January 4, 2016 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
January 4, 2016 [00:02:38] <Poster> If you're referring to ssmtp on port 465, you may run into compatibility with remote SMTP systems which only listen on 25. If you wish to force encryption, I would recommend looking at TLS options instead of trying to force ssmtp.[00:04:49] <Andre483> how am I going to find a email server provider that will let me use their sendmail server?[00:06:36] <Poster> I would start with a google search[00:07:30] *** edux has joined #postfix[00:07:47] <Andre483> is smarthost and ssmtp the same thing?[00:08:39] <Poster> smarthost I believe is a sendmail term, meaning all delivery not specified otherwise goes to a specific SMTP server and does not perform a DNS lookup[00:09:11] <Poster> in the postfix world it's called relayhost[00:09:16] <Andre483> http://nramkumar.org/tech/blog/2014/02/06/sending-automated-mail-through-office365-from-ubuntu/ :)[00:10:16] <Andre483> I actually have an office 365 email account so this might be perfect right?[00:10:27] <Poster> ok yes ssmtp is also a package[00:11:33] <Andre483> I have a bad feeling it's not going to let me change the from email address though[00:12:44] *** edux has quit IRC[00:14:11] <Andre483> and another issue it's going to keep a record of the sent emails in my email account[00:14:55] *** cigarshark has joined #postfix[00:22:27] <Andre483> ssmtp: 550 5.7.60 SMTP; Client does not have permissions to send as this sender[00:23:34] <Andre483> my concerns were warranted :([00:25:17] *** samgoody has quit IRC[00:25:49] <Poster> yeah some email providers will restrict the sender[00:26:53] <Andre483> I am leaning towards now not doing ssmtp and just sending it directly from my server[00:27:11] <Poster> as long as your IP address is not on an RBL list you should be ok[00:27:21] <Poster> you may also consider sending it through your ISP SMTP systems, if they exist[00:27:33] <Andre483> the forward/reverse ip needs to match right?[00:28:32] *** infides has quit IRC[00:31:10] <Andre483> well it works howeever the email goes straight to my junk folder...[00:32:06] <pj> first off, there is no such thing as ssmtp, it's smtps, which is deprecated for something like 20 years now...[00:32:08] <pj> !smtps[00:32:08] <knoba> pj: "smtps" : Port 465 is smtps, SMTP over SSL, a deprecated means of submission. This means that smtps should *not* be used, and that this factoid exists for historical purposes only and should not be implemented. See !submission for smtps' successor. That being said, Postfix can implement smtps with a separate smtpd(8) listener with \"-o smtpd_tls_wrappermode=yes\". See the commented example in master.cf.[00:32:29] <Andre483> ssmtp.x86_64 : Extremely simple MTA to get mail off the system to a Mailhub[00:32:43] <pj> secondly it is for submission, not passing messages to another MX[00:32:55] <Andre483> umm this particular package does that[00:33:13] <pj> you use port 25, and configure STARTTLS for secure transmission to another MX...[00:33:14] <pj> !tls[00:33:14] <knoba> pj: "tls" : Transport Layer Security (RFC2246). Previously known as SSL, TLS adds a layer of encryption to protocols such as SMTP, submission, IMAP or POP3 to improve security during transmission over the Internet. TLS is implemented using the STARTTLS method, while the non-standard wrapper style of implementation is deprecated at this point. See http://www.postfix.org/TLS_README.html for more info.[00:33:25] <Andre483> you can paste all you want, it doesn't change anything lol[00:33:56] <pj> and thrdly, it doesn't affect how DNS works, or anti-spam measures...[00:34:02] <pj> !fcrdns[00:34:03] <knoba> pj: "fcrdns" : http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS : your IP address should resolve to $myhostname, which in turn should resolve back to your IP. This is very important if you want big sites to accept your mail. If you can't have it from your ISP, see !relayhost[00:35:23] <pj> right, ssmtp is a nullclient[00:35:26] <pj> !nullclient[00:35:26] <knoba> pj: "nullclient" : a null client is a computer that can only send mail. it receives no mail from the network, and it does not deliver any mail locally. while postfix can be configured to fill this role, it is often unnecessary overkill, and a much simpler software package is more appropriate. see !nullclient_software for more details.[00:35:38] <pj> and tbh, I recommend msmtp if that's what you want[00:35:41] <pj> !msmtp[00:35:41] <knoba> pj: "msmtp" : a nullclient program which provides a means for a computer to submit mail to an existing msa. see http://msmtp.sourceforge.net/ for more info. also see !nullclient_software, !nullclient and !msa[00:54:03] *** Andre483 has quit IRC[01:15:20] *** ek has quit IRC[01:27:53] *** cigarshark has quit IRC[01:39:06] *** t4me has quit IRC[01:41:41] *** guampa has joined #postfix[01:44:17] *** Lencl has joined #postfix[01:46:40] *** heroux has quit IRC[01:54:54] *** Lencl has quit IRC[02:04:10] *** heroux has joined #postfix[02:10:01] *** edux has joined #postfix[02:10:23] *** pozitrono has joined #postfix[02:15:31] *** edux has quit IRC[02:27:59] *** monkeynuts has joined #postfix[03:10:59] *** edux has joined #postfix[03:15:47] *** edux has quit IRC[03:18:03] *** rsx has joined #postfix[03:20:53] *** err-or_ has joined #postfix[03:24:09] *** nutron has joined #postfix[03:25:23] *** err-or has quit IRC[03:35:59] *** rsx has quit IRC[04:11:49] *** edux has joined #postfix[04:16:44] *** edux has quit IRC[04:38:51] *** namyzarc has quit IRC[05:03:54] *** HeavyMetal has quit IRC[05:10:11] *** TheFatherMind has joined #postfix[05:12:48] *** HeavyMetal has joined #postfix[05:12:49] *** HeavyMetal has joined #postfix[05:20:04] *** Tourist has quit IRC[05:20:14] *** Tourist has joined #postfix[05:20:14] *** Tourist has joined #postfix[05:33:28] *** MxyzptlkFishStix has quit IRC[05:34:23] *** MxyzptlkFishStix has joined #postfix[05:36:04] *** MxyzptlkFishStix has quit IRC[05:40:46] *** MxyzptlkFishStix has joined #postfix[05:49:02] *** JanC has quit IRC[05:55:30] *** sara2010 has quit IRC[06:01:24] *** armguy has quit IRC[06:03:20] *** JanC has joined #postfix[06:14:54] *** armguy has joined #postfix[06:42:45] *** phunyguy has joined #postfix[06:44:08] <phunyguy> hi, quick question, I currently have a VPS that acts as a mailrouter for my home server, as my ISP restricts incoming and outgoing mail on port 25. However, I want mail that originates from the VPS itself to get routed back to the home server, as currently it fails saying that mail routes back to itself. How can I do this?