Revision as of 13:56, 12 February 2024

Docs

Homepage

Postfix and smtp auth/sasl

Postfix and Network Solutions certificates

#The private key you created together with privkey.csr, readable for root only!
smtpd_tls_key_file = privkey.pem

#the certificate you received from NS
smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt

#NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
smtpd_tls_CAfile = /etc/postfix/intermediate.pem

SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available

install cyrus-sasl-plain

HOWTO

Test smtp with telnet or openssl

https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/

DANE compliant config

smtpd_tls_protocols = TLSv1.2, TLSv1.3 smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3 smtpd_tls_exclude_ciphers =

     EXP, LOW, MEDIUM,
     aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES,
     ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256,
     MD5, SHA

smtpd_tls_ciphers = high smtpd_tls_mandatory_ciphers = high smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem

for tlsv1.2, implicit in 1.3

tls_ssl_options = NO_RENEGOTIATION smtpd_tls_eecdh_grade = ultra

Postfix and LDAP

Spam filtering

ldap and aliases

man ldap_table
man maildirquota

Send mail via relay with authentication

See SASL_README

Test relay authentication

openssl s_client -connect server:25 -starttls smtp (-crlf if exchange)

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
# if they use some self signed cert
smtp_tls_CAfile = /etc/postfix/cacert.crt

Exchange issues

# fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature?
tls_ssl_options = 0x80
#you might need this
smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest
relayhost = [smtp.office365.com]:587

sasl_password

username:password

or

[relayname]:587 username:password

Relaying via office365

https://apiit.atlassian.net/wiki/spaces/ITSM/pages/1205567492/How+to+configure+postfix+relay+to+Office365+on+Ubuntu

/etc/postfix/sasl_passwd

[smtp.office365.com]:587 username@yourdomain:office365password

/etc/postfix/generic

root@whatever username@yourdomain

/etc/postfix/main.cf

relayhost = [smtp.office365.com]:587

smtp_tls_security_level=may
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level=may
smtp_generic_maps = hash:/etc/postfix/generic

Tools

Test-mail for DANE compliancy
postfwd

pflogsumm

Log analyzer

vimbadmin

Notes

postconf
postsuper

anti spam measures that work for me

smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_unverified_recipient,
   permit_mynetworks,
   reject_sender_login_mismatch,
   reject_invalid_hostname,
   reject_unknown_reverse_client_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   check_recipient_access  hash:/etc/postfix/recipient_access,
   reject_rbl_client bl.spamcop.net,

reject_rbl_client safe.dnsbl.sorbs.net,

   reject_rbl_client b.barracudacentral.org,
   permit

tls on outgoing mail

smtp_use_tls = yes
smtp_tls_security_level = may

TODO is all this really needed??

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_loglevel = 1

CentOS packages

gf-plus repository or epel :)

FAQ

smtp vs smtpd

smtpd = incoming

smtp = outgoing

Stop trying to bounce to noreply@

In transport_maps set

noreply@example.com discard

and in main.cf

transport_maps = hash:/etc/postfix/transport_maps

remember to

postmap /etc/postfix/transport_maps

and

postfix reload

warning: no MX host for xxx has a valid address record

Probably means the defined MX record does not resolve

Limit CC

/etc/postfix/header_checks

/^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
/^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.

fatal: bad string length 0 < 1: sendmail_path =

Looks like a debconf feature, install mailutils and

postconf sendmail_path=/usr/sbin/sendmail

and probably also

postconf mailq_path=/usr/bin/mailq
postconf newaliases_path=/usr/bin/newaliases

then

postfix reload

to check, maybe more broke

log subject

https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html

Create file /etc/postfix/header_checks and put in:

/^[Ss]ubject:/  WARN

and in /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks

rate limit outgoing mail

Probably start with

smtp_destination_rate_delay = 5s

this seems safe for outlook.

queue

Clean the postfix queue

mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d  ${i};done

Or simple:

postsuper -d ALL

View message in queue

postcat

Delete message from queue

postsuper -d

Requeue mails

postsuper -r ALL

or

postqueue -f

delivery temporarily suspended

Postfix as secondary MX

relay_domains = foo.com, bar.com
relay_recipient_maps =
          hash:/etc/postfix/relay_recipients

milter-reject 4.7.0 DNS timeout

Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.

