Victor Duchovni <Victor.Duchovni@...>
Date: Thu Nov 26, 2009 8:19 pm
Subject: Re: Impact of SSL renegotiation attacks on SMTP mail - REMOTE system compatibility with openssl 0.9.8l
Victor.Duchovni@...
 
On Thu, Nov 26, 2009 at 04:21:29PM +0100, gmx wrote:

> Anybody on the list has practical experience - e.g.
> 4) with MS-Outlook and
> 5) Thunderbird directly connecting to postfix or
> 6) MS-Exchange
> 7) Any of the usual gateway suspects like IronPort, Borderware, ...
> or does any of them regularly attempt TLS renegotiation?

I would be very surprised to find any SMTP client or server that
initiates a TLS re-negotiation after STARTTLS. It *should* be safe
to disable re-negotiation. This said, my life has not been entirely
without surprises.

--
	 Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo@...?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

#260259 From: Victor Duchovni <Victor.Duchovni@...>
Date: Thu Nov 26, 2009 8:33 pm
Subject: Re: CMD tool to check if next SMTP hop can use TLS for messages?
Victor.Duchovni@...
 
On Thu, Nov 26, 2009 at 05:02:33AM -0800, Harakiri wrote:

> I have a filter which does some things to outgoing mail, now I would
> like to check if this mail will possibly be sent using TLS (config is,
> try TLS if available, if not just send plain).

What will you do differently if the remote server supports STARTTLS?

What will you do if some of the MX hosts for the destination support
STARTTLS and some don't? How much effort do you want to expend to
discover this? What about MX hosts behind load balancers, with only
some supporting TLS (probably a misconfiguration on the remote side,
but not unprecedented).

> Is there a tool (except openssl) from Postfix to verify whether a
> message could be sent via TLS to a host? I like to save a status
> for each message in a log file I already created.

What's wrong with "openssl s_client -starttls smtp -connect host:25"?

I have an unreleased utility to probe the TLS support of remote TLS
servers, but it is NOT intended for use during message delivery or
by content filters. Rather, the purpose is to determine the available
security options for a tls policy entry for the destination.

     - Is TLS available at all
     - What ciphers
     - What certificate issuer(s), subject CN and altNames.

Unfortunately, some code refactoring in the Postfix SMTP client is
needed to make the utility a more organic fit with the Postfix code,
so it is fit for public release.

Even then, using it in the way you seem to propose would be a mistake.
What problem are you actually trying to solve?

--
	 Viktor.
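
The mixed-MX situation raised in this reply, as an added example that is not part of the post and is unrelated to the unreleased utility it mentions: a Python sketch that parses EHLO replies collected ahead of time and reports whether every, some or none of a destination's MX hosts advertise STARTTLS, which is the input needed before writing a TLS policy entry. Host names and replies are constructed.

```python
# Constructed EHLO replies, one per MX host of a hypothetical destination.
CAPTURED = {
    "mx1.example.net": "250-mx1.example.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                       "250-STARTTLS\r\n250 8BITMIME\r\n",
    "mx2.example.net": "250-mx2.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n",
}

def ehlo_keywords(reply):
    """Parse a multi-line 250 EHLO reply into a set of upper-case keywords."""
    keywords = set()
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty EHLO reply")
    for index, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        if index == 0:
            continue  # first line carries the server name, not an extension
        text = line[4:].strip()
        if text:
            keywords.add(text.split()[0].upper())  # keywords are case-insensitive
    return keywords

def classify(replies_by_mx):
    """Return ('all' | 'mixed' | 'none', sorted hosts that do not offer STARTTLS)."""
    if not replies_by_mx:
        raise ValueError("no MX replies supplied")
    offering, lacking = [], []
    for host, reply in sorted(replies_by_mx.items()):
        (offering if "STARTTLS" in ehlo_keywords(reply) else lacking).append(host)
    if not lacking:
        verdict = "all"
    elif not offering:
        verdict = "none"
    else:
        verdict = "mixed"
    return verdict, lacking

if __name__ == "__main__":
    verdict, lacking = classify(CAPTURED)
    print(verdict, lacking)
```

An advertised STARTTLS keyword shows only that the server offers it; whether the handshake succeeds, and with which ciphers and certificate, still needs a check such as the openssl s_client command quoted above.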
