January 5, 2016 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
January 5, 2016 [00:06:11] *** pozitrono has quit IRC[00:08:40] <phunyguy> *grumble* certificate not trusted.[00:10:52] *** gu1lle_ has quit IRC[00:15:43] *** pozitron has joined #postfix[00:18:40] <lunaphyte> you must give your phone your root cert[00:19:07] <lunaphyte> i wouldn't recommend using my config as reference. it's better to develop your own, which we can help with[00:19:08] <phunyguy> no, this is from home server -> relay[00:19:18] <lunaphyte> oh[00:20:15] <phunyguy> so, for both sides, I need to configure all three... cert/key/CA, right?[00:20:37] <phunyguy> I am completely lost in the documentation.[00:21:04] <lunaphyte> i will tell you though that i use a separate service [and thus port - in my case, 10023] for the "special" between vps and home[00:21:17] <phunyguy> yeah that's fine.[00:21:21] <lunaphyte> it depends on which way you're talking about relaying mail[00:21:24] <phunyguy> I can probably make heads or tails of that.[00:21:38] <lunaphyte> do you want to relay both ways, and do cert auth both ways?[00:21:38] <phunyguy> I need the cert auth to work from home server outbound to relay.[00:21:49] <phunyguy> incoming can go over port 25.[00:22:14] <lunaphyte> "outbound to relay" is too ambiguous[00:22:20] <lunaphyte> what does that actually mean?[00:23:01] <phunyguy> mail is received from client on home server, which has no outbound port 25 access. So it needs to encrypt/authenticate to relay via submission through my vps.[00:23:12] <lunaphyte> ok[00:23:20] <lunaphyte> that wouldn't be submission then[00:23:28] <phunyguy> /headdesk[00:23:53] <lunaphyte> submission is between mail clients and mail servers only[00:24:02] <lunaphyte> to be specific, mail client means an mua[00:24:13] <phunyguy> k9, not postfix[00:24:19] <lunaphyte> right[00:24:19] <phunyguy> right?[00:24:22] <phunyguy> ok.[00:25:14] <phunyguy> so, I would need an additional smtp service listed in master.conf, with tls required.[00:25:21] <phunyguy> and something other than port 25...[00:25:22] <lunaphyte> and, to be fair, in terms of your headache, there always exists some degree of contextual variation in the definitions of these terms[00:25:30] <lunaphyte> yes[00:25:54] <lunaphyte> for this, you definitely don't want 25 [and can't anyway], and you probably don't really want traditional submission/587[00:26:05] <phunyguy> alright... I will try that when I get home... which I need to drive to now. Blasted hour-long commute.[00:26:11] <phunyguy> if you keep talking I will get it when I get home[00:26:13] <lunaphyte> although some might offer a plausible argument as to why submission *could* be appropriate[00:26:51] <phunyguy> I will look into that option when I get to the other side. Thanks for the help and hopefully see you in a bit.,[00:27:46] <lunaphyte> in your example: home -> vps - both home and vps postfix needs to be configure with key and cert. both can be signed by your private ca. that's fine[00:28:57] <lunaphyte> first, get relay from home to vps working with encryption. vps postfix presents cert, home postfix trusts vps postfix [by way of being configured to know about the root cert], and mail relay is successful[00:29:22] <lunaphyte> then move on the configuring home postfix to present cert to vps postfix, and vps postfix trusting cert provided by home postfix[00:29:29] <lunaphyte> off for a bit bbl[00:30:00] <lunaphyte> i used to have an hour long commute. it was awful. i consider myself extremely fortunate now that i don't[00:31:35] *** wdp has quit IRC[00:42:15] *** Haudegen has quit IRC[00:44:33] *** TyrfingMjolnir has joined #postfix[00:52:31] *** Southron has quit IRC[01:02:44] *** huddy has joined #postfix[01:04:30] *** Haudegen has joined #postfix[01:17:04] *** namyzarc has joined #postfix[01:26:00] <phunyguy> lunaphyte: I will give it my best.[01:29:25] *** grossing has quit IRC[01:40:59] *** TyrfingMjolnir has quit IRC[01:42:13] *** monkeynuts has joined #postfix[01:44:59] *** [44]_ has joined #postfix[01:46:52] *** grossing has joined #postfix[01:46:56] *** grossing has quit IRC[01:46:56] *** grossing has joined #postfix[01:47:55] *** [44] has quit IRC[01:50:09] *** pozitrono has joined #postfix[01:52:23] *** pozitron has quit IRC[01:52:51] <phunyguy> lunaphyte: so if smtp_tls options are set for key and cert, and the message gets delivered, is it safe to assume that the client trusted the server? (RE: your first directive to me to get the home server to trust VPS for relaying)[02:19:16] *** ek has joined #postfix[02:23:42] *** ek has quit IRC[02:24:17] *** ek has joined #postfix[02:34:59] *** [44]_ has quit IRC[02:40:57] *** monkeynuts has quit IRC[02:43:02] <phunyguy> actually... I purposely commented out one of the cert files on the VPS, and the client refused to send. So there is one half.[02:48:06] *** monkeynuts_ has joined #postfix[02:49:40] *** monkeynuts has joined #postfix[02:52:39] *** monkeynuts_ has quit IRC[02:55:23] <phunyguy> uhm it worked?[02:55:53] <phunyguy> you are gonna laugh when I tell you what the problem was.....[02:56:17] <phunyguy> the home server was using a "server" cert to act as a client.[02:56:27] <phunyguy> /headdesk[03:08:02] <phunyguy> oh wow this works so good. Even enforcing tls coming back from the VPS.[03:19:53] *** err-or has joined #postfix[03:23:45] *** err-or_ has quit IRC[03:29:49] <phunyguy> Thanks guys, I think I have what I need now. Learned a ton of stuff today. I really appreciate it. Beer is owed. Can I DCC it?[04:17:27] *** penrod has left #postfix[04:17:41] *** penrod has joined #postfix[04:18:16] *** doppo has quit IRC[04:41:58] *** lemondom has joined #postfix[04:45:37] *** Batch has quit IRC[04:57:36] *** TheAvatar has quit IRC[04:59:57] *** gu1lle_ has joined #postfix[05:12:39] *** edux has quit IRC[05:19:11] *** d0nn1e has quit IRC[05:19:37] *** knoxyy has joined #postfix[05:19:37] *** edux has joined #postfix[05:19:54] *** lemondom has quit IRC[05:23:28] <lunaphyte> on the vps side, smtpd_tls_key_file, smtpd_tls_cert_file, smtpd_tls_security_level=secure, smtpd_tls_req_ccert=yes, and smtpd_tls_loglevel = 1 are your friends[05:23:42] *** d0nn1e has joined #postfix[05:24:19] *** edux has quit IRC[05:25:05] <lunaphyte> on the home server side, smtp_tls_key_file, smtp_tls_cert_file, smtp_tls_security_level=secure, smtp_tls_loglevel = 1 and smtp_tls_note_starttls_offer = yes are your friends[05:26:33] <lunaphyte> then on the vps, use check_ccert_access to allow the home server to authenticate for relay by presenting it's cert[05:27:01] <lunaphyte> i'd also recommend smtp_tls_fingerprint_digest = sha1 and smtpd_tls_fingerprint_digest = sha1, as a matter of course[05:27:32] <phunyguy> oh boy[05:27:33] <lunaphyte> if you've done all that, and it's working and the logs indicate encryption is activ,e then yes, you should be in good shape[05:27:34] <phunyguy> more toys![05:27:56] *** githogori has joined #postfix[05:27:58] * phunyguy checks what he has for smtpd_tls_security_level[05:28:24] <phunyguy> I have encrypt[05:28:35] <phunyguy> secure seemed a bit... too much...[05:28:53] <phunyguy> I'd have to look at what the requirements were.[05:29:08] <lunaphyte> there is no secure for smtpd_tls_security_level[05:29:23] <phunyguy> what[05:29:27] <phunyguy> you just said it[05:29:28] *** knoxyy has quit IRC[05:29:29] <lunaphyte> oh, sorry, i mistyped[05:29:47] <lunaphyte> that should have said smtpd_tls_security_level=encrypt[05:30:11] <phunyguy> yeah, that's what I have on both ends.[05:31:33] <phunyguy> so, on the vps, I don't have check_ccert_access[05:31:46] <phunyguy> or at home for that matter, since both sides are essentially doing the same thing now[05:32:08] <lunaphyte> check_ccert_access is how you control which certs can be used[05:32:41] <phunyguy> oh.... hang on[05:33:12] <phunyguy> I had planned on restricting that to specific certs when all is finished.,[05:33:17] <phunyguy> is that what you are talking about?[05:33:22] <lunaphyte> yes[05:33:44] * phunyguy scratches[05:33:54] <lunaphyte> permit_tls_all_clientcerts allows all certs which can be traced to a known root[05:34:07] <phunyguy> yep.. still too open, which I will fix.[05:34:20] <phunyguy> I want to get it all working first, then I can tweak.[05:34:38] <lunaphyte> psuedo effective, but rather open ended, potentially, and risks being disastrous given a simple config mistake[05:34:40] <phunyguy> a know root...[05:34:46] <phunyguy> known*[05:34:57] <phunyguy> that's the part that makes me nervous, but I know what you mean[05:35:02] <phunyguy> any cert in this chain can relay.[05:35:21] <phunyguy> and there is no CRL mechanism.[05:36:31] <phunyguy> lunaphyte: oh that was the other thing. -o smtpd_tls_req_ccert=yes[05:36:33] <lunaphyte> not only that, if you [as you generaly should] specify your system's root ca store in smtpd_tls_CAfile or smtpd_tls_CApath, then any cert isgned by any root can relay[05:36:46] <lunaphyte> *signed[05:37:05] <phunyguy> OH, yeah that would be bad.[05:37:12] <phunyguy> I didn't do that.[05:37:18] <phunyguy> ☺[05:38:04] *** joules has quit IRC[05:38:20] <phunyguy> This stuff is gonna give me an ulcer[05:38:26] <lunaphyte> :)[05:38:28] <lunaphyte> nah[05:38:54] <lunaphyte> not as big of an ulcer than you'd get were something to happen you could have prevented by doing this ;)[05:39:06] <phunyguy> yep... just have to load the necessary fingerprints, etc to restrict to certain ones.[05:39:25] <phunyguy> probably a job for tomorrow.[05:39:35] <phunyguy> My brain is now soup.[05:40:31] <phunyguy> and I am on my last inch of beer in the glass. (also fridge)[05:41:59] <lunaphyte> oif you haven't already, you'll likely also want to set up a separate transport on the home server for relaying to the vps, so you can make any fine tuning adjustments that may be desired without impacting the existing global elements of the config[05:42:09] <lunaphyte> *oh - if[05:42:57] <phunyguy> hmmm[05:43:08] <phunyguy> Yeah that is what I did[05:43:23] <phunyguy> specified all the stuff for each specific transport in /etc/postfix/master.cf[05:43:37] <phunyguy> with generic stuff like cert paths, etc, in main.cf[05:43:42] <lunaphyte> and - naturally, if it's not already occurring to you, you probably want to do this same exercise, in the other direction, for mail flowing from your vps to your home server - assuming there is mail flowing in that direction[05:44:08] <lunaphyte> well, sounds like you're on the right track then[05:44:16] <phunyguy> I did. no more port 25 action, except from VPS in/out to/from THE INTERWEBS[05:44:31] <phunyguy> all port 10025 now on separate transports.