part 2 of: SSL not working after unwanted server migration


part 2 of: SSL not working after unwanted server migration

Marco Fioretti
hello all,
this is the same server, same situation for which I asked for help
yesterday. Right now, after trying to test and follow up the advice
received, this is the status:

IMAPS: not working yet because of SSL "no shared cipher". Details
here: https://dovecot.org/pipermail/dovecot/2018-December/113862.html

POSTFIX: with the current configuration (see postconf -n output below)
it seems I can:

* receive email from all the mailing lists/newsletters I am subscribed to

* connect with mutt from my home computer, and send email through this
server to any other MTA I could use for testing, with two
"exceptions":

   gmail still refuses connection, see below what I got from the last
test a few minutes ago

  one server does accept and deliver my messages, but flags them as
spam (no idea why, all I see is a "X-Spam-Flag: YES" header...)

NOTIFICATION BY GMAIL:

<[hidden email]>: host
    gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b] said: 550-5.7.1
    [XXXXXXXXXXXX] Our system has detected that this message does
    550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and
    550-5.7.1 authentication. Please review 550-5.7.1
    https://support.google.com/mail/?p=IPv6AuthError for more information 550
    5.7.1 . t6si9122052wrw.74 - gsmtp (in reply to end of DATA command)

Fact is, "XXXXXXXXXXXX" is the ipv6 address of the server for which I
*did* add a reverse entry some hours ago (and I had done the same for
the ipv4 dns record yesterday). In other words, I don't know what else
I could / should do at this point on the DNS side.

Here is the output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix-2.4.3-documentation/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = $myhostname
myhostname = a.mx.MYDOMAIN
mynetworks = 127.0.0.0/8, my.home.ip.address
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
procmail_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.3-documentation/readme
relay_domains =
sample_directory = /etc/postfix
sender_dependent_relayhost_maps = hash:/etc/postfix/mymaps/relayhost_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps = hash:/etc/postfix/mymaps/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_helo_access hash:/etc/postfix/reject_own_helo,
check_policy_service unix:postgrey/socket
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/archive/MYDOMAIN/fullchain1.pem
smtpd_tls_key_file = /etc/letsencrypt/archive/MYDOMAIN/privkey1.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/mymaps/valias.map
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/mymail_storage
virtual_mailbox_domains = /etc/postfix/mymaps/vhosts.map
virtual_mailbox_maps = hash:/etc/postfix/mymaps/vmailboxes.map
virtual_transport = procmail
virtual_uid_maps = static:5000
postconf: warning: /etc/postfix/main.cf: unused parameter:
smtp_tls_auth_only=yes

Re: part 2 of: SSL not working after unwanted server migration

Benny Pedersen-2
Marco Fioretti wrote on 2018-12-11 11:35:

> IMAPS: not working yet because of SSL "no shared cipher". Details
> here: https://dovecot.org/pipermail/dovecot/2018-December/113862.html

current SSL dovecot settings in conf.d/10-ssl.conf

is missing in dovecot -n

ask a centos maintainer for dovecot to solve that, check dovecot config
files in /etc/dovecot/

make sure they match what is intended from the maintainer before you
edit it

does dovecot.conf have last line !include..... ?

do you have stale old config files ?

sorry, can't help more

Re: part 2 of: SSL not working after unwanted server migration

rachalmers
In reply to this post by Marco Fioretti



Hi again.

The following settings are from my server. They may not necessarily work with yours.

# Smtpd means mails you receive from outside, smtp covers mails you send to other servers.


The notification from Google is telling you that your Reverse DNS does not point to your server. Are you on a Dynamic IP, or VPS network?
> 550-5.7.1 not meet IPv6 sending guidelines regarding PTR

Have you tried setting the preferred inet to IPv4?

inet_protocols = ipv6, ipv4
inet_interfaces=all
smtp_address_preference = ipv6

Gmail is being very picky about this stuff. You may also need to set up your authenticated email with Google. See the address shown in your returned email.



You also have an unused parameter, smtp_tls_auth_only. This apparently doesn’t exist in Postfix’s set of options.
> postconf: warning: /etc/postfix/main.cf: unused parameter:
> smtp_tls_auth_only=yes

Which I think may be referring to the second line. It should be smtpd_tls_auth_only.

Ciphers:
1. No shared cipher. Did you fix the error in your list of ciphers mentioned earlier? I doubt you actually need such a big list anyway.


smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

smtp_tls_mandatory_ciphers = high



Robert




Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers


Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
In reply to this post by Benny Pedersen-2
that problem with Dovecot is solved. It was caused by missing (not
sure why/how) the "include conf.d/*" line in dovecot.conf, so the ssl
configuration simply was not loaded. Now with dovecot,
if anybody is interested, I have this other question about how to
configure permissions properly between dovecot and postfix:

https://dovecot.org/pipermail/dovecot/2018-December/113868.html

with postfix proper, instead, the only or main problem right now seems
to be the reverse DNS
configuration, as I reported in my previous email

Re: part 2 of: SSL not working after unwanted server migration

rachalmers
In reply to this post by Marco Fioretti


oh, and run “postfix check” as the superuser.

That will show up any obvious errors.




Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers


Re: part 2 of: SSL not working after unwanted server migration

Wietse Venema
In reply to this post by Marco Fioretti
Marco Fioretti:

> <[hidden email]>: host
>     gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b] said: 550-5.7.1
>     [XXXXXXXXXXXX] Our system has detected that this message does
>     550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and
>     550-5.7.1 authentication. Please review 550-5.7.1
>     https://support.google.com/mail/?p=IPv6AuthError for more information 550
>     5.7.1 . t6si9122052wrw.74 - gsmtp (in reply to end of DATA command)
>
> Fact is, "XXXXXXXXXXXX" is the ipv6 address of the server for which I
> *did* add a reverse entry some hours ago (and I had done the same for
> the ipv4 dns record yesterday). In other words, I don't know what else
> I could / should do at this point on the DNS side.

Hours may not be enough to propagate the change to all DNS servers.

What do 'dig' or 'host' have to say about that PTR record? For my
primary server, it looks like this:

$ host 2604:8d00:189::2
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.1.0.0.0.d.8.4.0.6.2.ip6.arpa domain name pointer spike.porcupine.org.
$ dig +short ptr 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.8.1.0.0.0.d.8.4.0.6.2.ip6.arpa
spike.porcupine.org.

I also have configured my server not to use IPv6 with gmail. Years
ago they did not distinguish between DNS lookup timeout or 'record
does not exist'. That configuration is still in effect so I don't
know if the problem has been fixed.

        Wietse
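
The PTR lookup shown in this message, extended to the forward-confirmation step that receivers enforcing PTR rules commonly apply (the PTR name must resolve back to the sending address). This is an added example, not part of the original thread; the zone data is constructed in the 2001:db8::/32 documentation prefix, and `dig_lookup` is a hypothetical helper that shells out to `dig +short` for live use.

```python
import ipaddress
import subprocess


def ptr_query_name(address):
    """Name whose PTR record is queried for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def fcrdns(address, lookup):
    """Forward-confirmed reverse DNS check.

    lookup(name, rtype) must return a list of record strings, or [] if none.
    """
    ip = ipaddress.ip_address(address)
    rtype = "AAAA" if ip.version == 6 else "A"
    names = [n.rstrip(".").lower() for n in lookup(ptr_query_name(address), "PTR")]
    result = {"address": str(ip), "ptr_names": names, "confirmed": []}
    if not names:
        result["status"] = "no PTR record"
        return result
    for name in names:
        forward = []
        for rec in lookup(name + ".", rtype):
            try:
                # Compare parsed addresses so compressed and expanded
                # IPv6 spellings of the same address are treated as equal.
                forward.append(ipaddress.ip_address(rec))
            except ValueError:
                continue  # e.g. a CNAME target line in dig output
        if ip in forward:
            result["confirmed"].append(name)
    if result["confirmed"]:
        result["status"] = "ok"
    else:
        result["status"] = "PTR name does not resolve back to address"
    return result


def dig_lookup(name, rtype):
    """Live resolver (hypothetical helper): runs `dig +short NAME TYPE`."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, timeout=10).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def _sample_zone():
    # Constructed records, not taken from the thread.
    zone = {}
    zone[(ptr_query_name("2001:db8::25"), "PTR")] = ["mail.example.com."]
    zone[("mail.example.com.", "AAAA")] = ["2001:0db8:0000:0000:0000:0000:0000:0025"]
    zone[(ptr_query_name("2001:db8::26"), "PTR")] = ["example.com."]
    zone[("example.com.", "AAAA")] = ["2001:db8::80"]
    return zone


SAMPLE_ZONE = _sample_zone()


def sample_lookup(name, rtype):
    return SAMPLE_ZONE.get((name.lower(), rtype), [])


if __name__ == "__main__":
    for addr in ("2001:db8::25", "2001:db8::26", "2001:db8::27"):
        r = fcrdns(addr, sample_lookup)
        print(addr, r["status"], r["ptr_names"])
```

To test a real server, call `fcrdns(address, dig_lookup)` with the address the bounce shows in square brackets.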

Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
In reply to this post by rachalmers
Hello, all.

I have added or edited as suggested in main.cf all the settings that
Robert mentions in his reply below. Right now,  "postfix check" only
returns ~10 warnings all equal to " /etc/postfix/master.cf: unused
parameter: flags=D"

everything is working OK on the imap/dovecot side (except some minor
issues I will deal with later). The only problem that remains is the
one with gmail, but I have something new to report.

Using example.com as domain name placeholder, the DNS record may be OK
now (please confirm):

a) it includes a text entry for
"example.com:google-site-verification..." as Google
b) there is a reverse IPv6 entry, and it has propagated. About 20 minutes ago,
 "host <IPv6 address of my server>" did start to return exactly "example.com"

BUT:

I only realized now that the rejection email I get when I try to send
email as [hidden email] to my gmail address says:

Reporting-MTA: dns; a.mx.example.com

this in turn led me to realize that the value of myhostname in main.cf
is "a.mx.example.com", NOT just "example.com" as it says in the DNS
records (*). To test myself, I changed myhostname to example.com, but
after restart I get messages to me bounced because [hidden email]
is "User unknown in local recipient table". So, is just "example.com"
the right value for myhostname, and if yes, how to fix the user
unknown error?
Here is the current output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix-2.4.3-documentation/html
inet_interfaces = all
inet_protocols = ipv6, ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = $myhostname
myhostname = example.com
mynetworks = 127.0.0.0/8, my.ip.home.address
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
procmail_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.3-documentation/readme
relay_domains =
sample_directory = /etc/postfix
sender_dependent_relayhost_maps = hash:/etc/postfix/mymaps/relayhost_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_address_preference = ipv6
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps = hash:/etc/postfix/mymaps/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_helo_access hash:/etc/postfix/reject_own_helo,
check_policy_service unix:postgrey/socket
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/archive/example.com/fullchain1.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/letsencrypt/archive/example.com/privkey1.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/mymaps/valias.map
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/mymail_storage
virtual_mailbox_domains = /etc/postfix/mymaps/vhosts.map
virtual_mailbox_maps = hash:/etc/postfix/mymaps/vmailboxes.map
virtual_transport = procmail
virtual_uid_maps = static:1001
postconf: warning: /etc/postfix/master.cf: unused parameter: flags=D

THANKS,
Marco

(*) please don't ask why this mismatch... it is one more of the things
that I had no time to check myself because I had to migrate without
advice...)

Re: part 2 of: SSL not working after unwanted server migration

rachalmers
Where/what is the -D in your master.cf file ????




On 11 Dec 2018, at 14:35, Marco Fioretti <[hidden email]> wrote:

/etc/postfix/master.cf: unused
parameter: flags=D"

Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers


Re: part 2 of: SSL not working after unwanted server migration

rachalmers
Do a 
postconf -Mf

to show your master.cf file configuration.




Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
here it is:

postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
628        inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
procmail   unix  -       n       n       -       -       pipe -o flags=D
    user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
    EXTENSION=${extension} /usr/local/etc/procmailrc.common
here it
On Tue, 11 Dec 2018 at 15:51, Robert Chalmers
<[hidden email]> wrote:

>
> Do a
> postconf -Mf
>
> to show your master.cf file configuration.
>
>
>
> On 11 Dec 2018, at 14:47, Robert Chalmers <[hidden email]> wrote:
>
> Where/what is the -D in your master.cf file ????
>
>
>
>
> On 11 Dec 2018, at 14:35, Marco Fioretti <[hidden email]> wrote:
>
> /etc/postfix/master.cf: unused
> parameter: flags=D"
>
>
>

Re: part 2 of: SSL not working after unwanted server migration

rachalmers
So if you look carefully at master.cf, you will see that somewhere you have a stray “-D” attached to something.

Do you use vi to edit?

Open master.cf and use 
/-D

That will search for it?

Robert


On 11 Dec 2018, at 14:57, Marco Fioretti <[hidden email]> wrote:

here it is:

postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
   -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
628        inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
   -o fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
procmail   unix  -       n       n       -       -       pipe -o flags=D
   user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
   EXTENSION=${extension} /usr/local/etc/procmailrc.common
here it

Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers


Re: part 2 of: SSL not working after unwanted server migration

rachalmers
In reply to this post by Marco Fioretti
You may actually have a -D where you should have a -d ????





On 11 Dec 2018, at 14:57, Marco Fioretti <[hidden email]> wrote:

here it is:

postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
   -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
628        inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
   -o fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
procmail   unix  -       n       n       -       -       pipe -o flags=D
   user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
   EXTENSION=${extension} /usr/local/etc/procmailrc.common
here it

Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers


Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
Hello Robert,
there is no "-D" in master.cf, only "=D".
In any case... I don't know what to answer.

By this I mean that I put together this procmail line in master.cf:

procmail  unix  -       n       n       -       -       pipe  -o
flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
USER=${recipient} EXTENSION=${extension}
/usr/local/etc/procmailrc.common

(with "=D", not "-D") maybe 10 years ago, in order to filter all
incoming email with procmail, following advice from procmail and
postfix mailing lists. Since then, and until 4 days ago, it had always
worked as expected, and never given me reasons to remember its
existence. Do you mean that the "flags=D" setting is obsolete in the
current version of postfix?

Marco
On Tue, 11 Dec 2018 at 16:36, Robert Chalmers
<[hidden email]> wrote:

>
> You may actually have a -D where you should have a -d ????
>
>
>
>
>
> Robert Chalmers
> https://robert-chalmers.uk
> [hidden email]
> @R_A_Chalmers
>

Re: part 2 of: SSL not working after unwanted server migration

rachalmers

No no. That line is quite different.

-D is not it.
Are you starting master with a -D maybe.

Like /usr/sbin/master -D type of thing?

Turn on verbose output with a -v and see if you can catch it.




-----



> On 11 Dec 2018, at 3:49 pm, Marco Fioretti <[hidden email]> wrote:
>
> Hello Robert,
> there is no "-D" in master.cf, only "=D".
> In any case... I don't know what to answer.
>
> By this I mean that I put together this procmail line in master.cf:
>
> procmail  unix  -       n       n       -       -       pipe  -o
> flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
> USER=${recipient} EXTENSION=${extension}
> /usr/local/etc/procmailrc.common
>
> (with "=D", not "-D") maybe 10 years ago, in order to filter all
> incoming email with procmail, following advice from procmail and
> postfix mailing lists. Since then, and until 4 days ago, it had always
> worked as expected, and never given me reasons to remember its
> existence. Do you mean that the "flags=D" setting is obsolete in the
> current version of postfix?
>
> Marco

Re: part 2 of: SSL not working after unwanted server migration

Matus UHLAR - fantomas
In reply to this post by Marco Fioretti
On 11.12.18 16:49, Marco Fioretti wrote:
>there is no "-D" in master.cf, only "=D".
>IN any case... I don't know what to answer.
>
>By this I mean that I put together this procmail line in master.cf:
>
>procmail  unix  -       n       n       -       -       pipe  -o
>flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
>USER=${recipient} EXTENSION=${extension}
>/usr/local/etc/procmailrc.common

the "flags" is supposed to be indented, since it is continuation of
"procmail" line:


procmail  unix  -       n       n       -       -       pipe  -o
        flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
        USER=${recipient} EXTENSION=${extension}
        /usr/local/etc/procmailrc.common

>(with "=D", not "-D") maybe 10 years ago, in order to filter all
>incoming email with procmail, following advice from procmail and
>postfix mailing lists. Since then, and until 4 days ago, it had always
>worked as expected, and never given me reasons to remember its
>existence. Do you mean that the "flags=D" setting is obsolete in the
>current version of postfix?

it's not obsolete, but the filtering through procmail like this apparently is.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
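
An added example, not part of the original thread and not Postfix code: a small Python lint over `postconf -Mf`-style text that joins indented continuation lines into logical master.cf entries, as the message above describes, and reports `-o name=value` overrides on `pipe` services whose name is a pipe(8) delivery attribute rather than a main.cf parameter, the construct that postconf reports as `unused parameter: flags=D`. The function names are hypothetical, the samples are constructed from lines quoted in this thread, and tokens are split on whitespace only (the `{ }` quoting of newer Postfix versions is not handled).

```python
# Added example: lint master.cf text such as the output of "postconf -Mf".
# Function names are hypothetical; SAMPLE_* inputs are constructed from
# lines quoted in this thread.

# Delivery attributes documented in pipe(8). They are bare arguments of the
# pipe daemon (pipe flags=... user=... argv=...), not main.cf parameters,
# so they must not be introduced with "-o".
PIPE_ATTRIBUTES = {"chroot", "directory", "eol", "flags",
                   "null_sender", "size", "user", "argv"}

# As printed by "postconf -Mf": continuation lines are indented.
SAMPLE_INDENTED = """\
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
relay      unix  -       -       n       -       -       smtp
    -o fallback_relay=
procmail   unix  -       n       n       -       -       pipe -o flags=D
    user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
    EXTENSION=${extension} /usr/local/etc/procmailrc.common
"""

# The same entry as it looks after a mail client re-wrapped it: the
# continuation lines lost their indentation and would start new entries.
SAMPLE_UNINDENTED = """\
procmail  unix  -       n       n       -       -       pipe  -o
flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
USER=${recipient} EXTENSION=${extension}
/usr/local/etc/procmailrc.common
"""


def logical_lines(text):
    """Return [(first_line_number, tokens)] with continuation lines joined."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0] in " \t" and entries:
            entries[-1][1].extend(raw.split())  # leading whitespace: continuation
        else:
            entries.append((lineno, raw.split()))
    return entries


def check(text):
    """Return (line, kind, detail) findings for one master.cf text."""
    findings = []
    for lineno, tokens in logical_lines(text):
        # service type private unpriv chroot wakeup maxproc command [args...]
        if len(tokens) < 8:
            findings.append((lineno, "short-entry", " ".join(tokens)))
            continue
        service, command, args = tokens[0], tokens[7], tokens[8:]
        for i, arg in enumerate(args):
            if arg.startswith("argv="):
                break  # everything after argv= belongs to the external command
            if arg != "-o":
                continue
            if i + 1 == len(args):
                findings.append((lineno, "dangling-o", service))
                continue
            override = args[i + 1]
            name = override.split("=", 1)[0]
            if command == "pipe" and name in PIPE_ATTRIBUTES:
                findings.append((lineno, "pipe-attribute-after-o", override))
    return findings


if __name__ == "__main__":
    for label, sample in (("indented", SAMPLE_INDENTED),
                          ("unindented", SAMPLE_UNINDENTED)):
        print(label)
        for finding in check(sample):
            print("  line %d: %s: %s" % finding)
```

A `short-entry` finding on a line that looks like arguments usually means a continuation line lost its leading whitespace.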

Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
In reply to this post by rachalmers
I confess I do not know how to check that. The output of which command
should I turn verbose?

Thanks
On Tue, 11 Dec 2018 at 16:57, Robert Chalmers
<[hidden email]> wrote:

>
>
> No no. That line is quite different.
>
> -D is not it.
> Are you starting master with a -D maybe.
>
> Like /usr/sbin/master -D type of thing?
>
> Turn on verbose output with a -v and see if you can catch it.
>
>
>
>
> -----
>
>
>

Re: part 2 of: SSL not working after unwanted server migration

rachalmers
Hi
I misread the output of postconf above

returns ~10 warnings all equal to " /etc/postfix/master.cf: unused
parameter: flags=D"

Remove the ‘flags=D’ and restart. Then do a postconf -Mf again

Remember, you have to restart postfix to load master, not just reload.

Robert



__________
Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers

On 11 Dec 2018, at 4:12 pm, Marco Fioretti <[hidden email]> wrote:

I confess I do not know how to check that. The output of which command
should I turn verbose?

Thanks

Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
OK, I removed that part of the procmail line, and restarted. Here is
output of postconf -Mf and, respectively, postconf -n

(just for my own knowledge: this has nothing to do with the ipv6
complaints from google, or has it?)

Thanks,
Marco

###############################################

smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
628        inet  n       -       n       -       -       qmqpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
procmail   unix  -       n       n       -       -       pipe
    -o user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
    EXTENSION=${extension} /usr/local/etc/procmailrc.common


##############################################

postconf -n

47.53.159.60
On Tue, 11 Dec 2018 at 17:26, Robert Chalmers
<[hidden email]> wrote:

>
> Hi
> I misread the output of postconf above
>
> returns ~10 warnings all equal to " /etc/postfix/master.cf: unused
> parameter: flags=D"
>
> Remove the ‘flags=D’ and restart. Then do a postconf -Mf again
>
> Remember, you have to restart postfix to load master, not just reload.
>
> Robert
>
>
>
> __________
> Robert Chalmers
> https://robert-chalmers.uk
> [hidden email]
> @R_A_Chalmers
>
> On 11 Dec 2018, at 4:12 pm, Marco Fioretti <[hidden email]> wrote:
>
> I confess I do not know how to check that. The output of which command
> should I turn verbose?
>
> Thanks
> Il giorno mar 11 dic 2018 alle ore 16:57 Robert Chalmers
> <[hidden email]> ha scritto:
>
>
>
> No no. That line is quite different.
>
>
> -D is not it.
>
> Are you starting master with a -D maybe.
>
>
> Like /use/sbin/master -D type of thing?
>
>
> Turn on verbose output with a -v and see if you can catch it.
>
>
>
>
>
> -----
>
>
>
>
> On 11 Dec 2018, at 3:49 pm, Marco Fioretti <[hidden email]> wrote:
>
>
> Hello Robert,
>
> there is no "-D" in master.cf, only "=D".
>
> IN any case... I don't know what to answer.
>
>
> By this I mean that I put together this procmail line in master.cf:
>
>
> procmail  unix  -       n       n       -       -       pipe  -o
>
> flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
>
> USER=${recipient} EXTENSION=${extension}
>
> /usr/local/etc/procmailrc.common
>
>
> (with "=D", not "-D") maybe 10 years ago, in order to filter all
>
> incoming email with procmail, following advice from procmail and
>
> postfix mailing lists. Since then, and until 4 days ago, it had always
>
> worked as expected, and never given me reasons to remember its
>
> existence. Do you mean that the "flags=D" setting is obsolete in the
>
> current version of postfix?
>
>
> Marco
>
> Il giorno mar 11 dic 2018 alle ore 16:36 Robert Chalmers
>
> <[hidden email]> ha scritto:
>
>
> You may actually have a -D where you should have a -d ????
>
>
>
>
>
>
> On 11 Dec 2018, at 14:57, Marco Fioretti <[hidden email]> wrote:
>
>
> here it is:
>
>
> postconf -Mf
>
> smtp       inet  n       -       n       -       -       smtpd
> submission inet  n       -       n       -       -       smtpd
>  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
>  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> smtps      inet  n       -       n       -       -       smtpd
>  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
>  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 628        inet  n       -       n       -       -       qmqpd
> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
>  -o fallback_relay=
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> procmail   unix  -       n       n       -       -       pipe -o flags=D
>  user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}
>  EXTENSION=${extension} /usr/local/etc/procmailrc.common
>
> here it
>
> On Tue, 11 Dec 2018 at 15:51, Robert Chalmers
> <[hidden email]> wrote:
>
>
>
> Do a
>
> postconf -Mf
>
>
> to show your master.cf file configuration.
>
>
>
>
> On 11 Dec 2018, at 14:47, Robert Chalmers <[hidden email]> wrote:
>
>
> Where/what is the -D in your master.cf file ????
>
>
>
>
>
> On 11 Dec 2018, at 14:35, Marco Fioretti <[hidden email]> wrote:
>
>
> /etc/postfix/master.cf: unused parameter: flags=D"
>
>
>
>
>
> Robert Chalmers
>
> https://robert-chalmers.uk
>
> [hidden email]
>
> @R_A_Chalmers
>
>

Re: part 2 of: SSL not working after unwanted server migration

Marco Fioretti
In reply to this post by Matus UHLAR - fantomas
On Tue, 11 Dec 2018 at 17:03, Matus UHLAR - fantomas
<[hidden email]> wrote:

> the "flags" is supposed to be indented, since it is continuation of
> "procmail" line:
>
>
> procmail  unix  -       n       n       -       -       pipe  -o
>         flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
>         USER=${recipient} EXTENSION=${extension}
>         /usr/local/etc/procmailrc.common

maybe it came out as indented when copying/pasting/replying in email,
but it is NOT indented in the file. All that stuff has been on one line for,
as I said, ~10 years now.

> ... Do you mean that the "flags=D" setting is obsolete in the
> >current version of postfix?
>
> it's not obsolete, but the filtering through procmail like this apparently is.

OK, as long as the functionality remains the same, I certainly don't mind
removing that part of the line!

But if you check the output of postconf -Mf that I posted a few minutes ago...
now the question becomes: why is there a warning about "user=myvmail_user"?

As far as I can see, this postfix+procmail part of the system is working as
expected now. It is "only" gmail interfacing and webmail configuration that
are still giving me pains.

Marco
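
The master.cf syntax discussed in this thread, checked offline in an added example that is not part of the original posts. It assumes, from master(5) and pipe(8), that a line starting with whitespace continues the previous entry and that `-o name=value` overrides a main.cf parameter, while `flags=`, `user=` and `argv=` are plain arguments of `pipe`; the names `logical_lines` and `lint` are hypothetical.

```python
# pipe(8) attributes: plain command arguments, not main.cf parameters.
PIPE_ATTRS = {"chroot", "directory", "eol", "flags", "null_sender",
              "size", "user", "argv"}

def logical_lines(text):
    """Join physical lines per master(5): leading whitespace continues the entry."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()  # continuation of the previous entry
        else:
            out.append(raw.strip())       # column 0 starts a new entry
    return out

def lint(text):
    """Return (service, problem) pairs for a master.cf fragment."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        # service type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) < 8:
            findings.append((fields[0], "fewer than 8 fields: unindented continuation?"))
            continue
        service, command, args = fields[0], fields[7], fields[8:]
        for flag, value in zip(args, args[1:]):
            name = value.split("=", 1)[0]
            if flag == "-o" and command == "pipe" and name in PIPE_ATTRS:
                findings.append((service, f"'-o {value}' is read as a main.cf "
                                          "override, not as a pipe(8) attribute"))
    return findings

# Constructed inputs based on the entry quoted in this thread.
AS_POSTED = ("procmail   unix  -       n       n       -       -       pipe -o flags=D\n"
             " user=myvmail_user argv=/usr/bin/procmail -t -m USER=${recipient}\n"
             " EXTENSION=${extension} /usr/local/etc/procmailrc.common\n")
WITHOUT_O = AS_POSTED.replace("pipe -o flags=D", "pipe flags=D")
UNINDENTED = AS_POSTED.replace("\n ", "\n")   # continuation lines moved to column 0

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("without -o", WITHOUT_O),
                        ("unindented", UNINDENTED)):
        print(label, lint(conf))
```
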

Re: part 2 of: SSL not working after unwanted server migration

rachalmers

Ok, I see no warnings in your
postconf -Mf  ???

It looks good to me.

If that ip address you show is yours, then you will never have a valid PTR record on it, because it belongs to your ISP.

host 47.53.159.60
60.159.53.47.in-addr.arpa domain name pointer net-47-53-159-60.cust.vodafonedsl.it.

dig +short net-47-53-159-60.cust.vodafonedsl.it
47.53.159.60


Gmail interfacing is always difficult. If you are running ipv6, and don’t need it, turn it off. Maybe Gmail will be ok then.

robert






> On 11 Dec 2018, at 16:52, Marco Fioretti <[hidden email]> wrote:
>
> On Tue, 11 Dec 2018 at 17:03, Matus UHLAR - fantomas
> <[hidden email]> wrote:
>
>> the "flags" is supposed to be indented, since it is continuation of
>> "procmail" line:
>>
>>
>> procmail  unix  -       n       n       -       -       pipe  -o
>>        flags=D user=myvmail_user argv=/usr/bin/procmail -t -m
>>        USER=${recipient} EXTENSION=${extension}
>>        /usr/local/etc/procmailrc.common
>
> maybe it came out as indented when copying/pasting/replying in email,
> but it is NOT indented in the file. All that stuff has been on one line for,
> as I said, ~10 years now.
>> ... Do you mean that the "flags=D" setting is obsolete in the
>>> current version of postfix?
>>
>> it's not obsolete, but the filtering through procmail like this apparently is.
>
> OK, as long as the functionality remains the same, I certainly don't mind
> removing that part of the line!
>
> But if you check the output of postconf -Mf that I posted a few minutes ago...
> now the question becomes: why is there a warning about "user=myvmail_user"?
>
> As far as I can see, this postfix+procmail part of the system is
> working as expected now. It
> is "only" gmail interfacing and webmail configuration that are still giving me
> pains.
>
> Marco

Robert Chalmers
https://robert-chalmers.uk
[hidden email]
@R_A_Chalmers
