[nycbug-talk] postfix question

Max Gribov max at neuropunks.org
Thu Mar 16 21:49:20 EST 2006


And it seems I left out an important part, about the cert.

The cert is self-signed, generated with the following Perl script:

----
#!/usr/bin/perl
# Generates a self-signed server cert and its private key into ONE pem file
# (the file smtpd_tls_cert_file and smtpd_tls_key_file both point at below),
# then appends DH parameters to that same file.
use strict;
use warnings;

my $openssl = "/usr/bin/openssl";

# Check the arguments before building any command line out of them.
if (@ARGV < 2) {
    print "Usage: $0 <ssl.cnf> <keyout.pem>\n";
    exit 1;
}
my ($cnf, $pem) = @ARGV;

# -nodes writes the private key unencrypted (Postfix cannot type a passphrase);
# it overrides "encrypt_key = yes" in the .cnf. -out and -keyout name the same
# file so the cert and the key end up together.
my $cmd_ssl = "$openssl req -new -x509 -days 365 -nodes -out $pem -keyout $pem -config $cnf";

# 512-bit DH parameters were already weak in 2006 and are trivially broken
# today; "gendh" itself has since been superseded by "openssl dhparam".
my $cmd_dh = "$openssl gendh 512 >> $pem";

print "Running $cmd_ssl\n";
system($cmd_ssl) == 0 or die "openssl req failed: $?\n";
print "Running $cmd_dh\n";
system($cmd_dh) == 0 or die "openssl gendh failed: $?\n";


And this is the .cnf file:
----
RANDFILE = /etc/postfix/certs/rand.file

[ req ]
# 1024-bit RSA is below today's accepted minimum of 2048.
default_bits = 1024
# Has no effect here: the script passes -nodes, so the key is written unencrypted.
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=US
ST=New York
L=New York
O=Neuropunks
OU=SMTP
CN=mail.neuropunks.org
emailAddress=postmaster at neuropunks.org

[ cert_type ]
# Legacy Netscape extension. No subjectAltName is set, so a peer that checks
# the host name can only match it against the CN.
nsCertType = server

Max Gribov wrote:

>A shot in the dark...
>Here's my config; I know my SSL works for sure.
>---
>
>alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
>broken_sasl_auth_clients = yes
>command_directory = /usr/sbin
>config_directory = /etc/postfix
>content_filter = smtp-amavis:[127.0.0.1]:10024
>daemon_directory = /usr/libexec/postfix
>debug_peer_level = 2
>disable_vrfy_command = yes
>empty_address_recipient = MAILER-DAEMON
>home_mailbox = Maildir/
>html_directory = no
>inet_interfaces = 38.117.144.218, 127.0.0.1, 69.31.43.10
>local_recipient_maps = $alias_maps, unix:passwd.byname, $virtual_mailbox_maps, $virtual_mailbox_domains, $virtual_alias_maps
>local_transport = local
>mail_owner = postfix
>mailbox_command = /usr/local/bin/procmail
>mailq_path = /usr/bin/mailq
>manpage_directory = /usr/local/man
>maximal_queue_lifetime = 2w
>mydestination = $myhostname, $mydomain, mailman.$mydomain
>mydomain = neuropunks.org
>myhostname = finn.neuropunks.org
>mynetworks = 38.117.144.218/32, 69.31.43.10/32, 127.0.0.1/32
>myorigin = $mydomain
>newaliases_path = /usr/bin/newaliases
>owner_request_special = no
>queue_directory = /var/spool/postfix
>readme_directory = /etc/postfix/readme
>recipient_delimiter = +
>relay_domains = /etc/postfix/relay-domains
>sample_directory = /etc/postfix/samples
>sendmail_path = /usr/sbin/sendmail
>setgid_group = postdrop
>smtpd_banner = $myhostname ESMTP
>smtpd_client_restrictions = hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_invalid_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender
>smtpd_helo_required = yes
>smtpd_helo_restrictions = hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org
>smtpd_recipient_restrictions = hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unlisted_recipient, reject_unverified_recipient, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org
>smtpd_reject_unlisted_sender = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_security_options = noanonymous
>smtpd_sender_restrictions = hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unlisted_sender, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org
>smtpd_tls_CAfile = $smtpd_tls_cert_file
>smtpd_tls_ask_ccert = yes
>smtpd_tls_cert_file = /etc/postfix/certs/postfix.pem
>smtpd_tls_key_file = $smtpd_tls_cert_file
>smtpd_tls_loglevel = 1
>smtpd_use_tls = yes
>transport_maps = hash:/etc/postfix/transport
>unknown_local_recipient_reject_code = 550
>
>Steve Rieger wrote:
>
>>I am trying to set up Postfix to relay all mail through Gmail (yes, it's not right); below are the error logs and postconf -n.
>>
>>Mar 16 12:30:11 tiger postfix/postfix-script: refreshing the Postfix mail system
>>Mar 16 12:30:11 tiger postfix/master[55]: reload configuration
>>Mar 16 12:30:32 tiger postfix/pickup[26986]: 4AD6016D0F8: uid=0 from=<root>
>>Mar 16 12:30:32 tiger postfix/cleanup[26994]: 4AD6016D0F8: message-id=<20060316203032.4AD6016D0F8 at tiger.up-south.com>
>>Mar 16 12:30:32 tiger postfix/qmgr[26987]: 4AD6016D0F8: from=<root at tiger.up-south.com>, size=28425, nrcpt=1 (queue active)
>>Mar 16 12:30:32 tiger postfix/smtp[26996]: warning: Only sdbm: type allowed for btree:/var/run/smtp_tls_session_cache
>>Mar 16 12:30:32 tiger postfix/smtp[26996]: warning: Could not open session cache btree:/var/run/smtp_tls_session_cache
>>Mar 16 12:30:32 tiger postfix/smtp[26996]: verify error:num=20:unable to get local issuer certificate
>>Mar 16 12:30:32 tiger postfix/smtp[26996]: verify error:num=27:certificate not trusted
>>Mar 16 12:30:32 tiger postfix/smtp[26996]: verify error:num=21:unable to verify the first certificate
>>Mar 16 12:30:33 tiger postfix/qmgr[26987]: warning: premature end-of-input on private/smtp socket while reading input attribute name
>>Mar 16 12:30:33 tiger postfix/master[55]: warning: process /usr/libexec/postfix/smtp pid 26996 killed by signal 10
>>Mar 16 12:30:33 tiger postfix/qmgr[26987]: warning: private/smtp socket: malformed response
>>Mar 16 12:30:33 tiger postfix/master[55]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
>>Mar 16 12:30:33 tiger postfix/qmgr[26987]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
>>Mar 16 12:31:12 tiger postfix/pickup[26986]: 4130616D105: uid=0 from=<root>
>>Mar 16 12:31:12 tiger postfix/cleanup[26994]: 4130616D105: message-id=<20060316203112.4130616D105 at tiger.up-south.com>
>>Mar 16 12:31:12 tiger postfix/qmgr[26987]: 4130616D105: from=<root at tiger.up-south.com>, size=28417, nrcpt=1 (queue active)
>>Mar 16 12:31:33 tiger postfix/smtp[27019]: warning: Only sdbm: type allowed for btree:/var/run/smtp_tls_session_cache
>>Mar 16 12:31:33 tiger postfix/smtp[27019]: warning: Could not open session cache btree:/var/run/smtp_tls_session_cache
>>Mar 16 12:31:33 tiger postfix/smtp[27019]: verify error:num=20:unable to get local issuer certificate
>>Mar 16 12:31:33 tiger postfix/smtp[27019]: verify error:num=27:certificate not trusted
>>Mar 16 12:31:34 tiger postfix/smtp[27019]: verify error:num=21:unable to verify the first certificate
>>Mar 16 12:31:35 tiger postfix/qmgr[26987]: warning: premature end-of-input on private/smtp socket while reading input attribute name
>>Mar 16 12:31:35 tiger postfix/master[55]: warning: process /usr/libexec/postfix/smtp pid 27019 killed by signal 10
>>Mar 16 12:31:35 tiger postfix/qmgr[26987]: warning: private/smtp socket: malformed response
>>Mar 16 12:31:35 tiger postfix/master[55]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
>>Mar 16 12:31:35 tiger postfix/qmgr[26987]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
>>
>>
>>tiger:/etc/postfix root# postconf -n
>>command_directory = /usr/sbin
>>config_directory = /etc/postfix
>>daemon_directory = /usr/libexec/postfix
>>debug_peer_level = 2
>>disable_dns_lookups = yes
>>enable_server_options = yes
>>html_directory = no
>>inet_interfaces = all
>>mail_owner = postfix
>>mailbox_size_limit = 0
>>mailbox_transport = cyrus
>>mailq_path = /usr/bin/mailq
>>manpage_directory = /usr/share/man
>>mydomain_fallback = localhost
>>myhostname = tiger.up-south.com
>>mynetworks_style = host
>>newaliases_path = /usr/bin/newaliases
>>queue_directory = /private/var/spool/postfix
>>readme_directory = /usr/share/doc/postfix
>>relayhost = [smtp.gmail.com]
>>sample_directory = /usr/share/doc/postfix/examples
>>sendmail_path = /usr/sbin/sendmail
>>setgid_group = postdrop
>>smtp_sasl_auth_enable = yes
>>smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>smtp_sasl_security_options = noanonymous
>>smtp_sasl_tls_security_options = noanonymous
>>smtp_tls_CAfile = /etc/postfix/cacert.pem
>>smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
>>smtp_tls_key_file = /etc/postfix/FOO-key.pem
>>smtp_tls_loglevel = 1
>>smtp_tls_per_site = hash:/etc/postfix/tls_per_site
>>smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
>>smtp_use_tls = yes
>>smtpd_sasl_application_name = smtpd
>>smtpd_sasl_auth_enable = no
>>smtpd_sasl_local_domain = $myhostname
>>smtpd_tls_CAfile = /etc/postfix/cacert.pem
>>smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
>>smtpd_tls_key_file = /etc/postfix/FOO-key.pem
>>smtpd_tls_received_header = yes
>>smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
>>smtpd_use_tls = yes
>>tls_random_source = dev:/dev/urandom
>>transport_maps = hash:/etc/postfix/transport
>>unknown_local_recipient_reject_code = 550
>>
>
>_______________________________________________
>% NYC*BUG talk mailing list
>http://lists.nycbug.org/mailman/listinfo/talk
>%Be sure to check out our Jobs and NYCBUG-announce lists
>%We meet the first Wednesday of the month
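An added worked example (editor's addition, not code from this thread or from Postfix). The three "verify error" lines in the quoted log are OpenSSL X509 verify results that Postfix logs, one per callback, when the certificate the relayhost presents chains to an issuer that is not in the file named by smtp_tls_CAfile: num=20 (unable to get local issuer certificate) is the root cause, and 27 (certificate not trusted) and 21 (unable to verify the first certificate) follow from it. The script below reproduces that condition with nothing but the openssl command line: it builds a throwaway CA and a CA-issued leaf standing in for the relayhost's cert, plus a self-signed key+cert file laid out like the postfix.pem the Perl script above produces, then verifies each cert against the right and the wrong trust store. It also shows why the self-signed server above can use smtpd_tls_CAfile = $smtpd_tls_cert_file: a self-signed certificate verifies against itself, and against any other store fails with error 18, not 20. All subjects, host names and paths in it are made up for the demonstration; the session-cache warnings and the "killed by signal 10" in the same log are separate problems it does not touch.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the X509 verify errors
# from the quoted Postfix log (num=20) with plain openssl, and shows that a
# self-signed cert (like the one the Perl script above makes) verifies against
# itself. CA name, host names and files are all constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OPENSSL=${OPENSSL:-openssl}

# A throwaway CA, standing in for the public CA that issued the relayhost's cert.
make_ca() {
    "$OPENSSL" req -new -x509 -days 1 -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=Example Relay CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# A leaf issued by that CA: the kind of cert a relayhost presents to smtp(8).
make_leaf() {
    "$OPENSSL" req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=smtp.relay.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    "$OPENSSL" x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# A self-signed server cert with key and cert in ONE pem file, the layout the
# thread uses for smtpd_tls_cert_file = smtpd_tls_key_file = postfix.pem.
make_self_signed() {
    "$OPENSSL" req -new -x509 -days 1 -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=US/ST=New York/L=New York/O=Example/OU=SMTP/CN=mail.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
    cat "$WORK/self.key" "$WORK/self.crt" > "$WORK/self.pem"
}

# verify_result CAFILE CERT: prints OK, or the first X509 error number, which
# is the same number Postfix logs as "verify error:num=NN".
verify_result() {
    if out=$("$OPENSSL" verify -CAfile "$1" "$2" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" \
            | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1
    fi
}

make_ca
make_leaf
make_self_signed

# Right trust anchor for the leaf: the CA that issued it.
echo "leaf vs its CA:          $(verify_result "$WORK/ca.pem"   "$WORK/leaf.pem")"  # OK
# Wrong trust anchor (a local cert file that lacks the issuer): error 20,
# "unable to get local issuer certificate", exactly what the quoted log shows.
echo "leaf vs unrelated file:  $(verify_result "$WORK/self.pem" "$WORK/leaf.pem")"  # 20
# A self-signed cert is its own trust anchor, which is what makes
# smtpd_tls_CAfile = $smtpd_tls_cert_file coherent for the server above.
echo "self-signed vs itself:   $(verify_result "$WORK/self.pem" "$WORK/self.crt")"  # OK
# Against any other store a self-signed cert fails differently: error 18, not 20.
echo "self-signed vs the CA:   $(verify_result "$WORK/ca.pem"   "$WORK/self.crt")"  # 18
```

Two things worth keeping in mind when reading the quoted log against this: openssl verify stops at the first error, while Postfix's callback logs every error and carries on, which is why 20, 27 and 21 appear together there; and with plain smtp_use_tls = yes (opportunistic TLS, no smtp_enforce_tls) Postfix logs these verify failures and still delivers, so they explain the warnings but not the crash. For the relayhost's chain to verify, smtp_tls_CAfile has to name a bundle that contains the CA that issued the remote server's certificate.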