[06:59:06] <xpoint> add proxy interface on the homeserver it need to know not use mx from home[07:00:28] <xpoint> it should at home know all border ips to not send back to border[07:50:37] *** shal3r has quit IRC[08:18:28] *** carl- has joined #postfix[08:29:04] *** carl- has quit IRC[08:31:03] *** carl- has joined #postfix[08:35:24] *** joules has quit IRC[08:35:49] *** zorg1 has joined #postfix[09:11:40] *** SCHAAP137 has joined #postfix[09:20:13] *** infides has joined #postfix[09:22:04] *** anunnaki has quit IRC[09:23:30] *** Zeeshan_M has quit IRC[09:23:38] *** Zeeshan_M_ has joined #postfix[09:28:03] *** joules has joined #postfix[09:58:59] *** _val_ has quit IRC[10:02:00] *** d0nn1e has quit IRC[10:03:15] *** d0nn1e has joined #postfix[10:04:40] *** SCHAAP137 has quit IRC[10:05:15] *** TyrfingMjolnir has quit IRC[10:10:16] *** schrodinger_ is now known as schrodinger[10:10:17] *** sphenxes01 has quit IRC[10:14:38] *** SCHAAP137 has joined #postfix[10:16:17] *** edux has joined #postfix[10:16:32] *** skylite has joined #postfix[10:21:22] *** edux has quit IRC[10:31:01] *** bluenemo has joined #postfix[10:32:55] <bluenemo> hi guys. We have a spf record like "v=spf1 a mx ip4:52.123.123.123 include:trustpilotservice.com a:vwp1234.webpack.hosteurope.de -all". We send mails via trustpilot (some service for that). They complain that the mx is to much in our record and we should remove it. I'm not perfectly sure I get what the mx does. Does a and mx mean that if a IP is matched for any a or mx records, it is valid as of spf? If so, do I get this right that adding or re[10:32:55] <bluenemo> moving the mx string should not affect the include trustpilot.com?[10:46:46] <monkeynuts> the mx in your spf record includes all your mx records in the spf.. but i dont know how that would affect them[10:46:55] *** pozitrono has quit IRC[10:51:45] *** shmoon_ has left #postfix[10:53:35] *** joules has quit IRC[10:56:08] *** joules has joined #postfix[11:06:37] <bluenemo> monkeynuts, from what I understood it should not affect them weather I include or exclude my own mx's.. This page http://www.kitterman.com/getspf2.py however tells me " Record contains non-ASCII characters and is invalid." this sounds very odd.. non ascii in spf records? Can you guys verify that? my domain is fincallorca.de[11:09:43] *** infides has quit IRC[11:10:54] *** infides_afk has joined #postfix[11:17:03] *** edux has joined #postfix[11:21:15] *** edux has quit IRC[11:24:37] *** wmp has joined #postfix[11:24:43] <wmp> hello[11:25:11] <wmp> i have rejected mails by spamassassin, how can i delivery this mail force?[11:25:29] <wmp> now i have mail in /var/lib/amavis/virusmails/[11:25:30] *** rsx has joined #postfix[11:28:16] <Zerberus> wmp: amavisd-release[11:34:33] *** infides_afk has quit IRC[11:36:33] <wmp> Zerberus: thanks[11:38:35] *** infides_afk has joined #postfix[11:40:17] *** rsx has quit IRC[11:45:40] *** rsx has joined #postfix[11:51:54] *** pozitron has joined #postfix[12:14:15] *** quenode has quit IRC[12:17:38] *** edux has joined #postfix[12:22:38] *** edux has quit IRC[12:23:54] *** quenode has joined #postfix[12:27:48] *** Section1 has joined #postfix[12:44:17] *** sphenxes has joined #postfix[12:44:42] *** sphenxes has joined #postfix[12:53:08] <jelly> in other news, Outlook manages to generate a References header line of exactly 999 bytes, not counting CRLF[12:53:41] <nhooyr> is it possible to have amavisd listening on two sockets? one for lmtp and another for AM.PDP?[13:12:01] <Zerberus> nhooyr: not really the right channel to ask this[13:12:45] <nhooyr> this seems to be the only active channel for discussions like this.[13:14:04] <Zerberus> nhooyr: there is a mailing list for amavisd-new[13:14:22] <Zerberus> nhooyr: short answer: yes, it is possible what you asked[13:15:08] *** edux has joined #postfix[13:15:25] <nhooyr> alright sorry I just wanted a quick answer so I usually prefer IRC. i'll ask on the mailing list next time but could you please explain it anyway this time?[13:16:51] <Zerberus> nhooyr: see https://sys4.de/de/blog/2015/07/31/amavisd-milter-howto/[13:18:47] <nhooyr> alright i'll take a look thank you[13:27:38] *** zorg1 has quit IRC[13:31:06] *** Haudegen has quit IRC[13:37:10] *** equilibriumuk has joined #postfix[13:46:29] *** Haudegen has joined #postfix[13:51:21] <phunyguy> xpoint: thanks for the tip.[13:52:31] <nhooyr> Zerberus: that uses multiple inet connections. i meant multiple sockets and then apply a different policy to each for the protocol.[13:52:36] <nhooyr> multiple unix sockets*[13:52:47] <nhooyr> sorry for not specifiying that, earlier[13:56:09] *** zorg1 has joined #postfix[13:56:12] *** bluenemo has quit IRC[13:56:22] <phunyguy> xpoint: anything incoming to my home server user/email address should get processed by the homeserver. The problem is it never makes it there. The VPS root user, for example, creates a mail message to send home, and postfix on VPS should see that it is destined for a domain it handles, and send it there. Instead it fails because mail to "root@mx1" (itself) routes back itself. I have an alias set up to redirect mail to phunyguy at phunyguy dot com[13:56:22] <phunyguy> (obfuscated), but it never gets far enough to check the alias database.[13:57:10] <xpoint> border server should be backup mx[13:58:06] <xpoint> make the mx both with homeserver ip and border ip, this is standard[13:58:40] <phunyguy> Not sure I follow....[13:58:48] <xpoint> but note do not reject mail at home server ever[13:59:04] <phunyguy> I don't want any incoming mail to go directly to home server, as it will get processed there.[13:59:17] <phunyguy> and fail sometimes.[13:59:24] <phunyguy> hence external mail gateways[13:59:27] <xpoint> you say isp blocked port 25[13:59:33] <phunyguy> I said restrictions.[13:59:51] <phunyguy> they block 25 going out, and incoming I do not own the IP so some mail does not deliver from other places.[13:59:52] <xpoint> so no mail goes direct[13:59:55] <phunyguy> none.[14:01:02] <xpoint> setup your home server to listen eg on port 26, and firewall this port to only work from border servers[14:01:10] <phunyguy> (I mean I do not own the IP, as in I cannot set proper rDNS)[14:01:52] <phunyguy> that is how it works currently, but over submission port, with sasl auth.