Fetchmail through Ciphermail Gateway to separate Postfix+Dovecot server

postfix

My constellation is as follows:

fetchmail on cmgateway receives from the internet and pushes to postfix on mailserver, which in turn pushes the mail to dovecot, also on mailserver.

  1. server 1: cmgateway.domain.de, hereafter cmgateway
    Ciphermail encryption gateway appliance version with integrated postfix +
    fetchmail.
  2. server 2: mailserver.domain.de, hereafter mailserver
    postfix + dovecot. Postfix is configured to send mails over my smarthost.

What I want to achieve:
cmgateway:fetchmail should pass to cmgateway:postfix should pass to mailserver:postfix.

What works:
Over my mailserver:postfix I can send mails with a mail client (Thunderbird, Outlook) via IMAP over Dovecot wonderfully.

What does not work and I want to achieve is:
cmgateway:postfix transfers found mails (from fetchmail) to my mailserver:postfix (I can see this in the logs),

BUT (and here comes the problem) mailserver:postfix forwards these mails directly back out through my smarthost.
It is supposed to deliver the mails locally, though.

If I install a fetchmail directly on mailserver and tell it smtpaddress localhost,
the fun works and it delivers to my local mailbox.
But the mails should come from cmgateway:fetchmail.

I hope I could make my problem understandable.
Are configs needed or is this a logical/basic understanding problem?

Thanks for your help in advance.
Greetings
Thomas


cmgateway:Fetchmail

# /etc/fetchmailrc for system-wide daemon mode
# This file must be chmod 0600, owner fetchmail

# log through syslog facility
set syslog

# Direct error mail to the local postmaster
set no bouncemail

# Defaults 
defaults:
timeout 300
antispam -1
batchlimit 100

# !!! DON'T CHANGE ANYTHING BETWEEN START-AUTO-CONFIG AND END-AUTO-CONFIG BECAUSE IT WILL BE OVERWRITTEN !!!   
### START-AUTO-CONFIG ###
set daemon 20
set postmaster "[email protected]"
poll "sslin.df.eu" service 993 proto IMAP no uidl user "[email protected]" password "password" is "[email protected]" folder "INBOX" options ssl no idle keep
### END-AUTO-CONFIG ###

mailserver:Postfix

myhostname                              = mailserver.mydomain.de 
mydomain                                = mydomain.de 
myorigin                                = mydomain.de 
smtpd_banner                            = $myhostname ESMTP $mail_name (Debian/GNU) 
biff                                    = no 
append_dot_mydomain                     = no 
readme_directory                        = no 
compatibility_level                     = 2 
mydestination                           = mailserver.mydomain.de, localhost.localdomain, localhost
relayhost                               = sslout.df.eu:465 
mynetworks                              = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 
home_mailbox                            = Maildir/ 
mailbox_command                         = 

alias_maps                              = hash:/etc/aliases 
alias_database                          = hash:/etc/aliases 
mailbox_size_limit                      = 0 
recipient_delimiter                     = + 
inet_interfaces                         = all 
inet_protocols                          = ipv4 

# TLS parameters 
smtpd_tls_auth_only                     = no 
smtpd_use_tls                           = yes 
smtpd_tls_cert_file                     = /etc/ssl/certs/mailserver.mydomain.de.crt 
smtpd_tls_key_file                      = /etc/ssl/private/mailserver.mydomain.de.key 
smtpd_tls_CAfile                        = /etc/ssl/certs/cacert.pem 
smtpd_tls_loglevel                      = 1 
smtpd_tls_received_header               = yes 
smtpd_tls_session_cache_timeout         = 3600s 
smtpd_tls_session_cache_database        = btree:${data_directory}/smtpd_scache 
smtpd_relay_restrictions                = permit_mynetworks permit_sasl_authenticated defer_unauth_destination 
 
smtpd_sasl_type                         = dovecot 
smtpd_sasl_path                         = private/auth 
smtpd_sasl_auth_enable                  = yes 

smtp_tls_session_cache_database         = btree:${data_directory}/smtp_scache 
smtp_tls_note_starttls_offer            = yes 
smtp_use_tls                            = yes 
smtp_tls_wrappermode                    = yes 
smtp_tls_security_level                 = encrypt 
smtp_sasl_auth_enable                   = yes 
smtp_sasl_security_options              = noanonymous 

smtp_sasl_password_maps                 = hash:/etc/postfix/sasl_password
sender_canonical_maps                   = hash:/etc/postfix/sender_canonical
#smtp_generic_maps          = hash:/etc/postfix/generic

mailserver:dovecot

disable_plaintext_auth  = no 
mail_privileged_group   = mail 
mail_location           = maildir:~/Maildir 
auth_mechanisms         = plain login 
ssl                     = required 
ssl_cert                = </etc/ssl/certs/mailserver.mydomain.de.crt 
ssl_key                 = </etc/ssl/private/mailserver.mydomain.de.key 

userdb { 
        driver = passwd 
} 
passdb  { 
        driver = pam 
} 
protocols               = imap 
 
service auth { 
        unix_listener /var/spool/postfix/private/auth { 
        mode = 0660 
        user=postfix 
        group=postfix 
} 
}

First part solved

I would like to describe a follow-up problem and am unsure if I should have opened another post for this.
The whole story is a connection of a postfix to a ciphermail encryption gateway, where the gateway (cmgateway) is hooked into an existing postfix as a content filter.

Thanks to your help I can now deliver mails locally with my mailserver:postfix and receive them via client using dovecot.
What works is:
When I send out mails via mailserver:postfix, the mail is actually sent to cmgateway:content-filter before, the mail is signed or encrypted, sent back and postfix sends it over my smarthost.
Works great.

What does not work is:
Since I RECEIVE mails via fetchmail and give them to my mailserver:postfix, these mails unfortunately don't go through my cmgateway:content-filter, which is totally stupid, since the mails are then not automatically checked and decrypted.

So my question is: what do I have to do so that mails that go to my postfix via fetchmail are also processed through my cmgateway:content-filter?

cmgateway – Ciphermail Gateway Appliance
Postfix settings and extra Djigzo vars come from the appliance,
that I configured via GUI.

cmgateway:postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
content_filter = djigzo:[127.0.0.1]:10025
djigzo_after_filter_message_size_limit = ${djigzo_calculated_after_filter_message_size_limit}
djigzo_before_filter_message_size_limit = 10240000
djigzo_calculated_after_filter_message_size_limit = 30720000
djigzo_calculated_queue_minfree = 92160000
djigzo_mailbox_size_limit = 512000000
djigzo_mydestination =
djigzo_myhostname = cmgateway.unixuser.de
djigzo_mynetworks = 192.168.1.0/24
djigzo_parent_domain_matches_subdomains =
djigzo_rbl_clients =
djigzo_reject_unverified_recipient =
djigzo_relay_domains =
djigzo_relay_transport_host =
djigzo_relay_transport_host_mx_lookup =
djigzo_relay_transport_host_port = 25
djigzo_relayhost =
djigzo_relayhost_mx_lookup =
djigzo_relayhost_port = 25
djigzo_smtp_helo_name = cmgateway.unixuser.de
djigzo_unverified_recipient_reject_code = 450
enable_long_queue_ids = yes
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = CipherMail
mailbox_size_limit = ${djigzo_mailbox_size_limit}
message_size_limit = ${djigzo_after_filter_message_size_limit}
mydestination = ${djigzo_mydestination}
myhostname = ${djigzo_myhostname}
mynetworks = 127.0.0.0/8, [::1]/128, ${djigzo_mynetworks}
notify_classes =
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}
queue_minfree = ${djigzo_calculated_queue_minfree}
recipient_delimiter = +
relay_domains = ${djigzo_relay_domains}
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}
relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}
smtp_address_preference = ipv4
smtp_helo_name = ${djigzo_smtp_helo_name?$djigzo_smtp_helo_name}${djigzo_smtp_helo_name:${myhostname}}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_client_passwd
smtp_sasl_security_options =
smtp_sasl_type = cyrus
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
smtp_tls_security_level = may
smtpd_authorized_xforward_hosts = 127.0.0.1/32
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_discard_ehlo_keywords = silent-discard, dsn, etrn
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination ${djigzo_rbl_clients} ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh2048.pem
smtpd_tls_exclude_ciphers = AESCCM8, aNULL, ARIA, DES, DSS, eNULL, EXPORT, IDEA, MD5, PSK, RC4, SEED
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = $smtpd_tls_protocols
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}

cmgateway:postconf -M

smtp       inet  n       -       n       -       -       smtpd -o message_size_limit=${djigzo_before_filter_message_size_limit}
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
djigzo     unix  -       -       n       -       4       smtp -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o smtp_generic_maps=
cleanup_reinject unix n  -       n       -       0       cleanup -o hopcount_limit=100
127.0.0.1:10026 inet n   -       n       -       10      smtpd -o content_filter= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_tls_security_level= -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 -o smtpd_authorized_xclient_hosts=127.0.0.0/8 -o cleanup_service_name=cleanup_reinject
127.0.0.1:10027 inet n   -       n       -       10      smtpd -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_tls_security_level= -o mynetworks=127.0.0.0/8 -o syslog_name=postfix/10027 -o message_size_limit=${djigzo_before_filter_message_size_limit}

mailserver:postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
content_filter = djigzo:[<ip:cmgateway:content-filter>]:10025
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command =
mailbox_size_limit = 0
mydestination = mydomain.de, mailserver.mydomain.de, localhost.localdomain, localhost
mydomain = mydomain.de
myhostname = mailserver.mydomain.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
myorigin = mydomain.de
readme_directory = no
recipient_delimiter = +
relayhost = sslout.df.eu:465
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_wrappermode = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.mydomain.de.crt
smtpd_tls_key_file = /etc/ssl/private/mailserver.mydomain.de.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes

mailserver:postconf -M

smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd
maildrop   unix  -       n       n       -       -       pipe flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
djigzo     unix  -       -       n       -       4       smtp -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o smtp_generic_maps= -o smtp_tls_wrappermode=no -o smtp_tls_security_level=none
:10026     inet  n       -       n       -       10      smtpd -o content_filter= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_relay_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8,<ip-cmgateway:content-scanner>/32 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,<ip-cmgateway:content-filter>/32 -o smtpd_authorized_xclient_hosts=127.0.0.0/8,<ip-cmgateway:content-filter>/32

Mailflow from [email protected] to [email protected]

Return-Path: <[email protected]>
X-Original-To: vorname.nachname@localhost
Delivered-To: vorname.nachname@localhost
Received: from cmgateway.mydomain.de (unknown [192.168.1.100])
    by mailserver.mydomain.de (Postfix) with ESMTP id 300A69FE83
    for <vorname.nachname@localhost>; Thu, 30 Sep 2021 15:18:51 +0200 (CEST)
Received: from mailserver.mydomain.de (mailserver.mydomain.de [127.0.0.1])
    by mailserver.mydomain.de (Postfix) with ESMTP id B1F629FE83
    for <vorname.nachname@localhost>; Thu, 30 Sep 2021 15:18:50 +0200 (CEST)
Delivery-date: Thu, 30 Sep 2021 15:18:47 +0200
Received: from sslin.df.eu
    by mailserver.mydomain.de with IMAP (fetchmail-6.4.16)
    for <vorname.nachname@localhost> (single-drop); Thu, 30 Sep 2021 15:18:50 +0200 (CEST)
Received: from [80.67.18.23] (helo=mx14.ispgateway.de)
    by mailcluster2-1.ispgateway.de with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.94.2)
    (envelope-from <[email protected]>)
    id 1mVvxX-0002n4-8A; Thu, 30 Sep 2021 15:18:47 +0200
X-Envelope-to: [email protected]
Received: from [209.85.221.53] (helo=mail-wr1-f53.google.com)
    by mx14.ispgateway.de with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    (Exim 4.94.2)
    (envelope-from <[email protected]>)
    id 1mVvxX-0008N2-1L
    for [email protected]; Thu, 30 Sep 2021 15:18:47 +0200
Received: by mail-wr1-f53.google.com with SMTP id i23so10058684wrb.2
        for <[email protected]>; Thu, 30 Sep 2021 06:18:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=from:to:subject:date:message-id:mime-version;
        ...
        ...
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        ...
        ...
X-Gm-Message-State: AOAM532Mi+9hBhIeKRyxZ8mrv7KD20yvxc3VONKwCkqsWH/ogS2KhbUd
    YN1oqMrTf1snf3apkNSFnIF8nwfvud4bZw==
X-Google-Smtp-Source: ABdhPJyqHVpnPTv0v+vEPth75iFBs6gHSDH8GkXrc84pQMoafAT6UZKwGe7ezuW6Mz2MZrbtyx/vTQ==
X-Received: by 2002:a5d:4e8e:: with SMTP id e14mr6075326wru.280.1633007926486;
        Thu, 30 Sep 2021 06:18:46 -0700 (PDT)
Received: from zero.localnet (b2b-37-24-59-146.unitymedia.biz. [37.24.59.146])
        by smtp.gmail.com with ESMTPSA id t16sm5297571wmi.33.2021.09.30.06.18.45
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 30 Sep 2021 06:18:45 -0700 (PDT)
From: taumeister <[email protected]>
To: [email protected]
Subject: test
Date: Thu, 30 Sep 2021 15:18:44 +0200
Message-ID: <12963307.VfqQIOsWLq@zero>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3105979.8Fo9iPulqY"; micalg="sha256"; protocol="application/pkcs7-signature"
X-Received-SPF: pass ( mx14.ispgateway.de: domain of gmail.com designates 209.85.221.53 as permitted sender )
X-DKIM: DKIM passed: ([email protected] domain=gmail.com), signature is good.
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
    spamfilter06.ispgateway.de
X-Spam-Level: 
X-Spam-Status: No, hits=0.0 required=9999.0 tests=BAYES_50 autolearn=disabled
    version=3.4.0
X-Spam-CMAETAG: v=2.2 cv=Vb6HBBh9 c=1 sm=1 tr=0
    a=f3DIsCLYdJ36Iz1841r7JQ==:17 a=7QKq2e-ADPsA:10 a=nPLt57aK5UoA:10
    a=nS36O97Bj3wUElCrIrAA:9 a=CjuIK1q_8ugA:10 a=nlHNP32c2GOG8w8F970A:9
    a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10
X-Spam-CMAECATEGORY: 
X-Spam-CMAESUBCATEGORY: 
X-Spam-CMAESCORE: 

 
--nextPart3105979.8Fo9iPulqY
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

test
--nextPart3105979.8Fo9iPulqY
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCDVcw
...
..
iWw4PiXyoxYAdifS9anajXimDWcgUfY/ps+VEgAAAAAAAA==


--nextPart3105979.8Fo9iPulqY--

Best Answer

I don't see anything in your Postfix@Server2 configuration saying that it should deliver those mails locally. You have to tell Postfix that it is the "final destination" for a mail domain.

I recommend you add your domain to mydestination (the non-virtual setup, best suited for local users, which your Dovecot setting driver=pam indicates). That will fix the mail looping back out from the Postfix instance not knowing it is the destination for those.

About processing the mail from fetchmail through your gateway: I think that would happen, or at least produce meaningful diagnostic logs/headers, as soon as you actually try it. The headers you currently show do not seem to be a mail that was inserted to cmgateway by fetchmail, but rather a mail that was pulled by fetchmail running on mailserver.


Unrelated, but will improve some behaviour of your IMAP server: I would also recommend you deliver the mail via Dovecot LMTP (the default steps in the documentation should be fine), that way Dovecot will be the only program changing the mailbox.
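
The loop back out through the smarthost follows from how Postfix classifies a recipient domain: only domains listed in mydestination are delivered locally, and everything else leaves via relayhost. The following is an added example, not code from the question or the answer. It is a simplified model that checks only mydestination and relay_domains with exact matches, ignores virtual domains, lookup tables and content_filter, treats an unset relay_domains as empty (the default at the compatibility_level = 2 shown in the question), and uses a constructed recipient user@mydomain.de.

```python
import re

# Constructed input: the mailserver settings from the question in
# `postconf -n` form, before the fix (mydomain.de not in mydestination).
BEFORE = """\
myhostname = mailserver.mydomain.de
mydomain = mydomain.de
mydestination = mailserver.mydomain.de, localhost.localdomain, localhost
relayhost = sslout.df.eu:465
"""
# After the fix: mydomain.de added to mydestination.
AFTER = BEFORE.replace("mydestination = ", "mydestination = mydomain.de, ")


def parse_postconf(text):
    """Parse 'name = value' lines; skip blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand plain $name / ${name} references (no ?: conditionals)."""
    if depth > 10:
        raise ValueError("parameter expansion loop")

    def sub(match):
        name = match.group(1) or match.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, value)


def domain_set(name, params):
    """Return a list-valued parameter as a set of lower-cased domains."""
    raw = expand(params.get(name, ""), params)
    return {d.lower() for d in re.split(r"[,\s]+", raw) if d}


def route(recipient, params):
    """Return (address_class, next_hop) for one envelope recipient."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in domain_set("mydestination", params):
        return ("local", None)          # final destination: local mailbox
    in_relay = domain in domain_set("relay_domains", params)
    cls = "relay" if in_relay else "default"
    # Off-host classes: a configured relayhost overrides the recipient domain.
    return (cls, expand(params.get("relayhost", ""), params) or domain)


if __name__ == "__main__":
    rcpt = "user@mydomain.de"           # constructed recipient
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, route(rcpt, parse_postconf(conf)))
```

On the real server, `postconf -h mydestination` prints the effective value to compare against.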