Need real examples of `no resolvable FQDN' host sending thru smtp relay


reader
Where can I find real examples of /etc/postfix/main.cf setup on host
with no resolvable FQDN relaying through smtp Smarthost with
authentication?

I've been experimenting; have set up sasl user password authentication.
Hashed it with postmap, included the necessary smtp statements and etc
in main.cf.
I've tried using the actual hostname and domain name (even though they
are not resolvable anywhere but my home lan) in main.cf.

I wasn't sure about including/attaching it here .. if that is allowed
in this newsgroup so left out main.cf for now.

My experimental configuration in place, I try sending something with
postfix's sendmail as root and as user reader
                                     
reader > sudo sendmail -vt <tmail.txt
Mail Delivery Status Report will be mailed to <root>.

reader > sendmail -vt <tmail.txt
Mail Delivery Status Report will be mailed to <reader>.
                                                                     
tmail.txt contains:        
    To: [hidden email]
    Subject: test of rough config on postfix
    From: [hidden email]

    And here goes the e-mail body test etc etc etc etc.
    .
I tried tmail as shown, and with `From: ' field like this:
   From: [hidden email]  (which is a working email address)

smtp.newsguy.com is also the SmartHost where I have credentials; used
in `main.cf'.

Even though the sendmail message says reports will be mailed, nothing
shows up at /var/spool/mail or at [hidden email] inbox
 
    ls -l /var/spool/mail/
    total 1
    -rw------- 1 reader mail 0 Jan  9 23:52 reader

empty.

Examples of working configs from a situation like mine would really be
helpful.  
Any suggestions at all would be most welcome.


Re: Need real examples of `no resolvable FQDN' host sending thru smtp relay

Viktor Dukhovni
On Mon, Jan 11, 2021 at 12:18:15PM -0500, Harry wrote:

> Where can I find real examples of /etc/postfix/main.cf setup on host
> with no resolvable FQDN relaying through smtp Smarthost with
> authentication?

    http://www.postfix.org/SOHO_README.html
    http://www.postfix.org/SOHO_README.html#fantasy

> reader > sendmail -vt <tmail.txt
> Mail Delivery Status Report will be mailed to <reader>.
>                                                                      
> I tried tmail as shown, and with `From: ' field like this:
>    From: [hidden email]  (which is a working email address)

The "From:" header has no bearing on the return path of email,
which comes from the message envelope.  You can set it with the
"-f sender" option of sendmail(1).

> Even though the sendmail message says reports will be mailed, nothing
> shows up at /var/spool/mail or at [hidden email]

The fate of the probe report is in your logs.  If your system is
configured to relay all mail to a smarthost, then that's where
the notice would have been routed to.  Actual delivery requires
a working configuration.

If you configure a domain for local delivery, and use an address
in that domain as the envelope sender, then probe status reports
will be delivered locally.

    mydestination = localhost.local

  $ sendmail -f [hidden email] -bv [hidden email]

--
    Viktor.

Re: Need real examples of `no resolvable FQDN' host sending thru smtp relay

reader
Viktor Dukhovni <[hidden email]> writes:

> On Mon, Jan 11, 2021 at 12:18:15PM -0500, Harry wrote:
>
>> Where can I find real examples of /etc/postfix/main.cf setup on host
>> with no resolvable FQDN relaying through smtp Smarthost with
>> authentication?
>
>     http://www.postfix.org/SOHO_README.html
>     http://www.postfix.org/SOHO_README.html#fantasy

Thx, those are helpful but I'm apparently still not getting it
right. Still failing like so:

(This has been snipped from all lines below:
    `Jan 14 15:28:54 localhost')


postfix/pickup[23288]: 40BBD492: uid=1000 from=<reader>
postfix/cleanup[23322]: 40BBD492: message-id=<20210114202854.40BBD492@localhost>
postfix/qmgr[23289]: 40BBD492: from=<[hidden email]>, size=374, nrcpt=1 (queue active)
postfix/smtp[23324]: connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out
postfix/smtp[23324]: 40BBD492: to=<[hidden email]>, relay=none, delay=30, delays=0.16/0.17/30/0, dsn=4.4.1, status=deferred (connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out)

Does this line from above indicate that messages are still going out
with `from=<[hidden email]> as sender from?

postfix/qmgr[23289]: 40BBD492: from=<[hidden email]>, size=374, nrcpt=1 (queue active)

I ask because I do have a 'generic.db' file in place.  (content of
generic file below)

[...]

> The "From:" header has no bearing on the return path of email,
> which comes from the message envelope.  You can set it with the
> "-f sender" option of sendmail(1).

Is that inserted somewhere in postfix configuration or done with
cmdline?  

> the fate of the probe report is in your logs.  If your system is
> configured to relay all mail to a smarthost, then that's where
> the notice would have been routed to.  Actual delivery requires
> a working configuration.
>
> If you configure a domain for local delivery, and use an address
> in that domain as the envelope sender, then probe status reports
> will be delivered locally.
>
>     mydestination = localhost.local

>   $ sendmail -f [hidden email] -bv [hidden email]

Still not clear where the sendmail -f is done.  The way you've written
the line ... with leading `$', it appears to be done on command line.
But clearly not something you would be doing with each mail... so
where is the sendmail -f line set?

I'm going to include my full main.cf, generic and munged sasl_passwd
since I'm not really clear what is supposed to be in there... I've
tried the generic file recommended at one of urls you suggested:
http://www.postfix.org/SOHO_README.html#fantasy

PS: /etc/postfix/generic and /etc/postfix/sasl_passwd have been
postmapped and postfix reloaded.

