In my
/etc/e-smith/events/nethserver-mail-server-update
there’s only the directory structure, no files with code
=====
[root@mail nethserver-mail-server-update]# ls -lR
.:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 services2adjust
drwxr-xr-x 4 root root 28 Mar 19 11:01 templates2expand
./services2adjust:
total 0
./templates2expand:
total 0
drwxr-xr-x 8 root root 90 Mar 19 11:04 etc
drwxr-xr-x 3 root root 17 Mar 19 11:01 var
./templates2expand/etc:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 amavisd
drwxr-xr-x 2 root root 6 Mar 19 11:04 dovecot
drwxr-xr-x 2 root root 6 Mar 19 11:04 pam.d
drwxr-xr-x 3 root root 21 Mar 19 11:01 pki
drwxr-xr-x 2 root root 6 Mar 19 11:04 postfix
drwxr-xr-x 3 root root 20 Mar 19 11:01 systemd
./templates2expand/etc/amavisd:
total 0
./templates2expand/etc/dovecot:
total 0
./templates2expand/etc/pam.d:
total 0
./templates2expand/etc/pki:
total 0
drwxr-xr-x 4 root root 34 Mar 19 11:01 dovecot
./templates2expand/etc/pki/dovecot:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 certs
drwxr-xr-x 2 root root 6 Mar 19 11:04 private
./templates2expand/etc/pki/dovecot/certs:
total 0
./templates2expand/etc/pki/dovecot/private:
total 0
./templates2expand/etc/postfix:
total 0
./templates2expand/etc/systemd:
total 0
drwxr-xr-x 3 root root 31 Mar 19 11:01 system
./templates2expand/etc/systemd/system:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 dovecot.service.d
./templates2expand/etc/systemd/system/dovecot.service.d:
total 0
./templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 19 11:01 lib
./templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 19 11:01 nethserver
./templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 sieve-scripts
./templates2expand/var/lib/nethserver/sieve-scripts:
total 0
=====
[root@mail nethserver-mail2-server-update]# ls -lR
.:
total 0
lrwxrwxrwx 1 root root 39 Mar 19 11:04 S00initialize-default-databases -> ../actions/initialize-default-databases
lrwxrwxrwx 1 root root 48 Mar 19 11:04 S01nethserver-mail-default-domain-create -> ../actions/nethserver-mail-default-domain-create
lrwxrwxrwx 1 root root 41 Mar 19 11:04 S30nethserver-mail-postmap-update -> ../actions/nethserver-mail-postmap-update
lrwxrwxrwx 1 root root 46 Mar 19 11:04 S40nethserver-mail-create-opendkim-key -> ../actions/nethserver-mail-create-opendkim-key
lrwxrwxrwx 1 root root 38 Mar 19 11:04 S50nethserver-sssd-initkeytabs -> ../actions/nethserver-sssd-initkeytabs
lrwxrwxrwx 1 root root 51 Mar 19 11:04 S95nethserver-mail-server-init-system-users -> ../actions/nethserver-mail-server-init-system-users
lrwxrwxrwx 1 root root 42 Mar 19 11:04 S98nethserver-mail-server-init-acl -> ../actions/nethserver-mail-server-init-acl
drwxr-xr-x 2 root root 82 Mar 19 11:04 services2adjust
drwxr-xr-x 4 root root 28 Mar 19 11:04 templates2expand
./services2adjust:
total 20
-rw-r--r-- 1 root root 8 Mar 8 18:03 dnsmasq
-rw-r--r-- 1 root root 8 Mar 8 18:03 dovecot
-rw-r--r-- 1 root root 8 Mar 8 18:03 opendkim
-rw-r--r-- 1 root root 8 Mar 8 18:03 postfix
-rw-r--r-- 1 root root 8 Mar 8 18:03 rsyslog
./templates2expand:
total 0
drwxr-xr-x 8 root root 145 Mar 19 11:04 etc
drwxr-xr-x 3 root root 17 Mar 19 11:04 var
./templates2expand/etc:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 dnsmasq.conf
drwxr-xr-x 2 root root 85 Mar 19 11:04 dovecot
-rw-r--r-- 1 root root 0 Mar 8 18:03 hosts
drwxr-xr-x 2 root root 62 Mar 19 11:04 opendkim
-rw-r--r-- 1 root root 0 Mar 8 18:03 opendkim.conf
drwxr-xr-x 2 root root 28 Mar 19 11:04 pam.d
drwxr-xr-x 3 root root 21 Mar 19 11:04 pki
drwxr-xr-x 2 root root 114 Mar 22 09:46 postfix
drwxr-xr-x 3 root root 20 Mar 19 11:04 systemd
./templates2expand/etc/dovecot:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 deny.passwd
-rw-r--r-- 1 root root 0 Mar 8 18:03 dovecot.conf
-rw-r--r-- 1 root root 0 Mar 8 18:03 master-users
-rw-r--r-- 1 root root 0 Mar 8 18:03 quota.passwd
./templates2expand/etc/opendkim:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 KeyTable
-rw-r--r-- 1 root root 0 Mar 8 18:03 SigningTable
-rw-r--r-- 1 root root 0 Mar 8 18:03 TrustedHosts
./templates2expand/etc/pam.d:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 dovecot-master
./templates2expand/etc/pki:
total 0
drwxr-xr-x 4 root root 34 Mar 19 11:04 dovecot
./templates2expand/etc/pki/dovecot:
total 0
drwxr-xr-x 2 root root 25 Mar 19 11:04 certs
drwxr-xr-x 2 root root 25 Mar 19 11:04 private
./templates2expand/etc/pki/dovecot/certs:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 dovecot.pem
./templates2expand/etc/pki/dovecot/private:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 dovecot.pem
./templates2expand/etc/postfix:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 internal_access
-rw-r--r-- 1 root root 0 Mar 8 18:03 main.cf
-rw-r--r-- 1 root root 0 Mar 8 18:03 master.cf
-rw-r--r-- 1 root root 0 Mar 8 18:03 recipient_bcc
-rw-r--r-- 1 root root 0 Mar 8 18:03 transport
-rw-r--r-- 1 root root 0 Mar 8 18:03 virtual
./templates2expand/etc/systemd:
total 0
drwxr-xr-x 3 root root 31 Mar 19 11:04 system
./templates2expand/etc/systemd/system:
total 0
drwxr-xr-x 2 root root 25 Mar 19 11:04 dovecot.service.d
./templates2expand/etc/systemd/system/dovecot.service.d:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 limits.conf
./templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 19 11:04 lib
./templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 19 11:04 nethserver
./templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 26 Mar 19 11:04 sieve-scripts
./templates2expand/var/lib/nethserver/sieve-scripts:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 before.sieve
stephdl
(Stéphane de Labrusse)
March 22, 2018, 9:56am
25
Don’t be mistaken: I was talking about nethserver-mail-server-save
[root@ns7dev6 ~]# ll -R /etc/e-smith/events/nethserver-mail-server-save/
/etc/e-smith/events/nethserver-mail-server-save/:
total 0
lrwxrwxrwx 1 root root 41 Mar 18 11:15 S30nethserver-mail-postmap-update -> ../actions/nethserver-mail-postmap-update
lrwxrwxrwx 1 root root 39 Mar 18 11:15 S95nethserver-mail-quota-recalc -> ../actions/nethserver-mail-quota-recalc
drwxr-xr-x 2 root root 36 Mar 18 11:15 services2adjust
drwxr-xr-x 4 root root 28 Mar 18 11:15 templates2expand
/etc/e-smith/events/nethserver-mail-server-save/services2adjust:
total 8
-rw-r--r-- 1 root root 7 Mar 8 18:03 dovecot
-rw-r--r-- 1 root root 7 Mar 8 18:03 postfix
/etc/e-smith/events/nethserver-mail-server-save/templates2expand:
total 0
drwxr-xr-x 6 root root 86 Mar 18 11:15 etc
drwxr-xr-x 3 root root 17 Mar 18 11:15 var
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc:
total 0
drwxr-xr-x 2 root root 65 Mar 18 11:15 dovecot
drwxr-xr-x 2 root root 62 Mar 18 11:15 opendkim
-rw-r--r-- 1 root root 0 Mar 8 18:03 opendkim.conf
drwxr-xr-x 2 root root 28 Mar 18 11:15 pam.d
drwxr-xr-x 2 root root 97 Mar 18 11:15 postfix
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/dovecot:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 deny.passwd
-rw-r--r-- 1 root root 0 Mar 8 18:03 dovecot.conf
-rw-r--r-- 1 root root 0 Mar 8 18:03 quota.passwd
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/opendkim:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 KeyTable
-rw-r--r-- 1 root root 0 Mar 8 18:03 SigningTable
-rw-r--r-- 1 root root 0 Mar 8 18:03 TrustedHosts
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/pam.d:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 dovecot-master
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/postfix:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 internal_access
-rw-r--r-- 1 root root 0 Mar 8 18:03 main.cf
-rw-r--r-- 1 root root 0 Mar 8 18:03 recipient_bcc
-rw-r--r-- 1 root root 0 Mar 8 18:03 transport
-rw-r--r-- 1 root root 0 Mar 8 18:03 virtual
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 18 11:15 lib
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 18 11:15 nethserver
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 26 Mar 18 11:15 sieve-scripts
/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib/nethserver/sieve-scripts:
total 0
-rw-r--r-- 1 root root 0 Mar 8 18:03 before.sieve
stephdl
(Stéphane de Labrusse)
March 22, 2018, 10:00am
26
saitobenkei:
if there’s the rspamd module installed, the last command should be:
signal-event nethserver-mail2-server-update
I made a mistake
yes you can use
signal-event nethserver-mail2-server-update
or
nethserver-mail-server-save

I was replying to the command that @giacomo wrote in his post:
signal-event nethserver-mail-server-update
That command doesn’t work for me with the rspamd module installed, and I’ve found out why.
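OK, after some more tests it seems that Roundcube and Webtop don’t use SMTP authentication (with the credentials submitted at login) to send mail, so the configuration doesn’t work: reject_authenticated_sender_login_mismatch is only applied to authenticated SMTP sessions, so mail they submit without authenticating is not checked against the login map.
Is it possible to enable SMTP authentication for sending mail in Webtop and Roundcube?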
saitobenkei
(Saito Benkei)
November 20, 2018, 8:53am
30
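If you need more than one user to be able to use the same email address, enter the users separated by commas. Each line has the sender address on the left and the login names allowed to send with it on the right; a line with only @domain on the left covers every address of that domain that has no line of its own.
For example, if you want users u1, u2 and u3 to be able to send as marketing@local.neth.eu: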
u1@local.neth.eu u1
u2@local.neth.eu u2
marketing@local.neth.eu u1, u2, u3
@local.neth.eu u2
saitobenkei
(Saito Benkei)
November 20, 2018, 8:54am
31
With the latest version of Webtop it now seems the answer is yes.
These should be the commands to enable outgoing authentication in Webtop:
http://docs.nethserver.org/en/v7/webtop5.html#smtp-setting
But I haven’t tried.
stephdl
(Stéphane de Labrusse)
December 12, 2018, 10:53pm
32
We could use a pcre map and simplify the code a lot
# cat /etc/e-smith/templates-custom/etc/postfix/master.cf/40restrictions
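{
    # Custom fragment for the master.cf template: append two options to the
    # list kept in @submission_smtpd_options (presumably rendered as -o
    # overrides of the submission smtpd service; confirm in the stock template).
    # The string delimiters must be plain ASCII single quotes; typographic
    # quotes pasted from a web page are not valid Perl.

    # Reject mail whose envelope sender is not owned by the authenticated
    # login. This check is applied to authenticated sessions only.
    # NOTE(review): if these become -o overrides, this value replaces any
    # smtpd_sender_restrictions set in main.cf for that service.
    push @submission_smtpd_options, 'smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch';

    # Lookup table that says which login names own which sender addresses.
    push @submission_smtpd_options, 'smtpd_sender_login_maps=pcre:/etc/postfix/login_maps.pcre';

    # End on an empty string so the fragment itself adds no text.
    '';
}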
then
# cat /etc/postfix/login_maps.pcre
#Match any sender address; the owner (login name) returned is the whole address
/^(.*)$/ ${1}
#match a specific domain name
#/^(.*)@nethservertest.org\.org$/ ${1}
and
signal-event nethserver-mail-server-update
The tests with curl are good, but indeed SOGo and Roundcubemail do not respect the policy
stephdl
(Stéphane de Labrusse)
December 13, 2018, 6:33am
33
With roundcubemail we could try this
// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 0;
$config['identities_level'] = 4;
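is a good security choice: at level 4 each user has a single identity and can edit only its signature, so the sender address cannot be changed from the webmail. This restricts only the Roundcube interface; other SMTP clients are still limited only by the Postfix sender restriction.
Of course this won’t work nicely with our configuration, which has only one domain name plus the domain alias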
cc @saitobenkei cc @giacomo cc @davidep
davidep
(Davide Principi)
December 13, 2018, 8:32am
34
I’m not sure the regexp is enough
giacomo:
push @submission_smtpd_options, 'smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch';
push @submission_smtpd_options, 'smtpd_sender_login_maps=hash:/etc/postfix/smtpd_sender_login_maps';
Is it possible to make a template of /etc/postfix/smtpd_sender_login_maps
by expanding the pseudonym records?
As a rule of thumb the db format is
<key> <TAB> <Account prop>
The Account prop should be filtered, ignoring “external” addresses…
stephdl
(Stéphane de Labrusse)
December 13, 2018, 8:38am
35
It works well in the first tests.
Do you think Postfix SASL authentication is aware of pseudonyms? In the end, I am sure we want a way here to banish them and allow only the user@firstDomain.com email address. At least that is what Roundcubemail and SOGo display as the user’s email address.
davidep
(Davide Principi)
December 13, 2018, 1:39pm
36
For example,
user: first.user@example.com
pseudonym: info@example.com
→ first.user@example.com
If the user wants to send a message as first.user@example.com, it works for both the first.user@example.com and the first.user SMTP/AUTH login names.
But if the user wants to send a message as info@example.com, the regexp does not match.
The regexp is a good generic/fallback rule but we need a table where this record exists too:
info@example.com first.user@example.com,first.user
I’d like to simplify the table, by not requiring ,first.user
too…
stephdl
(Stéphane de Labrusse)
December 13, 2018, 4:04pm
37
we can force roundcubemail to use sasl=login
-$config['smtp_server'] = '127.0.0.1';
+$config['smtp_server'] = 'tls://127.0.0.1';
// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
-$config['smtp_user'] = '';
+$config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
-$config['smtp_pass'] = '';
+$config['smtp_pass'] = '%p';
// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
-$config['smtp_auth_type'] = '';
+$config['smtp_auth_type'] = 'LOGIN';
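Review bot: The new `tls://127.0.0.1` value makes Roundcube negotiate STARTTLS against a loopback address, and the hunk sets no `smtp_conn_options`, so certificate checking is left at the PHP default; if the Postfix certificate is issued for the host name rather than for 127.0.0.1, the handshake will presumably fail. Rather than switching verification off, point the check at the certificate's real name, e.g. `$config['smtp_conn_options'] = ['ssl' => ['verify_peer' => true, 'peer_name' => 'MAIL_HOST_PLACEHOLDER']];` with the server's certificate name in place of the placeholder. A one-line comment above `smtp_auth_type` saying that LOGIN is pinned so the session is authenticated and `smtpd_sender_login_maps` applies would also help, since the stock comment still describes the empty default. The hunk is a fragment of the Roundcube config file, so any settings outside it are not visible here.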
After that, Roundcube has to respect the smtpd_sender_login_maps.
It is workable with pseudonyms, @davidep
stephdl
(Stéphane de Labrusse)
December 13, 2018, 4:26pm
38
I did and it is ok
Dec 13 17:23:01 ns7loc14 postfix/smtpd[5997]: connect from localhost[127.0.0.1]
Dec 13 17:23:03 ns7loc14 postfix/smtpd[5997]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 553 5.7.1 <zorro@nethservertest.org>: Sender address rejected: not owned by user stephane@nethservertest.org; from=<zorro@nethservertest.org> to=<stephane@nethservertest.org> proto=ESMTP helo=<ns7loc14.nethservertest.org>
Dec 13 17:23:03 ns7loc14 postfix/smtpd[5997]: disconnect from localhost[127.0.0.1]
with the smtpd_sender_login_maps
only known identities are allowed (pseudonym or real account)
stephdl
(Stéphane de Labrusse)
December 13, 2018, 4:37pm
39
stephdl:
smtp_server
https://sogo.nu/bugs/view.php?id=31
no TLS/SSL encryption in SOGO
A workaround is to use stunnel
@mark_nl what do you think? We need TLS to authenticate with SASL; at least my first tries without it failed.
mark_nl
(Mark Verlinde)
December 13, 2018, 5:22pm
40
stephdl:
no TLS/SSL encryption in SOGO :’(
A workaround is to use stunnel
@mark_nl what do you think, we need tls to authenticate with sasl, at least my first tries without failed
Sorry, do not know what this is about… Will try to understand / read-in soon
stephdl
(Stéphane de Labrusse)
December 13, 2018, 7:04pm
41
We want to follow a strict policy for the sender address and allow only the correct From address. The challenge here is that SOGo does not allow sending email with SASL authentication over TLS…
Either I am wrong (please shoot), or it is really incredible:
when you add: SOGoSMTPAuthenticationType = PLAIN;
you can no longer send email until you modify this in your Postfix configuration
-smtpd_tls_auth_only = yes
+smtpd_tls_auth_only = no
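Review bot: Setting `smtpd_tls_auth_only = no` in the main Postfix configuration lifts the TLS requirement for SMTP AUTH on every smtpd listener, not only for SOGo's loopback connection, so PLAIN/LOGIN credentials could then be accepted over unencrypted connections from the network. If the exception is needed only for a local client, keep `yes` globally and override it on a dedicated loopback-only service in master.cf with `-o smtpd_tls_auth_only=no`. The hunk shows only the changed parameter, so whether other listeners already override it cannot be seen here.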
and you restart the service
saitobenkei
(Saito Benkei)
December 13, 2018, 7:24pm
42
But doesn’t SOGo’s SMTP connect to the same server (127.0.0.1) to send mail? Is it really necessary to use TLS/SSL?