[14:02:07] <xpoint> ask the isp about ptr records, but that does not solve your home ip is dynamic[14:02:14] <phunyguy> right/[14:02:17] <phunyguy> right.*[14:02:42] <phunyguy> I apologize, I have to drive into work. 1 hour commute. I will see you soon hopefully.[14:02:54] <xpoint> you should read more about soho in postfix[14:03:03] <phunyguy> alrighty, thanks[14:03:26] <xpoint> no isp can block me :)[14:03:46] <xpoint> but is counts to be nice[14:06:32] <phunyguy> wait before I go... I think my answering your question gave me an idea[14:06:34] <phunyguy> I don't think I set my_destination on this thing.[14:07:04] <phunyguy> oh sorry, mydestination[14:08:11] <phunyguy> YES that was totally the problem. Thanks for the brainstorm session! Bye![14:08:42] *** sphenxes has quit IRC[14:17:25] *** monkeynuts has quit IRC[14:24:20] *** sphenxes has joined #postfix[14:24:41] *** prooz_ has left #postfix[14:24:44] *** lidenbrock has joined #postfix[14:25:33] <lidenbrock> hi. Are there alternatives to pymilter for writing mail filter on top of PostFix?[14:26:11] <lunaphyte> of course[14:26:45] *** prooz has joined #postfix[14:26:47] <lunaphyte> pymilter is just a milter implementation. it's not something magical[14:26:59] <lunaphyte> and of course, there's no rule a milter must be used either[14:31:07] *** sphenxes02 has quit IRC[14:33:41] <lidenbrock> lunaphyte: would you recommend another implementation?[14:34:08] <lunaphyte> they're all fine. whatever you prefer[14:34:55] *** sphenxes has quit IRC[14:35:10] *** lucascastro has joined #postfix[14:48:12] *** sphenxes02 has joined #postfix[14:50:09] *** sphenxes has joined #postfix[15:03:58] *** dstarh has joined #postfix[15:13:59] *** pozitron has quit IRC[15:15:35] *** Section1 has quit IRC[15:21:20] <easty> hi mailexperts :) what is the correct rDNS-name that i have to config at my server-hoster? is it domain.tld or anything.domain.tld or mail.domain.tld?[15:21:30] *** Section1 has joined #postfix[15:22:03] <lunaphyte> whatever the hostname of your mail server is[15:23:48] <jaybe> easty, the point is, forward and reverse dns for the mail server should match and be set up properly.[15:24:07] <easty> ok thx. it's mail.domain.tld but rDNS is actually set at srv1.domain.tld (both is set with A-record to my server-ip in the dns-settings)[15:24:21] <easty> mxtoolbox said Reverse DNS does not match SMTP Banner[15:24:22] <jaybe> you'll want/need them to match[15:25:52] *** morse has quit IRC[15:26:28] <easty> mxtb also shows 2 warnings. SOA Serial Number Format is Invalid & SOA Expire Value out of recommended range (don't know for now, what i have to change in dns-config at cloudflare...)[15:29:23] *** morse has joined #postfix[15:52:45] *** edux has quit IRC[16:11:31] *** lidenbrock has quit IRC[16:14:32] *** zorg1 has quit IRC[16:14:59] <phunyguy> I have another question. Remote postfix implementations for delivery of system messages (root to my email address via alias) all deliver to my home server, authenticating as a generic user. Currently my smtpd_relay_restrictions = permit_sasl_authenticated, reject. How can I restrict it so that the generic account only allows delivery and not relay? I need to have sasl_authenticated able to relay, EXCEPT for that account. Is this possible?[16:16:18] <phunyguy> .....or am I going about this the complete wrong direction....?[16:17:02] *** zorg1 has joined #postfix[16:17:43] <lunaphyte> don't alow relay at all[16:17:54] <lunaphyte> it's unlikely you'd need to[16:18:00] <phunyguy> I have to allow relay to sasl authenticated for users on that server...[16:18:11] <lunaphyte> why?[16:18:12] <phunyguy> or I lose outbound mail.[16:18:32] <phunyguy> phunyguy at phunyguy dot com needs to be able to send externally...[16:18:43] <phunyguy> maybe this is a job for smtps.[16:18:56] <lunaphyte> i guess i don't follow how that relates to delivery of system messages[16:18:56] <phunyguy> Yeah I think I am going about this the wrong way.[16:19:01] <lunaphyte> they're different things[16:19:48] <phunyguy> Sorry, let me clarify. root mail hits postfix, and aliases to phunyguy at phunyguy dot com, which sasl_authenticates to home server for local delivery.[16:20:19] <phunyguy> I think I am using the wrong thing with sasl authentication over submission. I think I need to use smtps specifically for this.[16:20:25] <lunaphyte> if your home server is configured to accept mail for that domain, there's no need for authentication[16:20:59] <lunaphyte> but if you have a client submitting mail, there's also nothing wrong with using submission[16:21:04] <lunaphyte> [and thus smtp auth, etc][16:21:19] <phunyguy> well my fear is having a generic account that is spread over multiple servers.[16:21:31] <phunyguy> that gets compromised and I become and open relay basically.[16:21:32] <lunaphyte> oh, heavens no. you wouldn't ever do that[16:21:40] <lunaphyte> use proper service accounts[16:21:58] <lunaphyte> computer_application[16:22:06] *** carl- has quit IRC[16:22:10] <phunyguy> ?[16:22:20] <lunaphyte> each application should be configured with a unique, separate service account[16:22:33] <phunyguy> oh, yes I get that.[16:22:37] <lunaphyte> unless you like generating headaches and work down the road[16:22:46] <phunyguy> but I still think I need to separate those from submission.[16:22:51] <lunaphyte> why?[16:22:59] *** edux has joined #postfix[16:23:18] <lunaphyte> they're still clients, so they use submission[16:23:28] <lunaphyte> i'm not sure what you mean separate them[16:23:29] <phunyguy> if anything, for organization? Service accounts use smtps, and users use submission?[16:23:38] <lunaphyte> huh?[16:23:48] <lunaphyte> are you talking about the protocol smtps? port 465?[16:23:51] <lunaphyte> if so, no[16:23:53] <phunyguy> yeah[16:23:56] <lunaphyte> smtps is not to be used[16:23:57] <phunyguy> harumph.[16:24:06] <phunyguy> ok then.[16:24:07] <lunaphyte> it has been deprecated now for over 15 years[16:24:10] <rob0> If an account doesn't authenticate, how else could you know it is that account?[16:24:27] <phunyguy> well I assumed I would use sasl over smtps also.[16:24:35] <phunyguy> just not via virtual mailbox maps[16:24:51] <lunaphyte> it sounds to me like what you are asking is about separating submission for "humans" from submission for "software"?[16:24:51] <phunyguy> guess not. Yeah submission is fine then.