PHP + Postfix + Amazon SES + Multiple Domains (transports)

I've decided to post this here and not on serverfault, as the community there is too small and nearly 80% of my questions are unanswered...
So I've got my server with 3 domains: x.com, y.com and z.com. x.com relays internally, y.com relays internally, and z.com SHOULD relay through Amazon SES.
Right now, x.com and y.com mail correctly internally, but I need z.com to relay through SES.
So, my config so far in main.cf:
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_transport
domainz_sasl_auth_enable = yes
domainz_sasl_security_options = noanonymous
domainz_sasl_password_maps = hash:/etc/postfix/sas2_passwd
domainz_use_tls = yes
domainz_tls_security_level = encrypt
domainz_tls_note_starttls_offer = yes
domainz_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
and in my master.cf, I've appended a unix channel above the default smtp:
domainz unix - - n - 1 smtp
smtp inet n - n - - smtpd
and in my sender_transport I have
@domainZ.com domainz:
1. Where do I enter the ses smtp of "email-smtp.us-east-1.amazonaws.com". I assume we need to hit "domainz:" so we can pass the correct sasl data to it.
2. Keep in mind that this is mail going out from the server, not in, so that's why I didn't set a transport_map.
This is the error I'm getting when pushing out mail from @domainz:
"status=bounced (Host or domain name not found. Name service error for name=domainz type=AAAA: Host not found)"; so before we can even get to amazon's SES host, I'm having an issue at the transport level that I can't seem to figure out.
Thanks,
Mike

After nearly 24 hours of trying to solve this, I finally figured it out. I hope this helps whoever is looking to use this same method and doesn't have to go through the pain I just went through!
So in my example above, domain x + y relayed through virtual aliases. For z we must use a transport, in this case it was a sender_dependent_relayhost_maps transport, so I can grab the sender and relay them through amazon SES.
In main.cf, regardless of smtp/unix-socket, we straight up use SES standards:
smtp_sasl_auth_enable=yes
smtp_sasl_security_options=noanonymous
smtp_sasl_password_maps=hash:/etc/postfix/sas
smtp_use_tls=yes
smtp_tls_security_level=encrypt
smtp_tls_note_starttls_offer=yes
smtp_tls_CAfile=/etc/ssl/certs/ca-bundle.crt
In sender_dependent_relayhost_maps we use:
@domainz.com [email-smtp.us-east-1.amazonaws.com]:25
The smtp_sasl_password_maps file stores the matching relay's user:key.
And that's it!
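A consistency check for the sender-dependent relay setup the answer describes, added here as an example (not the original poster's files or Postfix code). It parses the two map sources, flags a relayhost value written in transport:nexthop syntax (the "Name service error for name=domainz" symptom from the question), confirms every relayhost has a user:password entry in the SASL map under a key Postfix will look up, and checks that the password file is owner-only. File paths and the sample maps are constructed.

```python
import os
import stat


def parse_postfix_map(text):
    """Parse the source of a Postfix hash: table into {key: value}.
    Blank lines and '#' comments are skipped; the first run of whitespace splits key and value."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1].strip()
    return entries


def bare_hostname(nexthop):
    """'[host]:25' -> 'host'. Postfix also accepts the bare server hostname as the
    smtp_sasl_password_maps key, so both spellings are looked up."""
    host = nexthop.split("]")[0] if nexthop.startswith("[") else nexthop.rsplit(":", 1)[0]
    return host.lstrip("[")


def check_relay_credentials(relay_map_text, sasl_map_text):
    """Return a list of human-readable problems found in the relay and SASL maps."""
    relays = parse_postfix_map(relay_map_text)
    creds = parse_postfix_map(sasl_map_text)
    problems = []
    for sender, nexthop in relays.items():
        if nexthop.endswith(":"):
            # 'name:' is transport:nexthop syntax for transport_maps; used as a relayhost,
            # Postfix treats 'name' as a hostname and the DNS lookup fails (the bounce above)
            problems.append(f"{sender}: {nexthop!r} looks like a transport name, not a relayhost")
            continue
        cred = creds.get(nexthop) or creds.get(bare_hostname(nexthop))
        if cred is None:
            problems.append(f"{sender}: no smtp_sasl_password_maps entry for {nexthop!r}")
        elif ":" not in cred:
            problems.append(f"{nexthop}: credential must be user:password, got {cred!r}")
    return problems


def password_file_is_private(path):
    """True when the SASL password file is readable only by its owner (0600-style)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample maps with placeholder credentials; the second sender repeats the
# mistake from the question (a transport name where a relayhost belongs).
RELAY_MAP = """\
@domainz.com   [email-smtp.us-east-1.amazonaws.com]:25
@domainw.com   domainw:
"""
SASL_MAP = "[email-smtp.us-east-1.amazonaws.com]:25 SES_SMTP_USERNAME:SES_SMTP_PASSWORD\n"

if __name__ == "__main__":
    for problem in check_relay_credentials(RELAY_MAP, SASL_MAP) or ["no problems found"]:
        print(problem)
```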

Connection configuration loops - Prosys OPC UA Client

I'm using the sample code from the documentation and I'm trying to connect to the server using Prosys OPC UA Client. I have tried opcua-commander and the Integration Objects OPC UA client, and it looks like the server works just fine.
Here's what is happening:
After entering endpointUrl, client adds to url -- urn:NodeOPCUA-Server-default.
Client asks to specify security settings.
Client asks to choose server - only 1 option and it's urn:NodeOPCUA-Server-default.
And it goes back to step 2 and 3 over and over.
If I just minimize prosys client without closing configuration after some time I get this info in terminal:
Server: closing SESSION new ProsysOpcUaClient Session15 because of timeout = 300000 has expired without a keep alive
channel = ::ffff:10.10.13.2 port = 51824
I have tried this project and it works -> node-opcua-htmlpanel. What's missing in sample code then?
After opening debugger I have noticed that each Time I select security settings and hit OK, server_publish_engine reports:
server_publish_engine:179 Cencelling pending PublishRequest with statusCode BadSecureChannelClosed (0x80860000) length = 0
This is due to a specific interoperability issue that was introduced in node-opcua@0.2.2. This will be fixed in the next version of node-opcua. The resolution can be tracked here: https://github.com/node-opcua/node-opcua/issues/464
The issue has been handled at the Prosys OPC Forum:
The error happens because the server sends different EndpointDescriptions in GetEndpointsResponse and CreateSessionResponse.
In GetEndpoints, the returned EndpointDescriptions contain TransportProfileUri=http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary. In CreateSessionResponse, the corresponding TransportProfileUri is empty.
In principle, the server application is not working according to specification. Part 4 of the OPC UA specification states that "The Server shall return a set of EndpointDescriptions available for the serverUri specified in the request. … The Client shall verify this list with the list from a DiscoveryEndpoint if it used a DiscoveryEndpoint to fetch the EndpointDescriptions. It is recommended that Servers only include the server.applicationUri, endpointUrl, securityMode, securityPolicyUri, userIdentityTokens, transportProfileUri and securityLevel with all other parameters set to null. Only the recommended parameters shall be verified by the client."
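The client-side verification the quoted specification text describes, written out as an added example (not Prosys or node-opcua code): only the recommended EndpointDescription parameters are compared, and the constructed sample reproduces the one difference reported above, an empty TransportProfileUri in the CreateSessionResponse. Endpoint URLs, policy URIs and token lists in the sample are constructed values.

```python
# Parameters OPC UA Part 4 recommends servers populate and clients verify; every other
# field may legitimately be null, so it must not take part in the comparison.
RECOMMENDED_FIELDS = (
    "applicationUri", "endpointUrl", "securityMode", "securityPolicyUri",
    "userIdentityTokens", "transportProfileUri", "securityLevel",
)


def endpoint_mismatches(discovered, from_session):
    """Compare one endpoint from GetEndpointsResponse with its counterpart from
    CreateSessionResponse. Returns [(field, discovered_value, session_value)] for
    every recommended field that differs; an empty list means the pair verifies."""
    return [
        (field, discovered.get(field), from_session.get(field))
        for field in RECOMMENDED_FIELDS
        if discovered.get(field) != from_session.get(field)
    ]


def verify_session_endpoints(chosen, server_endpoints):
    """Locate the session-response endpoint matching the client's chosen endpoint
    (same endpointUrl and securityPolicyUri) and return its mismatches. When no
    candidate matches at all, report the endpointUrl as missing."""
    key = (chosen.get("endpointUrl"), chosen.get("securityPolicyUri"))
    for candidate in server_endpoints:
        if (candidate.get("endpointUrl"), candidate.get("securityPolicyUri")) == key:
            return endpoint_mismatches(chosen, candidate)
    return [("endpointUrl", chosen.get("endpointUrl"), None)]


UATCP = "http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary"

# Constructed sample: what GetEndpoints returned, and the same endpoint as it came
# back in CreateSessionResponse with TransportProfileUri left empty.
DISCOVERED = {
    "applicationUri": "urn:NodeOPCUA-Server-default",
    "endpointUrl": "opc.tcp://server.example:4840",
    "securityMode": "None",
    "securityPolicyUri": "http://opcfoundation.org/UA/SecurityPolicy#None",
    "userIdentityTokens": [{"policyId": "anonymous", "tokenType": "Anonymous"}],
    "transportProfileUri": UATCP,
    "securityLevel": 0,
}
SESSION_ENDPOINT = dict(DISCOVERED, transportProfileUri="")

if __name__ == "__main__":
    for field, seen, got in verify_session_endpoints(DISCOVERED, [SESSION_ENDPOINT]):
        print(f"{field}: discovery said {seen!r}, session response said {got!r}")
```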

"No Ident response" and "Notice -- You need to identify via SASL to use this server" when attempting to connect to IRC with Roll Your Own Haskell Bot

I am using Roll Your Own IRC Bot on the Haskell wiki and I receive those two errors when running the code provided by the guide.
What is wrong? Why can't I connect?
I am using Ubuntu and I've tried compiling it with ghc and running it with ghci.
import Network
import System.IO
import Text.Printf

server = "irc.freenode.org"
port   = 6667
chan   = "#tutbot-testing"
nick   = "tutbot"

main = do
    h <- connectTo server (PortNumber (fromIntegral port))
    hSetBuffering h NoBuffering
    write h "NICK" nick
    write h "USER" (nick++" 0 * :tutorial bot")
    write h "JOIN" chan
    listen h

write :: Handle -> String -> String -> IO ()
write h s t = do
    hPrintf h "%s %s\r\n" s t
    printf    "> %s %s\n" s t

listen :: Handle -> IO ()
listen h = forever $ do
    s <- hGetLine h
    putStrLn s
  where
    forever a = do a; forever a
The No Ident Response notice refers to a hilariously antiquated protocol from the depths of Internet history. In the olden days, when multi-user Unix machines were the rule rather than the exception, sometimes a server wanted to get some information on the specific user on the connecting client who had initiated the connection. The Ident protocol was created for this purpose. I guess IRC servers still contain code to try to query Ident servers, but they probably receive vanishingly few responses, so you can probably ignore this error.
The SASL error is more serious. It suggests that the specific IRC server you're connecting to has been configured to require user identification and authentication via the SASL protocol before allowing a connection. You probably don't want the added complexity of adding SASL support to your bot!
However, I'm not able to duplicate your problem. When I run the code you've posted above, I connect to host kornbluth.freenode.net [2001:1bc0:c1::6667/6667], see the notice about No Ident response, but my connection is accepted, as are the commands to set my nickname and join the #tutbot-testing channel, and I see the message of the day. I also see messages from some poor soul (maybe you?) asking for help with his or her bot, but I can't respond because the tutbot code above can't send any commands!
Is it possible you were testing it using a different server or nick than the one in the code above, and that's caused the problem? If not, it's possible that there's a specific "irc.freenode.org" server that's configured to require SASL while the rest are working fine. Try switching the server name to:
server = "kornbluth.freenode.net"
That seemed to work for me.
Update: It looks like freenode requires SASL authentication from Amazon Web Services IP addresses (as noted in this bug report for an IRC client), so that would explain the problem you're having.

Gitlab and Exim conflicting 'from' addresses when sending emails

I have installed Gitlab 8.15 and Exim 4.84 on CentOS 7
Whenever Gitlab sends a message, it should come from 'gitlab@mydomain.nl' which is correctly set in config/gitlab.yml.
If I look in the log, I see the following:
2016-12-21 21:50:02 cwd=/ 6 args: /usr/sbin/sendmail -i -f gitlab@mydomain.nl -- mypersonal@gmail.com
2016-12-21 21:50:02 1cJnpq-0001ZR-NG <= git@vps.mydomain.nl U=git P=local S=3859 id=585aeafaad130_175126f0b9c43854@vps.mydomain.nl.mail T="Reset password instructions" from <git@vps.mydomain.nl> for mypersonal@gmail.com
Note that between those 2 lines, the from address changed from gitlab@mydomain.nl to git@vps.mydomain.nl, which is based on user@FQDN.
My external SMTP server then does a DKIM and SPF lookup on vps.mydomain.nl, instead of mydomain.nl, which fails and the mail is rejected.
I am not sure where this change happens and how I should fix this. Is this something on Gitlab side or something on Exim side?
The relevant parts from my exim configuration:
begin routers
mysmtphost_email:
driver = manualroute
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
transport = mysmtphost_relay
route_list = * vps.mysmtphost.email::587
no_more
(...)
begin transports
mysmtphost_relay:
driver = smtp
port = 587
hosts_require_auth = <; $host_address
hosts_require_tls = <; $host_address
Just found out the user git was not part of the trusted_users directive in the exim.conf file. I changed it to include the user as follows:
trusted_users = mail:apache:passenger:git
I came to this conclusion since mails sent by other Rails applications running as user passenger were being sent correctly as specified by the from address. Then I noticed passenger being part of this directive and git not.
From the Exim documentation:
Trusted users are always permitted to use the -f option or a leading "From " line to specify the envelope sender of a message that is passed to Exim through the local interface (see the -bm and -f options below). See the untrusted_set_sender option for a way of permitting non-trusted users to set envelope senders.
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html#SECTtrustedadmin
Processes running as root or the Exim user are always trusted. Other trusted users are defined by the trusted_users or trusted_groups options. In the absence of -f, or if the caller is not trusted, the sender of a local message is set to the caller's login name at the default qualify domain.

gitlab cannot send email to new user

I've just installed git git-1.8.1.2 and gitlab gitlab_6.7.2-omnibus-1.ubuntu.12.04_amd64.deb on fresh install of Ubuntu 12.04 lts following: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#ubuntu-12-04 and: https://www.gitlab.com/2014/03/12/packaged-gitlab-with-omnibus/
When setting up a new user in gitlab, it attempts to send out an email with temporary passwords but postfix gets an error from the relay host:
Bad sender address syntax (in reply to MAIL FROM command)
My /etc/gitlab/config/environments/production.rb looks like this
config.action_mailer.delivery_method = :smtp
config.action_mailer.perform_deliveries = true
config.action_mailer.raise_delivery_errors = true
config.action_mailer.smtp_settings = {
  :address              => 'mail.domain.com',
  :port                 => 587,
  :domain               => 'domain.com',
  :user_name            => 'username@domain.com',
  :password             => 'password',
  :authentication       => 'password',
  :enable_starttls_auto => true
}
I can send email via command line with postfix using I think the same relay host.
echo "This will go into the body of the mail." | sendmail "Hello world" myemail@domain.com
What might be going wrong and where should I look?
I have also had the same problem on AWS using SES. After wasting 2 days debugging, reading docs and forums, I tried to loosen the Security Group inbound rules, which were restricted to only the ports 22, 80 and 443.
Firstly I opened all inbound traffic for debugging purposes. As soon as I opened all ports to the world (0.0.0.0/0), the issue was gone. But this cannot stay so, so I then closed all inbound ports except 22 (SSH), 90 (HTTP), 443 (HTTPS) and additionally 25 (SMTP) to the IP of the SMTP server, and it is still working.
So, to sum up, SES needs to be able to communicate with the server using the SMTP port. That's why the port must be open for inbound traffic as well.

How do I correctly set up my UdpClient to listen on the multicast address 239.255.255.250:1900 in C#

I am setting up a small local network with 3 laptops. My goal is to experiment with the UPnP protocol and have the laptops discover each other using UPnP. In order to do this, they need to be able to listen for notifications from each other. As per the protocol, these notifications are sent on multicast address 239.255.255.250:1900. However, I am having a problem setting the laptops up to listen on that address. I am starting with just 1 PC. My PC's IP address is 10.0.0.5.
However, when I try to set up a UdpClient to listen on 239.255.255.250:1900 I get an error saying: "The requested address is not valid in its context".
I have tried just setting it up using this:
IPEndPoint endpoint = new IPEndPoint(IPAddress.Parse("239.255.255.250"), 1900);
UdpClient client = new UdpClient(endpoint);
client.BeginReceive(MessageReceived, null);
I have also tried:
UdpClient client = new UdpClient(Port);
client.JoinMulticastGroup(IPAddress.Parse("239.255.255.250"));
client.BeginReceive(MessageReceived, null);
But I still get the same error: "The requested address is not valid in its context".
How do I correctly set up my UdpClient to listen on the multicast address 239.255.255.250:1900 ?
Thanks for your help!!!
Ok, after much searching and banging my head on my desk, I've got this thing working. I thought I had it working yesterday, but it only worked on Windows 7 and not on XP..
So, here it goes:
using System.Net;
using System.Net.Sockets;

const int Port = 1900; // SSDP port from the question; the posted snippet relied on a Port defined elsewhere
IPEndPoint localEndPoint = new IPEndPoint(IPAddress.Any, Port); // bind a local address, never the group address itself
UdpClient client = new UdpClient();
client.Client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReuseAddress, true); // coexist with other SSDP listeners on 1900
client.Client.Bind(localEndPoint);
client.JoinMulticastGroup(IPAddress.Parse("239.255.255.250")); // posted code passed the type name IPAddress, not an address
client.MulticastLoopback = true;
client.BeginReceive(MessageReceived, null); // posted code used Client (the type); the variable is client
I sure wish this was documented a bit better, but I guess that's why we get the big bucks $$$.
Thanks StackOverflow for providing such an AWESOME knowledgebase from which to extract this stuff !!
