
Postfix and Submission

Here's a tip for configuring Postfix to provide a Submission service. The /etc/postfix/master.cf is updated to define the service:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
...
submission inet n       -       n       -       -       submission
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Typically the procedure would be to define smtpd as the command. However, symlinking that executable as submission causes syslog messages to be identifiable as distinct from regular SMTP traffic -- very helpful when scanning logs to see whether a connection came in on TCP 25 vs. 587. The link exists in /usr/libexec/postfix:

cd /usr/libexec/postfix && ln -s smtpd submission

I found this tip on a blog called Dave's Brain. His solution uses Cyrus SASL, whereas mine uses Dovecot SASL. However, there's no effective difference. He also defines a submission_recipient_restrictions map to limit the users allowed to log in; my configuration allows all authenticated users.
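What the separate syslog tag buys you when reviewing logs, as an added example (not part of the original post): a small Python summary that counts connections per service and lists SASL logins and failures seen on the submission port. The log lines are constructed samples and the function name is an assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). With the
# symlink in place, port 587 sessions are tagged postfix/submission.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2101]: connect from mx.example.net[192.0.2.10]
Mar  3 10:15:02 mail postfix/smtpd[2101]: disconnect from mx.example.net[192.0.2.10]
Mar  3 10:16:40 mail postfix/submission[2150]: connect from laptop.example.org[198.51.100.7]
Mar  3 10:16:41 mail postfix/submission[2150]: 4F1A22C01B: client=laptop.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Mar  3 10:17:05 mail postfix/submission[2163]: connect from unknown[203.0.113.9]
Mar  3 10:17:06 mail postfix/submission[2163]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:17:06 mail postfix/submission[2163]: disconnect from unknown[203.0.113.9]
"""

# The syslog tag is the only thing that separates port 25 from port 587.
LINE = re.compile(r"postfix/(?P<svc>smtpd|submission)\[\d+\]: (?P<msg>.*)")
CLIENT = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

def summarize(log_text):
    """Count connections per service and collect SASL results on submission."""
    connects = Counter()
    logins, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, msg = m.group("svc"), m.group("msg")
        if msg.startswith("connect from "):
            connects[svc] += 1
        elif svc == "submission" and "sasl_username=" in msg:
            # Successful authenticated submission: record the account name.
            logins.append(msg.split("sasl_username=")[1].split(",")[0])
        elif svc == "submission" and "authentication failed" in msg:
            # Failed AUTH attempt: count per client address.
            ip = CLIENT.search(msg)
            failures[ip.group("ip") if ip else "?"] += 1
    return {"connects": dict(connects), "logins": logins,
            "failures": dict(failures)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```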

Outlook and SMTP AUTH using SASL

After much frustration, I finally figured out why Microsoft Office Outlook wouldn't properly authenticate when sending mail through a new mail server. Specifically, Outlook 2003 was not performing the ESMTP AUTH (see RFC 4954) command when connected to a Postfix server configured to use Dovecot SASL authentication after starting TLS encryption. I assumed that the problem was with Outlook, since Apple Mail, Thunderbird, and Evolution all worked just fine. It turns out that the problem was with the authentication mechanism choices offered to the e-mail client. Since I was only allowing authentication after TLS encryption had been enabled, I only configured the PLAIN authentication mechanism for the Dovecot authentication daemon:

auth default {
  mechanisms = plain
  ...
}

It turns out that Outlook uses the LOGIN authentication mechanism, so it didn't attempt to log in until I configured Dovecot to offer it:

auth default {
  mechanisms = plain login
  ...
}

That did the trick. Even though PLAIN and LOGIN are essentially the same, Outlook needed it on a silver platter. The Dovecot Wiki is an awesome resource.
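The mechanism mismatch described above, as an added Python example (not part of the original post): it reads the AUTH line of an EHLO reply, checks whether a LOGIN-only client has anything to pick, and shows that PLAIN and LOGIN carry the same base64-encoded credentials, which is why both belong behind TLS. The EHLO replies, host name and credentials are constructed.

```python
import base64

# Constructed EHLO replies (not from the original post): what the server
# advertises after STARTTLS with each of the two Dovecot settings.
EHLO_PLAIN_ONLY = ("250-mail.example.org\r\n250-SIZE 10240000\r\n"
                   "250-AUTH PLAIN\r\n250 8BITMIME\r\n")
EHLO_PLAIN_LOGIN = ("250-mail.example.org\r\n250-SIZE 10240000\r\n"
                    "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")

def advertised_mechanisms(ehlo_reply):
    """Return the SASL mechanisms listed on the AUTH line of an EHLO reply."""
    for line in ehlo_reply.splitlines():
        words = line[4:].split()            # drop the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            return [m.upper() for m in words[1:]]
    return []

def client_can_auth(ehlo_reply, client_mechanisms):
    """A client only issues AUTH if it shares a mechanism with the server."""
    offered = advertised_mechanisms(ehlo_reply)
    return any(m in offered for m in client_mechanisms)

def b64(text):
    return base64.b64encode(text.encode()).decode()

def auth_plain(user, password):
    """PLAIN: one command carrying authzid NUL authcid NUL password."""
    return ["AUTH PLAIN " + b64("\0" + user + "\0" + password)]

def auth_login(user, password):
    """LOGIN: the same credentials, sent as two separate base64 replies."""
    return ["AUTH LOGIN", b64(user), b64(password)]

def recover_plain(command):
    """Decode an AUTH PLAIN command: base64 is an encoding, not secrecy."""
    blob = base64.b64decode(command.split()[2]).decode()
    _, user, password = blob.split("\0")
    return user, password

if __name__ == "__main__":
    print(client_can_auth(EHLO_PLAIN_ONLY, ["LOGIN"]))
    print(client_can_auth(EHLO_PLAIN_LOGIN, ["LOGIN"]))
    print(auth_login("alice", "s3cret"))
```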

Postfix Queue Cleaner

In my never-ending fight against spam and backscatter, I updated my Postfix mail queue cleaning script. It now performs two actions: list or delete. It also accepts multiple patterns to match against e-mail addresses. There are still a couple of issues, such as when an envelope specifies more than one recipient, but to improve it any more, I'd really have to port it to Perl. I might do that some day, but it's been several years since I've hacked with Perl.

Here's the updated version of the bash shell script:

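#!/bin/bash
# List or delete Postfix queue entries whose recipient matches a pattern.

usage() {
    echo "Usage: $0 {list|delete} pattern [pattern]"
}

if [ $# -lt 2 ]; then
    usage
    exit 1
fi

COMMAND=$1
shift
PATTERNS="$*"

# Print the matching recipient lines (indented by 4+ spaces in mailq output).
list() {
    for P in $PATTERNS; do
        mailq | grep -E "^ {4,}.*$P" | tr -d ' '
    done
}

# Collect the queue IDs of matching entries and hand them to postsuper.
delete() {
    DELIDS=$(mktemp /tmp/delids.XXXXXX)
    for P in $PATTERNS; do
        # The queue ID is the first field of the line that starts an entry;
        # strip the '*' (active) and '!' (hold) markers that mailq appends.
        mailq | grep -B 2 -E "^ {4,}.*$P" | grep -i -E '^[0-9A-F]' | \
            cut -d ' ' -f 1 | tr -d '*!' > "$DELIDS"
        postsuper -d - < "$DELIDS"
    done
    rm -f "$DELIDS"
}

case "$COMMAND" in
    list)
        list
        ;;
    delete)
        delete
        ;;
    *)
        usage
        exit 1
        ;;
esac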
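The multi-recipient case mentioned above, handled in an added Python example (not the author's script): it parses mailq output into whole queue entries and separates messages where every recipient matches from messages where only some do, so a delete does not silently drop mail for an unrelated recipient. The mailq output is constructed, the function names are assumptions, and queue IDs are assumed to be the short hexadecimal form the script above expects.

```python
import re

# Constructed mailq output (not from the original post).
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A11C0D4*    2104 Mon Mar  3 10:15:01  MAILER-DAEMON
                                         forged@spam.example

7B90C21E55     1877 Mon Mar  3 10:16:40  alice@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         bob@example.net
                                         promo@spam.example

-- 4 Kbytes in 2 Requests.
"""

# Entry header: queue ID, optional status marker, size, arrival time, sender.
HEADER = re.compile(
    r"^([0-9A-F]+)([*!]?)\s+\d+\s+\S+\s+\S+\s+\d+\s+[\d:]+\s+(\S+)", re.I)

def parse_mailq(text):
    """Return one dict per queue entry with its ID, sender and recipients."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"id": m.group(1), "sender": m.group(3), "rcpts": []})
        elif entries and line.startswith(" ") and line.strip():
            # Indented lines under an entry are its recipients.
            entries[-1]["rcpts"].append(line.strip())
    return entries

def select(text, patterns):
    """Return (IDs where all recipients match, IDs where only some match)."""
    rx = re.compile("|".join(patterns))
    full, partial = [], []
    for entry in parse_mailq(text):
        hits = [r for r in entry["rcpts"] if rx.search(r)]
        if hits and len(hits) == len(entry["rcpts"]):
            full.append(entry["id"])
        elif hits:
            partial.append(entry["id"])    # needs review before deleting
    return full, partial

if __name__ == "__main__":
    print(select(SAMPLE_MAILQ, [r"@spam\.example$"]))
```

Only the first list is a candidate for postsuper -d; the second holds messages that still have a legitimate recipient.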

A couple great tools

I've been doing quite a bit of data shuffling lately in my project to migrate corporate e-mail services from an older server to a new architecture using Postfix, Dovecot, and OpenLDAP. I was inspired by Jamm, which I have used with good results at other installations. However, the administration interface didn't really address all my requirements, so I wrote my own. More on that later.

Anyway, this all leads up to my praise for a couple of products that have made life much more, um, livable. They are <oXygen/> XML Editor and Apache Directory Studio, formerly called LDAP Studio.

I've used this product for several years, and it's gotten orders of magnitude better since then. That's not to say that it wasn't a solid product when I started using it; rather, it has become an amazing suite of XML tools since then. Case in point: when I needed to import a whole bunch of e-mail forwarding aliases, I used the text import tool to build an XML file that I could then parse with my own program. I had never tried this feature before, but without even glancing at the manual I was able to complete the task in minutes.

Another thing that SyncRO soft (in ROmania, get it?) should get a whole lot of praise for is releasing a multi-platform Java application that feels like a native Mac OS X application. Many companies that create cross-platform Java applications have completely broken user interfaces when used with the Java Look and Feel library for Mac OS X (Aqua LAF). For example, Gentleware's Poseidon for UML is horrendous, which is a shame because it's an otherwise very good UML tool.

Oxygen XML Editor is distributed as a traditional tarball (.tar.gz) that is simply unarchived and executed. That's it -- no installer like Macrovision InstallAnywhere, which sucks really hard, by the way. The only installation to speak of is to paste in a license key upon the first launch. Simple. If I could make one suggestion, it would be to follow Apple's installer guidelines by distributing the software in a compressed Disk Image.

I have one final comment about Oxygen XML Editor: price. I use the Enterprise Edition, which is currently US$ 275. At first I thought that was too expensive, but after trying some of the offerings from other vendors, I came to the conclusion that it's a bargain. I don't hesitate recommending it to anyone.

I've only used Apache Directory Studio for a short while. Before that, I was using ldapsearch, ldapadd, and ldapmodify on the command line. While I was setting up the system, the CLI tools were necessary to aid in debugging a few problems. However, now that most of the problems are ironed out, I can switch to a GUI. Apache Directory Studio is an Eclipse RCP application, which is great because I'm very comfortable in Eclipse. I spend most of my day in CFEclipse.

Okay, that's enough gushing for now. Back on your heads.