[16:24:57] <rob0> this is related to the #bind thing?[16:25:03] <phunyguy> well that was my initial thought[16:25:19] <phunyguy> rob0, somewhat, maybe indirectly? This is a different piece of that project.[16:25:24] <phunyguy> the bind stuff works perfect[16:25:28] <lunaphyte> fwiw, you are likely overengineering things[16:25:40] <phunyguy> me? NOOO... heh[16:26:15] <phunyguy> I will use proper service accounts with randomized passwords.[16:26:32] <phunyguy> but I still don't want those service accounts able to relay.[16:26:38] <phunyguy> that was my original question.[16:26:46] <phunyguy> Is there a way to prevent that?[16:26:48] <rob0> Now write that on the chalkboard 50 times.[16:26:51] <lunaphyte> one could argue there might be a benefit to partitioning human and non human submission, but there would need to then also be separate implementations handling relaying/delivery of this mail for there to be any sort of meaningul/practicla benefit[16:26:58] <rob0> I will use proper service accounts with randomized passwords.[16:26:59] <rob0> I will use proper service accounts with randomized passwords.[16:27:03] <lunaphyte> :D[16:27:04] <rob0> et c.[16:27:06] <phunyguy> heh[16:27:18] <phunyguy> but I still don't want those service accounts able to relay.[16:27:19] *** armguy has quit IRC[16:27:19] <phunyguy> but I still don't want those service accounts able to relay.[16:27:22] <phunyguy> etc.[16:27:33] <lunaphyte> interesting[16:28:05] <phunyguy> can probably set up a separate submission instance?[16:28:09] <phunyguy> instance/port[16:28:11] <lunaphyte> that woudl be one way, yes[16:28:14] <lunaphyte> *would[16:28:18] <phunyguy> is there an easier way?[16:28:30] <lunaphyte> well, there's a bit of a wrinkle here[16:28:48] <lunaphyte> because, pretty much, the whole point of submission is to relay[16:29:03] <phunyguy> right.[16:29:06] <lunaphyte> so, it's a reasonably fair argument to say that if you're not relaying, you don't need submission[16:29:27] <rob0> (but if a submission client sends to an internal address, it's not relayed)[16:29:28] <lunaphyte> but there's an sort of implicit contradiction within that concept[16:29:33] <lunaphyte> right[16:29:48] * phunyguy sips some coffee and ponders[16:29:54] <lunaphyte> here's where i'm going with this:[16:30:13] *** pti-jean_ has joined #postfix[16:30:41] <rob0> sigh, only one hour before the first of 4 meetings today :([16:30:47] <phunyguy> :([16:31:31] <lunaphyte> granted, *all* clients should always use submission. however - if, for some set of non technical constraints, you "know" a client is only ever going to send to your domain, then perhaps that client could be given an exemption, and just deliver its mail to port 25, as though it were some other server[16:31:57] <phunyguy> Actually, in this case, that might work.[16:32:15] <phunyguy> I can get through on port 25... just can't use it for /everything/.[16:32:19] <lunaphyte> there is a trade off to some extent in consistency here, of course, but you might argue that it is acceptable given the reduction of complexity in other areas[16:32:21] <phunyguy> So you have a valid point here.[16:32:22] <Tuxick> 4 meetings?[16:32:36] <Tuxick> sounds like a place where there's 4 manager for every clued person[16:32:54] <phunyguy> yeah consistency was one constraint, but it just might be a good tradeoff to keep it secure.[16:33:50] <lunaphyte> the benefits are that you avoid multiple submission services [or single, more complex submission services], and you avoid the need for any authentication [and its associated managmenet overhead][16:34:22] <lunaphyte> e.g. managing/monitoring/auditing/updating credentials[16:35:25] <lunaphyte> if you control both sides of this, then the justification for deviation from the defined standard can be better supported[16:37:28] <phunyguy> yep. This is excellent info. As always, thank yo.[16:37:31] <phunyguy> you*[16:38:26] <phunyguy> I can also apply this concept to the external mail relays I set up.. if they are relaying back to me just for my domains, they don't need to authenticate. I am glad we had this talk.[16:40:10] <phunyguy> So, with that said I never thought about using port 25... Can I still encrypt over that port for this?[16:40:21] <phunyguy> Probably not really needed, just curious.[16:41:44] <lunaphyte> of course[16:41:51] <lunaphyte> you jsut can't require it[16:41:53] <lunaphyte> *just[16:42:03] <phunyguy> is it even worth it?[16:42:11] <lunaphyte> of course[16:42:31] <lunaphyte> encryption is *always* worth it, if based on nothing other than principle[16:42:43] <phunyguy> actually, yeah now that I think about it, you are correct. Other servers out there support it as well I would imagine. (If available, use etc)[16:44:00] <phunyguy> Just gotta research into those config options to keep this as secure as possible.[16:44:22] <rob0> Tuxick, one of the meetings is not job-related. The other 3 are one-time things.[16:44:38] *** armguy has joined #postfix[16:45:48] <Tuxick> oh :)[16:46:15] *** skylite has quit IRC[16:46:34] <rob0> "community meeting about the future of the fire department"[16:46:36] <lunaphyte> if it were me though, i'd ensure that encryption were always used by requiring it amongst my hosts[16:46:47] <lunaphyte> the fire department of the future?![16:47:02] <rob0> and they're probably going to make me the new fire chief[16:47:09] <phunyguy> lunaphyte, I agree.[16:47:20] <rob0> (scary thought, that.)[16:47:31] <phunyguy> whoa[16:52:37] *** ek has joined #postfix[16:55:41] <phunyguy> lunaphyte, now you have me thinking about home server going outbound to mail relays... I am using password auth there over submission, with a local "incoming" mail account on the relay. Is that OK, or do you think that can be secured a little better?[16:57:17] <phunyguy> require a cert as well perhaps?[16:57:17] *** ek has quit IRC[16:57:26] <phunyguy> (A specific cert*)[16:57:46] *** ek has joined #postfix[17:11:11] <mage_> any idea for this https://gist.github.com/silenius/3592749556aa42d78325 ? I'm using Postfix with HAProxy in front (and the PROXY) protocol, receiving works fine, but when I send a mail with $> mail root it doesn't work[17:12:12] <rob0> !mail[17:12:12] <knoba> rob0: "mail" : mail(1) (also known as mailx(1) or bsd-mailx) is not a Postfix-provided command. For help with it, see its man page. More powerful, commonly available console- and CLI-based MUAs include mutt, alpine and heirloom mailx (likewise, not supported here.)