September 3, 2010 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | >
September 3, 2010 [00:00:28] <kad__> Aprogas, when i create then : virtual_mailbox_domains ( Does all users accounts in my Linux box will be part of the virtual domain ? or only the : virtual_mailbox_map) ?[00:01:37] <Aprogas> I never used virtual mailboxes, but I assume that for any domain in virtual_mailbox_domains not virtual_aliased to somewhere else and not having an actual virtual_mailbox, will result in virtual user unknown error.[00:02:12] <Aprogas> If you want most users in the domain to have a virtual mailbox, but some to have a local mailbox or a remote mailbox, use virtual aliases to rewrite their addresses.[00:03:55] *** EGreg__ has quit IRC[00:41:04] *** psilo2 has quit IRC[00:55:50] *** f3ew has quit IRC[00:58:31] *** f3ew has joined #postfix[01:05:46] *** brancaleone has quit IRC[01:06:00] *** forsberg is now known as fOrsberg[01:09:56] *** nb is now known as i[01:10:03] *** i is now known as i_[01:10:11] *** i_ is now known as nb_[01:10:13] *** nb_ is now known as nb|away[01:10:14] *** nb|away is now known as nb[01:15:50] *** GoGi has joined #postfix[01:19:46] *** psilo2 has joined #postfix[01:21:22] *** coin3d has quit IRC[01:22:58] *** pyther has joined #postfix[01:23:00] <pyther> Hello[01:23:15] <pyther> How can I create a certificate for TLS authentication?[01:23:41] <pyther> I found this command online openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650[01:24:13] <pyther> but I get postfix/smtpd[1572]: warning: No server certs available. TLS won't be enabled[01:27:18] <Dominian> !tls[01:27:19] <knoba> Dominian: "tls" : Short for Transport Layer Security (RFC2246). It adds an additional layer of encryption to protocols such as SMTP, POP3 or IMAP to improve security during transmission over the Internet. TLS features in Postfix are documented here: http://www.postfix.org/TLS_README.html[01:35:21] <pyther> this is way to hard :([01:49:41] *** loddafnir has quit IRC[01:57:13] <pyther> knoba: is there another guide the ca.pl script seems to be broken[02:28:08] <lunaphyte_> wow. if you think it's hard now, imagine how hard it will be when something breaks after things are in production, and you have no idea what is actually going on because you followed a howto instead of learning about how these various things actually work.[02:28:39] <pyther> lunaphyte_: to be fair the ca.pl script is busted on my system[02:29:04] <pyther> it crashes because it can't save to ./democert and I have a ./democert created[02:29:06] <lunaphyte_> i consider that script to be broken implicitely.[02:29:19] <pyther> lunaphyte_: what can I use as an alternative?[02:30:14] <lunaphyte_> i encourage reading of the documentation that accompanies the software you're using, and learning about what is happening.[02:30:28] <pyther> thanks for the help[02:31:11] <pyther> The documentation doesn't make a whole lot of sense to someone new to mail[02:31:41] <lunaphyte_> i'd suggest creating a root certificate, and then using that to sign a server certificate you create.[02:32:56] *** axisys has quit IRC[02:32:57] <pyther> ok thanks, that is more helpful[02:33:03] <pyther> I suppose I have some reading to do though[02:33:30] *** Internat has joined #postfix[02:33:31] <pyther> I have to many lose piece, is there a good guide for setting up tls authentication, maybe for newbies?[02:36:57] *** axisys has joined #postfix[02:47:05] *** mac- has quit IRC[02:52:17] *** tharkun has quit IRC[02:54:00] *** bluethundr has quit IRC[02:55:24] *** Matic`Makovec has joined #postfix[02:57:11] *** robotarmy has quit IRC[03:02:11] *** Captain has quit IRC[03:02:31] *** Captain has joined #postfix[03:18:42] <thumbs> e/36[03:19:41] <seekwill> f/42[03:31:13] <thumbs> seekwill: not funny[03:32:39] *** rooky_ has joined #postfix[03:36:07] *** rooky has quit IRC[03:36:09] *** rooky_ is now known as rooky[03:41:18] <lunaphyte> no. guides, howtos and tutorials aren't for newbies.[03:44:42] *** pyther has left #postfix[04:04:55] *** UNIXgod has quit IRC[04:08:05] <psilo2> I have an e38[04:21:18] *** rajijoom has joined #postfix[04:23:32] <Dominian> well[04:23:34] <Dominian> that was interesting[04:23:40] <Dominian> I found out why dkimproxy started failing...[04:23:49] <Dominian> apparently dkimproxy doesn't like the IO::Socket::INET6 perl module..[04:24:01] <Dominian> removed that, restarted dkimproxy, bingo.. works fine now[04:26:09] *** rajijoom has quit IRC[04:37:36] *** UNIXgod has joined #postfix[04:39:43] *** sherr has quit IRC[04:46:27] *** Verilium_ is now known as Verilium[04:47:38] *** mac- has joined #postfix[04:48:52] *** neorise-rider has quit IRC[04:59:19] *** rooky has quit IRC[05:06:03] *** leroux has quit IRC[05:10:53] *** MAAAAD has joined #postfix[05:13:45] *** MAAAAAD has quit IRC[05:18:11] *** kad__ has quit IRC[05:23:21] *** CrazyFoam has quit IRC[05:23:22] *** dogmeat has quit IRC[05:30:55] *** tharkun has joined #postfix[05:31:13] *** CrazyFoam has joined #postfix[05:32:28] *** dogmeat has joined #postfix[05:38:43] *** UNIXgod has quit IRC[05:45:38] *** Alagar has joined #postfix[05:58:18] <jim---> If I relay outbound mail through a smarthost, should my SPF records include my SMTP's IP, the smarthost's IP, or both?[05:58:49] <Dominian> wouldn't hurt to include both[05:58:59] <jim---> agreed, just wondering "technically"[05:59:37] *** _nalle has quit IRC[05:59:43] *** Zelest_ has quit IRC[05:59:55] <Dominian> technically.. the smarthost[06:00:02] <Dominian> unless of cousre the smarthost is checking SPF[06:00:03] <Dominian> then both[06:00:33] *** _nalle has joined #postfix[06:09:03] *** tharkun has quit IRC[06:20:25] *** Alagar has quit IRC[06:27:31] *** henriknj has joined #postfix[06:32:26] *** uqlev has joined #postfix[06:32:53] *** biggimat has joined #postfix[06:35:14] *** Matic`Makovec has quit IRC[06:38:06] *** JoKoT3 has quit IRC[06:40:43] *** rajijoom has joined #postfix[06:43:19] *** henriknj has quit IRC[06:43:31] *** henriknj has joined #postfix[06:44:31] *** weedar has quit IRC[06:48:26] *** henriknj_ has joined #postfix[06:49:42] *** henriknj has quit IRC[06:54:55] *** Motoko-chan has joined #postfix[06:55:30] *** henriknj has joined #postfix[06:57:39] *** henriknj_ has quit IRC[06:57:51] *** Zelest has joined #postfix[07:00:05] *** weedar has joined #postfix[07:06:54] *** henriknj_ has joined #postfix[07:07:13] *** henriknj_ has quit IRC[07:07:48] *** henriknj_ has joined #postfix[07:07:52] *** henriknj_ has joined #postfix[07:08:48] *** henriknj has quit IRC[07:21:05] *** henriknj_ has quit IRC[07:21:42] *** Jippi_mac has joined #postfix[07:26:09] *** uqlev has quit IRC[07:29:29] *** weedar has quit IRC[08:05:28] *** henriknj has joined #postfix[08:11:30] *** biggimat has quit IRC[08:19:02] *** HarryS has quit IRC[08:19:42] *** Jippi_mac has quit IRC[08:27:17] *** UQlev has joined #postfix[08:30:07] *** sherr has joined #postfix[08:35:03] *** HarryS has joined #postfix[08:36:26] <rcsheets`> i'm confused by the readme_directory config option. what does it actually do?[08:36:35] *** Lap_64 has joined #postfix[08:47:53] <zamba> alternative to postfixadmin to administrering virtual users, domains and admins?[08:52:31] <psilo2> zamba: VMM, though I didn't like it. I sent us back to PFA.[08:55:05] *** weedar has joined #postfix[08:55:17] *** Motoko-chan has quit IRC[08:59:16] <zamba> psilo2: ok, i'll check it out[08:59:19] <Aprogas> rcsheets`: I think it's meant for admins to find their readme directory. Just like mail_version is used to find the version.[08:59:37] <zamba> psilo2: what do you use for imap/pop3/auth? dovecot, courier og cyrus?[08:59:47] <psilo2> dovecot[09:00:23] <rcsheets`> Aprogas: so when i'm not sure where my docs are, i do 'postconf readme_directory' ?[09:00:36] <zamba> psilo2: what backend? mysql?[09:00:52] <psilo2> yes[09:01:12] <zamba> ah, vmm isn't web-based?[09:01:17] <zamba> it's cli-based?