Relay Access Denied

Relay Access Denied

VP Lists
Hi folks.

I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s running Postfix as a mail server.  

My LAN has a 192.168.x.x range.  I’m getting that error when an app I’m developing is trying to send an email out through this email server to the internet.  A gmail address specifically.



My main.cf:

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.0.0/24 127.0.0.0/8 # RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated reject_unauth_destination

I’m hosting a handful of local and FQDN on the LAN, and I develop using a machine.local naming scheme.  Just wondering how I can whitelist my internal domains to get outgoing emails past my mail server.  Not really sure what to post here as well.

Any insight appreciated.

Cheers


_____________
Rich in Toronto @ VP








Re: Relay Access Denied

B. Reino
Sorry for top posting. Mobile client here..

Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 192.168.0.0/16.

In the headers of your mail I see 192.168.1.4, which would thus not be in mynetworks.

So you may want to check that..
Cheers.


On March 24, 2019 8:35:59 PM UTC, VP Lists <[hidden email]> wrote:
Hi folks.

I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s running Postfix as a mail server.

My LAN has a 192.168.x.x range. I’m getting that error when an app I’m developing is trying to send an email out through this email server to the internet. A gmail address specifically.



My main.cf:

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.0.0/24 127.0.0.0/8 # RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated reject_unauth_destination

I’m hosting a handful of local and FQDN on the LAN, and I develop using a machine.local naming scheme. Just wondering how I can whitelist my internal domains to get outgoing emails past my mail server. Not really sure what to post here as well.

Any insight appreciated.

Cheers
Rich in Toronto @ VP








Re: Relay Access Denied

VP Lists

> On Mar 24, 2019, at 5:20 PM, B. Reino <[hidden email]> wrote:
>
> Sorry for top posting. Mobile client here..

No problem.  I don’t mind top-posting anywhere.

> Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 192.168.0.0/16.
>
> In the headers of your mail I see 192.168.1.4, which would thus not be in mynetworks.

Yes, it’s now corrected.

mynetworks = 192.168.1.0/24 127.0.0.0/8

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = loopback-only
config_directory = /Library/Server/Mail/Config/postfix

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject unauthdestination permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination


Same error.  


> So you may want to check that..

_____________
Rich in Toronto @ VP







Re: Relay Access Denied

Viktor Dukhovni
On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:

> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

What do you expect this to do?

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
>
> Same error.  

Care to post logs?  Care to post "postconf -nf" (older versions
"postconf -n") output?

--
        Viktor.

Re: Relay Access Denied

VP Lists

> On Mar 24, 2019, at 6:31 PM, Viktor Dukhovni <[hidden email]> wrote:
>
> On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:
>
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
>
> What do you expect this to do?

At this point I have no clue.  I think it was in there from previous messing.  

>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
>>
>> Same error.  
>
> Care to post logs?  Care to post "postconf -nf" (older versions
> "postconf -n") output?

# /var/log/mail.log:
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from [192.168.1.4]:52147 to [192.168.1.6]:25
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD [192.168.1.4]:52147
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from unknown[192.168.1.4]
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT from unknown[192.168.1.4]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mydomain.com>
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: disconnect from unknown[192.168.1.4]

So below we see that mynetworks includes the LAN for relaying.  But above, it says my workstation (192.168.1.4) is unknown.  No clue why.  

$ postconf -nf

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
    $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.1.0/24, 192.168.1.23, 192.168.1.4, 127.0.0.0/8, [::1]/128 # RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
    reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes


_____________
Rich in Toronto @ VP



Re: Relay Access Denied

Viktor Dukhovni
On Sun, Mar 24, 2019 at 06:38:40PM -0400, VP Lists wrote:

> # /var/log/mail.log:
> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from [192.168.1.4]:52147 to [192.168.1.6]:25
> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD [192.168.1.4]:52147
> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from unknown[192.168.1.4]
> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT from unknown[192.168.1.4]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mydomain.com>

This is likely blocked by "smtpd_relay_restrictions", or your
mynetworks setting had not yet taken effect for all the running
smtpd(8) processes.

> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

This is rather pointless.

> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>     reject unauthdestination permit

This is rather busted.

> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

The default settings are better.

> use_sacl_cache = yes

This must be some Apple-specific Postfix setting, are you running Apple's
Postfix binaries?

--
        Viktor.

Re: Relay Access Denied

VP Lists

> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni <[hidden email]> wrote:
>
>>
>> # /var/log/mail.log:
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from [192.168.1.4]:52147 to [192.168.1.6]:25
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD [192.168.1.4]:52147
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from unknown[192.168.1.4]
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT from unknown[192.168.1.4]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<mydomain.com>
>
> This is likely blocked by "smtpd_relay_restrictions", or your
> mynetworks setting had not yet taken effect for all the running
> smtpd(8) processes.

At the moment, that directive is commented-out.  I was getting reports that it was not being used:

$ sudo postfix reload
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated reject_unauth_destination
postfix/postfix-script: refreshing the Postfix mail system

Either way, with that directive active or not, same results: Relay access denied

>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
>
> This is rather pointless.
>
>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>    reject unauthdestination permit
>
> This is rather busted.

I don’t know why.  This is how the package came.  

>> smtpd_tls_ciphers = medium
>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>
> The default settings are better.

These are the defaults it came with.  

>> use_sacl_cache = yes
>
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

They all are.  Yes this is Mountain Lion (10.8.5) Server.  Is there a default setup for LAN access?  I find their setup rather restrictive.  I’ve had issues with this setup before.  Security in the LAN is tight already, so I don’t need my mail server keeping me out.  

Cheers

_____________
Rich in Toronto @ VP







Re: Relay Access Denied

VP Lists
In reply to this post by Viktor Dukhovni

> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni <[hidden email]> wrote:
>
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

mail_version = 2.9.2

_____________
Rich in Toronto @ VP







Re: Relay Access Denied

B. Reino
On Mon, 25 Mar 2019, VP Lists wrote:

>> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni <[hidden email]> wrote:
>>
>> This must be some Apple-specific Postfix setting, are you running Apple's
>> Postfix binaries?
>
> mail_version = 2.9.2

smtpd_relay_restrictions appeared only with 2.10. That explains the
"unused parameter" warning.

Your (old) version should IIRC use only smtpd_recipient_restrictions.

But given that you have some weird version on a weird OS with a weird
configuration, I will have to pass.

Best is to reinstall, from a trusted (non-Apple?) source, and start with
default configuration, which is very sane. Only touch what you actually
need to touch, and leave the rest to Viktor and Wietse, who seem to know
what they do :)

Cheers and good luck.

Re: Relay Access Denied

Viktor Dukhovni
In reply to this post by VP Lists
> On Mar 25, 2019, at 7:23 AM, VP Lists <[hidden email]> wrote:
>
>>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
>>
>> This is rather pointless.

Delete it, it serves no purpose.

>>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>>   reject unauthdestination permit
>>
>> This is rather busted.
>
> I don’t know why.  This is how the package came.  

No, it did not.  It probably had:

   smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        permit

what you have rejects all inbound email from outside senders.

>>> smtpd_tls_ciphers = medium
>>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>>
>> The default settings are better.
>
> These are the defaults it came with.

Take the defaults from a more recent release:

  # Remove this from main.cf, taking the empty default
  smtpd_tls_exclude_ciphers =

  # Add these:
  smtpd_tls_ciphers = medium
  smtpd_tls_protocols = !SSLv2, !SSLv3
  smtp_tls_ciphers = medium
  smtp_tls_protocols = !SSLv2, !SSLv3

As for why "mynetworks" is not enough, perhaps time to look
at your master.cf file...

--
        Viktor.
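
Added example (not part of the thread, and not Postfix code): a simplified model of the left-to-right, first-match evaluation of smtpd_recipient_restrictions, limited to the five restrictions quoted in this thread. It covers both the /24 mismatch B. Reino pointed out and the difference between the list as posted and the list Viktor suggests. LOCAL_DOMAINS, the 203.0.113.7 outside client and all function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption: the domains this server is final destination for. "mydomain.com"
# is the placeholder domain that appears in the posted logs.
LOCAL_DOMAINS = {"mydomain.com"}

# Restriction lists exactly as they appear in the thread.
AS_POSTED = "permit_sasl_authenticated permit_mynetworks reject unauthdestination permit"
AS_SUGGESTED = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit"


def parse_mynetworks(value):
    """Split a mynetworks value on commas/whitespace into network objects."""
    nets = []
    for tok in value.replace(",", " ").split():
        tok = tok.replace("[", "").replace("]", "")  # [::1]/128 -> ::1/128
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def in_mynetworks(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def evaluate(restrictions, client_ip, rcpt_domain, nets, sasl_authenticated=False):
    """Return (action, deciding_restriction); the first restriction that matches wins."""
    for name in restrictions.replace(",", " ").split():
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip, nets):
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", name)
        elif name == "reject_unauth_destination":
            # Simplified: only LOCAL_DOMAINS count as authorized destinations.
            if rcpt_domain not in LOCAL_DOMAINS:
                return ("reject", name)  # logged as "Relay access denied"
        elif name == "reject":
            return ("reject", name)      # unconditional; nothing after it is reached
        elif name == "permit":
            return ("permit", name)
        else:
            return ("error", name)       # simplification: unknown name, if ever reached
    return ("permit", "end of list")


def demo():
    old_nets = parse_mynetworks("192.168.0.0/24 127.0.0.0/8")
    new_nets = parse_mynetworks("192.168.1.0/24 127.0.0.0/8")
    outside = "203.0.113.7"  # constructed outside client (documentation range)
    return {
        # LAN workstation relaying to Gmail, before and after the mynetworks fix
        "lan_old_mynetworks": evaluate(AS_SUGGESTED, "192.168.1.4", "gmail.com", old_nets),
        "lan_new_mynetworks": evaluate(AS_SUGGESTED, "192.168.1.4", "gmail.com", new_nets),
        # Outside sender delivering to a local recipient
        "inbound_as_posted": evaluate(AS_POSTED, outside, "mydomain.com", new_nets),
        "inbound_as_suggested": evaluate(AS_SUGGESTED, outside, "mydomain.com", new_nets),
        # Outside sender trying to relay: still refused with the suggested list
        "outside_relay": evaluate(AS_SUGGESTED, outside, "gmail.com", new_nets),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```
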


Re: Relay Access Denied

VP Lists

> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni <[hidden email]> wrote:
>
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Here it is:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# ==== Begin auto-generated section ========================================
# This section of the master.cf file is auto-generated by the Server Admin
#  Mail backend plugin whenever mails settings are modified.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
smtp      unix  -       -       n       -       -       smtp
# === End auto-generated section ===========================================
# Modern SMTP clients communicate securely over port 25 using the STARTTLS command.
# Some older clients, such as Outlook 2000 and its predecessors, do not properly
# support this command and instead assume a preconfigured secure connection
# on port 465. This was sometimes called "smtps", but such usage was never
# approved by the IANA and therefore conflicts with another, legitimate assignment.
# For more details about managing secure SMTP connections with postfix, please see:
#   http://www.postfix.org/TLS_README.html
# To read more about configuring secure connections with Outlook 2000, please read:
#   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307772
# Apple does not support the use of port 465 for this purpose.
# After determining that connecting clients do require this behavior, you may choose
# to manually enable support for these older clients by uncommenting the following
# four lines.
#465      inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
sacl-cache unix -       -       n       -       1       sacl-cache
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=_cyrus argv=/usr/bin/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Dovecot
#
dovecot   unix  -       n       n       -       25      pipe
  flags=DRhu user=_dovecot:mail argv=/usr/libexec/dovecot/dovecot-lda -d ${user}
# Use these settings to enable +addressing ([hidden email])
# flags=DRhu user=_dovecot:mail argv=/usr/libexec/dovecot/dovecot-lda -d ${user} -a ${recipient} -m ${extension}
#
# ====================================================================
#
# Greylist policy server
#
policy    unix  -       n       n       -       -       spawn
  user=nobody:mail argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}


_____________
Rich in Toronto @ VP







Re: Relay Access Denied

VP Lists
In reply to this post by Viktor Dukhovni
>
> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni <[hidden email]> wrote:
>
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Fixed.  I needed a “From” header for gmail to accept it.  That was inside the Ruby gem configuration.  

Cheers

_____________
Rich in Toronto @ VP