[17:12:12] <mage_> is it expected ? maybe I should use the submission port 587 instead ?[17:12:23] <rob0> mail uses sendmail(1)[17:12:32] <mage_> yep I know that :)[17:12:45] <rob0> okay[17:13:21] <mage_> is there a postfix replacement for mail ?[17:15:14] <mage_> another stupdi question, if I use postscren should I also set smtpd_upstream_proxy_protocol = haproxy ? or postscreen_upstream_proxy_protocol = haproxy is sufficient ?[17:16:39] *** D-Boy has quit IRC[17:18:41] *** nevstah has joined #postfix[17:20:52] <nevstah> hi, quick question on spam filters, do they check or care whether website is hosted on a blacklisted IP if the mail is sent/received from a completely different IP?[17:25:36] *** dstarh has quit IRC[17:26:20] *** [NoClan]GoAway has quit IRC[17:28:16] *** Darcidride has joined #postfix[17:29:38] *** robinho86 has joined #postfix[17:29:53] *** SCHAAP137 has quit IRC[17:32:03] <rob0> Postfix does not provide any sort of MUA.[17:38:34] *** [NoClan]GoAway has joined #postfix[17:39:09] *** drewland- has quit IRC[17:39:38] <nevstah> i realise that, but hoped there might be someone where who knew the answer[17:40:33] <rob0> That was not an answer to your question![17:41:30] <rob0> Spam filters vary widely. (That *is* a partial answer to your question.)[17:41:36] <nevstah> i realise that too! sorry, i misread what you said because i was just reading an article about MUA's :)[17:41:46] <nevstah> ok[17:41:46] <rob0> There is no quick answer.[17:43:17] <nevstah> thats probably enough of an answer for what i need, that its not black and white - thanks[17:44:26] <rob0> URIBL checking is very effective, but it's only applicable in content-based filtering.[17:50:15] *** edux has quit IRC[17:53:24] *** nyloc has quit IRC[17:54:04] *** nyloc has joined #postfix[17:54:38] *** D-Boy has joined #postfix[17:59:04] *** Jikan has quit IRC[18:03:08] <lunaphyte> phunyguy: i'm not sure if it answers your question, but i use certificate authentication for communication between my vps and home mail servers[18:04:31] *** zorg1 has quit IRC[18:09:18] *** Jikan has joined #postfix[18:14:03] *** gu1lle_ has joined #postfix[18:19:22] *** Southron has joined #postfix[18:29:55] *** Haudegen has quit IRC[18:34:35] *** ek has quit IRC[18:34:46] *** timdau has joined #postfix[18:35:01] <timdau> Any way to milter email that is already queued?[18:35:41] <timdau> postsuper -r specifically does not do it[18:35:53] <Tuxick> seems a bit late[18:39:16] <mage_> what's the best postfix book ?[18:39:33] <Tuxick> one that burns longest?[18:40:04] <mage_> the Book of Postfix looks qui old (2005), is it still up to date?[18:40:10] <Tuxick> never seen a postfix book[18:40:16] <Tuxick> got a batbook though[18:41:02] <Tuxick> that was quite informative, didn't know there were so many reasons to avoid sendmail :)[18:41:22] <mage_> there is "Postfix the definitive guide" and "the book of postfix", both of them are old (2004 and 2005)[18:42:57] <Tuxick> that's too old[18:43:59] <lunaphyte> i generally discourage using printed books[18:44:13] <lunaphyte> is there a particular reason you think you need one?[18:45:33] <mage_> nop, just that I prefer to learn with a book[18:46:01] <lunaphyte> fwiw, you'll be doing yourself a disservice[18:46:11] <lunaphyte> my advice would be to get over that preference ;)[18:46:22] <mage_> :)[18:46:25] <lunaphyte> the benefits you enjoy will be well worth it[18:47:01] <Tuxick> it beats video tutorials![18:54:22] <rob0> Dead trees can't keep up, simple as that.[18:54:56] <Tuxick> idd[19:00:37] <phunyguy> lunaphyte, what is the general idea behind it? Self-signed, with each end being part of the same cert chain, or?[19:03:07] *** Haudegen has joined #postfix[19:03:10] *** sarri has quit IRC[19:03:55] *** sarri has joined #postfix[19:04:40] <phunyguy> lunaphyte, this actually sounds vaguely familiar. I think my earliest iterations of this setup were just that. Unfortunately I can't remember any more than that.[19:07:18] <phunyguy> And for openvpn reasons, I actually have a self signing CA set up on home server. Would be pretty straight forward to create a few additional, and load up the cert chain.[19:07:25] *** rsx has quit IRC[19:09:19] *** penrod has joined #postfix[19:15:19] <phunyguy> lunaphyte, I also assume this takes dovecot sasl out of the equation?[19:25:44] <lunaphyte> phunyguy: never self signed, no[19:26:08] <phunyguy> why not?[19:28:01] <phunyguy> actually, would I need a cert on the remote relays? Or do I just need to verification chain?[19:28:13] <phunyguy> need a verification chain*[19:28:24] <phunyguy> because I do have a startssl one I can use.[19:28:59] <lunaphyte> yes, always create a dedicated ca cert, and then separate server specific certs[19:29:15] <lunaphyte> there's no need to use a commercial cert though[19:29:19] *** puzzled has joined #postfix[19:30:02] <phunyguy> oh well that is what I have already... however I do have a commercial cert for my domain, and I use it for client connectivity. My train of thought was using that same one on home server, and have the relays verify it is valid with the startssl chain.[19:30:15] <lunaphyte> i wouldn't[19:30:23] <phunyguy> harumph.[19:30:49] <lunaphyte> unless you want to allow anyone who has a cert issued by startcom to be able to relay ;)[19:30:50] <phunyguy> ok then, yeah I have a self signing CA already.[19:31:00] <lunaphyte> self signing ca?[19:31:09] <phunyguy> OH right yea, that would be bad. I was assuming you coudl restrict to a certain cert.[19:31:12] <lunaphyte> that's not a thing[19:31:25] <phunyguy> cut me some slack here.[19:31:26] <phunyguy> heh[19:31:34] <lunaphyte> yes, you can restrict to a certain cert, in which case the chain of trust is irrelevant[19:31:43] <phunyguy> gotcha.[19:31:45] <lunaphyte> no slack ;) terminology matters :)[19:32:07] *** anunnaki has joined #postfix[19:32:08] <lunaphyte> a self signed cert is just that. a cert signed by some other cert is, by definition, not self signed[19:32:15] <phunyguy> so, like I said before, I use a self signed cert for clients, which involved creating a CA locally and using that to sign...[19:32:26] <lunaphyte> that's a private cert. not a self signed cert[19:32:29] <phunyguy> if that is what you are referring to.[19:32:32] <lunaphyte> yes[19:32:36] <phunyguy> okay.[19:32:48] <phunyguy> yes I am using a private certificate...