[09:05:09] <rcsheets`> on a mail system with no local users, can i safely disable the local daemon?[09:05:56] *** Wilkins has joined #postfix[09:06:30] *** cga has joined #postfix[09:09:09] <Aprogas> rcsheets`: Yes, but set local_transport to "error:some useful message"[09:09:32] <rcsheets`> k[09:11:32] *** war9407 has quit IRC[09:14:02] <Aprogas> I also like to empty alias_maps, local_recipient_maps and mydestination[09:14:42] <rcsheets`> 'mydestination = ' ?[09:15:43] *** fOrsberg is now known as forsberg[09:15:49] <Aprogas> If you really don't do any local delivery.[09:16:18] <rcsheets`> yeah. this is a front-end MX for lots of virtual domains.[09:16:43] <rcsheets`> there'd be no reason to send it mail[09:18:46] <rcsheets`> mail server configuration makes me hungry. brb.[09:19:50] <psilo2> zamba: it is web[09:23:46] <zamba> psilo2: oh? link?[09:24:52] <psilo2> zamba: you put me in a strange position because I am not advocating this :P http://sourceforge.net/projects/vmm/ [+][09:24:54] *** war9407 has joined #postfix[09:25:08] <psilo2> oh oops[09:25:57] <psilo2> now I see why you said that, hmm what was I actually thinking of[09:27:30] <zamba> User Interface:[09:27:31] <zamba> Command-line[09:27:42] <zamba> and postgresql as database-backend[09:27:48] <zamba> screw that, postfixadmin it is[09:28:37] <psilo2> yeah that's not the one[09:28:53] <psilo2> I am drawing a blank, but whatever it was we went back to PFA pretty quick anyway[09:29:11] <psilo2> PFA is.. well, I've seen worse PHP code. Also better :)[09:31:31] *** e-jones has joined #postfix[09:42:55] *** arossouw has left #postfix[09:44:30] *** feisar has joined #postfix[09:47:46] *** henriknj has quit IRC[09:50:19] <Aprogas> I'm running postfwd now in test-mode on my personal mailserver.[09:56:28] *** e-jones has quit IRC[09:56:51] *** e-jones has joined #postfix[09:59:51] *** JoKoT3 has joined #postfix[10:03:24] *** Lap_64 has quit IRC[10:12:16] *** cilly has joined #postfix[10:13:05] *** UNIXgod has joined #postfix[10:15:58] <zamba> question about hostnames: what should really /etc/hostname be? a fqdn? and what about $myhostname?[10:16:43] <rcsheets`> in my experience, /etc/hostname and $myhostname should both be the fqdn of the host[10:17:29] *** Twinkletoes has joined #postfix[10:17:31] <zamba> ok[10:18:17] <psilo2> /etc/hostname should be just the name[10:18:26] <psilo2> not fqdn[10:18:33] <rcsheets`> i'm sorry, that's right[10:18:37] <rcsheets`> i don't know what i was thinking[10:18:55] <psilo2> some details :) http://jblevins.org/computing/linux/hostname[10:18:55] <rcsheets`> /etc/hostname should just be the single-label hostname[10:19:14] <rcsheets`> i think i've been awake for too long[10:20:07] *** juergen_dose has joined #postfix[10:22:19] <zamba> but /etc/mailname should be the fqdn[10:23:11] <rcsheets`> i think i'll pretend that's what i had in mind[10:26:23] *** LowKey has quit IRC[10:27:22] *** LowKey has joined #postfix[10:31:17] <zamba> but mailname should point to the fqdn for the host? or should it be the mail that i want all emails from the system to originate from?[10:31:23] <zamba> so it could be a domain name?[10:33:23] *** LowKey has quit IRC[10:33:44] <Aprogas> Why read myhostname from a file instead of just specifying it?[10:34:15] <lennard> because debian wants you to[10:34:41] <rcsheets`> fewer places to change the hostname, if it changes[10:35:05] *** swombat has left #postfix[10:35:33] <Aprogas> Does anything else actually use /etc/mailname ?[10:35:39] <zamba> still didn't answer the question.. should it be the true fqdn of the system or should it be the domain name i want to advertise for everyone?[10:35:44] <psilo2> plus it's already configured for you by the time you get to setting up postfix[10:35:50] <zamba> psilo2: mutt uses it[10:35:57] <zamba> and exim as well[10:36:01] <psilo2> Aprogas: ^[10:36:25] <rcsheets`> mutt sucks[10:36:34] <zamba> mutt's ok[10:36:40] <zamba> don't bash mutt[10:36:48] <rcsheets`> i love mutt[10:36:57] <rcsheets`> but, according to the author, it sucks.[10:37:04] *** LowKey has joined #postfix[10:37:18] <psilo2> zamba: I think it should be the one you want to advertise, the one that has rdns back to the IP of the machine. Should make for better acceptance rates[10:37:51] *** UQlev has quit IRC[10:38:02] *** feisar has quit IRC[10:43:06] *** LowKey has quit IRC[10:44:45] *** LowKey has joined #postfix[10:44:46] *** feisar has joined #postfix[11:06:37] <Kirok> well all clients suck, Mutt just sucks less[11:08:53] *** loddafnir has joined #postfix[11:12:07] *** juergen_dose has left #postfix[11:12:11] *** shasta has joined #postfix[11:19:26] *** UQlev has joined #postfix[11:20:00] *** henriknj has joined #postfix[11:21:12] *** hever has joined #postfix[11:32:04] <zamba> which id should i use for the virtual users?[11:32:12] <zamba> uid and gid?[11:32:17] <zamba> just pick a random one?[11:32:21] <sep> a unused one[11:32:25] <Aprogas> Your package manager might have taken care of that.[11:32:41] <Aprogas> Your OS might attach some special meaning to uids and gids below 100 or below 1000.[11:32:53] <zamba> Aprogas: you mean by adding the virtual_gid_maps?[11:33:46] <Aprogas> No, I mean that package managers handle creating users/groups differently.[11:34:26] <zamba> well, it didn't add a new user/group for virtual mail[11:35:27] <Aprogas> Consult the documentation of your OS to see which ranges of uid/gid are reserved for special purposes.[11:35:45] <zamba> using ubuntu here[11:35:55] <Aprogas> Or just pick an arbitrary unused uid/gid above 1000 and you should probably be safe.[11:36:06] <Aprogas> How about 2525:2525[11:36:31] <zamba> i know i for a different system set the uid to the postfix user and the gid to the postdrop group[11:36:34] <zamba> is that a bad idea?[11:36:57] <Aprogas> I don't know, my package manager sets up Postfix correctly, and I never mess with those permissions.[11:37:20] <zamba> Aprogas: what system are you using?[11:37:24] <Aprogas> FreeBSD.[11:37:35] <zamba> aight[11:37:37] <Aprogas> Run "postfix check" it will warn if you broke stuff.[11:37:38] <zamba> should i use maildrop, btw?[11:37:59] <Aprogas> The maildrop queue or the maildrop LDA ?[11:38:05] <zamba> LDA[11:38:25] <zamba> installing maildrop added the postdrop group[11:38:30] <zamba> with gid 127[11:39:12] <Aprogas> I never used that maildrop.[11:39:22] <Aprogas> If the package did that, it is probably sensible.[11:44:48] *** cga has quit IRC[11:46:34] *** sysmonk has quit IRC[11:47:01] *** sysmonk has joined #postfix[11:49:11] *** sysmonk has quit IRC[11:49:11] *** sysmonk has joined #postfix[11:49:53] *** henriknj_ has joined #postfix[11:50:35] *** henriknj has quit IRC[11:51:59] *** hever has quit IRC[11:56:07] *** cga has joined #postfix[12:09:25] *** juergen_dose has joined #postfix[12:09:47] *** juergen_dose is now known as car[12:10:13] *** tjikkun has quit IRC[12:11:51] *** tjikkun has joined #postfix[12:18:56] *** henriknj_ has quit IRC[12:19:04] *** wdp has quit IRC[12:20:13] *** brancaleone has joined #postfix[12:31:34] *** xabbuh has joined #postfix[12:37:19] *** bezourox has quit IRC[12:37:29] *** bezourox has joined #postfix[12:38:32] *** lost_and_unfound has joined #postfix[12:42:01] <zamba> i'm looking for a cheap ssl/tls certificate to use both for my postfix and my dovecot authentication.. any suggestions?[12:43:08] <lost_and_unfound> greetings all, I just did a default postfix install on ubuntu. which value in main.cf do i have to configure to allow sending of email out side of my domain? when trying to send to domain-outside.com i get a 550 error Recipient address rejected. I just want to use postfix as a local smtp for development and try to stay clear from external relays. here ois my config: http://pastie.org/1135705[12:43:45] <lost_and_unfound> zamba: http://www.rapidssl.com/ ?[12:44:07] <UQlev> zamba: openssl gives you free[12:44:18] <zamba> UQlev: where? details?[12:44:19] <Trengo> selfsigned?