postqueue: fatal: Connect to the Postfix showq service: Permission denied

postfix set-permissions

too many concurrent connections

If that's what you get sending to a server you don't control, check

initial_destination_limit (??)

smtp_destination_concurrency_limit

warning: SASL authentication failure: No worthy mechs found

could be missing cyrus-sasl-plain

Sender address rejected: need fully-qualified address

myorigin = /etc/mailname

If you're using mailutils, make sure fqdn is in /etc/hostname, double check with hostname -f See also

mail --config-help

about contents of /etc/mailutils.conf, and

man hostname

newaliases: fatal: bad string length 0 < 1: setgid_group =

Probably Ubuntu (Debian?), comment out the setgid_group line

warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:

@@ Line 1: / Line 1: @@
-==Docs==
+=Docs=
 *[http://www.postfix.org/ Homepage]
+*http://www.postfix.org/ADDRESS_CLASS_README.html
+*[http://www.freebsddiary.org/postfix.php Postfix on FreeBSD]
 *[http://www.zytrax.com/tech/survival/postfix.html Postfix survival guide]
 *[http://wiki.apache.org/spamassassin/IntegratedInPostfixWithAmavis Postfix and Amavis]
 *[http://www.akadia.com/services/postfix_spamassassin.html Postfix and SpamAssassin]
 *[http://hurring.com/howto/postfix_spamd/ postfix+spamd]
+*[http://www.irbs.net/internet/postfix/0609/1487.html postfix with spamassass-milter on freebsd]
 *[http://www.postfix.org/faq.html FAQ]
 *[http://wiki.linuxquestions.org/wiki/Postfix_with_clamav-milter Postfix with clamav-milter]
-*[http://postfixwiki.org/ Postfix wiki]
 *[[postfix dovecot]]
+*[[postfix amavisd-new freebsd]]
+*http://souptonuts.sourceforge.net/postfix_tutorial.html
+*[http://macnugget.org/projects/postfixrelaymaps/ Setting up automatic relay_recipient_maps in postfix]
+*http://wiki.kartbuilding.net/index.php/Postfix_SMTP#Blocking_Spam_with_spamhaus_and_Postfix
+*[[Postfix on Debian]]
+*http://www.postfix.org/VIRTUAL_README.html
+*https://skrilnetz.net/setup-your-own-mailserver/
+*[https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssassin]
+*[https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-postfix Hands-on: implementing SPF, DKIM and DMARC in Postfix]
+==Postfix and smtp auth/sasl==
+*http://www.postfix.org/SASL_README.html
+*[https://wiki.centos.org/HowTos/postfix_sasl Postfix/dovecot SASL and SSL/TLS guide on CentOS]
+*[https://www.linode.com/docs/guides/postfix-smtp-debian7/ Configure Postfix to Send Email Using External SMTP Servers]
+*[https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/ Postfix, dovecot and sasl]
+*http://adomas.org/2006/08/postfix-dovecot/
+*http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
+*http://forums.macosxhints.com/archive/index.php/t-96919.html
+*[https://www.sidn.nl/en/modern-internet-standards/hands-on-implementing-dane-in-postfix Implementing DANE in postfix]
+===Postfix and Network Solutions certificates===
+ #The private key you created together with privkey.csr, readable for root only!
+ smtpd_tls_key_file = privkey.pem
+ #the certificate you received from NS
+ smtpd_tls_cert_file = /etc/ssl/MY.HOST.COM.crt
+ #NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt combined in a single file
+ smtpd_tls_CAfile = /etc/postfix/intermediate.pem
+===SASL authentication failed; cannot authenticate to server smtp.office365.com[52.97.201.66]: no mechanism available===
+install cyrus-sasl-plain
+=HOWTO=
+==Test smtp with telnet or openssl==
+ https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/
+==DANE compliant config==
+smtpd_tls_protocols = TLSv1.2, TLSv1.3
+smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3
+smtpd_tls_exclude_ciphers =
+      EXP, LOW, MEDIUM,