[05:44:44] <lunaphyte> sounds good[05:44:45] <phunyguy> no more submission on relays...[05:44:52] <phunyguy> only submission on home server for clients.[05:44:57] * phunyguy flexes[05:45:08] * phunyguy gulps down the last inch of beer[05:45:24] <lunaphyte> if i recall, there were some other areas of deficiency in your last pastebin i looked at that you may want to tend to[05:45:25] <phunyguy> you have been a fantastic help here.[05:45:50] <phunyguy> maybe if I am feeling froggy tomorrow I will pastebin home server and vps configs for you to eye over.[05:46:00] <phunyguy> see if same deficiencies exist.[05:46:20] <lunaphyte> it's time for sleep here though, so if you have any interest in that, or general critque of your current overall config, i'll be around tomorrow [and plenty of other very helpful folks will too i'm sure][05:46:27] <lunaphyte> *critique[05:46:36] <phunyguy> yes. That would be lovely. Sleep here too.[05:46:58] <lunaphyte> enjoy your pki nightmares[05:47:03] <phunyguy> ♥[05:47:05] <phunyguy> ditto.[05:49:34] *** namyzarc has quit IRC[05:51:11] *** penrod has left #postfix[06:58:38] *** joules has joined #postfix[06:59:45] *** edux has joined #postfix[07:05:52] *** edux has quit IRC[07:26:13] *** Tourist has joined #postfix[07:47:34] *** gu1lle_ has quit IRC[08:03:21] *** edux has joined #postfix[08:04:45] *** d0nn1e has quit IRC[08:08:04] *** d0nn1e has joined #postfix[08:08:04] *** edux has quit IRC[08:13:03] *** d0nn1e has quit IRC[08:17:34] *** d0nn1e has joined #postfix[08:18:13] *** carl- has joined #postfix[08:18:27] *** hdon has joined #postfix[08:19:16] <hdon> hi all :) i want to take a queued email and re-send it to another address. i can get it with postcat, but i am not sure what to do then in order to keep the email as pristine as possible.[08:39:25] *** hdon has quit IRC[08:45:57] *** zorg1 has joined #postfix[08:50:26] *** TheAvatar has joined #postfix[09:06:51] *** edux has joined #postfix[09:10:46] *** SCHAAP137 has joined #postfix[09:11:56] *** edux has quit IRC[09:20:21] *** irctc244 has joined #postfix[09:20:54] *** irctc244 has quit IRC[09:25:04] *** edux has joined #postfix[09:30:07] *** edux has quit IRC[09:41:24] *** shoonya has joined #postfix[09:43:18] *** edux has joined #postfix[09:45:53] *** TyrfingMjolnir has joined #postfix[09:47:57] *** TyrfingMjolnir_ has joined #postfix[09:47:59] *** edux has quit IRC[09:49:42] *** lrea has joined #postfix[09:50:36] *** TyrfingMjolnir has quit IRC[09:50:36] *** TyrfingMjolnir_ is now known as TyrfingMjolnir[09:57:48] <shoonya> facing a strange problem, a message is received from GMAIL by postifix and there is log entry for this in maillog, but this message is not going to amavis and and also no further info available in the maillog reg this msg[09:57:55] <shoonya> how to troubleshoot[09:59:04] <shoonya> this is happening in case of a particular sender only, other msgs received from GMAIL ids are properly working (received and delivered to local users)[09:59:18] <shoonya> can someone help me on this[10:02:24] <Zerberus> !tell shoonya getting_help[10:02:24] <knoba> shoonya: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[10:06:48] *** samgoody has joined #postfix[10:10:15] *** pozitrono has quit IRC[10:19:50] *** skylite_ has joined #postfix[10:20:45] *** shoonya has quit IRC[10:37:47] *** edux has joined #postfix[10:42:35] *** edux has quit IRC[10:51:07] *** joules has quit IRC[10:51:38] *** joules has joined #postfix[10:51:43] *** infides_afk has joined #postfix[11:00:34] *** joules has quit IRC[11:02:05] *** teraflops has joined #postfix[11:03:16] <teraflops> hi, I need to check spam rules in a production server, is there a sane way of doing it? some email send thingy or something like that?[11:25:23] <pj> check in what way?[11:27:22] <pj> !tell teraflops gtube[11:27:22] <knoba> teraflops: "gtube" : Generic Test for Unsolicited Bulk Email - an eicar.com like spam signature that always should trigger spam filters. See http://spamassassin.apache.org/gtube/ or get the string here: !gtube_string[11:27:38] <pj> teraflops: is that what you want? ^^^^^[11:27:40] <teraflops> pj: ohh thanks[11:27:49] <pj> yw[11:27:53] <pj> there is also...[11:27:57] <pj> !eicar[11:27:57] <knoba> pj: "eicar" : A test signature that is detected by all common virus scanners. It is not a virus and thus completely harmless. Get the file from http://en.wikipedia.org/wiki/EICAR_test_file , or just !eicar_string[11:28:09] <samgoody> In the opendkim tutorial by digital ocean (https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy) they suggest a format for the KeyTable:[11:28:22] <samgoody> mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private[11:28:35] <teraflops> pj: thanks i was suscribing to all the shit i was able to find, your suggestions looks way better[11:28:59] <samgoody> Is that (_domainkey) supposed to resolve to a real domain name or host?[11:29:18] <pj> teraflops: it's a very basic test, it just tells you if the filters are working or not, it doesn't say anything about how effective they are against certain types of SPAM.[11:29:36] <pj> samgoody: no[11:29:40] <samgoody> And is "example.com" as used there, supposed to be the name of the domain or the name of the server?[11:29:56] <teraflops> pj: well seems ok, thanks[11:29:57] <pj> samgoody: probably, but that is off-topic discussion for #postfix[11:30:07] <samgoody> OK, thanks[11:31:44] <survietamine> of the domain[11:32:56] <pj> samgoody: also I never recommend 3rd-party tutorials, you should be using the docs taht come with postfix and opendkim for reference, not some tutorial.[11:33:04] *** sara2010 has joined #postfix[11:33:13] <sara2010> any one help me[11:33:27] <pj> !tell sara2010 welcome[11:33:27] <knoba> sara2010: "welcome" : Welcome to #postfix! If you're new here, or to IRC, first read the channel topic (/topic). It has important instructions on how to ask good questions. You will get more and better help if you follow those instructions. Good Luck![11:34:05] <sara2010> pj: nable to send emails to any domains[11:34:46] <pj> sara2010: yep, please follow these directions...[11:34:52] <pj> !tell sara2010 getting_help[11:34:52] <knoba> sara2010: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[11:35:09] *** lemondom has joined #postfix[11:36:21] <sara2010> i don't understand[11:37:28] <pj> sara2010: I need more information to properly diagnose your problem, the instructions in that factoid will tell you how to provide that info.[11:38:08] <pj> !tell sara2010 factoid_read[11:38:09] <knoba> sara2010: "factoid_read" : If you're instructed to read a factoid you should type a ! followed by the name of the factoid into the channel and the bot will return the factoid text to you. For example to read the !relevant_logs factoid type !relevant_logs on a line by itself in the channel.[11:38:19] <sara2010> pj: what kinda information ![11:38:30] <pj> [23:34] <knoba> sara2010: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[11:39:10] <samgoody> sara2010, You seem new to IRC. A few things that might help:[11:39:35] <sara2010> samgoody: yes i new :([11:40:24] <sara2010> samgoody: unable to send emails to any domains, locally its working[11:40:25] <samgoody> 1. Don't EVER post more than two lines of content. If you have a lot of content to show, go to a site like http://pastebin.ca/ and copy in the text (more on this in a minute)[11:40:53] <sara2010> samgoody: .. main.cf ?[11:41:03] <pj> sara2010: knoba is a bot, it pulls up informational text on demand, I have instructed the bot to give you some informational text which you need to follow.[11:41:30] <samgoody> 2. People at channels like postfix and the like are the top of their profession, and may somtimes be, um, abrasive to newbies. You are probably better starting off asking for help on a local genral community like #linode or #digitalocean[11:41:33] <sara2010> pj: my english is not good ![11:42:03] <pj> sara2010: yes, I can tell, but this is an english-speakign channel, so you will have to make do...[11:42:10] <pj> I will help you...[11:42:23] <pj> !relevant_logs[11:42:23] <knoba> pj: "relevant_logs" : Relevant logs are mail.* syslog Postfix logs (NOT verbose, see !verbose) which show the entire handling of a single mail which illustrates the issue with which you want help. Random selections from your mail log might not do. IMAP/POP3 daemons and external delivery agents typically log to the same facility (mail); those are usually not relevant here.[11:42:33] <samgoody> 3. In order to be able to help, we need to know your current settings. Typeing in postconf -nf is an example of the type of settings you will need. But again, never put the results here, but rather on a pasting site[11:42:37] <pj> sara2010: can you understand these instructions from knoba? ^^^^^[11:42:44] <sara2010> pj: i have to do .. can i paste main.cf on pastebin ?[11:42:59] <pj> sara2010: no, no where did I or the bot ask you for main.cf[11:43:04] <survietamine> you'd better pay someone if you cannot read/write basic english en follow instructions on IRC :/[11:43:08] <pj> it simply asked you to read some factoids.[11:43:23] <pj> !tell sara2010 showconfig[11:43:23] <knoba> sara2010: "showconfig" : when asked to provide your config, pastebin postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[11:43:26] <survietamine> because setup/configure a mail server is more difficult[11:43:39] <survietamine> s/en/and[11:43:45] <samgoody> Seriously, you would be better off in a general community. They are likely to be able to help if your problem is not too deep. Who is your hosting company?