[12:44:29] <lennard> lost_and_unfound: we generally prefer postconf -n ;)[12:44:38] <zamba> i'm not looking for a self-signed, no[12:44:39] <lost_and_unfound> lennard: coming right up =][12:45:08] <lennard> however, your need may be as simple as including your network in mynetworks[12:47:23] <lost_and_unfound> http://pastie.org/1135712[12:47:43] <lost_and_unfound> lennard: i also thing it is something simple i am missing[12:47:53] <UQlev> zamba: what do you need certificates for?[12:48:02] <zamba> UQlev: secure authentication[12:48:08] <zamba> UQlev: don't want to send passwords in clear text[12:48:21] <lennard> ~ off to work, back in 15 :)[12:48:29] <zamba> UQlev: and my users aren't really tech-savvy, so then get stuck when they get errors about self-signed certs[12:48:37] <UQlev> zamba: why do you need 3dr party to sign them?[12:49:12] <UQlev> zamba: establish your CA and sign them[12:49:12] <zamba> UQlev: if not i have to set up my own CA and distribute the certificates to my clients manually.. will be a complete and utter hassle[12:49:23] <sep> zamba, you can use cacert.[12:49:28] <zamba> sep: what's taht?[12:49:37] <sep> free ca certh authority.[12:49:38] <zamba> ah[12:49:41] <Trengo> its the same thing[12:49:55] <Trengo> and you will get errors in outlook at least[12:49:59] <sep> but keep in mind that all free cert authorities usualy do not have root certs in browsers[12:50:07] <zamba> sep: exactly[12:50:13] <zamba> sep: so then i'm back to square one[12:50:18] <sep> so instead of adding your cert in outlook/browsers you will add their cert[12:50:22] <zamba> = my users get warnings[12:50:23] <sep> zamba, then you have to pay[12:50:27] <zamba> sep: sure, i can pay[12:50:38] <zamba> sep: but still, that's why i was asking for a cheap one :)[12:51:00] <sep> dont think protection racket is cheap no matter how you look at it.[12:51:00] *** henriknj has joined #postfix[12:51:12] <Trengo> godaddy had some cheap ones[12:51:27] <Trengo> check if the extensions they provide are enough for mail[12:51:28] <UQlev> zamba: their CA cert must be already imported to Outlook[12:51:30] <sep> it's all "give us money regularly or we scare away your users"[12:52:58] <zamba> what is really the difference between a https certificate and a pop3s and imaps cert?[12:53:16] *** car has left #postfix[12:53:21] <UQlev> zamba: no difference[12:53:28] <zamba> then why "extension"?[12:53:32] <zamba> as Trengo said?[12:54:18] <UQlev> zamba: same pem certificate you may use for all[12:58:37] *** tjikkun has quit IRC[12:58:50] <zamba> ok[12:58:55] <zamba> let's make a self-signed for now[13:00:56] <UQlev> zamba: create your CA, and sign all your certs, your users will need to import only once your CAcert[13:01:07] *** tjikkun has joined #postfix[13:01:39] <zamba> what software is easiest to implement this CA in?[13:01:50] <UQlev> openssl[13:02:44] <zamba> i need some abstraction here :)[13:03:08] <UQlev> zamba: very easy: CA.pl -newreq-nodes && CA.pl -sign[13:06:28] *** tjikkun has quit IRC[13:08:08] *** tjikkun has joined #postfix[13:12:29] *** UQlev has quit IRC[13:18:15] <Aprogas> tinyCA is graphical and simple[13:18:30] <Aprogas> But you could also just go for self-signed certs.[13:21:08] <lunaphyte> no need to use self sign certs just because you don't use tiny ca. creating a basic private pki is trivial.[13:22:13] <lunaphyte> also, startssl offers free certificates.[13:22:13] <Aprogas> Yeah, I make private CA all the time, then I lose their master-key and have to create a new one when the certs expire.[13:23:19] <lost_and_unfound> i would like to know if it is possible. Instead of me using an exteranl SMTP server I want to use postfix locally for all my email sending. I want to do this for 2 reasons. a: i work in various networks with my laptop b: a single development environment. I have installed postfix and can send mail locally (to/on my pc) but I am unable to send mail externally. It must be something simple I am missing. any advise, Thanks in ad[13:23:21] <lost_and_unfound> http://pastie.org/1135712[13:24:57] <Aprogas> lost_and_unfound: Your ISP might let you securely login to their mailserver from anywhere in the world; and if they don't they should.[13:25:07] <Aprogas> Otherwise e.g. Google offers such a service.[13:25:43] *** henriknj has quit IRC[13:25:51] <Aprogas> Do you still want to run your own mailserver?[13:25:54] <lost_and_unfound> Aprogas: ok, will look at integrating gmail smtp as my relayhost on postfix[13:25:54] <lunaphyte> no, that's not practical. direct delivery is often not possible due to restrictions imposed by the network, and is a bad idea anyway. mail clients should not be delivering mail directly to mxes.[13:26:11] <lost_and_unfound> Aprogas: preferable yes i want to run my own server[13:26:14] <lunaphyte> use an msa that is reachable from where you might be.[13:26:43] <lunaphyte> whether that is provided by your isp, google, or you does not really matter.[13:27:18] <Aprogas> Yeah, that's what I meant, login to some MSA with TLS+SASL from anywhere. Of course the MSA should allow/support it.[13:28:38] <Aprogas> So just configure that MSA in your mailclient (MUA), most MUAs are smart enough to detect when they are offline and will just queue up outgoing emails themselves, until they can connect again and then they send the batch.[13:28:47] <lost_and_unfound> thanks ... got some articles on using gmail, will follow up on that =] thanks for the advise[13:28:47] <Aprogas> No need for an extra mailserver in between.[13:49:37] *** echelog has joined #postfix[13:50:53] *** robotarmy has quit IRC[13:58:32] <Aprogas> !postfwd[13:58:33] <knoba> Aprogas: Error: "postfwd" is not a valid command.[13:58:47] <Aprogas> !policyd-weight[13:58:47] <knoba> Aprogas: "policyd-weight" : http://www.policyd-weight.org/ : A Postfix policy daemon for checking multiple RBL's, HELO/rDNS/sender domain agreement. See also http://www.postfix.org/SMTPD_POLICY_README.html .[14:00:27] <Aprogas> !learn postfwd as http://postfwd.org/ : A Postfix policy daemon to combine complex restrictions in a ruleset. See also http://www.postfix.org/SMTPD_POLICY_README.html[14:01:12] *** bhagat has quit IRC[14:03:27] *** wjimenez5271 has joined #postfix[14:03:38] *** uqlev has joined #postfix[14:04:01] *** hever has joined #postfix[14:04:24] <wjimenez5271> hello[14:04:40] <Aprogas> !tell wjimenez5271 welcome[14:04:41] <knoba> wjimenez5271: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[14:05:17] *** Klem_ has joined #postfix[14:16:17] *** echelog has joined #postfix[14:16:29] <Aprogas> wjimenez5271: If you configure only one domain in Postfix, Postfix will only accept mail for that domain. (with the exceptions of mails from clients allowed to relay)[14:16:52] <Klem> Why don't you want to help me ?[14:17:05] <Aprogas> Klem: We do.[14:17:25] <Aprogas> Klem: In our opinion advicing people to do something the simple way rather than the overly complicated way, is helping them.[14:17:26] <wjimenez5271> Thanks Aprogas, is it possible to restrict the domains that a postfix MTA can send to though?[14:17:32] <Klem> ho, please, stop this[14:17:46] <Aprogas> Klem: If you describe in more detail what the requirements of your setup are, we are happy to help you.[14:17:51] <Klem> yeah, I agree with that[14:17:59] <wjimenez5271> i.e. not allowing a mail server that runs on a web service to email to other domains besides my own?[14:18:49] <Klem> ok, imagine then I have 5 clients, one server, and 5 ip address.. I want one postfix by client, then one IP by client too[14:19:05] <Klem> is this stupid ?[14:19:05] <alcohol> Klem: yes.[14:19:10] <Klem> what else ?[14:19:18] <alcohol> Klem: 1 server, 1 postfix instance.[14:19:31] <Klem> why ?[14:19:42] <Aprogas> Klem: Hard to assess, since you're not describing why you want this. It is perfectly valid to have mail.aprogas.net also deliver mails with From * at aprogas dot eu[14:19:49] <alcohol> Klem: I do not care to debate my reasoning. you merely asked for an answer.