The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,528 other followers

Archive for the ‘postfix’ Category

Postfix and blacklists

Posted by jpluimers on 2019/04/19

Still learning postfix configuration, below are some links on how to enable various blacklists that use the RBL DNS (aka [WayBack] DNSBL) way of operations.

They are centered around using the of the [WayBack] Postfix Documentation entry reject_rbl_client listings:

Basically reject_rbl_client is part of smtpd_client_restrictions.

TODO:

I need to dig further into some other blacklist options than reject_rbl_clientreject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender or reject_rhsbl_recipient restriction.

Then I need to go through these links:

Some blacklist checking links:

–jeroen

Posted in *nix, *nix-tools, postfix, Power User | Leave a Comment »

mail-filters/Makefile at master · fumiyas/mail-filters

Posted by jpluimers on 2019/04/15

Cool tool if you use Postfix: mail-filters/Makefile at master · fumiyas/mail-filters.

You set it up like this:

cd /etc/postfix
wget https://raw.githubusercontent.com/fumiyas/mail-filters/master/postfix/Makefile

Then each time you change your postfix configuration:

cd /etc/postfix
make

In that directory, it will (re)generate a Makefile.postmapbased on the lines with hash in main.cf, then make each .db file from the source hash file.

After that you have to manually restart postfix, which depends on your Linux flavour.

Similar solutions:

–jeroen

Posted in *nix, *nix-tools, Development, Makefile, postfix, Power User, Scripting, Software Development | Leave a Comment »

Default OpenSuSE Postfix main.cf forgets to configure SASL for cyrus…

Posted by jpluimers on 2019/04/15

If you see the below in your Postfix log when trying to test your config, then the SASL configuration is empty. Oddly that seems the default on OpenSuSE for a while now, despite it providing cyrus SASL out of the box.

Sep 15 14:30:07 katrien postfix/smtpd[12719]: fatal: bad string length 0 < 1: smtpd_sasl_path =
Sep 15 14:30:08 katrien postfix/master[12400]: warning: process /usr/lib/postfix/smtpd pid 12719 exit status 1
Sep 15 14:30:08 katrien postfix/master[12400]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

Prior OpenSuSE versions had this in /etc/postfix/main.cf:

# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_auth_enable = no
#smtpd_sasl_path = private/auth
#smtpd_sasl_type = dovecot

Newer OpenSuSE versions have this:

# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_auth_enable = no
# cyrus : smtpd_sasl_type = cyrus, smtpd_sasl_path = smtpd
# dovecot : smtpd_sasl_type = dovecot, smtpd_sasl_path = private/auth
smtpd_sasl_path =
smtpd_sasl_type = 

Despite the newer having these installed:

# rpm -qa | grep cyrus
cyrus-sasl-crammd5-2.1.26-14.2.aarch64
cyrus-sasl-2.1.26-14.2.aarch64
cyrus-sasl-plain-2.1.26-14.2.aarch64
cyrus-sasl-digestmd5-2.1.26-14.2.aarch64
cyrus-sasl-gssapi-2.1.26-14.2.aarch64

Solution:

smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus

Since the values for both lines are default, you could even comment them out; see the documentation:

–jeroen

Via: [WayBackpostfix IRC logs [July 26 – 2007]

Posted in *nix, *nix-tools, Linux, openSuSE, postfix, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

Some Postfix configuration guidelines

Posted by jpluimers on 2019/02/08

Not just for Postfix are the first two guidelines:

  • Change one thing at a time
  • Save known working configurations

For the latter, I’m using etckeeper pushing to an external git repository hoster.

For Postfix are the others from [WayBackPostfix Configuration Guidelines.

One tip that’s missing, but saved my life numerous of times:

In /etc/postfix/main.cfg do not use this line ever:

inet_interfaces = $myhostname

If the resolving (through DNS or hosts file) of $myhostname fails for any reason in the future, then Postfix will not start at all, but in stead emit a fatal error like this:

/usr/sbin/postconf: fatal: parameter inet_interfaces: no local interface found for 127.0.0.2

Specify exact interfaces in stead, like any of these:

inet_interfaces = all

inet_interfaces = localhost

inet_interfaces = 192.168.24.68

–jeroen

Posted in *nix, *nix-tools, postfix, Power User | Leave a Comment »

‪Dear #lazyweb, can anyone point me to a modern email server setup (just emai…

Posted by jpluimers on 2019/02/01

Summary from [WayBack]‪ Dear #lazyweb, can anyone point me to a modern email server setup (just email) with letsencrypt, some spam filter, multi domain preferably on RHEL/Cent… – Jan Wildeboer – Google+

  • many SMTP servers on the interwebs do not have proper TLS setups, so do not require remote SMTP servers to deliver email with a proper certificate
  • delivering mail via SMTP using STARTTLS with a proper certificate yourself is a good step forward
  • postfix
  • dovecot
  • greylisting (although in practice it does not make much of a difference any more)
  • fail2ban
  • dnsbl (often called rbl)
  • spamassasin
  • rspamd (supports SPF, DKIM and many others)
  • letsencrypt automation can be tough, so here is a small wrapper: [WayBack] GitHub – DrGlitchMX/update-letsencrypt: Tiny script for updating “Let’s Encrypt!” certificates from cron
  • it helps having letsencrypt and the mail server to be on one machine:
    • multidomain let’s encrypt cert that has my webserver name and the mailserver in the Subject Alternative Names field. As both are on the same machine certbot can automatically update it and I just point Postfix and Dovecot to the LE files.
  • Hans-Martin Mosner SMTP as-is is just not suitable for the kind of decentralized mail that you would prefer. You need some mechanism to determine which mail senders to trust and which not. Cryptography is suitable at the MUA level and should be used much more, but at the MTA level, TLS for privacy and SPF(bleh) or DKIM(meh) for sender domain authentication are basically your only weapons -much too weak. The PGP web of trust must be considered a failed experiment – who of your mail contacts uses PGP properly or at all? Ironically the only secure messaging solutions for the masses are centralized.

Things to do:

  • find a proper multi-MX fallback setup guide for postfix

–jeroen

Read the rest of this entry »

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, SMTP | Leave a Comment »

 
%d bloggers like this: