From: James B. <jl...@bo...> - 2019-01-25 22:54:26
Hi Thomas, Daniel and everyone else.

I’ve set up a new mail server and mail seems to flow properly. Everything seems good.

The only thing is that because ASSP is not the destination for submission (Postfix is) I can’t use the ‘Resend’ button in Block Reports. I also had to create the assp-block, assp-spam and assp-notspam email addresses, otherwise Postfix would reject them as unknown users. I.e. now I can’t send an email to RSBM_spamx2FXLASTx5FXCHANCEx5FXSavex5FXupx5FXt...@bo... to get my blocked email sent to me. The email client gets back:

    The server response was: <RSBM_spamx2FXLASTx5FXCHANCEx5FXSavex5FXupx5FXt...@bo...>: Temporary lookup failure

ASSP Startup:

    Jan-25-19 18:38:46 [init] Listening for SMTP connections on [::]:25 , 0.0.0.0:25
    Jan-25-19 18:38:46 [init] Listening for admin HTTP connections on [::]:55555 , 0.0.0.0:55555
    Jan-25-19 18:38:46 [init] Listening for stat HTTP connections on [::]:55553 , 0.0.0.0:55553
    Jan-25-19 18:38:46 [init] Listening for SMTP relay connections on 127.0.0.1:10025

ASSP Config:

    listenPort is: 25
    smtpDestination is: 127.0.0.1:10026
    smtpDestinationSSL is: SSL:127.0.0.1:126
    listenPortSSL is:
    listenPort2 is:
    relayHost is: 127.0.0.1:10026
    relayPort is: 127.0.0.1:10025

Postfix’s master.cf has:

    127.0.0.1:10026 inet n - n - - smtpd
    127.0.0.1:126 inet n - n - - smtpd
      -o syslog_name=assptls
      -o smtpd_tls_wrappermode=yes
      -o smtpd_proxy_filter=
      -o myhostname=mail.bordo.com.au
    465 inet n - n - 20 smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_wrappermode=yes
      -o smtpd_proxy_filter=127.0.0.1:10025
      -o smtpd_client_connection_count_limit=100
    587 inet n - n - 20 smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_wrappermode=yes
      -o smtpd_proxy_filter=127.0.0.1:10025
      -o smtpd_client_connection_count_limit=100

So I now no longer have the "SSL client requires a read first" errors in ASSP, as it is not handling submissions, but ASSP’s email interface won’t work.

Any suggestions?

Thanks,

James.

> On 17 Dec 2018, at 1:12 pm, Daniel Miller <dm...@am...> wrote:
>
> Couple things I notice:
>
> In ASSP - you have set:
>
> listenPort:=25
> smtpDestination:=127.0.0.1:10026
> listenPortSSL:=
> smtpDestinationSSL:=127.0.0.1:126
> listenPort2:=
> smtpAuthServer:=SSL:127.0.0.1:126
> relayHost:=127.0.0.1:10026
> relayPort:=127.0.0.1:10025
>
> So - ASSP is globally listening on port 25, and will forward any connection to 10026. In the clear.
>
> You have an override for explicit SSL connections to port 126.
>
> And an authenticated connection target of 10026 - exclusively SSL. However - you don't declare listenPort2. So ASSP isn't explicitly listening for authentication and, unless I'm quite wrong (which is always a strong possibility), the smtpAuthServer setting won't be used.
>
> ASSP is listening for connections from Postfix on 10025 and will forward those connections back to port 10026.
>
> So - my initial ASSP summary:
>
> ASSP listens openly on port 25, will forward clear connections to 10026 and SSL connections to 126. However - the SSL connection to Postfix is not "forced". Also the communication from & back to Postfix for relay is not forced SSL either.
>
> Next...Postfix:
>
> 127.0.0.1:10026 inet n - n - - smtpd
>   -o smtpd_sasl_auth_enable=yes
> 127.0.0.1:126 inet n - n - - smtpd
>   -o syslog_name=assptls
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_proxy_filter=
>   -o myhostname=mail.bordo.com.au
> 465 inet n - n - 20 smtpd
>   -o smtpd_proxy_filter=127.0.0.1:10025
>   -o smtpd_client_connection_count_limit=100
>
> Postfix is listening for authentication on port 10026 - without requiring SSL (though it will support STARTTLS).
>
> Postfix is listening for "forced" SSL connections on port 126.
>
> And listening on port 465 where it will forward to port 10025. Again without requiring SSL.
>
> So...
>
> I'm guessing your Mail.app is using STARTTLS - it connects to Postfix on port 465, which accepts the connection, forwards to ASSP on 10025, which returns to Postfix at 10026 - at which time Postfix checks for authentication - and then it continues on its way.
>
> Thunderbird is probably trying to do "forced" SSL - which isn't being listened for.
>
> My initial recommendations:
>
> * Move the "-o smtpd_sasl_auth_enable=yes" to your port 465 stanza. This is where the authentication should be.
>
> * Add (don't move) the "-o smtpd_tls_wrappermode=yes" to the port 465 stanza. This will enable "forced" SSL.
>
> * Change ASSP's "smtpDestinationSSL" to "SSL:127.0.0.1:126" (note the prefix of "SSL:")
>
> * The smtpAuthServer setting should be cleared so it's not confusing.
>
> The new flow - port 25 continues as it was. Which means both cleartext and STARTTLS support (but NOT "forced" SSL). Port 465 is now a dedicated SSL listener which requires authentication before it passes Postfix - which then forwards to ASSP via port 10025. ASSP will forward that via port 10026.
>
> I think after you do that...things might be a little better, although now your Mail.app may need to be adjusted! There may be something else we need to adjust in Postfix but this should be close.
>
> A purist might insist on adding SSL to ports 10025 & 10026 - but let's leave that for later when everything else is working if you really want it.
>
> Daniel
>
> On 12/14/2018 8:28 AM, Daniel Miller via Assp-test wrote:
>> Ok - so you have Postfix listening. There's a few different choices available to have Postfix forward to ASSP. I would recommend using Postfix's before-queue content filter method.
>>
>> The entries you've setup in master.cf already are for mail that has been processed by ASSP and now needs delivery. Again - before proceeding further you need to verify things work - clients can connect and authenticate and send via your existing ASSP/Postfix/Dovecot chain.
>>
>> Now in master.cf:
>>
>> 465 inet n - n - 20 smtpd
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>   -o smtpd_client_connection_count_limit=10
>>
>> Note the above address/port are arbitrary - pick what you want though the localhost address is appropriate given your setup. The "smtpd_client_connection_count_limit" may be adjusted as needed. It is also up to you whether or not to have additional validation checks in this Postfix listener (you should - let Postfix block out whatever it can before it touches ASSP otherwise there's not much point in this approach).
>>
>> The "smtpd_proxy_filter" tells Postfix to forward mail to another server for processing prior to delivery. So ASSP needs to be listening for that connection. You can use the primary listeners listenPort, listenPort2, and listenPortSSL but probably a better choice is to configure ASSP with:
>>
>> relayPort=127.0.0.1:10025
>>
>> That matches the setting in master.cf above - and that should do it. To make it SSL - for the master.cf entry above for 465 add
>>
>> -o smtpd_tls_wrappermode=yes
>>
>> and in ASSP make it
>>
>> relayPort=SSL:127.0.0.1:10025
>>
>> Daniel
>>
>> On 12/13/2018 7:13 PM, James Brown wrote:
>>>> On 13 Dec 2018, at 5:39 am, Daniel Miller <dm...@am...> wrote:
>>>>
>>>> The "lsof -i" is a lower-case i (just confirming if it got auto-corrected by email spellcheck).
>>>>
>>>> If "lsof" (or other tools) can't confirm an open port we've got other problems. Need to get that part first. What is expected:
>>>>
>>>> # lsof -i :126
>>>> COMMAND PID  USER FD   TYPE DEVICE SIZE/OFF NODE NAME
>>>> master  1260 root 104u IPv4 33860  0t0      TCP  localhost.localdomain:126 (LISTEN)
>>>>
>>>> Daniel
>>> Yes, Daniel, it was auto-correct in my email.
>>>
>>> The reason I got nothing returned is because I did not run in sudo mode. Now I get:
>>>
>>> $ sudo lsof -i :10026
>>> Password:
>>> COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
>>> master  89692 root 85u IPv4 0x1117b83fdbb9d20b 0t0      TCP  localhost:10026 (LISTEN)
>>>
>>> $ sudo lsof -i :126
>>> COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
>>> perl    32559 root 25u IPv4 0x1117b83fd26de50b 0t0      TCP  localhost:49213->localhost:nxedit (CLOSE_WAIT)
>>> master  89692 root 88u IPv4 0x1117b83fdbb9e50b 0t0      TCP  localhost:nxedit (LISTEN)
>>>
>>> James.
>>
>> _______________________________________________
>> Assp-test mailing list
>> Ass...@li...
>> https://lists.sourceforge.net/lists/listinfo/assp-test
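Daniel's review of the master.cf listeners above is done by hand. The following is an added example, not code from this thread or from ASSP or Postfix: a small Python checker that parses master.cf stanzas (a service line plus its indented `-o` overrides) together with ASSP's relayPort and relayHost, and reports the mismatches his recommendations address. The rules in check() and the ASSP dict are assumptions drawn from his 17 Dec reply.

```python
import re

# Constructed input: the master.cf fragment Daniel reviewed on 17 Dec (line
# breaks restored) and the ASSP relay settings he quoted alongside it.
MASTER_CF = """
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:126 inet n - n - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
465 inet n - n - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=100
"""
ASSP = {"relayPort": "127.0.0.1:10025", "relayHost": "127.0.0.1:10026"}

def parse_master_cf(text):
    """{service: {override: value}}; a service line starts in column 0, its -o lines are indented."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+(\w+)=(.*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
        else:
            current = line.split()[0]
            services[current] = {}
    return services

def check(services, assp, submission="465"):
    """Return a list of findings; empty means the Postfix/ASSP chain is consistent."""
    findings, sub = [], services.get(submission, {})
    if sub.get("smtpd_sasl_auth_enable") != "yes":
        findings.append(f"{submission}: smtpd_sasl_auth_enable=yes belongs on the submission listener")
    if sub.get("smtpd_tls_wrappermode") != "yes":
        findings.append(f"{submission}: no smtpd_tls_wrappermode=yes, so no forced SSL")
    # Postfix hands mail to ASSP at smtpd_proxy_filter; that must be where ASSP's relayPort listens.
    target = sub.get("smtpd_proxy_filter", "").replace("SSL:", "", 1)
    if target != assp["relayPort"].replace("SSL:", "", 1):
        findings.append(f"{submission}: smtpd_proxy_filter {target!r} != relayPort {assp['relayPort']!r}")
    if assp["relayHost"] not in services:  # ASSP hands mail back here; it needs a listener
        findings.append(f"relayHost {assp['relayHost']} has no master.cf listener")
    for svc, overrides in services.items():
        if svc != submission and overrides.get("smtpd_sasl_auth_enable") == "yes":
            findings.append(f"{svc}: SASL auth enabled on a non-submission listener")
    return findings
```

Run against the constructed fragment it reports the three points Daniel raised (SASL on 10026 instead of 465, no wrapper mode on 465); after his recommended edits the list is empty.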