[14:20:00] <Aprogas> wjimenez5271: It is possible, but a bit more tricky if the mail is submitted locally via the sendmail binary.[14:20:02] <Klem> lol[14:20:13] <Aprogas> wjimenez5271: Are you trying to limit e.g. the PHP mail() function ?[14:20:20] <Klem> it's just no sense to act as it[14:20:36] <wjimenez5271> sure, that would actually work since the application that would be sending mail is PHP[14:20:46] <lunaphyte_> lost_and_unfound: you're not giving up, you're moving forward, uncovering the appropriate solution to your dilemna.[14:21:00] <alcohol> Klem: my postfix instance handles about 60 domains. why would this not make sense?[14:21:16] <Aprogas> wjimenez5271: It is easier to enforce restrictions on mails submitted via SMTP than via the sendmail binary.[14:21:21] <Klem> It is not to receive mails[14:21:28] <Klem> it is about outgoing smtp[14:21:30] <alcohol> Klem: mine sends and receives.[14:21:31] <wjimenez5271> Aprogas: gotcha[14:21:42] <sep> Klem, you have 5 spamming users. and dont want to get them all blacklisted at the same time ?[14:21:56] <Aprogas> Klem: Hardly anybody looks at Received-headers.[14:21:59] <wjimenez5271> Aprogas: so maybe setting restrictions through PHP would be best?[14:22:00] *** wdp has joined #postfix[14:22:00] <Klem> ho right[14:22:05] <Klem> really boring[14:22:19] <lunaphyte_> none of this matters anyway. the number of addresses a server uses in one form or another simply has nothing to do with needing postmulti.[14:22:26] <Aprogas> wjimenez5271: That is an option. Another option would be restricting the use of the local sendmail binary, and forcing PHP mail() to talk SMTP with localhost.[14:22:38] <Aprogas> wjimenez5271: If you do the latter, you can use regular smtpd restrictions.[14:22:40] <Klem> I act to send clean mails, and I'm a spamer[14:23:07] <sep> that made no sense[14:23:28] <Aprogas> I think Klem is upset that someone implied he might send spam.[14:23:41] <wjimenez5271> Aprogas: understood.....that makes a lot of sense why I was setting restriction paramaters and it was affecting applicaiton messages :-)[14:23:46] <wjimenez5271> thanks a bunch[14:23:47] <Klem> I need to protect each outgoing issue against stupid SORBS bots who are fucking stupid :)[14:24:04] <Aprogas> Klem: You can use smtp_bind_address to choose which source IP-address the smtp-service binds to for an outgoing connection.[14:24:06] <Klem> are you happy yhen ?[14:24:08] <Aprogas> Klem: Will that cover your needs?[14:24:35] <Klem> I can use only one source with smtp_bind_address ?[14:24:41] <Klem> or many ?[14:24:43] <Aprogas> SORBS does have a delisting process, but they are indeed a bit zealous.[14:24:49] <lunaphyte_> ffs.[14:24:54] <lunaphyte_> like i said...[14:24:58] <lunaphyte_> none of this matters anyway. the number of addresses a server uses in one form or another simply has nothing to do with needing postmulti.[14:24:58] <Klem> they're fucking stupid.[14:25:16] <Klem> lunaphyte, ok, I thought it was what I need[14:25:19] <Klem> I apologize ![14:26:30] *** wjimenez5271 has left #postfix[14:30:00] <Aprogas> I guess you could define multiple smtp services, each specifying one of the smtp_bind_addresses, and use sender_dependent_transport_maps to sort out which one has to get used. Or run 5 smtpd's on different ports, and override the default_transport of each.[14:30:16] <Aprogas> I have no personal experience with such a thing, so my proposed solution might not be the best.[14:30:24] <Aprogas> This is just a guess from the top of my head.[14:30:27] <Aprogas> !tell Klem master.cf[14:30:27] <knoba> Klem: "master.cf" : the process configuration file. Each logical line describes how a Postfix service will be run. See "man 8 pipe" for more information.[14:31:21] <Klem> Aprogas, thank you, really[14:32:20] *** jY has left #postfix[14:33:54] <Aprogas> Klem: Personally I'd take the opposite approach though, move all outgoing mail to the same IP-address and guard that one with my life. Get it whitelisted and all that, and make sure none of my clients are abusive.[14:35:17] <Klem> I can't be sure that my clients won't be abusive :([14:37:17] *** wdp_ has joined #postfix[14:39:07] <Aprogas> They might be abusive by accident (e.g. infected Windows hosts) but not many clients are abusive on purpose.[14:40:51] *** wdp has quit IRC[14:43:45] *** ssureshot has joined #postfix[14:46:59] *** wdp_ has quit IRC[14:57:15] *** Dingofest2 has joined #postfix[15:01:47] *** sunta has joined #postfix[15:02:02] <sunta> !welcome[15:02:02] <knoba> sunta: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[15:02:47] <sunta> hello, how can I bounce certain emailadress from being processed by postfix? I got 1email that keeps sending applications[15:04:10] <uqlev> !regexp[15:04:11] <knoba> uqlev: Error: "regexp" is not a valid command.[15:04:33] <Aprogas> sunta: Can you provide an example?[15:04:35] *** lost_and_unfound has quit IRC[15:04:55] <sunta> will try "/^From:.*abuser at domain\ dot tld$/ REJECT" in header_checks.pcre[15:05:31] <Aprogas> If this client provides proper envelope-from, you can use check_sender_access[15:05:37] <Aprogas> !tell sunta check_sender_access[15:05:38] <knoba> sunta: "check_sender_access" : Search the specified access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.[15:06:44] <sunta> thanks for that hint[15:06:45] *** uqlev has quit IRC[15:10:38] <Klem> mmh[15:10:49] <Klem> how to remove multiple instances of postfix ? :)[15:11:13] <sunta> Klem, disable them?[15:11:15] <Klem> I can't use postfix without having postmuli troubleshooting[15:11:16] <Aprogas> I guess do the reverse of the multiple instance readme. Or just pkill[15:11:39] <Klem> it's not running[15:11:52] <Klem> sunta, how ? :([15:12:09] <Klem> postmulti -i postfix-myinst -p stop[15:12:11] <Klem> or disable[15:12:15] <Klem> it doesn't work[15:12:56] *** helper has joined #postfix[15:13:44] <Klem> root@xxx:/etc# postmulti -i postfix-2 -p stop[15:13:44] <Klem> postmulti: fatal: instance /etc/postfix-2, queue_directory=/var/spool/postfix conflicts with instance /etc/postfix, queue_directory=/var/spool/postfix[15:13:44] <Klem> root@xxx:/etc#[15:13:54] <Klem> each postmulti command say me this..[15:14:03] *** henriknj has joined #postfix[15:14:05] <helper> heyss!! i've installed: Mailscanner , Clamav with my "postfix", everytime i send msg or receive got this msg at logs: MailScanner[13874]: File checker failed with real error: Insecure dependency in exec while running with -T switch at /usr/share/MailScanner//MailScanner/SweepOther.pm line 365 => anyone know about it or have seen this and how to fix it[15:16:19] <Aprogas> Klem: If no Postfix processes are running, if your configs don't contain anything multi-instance-ish, and if your startup script doesn't start Postfix multiple times; you won't run a multiple instance.[15:19:56] <Klem> right[15:19:56] <sunta> Aprogas, check_sender_access works like a charm. many thanks[15:19:57] <Klem> sorry.[15:20:39] *** wdp has joined #postfix[15:21:37] <sunta> everyone have a nice weekend[15:22:35] *** sunta has left #postfix[15:26:49] *** JoKoT3 has quit IRC[15:29:01] <Klem> ok i'm done[15:29:03] <Klem> it works[15:29:07] <Klem> thanks Aprogas[15:29:13] <Klem> & others btw :)[15:31:03] *** jim_SFU has joined #postfix[15:31:18] <Aprogas> So which approach did you end up using?[15:31:42] <lunaphyte_> bat and crowbar[15:32:20] <Aprogas> flying mammal bat, or wooden club bat?[15:32:40] <lunaphyte_> ah, good question. composite club bat.[15:33:02] *** UQlev has joined #postfix[15:33:56] *** zooz has joined #postfix[15:34:05] <zooz> is there some alternative to amavisd-new ?[15:34:47] <UQlev> zooz: depends on backend[15:34:54] <lunaphyte_> !tell zooz poll[15:34:55] <knoba> zooz: "poll" : please do not ask if anyone uses some program or postfix feature. Instead ask your real question.[15:35:34] <zooz> what is wrong my question, knoba ?