[19:33:12] <lunaphyte> no need for sasl then if certificate auth is used, yes.[19:33:17] <phunyguy> and in this scenario, everyone with a valid cert would be able to relay mail.[19:33:23] <lunaphyte> right[19:33:29] <phunyguy> seems reasonable.[19:33:32] <lunaphyte> fsvo valid, of course[19:33:42] <phunyguy> right.[19:34:13] <lunaphyte> it's generally undesirable overhead for use with human users/clients, but if both ends are being managed by the admin, that dynamic changes[19:34:21] <phunyguy> Maybe self-signed is used too loosely out there on the interwebs, which is where I picked up that bad habit.[19:34:38] <lunaphyte> yes, it's a bad habit term thrown around all over the place, unfortunately[19:35:03] * rob0 throws thumbs all over the place[19:35:09] <phunyguy> yes, that is my thought exactly. This will only be home server -> vps. Clients connect client -> home server.[19:36:00] <phunyguy> by the way, mail incoming from VPS is now encrypted over port 25 with no auth. Relay disabled.[19:36:10] <phunyguy> works gr8,.[19:37:09] <phunyguy> also means other places can connect directly should they so choose, but they would have to do that manually, and my MX records don't tell it to. But it would still work, and reject_unauth_destination.[19:37:44] <lunaphyte> yo uset up an additional interface/service?[19:37:59] <phunyguy> yes. smtp/25, with clients still using submission.[19:38:45] <phunyguy> I should say, I uncommented smtp in master.cf and added an -o smtp_relay_restrictions=reject.[19:40:02] <phunyguy> and under submission in master.cf, I have -o smtpd_relay_restrictions=permit_sasl_authenticated,reject - all of this not defined in main.cf[19:42:09] <phunyguy> then `smtpd_client_restrictions = reject_unauth_destination, reject_rbl_client blah blah blah (x3), permit` in main.cf - seems okay... no?[19:42:35] <lunaphyte> i couldn't say with just those small references[19:42:37] <lunaphyte> !showconfig[19:42:38] <knoba> lunaphyte: "showconfig" : when asked to provide your config, pastebin postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[19:45:11] *** [ddmp] has joined #postfix[19:46:14] <phunyguy> lunaphyte, http://paste.ubuntu.com/14402412/[19:46:20] <phunyguy> that is home server.[19:46:51] <phunyguy> might have some redundant stuff under submission.[19:46:54] <phunyguy> meh[19:50:36] *** edux has joined #postfix[19:52:12] *** Section1 has quit IRC[19:57:27] *** blackro0t has quit IRC[20:02:35] *** [ddmp] has quit IRC[20:06:36] *** [ddmp] has joined #postfix[20:07:07] *** [ddmp] has quit IRC[20:07:32] *** [ddmp] has joined #postfix[20:12:37] *** ek has joined #postfix[20:18:12] *** [ddmp] has quit IRC[20:20:22] *** ek has quit IRC[20:21:07] *** ek has joined #postfix[20:26:32] *** wdp has joined #postfix[20:26:33] *** wdp has joined #postfix[20:26:34] *** ktosiek has quit IRC[20:32:14] *** ktosiek has joined #postfix[20:32:19] *** [ddmp] has joined #postfix[20:34:36] *** [ddmp] has quit IRC[20:35:18] *** zapata has quit IRC[20:35:45] *** [ddmp] has joined #postfix[20:37:31] *** [ddmp] has joined #postfix[20:44:39] *** [dmp] has quit IRC[20:44:54] *** [ddmp] is now known as [dmp][20:51:25] *** Guest61502 has joined #postfix[20:51:32] *** armguy has quit IRC[20:56:36] *** armguy has joined #postfix[20:59:14] *** rsx has joined #postfix[21:07:56] *** rsx has quit IRC[21:10:09] *** rsx has joined #postfix[21:11:44] *** mattsah has joined #postfix[21:12:14] <mattsah> Hello all. I'm wondering if it's possible to include the "To" headers in a message/rfc822 attachment.[21:13:52] *** rsx has quit IRC[21:13:59] *** robinho86 has quit IRC[21:14:26] <mattsah> for a bounce[21:20:26] *** Guest61502 has quit IRC[21:20:40] *** jhass is now known as jazz[21:21:10] *** jazz is now known as Guest92640[21:21:18] *** Guest92640 is now known as jhass[21:21:19] *** rsx has joined #postfix[21:21:26] *** Tourist has quit IRC[21:23:24] *** rsx has quit IRC[21:23:35] *** ek has quit IRC[21:26:14] *** Haudegen has quit IRC[21:30:58] <phunyguy> lunaphyte, my brain hurts. :([21:31:42] *** Darcidride has quit IRC[21:33:15] *** dstarh has joined #postfix[21:35:22] *** sphenxes01 has joined #postfix[21:38:35] *** sphenxes has quit IRC[21:38:42] *** sphenxes has joined #postfix[21:38:59] *** sphenxes02 has quit IRC[21:41:26] *** pozitrono has joined #postfix[21:45:51] <mattsah> apparently not[21:45:55] *** mattsah has quit IRC[21:59:18] *** Haudegen has joined #postfix[22:01:02] *** skylite has joined #postfix[22:11:04] *** samgoody has joined #postfix[22:11:36] *** lucascastro has quit IRC[22:11:48] *** jancoow has joined #postfix[22:12:31] <jancoow> Hi guys. Do you guys have a idea why all the mail i send comes inside my spamfolder?[22:12:41] <jancoow> (if i send a mail to my gmail adres)[22:12:56] <phunyguy> yeah, configure proper SPF records and OpenDKIM[22:13:24] <jancoow> uh[22:13:29] <jancoow> could u tell me some more details?[22:14:02] <phunyguy> OpenDKIM: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy[22:15:01] <samgoody> Hello all. I was recommended (by the amazing lunaphyte) to make changes to my configs. Would like to understand the "why", if someone can help:[22:15:03] <phunyguy> SPF, and these are namecheap specific instructions, but follow along loosely to get the idea. https://www.namecheap.com/support/knowledgebase/article.aspx/317[22:15:13] <lunaphyte> he's an idiot[22:15:16] <jancoow> thanks, i will try that[22:15:39] <jancoow> i've a namescheap domain so the namescheap link is also very helpfull i think[22:15:50] <samgoody> Remove smtp_use_tls and smtpd_use_tls: These have been deprecated and now should use smtp_tls_security_level[22:16:23] <phunyguy> lunaphyte, which one>?[22:16:29] <samgoody> If that's what goes for an idiot on this channel, I have no hope :([22:16:37] <phunyguy> oh.[22:16:56] <lunaphyte> whoever helped samgoody :)[22:17:17] <samgoody> Seriously appreciate the help, you should know.[22:17:48] <phunyguy> oh. yeah, lunaphyte is awful.[22:17:50] <phunyguy> ;)[22:18:26] <samgoody> mailbox_size_limit should not be set to 0, because if the account is compromised, it can destroy the computer (and allow overflow attacks)[22:18:44] <phunyguy> lunaphyte, now I would be awfully grateful if you could help me out with this one... I generated a cert for my home server, which has a key and crt, plus ca.crt file. But I am getting this error: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46:[22:19:08] <phunyguy> that is when a client (my phone) attempts to connect over submission port.