[Valvula] Help with setup...

Francis Brosnan Blázquez francis.brosnan en aspl.es
Tue Jun 13 09:16:37 CEST 2017


Hi Jim,


> Okay I have made some progress. I added -q to the # valvulad
> -l jim en datamantic.com -o -d command and saw this error:
> 
> 
> 
> I: __valvulad_run_request_common_object: no SQL query for (DOMAIN  --
> local domain detection will not work -- rules depending on this will
> not work), returning false
> I: __valvulad_run_request_common_object: no SQL query for (ACCOUNT --
> local account detection will not work -- rules depending on this will
> not work), returning false
> I: __valvulad_run_request_common_object: no SQL query for (ALIAS --
> local alias detection will not work -- rules depending on this will
> not work), returning false
> 
> 
> which made me remember seeing that in both 
> 
> 
> /etc/postfix/mysql_virtual_alias_maps.cf
> 
> /etc/postfix/mysql_virtual_domains_maps.cf
> 
> 
> there was a ‘query =‘ line which had been commented out. I uncommented
> and then
> 
> 
> #valvulad -l jim en datamantic.com -o -q -d
> 
> 
> [snip]
> I: __valvulad_run_request_common_object: running query (non-query=1):
> SELECT domain FROM domain WHERE domain='jim en datamantic.com' AND
> backupmx = '0' AND active = '1'
> I: __valvulad_run_request_common_object: no SQL query for (ACCOUNT --
> local account detection will not work -- rules depending on this will
> not work), returning false
> I: __valvulad_run_request_common_object: running query (non-query=1):
> SELECT goto FROM alias WHERE address='jim en datamantic.com' AND active =
> '1'
> INFO: jim en datamantic.com is a local address
> 
> 
> Seems like success! It recognizes my local address. 


Good,


> But why the middle line in the previous result above:
> 
> 
> I: __valvulad_run_request_common_object: no SQL query for (ACCOUNT --
> local account detection will not work -- rules depending on this will
> not work), returning false
> 
> 
> Is this a problem? I was thinking it might be so after some googling I
> added:
> 
> 
> query = select concat(domain,' ',maildir) from mailbox
> where username='%s' and active='1';
> 
> 
> to /etc/postfix/mysql_virtual_mailbox_maps.cf and then
> 
> 
> valvulad -l jim en datamantic.com -o -q -d
> [snip]
> I: __valvulad_run_request_common_object: running query (non-query=1):
> SELECT domain FROM domain WHERE domain='jim en datamantic.com' AND
> backupmx = '0' AND active = '1'
> I: __valvulad_run_request_common_object: running query (non-query=1):
> select concat(domain,' ',maildir) from mailbox
> where username='jim en datamantic.com' and active='1';
> INFO: jim en datamantic.com is a local address
> 
> 
> So this looks good. It is recognizing my local address with no errors.

Ok,

These two "warnings" are caused because you are/were using the old
postfix mysql interface based on select_field, where_field, etc., which
was not supported by valvulad.

With the latest 337 this is now supported and should be now working.
This also might intertwine with the lack of support for variables
valvula had (which is also supported). 

Please, check if latest valvula revision solves these warnings.

> But how do I test that it is working? 


Ok, once you run valvulad -l and it recognizes your accounts, then it
should be working.


> I made a php script to send email (using PHP mail()) and set the From:
> header to a username and domain that do not exist on my system and the
> mail went through. Shouldn’t this have been stopped? 


:-) Ok, you are using the mail() php function, which uses the postfix submit
interface, which, for design reasons by postfix's authors, does not call
the policy daemon you have configured (in this case valvula).

This is the pickup service. You send a mail() and it gets into the
maildrop/ directory and then the pickup service puts it into active without
making any indication to the policy daemon.

If you want to restrict/control this, you'll have to use
authorized_submit_users to limit this maildrop/ injection and force
any web application to use the standard localhost:25/tcp port to send any
mail.


> Or is PHP somehow bypassing postfix (by writing directly to the queue
> or something like that?) 


Not bypassing but using postfix's maildrop/ mechanism based on the mail
command (used by the mail() php function). It's perfectly normal.


> Or maybe it’s not rejected because it’s coming from localhost which is
> trusted? If my PHP test isn’t useful how could I test?

The comment "coming from" only applies if you tcp-connect to postfix.
If you use mail() function, there is no "coming from" and no policy
daemon.

> I tried using telnet to port 25 and then request:
> 
> 
> AUTH LOGIN
> 
> 
> so I could log in validly, but then craft an email with invalid FROM:
> info and see if that goes through but it won’t let me log in,
> replying:
> 
> 
> 535 5.7.8 Error: authentication failed: Invalid
> authentication mechanism
> 
> 
> I understand this last part is really beyond the scope of what is
> reasonable for you to help me with, but maybe you have a quick idea….

Ok, you'll have to telnet using authentication to really test this way:
https://www.ndchost.com/wiki/mail/test-smtp-auth-telnet

Best Regards,


> Thank you for all your help.
> 
> 
> 
> 
> > On Jun 12, 2017, at 9:13 AM, Jim Bassett <jim en datamantic.com> wrote:
> > 
> > 
> > 
> > Hi Francis.
> > 
> > 
> > 
> > I changed my /etc/postfix/main.cf to remove the use of the
> > $config_directory variable. That solved the issue we were seeing
> > where valvula couldn’t open the mysql_virtual_ mapping files. But
> > I’m still getting the same result:
> > 
> > 
> > # valvulad -l jim en datamantic.com -o -d
> > I: file /etc/valvula/valvula.conf loaded, ok
> > I: server configuration is valid..
> > I: Loading local domains configuration..
> > I: Working with postfix
> > declaration: proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> > (from /etc/postfix/main.cf)
> > I: Found postfix mysql configuration,
> > opening: /etc/postfix/mysql_virtual_alias_maps.cf..
> > I: Declaration found: (virtual_alias_maps) [user] -> [postfix]
> > I: Declaration found: (virtual_alias_maps) [password] -> [xxxxx]
> > I: Declaration found: (virtual_alias_maps) [hosts] -> [localhost]
> > I: Declaration found: (virtual_alias_maps) [dbname] -> [mail]
> > I: Declaration found: (virtual_alias_maps) [table] -> [alias]
> > I: Declaration found: (virtual_alias_maps) [select_field] -> [goto]
> > I: Declaration found: (virtual_alias_maps) [where_field]
> > -> [address]
> > I: Declaration found: (virtual_alias_maps)
> > [additional_conditions] -> [and active = '1']
> > I: Working with postfix
> > declaration: proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> > (from /etc/postfix/main.cf)
> > I: Found postfix mysql configuration,
> > opening: /etc/postfix/mysql_virtual_domains_maps.cf..
> > I: Declaration found: (virtual_mailbox_domains) [user] -> [postfix]
> > I: Declaration found: (virtual_mailbox_domains) [password]
> > -> [xxxxx]
> > I: Declaration found: (virtual_mailbox_domains) [hosts]
> > -> [localhost]
> > I: Declaration found: (virtual_mailbox_domains) [dbname] -> [mail]
> > I: Declaration found: (virtual_mailbox_domains) [table] -> [domain]
> > I: Declaration found: (virtual_mailbox_domains) [select_field]
> > -> [domain]
> > I: Declaration found: (virtual_mailbox_domains) [where_field]
> > -> [domain]
> > I: Declaration found:
> > (virtual_mailbox_domains) [additional_conditions] -> [and backupmx =
> > '0' and active = '1']
> > I: Working with postfix
> > declaration: proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> > (from /etc/postfix/main.cf)
> > I: Found postfix mysql configuration,
> > opening: /etc/postfix/mysql_virtual_mailbox_maps.cf..
> > I: Declaration found: (virtual_mailbox_maps) [user] -> [postfix]
> > I: Declaration found: (virtual_mailbox_maps) [password] -> [xxxxx]
> > I: Declaration found: (virtual_mailbox_maps) [hosts] -> [localhost]
> > I: Declaration found: (virtual_mailbox_maps) [dbname] -> [mail]
> > I: Declaration found: (virtual_mailbox_maps) [table] -> [mailbox]
> > I: Declaration found: (virtual_mailbox_maps) [select_field]
> > -> [CONCAT(domain,'/',maildir)]
> > I: Declaration found: (virtual_mailbox_maps) [where_field]
> > -> [username]
> > I: Registering localhost..
> > I: Registering oak.datamantic.com..
> > ERROR: jim en datamantic.com is not a local domain nor a local address
> > 
> > 
> > 
> > 
> > > On Jun 12, 2017, at 5:06 AM, Francis Brosnan Blázquez
> > > <francis.brosnan en aspl.es> wrote:
> > > 
> > > 
> > > 
> > > Hi Jim,
> > > 
> > > I've added support to allow handling variables while parsing
> > > postfix
> > > configuration files. This way, valvula now should be able to
> > > support
> > > your case.
> > > 
> > > If you are installing with packages, try to update with packages
> > > already published. If you are compiling sources, get latest
> > > revision
> > > from https://github.com/asples/valvula
> > > 
> > > 
> > > After installing, you should see version:
> > > 
> > > >> valvulad --version
> > > 1.0.8.b330
> > > 
> > > ...and after that, it should detect your account with:
> > > 
> > > >> valvulad -l jim en datamantic.com
> > > 
> > > Please, let me know your results,
> > > Best Regards,
> > > 
> > > 
> > > On Sun, 11-06-2017 at 13:09 -0400, Jim Bassett wrote:
> > > 
> > > > Hi Francis. Thanks again! You are very nice to help me (and on a
> > > > Sunday!)
> > > > 
> > > > 
> > > > > On Jun 11, 2017, at 12:28 PM, Francis Brosnan Blázquez
> > > > > <francis.brosnan en aspl.es> wrote: 
> > > > > 
> > > > > Could you describe your mysql postfix setup? It should be easy
> > > > > to show
> > > > > it by running:
> > > > > 
> > > > > >> grep mysql /etc/postfix/main.cf
> > > > > 
> > > > > ...and then running "cat " over some of the
> > > > > mysql:your-file-to-map-mail-accounts, something like:
> > > > > 
> > > > > >> cat  /etc/postfix/mysql-aliases.cf
> > > > > 
> > > > > I need to see how your mysql configuration maps your accounts
> > > > > (remove
> > > > > or XXXX's users, passwords an database, but leave variables
> > > > > and mysql
> > > > > query).
> > > > > 
> > > > > With this information I can see what's going on (I think).
> > > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > #grep mysql /etc/postfix/main.cf
> > > > virtual_alias_maps = proxy:mysql:
> > > > $config_directory/mysql_virtual_alias_maps.cf
> > > > virtual_mailbox_domains = proxy:mysql:
> > > > $config_directory/mysql_virtual_domains_maps.cf
> > > > virtual_mailbox_maps = proxy:mysql:
> > > > $config_directory/mysql_virtual_mailbox_maps.cf
> > > > 
> > > > # cat /etc/postfix/mysql_virtual_alias_maps.cf
> > > > user = xxxxx
> > > > password = xxxxx
> > > > hosts = localhost
> > > > dbname = xxxxx
> > > > table = alias
> > > > select_field = goto
> > > > where_field = address
> > > > additional_conditions = and active = '1'
> > > > #query = SELECT goto FROM alias WHERE address='%s' AND active =
> > > > '1'
> > > > 
> > > > 
> > > > 
> > > > 
> > > > # cat /etc/postfix/mysql_virtual_domains_maps.cf
> > > > user = xxxxx
> > > > password = xxxxx
> > > > hosts = localhost
> > > > dbname = xxxxx
> > > > table = domain
> > > > select_field = domain
> > > > where_field = domain
> > > > additional_conditions = and backupmx = '0' and active = '1'
> > > > #query = SELECT domain FROM domain WHERE domain='%s' AND
> > > > backupmx = '0' AND active = '1'
> > > > 
> > > > 
> > > > # cat /etc/postfix/mysql_virtual_mailbox_maps.cf
> > > > user = xxxxx
> > > > password = xxxxx
> > > > hosts = localhost
> > > > dbname = xxxxx
> > > > table = mailbox
> > > > select_field = CONCAT(domain,'/',maildir)
> > > > where_field = username
> > > > 
> > > > 
> > > > 
> > > > 
> > > > # valvulad -l jim en datamantic.com -o -d
> > > > I: file /etc/valvula/valvula.conf loaded, ok
> > > > I: server configuration is valid..
> > > > I: Loading local domains configuration..
> > > > I: Working with postfix declaration: proxy:mysql:
> > > > $config_directory/mysql_virtual_alias_maps.cf
> > > > (from /etc/postfix/main.cf)
> > > > I: Found postfix mysql configuration,
> > > > opening: $config_directory/mysql_virtual_alias_maps.cf..
> > > > E: Unable to open
> > > > file $config_directory/mysql_virtual_alias_maps.cf, errno=2
> > > > I: Working with postfix declaration: proxy:mysql:
> > > > $config_directory/mysql_virtual_domains_maps.cf
> > > > (from /etc/postfix/main.cf)
> > > > I: Found postfix mysql configuration,
> > > > opening: $config_directory/mysql_virtual_domains_maps.cf..
> > > > E: Unable to open
> > > > file $config_directory/mysql_virtual_domains_maps.cf, errno=2
> > > > I: Working with postfix declaration: proxy:mysql:
> > > > $config_directory/mysql_virtual_mailbox_maps.cf
> > > > (from /etc/postfix/main.cf)
> > > > I: Found postfix mysql configuration,
> > > > opening: $config_directory/mysql_virtual_mailbox_maps.cf..
> > > > E: Unable to open
> > > > file $config_directory/mysql_virtual_mailbox_maps.cf, errno=2
> > > > I: Registering localhost..
> > > > I: Registering oak.datamantic.com..
> > > > ERROR: jim en datamantic.com is not a local domain nor a local
> > > > address
> > > > 
> > > > 
> > > > 
> > > > 
> > > > $config_directory is defined near the top
> > > > of /etc/postfix/main.cf as 
> > > > 
> > > > 
> > > > $config_directory = /etc/postfix 
> > > > 
> > > > 
> > > > but it looks like valvula is literally trying to open files
> > > > like 
> > > > 
> > > > 
> > > > $config_directory/mysql_virtual_alias_maps.cf.  
> > > > 
> > > > 
> > > > instead of expanding $config_directory into /etc/postfix? Maybe
> > > > that is the problem?
> > > > 
> > > > 
> > > 
> > > 
> > > -- 
> > > Francis Brosnan Blázquez  -  ASPL
> > > http://www.asplhosting.com/
> > > http://www.aspl.es/
> > > https://twitter.com/aspl_es
> > > https://twitter.com/asplhosting
> > > https://twitter.com/francisbrosnanb
> > > https://es.linkedin.com/in/francis-brosnan-blázquez-1353a218
> > > 
> > > 91 134 14 22 - 91 134 14 45 - 91 116 07 57
> > > Av. Juan Carlos I 13, 2ºC, Torre Garena
> > > 28806 - Alcalá de Henares (España)
> > > 
> > > LEGAL NOTICE
> > > 
> > > Pursuant to Organic Law 15/1999 of 13 December on the Protection of
> > > Personal Data, we inform you that your personal data, collected from
> > > publicly accessible sources or previously provided by you, come from
> > > databases owned by Advanced Software Production Line, S.L.
> > > (ASPL).
> > > 
> > > ASPL guarantees that the data will be processed for the purpose of
> > > maintaining the appropriate commercial or promotional relations with you
> > > or the entity you represent. However, you may exercise your rights of
> > > access, rectification, cancellation and opposition provided for in
> > > the aforementioned Organic Law by notifying ASPL in writing at ASPL -
> > > Protección Datos, Av. Juan Carlos I 13, 2ºC, Alcalá de Henares
> > > (Madrid).
> > 
> > 
> > 
> > 
> > 
> 
> 
> 

-- 
Francis Brosnan Blázquez  -  ASPL
http://www.asplhosting.com/
http://www.aspl.es/
https://twitter.com/aspl_es
https://twitter.com/asplhosting
https://twitter.com/francisbrosnanb
https://es.linkedin.com/in/francis-brosnan-blázquez-1353a218

91 134 14 22 - 91 134 14 45 - 91 116 07 57
Av. Juan Carlos I 13, 2ºC, Torre Garena
28806 - Alcalá de Henares (España)
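
The reply above explains that mail() submissions enter through maildrop/ and the pickup service without the policy daemon being consulted. The following is an added example, not part of the original message or of valvula: it reads Postfix log lines to show which uids inject mail that way, which is the information needed before setting authorized_submit_users. The log lines are constructed, and the function names and the allowed-uid set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix mail.log lines (not taken from the thread).
LOG = """\
Jun 13 09:20:01 oak postfix/pickup[2211]: 4A1C02E0F3: uid=33 from=<www-data>
Jun 13 09:20:01 oak postfix/cleanup[2215]: 4A1C02E0F3: message-id=<a1@oak.example.com>
Jun 13 09:20:02 oak postfix/pickup[2211]: 5C9E11A7B2: uid=33 from=<nobody@invalid.example>
Jun 13 09:21:40 oak postfix/smtpd[2301]: 7B2D13F104: client=localhost[127.0.0.1]
Jun 13 09:25:10 oak postfix/pickup[2211]: 9D0F27C6A8: uid=0 from=<root>
"""

# pickup logs the submitting uid; smtpd logs the connecting client instead.
ENTRY = re.compile(
    r"postfix/(?P<svc>pickup|smtpd)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"(?:uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>|client=(?P<client>\S+))"
)

def entry_points(log):
    """Return {queue_id: (service, detail)} from each message's first log line."""
    seen = {}
    for line in log.splitlines():
        m = ENTRY.search(line)
        if m and m["qid"] not in seen:
            detail = (int(m["uid"]), m["sender"]) if m["svc"] == "pickup" else m["client"]
            seen[m["qid"]] = (m["svc"], detail)
    return seen

def maildrop_by_uid(log):
    """Group maildrop/pickup submissions, which skip the policy daemon, by uid."""
    by_uid = defaultdict(list)
    for qid, (svc, detail) in entry_points(log).items():
        if svc == "pickup":
            uid, sender = detail
            by_uid[uid].append((qid, sender))
    return dict(by_uid)

def unexpected_submitters(log, allowed_uids):
    """uids seen injecting mail that are outside the set you intend to authorize."""
    return sorted(set(maildrop_by_uid(log)) - set(allowed_uids))

if __name__ == "__main__":
    for uid, msgs in maildrop_by_uid(LOG).items():
        print(f"uid={uid}: {len(msgs)} message(s) via pickup: {msgs}")
    print("not in allow-list:", unexpected_submitters(LOG, allowed_uids={0}))
```

The sender logged by pickup is the envelope sender, not the From: header set by the PHP script.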

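
The two parsing problems in this thread were the unexpanded $config_directory reference and map files that use select_field/where_field instead of a query line. The following is an added example, not valvula's code: it expands main.cf variables and derives the query a legacy map file describes, using the template Postfix documents for its obsolete MySQL query interface. The sample file contents are constructed from the files quoted above, and all function names are assumptions.

```python
import re

# Constructed input modelled on the files quoted in this thread.
MAIN_CF = """\
config_directory = /etc/postfix
virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
"""
ALIAS_CF = """\
user = xxxxx
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
"""

VAR = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")  # $name, ${name}, $(name)

def parse_cf(text):
    """Parse 'name = value' lines; '#' lines are comments, indented lines continue."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def expand(value, params, depth=10):
    """Substitute parameter references; unknown names and cycles are left as-is."""
    def repl(m):
        name = m.group(1) or m.group(2) or m.group(3)
        if name not in params or depth == 0:
            return m.group(0)
        return expand(params[name], params, depth - 1)
    return VAR.sub(repl, value)

def map_path(main_cf, param):
    """File path behind a 'proxy:mysql:/path' declaration, variables expanded."""
    params = parse_cf(main_cf)
    return expand(params[param], params).rsplit(":", 1)[1].strip()

def effective_query(map_cf):
    """Explicit 'query' if set, otherwise the query the legacy fields describe."""
    p = parse_cf(map_cf)
    if "query" in p:
        return p["query"]
    base = "SELECT {select_field} FROM {table} WHERE {where_field} = '%s'".format(**p)
    return (base + " " + p.get("additional_conditions", "")).strip()
```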