[15:35:44] <zooz> it is a real world question[15:35:51] <UQlev> zooz: amavisd-new only interface between scanners and postfix[15:36:02] <zooz> UQlev: thanks[15:36:14] <thumbs> zooz: it's a dumb question? Do you have an issue with amavisd-new?[15:36:38] <zooz> thumbs: no, I do not, I was just wondering if there is an alternative to that[15:37:09] *** zooz has left #postfix[15:37:14] <thumbs> zooz: one would normally look for an alternative if he has issues with the solution he's using.[15:38:05] <UQlev> thumbs: he might has been writing a review ;)[15:38:27] <thumbs> UQlev: then he needs to say so.[15:38:44] <thumbs> UQlev: it was still a dumb question.[15:39:26] <UQlev> thumbs: I am not going to protect him or his question[15:39:28] <lunaphyte_> what's wrong with your question? seriously? how about the fact the the answer to is it most obviously yes. not only that, google could have told you that. furthermore, we all know full well that it will just lead to another question.[15:39:53] <thumbs> UQlev: no, I was simply venting, so to speak. Sorry.[15:40:29] <cga> hi all, if i get this kind of error "Failed, id=31570-02, from MTA([127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command))" (more details here w/postconf -n: http://pastebin.com/ex6CswJy ) does that mean the postfix is properly configured for TSL but client can't issue STARTTLS ?[15:40:40] <lunaphyte_> let me ask a question - you are just wondering if there is an alternative? that's perfectly fine - but *why* are you wondering?[15:40:51] <Dominian> cga: what port was that on?[15:40:59] <thumbs> lunaphyte_: I share the same opinions as you do.[15:41:01] <Dominian> oh 10025[15:41:03] <Dominian> wth.[15:41:10] <Dominian> what's running on port 10025 cga ?[15:41:19] <cga> policyd-weigth[15:41:20] <thumbs> I recognise the port.[15:41:37] <Dominian> cga: Is that the port that is used to reinject email into postfix?[15:45:43] *** echelog` has joined #postfix[15:45:51] <rob0> nm ... there's data :)[15:45:59] <rob0> line 30 of your paste[15:46:13] <cga> idfma? isn't postconf adn logs enough?[15:46:13] *** echelog` is now known as echelog[15:46:30] <Aprogas> cga: pastebin your master.cf[15:46:36] <cga> ok[15:46:43] <rob0> line 30 of the EXISTING paste[15:46:44] <Aprogas> And describe what sort of filters you are using.[15:46:55] <rob0> !tls[15:46:55] <knoba> rob0: "tls" : Short for Transport Layer Security (RFC2246). It adds an additional layer of encryption to protocols such as SMTP, POP3 or IMAP to improve security during transmission over the Internet. TLS features in Postfix are documented here: http://www.postfix.org/TLS_README.html[15:47:54] <cga> rob0: i *am* following/reading postfix docs. but i start to get confused and that's why i ask for support here (too)[15:48:22] *** hparker has joined #postfix[15:48:46] <cga> Aprogas: master cff http://pastebin.com/RpEjSw8f[15:48:54] *** brancaleone has joined #postfix[15:48:57] <Aprogas> You must not enforce TLS on a port 25 smtpd.[15:49:01] <rob0> I have nothing more to add, sorry.[15:49:20] <Aprogas> Seems you don't run a port 25 smtpd.[15:49:52] <Aprogas> But what rob0 said still applies.[15:50:08] <Aprogas> You are enforcing TLS also for services where you don't want to enforce them.[15:50:53] <Aprogas> I recommend putting the TLS settings only for the submission services, like in the example master.cf[15:51:16] <Aprogas> Encrypting traffic between localhost is pointless.[15:57:18] *** echelog has joined #postfix[15:57:18] -anthony.freenode.net- [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support: http://freenode.net/faq.shtml#gettinghelp[15:57:22] *** Mazon has joined #postfix[16:01:47] *** Tadej__ has joined #postfix[16:05:06] *** hyper_ch has joined #postfix[16:05:38] *** Tadej_ has quit IRC[16:08:39] <hyper_ch> hello there, to filter out spam, I have subscribed to several RBLs and now it seems that one of them (SORBS) put at least one Hotmail server on it's black list. I wonder how do I need to configure postfix so that I can whitelist hotmail (or any other domains) despite what the RBLs says? Could I whitelist it in the check_sender_access and then it wouldn't be bothered by the RBLs check anymore? My config: http://www.pastebin.ca/1931796[16:08:46] *** bluethundr has joined #postfix[16:09:14] <cga> Aprogas: so basically i should enable smtp adn submission only , by using the suggested -o in master.cf ? it was not my intention to force encryption locally. that *is* iodiotic but it's not done on purpose. i'm in kind of a trial and error phase of my mail server configuration. especially on the TLS part.[16:11:14] <Aprogas> cga: Mailservers should never be setup by trial&error.[16:11:50] <lunaphyte_> well - locally, in a controlled environment, i'd be ok with trial and error. it can be a very important effective part of learning.[16:11:52] <cga> Aprogas: it's not a critical one, it's my server that i use to learn things. i wouldn't do that at work.[16:11:56] <hyper_ch> cga: what distro do you use?[16:12:04] <cga> debian for my server[16:12:18] <cga> rhel e sles at work[16:12:26] <hyper_ch> cga: for setting up postfix with tls and stuff I usually follow falko's perfect server howtos at howtoforge.com[16:12:41] <hyper_ch> and from that on I then start modifying it :)[16:13:04] <cga> hyper_ch: i don't like falko's. i followed Haas' one. (which is what falko's is based on)[16:13:29] <cga> hyper_ch: and i'm at the "mod after howto" stage too[16:13:38] *** hever has joined #postfix[16:13:44] <Aprogas> lunaphyte_: Still there's a big difference between !tias and !wag but both could be considered trial&error.[16:13:49] <cga> hyper_ch: but thanks for suggetsion =)[16:16:38] *** jelly has joined #postfix[16:16:39] <hyper_ch> cga: good luck[16:16:50] <hyper_ch> cga: any idea to my question? ^^[16:16:56] <Aprogas> Most Postfix tutorials aren't very good, and most are more complicated than what the person really needs.[16:17:41] <Aprogas> !tell hyper_ch policyd-weight[16:17:42] <knoba> hyper_ch: "policyd-weight" : http://www.policyd-weight.org/ : A Postfix policy daemon for checking multiple RBL's, HELO/rDNS/sender domain agreement. See also http://www.postfix.org/SMTPD_POLICY_README.html .[16:17:45] <Aprogas> !tell hyper_ch postfwd[16:17:45] <knoba> hyper_ch: "postfwd" : http://postfwd.org/ : A Postfix policy daemon to combine complex restrictions in a ruleset. See also http://www.postfix.org/SMTPD_POLICY_README.html[16:18:00] <hyper_ch> Aprogas: thx, will have a look at that[16:18:10] <cga> Aprogas: Haas's is good to understand what mail server involves and it doesn't pose as "do as i say and you'll have a perfect mailserver in 15 minutes" kond of thing.[16:18:17] <hyper_ch> this far I was content if one restriction came in effect that the mail was refused...[16:18:25] <Aprogas> intra2net claims SORBS has a 32% accuracy and 16% inaccuracy, I'd consider it not very useful as a blacklist.[16:18:29] <Aprogas> Maybe safe.dnsbl.sorbs.net[16:18:52] <Aprogas> zen.spamhaus.org seems pretty good, and hostkarma.junkemailfilter.com is interesting too.[16:19:16] <Aprogas> Servers like gmail, hotmail, yahoo, etc. send a mix of ham and spam; IP-based restrictions aren't very useful on those servers; JMF calls this a yellowlist[16:19:39] *** smica has joined #postfix[16:20:09] <Aprogas> Let me rephrase that: with yellowlisted servers, the IP-address isn't considered to be a useful clue to the spamminess of the email.[16:20:14] <hyper_ch> here's the "mail server" part - http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig2-p4 - that usually works just fine[16:20:40] *** denysonique has joined #postfix[16:20:43] <Aprogas> http://www200.pair.com/mecham/spam/spamfilter20090215.html there, have some tutorial[16:20:52] <hyper_ch> thx :)[16:20:57] <denysonique> hi[16:20:58] <Aprogas> 310 kB of HTML, have fun.