[11:43:57] <sara2010> okay[11:44:19] <sara2010> now i understand knoba[11:44:23] <pj> ok, good[11:44:41] <sara2010> letme show on pastebin[11:44:52] <pj> so please read the !relevant_logs and !showconfig factoids from knoba and yes, show the resulting info in a pastebin.[11:45:04] <pj> I understand your lack of english so I will give yo some leeway.[11:45:31] <sara2010> thanks[11:46:45] <sara2010> http://pastebin.centos.org/37681/[11:47:38] <sara2010> http://pastebin.centos.org/37686/[11:47:50] <survietamine> lol[11:48:09] <pj> sara2010: you need to follow this instead...[11:48:13] <pj> !showconfig_old[11:48:13] <knoba> pj: "showconfig_old" : for versions of postfix < 2.9, pastebin postconf -n and the contents of master.cf with comments removed[11:50:39] <sara2010> http://pastebin.centos.org/37691/[11:51:46] <sara2010> http://pastebin.centos.org/37696/[11:51:47] <survietamine> pj, the most patient guy on #postfix :)[11:52:28] <sara2010> :([11:54:40] <survietamine> so, you sent mails with sasl authenticated and it was refused? Do you have log snippets?[11:56:13] <sara2010> survietamine: should i send you logs ?[11:57:39] <survietamine> not to me :)[11:57:42] <survietamine> !relevant_logs[11:57:43] <knoba> survietamine: "relevant_logs" : Relevant logs are mail.* syslog Postfix logs (NOT verbose, see !verbose) which show the entire handling of a single mail which illustrates the issue with which you want help. Random selections from your mail log might not do. IMAP/POP3 daemons and external delivery agents typically log to the same facility (mail); those are usually not relevant here.[11:58:21] <survietamine> paste it somewhere, anyway, I'm going to lunch and pj is more helpful than me[11:58:23] <pj> sara2010: sorry I had to go away for a bit, let me have a look at what you pasted and yes, please follow !relevant_logs.[11:58:59] <pj> the logs is actually the most important bit.[12:00:04] <sara2010> okay[12:03:15] <samgoody> Offtopic - does anyone here know if it is OK to use the same private key for multiple domains with opendkim?[12:03:40] <pj> samgoody: yep, that's fine.[12:03:56] <samgoody> thanks.[12:04:10] <sara2010> http://pastebin.centos.org/37701/[12:05:11] <pj> sara2010: two issues...[12:05:43] <pj> first off, is this server on a residential IP?[12:07:07] <sara2010> server have live ip[12:07:25] <pj> that's now what I asked.[12:07:28] <pj> *not[12:07:50] <sara2010> then[12:07:58] <pj> the server cannot make outbound connections on port 25[12:08:30] <pj> the error message indicates a network routing issue, but it could also be a firewall issue, or a port 25 block by your host.[12:08:37] <pj> !tell sara2010 port_25_block[12:08:38] <knoba> sara2010: "port_25_block" : Many consumer-grade ISPs (and some which claim to be for business, such as Godaddy) block outbound port 25/tcp traffic to prevent abuse from their network. If your ISP does this, you should see the !basic and !relayhost factoids. Or, upgrade to business-class service (or change ISP if you already had it.)[12:08:53] <pj> brb[12:09:01] <sara2010> tyt[12:09:06] <sara2010> i m here[12:10:32] *** samgoody has quit IRC[12:10:59] *** edux has joined #postfix[12:15:20] *** edux has quit IRC[12:19:16] <pj> sara2010: the other issue is you don't have TLS properly configured.[12:19:25] <pj> but you need to fix the networking issue first.[12:19:50] *** edux has joined #postfix[12:20:23] <pj> sara2010: what happens if you issue the following command on the server: telnet 192.254.186.200 25[12:24:31] <sara2010> http://pastebin.centos.org/37706/[12:24:47] *** edux has quit IRC[12:29:08] *** edux has joined #postfix[12:30:24] *** pti-jean_ has joined #postfix[12:31:37] <pj> sara2010: hrmmmm, I expected that not to work, one min...[12:32:56] <sara2010> pj: what is the issue .. you understand[12:33:00] <sysmonk> pj: different IP[12:33:50] *** edux has quit IRC[12:36:26] <pj> sysmonk: nope, the telnet command specified the IP[12:36:47] <pj> oh it is[12:36:59] <pj> sara2010: why did you put a differnet IP in your telnet command than I told you to?[12:39:01] <sara2010> pj: which ip should i put ?[12:39:30] <pj> [00:20] <pj> sara2010: what happens if you issue the following command on the server: telnet 192.254.186.200 25[12:39:32] <sara2010> telnet: connect to address 192.254.186.200: No route to host[12:40:01] <pj> right, that's what I thought, so what exactly is 180.9.50.20, then?[12:40:15] <pj> is that your hosts mail server?[12:40:54] <sara2010> that right ip is referent[12:41:12] <pj> sara2010: I dont' understand you[12:42:19] <sara2010> pj: if 25 port is block from ISP[12:42:35] <pj> sara2010: I believe it is in your case.[12:42:38] <sara2010> then i can't receive mail from others[12:43:02] <pj> no, a port 25 block means you can't *send* mail out to the general internet.[12:43:10] *** Haudegen has quit IRC[12:43:16] <pj> a properly implemented port 25 block will not prevent you from receiving mail.[12:44:31] <sara2010> pj: you right maybe post is block i will check it from ISP[12:44:43] <sara2010> pj: i will be with you soon ![12:45:01] <pj> sara2010: ok, once you get that fixed we will tackle your TLS issues.[12:45:30] <sara2010> thanks[12:45:33] *** samgoody has joined #postfix[12:45:34] <pj> sysmonk: thanks for pointing out the IP discrepancy, I missed that.[12:46:52] <sysmonk> pj: you need bigger glasses, the 5cm thick don't do the job anymore![12:46:53] <sysmonk> :)[12:47:14] *** edux has joined #postfix[12:47:28] <pj> sysmonk: I need to get my eyes checked, certainly, my eyesight is starting to fail.[12:47:53] <pj> been having a lot of difficulty reading fine print that I used to be able to read in the past.[12:48:01] <sysmonk> yeah, i might need to do that aswell. so far everything was good, didn't need glasses. but you know, getting old :([12:48:37] <pj> sysmonk: yep, I turn 43 at the end of this month, so just getting old.[12:48:54] * sysmonk hides with his 29[12:48:58] <pj> hehehe[12:49:17] <pj> well, I've been lucky to live up to this point in my life without needing glasses.[12:49:38] <sysmonk> yep, last year i had something wrong with my eyes for a few weeks[12:49:51] <sysmonk> but i was out in japan, so i didn't want to go doc's in .jp[12:49:59] <sysmonk> but by the time i got back it started to get better[12:50:22] <pj> hehehe, must've just been because you were in jp[12:50:38] <sysmonk> nah, it started in the morning before my trip[12:50:43] <sysmonk> the best timing, as always[12:51:34] <Laban> Stop poking your eyes with chopsticks! Pro Tip.[12:51:47] *** edux has quit IRC[12:51:50] <sysmonk> pj: well, at least we're not old as some other guys out here![12:51:53] * sysmonk looks for cpm[12:52:02] <pj> hehehe[12:52:22] <sysmonk> Laban: those are for ears, not eyes. i'm not stupid.[12:52:50] <sysmonk> k, back to work![12:53:41] <Laban> :)[12:53:55] <pj> and I think I'll be heading to bed soon.[13:01:45] *** lucascastro has joined #postfix[13:01:58] *** infides_afk has quit IRC[13:03:34] *** infides_afk has joined #postfix[13:10:18] *** samgoody has quit IRC[13:15:08] *** ikonia has quit IRC[13:17:38] *** Haudegen has joined #postfix[13:19:56] *** ikonia has joined #postfix[13:24:07] *** sara2010 has quit IRC[13:31:43] *** davlefouAMD has joined #postfix[13:35:46] *** d0nn1e has quit IRC[13:37:02] *** d0nn1e has joined #postfix[13:41:35] *** edux has joined #postfix[13:42:53] *** TyrfingMjolnir has quit IRC[13:46:18] *** edux has quit IRC[13:48:25] *** Ssquidly has quit IRC[13:49:16] *** Ssquidly has joined #postfix[13:50:53] *** edux has joined #postfix[13:52:12] *** Ssquidly has quit IRC[13:53:04] *** Ssquidly has joined #postfix[13:55:05] *** edux has quit IRC[13:59:49] *** edux has joined #postfix[14:04:26] *** edux has quit IRC[14:09:02] *** edux has joined #postfix[14:13:29] *** edux has quit IRC[14:21:19] *** TyrfingMjolnir has joined #postfix[14:25:00] <thumbs> pj in jp[14:30:32] *** Batch has joined #postfix[14:35:22] *** edux has joined #postfix[14:36:42] <Tuxick> since after holidays i keep getting "enabling PIX workarounds"[14:36:54] <Tuxick> some automagic feature?[14:37:07] *** oktaya has joined #postfix[14:37:18] <Tuxick> looks like govt sexchange clowns replaced the broken ironport with pix :)[14:37:27] <lunaphyte> !smtp_pix_workarounds[14:37:28] <knoba> lunaphyte: Error: "smtp_pix_workarounds" is not a valid command.[14:37:31] <lunaphyte> yes it is[14:37:36] <Tuxick> nice[14:37:40] <lunaphyte> anyway, see man 5 postconf - smtp_pix_workarounds[14:37:42] <lunaphyte> and friends[14:38:24] <Tuxick> menice[14:38:25] <Dominian> !pix[14:38:25] <knoba> Dominian: "pix" : see !cisco_pix[14:38:27] <Tuxick> nice[14:38:28] *** oktaya has quit IRC[14:38:32] <Dominian> !cisco_pix[14:38:33] <knoba> Dominian: "cisco_pix" : The Cisco PIX and ASA firewall has a SMTP proxy feature called SMTP Fixup which breaks ESMTP. If your Postfix server is behind such a firewall you should disable this feature.[14:38:37] <Tuxick> those guys are unbelievable[14:38:45] <lunaphyte> yes. awful products[14:38:56] <Tuxick> i'd had to think of workarounds for their incompetence for 7 years now[14:38:58] <Dominian> They aren't bad as lon gas you remember to turn off fixup[14:39:06] <Tuxick> and they manage to find another screwup[14:39:11] <lunaphyte> that factoid should probaby be brought up to date though, now that they have "rebranded" many features[14:39:20] <lunaphyte> err, s/features/behaviors/[14:40:45] <Dominian> yeah..[14:40:50] <Dominian> PIX = fixup ASA = inspect[14:41:01] *** lucascastro has quit IRC[14:41:29] <Tuxick> i'm a bit pissed off though, it's also my tax money wasted on those incompetents[14:41:46] <Dominian> I must've missed something[14:42:37] <Tuxick> it's government mail service been wasting my time for years now[14:43:35] <Tuxick> first needed smtp_tls_policy_maps because they used broken ironport[14:43:41] <Tuxick> with default certs[14:44:50] <Dominian> ahhh[14:45:17] <Tuxick> i don't even want to know how much money they wast on/because of those clowns[14:45:21] <Tuxick> waste[14:45:38] *** ThomasKeller has quit IRC[14:49:15] *** dstarh has joined #postfix[14:55:17] *** edux__ has joined #postfix[14:58:58] *** edux has quit IRC[14:59:55] *** lucascastro has joined #postfix[15:08:51] *** nh2 has joined #postfix[15:10:03] <nh2> hi, on http://www.postfix.org/MYSQL_README.html the query looks like `query = SELECT forw_addr FROM mxaliases WHERE alias='%s'`.[15:10:04] <nh2> Is this a literal input for sprintf(), or is there something in Postfix that guards against an SQL injection here?[15:16:17] *** robinho86 has joined #postfix[15:17:30] *** stemid has joined #postfix[15:18:04] <stemid> does anyone know how to get smtpd-policy.pl? some tutorials online mention this as being bundled with postfix, but it's not on my system and I can't find it available in the package manager. rhel 6. goal is to use it for spf.[15:18:32] <Tuxick> what is your goal?[15:18:42] <stemid> goal is to use it for spf.[15:18:45] <Tuxick> oh, rhel, so goal is pain[15:18:53] <stemid> life is pain[15:19:32] <Tuxick> just spf?[15:19:40] <Tuxick> that won't help you much[15:19:53] <stemid> greylist.pl was included in the package[15:19:58] <stemid> so I'm not missing that[15:20:48] <Tuxick> i think you're be a lot better off simply using amavis or spamassasin[15:21:04] <Tuxick> perhaps postscreen[15:24:19] <stemid> well it might not matter because I will likely try to use the postfix-policyd-spf package from openspf.org instead.[15:24:28] *** doppo has joined #postfix[15:25:04] *** doppo has quit IRC[15:25:25] *** doppo has joined #postfix[15:26:59] *** daemon has joined #postfix[15:27:07] <daemon> hey all im following a guide: http://www.code2control.com/2013/12/setup-postfix-zoho-mail-ubuntu/[15:27:20] <daemon> but when I get to: sudo postmap sasl_passwd[15:27:34] <daemon> I get: postmap: fatal: open sasl_passwd: No such file or directory[15:27:45] <daemon> does that mean I am missing some binary[15:27:48] <daemon> or some software[15:27:57] <lunaphyte> first, stop using sudo for that[15:28:16] <lunaphyte> second no guides please[15:28:50] <stemid> daemon: you missed a step in part 2[15:29:12] <lunaphyte> lastly, does that file exist?[15:29:42] <daemon> yes[15:30:16] <daemon> http://paste.ee/p/TE3oG[15:31:43] <daemon> I have it specified in main.cf[15:31:45] <daemon> as smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd[15:31:59] <lunaphyte> become root, then do cd /etc/postfix, then do postmap sasl_passwd[15:32:36] <daemon> no error[15:32:39] <daemon> let me try a test mail[15:33:07] <lunaphyte> doesn't zoho just support regular submission? why are they still telling people to use smtps, which has been deprecated now for over 15 years?[15:34:07] <daemon> Jan 5 14:32:21 ip-172-31-32-243 postfix/smtp[5027]: warning: hash:/etc/postfix/sasl_passwd lookup error for "127.0.0.1"[15:34:10] <daemon> odd[15:34:18] <daemon> there is a deffinate map for 127.0.0.1[15:34:30] <lunaphyte> test with postmap -q[15:34:31] <daemon> lunaphyte, nope smtps only[15:35:49] <lunaphyte> that is really awful[15:42:13] *** FinboySlick has joined #postfix[15:45:21] *** ThomasKeller has joined #postfix[15:52:05] *** zapata has joined #postfix[15:53:02] *** carl- has quit IRC[15:56:29] *** carl- has joined #postfix[15:58:50] *** Batch has quit IRC[15:59:58] <phunyguy> lunaphyte: one of the two (identical) VPSs: http://paste.ubuntu.com/14411039/, and home server: http://paste.ubuntu.com/14411083/ - feel free to critique. (anyone else too)[16:01:09] <phunyguy> I suppose I could move the smtpd_tls_security_level=encrypt to main.cf...[16:01:43] <phunyguy> plus I still have bad file extensions for the certs[16:05:30] <lunaphyte> !tell phunyguy duplicates[16:05:30] <knoba> phunyguy: "duplicates" : the following can be used to list redundant settings defined in main.cf: (postconf -d; postconf -n) | sort | uniq -d - also see !compare[16:05:46] <lunaphyte> looks like you have redundant values in main.cf which are already the defaults[16:05:53] <lunaphyte> hmm, maybe that's a better term for that factoid[16:06:15] <lunaphyte> duplicates seems to sometimes confuse people into thinking it means they have it twice in main.cf[16:06:31] <daemon> hey all redmine is using sendmail to send emails[16:06:42] <daemon> but its obsessed it wants to add ' at example dot net' as the host[16:06:51] <daemon> can I tell postfix to overwrite example.net with my host[16:06:56] *** lrea has left #postfix[16:07:03] <daemon> when iots called directly[16:07:27] <phunyguy> lunaphyte: hmm. I will take a look[16:07:33] <phunyguy> anything that makes the config easier[16:07:56] <lunaphyte> mailbox_size_limit = 0 ; bad. don't do that[16:08:11] <lunaphyte> smtp_use_tls = yes; deprepcated, remove[16:08:15] <lunaphyte> ugh[16:08:19] <lunaphyte> *deprecated[16:09:09] <phunyguy> the mailbox one I think was default.[16:09:11] *** carl- has quit IRC[16:09:15] <phunyguy> could be mistaken though[16:09:30] <phunyguy> I probably am[16:09:49] <phunyguy> forgot this was a frankensteined gentoo config.[16:09:50] <lunaphyte> that would be alarming, and should immediately have a high severity bug filed against the package if that is the case[16:10:36] <lunaphyte> tls_append_default_CA is not likely to be something you want[16:11:51] <lunaphyte> also, i prefer to put thing in smtpd_recipient_restrictions, and leave smtpd_relay_restrictions set to empty[16:12:03] <lunaphyte> smtpd_client_restrictions should just be smtpd_recipient_restrictions[16:12:44] <phunyguy> smtpd_relay_restrictions has some sane defaults then I imagine[16:13:08] <lunaphyte> well, perhaps, but i meant literally set it to the empty string[16:13:24] <phunyguy> oh[16:13:32] <lunaphyte> it's defaults are sane, but it interferes with things when it's not needed/wanted[16:13:59] <lunaphyte> on your home server, don't use postscreen [all mail traffic is coming from muas and the vos, right]?[16:14:13] <rob0> it's defaults are sane, but it interferes with things when its not needed/wanted[16:14:21] <phunyguy> ahh yep, missed that[16:14:31] <lunaphyte> smtpd_use_tls = yes deprecated like its partner[16:15:50] <lunaphyte> i would also recommend submission overrides for all smtpd_*_restrictions[16:15:52] <daemon> so anyway at all?[16:17:17] <phunyguy> lunaphyte: overrides as in less restrictive?[16:17:27] <rob0> daemon, the question doesn't make sense, because generally the sender address is set by the MUA. But you can look at:[16:17:34] <rob0> !myorigin[16:17:34] <knoba> rob0: "myorigin" : a configuration parameter in the main.cf: The default domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default $myhostname, which is fine for small sites. If you run a domain with multiple machines, you should (1) change this to $mydomain and (2) set up a domain-wide alias database that aliases each user to user at that dot users.mailhost.[16:17:35] <lunaphyte> as in -o [smtpd[...]][16:17:43] <rob0> and also:[16:17:48] <rob0> !rewrite[16:17:48] <knoba> rob0: "rewrite" : Postfix Address Rewriting features, see http://www.postfix.org/ADDRESS_REWRITING_README.html[16:17:50] <phunyguy> lunaphyte: yeah I get that much[16:17:55] <daemon> rob0, thank you[16:18:09] <lunaphyte> phunyguy: oh. as in set to empty, except recipient[16:18:30] <lunaphyte> so global changes don't inadvertantly impact the submission service[16:19:03] <phunyguy> recipient should be the same as relay?[16:19:11] <lunaphyte> i'd set relay to empty[16:19:14] <lunaphyte> only use recipient[16:19:22] <phunyguy> hmm I don't understand that one[16:19:57] <lunaphyte> life began [mostly] with client/helo/sender/recipient/ restrictions.[16:19:57] <rob0> smtpd_relay_restrictions controls relaying (to domains which are not yours)[16:20:16] <phunyguy> rob0: yes and I want to allow that on submission port[16:20:27] <rob0> If smtpd_relay_restrictions are set empty, smtpd_recipient_restrictions control relaying.[16:20:35] <rob0> !tell phunyguy access[16:20:36] <knoba> phunyguy: "access" : http://www.postfix.org/SMTPD_ACCESS_README.html : An overview of access(5) controls in the Postfix smtpd(8) SMTP server.[16:20:40] <phunyguy> ahhh[16:20:41] <rob0> ^^ has a chart[16:20:52] <lunaphyte> recently, relay was added, but it was to deal with people who use port 25 for both mx and submission [which is huge no no], and also configure things shitty[16:21:15] <phunyguy> gasp you said a swear[16:21:22] <phunyguy> (lol ubuntu)[16:22:26] *** CyberDems has quit IRC[16:22:36] <phunyguy> This is good info[16:22:52] *** CyberDems has joined #postfix[16:23:38] <lunaphyte> i prefer to keep things simple, and not use a settings that exists only for idiots[16:23:42] <phunyguy> so so to recap for that piece, on submission, all smtpd_*_restrictions set blank, except for recipient, which should be permit_sasl_authenticated,reject[16:23:52] <lunaphyte> yes[16:23:57] <phunyguy> got it.[16:24:09] <lunaphyte> and you should include some other basic restrictions as well, imho[16:24:41] <phunyguy> on port 10025, -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject - and -o smtpd_client_restrictions=$smtpd_recipient_restrictions ?[16:24:58] <phunyguy> hmmm[16:27:56] <phunyguy> oh lunaphyte, on port 10025 on home server... wouldn't that allow relaying then for machines in and out of my network set to send system mail to my account? I wanted to avoid doing that.[16:29:16] <phunyguy> don't need some malware abusing the mta locally on that box.[16:29:26] <phunyguy> (on the boxes that send system mail out)[16:29:29] <mage_> hello, I have an HAProxy in front of my Postfix servers and I've activated the "check" option in HAProxy which result in a lot of https://gist.github.com/silenius/a1e87e0ac693f9f3edd7 ... (every second) is there a way to avoid that ?[16:30:47] <lunaphyte> phunyguy: i'm having trouble parsing that[16:30:54] *** dstarh has quit IRC[16:31:04] <phunyguy> sorry, I am still coffeeing.[16:31:23] <lunaphyte> mage_: avoid what exactly?[16:31:41] *** skylite_ has quit IRC[16:31:43] <lunaphyte> you told haproxy to continuously connect to postfix. how is postfix supposed to avoid that?[16:32:11] <mage_> avoid those 7 lines in my logs every second[16:32:16] <phunyguy> So, the idea was to use port 10025 for other systems to send their messages to the root account, to my mailbox. If I allow relaying in that direction, anything on that box that wants to send mail out.. can...[16:32:22] <phunyguy> or am I off-kilter there?[16:32:37] <lunaphyte> mage_: use a syslog daemon which can selectively discard those lines[16:32:39] <mage_> lunaphyte: sorry I was not clear.. I just want to avoid the info in the postfix logs[16:33:06] <mage_> ok.. I'm using FreeBSD I'll take a look if this is supported[16:33:33] <phunyguy> lunaphyte: I am running through the scenario in my head, and it seems like a bad idea.[16:33:33] <lunaphyte> phunyguy: i thought 10025 was for mail from the vps to home?[16:33:46] <phunyguy> lunaphyte: yes, among other things.[16:34:05] *** lemondom has left #postfix[16:34:05] <lunaphyte> hmm[16:34:20] <phunyguy> initially that was the plan, but I also need a path for those boxes to send system mail.[16:34:32] <phunyguy> figured port 10025 was a good choice for that as well... no?[16:34:43] <lunaphyte> the port number is fine [well, mostly-ish][16:34:53] <phunyguy> I mean the one I defined with settings[16:37:09] <lunaphyte> interesting[16:37:15] <phunyguy> my train of thought was, "I need a path for outgoing and incoming mail. Outgoing should be allowed to relay on the VPS. Incoming there should never be any relaying, ever. Be it coming from VPS, or any other server that sends system mail"[16:37:54] <phunyguy> it should send mail to phunyguy.com - and that's it.[16:38:14] <lunaphyte> ok, so that's effectively port 25/mx service, just happens to be on a different port[16:38:31] <phunyguy> yes. Just with relay allowed from home to vps[16:38:41] <lunaphyte> well, right[16:38:45] *** sphenxes has quit IRC[16:38:46] <lunaphyte> depending on the direction you're talking[16:38:49] <phunyguy> right[16:39:05] <lunaphyte> from vps -> home, it's just basic mx service [so to speak][16:39:18] <phunyguy> relay will not be allowed then.[16:39:35] <phunyguy> and actually to simplify, it will be * -> home[16:39:45] <lunaphyte> put reject_unauth_destination before permit_tls_all_clientcerts[16:39:49] <lunaphyte> that's all you need to do[16:39:55] <phunyguy> ah hah.[16:40:07] *** sphenxes has joined #postfix[16:40:15] <phunyguy> and an authorized destination at this point would be what is stored in the mysql database[16:40:21] <lunaphyte> in essence[16:40:40] <lunaphyte> that's an area of your setup that will need some further consideration[16:41:06] <phunyguy> how so?[16:41:22] <phunyguy> also, I appreciate your patience with me.[16:41:43] <lunaphyte> it's all good[16:42:00] <phunyguy> oh you mean the database piece?[16:42:04] <phunyguy> oh lawd, yes.[16:42:33] <phunyguy> tbh I can't begin to tell you how I set that up. Lots of late nights and beer.[16:42:44] <phunyguy> ..and google.[16:44:23] <lunaphyte> is everything arriving and accepted at the vps just meant to continue to the home server?[16:44:42] <phunyguy> for the three domains, yes[16:44:57] <phunyguy> nothing is delivered on the VPS if that is what you are asking.[16:45:12] <phunyguy> it is a path in and out.[16:45:22] <lunaphyte> ok[16:45:59] <lunaphyte> at home, you have soem domains in mydestination, and some in virtual_mailbox_domains. is that deliberate? are those meant to be handled differently?[16:46:17] * phunyguy looks[16:46:40] <phunyguy> something in the back of my brain tells me I did that for root mail[16:47:10] <phunyguy> could be wrong, but I know I had issues getting mail originating locally delivered.[16:47:52] <lunaphyte> it looks like your using dovecot. is that where all mail ultimately ends up?[16:47:57] <lunaphyte> *you're[16:48:32] <phunyguy> yes[16:49:33] <lunaphyte> no mail at all delivered to traditional spool files in linux, for users in the passwd db?[16:49:59] <phunyguy> none[16:50:16] <phunyguy> should all be aliased out to an actual email address if cared about.[16:50:33] <lunaphyte> then i woudl say you really don't have much use for local(8), e.g. mydestination[16:50:35] *** TyrfingMjolnir has quit IRC[16:50:42] <phunyguy> alright. out it goes[16:50:44] <lunaphyte> at least that's what i would do[16:50:53] <lunaphyte> put those domains in your sql database[16:51:12] <phunyguy> that's easy! postfixadmin[16:51:22] <phunyguy> so put them in and alias them.[16:51:27] <phunyguy> sounds good[16:52:27] <lunaphyte> i'd also use the relay domain address class rather than the virtual domain address class, fwiw[16:52:55] <lunaphyte> since postfix [e.g. virtual(8)] is not doing the delivery, and isntead is relaying to dovecot which is then doing the delivery[16:53:05] <phunyguy> drat...[16:53:09] <phunyguy> wait[16:53:30] <phunyguy> ahh yes, postfix is just doing the database lookup and feeding to dovecot[16:53:52] <phunyguy> I told you.... those were dark times setting that system up.[16:54:45] <rob0> Lo, what times are these, when passing ruffians can say, "Ni!" to an old woman?[16:55:04] <phunyguy> The knights who say....?[16:57:03] <rob0> My name is rob0; I am a shrubber.[16:59:22] <phunyguy> lunaphyte: still trying to parse that myself...[16:59:48] <phunyguy> relay domain address class vs virtual domain address class[17:00:02] <phunyguy> I need some more context for that to make sense to me.[17:00:30] <lunaphyte> it can be the subject of some degree of debate, so i prefer to keep it as simple a concept as i can[17:00:42] <lunaphyte> for me, it starts with "choose your mda"[17:01:32] <lunaphyte> if you want to use local(8), then use the local domain class. if you want to use virtual(8), use the virtual domain class. if yo uwant to use some other software/system [e.g. dovecot], use the relay domain class[17:03:46] <phunyguy> hmm[17:05:12] <phunyguy> I think I understand a little..l[17:05:26] <rob0> !address_classes[17:05:27] <knoba> rob0: "address_classes" : http://www.postfix.org/ADDRESS_CLASS_README.html describes how Postfix deals with different classes of addresses: local, relay, virtual alias, virtual mailbox, and Internet.[17:05:33] <rob0> !shrubbery[17:05:33] <knoba> rob0: Error: "shrubbery" is not a valid command.[17:05:39] <rob0> !herring[17:05:40] <phunyguy> rob0: already there[17:05:40] <knoba> rob0: Error: "herring" is not a valid command.[17:05:52] <phunyguy> i the goggled[17:05:56] <phunyguy> teh*[17:06:03] <phunyguy> heh hexchat autocorrected me[17:06:04] <rob0> !google[17:06:04] <knoba> rob0: "google" : Those who use Google before reading the Postfix documentation, if fortunate, end up at http://www.postfix.org/ . If not, they end up in a jumble of bad questions, misleading or wrong answers, and outdated information.[17:06:29] <phunyguy> I was fortunate because I have the google-fu[17:06:59] <phunyguy> I am trying to understand the differences in the context of my setup.[17:07:24] <phunyguy> so far, everything points to virtual.[17:07:32] <lunaphyte> that was why i asked if all mail is ultimately destined for dovecot[17:07:53] <phunyguy> it is, but dovecot is also local.[17:08:02] <lunaphyte> what do you mean "local"?[17:08:07] <phunyguy> on the same server[17:08:11] <lunaphyte> oh, heh.[17:08:14] <lunaphyte> that doesn't mean anything[17:08:17] <phunyguy> ok.[17:08:23] <lunaphyte> it could be anywhere[17:08:36] <phunyguy> I am trying to wrap my head around this.[17:08:54] <lunaphyte> that's what i was getting at with the ambiguity of some of the address class debates[17:09:16] <lunaphyte> i try to avoid subjective definitions, and attempt to focus on where things came from[17:09:40] <lunaphyte> there's a reason why the default transport for the local address class is literally named "local(8)"[17:09:56] <lunaphyte> same thing for the virtual domain class and "virtual(8)"[17:10:43] <phunyguy> I see.[17:12:12] <phunyguy> so for the virtual_ piece, It should actually have the relay_* stuff[17:12:19] <phunyguy> virtual_* *[17:12:24] <lunaphyte> that's my preference[17:12:49] <phunyguy> would I have to change anything else?[17:12:55] <phunyguy> format of the maps files, etc?[17:13:10] <lunaphyte> not much, if it all.[17:13:20] <phunyguy> I could always just try it and troubleshoot[17:13:29] <lunaphyte> any changes you might make would really just be further simplification[17:14:20] <lunaphyte> virtual_transport goes away and you just use relay_transport[17:14:43] <lunaphyte> your lookup maps can just return fixed values, as the result no longer matters[17:17:11] <phunyguy> oh boy... bunch of "unused parameter" warnings for relay_alias_maps and relay_mailbox_maps[17:18:00] <phunyguy> oh and relay_mailbox_domains[17:18:25] <phunyguy> looks like the options are a bit different in format[17:18:28] <lunaphyte> it's relay_domains and relay_recipient_maps[17:18:31] <phunyguy> name-wise[17:18:32] <phunyguy> yep[17:18:33] <rob0> none of those are actual settings[17:18:40] <lunaphyte> virtual_alias_maps stays[17:18:51] <lunaphyte> that's different from the virtual domain address class[17:19:34] <phunyguy> time to test[17:23:29] <phunyguy> ok, incoming works, but outgoing I think is broken from our earlier modifications[17:23:38] <phunyguy> because it is failing home -> vps[17:23:54] <lunaphyte> do a new pastebin with config and loga[17:24:12] <phunyguy> I need to get some food real quick.[17:24:19] <phunyguy> then I will. My brain is throbbing.[17:29:44] *** skylite has quit IRC[17:31:55] *** nh2 has quit IRC[17:33:39] *** [NoClan]GoAway has quit IRC[17:34:02] *** sphenxes01 has quit IRC[17:36:49] *** rsx has joined #postfix[17:37:24] *** SCHAAP137 has quit IRC[17:37:28] *** synthroid has joined #postfix[17:40:49] <phunyguy> lunaphyte: http://paste.ubuntu.com/14411810/, and http://paste.ubuntu.com/14411846/[17:40:56] <phunyguy> first is vps, second is home[17:41:20] <lunaphyte> do they have logs?[17:41:57] <Dominian> hmmm I'm not scrolling back, but is the issue you can't send email outbound to the internet from home basically?[17:42:20] <phunyguy> oh right, logs[17:42:44] <phunyguy> eeeeehhh... that would take some time to obfuscate.. .I can give relevant errors I think, though[17:43:02] <Dominian> !obfuscate[17:43:03] <knoba> Dominian: Error: "obfuscate" is not a valid command.