-------       -------       ---=---       -------       -------
main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_generic_maps = hash:/etc/postfix/generic
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname  **added hp( mailname = newsguy.com )
mydestination = local.lan, $myhostname, localhost, localhost.localdomain, localhost
relayhost = [smtp.newsguy.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
-------       -------       ---=---       -------       -------
/etc/postfix/generic

## 4 /etc/postfix/generic:
## 5     [hidden email]             [hidden email]
## 6     [hidden email]             [hidden email]
## 7     @localdomain.local                [hidden email]

[hidden email]         [hidden email]

-------       -------       ---=---       -------       -------
/etc/postfix sasl_passwd

[smtp.newsguy.com]        reader:XsecretX

-------       -------       ---=---       -------       -------


Re: Need real examples of `no resolvable FQDN' host sending thru smtp relay

Viktor Dukhovni
On Thu, Jan 14, 2021 at 04:09:30PM -0500, Harry Putnam wrote:

> >     http://www.postfix.org/SOHO_README.html
> >     http://www.postfix.org/SOHO_README.html#fantasy
>
> Thx, those are helpful but I'm apparently still not getting it
> right. Still failing like so:
>
> postfix/pickup[23288]: 40BBD492: uid=1000 from=<reader>
> postfix/cleanup[23322]: 40BBD492: message-id=<20210114202854.40BBD492@localhost>
> postfix/qmgr[23289]: 40BBD492: from=<[hidden email]>, size=374, nrcpt=1 (queue active)
> postfix/smtp[23324]: connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out
> postfix/smtp[23324]: 40BBD492: to=<[hidden email]>, relay=none, delay=30, delays=0.16/0.17/30/0, dsn=4.4.1, status=deferred (connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out)

Postfix is trying to deliver email to:

>   smtp.newsguy.com[74.209.136.63]:25:

but, after waiting for a SYN-ACK (TCP connection completion)
from the server for 30 seconds:

>   delay=30, delays=0.16/0.17/30/0

gives up:

>   Connection timed out

If your connection is supposed to be to port 25 and 587 or 465, then
this is not a Postfix issue, Postfix is doing all the right things,
but the network connectivity just isn't there.

> Does this line from above indicate that messages are still going out
> with `from=<[hidden email]> as sender from?

The message envelope in the queued message is "[hidden email]", but if
you're using "smtp_generic_maps", logging of the original address form
is expected, because the rewrites would happen on the fly during delivery,
and so the queued message shows the address pre-rewrite.

> I ask because I do have a 'generic.db' file in place.  (content of
> generic file below)

Rewriting via generic happens "post queue" and so is not reflected
in local log messages.  The new address is only seen by the remote
system (to which you never connect).

> > The "From:" header has no bearing on the return path of email,
> > which comes from the message envelope.  You can set it with the
> > "-f sender" option of sendmail(1).
>
> Is that inserted somewhere in postfix configuration or done with
> cmdline?  

The "-f sender" option of sendmail(1) is generally understood to be
a command-line option.

> >   $ sendmail -f [hidden email] -bv [hidden email]
>
> Still not clear where the sendmail -f is done.  The way you've written
> the line ... with leading `$', it appears to be done on command line.
> But clearly not something you would be doing with each mail... so
> where is the sendmail -f line set?

On the command line when you want to send a delivery probe and
be sure to have results delivered to the right sender address.

> I'm going to include my full main.cf,

    http://www.postfix.org/DEBUG_README.html#mail

> mailbox_command = procmail -a "$EXTENSION"

I don't recommend this unless you know what you're doing.

> mailbox_size_limit = 0

This may be unwise.

> myhostname = localhost
> mydestination = local.lan, $myhostname, localhost, localhost.localdomain, localhost

It is best to set myhostname to a "dotted" name.  And use one of
the above names for the domain part of the sender address, rather
than "localhost.local", which is not listed.

> myorigin = /etc/mailname  **added hp( mailname = newsguy.com )

I sure hope that "** ..." bit isn't actually there.  And support for
filenames in myorigin is Debian/Ubuntu specific.

> relayhost = [smtp.newsguy.com]

Perhaps a submission port number (587? 465?, ...) is needed here?

> smtp_generic_maps = hash:/etc/postfix/generic

This is fine.

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =

You should generally set smtp_sasl_tls_security_options as described in
SASL_README.

    http://www.postfix.org/SASL_README.html#client_sasl_enable
    http://www.postfix.org/SASL_README.html#client_sasl_policy

    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = noanonymous

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_CApath=/etc/ssl/certs
> smtp_tls_security_level=may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes

You should likely *enforce* TLS to the submission server.

> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_security_level=may

You're unlikely to need an SMTP server, you can just keep it listening
only on the loopback interface, or disable it entirely.

    inet_interfaces = loopback-only
    master_service_disable = inet

> -------       -------       ---=---       -------       -------
> /etc/postfix/generic
> [hidden email]         [hidden email]

Fine.

> /etc/postfix sasl_passwd
> [smtp.newsguy.com]        reader:XsecretX

If you add a ":port" suffix to the relay setting, you should also add it
here (the SASL password lookup key), and in the TLS policy file.  For
example:

    main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls-policy

    tls-policy:
        [smtp.newsguy.com]:587  secure

--
    Viktor.