[22:19:12] <samgoody> 3. broken_sasl_auth_clients: Not needed since 100 years ago, when Outlook express 4 roamed the net.[22:20:05] <samgoody> 4. Remove smtpd_tls_ask_ccert = yes. Haven't found anyone explaining hy yes or why no on Google. So need help with that.[22:21:29] *** [44] has joined #postfix[22:21:35] <samgoody> 5. Remove smtpd_sasl_auth_enable = yes and broken_sasl_auth_clients = yes. I'm assuming that I don't need these, since we use submission for sending instead of the smtp daemon (smtpd). But I am not sure, and don't really get that, so any more explanation would be useful[22:24:56] <[44]> !welcome[22:24:57] <knoba> [44]: "welcome" : Welcome to #postfix! If you're new here, or to IRC, first read the channel topic (/topic). It has important instructions on how to ask good questions. You will get more and better help if you follow those instructions. Good Luck![22:24:59] <samgoody> 6. Remove permit_mynetworks, permit_sasl_authenticated from the smtpd_recipient_restrictions. This seems to go against all the tutorials. Which is 100% OK, but it makes it hard finding any explanation online. So, any explanation would be helpful.[22:26:25] <phunyguy> I can answer #6. You don't need to authenticate to send mail to a server that is destined for that server.[22:27:23] <jancoow> phynyguy: i did al the steps i only doesn't understand which part i should place at namecheap[22:27:38] <jancoow> phynyguy: can you look at my mail.txt?[22:27:46] <jancoow> have a look *[22:27:50] <phunyguy> what is mail.txt?[22:28:17] <jancoow> the generated public key[22:28:29] <phunyguy> oh, for dkim ?[22:28:39] <jancoow> yes![22:30:44] <phunyguy> jancoow, that doesn't look right. Would perfer you pastebin it so others can see and help, rather than PM.[22:30:47] <phunyguy> prefer*[22:30:57] <phunyguy> the dkim public key is public..... so pastebin is fine[22:31:14] <jancoow> oh ofc its the public key... yeah i though it was private lol[22:32:30] <jancoow> https://jancokock.me/f/7f04c/ I created this according https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy this tutorial[22:32:39] <jancoow> and i think i need to add it to namecheap[22:32:48] <jancoow> but i don't get which part i should place in a txt record[22:34:49] <phunyguy> jancoow, it should be a txt record named mail._domainkey, with the contents: http://paste.ubuntu.com/14404494/[22:35:16] <phunyguy> include quotes iirc.[22:36:14] <phunyguy> jancoow, if you want to verify it works, send a blank email to check-auth at verifier dot port25.com[22:36:29] <phunyguy> you should get a response with pass/fail on things like SPF/DKIM[22:37:07] <lunaphyte> samgoody: smtpd_tls_ask_ccert only applies if clients are providing certificates. this is quite unlikely in virtually all typical/pedestrian deployments[22:38:02] <lunaphyte> samgoody: that's 4. ^[22:38:35] * phunyguy takes note for his remote relays on #4[22:38:36] <lunaphyte> 5. smtp auth [e.g. sasl] should not be enabled in the global config. it should be enabled only for the submission service.[22:39:21] <lunaphyte> 5b. broken_sasl_auth_clients is a compensation mechanism for crappy [e.g. microsoft] software. do not use it[22:39:46] <lunaphyte> or, more to the point, do not start with it[22:40:39] <lunaphyte> if, at some point, you find you actually have some old crappy clent which cannot do proper sasl, then first fix it, and if for some actual reason, you cannot, then you can consider enabling that setting[22:40:57] <lunaphyte> but encouraging people to use old broken clients is not helping the email community[22:41:54] <samgoody> is it bad to enable sasl in the global config, or just unneccesary? (trying to understand, not challenging you)[22:42:17] *** Batch has joined #postfix[22:42:24] <lunaphyte> both[22:42:32] <lunaphyte> it's bad, because it's unnecessary[22:42:33] <phunyguy> probably a security no-no[22:43:04] <lunaphyte> if authentication is not needed, then offering it does nothing beyond another vector for abuse/exploit[22:49:18] <samgoody> phunyguy, I see that permit_mynetworks, permit_sasl_authenticated are part of the default main.cf as installed by apt. If not needed, why would it be the default?[22:49:34] <phunyguy> because terrible package managers are terrible.[22:49:37] <phunyguy> maintainers*[22:51:30] <jancoow> phunyguy: mm i think its good now[22:51:49] <phunyguy> I think it is one of those things, where it works for everyone, and is easy, but maybe not the best idea.[22:52:34] <jancoow> phunyguy: this looks good right? http://mxtoolbox.com/SuperTool.aspx?action=smtp%3ajancokock.me&run=toolpage[22:53:40] <phunyguy> jancoow, I am not the best person to ask on that stuff, but I also don't see any SPF or DKIM stuff.[22:56:08] <jancoow> phunyguy: well so far really thank you for asisting me[22:56:20] <phunyguy> you're welcome.[22:56:23] <jancoow> the tools says that my spf is online.. so it should be good now[22:58:43] <jancoow> nice emails dont come in my spam folder anymore[22:58:43] <jancoow> naice[23:00:25] <lunaphyte> there are many reasons for defaults. quite often those reasons are not because the defaults are the most secure[23:02:21] <pj> most secure != best[23:02:33] <lunaphyte> and there's subjectivity too[23:03:23] <pj> the ost secure thing you can do is to unplug your server, but that is certainly not best.[23:03:52] *** samgoody has quit IRC[23:04:29] <lunaphyte> wrt permit_mynetworks and permit_sasl_authenticated, the reasons those are there is largely "backwards compatibility"[23:04:39] <lunaphyte> doh. too slow :([23:04:49] <phunyguy> doh.[23:05:26] <lunaphyte> and, as you alluded to - note that those are not in fact defaults - but rather, modifications made by packagers[23:05:38] <phunyguy> yep.[23:05:48] <pj> yep. Well, personally I think that both should be removed from the shipped main.cf files.[23:05:58] <lunaphyte> i agree[23:06:16] <phunyguy> ok. Good discussion. I am still having a weird cert issue.[23:06:40] <lunaphyte> pastebin your current config[23:06:46] <phunyguy> sure.[23:07:05] <phunyguy> both postconf commands?[23:07:08] <lunaphyte> yes[23:07:13] <lunaphyte> always[23:07:15] <pj> also tbh, weitse tends to have a penchant for trying to continue to support allowing both submission and MX on port 25, eg: the addition of smtpd_relay_restrictions a couple years ago.