[17:43:05] <Dominian> bah[17:43:09] <Dominian> there's a factoid for it[17:43:10] <Dominian> :P[17:43:12] <Dominian> but not what you think[17:43:24] <patdk-wk> !mung[17:43:24] <knoba> patdk-wk: "mung" : Mash Until No Good : the art of obfuscating data which ultimately results in unintentional consequences such as making diagnostics impossible. If you think you must hide details, see !have2mung[17:43:49] <Dominian> thanks patdk-wk[17:45:28] <patdk-wk> most likely the stuff your attempting to obfuscating is the important part[17:48:45] <phunyguy> lunaphyte: http://paste.ubuntu.com/14411939/[17:50:33] <lunaphyte> oh. your home postfix is not doing encryption[17:51:15] <Dominian> Unless it's trying to go through port 25 and not587[17:51:25] <Dominian> but meh.. WHO KNOWS.. I'm backing out now[17:51:41] *** JanC has quit IRC[17:54:04] <phunyguy> lol[17:54:21] <phunyguy> lunaphyte: so, what is the fix?[17:54:58] <phunyguy> also I have pizza fixing my hunger pangs[17:56:42] *** TyrfingMjolnir has joined #postfix[17:58:05] <phunyguy> also, ip communication between domains, ip adddresses, etc works.[17:58:14] <phunyguy> hence why I ripped them out.[17:59:30] <phunyguy> leaving in just hostnames.[18:00:09] *** internat has quit IRC[18:00:26] *** zorg1 has quit IRC[18:01:15] <lunaphyte> moment[18:01:57] *** davlefouAMD has quit IRC[18:04:40] <lunaphyte> you have to tell home postfix to connect to port 10025 when connecting to the vps, and to use the transport from master.cf[18:04:48] <lunaphyte> oh, you don't have that[18:04:51] <lunaphyte> you need to add that[18:05:19] *** teraflops has left #postfix[18:05:23] <phunyguy> is that not relay_hosts?[18:05:35] <phunyguy> err[18:05:37] <phunyguy> relayhost[18:05:57] *** JanC has joined #postfix[18:06:10] <phunyguy> totally left a domain in that pastebin[18:06:16] <phunyguy> now the creepers are gonna get me.[18:06:18] <phunyguy> 😞[18:06:29] <lunaphyte> oh. set syslog_name override for 10025 on the vps, so we can see for sure it's arriving to that service[18:06:47] <phunyguy> ok[18:07:22] <lunaphyte> if you are concerned about privacy, use a pastebin which can be marked as private and an expiration set[18:08:36] <phunyguy> I don't think paste.ubuntu.com is publicly listed anywhere[18:08:50] <phunyguy> (except here now)[18:09:16] <lunaphyte> some pastebins will list "recent pastes", etc[18:09:17] <Tuxick> ;p[18:09:25] <lunaphyte> that's what private means. not listed in lists like that[18:09:55] <lunaphyte> and add smtp_tls_note_starttls_offer to both[18:10:10] <phunyguy> yes it is reaching that transport[18:10:57] <lunaphyte> once you set smtp_tls_note_starttls_offer you'll be able to confirm on the home server if the vps is offering starttls[18:11:02] <phunyguy> would that be safe to add to the main.cf or should that strictly be on the 10025 transport?[18:11:10] <lunaphyte> no that's fine for global[18:11:15] <phunyguy> okay.[18:11:41] <phunyguy> =yes?[18:11:48] <lunaphyte> yes[18:13:04] <lunaphyte> home is missing smtp_tls_security_level[18:13:22] <lunaphyte> i would use secure[18:13:25] <lunaphyte> at least for now[18:14:08] <phunyguy> on just the relay transports?[18:14:16] <phunyguy> oh wait[18:14:18] <phunyguy> smtp[18:14:26] <lunaphyte> global config[18:14:40] <lunaphyte> no reason not to for home postfix. it only talks to the vps[18:15:40] <phunyguy> ah HAH[18:15:45] <phunyguy> that damn server cert again[18:16:00] <phunyguy> this time they NEED to be server certs on the smtpd side.[18:16:10] * phunyguy grumbles.[18:16:23] <lunaphyte> server certs?[18:16:34] <phunyguy> yeah server/client[18:16:45] <phunyguy> ./pkitool --server name, and ./pkitool name[18:17:03] *** Haudegen has quit IRC[18:17:05] <phunyguy> the VPS "server" certs are actually client certs. I'm an idiot.[18:17:31] <lunaphyte> what is pkitool?[18:17:39] <phunyguy> part of the easyrsa package[18:17:42] <phunyguy> just some scripts[18:17:44] <lunaphyte> what does --server *actually* do?[18:17:46] <lunaphyte> oh[18:17:55] <lunaphyte> sounds awful :)[18:18:39] <phunyguy> certificate verification failed for mx1.xx[xx.xx.xx.xx]:10025: not designated for use as a server certificate.[18:18:43] <phunyguy> :|[18:18:49] <lunaphyte> does it just set x509 constaints and key usage?[18:18:52] <lunaphyte> i see, sounds like it[18:18:56] <phunyguy> yes.[18:19:16] <phunyguy> my pki stuff is a mess. Might behoove me just to redo it[18:19:19] <lunaphyte> you might consider just using the actual software instead of these "helpful" wizards[18:19:25] *** xcrracer has joined #postfix[18:19:47] <phunyguy> but for the sake of testing, I will redo the vps certs.[18:20:03] <phunyguy> just keeping in mind that client is for smtp, and server is for smtpd[18:20:21] <lunaphyte> yes, but using the same cert for both is likely sane[18:20:35] <phunyguy> actually in this case, it would just be an additional set.[18:21:26] <phunyguy> I don't mind keeping them separate. I mean, there has to be a reason to add those constraints, no?[18:21:35] <lunaphyte> to an extent[18:21:52] <lunaphyte> that's the key usage field though, not the constraint field.[18:22:00] <lunaphyte> you can look at the cert itself and see[18:22:04] <phunyguy> also, is smtp*_tls_CAfile needed at all?[18:22:10] <lunaphyte> openssl x509 -in <hostname> -noout -text[18:22:22] <lunaphyte> yes[18:22:28] <phunyguy> alright making sure[18:22:35] <phunyguy> at some point in all of this they were commented out[18:23:45] *** xcrracer has quit IRC[18:23:59] <phunyguy> also did one of you try to connect to my VPS?[18:24:12] *** xcrracer has joined #postfix[18:24:23] <phunyguy> If so... I SEENT IT. -.-[18:28:03] *** [NoClan]GoAway has joined #postfix[18:35:48] *** Haudegen has joined #postfix[18:37:46] *** aindilis2 has quit IRC[18:38:06] <phunyguy> lunaphyte: still getting this in home server log: status=deferred (Server certificate not verified), when trying to connect to send outbound.[18:38:37] <lunaphyte> the home server cannot establish a trust path form the vps cert to a known root[18:39:17] <lunaphyte> from home server, use s_client and provide the proper root cert to confirm trust is possible[18:39:39] <lunaphyte> then use that same root cert file in the home postfix config for smtp_tls_CAfile[18:39:43] *** sphenxes01 has joined #postfix[18:43:01] <phunyguy> it verified... and I am...[18:44:12] <phunyguy> well let me try both VPSs[18:44:40] <phunyguy> ok, yes both sides verified OK.[18:49:02] <phunyguy> also did vps* -> home[18:49:08] <phunyguy> ...verified OK. o.O[18:54:34] *** gu1lle_ has joined #postfix[18:59:34] <shudon> hi all :) i want to inject mail into my queue. i have an email i pulled out of my queue with postcat. how can i re-send this email to a new email address[19:00:08] <lunaphyte> smtp or the sendmail command[19:00:33] <phunyguy> wait a minute.[19:00:53] <phunyguy> nevermind.[19:01:04] <shudon> lunaphyte: could i just pipe the output of postcat to sendmail?[19:01:19] <lunaphyte> quite unlikely[19:01:35] <lunaphyte> you will need to process and properly construct a new message[19:02:19] <shudon> hmm...[19:03:50] <shudon> can you recommend any tools to parse and emit email?[19:04:05] *** sarri has quit IRC[19:04:05] <lunaphyte> none in particular[19:04:13] <shudon> ok, thanks lunaphyte :)[19:04:19] <lunaphyte> i just tend to use traditional shell tools[19:06:14] *** sarri has joined #postfix[19:16:33] <phunyguy> yeah this is not working at all. s_client showed certs were fine, yet postfix refuses to verify.[19:17:18] <phunyguy> Jan 5 13:15:36 nuclearpenguin postfix/smtp[15986]: 2E499604C7: Server certificate not verified[19:17:33] <lunaphyte> does dns match?[19:17:55] <phunyguy> most likely not on the certs[19:18:17] <lunaphyte> it must[19:18:33] <phunyguy> it won't on at least one direction[19:18:34] <lunaphyte> that is a fundamental aspect of pki[19:18:47] <lunaphyte> then you need to use different certs for different functions[19:19:01] <phunyguy> ...I am...[19:19:12] <phunyguy> I am getting so frustrated with this.[19:19:13] <lunaphyte> then there's no reason it cannot match[19:19:22] * phunyguy woosaaas[19:19:31] <lunaphyte> just take it one step at a time[19:20:24] <phunyguy> so you are probably right... I need to ditch pkitool[19:20:40] <lunaphyte> this is one of a myriad of reasons why services hostnames are invaluable.[19:20:55] <phunyguy> one direction communicates with phunyguy.com. the other directions talk to mx1.phunyguy.com and mx2.phunyguy.com[19:21:06] <phunyguy> that is what pki is supposed to be verifying, correct[19:21:07] <phunyguy> ?[19:21:08] <lunaphyte> people get too caught up in trying to make hostnames match, instead of decoupling them from one another so it just doesn't matter[19:21:33] <lunaphyte> the vps is mx1?[19:21:39] <phunyguy> yeah I have two[19:21:42] <phunyguy> mx1 and mx2[19:21:47] <lunaphyte> both running postfix?[19:21:54] <phunyguy> yes, same exact configs.[19:21:58] <lunaphyte> oh[19:22:04] <phunyguy> phunyguy.com has two MX records pointing to each.[19:22:57] <phunyguy> so, real quick, while I have this on my mind.[19:23:12] <lunaphyte> will the home server be relaying to both vps'?[19:23:22] <phunyguy> yes[19:23:43] <phunyguy> would there be some worth here renewing my startssl cert for the home side[19:23:49] <lunaphyte> i wouldn't[19:23:56] <lunaphyte> i would use my own certs for al of that[19:23:58] <phunyguy> well I had planned to anyway for clients connecting[19:24:12] <lunaphyte> there's just no reason for commercial certs for that[19:24:31] <phunyguy> is there a reason not to?[19:24:54] <phunyguy> the cert is used for a website as well that is publicly visible... so I figure if I already have it[19:25:15] <lunaphyte> for starters, there's the principle[19:25:32] <lunaphyte> beyond that, you cna do longer validity periods with your own certs, which is perfectly reasonable[19:26:05] <phunyguy> the principle.. being... the fact that someone else controls your destiny?[19:26:42] <lunaphyte> eh, somewhat. more the principle of avoiding the awful commercial certificate industry[19:26:51] <phunyguy> oh. Well startssl is free[19:26:55] <phunyguy> so there's that.[19:27:24] <phunyguy> ok, so, let's start with vps to home.[19:27:45] <phunyguy> there are two ends here to the tls communication.[19:28:11] <phunyguy> mx{1,2} need to verify they are talking to phunyguy.com, which is where it sends incoming mail.[19:28:16] <phunyguy> that's side 1, right?