
Move to Postfix install checklist.

Posted: Fri Aug 14, 2015 5:17 pm
by Galactic Zero
Looks like I'm going to have to move to Postfix. I just need a verification of my process please.

Currently have Clamav, spamassassin, pyzor, dcc, qmail-scanner, etc running on Qmail.

Should I uninstall spamassassin, clamav, qmail-scanner before switching to Postfix and then reinstall clamav, spamassassin then install clampf?

What gotchas should I be aware of and will this be seamless for the client? Currently require long user name.

Thanks, Franklyn

Re: Move to Postfix install checklist.

Posted: Fri Aug 14, 2015 7:36 pm
by scott
So first gotcha, if you're going from a legacy system where you used short names for smtp_auth it's not going to work with postfix.

We have a thread talking about Anti-spam/Anti-virus options for postfix: https://atomicorp.com/forum/viewtopic.php?f=4&t=8086

The one I'm currently playing with is called sagator. The thread there really gets into some nitty gritty details.

Re: Move to Postfix install checklist.

Posted: Sat Aug 15, 2015 12:21 am
by Galactic Zero
Thanks Scott,

Just upgraded to 12 with latest patches. Only 2 clients on it and everyone is using long names.

So, guess I'll do my switch tomorrow night. Only reason I'm doing this is because the client needs to be able to send mail to AOL customers and they aren't getting through. The IP rep test says undetermined with them even though the main IP for mail is clean. They don't like the mismatch or in-arpa address for the virtual host domain.

Re: Move to Postfix install checklist.

Posted: Sat Aug 15, 2015 10:05 am
by scott
Gotcha, so you're using postfix so you can bind the outbound mail for a domain to a specific IP right?

Re: Move to Postfix install checklist.

Posted: Sat Aug 15, 2015 1:14 pm
by Galactic Zero
Yes, that is the idea. AOL doesn't like to receive mail from my virtual client and no matter what I do on the receiving end, i.e. adding to all whitelists on client side, his mail is still being bounced.
*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its delivery. The reason your mail is being returned to you is listed in the section labeled: "----- The delivery status notification errors -----".

The line beginning with "Diagnostic-Code:" describes the specific reason your e-mail could not be delivered. The following lines contains the
RFC822 header of the original email message.

Please direct further questions regarding this message to your e-mail administrator.

--AOL Postmaster

----- The delivery status notification errors -----

<jmoorecatz@aol.com>: host core-lrb02g.mail.aol.com[10.76.58.115] said: 554
5.7.1 Your mail could not be delivered because the recipient is only
accepting mail from specific email addresses. If you feel you received this
in error, please contact the recipient directly and ask them to check their
email settings. (in reply to end of DATA command)
The only thing I can figure at this point is the SMTP Header doesn't match his domain. I've contacted the postmaster on this and they replied that the receiver is blocking. This particular email is to his Mother.... I've specifically allowed his email, whitelisted etc on her mail profile and still getting this bounce message.

Hence my move to postfix. /sigh.

Re: Move to Postfix install checklist.

Posted: Sun Aug 16, 2015 9:45 am
by faris
Wow. I've never seen that rejection error before. It implies the recipient is using an AOL setting I've never seen before, or maybe there's something more complex going on?

Do you have an AOL mail feedback loop set up with them?
https://postmaster.aol.com/fbl-request
Also https://postmaster.aol.com/

Re: Move to Postfix install checklist.

Posted: Mon Aug 17, 2015 12:56 pm
by Galactic Zero
Not yet Faris. I've not been able to whitelist the domain or IP addresses either. Using their reputation tool I get an undisclosed message which doesn't do me any good.

The last test I ran came back with a Reverse DNS listing softlayer static ip and not the ip of the domain. Also that IP is shared with other domains on the server.

Re: Move to Postfix install checklist.

Posted: Mon Aug 17, 2015 1:02 pm
by Galactic Zero
This is my current setting for postfix and outgoing mail:

Outgoing mail mode
Send from domain IP addresses
Send from domain IP addresses and use domain names in SMTP greeting
Send from the specified IP addresses

Re: Move to Postfix install checklist.

Posted: Tue Aug 18, 2015 7:05 am
by prupert
Some tips for any Postfix installation (different than OS defaults):

- Set secure smtpd_banner, do not leak program/version info.
- Enable optimistic encryption via smtp_tls_security_level.
- Configure your own certificate via smtpd_tls_cert_file
- Disable weak ciphers for TLS encryption in Postfix via 'smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA'
- Generate custom Diffie-Hellman parameters for Postfix via "openssl dhparam -out /etc/pki/tls/certs/postfix_dhparam.pem 2048" and set via smtpd_tls_dh1024_param_file.
- Set the smtp_tls_CAfile /etc/pki/tls/certs/ca-bundle.crt (CentOS 6/7) to validate remote certs.
- Not using IPv6? Set "inet_protocols = ipv4"
- Wanting to log Subjects in maillog? Set "header_checks = regexp:/etc/postfix/header_checks" and let that file have contents "/^Subject:/ WARN"
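The checklist above is easy to apply once but hard to keep verified across servers. The following script is an added example (not from the forum post and not part of Postfix) that parses a main.cf in its native `key = value` form, including continuation lines, and reports which of the recommended settings are missing or still permissive. The two configurations embedded in it are constructed samples: one close to a stock install, one with the tips applied. Certificate and DH parameter paths are placeholders taken from the tips, not real files.

```python
"""Audit a Postfix main.cf against the hardening tips in the thread.

Added example, not the forum's or Postfix's own code. Parses main.cf
(key = value, with continuation lines that start with whitespace) and
lists what still needs attention.
"""

# Ciphers/aliases the tips say must appear in smtpd_tls_exclude_ciphers
REQUIRED_EXCLUDES = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5", "PSK", "aECDH"}


def parse_main_cf(text):
    """Return a dict of main.cf parameters, joining continuation lines."""
    conf = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        # Postfix treats a line beginning with whitespace as a continuation
        if raw[0] in " \t" and last_key is not None:
            conf[last_key] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; ignore
        last_key = key.strip()
        conf[last_key] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means all tips are applied."""
    conf = parse_main_cf(text)
    findings = []

    # Postfix's built-in default banner already includes $mail_name ("Postfix")
    banner = conf.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if "$mail_name" in banner or "$mail_version" in banner:
        findings.append("smtpd_banner leaks program/version information")

    # Unset (the default) or 'none' means no opportunistic TLS when sending
    if conf.get("smtp_tls_security_level", "") in ("", "none"):
        findings.append("smtp_tls_security_level: outbound TLS disabled (set 'may')")

    for key in ("smtpd_tls_cert_file", "smtpd_tls_dh1024_param_file", "smtp_tls_CAfile"):
        if not conf.get(key):
            findings.append(f"{key} is not set")

    excluded = {c.strip() for c in conf.get("smtpd_tls_exclude_ciphers", "").split(",") if c.strip()}
    missing = sorted(REQUIRED_EXCLUDES - excluded)
    if missing:
        findings.append("smtpd_tls_exclude_ciphers is missing: " + ", ".join(missing))

    if conf.get("inet_protocols", "all") != "ipv4":
        findings.append("inet_protocols: IPv6 enabled (set 'ipv4' if IPv6 is unused)")

    if not conf.get("header_checks"):
        findings.append("header_checks is not set (no Subject logging)")
    return findings


# Constructed sample: roughly what a fresh CentOS install looks like
WEAK_MAIN_CF = """
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
inet_protocols = all
"""

# Constructed sample: the same server with the tips applied (paths are placeholders)
HARDENED_MAIN_CF = """
myhostname = mail.example.com
smtpd_banner = $myhostname ESMTP
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
    aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/pki/tls/certs/postfix_dhparam.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
inet_protocols = ipv4
header_checks = regexp:/etc/postfix/header_checks
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

On a live server, `postconf -n` prints the non-default settings in the same `key = value` shape, so its output can be fed straight into `audit()`.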

Re: Move to Postfix install checklist.

Posted: Tue Aug 18, 2015 2:14 pm
by Galactic Zero
Will this fix the client getting the CA message being invalid? Basically they don't have one and the server is self-signed. For the mail IP address? Do I have to create a self-signed cert for each domain on this shared IP in each domain panel?

How do I get rid of the Reverse DNS pointing to softlayer instead of each virtual domain on that IP?

Thanks.

Re: Move to Postfix install checklist.

Posted: Wed Aug 19, 2015 5:30 am
by prupert
Galactic Zero wrote: Will this fix the client getting the CA message being invalid? Basically they don't have one and the server is self-signed. For the mail IP address? Do I have to create a self-signed cert for each domain on this shared IP in each domain panel?
You can only install one server certificate via Postfix, and if you want this to be working without warnings, you will need to make sure that:
- The certificate is signed by a trusted CA.
- The certificate holds the domain name that the client uses to connect to the mail server.

Basically, how it works for every certificate validated service.
Galactic Zero wrote: How do I get rid of the Reverse DNS pointing to softlayer instead of each virtual domain on that IP?
This can be done through the Softlayer control panel. Networks themselves are usually authoritative for the reverse DNS zones of IP blocks. This has nothing to do with your mail server configuration.
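The reverse DNS problem described earlier in the thread (a shared IP whose PTR still names the provider's generic host) is exactly what receiving MTAs and reputation tools check. The script below is an added example, not from the thread, showing the forward-confirmed reverse DNS test as a receiver applies it: the PTR of the connecting IP must resolve back to that IP, and the HELO/EHLO name should match it. The resolver is injected as two callables so the check runs offline against constructed records; `PTR_RECORDS`, `A_RECORDS` and the `203.0.113.x` addresses are invented for illustration, and in real use you would pass wrappers around `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail IP.

Added example, not from the forum thread. The resolver functions are
passed in so the check can run offline against constructed records.
"""


def check_fcrdns(ip, helo_name, ptr_lookup, a_lookup):
    """Return a list of problems a receiving MTA would see; empty means OK.

    ptr_lookup(ip) -> hostname or None
    a_lookup(name) -> set of IPv4 addresses (empty set if none)
    """
    problems = []
    ptr = ptr_lookup(ip)
    if ptr is None:
        problems.append(f"{ip} has no PTR record")
        return problems
    # The name the PTR points to must resolve back to the same IP
    if ip not in a_lookup(ptr):
        problems.append(f"PTR {ptr} does not resolve back to {ip}")
    # Many receivers also want the HELO name to agree with the PTR
    if helo_name.lower() != ptr.lower():
        problems.append(f"HELO name {helo_name} does not match PTR {ptr}")
    if ip not in a_lookup(helo_name):
        problems.append(f"HELO name {helo_name} does not resolve to {ip}")
    return problems


# Constructed records modelled on the thread: .10 is a shared hosting IP
# whose PTR still names the provider's generic host; .11 is set up properly.
PTR_RECORDS = {
    "203.0.113.10": "203-0-113-10.static.hosting.example.net",
    "203.0.113.11": "mail.clientdomain.example",
}
A_RECORDS = {
    "203-0-113-10.static.hosting.example.net": {"203.0.113.10"},
    "mail.clientdomain.example": {"203.0.113.11"},
    "clientdomain.example": {"203.0.113.10"},
}


def demo_ptr(ip):
    """Offline stand-in for a PTR lookup."""
    return PTR_RECORDS.get(ip)


def demo_a(name):
    """Offline stand-in for an A lookup."""
    return A_RECORDS.get(name.lower(), set())


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        result = check_fcrdns(ip, "mail.clientdomain.example", demo_ptr, demo_a)
        print(ip, "->", result or "passes FCrDNS")
```

The fix the reply describes (changing the PTR in the provider's control panel so it names the mail host) is what turns the first case into the second; nothing in main.cf can do it.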