Atomic Secure Linux
Post subject: Move to Postfix install checklist.
Posted: Fri Aug 14, 2015 5:17 pm
Forum Regular

Looks like I'm going to have to move to Postfix. I just need a verification of my process please.

Currently have Clamav, spamassassin, pyzor, dcc, qmail-scanner, etc running on Qmail.

Should I uninstall spamassassin, clamav, qmail-scanner before switching to Postfix and then reinstall clamav, spamassassin then install clampf?

What gotchas should I be aware of and will this be seamless for the client? Currently require long user name.

Thanks, Franklyn

_________________
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net


Post subject: Re: Move to Postfix install checklist.
Posted: Fri Aug 14, 2015 7:36 pm
Atomicorp Staff - Site Admin

So first gotcha, if you're going from a legacy system where you used short names for smtp_auth, it's not going to work with postfix.

We have a thread talking about Anti-spam/Anti-virus options for postfix: viewtopic.php?f=4&t=8086

The one I'm currently playing with is called sagator. The thread there really gets into some nitty gritty details.


Post subject: Re: Move to Postfix install checklist.
Posted: Sat Aug 15, 2015 12:21 am
Forum Regular

Thanks Scott,

Just upgraded to 12 with latest patches. Only 2 clients on it and everyone is using long names.

So, guess I'll do my switch tomorrow night. Only reason I'm doing this is because the client needs to be able to send mail to AOL customers and they aren't getting through. The IP rep test says undetermined with them even though the main IP for mail is clean. They don't like the mismatch or in-arpa address for the virtual host domain.

_________________
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net


Post subject: Re: Move to Postfix install checklist.
Posted: Sat Aug 15, 2015 10:05 am
Atomicorp Staff - Site Admin

Gotcha, so you're using postfix so you can bind the outbound mail for a domain to a specific IP right?


Post subject: Re: Move to Postfix install checklist.
Posted: Sat Aug 15, 2015 1:14 pm
Forum Regular

Yes, that is the idea. AOL doesn't like to receive mail from my virtual client and no matter what I do on the receiving end, i.e. adding to all whitelists on client side, his mail is still being bounced.

Quote:
*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its delivery. The reason your mail is being returned to you is listed in the section labeled: "----- The delivery status notification errors -----".

The line beginning with "Diagnostic-Code:" describes the specific reason your e-mail could not be delivered. The following lines contains the
RFC822 header of the original email message.

Please direct further questions regarding this message to your e-mail administrator.

--AOL Postmaster

----- The delivery status notification errors -----

<jmoorecatz@aol.com>: host core-lrb02g.mail.aol.com[10.76.58.115] said: 554
5.7.1 Your mail could not be delivered because the recipient is only
accepting mail from specific email addresses. If you feel you received this
in error, please contact the recipient directly and ask them to check their
email settings. (in reply to end of DATA command)


The only thing I can figure at this point is the SMTP Header doesn't match his domain. I've contacted the postmaster on this and they replied that the receiver is blocking. This particular email is to his Mother.... I've specifically allowed his email, whitelisted etc on her mail profile and still getting this bounce message.

Hence my move to postfix. /sigh.

_________________
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net


Post subject: Re: Move to Postfix install checklist.
Posted: Sun Aug 16, 2015 9:45 am
Long Time Forum Regular

Wow. I've never seen that rejection error before. It implies the recipient is using an AOL setting I've never seen before, or maybe there's something more complex going on?

Do you have an AOL mail feedback loop set up with them?
https://postmaster.aol.com/fbl-request
Also https://postmaster.aol.com/

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Move to Postfix install checklist.
Posted: Mon Aug 17, 2015 12:56 pm
Forum Regular

Not yet Feris. I've not been able to whitelist the domain or IP addresses either. Using their reputation tool I get an undisclosed message which doesn't do me any good.

The last test I ran came back with a Reverse DNS listing softlayer static ip and not the ip of the domain. Also that IP is shared with other domains on the server.

_________________
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net


Post subject: Re: Move to Postfix install checklist.
Posted: Mon Aug 17, 2015 1:02 pm
Forum Regular

This is my current setting for postfix and outgoing mail:

Outgoing mail mode
Send from domain IP addresses
Send from domain IP addresses and use domain names in SMTP greeting
Send from the specified IP addresses

_________________
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net


Post subject: Re: Move to Postfix install checklist.
Posted: Tue Aug 18, 2015 7:05 am
Forum Regular

Some tips for any Postfix installation (different than OS defaults):

- Set secure smtpd_banner, do not leak program/version info.
- Enable optimistic encryption via smtp_tls_security_level.
- Configure your own certificate via smtpd_tls_cert_file
- Disable weak ciphers for TLS encryption in Postfix via 'smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA'
- Generate custom Diffie Hellman parameters for Postfix via "openssl dhparam -out /etc/pki/tls/certs/postfix_dhparam.pem 2048" and set via smtpd_tls_dh1024_param_file.
- Set the smtp_tls_CAfile /etc/pki/tls/certs/ca-bundle.crt (CentOS 6/7) to validate remote certs.
- Not using IPv6? Set "inet_protocols = ipv4"
- Wanting to log Subjects in maillog? Set "header_checks = regexp:/etc/postfix/header_checks" and let that file have contents "/^Subject:/ WARN"

_________________
Lemonbit Internet Dedicated Server Management
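
Added example, not part of the original thread and not the poster's code: a small Python check that reads main.cf text and flags the banner and TLS items from the checklist above. The sample configuration, the minimum exclude set and the function names are assumptions made for this illustration; legacy smtp_use_tls / smtp_enforce_tls settings are not considered.

```python
import re

# Constructed sample main.cf for illustration; not from the thread's server.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL,
    EXPORT, DES, MD5
"""
# Assumption: a minimum exclude set drawn from the list in the post above.
REQUIRED_EXCLUDES = ("aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5")
MUST_BE_SET = ("smtpd_tls_cert_file", "smtpd_tls_dh1024_param_file", "smtp_tls_CAfile")

def parse_main_cf(text):
    """Parse main.cf: '#' comments, 'name = value', whitespace-led continuations."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(params):
    """Return (parameter, finding) pairs for the checklist items."""
    findings = []
    # Postfix's built-in banner names the program, so unset counts as leaking.
    banner = params.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if re.search(r"\$\{?mail_(name|version)|postfix", banner, re.I):
        findings.append(("smtpd_banner", "leaks program/version info"))
    if params.get("smtp_tls_security_level", "") in ("", "none"):
        findings.append(("smtp_tls_security_level", "outbound TLS not enabled"))
    findings += [(n, "not set") for n in MUST_BE_SET if not params.get(n)]
    excluded = set(re.split(r"[,\s]+", params.get("smtpd_tls_exclude_ciphers", "")))
    missing = [c for c in REQUIRED_EXCLUDES if c not in excluded]
    if missing:
        findings.append(("smtpd_tls_exclude_ciphers", "missing: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for name, why in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{name}: {why}")
```

On a live server the same functions can be fed the output of `postconf -n`, which prints the non-default settings in the same `name = value` form.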


Post subject: Re: Move to Postfix install checklist.
Posted: Tue Aug 18, 2015 2:14 pm
Forum Regular

Will this fix the client getting the CA message being invalid? Basically they don't have one and the server is self-signed. for the mail IP address? Do I have to create a self-signed cert for each domain on this shared IP in each domain panel?

How do I get rid of the Reverse DNS pointing to softlayer instead of each virtual domain on that IP?

Thanks.

_________________
Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net


Post subject: Re: Move to Postfix install checklist.
Posted: Wed Aug 19, 2015 5:30 am
Forum Regular

Galactic Zero wrote:
Will this fix the client getting the CA message being invalid? Basically they don't have one and the server is self-signed. for the mail IP address? Do I have to create a self-signed cert for each domain on this shared IP in each domain panel?


You can only install one server certificate via Postfix, and if you want this to be working without warnings, you will need to make sure that:
- The certificate is signed by a trusted CA.
- The certificate holds the domain name that the client uses to connect to the mail server.

Basically, how it works for every certificate validated service.

Quote:
How do I get rid of the Reverse DNS pointing to softlayer instead of each virtual domain on that IP?


This can be done through the Softlayer control panel. Networks themselves are usually authoritative for the reverse DNS zones of IP blocks. This has nothing to do with your mail server configuration.

_________________
Lemonbit Internet Dedicated Server Management