[16:21:15] *** tjikkun has quit IRC[16:21:16] * hyper_ch personally thinks that everybody using hotmail should be not be allowed to access the internet anyway[16:22:23] <hyper_ch> there was a time where I tried TMDA... I think it is a rather interesting approach[16:23:08] <Aprogas> http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists especially the reference links are useful[16:23:26] <hyper_ch> Aprogas: do you have any experience with TMDA?[16:23:46] <rob0> !c/r[16:23:46] <knoba> rob0: "c/r" : Challenge/response spam filtering, a discredited idea, see http://en.wikipedia.org/wiki/Challenge-response_spam_filtering#cite_note-2[16:25:03] *** wdp has quit IRC[16:25:14] <Aprogas> With policyd-weight at default settings I reduced incoming spam from 200-300 to 10; I am now building a custom postfwd configuration.[16:26:15] <hyper_ch> well, looking at mailgraph during the last 12 months there were 533k rejected emails and 28k accepted ones[16:26:20] <UQlev> hyper_ch: TMDA is interesting but challenge/response is useless[16:26:51] <lunaphyte_> and insanely annoying.[16:27:07] <hyper_ch> UQlev: why useless?[16:27:15] <UQlev> yes, you can be blacklisted for it[16:27:37] <Aprogas> Employing a combination of HELO, revDNS, DNSBLs and RHSBLs will work fine in rejecting large amounts of dumb spammers, with little to no false positives; and all false positives get notified their message wasn't accepted.[16:28:03] <UQlev> hyper_ch: I had to say "harmful"[16:28:12] <lunaphyte_> also underfed guard dogs.[16:28:19] *** e-jones has quit IRC[16:29:13] <hyper_ch> is there no way to truly eliminate spam?[16:29:16] *** Sieg has quit IRC[16:29:26] <lunaphyte_> sure.[16:29:31] <lunaphyte_> eliminate email.[16:29:40] <lunaphyte_> turn your server off.[16:29:45] <lunaphyte_> go live in the woods.[16:30:07] <hyper_ch> ... while still getting valid email?[16:31:19] *** Sieg has joined #postfix[16:31:48] <lunaphyte_> no. spam is a social problem. there are a plethora of technical attempts to either abate or diminish spam, but social diseases can't be fixed with a technical cure.[16:32:39] <rob0> It's pretty easy to get spam into the "minor annoyance" category. It's not possible to eliminate it from Internet mail.[16:33:09] <rob0> C/R is not just useless, it's wrong. Fight spam by becoming a spammer? Insane.[16:34:59] <Aprogas> hyper_ch: I am satisfied with my setup so far. Spam is quite containable so long as false negatives are less than a few per day, and false positives less than a few per month/year (and never a silent drop).[16:35:18] *** pif has left #postfix[16:35:25] <lunaphyte_> !mantras[16:35:25] <knoba> lunaphyte_: "mantras" : 1. do not accept mail that you do not intend to deliver. 2. do not drop mail. 3. do not use wildcards or catchalls.[16:36:03] <Aprogas> !tell lunaphyte_ rfc5321[16:36:04] <knoba> Aprogas: Error: No factoid matches that key.[16:36:12] <hyper_ch> Aprogas: :) lucky you[16:37:41] *** peritus has joined #postfix[16:41:48] <peritus> i have setup virtual_alias_{maps,domains}. postfix accepts (and delivers to my local users according to virtual_alias_maps) when i put the client smtp address in mynetworks, but refuse it otherwise, what is the problem? i want everyone to be able to send mail to those listed in virtual_alias_maps...[16:42:06] <UQlev> spam is behavioral problem: don't walk nude and you will reduce risk of being raped[16:44:11] <Aprogas> !tell peritus welcome[16:44:11] <knoba> peritus: "welcome" : welcome to #postfix! if you're joining for the first time, or are new to irc, the first thing you'll want to do is read the channel topic (/topic). it includes crucial instructions on how to effectively ask for help here, and what data you should include with your questions. the degree of success you'll have is directly related to how effectively you're able to follow those guidelines.[16:47:38] <peritus> Aprogas: thanks... i figured out the problem with postconf -n.. virtual_alias_domains was misspelled[16:49:04] <Aprogas> Yeah, I had that recently, couldn't figure out why my virtual_alias_maps didn't work, turned out I had put banaaan at jd dot test instead of banaan at jd dot test[16:51:18] *** Section1 has joined #postfix[16:53:57] <hyper_ch> UQlev: depending on your stature you could walk nude and by doing so reducing the risk of being raped :=[16:55:44] <UQlev> hyper_ch: then your server must be really ugly handicap[16:56:05] <hyper_ch> UQlev: :)[16:59:05] *** rcsheets has quit IRC[16:59:05] *** fbh has quit IRC[16:59:05] *** Aprogas has quit IRC[16:59:05] *** Aprogas has joined #postfix[16:59:05] *** sysmonk has quit IRC[16:59:09] *** helper has quit IRC[16:59:10] *** _bugz_ has quit IRC[16:59:36] *** fbh has joined #postfix[16:59:38] *** helper has joined #postfix[17:00:04] *** Sieg has quit IRC[17:00:07] *** helper is now known as Guest28807[17:02:28] *** sysmonk has joined #postfix[17:03:51] *** ironmunk has quit IRC[17:04:39] *** johe|work has quit IRC[17:09:32] *** Tadej_ has joined #postfix[17:11:01] *** _bugz_ has joined #postfix[17:11:09] *** Tom-B has quit IRC[17:12:58] *** Tadej__ has quit IRC[17:14:17] *** tharkun has joined #postfix[17:19:17] *** Alagar1 has joined #postfix[17:23:12] *** robotarmy has joined #postfix[17:27:12] *** hever has quit IRC[17:28:27] *** robotarmy has quit IRC[17:31:24] *** UQlev has quit IRC[17:32:58] *** leobaillard_ has joined #postfix[17:33:34] *** leobaillard_ is now known as leobaillard[17:33:46] <leobaillard> Hi ![17:34:09] *** AstralStorm has joined #postfix[17:34:13] <AstralStorm> hello[17:34:21] <AstralStorm> how can I run postfix as a sufficiently empowered user?[17:34:33] <AstralStorm> seems it's checking for UID 0[17:35:07] <rob0> postfix(1) is hard-coded to only be run by the superuser, IIRC[17:35:16] <AstralStorm> isn't that stupid?[17:35:32] <rob0> heh, well, go tell Wietse that. Have fun.[17:35:33] <AstralStorm> now I get to remove caps from it instead of adding one CAP_NET_BIND_SERVICE to an user[17:35:43] <AstralStorm> gah[17:37:20] <leobaillard> I have a problem with postfix and virtual aliases. I used to have a working installation of Postfix but I had to reinstall my box recently. Though I copied back my postfix configuration file, I seem unable to send emails to my MySQL aliases. I get a "unknown_user" each time I try. I spend 2h this afternoon trying to figure out what was the problem, looking at the documentation and tutorials, but I was unsuccessful... I[17:37:22] <leobaillard> know that the solution might be obvious, but I can't find it... Any ideas ?[17:37:44] <AstralStorm> checked the log yet?[17:37:50] <lunaphyte_> sure. read the channel /topic and provide the details as requested.[17:38:00] <leobaillard> will do[17:40:13] *** confound has joined #postfix[17:40:42] <AstralStorm> so now I get to use a capsh hack... oh well[17:41:08] <AstralStorm> anything else postfix may need except cap_net_bind_service?[17:41:23] <AstralStorm> chown?[17:41:49] <rob0> Yes, master(8) needs to be able to invoke local(8) as the recipient.[17:42:11] <AstralStorm> hmmm[17:42:16] <AstralStorm> that's setuid[17:42:29] <AstralStorm> ugh[17:42:48] <AstralStorm> better than letting it have dac_override :)[17:42:57] <Aprogas> leobaillard: You can use postmap to test table-lookups.[17:43:18] <Aprogas> AstralStorm: What is your goal? What are you working towards?[17:43:19] <leobaillard> Aprogas: they work, I already tried[17:43:31] <AstralStorm> securing this postfix some more in a chroot[17:44:14] <AstralStorm> see, giving it mount permissions and dac override is a recipe for a disaster (if there's a bad enough bug, that is)[17:44:15] <Aprogas> leobaillard: postmap isn't a 100% equivalent test to a real running Postfix though.[17:44:29] <Aprogas> AstralStorm: What OS do you use?[17:44:36] <leobaillard> Aprogas: yes, unfortunately :([17:44:45] <AstralStorm> hmm, Linux? (none other supports POSIX 1003.e caps I think)[17:45:20] <Aprogas> AstralStorm: On FreeBSD you could have run Postfix in a jail (which is like a chroot++); installing a hypervisor and running in a VPS might still be an option.