restricted inbound on 587


restricted inbound on 587

Gary Aitken
I'm trying to set up a postfix-server on a google-compute-engine vm that works as follows:
   outgoing mail from local machine (aaa.xxx.com) to a select few specific
     addresses and any address on a specific domain (yyy.com)
   incoming mail from a single domain only (yyy.com)

DNS is set with MX as aaa.xxx.com, although the IP on the ipv4 interface is
an internal google address, not the one returned for aaa.xxx.com.
   
I've set the following:
   /etc/aliases
     postmaster:   root
     root:         [hidden email]
     foo-admin:    [hidden email],[hidden email]
       
   /etc/mailname:
     xxx.com

   /etc/postfix/access
     xxx.com  OK
     yyy.com  OK
     *            5.2.1  No incoming mail allowed

   /etc/postfix/main.cf:
     smtpd_tls_cert_file=/path/to/fullchain.pem
     smtpd_tls_key_file=/path/to/privkey.pem
     smtpd_use_tls=yes
     smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
     smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
     smtp_tls_security_level = may
     smtp_tls_loglevel=2
     smtp_tls_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
     myhostname = aaa.xxx.com
     alias_maps = hash:/etc/aliases
     alias_database = hash:/etc/aliases
     myorigin = /etc/mailname
     mydestination = $myhostname, ggg.c.projectname.internal, localhost.c.projectname.internal, localhost
     relay_domains =
     mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com
     recipient_restrictions = check_recipient_access hash:/etc/postfix/access
     inet_interfaces = all
     inet_protocols = all
     recipient_delimiter = +
     
   /etc/postfix/master.cf:
     #smtp      inet  n       -       y       -       -       smtpd
     submission inet n       -       y       -       -       smtpd
     
   
When I attempt to send mail out using the mail command, the log shows:
Jan 16 21:20:05 ggg postfix/qmgr[13811]: 3CF5C3F3A5: from=<[hidden email]>, size=423, nrcpt=1 (queue active)
Jan 16 21:20:05 ggg postfix/smtp[13860]: initializing the client-side TLS engine
Jan 16 21:20:06 ggg postfix/smtp[13820]: connect to xxx.com[a.b.c.d]:25: Connection timed out
Jan 16 21:20:06 ggg postfix/smtp[13829]: connect to xxx.com[a.b.c.d]:25: Connection timed out
     
questions:
   1. Why is it attempting to send mail on port 25 and not 587?
   2. Why is it trying to connect to itself (xxx.com)?
      Note: the interface IP addr is of an internal google network,
            not the external DNS address which points to this machine.
   3. If I add the line:
        relayhost = [ok.relay.com]:587
      mail gets delivered
      although mail to [hidden email] does not get delivered
      without the relayhost directive.  Why not?

Thanks for any guidance,

Gary


Re: restricted inbound on 587

Jaroslaw Rafa
On 16.01.2021 at 15:11:58 Gary Aitken wrote:
>   1. Why is it attempting to send mail on port 25 and not 587?

Because that's the usual port MTA tries to connect to when sending mail. You
didn't specify anywhere in your configuration that there should be a
connection to port 587.

>   2. Why is it trying to connect to itself (xxx.com)?

Because you are trying to send mail to [hidden email], MX for xxx.com is
aaa.xxx.com and your server knows from the "myhostname" entry in the config
file that it is aaa.xxx.com. So it tries to connect to itself.

>      Note: the interface IP addr is of an internal google network,
>            not the external DNS address which points to this machine.

Did you do the DNS query for "aaa.xxx.com" from this very machine or from
somewhere else? This machine probably has configured somewhere (in
/etc/hosts for example) the translation of aaa.xxx.com to this internal
address. Or the DNS from inside Google cloud just returns different results
than from outside.

>   3. If I add the line:
>        relayhost = [ok.relay.com]:587
>      mail gets delivered
>      although mail to [hidden email] does not get delivered
>      without the relayhost directive.  Why not?

And what is the error message? Is the domain "relay.com" not resolved? Then
again, it may be due to DNS working differently from inside Google cloud
than from outside. But it's hard to tell without the exact error message
with which the message was rejected.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: restricted inbound on 587

Viktor Dukhovni
In reply to this post by Gary Aitken
On Sat, Jan 16, 2021 at 03:11:58PM -0700, Gary Aitken wrote:

> I'm trying to set up a postfix-server on a google-compute-engine vm that works as follows:
>
>  * outgoing mail from local machine (aaa.xxx.com) to a select few specific
>    addresses and any address on a specific domain (yyy.com)
>  * incoming mail from a single domain only (yyy.com)
>
> DNS is set with MX as aaa.xxx.com, although the IP on the ipv4 interface is
> an internal google address, not the one returned for aaa.xxx.com.
>    
> I've set the following:
>    /etc/aliases
>      postmaster:   root
>      root:         [hidden email]
>      foo-admin:    [hidden email],[hidden email]
>        
>    /etc/mailname:
>      xxx.com
>
>    /etc/postfix/access
>      xxx.com  OK
>      yyy.com  OK
>      *            5.2.1  No incoming mail allowed

You say *outgoing* mail to these domains, but from which sources?
Just "mynetworks"?

>    /etc/postfix/main.cf:
>      smtpd_tls_cert_file=/path/to/fullchain.pem
>      smtpd_tls_key_file=/path/to/privkey.pem
>      smtpd_use_tls=yes
>      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

It seems you intend to receive some mail via inbound SMTP...

>      recipient_restrictions = check_recipient_access hash:/etc/postfix/access

There is no such parameter in Postfix.  Perhaps you wanted
"smtpd_recipient_restrictions".

    * If you're using Postfix >= 3.3, unless $compatibility_level
      is set to a value > 0, the default "smtpd_relay_restrictions"
      is empty, and the above configuration will fail for lack of
      "reject-by-default" relay control.

    * With Postfix 2.10 through 3.2, or compatibility_level >= 1,
      with the default "smtpd_relay_restrictions", this allows outbound
      mail from just mynetworks.

      However, the default relay restrictions "defer" unauthorised relay
      attempts; you should generally "reject" once the configuration is
      deemed correct.

>      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>      smtp_tls_security_level = may
>      smtp_tls_loglevel=2

This TLS log level is too verbose for anything other than expert
debugging.  Set it back to 1.

>      smtp_tls_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

What is this?

>      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com

Hostnames in mynetworks are fragile, and not recommended; I don't recall
whether they're still supported, but even if they are, you should not
use them.  So no "yyy.com" here.

>    /etc/postfix/master.cf:
>      #smtp      inet  n       -       y       -       -       smtpd
>      submission inet n       -       y       -       -       smtpd

This looks like a submission service, so you would generally require
TLS.

> When I attempt to send mail out using the mail command, the log shows:
> Jan 16 21:20:05 ggg postfix/qmgr[13811]: 3CF5C3F3A5: from=<[hidden email]>, size=423, nrcpt=1 (queue active)
> Jan 16 21:20:05 ggg postfix/smtp[13860]: initializing the client-side TLS engine
> Jan 16 21:20:06 ggg postfix/smtp[13820]: connect to xxx.com[a.b.c.d]:25: Connection timed out
> Jan 16 21:20:06 ggg postfix/smtp[13829]: connect to xxx.com[a.b.c.d]:25: Connection timed out
>      
> questions:
>    1. Why is it attempting to send mail on port 25 and not 587?

You have nothing in your configuration that would direct outbound
traffic to port 587, and it is likely not what you want anyway.
Does "xx.com" really receive inbound email on port 587?  If so,
you'd need a transport table entry to send it there, and probably
SASL to authenticate your access to that service.

>    2. Why is it trying to connect to itself (xxx.com)?
>       Note: the interface IP addr is of an internal google network,
>             not the external DNS address which points to this machine.

Because the recipient domain is not listed in mydestination, or
virtual_mailbox_domains, and the MX host of the recipient domain
(or the domain itself otherwise) is "xxx.com".

The Postfix book by Ralf and Patrick is probably a good first
resource if the material in:

    http://www.postfix.org/BASIC_CONFIGURATION_README.html
    http://www.postfix.org/STANDARD_CONFIGURATION_README.html
    http://www.postfix.org/SOHO_README.html

assumes more background than you already have.

--
    Viktor.
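A checker for the specific main.cf mistakes Viktor points out above: a restriction list with the wrong prefix, "defer" where "reject" belongs, a hostname in mynetworks, and a debugging TLS log level. This is an added example, not code from the thread or from the Postfix project; SAMPLE_MAIN_CF is a constructed copy of the poster's settings, and the "missing smtpd_relay_restrictions" finding simply insists on an explicit relay list rather than the version-dependent default.

```python
"""Lint a Postfix main.cf for the mistakes discussed in this thread.

Added example, not code from the thread or from the Postfix project.
SAMPLE_MAIN_CF is a constructed copy of the poster's settings.
"""
import ipaddress

# The only Postfix parameters that hold restriction lists. All of them
# belong to the SMTP server (smtpd); the smtp client has none.
RESTRICTION_PARAMS = {
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions", "smtpd_etrn_restrictions",
    "smtpd_data_restrictions", "smtpd_end_of_data_restrictions",
}

SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file=/path/to/fullchain.pem
smtpd_tls_key_file=/path/to/privkey.pem
smtp_tls_loglevel=2
smtp_tls_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = aaa.xxx.com
mydestination = $myhostname, localhost
relay_domains =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com
recipient_restrictions = check_recipient_access hash:/etc/postfix/access
"""


def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines; comments and blanks skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def is_address_or_cidr(token):
    """True for mynetworks entries that are addresses or CIDR blocks, brackets allowed."""
    try:
        ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        return True
    except ValueError:
        return False


def lint(params):
    """Return a list of findings, one string each; an empty list means clean."""
    findings = []
    for name in params:
        if name.endswith("_restrictions") and name not in RESTRICTION_PARAMS:
            findings.append(f"{name}: not a Postfix parameter; restriction lists are smtpd_*_restrictions")
    relay = params.get("smtpd_relay_restrictions")
    if relay is None:
        # Make relay control explicit instead of relying on the version-dependent default.
        findings.append("smtpd_relay_restrictions: missing; set permit_mynetworks reject_unauth_destination")
    elif "defer_unauth_destination" in relay.split():
        findings.append("smtpd_relay_restrictions: defers unauthorised relaying; use reject_unauth_destination")
    for token in params.get("mynetworks", "").split():
        if not is_address_or_cidr(token):
            findings.append(f"mynetworks: '{token}' is a hostname, not an address or CIDR block")
    for key in ("smtp_tls_loglevel", "smtpd_tls_loglevel"):
        level = params.get(key, "0")
        if level.isdigit() and int(level) > 1:
            findings.append(f"{key}: {level} is debugging verbosity; set it to 1")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```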

Re: restricted inbound on 587

Gary Aitken
In reply to this post by Jaroslaw Rafa
On 1/16/21 4:04 PM, Jaroslaw Rafa wrote:
> On 16.01.2021 at 15:11:58 Gary Aitken wrote:
>>    1. Why is it attempting to send mail on port 25 and not 587?
>
> Because that's the usual port MTA tries to connect to when sending mail. You
> didn't specify anywhere in your configuration that there should be a
> connection to port 587.

I thought the changes to master.cf (commenting out smtp and uncommenting
submission) changed that?

If not, how do I set outgoing to 587 only?

>>    2. Why is it trying to connect to itself (xxx.com)?
>
> Because you are trying to send mail to [hidden email], MX for xxx.com is
> aaa.xxx.com and your server knows from the "myhostname" entry in the config
> file that it is aaa.xxx.com. So it tries to connect to itself.

Somehow I would have thought it would use the loopback / localhost for that?

>>       Note: the interface IP addr is of an internal google network,
>>             not the external DNS address which points to this machine.
>
> Did you do the DNS query for "aaa.xxx.com" from this very machine or from
> somewhere else? This machine probably has configured somewhere (in
> /etc/hosts for example) the translation of aaa.xxx.com to this internal
> address. Or the DNS from inside Google cloud just returns different results
> than from outside.

The DNS values were verified from outside the google network.

>>    3. If I add the line:
>>         relayhost = [ok.relay.com]:587
>>       mail gets delivered
>>       although mail to [hidden email] does not get delivered
>>       without the relayhost directive.  Why not?
>
> And what is the error message? Is the domain "relay.com" not resolved? Then
> again, it may be due to DNS working differently from inside Google cloud
> than from outside. But it's hard to tell without the exact error message
> with which the message was rejected.

I don't see any incoming traffic on port 587 at all.

Thanks for the questions, and any further answers,

Gary


Re: restricted inbound on 587

Gary Aitken
In reply to this post by Viktor Dukhovni
On 1/16/21 4:08 PM, Viktor Dukhovni wrote:

> On Sat, Jan 16, 2021 at 03:11:58PM -0700, Gary Aitken wrote:
>> I'm trying to set up a postfix-server on a google-compute-engine vm that works as follows:
>>
>>   * outgoing mail from local machine (aaa.xxx.com) to a select few specific
>>     addresses and any address on a specific domain (yyy.com)
>>   * incoming mail from a single domain only (yyy.com)
>>
>> DNS is set with MX as aaa.xxx.com, although the IP on the ipv4 interface is
>> an internal google address, not the one returned for aaa.xxx.com.
>>    
>> I've set the following:
>>     /etc/aliases
>>       postmaster:   root
>>       root:         [hidden email]
>>       foo-admin:    [hidden email],[hidden email]
>>        
>>     /etc/mailname:
>>       xxx.com
>>
>>     /etc/postfix/access
>>       xxx.com  OK
>>       yyy.com  OK
>>       *            5.2.1  No incoming mail allowed
>
> You say *outgoing* mail to these domains, but from which sources?
> Just "mynetworks"?

Yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com
Do I need to explicitly add xxx.com, even though it is 127.0.0.0?

>>     /etc/postfix/main.cf:
>>       smtpd_tls_cert_file=/path/to/fullchain.pem
>>       smtpd_tls_key_file=/path/to/privkey.pem
>>       smtpd_use_tls=yes
>>       smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> It seems you intend to receive some mail via inbound SMTP...

yes, on port 587.

>>       recipient_restrictions = check_recipient_access hash:/etc/postfix/access
>
> There is no such parameter in Postfix.  Perhaps you wanted
> "smtpd_recipient_restrictions".

Yes, typo in the original message.
Is there a way to specify this in main.cf, or only in master.cf?

>      * If you're using Postfix >= 3.3, unless $compatibility_level
>        is set to a value > 0, the default "smtpd_relay_restrictions"
>        is empty, and the above configuration will fail for lack of
>        "reject-by-default" relay control.

postfix 3.3.0-1

>      * With Postfix 2.10 through 3.2, or compatibility_level >= 1,
>        With the default "smtpd_relay_restrictions", this allows outbound
>        mail from just mynetworks.

compatibility_level = 2
yes, I only want outbound from mynetworks

>        However, the default relay restrictions "defer" unauthorised relay
>        attempts, you should generally "reject" once the configuration is
>        deemed correct.

I thought the above /etc/postfix/access should do that?
>>       xxx.com  OK
>>       yyy.com  OK
>>       *            5.2.1  No incoming mail allowed

>>       smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>>       smtp_tls_security_level = may
>>       smtp_tls_loglevel=2
>
> This TLS log level is too verbose for anything other than expert
> debugging.  Set it back to 1.

Happily...
I think I was seeing minimal output, which was why I bumped it up.

>>       smtp_tls_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>
> What is this?

Typo, error in transcription; it should have been:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

however, that was left-over from I'm not sure where and should probably be
   smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

>>       mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com
>
> Hostnames in mynetworks are fragile, and not recommended, don't recall
> whether they're still supported, but even if they are, you should not
> use them.  So no "yyy.com" here.

thanks.

>>     /etc/postfix/master.cf:
>>       #smtp      inet  n       -       y       -       -       smtpd
>>       submission inet n       -       y       -       -       smtpd
>
> This looks like a submission service, so you would generally require
> TLS.

Yes, I assume that's a hint I need
   smtp_use_tls=yes
Do I need others besides smtp_tls_cert_file and smtp_tls_key_file?

>> When I attempt to send mail out using the mail command, the log shows:
>> Jan 16 21:20:05 ggg postfix/qmgr[13811]: 3CF5C3F3A5: from=<[hidden email]>, size=423, nrcpt=1 (queue active)
>> Jan 16 21:20:05 ggg postfix/smtp[13860]: initializing the client-side TLS engine
>> Jan 16 21:20:06 ggg postfix/smtp[13820]: connect to xxx.com[a.b.c.d]:25: Connection timed out
>> Jan 16 21:20:06 ggg postfix/smtp[13829]: connect to xxx.com[a.b.c.d]:25: Connection timed out
>>      
>> questions:
>>     1. Why is it attempting to send mail on port 25 and not 587?
>
> You have nothing in your configuration that would direct outbound
> traffic to port 587, and it is likely not what you want anyway.
> Does "xx.com" really receive inbound email on port 587?  If so,
> you'd need a transport table entry to send it there, and probably
> SASL to authenticate your access to that service.

In this case the destination address does listen on 587.  
Why is it not likely what I want?
When specified as relayhost, the postfix process delivers the mail to the
(same) relayhost as a destination just fine.

>>     2. Why is it trying to connect to itself (xxx.com)?
>>        Note: the interface IP addr is of an internal google network,
>>              not the external DNS address which points to this machine.
>
> Because the recipient domain is not listed in mydestination, or
> virtual_mailbox_domains, and the MX host of the recipient domain
> (or the domain itself otherwise) is "xxx.com".

The recipient domain is not listed in mydestination; but shouldn't it be
contacting the MX host of the recipient domain rather than itself?

> The Postfix book by Ralf and Patrick is probably a good first
> resource if the material in:
>
>      http://www.postfix.org/BASIC_CONFIGURATION_README.html
>      http://www.postfix.org/STANDARD_CONFIGURATION_README.html
>      http://www.postfix.org/SOHO_README.html
>
> assumes more background than you already have.

Thanks, I will go through those (again).
The book seems likely to be horribly out of date, unfortunately.

This *seems* like it should be fairly straight-forward:
     postfix-server.xxx.com => yyy.com:587
     postfix-server.xxx.com:587 <= yyy.com
     postfix-server.xxx.com => zzz.com:587

Gary

Re: restricted inbound on 587

Viktor Dukhovni
On Sat, Jan 16, 2021 at 11:37:50PM -0700, Gary Aitken wrote:

> >>     /etc/postfix/master.cf:
> >>       #smtp      inet  n       -       y       -       -       smtpd
> >>       submission inet n       -       y       -       -       smtpd
> >
> > This looks like a submission service, so you would generally require
> > TLS.
>
> Yes, I assume that's a hint I need
>    smtp_use_tls=yes

No, that's the obsolete syntax to enable opportunistic outbound (SMTP
client) TLS, but you need mandatory inbound (SMTP server) TLS.

    smtpd_tls_security_level = encrypt

> Do I need others besides smtp_tls_cert_file and smtp_tls_key_file?

Neither have anything to do with inbound TLS, and you generally don't
need client certificates.  The right parameters are:

    smtpd_tls_cert_file
    smtpd_tls_key_file

and if you have both the cert and the key in the same file then
just the "cert" one will do.

> > You have nothing in your configuration that would direct outbound
> > traffic to port 587, and it is likely not what you want anyway.
> > Does "xx.com" really receive inbound email on port 587?  If so,
> > you'd need a transport table entry to send it there, and probably
> > SASL to authenticate your access to that service.
>
> In this case the destination address does listen on 587.  
> Why is it not likely what I want?

Because you did not explain that this is a relayhost.  Your message said
that you sent outbound mail to just that domain, not that you were using
that domain as a relayhost.  Which is it?

> The recipient domain is not listed in mydestination; but shouldn't it be
> contacting the MX host of the recipient domain rather than itself?

Now you're really confusing things.  If you want delivery to port 587 of
a relayhost (submission service smarthost that figures out where to
route the mail), then the MX records of the recipient domain are
irrelevant.  If you want to deliver to the MX host of domain you'd want
to use port 25, which is where domains receive inbound mail.

It seems you're rather confused about what you want...

> The book seems likely to be horribly out of date, unfortunately.

The book is more than sufficiently current on the fundamentals.
Postfix configurations that worked in 2001 still work largely
unchanged today, and your difficulties are with the concepts,
not configuration specifics.

--
    Viktor.

Re: restricted inbound on 587

Matus UHLAR - fantomas
In reply to this post by Gary Aitken
>On 1/16/21 4:04 PM, Jaroslaw Rafa wrote:
>>On 16.01.2021 at 15:11:58 Gary Aitken wrote:
>>>   1. Why is it attempting to send mail on port 25 and not 587?
>>
>>Because that's the usual port MTA tries to connect to when sending mail. You
>>didn't specify anywhere in your configuration that there should be a
>>connection to port 587.

On 16.01.21 21:14, Gary Aitken wrote:
>I thought the changes to master.cf (commenting out smtp and uncommenting
>submission) changed that?

This way, you have closed port 25, which is why your postfix can't connect to
itself.

>If not, how do I set outgoing to 587 only?

by using relayhost, default_transport, transport_maps or other feature.


>>>   2. Why is it trying to connect to itself (xxx.com)?
>>
>>Because you are trying to send mail to [hidden email], MX for xxx.com is
>>aaa.xxx.com and your server knows from the "myhostname" entry in the config
>>file that it is aaa.xxx.com. So it tries to connect to itself.

note that xxx.com domain is registered, I guess not to you.

domain names reserved for this are example.com, example.net and example.org

>Somehow I would have thought it would use the loopback / localhost for that?

only if you set it so. If the mail is to be processed locally, postfix
doesn't send it via SMTP to itself.

Simply put aaa.xxx.com in $mydestination.

>>>   3. If I add the line:
>>>        relayhost = [ok.relay.com]:587
>>>      mail gets delivered
>>>      although mail to [hidden email] does not get delivered
>>>      without the relayhost directive.  Why not?
>>
>>And what is the error message? Is the domain "relay.com" not resolved? Then
>>again, it may be due to DNS working differently from inside Google cloud
>>than from outside. But it's hard to tell without the exact error message
>>with which the message was rejected.
>
>I don't see any incoming traffic on port 587 at all.

I wonder; internet bots try port 587 on any host within minutes.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
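A small model of the routing decision the replies above turn on: Viktor's transport table entry, Matus's relayhost / default_transport / transport_maps, and "put aaa.xxx.com in $mydestination". This is an added example, not code from the thread or from the Postfix project; MX_TABLE and the host names are constructed, and SASL authentication to the port 587 service is not modelled.

```python
"""Model the next-hop decision Postfix makes for a recipient domain.

Added example, not code from the thread or from the Postfix project. It
models the lookup order discussed in the thread: mydestination (local
delivery), then transport_maps, then default_transport / relayhost, falling
back to the recipient domain's MX host on port 25. MX_TABLE stands in for
DNS and, like the host names, is constructed for the example.
"""
import re

# Constructed stand-in for MX lookups; aaa.xxx.com is the poster's own host.
MX_TABLE = {"xxx.com": "aaa.xxx.com", "yyy.com": "mx.yyy.com", "zzz.com": "mx.zzz.com"}


def parse_nexthop(spec, default_port=25):
    """Parse 'host', 'host:port', '[host]' or '[host]:port'.

    Returns (host, port, use_mx); brackets turn off the MX lookup, as in Postfix.
    """
    m = re.fullmatch(r"\[(?P<h>[^\]]+)\](?::(?P<p>\d+))?", spec)
    if m:
        return m.group("h"), int(m.group("p") or default_port), False
    host, _, port = spec.partition(":")
    return host, int(port or default_port), True


def route(domain, cfg):
    """Return (transport, host, port) for a recipient in `domain`.

    cfg keys (all optional): mydestination (set of domains), transport_maps
    (dict domain -> 'transport:nexthop'), relayhost (str), default_transport (str).
    """
    if domain in cfg.get("mydestination", set()):
        return ("local", "localhost", None)
    tmap = cfg.get("transport_maps", {})
    labels = domain.split(".")
    # transport_maps: exact domain first, then parent domains written as .parent
    for i in range(len(labels)):
        key = domain if i == 0 else "." + ".".join(labels[i:])
        if key in tmap:
            transport, _, nexthop = tmap[key].partition(":")
            break
    else:
        # No transport_maps entry: default_transport, whose next-hop is relayhost when set
        transport, _, nexthop = cfg.get("default_transport", "smtp").partition(":")
        nexthop = nexthop or cfg.get("relayhost", "")
    if not nexthop:
        # No explicit next-hop: the recipient domain's MX host on port 25
        return (transport, MX_TABLE.get(domain, domain), 25)
    host, port, use_mx = parse_nexthop(nexthop)
    if use_mx:
        host = MX_TABLE.get(host, host)
    return (transport, host, port)


if __name__ == "__main__":
    base = {"mydestination": {"aaa.xxx.com", "localhost"}}
    scenarios = {
        "thread's original config (connects to itself on 25)": (base, "xxx.com"),
        "with relayhost = [ok.relay.com]:587": ({**base, "relayhost": "[ok.relay.com]:587"}, "zzz.com"),
        "with a transport_maps entry for yyy.com": (
            {**base, "transport_maps": {"yyy.com": "smtp:[mx.yyy.com]:587"}}, "yyy.com"),
        "with xxx.com added to mydestination": (
            {**base, "mydestination": base["mydestination"] | {"xxx.com"}}, "xxx.com"),
    }
    for label, (cfg, domain) in scenarios.items():
        print(f"{label}: {domain} -> {route(domain, cfg)}")
```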

Re: restricted inbound on 587

Gary Aitken
In reply to this post by Viktor Dukhovni
On 1/17/21 12:30 AM, Viktor Dukhovni wrote:

> On Sat, Jan 16, 2021 at 11:37:50PM -0700, Gary Aitken wrote:
>
>>>>      /etc/postfix/master.cf:
>>>>        #smtp      inet  n       -       y       -       -       smtpd
>>>>        submission inet n       -       y       -       -       smtpd
>>>
>>> This looks like a submission service, so you would generally require
>>> TLS.
>>
>> Yes, I assume that's a hint I need
>>     smtp_use_tls=yes
>
> No, that's the obsolete syntax to enable opportunistic outbound (SMTP
> client) TLS, but you need mandatory inbound (SMTP server) TLS.
>
>      smtpd_tls_security_level = encrypt

The issue *is* with outbound; I need outbound to 587 and inbound on 587.

>> Do I need others besides smtp_tls_cert_file and smtp_tls_key_file?
>
> Neither have anything to do with inbound TLS, and you generally don't
> need client certificates.  The right parameters are:
>
>      smtpd_tls_cert_file
>      smtpd_tls_key_file

Those are already set for inbound.

> and if you have both the cert and the key in the same file then
> just the "cert" one will do.

Thanks.

>>> You have nothing in your configuration that would direct outbound
>>> traffic to port 587, and it is likely not what you want anyway.
>>> Does "xx.com" really receive inbound email on port 587?  If so,
>>> you'd need a transport table entry to send it there, and probably
>>> SASL to authenticate your access to that service.
>>
>> In this case the destination address does listen on 587.
>> Why is it not likely what I want?
>
> Because you did not explain that this is a relayhost.  Your message said
> that you sent outbound mail to just that domain, not that you were using
> that domain as a relayhost.  Which is it?

That domain and its mx server serves as both a destination and a relay
host if necessary.  In this case I would like it to be only a destination,
but at the moment the only way I have been able to get postfix to contact
it on 587 is to have postfix treat it as a relayhost.

I think the issue is I need to specify default_transport as suggested by
Matus; I will try that.

>> The recipient domain is not listed in mydestination; but shouldn't it be
>> contacting the MX host of the recipient domain rather than itself?
>
> Now you're really confusing things.  If you want delivery to port 587 of
> a relayhost (submission service smarthost that figures out where to
> route the mail), then the MX records of the recipient domain are
> irrelevant.  If you want to deliver to the MX host of domain you'd want
> to use port 25, which is where domains receive inbound mail.
>
> It seems you're rather confused about what you want...

I'm certainly confused about how to accomplish it...
The postfix server is inside the google cloud, and google blocks port 25.
That's why I need it to go out to 587, not 25.

Thanks,

Gary

Re: restricted inbound on 587

Gary Aitken
In reply to this post by Matus UHLAR - fantomas
On 1/17/21 9:53 AM, Matus UHLAR - fantomas wrote:

>> On 1/16/21 4:04 PM, Jaroslaw Rafa wrote:
>>> On 16.01.2021 at 15:11:58 Gary Aitken wrote:
>>>>   1. Why is it attempting to send mail on port 25 and not 587?
>>>
>>> Because that's the usual port MTA tries to connect to when sending mail. You
>>> didn't specify anywhere in your configuration that there should be a
>>> connection to port 587.
>
> On 16.01.21 21:14, Gary Aitken wrote:
>> I thought the changes to master.cf (commenting out smtp and uncommenting
>> submission) changed that?
>
> This way, you have closed port 25, which is why your postfix can't connect to
> itself.

Thanks.

>> If not, how do I set outgoing to 587 only?
>
> by using relayhost, default_transport, transport_maps or other feature.

Ah, thanks, default_transport is what I was looking for; will try that.

Gary

Re: restricted inbound on 587

Matus UHLAR - fantomas
In reply to this post by Gary Aitken
>>>>>     /etc/postfix/master.cf:
>>>>>       #smtp      inet  n       -       y       -       -       smtpd
>>>>>       submission inet n       -       y       -       -       smtpd

>>>>This looks like a submission service, so you would generally require
>>>>TLS.

>>On Sat, Jan 16, 2021 at 11:37:50PM -0700, Gary Aitken wrote:
>>>Yes, I assume that's a hint I need
>>>    smtp_use_tls=yes

>On 1/17/21 12:30 AM, Viktor Dukhovni wrote:
>>No, that's the obsolete syntax to enable opportunistic outbound (SMTP
>>client) TLS, but you need mandatory inbound (SMTP server) TLS.
>>
>>     smtpd_tls_security_level = encrypt

On 18.01.21 17:18, Gary Aitken wrote:
>The issue *is* with outbound; I need outbound to 587 and inbound on 587.

are you aware that only mail clients and explicitly configured mail servers
will deliver mail to you on port 587?


>>>>You have nothing in your configuration that would direct outbound
>>>>traffic to port 587, and it is likely not what you want anyway.
>>>>Does "xx.com" really receive inbound email on port 587?  If so,
>>>>you'd need a transport table entry to send it there, and probably
>>>>SASL to authenticate your access to that service.
>>>
>>>In this case the destination address does listen on 587.
>>>Why is it not likely what I want?
>>
>>Because you did not explain that this is a relayhost.  Your message said
>>that you sent outbound mail to just that domain, not that you were using
>>that domain as a relayhost.  Which is it?
>
>That domain and its mx server serves as both a destination and a relay
>host if necessary.  In this case I would like it to be only a destination,
>but at the moment the only way I have been able to get postfix to contact
>it on 587 is to have postfix treat it as a relayhost.
>
>I think the issue is I need to specify default_transport as suggested by
>Matus; I will try that.
>
>>>The recipient domain is not listed in mydestination; but shouldn't it be
>>>contacting the MX host of the recipient domain rather than itself?
>>
>>Now you're really confusing things.  If you want delivery to port 587 of
>>a relayhost (submission service smarthost that figures out where to
>>route the mail), then the MX records of the recipient domain are
>>irrelevant.  If you want to deliver to the MX host of domain you'd want
>>to use port 25, which is where domains receive inbound mail.
>>
>>It seems you're rather confused about what you want...
>
>I'm certainly confused about how to accomplish it...
>The postfix server is inside the google cloud, and google blocks port 25.
>That's why I need it to go out to 587, not 25.

Also, (nearly) no server will allow you to send mail via port 587 without
authentication (to that server).

This is apparently the reason why google blocks you from contacting other
servers on port 25 - you can spam them that way.

Simply said, by blocking port 25 your provider prevents you from sending
spam and requires you to use their mail service or that of other providers.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.