[23:07:29] <lunaphyte> yeah[23:08:00] <lunaphyte> i can appreciate the impetus for that, but i also have reservations about the concessions made just for the sake of that compatibility[23:08:10] <lunaphyte> so it was nice to see compatibility_level added[23:08:40] <pj> Personally I find that distasteful. I think that spending time adding features to support such a broken configuration only helps to encourage people to use postfix that way.[23:08:57] <lunaphyte> yeah[23:09:14] <lunaphyte> oh, you mean compatibility_level?[23:09:27] <pj> no, I mean smtpd_relay...[23:09:36] <lunaphyte> oh. yeah, definitely.[23:09:37] <pj> compatibility_level is a good thing.[23:10:24] <phunyguy> lunaphyte, http://paste.ubuntu.com/14404828/[23:11:04] <phunyguy> probably a mess... but I am almost at my mental capacity here.[23:11:35] <phunyguy> brb... loo...[23:11:35] <lunaphyte> test your key and cert files with openssl [or gnutls] commands[23:11:43] <phunyguy> hang on, gimme 5 mins.[23:12:17] <lunaphyte> and on a side note, please use proper extensions for those files - hostname.tld-key.pem, hostname-tld-cert.pem[23:12:52] <lunaphyte> yes, that's another "self signed certificate" terminology pedantry[23:15:01] <phunyguy> okay.[23:15:10] <phunyguy> when you say test them...[23:15:25] <phunyguy> I do know they work for other things. I stole them from my openvpn instance.[23:15:54] <lunaphyte> with the key, openssl rsa -noout -text -in <filename>[23:15:58] <phunyguy> it is the server cert for the service.[23:16:22] <lunaphyte> with the cert, openssl x509 -in <filename> -noout -text[23:16:41] <lunaphyte> both commands should not return errors or otherwise fail, and should return human readable output[23:17:11] <lunaphyte> be it a modulus/etc for the key, subject/issuer/extensions/etc for the cert, so on[23:18:05] *** pti-jean_ has quit IRC[23:18:26] <phunyguy> yeah both look fine.[23:18:45] <lunaphyte> then test with s_client[23:19:05] <phunyguy> s_client...?[23:19:08] <phunyguy> sorry, new one to me[23:19:15] <lunaphyte> giyf[23:19:26] <phunyguy> I see you rolling your eyes over there. :P[23:20:06] <lunaphyte> not for unfamiliarity with a term. only for asking here instead of using your computer ;)[23:20:12] <lunaphyte> !encyclopedia[23:20:12] <knoba> lunaphyte: "encyclopedia" : please don't treat the people here as encyclopedias. if a term or concept is introduced that you're not familiar with, then use your favorite search engine and go read about it. do *not* immediately ask what is <newterm>?[23:20:44] <phunyguy> what is encyclopedia?[23:20:46] * phunyguy ducks[23:20:55] <lunaphyte> heh[23:22:30] <phunyguy> lunaphyte, http://paste.ubuntu.com/14404956/[23:23:02] <lunaphyte> flawed command[23:23:08] <phunyguy> probably[23:24:01] <lunaphyte> unless explcitely configured otherwise, postfix uses starttls for encryption negotiation. s_client, however, does not.[23:24:10] <lunaphyte> *explicitely[23:24:24] <phunyguy> ahh hang on[23:25:03] <phunyguy> is it safe to pastebin this output?[23:25:23] <phunyguy> eeek lots of pertinents in there.[23:25:49] <lunaphyte> it's not something i'd worry about. if you are concerned, use a pastebin which can be marked as private and with an expiration[23:26:04] <phunyguy> eah, just domain names and stuff in there.[23:26:06] <phunyguy> yeah*[23:26:38] <phunyguy> I'm weird about that stuff. But I can say that it is returning a cert, but it isn't trusted.[23:27:07] <lunaphyte> specify your root cert in your s_client command[23:27:17] <lunaphyte> or root cert bundle, etc[23:27:24] <phunyguy> root cert being CA?[23:27:41] <phunyguy> sorry[23:27:44] <phunyguy> goog;e[23:27:46] <phunyguy> google[23:28:07] <lunaphyte> yes, in a simple environment, those two terms are synonymous[23:28:42] <phunyguy> verify return:1[23:28:47] <phunyguy> looks okay?[23:29:49] <lunaphyte> in more complex environments [or for example with many/most commercial/public certificate providers], the ca cert is not necessarily the root cert[23:30:07] <lunaphyte> i don't have the output of s_client memorized[23:30:10] *** jancoow has quit IRC[23:30:15] <phunyguy> ahh, yeah that makes sense. Like startssl with their sub.class.something.or.other[23:30:22] <lunaphyte> right[23:30:38] <phunyguy> well I am not seeing any obvious errors.[23:30:50] <lunaphyte> can you perform a short smtp conversation?[23:30:59] <lunaphyte> ehlo [...]; quit; ?[23:31:15] <phunyguy> yes[23:32:09] <phunyguy> so, this is not a postfix problem it appears.[23:32:35] <lunaphyte> what is the client generating the postfix errors?[23:32:49] <phunyguy> android gmail client[23:32:59] <phunyguy> with this account mapped as imap/smtp[23:33:00] *** dstarh has quit IRC[23:33:16] <lunaphyte> i'd recommend testing functionality with k9[23:33:24] <phunyguy> best I can do here as thunderbird won't connect out[23:33:45] <lunaphyte> then, once you demonstrate it works, you can debate trying to convince other [possibly less functional] clients to work[23:35:32] <phunyguy> ooooh this actually is a client issue. I may have to delete it and readd it[23:35:58] <phunyguy> got an error while validating settings saying that the PublicKey has changed since initial connection. Which it has.[23:40:09] *** infides_afk has quit IRC[23:41:25] <phunyguy> oh boy, now my phone is hung.[23:43:55] <rob0> tmi![23:47:49] <phunyguy> alright, we are getting farther. It is now trying the external relay. I think I have a bum option... hang on.[23:50:54] *** d0nn1e has quit IRC[23:51:42] <phunyguy> lunaphyte, would you mind sharing the portion of your configs (home and relay) related to smtp_ (home) and smtpd_ (relay) ?[23:51:49] <phunyguy> so I can cross reference?[23:52:09] <phunyguy> if not, no worries.[23:53:08] *** d0nn1e has joined #postfix[23:53:48] <rob0> TLS certificate auth is covered in a section of this very long document:[23:53:52] <rob0> !tls[23:53:53] <knoba> rob0: "tls" : Transport Layer Security (RFC2246). Previously known as SSL, TLS adds a layer of encryption to protocols such as SMTP, submission, IMAP or POP3 to improve security during transmission over the Internet. TLS is implemented using the STARTTLS method, while the non-standard wrapper style of implementation is deprecated at this point. See http://www.postfix.org/TLS_README.html for more info.[23:54:05] <rob0> see the hyperlinks near the top[23:54:21] <rob0> to get to what you need quickly[23:54:48] <phunyguy> oh yay[23:57:38] <phunyguy> wow, k9 mail sure likes to fill ip/user slots