PHPFixing
Showing posts with label postfix-mta. Show all posts

Wednesday, November 9, 2022

[FIXED] How to use opendkim socket in 2 postfix instances?

 November 09, 2022     dkim, postfix, postfix-mta, sockets     No comments   

Issue

I have 2 Postfix instances running, and I want to sign emails with OpenDKIM, but the issue is that I am not able to use the same socket in both instances. The configuration is below.

/etc/default/opendkim

SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
SOCKET="local:/var/spool/postfix-2/opendkim/opendkim.sock"

/etc/postfix/main.cf

smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock

/etc/postfix-2/main.cf

smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock

Please help me!


Solution

OpenDKIM will only use one UNIX socket. You can't specify multiple UNIX sockets as you have above.

Option 1

Create the socket file somewhere else e.g. SOCKET="local:/var/run/opendkim/opendkim.sock". Make sure both instances of Postfix have permissions to access this file, through membership of the opendkim group or otherwise.

Create an opendkim directory in the chroot jail for each instance of Postfix:

mkdir /var/spool/postfix/opendkim/
mkdir /var/spool/postfix-2/opendkim/

Bind mount the directory that contains the socket file to each of the directories in the postfix chroot jails.

mount --bind /var/run/opendkim/ /var/spool/postfix/opendkim/
mount --bind /var/run/opendkim/ /var/spool/postfix-2/opendkim/

Both instances of Postfix should now have access to the same socket file, mounted within their own directories. If that is now working you'll want to add entries to /etc/fstab so that this mounting happens on every boot.

/var/run/opendkim/ /var/spool/postfix/opendkim none defaults,bind 0 0
/var/run/opendkim/ /var/spool/postfix-2/opendkim none defaults,bind 0 0

Option 2

Use a TCP/IP port instead of a unix socket for communication between Postfix and OpenDKIM e.g. SOCKET="inet:8891@localhost".

Change your Postfix main.cf files to use this TCP/IP socket:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

If Postfix can't connect then you may need to adjust your firewall to allow this connection.

If your outgoing mail is not being signed then you may need to add the following lines to opendkim.conf:

InternalHosts           /etc/opendkim/TrustedHosts
ExternalIgnoreList      /etc/opendkim/TrustedHosts

Create this TrustedHosts file and list every IP address and hostname that Postfix might use when connecting to OpenDKIM, e.g.:

127.0.0.1
::1
localhost
hostname.example.com
example.com

This list identifies which hosts mail should be signed for, as opposed to external mail which should have any signatures verified.



Answered By - Ally Smith
Answer Checked By - David Goodson (PHPFixing Volunteer)
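
A check for either option above, as an added example that is not part of the original answer: it reports which SOCKET line actually takes effect and whether one Postfix instance's smtpd_milters reaches that socket. The function names are illustrative, and it assumes a Debian-style /etc/default/opendkim that is read as shell, a chrooted smtpd, and one milter per instance.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Debian-style
# /etc/default/opendkim read as shell, and one milter per Postfix instance.

# SOCKET value that takes effect: the last uncommented assignment wins.
effective_socket() {
    sed -n 's/^[[:space:]]*SOCKET=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Value of smtpd_milters in a main.cf (on a live host the equivalent is
# `postconf -c <config_dir> -h smtpd_milters`).
milter_of() {
    sed -n 's/^[[:space:]]*smtpd_milters[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_instance SOCKETSPEC QUEUE_DIR MAIN_CF
# Prints a verdict; returns 0 only if this instance reaches OpenDKIM's socket.
check_instance() {
    spec=$1 qdir=$2 milter=$(milter_of "$3")
    case $spec in
    local:*)
        case $milter in
        local:*|unix:*) rel=${milter#*:} ;;
        *) echo "FAIL: OpenDKIM uses a UNIX socket, Postfix has '$milter'"; return 1 ;;
        esac
        # Assumption: smtpd is chrooted, so the path resolves inside QUEUE_DIR.
        seen="$qdir/${rel#/}"
        if [ "$seen" -ef "${spec#local:}" ]; then
            echo "OK: $seen is OpenDKIM's socket"
        else
            echo "FAIL: $seen is not ${spec#local:}"; return 1
        fi ;;
    inet:*)
        addr=${spec#inet:}
        case $addr in
        *@*) want="inet:${addr#*@}:${addr%%@*}" ;;
        *) echo "FAIL: '$spec' has no @host, so it listens on all interfaces"; return 1 ;;
        esac
        if [ "$milter" = "$want" ]; then echo "OK: $milter"
        else echo "FAIL: expected '$want', Postfix has '$milter'"; return 1; fi ;;
    *) echo "FAIL: unrecognised socket spec '$spec'"; return 1 ;;
    esac
}
```

Run `check_instance "$(effective_socket /etc/default/opendkim)" /var/spool/postfix-2 /etc/postfix-2/main.cf` once per instance; with the bind mounts from Option 1 in place, both instances should report OK for the same socket.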

Thursday, July 7, 2022

[FIXED] Why do I get a sender rejected from postfix when sending from phpmailer?

 July 07, 2022     email, php, phpmailer, postfix-mta, smtp     No comments   

Issue

When I run the following PHP code I get an error.

$mail = new PHPMailer;
$mail->isSMTP();
$mail->SMTPDebug = SMTP::DEBUG_SERVER; // debug
$mail->Host = 'localhost';
$mail->Port = 25;
$mail->SMTPAuth = true;
$mail->Username = $uname;
$mail->Password = $pw;
$mail->CharSet = PHPMailer::CHARSET_UTF8;
$mail->setFrom('no-reply@example.com', 'website registration');
$mail->addAddress($cleaned_email);
$mail->Subject = 'Please verify your account';
$msg = '[registration text...]';
$msg = wordwrap($msg, 70);
$mail->Body = $msg;
                        
if (!$mail->send()) {
  echo $mail->ErrorInfo;
  exit();
} else {
  // [... add user to db, etc...]
}

The mail appears to be sent. No error is generated by PHPMailer and the database code is run.

Here is the error generated in mail.log.

Aug 22 11:47:06 server postfix/smtp[8339]: 079AB1F909: to=<outsider-at-anydomain.com>, relay=mail.brighthouse.com[47.43.26.56]:25, delay=5.7, delays=0.06/0.02/0.31/5.3, dsn=2.0.0, status=sent (250 2.0.0 <user-at-example.com> sender rejected. Please see understanding-email-error-codes for more information.)

I have tried changing the send from address to my user that I am authenticating with in the PHP code.

I have tried adding a smtpd_sender_login_maps parameter with a matching hash table to my postfix config to map the no-reply address to my user that I authenticate with, but it ignores it as an unused parameter.

Postfix config:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Raspbian)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/www.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/www.example.com/privkey.pem
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        defer_unauth_destination
myhostname = server
mydomain = example.com
virtual_alias_domains = example2.com
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $myhostname, $mydomain, server, localhost.localdomain, localhost
relayhost = mail.brighthouse.com
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
notify_classes = resource, software, 2bounce
home_mailbox = Maildir/
#mailbox_command =
mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
        reject_sender_login_mismatch
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        check_helo_access hash:/etc/postfix/helo_access
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smptd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders


Solution

My issue has nothing to do with PHP Mailer. The php code I posted works. My issue is with my email server setup. I have posted a more server related question on Super User here: https://superuser.com/questions/1580944/soho-postfix-dovecot-configuration-for-small-web-app-and-user-base

Thank you all for the replies.



Answered By - Bryan isthebest
Answer Checked By - Clifford M. (PHPFixing Volunteer)

Saturday, May 14, 2022

[FIXED] How to set sender name in mailutils while preserving the sender address

 May 14, 2022     email, postfix-mta, smtp, ubuntu     No comments   

Issue

I have set up mailutils in ubuntu 20.04, I can send an email using the command below

echo 'this is a body' | mail -s 'Test Email' -r noreply@domain.com myaddress@example.com

but the first problem with the above command is that it sends the mail with the name 'Ubuntu', which is my current user, only the sender name is not good in this case, the sender address is the one I specified. (Ubuntu <noreply@domain.com>).

Then in this second command when I try to send specifying the sender's name:

echo 'this is a body' | mail -s 'Test Email' -r 'SenderName <noreply@domain.net>' myaddress@example.com

In my email inbox it will show the following sender: Ubuntu <SenderName@mainmailserver-1-eu>

How can I change the sender name in mailutils while preserving the sender address?


Solution

The -r option sets the envelope sender. Probably try

mailx -s 'Test Email' -a 'From: SenderName <noreply@domain.net>' myaddress@example.com <<<"this is a body"

You may wish to also separately set the envelope sender, but this adds a proper From: header which controls what gets displayed more directly.

Some MUAs might still display something different if there is a separate Sender: header, which some systems automatically add when you override the default. If you need detailed control over these things, you will probably also need to separately configure your MTA (Postfix, Sendmail, what have you).



Answered By - tripleee
Answer Checked By - Terry (PHPFixing Volunteer)

Monday, January 3, 2022

[FIXED] Is anybody able to send mails to gmail through AWS LAMP server using postfix, sendmail

 January 03, 2022     amazon-web-services, lamp, php, postfix-mta, sendmail     No comments   

Issue

I am using the PHP mail function to send mails to Gmail and Yahoo accounts. I have an AWS LAMP instance, and I have installed postfix and sendmail. I went through many forums, an infinite number of forums, and am still not able to send mails. After too many changes I was able to see Message accepted for delivery, but after some time got the same message: stat=Deferred: Connection timed out with mta7.am0.yahoodns.net. stat=Deferred: Connection timed out with alt4.gmail-smtp-in.l.google.com.

I am just wondering whether anyone is able to send mails using the same scenario.


Solution

TLDR: Sending email is hard. Don't attempt final delivery yourself. Use AWS SES or another ESP.

As AWS is aware that spammers have, and will, try to send their mail from anywhere by any means, AWS explicitly prevents EC2 Instances from being able to send email without some effort. It is not in your best interest as a sender to attempt to send email directly, unless you understand very well the various mechanisms in place to securely send email, accurately identify yourself as a legitimate sender, and gain reputation on your EIP with ISPs. Primarily, AWS intends for you to use SES to send email outside your VPC.

  • How to use Sendmail with SES
  • How to request port 25 unblocked

I can't emphasize enough that businesses small and large choose to send their mail through a third party (an ESP, or Email Service Provider, like AWS SES) in order to resolve the many, many issues that will come up when attempting to do it all yourself. The various acronyms involved, all of which require their own research and understanding from various RFCs, include: SPF, DKIM, and DMARC; there is also the regular maintenance required in monitoring whether or not your IP is currently, or in the future, blacklisted by the various RBLs that monitor Spam Traps; and, of course, list hygiene, or scrubbing your list for bounces (not doing these is a guaranteed path to staying in the spam folder, even if you finally succeed in sending email out port 25). Let an ESP do some of this for you.



Answered By - Randy Wallace