+      aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES,
+      ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256,
+      MD5, SHA
+smtpd_tls_ciphers = high
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
+#for tlsv1.2, implicit in 1.3
+tls_ssl_options = NO_RENEGOTIATION
+smtpd_tls_eecdh_grade = ultra
 ==Postfix and LDAP==
+*[[ Postfix LDAP ]]
 *[http://www.akadia.com/services/postfix_separate_mailboxes.html Hosting Multiple Domains with Virtual Accounts]
 *[http://www.postfix.org/LDAP_README.html#example_alias LDAP Support in Postfix]
@@ Line 20: / Line 75: @@
 *http://gentoo-wiki.com/HOWTO_Postfix-LDAP_virtual_users_with_qmail_schema
 *http://www.ldapsource.com/content/ldap_postfix.html
+*http://www.boobah.info/howto/postfix-ldap.html
+==Spam filtering==
+*http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
+*[http://postfwd.org/ Postfwd]
+*[http://www.postfix.org/postscreen.8.html Postscreen]
+*[http://rob0.nodns4.us/postscreen.html Postscreen cheatsheet]
+*http://www.xnote.com/howto/postfix-spamassassin.html
+*http://www.akadia.com/services/postfix_spamassassin.html
+*[http://www.freesoftwaremagazine.com/articles/focus_spam_postfix/ Filtering spam with Postfix]
+*[http://www.malgouyres.fr/linux/spamass-milter_postfix_en.html Postfix and spamass-milter]
+==ldap and aliases==
+*http://www.postfix.org/LDAP_README.html
+*http://www.howtoforge.com/mandriva-directory-server-on-debian-etch-p3
-===ldap and aliases==
@@ Line 28: / Line 97: @@
   man maildirquota
-==Notes==
-*postconf
-*postsuper
-==FAQ==
+==Send mail via relay with authentication==
-===Clean the postfix queue===
+See [https://www.postfix.org/SASL_README.html SASL_README]
-  mailq | grep ^[A-F0-9]| awk '{ print $1 }'|  while read i;do postsuper -d  ${i};done
+===Test relay authentication===
+ openssl s_client -connect server:25 -starttls smtp (-crlf if exchange)
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+ smtp_use_tls = yes
+ smtp_sasl_security_options = noanonymous
+ # if they use some self signed cert
+ smtp_tls_CAfile = /etc/postfix/cacert.crt
+Exchange issues
+ # fixing "TLS library problem: error:0A000126:SSL routines::unexpected eof while reading" exchange feature?
+ tls_ssl_options = 0x80
+ #you might need this
+ smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest
+ relayhost = [smtp.office365.com]:587
+===sasl_password===
+ username:password
+or
+ [relayname]:587 username:password
+===Relaying via office365===
+https://apiit.atlassian.net/wiki/spaces/ITSM/pages/1205567492/How+to+configure+postfix+relay+to+Office365+on+Ubuntu
+====/etc/postfix/sasl_passwd====
+ [smtp.office365.com]:587 username@yourdomain:office365password
+====/etc/postfix/generic====
+ root@whatever username@yourdomain
+====/etc/postfix/main.cf====
+ relayhost = [smtp.office365.com]:587
+ smtp_tls_security_level=may
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ smtp_sasl_security_options = noanonymous
+ smtp_tls_security_level=may
+ smtp_generic_maps = hash:/etc/postfix/generic
+=Tools=
+*[https://internet.nl/test-mail/ Test-mail for DANE compliancy]
+*postfwd
+==pflogsumm==
+Log analyzer
+==vimbadmin==
+[http://www.vimbadmin.net/ vimbadmin]
+= Notes =
+*postconf
+*postsuper
+== anti spam measures that work for me ==
+ smtpd_recipient_restrictions =
+    permit_sasl_authenticated,
+    reject_unverified_recipient,
+    permit_mynetworks,
+    reject_sender_login_mismatch,
+    reject_invalid_hostname,
+    reject_unknown_reverse_client_hostname,
+    reject_non_fqdn_hostname,
+    reject_non_fqdn_sender,
+    reject_non_fqdn_recipient,
+    reject_unknown_sender_domain,
+    reject_unknown_recipient_domain,
+    reject_unauth_destination,
+    check_recipient_access  hash:/etc/postfix/recipient_access,
