Re: Mail forwarding through a relay

2019-09-12 Thread John Regan
Hi,

On Thu, Sep 12, 2019 at 3:14 AM Chris Wedgwood  wrote:

> > I have a postfix-3.2.6 system that acts as a mail server and
> > pop/imap using dovecot for a small domain. The problem is that
> > people are increasingly using it as a relay to a personal account,
> > such as Gmail and Yahoo.
>
> perhaps i misunderstand
>
> they are sending email from gmail/yahoo addresses from your MTA?  if
> so those will get blocked in many cases and marked as spam in many
> others
>

No, the issue is with people sending them email to their address on our
system which is then forwarded on to some remote system - a digitalwest
system in my example, but I'm also concerned with other systems, including
gmail and yahoo, of course.

Do mail providers like digitalwest typically allow forwarding from their
accounts through to other providers? With no easy solution, what do most
providers do?

Is SRS in practical use? Is the general recommendation that it should be
implemented in situations like this, or is disabling forwarding more
common? Is the policy of most systems to reject on SPF fail?

Thanks so much for everyone's help.


Re: Mail forwarding through a relay

2019-09-12 Thread Chris Wedgwood
> but note in the DMARC record that you quote: ' p=none': Gmail is
> telling other servers *not* to block (or quarantine) emails from
> @gmail.com that do not obey SPF or DKIM rules. Yahoo by contrast:
>
> # dig +short _dmarc.yahoo.com TXT
> "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_...@yahoo.com;;

IME some sites will still block or quarantine.


Re: Mail forwarding through a relay

2019-09-12 Thread Matus UHLAR - fantomas

use SRS when forwarding mail. look for postsrsd or postforward --
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?


On 12.09.19 11:14, Christos Chatzaras wrote:

Using SRS will cause reputation issues (if spam pass) as the e-mail is
forwarded with his domain, right?


he can disable forwarding to avoid any issues...

or install spam filter that won't allow spam being forwarded.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Mail forwarding through a relay

2019-09-12 Thread Christos Chatzaras



> 
> use SRS when forwarding mail. look for postsrsd or postforward -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?

Using SRS will cause reputation issues (if spam pass) as the e-mail is 
forwarded with his domain, right?

Re: Mail forwarding through a relay

2019-09-12 Thread Matus UHLAR - fantomas

On 11.09.19 22:12, John Regan wrote:

I have a postfix-3.2.6 system that acts as a mail server and pop/imap using
dovecot for a small domain. The problem is that people are increasingly
using it as a relay to a personal account, such as Gmail and Yahoo.


do you mean, they use gmail and yahoo From: addresses, while sending through
your server? Or do they simply forward their incoming mail to their
gmail/yahoo addresses?


This is resulting in the receiving system rejecting the message due to SPF
failing.

Sep 11 22:03:06 email postfix/smtp[1187]: 33AA3962A9648: to=<
u...@example.com>, orig_to=,
relay=mx0.digitalwest.net[72.29.183.105]:25,
delay=2.7, delays=0.05/0/1.5/1.1, dsn=5.0.0, status=bounced (host
mx0.digitalwest.net[72.29.183.105] said: 550-[SPF] 44.104.18.100 is not
allowed to send mail from mchat.booking.com. 550-Message blocked - Please
check settings. See 550
http://support.digitalwest.net/KB/a163/550-spf-not-allowed-to-send-mail.aspx
(in reply to RCPT TO command))

Is my only option here to do something like SRS or can this be fixed
another way?


use SRS when forwarding mail. look for postsrsd or postforward 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
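
Added example (not from the thread, and not postsrsd's own code): a simplified Python model of the SRS0 rewrite recommended above. It shows why the SPF check in the quoted bounce fails for a plain forward and passes once the envelope sender carries the forwarder's domain. The secret, the domains forwarder.example and shop.example, the SPF table and the 21-day window are assumptions; only the sending IP comes from the log line.

```python
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET = b"constructed-demo-secret"   # assumption: the forwarder's private SRS key
FORWARDER = "forwarder.example"       # assumption: the forwarding server's domain
FORWARDER_IP = "44.104.18.100"        # sending IP shown in the bounce in the thread
MAX_AGE_DAYS = 21                     # assumption: how long a bounce may take to return

# Constructed stand-in for published SPF records: domain -> IPs allowed to send.
SPF = {"shop.example": {"192.0.2.10"}, FORWARDER: {FORWARDER_IP}}


def spf_pass(envelope_from, client_ip):
    """SPF is evaluated on the envelope sender's domain, not on the From: header."""
    domain = envelope_from.rpartition("@")[2].lower()
    return client_ip in SPF.get(domain, set())


def _stamp(day):
    """Two base32 characters holding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _tag(ts, domain, local):
    """Short keyed hash binding timestamp, original domain and local part."""
    mac = hmac.new(SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]


def srs_forward(sender, day):
    """Rewrite user@origin to SRS0=hash=ts=origin=user@forwarder."""
    local, _, domain = sender.rpartition("@")
    ts = _stamp(day)
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"


def srs_reverse(address, day):
    """Recover the original sender for a returning bounce, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    fields = local.split("=", 4)
    if domain.lower() != FORWARDER or len(fields) != 5 or fields[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address for this forwarder")
    _, tag, ts, orig_domain, orig_local = fields
    ts = ts.upper()
    if len(ts) != 2 or any(c not in B32 for c in ts):
        raise ValueError("malformed timestamp")
    expected = _tag(ts, orig_domain, orig_local)
    # Compared case-insensitively because mail systems may fold the local part.
    if not hmac.compare_digest(tag.lower().encode(), expected.lower().encode()):
        raise ValueError("hash mismatch: address was not issued by this forwarder")
    age = (day - ((B32.index(ts[0]) << 5) | B32.index(ts[1]))) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    day = 18150                         # 2019-09-11 as days since the epoch
    sender = "noreply@shop.example"     # constructed original envelope sender
    print("plain forward, SPF pass:", spf_pass(sender, FORWARDER_IP))
    rewritten = srs_forward(sender, day)
    print("rewritten sender:", rewritten)
    print("SRS forward, SPF pass:", spf_pass(rewritten, FORWARDER_IP))
    print("bounce goes back to:", srs_reverse(rewritten, day + 2))
```

The keyed hash is what keeps the rewritten address from turning the forwarder into an open bounce relay: an address whose embedded domain or local part has been altered fails srs_reverse.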


Re: Mail forwarding through a relay

2019-09-12 Thread Dominic Raferd
On Thu, 12 Sep 2019 at 10:24, Chris Wedgwood  wrote:
>
> > I have a postfix-3.2.6 system that acts as a mail server and
> > pop/imap using dovecot for a small domain. The problem is that
> > people are increasingly using it as a relay to a personal account,
> > such as Gmail and Yahoo.
>
> perhaps i misunderstand
>
> they are sending email from gmail/yahoo addresses from your MTA?  if
> so those will get blocked in many cases and marked as spam in many
> others
>
>
> for example with gmail:
>
>   _dmarc.gmail.com.   596 IN  TXT "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com;
>
>   gmail.com.  205 IN  TXT "v=spf1 redirect=_spf.google.com"
>
>   _spf.google.com.  176 IN  TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
>
> ...
>
> your MTA is not going to be included in any of those records, so your
> MTA isn't a valid origin for @gmail.com and you're not going to be able to
> sign messages with a valid (dkim)
> signature either. this is how spf/dmarc works


but note in the DMARC record that you quote: ' p=none': Gmail is
telling other servers *not* to block (or quarantine) emails from
@gmail.com that do not obey SPF or DKIM rules. Yahoo by contrast:

# dig +short _dmarc.yahoo.com TXT
"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_...@yahoo.com;;


Re: Mail forwarding through a relay

2019-09-12 Thread Chris Wedgwood
> I have a postfix-3.2.6 system that acts as a mail server and
> pop/imap using dovecot for a small domain. The problem is that
> people are increasingly using it as a relay to a personal account,
> such as Gmail and Yahoo.

perhaps i misunderstand

they are sending email from gmail/yahoo addresses from your MTA?  if
so those will get blocked in many cases and marked as spam in many
others


for example with gmail:

  _dmarc.gmail.com.   596 IN  TXT "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com;

  gmail.com.  205 IN  TXT "v=spf1 redirect=_spf.google.com"

  _spf.google.com.  176 IN  TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

...

your MTA is not going to be included in any of those records, so your
MTA isn't a valid origin for @gmail.com

and you're not going to be able to sign messages with a valid (dkim)
signature either


this is how spf/dmarc works

there is in some sense nothing to fix, if you want to send as
some@gmail.com you have to do it through a gmail smtp relay (which
they provide)


Re: Mail forwarding through a relay

2019-09-11 Thread Dominic Raferd
On Thu, 12 Sep 2019 at 05:14, John Regan  wrote:

> Hi,
>
> I have a postfix-3.2.6 system that acts as a mail server and pop/imap
> using dovecot for a small domain. The problem is that people are
> increasingly using it as a relay to a personal account, such as Gmail and
> Yahoo.
>
> This is resulting in the receiving system rejecting the message due to SPF
> failing.
>
> Sep 11 22:03:06 email postfix/smtp[1187]: 33AA3962A9648: to=<
> u...@example.com>, orig_to=, relay=
> mx0.digitalwest.net[72.29.183.105]:25, delay=2.7, delays=0.05/0/1.5/1.1,
> dsn=5.0.0, status=bounced (host mx0.digitalwest.net[72.29.183.105] said:
> 550-[SPF] 44.104.18.100 is not allowed to send mail from mchat.booking.com.
> 550-Message blocked - Please check settings. See 550
> http://support.digitalwest.net/KB/a163/550-spf-not-allowed-to-send-mail.aspx
> (in reply to RCPT TO command))
>
> Is my only option here to do something like SRS or can this be fixed
> another way?
>

I'm puzzled - you mention gmail and yahoo but the example you give is for
digitalwest. They appear to be blocking based purely on SPF (their
information link does not seem to work) - gmail does not do this and I
doubt yahoo do it either. The situation which will cause problems when
relaying to gmail or to yahoo is blocking based on DMARC where the sender
domain has set a p=reject policy but doesn't add a DKIM signature header.
Another problem you may face is that if you are relaying too much spam into
gmail your server might be blacklisted.
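
Added example (not part of the original message): a Python sketch of the DMARC decision described above, run against the policy tags quoted elsewhere in this thread for gmail.com and yahoo.com (the rua addresses are omitted because the archive elides them). It goes one step beyond the message by also covering an SRS-rewritten forward. The forwarder domain, the two-label organizational-domain shortcut and the subdomain name are assumptions.

```python
GMAIL = "v=DMARC1; p=none; sp=quarantine"   # tags as quoted in the thread
YAHOO = "v=DMARC1; p=reject; pct=100"       # tags as quoted in the thread


def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed alignment: same organizational domain as the From: header."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass' or the policy the domain owner asks receivers to apply.

    spf_domain / dkim_domain name the domain that PASSED that check, or are
    None when the check failed or no signature was present. pct is parsed but
    not applied here.
    """
    tags = parse_dmarc(record)
    if aligned(spf_domain, from_domain) or aligned(dkim_domain, from_domain):
        return "pass"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)      # subdomain policy, if published
    return policy.lower()


def forwarding_outcomes(record, from_domain, forwarder="forwarder.example"):
    """What a final receiver sees for mail relayed through a forwarder."""
    return {
        # SPF fails: the forwarder's IP is not in the author domain's record.
        "plain forward, no DKIM": dmarc_disposition(record, from_domain),
        # SPF passes, but for the forwarder's domain, which is not aligned.
        "SRS forward, no DKIM": dmarc_disposition(
            record, from_domain, spf_domain=forwarder),
        # The author domain's signature survived forwarding unmodified.
        "forward, DKIM intact": dmarc_disposition(
            record, from_domain, dkim_domain=from_domain),
    }


if __name__ == "__main__":
    for name, record in (("gmail.com", GMAIL), ("yahoo.com", YAHOO)):
        print(name, forwarding_outcomes(record, name))
```

SRS repairs the SPF-only rejection shown in the digitalwest bounce, but it does not produce DMARC alignment; for a p=reject domain only an intact, aligned DKIM signature does.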


Mail forwarding through a relay

2019-09-11 Thread John Regan
Hi,

I have a postfix-3.2.6 system that acts as a mail server and pop/imap using
dovecot for a small domain. The problem is that people are increasingly
using it as a relay to a personal account, such as Gmail and Yahoo.

This is resulting in the receiving system rejecting the message due to SPF
failing.

Sep 11 22:03:06 email postfix/smtp[1187]: 33AA3962A9648: to=<
u...@example.com>, orig_to=,
relay=mx0.digitalwest.net[72.29.183.105]:25,
delay=2.7, delays=0.05/0/1.5/1.1, dsn=5.0.0, status=bounced (host
mx0.digitalwest.net[72.29.183.105] said: 550-[SPF] 44.104.18.100 is not
allowed to send mail from mchat.booking.com. 550-Message blocked - Please
check settings. See 550
http://support.digitalwest.net/KB/a163/550-spf-not-allowed-to-send-mail.aspx
(in reply to RCPT TO command))

Is my only option here to do something like SRS or can this be fixed
another way?


Re: Google Mail forwarding rewrites To, For and Delivered-To headers

2017-11-29 Thread Pau Peris
Hi,

i understand that's how they work and i cannot do anything to change it, but
which approach could i follow in order to work around that issue?

Thanks Boris,

On Wed, Nov 29, 2017 at 5:27 PM, Boris Behrens <b...@kervyn.de> wrote:

> You can't :-)
> That's how google apps work. I began to send mail over an own relay if
> it needs to be exact like I want.
>
> On Wed, Nov 29, 2017 at 05:10:55PM +0100, Pau Peris wrote:
> > Hi,
> >
> > i have a private server which handles email messages for different domains
> > - ie, example.com, mydomain.es - through Postfix. For domain mydomain.es
> > i'm already using Google Apps to handle the email. I use both systems to
> > handle the email for domain mydomain.es because i have some web apps
> > installed on the server which need to send email messages on behalf of
> > mydomain.es and as i already had a Postfix mail server working i decided
> > to set it up on my MTA system.
> >
> > The issue i'm looking to solve is related to Google Mail forwarding system.
> > Some days ago i enabled automatic email forwarding for f...@mydomain.es so
> > it forwards email to b...@example.com but when it gets to Postfix on the server
> > it gets rejected due to the following message:
> >
> > postfix/smtpd[5945]: NOQUEUE: reject: RCPT from
> > mail-ot0-x22d.google.com[2607:f8b0:4003:c0f::22d]:
> > 550 5.1.0 *<foo+caf_=bar=example@mydomain.es <example@mydomain.es>>*:
> > Sender address rejected: User unknown; from=<pau+caf_=dmarc=
> > tobycoach@pauperis.com> to=<dm...@tobycoach.com> proto=ESMTP helo=<
> > mail-ot0-x22d.google.com>
> >
> > I don't know why Google does this rewriting but i would like to know what
> > could i do in order to solve this issue.
> >
> > These are the original headers:
> >
> > Delivered-To: foo+caf_=bar=example@mydomain.es
> > Received: by 10.157.7.81 with SMTP id 75csp4162688ote;
> > Wed, 29 Nov 2017 02:36:22 -0800 (PST)
> > X-Received: by 10.157.92.197 with SMTP id r5mr1920889oti.286.1511951782640;
> > Wed, 29 Nov 2017 02:36:22 -0800 (PST)
> > ARC-Seal: i=1; a=rsa-sha256; t=1511951782; cv=none;
> > d=google.com; s=arc-20160816;
> > ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
> > s=arc-20160816;
> > h=date:message-id:in-reply-to:references:subject:auto-submitted:to
> >  :from:dkim-signature:arc-authentication-results;
> > bh=XLvWlJgtropuAWVgL4T11D77Kxt40EfUM+DfSKy1y90=;
> > ARC-Authentication-Results: i=1; mx.google.com;
> >dkim=pass header.i=@googlemail.com header.s=20161025
> > header.b=tcyPoStR;
> >spf=pass (google.com: best guess record for domain of
> > postmas...@mail-sor-f69.google.com designates 209.85.220.69 as permitted
> > sender) smtp.helo=mail-sor-f69.google.com;
> >dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=
> > googlemail.com
> > Return-Path: <>
> > Received: from mail-sor-f69.google.com (mail-sor-f69.google.com.
> > [209.85.220.69])
> > by mx.google.com with SMTPS id
> > i17sor505691otc.135.2017.11.29.02.36.22
> > for <foo+caf_=bar=example@mydomain.es>
> > (Google Transport Security);
> > Wed, 29 Nov 2017 02:36:22 -0800 (PST)
> > Received-SPF: pass (google.com: best guess record for domain of
> > postmas...@mail-sor-f69.google.com designates 209.85.220.69 as permitted
> > sender) client-ip=209.85.220.69;
> > Authentication-Results: mx.google.com;
> >dkim=pass header.i=@googlemail.com header.s=20161025
> > header.b=tcyPoStR;
> >

Google Mail forwarding rewrites To, For and Delivered-To headers

2017-11-29 Thread Pau Peris
Hi,

i have a private server which handles email messages for different domains
- ie, example.com, mydomain.es - through Postfix. For domain mydomain.es
i'm already using Google Apps to handle the email. I use both systems to
handle the email for domain mydomain.es because i have some web apps
installed on the server which need to send email messages on behalf of
mydomain.es and as i already had a Postfix mail server working i decided
to set it up on my MTA system.

The issue i'm looking to solve is related to Google Mail forwarding system.
Some days ago i enabled automatic email forwarding for f...@mydomain.es so
it forwards email to b...@example.com but when it gets to Postfix on the server
it gets rejected due to the following message:

postfix/smtpd[5945]: NOQUEUE: reject: RCPT from
mail-ot0-x22d.google.com[2607:f8b0:4003:c0f::22d]:
550 5.1.0 *<foo+caf_=bar=example@mydomain.es <example@mydomain.es>>*:
Sender address rejected: User unknown; from=<pau+caf_=dmarc=
tobycoach@pauperis.com> to=<dm...@tobycoach.com> proto=ESMTP helo=<
mail-ot0-x22d.google.com>

I don't know why Google does this rewriting but i would like to know what
could i do in order to solve this issue.

These are the original headers:

Delivered-To: foo+caf_=bar=example@mydomain.es
Received: by 10.157.7.81 with SMTP id 75csp4162688ote;
Wed, 29 Nov 2017 02:36:22 -0800 (PST)
X-Received: by 10.157.92.197 with SMTP id r5mr1920889oti.286.1511951782640;
Wed, 29 Nov 2017 02:36:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511951782; cv=none;
d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=date:message-id:in-reply-to:references:subject:auto-submitted:to
 :from:dkim-signature:arc-authentication-results;
bh=XLvWlJgtropuAWVgL4T11D77Kxt40EfUM+DfSKy1y90=;
ARC-Authentication-Results: i=1; mx.google.com;
   dkim=pass header.i=@googlemail.com header.s=20161025
header.b=tcyPoStR;
   spf=pass (google.com: best guess record for domain of
postmas...@mail-sor-f69.google.com designates 209.85.220.69 as permitted
sender) smtp.helo=mail-sor-f69.google.com;
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=
googlemail.com
Return-Path: <>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com.
[209.85.220.69])
by mx.google.com with SMTPS id
i17sor505691otc.135.2017.11.29.02.36.22
for <foo+caf_=bar=example@mydomain.es>
(Google Transport Security);
Wed, 29 Nov 2017 02:36:22 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
postmas...@mail-sor-f69.google.com designates 209.85.220.69 as permitted
sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
   dkim=pass header.i=@googlemail.com header.s=20161025
header.b=tcyPoStR;
   spf=pass (google.com: best guess record for domain of
postmas...@mail-sor-f69.google.com designates 209.85.220.69 as permitted
sender) smtp.helo=mail-sor-f69.google.com;
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=
googlemail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlemail.com; s=20161025;
h=from:to:auto-submitted:subject:references:in-reply-to:message-id
 :date;
bh=XLvWlJgtropuAWVgL4T11D77Kxt40EfUM+DfSKy1y90=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:auto-submitted:subject:references
 :in-reply-to:message-id:date;
bh=XLvWlJgtropuAWVgL4T11D77Kxt40EfUM+DfSKy1y90=;

Re: Mail Forwarding

2017-07-01 Thread wa6vvv
I think I have it working now.  Typos are killers.  I added @lafn.org to each
of the keys in the virtual_alias_maps file.  That seems to have worked.  I
am not sure why I needed (or if I needed) the virtual_mailbox_domains table.  

I did notice there were no entries for [second_domain] in
virtual_alias_maps.  Those are all locally delivered so I assumed they were
not necessary.  I am receiving mail for that domain without them.

I have found the diagrams in the documentation quite helpful in
understanding postfix.  However, is there similar information on how the
various tables are used and in which order?





Mail Forwarding

2017-07-01 Thread Doug Hardie
I thought I had everything working, but something broke. What I need to do is 
to accept mail for local delivery for several users on a couple domains 
(sermon-archive.info and one other) and relay mail for a number of users on 
domain (lafn.org) to a variety of different locations.  Each user could be on a 
different server.  My tests seemed to work, but when adding in the full tables, 
it broke.  Here are the various config files etc:

mail# postconf -n
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
max_use = 5
message_size_limit = 102400
mydestination = localhost.$mydomain, localhost
mydomain = sermon-archive.info
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/access.cidr
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_destination_recipient_limit = 25
smtpd_authorized_xclient_hosts = 10.0.1.0/24
smtpd_command_filter = pcre:/usr/local/etc/postfix/quote
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 10
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/usr/local/etc/postfix/vmail_domains
virtual_alias_maps = hash:/usr/local/etc/postfix/vmail_alias
virtual_gid_maps = static:
virtual_mailbox_base = /var/mail/
virtual_mailbox_domains = hash:/usr/local/etc/postfix/local_domains
virtual_mailbox_limit = 102400
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmail_mailbox
virtual_minimum_uid = 
virtual_transport = dovecot
virtual_uid_maps = static:

mail# more local_domains
sermon-archive.info         OK
mail.sermon-archive.info    OK
second.domain               OK


mail# more vmail_alias
postmaster  doug
bc979   doug
bc979-1 edward
bc979-4 jeanne
user1   mailb...@gmail.com
user2   mailb...@aol.com
refund  mailb...@hotmail.com


Plus a bunch more.  Other than postmaster, I thought that the left names should 
have @lafn.org, but that didn't seem to work either.


mail# more vmail_domains
lafn.org        OK


mail# more vmail_mailbox
d...@sermon-archive.info        home_mail/doug/
d...@mail.sermon-archive.info   home_mail/doug/


I also wanted to be able to have different users with the same name of 
different addresses such as d...@sermon-archive.info and doug@second.domain and 
have them go to different places.  Both seem to get local delivery to doug.

I am sure I have something configured wrong.  

When I try to send from a non-local system I get the following:

brain% telnet sermon-archive.info 25
Trying 71.177.216.148...
Connected to sermon-archive.info.
Escape character is '^]'.
220 mail.sermon-archive.info ESMTP Postfix
helo me
250 mail.sermon-archive.info
mail from:wa6...@arrl.net
250 2.1.0 Ok
rcpt to:ref...@lafn.org
550 5.1.1 : Recipient address rejected: User unknown in 
virtual alias table


— Doug
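
Added example (not from the thread, and not Postfix code): a Python model of the lookup order documented in virtual(5), showing why the bare keys in vmail_alias above produce "User unknown in virtual alias table" for lafn.org recipients while keys with @lafn.org appended resolve. The alias targets are placeholders because the archive elides the real ones, myhostname is assumed from the SMTP banner, and address extensions (recipient_delimiter) are not modelled.

```python
# Constructed tables: the keys as first posted (bare) and with @lafn.org added.
BARE_KEYS = {"postmaster": "doug", "user1": "mailbox1@forward.example"}
FULL_KEYS = {"postmaster": "doug", "user1@lafn.org": "mailbox1@forward.example"}

VIRTUAL_ALIAS_DOMAINS = {"lafn.org"}        # from vmail_domains in the post

# Sites for which virtual(5) also tries the bare "user" key: $myorigin,
# $mydestination, $inet_interfaces. myhostname is an assumption taken from
# the "220 mail.sermon-archive.info" banner; mydestination is from postconf -n.
LOCAL_SITES = {
    "mail.sermon-archive.info",
    "localhost.sermon-archive.info",
    "localhost",
}


def lookup_keys(rcpt, local_sites=LOCAL_SITES):
    """Keys tried for one recipient, in the order given by virtual(5)."""
    local, _, domain = rcpt.lower().rpartition("@")
    keys = [f"{local}@{domain}"]            # 1. user@domain
    if domain in local_sites:
        keys.append(local)                  # 2. user, only for local sites
    keys.append(f"@{domain}")               # 3. @domain catch-all
    return keys


def virtual_alias(rcpt, table, local_sites=LOCAL_SITES):
    """First matching right-hand side, or None when no key matches."""
    for key in lookup_keys(rcpt, local_sites):
        if key in table:
            return table[key]
    return None


def rcpt_to(rcpt, table):
    """Model of the recipient check for a virtual alias domain only."""
    domain = rcpt.lower().rpartition("@")[2]
    if domain not in VIRTUAL_ALIAS_DOMAINS:
        return "not a virtual alias domain (other checks apply)"
    target = virtual_alias(rcpt, table)
    if target is None:
        return "550 5.1.1 Recipient address rejected: User unknown in virtual alias table"
    return f"250 2.1.5 Ok -> {target}"


if __name__ == "__main__":
    rcpt = "user1@lafn.org"
    print("keys tried:", lookup_keys(rcpt))
    print("bare keys :", rcpt_to(rcpt, BARE_KEYS))
    print("full keys :", rcpt_to(rcpt, FULL_KEYS))
    # A bare key is only consulted for local sites such as localhost.
    print("postmaster@localhost ->", virtual_alias("postmaster@localhost", BARE_KEYS))
```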



Re: "mail forwarding loop" when Resending Email to Oneself.

2016-11-16 Thread Wietse Venema
Ralph Corderoy:
> Hi Bill,
> 
> > > If not, what's the closest to a specification?
> >
> > The documentation in the software that adds it. In this case
> > specifically the man page for postconf(5)
> 
> I'd already read that, e.g. prepend_delivered_header, and it doesn't
> describe Postfix's logic for producing "mail forwarding loop", e.g. does
> it only check on final delivery so if it's a relay then it doesn't care?

The Postfix code that ADDS the delivered-to header will 
report a loop if that header already exists.

Doing it otherwise (checking without adding, or adding without
checking) makes no sense.

Wietse
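
Added example (not from the thread, and not Postfix source): a Python model of the behaviour described above, where the step that prepends Delivered-To is also the step that reports a loop, and of the resend case from the start of this thread. The address ralph@inputplus.example and the function names are constructed for illustration.

```python
from email import message_from_string

# Constructed message as an MUA would submit it, before any delivery.
ORIGINAL = (
    "To: ralph@inputplus.example\n"
    "From: ralph@inputplus.example\n"
    "\n"
    "foo\n"
)


def deliver(raw, recipient):
    """Check-then-add: bounce if Delivered-To already names this recipient.

    Returns ("bounced", reason) or ("delivered", message with the new header).
    The comparison is case insensitive.
    """
    msg = message_from_string(raw)
    seen = [value.strip().lower() for value in msg.get_all("Delivered-To", [])]
    if recipient.lower() in seen:
        return ("bounced", f"mail forwarding loop for {recipient}")
    return ("delivered", f"Delivered-To: {recipient}\n{raw}")


def resend(raw, resent_from, resent_to, keep_delivered_to):
    """Model of an MUA redistributing a stored message with Resent- headers.

    keep_delivered_to=True copies the stored headers verbatim, which is the
    case that triggers the loop report when the target is the same mailbox.
    """
    msg = message_from_string(raw)
    if not keep_delivered_to:
        del msg["Delivered-To"]             # removes every occurrence
    msg["Resent-From"] = resent_from
    msg["Resent-To"] = resent_to
    return msg.as_string()


if __name__ == "__main__":
    me = "ralph@inputplus.example"
    status, stored = deliver(ORIGINAL, me)
    print("first delivery:", status)

    verbatim = resend(stored, me, me, keep_delivered_to=True)
    print("resend, header kept    :", deliver(verbatim, me))

    stripped = resend(stored, me, me, keep_delivered_to=False)
    print("resend, header stripped:", deliver(stripped, me)[0])

    # A different final recipient does not match the existing header.
    print("resend to someone else :",
          deliver(verbatim, "other@inputplus.example")[0])
```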


Re: "mail forwarding loop" when Resending Email to Oneself.

2016-11-16 Thread Ralph Corderoy
Hi Bill,

> > If not, what's the closest to a specification?
>
> The documentation in the software that adds it. In this case
> specifically the man page for postconf(5)

I'd already read that, e.g. prepend_delivered_header, and it doesn't
describe Postfix's logic for producing "mail forwarding loop", e.g. does
it only check on final delivery so if it's a relay then it doesn't care?

I did find mutt has

3.22. bounce_delivered

Type: boolean
Default: yes

When this variable is set, mutt will include Delivered-To headers
when bouncing messages.  Postfix users may wish to unset this
variable.  — http://www.mutt.org/doc/manual/

But that's again imprecise, e.g. is Postfix involvement anywhere along
the route a problem?

If the MTA imposes new rules that affect the MUA's behaviour then I'd
expect it to offer guidance as to the MUA's policy.  (I realise "new"
could mean several years old here, but it's still a change.)  Every MTA
and MUA cooking up their own policy seems wrong.  Deviations and
broken implementations are bad enough when an RFC does exist.

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy


Re: "mail forwarding loop" when Resending Email to Oneself.

2016-11-16 Thread Bill Cole

On 16 Nov 2016, at 7:43, Ralph Corderoy wrote:


Does an RFC cover Delivered-To?


No.


If not, what's the closest to a
specification?


The documentation in the software that adds it. In this case 
specifically the man page for postconf(5)




"mail forwarding loop" when Resending Email to Oneself.

2016-11-16 Thread Ralph Corderoy
Hi,

I send myself a little email.

Return-Path: <ra...@inputplus.co.uk>
X-Original-To: ralph
Delivered-To: ra...@inputplus.co.uk
Received: by orac.inputplus.co.uk (Postfix, from userid 1000)
id 9687C279FC; Wed, 16 Nov 2016 12:29:46 + (GMT)
Date: Wed, 16 Nov 2016 12:29:46 +
To: ra...@inputplus.co.uk
Message-Id: <20161116122946.9687c27...@orac.inputplus.co.uk>
From: ra...@inputplus.co.uk (Ralph Corderoy)

foo

I use nmh's dist(1) command to distribute it, using Resent-From,
Resent-To, etc., headers.  (IIRC this is similar to mutt's "bounce"
command.)

Postfix complains of a "mail forwarding loop" by return.

Return-Path: <>
X-Original-To: ra...@inputplus.co.uk
Delivered-To: ra...@inputplus.co.uk
Received: by orac.inputplus.co.uk (Postfix)
id 2DF9D27E4C; Wed, 16 Nov 2016 12:29:55 + (GMT)
Date: Wed, 16 Nov 2016 12:29:55 + (GMT)
From: mailer-dae...@inputplus.co.uk (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: ra...@inputplus.co.uk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="0F24A1F958.1479299395/orac.inputplus.co.uk"
Content-Transfer-Encoding: 8bit
Message-Id: <20161116122955.2df9d27...@orac.inputplus.co.uk>

This is a MIME-encapsulated message.

--0F24A1F958.1479299395/orac.inputplus.co.uk
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host orac.inputplus.co.uk.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

<ra...@inputplus.co.uk> (expanded from ): mail forwarding loop for
ra...@inputplus.co.uk

--0F24A1F958.1479299395/orac.inputplus.co.uk
Content-Description: Delivery report
Content-Type: message/delivery-status
Content-Transfer-Encoding: 8bit

Reporting-MTA: dns; orac.inputplus.co.uk
X-Postfix-Queue-ID: 0F24A1F958
X-Postfix-Sender: rfc822; ra...@inputplus.co.uk
Arrival-Date: Wed, 16 Nov 2016 12:29:55 + (GMT)

Final-Recipient: rfc822; ra...@inputplus.co.uk
Original-Recipient: rfc822;ralph
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail forwarding loop for ra...@inputplus.co.uk

--0F24A1F958.1479299395/orac.inputplus.co.uk
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <ra...@inputplus.co.uk>
Received: from orac.inputplus.co.uk (orac.inputplus.co.uk [IPv6:::1])
by orac.inputplus.co.uk (Postfix) with ESMTP id 0F24A1F958
for ; Wed, 16 Nov 2016 12:29:55 + (GMT)
X-Original-To: ralph
Delivered-To: ra...@inputplus.co.uk
Received: by orac.inputplus.co.uk (Postfix, from userid 1000)
id 9687C279FC; Wed, 16 Nov 2016 12:29:46 + (GMT)
Date: Wed, 16 Nov 2016 12:29:46 +
To: ra...@inputplus.co.uk
User-Agent: mail v14.8.14
Message-Id: <20161116122946.9687c27...@orac.inputplus.co.uk>
From: ra...@inputplus.co.uk (Ralph Corderoy)
Resent-From: Ralph Corderoy <ra...@inputplus.co.uk>
Resent-To: ra...@inputplus.co.uk
Resent-Date: Wed, 16 Nov 2016 12:29:55 +
Resent-Message-Id: <20161116122955.0f24a1f...@orac.inputplus.co.uk>

foo

--0F24A1F958.1479299395/orac.inputplus.co.uk--

AIUI this is because the original email's Delivered-To header is in the
resent email with the same email address as the new email's destination.

Does an RFC cover Delivered-To?  If not, what's the closest to a
specification?

Resending the email to myself at the same email address is legitimate
and used to work in years past.  What does Postfix think an MUA should
do in this circumstance?  Remove the Delivered-To header whenever
resending?

Any other advice Postfix can offer this MUA?

-- 
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy


Outbound Relays, Delivered-To, and "mail forwarding loop detected"

2015-11-18 Thread Bob Proulx
After many years it is now necessary for me to change my mail server
to one on a different network.  My old server network is going off the
Internet at some point but it will remain with a local dynamic
address.  It will need to relay mail.  I have set up a vpn between the
old server and the new server and am using it for mail transport
between.  At this moment I am still using my previous server for
incoming mail but forwarding outbound mail through the new server to
start the migration.  Mostly all good.  But I do have a problem that I
don't understand and am looking for help from the wisdom of the list.

If I re-mail a message by any of several methods I run into a
rejection on the new outbound server "mail forwarding loop detected"
due to Delivered-To header detection.  Of course the new server havoc
has never seen this message before.  I am running into Delivered-To
loop detection issues.  Let's jump into the details.  Old joseki and
new havoc are the two servers involved.  On havoc:

  Nov 18 12:08:16 havoc postfix/cleanup[27515]: 910CE4A0: reject: header 
X-X-Delivered-To: b...@proulx.com from localhost[127.0.0.1]; 
from=<b...@proulx.com> to=<r...@example.com> proto=ESMTP 
helo=: 5.7.1 mail forwarding loop detected

I have slightly redacted the mail addresses in order to avoid exposing
addresses but I think not in any significant way.  Hopefully.  What I
don't understand is why havoc's configuration is rejecting this
message.  The docs say:

  http://www.postfix.org/pipe.8.html

The D flag also enforces loop detection (Postfix 2.5 and
later): if a message already contains a Delivered-To:
header with the same recipient address, then the message
is returned as undeliverable. The address comparison is
case insensitive.

But b...@proulx.com is not the recipient address.  So why is it matching?
What configures havoc to think b...@proulx.com is a forwarding loop?
That seems to be the snag I am tripping over.  Of course if I delete
all Delivered-To headers then mail is not rejected.

Thanks!
Bob

The havoc system is the new outbound relay.  On havoc I think the
significant config is:

  cat /etc/mailname
  havoc.proulx.com

  myhostname = havoc.proulx.com
  myorigin = /etc/mailname
  mydestination = $myhostname, localhost.$mydomain, localhost
  mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128

And on havoc somewhat more complicated by these that I think are not
related:

  transport_maps = hash:/etc/postfix/transport
  relay_domains = $mydestination
  relay_recipient_maps = hash:/etc/postfix/relay_recipients
  virtual_alias_domains = example.net, example.org # redacted domain names
  virtual_alias_maps = hash:/etc/postfix/virtual


Re: Outbound Relays, Delivered-To, and "mail forwarding loop detected"

2015-11-18 Thread Wietse Venema
Bob Proulx:
>   Nov 18 12:08:16 havoc postfix/cleanup[27515]: 910CE4A0: reject: header 
> X-X-Delivered-To: b...@proulx.com from localhost[127.0.0.1]; 
> from=<b...@proulx.com> to=<r...@example.com> proto=ESMTP 
> helo=: 5.7.1 mail forwarding loop detected

This message is logged by the CLEANUP daemon while doing header_checks.
You have a header_checks rule that blocks mail with this header.

Wietse


Re: Outbound Relays, Delivered-To, and "mail forwarding loop detected"

2015-11-18 Thread Bob Proulx
Wietse Venema wrote:
> Bob Proulx:
> >   Nov 18 12:08:16 havoc postfix/cleanup[27515]: 910CE4A0: reject: header 
> > X-X-Delivered-To: b...@proulx.com from localhost[127.0.0.1]; 
> > from=<b...@proulx.com> to=<r...@example.com> proto=ESMTP 
> > helo=: 5.7.1 mail forwarding loop detected
> 
> This message is logged by the CLEANUP daemon while doing header_checks.
> You have a header_checks rule that blocks mail with this header.

OMG!  Yes!  That was an amazing bit of diagnostic analysis.  :-)

A snippet of some anti-spam that has been there for so long I had
completely forgotten all about it.  Frankly I can't even remember
exactly why I have it there now.

  # Try to defeat spammers using injected Delivered-To headers.
  /^(Delivered-To:.*@proulx\.com)$/ REPLACE X-$1
  /^(X-Delivered-To:.*@proulx\.com)$/ REPLACE X-$1
  /^(X-X-Delivered-To:.*@proulx\.com)$/ REJECT mail forwarding loop detected

I removed those and of course that fixes the problem.  I can't believe
it was a self-inflicted problem and I hadn't realized it.

THANK YOU!

Bob
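
Added example (not part of the original thread, and not Bob's or Postfix's code): a small simulation of the three header_checks rules quoted above, showing why a re-mailed message is rejected regardless of its envelope recipient. It assumes each trip through cleanup(8), for instance SMTP intake followed by re-injection from a content filter on localhost, applies the table once; the address user@proulx.com and the sample headers are constructed.

```python
import re

# The three rules from the message above, in file order; Postfix's "$1" is
# written "\1" for Python. Postfix regexp tables match case-insensitively by
# default, and the first matching rule decides the action for a header line.
RULES = [
    (r"^(Delivered-To:.*@proulx\.com)$", "REPLACE", r"X-\1"),
    (r"^(X-Delivered-To:.*@proulx\.com)$", "REPLACE", r"X-\1"),
    (r"^(X-X-Delivered-To:.*@proulx\.com)$", "REJECT",
     "mail forwarding loop detected"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), action, arg)
            for p, action, arg in RULES]


def cleanup_pass(headers):
    """Apply the table once, as one trip through cleanup(8) would.

    Returns ("REJECT", offending_line) or ("OK", rewritten_headers).
    The envelope recipient is not an input: these rules look only at header
    text, which is why the address in the header need not be the recipient.
    A replaced line is not inspected again within the same pass.
    """
    rewritten = []
    for line in headers:
        for pattern, action, arg in COMPILED:
            match = pattern.search(line)
            if match is None:
                continue
            if action == "REJECT":
                return "REJECT", line
            line = match.expand(arg)  # REPLACE: prefix the header with "X-"
            break
        rewritten.append(line)
    return "OK", rewritten


def passes_until_reject(headers, max_passes=5):
    """Count cleanup passes until the REJECT rule fires; None if it never does."""
    for n in range(1, max_passes + 1):
        verdict, result = cleanup_pass(headers)
        if verdict == "REJECT":
            return n
        headers = result
    return None


# Constructed sample: a message that was delivered once (so it carries
# Delivered-To) and is then re-mailed to an unrelated recipient.
REMAILED = [
    "Delivered-To: user@proulx.com",
    "From: user@proulx.com",
    "To: rcpt@example.com",
    "Subject: re-mailed message (constructed)",
]
# Constructed sample: a fresh message that was never delivered before.
FRESH = REMAILED[1:]

if __name__ == "__main__":
    print("re-mailed message rejected on pass", passes_until_reject(REMAILED))
    print("fresh message rejected on pass", passes_until_reject(FRESH))
```

The header gains one X- prefix per pass, so the third pass sees X-X-Delivered-To and rejects, which matches the header named in the havoc log line.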


Re: Tracking down a mail forwarding loop

2015-02-12 Thread Noel Jones
On 2/12/2015 12:43 AM, LuKreme wrote:
 
 On Feb 11, 2015, at 6:20 PM, Wietse Venema wie...@porcupine.org wrote:

 LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
for *bob*@covisp.net;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net

 This message contains a Delivered-To: *bob*@covisp.net header.
 Apparently, the sender added this to trigger a delivery error.
 Apparently, the sender, c...@thenewestsecret.net, wants to receive
 a bounce message. That message would confirm that *bob*@covisp.net
 is a valid email address.
 
 Does it make sense to reject messages with a Delivered-To: header?

Yes.  Incoming mail with that header cannot be delivered by postfix,
regardless whether it's really looping or not.

Although in this particular case it might be better to reject the
spammy-looking client.

 
 Why does it generate a mail loop in my local postfix?

The presence of that header triggers the loop detection in postfix.
 The sender is adding that header either in a misguided attempt to
improve delivery, or to intentionally cause a bounce to verify the
address.

 
 Could it have anything to do with the always_bcc setting?

No.  The header is added by the sender.

 Would some other MTA deliver the message anyway, or this simply a spam 
 harvesting tactic? The messages don’t seem to generate a valid bounce to a 
 valid address…


Some MTAs behave the same as postfix eg. qmail.  Some MTAs don't use
Delivered-To: and ignore it eg. Exchange.

We don't know the motive of the sender. We do know this isn't really
a loop and it looks like spam to me.




  -- Noel Jones


Re: Tracking down a mail forwarding loop

2015-02-12 Thread LuKreme
On 12 Feb 2015, at 08:25 , Noel Jones njo...@megan.vbhcs.org wrote:
 On 2/12/2015 12:43 AM, LuKreme wrote:
 
 On Feb 11, 2015, at 6:20 PM, Wietse Venema wie...@porcupine.org wrote:
 
 LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
   by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
   for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
   Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
   Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
   by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
   for *bob*@covisp.net;
   Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net
 
 This message contains a Delivered-To: *bob*@covisp.net header.
 Apparently, the sender added this to trigger a delivery error.
 Apparently, the sender, c...@thenewestsecret.net, wants to receive
 a bounce message. That message would confirm that *bob*@covisp.net
 is a valid email address.
 
 Does it make sense to reject messages with a Delivered-To: header?
 
 Yes.  Incoming mail with that header cannot be delivered by postfix,
 regardless whether it's really looping or not.
 
 Although in this particular case it might be better to reject the
 spammy-looking client.

Yes, but my postscreen is already aggressive enough that I had to tone it down 
a tad to let some legitimate mail (well, mail I wanted) in.

 Why does it generate a mail loop in my local postfix?
 
 The presence of that header triggers the loop detection in postfix.
 The sender is adding that header either in a misguided attempt to
 improve delivery, or to intentionally cause a bounce to verify the
 address.

What is interesting is that I see these *only* for one specific user, which is 
what made me think it was something on my end.

 We don't know the motive of the sender. We do know this isn't really
 a loop and it looks like spam to me.

Oh, they are all spam so far.

Thanks.

-- 
'Luck is my middle name,' said Rincewind, indistinctly. 'Mind you, my
first name is Bad.' --Interesting Times



Re: Tracking down a mail forwarding loop

2015-02-11 Thread Wietse Venema
LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
 by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
 for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
 Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
 Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
 by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
 for *bob*@covisp.net;
 Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net

This message contains a Delivered-To: *bob*@covisp.net header.
Apparently, the sender added this to trigger a delivery error.
Apparently, the sender, c...@thenewestsecret.net, wants to receive
a bounce message. That message would confirm that *bob*@covisp.net
is a valid email address.

Wietse


Re: Tracking down a mail forwarding loop

2015-02-11 Thread LuKreme

 On Feb 11, 2015, at 6:20 PM, Wietse Venema wie...@porcupine.org wrote:
 
 LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
for *bob*@covisp.net;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net
 
 This message contains a Delivered-To: *bob*@covisp.net header.
 Apparently, the sender added this to trigger a delivery error.
 Apparently, the sender, c...@thenewestsecret.net, wants to receive
 a bounce message. That message would confirm that *bob*@covisp.net
 is a valid email address.

Does it make sense to reject messages with a Delivered-To: header?

Why does it generate a mail loop in my local postfix?

Could it have anything to do with the always_bcc setting?

$ postconf always_bcc
always_bcc = backups@*otherlocaldomain*.com

Would some other MTA deliver the message anyway, or this simply a spam 
harvesting tactic? The messages don’t seem to generate a valid bounce to a 
valid address…


-- 
S is for SUSAN who perished of fits
T is for TITUS who flew into bits



Re: Tracking down a mail forwarding loop

2015-02-07 Thread LuKreme
On Feb 6, 2015, at 3:43 PM, LuKreme krem...@kreme.com wrote:
 On 06 Feb 2015, at 15:05 , Wietse Venema wie...@porcupine.org wrote:
 NORMALLY, that header is present AFTER mail is delivered to b...@covisp.net.
 
 If it is present BEFORE mail is delivered to b...@covisp.net, then you have
 a loop (or the sender has added this header to trigger an error).
 
 Ah, right. I’ve added it and am eagerly awaiting another of these emails.

As the old saying goes:

A watched pot never delivers a mail loop causing message.

-- 
'We get that in here some nights, when someone's had a few. Cosmic
speculation about whether the gods exist. Next thing, there's a bolt of
lightning through the door with a note wrapped round it saying, Yes, we
do and a pair of sandals with smoke coming out.' (Small Gods)



Re: Tracking down a mail forwarding loop

2015-02-06 Thread Wietse Venema
LuKreme:
 
  On 05 Feb 2015, at 15:53 , Wietse Venema wie...@porcupine.org wrote:
  
  LuKreme:
  On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:
  Have you considered the possibility that the mail was sent with a
  bogus Delivered-To: header (i.e. the header is present, but not
  added by Postfix).
  
  Yes, but I'm unsure how to diagnose that.
  
  header_checks:
  /^Delivered-To: bob@covisp\.net$/ hold
 
 That would hold ALL the mail for bob, right? it is only the
 occasional email that causes this loop error.

NORMALLY, that header is present AFTER mail is delivered to b...@covisp.net.

If it is present BEFORE mail is delivered to b...@covisp.net, then you have
a loop (or the sender has added this header to trigger an error).

Wietse


Re: Tracking down a mail forwarding loop

2015-02-06 Thread LuKreme
On 06 Feb 2015, at 15:05 , Wietse Venema wie...@porcupine.org wrote:
 NORMALLY, that header is present AFTER mail is delivered to b...@covisp.net.
 
 If it is present BEFORE mail is delivered to b...@covisp.net, then you have
 a loop (or the sender has added this header to trigger an error).

Ah, right. I’ve added it and am eagerly awaiting another of these emails.

-- 
C code. C code run. Run, code, run.



Re: Tracking down a mail forwarding loop

2015-02-06 Thread LuKreme
Only other thing I can think of is that this is somehow related to always_bcc?


-- 
A dyslexic walks into a bra...



Re: Tracking down a mail forwarding loop

2015-02-06 Thread Miles Fidelman

wie...@porcupine.org (Wietse Venema) wrote:

LuKreme:

On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:

Have you considered the possibility that the mail was sent with a
bogus Delivered-To: header (i.e. the header is present, but not
added by Postfix).

Yes, but I'm unsure how to diagnose that.

header_checks:
/^Delivered-To: bob@covisp\.net$/ hold


Here is a full dump of one of these files (with only the user name munged)

https://www.dropbox.com/s/mvdg1f48fo640g3/768FC212C05.txt?dl=0

We already know that the message loops because the Delivered-To: header
is present.

Here are the first few headers of the message before delivery:

Return-Path: ros...@approvednowauto.com
Received: from approvednowauto.com (unknown [170.130.246.204])
 by mail.covisp.net (Postfix) with ESMTP id D3F1A212C03
 for b...@covisp.net; Thu,  5 Feb 2015 14:58:19 -0700 (MST)
Delivered-To: b...@covisp.net

I suggest that you have a look at the other ones. If none of the
other Received: headers belongs to your systems, then they added
Delivered-To: b...@covisp.net before sending the message to your
systems.

Wietse


I also noticed a List_Unsubscribe header buried in there - might want to 
look at whatever is doing list expansion.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra



Re: Tracking down a mail forwarding loop

2015-02-05 Thread Wietse Venema
LuKreme:
 On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:
  Have you considered the possibility that the mail was sent with a
  bogus Delivered-To: header (i.e. the header is present, but not
  added by Postfix).
 
 Yes, but I'm unsure how to diagnose that.

header_checks:
/^Delivered-To: bob@covisp\.net$/ hold

 Here is a full dump of one of these files (with only the user name munged)
 
 https://www.dropbox.com/s/mvdg1f48fo640g3/768FC212C05.txt?dl=0

We already know that the message loops because the Delivered-To: header
is present.

Here are the first few headers of the message before delivery:

Return-Path: ros...@approvednowauto.com
Received: from approvednowauto.com (unknown [170.130.246.204])
by mail.covisp.net (Postfix) with ESMTP id D3F1A212C03
for b...@covisp.net; Thu,  5 Feb 2015 14:58:19 -0700 (MST)
Delivered-To: b...@covisp.net

I suggest that you have a look at the other ones. If none of the
other Received: headers belongs to your systems, then they added
Delivered-To: b...@covisp.net before sending the message to your
systems.

Wietse
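
Added example (not part of the original thread): one way to automate the check described above, deciding whether a Delivered-To: header was already in the message when it entered your systems. The host name mail.example.net, the address bob@example.net, the queue IDs and both sample messages are constructed; the verdict labels are this example's own.

```python
import re
from email import message_from_string

BY_CLAUSE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def _stamped_by(received_value):
    """Host named in the 'by' clause of a Received: header, or None."""
    m = BY_CLAUSE.search(received_value)
    return m.group(1).lower().rstrip(".") if m else None


def classify_delivered_to(raw_message, our_hosts, recipient):
    """Classify each Delivered-To: header that names `recipient`.

    Trace headers are prepended, so the header list reads newest to oldest.
    The lowest Received: line stamped by one of our hosts marks where the
    message entered our systems; a Delivered-To: below that line was already
    present on arrival. Returns a list of (header_index, verdict).

    Caveat: only the topmost Received: line is known to be ours. Lower lines
    are text supplied by the sender, so confirm a verdict of
    "added-after-entry" against the queue IDs in your own logs.
    """
    ours = {h.lower() for h in our_hosts}
    want = recipient.lower()
    headers = message_from_string(raw_message).items()

    our_hops = [i for i, (name, value) in enumerate(headers)
                if name.lower() == "received" and _stamped_by(value) in ours]

    findings = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "delivered-to":
            continue
        if value.strip().strip("<>").lower() != want:
            continue
        if not our_hops:
            verdict = "no-hop-of-ours"
        elif i > max(our_hops):
            verdict = "present-before-entry"   # supplied by the sender
        else:
            verdict = "added-after-entry"      # added inside our systems
        findings.append((i, verdict))
    return findings


# Constructed sample modelled on the headers in this thread: the only hop of
# ours is the top Received: line, and Delivered-To: sits below it.
FORGED = """\
Received: from mail.sender.example (unknown [192.0.2.15])
    by mail.example.net (Postfix) with ESMTP id 3F2A1C0001
    for <bob@example.net>; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
Delivered-To: bob@example.net
Received: by 192.0.2.15 with SMTP id constructed1;
    Tue, 10 Feb 2015 08:51:05 -0700 (PST)
To: bob@example.net
Subject: constructed sample

body
"""

# Constructed sample of a real loop: our host received the message, delivered
# it (adding Delivered-To:), and then received it again.
LOOPED = """\
Received: from mail.example.net (localhost [127.0.0.1])
    by mail.example.net (Postfix) with ESMTP id 3F2A1C0003
    for <bob@example.net>; Tue, 10 Feb 2015 08:53:24 -0700 (MST)
Delivered-To: bob@example.net
Received: from mail.sender.example (unknown [192.0.2.15])
    by mail.example.net (Postfix) with ESMTP id 3F2A1C0002
    for <bob@example.net>; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
To: bob@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("looped", LOOPED)):
        print(label, classify_delivered_to(raw, ["mail.example.net"],
                                           "bob@example.net"))
```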


Re: Tracking down a mail forwarding loop

2015-02-05 Thread LuKreme
On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:
 Have you considered the possibility that the mail was sent with a
 bogus Delivered-To: header (i.e. the header is present, but not
 added by Postfix).

Yes, but I’m unsure how to diagnose that.

Here is a full dump of one of these files (with only the user name munged)

https://www.dropbox.com/s/mvdg1f48fo640g3/768FC212C05.txt?dl=0

-- 
Thank you for sending me a copy of your book; I'll waste no time
reading it. - Moses Hadas



Re: Tracking down a mail forwarding loop

2015-02-05 Thread Wietse Venema
LuKreme:
 
  On Feb 4, 2015, at 9:20 AM, Miles Fidelman mfidel...@meetinghouse.net 
  wrote:
  
  LuKreme wrote:
  I have a local user who is generating occasional mail forwarding loop 
  errors, which are causing forged emails to cause NDNs and fill up mailq.
  
  Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: 
  to=*bob*@covisp.net, relay=local, delay=0.65, delays=0.59/0/0/0.06, 
  dsn=5.4.6, status=bounced (mail forwarding loop for *bob*@covisp.net)
...
 Delivered-To: b...@covisp.net

Have you considered the possibility that the mail was sent with a
bogus Delivered-To: header (i.e. the header is present, but not
added by Postfix).

Wietse


Re: Tracking down a mail forwarding loop

2015-02-04 Thread Miles Fidelman

LuKreme wrote:

I have a local user who is generating occasional mail forwarding loop errors, 
which are causing forged emails to cause NDNs and fill up mailq.

Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: to=*bob*@covisp.net, 
relay=local, delay=0.65, delays=0.59/0/0/0.06, dsn=5.4.6, status=bounced (mail 
forwarding loop for *bob*@covisp.net)

The only place that “*bob*” is mentioned in virtual is in line like this:

bill...@covisp.net  bob,fred,george

Where bob, fred, and george are all local users.

bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
forwarding mail anywhere.

Where else do I look?

postmap -q b...@covisp.net /etc/postfix/virtual doesn’t return any results.



I'd start with the headers in a message that's looped - that might help 
track things down.


Miles Fidelman


Tracking down a mail forwarding loop

2015-02-04 Thread LuKreme
I have a local user who is generating occasional mail forwarding loop errors, 
which are causing forged emails to cause NDNs and fill up mailq.

Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: to=*bob*@covisp.net, 
relay=local, delay=0.65, delays=0.59/0/0/0.06, dsn=5.4.6, status=bounced (mail 
forwarding loop for *bob*@covisp.net)

The only place that “*bob*” is mentioned in virtual is in line like this:

bill...@covisp.net  bob,fred,george

Where bob, fred, and george are all local users.

bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
forwarding mail anywhere.

Where else do I look?

postmap -q b...@covisp.net /etc/postfix/virtual doesn’t return any results.

-- 
Behind every great man there's a woman with a vibrator -- Hawkeye Pierce



Re: Tracking down a mail forwarding loop

2015-02-04 Thread Wietse Venema
LuKreme:
 I have a local user who is generating occasional mail forwarding loop errors, 
 which are causing forged emails to cause NDNs and fill up mailq.
 
 Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: 
 to=*bob*@covisp.net, relay=local, delay=0.65, delays=0.59/0/0/0.06, 
 dsn=5.4.6, status=bounced (mail forwarding loop for *bob*@covisp.net)
 
 The only place that “*bob*” is mentioned in virtual is in line like this:
 
 bill...@covisp.net  bob,fred,george
 
 Where bob, fred, and george are all local users.
 
 bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
 forwarding mail anywhere.
 
 Where else do I look?

Other opportunities for forwarding, such as postconf mailbox_command?

Wietse


Re: Tracking down a mail forwarding loop

2015-02-04 Thread LuKreme
On 04 Feb 2015, at 07:38 , Wietse Venema wie...@porcupine.org wrote:
 
 LuKreme:
 I have a local user who is generating occasional mail forwarding loop 
 errors, which are causing forged emails to cause NDNs and fill up mailq.
 
 Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: 
 to=*bob*@covisp.net, relay=local, delay=0.65, delays=0.59/0/0/0.06, 
 dsn=5.4.6, status=bounced (mail forwarding loop for *bob*@covisp.net)
 
 The only place that “*bob*” is mentioned in virtual is in line like this:
 
 bill...@covisp.net  bob,fred,george
 
 Where bob, fred, and george are all local users.
 
 bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
 forwarding mail anywhere.
 
 Where else do I look?
 
 Other opportunities for forwarding, such as postconf mailbox_command?

Yeah, that’s why I checked procmailrc.

I do see that the modification date on the procmailrc is quite recent. Maybe he 
munged something and got it fixed. I’ll keep watching.


-- 
Growing up leads to growing old, and then to dying/And dying to me don't
sound like all that much fun.



mail forwarding loop exploit

2014-02-25 Thread Alexandre Ellert
Hello,

I have a working setup with a dedicated MX inbound which delivers via transport 
to a postfix / dovecot backend server.
I found some mail, probably with forged Delivered-To header that make the 
backend bounce with mail forwarding loop

Here is the log of the backend  :

Feb 25 05:19:37 mut-mx-1 postfix/smtpd[9860]: connect from 
mail-in-1.numeezy.com[188.165.154.163]
Feb 25 05:19:38 mut-mx-1 postfix/smtpd[9860]: 0B34B4400A0: 
client=mail-in-1.numeezy.com[188.165.154.163]
Feb 25 05:19:38 mut-mx-1 postfix/cleanup[9864]: 0B34B4400A0: 
message-id=ofrfeclgtctkpalthwjctaefxrwyp_mrwifpb_qyhswspshayisgy...@mydomain.com
Feb 25 05:19:38 mut-mx-1 postfix/qmgr[24187]: 0B34B4400A0: 
from=accu...@mtnl.net.in, size=52696, nrcpt=1 (queue active)
Feb 25 05:19:38 mut-mx-1 postfix/smtpd[9860]: disconnect from 
mail-in-1.numeezy.com[188.165.154.163]
Feb 25 05:19:39 mut-mx-1 postfix/smtpd[9894]: connect from localhost[127.0.0.1]
Feb 25 05:19:39 mut-mx-1 postfix/smtpd[9894]: 01DCB4400A2: 
client=localhost[127.0.0.1]
Feb 25 05:19:39 mut-mx-1 postfix/cleanup[9864]: 01DCB4400A2: 
message-id=ofrfeclgtctkpalthwjctaefxrwyp_mrwifpb_qyhswspshayisgy...@mydomain.com
Feb 25 05:19:39 mut-mx-1 postfix/smtpd[9894]: disconnect from 
localhost[127.0.0.1]
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 01DCB4400A2: 
from=accu...@mtnl.net.in, size=52912, nrcpt=1 (queue active)
Feb 25 05:19:39 mut-mx-1 amavis[8589]: (08589-03) Passed CLEAN 
{RelayedInbound}, [188.165.154.163]:54450 [182.56.200.64] accu...@mtnl.net.in 
- accu...@mydomain.com, Queue-ID: 0B34B4400A0, Message-ID: 
ofrfeclgtctkpalthwjctaefxrwyp_mrwifpb_qyhswspshayisgy...@mydomain.com, 
mail_id: l5DBpkJG4N6C, Hits: 2.87, size: 52695, pt: 9, queued_as: 01DCB4400A2, 
966 ms
Feb 25 05:19:39 mut-mx-1 postfix/smtp[9865]: 0B34B4400A0: 
to=accu...@mydomain.com, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, 
delays=0.17/0/0/0.97, dsn=2.0.0, status=sent (250 2.0.0 from 
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 01DCB4400A2)
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 0B34B4400A0: removed
Feb 25 05:19:39 mut-mx-1 postfix/pipe[9895]: 01DCB4400A2: 
to=accu...@mydomain.com, relay=dovecot, delay=0.04, delays=0.02/0.01/0/0.02, 
dsn=5.4.6, status=bounced (mail forwarding loop for accu...@mydomain.com)
Feb 25 05:19:39 mut-mx-1 postfix/cleanup[9897]: 0E3E04400A0: 
message-id=20140225041939.0e3e0440...@mail.numeezy.com
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 0E3E04400A0: from=, size=3486, 
nrcpt=1 (queue active)
Feb 25 05:19:39 mut-mx-1 postfix/bounce[9896]: 01DCB4400A2: sender non-delivery 
notification: 0E3E04400A0
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 01DCB4400A2: removed
Feb 25 05:19:39 mut-mx-1 postfix/smtp[9898]: 0E3E04400A0: 
to=accu...@mtnl.net.in, relay=37.59.203.171[37.59.203.171]:8025, delay=0.15, 
delays=0.03/0.01/0.02/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
19D241A73BE)
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 0E3E04400A0: removed

I found 5 similar mail in my logs. Each mail is sent from a different IP but 
each time the first part of sender email is the same as recipient 
(from=accu...@mtnl.net.in to  accu...@mydomain.com in my example).
I don't know if that matters, but I smell like Spam although Amavis says it's 
clean

I think I'm in the case discussed here :
http://forum.spamcop.net/forums/lofiversion/index.php/t10734.html

Do you think I can be a backscatter source ?
Your advice is greatly appreciated.

Thanks.

Alexandre
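
Added example (not part of the original post): detection logic for the pattern visible in the log above, where a message is accepted and queued, bounced later with "mail forwarding loop", and the non-delivery notification is then sent to the envelope sender over SMTP. When that sender address is forged, the notification is backscatter. The host name mx1, the queue IDs, the addresses and the log lines are constructed, modelled on the log in the post.

```python
import re

ENTRY = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{8,}): (?P<rest>.*)")
NDN = re.compile(r"sender non-delivery notification: ([0-9A-F]{8,})")
FIELD = re.compile(r"(\w+)=<?([^>,\s]*)>?")   # key=value or key=<value>


def loop_bounce_backscatter(log_lines):
    """Find loop bounces whose notification left the host over SMTP.

    Returns one dict per case: the queue ID of the bounced message, its
    recipient and claimed envelope sender, and where the notification went.
    """
    senders, loop_bounced, ndn_for, smtp_sent = {}, {}, {}, {}
    for line in log_lines:
        m = ENTRY.search(line)
        if m is None:
            continue
        daemon, qid, rest = m["daemon"], m["qid"], m["rest"]
        fields = dict(FIELD.findall(rest))
        if daemon == "qmgr" and "from" in fields:
            senders[qid] = fields["from"]
        elif fields.get("status") == "bounced" and "mail forwarding loop" in rest:
            loop_bounced[qid] = fields.get("to", "")
        elif daemon == "bounce" and NDN.search(rest):
            ndn_for[qid] = NDN.search(rest).group(1)
        elif daemon == "smtp" and fields.get("status") == "sent":
            smtp_sent[qid] = (fields.get("to", ""), fields.get("relay", ""))

    findings = []
    for qid, recipient in loop_bounced.items():
        ndn = ndn_for.get(qid)
        if ndn in smtp_sent:
            sent_to, relay = smtp_sent[ndn]
            findings.append({
                "queue_id": qid,
                "recipient": recipient,
                "claimed_sender": senders.get(qid, ""),
                "ndn_queue_id": ndn,
                "ndn_sent_to": sent_to,
                "ndn_relay": relay,
            })
    return findings


# Constructed log lines modelled on the post: one loop bounce with an
# outbound notification, and one ordinary successful delivery.
SAMPLE_LOG = """\
Feb 25 05:19:39 mx1 postfix/qmgr[24187]: 1A2B3C4D5E6: from=<someone@remote.example>, size=52912, nrcpt=1 (queue active)
Feb 25 05:19:39 mx1 postfix/pipe[9895]: 1A2B3C4D5E6: to=<user@mydomain.example>, relay=dovecot, delay=0.04, delays=0.02/0.01/0/0.02, dsn=5.4.6, status=bounced (mail forwarding loop for user@mydomain.example)
Feb 25 05:19:39 mx1 postfix/qmgr[24187]: 2B3C4D5E6F7: from=<>, size=3486, nrcpt=1 (queue active)
Feb 25 05:19:39 mx1 postfix/bounce[9896]: 1A2B3C4D5E6: sender non-delivery notification: 2B3C4D5E6F7
Feb 25 05:19:39 mx1 postfix/qmgr[24187]: 1A2B3C4D5E6: removed
Feb 25 05:19:39 mx1 postfix/smtp[9898]: 2B3C4D5E6F7: to=<someone@remote.example>, relay=192.0.2.171[192.0.2.171]:8025, delay=0.15, delays=0.03/0.01/0.02/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F0F0F0F0F0)
Feb 25 05:19:40 mx1 postfix/qmgr[24187]: 3C4D5E6F708: from=<friend@remote.example>, size=2048, nrcpt=1 (queue active)
Feb 25 05:19:40 mx1 postfix/pipe[9901]: 3C4D5E6F708: to=<other@mydomain.example>, relay=dovecot, delay=0.03, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
""".splitlines()

if __name__ == "__main__":
    for finding in loop_bounce_backscatter(SAMPLE_LOG):
        print(finding)
```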

Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread sendu
On 17 Oct 2013, at 12:34, Wietse Venema [via Postfix] [Masked] 
fwd_sxh9d...@opayq.com wrote:
 
 
 sendu:
 
   Your mail is bounced because it contains a Delivered-To: header 
   with the address of the recipient. 
   
   Postfix adds this header upon delivery. The above error normally 
   means that you have an email forwarding loop. 
   
   Wietse 
  
  Yes, I already understood that I have a mail forwarding loop 
  according to the error - see the subject line. My question is what 
  is causing it, and how do I solve it? Why didn't the other email 
  suffer the same problem?
 
 Does the Delivered-To: header already exist in the message? If that 
 is the case, you have been forwarding mail back and forth between 
 Postfix and some other server. That is a mail delivery loop.

Well not back and forth between my Postfix server. But in any case, the 
messages in Google's quarantine do indeed already have the Delivered-To header 
prior to delivery. Their suggestion to me was that I turn off the D flag to 
avoid this problem.

How do I turn off the D flag?




--
View this message in context: 
http://postfix.1071664.n5.nabble.com/What-is-causing-this-mail-forwarding-loop-bounce-tp62199p62342.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread ecd6000a
On 18 Oct 2013, at 17:45, Wietse Venema [Masked] wrote:
 Wietse:
 Does the Delivered-To: header already exist in the message? If that 
 is the case, you have been forwarding mail back and forth between 
 Postfix and some other server. That is a mail delivery loop.
 
 Sendu:
 Well not back and forth between my Postfix server. But in any case,
 the messages in Google's quarantine do indeed already have the
 Delivered-To header prior to delivery.
 
 And what put that header in there? If it was added by your own
 system, then you have a broken mail handling architecture.
 
 If you are passing mail between different systems that use the same
 Delivered-To: address, then that also is a broken mail handling
 architecture.

My system isn't doing anything. Google's spam system is adding the header. It 
is outside of my control.

At this point I don't care about absolute correctness. I just want to receive 
my email.

How do I disable the D flag?


Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread Wietse Venema
Wietse:
 Does the Delivered-To: header already exist in the message? If that 
 is the case, you have been forwarding mail back and forth between 
 Postfix and some other server. That is a mail delivery loop.

Sendu:
 Well not back and forth between my Postfix server. But in any case,
 the messages in Google's quarantine do indeed already have the
 Delivered-To header prior to delivery.

And what put that header in there? If it was added by your own
system, then you have a broken mail handling architecture.

If you are passing mail between different systems that use the same
Delivered-To: address, then that also is a broken mail handling
architecture.

Wietse


Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread /dev/rob0
On Fri, Oct 18, 2013 at 09:03:47AM -0700, sendu wrote:
 On 17 Oct 2013, at 12:34, Wietse Venema [via Postfix] [Masked] 
 fwd_sxh9d...@opayq.com wrote:
  sendu:
  
Your mail is bounced because it contains a Delivered-To: header 
with the address of the recipient. 

Postfix adds this header upon delivery. The above error 
normally means that you have an email forwarding loop.
   
   Yes, I already understood that I have a mail forwarding loop 
   according to the error - see the subject line. My question is 
   what is causing it, and how do I solve it? Why didn't the other 
   email suffer the same problem?

AFAICT you have yet to share information which would enable us to 
answer these questions.

  Does the Delivered-To: header already exist in the message? If 
  that is the case, you have been forwarding mail back and forth 
  between Postfix and some other server. That is a mail delivery 
  loop.
 
 Well not back and forth between my Postfix server. But in any case, 
 the messages in Google's quarantine do indeed already have the 
 Delivered-To header prior to delivery. Their suggestion to me was 
 that I turn off the D flag to avoid this problem.

Was that supposed to be Postfix advice? It sounds like it might be a 
reference to the flags setting under COMMAND ATTRIBUTE SYNTAX in 
the Postfix pipe(8) manual.

However, nothing posted upthread seems to indicate that you are 
actually using pipe. Changing pipe settings won't work if you are 
using some other delivery agent. local(8) and virtual(8) have no 
flags.

 How do I turn off the D flag?

What is this D flag? Perhaps you need to go back to the one who 
made the suggestion to you.

I would suggest that you start over with non-verbose logs (and 
perhaps mail headers) which illustrate the problem, and current 
postconf -n output.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread Wietse Venema
ecd60...@opayq.com:
Sendu:
 But in any case, the messages in Google's quarantine do indeed
 already have the Delivered-To header prior to delivery.

Wietse:
 And what put that header in there?

Sendu:
 Google's spam system is adding the header. It is outside of my
 control.

If you are passing mail between different systems that use the same
Delivered-To: address, then that is a broken mail handling architecture.

 At this point I don't care about absolute correctness. I just want
 to receive my email.

 How do I disable the D flag?

The D flag exists only in the pipe(8) daemon and ADDS delivered-to
headers.  That does not appear to be your problem.

The fix is not to use the same domain name in Postfix and Google.
Using the same domain name just causes no end of pain when you
forward mail.

Wietse


Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread sendu
On 18 Oct 2013, at 18:18, /dev/rob0 [via Postfix] [Masked] 
fwd_osgke...@opayq.com wrote:
 
  How do I turn off the D flag? 
 
 What is this D flag? Perhaps you need to go back to the one who 
 made the suggestion to you. 

It was a tech support person quoting the man page for pipe.


 I would suggest that you start over with non-verbose logs (and 
 perhaps mail headers) which illustrate the problem, and current 
 postconf -n output. 

Please read the thread; these have already been supplied.






Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread sendu
On 18 Oct 2013, at 18:29, Wietse Venema [via Postfix] [Masked] 
fwd_lhtv7...@opayq.com wrote:
 
  At this point I don't care about absolute correctness. I just want 
  to receive my email. 
  
  How do I disable the D flag? 
 
 The D flag exists only in the pipe(8) daemon and ADDS delivered-to 
 headers.  That does not appear to be your problem. 

The D flag also enforces loop detection is why the person from Google 
suggested disabling it. How else can I disable loop detection?

(And how do I know if I'm using the pipe daemon and it really is or is not the 
problem?)


 The fix is not to use the same domain name in Postfix and Google. 
 Using the same domain name just causes no end of pain when you 
 forward mail.

Google's service is supposed to just be a filter for email sent to me; how can 
I have different domain names in them? Can I just lie to Postfix about what my 
domain is, but still have it deliver mail correctly?








Re: What is causing this mail forwarding loop bounce?

2013-10-18 Thread Wietse Venema
sendu:
 On 18 Oct 2013, at 18:29, Wietse Venema [via Postfix] [Masked] 
 fwd_lhtv7...@opayq.com wrote:
  
   At this point I don't care about absolute correctness. I just want 
   to receive my email. 
   
   How do I disable the D flag? 
  
  The D flag exists only in the pipe(8) daemon and ADDS delivered-to 
  headers.  That does not appear to be your problem. 
 
 The D flag also enforces loop detection, which is why the person from
 Google suggested disabling it. How else can I disable loop detection?

And where does your configuration actually USE the pipe daemon?

Clearly someone has no clue what advice they are giving.

  The fix is not to use the same domain name in Postfix and Google. 
  Using the same domain name just causes no end of pain when you 
  forward mail.
 
 Google's service is supposed to just be a filter for email sent
 to me; how can I have different domain names in them? Can I just
 lie to Postfix about what my domain is, but still have it deliver
 mail correctly?

I do not understand.

- They handle mail for y...@example.com. 

- They add Delivered-To: y...@example.com.

- They forward that mail to your mail server which also claims
  to be example.com.

That would be totally messed up. They should have used something
else (X-Google-Filtered: y...@example.com) and could provide a better
service without breaking down-stream systems.

You can use header_checks to remove the problem header, but I will
not help with implementing such idiocy.

Wietse


Re: What is causing this mail forwarding loop bounce?

2013-10-15 Thread Ansgar Wiechers
On 2013-10-14 sendu wrote:
 I'm using Google's Postini replacement as a spam filter before mail
 gets to my smtp server. I currently have a problem where most emails
 that get spam trapped by Google disappear when I attempt to have them
 delivered. Google gives me the ability to reattempt delivery and I
 have a repeatable case where one example spam always gets bounced by
 my Postfix, and one always comes through fine.
 
 Here are my smtpd logs from a case where I tried to deliver the 2 spam
 emails seconds apart; the first one failed and the second one worked:
 
 http://pastebin.com/XUYR4ZDe

Please do not enable verbose logging unless specifically asked to.
Normal Postfix logging usually suffices for troubleshooting delivery
problems.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: What is causing this mail forwarding loop bounce?

2013-10-15 Thread sendu
Here's another delivery attempt, this time with all verbose logging turned
off:

http://pastebin.com/TtyDXKBX

It bounces; I don't know why. Is there any way to find out?





Re: What is causing this mail forwarding loop bounce?

2013-10-15 Thread Charles Marcus

On 2013-10-15 10:01 AM, sendu ecd60...@opayq.com wrote:

Here's another delivery attempt, this time with all verbose logging turned
off:

http://pastebin.com/TtyDXKBX


Please post such things inline in the email body, many people will not 
click on links to unknown destinations...



It bounces; I don't know why. Is there any way to find out?


Maybe follow the instructions you received in the welcome message? Ie, 
provide postconf -n output for starters?


--

Best regards,

*/Charles/*


Re: What is causing this mail forwarding loop bounce?

2013-10-15 Thread Wietse Venema
sendu:
 Here's another delivery attempt, this time with all verbose logging turned
 off:
 
 http://pastebin.com/TtyDXKBX
 
 It bounces; I don't know why. Is there any way to find out?

This is the error message:

Oct 15 14:58:40 64x2 postfix/local[9029]: D67363381FE: to=se...@x.me.uk, relay=local, delay=0.6, delays=0.56/0.02/0/0.02, dsn=5.4.6, status=bounced (mail forwarding loop for se...@x.me.uk)

(with X instead of sendu to make life harder for scrapers).

Your mail is bounced because it contains a Delivered-To: header
with the address of the recipient.

Postfix adds this header upon delivery. The above error normally
means that you have an email forwarding loop.

Wietse


Re: What is causing this mail forwarding loop bounce?

2013-10-15 Thread sendu
 Your mail is bounced because it contains a Delivered-To: header
 with the address of the recipient.
 
 Postfix adds this header upon delivery. The above error normally
 means that you have an email forwarding loop.
 
 Wietse 

Yes, I already understood that I have a mail forwarding loop according to the 
error - see the subject line. My question is what is causing it, and how do I 
solve it? Why didn't the other email suffer the same problem?

Here are the logs for the successful delivery of a message from Google 
quarantine:

Oct 15 15:25:21 64x2 postfix/smtpd[9455]: sql auxprop plugin using mysql engine
Oct 15 15:25:21 64x2 postfix/smtpd[9455]: connect from mail-qe0-f77.google.com[209.85.128.77]
Oct 15 15:25:22 64x2 postfix/smtpd[9455]: 6D2783381FE: client=mail-qe0-f77.google.com[209.85.128.77]
Oct 15 15:25:22 64x2 postfix/cleanup[9422]: 6D2783381FE: message-id=725921480.7881521381574873880.JavaMail.root@ip-10-204-86-63.ec2.internal
Oct 15 15:25:22 64x2 postfix/qmgr[21535]: 6D2783381FE: from=fwd_tfomi...@opayq.com, size=6950, nrcpt=1 (queue active)
Oct 15 15:25:22 64x2 postfix/local[9456]: 6D2783381FE: to=ecd60...@opayq.com, relay=local, delay=0.36, delays=0.33/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Oct 15 15:25:22 64x2 postfix/qmgr[21535]: 6D2783381FE: removed
Oct 15 15:25:22 64x2 postfix/smtpd[9455]: disconnect from mail-qe0-f77.google.com[209.85.128.77]

What might be special about the problematic email?






Re: What is causing this mail forwarding loop bounce?

2013-10-15 Thread Wietse Venema
sendu:
  Your mail is bounced because it contains a Delivered-To: header
  with the address of the recipient.
  
  Postfix adds this header upon delivery. The above error normally
  means that you have an email forwarding loop.
  
  Wietse 
 
 Yes, I already understood that I have a mail forwarding loop
 according to the error - see the subject line. My question is what
 is causing it, and how do I solve it? Why didn't the other email
 suffer the same problem?

Does the Delivered-To: header already exist in the message? If that
is the case, you have been forwarding mail back and forth between
Postfix and some other server. That is a mail delivery loop.

If the Delivered-To: header does not already exist in the message
before Postfix receives it, then YOU have configured Postfix to
forward mail to itself.  Don't do that.

 Here are the logs for the successful delivery of a message from Google 
 quarantine:
 
 Oct 15 15:25:21 64x2 postfix/smtpd[9455]: sql auxprop plugin using mysql engine
 Oct 15 15:25:21 64x2 postfix/smtpd[9455]: connect from mail-qe0-f77.google.com[209.85.128.77]
 Oct 15 15:25:22 64x2 postfix/smtpd[9455]: 6D2783381FE: client=mail-qe0-f77.google.com[209.85.128.77]
 Oct 15 15:25:22 64x2 postfix/cleanup[9422]: 6D2783381FE: message-id=725921480.7881521381574873880.JavaMail.root@ip-10-204-86-63.ec2.internal
 Oct 15 15:25:22 64x2 postfix/qmgr[21535]: 6D2783381FE: from=fwd_tfomi...@opayq.com, size=6950, nrcpt=1 (queue active)
 Oct 15 15:25:22 64x2 postfix/local[9456]: 6D2783381FE: to=ecd60...@opayq.com, relay=local, delay=0.36, delays=0.33/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
 Oct 15 15:25:22 64x2 postfix/qmgr[21535]: 6D2783381FE: removed
 Oct 15 15:25:22 64x2 postfix/smtpd[9455]: disconnect from mail-qe0-f77.google.com[209.85.128.77]
 
 What might be special about the problematic email?

Obviously, this message has taken a different path than the
one that does bounce.  Maybe you can figure out the difference
between the mail paths that bounce and the ones that don't bounce.

That difference is responsible for the problem.

Wietse


What is causing this mail forwarding loop bounce?

2013-10-14 Thread sendu
I'm using Google's Postini replacement as a spam filter before mail gets to
my smtp server. I currently have a problem where most emails that get spam
trapped by Google disappear when I attempt to have them delivered. Google
gives me the ability to reattempt delivery and I have a repeatable case
where one example spam always gets bounced by my Postfix, and one always
comes through fine.

Here are my smtpd logs from a case where I tried to deliver the 2 spam
emails seconds apart; the first one failed and the second one worked:

http://pastebin.com/XUYR4ZDe

Here's another attempt to deliver the same problematic email, this time with
-v verbosity added to just about everything in /etc/postfix/master.cf:

http://pastebin.com/ENkgTXz6

AFAICT, everything seems to go normally but then I get:
send attr reason = mail forwarding loop for se...@sendu.me.uk
and it eventually bounces.

My postconf -n:
postconf -n
address_verify_relayhost =
alias_database = hash:/etc/mail/aliases
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = //usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
default_destination_concurrency_limit = 2
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = sendu.me.uk
myhostname = 64x2.sendu.me.uk
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
relayhost = outbound.mailhop.org
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/private/sendu.me.uk.crt
smtp_tls_key_file = /etc/ssl/private/sendu.me.uk.decrypted.key
smtp_tls_loglevel = 0
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_client_access cidr:/etc/postfix/allowed_clients.cidr, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/sendu.me.uk.crt
smtpd_tls_key_file = /etc/ssl/private/sendu.me.uk.decrypted.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:$vmail-gid
virtual_mailbox_base = /
virtual_mailbox_domains = mail.sendu.me.uk senduphotography.com bala.me.uk
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:$vmail-uid

I'm running Postfix 2.8.4

Any help greatly appreciated. 





Yahoo mail forwarding

2013-07-01 Thread LuKreme
Wondering if anyone else has had this issue with Yahoo.

I have a user who set up his mail to forward to his yahoo account. All of his 
mail (he changed his forwarding from gmail to yahoo) went to yahoo for about a 
month.

About a week after the forward was set up, all mail to yahoo is rejected with a 
554:Con:b1 error. Now, a year or so later, mail to yahoo is sporadic, sometimes 
it sends, sometimes I get a 554 for a couple of days and everything clears up 
for another month or 5.

I never seem to get 421 errors, just 521.

I remember having horrible problems with Yahoo blacklisting any server at the 
drop of a hat about a decade ago, but I thought they'd mostly pulled their heads 
out since then.

Anything I can do on my end for the occasional yahoo emails (the user in 
question switched back to gmail) that will make them happier without too much 
effort on my part?

-- 
When a distinguished but elderly scientist states that something is
possible, he is almost certainly right. When he states that something is
impossible, he is probably wrong.



Re: OT: Mail forwarding services

2013-01-30 Thread Reindl Harald


On 30.01.2013 13:13, Fernando Maior wrote:
 In the area where my office is, internet providers cannot offer us links with 
 fixed ip, only dhcp. I wonder if
 someone in the list knows about a mail forwarder server that can receive 
 emails from my server and forwards them to
 the internet in our behalf.

your provider should have a relayhost

on the other hand: if you receive mails the MX can not
be on a dynamic IP, so why is on the mailserver which
is your MX not a smtpd?






Re: OT: Mail forwarding services

2013-01-30 Thread Jerry
On Wed, 30 Jan 2013 10:13:58 -0200
Fernando Maior articulated:

 In the area where my office is, internet providers cannot offer us
 links with fixed ip, only dhcp. I wonder if someone in the list knows
 about a mail forwarder server that can receive emails from my server
 and forwards them to the internet in our behalf.

Perhaps something like this is what you are looking for:

http://dyn.com/

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html


Re: OT: Mail forwarding services

2013-01-30 Thread Stan Hoeppner
On 1/30/2013 6:13 AM, Fernando Maior wrote:
 Hello All,
 
 In the area where my office is, internet providers cannot offer us links
 with fixed ip, only dhcp. I wonder if someone in the list knows about a
 mail forwarder server that can receive emails from my server and forwards
 them to the internet in our behalf.

In this case simply configure a relayhost and outbound SASL auth, and
use the provider's submission server.  Basic configuration information
can be found here:
http://www.hardwarefreak.com/postfix-adsl-relay-config.txt

That covers outbound.  With a dynamic IP, how are you receiving mail to
your domain/server?  Are you using a dynamic DNS service?  If so, those
services usually offer mail relaying, albeit for an extra fee.

-- 
Stan



Re: OT: Mail forwarding services

2013-01-30 Thread /dev/rob0
On Wed, Jan 30, 2013 at 10:13:58AM -0200, Fernando Maior wrote:
 In the area where my office is, internet providers cannot offer us 
 links with fixed ip, only dhcp. I wonder if someone in the list 
 knows about a mail forwarder server that can receive emails from my 
 server and forwards them to the internet in our behalf.

Perhaps cheaper, and perhaps better than this: you could get a VPS 
and run your own mail service, both MX and outbound, from there. 
There are many different VPS providers, as well as different 
virtualization technologies they use.

http://en.wikipedia.org/wiki/Virtual_private_server

I wouldn't say a VPS is for everyone: you generally do need to be (or 
to have employed) a competent system administrator, not to mention a 
mail system administrator . But it's also an affordable way to gain
such experience.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: OT: Mail forwarding services

2013-01-30 Thread mouss
On 30/01/2013 13:13, Fernando Maior wrote:
 Hello All,

 In the area where my office is, internet providers cannot offer us links
 with fixed ip, only dhcp. I wonder if someone in the list knows about a
 mail forwarder server that can receive emails from my server and forwards
 them to the internet in our behalf.


well, it really depends on way too many things! how much mail do you
send? are you ready to pay for or are you looking for a free service
(free also means no contractual guarantee)? ... etc.

for a free service, you can try google or other.
if you want something else, many of us here (including $self) can
setup that for you. the richer you are, the more we will make you pay:)
If it's for  a charity org or the like, I'll do that for free (with the
usual things: no mass mail, no stupid sender).


Re: mail forwarding loop from certain spam only

2012-11-29 Thread Ralf Hildebrandt
* Noel Jones postfix-users@postfix.org:
 On 11/28/2012 1:17 PM, Will Yardley wrote:
  [Apologies in advance for the less than complete information below;
  hoping someone may have an idea of what's happening anyway]
  
  I'm having a problem where messages are accepted but then seem to
  generate a mail forwarding loop. It seems to happen a lot with mail from
  a particular spammer.
 
 There was a discussion earlier this month about some spammer
 including a Delivered-To: header in their spam.  Postfix local(8)
 uses this header to detect loops and will bounce messages with a
 Delivered-To: header equal to the current recipient.
 
 Seems likely this is your problem too.
 
 There were some suggestions for dealing with it in that discussion,
 but there is no particularly good solution -- see archives.  The
 best solution is to detect the message as spam and reject it before
 the Delivered-To: header is a factor.

To verify this, use a header_checks entry like:

/^Delivered-To:/ WARN

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich



Re: mail forwarding loop from certain spam only

2012-11-29 Thread Will Yardley
On Wed, Nov 28, 2012 at 04:02:57PM -0600, Noel Jones wrote:
 On 11/28/2012 1:17 PM, Will Yardley wrote:

  I'm having a problem where messages are accepted but then seem to
  generate a mail forwarding loop. It seems to happen a lot with mail
  from a particular spammer.
 
 There was a discussion earlier this month about some spammer including
 a Delivered-To: header in their spam.  Postfix local(8) uses this
 header to detect loops and will bounce messages with a Delivered-To:
 header equal to the current recipient.

Thanks. I was tearing my hair out about this one, and couldn't see
anything really obviously weird in the raw message, but this explanation
makes sense.
 
I will poke through the archives and see if any of the nasty solutions
might help, now that I have an idea of what to look for. Our
architecture is fairly simple, so may be able to just unset
$nested_header_checks and define a header check to block these.

You are right that the messages have 'Delivered-To' headers set to the
user's address, and I can reproduce this behavior with later Postfix
versions as well.

  The To: header in the raw email as viewed in postcat looks like this:
  To: f...@example.edu f...@example.edu
 
 Postfix doesn't use To: headers for delivery, only envelope information.

Right, I understand that, and could see that the env recipient looked
correct in the logs -- it just stood out, esp. since Postfix does seem
to rewrite it before delivering it if I send a test message with similar
headers.
 
  Nov 27 05:05:47 hostname postfix/smtpd[32160]: 0C18B32807B: client=ajaxkottely.info[93.115.135.15]
 
 This client is listed in the zen and barracudacentral RBLs today,
 maybe they weren't listed yet yesterday. You are using some RBLs?

Just an example, but yes, we do use some RBLs, including Zen. We have
classes which allow users to choose a more or less restrictive policy
(or no blocking), but this user does have our recommended class. At this
time, I'm seeing this particular source in zen [from one of our SMTP
servers this morning]:
$ dig 15.135.115.93.zen.spamhaus.org +sh
127.0.0.3

However, my guess is that they've already started sending from other IPs
that aren't blocked in major blocklists - don't see any new mail from
that source today. Also have some messages from back on 31.14.46.16
(also listed) from back on Tues.

w



mail forwarding loop from certain spam only

2012-11-28 Thread Will Yardley
[Apologies in advance for the less than complete information below;
hoping someone may have an idea of what's happening anyway]

I'm having a problem where messages are accepted but then seem to
generate a mail forwarding loop. It seems to happen a lot with mail from
a particular spammer.

The To: header in the raw email as viewed in postcat looks like this:
To: f...@example.edu f...@example.edu

(where f...@example.edu is a valid address which works in other cases;
the unbracketed address isn't quoted, though in my tests, Postfix seems
to fix this by quoting the bare address, so I'm not sure why that's not
the case in the queue file).

Postfix accepts the mail initially, but then the mail gets rejected
(and, since the sender domain resolves to a host which has no mail
server listening, the DSN sits in our queues for days).

Nov 27 05:05:47 hostname postfix/smtpd[32160]: 0C18B32807B: client=ajaxkottely.info[93.115.135.15]
Nov 27 05:05:47 hostname postfix/cleanup[32525]: 0C18B32807B: message-id=673371cd-8f1f-0dc8-cd7d-a4571d4c1...@ajaxkottely.info
Nov 27 05:05:47 hostname postfix/qmgr[7633]: 0C18B32807B: from=medicare.enrollm...@ajaxkottely.info, size=8323, nrcpt=1 (queue active)
Nov 27 05:05:47 hostname postfix/lmtp[31222]: DD086328056: to=f...@example.edu, relay=127.0.0.1[127.0.0.1]:33325, conn_use=2, delay=9.4, delays=1.8/0/0/7.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:33326): 250 2.0.0 Ok: queued as 0C18B32807B)
Nov 27 05:05:47 hostname postfix/local[32177]: 0C18B32807B: to=f...@example.edu, relay=local, delay=0.04, delays=0.02/0.02/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for f...@example.edu)

Unfortunately, I can't post full postconf -n output here (see snippets
below), but suffice it to say that I'm confident that mail to
f...@example.edu works under most conditions. Is there anything I can do
to figure out the cause of this?

Users are defined in LDAP, and in this case, example.edu is *not* a
virtual domain. localhost:33326 is the return from amavis.

mail_version = 2.3.3
alias_maps = proxy:ldap:acct_alias_ldap,
 proxy:ldap:other_alias_ldap,
 hash:/etc/postfix/config/aliases
virtual_alias_maps = hash:/etc/postfix/config/virtusertable

I will try adding the sending host in question to $debug_peer_list to
see if I get any more information. I am happy to provide other debugging
information within reason if it's possible.

w
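
One way to triage these bounces from the mail log, as an added example (not code from the thread): the script joins each dsn=5.4.6 "mail forwarding loop" bounce to the smtpd client and qmgr sender logged under the same queue ID. The sample log is constructed; Postfix logs addresses in angle brackets, which the quoted lines in this archive lack, so the patterns accept both forms.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; hosts, addresses and queue IDs
# are made up and use documentation domains and IP ranges.
SAMPLE_LOG = """\
Nov 27 05:05:47 mx1 postfix/smtpd[32160]: 0C18B32807B: client=mail.example.net[192.0.2.15]
Nov 27 05:05:47 mx1 postfix/cleanup[32525]: 0C18B32807B: message-id=<673371cd@example.net>
Nov 27 05:05:47 mx1 postfix/qmgr[7633]: 0C18B32807B: from=<offers@example.net>, size=8323, nrcpt=1 (queue active)
Nov 27 05:05:47 mx1 postfix/local[32177]: 0C18B32807B: to=<foo@example.edu>, relay=local, delay=0.04, delays=0.02/0.02/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for foo@example.edu)
Nov 27 05:06:10 mx1 postfix/smtpd[32161]: 1A2B3C4D5E6: client=mail.example.org[198.51.100.7]
Nov 27 05:06:10 mx1 postfix/qmgr[7633]: 1A2B3C4D5E6: from=<alice@example.org>, size=2100, nrcpt=1 (queue active)
Nov 27 05:06:10 mx1 postfix/local[32178]: 1A2B3C4D5E6: to=<foo@example.edu>, relay=local, delay=0.1, delays=0.05/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
Nov 27 05:09:02 mx1 postfix/smtpd[32160]: 2F00D1E9A77: client=mail.example.net[192.0.2.15]
Nov 27 05:09:02 mx1 postfix/qmgr[7633]: 2F00D1E9A77: from=<offers@example.net>, size=8410, nrcpt=1 (queue active)
Nov 27 05:09:03 mx1 postfix/local[32177]: 2F00D1E9A77: to=<bar@example.edu>, relay=local, delay=0.05, delays=0.02/0.02/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for bar@example.edu)
"""

# Short (uppercase hex) queue IDs are assumed, as in the logs quoted in the thread.
# Restricting to hex also keeps words such as "warning" from parsing as a queue ID.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
CLIENT = re.compile(r"client=([^\[\s]+)\[([^\]]+)\]")
SENDER = re.compile(r"from=<?([^>,\s]*)>?")
LOOP = re.compile(
    r"to=<?([^>,\s]+)>?,.*dsn=5\.4\.6, status=bounced \(mail forwarding loop"
)


def loop_bounces(log_text):
    """Return one record per forwarding-loop bounce, joined on queue ID."""
    clients, senders, bounced = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue
        service, qid, rest = m.groups()
        if service == "smtpd":
            c = CLIENT.match(rest)
            if c:
                clients[qid] = c.groups()
        elif service == "qmgr":
            s = SENDER.match(rest)
            if s:
                senders[qid] = s.group(1)
        elif service == "local":
            b = LOOP.match(rest)
            if b:
                bounced.append((qid, b.group(1)))
    # Join after the scan so the order of lines within a queue ID does not matter.
    records = []
    for qid, rcpt in bounced:
        host, ip = clients.get(qid, ("unknown", "unknown"))
        records.append({
            "queue_id": qid,
            "client": host,
            "ip": ip,
            "sender": senders.get(qid, "unknown"),
            "rcpt": rcpt,
        })
    return records


def bounces_per_client(records):
    """Count loop bounces per client IP to spot a single source."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    for rec in loop_bounces(SAMPLE_LOG):
        print(rec)
    print(bounces_per_client(loop_bounces(SAMPLE_LOG)))
```

A client that accounts for most loop bounces while other mail to the same recipients is delivered normally points at the Delivered-To: header arriving with the message rather than at a local forwarding misconfiguration.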



Re: Mail forwarding loop

2012-11-12 Thread Daniele Nicolodi
On 10/11/2012 23:58, Noel Jones wrote:
 On 11/10/2012 9:09 AM, Daniele Nicolodi wrote:

 What I observe is that postfix is receiving messages containing a forged
 Delivered-To header that makes postfix think it is seeing a mail
 forwarding loop. The local(8) daemon bounces the messages, but
 those messages are spam and the from addresses are invalid, therefore
 the bounces get stuck in the delivery queue. This is not a problem in
 itself, but I do not like to generate bounces for spam messages.

 If it's just a handful of messages, probably do nothing is the
 best solution.  It's also worth examining the spam to see if there
 is some common feature other than the Delivered-to header you can use
 to reject them.
 
 If you are seeing a lot of these, there is no perfect solution, but
 there are some things you can do.  Do whatever seems to work best in
 your environment, or do nothing.
 
 Separate incoming and outgoing - If you happen to have (or care to
 set up) multiple postfix instances to separate incoming and outgoing
 mail, it is somewhat safe to REJECT incoming internet mail
 containing a Delivered-to @yourdomain.  Don't do this on outgoing
 mail; your users won't be able to forward messages.
 
 Plus-1 loop detection - Use header_checks something like
 /^X-Loop.*@example\.com$/  REJECT
 /^(Delivered-to: .*@example\.com)$/  REPLACE X-Loop-$1
 This will push the loop detection back one loop.  I can imagine
 cases where this will break horribly.
 
 Nuclear option - Remove the Delivered-To header and hope real loops
 get detected by the presence of too many Received: headers before
 something melts.
 /^Delivered-To: .*@example\.com/ IGNORE
 Some forwarding methods alter/remove Received: headers, so this is
 Not Recommended.  Use this as a temporary crutch if you're getting
 hammered with forged headers and can't tell which are legit and
 which aren't.
 
 Run spamassassin sooner - detect spam before local(8) gets the mail
 by using a smtpd_proxy_filter or milter to detect and reject spam
 before it enters your server.  amavisd-new and spamass-milter are
 popular and effective choices.  Note running spamassassin pre-queue
 may require more resources than running it during delivery since
 there's a time limit involved; your server must be able to finish
 scanning the mail before the remote server disconnects.

Hello Noel,

thank you for the detailed response. I think that the delayed loop
detection with header rewriting is the best suited solution in my setup.

Best,
Daniele



Re: Mail forwarding loop

2012-11-12 Thread Daniele Nicolodi
On 10/11/2012 17:52, Sahil Tandon wrote:
 On Sat, 2012-11-10 at 16:09:24 +0100, Daniele Nicolodi wrote:
 ... 
 What I observe is that postfix is receiving messages containing a
 forged Delivered-To header that makes postfix think it is seeing a
 mail forwarding loop. The local(8) daemon bounces the messages, but
 those messages are spam and the from addresses are invalid, therefore
 the bounces get stuck in the delivery queue. This is not a problem in
 itself, but I do not like to generate bounces for spam messages.
 
 See the list archives for previous discussion of this issue.  For
 example:
 
  http://thread.gmane.org/gmane.mail.postfix.user/148887
 
 Read the entire thread before trying to implement the suggested
 solutions.

Hello Sahil,

thank you for your reply. I searched the list archives as previously
suggested, but I found only a thread where no solution was proposed,
somehow I missed this one.

Best,
Daniele



Re: Mail forwarding loop

2012-11-10 Thread Jamie Paul Griffin
/ Daniele Nicolodi wrote on Fri  9.Nov'12 at 11:01:54 +0100 /

 On 09/11/2012 10:35, Jamie Paul Griffin wrote:
  / Daniele Nicolodi wrote on Fri  9.Nov'12 at 10:06:14 +0100 /
  
  On 09/11/2012 08:40, Jamie Paul Griffin wrote:
 
  If you want to use content filtering with postfix, you might have
  better results if you use amavisd-new + spamassassin + clamav. It's
  just a suggestion but it does work well and it's dead easy to
  configure. May I also recommend the unofficial clamav signatures as
  well with my suggested filtering set-up. I believe plenty of postfix
  users have good results with this filtering method.
 
  Hello Jamie,
 
  I do not understand your hint. What does this have to do with incoming
  messages having a bogus Delivered-To header? As far as I know neither
  spamassassin or clamav have a feature that detects those.
 
  Best,
  Daniele
  
  Of course, you're right but having read the follow-ups from others,
  the issue looks as though there is some configuration issue with your
  spamassassin set-up so I thought it might be useful to suggest that
  you try using spamassassin with amavisd-new. I didn't mean to confuse
  you, and my comments may have seemed a bit random so sorry about
  that. :-)
  
 
 Can you please pinpoint the configuration issues you are mentioning? I
 believe my system is configured just right for what it is supposed to do.
 
 Cheers,
 Daniele

It's difficult to know how you've set up your spam filter. Some more 
information would help more.

On the machine I'm using now, I don't use postfix, but I do use spamassassin. I 
have procmail recipes that use spamc to filter the messages. On my Mac I do 
use postfix and use amavisd-new, with spamassassin and clamav. That isn't 
especially relevant to you but it's just to highlight that people use different 
methods - your method isn't clear to me from the information you've posted so 
far. Sorry I can't be more helpful right now. It shouldn't take too long to 
provide a solution with more info. 


Re: Mail forwarding loop

2012-11-10 Thread Daniele Nicolodi
On 10/11/2012 11:16, Jamie Paul Griffin wrote:
 It's difficult to know how you've set up your spam filter. Some more
 information would help more.
 
 On the machine I'm using now, I don't use postfix, but I do use
 spamassassin. I have procmail recipes that use spamc to filter the
 messages. On my Mac I do use postfix and use amavisd-new, with
 spamassassin and clamav. That isn't especially relevant to you but
 it's just to highlight that people use different methods - your
 method isn't clear to me from the information you've posted so far.
 Sorry I can't be more helpful right now. It shouldn't take too long
 to provide a solution with more info.

I don't really get why you would like to help me fix something that is
working just fine. The problem I'm asking advice for is completely
unrelated to spamassassin.

What I observe is that postfix is receiving messages containing a forged
Delivered-To header that makes postfix think it is seeing a mail
forwarding loop. The local(8) daemon bounces the messages, but
those messages are spam and the from addresses are invalid, therefore
the bounces get stuck in the delivery queue. This is not a problem in
itself, but I do not like to generate bounces for spam messages.

Best,
Daniele



Re: Mail forwarding loop

2012-11-10 Thread Sahil Tandon
On Sat, 2012-11-10 at 16:09:24 +0100, Daniele Nicolodi wrote:
 ... 
 What I observe is that postfix is receiving messages containing a
 forged Delivered-To header that makes postfix think it is seeing a
 mail forwarding loop. The local(8) daemon bounces the messages, but
 those messages are spam and the from addresses are invalid, therefore
 the bounces get stuck in the delivery queue. This is not a problem in
 itself, but I do not like to generate bounces for spam messages.

See the list archives for previous discussion of this issue.  For
example:

 http://thread.gmane.org/gmane.mail.postfix.user/148887

Read the entire thread before trying to implement the suggested
solutions.

-- 
Sahil Tandon


Re: Mail forwarding loop

2012-11-10 Thread Noel Jones
On 11/10/2012 9:09 AM, Daniele Nicolodi wrote:
 
 What I observe is that postfix is receiving messages containing a forged
 Delivered-To header that makes postfix think it is seeing a mail
 forwarding loop. The local(8) daemon bounces the messages, but
 those messages are spam and the from addresses are invalid, therefore
 the bounces get stuck in the delivery queue. This is not a problem in
 itself, but I do not like to generate bounces for spam messages.
 


If it's just a handful of messages, probably do nothing is the
best solution.  It's also worth examining the spam to see if there
is some common feature other than the Delivered-to header you can use
to reject them.

If you are seeing a lot of these, there is no perfect solution, but
there are some things you can do.  Do whatever seems to work best in
your environment, or do nothing.

Separate incoming and outgoing - If you happen to have (or care to
set up) multiple postfix instances to separate incoming and outgoing
mail, it is somewhat safe to REJECT incoming internet mail
containing a Delivered-to @yourdomain.  Don't do this on outgoing
mail; your users won't be able to forward messages.

Plus-1 loop detection - Use header_checks something like
/^X-Loop.*@example\.com$/  REJECT
/^(Delivered-to: .*@example\.com)$/  REPLACE X-Loop-$1
This will push the loop detection back one loop.  I can imagine
cases where this will break horribly.

Nuclear option - Remove the Delivered-To header and hope real loops
get detected by the presence of too many Received: headers before
something melts.
/^Delivered-To: .*@example.com/ IGNORE
Some forwarding methods alter/remove Received: headers, so this is
Not Recommended.  Use this as a temporary crutch if you're getting
hammered with forged headers and can't tell which are legit and
which aren't.

Run spamassassin sooner - detect spam before local(8) gets the mail
by using a smtpd_proxy_filter or milter to detect and reject spam
before it enters your server.  amavisd-new and spamass-milter are
popular and effective choices.  Note running spamassassin pre-queue
may require more resources than running it during delivery since
there's a time limit involved; your server must be able to finish
scanning the mail before the remote server disconnects.


Good luck.




  -- Noel Jones
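
Whether to act at all depends, per the reply above, on how many of these bounces a server produces. As an added example (not code from the thread), this Python sketch finds "mail forwarding loop" bounces in a mail log, traces each to the client that submitted the message, and reports whether the resulting notification is stuck. The log lines are constructed in the format of the excerpt posted in this thread; host names, queue IDs and function names are hypothetical, and it assumes the pipe-filter setup where the re-injected copy keeps the original Message-ID.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (documentation domains and
# addresses; "mx" and every queue ID are made up for this example).
SAMPLE_LOG = """\
Nov  8 12:35:46 mx postfix/smtpd[2515]: 2ABF060A6: client=unknown[192.0.2.9]
Nov  8 12:35:46 mx postfix/cleanup[2517]: 2ABF060A6: message-id=<m1@spam.example>
Nov  8 12:35:47 mx postfix/pickup[2485]: BCDF560EF: uid=65534 from=<promo@spam.example>
Nov  8 12:35:47 mx postfix/cleanup[2517]: BCDF560EF: message-id=<m1@spam.example>
Nov  8 12:35:47 mx postfix/pipe[2518]: 2ABF060A6: to=<user@example.com>, relay=spamassassin, dsn=2.0.0, status=sent (delivered via spamassassin service)
Nov  8 12:35:47 mx postfix/local[2522]: BCDF560EF: to=<user@example.com>, relay=local, dsn=5.4.6, status=bounced (mail forwarding loop for user@example.com)
Nov  8 12:35:47 mx postfix/bounce[2523]: BCDF560EF: sender non-delivery notification: C0B0160EC
Nov  8 12:35:54 mx postfix/smtp[2512]: C0B0160EC: to=<promo@spam.example>, relay=mx.spam.example[198.51.100.5]:25, dsn=4.1.1, status=deferred (host mx.spam.example[198.51.100.5] said: 450 4.1.1 unknown user)
Nov  8 13:02:10 mx postfix/smtpd[2601]: 3F2A1B77C: client=lists.example.org[203.0.113.20]
Nov  8 13:02:10 mx postfix/cleanup[2603]: 3F2A1B77C: message-id=<m2@example.org>
Nov  8 13:02:11 mx postfix/pickup[2485]: 4A9C0D112: uid=65534 from=<owner@example.org>
Nov  8 13:02:11 mx postfix/cleanup[2603]: 4A9C0D112: message-id=<m2@example.org>
Nov  8 13:02:11 mx postfix/local[2605]: 4A9C0D112: to=<list@example.com>, relay=local, dsn=5.4.6, status=bounced (mail forwarding loop for list@example.com)
Nov  8 13:02:11 mx postfix/bounce[2606]: 4A9C0D112: sender non-delivery notification: 4B00E1F23
Nov  8 13:02:12 mx postfix/smtp[2607]: 4B00E1F23: to=<owner@example.org>, relay=mail.example.org[203.0.113.20]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Nov  8 13:05:00 mx postfix/smtpd[2610]: 5D1E2F3A4: client=mail.example.net[198.51.100.77]
Nov  8 13:05:01 mx postfix/local[2612]: 5D1E2F3A4: to=<user@example.com>, relay=local, dsn=2.0.0, status=sent (delivered to mailbox)
"""

LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")


def loop_bounce_report(log_text):
    """Return one record per message that local(8) bounced as a forwarding loop."""
    client = {}   # queue ID -> connecting client "host[ip]"
    msgid = {}    # queue ID -> Message-ID logged by cleanup(8)
    loops = {}    # queue ID bounced by the loop check -> recipient
    dsn_of = {}   # bounced queue ID -> queue ID of its notification
    status = {}   # queue ID -> last delivery status seen
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.group("daemon", "qid", "rest")
        if daemon == "smtpd" and rest.startswith("client="):
            client[qid] = rest[len("client="):].split(",")[0]
        elif daemon == "cleanup" and rest.startswith("message-id="):
            msgid[qid] = rest[len("message-id="):]
        elif daemon == "bounce":
            n = re.search(r"sender non-delivery notification: ([0-9A-F]+)", rest)
            if n:
                dsn_of[qid] = n.group(1)
        else:
            s = re.search(r"status=(\w+)", rest)
            if s:
                status[qid] = s.group(1)
            loop = re.search(r"\(mail forwarding loop for (\S+)\)", rest)
            if daemon == "local" and loop:
                loops[qid] = loop.group(1)
    # The filter re-injects through pickup(8), so the bounced queue ID has no
    # client= line of its own; join it to the SMTP session by Message-ID.
    by_msgid = {msgid[q]: c for q, c in client.items() if q in msgid}
    report = []
    for qid, rcpt in loops.items():
        note = dsn_of.get(qid)
        report.append({
            "queue_id": qid,
            "recipient": rcpt,
            "client": client.get(qid) or by_msgid.get(msgid.get(qid), "unknown"),
            "notification": note,
            "notification_status": status.get(note, "none"),
        })
    return report


def stuck_backscatter(report):
    """Count, per submitting client, loop bounces whose notification is deferred."""
    return Counter(e["client"] for e in report
                   if e["notification_status"] == "deferred")


if __name__ == "__main__":
    for entry in loop_bounce_report(SAMPLE_LOG):
        print(entry)
    print(dict(stuck_backscatter(loop_bounce_report(SAMPLE_LOG))))
```

A client that shows up repeatedly in the deferred count is a candidate for the earlier rejection options listed above; a notification that was delivered points to a sender that exists, which is worth checking before rejecting anything.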


Re: Mail forwarding loop

2012-11-09 Thread Daniele Nicolodi
On 09/11/2012 08:40, Jamie Paul Griffin wrote:
> / David Rees wrote on Thu  8.Nov'12 at 14:59:01 -0800 /
>
> > On Thu, Nov 8, 2012 at 8:25 AM, Daniele Nicolodi dani...@grinta.net wrote:
> > > I think I have a problem with my simple mail server. I noticed several
> > > bounce mails in the queue, which postfix is unable to deliver.
> >
> > You're seeing the same issue as was posted the other day in the thread
> > Best way to handle a Delivered-To exploit??. Searching the archives
> > similar issues have come up before, but no real good solutions that I
> > could find.
> >
> > -Dave
>
> If you want to use content filtering with postfix, you might have
> better results if you use amavisd-new + spamassassin + clamav. It's
> just a suggestion but it does work well and it's dead easy to
> configure. May I also recommend the unofficial clamav signatures as
> well with my suggested filtering set-up. I believe plenty of postfix
> users have good results with this filtering method.

Hello Jamie,

I do not understand your hint. What does this have to do with incoming
messages having a bogus Delivered-To header? As far as I know neither
spamassassin nor clamav has a feature that detects those.

Best,
Daniele



Re: Mail forwarding loop

2012-11-09 Thread Jamie Paul Griffin
/ Daniele Nicolodi wrote on Fri  9.Nov'12 at 10:06:14 +0100 /

> On 09/11/2012 08:40, Jamie Paul Griffin wrote:
> > / David Rees wrote on Thu  8.Nov'12 at 14:59:01 -0800 /
> >
> > > On Thu, Nov 8, 2012 at 8:25 AM, Daniele Nicolodi dani...@grinta.net wrote:
> > > > I think I have a problem with my simple mail server. I noticed several
> > > > bounce mails in the queue, which postfix is unable to deliver.
> > >
> > > You're seeing the same issue as was posted the other day in the thread
> > > Best way to handle a Delivered-To exploit??. Searching the archives
> > > similar issues have come up before, but no real good solutions that I
> > > could find.
> > >
> > > -Dave
> >
> > If you want to use content filtering with postfix, you might have
> > better results if you use amavisd-new + spamassassin + clamav. It's
> > just a suggestion but it does work well and it's dead easy to
> > configure. May I also recommend the unofficial clamav signatures as
> > well with my suggested filtering set-up. I believe plenty of postfix
> > users have good results with this filtering method.
>
> Hello Jamie,
>
> I do not understand your hint. What does this have to do with incoming
> messages having a bogus Delivered-To header? As far as I know neither
> spamassassin nor clamav has a feature that detects those.
>
> Best,
> Daniele

Of course, you're right but having read the follow-ups from others, the issue 
looks as though there is some configuration issue with your spamassassin set-up 
so I thought it might be useful to suggest that you try using spamassassin with 
amavisd-new. I didn't mean to confuse you, and my comments may have seemed a 
bit random so sorry about that. :-)


Re: Mail forwarding loop

2012-11-09 Thread Daniele Nicolodi
On 09/11/2012 10:35, Jamie Paul Griffin wrote:
> / Daniele Nicolodi wrote on Fri  9.Nov'12 at 10:06:14 +0100 /
>
> > On 09/11/2012 08:40, Jamie Paul Griffin wrote:
> >
> > > If you want to use content filtering with postfix, you might have
> > > better results if you use amavisd-new + spamassassin + clamav. It's
> > > just a suggestion but it does work well and it's dead easy to
> > > configure. May I also recommend the unofficial clamav signatures as
> > > well with my suggested filtering set-up. I believe plenty of postfix
> > > users have good results with this filtering method.
> >
> > Hello Jamie,
> >
> > I do not understand your hint. What does this have to do with incoming
> > messages having a bogus Delivered-To header? As far as I know neither
> > spamassassin nor clamav has a feature that detects those.
> >
> > Best,
> > Daniele
>
> Of course, you're right but having read the follow-ups from others,
> the issue looks as though there is some configuration issue with your
> spamassassin set-up so I thought it might be useful to suggest that
> you try using spamassassin with amavisd-new. I didn't mean to confuse
> you, and my comments may have seemed a bit random so sorry about
> that. :-)
 

Can you please pinpoint the configuration issues you are mentioning? I
believe my system is configured just right for what it is supposed to do.

Cheers,
Daniele



Mail forwarding loop

2012-11-08 Thread Daniele Nicolodi
Hello,

I think I have a problem with my simple mail server. I noticed several
bounce mails in the queue, which postfix is unable to deliver.

 C0B0160EC 12730 Thu Nov  8 12:35:47  MAILER-DAEMON
 (lost connection with eforward5.registrar-servers.com[38.101.213.202] while 
 receiving the initial server greeting)
  
 instant.checkm...@designakeackson.info

All of them destined to what look to be fake addresses. The original
mails that originate the bounce are indeed spam.

On this server I use spamassassin as content filter, which re-injects
the mail into postfix after scanning it via local delivery. Spam is then
discarded via a sieve rule (not bounced).

It looks like postfix detects a mail forwarding loop when the mail is
re-injected by spamassassin via local delivery. Why isn't the loop
detected when the mail is received by the smtpd? I do not like to
generate unnecessary bounce mails. Is this a real problem? How can I fix it?

Here is what I think is a relevant log excerpt:

 # egrep 2ABF060A6\|BCDF560EF\|C0B0160EC\|FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5 
 /var/log/mail.log
 Nov  8 12:35:46 zed postfix/smtpd[2515]: 2ABF060A6: 
 client=designakeackson.info[176.126.174.9]
 Nov  8 12:35:46 zed postfix/cleanup[2517]: 2ABF060A6: 
 message-id=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info
 Nov  8 12:35:46 zed postfix/qmgr[3850]: 2ABF060A6: 
 from=instant.checkm...@designakeackson.info, size=9793, nrcpt=1 (queue 
 active)
 Nov  8 12:35:46 zed spamd[2282]: spamd: processing message 
 fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info for daniele:1000
 Nov  8 12:35:47 zed spamd[2282]: spamd: result: Y 5 - 
 BAYES_50,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_SOFTFAIL,T_FILL_THIS_FORM_SHORT,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL
  
 scantime=1.4,size=9786,user=daniele,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=60966,mid=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info,bayes=0.50,autolearn=no
 Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 
 from=instant.checkm...@designakeackson.info
 Nov  8 12:35:47 zed postfix/cleanup[2517]: BCDF560EF: 
 message-id=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info
 Nov  8 12:35:47 zed postfix/pipe[2518]: 2ABF060A6: to=dani...@grinta.net, 
 relay=spamassassin, delay=1.7, delays=0.24/0.01/0/1.4, dsn=2.0.0, status=sent 
 (delivered via spamassassin service)
 Nov  8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: 
 from=instant.checkm...@designakeackson.info, size=10941, nrcpt=1 (queue 
 active)
 Nov  8 12:35:47 zed postfix/qmgr[3850]: 2ABF060A6: removed
 Nov  8 12:35:47 zed postfix/local[2522]: BCDF560EF: to=dani...@grinta.net, 
 relay=local, delay=0.02, delays=0/0.01/0/0.01, dsn=5.4.6, status=bounced 
 (mail forwarding loop for dani...@grinta.net)
 Nov  8 12:35:47 zed postfix/cleanup[2517]: C0B0160EC: 
 message-id=20121108123547.c0b016...@zed.grinta.net
 Nov  8 12:35:47 zed postfix/bounce[2523]: BCDF560EF: sender non-delivery 
 notification: C0B0160EC
 Nov  8 12:35:47 zed postfix/qmgr[3850]: C0B0160EC: from=, size=12730, 
 nrcpt=1 (queue active)
 Nov  8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: removed
 Nov  8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host 
 eforward3.registrar-servers.com[209.105.246.196] said: 450 4.1.1 
 instant.checkm...@designakeackson.info: Recipient address rejected: 
 unverified address: unknown user: instant.checkm...@designakeackson.info 
 (in reply to RCPT TO command)
 Nov  8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host 
 eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 
 4.3.2 All server ports are busy
 Nov  8 12:35:54 zed postfix/smtp[2512]: C0B0160EC: 
 to=instant.checkm...@designakeackson.info, 
 relay=eforward2.registrar-servers.com[209.105.246.195]:25, delay=7.2, 
 delays=0/0/7/0.17, dsn=4.1.1, status=deferred (host 
 eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 
 instant.checkm...@designakeackson.info: Recipient address rejected: 
 unverified address: unknown user: instant.checkm...@designakeackson.info 
 (in reply to RCPT TO command))
 Nov  8 12:45:42 zed postfix/qmgr[3850]: C0B0160EC: from=, size=12730, 
 nrcpt=1 (queue active)
 Nov  8 12:45:43 zed postfix/smtp[2566]: C0B0160EC: host 
 eforward3.registrar-servers.com[209.105.246.196] refused to talk to me: 421 
 4.3.2 All server ports are busy
 Nov  8 12:46:05 zed postfix/smtp[2566]: C0B0160EC: host 
 eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 
 instant.checkm...@designakeackson.info: Recipient address rejected: 
 unverified address: unknown user: instant.checkm...@designakeackson.info 
 (in reply to RCPT TO command)
 Nov  8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host 
 eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 
 4.3.2 All server ports are busy
 Nov  8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host 
 eforward4.registrar-servers.com[69.160.33.74] refused to talk to me: 421

Re: Mail forwarding loop

2012-11-08 Thread Jeroen Geilman

On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:

> Hello,
>
> I think I have a problem with my simple mail server. I noticed several
> bounce mails in the queue, which postfix is unable to deliver.
>
> C0B0160EC 12730 Thu Nov  8 12:35:47  MAILER-DAEMON
> (lost connection with eforward5.registrar-servers.com[38.101.213.202] while
> receiving the initial server greeting)
>   instant.checkm...@designakeackson.info
>
> All of them destined to what look to be fake addresses. The original
> mails that originate the bounce are indeed spam.
>
> On this server I use spamassassin as content filter, which re-injects
> the mail into postfix after scanning it via local delivery. Spam is then
> discarded via a sieve rule (not bounced).
>
> It looks like postfix detects a mail forwarding loop when the mail is
> re-injected by spamassassin via local delivery. Why isn't the loop
> detected when the mail is received by the smtpd?


Postfix cannot detect a mail loop if it has never seen the message before.
You are not re-injecting the filtered message, you are calling 
sendmail(1), which in turn invokes pickup(8):



> I do not like to
> generate unnecessary bounce mails. Is this a real problem? How can I fix it?
>
> Here is what I think is a relevant log excerpt:



Re: Mail forwarding loop

2012-11-08 Thread Jeroen Geilman

On 11/08/2012 11:12 PM, Jeroen Geilman wrote:

> On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:
>
> > Hello,
> >
> > I think I have a problem with my simple mail server. I noticed several
> > bounce mails in the queue, which postfix is unable to deliver.
> >
> > C0B0160EC 12730 Thu Nov  8 12:35:47 MAILER-DAEMON
> > (lost connection with
> > eforward5.registrar-servers.com[38.101.213.202] while receiving the
> > initial server greeting)
> >
> > instant.checkm...@designakeackson.info
> >
> > All of them destined to what look to be fake addresses. The original
> > mails that originate the bounce are indeed spam.
> >
> > On this server I use spamassassin as content filter, which re-injects
> > the mail into postfix after scanning it via local delivery. Spam is then
> > discarded via a sieve rule (not bounced).
> >
> > It looks like postfix detects a mail forwarding loop when the mail is
> > re-injected by spamassassin via local delivery. Why isn't the loop
> > detected when the mail is received by the smtpd?





And now without thick-fingering CTRL-Enter:

Postfix cannot detect a mail loop if it has never seen the message before.
You are not re-injecting the filtered message, you are (or, rather, SA 
is) calling sendmail(1), which in turn invokes pickup(8):


Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 
from=instant.checkm...@designakeackson.info


This means a different path is followed from the original submission 
over SMTP; sendmail-submitted mail generally lacks features that allow 
such loops to be detected.
In this case, you are using the nobody user to re-submit the message, 
which will throw postfix off further, since it has no MAIL FROM: to 
match it with.


Re-inject the message over a separate smtpd(8) instance instead; the 
content filter loopback will not alter the envelope, thus enabling 
postfix to detect a loop.


smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin - SMTP 
re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin - 
sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.


Note the nobody above.


> > I do not like to
> > generate unnecessary bounce mails. Is this a real problem? How can I
> > fix it?
> >
> > Here is what I think is a relevant log excerpt:


Re: Mail forwarding loop

2012-11-08 Thread Daniele Nicolodi
On 08/11/2012 23:21, Jeroen Geilman wrote:
> Postfix cannot detect a mail loop if it has never seen the message before.
> You are not re-injecting the filtered message, you are (or, rather, SA
> is) calling sendmail(1), which in turn invokes pickup(8):
>
>   Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534
>   from=instant.checkm...@designakeackson.info
>
> This means a different path is followed from the original submission
> over SMTP; sendmail-submitted mail generally lacks features that allow
> such loops to be detected.
> In this case, you are using the nobody user to re-submit the message,
> which will throw postfix off further, since it has no MAIL FROM: to
> match it with.
>
> Re-inject the message over a separate smtpd(8) instance instead; the
> content filter loopback will not alter the envelope, thus enabling
> postfix to detect a loop.
>
> smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin - SMTP
> re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
> sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin -
> sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.
>
> Note the nobody above.

Hello Jeroen,

thank you for your reply, but I do not follow you. My problem is that a
mail forwarding loop is detected where I suppose there should be none,
not the opposite. The same log you quote, imho, shows that a proper FROM
was indeed provided by sendmail, as I believe that Postfix reports the
envelope sender and not the From: header in its logs.

My configuration is basically what is described as Simple content filter
example in the documentation: http://www.postfix.org/FILTER_README.html

Cheers,
Daniele



Re: Mail forwarding loop

2012-11-08 Thread David Rees
On Thu, Nov 8, 2012 at 8:25 AM, Daniele Nicolodi dani...@grinta.net wrote:
> I think I have a problem with my simple mail server. I noticed several
> bounce mails in the queue, which postfix is unable to deliver.

You're seeing the same issue as was posted the other day in the thread
Best way to handle a Delivered-To exploit??. Searching the archives
similar issues have come up before, but no real good solutions that I
could find.

-Dave


Re: Mail forwarding loop

2012-11-08 Thread Jeroen Geilman

On 11/08/2012 11:39 PM, Daniele Nicolodi wrote:

> On 08/11/2012 23:21, Jeroen Geilman wrote:
>
> > Postfix cannot detect a mail loop if it has never seen the message before.
> > You are not re-injecting the filtered message, you are (or, rather, SA
> > is) calling sendmail(1), which in turn invokes pickup(8):
> >
> >   Nov  8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534
> >   from=instant.checkm...@designakeackson.info
> >
> > This means a different path is followed from the original submission
> > over SMTP; sendmail-submitted mail generally lacks features that allow
> > such loops to be detected.
> > In this case, you are using the nobody user to re-submit the message,
> > which will throw postfix off further, since it has no MAIL FROM: to
> > match it with.
> >
> > Re-inject the message over a separate smtpd(8) instance instead; the
> > content filter loopback will not alter the envelope, thus enabling
> > postfix to detect a loop.
> >
> > smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin - SMTP
> > re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.
> > sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin -
> > sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.
> >
> > Note the nobody above.
>
> Hello Jeroen,
>
> thank you for your reply, but I do not follow you. My problem is that a
> mail forwarding loop is detected where I suppose there should be none,
> not the opposite. The same log you quote, imho, shows that a proper FROM
> was indeed provided by sendmail, as I believe that Postfix reports the
> envelope sender and not the From: header in its logs.

Ah, I see. I misread the question, then.
See David's response for a possible explanation.

> My configuration is basically what is described as Simple content filter
> example in the documentation: http://www.postfix.org/FILTER_README.html
>
> Cheers,
> Daniele





--
J.



Re: Mail forwarding loop

2012-11-08 Thread Jamie Paul Griffin
/ David Rees wrote on Thu  8.Nov'12 at 14:59:01 -0800 /

> On Thu, Nov 8, 2012 at 8:25 AM, Daniele Nicolodi dani...@grinta.net wrote:
> > I think I have a problem with my simple mail server. I noticed several
> > bounce mails in the queue, which postfix is unable to deliver.
>
> You're seeing the same issue as was posted the other day in the thread
> Best way to handle a Delivered-To exploit??. Searching the archives
> similar issues have come up before, but no real good solutions that I
> could find.
>
> -Dave

If you want to use content filtering with postfix, you might have better 
results if you use amavisd-new + spamassassin + clamav. It's just a suggestion 
but it does work well and it's dead easy to configure. May I also recommend the 
unofficial clamav signatures as well with my suggested filtering set-up. I 
believe plenty of postfix users have good results with this filtering method. 


SMTP AUTH on alternative port and mail forwarding domains

2011-07-09 Thread Christoph Scheurer
Hello,

I have a mail server with postfix 2.5.5 (Debian lenny) which is serving mail
forwarding domains as described in VIRTUAL_README.html without any problems.
The respective part in main.cf contains (domain name removed):
virtual_alias_domains = 
virtual_alias_maps = cdb:/etc/postfix/virtual

Now I had to set up a SASL-authenticated (just using sasldb) submission
instance on that server on a non-standard port (25025) for a couple of users.
The respective section in master.cf then reads like this:

smtp  inet  n   -   -   -   -   smtpd
25025 inet  n   -   -   -   -   smtpd
   -o smtpd_tls_auth_only=no
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_security_options=noanonymous,noplaintext
   -o smtpd_sasl_local_domain=
   -o broken_sasl_auth_clients=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
   -o content_filter=

With this the standard mail server still works like before and ESMTPA relaying
for the authenticated users also works like expected but for one case: it
bounces for recipients with addresses in the virtual forwarding domains which
should be handled (i.e. mapped) by the server itself.

I have tried to add the virtual_alias_domains and virtual_alias_maps settings
explicitly via -o overwrites to the 25025 service in master.cf, but to no
avail. Turning on verbose messages with -v on the 25025 smtpd shows in the
logs that this smtpd is able to correctly resolve the virtual names in the
section

 CHECKING RECIPIENT MAPS 
...
postfix/smtpd[11296]: maps_find: virtual_alias_maps: 
cdb:/etc/postfix/virtual(0,lock|fold_fix): test@ = test@
postfix/smtpd[11296]: mail_addr_find: test@ - test@

but mail to the address test@ still bounces if submitted via the smtpd
on port 25025 while at the same time it is successfully delivered if injected
via the standard smtpd.

I assumed that for the 25025 smtpd anything which is not overwritten with -o
in master.cf is exactly the same as defined in main.cf, but obviously I must
be missing something here.  Any hint as to what it is is highly appreciated.

Kind regards,

Ch. Scheurer



Re: SMTP AUTH on alternative port and mail forwarding domains

2011-07-09 Thread Noel Jones
On 7/9/2011 10:10 AM, Christoph Scheurer wrote:
> Hello,
>
> I have a mail server with postfix 2.5.5 (Debian lenny) which is serving mail
> forwarding domains as described in VIRTUAL_README.html without any problems.
> The respective part in main.cf contains (domain name removed):
> virtual_alias_domains = 
> virtual_alias_maps = cdb:/etc/postfix/virtual
>
> Now I had to set up a SASL-authenticated (just using sasldb) submission
> instance on that server on a non-standard port (25025) for a couple of users.
> The respective section in master.cf then reads like this:
>
> smtp  inet  n   -   -   -   -   smtpd
> 25025 inet  n   -   -   -   -   smtpd
>    -o smtpd_tls_auth_only=no
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_sasl_security_options=noanonymous,noplaintext
>    -o smtpd_sasl_local_domain=
>    -o broken_sasl_auth_clients=yes
>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>    -o content_filter=
>
> With this the standard mail server still works like before and ESMTPA relaying
> for the authenticated users also works like expected but for one case: it
> bounces for recipients with addresses in the virtual forwarding domains which
> should be handled (i.e. mapped) by the server itself.
>
> I have tried to add the virtual_alias_domains and virtual_alias_maps settings
> explicitly via -o overwrites to the 25025 service in master.cf, but to no
> avail. Turning on verbose messages with -v on the 25025 smtpd shows in the
> logs that this smtpd is able to correctly resolve the virtual names in the
> section
>
>  CHECKING RECIPIENT MAPS 
> ...
> postfix/smtpd[11296]: maps_find: virtual_alias_maps: 
> cdb:/etc/postfix/virtual(0,lock|fold_fix): test@ = test@
> postfix/smtpd[11296]: mail_addr_find: test@ - test@
>
> but mail to the address test@ still bounces if submitted via the smtpd
> on port 25025 while at the same time it is successfully delivered if injected
> via the standard smtpd.
>
> I assumed that for the 25025 smtpd anything which is not overwritten with -o
> in master.cf is exactly the same as defined in main.cf, but obviously I must
> be missing something here.  Any hint as to what it is is highly appreciated.
>
> Kind regards,
>
> Ch. Scheurer
 


Please show us postconf -n output, all non-comment lines
from main.cf, and non-verbose logs illustrating the problem.


  -- Noel Jones


Re: SMTP AUTH on alternative port and mail forwarding domains

2011-07-09 Thread Christoph Scheurer
Hello,

I am replying to myself, because I found the problem:

> smtp  inet  n   -   -   -   -   smtpd
> 25025 inet  n   -   -   -   -   smtpd
>    -o smtpd_tls_auth_only=no
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_sasl_security_options=noanonymous,noplaintext
>    -o smtpd_sasl_local_domain=
>    -o broken_sasl_auth_clients=yes
>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>    -o content_filter=
Here ^ I turned off the content_filter which is not needed
for the SMTP AUTH submissions. I overlooked though that I had specified

receive_override_options = no_address_mappings

in main.cf so virtual mapping would not occur before the content_filter, and
thus never for the additional smtpd listening on 25025. After adding a line

-o receive_override_options=

to it in master.cf now everything works as expected.

Kind regards,

Ch. Scheurer
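
The problem found above is one listener inheriting receive_override_options = no_address_mappings from main.cf while switching the content filter off, so virtual alias mapping never runs for mail received there. The following Python check is an added example (not part of the original post) that computes each smtpd listener's effective settings from main.cf and master.cf text and flags that combination; the content_filter value in the sample main.cf is a placeholder and the function names are hypothetical.

```python
import re

# Constructed main.cf fragment; "filter:dummy" is a placeholder value.
MAIN_CF = """\
content_filter = filter:dummy
receive_override_options = no_address_mappings
virtual_alias_maps = cdb:/etc/postfix/virtual
"""

# master.cf section as posted in the thread (before the fix).
MASTER_BEFORE = """\
smtp      inet  n       -       -       -       -       smtpd
25025     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_local_domain=
  -o broken_sasl_auth_clients=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o content_filter=
"""

# The same section with the one-line fix from the post appended.
MASTER_AFTER = MASTER_BEFORE + "  -o receive_override_options=\n"


def logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments/blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_main_cf(text):
    """Return {parameter: value} for a main.cf fragment."""
    params = {}
    for line in logical_lines(text):
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {"service/type": (command, {override: value})} per master.cf entry."""
    entries = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service definition
        args = fields[8:]
        overrides = {}
        for flag, arg in zip(args, args[1:]):
            if flag == "-o" and "=" in arg:
                key, _, value = arg.partition("=")
                overrides[key] = value
        entries[f"{fields[0]}/{fields[1]}"] = (fields[7], overrides)
    return entries


def unmapped_listeners(main_cf, master_cf):
    """List smtpd listeners that skip address mapping and have no filter after them."""
    main = parse_main_cf(main_cf)
    flagged = []
    for name, (command, overrides) in parse_master_cf(master_cf).items():
        if command != "smtpd":
            continue
        effective = {**main, **overrides}   # -o settings win over main.cf
        options = re.split(r"[,\s]+", effective.get("receive_override_options", ""))
        if "no_address_mappings" in options and not effective.get("content_filter"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("before fix:", unmapped_listeners(MAIN_CF, MASTER_BEFORE))
    print("after fix: ", unmapped_listeners(MAIN_CF, MASTER_AFTER))
```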



Re: Mail forwarding

2011-05-30 Thread pch0317

On 26/05/11 21:46, mouss wrote:

> On 26/05/2011 18:41, pch0317 wrote:
>
> > Hi,
> > I want to forward mail only for one user u...@mydomain.tld to
> > u...@otherdomain.tld.
> >
> > I tried to do it this way:
> > /etc/postfix/virtual:
> >    ...
> >    u...@mydomain.tld u...@mydomain.tld, u...@otherdomain.tld
> >    ...
> >
> > When I send mail to u...@mydomain.tld, it receives the message, but user
> > u...@otherdomain.tld receives 2 identical copies of the mail.
> > How can I send only one copy of the mail to u...@otherdomain.tld?
>
> http://www.postfix.org/FILTER_README.html
> http://www.postfix.org/postconf.5.html#receive_override_options




perfect help

Thanks


Mail forwarding

2011-05-26 Thread pch0317

Hi,
I want to forward mail only for one user u...@mydomain.tld to 
u...@otherdomain.tld.


I try to do it this way:
/etc/postfix/virtual:
  ...
  u...@mydomain.tld u...@mydomain.tld, u...@otherdomain.tld
  ...

When I send mail to u...@mydomain.tld, it receives the message, but user
u...@otherdomain.tld receives 2 identical copies of the mail.

How do I send only one copy of the mail to u...@otherdomain.tld?


Thanks


Re: Mail forwarding

2011-05-26 Thread mouss
On 26/05/2011 18:41, pch0317 wrote:
> Hi,
> I want to forward mail only for one user u...@mydomain.tld to
> u...@otherdomain.tld.
>
> I try to do it this way:
> /etc/postfix/virtual:
>    ...
>    u...@mydomain.tld u...@mydomain.tld, u...@otherdomain.tld
>    ...
>
> When I send mail to u...@mydomain.tld, it receives the message, but user
> u...@otherdomain.tld receives 2 identical copies of the mail.
> How do I send only one copy of the mail to u...@otherdomain.tld?

http://www.postfix.org/FILTER_README.html
http://www.postfix.org/postconf.5.html#receive_override_options




Re: Mail forwarding possible when mailbox_size_limit is reached?

2010-10-24 Thread Axel Freyn
On Sun, Oct 24, 2010 at 09:14:08AM -0400, Wietse Venema wrote:
> > Sending a mail to the test-account with a full mailbox results in
> >
> > postfix/smtpd[29666]: 5A32115CEAA: client=localhost.localdomain[127.0.0.1]
> > postfix/cleanup[29651]: 5A32115CEAA:
> > message-id=20101024125249.gb29...@de
> > postfix/qmgr[28520]: 5A32115CEAA: from=a...@de, size=983, nrcpt=1
> > (queue active)
> > postfix/smtpd[29666]: disconnect from localhost.localdomain[127.0.0.1]
> > postfix/local[29650]: 5A32115CEAA: to=a...@de, relay=local,
> > delay=0.01, delays=0/0/0/0, dsn=4.2.2, status=SOFTBOUNCE (cannot update
> > mailbox /var/mail/abf for user abf. error writing message: File too large)
> >
> > (again, postfix does not forward the mail)
>
> Try without soft bounce (and without EX_TEMPFAIL).

Thanks -- that was the problem! Now everything works as expected :-)
Besides, I just checked: with soft_bounce=no, the order of the entries
in .forward or /etc/aliases is NOT important -- the mails are always
forwarded, even when the local mailbox is larger than
mailbox_size_limit.

Thank you!

Axel


Mail forwarding possible when mailbox_size_limit is reached?

2010-10-23 Thread Axel Freyn

Hi,


We are using both mail forwarding (with an alias_database and
$HOME/.forward - files), and a mailbox_size_limit for the user
mailboxes. The local delivery is done by postfix/local.

The problem now is: If the mailbox is full, also the forwarding does not work
anymore -- postfix/local generates a SOFTBOUNCE before trying to forward the
mail:

postfix/smtpd[12341]: A9B8515C6F8: client=localhost.localdomain[127.0.0.1]
postfix/cleanup[12335]: A9B8515C6F8: 
message-id=20101022181430.e253115c...@...de
postfix/qmgr[5039]: A9B8515C6F8: from=r...@de, size=855, nrcpt=1 (queue 
active)
postfix/local[12342]: A9B8515C6F8: to=a...@de, relay=local, delay=1, 
delays=0/0.01/0/1, dsn=4.2.0, status=SOFTBOUNCE (can't create user output file. 
Command output: procmail: Error while writing to /var/mail/abf )


When there is space left in the mailbox, the mail is locally delivered and then
also forwarded correctly:

postfix/qmgr[5039]: A9B8515C6F8: from=r...@de, size=855, nrcpt=1 (queue 
active)
postfix/local[12401]: A9B8515C6F8: to=a...@.de, relay=local, delay=425, 
delays=425/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command: 
/usr/bin/procmail -a $EXTENSION)
postfix/local[12401]: A9B8515C6F8: to=a...@.de, relay=local, delay=425, 
delays=425/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as B4E2015C0FA)
postfix/qmgr[5039]: A9B8515C6F8: removed


Is there an (easy) way how I could convince postfix to forward mails
also if local delivery is impossible due to mailbox_size_limit? E.g.
exchanging the order (first forwarding, then delivery in the local
mailbox (and this local delivery maybe followed by the SOFTBOUNCE))
would be perfect for me. (Then it would be possible to distribute
automatic warn messages to users whose mailbox is full).

The configuration:

service local is defined in master.cf as:
local unix  -   n   n   -   -   local

The relevant parts of postconf -n (except myhostname, the
command directories, ...):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
content_filter = smtp:[127.0.0.1]:10024
default_transport = uucp
inet_interfaces = localhost
mailbox_command = /usr/bin/procmail -a $EXTENSION
mailbox_size_limit = 10240
message_size_limit = 3024
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
recipient_delimiter = +
relayhost = shuttle
sender_canonical_maps = hash:/etc/postfix/sender_canonical
soft_bounce = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550



Axel


Re: Mail forwarding possible when mailbox_size_limit is reached?

2010-10-23 Thread Wietse Venema
Axel Freyn:
 
 Hi,
 
 
 We are using both mail forwarding (with an alias_database and
 $HOME/.forward - files), and a mailbox_size_limit for the user
 mailboxes. The local delivery is done by postfix/local.
 
 The problem now is: If the mailbox is full, also the forwarding does not work
 anymore -- postfix/local generates a SOFTBOUNCE before trying to forward the
 mail:
 
 postfix/smtpd[12341]: A9B8515C6F8: client=localhost.localdomain[127.0.0.1]
 postfix/cleanup[12335]: A9B8515C6F8: 
 message-id=20101022181430.e253115c...@...de
 postfix/qmgr[5039]: A9B8515C6F8: from=r...@de, size=855, nrcpt=1 (queue 
 active)
 postfix/local[12342]: A9B8515C6F8: to=a...@de, relay=local, delay=1, 
 delays=0/0.01/0/1, dsn=4.2.0, status=SOFTBOUNCE (can't create user output 
 file. Command output: procmail: Error while writing to /var/mail/abf )
 

I see no Postfix errors here.

PROCMAIL updates the mailbox (and fails because of the limit) before
PROCMAIL forwards the message.

Wietse


Re: Mail forwarding possible when mailbox_size_limit is reached?

2010-10-23 Thread Jeroen Geilman

On 10/23/2010 01:15 PM, Axel Freyn wrote:

Hi,


We are using both mail forwarding (with an alias_database and
$HOME/.forward - files), and a mailbox_size_limit for the user
mailboxes. The local delivery is done by postfix/local.
   


No it's not.



mailbox_command = /usr/bin/procmail -a $EXTENSION
   


Procmail does local mailbox delivery.

--
J.



Re: Mail forwarding possible when mailbox_size_limit is reached?

2010-10-23 Thread Axel Freyn

Hi,
On Sat, Oct 23, 2010 at 08:02:08AM -0400, Wietse Venema wrote:
  We are using both mail forwarding (with an alias_database and
  $HOME/.forward - files), and a mailbox_size_limit for the user
  mailboxes. The local delivery is done by postfix/local.
  
  The problem now is: If the mailbox is full, also the forwarding does not 
  work
  anymore -- postfix/local generates a SOFTBOUNCE before trying to forward the
  mail:
  
  postfix/smtpd[12341]: A9B8515C6F8: client=localhost.localdomain[127.0.0.1]
  postfix/cleanup[12335]: A9B8515C6F8: 
  message-id=20101022181430.e253115c...@...de
  postfix/qmgr[5039]: A9B8515C6F8: from=r...@de, size=855, nrcpt=1 
  (queue active)
  postfix/local[12342]: A9B8515C6F8: to=a...@de, relay=local, delay=1, 
  delays=0/0.01/0/1, dsn=4.2.0, status=SOFTBOUNCE (can't create user output 
  file. Command output: procmail: Error while writing to /var/mail/abf )
  
 
 I see no Postfix errors here.
 
 PROCMAIL updates the mailbox (and fails because of the limit) before
 PROCMAIL forwards the message.

Thanks for your fast reply! 
Probably my mail was not clear: I agree, there is no error due to
Postfix. It probably behaves as it is configured and as it should (but:
not as I would like it to behave in this situation ;-))

Let's assume I have a $HOME/.forward which forwards mails for abf to
the external mail address axel-fr...@gmx.de, and keeps a local copy in
/var/mail/abf.

Then I would like to have the behaviour:

a) If the mailbox_size_limit for /var/mail/abf is NOT reached:
   - a copy of the mail is stored locally in /var/mail/abf 
(that is done by Procmail, I think?)
   - a copy of the mail is forwarded to axel-fr...@gmx.de (with a new ID
 (here: B4E2015C0FA). 
(that is done by postfix/local?)

b) If the mailbox_size_limit for /var/mail/abf IS reached:
   - local delivery to /var/mail/abf fails, (maybe creating a
 SOFTBOUNCE)
   - nevertheless, a copy of the mail is forwarded to axel-fr...@gmx.de.

However, I did not succeed to obtain the second case. As my Postfix is
configured now, it first tries to do the local delivery using procmail,
and it stops the complete delivery process if procmail fails. So, if the
mailbox_size_limit IS reached, postfix does NOT forward the mail to
axel-fr...@gmx.de.


So maybe my question could be reformulated as:
Can I tell Postfix: FIRST do all forwarding ($HOME/.forward and
/etc/aliases), and THEN pass the mail to procmail?

That would result in my desired effect:
 - Mails are ALWAYS forwarded -- even when the local mailbox is full
 - Mails are locally delivered if the local mailbox_limit is not reached
   If the local mailbox is full, this local copy of the mail is
   returned with a Softbounce.

Axel


Re: Mail forwarding possible when mailbox_size_limit is reached?

2010-10-23 Thread Wietse Venema
Wietse:
 PROCMAIL updates the mailbox (and fails because of the limit) before
 PROCMAIL forwards the message.

Axel Freyn:
 Thanks for your fast reply! 
 Probably my mail was not clear: I agree, there is no error due to
 Postfix. It probably behaves as it is configured and as it should (but:
 not as I would like it to behave in this situation ;-))
 
 Let's assume I have a $HOME/.forward which forwards mails for abf to
 the external mail address axel-fr...@gmx.de, and keeps a local copy in
 /var/mail/abf.
 
 Then I would like to have the behaviour:
 
 a) If the mailbox_size_limit for /var/mail/abf is NOT reached:
- a copy of the mail is stored locally in /var/mail/abf 
   (that is done by Procmail, I think?)
- a copy of the mail is forwarded to axel-fr...@gmx.de (with a new ID
  (here: B4E2015C0FA). 
   (that is done by postfix/local?)
 
 b) If the mailbox_size_limit for /var/mail/abf IS reached:
- local delivery to /var/mail/abf fails, (maybe creating a
  SOFTBOUNCE)
- nevertheless, a copy of the mail is forwarded to axel-fr...@gmx.de.
 
 However, I did not succeed to obtain the second case. As my Postfix is

Well, the problem was that PROCMAIL delivered to mailbox BEFORE
forwarding, so don't make that same mistake with ~/.forward.

Instead, deliver to mailbox AFTER forwarding.

~/.forward:
axel-fr...@gmx.de
# Postfix local(8) mailbox delivery.
abf
# procmail mailbox delivery with soft_bounce.
# |/some/where/procmail ...procmail_arguments... || exit 75

(Status 75 is defined in /usr/include/sysexits.h as EX_TEMPFAIL).

Wietse


Incorrect mail forwarding with virtual_alias_maps LDAP

2010-06-17 Thread j...@scusting.com

Hi,

I have inherited a postfix MDA that I'm just trying to understand and we 
currently have a problem with the forwarding of emails using LDAP lookups.


Currently an email is forwarded if it matches the below map:

virtual_alias_maps = ldap:ldapforward
ldapforward_query_filter = (&(|(mail=%s)(mailalternateaddress=%s))(mailforwardingaddress=*))

ldapforward_result_attribute = mailforwardingaddress

Now if we have the following 2 LDAP users:

mail=...@somedomain.com

mail=f...@somedomain.com
mailalternateaddress=catch...@somedomain.com
mailforwardingaddress=f...@elsewhere.com

The initial lookup doesn't match against bob as he has no mailforward,
but then the postfix catchall lookup matches against the 2nd address and
forwards the email that should have gone to bob.


What's the solution for this setup?  How do I stop LDAP filters matching
the catchall mailbox when a more specific one exists without a mailforward?


We will need to do similar things to this later with AV & anti-spam
where we will need to match against bob and only match against catchall
when there is no bob email account etc. I have been searching but haven't
found solutions to this problem, I'm guessing we are doing it wrong if
others don't have this issue.


Thanks in advance.

Jim.



Re: Incorrect mail forwarding with virtual_alias_maps LDAP

2010-06-17 Thread Wietse Venema
j...@scusting.com:
 Hi,
 
 I have inherited a postfix MDA that I'm just trying to understand and we 
 currently have a problem with the forwarding of emails using LDAP lookups.
 
 Currently an email is forwarded if it matches the below map:
 
 virtual_alias_maps = ldap:ldapforward
 ldapforward_query_filter = (&(|(mail=%s)(mailalternateaddress=%s))(mailforwardingaddress=*))
 ldapforward_result_attribute = mailforwardingaddress
 
 Now if we have the following 2 LDAP users:
 
 mail=...@somedomain.com
 
 mail=f...@somedomain.com
 mailalternateaddress=catch...@somedomain.com
 mailforwardingaddress=f...@elsewhere.com
 
 The initial lookup doesn't match against bob as he has no mailforward,
 but then the postfix catchall lookup matches against the 2nd address and
 forwards the email that should have gone to bob.
 
 What's the solution for this setup?  How do I stop LDAP filters matching
 the catchall mailbox when a more specific one exists without a mailforward?

This requires a one-to-one virtual alias mapping:

b...@example.com -> b...@example.com

By design, virtual aliasing stops when a right-hand side address
matches the left-hand side (of course it also stops when a right-hand
side address fails to match the virtual alias table).

Wietse
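
The rule stated in this reply (an address with no entry of its own falls through to the catch-all, and expansion stops when a right-hand side equals the left-hand side) can be seen in a small model. This is an added example, not code from the thread or from Postfix: the table entries are constructed, the function names are hypothetical, and the lookup order is reduced to full address first, then the @domain key.

```python
# Simplified model of virtual alias expansion (assumption: only two lookup
# keys are tried, the full address and then "@domain").

# Constructed tables: a catch-all that forwards off-site, without and with
# a one-to-one entry for bob.
CATCHALL_ONLY = {"@example.com": ["fred@elsewhere.example"]}
WITH_IDENTITY = {
    "@example.com": ["fred@elsewhere.example"],
    "bob@example.com": ["bob@example.com"],
}


def lookup(table, address):
    """Try the full address first, then the @domain catch-all key."""
    address = address.lower()
    if address in table:
        return table[address]
    return table.get("@" + address.partition("@")[2])


def expand(table, address):
    """Expand one recipient through the alias table to its final addresses."""
    final, todo, seen = [], [address.lower()], set()
    while todo:
        current = todo.pop(0)
        if current in seen:          # already expanded; also guards alias cycles
            continue
        seen.add(current)
        targets = lookup(table, current)
        if targets is None:          # right-hand side matches nothing: stop
            final.append(current)
            continue
        for target in (t.lower() for t in targets):
            if target == current:    # right-hand side equals left-hand side: stop
                final.append(target)
            else:
                todo.append(target)
    return final


if __name__ == "__main__":
    for name, table in (("catch-all only", CATCHALL_ONLY),
                        ("with identity entry", WITH_IDENTITY)):
        print(name, "->", expand(table, "bob@example.com"))
```
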


Received: headers and mail forwarding loops

2009-07-31 Thread Stefan Förster
When I submit a mail to my Postfix server (using SASL auth over a TLS
connection), Postfix adds the following received header:

 Received: from aletheia.cite.lan (33.33.33.333.dynamic.cablesurf.de
[33.33.33.333]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested) by mail.incertum.net (Postfix) with
ESMTPSA for c...@example.net; Fri, 31 Jul 2009 23:42:33 +0200 (CEST)

This is working as expected. If I create a new mail and forcibly
insert the above header before I submit it, I get a NDR saying that
there is a mail forwarding loop for c...@example.net - which is
exactly what I expected, but I'm not 100% sure how this mechanism
works. So my question is:

Does Postfix compare both the sending host _and_ the recipient address
in Received: headers? If not, with regard to Received: headers,
which (if any) information is compared to detect a mail forwarding
loop?


Cheers
Stefan


Re: Received: headers and mail forwarding loops

2009-07-31 Thread Wietse Venema
Stefan Förster:
 When I submit a mail to my Postfix server (using SASL auth over a TLS
 connection), Postfix adds the following received header:
 
  Received: from aletheia.cite.lan (33.33.33.333.dynamic.cablesurf.de
 [33.33.33.333]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 
 bits))
 (No client certificate requested) by mail.incertum.net (Postfix) with
 ESMTPSA for c...@example.net; Fri, 31 Jul 2009 23:42:33 +0200 (CEST)
 
 This is working as expected. If I create a new mail and forcibly
 insert the above header before I submit it, I get a NDR saying that
 there is a mail forwarding loop for c...@example.net - which is

As documented, Postfix uses Delivered-To: headers for loop detection.

Local delivery agent:
=
prepend_delivered_header (default: command, file, forward)
   The message delivery contexts where the Postfix local(8) delivery agent
   prepends a Delivered-To:  message header with the address that the mail
   was delivered to. This information  is  used  for  mail  delivery  loop
   detection.

   By  default,  the Postfix local delivery agent prepends a Delivered-To:
   header when forwarding mail and when delivering to file  (mailbox)  and
   command.  Turning  off the Delivered-To: header when forwarding mail is
   not recommended.

   Specify zero or more of forward, file, or command.

   Example:

   prepend_delivered_header = forward

Pipe delivery agent:

   flags=BDFORXhqu. (optional)
  Optional message processing flags.  By  default,  a  message  is
  copied unchanged.

  ...

  D  Prepend  a  Delivered-To: recipient message header with
 the envelope recipient address. Note: for this  to  work,
 the  transport_destination_recipient_limit must be 1 (see
 SINGLE-RECIPIENT DELIVERY above for details).

 The D flag also enforces loop detection (Postfix 2.5  and
 later):  if  a  message  already contains a Delivered-To:
 header with the same recipient address, then the  message
 is  returned  as undeliverable. The address comparison is
 case insensitive.

Wietse

 exactly what I expected, but I'm not 100% sure how this mechanism
 works. So my question is:
 
 Does Postfix compare both the sending host _and_ the recipient address
 in Received: headers? If not, with regard to Received: headers,
 which (if any) information is compared to detect a mail forwarding
 loop?
 
 
 Cheers
 Stefan
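
The distinction drawn in the reply above, that loop detection looks at Delivered-To: and not at Received:, is shown here as a small model. This is an added example, not code from the thread or from Postfix: the messages and addresses are constructed, the function names are hypothetical, and the comparison is the case-insensitive one described in the quoted pipe(8) text.

```python
from email import message_from_string
from email.message import Message

# Constructed test messages: one with only a pasted Received: header that
# names the recipient, one that also carries a pasted Delivered-To: header.
PASTED_RECEIVED = (
    "Received: from client.example (client.example [192.0.2.10])\n"
    "\tby mail.example.net (Postfix) with ESMTPSA\n"
    "\tfor <carl@example.net>; Fri, 31 Jul 2009 23:42:33 +0200 (CEST)\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
PASTED_DELIVERED_TO = "Delivered-To: Carl@Example.NET\n" + PASTED_RECEIVED


def loop_detected(msg, recipient):
    """True if a Delivered-To: header already names this recipient."""
    seen = {value.strip().lower() for value in msg.get_all("Delivered-To", [])}
    return recipient.lower() in seen


def prepend_delivered_to(msg, recipient):
    """Return a copy of msg with Delivered-To: recipient as the first header."""
    out = Message()
    out["Delivered-To"] = recipient
    for name, value in msg.items():
        out[name] = value            # appends, so earlier Delivered-To: lines survive
    out.set_payload(msg.get_payload())
    return out


def route(msg, recipient, forwards, max_hops=10):
    """Follow forwarding rules; return (addresses stamped so far, outcome)."""
    trail = []
    for _ in range(max_hops):
        if loop_detected(msg, recipient):
            return trail, "mail forwarding loop for " + recipient
        msg = prepend_delivered_to(msg, recipient)
        trail.append(recipient)
        next_hop = forwards.get(recipient.lower())
        if next_hop is None:
            return trail, "delivered to " + recipient
        recipient = next_hop
    return trail, "hop limit reached"


if __name__ == "__main__":
    ring = {"a@one.example": "b@two.example", "b@two.example": "a@one.example"}
    print(route(message_from_string(PASTED_RECEIVED), "carl@example.net", {}))
    print(route(message_from_string(PASTED_DELIVERED_TO), "carl@example.net", {}))
    print(route(message_from_string(PASTED_RECEIVED), "a@one.example", ring))
```
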
 
 



Re: Received: headers and mail forwarding loops

2009-07-31 Thread Stefan Förster
* Wietse Venema wie...@porcupine.org wrote:
 Stefan Förster:
  This is working as expected. If I create a new mail and forcibly
  insert the above header before I submit it, I get a NDR saying that
  there is a mail forwarding loop for c...@example.net - which is
 
 As documented, Postfix uses Delivered-To: headers for loop detection.

I am very sorry - I had indeed pasted too many lines into my test
email.


Cheers
Stefan


mail forwarding is not working at all

2009-06-02 Thread J. Bakshi
Dear all,

I hope you all are very well.

I have come with a strange problem with my email server which is running
almost 2 years now.  actually I have never tried the mail forwarding
with the system but it has the option. Today I need to add the mail
forwarding feature and found that the forwarding is not working. This is
a suse 10.2 server with postfix-2.5.1-28.5.

I have already gone through the mail, mail.info, mail.err and mail.warn
logs, but there are no error reports related to this issue.

More details
-

here is the config from my main.cf for forwarding

``
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_uid_maps = static:5000
``

The mysql-virtual-alias-maps.cf and mysql-email2email.cf files have the
MySQL query with the correct database and userid/password to communicate
with MySQL. Moreover, if I check like

``
postmap -q email-id  mysql:/etc/postfix/mysql-virtual-alias-maps.cf
``

then it replies with the right alias already set for that email id.

But the mails are still received by the email-id and not by its alias email
address.

Is there anything required to enable forwarding?

Here is the postconf -n

`
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination = $myhostname, localhost.$mydomain
mydomain = mydomain
myhostname =  my hostname
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
receive_override_options = no_address_mappings
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
`

with regards



Re: mail forwarding is not working at all

2009-06-02 Thread Magnus Bäck
On Tue, June 2, 2009 11:08 am, J. Bakshi said:

 I have come with a strange problem with my email server which is running
 almost 2 years now.  actually I have never tried the mail forwarding
 with the system but it has the option. Today I need to add the mail
 forwarding feature and found that the forwarding is not working. This is
 a suse 10.2 server with postfix-2.5.1-28.5.

[...]

 receive_override_options = no_address_mappings

This explicitly disables address rewriting like aliasing. Unless you have
something in your master.cf that overrides and enables rewriting, this is
the culprit.

[...]

-- 
Magnus Bäck
mag...@dsek.lth.se
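
The interaction described in this reply and in Christoph Scheurer's 2011 message further up (a main.cf-wide receive_override_options = no_address_mappings inherited by an smtpd listener whose content_filter is empty) can be checked mechanically. This is an added example, not code from the thread or from Postfix: the configuration text is constructed, the function names are hypothetical, and it understands only plain "-o name=value" overrides and the content_filter parameter.

```python
import re

# Constructed configuration modelled on the setups quoted in the thread.
MAIN_CF = """\
content_filter = smtp:[127.0.0.1]:10024
receive_override_options = no_address_mappings
virtual_alias_maps = hash:/etc/postfix/virtual
"""

# The 127.0.0.1:10025 re-injection listener is an assumption added for contrast.
MASTER_CF = """\
smtp             inet  n  -  -  -  -  smtpd
25025            inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=
127.0.0.1:10025  inet  n  -  -  -  -  smtpd
  -o content_filter=
  -o receive_override_options=
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_main(text):
    """Return main.cf as a {parameter: value} dict."""
    params = {}
    for line in logical_lines(text):
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master(text):
    """Return [(service/type, command, {override: value}), ...]."""
    services = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue
        args, overrides = fields[8:], {}
        for flag, arg in zip(args, args[1:]):
            if flag == "-o" and "=" in arg:
                key, _, value = arg.partition("=")
                overrides[key] = value
        services.append((fields[0] + "/" + fields[1], fields[7], overrides))
    return services


def unmapped_services(main, services):
    """smtpd listeners that skip address mapping and never hand mail to a filter."""
    flagged = []
    for name, command, overrides in services:
        if command != "smtpd":
            continue

        def effective(param):
            # A -o override in master.cf wins over the main.cf value.
            return overrides.get(param, main.get(param, ""))

        options = set(filter(None, re.split(r"[,\s]+", effective("receive_override_options"))))
        if "no_address_mappings" in options and not effective("content_filter"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(unmapped_services(parse_main(MAIN_CF), parse_master(MASTER_CF)))
```
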


Re: mail forwarding is not working at all

2009-06-02 Thread J. Bakshi
Magnus Bäck wrote:
> On Tue, June 2, 2009 11:08 am, J. Bakshi said:
>
> > I have come with a strange problem with my email server which is running
> > almost 2 years now.  actually I have never tried the mail forwarding
> > with the system but it has the option. Today I need to add the mail
> > forwarding feature and found that the forwarding is not working. This is
> > a suse 10.2 server with postfix-2.5.1-28.5.
>
> [...]
>
> > receive_override_options = no_address_mappings
>
> This explicitly disables address rewriting like aliasing. Unless you have
> something in your master.cf that overrides and enables rewriting, this is
> the culprit.


Hello Magnus,

You are a Hero !!!
I have reset the setting like

`
receive_override_options =
`

and the forwarding started working.

Millions of thanks.




 [...]

   



mail forwarding loop for sample.em...@firstdomain.com

2009-05-28 Thread admin2

Hi there,

I am getting error messages for mail sent to
sample.em...@firstdomain.com but in the /etc/postfix/aliases file I have
an entry for sample.email to send to sample.em...@anotherdomain.com.
Why am I getting a forwarding loop?


Status: 5.4.6
Diagnostic-Code: X-Postfix; mail forwarding loop for 
sample.em...@firstdomain.com




r...@firstdomain.com:/etc/postfix# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain
174.143.253.66 firstdomain.com

# cat /etc/mailname
firstdomain.com


Please help.

Cheers,

Noah



Re: mail forwarding loop for sample.em...@firstdomain.com

2009-05-28 Thread Wietse Venema
admin2:
 Hi there,
 
 I am getting error messages for mail sent to 
 sample.em...@firstdomain.com but in the /etc/postfix/aliases file I have 
 an entry for sample.email to send to sample.em...@anotherdomain.com . 
 why am I getting a forwarding loop.
 
 Status: 5.4.6
 Diagnostic-Code: X-Postfix; mail forwarding loop for 
 sample.em...@firstdomain.com
 
 
 
 r...@firstdomain.com:/etc/postfix# cat /etc/hosts
 127.0.0.1 localhost localhost.localdomain
 174.143.253.66 firstdomain.com
 
 # cat /etc/mailname
 firstdomain.com
 
 
 Please help.

Please read the mailing list welcome message, repeated below.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.


Mail forwarding

2009-03-11 Thread Jeff Bernier
Can I use Postfix as a host for email forwarding?
 
The scenario I envision is an Alum or Faculty member authenticates to a web 
portal, then tells the system where to forward their email. All email destined 
for Staff would go to our current email system.
 
Any thoughts are welcome.
 
Regards,
Jeff
 
It does not require many words to speak the truth. - Chief Joseph, Great Nez 
Perce Indian Chief 