[17:45:26] <AstralStorm> yeah yeah[17:45:29] <Aprogas> If you really need to isolate Postfix for security reasons. :)[17:45:32] <AstralStorm> it's a VPS, so, nope[17:46:17] <AstralStorm> I'd love the jail module of Linux of course, but that's for the VPS admins to fix[17:46:24] <AstralStorm> for now I get to use what I have[17:46:43] <AstralStorm> (pid and network namespaces aren't supported either, unfortunately, too old kernel)[17:46:57] <leobaillard> here is the postconf -n : http://pastebin.com/Dnub6EHc , and here is the log output when I try to send an email to a virtual alias : http://pastebin.com/3WBFKbDY[17:48:19] <AstralStorm> now the only other thing I have to stop is the network bind to all other interfaces.[17:49:03] <AstralStorm> (I'd have it bind to a dummy for full jail experience ;) )[17:49:16] *** Hawk|- has quit IRC[17:49:49] <Aprogas> leobaillard: is domain2.tld in virtual_domains ?[17:49:53] <Aprogas> !tell leobaillard have2mung[17:49:53] <knoba> leobaillard: "have2mung" : if you absolutely have to mung details, such as anonymizing domains, email and IP addresses etc., try to do so in a minimal, consistent and meaningful way. Keep in mind that this is our first look at your particular configuration and or log details and we do not have the benefit you posses about your existing configuration.[17:50:53] <AstralStorm> I recommend sed for munging them[17:51:40] <rob0> I recommend NOT munging domains when trying to troubleshoot mail routing/delivery issues.[17:51:58] <leobaillard> Aprogas: well, I guess I munged it because I'm used to it rather than because it is very important for me... so if you need details, just ask :) domain2.tld is in virtual_mailbox_domains[17:52:00] <rob0> anyway ...[17:52:06] *** cga has quit IRC[17:52:08] <rob0> !unknown_virtual[17:52:08] <knoba> rob0: "unknown_virtual" : \"User unknown in virtual $X table\" means that the recipient domain was found in $virtual_$X_domains but the username@domain was not found in $virtual_$X_maps. ("$X" can be either alias or mailbox .)[17:52:22] <Aprogas> leobaillard: It is confusing for my to read domain.tld and domain2.tld[17:52:41] <leobaillard> Aprogas: should I repost the files then ?[17:52:54] <rob0> you should read the factoid.[17:53:18] <Aprogas> Report without munging would useful.[17:53:28] <Aprogas> s/Report/Repost/[17:53:51] *** hyper_ch has left #postfix[17:54:29] <leobaillard> rob0: but I have "User unknown" not "User unknown in virtual $X table". are these erros the same in my context ? (please excuse my ignorance)[17:55:31] *** tjikkun has joined #postfix[17:55:32] <leobaillard> Aprogas: http://pastebin.com/p3BWsj4G and http://pastebin.com/ihGUq3pF[17:55:37] <rob0> virtual(8) gave you the error. The domain is in virtual_mailbox_domains and the user@domain is NOT in virtual_mailbox_maps.[17:55:59] <leobaillard> oh, I see[17:56:47] <Aprogas> rob0: Does it have to be if virtual_alias_maps rewrites it to some other place?[17:56:49] <leobaillard> but the user Postfix is trying to look for is an alias[17:58:06] <leobaillard> the problem seems very odd to me :s I must have change an option without noticing it :s[17:58:41] <rob0> Here's where you munged it beyond all use, but if in fact it was virtually aliased, it was rewritten to a virtual mailbox address.[18:00:48] <leobaillard> I'm not sure that I understand you completely rob0. You mean that postfix is trying to get a virtual mailbox using the alias instead of finding the destinatino of the alias ?[18:01:29] *** wdp has joined #postfix[18:05:56] <rob0> I mean: if in fact it was virtually aliased, it was rewritten to a virtual mailbox address. The alias destination domain is in virtual_mailbox_domains, but the alias destination user@domain is NOT in virtual_mailbox_maps.[18:09:27] <leobaillard> so the solution would be to add user@domain in the virtual_mailbox_maps ?[18:10:11] <seekwill> spam[18:11:02] *** cilly has quit IRC[18:11:03] <leobaillard> I'm confused because user@domain (the destination address of the alias) is already in it. In fact, it's the address with which I'm sending the email (could it be aproblem ?)[18:14:41] *** peritus has left #postfix[18:14:49] <leobaillard> I just tried to send an email to the alias with an other address and it didn't change a thing, so I guess that's not my problem :s[18:15:48] *** hever has joined #postfix[18:16:10] *** hparker has quit IRC[18:19:13] *** Matic`Makovec has joined #postfix[18:21:38] *** hever has quit IRC[18:22:00] *** Wilkins has quit IRC[18:23:08] <leobaillard> coul I have forget important options like some stuff related to the aliases, the transport maps or stuff like that ?[18:25:10] *** Matic`Makovec has quit IRC[18:26:20] <lunaphyte_> taking a poll?[18:27:41] *** Matic`Makovec has joined #postfix[18:37:39] *** echelog has joined #postfix[18:39:07] *** weedar has joined #postfix[18:39:41] <leobaillard> Aprogas: in fact, the alias points towards the address I was using to send the mail[18:39:52] <Aprogas> leobaillard: I have no idea which address is which anymore.[18:40:01] <leobaillard> :þ[18:40:18] <leobaillard> I can tell you with /msg if you allow me[18:41:50] <Aprogas> Mail must have a final destination, this can be remote, virtual or local. If you rewrite to something that cannot get delivered you can get "unknown user"[18:42:21] <leobaillard> I know that, but the destination address exists and work[18:43:06] <leobaillard> and mail is delivered to it without any problem[18:44:14] <Aprogas> pastebin the results of a postmap on alias_maps with this address, to prove it gets rewritten correctly; and then the result of a postmap on mailbox_maps to prove the mailbox exists.[18:44:38] <leobaillard> okay, will do[18:44:48] <Aprogas> Why are you specifying mailbox.cf also in alias_maps ?[18:45:23] <Aprogas> That could rewrite email-addresses to a filename.[18:49:06] *** cga has joined #postfix[18:50:23] <leobaillard> Aprogas: I'm not sure if that's what you want but here : http://pastebin.com/4ugFBbYL[19:02:10] <sedstapler> I'm currently using postfix + dovecot as an LDA with dovecot-sasl. I want to redirect mail for "root" to "user at domain dot tld". this works for local mail with an entry in /etc/aliases but does not work for incoming mail with virtual_alias_maps (root: user at domain dot tld). What could I be missing?[19:02:23] <Aprogas> leobaillard: That seems right. Now I am a bit confused.[19:02:48] <Aprogas> leobaillard: I am still curious why you specify two virtual_alias_maps though.[19:03:55] *** dogmeat has quit IRC[19:03:55] *** dogmeat has joined #postfix[19:04:43] <sedstapler> incoming mail to root at domain dot tld bounces with “user unknown” despite the entry in virtual_alias_Maps[19:06:30] <Aprogas> virtual_alias_maps has a slightly different format.[19:07:16] <Aprogas> You seperate by whitespace without a colon, and it is usually better to also use qualified addresses on the left-hand side of the table.[19:08:28] <Aprogas> Use postmap -q to test your table.[19:08:30] <MAAAAD> hm, LDAP or MySQL as a user resource?[19:08:36] <sedstapler> thanks Aprogas[19:11:28] <tharkun> Aprogas: does the postmap -q uses the same code as master to do the actual queries or master just delegates the query to posmap ?[19:11:53] <Aprogas> postmap -q isn't a 100% accurate test.[19:12:11] <tharkun> Aprogas: ok i get the idea[19:14:00] <AstralStorm> where does postfix write except /var/spool/postfix?[19:14:08] <AstralStorm> assume virtual domains.[19:14:19] <AstralStorm> *uh, virtual users[19:15:06] <Aprogas> data_directory too I guess[19:16:38] <sedstapler> excellent, works now, Aprogas. the problem was that i assumed a syntax like /etc/aliases and used postalias instead of postmap[19:16:49] <Aprogas> !tell sedstapler virtual[19:16:49] <knoba> sedstapler: "virtual" : a way to configure additional domains and user accounts (that do not need to exist in your /etc/passwd). See: http://www.postfix.org/VIRTUAL_README.html[19:17:10] <Aprogas> You might have made other mistakes, such as putting domains in the wrong address class.