Prevent sending message with known user out of LAN
Hello,

How to prevent Postfix from sending an email with a known user from outside my LAN if he is not authenticated?

I have the following parameters but a user can still do it:

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    #check_helo_access hash:/usr/local/etc/postfix/helo_access,
    #warn_if_reject,
    reject_invalid_helo_hostname,
    reject_non_fqdn_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_unlisted_sender,
    permit

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client zen.spamhaus.org,
    permit

Regard
Strange server configuration error problem
There are a few hosts which occasionally throw errors like these:

1286:Mar 17 15:01:08 Server postfix/smtpd[1324]: connect from mail-ob0-f169.google.com[209.85.214.169]
1287:Mar 17 15:01:09 Server postfix/smtpd[1324]: Anonymous TLS connection established from mail-ob0-f169.google.com[209.85.214.169]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
1291:Mar 17 15:01:10 Server postfix/smtpd[1324]: 69A87280008: client=mail-ob0-f169.google.com[209.85.214.169]
1301:Mar 17 15:01:15 Server postfix/smtpd[1324]: disconnect from mail-ob0-f169.google.com[209.85.214.169]
1313:Mar 17 15:02:20 Server postfix/smtpd[1324]: connect from unknown[113.11.251.194]
1314:Mar 17 15:02:21 Server postfix/smtpd[1324]: Anonymous TLS connection established from unknown[113.11.251.194]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
1315:Mar 17 15:02:22 Server postfix/smtpd[1324]: warning: unknown smtpd restriction:
1316:Mar 17 15:02:22 Server postfix/smtpd[1324]: NOQUEUE: reject: RCPT from unknown[113.11.251.194]: 451 4.3.5 Server configuration error; from= to=u...@mydomain.com proto=ESMTP helo=vps.enggsol.com

Postfix reloads do not throw any errors so it's not a syntax problem within the config files. Checked the different restriction files too - nothing suspicious.

Any clues what might be throwing these four exclamation marks?
Re: Strange server configuration error problem
Stefan Stefanov:
> 1315:Mar 17 15:02:22 Server postfix/smtpd[1324]: warning: unknown smtpd restriction:

It is staring you in the face.

Wietse
BURL (was: Unclear of smtp protocol)
Viktor Dukhovni:
On Sun, Mar 30, 2014 at 09:13:19PM -0400, Wietse Venema wrote:
Viktor Dukhovni:
Postfix does not yet support Apple's BURL SMTP extension.

With Apple as the only MUA that supports BURL, it probably does not make sense for Postfix to support BURL.

Last time I asked (late 2013) Apple currently does not support BURL. I was looking for client software so that I could test Postfix BURL support without having to implement my own mail client first. I saw no BURL activity from iPhone or iPad with Apple's patch for Postfix, and the author of the patch confirmed that IOS had no BURL support.

If anyone knows of a real client that implements BURL (not some unmaintained beta) then I am interested.

Wietse
Re: Strange server configuration error problem
On Mon, Mar 31, 2014 at 11:17:07AM +0300, Stefan Stefanov wrote:
> 1314:Mar 17 15:02:21 Server postfix/smtpd[1324]: Anonymous TLS connection established from unknown[113.11.251.194]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 1315:Mar 17 15:02:22 Server postfix/smtpd[1324]: warning: unknown smtpd restriction:

Either in main.cf in some smtpd_mumble_restrictions, or in an access table used by these, you have some non-printable characters instead of a valid restriction name. Check all your access tables for consecutive non-printable characters.

--
Viktor.
Re: Strange server configuration error problem
Shoot me twice :-) It was an OK statement written with Cyrillic characters. Impossible to spot at a glance.

Thanks for the help!

On 31.03.2014 14:55, Viktor Dukhovni wrote:
> On Mon, Mar 31, 2014 at 11:17:07AM +0300, Stefan Stefanov wrote:
> > 1314:Mar 17 15:02:21 Server postfix/smtpd[1324]: Anonymous TLS connection established from unknown[113.11.251.194]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> > 1315:Mar 17 15:02:22 Server postfix/smtpd[1324]: warning: unknown smtpd restriction:
>
> Either in main.cf in some smtpd_mumble_restrictions, or in an access table used by these, you have some non-printable characters instead of a valid restriction name. Check all your access tables for consecutive non-printable characters.
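The check suggested in this thread, as an added example that is not part of the original posts: a scanner that flags any token in main.cf or an access table containing characters outside printable ASCII, and shows what the token appears to spell. The lookalike map, the function names and the sample table are assumptions made for illustration.

```python
import re
import sys
import unicodedata

# Partial, hand-picked map of Cyrillic letters that render like Latin ones
# (an assumption for illustration, not a complete confusables table).
LOOKALIKES = str.maketrans({
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x",
})


def is_plain(ch):
    """True for TAB and printable ASCII, all a restriction name ever needs."""
    return ch == "\t" or " " <= ch <= "~"


def scan_text(text, source="<input>"):
    """Return one finding per token that contains a non-ASCII or control character."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        line = line.rstrip("\r")
        if line.lstrip(" \t").startswith("#"):
            continue  # comment lines are ignored by Postfix
        # Split on space, TAB and comma only, so that a no-break space or other
        # exotic whitespace stays inside the token and is reported.
        for token in re.split(r"[ \t,]+", line):
            bad = [ch for ch in token if not is_plain(ch)]
            if bad:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "token": token,
                    "chars": [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
                              for c in bad],
                    "looks_like": token.translate(LOOKALIKES),
                })
    return findings


# Constructed sample access table: the action on the third line is written
# with Cyrillic letters and is visually identical to "OK".
SAMPLE_ACCESS = (
    "# constructed sample, not from the thread\n"
    "192.0.2.10\tOK\n"
    "198.51.100.7\t\u041e\u041a\n"
    "example.org\tREJECT\n"
)

if __name__ == "__main__":
    results = []
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += scan_text(fh.read(), path)
    else:
        results = scan_text(SAMPLE_ACCESS, "sample")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['token']!r} looks like "
              f"{f['looks_like']!r}: {', '.join(f['chars'])}")
    sys.exit(1 if results else 0)
```

Run it with the paths of main.cf and every source file of the access tables it references; a non-zero exit status means at least one suspect token was found.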
Multiple auth (rimap + auxprop)
Hello,

I have a postfix SMTP server authenticating with auxprop to a mysql server. It works. It works even if I configure it to authenticate with rimap.

But now I have to make it work with both: It has to relay mails for both a list of mysql users and an IMAP server of which I can't get a list of users. Best would be to authenticate it with mysql, and if it fails check rimap.

Is it possible to do this? I can't find anything about it and if I try it seems not to work.

If it's not possible, is it possible to get it to authenticate to 2 IMAP servers with rimap? I mean to check with the first and if it fails to check with the second one?

Thanks!
Andrea
Re: Multiple auth (rimap + auxprop)
* Andrea devnul...@gmail.com:
> Hello,
> I have a postfix SMTP server authenticating with auxprop to a mysql server. It works. It works even if I configure it to authenticate with rimap.
> But now I have to make it work with both: It has to relay mails for both a list of mysql users and an IMAP server of which I can't get a list of users. Best would be to authenticate it with mysql, and if it fails check rimap.
> Is it possible to do this? I can't find anything about it and if I try it seems not to work.

Configure saslauthd for rimap and the SQL auxprop for MySQL. Then expand pwcheck_method in smtpd.conf like this:

pwcheck_method: auxprop saslauthd

p@rick

> If it's not possible, is it possible to get it to authenticate to 2 IMAP servers with rimap? I mean to check with the first and if it fails to check with the second one?
> Thanks!
> Andrea

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Can't reject forged sender/from address only when using AfterLogic Webmail
i'm running Postfix 2.11 and i would like to reject/prevent authenticated users from sending emails with forged sender/from address. Right now i've implemented the following policy which works just fine:

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtpd_sender_restrictions = ... reject_unlisted_sender, reject_authenticated_sender_login_mismatch, ...

This generates the following output when an authenticated user tries to spoof its sending email address https://gist.github.com/sibok/efb72be811a51691913a.

But don't know why when using AfterLogic Webmail to spoof/forge authenticated user's from/sender email address Postfix sends the email cause AfterLogic Webmail is only changing from address but using the correct login and sender address. Pretty strange, here is the output log https://gist.github.com/sibok/0a6334fa1e5bd3662fc9

In the last log, note the sender is p...@example.com and the recipient is p...@webeloping.es. The spoofed sender is foo...@foobar.com

One can see the spoofed address only appears in the DKIM line, these are the headers of the email received at Google Apps https://gist.github.com/sibok/a4aa6f96723628efa24e

But when sending through Roundcube, RainLoop, Mozilla Thunderbird, etc. Postfix correctly rejects the spoofed sender email as can be seen in the first provided gist.

Does anyone know how should/could i prevent it? Maybe a regexp header_check? It looks like AfterLogic Webmail only rewrites the from header while using the correct from address for authenticating against Postfix. Maybe reject_authenticated_sender_login_mismatch is failing?

Thanks in advance!
Re: Can't reject forged sender/from address only when using AfterLogic Webmail
On Mon, Mar 31, 2014 at 04:32:45PM +0200, Pau Peris wrote:
> I'm running Postfix 2.11 and I would like to reject/prevent authenticated users from sending emails with forged sender/from address.

Postfix only restricts forgery of the envelope sender address. There are no features in Postfix to restrict senders to a particular RFC 2822 From: address.

If you're operating a submission service where authentication is required, and for some reason you absolutely must restrict the From address, the best you can do is to configure a dedicated cleanup(8) instance for the submission service that discards the From header, in which case if I recall correctly, Postfix will insert a new From header with the envelope sender email address (and no full name).

header_checks:
    /^from:/ IGNORE

This breaks legitimate use of Resent-From:. Both Apple's Mail.app and mutt allow users to resend a message to another recipient in a way that preserves the original From: header so they reply to the author, (the address of the forwarding user is in Resent-From) rather than the person forwarding the mail.

--
Viktor.
fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error
I got the following error in one of our postfix servers this morning:

fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument

This was preventing sending and receiving email. I ended up deleting the /var/lib/postfix/smtpd_scache.db file, restarted postfix and it started working again. This is the second time this has happened within the last 6 months or so.

Even though I know how to fix, I'm wondering why this is happening to begin with and to prevent it from happening in the future. Is there a bug of some sort? A quick google search didn't reveal anything of that sort. My environment is Ubuntu 10.04 and postfix 2.8.5.

Thanks
Re: Multiple auth (rimap + auxprop)
2014-03-31 15:30 GMT+02:00 Patrick Ben Koetter p...@sys4.de:
> Configure saslauthd for rimap and the SQL auxprop for MySQL. Then expand pwcheck_method in smtpd.conf like this:
>
> pwcheck_method: auxprop saslauthd

Thanks, that's what I did but it seems not working. saslauthd only works, auxprop sql only works, but with this config it doesn't work:

pwcheck_method: auxprop saslauthd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: xxx
sql_user: xxx
sql_passwd: xxx
sql_database: xxx
sql_select: SELECT password FROM LoginUsers WHERE LoginUser = '%u@%r'

Any hints?

Thanks!
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error
On Mon, Mar 31, 2014 at 11:37:42AM -0400, Deeztek Support wrote:
> I got the following error in one of our postfix servers this morning:
>
> fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument

Why on earth do people routinely truncate log entries to leave out the name of the daemon that is logging the message???

What Postfix service (daemon) logged this message? Was it after a Postfix reload, restart, or some other time?

> This was preventing sending and receiving email. I ended up deleting the /var/lib/postfix/smtpd_scache.db file, restarted postfix and it started working again. This is the second time this has happened within the last 6 months or so.
>
> Even though I know how to fix, I'm wondering why this is happening to begin with and to prevent it from happening in the future. Is there a bug of some sort? A quick google search didn't reveal anything of that sort. My environment is Ubuntu 10.04 and postfix 2.8.5.

Have you changed the master.cf entry for tlsmgr(8) from its default configuration? It must have a process limit of 1.

tlsmgr unix - - n 1000? 1 tlsmgr

The database in question is not safe for multiple writers. Beyond that you might have a buggy Berkeley DB, or SELinux blocking access.

Postfix tlsmgr(8) truncates the TLS session cache database when it restarts, so there should not be any errors even if the database was previously corrupted.

--
Viktor.
Re: Can't reject forged sender/from address only when using AfterLogic Webmail
Hello Viktor,

thanks a lot for your time and the great explanation, but i think that's not what i'm looking for. What i'm trying to accomplish is to make sure the from address used in the envelope is the same address used to login. I don't mind if they use a different reply to address or something similar.

I thought smtpd_sender_login_maps plus reject_unlisted_sender and reject_authenticated_sender_login_mismatch would do the trick but there's a case where login address is the same as the sender address - at least that's what it looks like after checking the mail.log - but once i get the email at Google Apps i notice the From header belongs to the forged address edited through the Identity edit form which AfterLogic Webmail provides. Same Identity forms exists in different webmail solutions or email desktop clients like Roundcube or Mozilla Thunderbird but don't know why After logic operates in a different way.

What i would like is to reject the email when the from address has been edited. I hope you can help me to get a clue here.

Thanks a lot

On Mon, Mar 31, 2014 at 4:56 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Mon, Mar 31, 2014 at 04:32:45PM +0200, Pau Peris wrote:
> > I'm running Postfix 2.11 and I would like to reject/prevent authenticated users from sending emails with forged sender/from address.
>
> Postfix only restricts forgery of the envelope sender address. There are no features in Postfix to restrict senders to a particular RFC 2822 From: address.
>
> If you're operating a submission service where authentication is required, and for some reason you absolutely must restrict the From address, the best you can do is to configure a dedicated cleanup(8) instance for the submission service that discards the From header, in which case if I recall correctly, Postfix will insert a new From header with the envelope sender email address (and no full name).
>
> header_checks:
>     /^from:/ IGNORE
>
> This breaks legitimate use of Resent-From:. Both Apple's Mail.app and mutt allow users to resend a message to another recipient in a way that preserves the original From: header so they reply to the author, (the address of the forwarding user is in Resent-From) rather than the person forwarding the mail.
>
> --
> Viktor.
Re: Can't reject forged sender/from address only when using AfterLogic Webmail
On Mon, Mar 31, 2014 at 05:52:33PM +0200, Pau Peris wrote:
> thanks a lot for your time and the great explanation, but i think that's not what i'm looking for. What i'm trying to accomplish is to make sure the from address used in the envelope is the same address used to login. I don't mind if they use a different reply to address or something similar.

Well, your previous post sure seemed to imply that you wanted to restrict the From: address in the message header. Do you know what the term envelope sender address means in SMTP? I think not.

> I thought smtpd_sender_login_maps plus reject_unlisted_sender and reject_authenticated_sender_login_mismatch would do the trick but there's a case where login address is the same as the sender address - at least that's what it looks like after checking the mail.log - but once i get the email at Google Apps i notice the From header belongs to the forged address edited through the Identity edit form which AfterLogic Webmail provides.

There you go again, talking about the header From. MAKE UP YOUR MIND!

> What i would like is to reject the email when the from address has been edited. I hope you can help me to get a clue here.

First understand that the SMTP envelope sender address is NOT the same thing as the message header From: address.

--
Viktor.
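The distinction drawn in this reply, as an added example that is not part of the thread and is not Postfix code: a simplified model of the login-ownership check, which sees only the SASL login and the MAIL FROM address, next to a separate comparison of the From: header that the SMTP-time check never performs. The function names, the map contents and the three sample submissions are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def header_addresses(raw_message, header):
    """Lower-cased addresses found in all occurrences of one message header."""
    msg = message_from_string(raw_message)
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def evaluate_submission(sasl_login, mail_from, raw_message, sender_login_map):
    """Model of an authenticated submission.

    'smtpd' is the outcome of the ownership check on the envelope sender.
    That check runs before DATA, so a rejected message never shows its headers.
    'header_from' reports what a content check would see afterwards.
    """
    mail_from = mail_from.lower()
    if sasl_login not in sender_login_map.get(mail_from, set()):
        return {"smtpd": "REJECT", "header_from": None}
    if mail_from in header_addresses(raw_message, "From"):
        status = "matches envelope"
    elif mail_from in header_addresses(raw_message, "Resent-From"):
        status = "differs (resent message)"  # the legitimate case named above
    else:
        status = "differs"
    return {"smtpd": "PERMIT", "header_from": status}


# Constructed stand-in for smtpd_sender_login_maps: envelope sender -> logins.
LOGIN_MAP = {"pau@example.com": {"pau@example.com"}}


def message(from_hdr, extra=""):
    """Build a minimal constructed message with the given From: header."""
    return f"From: {from_hdr}\n{extra}To: rcpt@example.net\nSubject: test\n\nbody\n"


# Client that puts the edited identity into MAIL FROM as well.
CASE_ENVELOPE_EDITED = evaluate_submission(
    "pau@example.com", "foo@foobar.example",
    message("Foo <foo@foobar.example>"), LOGIN_MAP)

# Client that keeps MAIL FROM equal to the login and edits only the header.
CASE_HEADER_EDITED = evaluate_submission(
    "pau@example.com", "pau@example.com",
    message("Foo <foo@foobar.example>"), LOGIN_MAP)

# Resent message: original author in From:, submitting user in Resent-From:.
CASE_RESENT = evaluate_submission(
    "pau@example.com", "pau@example.com",
    message("Author <author@example.org>", "Resent-From: pau@example.com\n"),
    LOGIN_MAP)

if __name__ == "__main__":
    for name, result in [("envelope edited", CASE_ENVELOPE_EDITED),
                         ("header edited", CASE_HEADER_EDITED),
                         ("resent", CASE_RESENT)]:
        print(f"{name:16} {result}")
```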
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error
On 3/31/2014 11:50 AM, Viktor Dukhovni wrote:
> Why on earth do people routinely truncate log entries to leave out the name of the daemon that is logging the message???

Cause sometimes they forget. By the way the daemon in question is postfix/tlsmgr but you already knew that.

> What Postfix service (daemon) logged this message? Was it after a Postfix reload, restart, or some other time?

No it happens seemingly at random.

> Have you changed the master.cf entry for tlsmgr(8) from its default configuration? It must have a process limit of 1.
>
> tlsmgr unix - - n 1000? 1 tlsmgr

Yes, the master.cf entry for tlsmgr has a process limit of 1 and it looks just like your example above.

> The database in question is not safe for multiple writers. Beyond that you might have a buggy Berkeley DB, or SELinux blocking access.

SELinux is not installed. How would I determine if Berkeley DB is buggy?

> Postfix tlsmgr(8) truncates the TLS session cache database when it restarts, so there should not be any errors even if the database was previously corrupted.

Agreed, yet it still happens.
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error
Deeztek Support:
> > The database in question is not safe for multiple writers. Beyond that you might have a buggy Berkeley DB, or SELinux blocking access.
>
> SELinux is not installed. How would I determine if Berkeley DB is buggy?

Well, Postfix uses the Berkeley DB API. If that causes Berkeley DB to piss over it self, then it is buggy.

On the other hand, the warranty is totally void if the db file is written by non-Postfix programs, or when the file system is used in an unsafe manner: server without ECC memory, NFS with soft mount, shutdown without sync, write-caching enabled in the hypervisor, and so on.

Wietse
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error
On Mon, Mar 31, 2014 at 12:45:57PM -0400, Deeztek Support wrote:
> > What Postfix service (daemon) logged this message? Was it after a Postfix reload, restart, or some other time?
>
> No it happens seemingly at random.

You need to examine your logs more carefully. The tlsmgr(8) process only opens the cache databases on startup, in before chroot initialization (which happens whether chroot is used or not). Therefore, the errors you report can only happen when tlsmgr(8) is restarted.

On a system with a steady stream of email, tlsmgr(8) never exits unless you reload or restart Postfix. So you would only expect cache database open events after a reload or restart, or on systems that process only a trickle of email, where tlsmgr(8) might exit because it is idle.

Regardless, when the database is opened, it is automatically truncated, which should never fail. However the particular fatal log message you report open database: ... only occurs in one place in Postfix:

dict_sdbm.c:msg_fatal(open database %s: %m, dbm_path);

You must be one of the folks who never got the memo about not using sdbm. :-) Switch to Berkeley DB btree for your scache databases.

--
Viktor.
RE: Mails time before queue manager
Hi Victor,

I have emptied the notify_classes

1) Bounces are for outbound sent to lot of email addresses. And this is not spamming. We have mailing list server 4 numbers, those are maintained for around 80 clients, from there emails will be triggered through 9 SMTP servers where postfix is installed. Every server almost send half a million emails a day. These are only outbound servers. We have another one server oursmtpmail.com which receives all the bounces, etc. From this we read the inbox and include those hard / soft bounced emails to the skipped list and soft bounces would be released as per their reasons for skip.

2) qshape -s

                   T     5  10  20  40  80 160 320 640 1280 1280+
          TOTAL 2466  2465   1   0   0   0   0   0   0    0     0
oursmtpmail.com 2118  2117   1   0   0   0   0   0   0    0     0
  MAILER-DAEMON  348   348   0   0   0   0   0   0   0    0     0

The qshape information is around an hour back information. Now for last 40mins it's still at the command prompt and I am not seeing any output as of now.

3) Can you please suggest any tool which can give me ASCII histogram for the emails for the c+d delays.

Now the postconf -n

--
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 0
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 0
message_size_limit = 5024
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = smtp2.oursmtpmail.com
myhostname = smtp2.oursmtpmail.com
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock, unix:/var/run/dk-milter/dk-milter.sock
notify_classes =
queue_directory = /var/spool/postfix
queue_run_delay = 2m
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = smtp2.oursmtpmail.com
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock, unix:/var/run/dk-milter/dk-milter.sock
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_limit = 10240
--

Can you please suggest how to address the issue now?
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error
On Mon, Mar 31, 2014 at 05:14:49PM +, Viktor Dukhovni wrote:
> However the particular fatal log message you report open database: ... only occurs in one place in Postfix:
>
> dict_sdbm.c:msg_fatal(open database %s: %m, dbm_path);
>
> You must be one of the folks who never got the memo about not using sdbm. :-) Switch to Berkeley DB btree for your scache databases.

Or perhaps not, my RTFS search was too narrow to find the other cases.

dict_cdb.c:open database %s: %m, cdb_path));
dict_db.c: open database %s: %m, db_path));
dict_dbm.c:open database %s: %m,
dict_lmdb.c: open database %s: %s, mdb_path, mdb_strerror(status));
dict_sdbm.c: msg_fatal(open database %s: %m, dbm_path);
dict_thash.c: open database %s: %m, path));

--
Viktor.
Re: Can't reject forged sender/from address only when using AfterLogic Webmail
Hello Viktor,

i really do not know what to answer to you about your last email. Anyway, as i understand envelope sender is where a computer are going to respond an email, if needed, and the from header is where people reply emails. If i'm wrong just an explanation will suffice.

That said, i'm still wondering - and i do not know if anyone here is able to answer - why Mozilla Thunderbird or Roundcube get rejected when Editing the From address - at least it looks to me the From address and not the envelope sender - but doing through AfterLogic Webmail the Postfix mail.log show a different behavior/flow. I think that could help me to understand what's going on here, in case you know it.

Last, i'm just a Web Software Engineer dealing with some Postfix requirements i try to solve/implement as fast as i can. That's why i'm here, looking for a little help from a friend.

Thanks in advance,

On Mon, Mar 31, 2014 at 6:01 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Mon, Mar 31, 2014 at 05:52:33PM +0200, Pau Peris wrote:
> > thanks a lot for your time and the great explanation, but i think that's not what i'm looking for. What i'm trying to accomplish is to make sure the from address used in the envelope is the same address used to login. I don't mind if they use a different reply to address or something similar.
>
> Well, your previous post sure seemed to imply that you wanted to restrict the From: address in the message header. Do you know what the term envelope sender address means in SMTP? I think not.
>
> > I thought smtpd_sender_login_maps plus reject_unlisted_sender and reject_authenticated_sender_login_mismatch would do the trick but there's a case where login address is the same as the sender address - at least that's what it looks like after checking the mail.log - but once i get the email at Google Apps i notice the From header belongs to the forged address edited through the Identity edit form which AfterLogic Webmail provides.
>
> There you go again, talking about the header From. MAKE UP YOUR MIND!
>
> > What i would like is to reject the email when the from address has been edited. I hope you can help me to get a clue here.
>
> First understand that the SMTP envelope sender address is NOT the same thing as the message header From: address.
>
> --
> Viktor.
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error *** SOLVED ***
On 3/31/2014 1:25 PM, Viktor Dukhovni wrote:
> On Mon, Mar 31, 2014 at 05:14:49PM +, Viktor Dukhovni wrote:
> > However the particular fatal log message you report open database: ... only occurs in one place in Postfix:
> >
> > dict_sdbm.c:msg_fatal(open database %s: %m, dbm_path);
> >
> > You must be one of the folks who never got the memo about not using sdbm. :-) Switch to Berkeley DB btree for your scache databases.
>
> Or perhaps not, my RTFS search was too narrow to find the other cases.
>
> dict_cdb.c:open database %s: %m, cdb_path));
> dict_db.c: open database %s: %m, db_path));
> dict_dbm.c:open database %s: %m,
> dict_lmdb.c: open database %s: %s, mdb_path, mdb_strerror(status));
> dict_sdbm.c: msg_fatal(open database %s: %m, dbm_path);
> dict_thash.c: open database %s: %m, path));

It looks like running out of space causes that too. I found this entry in the logs from the day before:

fatal: /var/lib/postfix/smtpd_scache.db: flush dictionary: No space left on device

One of the first things I checked but space was fine when i looked. It looks like a backup was using the drive as temporary space and then it would move the backup file to smb share when it was finished. So while it was using it as temporary storage it would fill up the drive, thus the problem. It has since been fixed.

Thanks for your help
Re: Mails time before queue manager
On Mon, Mar 31, 2014 at 10:55:04PM +0530, KK Patnaik wrote:
> 1) Bounces are for outbound sent to lot of email addresses. And this is not spamming.

Many bulk email senders believe the spammers are all the other bulk senders, but not they.

> These are only outbound servers.
>
> 2) qshape -s

Why -s, this gives no information about the destination of slow email. You should probably also scan the deferred queue, thus:

# qshape incoming active deferred

If the output device is a terminal, qshape will give you progressive output for every 1000 messages found.

> The qshape information is around an hour back information. Now for last 40mins it's still at the command prompt and I am not seeing any output as of now.

Sounds like you got slammed with a bunch of new mail and your disk sub-system is not fast enough for qshape to read the entire queue in a timely manner, especially with mail processing competing.

> 3) Can you please suggest any tool which can give me ASCII histogram for the emails for the c+d delays.

You write a Perl or Python script to parse this from delays=a/b/c/d in your own logs.

> bounce_queue_lifetime = 0
> maximal_queue_lifetime = 0

Bad idea.

> non_smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock, unix:/var/run/dk-milter/dk-milter.sock
> smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock, unix:/var/run/dk-milter/dk-milter.sock

Is this keeping up with the mail stream? Perhaps this is a bottleneck. You must read your logs and determine what's going on. Have you tried the collate script I've sent?

> Can you please suggest how to address the issue now?

The data is in your logs, understanding them well enough to identify the problem source is your responsibility. You need to determine whether your CPU, network, disk or output concurrency are maxed out, or whether remote destinations are throttling your deliveries, ...

Perhaps your syslogd is misconfigured and is logging synchronously. See LINUX_README.html. That would cause the disk to be swamped.

--
Viktor.
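One way to write the script suggested in this reply, as an added example that is not part of the thread: it extracts delays=a/b/c/d from Postfix delivery log lines, buckets c+d (connection setup plus message transmission) into an ASCII histogram, and counts which relays account for the slow deliveries. The bucket edges, function names and sample log lines are constructed for illustration.

```python
import bisect
import re
import sys
from collections import Counter

NUM = r"(\d+(?:\.\d+)?)"
DELAYS_RE = re.compile(rf"\bdelays={NUM}/{NUM}/{NUM}/{NUM}")
RELAY_RE = re.compile(r"\brelay=([^\s,\[]+)")
EDGES = [0.5, 1, 2, 5, 10, 30, 60]  # upper bucket bounds in seconds (assumed)


def parse_delivery(line):
    """Return (relay, c + d) for a delivery log line, or None for other lines."""
    m = DELAYS_RE.search(line)
    if not m:
        return None
    _a, _b, c, d = (float(x) for x in m.groups())
    r = RELAY_RE.search(line)
    return (r.group(1) if r else "unknown", c + d)


def cd_histogram(lines, edges=EDGES):
    """Counts per bucket; bucket i holds c+d <= edges[i], the last one the rest."""
    counts = [0] * (len(edges) + 1)
    for line in lines:
        rec = parse_delivery(line)
        if rec:
            counts[bisect.bisect_left(edges, rec[1])] += 1
    return counts


def slow_relays(lines, threshold):
    """Counter of relay hosts whose deliveries had c+d above threshold seconds."""
    hits = Counter()
    for line in lines:
        rec = parse_delivery(line)
        if rec and rec[1] > threshold:
            hits[rec[0]] += 1
    return hits


def render(counts, edges=EDGES, width=40):
    """Draw the histogram with one row per bucket, scaled to the largest bucket."""
    peak = max(counts) or 1
    labels = [f"<= {e:g}s" for e in edges] + [f"> {edges[-1]:g}s"]
    return "\n".join(f"{lab:>8} |{'#' * round(n * width / peak):<{width}}| {n}"
                     for lab, n in zip(labels, counts))


# Constructed sample log lines in Postfix delivery format, not from the thread.
SAMPLE_LOG = """\
Mar 31 22:10:01 smtp2 postfix/smtp[2101]: 4A1B2C3D4E: to=<a@example.net>, relay=mx1.example.net[192.0.2.25]:25, delay=0.52, delays=0.1/0.02/0.3/0.1, dsn=2.0.0, status=sent (250 OK)
Mar 31 22:10:02 smtp2 postfix/smtp[2102]: 4A1B2C3D4F: to=<b@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=4.2, delays=0.2/0/1.5/2.5, dsn=2.0.0, status=sent (250 OK)
Mar 31 22:10:09 smtp2 postfix/smtp[2103]: 4A1B2C3D50: to=<c@slow.example>, relay=mx.slow.example[203.0.113.9]:25, delay=377, delays=12/300/20/45, dsn=2.0.0, status=sent (250 OK)
Mar 31 22:10:10 smtp2 postfix/smtp[2101]: 4A1B2C3D51: to=<d@example.net>, relay=mx1.example.net[192.0.2.25]:25, delay=0.51, delays=0.05/0.01/0.2/0.25, dsn=2.0.0, status=sent (250 OK)
Mar 31 22:10:40 smtp2 postfix/smtp[2104]: 4A1B2C3D52: to=<e@slow.example>, relay=mx.slow.example[203.0.113.9]:25, delay=31, delays=0.3/1/30/0, dsn=4.4.2, status=deferred (conversation timed out)
Mar 31 22:10:41 smtp2 postfix/smtpd[2200]: connect from unknown[192.0.2.77]
""".splitlines()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log = fh.readlines()
    else:
        log = SAMPLE_LOG
    print(render(cd_histogram(log)))
    for relay, n in slow_relays(log, 10).most_common(10):
        print(f"{n:6} slow deliveries via {relay}")
```

A histogram that is heavy in the upper buckets for only a few relays points at remote throttling; one that is slow across all relays points at a local bottleneck.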
Re: fatal: open database /var/lib/postfix/smtpd_scache.db: Invalid argument error *** SOLVED ***
Deeztek Support:
> It looks like running out of space causes that too. I found this entry in the logs from the day before:
>
> fatal: /var/lib/postfix/smtpd_scache.db: flush dictionary: No space left on device
>
> One of the first things I checked but space was fine when i looked. It looks like a backup was using the drive as temporary space and then it would move the backup file to smb share when it was finished. So while it was using it as temporary storage it would fill up the drive, thus the problem. It has since been fixed.

Ah, a case of unsafe use. Yes, running out of space will do it.

Wietse
Re: Multiple auth (rimap + auxprop)
* Andrea devnul...@gmail.com:
> 2014-03-31 15:30 GMT+02:00 Patrick Ben Koetter p...@sys4.de:
> > Configure saslauthd for rimap and the SQL auxprop for MySQL. Then expand pwcheck_method in smtpd.conf like this:
> >
> > pwcheck_method: auxprop saslauthd
>
> Thanks, that's what I did but it seems not working. saslauthd only works, auxprop sql only works, but with this config it doesn't work:
>
> pwcheck_method: auxprop saslauthd
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

Reduce mech_list to PLAIN LOGIN. saslauthd can process PLAIN LOGIN only.

> auxprop_plugin: sql
> sql_engine: mysql
> sql_hostnames: xxx
> sql_user: xxx
> sql_passwd: xxx
> sql_database: xxx
> sql_select: SELECT password FROM LoginUsers WHERE LoginUser = '%u@%r'
>
> Any hints?

Any log?

p@rick

> Thanks!

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Multiple auth (rimap + auxprop)
2014-03-31 20:39 GMT+02:00 Patrick Ben Koetter p...@sys4.de:
> Any log?

Sure, with:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

Using IMAP account works. When I change smtpd.conf with:

pwcheck_method: auxprop saslauthd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: xxx
sql_user: xxx
sql_passwd: xxx
sql_database: xxx
sql_select: SELECT password FROM LoginUsers WHERE LoginUser = '%u@%r'

With same IMAP user, this is debug postfix log:

Mar 31 20:52:32 smtps postfix/smtpd[14221]: connect from unknown[192.168.0.42]
Mar 31 20:52:32 smtps postfix/smtpd[14221]: smtp_stream_setup: maxtime=300 enable_deadline=0
Mar 31 20:52:32 smtps postfix/smtpd[14221]: match_hostname: unknown ~? 192.168.0.0/16
Mar 31 20:52:32 smtps postfix/smtpd[14221]: match_hostaddr: 192.168.0.42 ~? 192.168.0.0/16
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 220 xxx ESMTP Postfix
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Mar 31 20:52:32 smtps postfix/smtpd[14221]: name_mask: noanonymous
Mar 31 20:52:32 smtps postfix/smtpd[14221]: watchdog_pat: 0x7f0ed67af8b0
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: EHLO [192.168.0.42]
Mar 31 20:52:32 smtps postfix/smtpd[14221]: match_list_match: unknown: no match
Mar 31 20:52:32 smtps postfix/smtpd[14221]: match_list_match: 192.168.0.42: no match
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-xxx
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-PIPELINING
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-SIZE 5120
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-VRFY
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-ETRN
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-STARTTLS
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-ENHANCEDSTATUSCODES
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250-8BITMIME
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 250 DSN
Mar 31 20:52:32 smtps postfix/smtpd[14221]: watchdog_pat: 0x7f0ed67af8b0
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: AUTH PLAIN AGFuZHJlYS5zY2Fyc29Ac3RhZmYudGVsZW1hci5pdAB2ZHdzdDFuMTA=
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response AGFuZHJlYS5zY2Fyc29Ac3RhZmYudGVsZW1hci5pdAB2ZHdzdDFuMTA=
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_first: decoded initial response
Mar 31 20:52:32 smtps postfix/smtpd[14221]: warning: unknown[192.168.0.42]: SASL PLAIN authentication failed: authentication failure
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 535 5.7.8 Error: authentication failed: authentication failure
Mar 31 20:52:32 smtps postfix/smtpd[14221]: watchdog_pat: 0x7f0ed67af8b0
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: AUTH LOGIN
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Mar 31 20:52:32 smtps postfix/smtpd[14221]: name_mask: noanonymous
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_first: sasl_method LOGIN
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 334 VXNlcm5hbWU6
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: YW5kcmVhLnNjYXJzb0BzdGFmZi50ZWxlbWFyLml0
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_next: decoded response: usern...@domain.com
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 334 UGFzc3dvcmQ6
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: dmR3c3QxbjEw
Mar 31 20:52:32 smtps postfix/smtpd[14221]: xsasl_cyrus_server_next: decoded response: mypassword
Mar 31 20:52:32 smtps postfix/smtpd[14221]: warning: unknown[192.168.0.42]: SASL LOGIN authentication failed: authentication failure
Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 535 5.7.8 Error: authentication failed: authentication failure
Mar 31 20:52:32 smtps postfix/smtpd[14221]: watchdog_pat: 0x7f0ed67af8b0

Thanks
Re: Multiple auth (rimap + auxprop)
2014-03-31 20:57 GMT+02:00 Andrea devnul...@gmail.com:
> Mar 31 20:52:32 smtps postfix/smtpd[14221]: warning: unknown[192.168.0.42]: SASL LOGIN authentication failed: authentication failure
> Mar 31 20:52:32 smtps postfix/smtpd[14221]: unknown[192.168.0.42]: 535 5.7.8 Error: authentication failed: authentication failure
> Mar 31 20:52:32 smtps postfix/smtpd[14221]: watchdog_pat: 0x7f0ed67af8b0
> Thanks

Ehm.. I should never do things like this fast... password changed! At least this is a testing environment. However: this is the log if it can help! Thanks
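The debug log in this thread still carried the AUTH PLAIN and AUTH LOGIN base64 payloads after the "decoded response" lines had been edited by hand, and base64 is an encoding, not protection. The following is an added example, not part of the original posts and not Postfix code: a filter that masks every credential-bearing field in smtpd debug output before it is shared. The sample log, address and password are constructed, and the function name `redact` is an assumption of this example.

```python
import base64
import re

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample in the shape of the debug log above; host, address and
# credentials are made up for this example.
HEAD = "Mar 31 20:52:32 smtps postfix/smtpd[14221]: "
PEER_HEAD = HEAD + "unknown[192.0.2.10]: "
SAMPLE_LOG = "\n".join([
    PEER_HEAD + "250-AUTH PLAIN LOGIN CRAM-MD5",
    PEER_HEAD + "AUTH PLAIN " + b64("\0alice@example.org\0s3cret"),
    HEAD + "xsasl_cyrus_server_first: sasl_method PLAIN, init_response "
         + b64("\0alice@example.org\0s3cret"),
    PEER_HEAD + "AUTH LOGIN",
    PEER_HEAD + "334 " + b64("Username:"),
    PEER_HEAD + b64("alice@example.org"),
    HEAD + "xsasl_cyrus_server_next: decoded response: alice@example.org",
    PEER_HEAD + "334 " + b64("Password:"),
    PEER_HEAD + b64("s3cret"),
    HEAD + "xsasl_cyrus_server_next: decoded response: s3cret",
    PEER_HEAD + "535 5.7.8 Error: authentication failed: authentication failure",
])

LINE = re.compile(r"^(?P<head>.*? postfix/smtpd\[(?P<pid>\d+)\]: )(?P<body>.*)$")
PEER = re.compile(r"^(?P<peer>\S+\[[^\]]+\]: )(?P<text>.*)$")
INLINE = re.compile(r"(init_response |decoded response: )\S+")
AUTH_CMD = re.compile(r"^(AUTH \S+ )\S+", re.IGNORECASE)
B64_ONLY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MASK = "[REDACTED]"

def redact(log):
    """Mask SASL secrets in smtpd debug output, keeping everything else."""
    awaiting = set()  # smtpd pids whose last reply to the client was a 334 challenge
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            out.append(line)
            continue
        body = INLINE.sub(lambda x: x.group(1) + MASK, m["body"])
        peer = PEER.match(body)
        if peer:
            text = peer["text"]
            if text.startswith("334 "):
                awaiting.add(m["pid"])
            else:
                # The line after a 334 challenge is the client's base64 answer.
                if m["pid"] in awaiting and B64_ONLY.match(text):
                    text = MASK
                awaiting.discard(m["pid"])
            body = peer["peer"] + AUTH_CMD.sub(lambda x: x.group(1) + MASK, text)
        out.append(m["head"] + body)
    return "\n".join(out)
```

The EHLO capability line (`250-AUTH PLAIN LOGIN ...`) and the `334` challenges are left intact, since they carry no secret and are needed to diagnose the failure.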
Re: Multiple auth (rimap + auxprop)
Have you tried PLAIN with auxprop only? Use gen-auth, a script from John Jetmore, to create auth strings and telnet to the server.

p@rick

--
[*] sys4 AG
Re: Multiple auth (rimap + auxprop)
2014-03-31 21:30 GMT+02:00 Patrick Ben Koetter p...@sys4.de:
> Have you tried PLAIN with auxprop only? Use gen-auth, a script from John Jetmore, to create auth strings and telnet to the server.
> p@rick

Yes, tried even now with help of gen-auth and testsaslauthd. testsaslauthd works perfectly!

1) just auxprop, telnet, AUTH PLAIN with mysql user, OK
2) just saslauthd, telnet, AUTH PLAIN with imap user, OK
3) auxprop saslauthd, telnet, AUTH PLAIN with mysql user OK
4) auxprop saslauthd, telnet, AUTH PLAIN with imap user FAILED

I'm going crazy :)
Re: Multiple auth (rimap + auxprop)
2014-03-31 21:52 GMT+02:00 Andrea devnul...@gmail.com:
> 2014-03-31 21:30 GMT+02:00 Patrick Ben Koetter p...@sys4.de:
>> Have you tried PLAIN with auxprop only? Use gen-auth, a script from John Jetmore, to create auth strings and telnet to the server.
>> p@rick
>
> Yes, tried even now with help of gen-auth and testsaslauthd. testsaslauthd works perfectly!
>
> 1) just auxprop, telnet, AUTH PLAIN with mysql user, OK
> 2) just saslauthd, telnet, AUTH PLAIN with imap user, OK
> 3) auxprop saslauthd, telnet, AUTH PLAIN with mysql user OK
> 4) auxprop saslauthd, telnet, AUTH PLAIN with imap user FAILED
>
> I'm going crazy :)

Well, just to try I changed order of auxprop and saslauthd on smtpd.conf:

5) saslauthd auxprop, telnet, AUTH PLAIN with mysql user OK
6) saslauthd auxprop, telnet, AUTH PLAIN with imap user FAILED

postfix2.9.6-2
sasl2-bin 2.1.25.dfsg1-6+deb7u1
Re: Can't reject forged sender/from address only when using AfterLogic Webmail
On 31.03.2014 19:26, Pau Peris wrote:
> I really do not know what to answer to you about your last email. Anyway, as I understand envelope sender is where a computer are going to respond an email, if needed, and the from header is where people reply emails. If I'm wrong just an explanation will suffice.
>
> That said, I'm still wondering - and I do not know if anyone here is able to answer - why Mozilla Thunderbird or Roundcube get rejected when Editing the From address - at least it looks to me the From address and not the envelope sender

there is no "looks to me"

From: Pau Peris p...@webeloping.es
Sender: owner-postfix-us...@postfix.org
Return-Path: owner-postfix-us...@postfix.org

above the headers of your message, the Return-Path is the envelope

> On Mon, Mar 31, 2014 at 6:01 PM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
>> On Mon, Mar 31, 2014 at 05:52:33PM +0200, Pau Peris wrote:
>>> thanks a lot for your time and the great explanation, but I think that's not what I'm looking for. What I'm trying to accomplish is to make sure the from address used in the envelope is the same address used to login. I don't mind if they use a different reply to address or something similar.
>>
>> Well, your previous post sure seemed to imply that you wanted to restrict the From: address in the message header. Do you know what the term envelope sender address means in SMTP? I think not.
>>
>>> I thought smtpd_sender_login_maps plus reject_unlisted_sender and reject_authenticated_sender_login_mismatch would do the trick but there's a case where login address is the same as the sender address - at least that's what it looks like after checking the mail.log - but once I get the email at Google Apps I notice the From header belongs to the forged address edited through the Identity edit form which AfterLogic Webmail provides.
>>
>> There you go again, talking about the header From. MAKE UP YOUR MIND!
>>
>>> What I would like is to reject the email when the from address has been edited. I hope you can help me to get a clue here.
>>
>> First understand that the SMTP envelope sender address is NOT the same thing as the message header From: address
Re: Can't reject forged sender/from address only when using AfterLogic Webmail
I'm forwarding the email to the list which was sent to rhsoft by mistake. Thanks.

Sent from my Android mobile, excuse the brevity.

On Apr 1, 2014 12:42 AM, li...@rhsoft.net wrote:
> REPLY TO THE LIST
>
> On 01.04.2014 00:16, Pau Peris wrote:
>> Thanks for your reply. I'm not native English speaker so, although HTML and top posting is not welcome, I hope grammatical errors are not taken that hard.
>>
>> Jokes apart, I really appreciate your clarification about the return-path and envelope sender, although I'm not able to understand how it is related to the issue exposed. Maybe someone can explain it a little bit.
>>
>> I think the issue I'm suffering is clear. Email clients - desktop and web app ones - provide user Identity edition so one can change the sender/from address and not the envelope one. Am I right here?
>>
>> Following rhsoft tips I managed to reject what I understand is called email sender forgery through the config posted on my first email of this thread. But, as I understand, there's still a case which I do not understand at all how it is working and I think it is not related to envelope sender - check logs at gist URLs provided at first email - where Postfix is not rejecting emails which from address shown at headers do not match login nor auth sender maps.
>>
>> I hope someone can explain what's happening here. Thank you so much.
>> --
>> Sent from my Android mobile, excuse the brevity.
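The distinction the replies insist on, as an added example that is not part of the original posts and not Postfix code: a simplified model in which the login-ownership check sees only the envelope sender (MAIL FROM), so a message whose From: header was edited passes unless a separate header-level check is run. The ownership table, addresses, message and function names are constructed for this example, and it assumes, as the poster reports, that the webmail keeps the envelope sender equal to the login while changing only the header.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for a sender-to-login table: address -> SASL logins
# allowed to use it.
SENDER_OWNERS = {
    "alice@example.org": {"alice@example.org"},
    "bob@example.org": {"bob@example.org"},
}

def envelope_check(sasl_login, mail_from):
    """Envelope-level check: the login must own the MAIL FROM address."""
    owners = SENDER_OWNERS.get(mail_from.lower())
    if owners is None:
        return "reject: unlisted sender"
    if sasl_login.lower() not in owners:
        return "reject: sender/login mismatch"
    return "ok"

def header_from_check(sasl_login, raw_message):
    """Separate content-level check (hypothetical): the login must own From:."""
    msg = message_from_string(raw_message)
    addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    if len(addrs) != 1:
        return "reject: need exactly one From address"
    if sasl_login.lower() not in SENDER_OWNERS.get(addrs[0], set()):
        return "reject: header From not owned by login"
    return "ok"

def submit(sasl_login, mail_from, raw_message, enforce_header=False):
    """Run the envelope check, then optionally the header check."""
    verdict = envelope_check(sasl_login, mail_from)
    if verdict == "ok" and enforce_header:
        verdict = header_from_check(sasl_login, raw_message)
    return verdict

# Constructed message: alice is logged in, but the identity form set From: to bob.
EDITED_IDENTITY_MSG = (
    "From: Bob <bob@example.org>\r\n"
    "To: carol@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)
```

A client that also puts the edited identity into MAIL FROM is stopped by `envelope_check`; a client that leaves MAIL FROM equal to the login is only caught when `enforce_header=True`.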