Google Cloud KMS: plaintext size limitations to encrypt by asymmetric public key - google-cloud-kms

Hi Google Cloud KMS team, are there any Google Cloud KMS plaintext size limitations to encrypt by key type, for asymmetric and symmetric keys?
Because we would like to encrypt/decrypt the REST flow between the frontend (browser) and the backend (REST microservices), and would like to use an asymmetric approach (not hybrid):
generate frontend key-pair data-encryption public/private keys (using JavaScript libs); the data-encryption public key is not encrypted by the KEK
generate backend key-pair data-encryption public/private keys (using barricade with Google KMS); the data-encryption public key is not encrypted by the KEK
exchange data-encryption public keys between frontend and backend to be able to encrypt requests from frontend to backend and responses from backend to frontend
We would like to store the frontend-generated asymmetric public/private keys for the duration of a call session (in the browser); the backend asymmetric public/private keys will be generated by Google KMS.
So, are there any Google Cloud KMS plaintext size limitations to encrypt by key type for asymmetric keys?

In addition to a discussion of what the best protocol design for you is, to answer the specific question: the maximum payload size for RSA decryption is dependent on the key size and padding algorithm. All currently supported RSA encryption formats use OAEP, standardized in RFC 2437. You will see there that the message is:
an octet string of length at most k-2-2hLen, where k is the length in
octets of the modulus n and hLen is the length in octets of the hash
function output for EME-OAEP
So this leads to the following max lengths for m:
RSA_DECRYPT_OAEP_2048_SHA256: k = 256; hLen = 32; maxMLen = 190
RSA_DECRYPT_OAEP_3072_SHA256: k = 384; hLen = 32; maxMLen = 318
RSA_DECRYPT_OAEP_4096_SHA256: k = 512; hLen = 32; maxMLen = 446
RSA_DECRYPT_OAEP_4096_SHA512: k = 512; hLen = 64; maxMLen = 382
If you try to encrypt a message larger than this limit, your client side will fail as unable to encrypt, so there's no question as to what KMS will do with a message that is too long.
Here's my test to verify that Cloud KMS can decrypt a message to the full length for a 2048bit RSA key:
# create an rsa2048-256 encryption key
tdierks@cloudshell:~ (kms-test-1367)$ gcloud kms keyrings create --location global so-60686427
tdierks@cloudshell:~ (kms-test-1367)$ gcloud kms keys create rsa-2048-256 --keyring so-60686427 --location global --purpose asymmetric-encryption --default-algorithm rsa-decrypt-oaep-2048-sha256
tdierks@cloudshell:~ (kms-test-1367)$ gcloud kms keys versions list --key rsa-2048-256 --keyring so-60686427 --location global
NAME                                                                                                       STATE
projects/kms-test-1367/locations/global/keyRings/so-60686427/cryptoKeys/rsa-2048-256/cryptoKeyVersions/1  ENABLED
# get the public key
tdierks@cloudshell:~ (kms-test-1367)$ gcloud kms keys versions get-public-key 1 --key rsa-2048-256 --keyring so-60686427 --location global > /tmp/rsa-2048-256.pub
tdierks@cloudshell:~ (kms-test-1367)$ cat /tmp/rsa-2048-256.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyvN5iBbV7daXKocL0CuB
bM+gaPMEigS6N8Jl9g7AY7ocrvNDONBa5JZzJTuMkNqgq21PZ1CUBD76jJlUOBgY
Nmj+sMNKw1c+slx47fvyK2uVMcmEEAfCcnUt2fK86v7v8UddbH/BNK+SobarkOQC
1kM74qdhKSvFFz+F9kAzrby4VjCxfWsDYCeFhS9Jrkxl6l/Z2WANy34y9ztbgJdi
eSugA7b/VfrlsxYz7xu498UWDbVbOPKs7UGB14icK4SVoF0irk7dWxNvAQD21mJU
YPAFmJ/MTQ+v3l+uEOrdicb9FcM6WNmyTwkN6DYcuD7eJYVwwz1sU8Y631swbjlS
wQIDAQAB
-----END PUBLIC KEY-----
# test it by encrypting a test message and decrypting it
tdierks@cloudshell:~ (kms-test-1367)$ echo "squeamish ossifrage" | openssl pkeyutl -encrypt -pubin -inkey /tmp/rsa-2048-256.pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 > /tmp/rsa-2048-256.enc
tdierks@cloudshell:~ (kms-test-1367)$ gcloud kms asymmetric-decrypt --location global --keyring so-60686427 --key rsa-2048-256 --version 1 --ciphertext-file /tmp/rsa-2048-256.enc --plaintext-file /dev/stdout
squeamish ossifrage
# generate a 190 byte message, encrypt it, and decrypt it, verify by comparing md5sum
tdierks@cloudshell:~ (kms-test-1367)$ dd ibs=190 count=1 < /dev/urandom > /tmp/message-190
1+0 records in
0+1 records out
190 bytes copied, 0.0002066 s, 920 kB/s
tdierks@cloudshell:~ (kms-test-1367)$ ls -l /tmp/message-190
-rw-r--r-- 1 tdierks tdierks 190 Mar 15 14:54 /tmp/message-190
tdierks@cloudshell:~ (kms-test-1367)$ openssl pkeyutl -in /tmp/message-190 -encrypt -pubin -inkey /tmp/rsa-2048-256.pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 > /tmp/rsa-2048-256-m190.enc
tdierks@cloudshell:~ (kms-test-1367)$ gcloud kms asymmetric-decrypt --location global --keyring so-60686427 --key rsa-2048-256 --version 1 --ciphertext-file /tmp/rsa-2048-256-m190.enc --plaintext-file /dev/stdout | md5sum
4932e23fb11c094c1dd703ba34afc565 -
tdierks@cloudshell:~ (kms-test-1367)$ md5sum /tmp/message-190
4932e23fb11c094c1dd703ba34afc565 /tmp/message-190
# try again with 191 bytes
tdierks@cloudshell:~ (kms-test-1367)$ dd ibs=191 count=1 < /dev/urandom > /tmp/message-191
1+0 records in
0+1 records out
191 bytes copied, 7.2545e-05 s, 2.6 MB/s
tdierks@cloudshell:~ (kms-test-1367)$ ls -l /tmp/message-191
-rw-r--r-- 1 tdierks tdierks 191 Mar 15 14:59 /tmp/message-191
tdierks@cloudshell:~ (kms-test-1367)$ openssl pkeyutl -in /tmp/message-191 -encrypt -pubin -inkey /tmp/rsa-2048-256.pub -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 > /tmp/rsa-2048-256-m191.enc
Public Key operation error
140191432818944:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/home/tdierks/.rnd
140191432818944:error:0409A06E:rsa routines:RSA_padding_add_PKCS1_OAEP_mgf1:data too large for key size:../crypto/rsa/rsa_oaep.c:62:
As you can see, OpenSSL failed on encrypting a 191 byte input file.
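The boundary the answer tests through Cloud KMS, reproduced with OpenSSL alone as an added example (this is not code from the answer or from Google). The key pair is generated locally, so the private-key side that the answer performs with gcloud kms asymmetric-decrypt is done with openssl pkeyutl -decrypt here; the OAEP parameters (the same digest for the OAEP label hash and for MGF1) are the ones the RSA_DECRYPT_OAEP_* algorithms use. The demo argument, the scratch directory and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the answer above: reproduce the OAEP bound
# k - 2 - 2*hLen locally with OpenSSL only. The key pair is generated here,
# so the decrypt step that the answer runs through `gcloud kms
# asymmetric-decrypt` is done with the local private key instead.
set -u

WORK=$(mktemp -d)   # scratch directory (assumed; removed by the demo)

# Maximum OAEP message length in bytes (RFC 2437, EME-OAEP): k - 2 - 2*hLen,
# k = modulus length in octets, hLen = digest length in octets.
max_mlen() {
  echo $(( $1 / 8 - 2 - 2 * $2 ))
}

# Generate an RSA key pair of the given modulus size and export the public
# key, the equivalent of what `gcloud kms keys versions get-public-key` gives.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$1" \
    -out "$WORK/priv-$1.pem" 2>/dev/null &&
  openssl pkey -in "$WORK/priv-$1.pem" -pubout -out "$WORK/pub-$1.pem"
}

# oaep_roundtrip BITS HASH NBYTES: encrypt NBYTES random bytes with RSA-OAEP
# (same digest for label hash and MGF1, as Cloud KMS uses), decrypt with the
# private key and compare. Prints one of:
#   ok              round trip succeeded
#   encrypt-failed  OpenSSL refused the plaintext ("data too large for key size")
#   mismatch        decrypted bytes differ from the input (should never happen)
oaep_roundtrip() {
  bits=$1; hash=$2; nbytes=$3
  head -c "$nbytes" /dev/urandom > "$WORK/msg"
  if ! openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub-$bits.pem" \
         -in "$WORK/msg" -out "$WORK/msg.enc" \
         -pkeyopt rsa_padding_mode:oaep \
         -pkeyopt rsa_oaep_md:"$hash" -pkeyopt rsa_mgf1_md:"$hash" 2>/dev/null
  then
    echo encrypt-failed
    return 0
  fi
  openssl pkeyutl -decrypt -inkey "$WORK/priv-$bits.pem" \
    -in "$WORK/msg.enc" -out "$WORK/msg.dec" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:"$hash" -pkeyopt rsa_mgf1_md:"$hash" 2>/dev/null
  if cmp -s "$WORK/msg" "$WORK/msg.dec"; then echo ok; else echo mismatch; fi
}

# Demo: the bounds for the four Cloud KMS RSA-OAEP algorithms, then the
# 2048/SHA-256 boundary from the answer (190 bytes passes, 191 is refused).
if [ "${1:-}" = demo ]; then
  for alg in 2048:32 3072:32 4096:32 4096:64; do
    echo "RSA-OAEP ${alg%:*}-bit, hLen=${alg#*:}: max $(max_mlen "${alg%:*}" "${alg#*:}") bytes"
  done
  gen_key 2048
  echo "190 bytes: $(oaep_roundtrip 2048 sha256 190)"
  echo "191 bytes: $(oaep_roundtrip 2048 sha256 191)"
  rm -rf "$WORK"
fi
```

Run it as sh rsa-oaep-bound.sh demo (file name assumed). max_mlen gives the four bounds listed in the answer; oaep_roundtrip 2048 sha256 190 prints ok and the same call with 191 prints encrypt-failed, which is the "data too large for key size" error shown above. The bound is enforced by whoever encrypts, which is why the answer can say the client fails before KMS ever sees an over-long message. It is also why a REST body of arbitrary size cannot be protected with RSA-OAEP directly: above the bound the standard construction is hybrid, a fresh symmetric key per message wrapped with RSA-OAEP, which is the design the question wanted to avoid.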

Related

mariadb ERROR 2026 (HY000): SSL connection error: unsupported protocol

I have MariaDB 10.1 on Ubuntu 18.04 where I want to connect via SSL. In November it worked, but my self-made certificates ran out. So I created some new ones, but since then I get this error message when I try to connect (in python-mariadb the code looks similar, so I guess it's a MariaDB problem.)
ERROR 2026 (HY000): SSL connection error: unsupported protocol
When I connect via localhost from the server to the server, it works with an SSL connection.
I then tried another server, this time a Debian buster with MariaDB 10.3, and it behaves the same.
Sites I already visited but haven't brought me further:
https://github.com/PyMySQL/PyMySQL/issues/817
MariaDB SSL connection error: Unsupported record version Unknown-0.0
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssl-defaults
sudo openssl x509 -text -noout -in boba-server-cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ..., ST = ..., L = ..., O = ..., CN = CA B
        Validity
            Not Before: Dec 21 10:48:33 2020 GMT
            Not After : Dec 21 10:48:33 2021 GMT
        Subject: C = .., ST = ..., L = ..., O = ..., CN = [domain]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...

Encrypting Nagios report mails with GnuPG fails with empty mails, why?

I am trying to encrypt, using gpg2, the mails sent by Nagios3. For that, I have created this custom command in /etc/nagios3/commands.cfg:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto@titi.com | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
Some points:
The e-mail is sent but it is "empty":
Sep 19 14:35:25 tutu nagios3: Finished daemonizing... (New PID=4313)
Sep 19 14:36:15 tutu nagios3: SERVICE ALERT: tete_vm;HTTP;OK;HARD;4;HTTP OK: HTTP/1.1 200 OK - 347 bytes in 0.441 second response time
Sep 19 14:36:15 tutu nagios3: SERVICE NOTIFICATION: tata;tete_vm;HTTP;OK;notify-service-by-email;HTTP OK: HTTP/1.1 200 OK - 347 bytes in 0.441 second response time
The command:
/usr/bin/gpg2 --armor --encrypt --recipient toto@titi.com | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
works very well on command line
I have tested this command:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto@titi.com >> /tmp/toto.txt
The file /tmp/toto.txt is created but "empty".
So, it seems to be a problem using /usr/bin/gpg2 on this file, but I cannot find why!
The most common mistake when encrypting from within services using GnuPG is that the recipient's key was imported by another (system) user than the one the service is running under, for example imported by root, but the service runs as nagios.
GnuPG maintains per-user "GnuPG home directories" (usually ~/.gnupg) with per-user keyrings in them. If you imported as root, other service accounts don't know anything about the keys in there.
The first step for debugging the issue would be to redirect gpg's stderr to a file, so you can read the error message by adding 2>>/tmp/gpg-error.log to the GnuPG call:
/usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/gpg2 --armor --encrypt --recipient toto@titi.com 2>>/tmp/gpg-error.log | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
If the issue is something like "key not found" or similar, you've got two possibilities to resolve the issue:
Import to the service's user account. Switch to the service's user, and import the key again.
Hard-code the GnuPG home directory to somewhere else using the --homedir [directory] option, for example in a place you also store your Nagios plugins.
Be aware of using appropriate, restrictive permissions. GnuPG is very picky if other users than the owner are allowed to read the files!
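A wrapper that puts the three points above (a pinned --homedir, captured stderr, restrictive permissions) into the command Nagios calls, added here as an example rather than taken from the answer. The homedir /etc/nagios3/gnupg, the log path, the invocation with recipient, contact address and subject as arguments, and the helper names are assumptions of the example; it also refuses to hand an empty ciphertext to mail(1), which is exactly the symptom in the question.

```shell
#!/bin/sh
# Added example, not code from the answer: a wrapper around gpg2 for the
# Nagios notification command. It pins the keyring with --homedir, captures
# gpg's stderr, checks the file permissions GnuPG complains about, verifies
# the recipient key is present, and never passes an empty body to mail(1).
# Paths, the recipient and the invocation are assumptions for the example.

GPG="${GPG:-/usr/bin/gpg2}"
GNUPG_HOME="${GNUPG_HOME:-/etc/nagios3/gnupg}"   # assumed location
ERRLOG="${ERRLOG:-/tmp/gpg-error.log}"            # assumed location

# List every entry under the homedir that is group- or world-accessible
# (GnuPG warns about "unsafe permissions" unless the directory is 0700 and
# the files in it 0600). Prints the offending paths and returns 1 if any
# were found; returns 0 for a clean homedir.
check_gnupg_home_perms() {
  dir=$1
  [ -d "$dir" ] || { echo "missing homedir: $dir"; return 1; }
  bad=$(find "$dir" \( -type d ! -perm 700 \) -o \( -type f ! -perm 600 \))
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Return 0 if a public key for the recipient exists in the pinned homedir.
have_recipient_key() {
  "$GPG" --homedir "$GNUPG_HOME" --batch --list-keys -- "$1" \
    >/dev/null 2>>"$ERRLOG"
}

# Encrypt stdin to the recipient and print the armored ciphertext. If gpg
# produced nothing (key missing, wrong homedir, bad permissions) fail with a
# pointer to the log instead of producing the "empty mail" from the question.
encrypt_to() {
  out=$("$GPG" --homedir "$GNUPG_HOME" --batch --armor --encrypt \
          --recipient "$1" 2>>"$ERRLOG")
  [ -n "$out" ] || { echo "gpg produced no output, see $ERRLOG" >&2; return 1; }
  printf '%s\n' "$out"
}

# Invocation (assumed): message on stdin, then RECIPIENT CONTACT_EMAIL SUBJECT.
if [ $# -ge 3 ]; then
  check_gnupg_home_perms "$GNUPG_HOME" >&2 || exit 1
  have_recipient_key "$1" || { echo "no key for $1 in $GNUPG_HOME" >&2; exit 1; }
  encrypt_to "$1" | /usr/bin/mail -s "$3" "$2"
fi
```

commands.cfg then pipes the printf output into this script instead of straight into gpg2 (path assumed): ... | /usr/lib/nagios/plugins/nagios-gpg-mail.sh toto@titi.com "$CONTACTEMAIL$" "** $NOTIFICATIONTYPE$ Service Alert: ... **". The recipient key is imported once with gpg2 --homedir /etc/nagios3/gnupg --import while running as the nagios user, so the keyring lands in the directory the service actually reads and with the owner GnuPG expects.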

Using pki::pkcs::parse_key results in error

I am trying to use the Tcl package pki (pki::sign). The goal is to sign a SOAP message with an X509 certificate, using tclws.
Parsing the public key is OK:
pki::x509::parse_cert $publickey
However, parsing the private key does not work:
pki::pkcs::parse_key $privatekey
It results in the following error:
"Expected Sequence (0x30), but got 42"
The certificate was provided to me as a .p12 file.
I could get the public and private key with openssl with the following commands :
Public key :
openssl pkcs12 -in cert.p12 -clcerts -nokeys -out cert.pem
Private key :
openssl pkcs12 -in cert.p12 -nocerts -nodes -out key.pem

Send extra string netcat

I use tcpdump on OpenWrt to capture packets and send them to a Raspberry Pi with netcat.
The problem is that I want to use multiple routers to capture the requests and forward them to the Raspberry Pi.
tcpdump -i wlan0 -e -s 256 -l type mgt subtype probe-req |nc 192.168.0.230 22222
And I receive the packet info with a Python script:
import socket

HOST = 'localhost'  # use '' to expose to all networks
PORT = 12345


def incoming(host, port):
    """Open specified port and return file-like object"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # set SOL_SOCKET.SO_REUSEADDR=1 to reuse the socket if
    # needed later without waiting for timeout (after it is
    # closed, for example)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(0)  # do not queue connections
    request, addr = sock.accept()
    # text-mode file object over the connection; buffering=0 is only
    # allowed for binary mode on Python 3, so use the default buffering
    return request.makefile('r')


# /-- network ---
for line in incoming(HOST, PORT):
    print(line, end='')
output:
15:17:57 801928 3933710786us tsft 1.0 Mb/s 2412 Mhz 11b -38dB signal antanna 1 BSSID: broadcast SA:xxxx ....
desired output:
192.168.0.130 15:17:57 801928 3933710786us tsft 1.0 Mb/s 2412 Mhz 11b -38dB signal antanna 1 BSSID: broadcast SA:xxxx ....
But how can I add the IP address of the router to the command, so I can see which router received the packet?
Or how can I just send an extra string like "router1" to identify the router?
You can send an extra string to the router with the script below:
#! /bin/bash
# IPv4 address of wlan0, taken from the "inet addr:... Bcast:..." line of ifconfig
ip=$(ifconfig wlan0 | grep cast | awk -F: '{print $2}' | awk '{print $1}' )
tcpdump -i wlan0 -e -s 256 -l type mgt subtype probe-req |\
while IFS= read -r line; do
    echo "$ip" "$(date +%T)" "$line"
done | nc 192.168.0.230 22222
It will insert the IP address and a timestamp at the beginning of each line of tcpdump's output and pipe it to netcat.

postfix; pipe mail content to script for all mail of specific subdomain [closed]

I'm trying to get Postfix to accept the vacation.pl script, as supplied by the vacation plugin for Roundcube (I'm interested in calling scripts when receiving mail for specific domains / subdomains). So far everything seems to work out... except the script is not called ;)
Here is some data to get you started, then some more explanation:
postconf -n:
root@mail:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = localhost, localhost.localdomain, localhost, vacation.example.com
myhostname = example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth_dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/postfix/sslcert/mailserver.crt
smtpd_tls_key_file = /etc/postfix/sslcert/mailserver.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = dovecot
virtual_uid_maps = static:5000
transport file:
root@mail:/etc/postfix# cat transport
vacation.example.com vacation:
.vacation.example.com vacation:
main.cf:
root@mail:/etc/postfix# cat main.cf
myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# maximum size for emails (20MB)
message_size_limit = 20480000
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/postfix/sslcert/mailserver.crt
smtpd_tls_key_file=/etc/postfix/sslcert/mailserver.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost, localhost.localdomain, localhost, vacation.example.com
#mydestination = $myhostname, localhost.$mydomain, localhost, vacation.example.com
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# a bit more spam protection
disable_vrfy_command = yes
# Authentification
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth_dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
dovecot_destination_recipient_limit=1
# Virtual mailboxes
virtual_mailbox_base = /var/vmail/
virtual_transport = dovecot
#virtual_transport = virtual
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_limit = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
transport_maps=hash:/etc/postfix/transport
master.cf
root@mail:/etc/postfix# cat master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=amavis:[127.0.0.1]:10024
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavis:[127.0.0.1]:10024
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
vacation  unix  -       n       n       -       -       pipe
  flags=Rq user=vmail argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o transport_maps=hash:/etc/postfix/transport
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
# now what should fire the "vacation" script is the fact that there is a mysql table entry in:
mysql> select address,goto from alias where address='peter@example.com' and active=1;
+-------------------+---------------------------------------------------------------------------+
| address           | goto                                                                      |
+-------------------+---------------------------------------------------------------------------+
| peter@example.com | peter@example.com@vacation.example.com,peter@example.com,peter@foobar.org |
+-------------------+---------------------------------------------------------------------------+
So in theory whatever I send to peter@example.com gets saved into peter@example.com's mailbox, then gets forwarded to peter@example.com@vacation.example.com and to peter@example.com@vacation.example.com. The second, very strange email address in the database that is not really correct was not my idea but is the result of enabling vacation via the roundcubemail vacation.pl plugin.
So the problem is: when I send mail to peter@example.com, the forward to peter@foobar.org works, but something in the forward to the strange peter@example.com@vacation.example.com doesn't work, as the script that should be called with the mail piped into it when receiving mail for .vacation.example.com is never called.
I checked all SQL queries in the corresponding SQL files; they all seem to work out.
Hope you can help :)
It seems I solved the mystery problem. When I create an alias myself from test@example.com to test@vacation.example.com, the script gets called.
mail.log
Jul 12 15:20:55 mail postfix/pipe[14843]: 8854BB80B07: to=<test@vacation.example.com>, relay=vacation, delay=0.19, delays=0.07/0/0/0.12, dsn=2.0.0, status=sent (delivered via vacation service)
vacation.pl logfile:
2013/07/12 15:21:27 DEBUG> /var/spool/vacation/vacation.pl:550 main:: - Script argument SMTP recipient is : 'test@vacation.example.com' and smtp_sender : 'peter@example.org'
2013/07/12 15:21:27 DEBUG> /var/spool/vacation/vacation.pl:580 main:: - Converted autoreply mailbox back to normal style - from test@vacation.example.com to test
2013/07/12 15:21:27 DEBUG> /var/spool/vacation/vacation.pl:590 main:: - Email headers have to: 'test@example.com' and From: 'Peter <peter@example.org>'
2013/07/12 15:21:27 ERROR> /var/spool/vacation/vacation.pl:538 main::check_and_clean_from_address - Address is not valid; exiting
and dies for some reason I stopped caring about. The alias setup with the strange double @ renaming via aliases was all configured through the web interface of the Roundcube plugin, so as so many people liked the plugin I thought double @ would be OK and working for this small task. I was wondering about it myself, but well. Seems like double @ does not make sense ;) so the transport thing works out. I guess my problem in the first place was trusting the reviews of this specific Roundcube plugin: http://sourceforge.net/projects/rcubevacation/
I will move to sieve now... but I learned a lot about Postfix, and knowing how to pipe a mail to a script for a specific subdomain is nice-to-have knowledge ;)
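What the vacation service's pipe(8) entry actually hands to its argv, and how the target script should answer, as an added example (this is not the Roundcube vacation.pl and not code from the post). It is a small stand-in that can be put behind the same "vacation unix ... pipe" line; the autoreply domain, the spool directory, the X-Envelope-From header it records and the function names are assumptions. It performs the mapping step the vacation.pl log shows (test@vacation.example.com back to test), rejects the double-@ address the plugin wrote into the alias table, and uses the sysexits codes that pipe(8) turns into delivered, deferred or bounced.

```shell
#!/bin/sh
# Added example, not the roundcube vacation.pl nor code from the post: a
# minimal target for a Postfix pipe(8) transport entry such as
#   vacation unix - n n - - pipe
#     flags=Rq user=vmail argv=/path/handler.sh -f ${sender} -- ${recipient}
# The message arrives on stdin. pipe(8) maps the exit status onto the
# delivery outcome via sysexits(3): 0 delivered, EX_TEMPFAIL (75) deferred
# and retried, EX_NOUSER (67) and other codes bounced. The autoreply domain
# and spool directory below are assumptions for the example.
set -u

EX_NOUSER=67
EX_TEMPFAIL=75
AUTOREPLY_DOMAIN="${AUTOREPLY_DOMAIN:-vacation.example.com}"   # assumed

# Map an autoreply address back to the mailbox it belongs to, the step the
# vacation.pl log calls "Converted autoreply mailbox back to normal style":
# test@vacation.example.com -> test. Prints the mailbox name, or prints
# nothing and returns 1 for anything else, including the double-@ form the
# plugin put in the alias table (peter@example.com@vacation.example.com).
mailbox_from_autoreply_address() {
  case $1 in
    *@*@*)                 return 1 ;;   # two '@': not a valid address
    *@"$AUTOREPLY_DOMAIN") ;;
    *)                     return 1 ;;
  esac
  local_part=${1%@*}
  # Only plain mailbox names: no empty name, no leading dot, no path or
  # shell metacharacters, because the name becomes a directory under the spool.
  case $local_part in
    ''|.*|*[!A-Za-z0-9._+-]*) return 1 ;;
  esac
  printf '%s\n' "$local_part"
}

# deliver -f SENDER -- RECIPIENT : store the message for the recipient's
# mailbox under $VACATION_SPOOL and return a pipe(8)-meaningful status.
deliver() {
  sender=; recipient=
  while [ $# -gt 0 ]; do
    case $1 in
      -f) [ $# -ge 2 ] || return "$EX_TEMPFAIL"; sender=$2; shift 2 ;;
      --) [ $# -ge 2 ] || return "$EX_TEMPFAIL"; recipient=$2; shift 2 ;;
      *)  echo "unexpected argument: $1" >&2; return "$EX_TEMPFAIL" ;;
    esac
  done
  mailbox=$(mailbox_from_autoreply_address "$recipient") || {
    echo "cannot map $recipient to a mailbox" >&2
    return "$EX_NOUSER"
  }
  # Null envelope sender means a bounce: accept it but never autoreply to it.
  [ -n "$sender" ] || return 0
  spool=${VACATION_SPOOL:-/var/spool/vacation/incoming}   # assumed path
  mkdir -p "$spool/$mailbox" || return "$EX_TEMPFAIL"
  # Any I/O failure is temporary: Postfix should keep the message queued and
  # retry rather than bounce it to the sender.
  tmp=$(mktemp "$spool/$mailbox/msg.XXXXXX") || return "$EX_TEMPFAIL"
  { printf 'X-Envelope-From: %s\n' "$sender"; cat; } > "$tmp" || return "$EX_TEMPFAIL"
  return 0
}

if [ $# -gt 0 ]; then
  deliver "$@"
fi
```

Because the entry uses flags=Rq, Postfix quotes whitespace and other special characters in ${sender} and ${recipient} before they reach argv, but the script still validates the mailbox name itself before using it as a path. Postfix logs the outcome on the pipe line exactly as in the mail.log excerpt above: status=sent for exit 0, status=deferred for 75, status=bounced for 67.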