[19:28:35] <lunaphyte> yes, and private certs are even freer ;)[19:28:56] <phunyguy> the other half to that, is phunyguy.com needs to verify that mx{1,2} are what is connecting, and allow the delivery.[19:29:07] <phunyguy> am I accurate so far?[19:30:49] <lunaphyte> the other half doesn't matter so much, in that sense[19:30:51] <phunyguy> so with all of that said, the postfix configs are most lily fine. what needs to be redone is the pki stuff.[19:31:02] <lunaphyte> mx{1,2} need to verify they are talking to phunyguy.com - yes, absolutely[19:31:34] <lunaphyte> mx{1,2} initiated the connection, so they absolutely need to know they in fact did connect to whom they intended to[19:31:42] <phunyguy> for clarification, I am talking about mail from say gmail, hits vps, then vps needs to send it home.[19:32:00] <lunaphyte> but phunyguy.com just needs to know a trusted cert is used[19:32:19] <lunaphyte> yes, your pki is probably lacking[19:32:27] <phunyguy> ahh, that second part will be more secure later when I restrict that to specific certs.[19:32:29] <lunaphyte> i can't stress the value of service hostnames enough here[19:32:47] <phunyguy> but for now, all certs are fine in that respect.[19:32:55] <lunaphyte> might i recomend some conventions like mta.example.com, msa.example.com, mda.example.com, mfa.example.com?[19:33:24] <phunyguy> you could, I would have to look up how that is relevant to really understand it[19:33:35] <lunaphyte> decouple the hostnames from other things the computers may or may not be doing, and make your certs for those hostnames[19:33:53] <lunaphyte> in your case, mta1/mta2 [or mx1/mx2 if you prefer[19:33:54] <phunyguy> ...then make sure dns matches[19:33:54] *** lucascastro has quit IRC[19:34:00] <lunaphyte> [for the vpses][19:34:12] <lunaphyte> msa for the home server[19:34:32] <lunaphyte> mda if you run dovecot on another computer [or just want the benefit of modularity][19:34:32] <phunyguy> well in some cases, home server is also mta[19:34:38] <phunyguy> incoming confusion[19:34:46] <lunaphyte> why would home server be mta?[19:35:01] <lunaphyte> home server is msa and mda[19:35:06] <phunyguy> actually, you're right[19:35:15] <phunyguy> what about any other node that just needs to send home[19:35:30] <lunaphyte> still msa or mda[19:36:04] <lunaphyte> time to eat. bbiab[19:36:10] <phunyguy> noooooo![19:36:18] <phunyguy> fine 😞[19:36:26] <phunyguy> man talk about a cliffhanger[19:39:49] <phunyguy> I am going to go out on a limb here, and say that the side dns matters most on, is the server verifying it is talking to a specific endpoint. So just to simplify it, I would need private certs for the smtpd side. in this case, 3 of them, mx1.phunyguy.com, mx2.phunyguy.com, and phunyguy.com. This would allow dns verification. The other half is simple.[19:40:21] <phunyguy> internally and externally phunyguy.com resolves to the same box. This is good.[19:40:46] <phunyguy> internally and externally, mx1 and mx2 resolve the same. This is also good. I think I have the baseline of what I need.[19:50:39] *** lucascastro has joined #postfix[19:50:48] <phunyguy> with that said, I may still be able to get away with specifying a different set of certs on the submission transport, to use the startssl one. Anything client related, I would prefer it not to prompt because of invalid cert.[19:51:16] <phunyguy> but from home -> VPS and back, sure. Self signed all day.[20:02:18] *** wdp has joined #postfix[20:02:19] *** wdp has joined #postfix[20:09:49] *** Yatekii has joined #postfix[20:09:52] <Yatekii> hi![20:10:01] <Yatekii> !welcome[20:10:02] <knoba> Yatekii: "welcome" : Welcome to #postfix! If you're new here, or to IRC, first read the channel topic (/topic). It has important instructions on how to ask good questions. You will get more and better help if you follow those instructions. Good Luck![20:10:54] <Yatekii> hey guys, is there a way in postfix to trace an incomming mail's working path? i mean which directives are execute and what modules a mail is handed to before it is delivered?[20:13:42] <rob0> I'm not sure what you're asking, if it is not covered by normal non-verbose logging.[20:13:59] <rob0> One item which might be of interest:[20:14:10] <rob0> !smtpd_tls_loglevel[20:14:10] <knoba> rob0: "smtpd_tls_loglevel" : enable additional postfix smtp server logging of tls activity. each logging level also includes the information that is logged at a lower logging level.[20:14:50] <rob0> Enable this with "smtpd_tls_loglevel = 1" to see if TLS was used for incoming mail.[20:14:51] <Yatekii> well, I wanna see which filters a mail passes before it is delivered to my mailbox. eg clamav/spf-checker/sieve[20:15:08] <Yatekii> ok ty :)[20:15:49] <rob0> Postfix logs that it hands off mail to any third-party software. Beyond that, it's the responsibility of that software to log what it did.[20:16:28] <Yatekii> rob0: hmk[20:17:03] <Yatekii> because I use policy-spf unix - n n - - spawn[20:17:03] <Yatekii> user=nobody argv=/usr/bin/policyd-spf[20:17:08] <Yatekii> to check spf records[20:17:16] <Yatekii> but I don't see anything in the mail headers[20:18:59] <shudon> hi all :) i want to send an email i pulled out of my queue with "postcat -dq <qid>" and found only the lines beginning with "78" -- is there some way i could send this email without having to muck around with it? maybe maildrop would be friendlier to my idea than sendmail?[20:21:45] <Yatekii> ahhhhh[20:21:50] <Yatekii> apple mail uses sslv3[20:21:54] <Yatekii> why?[20:21:56] <Yatekii> ff[20:22:36] *** gongoputch has quit IRC[20:23:29] *** lucascastro has quit IRC[20:29:23] <Yatekii> rob0: I get warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1396: that looks fine to me - I don't want sslv3[20:29:47] <Yatekii> but lost connection after STARTTLS from looks weird to me? TLS should work?[20:33:11] <rob0> "no shared cipher" means you limited smtpd's TLS ciphers to a set, none of which the client can do.[20:36:31] <Yatekii> hmm then my client sucks then[20:36:44] <Yatekii> but does SSL also write STARTTLS?[20:37:08] <Yatekii> because i didn't disable any ciphers for TS[20:37:20] <Yatekii> *TLS[20:37:20] <Yatekii> just sslv3 and sslv2 ...[20:37:23] <Yatekii> and some otehr ones[20:39:55] *** synthroid has quit IRC[20:40:12] *** lucascastro has joined #postfix[20:45:22] *** CQ has joined #postfix[20:46:59] <CQ> hello, I'm a postfix newbie coming from sendmail (after too many headaches) and have some questions... first is where gethostbyname gets the fqdn from. I have it set in /etc/hosts, but it still goes from and to user at myhost dot localdomain[20:50:48] <Tuxick> $myhostname[20:50:59] <Tuxick> man 5 postconf[20:51:22] <CQ> Tuxick: I thought it gets it from gethostbyname, and if it's correct in /etc/hosts I didn't need to specify it[20:52:02] <CQ> The default is to use the fully-qualified domain name from gethostname() ...from main.cf[20:52:06] <Tuxick> afaik postfix doesn't look at that at all[20:52:14] <Tuxick> or better not rely on it[20:52:54] <Tuxick> it does if you insist, i suppose[20:53:19] <rob0> Without context, not possible to answer.[20:54:17] <rob0> My guess is that some non-Postfix software like mailx(1) is setting the address.[20:54:48] <CQ> rob0: well I'll just set it for now... I want to get it working first, then get the details.[20:56:44] <Tuxick> there's also /etc/mailname, can't remember what stuff looks there[20:57:01] <Tuxick> but imo /etc/hosts would be bad place to look[20:58:10] <phunyguy> lunaphyte: alright... using pure openssl commands I appear to have created a proper pki cert set for the three devices. deliver to/from works. I had to disable smtp_tls_level=secure, because it wouldn't send outbount to gmail with it on vps.[20:58:17] <rob0> /etc/mailname is Debian-specific.[20:58:37] <phunyguy> err smtp_tls_security_level**[20:59:05] <phunyguy> ...since cert is not trusted by gmail[20:59:16] <lunaphyte> phunyguy: smtp_tls_security_level=secure only goes in the global config on the home server[20:59:33] <CQ> how does postfix know to do authenticated SMTP to a relay?[20:59:35] <phunyguy> gotcha. it is there.[20:59:45] <lunaphyte> on the vps, it doesn't go in the global config. only the service/transport for relaying to the home server[21:00:33] <phunyguy> lunaphyte: gotcha. so this would be something I would need to look up the syntax for.[21:01:06] <phunyguy> I do remember seeing that in the docs.[21:02:47] <Yatekii> why does it mention TLS AND PLAIN? Jan 5 20:59:11 localhost dovecot: imap-login: Login: user=<admin at yatekii dot ch>, method=PLAIN, rip=, lip=, mpid=19038, TLS, session=<4RLTq5soUABcaVIP>[21:04:34] <rob0> dovecot ^^. Transport Layer Security, and AUTH PLAIN mechanism.[21:04:57] <phunyguy> there it is, smtp_tls_policy_maps[21:05:10] *** edux has joined #postfix[21:05:51] <CQ> Jan 5 21:05:22 bsdpim postfix/smtp[25084]: warning: smtp_sasl_auth_enable is true, but SASL support is not compiled in[21:05:55] <CQ> ...how do I fix that?[21:06:04] <CQ> this is on a freebsd box[21:06:29] <Yatekii> rob0: I know its dovecot and thus plain is ok but why does it have TLS too :S[21:06:58] <Zerberus> CQ: compile postfix against cyrus-sasl - see the SASL_README[21:08:25] <phunyguy> lunaphyte: so, would I set `phunyguy.com secure` in that file, or `[nuclearpenguin.phunyguy.com]:10025 secure match=next hop` ?[21:08:29] *** Haudegen has quit IRC[21:08:47] *** edux__ has quit IRC[21:09:49] <phunyguy> nexthop*[21:10:10] <rob0> cq, do you need client AUTH?[21:10:35] <CQ> rob0: yes, I need to authenticate to the smarthost[21:10:44] <rob0> !saslclient[21:10:45] <knoba> rob0: "saslclient" : See http://www.postfix.org/SASL_README.html#client_sasl when you need client-side SASL authentication to deliver mail to another server[21:11:17] *** rsx has quit IRC[21:11:27] <CQ> http://serverfault.com/questions/337837/is-sasl-not-supported-in-postfix-on-freebsd ...working through this[21:16:05] *** ced117 has joined #postfix[21:16:08] *** synthroid has joined #postfix[21:18:07] *** MxyzptlkFishStix has quit IRC[21:19:03] *** MxyzptlkFishStix has joined #postfix[21:20:06] <CQ> ok, got the smarthost working. How can I get all mail that goes to local destinations get sent to a different address (via the smarthost)?