postfix-users

#279638 From: "J. Bakshi" <joydeep@...>
Date: Fri Sep 2, 2011 1:55 pm
Subject: Re: postfix+mailman - User unknown in virtual mailbox table
 
On Fri, 2 Sep 2011 09:45:53 -0400 (EDT)
Wietse Venema <wietse@...> wrote:

> J. Bakshi:
> > On Fri, 2 Sep 2011 09:22:44 -0400 (EDT)
> > Wietse Venema <wietse@...> wrote:
> >
> > > J. Bakshi:
> > > > > > Command died with status 2:
> > > > > >     "/usr/lib/mailman/mail/mailman request typo3". Command output: Failure to
> > > > > >     exec script. WANTED gid 67, GOT gid 65533.
> > > > > > ```````````
> > > > > >
> > > > > > gid 67 is mailman group where 65533 is nobody. Don't know why it is
> > > > > > getting nobody...
> > > > >
> > > > > You failed to set the ownership of /var/lib/mailman/data/aliases
> > > > > and /var/lib/mailman/data/aliases.db.
> > > > >
> > > > > I suppose this would be mentioned in the mailman instructions.
> > > > >
> > > > >  Wietse
> > > >
> > > > I have not found any such instruction in suse mailman manual.
> > > > Checked the ownership and found they are set to mailman group
> > > > already
> > > >
> > > > -rw-rw-r-- 1 mailman mailman 12288 Sep  2 11:07 /var/lib/mailman/data/aliases.db
> > > >
> > > > -rw-rw---- 1 root mailman 1865 Sep  2 11:07 /var/lib/mailman/data/aliases
> > >
> > > You must set the OWNER to mailman, not the GROUP.
> > >
> > > Then, Postfix will use the mailman group ID in the PASSWORD file.
> > > Postfix will not use the mailman group ID in the GROUP file.
> > >
> > >  Wietse
> >
> > OK, now I have the following
> >
> > -rw-rw---- 1 mailman root 1865 Sep  2 11:07 /var/lib/mailman/data/aliases
> >
> > but still the same error :-(  Also tried with mailman:mailman but no luck..
>
> I told you to set the ownership of TWO FILES.
>
> Since you are following SUSE instructions, I suggest that you ask
> them for help instead.
>
>  Wietse

The other one i.e.

/var/lib/mailman/data/aliases.db

already has mailman as owner...
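
The ownership rule stated in Wietse's replies quoted above, as an added example that is not part of any poster's message: the script predicts the gid an alias pipe command runs with from the alias file's owner and that owner's passwd entry, ignoring the file's group. The function names are made up for this example; the paths and gid 67 are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Predicts the gid that an alias
# "|command" delivery runs with: the primary gid in the passwd entry of the
# alias file's OWNER. The file's group is never consulted.

# file_owner_uid FILE -> numeric uid of the file's owner
file_owner_uid() { ls -ldn -- "$1" | awk '{ print $3 }'; }

# gid_by_uid UID PASSWD / gid_by_name NAME PASSWD -> primary gid (field 4)
gid_by_uid()  { awk -F: -v k="$1" '$3 == k { print $4; exit }' "$2"; }
gid_by_name() { awk -F: -v k="$1" '$1 == k { print $4; exit }' "$2"; }

# predicted_gid FILE PASSWD [DEFAULT_PRIVS_USER]
# A root-owned alias file makes Postfix fall back to default_privs
# (default "nobody"), which is how a "nobody" gid shows up in the error.
predicted_gid() {
    uid=$(file_owner_uid "$1")
    if [ "$uid" -eq 0 ]; then
        gid_by_name "${3:-nobody}" "$2"
    else
        gid_by_uid "$uid" "$2"
    fi
}

# check_alias_file FILE WANTED_GID PASSWD -> one verdict line
check_alias_file() {
    got=$(predicted_gid "$1" "$3")
    if [ "$got" = "$2" ]; then
        echo "OK $1: commands run with gid $got"
    else
        echo "MISMATCH $1: WANTED gid $2, GOT gid ${got:-unknown}"
    fi
}

# Paths and gid 67 are the ones quoted in the thread; files that do not
# exist on this host are skipped.
for f in /var/lib/mailman/data/aliases /var/lib/mailman/data/aliases.db; do
    if [ -e "$f" ]; then check_alias_file "$f" 67 /etc/passwd; fi
done
```

On hosts with NIS or LDAP accounts, save `getent passwd` output to a file and pass that instead of /etc/passwd.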

#279639 From: "J. Bakshi" <joydeep@...>
Date: Fri Sep 2, 2011 2:00 pm
Subject: Re: postfix+mailman - User unknown in virtual mailbox table
 
On Fri, 02 Sep 2011 15:54:51 +0200
Reindl Harald <h.reindl@...> wrote:

>
>
> On 02.09.2011 15:22, Wietse Venema wrote:
> >> I have not found any such instruction in suse mailman manual.
> >> Checked the ownership and found they are set to mailman group
> >> already
> >>
> >> -rw-rw-r-- 1 mailman mailman 12288 Sep  2 11:07 /var/lib/mailman/data/aliases.db
> >>
> >> -rw-rw---- 1 root mailman 1865 Sep  2 11:07 /var/lib/mailman/data/aliases
> >
> > You must set the OWNER to mailman, not the GROUP.
> >
> > Then, Postfix will use the mailman group ID in the PASSWORD file.
> > Postfix will not use the mailman group ID in the GROUP file
>
> you did not notice that "/var/lib/mailman/data/aliases.db" is the relevant file
> and has the owner "mailman", "/var/lib/mailman/data/aliases" is the unhashed
>
>
That file too has the owner as mailman

-rw-rw-r-- 1 mailman mailman 12288 Sep  2 11:07 /var/lib/mailman/data/aliases.db

#279640 From: Reindl Harald <h.reindl@...>
Date: Fri Sep 2, 2011 2:23 pm
Subject: Re: postfix+mailman - User unknown in virtual mailbox table
 
On 02.09.2011 16:00, J. Bakshi wrote:
> On Fri, 02 Sep 2011 15:54:51 +0200
> Reindl Harald <h.reindl@...> wrote:
>
>>
>> On 02.09.2011 15:22, Wietse Venema wrote:
>>>> I have not found any such instruction in suse mailman manual.
>>>> Checked the ownership and found they are set to mailman group
>>>> already
>>>>
>>>> -rw-rw-r-- 1 mailman mailman 12288 Sep  2 11:07 /var/lib/mailman/data/aliases.db
>>>>
>>>> -rw-rw---- 1 root mailman 1865 Sep  2 11:07 /var/lib/mailman/data/aliases
>>>
>>> You must set the OWNER to mailman, not the GROUP.
>>>
>>> Then, Postfix will use the mailman group ID in the PASSWORD file.
>>> Postfix will not use the mailman group ID in the GROUP file
>>
>> you did not notice that "/var/lib/mailman/data/aliases.db" is the relevant file
>> and has the owner "mailman", "/var/lib/mailman/data/aliases" is the unhashed
>>
>>
> That file too have the owner as mailman
>
> -rw-rw-r-- 1 mailman mailman 12288 Sep  2 11:07 /var/lib/mailman/data/aliases.db

i know and that is why i answered Wietse and not to you

#279641 From: "Amira Othman" <a.othman@...>
Date: Fri Sep 2, 2011 3:25 pm
Subject: mail list

Hi all

I want to send mail to all users I have on my mail server. I tried aliases but I failed to send mail. I am using virtual domains and I want to send to virtual users. Can anyone help me?

First, when I didn't add a mailbox in my virtual mailbox file I got

relay=virtual, delay=0.55, delays=0.47/0.04/0/0.03, dsn=5.1.1, status=bounced (unknown user: "team@..."

then when I added a mailbox for the list, mail was delivered to the mailbox, not to the mail list members, although I added them in /etc/aliases

Regards


#279642 From: Jerry <postfix-user@...>
Date: Fri Sep 2, 2011 3:43 pm
Subject: Re: mail list
 
On Fri, 2 Sep 2011 17:25:12 +0200
Amira Othman articulated:

> I want send mail to all users I have on my mail server I tried
> aliases but I failed to send mail. I am using virtual domains and i
> want to send to virtual users any one can help me?
>
> First when I didn't add mail box in my virtual mail box file I got
>
> relay=virtual, delay=0.55, delays=0.47/0.04/0/0.03, dsn=5.1.1,
> status=bounced (unknown user: "team@..."
>
> then when I added mail box for the list I have mail delivered to mail
> box not to mail list members although I added them in /etc/aliases

First, lose the HTML posting format. Plain ASCII is preferred.

Second, start here: <http://www.postfix.com/DEBUG_README.html>

"Reporting problems to postfix-users@..."

Output from "postconf -n". Please do not send your main.cf file, or
500+ lines of postconf output.

Better, provide output from the postfinger tool. This can be found at
http://ftp.wl0.org/SOURCES/postfinger.

If the problem is SASL related, consider including the output from the
saslfinger tool. This can be found at
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

--
Jerry ✌
postfix-user@...
_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

#279643 From: "Amira Othman" <a.othman@...>
Date: Fri Sep 2, 2011 3:53 pm
Subject: RE: mail list
 
Output of postconf  -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
disable_dns_lookups = yes
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname,
$alias_maps,$virtual_mailbox_maps
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = localhost
mydomain = myserver.com
myhostname = mail.mysever.com
mynetworks = 192.168.56.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
relay_domains =
setgid_group = postdrop
smtp_host_lookup = native
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:501
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = myserver.com,tech-vm.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 500
virtual_transport = virtual
virtual_uid_maps = static:501

-----Original Message-----
From: owner-postfix-users@... [mailto:owner-postfix-users@...]
On Behalf Of Jerry
Sent: Friday, September 02, 2011 5:44 PM
To: postfix-users@...
Subject: Re: mail list

On Fri, 2 Sep 2011 17:25:12 +0200
Amira Othman articulated:

> I want send mail to all users I have on my mail server I tried
> aliases but I failed to send mail. I am using virtual domains and i
> want to send to virtual users any one can help me?
>
> First when I didn't add mail box in my virtual mail box file I got
>
> relay=virtual, delay=0.55, delays=0.47/0.04/0/0.03, dsn=5.1.1,
> status=bounced (unknown user: "team@..."
>
> then when I added mail box for the list I have mail delivered to mail
> box not to mail list members although I added them in /etc/aliases

First, lose the HTML posting format. Plain ASCII is preferred.

Second, start here: <http://www.postfix.com/DEBUG_README.html>

"Reporting problems to postfix-users@..."

Output from "postconf -n". Please do not send your main.cf file, or
500+ lines of postconf output.

Better, provide output from the postfinger tool. This can be found at
http://ftp.wl0.org/SOURCES/postfinger.

If the problem is SASL related, consider including the output from the
saslfinger tool. This can be found at
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

--
Jerry ✌
postfix-user@...

#279644 From: Brian Evans - Postfix List <grknight@...>
Date: Fri Sep 2, 2011 4:12 pm
Subject: Re: mail list
 
On 9/2/2011 11:53 AM, Amira Othman wrote:
> Output of postconf  -n
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
[cut]
> mydestination = localhost
[cut]
> relay_domains =
[cut]
> virtual_alias_maps = hash:/etc/postfix/virtual
> virtual_gid_maps = static:501
> virtual_mailbox_base = /home/vmail/
> virtual_mailbox_domains = myserver.com,tech-vm.com
> virtual_mailbox_maps = hash:/etc/postfix/vmailbox

alias_maps affects locations in mydestination when delivered by local(8)
virtual_alias_maps is global and affects virtual and local users.

Do NOT put them in alias_maps for virtual users instead use your current
virtual alias map.
Or, add an additional map for ease of administration.
Please remember, virtual alias maps are recursive.

Brian

> -----Original Message-----
> From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Jerry
> Sent: Friday, September 02, 2011 5:44 PM
> To: postfix-users@...
> Subject: Re: mail list
>
> On Fri, 2 Sep 2011 17:25:12 +0200
> Amira Othman articulated:
>
>> I want send mail to all users I have on my mail server I tried
>> aliases but I failed to send mail. I am using virtual domains and i
>> want to send to virtual users any one can help me?
>>
>> First when I didn't add mail box in my virtual mail box file I got
>>
>> relay=virtual, delay=0.55, delays=0.47/0.04/0/0.03, dsn=5.1.1,
>> status=bounced (unknown user: "team@..."
>>
>> then when I added mail box for the list I have mail delivered to mail
>> box not to mail list members although I added them in /etc/aliases
>

#279645 From: Michael B Allen <ioplex@...>
Date: Fri Sep 2, 2011 4:28 pm
Subject: Disabling SSLv2 does not work as expected
 
Hello,

I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
I do the following:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high

but despite the fact that this configuration has been posted and
reposted about the WWW, it does not actually work. I can still
negotiate SSLv2:

$ openssl s_client -connect xxxx.xxxxxxx.xxx:25 -starttls smtp -ssl2

If I add smtpd_tls_security_level = encrypt it then works but then
plaintext clients cannot connect and it is very unfortunate to find
that real customers still use agents that create plaintext
connections.

Of course I know what someone is going to say: Why disable SSLv2 if
clients can connect using plaintext? The reason is because of
something called PCI DSS which is a security standard for the credit
card processing industry. If you want to process credit card numbers
on your server without being extra liable for exposing them to bad
guys, you have to pass PCI compliance and the vulnerability companies
that scan servers for compliance mindlessly flag anything that does
SSLv2 as bad (it is mindless because of course they cannot flag
accepting plaintext connections as bad because then the server could
not accept a significant amount of email and if customers cannot pass
their vulnerability scan they will not purchase their service).

So, is there any way to disable SSLv2 without requiring encryption?

Mike

#279646 From: Brian Evans - Postfix List <grknight@...>
Date: Fri Sep 2, 2011 4:38 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
On 9/2/2011 12:28 PM, Michael B Allen wrote:
> Hello,
>
> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
> I do the following:
>
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_mandatory_ciphers = medium, high
>
> but despite the fact that this configuration has been posted and
> reposted about the WWW, it does not actually work. I can still
> negotiate SSLv2:
>
> $ openssl s_client -connect xxxx.xxxxxxx.xxx:25 -starttls smtp -ssl2
>
> If I add smtpd_tls_security_level = encrypt it then works but then
> plaintext clients cannot connect and it is very unfortunate to find
> that real customers still use agents that create plaintext
> connections.
>
Please read the documentation:
http://www.postfix.org/postconf.5.html#smtpd_tls_protocols  -- this one
is for opportunistic i.e. "may" and requires Postfix 2.6 or later.
http://www.postfix.org/postconf.5.html#smtpd_mandatory_tls_protocols --
this one is for mandatory i.e. "encrypt"

Brian

#279647 From: Wietse Venema <wietse@...>
Date: Fri Sep 2, 2011 4:41 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
Michael B Allen:
> Hello,
>
> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
> I do the following:
>
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_mandatory_ciphers = medium, high

This is for mandatory TLS.

> If I add smtpd_tls_security_level = encrypt it then works but then

You are using opportunistic TLS instead of mandatory TLS. As
documented, that is controlled with smtpd_tls_protocols/ciphers.

	 Wietse
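
A check for the mismatch described in this thread, added here as an example and not taken from any poster's message: it reads `postconf -n` style output, works out whether smtpd runs opportunistic or mandatory TLS, and reports which protocol parameter actually governs SSLv2. The two sample configurations are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Input: "name = value" lines on stdin.

# get_param NAME CONF -> value of NAME, empty if unset
get_param() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]/ { next }                     # continuation of a wrapped value
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == name) found = val }
        END { print found }'
}

# effective_level CONF -> none | may | encrypt
# smtpd_tls_security_level wins; the legacy switches count only when it is unset.
effective_level() {
    level=$(get_param smtpd_tls_security_level "$1")
    if [ -z "$level" ]; then
        if [ "$(get_param smtpd_enforce_tls "$1")" = yes ]; then level=encrypt
        elif [ "$(get_param smtpd_use_tls "$1")" = yes ]; then level=may
        else level=none
        fi
    fi
    printf '%s\n' "$level"
}

# sslv2_allowed LIST -> exit 0 if the protocol list still permits SSLv2
sslv2_allowed() {
    tokens=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ',:' '  ')
    has_include=no; includes_v2=no
    for t in $tokens; do
        case $t in
            '!sslv2') return 1 ;;             # explicit exclusion
            '!'*)     ;;                      # some other exclusion
            sslv2)    has_include=yes; includes_v2=yes ;;
            *)        has_include=yes ;;      # include list, e.g. "SSLv3, TLSv1"
        esac
    done
    # An include list permits only what it names; exclusions alone permit the rest.
    [ "$has_include" = no ] || [ "$includes_v2" = yes ]
}

# audit_tls_protocols < postconf-output -> one verdict line
audit_tls_protocols() {
    conf=$(cat)
    level=$(effective_level "$conf")
    mand=$(get_param smtpd_tls_mandatory_protocols "$conf")
    opp=$(get_param smtpd_tls_protocols "$conf")
    case $level in
        none) echo "none: STARTTLS is not offered" ;;
        encrypt)
            if [ -z "$mand" ]; then
                echo "encrypt: smtpd_tls_mandatory_protocols unset, version default applies"
            elif sslv2_allowed "$mand"; then
                echo "encrypt: SSLv2 allowed by smtpd_tls_mandatory_protocols"
            else
                echo "encrypt: SSLv2 excluded by smtpd_tls_mandatory_protocols"
            fi ;;
        may)
            if [ -n "$opp" ]; then
                if sslv2_allowed "$opp"; then
                    echo "may: SSLv2 allowed by smtpd_tls_protocols"
                else
                    echo "may: SSLv2 excluded by smtpd_tls_protocols (needs Postfix 2.6 or later)"
                fi
            elif [ -n "$mand" ]; then
                echo "may: MISMATCH, smtpd_tls_mandatory_protocols is set but only applies at level encrypt"
            else
                echo "may: smtpd_tls_protocols unset, version default applies"
            fi ;;
        *) echo "unhandled level: $level" ;;
    esac
}

# Constructed samples: the setup described in the question, then the
# opportunistic-TLS parameter the replies point to.
sample_before() {
    printf '%s\n' 'smtpd_use_tls = yes' \
        'smtpd_tls_mandatory_protocols = SSLv3, TLSv1' \
        'smtpd_tls_mandatory_ciphers = medium, high'
}
sample_after() {
    printf '%s\n' 'smtpd_tls_security_level = may' 'smtpd_tls_protocols = !SSLv2'
}

sample_before | audit_tls_protocols
sample_after  | audit_tls_protocols
```

On a live server, run it as `postconf -n | audit_tls_protocols`.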

#279648 From: Michael B Allen <ioplex@...>
Date: Fri Sep 2, 2011 5:25 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
On Fri, Sep 2, 2011 at 12:41 PM, Wietse Venema <wietse@...> wrote:
> Michael B Allen:
>> Hello,
>>
>> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
>> I do the following:
>>
>> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>> smtpd_tls_mandatory_ciphers = medium, high
>
> This is for mandatory TLS.
>
>> If I add smtpd_tls_security_level = encrypt it then works but then
>
> You are using opportunistic TLS instead of mandatory TLS. As
> documented, that is controlled with smtpd_tls_protocols/ciphers.

Hi Wietse,

But it seems the smtpd_tls_protocols/ciphers directives are specific to 2.6?

Is there any way to disable SSLv2 in postfix 2.3?

I have to stick to the CentOS package so that I get updates.

Mike

#279649 From: Brian Evans - Postfix List <grknight@...>
Date: Fri Sep 2, 2011 5:49 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
On 9/2/2011 1:25 PM, Michael B Allen wrote:
> Hi Wietse,
>
> But it seems the smtpd_tls_protocols/ciphers directives are specific to 2.6?
>
> Is there any way to disable SSLv2 in postfix 2.3?
>
> I have to stick to the CentOS package so that I get updates.

There are alternative packages to the CentOS 5 version.
They have been discussed many times on this list.

Alternatively, if you must stay with pure CentOS, version 6 includes
Postfix 2.6.6 (http://distrowatch.com/table.php?distribution=centos).

Version 2.3.x (and 2.4.x) has expired in support for development updates.

If you need a new feature, there are few choices except to move forward.

Brian

#279650 From: Wietse Venema <wietse@...>
Date: Fri Sep 2, 2011 5:51 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
Michael B Allen:
> On Fri, Sep 2, 2011 at 12:41 PM, Wietse Venema <wietse@...> wrote:
> > Michael B Allen:
> >> Hello,
> >>
> >> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
> >> I do the following:
> >>
> >> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> >> smtpd_tls_mandatory_ciphers = medium, high
> >
> > This is for mandatory TLS.
> >
> >> If I add smtpd_tls_security_level = encrypt it then works but then
> >
> > You are using opportunistic TLS instead of mandatory TLS. As
> > documented, that is controlled with smtpd_tls_protocols/ciphers.
>
> Hi Wietse,
>
> But it seems the smtpd_tls_protocols/ciphers directives are specific to 2.6?
>
> Is there any way to disable SSLv2 in postfix 2.3?

If you use opportunistic TLS then you are willing to accept plaintext,
i.e. no security. Under those conditions, it does not matter what
cipher or crypto protocol the client uses.

BTW, Postfix 2.3 was developed in 2005, released in 2006, and support
was terminated in 2009.

	 Wietse

#279651 From: Michael B Allen <ioplex@...>
Date: Fri Sep 2, 2011 7:17 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
On Fri, Sep 2, 2011 at 1:51 PM, Wietse Venema <wietse@...> wrote:
> Michael B Allen:
>> On Fri, Sep 2, 2011 at 12:41 PM, Wietse Venema <wietse@...> wrote:
>> > Michael B Allen:
>> >> Hello,
>> >>
>> >> I am using postfix 2.3 on CentOS and I would like to disable SSLv2. If
>> >> I do the following:
>> >>
>> >> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>> >> smtpd_tls_mandatory_ciphers = medium, high
>> >
>> > This is for mandatory TLS.
>> >
>> >> If I add smtpd_tls_security_level = encrypt it then works but then
>> >
>> > You are using opportunistic TLS instead of mandatory TLS. As
>> > documented, that is controlled with smtpd_tls_protocols/ciphers.
>>
>> Hi Wietse,
>>
>> But it seems the smtpd_tls_protocols/ciphers directives are specific to 2.6?
>>
>> Is there any way to disable SSLv2 in postfix 2.3?
>
> If you use opportunistic TLS then you are willing to accept plaintext,
> i.e. no security. Under those conditions, it does not matter what
> cipher or crypto protocol the client uses.

Hi Wietse,

My objectives are not driven by or based on logic. They are based on
the requirements of a consortium of credit card companies and banks.

I will look at alternative packages for CentOS. Or maybe I will have
to move to CentOS 6.

> BTW, Postfix 2.3 was developed in 2005, released in 2006, and support
> was terminated in 2009.

This is off-topic but you may know that CentOS (which is RedHat
repackaged without the branding) backports all fixes. Meaning an issue
identified in 2.6 would be addressed as a patch in their 2.3 package
(if necessary). So they do not solely rely on upstream support. They
are going for stability and longevity. That is why I use CentOS /
RedHat and I suspect that is why you continue to get this question on
the list. Unlike most Linux distributions, they continue to update
packages for 4 years or so because that is about how long it takes for
hardware to become obsolete or breakdown. Some very popular
distributions like Ubuntu and Fedora almost always stop updating after
only a year or so. This is one reason why I believe that Linux is not
going to gain market share over other operating systems.

Mike

#279652 From: Selcuk Yazar <selcuk.yazar@...>
Date: Fri Sep 2, 2011 7:24 pm
Subject: Re: header_checks and ldap aliases
 
Thanks it works! with protected_destinations and insider settings

selçuk

On Thu, Sep 1, 2011 at 7:36 PM, Noel Jones <njones@...> wrote:
> On 9/1/2011 9:53 AM, Selcuk Yazar wrote:
> > Hi,
> >
> > We have ldap aliases. in main.cf
> > virtual_alias_maps : ldap:aliases, ldap:accountsmap setting.
> >
> > i want to create a control for these aliases that sent mail only
> > internal with using header_checks. but header_checks restriction
> > doesn't work with above settings.
>
> header_checks are the wrong tool for the job.  To protect a mail
> alias, see this example:
> http://www.postfix.org/RESTRICTION_CLASS_README.html#internal
>
>  -- Noel Jones



--
Selçuk YAZAR
http://www.selcukyazar.blogspot.com

#279653 From: Wietse Venema <wietse@...>
Date: Fri Sep 2, 2011 8:49 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
Michael B Allen:
> > BTW, Postfix 2.3 was developed in 2005, released in 2006, and support
> > was terminated in 2009.
>
> This is off-topic but you may know that CentOS (which is RedHat
> repackaged without the branding) backports all fixes. Meaning an issue
> identified in 2.6 would be addressed as a patch in their 2.3 package
> (if necessary). So they do not solely rely on upstream support. They
> are going for stability and longevity. That is why I use CentOS /
> RedHat and I suspect that is why you continue to get this question on
> the list. Unlike most Linux distributions, they continue to update
> packages for 4 years or so because that is about how long it takes for
> hardware to become obsolete or breakdown. Some very popular
> distributions like Ubuntu and Fedora almost always stop updating after
> only a year or so. This is one reason why I believe that Linux is not
> going to gain market share over other operating systems.

I already provide routine updates for four stable Postfix releases,
so there really is no need to fall behind so much like RedHat does.

	 Wietse

#279654 From: lupin5th@...
Date: Fri Sep 2, 2011 9:15 pm
Subject: questions regarding postfix-migration
 
Hello, List!

OK, I'm trying to migrate from a (really very, very) old mailserver to a
new one, and besides the fact that the old one has options that do not
even exist anymore, at all, the new setup is a bit different from the
current one.
so if anyone could look over this, and tell me if anything is horribly
wrong, I'd really appreciate it. Because, of course, this is a live
system, with no backup worth mentioning and it's just about 550 users,
and this is my first try at something of that scale =) (also, the old
server is something i ...inherited, so to speak, of course without a docu..)

ok, the plan goes like:
two servers, one called cleany from here on, the other maily.
cleany is the one who gets the mails from the internet, cleans them via
greylists, checks if the recipient address exists, etc and then sends
them to maily.
at maily, postfix only takes mails that come from cleany and delivers
them to the mailboxes. maily is the target for any action coming from
the clients, be it reading via IMAP or sending mail.
Any mails that are written, postfix checks if the recipient is another
of its clients, and if not, then it sends the mail to cleany.
cleany then checks, if everything is ok with this mail and throws it
into the internet.

I poked through some of the howtos and docus, and it seemed a good idea
to use multiple instances of postfix on cleany, while maily seems
peaceful enough to keep it normal. so this is what i came up with,
please tell me if something is wrong or if i left out something that's
supposed to be there =)
also, there were some options I'm really unsure about, those are
commented out, together with the question.

  I) on cleany:
1) the default-instance of postfix is supposed to only deliver locally
generated mail to itself:
myhostname = cleany
mydestination = localhost.localdomain, localhost, cleany, cleany.mydomain.org
relayhost =
mynetworks = 127.0.0.1
mynetworks_style = host
recipient_delimiter = +
inet_interfaces = loopback-only
default_transport = error: Local delivery only!
multi_instance_wrapper = ${command_directory}/postmulti -p --
multi_instance_enable = yes
multi_instance_directories = /etc/postfix-out, /etc/postfix-in

2) postfix-out should accept only mails from maily, check if they are ok
and send them off into the internet:
mydomain = mydomain.org
myorigin = $mydomain
mydestination =
# mydestination = nothing, because the mydestination parameter specifies
# what domains this machine will deliver locally, instead of forwarding
# to another machine, and it should deliver everything into the internet
mynetworks = 127.0.0.0/8 maily.mydomain.org (or it´s ip? whats better?)
relay_domains = all
# (because it should relay/send to anywhere in the internet?
relayhost =
#empty, because it´s the sender already..
proxy_interfaces = gatewayIP
# is this needed for sending or receiving or both?
myhostname = cleany.mydomain.org
inet_interfaces = cleanysIP, 127.0.0.1 (or all? *confused*)
content_filter = smtp:cleanyIP:10024 or smtp:127.0.0.1:1024 ?
# does it matter?
# mime_header_checks, header_checks and body_checks will
# be copied from the old server, same as smtpd_tls_key_file,
# ..cert_file und ..CAfile. Do the have to be in all instances on
# all servers?
message_size_limit = 20480000
strict_rfc821_envelopes = no
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
	 reject_non_fqdn_sender,
	 reject_non_fqdn_recipient,
	 reject_unknown_sender_domain,
	 reject_unknown_recipient_domain,
	 permit_mynetworks
	 reject_unverified_recipient,
	 permit


3) postfix-in should receive mails from the internet, clean it and send
the valid mails to maily:
mydomain = mydomain.org
myorigin = $mydomain
mydestination =
# empty, because it should relay everything to maily?
mynetworks = 127.0.0.0/8
relay_domains = $mydomain
relayhost = maily.mydomain.org (or it´s IP? same diff?)
proxy_interfaces = gatewayIP (again: needed?)
myhostname = cleany.mydomain.org
inet_interfaces = cleanysIP, 127.0.0.1
# or should i leave it at "all"?
virtual_alias_maps = <mysql-query that delivers the account/user-name>
# should be ok, if everything received and cleaned gets relayed to maily?
virtual_alias_domains = <delivers only one domain, and the one adress
using it is also listed in virtual_alias_maps, so it can be left out?>
content_filter = smtp:cleanysIP:10024 or smtp:127.0.0.1:10024 ?
# again: is there a difference?
# again copy body_checks, header_checks and mime_header_checks
# from the old server, same question for the tls-key/cert/CA
message_size_limit = 20480000
strict_rfc821_envelopes = no
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
	 reject_non_fqdn_sender,
	 reject_non_fqdn_recipient,
	 reject_unknown_sender_domain,
	 reject_unknown_recipient_domain,
	 reject_rbl_client zen.spamhaus.org
	 reject_rbl_client ix.dnsbl.manitu.net
	 reject_rbl_client bl.spamcop.net
	 reject_rbl_client dnsbl.njabl.org
	 reject_rbl_client inputs.relays.osirusoft.com
	 reject_rbl_client dialups.relays.osirusoft.com
	 reject_rbl_client spews.relays.osirusoft.com
	 reject_rhsbl_sender dsn.rfc-ignorant.org
	 check_policy_service inet:127.0.0.1:10023
	 reject_unverified_recipient,
	 permit_mx_backup
	 reject_unauth_destination
	 permit


  II) maily should accept only from cleany and the clients, check if
mails it handles are in the mysql-db and if they aren´t, send them to
cleany:
mydomain = mydomain.org
myorigin = $mydomain
mydestination = $mydomain, $myhostname, localhost localhost.$mydomain
# maybe some alias-thingy for the other domain mentioned above?
mynetworks = 192.168.10.0/24, 127.0.0.0/8
relay_domains = all ?
relayhost = cleany.mydomain.org (or it´s IP)
myhostname = maily.mydomain.org
inet_interfaces = mailysIP? 127.0.0.1? all?
virtual_alias_maps =
# not needed if cleany delivers them already changed to the
# account/user-name?
virtual_alias_domains =
# not needed?
masquerade_domains = $mydomain
unknown_local_recipient_reject_code = 550
mailbox_size_limit = 0
message_size_limit = 20480000
alias_maps = <copy the old contents?>
# unfortunately i have no clue if they are relevant or used, and is
# there a way to find out what´s stored in e.g. hash:/etc/aliases?
# then i might be able to find out...^^;
# same problem/question for canonical_maps, relocated_maps
# transport_maps and sender_canonical_maps.
# smtpd_tls_key_file, cert_file and CAfile copied here as well?

whew..if you read all the way to here: thank you already for that, any
hints and answers will be greatly appreciated.

best regards
silvana

#279655 From: Stan Hoeppner <stan@...>
Date: Fri Sep 2, 2011 9:41 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
On 9/2/2011 3:49 PM, Wietse Venema wrote:
> Michael B Allen:
>>> BTW, Postfix 2.3 was developed in 2005, released in 2006, and support
>>> was terminated in 2009.
>>
>> This is off-topic but you may know that CentOS (which is RedHat
>> repackaged without the branding) backports all fixes. Meaning an issue
>> identified in 2.6 would be addressed as a patch in their 2.3 package
>> (if necessary). So they do not solely rely on upstream support. They
>> are going for stability and longevity. That is why I use CentOS /
>> RedHat and I suspect that is why you continue to get this question on
>> the list. Unlike most Linux distributions, they continue to update
>> packages for 4 years or so because that is about how long it takes for
>> hardware to become obsolete or breakdown. Some very popular
>> distributions like Ubuntu and Fedora almost always stop updating after
>> only a year or so. This is one reason why I believe that Linux is not
>> going to gain market share over other operating systems.
>
> I already provide routine updates for four stable Postfix releases,
> so there really is no need to fall behind so much like RedHat does.

Red Hat is a commercial distro.  They will always do things differently,
things that seem strange and sometimes simply stupid to the rest of us.
   Which is one of the many reasons I don't use a commercial distro.  Red
Hat cherry picks patches from up and down the kernel source tree and
backports them, all the way from 2.6.30 to 3.1 rc1.  Many such kernel
patches are contributed by RH.  I don't know if they do this with
applications, but it stands to reason that they would, given what they
do with the kernel.

--
Stan

#279656 From: Joe <joe@...>
Date: Fri Sep 2, 2011 10:33 pm
Subject: Re: Disabling SSLv2 does not work as expected
 
On 09/02/2011 02:41 PM, Stan Hoeppner wrote:

> Red Hat is a commercial distro.  They will always do things differently,
> things that seem strange and sometimes simply stupid to the rest of us.
> Which is one of the many reasons I don't use a commercial distro.  Red
> Hat cherry picks patches from up and down the kernel source tree and
> backports them, all the way from 2.6.30 to 3.1 rc1.  Many such kernel
> patches are contributed by RH.  I don't know if they do this with
> applications, but it stands to reason that they would, given what they
> do with the kernel.

Anyone I know who uses RHEL or CentOS soon turns to the well known 3rd party repos which offer handy items like postfix-2.8 rpms. The point is, for any major Linux distro, there are a number of easy-peasy ways to run a very up-to-date version of postfix.

Joe



#279657 From: Daniel Mare <dmare@...>
Date: Sat Sep 3, 2011 12:40 am
Subject: Mail server in each office, i.e. Distributed Domain
 
We have Head Office and Small Office.

In Head Office, we have Mac OS X 10.6.7 Mail server (i.e. postfix).  For people
in Head Office, traffic to and from the mail server is over the fast LAN - no
problems.

In Small Office, we have two employees, let's call them Snail and Shoe.

Currently Snail and Shoe use the mail server in Head Office.  When Snail emails
Shoe, the message travels all the way to Head Office saturating the slow link
upstream.  Shoe then downloads the email from Head Office, which then saturates
the slow link downstream.

If Snail and Shoe are on the same LAN in the small office, there shouldn't be
any reason for the message to travel all the way back to head office, so my
question is:

How do I set up a local email server in Small Office using the same email
domain?

If Snail sends an email to Shoe, it would go to a local email server in Small
Office.  The local email server in Small Office would then check if Shoe is
located in Small Office, if not, it would pass the message on the Head Office,
but in this case, seeing that Shoe is in the local Small Office, the local mail
server would then keep the message in Small Office.  Shoe will then download it
from Small Office's local mail server, saving the slow link from saturation.

How do I set up the servers this way?

#279658 From: Noel Jones <njones@...>
Date: Sat Sep 3, 2011 2:19 am
Subject: Re: Disabling SSLv2 does not work as expected
 
On 9/2/2011 2:17 PM, Michael B Allen wrote:
> My objectives are not driven by or based on logic. They are based on
> the requirements of a consortium of credit card companies and banks.

Do they require you to offer STARTTLS on port 25?  ISTR that they
don't; I think they only require that if TLS is offered, SSLv2 is
not.  If that's true, just disable opportunistic STARTTLS.

If you have eg. clients that require TLS for submission, enable port
587/submission (and/or legacy 465/smtps) and use mandatory
encryption on that port.


   -- Noel Jones

#279659 From: Daniel Mare <dmare@...>
Date: Sat Sep 3, 2011 6:38 am
Subject: Re: Mail server in each office, i.e. Distributed Domain
 
Hi Geert, it's an engineering office and people constantly email big drawings,
e.g. 20Mb to each other.  Sure email is not a file transfer protocol, but
customers email in these drawings and staff would then forward these emails on
to each other - separating attachments out and ftp'ing them would slow down the
workflow.

There must be a way to set up distributed domains in postfix?  I know it is
possible in MS Exchange.  Kerio Connect can also do this
(http://www.kerio.co.uk/blog/distributed-domain-bringing-offices-together).

If possible, though, I would like to do this with postfix - it's open source and
free so preferable to previously mentioned paid products.

I am surprised there's so little information available on this topic.  Someone
must know how to set this up?


On 03/09/2011, at 11:55 , Geert Mak wrote:

> On 03.09.2011, at 02:40, Daniel Mare <dmare@...> wrote:
>
>> saving the slow link from saturation.
>
> I am surprised that there still exist connections so slow that to justify
> administration like this :)

#279660 From: Mihira Fernando <mihiratheace@...>
Date: Sat Sep 3, 2011 6:52 am
Subject: Re: Mail server in each office, i.e. Distributed Domain
 
On Saturday 03 September 2011 6:10:54 am Daniel Mare wrote:
> We have Head Office and Small Office.
>
> In Head Office, we have Mac OS X 10.6.7 Mail server (i.e. postfix).  For
> people in Head Office, traffic to and from the mail server is over the fast
> LAN - no problems.
>
> In Small Office, we have two employees, let's call them Snail and Shoe.
>
> Currently Snail and Shoe use the mail server in Head Office.  When Snail
> emails Shoe, the message travels all the way to Head Office saturating the
> slow link upstream.  Shoe then downloads the email from Head Office, which
> then saturates the slow link downstream.
>
> If Snail and Shoe are on the same LAN in the small office, there shouldn't
> be any reason for the message to travel all the way back to head office, so
> my question is:
>
> How do I set up a local email server in Small Office using the same email
> domain?
>
> If Snail sends an email to Shoe, it would go to a local email server in
> Small Office.  The local email server in Small Office would then check if
> Shoe is located in Small Office, if not, it would pass the message on to the
> Head Office, but in this case, seeing that Shoe is in the local Small
> Office, the local mail server would then keep the message in Small Office.
> Shoe will then download it from Small Office's local mail server, saving
> the slow link from saturation.
>
> How do I set up the servers this way?

Use sub domains with aliases created for the branch office accounts in the
main domain.
You'll need transport maps set for each branch office subdomain as well.

#279661 From: Simone Caruso <info@...>
Date: Sat Sep 3, 2011 10:48 am
Subject: Re: Mail server in each office, i.e. Distributed Domain
 
> How do I set up the servers this way?
>
You can use per-user transport_maps

--
Simone Caruso
IT Consultant8

#279662 From: Jeroen Geilman <jeroen@...>
Date: Sat Sep 3, 2011 11:38 am
Subject: Re: Mail server in each office, i.e. Distributed Domain
 
On 2011-09-03 02:40, Daniel Mare wrote:
> We have Head Office and Small Office.
>
> In Head Office, we have Mac OS X 10.6.7 Mail server (i.e. postfix).  For
> people in Head Office, traffic to and from the mail server is over the fast
> LAN - no problems.
>
> In Small Office, we have two employees, let's call them Snail and Shoe.
>
> Currently Snail and Shoe use the mail server in Head Office.  When Snail
> emails Shoe, the message travels all the way to Head Office saturating the
> slow link upstream.  Shoe then downloads the email from Head Office, which
> then saturates the slow link downstream.
>
> If Snail and Shoe are on the same LAN in the small office, there shouldn't
> be any reason for the message to travel all the way back to head office, so
> my question is:
>
> How do I set up a local email server in Small Office using the same email
> domain?
>
> If Snail sends an email to Shoe, it would go to a local email server in
> Small Office.  The local email server in Small Office would then check if
> Shoe is located in Small Office, if not, it would pass the message on to the
> Head Office, but in this case, seeing that Shoe is in the local Small
> Office, the local mail server would then keep the message in Small Office.
> Shoe will then download it from Small Office's local mail server, saving
> the slow link from saturation.
>
> How do I set up the servers this way?

Install a new postfix server at the satellite location, and either give
it its own mail domain (and MX record), or set up transports to those
two users.

In case the former is unpractical, or impossible, for instance because
the second server is on an internal LAN only (think VPN), you can use
transport_maps on the main mail server to deliver mail for those two
users to the satellite office.

The satellite mail server should be configured to accept mail for its
local users, and route mail for other users back to the main server; the
simplest way to do this is to alias the valid users to a separate
mailbox domain, and relay the original domain back to the main server.

However, even the above can be achieved in half a dozen distinct ways,
and there is no single correct solution; it depends on additional
requirements, such as: will the satellite system send its own external
mail ? and: is there a centralized user database available for use by
both systems ?

More information can be found in the documentation, such as
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local and
http://www.postfix.org/ADDRESS_REWRITING_README.html

--
J.

#279663 From: wietse@... (Wietse Venema)
Date: Sat Sep 3, 2011 2:30 pm
Subject: Postfix stable release 2.8.5, 2.7.6, 2.6.12, 2.5.15
 
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.8.5.html]

Postfix stable release 2.8.5, 2.7.6, 2.6.12, and 2.5.15 are available.
These contain fixes and workarounds for the Postfix Milter client
that were already included with the Postfix 2.9 experimental release.

     * The Postfix Milter client logged a "milter miltername: malformed
       reply" error when a Milter sent an SMTP response without
       enhanced status code (i.e. "XXX Text" instead of "XXX X.X.X
       Text").

     * The Postfix Milter client sent a random {client_connections}
       macro value when the remote SMTP client was not subject to
       any smtpd_client_* limit. As a workaround, it now sends a
       zero value instead.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

	 Wietse

#279664 From: Wietse Venema <wietse@...>
Date: Sat Sep 3, 2011 3:22 pm
Subject: Re: Mail server in each office, i.e. Distributed Domain
 
Daniel Mare:
> Hi Geert, it's an engineering office and people constantly email
> big drawings, e.g. 20Mb to each other.  Sure email is not a file
> transfer protocol, but customers email in these drawings and staff
> would then forward these emails on to each other - separating
> attachments out and ftp'ing them would slow down the workflow.
>
> There must be a way to set up distributed domains in postfix?  I

Sure.  I did that years before I wrote Postfix. The idea is to use
location-independent email addresses (user@...) for the
population.

The mail domain is distributed across multiple physical servers,
some of which may also be primary MX for the distributed domain.
Each mail server forwards mail to the "right" physical server
using a shared alias database.

/etc/postfix/main.cf:
     myorigin = $mydomain
     mydestination = $myhostname $mydomain localhost.$mydomain localhost
     virtual_alias_maps = some replicated database

In the replicated database:
     #lookup value    lookup result
     user1@... user@...
     user2@... user@...

The replicated database has one record for all recipients including
root, postmaster, and so on. Replication can be done with rsync,
LDAP, *SQL, and so on.

To receive some email addresses on the server itself, see:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local

In addition, each mail server needs to have a local database table
for its own users. Those users can be the UNIX system password file,
a Postfix virtual alias domain, or a Postfix virtual mailbox domain.

	 Wietse
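
The scheme in the message above, sketched as an added example (not Postfix code and not from the thread): a checker for the replicated alias table that follows rewriting, flags missing root/postmaster records, loops and targets on unknown hosts, and shows which server keeps a message. The domain example.com, the host names and every address are hypothetical; one result per record is assumed, as in the message.

```python
# Constructed sample of the replicated table; all names are hypothetical.
REPLICATED_TABLE = """\
# lookup value            lookup result
snail@example.com         snail@small.example.com
shoe@example.com          shoe@small.example.com
boss@example.com          boss@head.example.com
postmaster@example.com    boss@example.com
typo@example.com          typo@smal.example.com
"""
SERVERS = {"head.example.com", "small.example.com"}

def parse_table(text):
    """Parse 'lookup-value  lookup-result' lines; lines starting with # are comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, result = line.split(None, 1)
        table[key.lower()] = result.strip().lower()
    return table

def resolve(table, address):
    """Follow alias rewriting until no record matches; None means a loop."""
    seen, current = set(), address.lower()
    while current in table and table[current] != current:
        if current in seen:
            return None
        seen.add(current)
        current = table[current]
    return current

def route(table, recipient, my_hostname):
    """What the server named my_hostname does with mail for recipient."""
    recipient = recipient.lower()
    if recipient not in table:
        return ("unknown", recipient)
    final = resolve(table, recipient)
    if final is None:
        return ("loop", recipient)
    host = final.rsplit("@", 1)[-1]
    return ("local" if host == my_hostname else "forward", final)

def check_table(table, domain, servers, required=("root", "postmaster")):
    """Return a list of problems found in the replicated table."""
    problems = []
    for name in required:
        if f"{name}@{domain}" not in table:
            problems.append(f"no record for {name}@{domain}")
    for key in sorted(table):
        final = resolve(table, key)
        if final is None:
            problems.append(f"{key}: rewriting loop")
        elif final.rsplit("@", 1)[-1] not in servers:
            problems.append(f"{key}: ends at {final}, not a known server")
    return problems

if __name__ == "__main__":
    table = parse_table(REPLICATED_TABLE)
    for server in sorted(SERVERS):
        print(server, route(table, "shoe@example.com", server))
    for problem in check_table(table, "example.com", SERVERS):
        print("PROBLEM:", problem)
```

Run against the same table on every server, the check catches a record that would send mail to a host outside the set of mail servers before the table is replicated.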

#279665 From: Patrick Lists <postfix-list@...>
Date: Sat Sep 3, 2011 4:22 pm
Subject: Fighting virtual_mailbox_domain errors
 
Hi all,

On a CentOS 6 box with postfix-2.6.6-2.1.el6_0 I'm trying to setup a
virtual_mailbox_domain that is fed into Zarafa (the Open Source Exchange
replacement). I can't seem to get past the helo_access and relay denied
errors. So clearly I am doing something wrong but the postfix book and
online docs have not been able to enlighten me. Could anyone please give
me a hint where I need to look?

Example helo_access error:

Sep  3 18:17:51 cronos postfix/smtpd[4962]: connect from localhost[::1]
Sep  3 18:17:51 cronos postfix/smtpd[4962]: NOQUEUE: reject: RCPT from
localhost[::1]: 554 5.7.1 <cronos.puzzled.xs4all.nl>: Helo command
rejected: You are not puzzled.xs4all.nl (helo_access);
from=<patrick@...> to=<patrick@...> proto=ESMTP
helo=<cronos.puzzled.xs4all.nl>
Sep  3 18:17:51 cronos postfix/smtpd[4962]: disconnect from localhost[::1]

Example relay_denied error:

Sep  3 17:53:11 cronos postfix/smtpd[4309]: connect from localhost[::1]
Sep  3 17:53:11 cronos postfix/smtpd[4309]: NOQUEUE: reject: RCPT from
localhost[::1]: 554 5.7.1 <patrick@...>: Relay access denied;
from=<patrick@...> to=<patrick@...> proto=ESMTP
helo=<cronos.puzzled.xs4all.nl>
Sep  3 17:53:11 cronos postfix/smtpd[4309]: disconnect from localhost[::1]

******************************************************
$ postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_size_limit = 1024
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 900000000
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = puzzled.xs4all.nl
myhostname = cronos.puzzled.xs4all.nl
mynetworks = 127.0.0.0/8, 10.0.0.0/24, 10.0.1.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = 83.163.53.136
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unknown_reverse_client_hostname,
check_client_access pcre:/etc/postfix/fqrdns.pcre
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unlisted_recipient,
reject_unauth_destination, reject_unknown_recipient_domain,
reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org,
reject_rbl_client backscatter.spameatingmonkey.net, reject_rbl_client
bl.spameatingmonkey.net, reject_rhsbl_sender
fresh15.spameatingmonkey.net, reject_rhsbl_client
fresh15.spameatingmonkey.net, reject_rhsbl_sender
urired.spameatingmonkey.net, reject_rhsbl_client urired.spameatingmonkey.net
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unknown_sender_domain, reject_non_fqdn_sender
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = mailguard.nl
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_transport = lmtp:127.0.0.1:2003

******************************************************

$ cat /etc/postfix/vmailbox

patrick@...  whatever

******************************************************

$ cat /etc/postfix/virtual

<empty>


******************************************************

$ cat /etc/postfix/helo_access

puzzled.xs4all.nl REJECT You are not puzzled.xs4all.nl (helo_access)
83.163.53.136  REJECT You are not 83.163.53.136 (helo_access)
mailguard.nl  REJECT You are not mailguard.nl (helo_access)


******************************************************

$ cat /etc/postfix/sender_access

puzzled.xs4all.nl REJECT You are not puzzled.xs4all.nl (sender_access)
83.163.53.136  REJECT You are not 83.163.53.136 (sender_access)
mailguard.nl  REJECT You are not mailguard.nl (sender_access)


Thanks!
Patrick

#279666 From: Reindl Harald <h.reindl@...>
Date: Sat Sep 3, 2011 5:33 pm
Subject: Re: Fighting virtual_mailbox_domain errors
 
On 03.09.2011 18:22, Patrick Lists wrote:
> Hi all,
>
> On a CentOS 6 box with postfix-2.6.6-2.1.el6_0 I'm trying to setup a
> virtual_mailbox_domain that is fed into Zarafa (the Open Source Exchange
> replacement). I can't seem to get past the helo_access and relay denied
> errors. So clearly I am doing something wrong but the postfix book and
> online docs have not been able to enlighten me. Could anyone please give
> me a hint where I need to look?
>
> Example helo_access error:
>
> Sep  3 18:17:51 cronos postfix/smtpd[4962]: connect from localhost[::1]
> Sep  3 18:17:51 cronos postfix/smtpd[4962]: NOQUEUE: reject: RCPT from
> localhost[::1]: 554 5.7.1 <cronos.puzzled.xs4all.nl>: Helo command
> rejected: You are not puzzled.xs4all.nl (helo_access);
> from=<patrick@...> to=<patrick@...> proto=ESMTP
> helo=<cronos.puzzled.xs4all.nl>
> Sep  3 18:17:51 cronos postfix/smtpd[4962]: disconnect from localhost[::1]
>
$ cat /etc/postfix/helo_access
puzzled.xs4all.nl    REJECT You are not puzzled.xs4all.nl (helo_access)

so what do you expect if something is using "puzzled.xs4all.nl" as helo?

#279667 From: Noel Jones <njones@...>
Date: Sat Sep 3, 2011 6:28 pm
Subject: Re: Fighting virtual_mailbox_domain errors
 
On 9/3/2011 11:22 AM, Patrick Lists wrote:
> Hi all,
>
> On a CentOS 6 box with postfix-2.6.6-2.1.el6_0 I'm trying to
> setup a virtual_mailbox_domain that is fed into Zarafa (the
> Open Source Exchange replacement). I can't seem to get past the
> helo_access and relay denied errors. So clearly I am doing
> something wrong but the postfix book and online docs have not
> been able to enlighten me. Could anyone please give me a hint
> where I need to look?
>
> Example helo_access error:
>
> Sep  3 18:17:51 cronos postfix/smtpd[4962]: connect from
> localhost[::1] Sep  3 18:17:51 cronos postfix/smtpd[4962]:
> NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1
> <cronos.puzzled.xs4all.nl>: Helo command rejected: You are not
> puzzled.xs4all.nl (helo_access); from=<patrick@...>
> to=<patrick@...> proto=ESMTP
> helo=<cronos.puzzled.xs4all.nl> Sep  3 18:17:51 cronos
> postfix/smtpd[4962]: disconnect from localhost[::1]
>
> Example relay_denied error:
>
> Sep  3 17:53:11 cronos postfix/smtpd[4309]: connect from
> localhost[::1] Sep  3 17:53:11 cronos postfix/smtpd[4309]:
> NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1
> <patrick@...>: Relay access denied;
> from=<patrick@...> to=<patrick@...> proto=ESMTP
> helo=<cronos.puzzled.xs4all.nl> Sep  3 17:53:11 cronos
> postfix/smtpd[4309]: disconnect from localhost[::1]
>

Both the connections above are reported as from [::1] ip6 localhost.

> ****************************************************** $
> postconf -n
...

> mynetworks = 127.0.0.0/8, 10.0.0.0/24, 10.0.1.0/24

Oops, mynetworks contains only ip4 addresses.

Solution is to either disable ip6:
inet_protocols = ipv4
or add ip6 localhost to mynetworks:
mynetworks = [::1]/128 127.0.0.0/8, 10.0.0.0/24, 10.0.1.0/24


   -- Noel Jones
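
The mismatch diagnosed in the reply above (clients arriving from [::1] while mynetworks lists only IPv4 ranges) can be checked mechanically. This is an added example, not code from the thread or from Postfix: it parses a mynetworks value and reports which `connect from` clients in a log fall outside it. Three of the four log lines are constructed, and lookup tables and `!` exclusions in mynetworks are skipped rather than evaluated.

```python
import ipaddress
import re

# mynetworks as posted in the thread, and with the ::1 fix from the reply.
THREAD_MYNETWORKS = "127.0.0.0/8, 10.0.0.0/24, 10.0.1.0/24"
FIXED_MYNETWORKS = "[::1]/128 127.0.0.0/8, 10.0.0.0/24, 10.0.1.0/24"

# First line is from the thread; the other three are constructed.
SAMPLE_LOG = [
    "Sep  3 18:17:51 cronos postfix/smtpd[4962]: connect from localhost[::1]",
    "Sep  3 18:20:02 cronos postfix/smtpd[4970]: connect from localhost[127.0.0.1]",
    "Sep  3 18:21:40 cronos postfix/smtpd[4975]: connect from unknown[10.0.1.25]",
    "Sep  3 18:22:10 cronos postfix/smtpd[4980]: connect from unknown[192.0.2.10]",
]

CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+?)\[([^\]]+)\]")


def parse_mynetworks(value):
    """Turn a mynetworks value into ip_network objects.

    Accepts comma or whitespace separators and the bracketed IPv6 form.
    Lookup tables (type:name), file paths and ! exclusions are skipped.
    """
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        bracketed = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\](/\d+)?", item)
        if bracketed:
            item = bracketed.group(1) + (bracketed.group(2) or "")
        elif not item or ":" in item or item.startswith(("/", "!")):
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def clients_outside_mynetworks(mynetworks, log_lines):
    """Return (name, address) for each connecting client not covered."""
    nets = parse_mynetworks(mynetworks)
    outside = []
    for line in log_lines:
        match = CONNECT_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(2))
        except ValueError:  # e.g. unknown[unknown]
            continue
        if not any(addr.version == n.version and addr in n for n in nets):
            outside.append((match.group(1), str(addr)))
    return outside


if __name__ == "__main__":
    for label, value in (("as posted", THREAD_MYNETWORKS), ("fixed", FIXED_MYNETWORKS)):
        for name, addr in clients_outside_mynetworks(value, SAMPLE_LOG):
            loop = ipaddress.ip_address(addr).is_loopback
            note = "  <- loopback not covered" if loop else ""
            print(f"{label}: {name}[{addr}] not in mynetworks{note}")
```

A loopback address in the result means local software connecting over IPv6 is not matched by permit_mynetworks and falls through to the later restrictions, which is what both rejections in the thread show.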