[19:19:47] <sedstapler> Yes, I'm checking everything again now[19:20:18] <AstralStorm> Aprogas: anything less obvious? anything it will read too except those and /etc/postfix?[19:20:23] <sedstapler> before I break everything again with postgrey and amavis[19:20:42] <AstralStorm> any /tmp necessary?[19:21:03] <Aprogas> AstralStorm: postconf | egrep 'directory|path'[19:21:31] <AstralStorm> mhm[19:21:35] <AstralStorm> thanks[19:22:26] *** KB1JWQ has quit IRC[19:23:35] *** brancaleone has quit IRC[19:38:03] *** Twinkletoes has quit IRC[19:40:14] *** Tadej__ has joined #postfix[19:43:33] *** Tadej_ has quit IRC[19:44:44] *** rajijoom has quit IRC[19:46:35] *** wdp has quit IRC[19:49:20] *** zoo_ has joined #postfix[19:58:51] *** ssureshot has joined #postfix[20:01:36] *** robotarmy has joined #postfix[20:04:29] *** ssureshot has quit IRC[20:04:58] *** ssureshot has joined #postfix[20:06:13] *** wdp has joined #postfix[20:15:20] *** cga has quit IRC[20:21:32] *** Nombrandue has joined #postfix[20:24:43] *** brancaleone has joined #postfix[20:25:44] *** Guest28807 is now known as helper[20:31:55] <Nombrandue> ok, I am working with postfix authenticated against a Wk8 Active directory server, and I have one issue with LDAPS, where postfix claims it cannot connect to the server[20:32:02] <Nombrandue> it doesn't appear that Postfix supports SASL signing of the LDAP requests, so I am stuck trying to use SSL on the queries[20:36:21] * Aprogas only just discovered a policyd can return a restriction class[20:36:58] <Aprogas> I don't fully understand your setup, but Postfix doesn't implement SASL itself, it uses Cyrus or Dovecot as backend.[20:37:35] <Nombrandue> I have dovecot running, and postfix, both doing LDAP queries for account setups, against an Active Directory Domain Controller[20:40:02] <Nombrandue> what my issue is, is based off this: http://support.microsoft.com/kb/935834, and getting the plaintext binds to be SASL signed, or for ldaps to work (Which claims constantly it cannot connect, when indeed it does connect based off tcpdumps on the server)[20:42:46] <lunaphyte_> just us tls[20:42:56] *** jim_SFU has quit IRC[20:44:07] <Nombrandue> TLS does about the same thing, either Start_TLS fails (Cannot connect) or SSL fails with the cannot connect message[20:48:41] <lunaphyte_> get things working with ldapsearch against your dsa first.[20:50:02] <lunaphyte_> once that works, you will be able to make your sasl software work in the same manner.[20:51:04] <lunaphyte_> but - as Aprogas alludes to above, your question is vague. what *specifically* is not working?[21:01:59] *** master_of_master has quit IRC[21:03:46] *** master_of_master has joined #postfix[21:07:25] *** Linex has joined #postfix[21:17:25] *** cga has joined #postfix[21:21:03] *** brancaleone has quit IRC[21:47:35] *** lunaphyte_ has quit IRC[21:50:37] <adaptr> "sasl signed" ? who gave this man his TLA certificate[21:55:08] *** rcsheets has joined #postfix[21:56:17] *** ssureshot has quit IRC[21:59:16] *** lunaphyte_ has joined #postfix[22:00:42] *** ssureshot has joined #postfix[22:16:21] *** ssureshot has quit IRC[22:18:11] *** feisar has quit IRC[22:27:39] *** cga has quit IRC[22:31:42] *** grobe0ba is now known as grobe0ba|piss|of[22:31:57] *** grobe0ba|piss|of is now known as grobe0ba|jackass[22:38:50] <thumbs> adaptr: apparently the postfix box I built a year ago is not filtering spam any more.[22:39:15] <thumbs> adaptr: the customer using it just felt it was ok not to tell me for 8 months.[22:40:52] <Aprogas> Using a now defunct blacklist?[22:41:02] <thumbs> perhaps.[22:41:13] <thumbs> I have to remember what the root password is, and ssh in.[22:42:14] <Aprogas> Leave behind your SSH key after you remember the password for next time.[22:42:34] <thumbs> yeah.[22:43:21] <seekwill> thumbs: gimme your ssh key[22:43:25] <thumbs> seekwill: no.[22:43:28] <seekwill> thumbs: gimme your ssh key[22:43:33] <thumbs> seekwill: no.[22:43:37] <seekwill> why?[22:43:52] <thumbs> seekwill: because you would do evil things with it.[22:44:04] <seekwill> I do evil things anyways[22:44:22] <thumbs> I'd rather not be blamed for them.[22:47:34] *** brancaleone has joined #postfix[22:51:32] *** SnYDer has joined #postfix[22:53:42] <SnYDer> cite: thanks for the yesterday's solution! (for preventing locally submitted e-mails from being send to the outside world)[22:56:07] <SnYDer> cite: it works! :) I just didn't do " And replace "smtp transport" with "smtpd demone" " as I wasn't sure what you mean (and what would be that for) and especially because without doing that it works fine :)[22:57:39] *** AstralStorm is now known as AStorm[22:59:01] *** AStorm is now known as AstralStorm[23:02:02] *** swombat has quit IRC[23:04:38] *** uqlev has joined #postfix[23:05:41] <denysonique> can both postalias and newaliases be use for /etc/aliases?[23:07:05] <Aprogas> Why?[23:16:03] *** gabrieLwnt has quit IRC[23:38:01] <denysonique> Aprogas, I am learning postfix.[23:38:39] <Aprogas> If you use the correct newaliases command, it shouldn't break things.[23:38:58] <Aprogas> I don't use /etc/aliases though, and instead created a seperate aliases file within my $config_directory[23:39:08] <denysonique> Aprogas, Can postalias serv for the same purpose?[23:39:35] *** uqlev has quit IRC[23:39:38] <denysonique> and how does newaliases actaully work?[23:39:47] <Aprogas> It's for sendmail-compatibility.[23:40:56] <denysonique> How does it actually work. What happens after the execution of the command?[23:41:18] <Aprogas> I don't know; you don't have to use it if you don't want to; postalias is enough.[23:41:55] <denysonique> Aprogas, Thanks. Do you know what postalias exactly does when updating the aliases file?[23:42:44] <Aprogas> It makes a hash-table.[23:44:50] *** officecase has joined #postfix[23:45:08] <adaptr> does it put the aliases in the db file ?[23:45:14] <adaptr> and the lotion in the basket ?[23:45:31] <tharkun> denysonique: execerpt from man 1 postalias "The postalias(1) command creates or queries one or more Postfix alias databases, or updates an existing one. The input and output file formats are expected to be compatible with Sendmail version 8, and are expected to be suitable for the use as NIS alias maps."[23:45:56] <Aprogas> Yes, you should definitely use NIS, no serious mailserver can live without it.[23:46:44] <officecase> Can anyone recommend a log analyzer for postfix? I want to be able to search on an email address or domain and get back email stats.[23:46:52] <tharkun> Aprogas: isn't that a nice and polite way of saying rtfm[23:46:54] <tharkun> ??[23:47:13] <Aprogas> tharkun: No, it is a recommendation that NIS is awesome.[23:47:27] <seekwill> NIS sucks![23:47:32] <Aprogas> officecase: cat /var/log/mail.log | sed -nr '/reject:/s/.*from=<([^>]*)>.*/\1/p' | sort | uniq -c | sort -n[23:47:37] <Aprogas> I've been using that myself lately.[23:47:41] <seekwill> I know many "serious mailservers" that don't use NIS...[23:48:03] <Aprogas> I'm just doing some pre-sleep sarcasm-thingie.[23:48:09] <denysonique> Where is the result of postalias stored?[23:48:25] <Aprogas> denysonique: aliases.db in same directory as aliases[23:48:29] <adaptr> denysonique: you're not reading the documentation. you have to start reading the documentation NOW.[23:48:50] <denysonique> I am reading. http://postfix.org ;p[23:49:28] <officecase> Thanks Aprogas I will write that down. Unfortunately I need an end user type of interface for a client.[23:50:24] <Aprogas> officecase: Have a look in the addon software list, might be something there.[23:50:39] <adaptr> denysonique: nothing there. however, www.postfix.org/documentation has many fine documents[23:52:42] <officecase> Aprogas: I did a brief check on the postfix site. I was hoping someone would give me a good recommendation on one.[23:54:00] <adaptr> officecase: I use awstats[23:54:39] <tharkun> lire on this end[23:56:55] *** leobaillard has quit IRC[23:57:02] *** Section1 has quit IRC