[21:21:14] *** nhooyr has quit IRC[21:22:12] <phunyguy> oh my. This works good.[21:22:20] *** nhooyr has joined #postfix[21:26:51] *** Haudegen has joined #postfix[21:28:26] *** lucascastro has quit IRC[21:31:29] <phunyguy> lunaphyte: I cannot express how grateful I am for your help. Seriously. I will let this sit and marinade for now. It appears to be stable.[21:32:03] <rob0> "Stable"=="A place full of horse poo" ;)[21:32:18] <phunyguy> the noun version, yes[21:32:21] <phunyguy> heh[21:34:34] <CQ> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy ... I'm looking at this, but can't get it to work. I want all mail to get forwarded to another account[21:34:54] <CQ> I've set up the ggeneric mapping, but nothing changes[21:35:32] *** sphenxes02 has joined #postfix[21:35:50] <lunaphyte> phunyguy: which file?[21:35:59] *** [dmp] has quit IRC[21:36:34] *** feandil_ has joined #postfix[21:36:37] <phunyguy> the tls_policy_maps[21:36:41] *** [dmp] has joined #postfix[21:36:49] <phunyguy> smtp_tls_policy_maps*[21:36:58] <lunaphyte> oh. you don't really need that[21:37:01] <feandil_> Hi all, I have a stupid issue: I can't get postfix to send more than one message per connection between two of my nodes[21:37:07] <phunyguy> I figured it out though.[21:37:23] <phunyguy> I don't?[21:37:26] <feandil_> I must have messed up the configuration, but I can't find why, at what should I look at ?[21:37:52] <phunyguy> how else am I going to tell outbound to home mail to smtp_tls_security_level=secure?[21:38:01] <phunyguy> (for only that direction)[21:38:08] <lunaphyte> i would just use a transport[21:38:22] <phunyguy> idgi[21:38:28] <phunyguy> master.cf thing?[21:38:35] <feandil_> (all disconnects are: disconnect from XXXX ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 :()[21:38:43] <lunaphyte> yes[21:39:01] <phunyguy> oh..[21:39:08] *** sphenxes has quit IRC[21:39:14] <phunyguy> is what I did OK, though?[21:39:18] *** [dmp] has quit IRC[21:39:32] *** sphenxes has joined #postfix[21:39:39] <phunyguy> it basically says, anything going out to home, use secure[21:39:45] *** [dmp] has joined #postfix[21:39:52] *** sphenxes01 has quit IRC[21:40:13] <phunyguy> but for completeness sake, it would be smtpd on left, and 10025 on right in master.cf?[21:40:20] <phunyguy> completeness' *[21:40:48] <phunyguy> didn't realize you could do that.[21:45:00] *** lucascastro has joined #postfix[21:45:32] <feandil_> I even tried to configure the connection cache manually, but it didn't work: http://dpaste.com/0B2H1Z9[21:46:01] <feandil_> (this is postfix-3.0.2 running on a Gentoo)[21:49:52] <feandil_> oh, "The Postfix shared connection cache cannot be used with TLS" ? really ? :([21:50:13] <CQ> what can be the cause of the generic map not being applied at all? postconf -n shows smtp_generic_maps = hash:/usr/local/etc/postfix/generic ...which is where the map is (and it's .db)[21:53:39] *** lucascastro has quit IRC[21:56:01] <Tuxick> sure you (re) postmapped it?[21:56:42] <CQ> Tuxick: what I basically want, is that all mails to @hostname.domain.net go to me at somedomain dot com[21:57:02] <CQ> I added a line to generic: @hostname.domain.net me at somedomain dot com[21:57:46] <Zerberus> CQ: that's address rewriting, not rerouting[21:57:53] <lunaphyte> phunyguy: sure, it does the same thing, ultimately. the main difference is that you'll probably have other things you want to adjust for delivery to that destination beyond the tls policy[21:58:26] *** spY|da has quit IRC[21:58:32] <CQ> Zerberus: what do I need? I can't figure it out... I've been googling and reading and trying for close to an hour now[21:59:21] <Zerberus> CQ: don't define the target domain in $mydestination if you are using a local(8) configuration[22:01:34] <CQ> Zerberus: I have a local configuration with a smarthost[22:02:42] <CQ> Zerberus: I don't have mydestination set[22:02:59] *** feandil_ has left #postfix[22:03:25] <phunyguy> lunaphyte: that makes sense, actually. So, can you give me some clues for that type of transport setup? Would it be something like `smtpd inet n - - - - nuclearpenguin.phunyguy.com:10025 ?[22:03:47] *** [NoClan]GoAway has quit IRC[22:03:53] <Zerberus> !tell CQ getting_help[22:03:54] <knoba> CQ: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[22:09:42] <rob0> mydestination has a default, BTW[22:12:21] *** ced117 has quit IRC[22:13:08] <CQ> Zerberus: your rewriting vs. rerouting comment helped a ton, it works!! I am using virtual_alias_maps = hash:/usr/local/etc/postfix/virtual and it's exactly what I need. phew.[22:13:11] *** synthroid has quit IRC[22:13:16] <CQ> thanks a ton for the help and patience[22:13:52] <Zerberus> CQ: showed you all the love and care already in #sendmail :>[22:18:26] <CQ> Zerberus: well, blame #freebsd, they told me to chuck it and go with postfix :)[22:18:59] <CQ> but the sendmail experience helped here[22:19:16] <CQ> I didn't stumble over the AUTH stuff this time :)[22:33:39] <Yatekii> hmm guys, I have no amaivs service in the master.cf but it still gets executed...nothing in the main.cf too... any ideas where it could be directed to it? (incoming mail)[22:33:48] <Yatekii> hmm maybe dovecot :S[22:42:47] *** tunage has quit IRC[22:43:08] <Poster> maybe have it defined with content_filter ?[22:43:50] <Poster> something like http://www.postfix.org/FILTER_README.html#advanced_filter maybe[22:45:44] <lunaphyte> phunyguy: http://dpaste.com/1442CSD.txt[22:48:29] *** sphenxes has quit IRC[22:49:21] *** synthroid has joined #postfix[22:50:59] *** robinho86 has quit IRC[22:51:51] *** synthroid has quit IRC[22:58:38] *** KaiForce has joined #postfix[23:00:44] *** [NoClan]GoAway has joined #postfix[23:01:19] *** pti-jean_ has quit IRC[23:07:27] *** FinboySlick has quit IRC[23:11:11] <phunyguy> lunaphyte: where is relay-mda defined?[23:12:19] <lunaphyte> oh, that's just a symbolic name from the services db for the port number[23:12:19] <Zerberus> in transport map on right hand side[23:13:22] <lunaphyte> oh, whoops. no it's not.[23:13:25] <lunaphyte> that's for smtpd[23:13:45] <lunaphyte> its use there is its canonical introduction into the postfix config[23:13:57] <lunaphyte> then you just reference it elsewhere, like Zerberus said[23:15:00] <lunaphyte> in your case, you'd do relay_transport = relay-mda:[hostname]:smtp-relay[23:15:13] <lunaphyte> in that example, smtp-relay is defined in the services db[23:15:21] <lunaphyte> >getent services smtp-relay[23:15:21] <lunaphyte> smtp-relay 10023/tcp[23:15:34] <lunaphyte> but you could just put the port if you wanted - 10025 in your case[23:16:54] <lunaphyte> that means that when relay_transport is used, it uses the settings defined in master.cf for the service/transport with the name "relay-mda", connects to the host hostname, on the port smtp-relay [10023][23:20:46] <KaiForce> my configuration (main.cf) contains the line "smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl"[23:21:16] <KaiForce> Can I merely comment it out and restart postfix? I have another system that does blacklisting.[23:21:43] <KaiForce> (goal is to remove blacklisting from the Postfix server)[23:22:25] <Zerberus> you can[23:23:32] <phunyguy> lunaphyte: Excellent! Exactly what I was looking for! Thank you thank you thank you.[23:23:39] <phunyguy> you too Zerberus[23:28:53] *** dstarh has joined #postfix[23:30:53] <phunyguy> lunaphyte: so based on your linked example, you don't want a client cert presented when going out to the internet?[23:31:27] <phunyguy> personally I am not opposed to presenting a cert unless someone gives me a good reason not to.[23:33:08] *** dstarh has quit IRC[23:39:58] <lunaphyte> it's a bad idea, yes[23:40:27] <lunaphyte> do not present a client cert unless you know, unequivocally, that the other side is expecting it/wants it[23:40:46] <lunaphyte> if you start going around shoving your client cert down people's throats, you are going to have problems[23:41:03] <lunaphyte> it's like you demanding to answer a question no one is asking you[23:41:22] *** CQ has left #postfix[23:41:22] * rob0 demands[23:41:41] <lunaphyte> you will eventually come across servers which will choke, and mail relay will fail[23:41:51] <lunaphyte> well, what's then answer then?![23:42:35] <rob0> 42[23:43:35] <phunyguy> ^[23:43:42] <phunyguy> lunaphyte: alright then. Sounds good.[23:44:14] <phunyguy> Also, I am commenting the shit out of these configs, because if I don't, I will forget what all of this means when I need it most in like 6 months or something.[23:44:37] *** TyrfingMjolnir has quit IRC[23:44:58] <phunyguy> comments + backups[23:45:30] <phunyguy> I assumed that presenting a cert would allow servers to specify an encryption option.[23:45:51] <phunyguy> smtpd_tls_security_level=may or something[23:47:13] <lunaphyte> the negotiation of that sort of thing happens period, as part of how tls works, regardless of if a client presents a cert or not[23:47:29] <phunyguy> ahh. Did not realize that.[23:47:56] <phunyguy> So postfix, if asked to use TLS... will.. even without an smtp client cert defined?[23:48:40] *** shawniverson has quit IRC[23:50:15] *** gu1lle_ has quit IRC[23:51:42] *** ekkis has joined #postfix[23:52:15] <phunyguy> lunaphyte: I see you don't have smtp_tls_CAfile defined in that linked example....[23:52:27] <phunyguy> also are the {} required around the variables?[23:54:45] *** ekkis has quit IRC[23:55:02] *** ekkis has joined #postfix[23:55:14] <ekkis> afternoon everyone. I've had postfix running for a long time (years) and recently filled up my disk. I had to expand the drive (it's running on a VM) and afterwards postfix doesn't seem to be receiving mail. I can connect to it on port 25 from the outside, so it's reachable, but I'm not getting any mail... I'm running on Fedora Core where they've messed up the logging so I'm not sure I know where to look for logs. anyone here running[23:55:14] <ekkis> on Fedora 22?[23:56:35] <ekkis> can anyone see me?[23:57:47] <Poster> does your /var filesystem have space?[23:58:00] <Poster> or wherever your postfix spool is running from, probably /var/spool/postfix