+    reject_rbl_client bl.spamcop.net,
+#reject_rbl_client safe.dnsbl.sorbs.net,
+    reject_rbl_client b.barracudacentral.org,
+    permit
+== tls on outgoing mail ==
+ smtp_use_tls = yes
+ smtp_tls_security_level = may
+TODO is all this really needed??
+ smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+ smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
+ smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
+ smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
+ smtp_tls_loglevel = 1
+=CentOS packages=
+gf-plus repository
+or epel :)
+= FAQ =
+==smtp vs smtpd==
+smtpd = incoming
+smtp = outgoing
+==Stop trying to bounce to noreply@==
+In '''transport_maps''' set
+ noreply@example.com discard
+and in '''main.cf'''
+ transport_maps = hash:/etc/postfix/transport_maps
+remember to
+ postmap /etc/postfix/transport_maps
+and
+ postfix reload
+==warning: no MX host for xxx has a valid address record==
+Probably means the defined MX record does not resolve
+=== Limit CC ===
+/etc/postfix/header_checks
+ /^To:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
+ /^Cc:([^@]*@){50,}/ REJECT Sorry, your message has too many recepients.
+== fatal: bad string length 0 < 1: sendmail_path =  ==
+Looks like a debconf feature, install mailutils and
+ postconf sendmail_path=/usr/sbin/sendmail
+and probably also
+ postconf mailq_path=/usr/bin/mailq
+ postconf newaliases_path=/usr/bin/newaliases
+then
+ postfix reload
+to check, maybe more broke
+== log subject ==
+https://raymii.org/s/tutorials/Postfix_Log_message_from_to_and_subject_headers.html
+Create file /etc/postfix/header_checks and put in:
+ /^[Ss]ubject:/  WARN
+and in /etc/postfix/main.cf
+ header_checks = regexp:/etc/postfix/header_checks
+&nbsp;
+=== rate limit outgoing mail ===
+*[http://steam.io/2013/04/01/postfix-rate-limiting/ Postfix rate limiting – Politeness goes a long way DEAD LINK]
+*[https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling.html limit by domain]
+Probably start with
+ smtp_destination_rate_delay = 5s
+this seems safe for outlook.
+== queue ==
+=== Clean the postfix queue ===
+  mailq | grep ^[A-F0-9]| awk '{ print $1 }'| sed 's/*//' | while read i;do postsuper -d  ${i};done
+Or simple:
+ postsuper -d ALL
+=== View message in queue ===
+ postcat
+=== Delete message from queue ===
+ postsuper -d
+=== Requeue mails ===
+ postsuper -r ALL
+or
+ postqueue -f
+===delivery temporarily suspended===
+== Postfix as secondary MX ==
+ relay_domains = foo.com, bar.com
+ relay_recipient_maps =
+           hash:/etc/postfix/relay_recipients
+&nbsp;
+== milter-reject 4.7.0 DNS timeout ==
+Most likely caused by sid-filter, aka milter-sid, aka sid-milter. Try adding "-D" to the rc.conf or defaults or whatever file starting it.
+== postqueue: fatal: Connect to the Postfix showq service: Permission denied ==
+ postfix set-permissions
+== too many concurrent connections ==
+If that's what you get sending to a server you don't control, check
+ initial_destination_limit (??)
+ smtp_destination_concurrency_limit
+&nbsp;
+== warning: SASL authentication failure: No worthy mechs found ==
+could be missing cyrus-sasl-plain
+&nbsp;
+== Sender address rejected: need fully-qualified address ==
+ myorigin = /etc/mailname
+If you're using mailutils, make sure fqdn is in /etc/hostname, double check with '''hostname -f'''
+See also
+ mail --config-help
+about contents of /etc/mailutils.conf, and
+ man hostname
+==newaliases: fatal: bad string length 0 < 1: setgid_group ===
+Probably Ubuntu (Debian?), comment out the setgid_group line
+==warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:ssl/statem/statem_srvr.c:1686:==
+  [[Category:Mail]]

Anonymous

Search

Postfix: Difference between revisions