Re: postfix hangs when SASL enabled
Travis wrote:
> I first tried the instructions in The BOOK of POSTFIX, but no luck
> Then I followed the instructions here: https://help.ubuntu.com/community/Postfix
> In both cases, the symptom is that postfix, upon being restarted, responds to 'nc -v -v localhost 25' with an accept and then an immediate disconnect. A second connection succeeds, but no banner is being printed.

no need to use nc. just use telnet.

> I also notice that even though the SSL keys have passwords on them, postfix never prompts for them.

daemons do not prompt. As http://www.postfix.org/TLS_README.html says: The private key must not be encrypted, meaning: the key must be accessible without a password

> I narrowed down the problem to this config value: smtpd_sasl_auth_enable = yes

(next time, describe the problem in the body, even if the subject is well chosen).

it is probable that you have a config error in your sasl configuration (smtpd.conf). run saslfinger and report its output.

> Here is the WORKING postconf -n (sasl_auth disabled),

next time, show 'postconf -n' for the non working setup.

[snip]
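Added example, not part of this thread and not Postfix code: a small check a defender can run against the key files named in `postconf -n` before restarting, to catch the "encrypted key, daemon cannot prompt" failure described above. The PEM samples and the postconf excerpt are constructed; `read_file` is injected so the check runs offline.

```python
"""Added example, not from the list thread: detect a passphrase-protected
private key before Postfix tries to load it.  smtpd runs as a daemon and
cannot prompt, so an encrypted key shows up as a TLS failure at startup
rather than as a password prompt.  The PEM samples below are constructed
(truncated bodies) and the config text is a made-up postconf -n excerpt.
"""
import re

# Constructed sample: legacy OpenSSL PEM with passphrase (Proc-Type/DEK-Info headers).
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEowIBAAKCAQEA...constructed-body...
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: PKCS#8 encrypted key, which announces itself in the BEGIN line.
PKCS8_ENCRYPTED_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0w...constructed-body...
-----END ENCRYPTED PRIVATE KEY-----
"""

# Constructed sample: unencrypted key, the only form a daemon can use.
PLAIN_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...constructed-body...
-----END PRIVATE KEY-----
"""


def key_is_encrypted(pem_text):
    """Return True when the PEM private key needs a passphrase."""
    lines = pem_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM file")
    if "ENCRYPTED PRIVATE KEY" in lines[0]:
        return True                      # PKCS#8 encrypted container
    # Legacy format: RFC 1421 headers sit between the BEGIN line and a blank line.
    for line in lines[1:]:
        if line.strip() == "":
            break
        if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            return True
        if line.startswith("DEK-Info:"):
            return True
    return False


def key_files_from_postconf(postconf_text):
    """Pick the smtpd_tls_key_file / smtp_tls_key_file settings out of 'postconf -n' output."""
    found = {}
    for line in postconf_text.splitlines():
        m = re.match(r"\s*(smtpd?_tls_key_file)\s*=\s*(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_postfix_keys(postconf_text, read_file):
    """Map each configured key parameter to True (encrypted, daemon will fail) or False.
    read_file(path) -> str is injected so the check can run on constructed data."""
    return {param: key_is_encrypted(read_file(path))
            for param, path in key_files_from_postconf(postconf_text).items()}


if __name__ == "__main__":
    # Constructed postconf -n excerpt and an in-memory stand-in for the filesystem.
    conf = ("smtpd_tls_key_file = /etc/ssl/private/smtpd.key\n"
            "smtp_tls_key_file = /etc/ssl/private/smtp.key\n")
    files = {"/etc/ssl/private/smtpd.key": ENCRYPTED_PEM,
             "/etc/ssl/private/smtp.key": PLAIN_PEM}
    for param, encrypted in check_postfix_keys(conf, files.__getitem__).items():
        print(param, "NEEDS PASSPHRASE - daemon cannot load it" if encrypted else "ok")
```

On a real host, pass `open(path).read` style reader (running as a user allowed to read the key) instead of the dictionary; the check never needs the passphrase itself, only the PEM headers.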
Re: postfix hangs when SASL enabled
> I narrowed down the problem to this config value: smtpd_sasl_auth_enable = yes

All problems are reported to logfile.
http://www.postfix.org/DEBUG_README.html#logging

Wietse

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
Re: rcpt count mismatch errors (not using Mailscanner)
[EMAIL PROTECTED]:
> Any ideas what causes these?
>
> Jul 21 23:14:43 kd1 postfix/qmgr[20699]: warning: F320A29569: rcpt count mismatch (-2)
> ...
> Version is postfix-2.3.r8,3 (FreeBSD port)

This problem was removed by a code reorganization in Postfix 2.4, when I added support for message body replacement. A fix for Postfix 2.3 has been sent to Matthew, and will appear in Postfix 2.3.16, if it ever gets released.

Wietse
Postfix + SPF/SRS advice
Hi guys,

I'm running a mail gateway (soon to add a second one) and I've just recently started having problems with SPF as many of our users just use us to forward mail. At the moment all I have is an SPF entry in DNS so I'm looking at SPF and SRS patches/plugins for postfix. The last SRS patch I found was for postfix 2.1.4 which is hardly helpful.

Can anyone give me suggestions on where I can find more information on SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS problem if any?

Thanks
Guy

I'm running packages provided in Ubuntu 8.04:
Postfix 2.5.1 + Postfix-mysql
postfix-policyd 1.82
amavisd-new - Clam-AV (no spamassassin at the moment - although I've noticed spf packages related to it)

--
Don't just do something...sit there!
Re: Postfix + SPF/SRS advice
Guy wrote:
> Hi guys,
>
> I'm running a mail gateway (soon to add a second one) and I've just recently started having problems with SPF as many of our users just use us to forward mail. At the moment all I have is an SPF entry in DNS so I'm looking at SPF and SRS patches/plugins for postfix. The last SRS patch I found was for postfix 2.1.4 which is hardly helpful.
>
> Can anyone give me suggestions on where I can find more information on SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS problem if any?

SPF running in conjunction with Postfix will only do verification.
http://www.openspf.org/Software lists the packages known to work properly.

What makes you think you have a problem?

That said, make sure to police your users effectively.
Use antivirus and antispam (do install spamassassin).
Read through http://www.openspf.org/ for issues on SPF.
REQUIRE SASL for users on untrusted networks.

If you want further help with a specific case, post (non-verbose) logs of a transaction and 'postconf -n'.

Brian
Re: Postfix + SPF/SRS advice
Hi Brian,

2008/9/8 Brian Evans - Postfix List [EMAIL PROTECTED]:
> SPF running in conjunction with Postfix will only do verification.
> http://www.openspf.org/Software lists the packages known to work properly.
>
> What makes you think you have a problem?

I should have been more specific. I've had a couple of cases of forwarded mail being rejected by servers doing SPF checks and obviously the sender doesn't match my server since it's forwarded mail. That's why I've been looking at SRS.

> That said, make sure to police your users effectively.
> Use antivirus and antispam (do install spamassassin).
> Read through http://www.openspf.org/ for issues on SPF.
> REQUIRE SASL for users on untrusted networks.

At the moment the server already uses a few RBL's, greylisting and clam-av. But it only accepts mail. It isn't set up to allow any sending from users. SASL is already required for the servers used by clients to send out mail.

Thanks
Guy

--
Don't just do something...sit there!
Re: Postfix + SPF/SRS advice
Guy wrote:
> Hi guys,
>
> I'm running a mail gateway (soon to add a second one) and I've just recently started having problems with SPF as many of our users just use us to forward mail.

Can you give more details here? do you forward mail for domains that have a -all? (if so, can you give an example of such a domain?). is forwarded mail rejected? ... etc.

> At the moment all I have is an SPF entry in DNS

which is irrelevant, given that you have problems with other domains' SPF records, not with yours.

> so I'm looking at SPF and SRS patches/plugins for postfix. The last SRS patch I found was for postfix 2.1.4 which is hardly helpful.

postfix can be configured to pass any mail you want to whatever program you want. so if you want SRS, pass mail to an external program where you implement SRS. but there's no need to use SRS. you can use any rewrite mechanism you like. (well, obviously, I'm not spf-friendly. sorry;-).

> Can anyone give me suggestions on where I can find more information on SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS problem if any?

the question is how you forward mail? you can use maildrop, procmail or whatever program. just pipe the message and you're done :)
Re: Postfix + SPF/SRS advice
Guy wrote:
> Hi Brian,
>
> 2008/9/8 Brian Evans - Postfix List [EMAIL PROTECTED]:
>> SPF running in conjunction with Postfix will only do verification.
>> http://www.openspf.org/Software lists the packages known to work properly.
>>
>> What makes you think you have a problem?
>
> I should have been more specific. I've had a couple of cases of forwarded mail being rejected by servers doing SPF checks and obviously the sender doesn't match my server since it's forwarded mail. That's why I've been looking at SRS.

we'd like to see a concrete example: sender domain and the uncooperative remote server.

>> That said, make sure to police your users effectively.
>> Use antivirus and antispam (do install spamassassin).
>> Read through http://www.openspf.org/ for issues on SPF.
>> REQUIRE SASL for users on untrusted networks.
>
> At the moment the server already uses a few RBL's, greylisting and clam-av. But it only accepts mail. It isn't set up to allow any sending from users. SASL is already required for the servers used by clients to send out mail.

how is forwarding implemented?
Re: Postfix + SPF/SRS advice
Hi Mouss,

2008/9/8 mouss [EMAIL PROTECTED]:
> we'd like to see a concrete example: sender domain and the uncooperative remote server.

[EMAIL PROTECTED]: host ricercare.co.uk[195.216.196.141] said: 550 SPF: x.x.x.x is not allowed to send mail from growse.com (in reply to RCPT TO command)

> how is forwarding implemented?

Forwarding is done by a MySQL table called by virtual_alias_maps in postfix. Any local mail is relayed to a Barracuda AntiSpam box and forwarders are relayed to their mx's. All mail goes through a list of rbls, greylisting (postfix-policyd) and clamav before relay.

At the moment there is only one domain going through this gateway, but in the near future all our domains are going to be pushed through the gateways.

Thanks
Guy

--
Don't just do something...sit there!
Re: Postfix + SPF/SRS advice
Guy wrote:
> Hi Mouss,
>
> 2008/9/8 mouss [EMAIL PROTECTED]:
>> we'd like to see a concrete example: sender domain and the uncooperative remote server.
>
> [EMAIL PROTECTED]: host ricercare.co.uk[195.216.196.141] said: 550 SPF: x.x.x.x is not allowed to send mail from growse.com (in reply to RCPT TO command)

growse.com SPF record:
v=spf1 ip4:72.36.255.98 -all

This means.. if it's not sending as 72.36.255.98 reject it. (If the mail server enforces SPF.)

Brian
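The rejection quoted above is the case SRS exists for: the gateway forwards with the original envelope sender, so the destination MX checks growse.com's `-all` record against the forwarder's IP. Added example, not part of this thread and not the 2.1.4 patch Guy mentions: a minimal Python implementation of the SRS0 scheme, rewriting the envelope sender into the forwarder's own domain and reversing it for bounces. The forwarder domain, the HMAC secret and the addresses are constructed for the demo.

```python
"""Added example (not from the thread, not the Postfix SRS patch it mentions):
a minimal SRS0 rewriter.  A forwarder keeps the original envelope sender, so
the destination MX checks the original domain's SPF record against the
forwarder's IP and rejects.  SRS0 rewrites the envelope sender into the
forwarder's own domain and can reverse it for bounces:

    SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder-domain>

The secret, forwarder domain and addresses are constructed for the demo.
"""
import base64
import hashlib
import hmac
import time

FORWARDER_DOMAIN = "gateway.example"     # assumed: the forwarding gateway's domain
SECRET = b"constructed-demo-secret"      # assumed: per-site secret for the HMAC
MAX_AGE_DAYS = 21                        # bounces to addresses older than this are refused
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _today():
    return int(time.time() // 86400)


def _timestamp(days):
    """Two base32 chars encoding days-since-epoch mod 1024 (libsrs2 layout)."""
    days %= 1024
    return _B32[days >> 5] + _B32[days & 31]


def _hash(timestamp, domain, local):
    """First 4 base64 chars of HMAC-SHA1 over the reversible fields (case-insensitive)."""
    msg = (timestamp + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest()).decode()[:4]


def _timestamp_valid(ts, today):
    """Accept a stamp from at most MAX_AGE_DAYS ago, allowing for the mod-1024 wrap."""
    ts = ts.upper()
    if len(ts) != 2 or any(c not in _B32 for c in ts):
        return False
    stamped = (_B32.index(ts[0]) << 5) | _B32.index(ts[1])
    return (today - stamped) % 1024 <= MAX_AGE_DAYS


def forward(sender, days=None):
    """Rewrite the envelope sender of mail we are about to forward."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(_today() if days is None else days)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER_DOMAIN}"


def reverse(address, days=None):
    """Map a bounce sent to an SRS0 address back to the original sender.
    Raises ValueError for foreign, tampered or expired addresses, so a bounce
    cannot be relayed on to a sender we never forwarded for."""
    local, domain = address.rsplit("@", 1)
    if domain.lower() != FORWARDER_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    parts = local.split("=", 4)
    if len(parts) != 5:
        raise ValueError("malformed SRS0 address")
    _, h, ts, orig_domain, orig_local = parts
    if not hmac.compare_digest(h, _hash(ts, orig_domain, orig_local)):
        raise ValueError("bad SRS hash: not an address we generated")
    if not _timestamp_valid(ts, _today() if days is None else days):
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    rewritten = forward("someone@growse.com")
    print("forwarded as:", rewritten)
    print("bounce goes back to:", reverse(rewritten))
```

The hash and timestamp are what keep the reverse path from becoming an open bounce relay: without them anyone could craft an `SRS0=` address and have the forwarder deliver to an arbitrary third party.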
Re: Postfix not sending to proper servers.
Marcelo Iturbe wrote:
> Hello,
> A client has a domain (sample.com) which resolves to the IP 190.190.168.54
> The MX records this domain point to another IP completely different: 64.233.171.27

I don't see the same IPs here.

$ host sample.com
sample.com has address 208.87.33.150
sample.com mail is handled by 10 nullmx.sample.com.
$ host nullmx.sample.com
nullmx.sample.com has address 209.181.247.105

> My postfix server houses the domain someotherdomain.com,

you work for South Media Group?

> the problem is that I am unable to send email to my clients domain. When I look in the log files, I see that postfix is trying to send the email to the HOST and not the MX servers.

The A record is used when no MX record is found (that's how mail works). just because _you_ _now_ see an MX record doesn't mean that postfix could find one at the time of the transaction.

> Sep 8 11:04:40 mailserver postfix/smtp[23528]: C6B494C421D: to=[EMAIL PROTECTED], relay=none, delay=1, status=deferred (connect to sample.com[190.190.168.54]: Connection refused)

you'll have to do some debugging to see if you have a DNS problem.
- if you are not running a local DNS server, consider running one
- if your DNS queries are forwarded to your SP, consider disabling this
- if your postfix has chrooted services, consider disabling chroot.
- if your system resolver has bugs, try from another system

> The DNS table looks like

it doesn't matter how it may look like to you. if you want help, show the real domain.

[snip]
Postfix crashing under load
The last error messages I get are these:

Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out
Sep 8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out
Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out
Sep 8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out
[snip about 600 similar lines about this problem]
Sep 8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout
Sep 8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout

postconf -n is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = /usr/share/doc/postfix-2.5.2-documentation/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_use = 10
maximal_backoff_time = 900s
minimal_backoff_time = 600s
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.2-documentation/readme
relay_destination_concurrency_limit = 1000
relay_domains = regexp:/etc/postfix/relay
relay_recipient_maps = regexp:/etc/postfix/relay
relayhost = [redacted-trap]
sample_directory = /usr/share/doc/postfix-2.5.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = check_policy_service inet:[127.0.0.1]:2025
    check_sender_access hash:/etc/postfix/sender_access
    check_client_access hash:/etc/postfix/aol_server_rejects
    check_client_access hash:/etc/postfix/dnswl_rejects
    check_client_access hash:/etc/postfix/whitelisted_clients
    check_recipient_access hash:/etc/postfix/recipient_access
    reject_invalid_hostname
    reject_unknown_hostname
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client aspews.ext.sorbs.net
    reject_unauth_destination
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550

This is a heavily loaded server. Suggestions on cause(s) and fixes?

Devdas Bhagat
trusted access and authenticated access
Hi,

I am trying to configure my postfix server to allow two types of users: trusted and authenticated

The trusted users are sending from a set of IP addresses and I don't require them to authenticate since this has occurred up stream. The authenticated users are using thirdparty clients like t-bird.

I am running into a problem where the trusted clients are being rejected on the mail from command. I suspect this is because of the reject_sender_login_mismatch configuration which to my understanding is required for authenticated clients.

When I add 'smtpd_sasl_exceptions_networks = 2.2.2.2, 3.3.3.3', postfix for those systems no longer advertises the authentication capability. However, I get an error on 'mail from' command - 'Sender address rejected: not logged in'.

How can I configure postfix to support both types of users?

command_directory = /opt/zimbra/postfix-2.5.1/sbin
config_directory = /opt/zimbra/postfix-2.5.1/conf
daemon_directory = /opt/zimbra/postfix-2.5.1/libexec
data_directory = /opt/zimbra/postfix-2.5.1/data
debug_peer_level = 2
disable_vrfy_command = no
html_directory = no
mail_name = MUA Interface
mail_owner = postfix
mailq_path = /opt/zimbra/postfix-2.5.1/sbin/mailq
manpage_directory = /opt/zimbra/postfix-2.5.1/man
message_size_limit = 2300
mydestination =
mynetworks =
newaliases_path = /opt/zimbra/postfix-2.5.1/sbin/newaliases
queue_directory = /opt/zimbra/postfix-2.5.1/spool
readme_directory = no
sample_directory = /opt/zimbra/postfix-2.5.1/conf
sendmail_path = /opt/zimbra/postfix-2.5.1/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_sender_login_mismatch, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = 2.2.2.2, 3.3.3.3
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender, reject_sender_login_mismatch, check_sender_access ldap:/opt/zimbra/conf/ldap-sender.cf, reject
smtpd_tls_CAfile = /opt/zimbra/conf/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
unknown_local_recipient_reject_code = 550
virtual_transport = error

Any help is greatly appreciated.

Charles
Re: Postfix crashing under load
Devdas Bhagat wrote:
> The last error messages I get are these:
>
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out
> [snip about 600 similar lines about this problem]
> Sep 8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout
> Sep 8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout
>
> postconf -n is:
> [...]
> relay_domains = regexp:/etc/postfix/relay
> relay_recipient_maps = regexp:/etc/postfix/relay

This looks potentially bad to me, but without knowing what is in that /etc/postfix/relay map, it's hard to judge.

> relayhost = [redacted-trap]
> smtpd_recipient_restrictions = check_policy_service inet:[127.0.0.1]:2025
>     check_sender_access hash:/etc/postfix/sender_access
>     check_client_access hash:/etc/postfix/aol_server_rejects
>     check_client_access hash:/etc/postfix/dnswl_rejects
>     check_client_access hash:/etc/postfix/whitelisted_clients
>     check_recipient_access hash:/etc/postfix/recipient_access
>     reject_invalid_hostname
>     reject_unknown_hostname
>     reject_rbl_client cbl.abuseat.org
>     reject_rbl_client dnsbl.sorbs.net
>     reject_rbl_client aspews.ext.sorbs.net
>     reject_unauth_destination

This is a potential open relay. If check_sender_access or check_recipient_access returns an OK, then it is.
They should return permit_auth_destination for the simple fact that they are easily forged.

Easy fix: move reject_unauth_destination to the first position
Employ and enforce SASL for untrusted networks.

> This is a heavily loaded server. Suggestions on cause(s) and fixes?

Rethink your relay service or post more on what is in the maps discussed.
Spammers can eat you alive if you let them.

Brian
Re: trusted access and authenticated access
Charles Account wrote:
> Hi,
>
> I am trying to configure my postfix server to allow two types of users: trusted and authenticated
>
> The trusted users are sending from a set of IP addresses and I don't require them to authenticate since this has occurred up stream.

for these you need permit_mynetworks if they are allowed to relay. if they are not, setup a check_client_access to allow them.

> The authenticated users are using thirdparty clients like t-bird.

so this server doesn't receive mail from the public internet, right? In short, it is not an MX.

> I am running into a problem where the trusted clients are being rejected on the mail from command. I suspect this is because of the reject_sender_login_mismatch configuration which to my understanding is required for authenticated clients.
>
> When I add 'smtpd_sasl_exceptions_networks = 2.2.2.2, 3.3.3.3', postfix for those systems no longer advertises the authentication capability. However, I get an error on 'mail from' command - 'Sender address rejected: not logged in'.
>
> How can I configure postfix to support both types of users?
>
> [snip: postconf -n output quoted in full, identical to the original post]
>
> Any help is greatly appreciated.
>
> Charles
Re: processing order lookup tables
mouss wrote:
> gerrit wrote:
>> Hi All,
>>
>> Recently I implemented the sender check. First I made a split for the processing and put some restrictions under smtpd_sender_restrictions and some under smtpd_recipient_restrictions. This resulted in too many rejections, so I left the sender restrictions empty and put all under the recipient restrictions.
>>
>> smtpd_helo_restrictions = reject_invalid_hostname reject_non_fqdn_hostname
>> smtpd_sender_restrictions =
>> smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks
>
> put reject_unauth_destination here. never put reject_unauth_destination after maps that return OK based on easily forged information (such as sender).

Ok.. thank you. It's all very new to me. and sometimes not all is clear. But I want to learn things... and that's worth much ;)

>> check_sender_access hash:/etc/postfix/sender_whitelist check_recipient_access hash:/etc/postfix/recipient_whitelist reject_unauth_destination reject_unverified_sender
>
> sender verification callbacks are not very appreciated. many people consider them abusive. now every time a spammer hits your server with a forged sender, you're hitting an innocent server. and you don't even have anti-spam checks to mitigate this.

The name maybe a bit misleading. For some domains or email addresses, you have to whitelist them. Since this is done locally, e.g. postfix doesn't have to do a query over the internet to check them, this would be the fair way I guess. Not every one does have a fully RFC compliant mailserver, yet I try to have one. :D The only thing I'm saying in those maps is : permit the request, if an email address matches an entry in that file.

>> One question is now : In which order are the sender restrictions and recipient restrictions applied ? So when a mail comes in, are first all the rules applied from the recipient restrictions and then the sender restrictions or just the other way ?
>
> the other way, but why do you care? put all your restrictions under smtpd_recipient_restrictions so that you don't need to repeat permit_* checks.
>
>> Another question : The mailserver (latest centos version 2.3.3) does virtual mailbox hosting. I have a few catch-all network wide email addresses : postmaster@, apache@ and some more. My goal is, if there isn't an explicit (real) mailbox for a postmaster in a domain, then this catch-all has to catch those mails. But... Since I forward these now, I put a table under virtual_alias_maps. But when a real mailbox is defined, the mail is picked up by the virtual_alias_maps first since the processing order is first virtual_alias_maps and then virtual_mailbox_maps.. Right ?
>
> it's catch all, not catch some :) you need to add identity mappings to your virtual_alias_maps:
> [EMAIL PROTECTED] [EMAIL PROTECTED]
> ...
> so that they don't get redirected to your catchall aliases.

Yet... I know this method. But I don't wanna put (in total) 8000 mappings in a file with only postmaster@somedomain and abuse@ [EMAIL PROTECTED] Therefore I wanted to use the regex way.

This is what I have now in my main.cf ( see the reserved_address mapping file) :

virtual_mailbox_domains = mysql:/etc/postfix/mysql-transport.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf mysql:/etc/postfix/mysql-autoreply.cf regexp:/etc/postfix/reserved-addresses

So my goal is to get this ( I hope I'm clear to everyone) :

virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf regexp:/etc/postfix/reserved-addresses
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf mysql:/etc/postfix/mysql-autoreply.cf

In words : If one of the reserved_addresses like apache@, postmaster@ don't exist in virtual_alias_maps and the virtual_mailbox_maps, it has to be caught by the reserved_addresses map which contains entries like ^postmaster@ or '^abuse@'

Because the virtual_alias_maps are searched before the virtual_mailbox_maps, I want to have the mapping there, under virtual_mailbox_maps. But... virtual_mailbox_maps expects an email = homedirectory mapping. And my wish is to have an email = alias mapping.

Can this be accomplished ?
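Both Brian (in the "Postfix crashing under load" thread) and mouss here make the same point about ordering: an access map that answers OK before reject_unauth_destination lets anyone who can forge the looked-up sender relay through the server. Added example, not from either thread and not Postfix code: a toy evaluator for an smtpd_recipient_restrictions list that models only those ordering semantics (first restriction to yield a verdict wins, map results may themselves be restriction names). Domains, networks, map contents and addresses are constructed.

```python
"""Added example (not from the thread): a toy evaluator for a Postfix-style
smtpd_recipient_restrictions list.  It models only the ordering semantics
discussed on the list: restrictions are tried in order, the first one that
yields a verdict wins, and an access map that answers OK before
reject_unauth_destination permits relaying for anyone who can forge the
looked-up sender.  Domains, networks, map contents and addresses are
constructed; this is not Postfix code.
"""

MY_DOMAINS = {"example.org"}      # assumed: domains we accept mail for (mydestination/relay_domains)
MY_NETWORKS = {"192.0.2.10"}      # assumed: mynetworks

# Constructed access maps, keyed by the name used on the restriction line.
MAPS = {
    "sender_whitelist": {"partner.example": "OK"},
    "sender_whitelist_safe": {"partner.example": "permit_auth_destination"},
}


def _lookup(table, key):
    """Simplified access-map lookup: full address first, then the bare domain."""
    return table.get(key) or table.get(key.rsplit("@", 1)[1])


def evaluate(restrictions, client_ip, sender, recipient, maps=MAPS):
    """Return ('permit'|'reject', reason) for one RCPT TO, walking the list in order."""
    auth_dest = recipient.rsplit("@", 1)[1] in MY_DOMAINS
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            if client_ip in MY_NETWORKS:
                return "permit", name
        elif name == "permit_auth_destination":
            if auth_dest:
                return "permit", name
        elif name == "reject_unauth_destination":
            if not auth_dest:
                return "reject", name
        elif name in ("check_sender_access", "check_recipient_access"):
            key = sender if name == "check_sender_access" else recipient
            action = _lookup(maps[arg], key)
            if action is None:
                continue                              # no entry: fall through to the next restriction
            if action == "OK":
                return "permit", f"{name} {arg}: {key} -> OK"
            if action == "permit_auth_destination":   # a map result may itself be a restriction
                if auth_dest:
                    return "permit", f"{name} {arg}: {key} -> permit_auth_destination"
            elif action.startswith("REJECT"):
                return "reject", f"{name} {arg}: {key} -> {action}"
        else:
            raise ValueError(f"unmodelled restriction {name}")
    return "permit", "end of list"


# The three orderings discussed on the list.
ORIGINAL = ["permit_mynetworks", "check_sender_access sender_whitelist", "reject_unauth_destination"]
FIXED_ORDER = ["permit_mynetworks", "reject_unauth_destination", "check_sender_access sender_whitelist"]
FIXED_MAP = ["permit_mynetworks", "check_sender_access sender_whitelist_safe", "reject_unauth_destination"]


def relay_attempt(restrictions):
    """Stranger forging a whitelisted sender and asking us to relay to a third party."""
    return evaluate(restrictions, "198.51.100.7", "anyone@partner.example", "victim@elsewhere.test")[0]


def inbound_from_partner(restrictions):
    """Legitimate mail from the partner to one of our own users."""
    return evaluate(restrictions, "198.51.100.7", "anyone@partner.example", "user@example.org")[0]


if __name__ == "__main__":
    for label, lst in (("original", ORIGINAL),
                       ("reject_unauth_destination first", FIXED_ORDER),
                       ("map returns permit_auth_destination", FIXED_MAP)):
        print(f"{label:38} relay attempt: {relay_attempt(lst):7} partner inbound: {inbound_from_partner(lst)}")
```

Both fixes keep the whitelist working for mail addressed to our own domains; only the forged-sender relay attempt changes from permit to reject.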
Re: processing order lookup tables
gerrit wrote:
>>> check_sender_access hash:/etc/postfix/sender_whitelist check_recipient_access hash:/etc/postfix/recipient_whitelist reject_unauth_destination reject_unverified_sender
>>
>> sender verification callbacks are not very appreciated. many people consider them abusive. now every time a spammer hits your server with a forged sender, you're hitting an innocent server. and you don't even have anti-spam checks to mitigate this.
>
> The name maybe a bit misleading. For some domains or email addresses, you have to whitelist them. Since this is done locally, e.g. postfix doesn't have to do a query over the internet to check them, this would be the fair way I guess. Not every one does have a fully RFC compliant mailserver, yet I try to have one. :D The only thing I'm saying in those maps is : permit the request, if an email address matches an entry in that file.

The problem is with reject_unverified_sender, not check_mumble_access.

>>> One question is now : In which order are the sender restrictions and recipient restrictions applied ? So when a mail comes in, are first all the rules applied from the recipient restrictions and then the sender restrictions or just the other way ?
>>
>> the other way, but why do you care? put all your restrictions under smtpd_recipient_restrictions so that you don't need to repeat permit_* checks.
>>
>>> Another question : The mailserver (latest centos version 2.3.3) does virtual mailbox hosting. I have a few catch-all network wide email addresses : postmaster@, apache@ and some more. My goal is, if there isn't an explicit (real) mailbox for a postmaster in a domain, then this catch-all has to catch those mails. But... Since I forward these now, I put a table under virtual_alias_maps. But when a real mailbox is defined, the mail is picked up by the virtual_alias_maps first since the processing order is first virtual_alias_maps and then virtual_mailbox_maps.. Right ?
>>
>> it's catch all, not catch some :) you need to add identity mappings to your virtual_alias_maps:
>> [EMAIL PROTECTED] [EMAIL PROTECTED]
>> ...
>> so that they don't get redirected to your catchall aliases.
>
> Yet... I know this method. But I don't wanna put (in total) 8000 mappings in a file with only postmaster@somedomain and abuse@ [EMAIL PROTECTED] Therefore I wanted to use the regex way.

why regex? you are using mysql, so let mysql do it. just write a query that returns what you want. the identity mapping is trivial in mysql (it amounts to something like: select email from Email where email = '%s' and ...) and lookup for postmaster and friends isn't harder.

> This is what I have now in my main.cf ( see the reserved_address mapping file) :
>
> virtual_mailbox_domains = mysql:/etc/postfix/mysql-transport.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf
> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf mysql:/etc/postfix/mysql-autoreply.cf regexp:/etc/postfix/reserved-addresses
>
> So my goal is to get this ( I hope I'm clear to everyone) :
>
> virtual_mailbox_maps = mysql:/etc/postfix/mysql-mailbox.cf regexp:/etc/postfix/reserved-addresses
> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf mysql:/etc/postfix/mysql-autoreply.cf
>
> In words : If one of the reserved_addresses like apache@, postmaster@ don't exist in virtual_alias_maps and the virtual_mailbox_maps, it has to be caught by the reserved_addresses map which contains entries like ^postmaster@ or '^abuse@'
>
> Because the virtual_alias_maps are searched before the virtual_mailbox_maps, I want to have the mapping there, under virtual_mailbox_maps.

virtual_mailbox_maps is for virtual mailboxes. you can of course create a mailbox for [EMAIL PROTECTED] but this is not the same thing as a virtual alias.

> But... virtual_mailbox_maps expects an email = homedirectory mapping. And my wish is to have an email = alias mapping.
>
> Can this be accomplished ?

again, you need the identity mapping. just let mysql do it for you.

virtual_alias_maps =
    proxy:mysql:/
    proxy:mysql:/
    proxy:mysql:/.../identity.cf
    proxy:mysql:/.../default_alias.cf

the identity.cf returns its key if the key is found. default_alias.cf implements catchall.
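Added example, not from this thread and not Postfix or its mysql client: an in-memory model, using sqlite3, of the virtual_alias_maps chain mouss describes above. One query stands in for the ordinary alias table, one for identity.cf (returns its own key when a real mailbox exists) and one for default_alias.cf (the postmaster@/abuse@/apache@ catch-all). Maps are consulted in list order and the first that returns a row wins, which is why the identity query must sit before the catch-all. Table contents, domains, addresses and the catch-all destination are constructed.

```python
"""Added example (not from the thread, not Postfix or its mysql client):
a sqlite3 model of a virtual_alias_maps chain made of an ordinary alias
table, an identity query and a default-alias (catch-all) query.  Postfix
consults maps in list order and takes the first result, so the identity
map shields real mailboxes from the catch-all only when it comes first.
Table contents, domains and addresses are constructed.
"""
import sqlite3

RESERVED_LOCALPARTS = ("postmaster", "abuse", "apache")   # the catch-all names from the thread
CATCHALL = "hostmaster@central.example"                    # assumed catch-all destination


def build_db():
    """Constructed stand-in for the site's mysql tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mailbox (email TEXT PRIMARY KEY);                        -- real virtual mailboxes
        CREATE TABLE alias   (source TEXT PRIMARY KEY, destination TEXT);     -- ordinary virtual aliases
        CREATE TABLE reserved(localpart TEXT PRIMARY KEY, destination TEXT);  -- catch-all for reserved names
    """)
    db.executemany("INSERT INTO mailbox VALUES (?)",
                   [("postmaster@a.example",), ("bob@b.example",)])
    db.executemany("INSERT INTO alias VALUES (?, ?)",
                   [("sales@a.example", "bob@b.example")])
    db.executemany("INSERT INTO reserved VALUES (?, ?)",
                   [(lp, CATCHALL) for lp in RESERVED_LOCALPARTS])
    return db


# Each function stands for one mysql:/etc/postfix/*.cf file.  Postfix would
# substitute %s (whole address), %u (local part) and %d (domain) into the
# query string; here they arrive as parameters.
def mysql_virtual(db, addr, localpart, domain):
    return db.execute("SELECT destination FROM alias WHERE source = ?", (addr,)).fetchone()


def identity_cf(db, addr, localpart, domain):
    """Returns its own key when a mailbox exists, so later maps are never consulted."""
    return db.execute("SELECT email FROM mailbox WHERE email = ?", (addr,)).fetchone()


def default_alias_cf(db, addr, localpart, domain):
    """Catch-all: any reserved local part, in any hosted domain, goes to CATCHALL."""
    return db.execute("SELECT destination FROM reserved WHERE localpart = ?", (localpart,)).fetchone()


VIRTUAL_ALIAS_MAPS = [mysql_virtual, identity_cf, default_alias_cf]   # the order mouss recommends
WITHOUT_IDENTITY = [mysql_virtual, default_alias_cf]                   # gerrit's original situation


def lookup(db, addr, maps):
    """First map returning a row wins; None means 'not a virtual alias'."""
    localpart, domain = addr.rsplit("@", 1)
    for query in maps:
        row = query(db, addr, localpart, domain)
        if row:
            return row[0]
    return None


def resolve(db, addr, maps=VIRTUAL_ALIAS_MAPS, max_hops=10):
    """Expand aliases repeatedly, as Postfix does, until the address maps to itself or to nothing."""
    for _ in range(max_hops):
        nxt = lookup(db, addr, maps)
        if nxt is None or nxt == addr:
            return addr
        addr = nxt
    raise RuntimeError("virtual alias loop for " + addr)


if __name__ == "__main__":
    db = build_db()
    for a in ("postmaster@a.example", "postmaster@b.example", "abuse@a.example", "sales@a.example"):
        print(f"{a:22} -> {resolve(db, a):28} (without identity map: {resolve(db, a, WITHOUT_IDENTITY)})")
```

An address that no map claims (`nobody@b.example` in the test) comes back unchanged; in Postfix it would then be checked against virtual_mailbox_maps and rejected if no mailbox exists, which is the behaviour gerrit wants to keep.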
Re: Postfix crashing under load
On Mon, Sep 08, 2008 at 10:35:40PM +0530, Devdas Bhagat wrote:
> The last error messages I get are these:
>
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out
> Sep 8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out
> [snip about 600 similar lines about this problem]

Master daemon freezes and is unable to spawn any new processes.

> Sep 8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout

After a 1000s delay, master bails out, so the problem started 16 minutes and 40 seconds before 14:10:56, i.e. at 13:53:16.

> Sep 8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout

The queue manager was also frozen. What happened at ~13:53 ???

The master received no events for 1000 seconds, do you have a 60 second wakeup timer for pickup in the master.cf? Or a 300s timer for qmgr? Perhaps the O/S incorrectly reports a full qmgr FIFO as being ready, and then master blocks trying to write a wakeup trigger (one byte) to the fifo? But that still leaves the question as to why qmgr is frozen open...

This looks like an O/S resource issue...

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
Re: postfix/dovecot lda assistance
Scott Sharkey wrote:
> Hi All,
>
> I'm trying to set postfix up to deliver using dovecot's LDA delivery agent. I'm using postfixadmin, with mysql virtual user tables. Those tables include a transport field, which is set to virtual:. But I thought that the main.cf virtual_transport setting would redirect these through dovecot's lda. However, it appears not, as I've replaced the /usr/lib/dovecot/deliver entry in master with a dovecot.sh that just logs that it was called before executing the actual dovecot deliver, and the log remains empty. Also, if I point the master.cf to a non-existent shell script, mail is still delivered, without error. Additionally, no dovecot-deliver log entries are ever made.

do you have any problem setting dovecot: in your transports?

> So, below are some config entries and log results, but what am I doing wrong, or what should I try next.
>
> In master.cf:
>
> # Dovecot Local Delivery Agent
> dovecot   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
>
> And in main.cf:
>
> virtual_transport = dovecot
> local_transport = dovecot
> dovecot_destination_recipient_limit = 1
>
> And in mail.log:
>
> Sep 8 14:22:18 mail postfix/virtual[31793]: 15AE21C154: to=[EMAIL PROTECTED], relay=virtual, delay=0.47, delays=0.44/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
>
> The key here being the postfix/virtual and relay=virtual.
>
> Any suggestions welcome, and if you need more from the configs please let me know.
>
> Thanks!
> -scott
Re: Postfix crashing under load
Devdas Bhagat: The last error messages I get are these: Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out snip about 600 similar lines about this problem Sep 8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout Sep 8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout I think that the kernel is running out of steam. Try reducing the concurrency. The master daemon triggers qmgr and pickup regularly. That trigger write is non-blocking with a timeout of 1, so it cannot block the master daemon. Except of course when the kernel is messed up. Wietse
Re: Postfix crashing under load
Wietse Venema: Devdas Bhagat: The last error messages I get are these: Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out snip about 600 similar lines about this problem Sep 8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout Sep 8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout I think that the kernel is running out of steam. Try reducing the concurrency. The master daemon triggers qmgr and pickup regularly. That trigger write is non-blocking with a timeout of 1, so it cannot block the master daemon. Except of course when the kernel is messed up. Hmm, except that write_buf() will retry the write() after an EAGAIN error. So to be really smart, write_buf() should watch the clock and break the loop when the time expires. Wietse
Re: Postfix crashing under load
On Mon, Sep 08, 2008 at 03:31:29PM -0400, Wietse Venema wrote: The master daemon triggers qmgr and pickup regularly. That trigger write is non-blocking with a timeout of 1, so it cannot block the master daemon. Except of course when the kernel is messed up. Hmm, except that write_buf() will retry the write() after an EAGAIN error. So to be really smart, write_buf() should watch the clock and break the loop when the time expires. Somewhat related question, if one removes all wakeup timers from master.cf, will master(8) croak with a watchdog timer if the remaining services are idle long enough? -- Viktor.
Re: Postfix crashing under load
Wietse Venema: Wietse Venema: Devdas Bhagat: The last error messages I get are these: Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out Sep 8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out snip about 600 similar lines about this problem Sep 8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout Sep 8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout I think that the kernel is running out of steam. Try reducing the concurrency. The master daemon triggers qmgr and pickup regularly. That trigger write is non-blocking with a timeout of 1, so it cannot block the master daemon. Except of course when the kernel is messed up. Hmm, except that write_buf() will retry the write() after an EAGAIN error. So to be really smart, write_buf() should watch the clock and break the loop when the time expires. If this is the problem, the workaround would be to break the loop after EAGAIN. That would keep the master from timing out. You'd still have a deadlocked qmgr for 1000s, though. Wietse

ssize_t write_buf(int fd, const char *buf, ssize_t len, int timeout)
{
    const char *start = buf;
    ssize_t count;

    while (len > 0) {
        if (timeout > 0 && write_wait(fd, timeout) < 0)
            return (-1);
        if ((count = write(fd, buf, len)) < 0) {
#if 0                                   /* workaround: no blind retry after EAGAIN */
            if (errno == EAGAIN && timeout > 0)
                continue;
#endif
            if (errno == EINTR)
                continue;
            return (-1);
        }
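An added example, not Postfix's own write_buf(): the same retry loop with the clock check Wietse describes, driven against a deliberately full non-blocking pipe through two readiness probes, an honest poll(2) one and one that always claims "writable" to stand in for the misreporting kernel Viktor suspects. The names poll_write_wait, lying_write_wait, write_buf_deadline, make_full_pipe and trigger_full_pipe are mine, and the probe interface is an assumption, not Postfix's write_wait().

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Readiness probe used by the write loop: 0 when fd may be written, -1 with
 * errno set otherwise. Assumed interface; Postfix's own write_wait() is not used. */
typedef int (*write_wait_fn)(int fd, int timeout);

/* Honest probe: ask the kernel with poll(2), give up after timeout seconds. */
int poll_write_wait(int fd, int timeout)
{
    struct pollfd pfd = { fd, POLLOUT, 0 };
    int rc;

    do {
        rc = poll(&pfd, 1, timeout * 1000);
    } while (rc < 0 && errno == EINTR);
    if (rc == 0)
        errno = ETIMEDOUT;
    return rc > 0 ? 0 : -1;
}

/* Simulated misbehaving kernel from the thread: always reports "writable", so
 * every write() on a full FIFO fails with EAGAIN and the caller keeps retrying. */
int lying_write_wait(int fd, int timeout)
{
    (void) fd; (void) timeout;
    return 0;
}

/* write_buf() with the clock check: the EAGAIN retry is bounded by an absolute
 * deadline, so a probe that never stops lying cannot hang the caller forever. */
ssize_t write_buf_deadline(int fd, const char *buf, ssize_t len,
                           int timeout, write_wait_fn wait)
{
    const char *start = buf;
    time_t deadline = time(NULL) + timeout;
    ssize_t count;

    while (len > 0) {
        if (timeout > 0 && wait(fd, timeout) < 0)
            return -1;
        if ((count = write(fd, buf, len)) < 0) {
            if (errno == EINTR)
                continue;
            if (errno == EAGAIN && timeout > 0) {
                if (time(NULL) >= deadline) {   /* the added clock check */
                    errno = ETIMEDOUT;
                    return -1;
                }
                continue;
            }
            return -1;
        }
        buf += count;
        len -= count;
    }
    return buf - start;
}

/* Constructed fixture: a non-blocking pipe filled until write() reports EAGAIN,
 * standing in for the full qmgr trigger FIFO. Returns 0 on success. */
int make_full_pipe(int fds[2])
{
    char junk[512] = { 0 };
    ssize_t n;

    if (pipe(fds) < 0)
        return -1;
    if (fcntl(fds[1], F_SETFL, fcntl(fds[1], F_GETFL) | O_NONBLOCK) < 0)
        return -1;
    do {
        n = write(fds[1], junk, sizeof junk);
    } while (n > 0);
    return (n < 0 && errno == EAGAIN) ? 0 : -1;
}

/* Write one trigger byte into a full pipe through the given probe. Returns 1
 * if the call gave up with ETIMEDOUT within a few seconds, otherwise 0. */
int trigger_full_pipe(write_wait_fn wait, int timeout)
{
    int fds[2], ok;
    time_t t0;
    ssize_t rc;

    if (make_full_pipe(fds) < 0)
        return 0;
    t0 = time(NULL);
    rc = write_buf_deadline(fds[1], "W", 1, timeout, wait);
    ok = (rc == -1 && errno == ETIMEDOUT && time(NULL) - t0 <= timeout + 2);
    close(fds[0]);
    close(fds[1]);
    return ok;
}
```

With the lying probe the original loop would spin on EAGAIN indefinitely; here both probes give up after about one second, which is the behaviour that keeps master(8) from reaching its watchdog timeout.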
Re: Postfix crashing under load
Victor Duchovni: On Mon, Sep 08, 2008 at 03:31:29PM -0400, Wietse Venema wrote: The master daemon triggers qmgr and pickup regularly. That trigger write is non-blocking with a timeout of 1, so it cannot block the master daemon. Except of course when the kernel is messed up. Hmm, except that write_buf() will retry the write() after an EAGAIN error. So to be really smart, write_buf() should watch the clock and break the loop when the time expires. Somewhat related question, if one removes all wakeup timers from master.cf, will master(8) croak with a watchdog timer if the remaining services are idle long enough? I don't care. Postfix without queue manager makes no sense, and having no wakeup on the queue manager is insane. Wietse
Re: postfix hangs when SASL enabled
On Mon, Sep 08, 2008 at 08:15:24AM +0200, mouss wrote: Travis wrote: I also notice that even though the SSL keys have passwords on them, postfix never prompts for them. daemons do not prompt. Perhaps they should not, but apache does. Dovecot has a config file entry with the password to the key to allow use of keys with passwords, which is helpful because: It turns out that my software (tinyca2) as well as the normal openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 (suggested here: https://help.ubuntu.com/community/Postfix) both prompt for passwords with which to encrypt the key. As http://www.postfix.org/TLS_README.html says: The private key must not be encrypted, meaning: the key must be accessible without a password Ah, thank you. it is probable that you have a config error in your sasl configuration (smtpd.conf). run saslfinger and report its output. saslfinger - postfix Cyrus sasl configuration Mon Sep 8 23:58:13 CEST 2008 version: 1.0.2 mode: server-side SMTP AUTH -- basics -- Postfix: 2.3.8 System: Debian GNU/Linux 4.0 \n \l -- smtpd is linked to -- libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0xb7d2e000) -- active SMTP AUTH and TLS parameters for smtpd -- broken_sasl_auth_clients = yes smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_tls_CAfile = /c/keys/cacert.pem smtpd_tls_auth_only = no smtpd_tls_cert_file = /c/keys/mail.bitrot.info-cert.pem smtpd_tls_key_file = /c/keys/mail.bitrot.info-key.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes -- listing of /usr/lib/sasl2 -- total 112 drwxr-xr-x 2 root root 4096 Jul 25 03:08 . drwxr-xr-x 58 root root 20480 Sep 8 01:16 .. 
-rw-r--r-- 1 root root 21726 Dec 13 2006 libsasldb.a
-rw-r--r-- 1 root root   856 Dec 13 2006 libsasldb.la
-rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so
-rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so.2
-rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so.2.0.22
-- content of /etc/postfix/sasl/smtpd.conf --
# Global parameters
log_level: 3
pwcheck_method: saslauthd
mech_list: plain login
-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n     n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
-- mechanisms on localhost --
-- end of saslfinger output --
-- Crypto ergo sum.
http://www.subspacefield.org/~travis/ Truth does not fear scrutiny or competition, only lies do. If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted.
Re: postfix hangs when SASL enabled
Travis: It turns out that my software (tinyca2) as well as the normal openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 (suggested here: https://help.ubuntu.com/community/Postfix) both prompt for passwords with which to encrypt the key. See instructions at the end of http://www.postfix.org/TLS_README.html Begin quote: * Create an unpassworded private key for host foo.porcupine.org and create an unsigned public key certificate. % openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365 End quote. Wietse
Re: postfix hangs when SASL enabled
2008/9/9 Travis [EMAIL PROTECTED]: Perhaps they should not, but apache does. Dovecot has a config file entry with the password to the key to allow use of keys with passwords, which is helpful because: Apache's default behaviour to prompt is less than ideal, but can be configured to do otherwise. It turns out that my software (tinyca2) as well as the normal openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 (suggested here: https://help.ubuntu.com/community/Postfix) both prompt for passwords with which to encrypt the key. As Wietse mentions, this guide is perverse. This smells like cargo-culting, there's no need to create the key with a passphrase then strip it a couple of steps later. This will also do exactly what you want. (I've also fixed that bit of the documentation) openssl genrsa 1024 > unencrypted.key
Re: rcpt count mismatch errors (not using Mailscanner)
Wietse Venema: [EMAIL PROTECTED]: Any ideas what causes these? Jul 21 23:14:43 kd1 postfix/qmgr[20699]: warning: F320A29569: rcpt count mismatch (-2) ... Version is postfix-2.3.r8,3 (FreeBSD port) This problem was removed by a code reorganization in Postfix 2.4, when I added support for message body replacement. This patch fixes the Postfix 2.3 rcpt count mismatch warning message that is logged after Milter applications add a recipient to a queue file. Postfix 2.3 is the oldest Postfix release that is still being updated. The current patchlevel is 15. Wietse diff -cr --new-file /var/tmp/postfix-2.3.8/src/cleanup/Makefile.in ./src/cleanup/Makefile.in *** /var/tmp/postfix-2.3.8/src/cleanup/Makefile.in Thu Oct 19 11:16:17 2006 --- ./src/cleanup/Makefile.in Mon Sep 8 08:46:28 2008 *** *** 3,14 cleanup_extracted.c cleanup_state.c cleanup_rewrite.c \ cleanup_map11.c cleanup_map1n.c cleanup_masquerade.c \ cleanup_out_recipient.c cleanup_init.c cleanup_api.c \ ! cleanup_addr.c cleanup_bounce.c cleanup_milter.c OBJS = cleanup.o cleanup_out.o cleanup_envelope.o cleanup_message.o \ cleanup_extracted.o cleanup_state.o cleanup_rewrite.o \ cleanup_map11.o cleanup_map1n.o cleanup_masquerade.o \ cleanup_out_recipient.o cleanup_init.o cleanup_api.o \ ! cleanup_addr.o cleanup_bounce.o cleanup_milter.o HDRS = TESTSRC = DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) --- 3,14 cleanup_extracted.c cleanup_state.c cleanup_rewrite.c \ cleanup_map11.c cleanup_map1n.c cleanup_masquerade.c \ cleanup_out_recipient.c cleanup_init.c cleanup_api.c \ ! cleanup_addr.c cleanup_bounce.c cleanup_milter.c cleanup_final.c OBJS = cleanup.o cleanup_out.o cleanup_envelope.o cleanup_message.o \ cleanup_extracted.o cleanup_state.o cleanup_rewrite.o \ cleanup_map11.o cleanup_map1n.o cleanup_masquerade.o \ cleanup_out_recipient.o cleanup_init.o cleanup_api.o \ ! cleanup_addr.o cleanup_bounce.o cleanup_milter.o cleanup_final.o HDRS = TESTSRC = DEFS = -I. 
-I$(INC_DIR) -D$(SYSTYPE) *** *** 321,326 --- 321,352 cleanup_extracted.o: ../../include/vstring.h cleanup_extracted.o: cleanup.h cleanup_extracted.o: cleanup_extracted.c + cleanup_final.o: ../../include/argv.h + cleanup_final.o: ../../include/been_here.h + cleanup_final.o: ../../include/cleanup_user.h + cleanup_final.o: ../../include/dict.h + cleanup_final.o: ../../include/header_opts.h + cleanup_final.o: ../../include/htable.h + cleanup_final.o: ../../include/mail_conf.h + cleanup_final.o: ../../include/mail_stream.h + cleanup_final.o: ../../include/maps.h + cleanup_final.o: ../../include/match_list.h + cleanup_final.o: ../../include/match_ops.h + cleanup_final.o: ../../include/milter.h + cleanup_final.o: ../../include/mime_state.h + cleanup_final.o: ../../include/msg.h + cleanup_final.o: ../../include/mymalloc.h + cleanup_final.o: ../../include/nvtable.h + cleanup_final.o: ../../include/rec_type.h + cleanup_final.o: ../../include/resolve_clnt.h + cleanup_final.o: ../../include/string_list.h + cleanup_final.o: ../../include/sys_defs.h + cleanup_final.o: ../../include/tok822.h + cleanup_final.o: ../../include/vbuf.h + cleanup_final.o: ../../include/vstream.h + cleanup_final.o: ../../include/vstring.h + cleanup_final.o: cleanup.h + cleanup_final.o: cleanup_final.c cleanup_init.o: ../../include/argv.h cleanup_init.o: ../../include/been_here.h cleanup_init.o: ../../include/dict.h diff -cr --new-file /var/tmp/postfix-2.3.8/src/cleanup/cleanup.h ./src/cleanup/cleanup.h *** /var/tmp/postfix-2.3.8/src/cleanup/cleanup.hThu Oct 19 11:16:17 2006 --- ./src/cleanup/cleanup.h Mon Sep 8 08:45:45 2008 *** *** 220,225 --- 220,230 extern void cleanup_extracted(CLEANUP_STATE *, int, const char *, ssize_t); /* + * cleanup_final.c + */ + extern void cleanup_final(CLEANUP_STATE *); + + /* * cleanup_rewrite.c */ extern int cleanup_rewrite_external(const char *, VSTRING *, const char *); diff -cr --new-file /var/tmp/postfix-2.3.8/src/cleanup/cleanup_api.c ./src/cleanup/cleanup_api.c *** 
/var/tmp/postfix-2.3.8/src/cleanup/cleanup_api.cThu Jun 15 14:07:15 2006 --- ./src/cleanup/cleanup_api.c Mon Sep 8 08:47:12 2008 *** *** 235,240 --- 235,247 } /* + * Update the preliminary message size and count fields with the actual + * values. + */ + if (CLEANUP_OUT_OK(state)) + cleanup_final(state); + + /* * If there was an error that requires us to generate a bounce message * (mail submitted with the Postfix sendmail command, mail forwarded by * the local(8) delivery agent, or mail re-queued with postsuper -r), diff -cr --new-file /var/tmp/postfix-2.3.8/src/cleanup/cleanup_extracted.c ./src/cleanup/cleanup_extracted.c ***
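Review bot: in the cleanup_api.c hunk, the new `cleanup_final(state)` call is guarded by `CLEANUP_OUT_OK(state)`, but the function itself is never shown: the Makefile.in and cleanup.h hunks add cleanup_final.c and `extern void cleanup_final(CLEANUP_STATE *);`, yet the visible patch ends at the `cleanup_extracted.c` file header with no cleanup_final.c content and no cleanup_extracted.c change, so the code that actually rewrites the preliminary size and recipient-count records (the part that fixes the "rcpt count mismatch" warning) cannot be reviewed here; please post the complete diff including cleanup_final.c.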
can send mail, but cannot receive (through ISP smtp)
Hi all, I have set up Postfix 2.5.4 with TLS, Cyrus SASL and LDAP lookups for users. I tested it with openssl s_client command on ports 25, 465 and 587 and everything works (authentication and test emails). I use self signed CA certificates. I also tested sending mail on gmail, yahoo and other providers and it works, but when I reply back, nothing happens: no error in the logs, no mailer-daemon back to gmail or yahoo saying something is wrong. My IP is dynamic and I have set up a dynamic DNS for my test domain, test.lexarrow.com, with A and MX records for mail.test.lexarrow.com. I checked DNS settings with dig MX and dig A commands (they turn out ok) and with dnsstuff.com (everything turns out ok except the Mail section). After almost 60 hrs of digging I am running out of ideas. Please help. My postfinger output is:
--System Parameters--
mail_version = 2.5.4
hostname = localhost
uname = Linux localhost 2.6.24-19-generic #1 SMP Wed Aug 20 22:56:21 UTC 2008 i686 GNU/Linux
--Packaging information--
--main.cf non-default parameters--
broken_sasl_auth_clients = yes
cyrus_sasl_config_path = /opt/sasl/etc
debug_peer_level = 90
debug_peer_list = test.lexarrow.com
local_recipient_maps =
mail_spool_directory = /var/spool/postfix
mydomain = test.lexarrow.com
myhostname = mail.test.lexarrow.com
mynetworks = 127.0.0.0/8 127.0.1.1 10.0.0.1
mynetworks_style = host
myorigin = $mydomain
relayhost = smtp.rdslink.ro
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Ubuntu Linux)
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = #this must be empty
smtpd_tls_CAfile = /etc/postfix/ssl/pcacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/pservercrt.pem
smtpd_tls_key_file = /etc/postfix/ssl/pserverkey.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
smtp_sasl_password_maps = ldap:/etc/postfix/ldap-aliases.cf
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
soft_bounce = yes
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:1004
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailboxes.cf
virtual_minimum_uid = 1000
virtual_uid_maps = static:1003
--master.cf--
25        inet  n       -       n       -       -       smtpd -v
587       inet  n       -       n       -       -       smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,permit_mynetworks,reject
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup -v
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtpd -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
-- end of postfinger output --
dig result:
dig mx test.lexarrow.com
; <<>> DiG 9.4.2-P1 <<>> mx test.lexarrow.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54532
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test.lexarrow.com.		IN	MX
;; ANSWER SECTION:
test.lexarrow.com.	3600	IN	MX	10 mail.test.lexarrow.com.
;; Query time: 186 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Tue Sep  9 03:16:01 2008
;; MSG SIZE  rcvd: 56
my networks exclusions not working?
I have the following mynetworks defined. Despite having 69.31.160.0/20 defined and !69.31.174.220 defined, I can still relay mail from 69.31.174.220 without smtp authentication. Why is this? Does order matter or is there another problem with my syntax? mynetworks = 69.31.160.0/20, 69.31.176.0/20, 69.67.160.0/20, 69.67.176.0/20, 207.102.197.0/24, 207.194.228.0/24, 207.194.229.0/24, 209.52.5.0/24, 209.52.15.0/24, 209.52.25.0/24, 209.52.26.0/24, 209.52.30.0/24, !69.67.187.103, !69.67.187.113, !69.67.187.116, 209.87.128.0/20, 64.251.83.160/27, !69.31.165.146, !69.31.174.220, 206.12.31.0/24, 206.12.175.0/24, 207.102.30.0/24,
Re: postfix/dovecot lda assistance
Hi Brian, I'm editing this to make it a bit shorter. Brian Evans - Postfix List wrote: Scott Sharkey wrote: Brian Evans - Postfix List wrote: Scott Sharkey wrote: We need your 'postconf -n' to give more hints about a correct setup. (with virtual_ maps explained too) see below: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases Note: in a virtual setting, these are never referenced (for domains in Actually, these are used for the lists.xxx.com domains, which are mailman-domains, that I am now putting through local. No effect on the dovecot or virtual domains though, I agree. And alias_maps now has hash:/var/lib/mailman/data/aliases as well. I was hoping to avoid that using the python-to-mailman.py script, but the flaw in that plan is that you still have to have a map somewhere with the valid addresses, so it seems pointless. I've gone back to marking these as local domains. local_recipient_maps = $virtual_mailbox_maps, $virtual_alias_maps, $alias_maps, hash:/etc/postfix/relay_recipient_map dropped the relay_recipient map, but questions remain (see below) local_transport = dovecot put this back to local for the list domains (which are the only local mail accounts). mailbox_size_limit = 0 mime_header_checks = pcre:/etc/postfix/mime_header_checks mydestination = $transport_maps This does not look right to me. Do NOT mix virtual and mydestination. This should list mail domains that are local to the machine. If you do not need it, use the default. This will pick up things like cron jobs and pass it to dovecot. You are correct. I've redefined this to 'localhost', $myhostname, and a map of the list domains. (select domain where domain = %s and transport = 'local') myhostname = mail.linuxunlimited.com mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domain_map.cf relay_domains with no relay_recipient_maps parameter? This is not the best way to handle this. What is? 
-- I have no way to determine the actual users on the relay domain... I'm not actually using any relay domains, now that I've moved the mailman lists to local... But theoretically, I could be a backup MX for someone. How do I create/manage a list of THEIR recipients... I was under the impression that I would NOT, just accept all and deliver to them, but I can see the flaw in that plan... Not planning on using this, at least not right now, so I may just turn it off (came with postfixadmin setup) smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, check_policy_service inet:127.0.0.1:10031, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_hostname, reject_rbl_client cbl.abuseat.org, reject_rbl_client list.dsbl.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client sbl.spamhaus.org, permit dsbl is dead and gone, you can combine the other lists into 1.. zen.spamhaus.org incorporates cbl.abuseat.org, njabl.org, sbl and also their pbl. (recommended and saves DNS query resources) yeah, that was copied from an old mail server, and I haven't gotten around to updating this part yet... one step at a time!!! grin Fixed now. I had read about zen, but had not dug into the details yet. transport_maps = proxy:mysql:/etc/postfix/mysql_transport_map.cf Is this trip really necessary? Not sure... I have dovecot, local, vacation, and potentially relay transports, loaded via postfixadmin/mysql. The dovecot domains are virtual, the mail list domains local, vacation and relay are special cases. How do I set the default transport to dovecot? virtual_gid_maps = static:2000 virtual_mailbox_base = /home/virtual virtual_uid_maps = static:2000 These options will be ignored after dovecot takes over. Yeah, right. But I started with a different virtual setup, so these are just leftovers. I can probably kill them.
All of the virtual_ maps point to mysql tables, but the relevant part (I think) is that the transport entry is virtual for most of them (some are set to mailman for mailing list domains, and I think maybe one is set to virtual for the autoreply function). No virtual_mailbox_domains? Good catch. I had actually defined the .cf file to look them up, but forgot to set this. Fixed now. And actually, the transports are now dovecot - that was the initial error that prompted my posting... It seems to me that the documentation was not clear and you tried to invent your own ways or followed a poor HOWTO. WORSE! I'm trying to follow about 10 howtos, since the docs are nowhere near clear enough (lots of theory, very little practical application, it seems!) And no one howto is doing exactly what I want. So, I'm trying to understand, and also to marry up
Re: Spam from hotmail servers - how to kill?
James Robertson wrote: Recently we noticed an increase in junk and discovered that it's coming from Hotmail (and to a lesser extent Yahoo). The problem is that these spammers are smarter than the average spammer. They don't spam flat out all the time (not to us anyway) and since the mail comes from hotmail's servers and they use a Hotmail address [EMAIL PROTECTED] then they get by Postfix and Spamassassin quite easily. I have not tested it but I would imagine greylisting would fail since hotmail's servers will do the normal thing and retry later (using same sender address etc). Most of what we have been getting is Drugs related junk so I increased the scores in Spamassassin accordingly which has helped but some still gets by based on different content in the messages and obviously if they change tactics and start doing weight loss etc then it will probably get in. We cannot block hotmail due to valid mail coming from there. Is there a way in Postfix that could filter out this junk somehow?
Below are some examples ## Microsoft Mail Internet Headers Version 2.0 Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713); Tue, 19 Aug 2008 23:59:42 +1000 Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.icfrith.com.au (Postfix) with ESMTP id DD64D2B959 for [EMAIL PROTECTED]; Tue, 19 Aug 2008 23:59:43 +1000 (EST) X-Virus-Scanned: Debian amavisd-new at icfrith.com.au X-Spam-Score: -0.144 X-Spam-Level: X-Spam-Status: No, score=-0.144 required=5.31 tests=[BAYES_00=-2.599, DCC_CHECK=2.17, DRUGS_ERECTILE=0.282, HTML_MESSAGE=0.001, ONLINE_PHARMACY=0.001, TVD_VISIT_PHARMA=0.001] Received: from mail.icfrith.com.au ([127.0.0.1]) by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLdoDGWcLqRX for [EMAIL PROTECTED]; Tue, 19 Aug 2008 23:59:40 +1000 (EST) Received: from blu0-omc3-s29.blu0.hotmail.com (blu0-omc3-s29.blu0.hotmail.com [65.55.116.104]) by mail.icfrith.com.au (Postfix) with ESMTP id 00ED62B905 for [EMAIL PROTECTED]; Tue, 19 Aug 2008 23:59:34 +1000 (EST) Received: from BLU135-W36 ([65.55.116.73]) by blu0-omc3-s29.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Aug 2008 06:59:27 -0700 Message-ID: [EMAIL PROTECTED] Content-Type: multipart/alternative; boundary=_605a643e-57e1-4566-b4f5-80149ef06c75_ X-Originating-IP: [68.97.155.25] From: Nancy Johnson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Back into the youth - only with Viagra Professional Date: Tue, 19 Aug 2008 13:59:26 + Importance: High MIME-Version: 1.0 X-OriginalArrivalTime: 19 Aug 2008 13:59:27.0695 (UTC) FILETIME=[CB5F55F0:01C90203] Return-Path: [EMAIL PROTECTED] --_605a643e-57e1-4566-b4f5-80149ef06c75_ Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable --_605a643e-57e1-4566-b4f5-80149ef06c75_ Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable 
--_605a643e-57e1-4566-b4f5-80149ef06c75_-- # Microsoft Mail Internet Headers Version 2.0 Received: from mail.icfrith.com.au ([XXX.XXX.XXX.XXX]) by icfmail1.icfrith.com.au with Microsoft SMTPSVC(5.0.2195.6713); Tue, 19 Aug 2008 20:55:59 +1000 Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.icfrith.com.au (Postfix) with ESMTP id 5A7AC2B961 for [EMAIL PROTECTED]; Tue, 19 Aug 2008 20:56:00 +1000 (EST) X-Virus-Scanned: Debian amavisd-new at icfrith.com.au X-Spam-Score: 1.728 X-Spam-Level: * X-Spam-Status: No, score=1.728 required=5.31 tests=[BAYES_50=0.001, DRUGS_ERECTILE=0.282, FB_CIALIS_LEO3=1.441, HTML_MESSAGE=0.001, SUBJECT_DRUG_GAP_C=0.003] Received: from mail.icfrith.com.au ([127.0.0.1]) by localhost (icfsydmxg-vm.icfrith.com.au [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFVqnG2CBkCi for [EMAIL PROTECTED]; Tue, 19 Aug 2008 20:55:52 +1000 (EST) Received: from blu0-omc2-s17.blu0.hotmail.com (blu0-omc2-s17.blu0.hotmail.com [65.55.111.92]) by mail.icfrith.com.au (Postfix) with ESMTP id 6700E2B905 for [EMAIL PROTECTED]; Tue, 19 Aug 2008 20:55:45 +1000 (EST) Received: from BLU118-W8 ([65.55.111.72]) by blu0-omc2-s17.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Aug 2008 03:55:42 -0700 Message-ID: [EMAIL PROTECTED] Content-Type: multipart/alternative; boundary=_de1e-6bd9-42f3-a8c2-16a3ba887632_ X-Originating-IP: [119.141.38.224] From: Nancy Taylor [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Amplify your sexual power with Soft Cialis. Date: Tue, 19 Aug 2008 10:55:42 + Importance: High MIME-Version: 1.0
RE: my networks exclusions not working?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris St Denis Sent: Tuesday, 9 September 2008 10:41 AM To: postfix-users@postfix.org Subject: my networks exclusions not working? I have the following mynetworks defined. Despite having 69.31.160.0/20 defined and !69.31.174.220 defined, I can still relay mail from 69.31.174.220 without smtp authentication. Why is this? Does order matter or is there another problem with my syntax? mynetworks = 69.31.160.0/20, [...] !69.31.174.220, Table lookups generally return the first match encountered, and since it's a trivial change, try putting the exclusion before the broader inclusion to see if that makes the difference. But I'm sure someone can give us the official word if that's not quite right.
Re: can send mail, but cannot receive (through ISP smtp)
On Tue, Sep 09, 2008 at 03:20:32AM +0300, Alex Bernea wrote: Hi all, I have set up Postfix 2.5.4 with TLS, Cyrus SASL and LDAP lookups for users. I tested it with openssl s_client command on ports 25, 465 and 587 and everything works (authentication and test emails). I use self signed CA certificates. I also tested sending mail on gmail, yahoo and other providers and it works, but when I reply back, nothing happens: no error in the logs, no mailer-daemon back to gmail or yahoo saying something is wrong. My IP is dynamic and I have set up a dynamic DNS for my test domain, test.lexarrow.com, with A and MX records for mail.test.lexarrow.com. I checked DNS settings with dig MX and dig A commands (they turn out ok) and with dnsstuff.com (everything turns out ok except the Mail section). You might want to permit port 25 through your firewall. $ dig +noall +ans +add -t mx test.lexarrow.com test.lexarrow.com. 3570 IN MX 10 mail.test.lexarrow.com. mail.test.lexarrow.com. 30 IN A 79.116.195.248 $ telnet 79.116.195.248 25 Trying 79.116.195.248... hangs -- Viktor.
Re: my networks exclusions not working?
Chris St Denis wrote:
> I have the following mynetworks defined. Despite having 69.31.160.0/20 defined and !69.31.174.220 defined, I can still relay mail from 69.31.174.220 without smtp authentication. Why is this? Does order matter or is there another problem with my syntax?

Yes, order matters; the exceptions must go first. See http://www.postfix.org/postconf.5.html#mynetworks which reads in part: "The list is matched left to right, and the search stops on the first match."

-- 
Noel Jones

> mynetworks = 69.31.160.0/20, 69.31.176.0/20, 69.67.160.0/20, 69.67.176.0/20,
>     207.102.197.0/24, 207.194.228.0/24, 207.194.229.0/24, 209.52.5.0/24,
>     209.52.15.0/24, 209.52.25.0/24, 209.52.26.0/24, 209.52.30.0/24,
>     !69.67.187.103, !69.67.187.113, !69.67.187.116, 209.87.128.0/20,
>     64.251.83.160/27, !69.31.165.146, !69.31.174.220, 206.12.31.0/24,
>     206.12.175.0/24, 207.102.30.0/24,
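The left-to-right, first-match rule Noel quotes is easy to check by hand. The following is an added example (not code from the thread or from Postfix) that models that rule with a small matcher and applies it to a constructed excerpt of the posted mynetworks list, in the original order and with the exclusions moved to the front:

```python
import ipaddress

# Added example (not code from the thread): a model of how Postfix scans a
# mynetworks list left to right and stops at the first match, so a "!"
# exclusion only takes effect if it appears before the network block that
# would otherwise match. The two lists below are constructed for the demo.


def parse_mynetworks(value):
    """Split a mynetworks value (comma or whitespace separated) into an
    ordered list of (negated, network) pairs; a bare address means /32."""
    entries = []
    for item in value.replace(",", " ").split():
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        entries.append((negated, net))
    return entries


def mynetworks_permits(value, client_ip):
    """True if client_ip would be treated as a trusted mynetworks client.

    First matching entry wins: a plain entry permits, a "!" entry excludes,
    and no match at all means the client is not in mynetworks."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr in net:
            return not negated
    return False


# Order as posted: the /20 that contains the host comes before its exclusion.
BROKEN = "69.31.160.0/20, 69.31.176.0/20, !69.31.165.146, !69.31.174.220"
# Exclusions moved in front of the block that contains them.
FIXED = "!69.31.165.146, !69.31.174.220, 69.31.160.0/20, 69.31.176.0/20"

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "69.31.174.220 trusted:",
              mynetworks_permits(value, "69.31.174.220"))
```

With the posted order the host is trusted (and may relay); with the exclusions first it is not, while its neighbours in the /20 still are.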
Re: can send mail, but cannot receive (through ISP smtp)
On Tue, Sep 9, 2008 at 4:18 AM, Victor Duchovni [EMAIL PROTECTED] wrote:
> On Tue, Sep 09, 2008 at 03:20:32AM +0300, Alex Bernea wrote:
>
>> Hi all,
>>
>> I have set up Postfix 2.5.4 with TLS, Cyrus SASL and LDAP lookups for users. I tested it with the openssl s_client command on ports 25, 465 and 587 and everything works (authentication and test emails). I use self-signed CA certificates. I also tested sending mail to gmail, yahoo and other providers and it works, but when I reply back, nothing happens: no error in the logs, no mailer-daemon back to gmail or yahoo saying something is wrong. My IP is dynamic and I have set up a dynamic DNS for my test domain, test.lexarrow.com, with A and MX records for mail.test.lexarrow.com. I checked DNS settings with dig MX and dig A commands (they turn out ok) and with dnsstuff.com (everything turns out ok except the Mail section).
>
> You might want to permit port 25 through your firewall.
>
> $ dig +noall +ans +add -t mx test.lexarrow.com
> test.lexarrow.com.      3570  IN  MX  10 mail.test.lexarrow.com.
> mail.test.lexarrow.com. 30    IN  A   79.116.195.248
> $ telnet 79.116.195.248 25
> Trying 79.116.195.248...
> hangs
>
> -- 
>         Viktor.

Thanks for the quick reply Viktor! I apologize for not mentioning the fact that my ISP blocks port 25. Seems to be both incoming and outgoing. They said it was just outgoing. I wrote them a mail to open the port, maybe I get lucky. Will post when I have news.

Alex
Re: Postfix crashing under load
On Mon, Sep 08, 2008 at 01:23:53PM -0400, Brian Evans - Postfix List wrote:

>> relay_recipient_maps = regexp:/etc/postfix/relay
>
> This looks potentially bad to me, but without knowing what is in that /etc/postfix/relay map, it's hard to judge.
>
>> relayhost = [redacted-trap]
>> smtpd_recipient_restrictions =
>>     check_policy_service inet:[127.0.0.1]:2025
>>     check_sender_access hash:/etc/postfix/sender_access
>>     check_client_access hash:/etc/postfix/aol_server_rejects
>>     check_client_access hash:/etc/postfix/dnswl_rejects
>>     check_client_access hash:/etc/postfix/whitelisted_clients
>>     check_recipient_access hash:/etc/postfix/recipient_access
>>     reject_invalid_hostname
>>     reject_unknown_hostname
>>     reject_rbl_client cbl.abuseat.org
>>     reject_rbl_client dnsbl.sorbs.net
>>     reject_rbl_client aspews.ext.sorbs.net
>>     reject_unauth_destination
>
> This is a potential open relay.

Nah, it's sending mail to exactly the correct servers. There's a reason for this host to have a relayhost setting, and for me to redact it. Look at the name of the relayhost :P

> If check_sender_access or check_recipient_access returns an OK, then it is. They should return permit_auth_destination for the simple fact that they are easily forged.
>
> Easy fix: move reject_unauth_destination to the first position

That would just increase the amount of mail the relayhost needs to process for no appreciable benefit.

Devdas Bhagat
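Brian's point about access maps that return OK ahead of reject_unauth_destination can be shown with a small model of restriction evaluation. This is an added example (not code from the thread or from Postfix); the domains and access-map contents are constructed, and only the three restriction types involved in the argument are modelled:

```python
# Added example (not code from the thread): a simplified model of how Postfix
# evaluates smtpd_recipient_restrictions, to show why an access map entry that
# returns OK ahead of reject_unauth_destination lets a forged sender relay, and
# why a permit_auth_destination entry does not. Domains and map contents are
# constructed for the demonstration; real Postfix has more result types.

AUTH_DOMAINS = {"example.com"}  # constructed: domains we accept mail for


def domain(address):
    return address.rsplit("@", 1)[1]


def permit_auth_destination(_map, _sender, recipient):
    return "PERMIT" if domain(recipient) in AUTH_DOMAINS else "DUNNO"


def reject_unauth_destination(_map, _sender, recipient):
    return "REJECT" if domain(recipient) not in AUTH_DOMAINS else "DUNNO"


def check_sender_access(access_map, sender, recipient):
    """Look up the sender domain: OK permits outright, permit_auth_destination
    permits only when the recipient is ours, a missing entry is DUNNO."""
    action = access_map.get(domain(sender))
    if action == "OK":
        return "PERMIT"
    if action == "permit_auth_destination":
        return permit_auth_destination(access_map, sender, recipient)
    return "DUNNO"


def evaluate(restrictions, access_map, sender, recipient):
    """The first restriction that does not return DUNNO decides; reaching the
    end of the list is an implicit permit."""
    for restriction in restrictions:
        verdict = restriction(access_map, sender, recipient)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"


def relays(restrictions, access_map, sender, recipient):
    """True if a message from sender to recipient would be accepted."""
    return evaluate(restrictions, access_map, sender, recipient) == "PERMIT"


POSTED = [check_sender_access, reject_unauth_destination]  # order in the thread
FIXED = [reject_unauth_destination, check_sender_access]   # suggested fix
OK_MAP = {"partner.example": "OK"}                          # forgeable whitelist
SAFE_MAP = {"partner.example": "permit_auth_destination"}   # Brian's alternative
```

With OK_MAP and the posted order, a forged partner.example sender can relay to any outside recipient; with SAFE_MAP, or with reject_unauth_destination first, the same message is rejected while legitimate mail to example.com still gets through.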
Re: Postfix crashing under load
On Mon, Sep 08, 2008 at 03:27:31PM -0400, Wietse Venema wrote:
> Devdas Bhagat:
>> The last error messages I get are these:
>>
>> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[7998]: warning: problem talking to service private/scache: Connection timed out
>> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[20375]: warning: problem talking to service private/scache: Connection timed out
>> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[7960]: warning: problem talking to service private/scache: Connection timed out
>> Sep  8 13:54:37 jaundiced-outlook postfix/smtp[17618]: warning: problem talking to service private/scache: Connection timed out
>> [snip about 600 similar lines about this problem]
>> Sep  8 14:10:56 jaundiced-outlook postfix/master[11125]: fatal: watchdog timeout
>> Sep  8 14:10:56 jaundiced-outlook postfix/qmgr[13568]: fatal: watchdog timeout
>
> I think that the kernel is running out of steam. Try reducing the concurrency.
>
> The master daemon triggers qmgr and pickup regularly. That trigger write is non-blocking with a timeout of 1, so it cannot block the master daemon. Except of course when the kernel is messed up.

Hmm, this is Linux 2.6.9-67.0.1.EL #1 Fri Nov 30 11:41:37 EST 2007 x86_64 x86_64 x86_64 GNU/Linux on a RHEL 4 box. I'll lower the concurrency and see if the system stabilizes.

Devdas Bhagat