Re: smtps:,Servname not supported for ai_socktype

2008-09-22 Thread mouss

J. Bakshi wrote:

J. Bakshi wrote:

mouss wrote:
  

J. Bakshi wrote:


Dear list,

I get an error like  postfix/master[18801]: fatal: 127.0.0.1:smtps:
Servname not supported for ai_socktype
below is my main.cf of postfix. Could any one give me a clue ?

  

what does
# grep smtps /etc/services
return?



Good morning mouss,
Thanks for your kind reply.
Here is grep smtps /etc/services of my server


  


Sorry for my previous *incomplete* post but it was sent by mistake.
The /etc/services didn't have any smtps entry. 


that was it. postfix couldn't know what port to use for smtps (ports are 
not hardcoded).



Hence I added as below

~~~
#smtps   465/tcp# eMail Server
smtps   465/tcp
~~~

Now I don't have the smtps:,Servname not supported for ai_socktype
error :-)
but when using smtps I got can't connect to smtp server :-(


what do you mean? you can't connect to smtps? please be explicit and 
describe exactly what is happening.



I'm looking into it so that I can collect the error messages from log.
In between if you give me any hints it would be really helpful. Once I
check and collect logs I'll come back to the list.



- restart postfix
- check that postfix is listening on port 465. use netstat, lsof, ...
- check that no firewall prevents access
- check postfix logs
- read
http://www.postfix.org/TLS_README.html




Re: distribution lists.

2008-09-22 Thread Mauro Sanna
 Almost. You should probably still have at least one domain listed, that
 is used for the right-hand-side of aliases where the target should be a
 local delivery. One approach is to use:
 
 main.cf:
   mydestination = local.invalid
 
   smtpd_sender_restrictions = 
   check_sender_access regexp:/etc/postfix/reject_invalid
   check_recipient_access regexp:/etc/postfix/reject_invalid
 

I put all checks in smtpd_recipient_restrictions.
Is it the same?



Re: Altermime

2008-09-22 Thread John

Paul Cocker [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
Does anyone have any experience with Altermime? The official mailing
list page appears to be dead, but it strikes me as likely that several
postfix users may have experience with the app.

I know the postfix page discourages footers via the MTA, but alas the UK
has laws which require company numbers and registered addresses attached
to all communications, and managing a legal issue from the client side
is impractical, so here I go.

Unfortunately, while I was able to dig up some information on linking
altermime to postfix, the script only detailed how to do this for
specific e-mail addresses, where as I (and I'm betting most people who
do this) need it for all outgoing e-mail. At the same time I don't want
altermime to attach the footer to incoming e-mail.

Here's the instructions I found.

http://www.howtoforge.com/add-disclaimers-to-outgoing-emails-with-altermime-postfix-debian-etch

I lack the scripting skills necessary to modify the setup. Help is much
appreciated.

I am working on CentOS 5.2 and have installed altermime 3.7 from
rpmforge.

Paul Cocker


st is the trading name for TNT Post UK Ltd (company number: 04417047), TNT 
Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT 
Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post 
Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's 
Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and 
Baby) Ltd (02556692). All companies are registered in England and Wales; 
registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, 
Buckinghamshire, SL7 1HY.

Hello Paul,

Yes, we have used Altermime for quite some time now, but it has some quirks.
Initially we started a similar way as described in the howto you mentioned. 
But we encountered the following problems:
-Adding disclaimer in a formatted html page failed.
-In some webmail clients (like Hotmail) the inserted footer shows incorrect 
line breaks. (I'm NOT trying to start a discussion on who is RFC 
compliant and who is NOT, just an observation...)

It looks like Altermime has problems correctly MIME encoding the message 
again.
The solution for us was to use the already used Amavisd-new to call Altermime 
in a policy bank, letting Amavisd-new be responsible for decoding / encoding 
the message. From then on it worked as expected. The Amavisd-new policy bank / 
Altermime solution provides the possibility to use different policy banks 
(and different disclaimers) for different mail directions. Just create a new 
policy bank and a new Postfix filter.
For this to work, you should use a reasonably new Amavisd-new.

Create your /etc/altermime/disclaimer.htm and /etc/altermime/disclaimer.txt 
files

Amavisd-new config:

-- amavisd.conf piece implementation sample

[EMAIL PROTECTED] = ( [.$mydomain] );
[EMAIL PROTECTED] = ( [ .$mydomain, '.domain1.com', '.domain2.com', 
'.domain1.com' ], read_hash(/etc/postfix/maps/relay_domains) );
@local_domains_maps = read_hash(\%local_domains, 
'/etc/postfix/maps/relay_domains');

$altermime = '/usr/bin/altermime';
@altermime_args_disclaimer =
qw(--verbose --disclaimer-html=/etc/altermime/disclaimer.htm 
--disclaimer=/etc/altermime/disclaimer.txt);
$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];


@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );


$inet_socket_port = [10024, 10026];   # listen on this local TCP port(s) (see $protocol)
$interface_policy{'10026'} = 'OUTGOING_FILTER';

$policy_bank{'OUTGOING_FILTER'} = {  # mail originating from the Internal network
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  bypass_spam_checks_maps   => [1],  # don't spam-check outgoing mail
  bypass_banned_checks_maps => [1],  # don't banned-check outgoing mail
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  virus_admin_maps => [[EMAIL PROTECTED]],
  spam_admin_maps  => [[EMAIL PROTECTED]],
  warnbadhsender   => 1,
#  # forward to a smtpd service providing DKIM signing service
#  forward_method => 'smtp:[127.0.0.1]:10027',
#  force MTA conversion to 7-bit (e.g. before DKIM signing)
   smtpd_discard_ehlo_keywords => ['8BITMIME'],
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
  forward_method => 'smtp:[127.0.0.1]:10025', # forward to 10027
# Forward to 10027, and make smtpd instance in master.cf, if you want to stack other non amavisd-new (policy) filters
};

In Postfix, you have to create a filter trigger, so forward mail coming from 
your internal network to be redirected to the amavisd-new instance created 
for your disclaimer.

create a file /etc/postfix/outgoing_filter_check, and replace 192.168 with 
your internal network
192.168 FILTER smtp:[127.0.0.1]:10026
create a map file of 

Re: Race in simplest after-queue content filter?

2008-09-22 Thread Victor Duchovni
On Sat, Sep 20, 2008 at 11:45:55PM -0500, Karl O. Pinc wrote:

 Ok.  What does it mean when the external
 command run by spawn receives an EOF on STDIN?

The client disconnected, and it should be treated as though QUIT were sent.
You don't need to respond with 221 Ok, just exit.

 This time the second recipient, not the first
 as in the previously supplied traffic captures, does not get
 the QUIT command.  Instead the Postfix smtp command
 closes the connection.  You can see this stream in packets 19-36.

When connections time out from the connection cache without re-use
(2 second timer by default), they are closed with no QUIT.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: smtps:,Servname not supported for ai_socktype

2008-09-22 Thread mouss

J. Bakshi wrote:


The mail.warn log provides a message
postfix/master[1912]: warning: /usr/lib/postfix/smtpd: bad command
startup -- throttling



check your logs. there are other logs before this one.


Re: Big Distribution List

2008-09-22 Thread Victor Duchovni
On Mon, Sep 22, 2008 at 09:08:55AM -0300, jakjr wrote:

 Hi Guys,
 
 I have one big distribution list (100K emails). I'm using virtual_alias_maps
 for that like this:
 
 virtual_alias_maps = hash:/etc/postfix/virtual
 
 where virtual:
 [EMAIL PROTECTED]
   [EMAIL PROTECTED],
   .
   [EMAIL PROTECTED]

By default Postfix truncates virtual(5) expansion at 1000 recipients.
For lists this large you MUST not use virtual(5), rather use a :include:
valued local alias, AND set an owner-list alias to make sure that
bounces are NOT sent to the sender.

-- 
Viktor.



Re: smtps:,Servname not supported for ai_socktype

2008-09-22 Thread Brian Evans - Postfix List
J. Bakshi wrote:
 Hello mouss,

 Thanks for your kind help. I am now in a position to give you some
 really good news. When I was looking close to my logs and got the error
 can not connect to port 25 then your mail arrived and enlighten me.

 I have modified my main.cf as below
 #inet_interfaces = localhost

 then the master.cf as below
 smtp  inet  n   -   n   -   -   smtpd
 submission inet n  -   n   -   -   smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
 smtps inet  n   -   n   -   -   smtpd -o
 smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable
   

This is incorrect.  One -o for each option you wish to change.
smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes 

(but since you have the last option in main.cf.. what's the point)?


 The good news is after restarting the postfix the mail server is
 collecting the emails from the net.

 The unsolved one is smtps is still not working. I have tried the either
 way too as you suggested to use TLS but both the cases it says can't
 connect to the smtp server.
   

Why try to use the archaic and obsolete smtps port when you already have
TLS on port 25?
Most modern clients will support TLS on any port if you ask it to look.

 The mail.warn log provides a message
 postfix/master[1912]: warning: /usr/lib/postfix/smtpd: bad command
 startup -- throttling
   
See above.

Brian
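
Both failures in this thread (a service name missing from /etc/services, and override parameters that do not each carry their own -o) can be caught before Postfix is restarted. The following is an added example, not code from the thread or from Postfix: the sample services and master.cf text are constructed from the lines quoted above, the finding labels are made up for this sketch, and only the classic `-o name=value` form is recognised.

```python
import re

# Constructed inputs modelled on the lines quoted in this thread.
SERVICES_TEXT = """\
smtp         25/tcp    mail
submission   587/tcp
#smtps       465/tcp   # commented out, so it does not count
"""

MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd -o
  smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable
"""

# A bare word that looks like a main.cf parameter, with or without "=value".
PARAM_LIKE = re.compile(r"^[a-z][a-z0-9]*(_[a-z0-9]+)+(=.*)?$")
# Daemons whose arguments are legitimately name=value without -o.
NAME_VALUE_DAEMONS = {"pipe", "spawn"}


def parse_services(text):
    """Parse services(5) text into {(name, proto): port}, aliases included."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:
                table[(name, proto)] = int(port)
    return table


def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def lint_master_cf(master_text, services):
    """Return (service, finding) tuples for the two mistakes in this thread."""
    findings = []
    for entry in logical_lines(master_text):
        fields = entry.split()
        if len(fields) < 8:
            findings.append((fields[0], "short-entry"))
            continue
        service, stype, command, args = fields[0], fields[1], fields[7], fields[8:]
        if stype == "inet":
            port = service.rsplit(":", 1)[-1]      # "127.0.0.1:smtps" -> "smtps"
            if not port.isdigit() and (port, "tcp") not in services:
                findings.append((service, "unknown-service:" + port))
        if command in NAME_VALUE_DAEMONS:
            continue
        i = 0
        while i < len(args):
            if args[i] == "-o":
                # -o must be followed by exactly one name=value word.
                value = args[i + 1] if i + 1 < len(args) else ""
                if "=" not in value:
                    findings.append((service, "bad-override:" + value))
                i += 2
            else:
                # A parameter-looking word with no -o in front of it.
                if PARAM_LIKE.match(args[i]):
                    findings.append((service, "missing-o:" + args[i]))
                i += 1
    return findings


if __name__ == "__main__":
    for service, finding in lint_master_cf(MASTER_CF, parse_services(SERVICES_TEXT)):
        print(service, finding)
```
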



Re: Big Distribution List

2008-09-22 Thread Jason Pruim


On Sep 22, 2008, at 8:08 AM, jakjr wrote:


Hi Guys,

I have one big distribution list (100K emails). I'm using  
virtual_alias_maps for that like this:


virtual_alias_maps = hash:/etc/postfix/virtual

where virtual:
[EMAIL PROTECTED]
  [EMAIL PROTECTED],
  .
  [EMAIL PROTECTED]

Everything is working fine, but when I send an email to this  
distribution list, the postfix cleanup process takes 1 hour to finish.


I know this process is responsible for the checks, including expand  
the virtual address, but, is there a way to speed up this process ?



Is there any reason you are not using a mailing list manager program  
such as mailman or ezmlm?


It seems to me, that a list that size would be perfectly suited for a  
full blown mailing list manager..


But that's just me.


--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]






Re: Big Distribution List

2008-09-22 Thread Charles Marcus
On 9/22/2008, Victor Duchovni ([EMAIL PROTECTED]) wrote:
 By default Postfix truncates virtual(5) expansion at 1000 recipients.
 For lists this large you MUST not use virtual(5), rather use a :include:
 valued local alias, AND set an owner-list alias to make sure that
 bounces are NOT sent to the sender.

Or better, use a real mail list server like mailman...

-- 

Best regards,

Charles


Re: Altermime

2008-09-22 Thread mouss

Paul Cocker wrote:

Does anyone have any experience with Altermime? The official mailing
list page appears to be dead, but it strikes me as likely that several
postfix users may have experience with the app.
 
I know the postfix page discourages footers via the MTA, but alas the UK

has laws which require company numbers and registered addresses attached
to all communications, and managing a legal issue from the client side
is impractical, so here I go.


did you ask a lawyer or did you interpret the law yourself?

try header_checks:

/^Subject:/  PREPEND X-DISCLAIMER: this blah and blah. see 
http://www.example.com/mail/disclaimer.html




 
Unfortunately, while I was able to dig up some information on linking

altermime to postfix, the script only detailed how to do this for
specific e-mail addresses, where as I (and I'm betting most people who
do this) need it for all outgoing e-mail. At the same time I don't want
altermime to attach the footer to incoming e-mail.



the easy way is to use different content filters for inbound and 
outbound mail. check the FILTER statement in access. but beware, this 
needs some efforts.


 
Here's the instructions I found.
 
http://www.howtoforge.com/add-disclaimers-to-outgoing-emails-with-altermime-postfix-debian-etch
 
I lack the scripting skills necessary to modify the setup. Help is much

appreciated.

I am working on CentOS 5.2 and have installed altermime 3.7 from
rpmforge.

Paul Cocker









Re: Client Trouble with SASL AUTH

2008-09-22 Thread Drew Tomlinson

Victor Duchovni wrote:

On Sun, Sep 21, 2008 at 01:19:05PM +0200, Patrick Ben Koetter wrote:

  
Thank you both so much for your help.  This was the problem - well, part  
of it anyway.  After setting the above, I could see that authentication  
was failing.  I could also see that Postfix was choosing CRAM-MD5.  I  
knew from prior testing that method failed interactively as well.  Thus  
I set smtp_sasl_mechanism_filter = !CRAM-MD5.  Then I started getting  
errors about ...no available mech  Next I found  
smtp_sasl_security_options included noplaintext and noanonymous by  
default.  Thus I set it to noanonymous to allow plaintext.  I still  
got the ...no available mech... message.  Well I knew from prior  
testing that PLAIN did work, thus I set smtp_sasl_mechanism_filter =  
PLAIN.  SUCCESS!!!


But for my own curiosity, why did not Postfix find PLAIN on its own?   
Why did I have to set it specifically?  I would have thought that  
setting !CRAM-MD5 would have been enough.
  

Choosing the mechanism is not done by Postfix, but by the Cyrus SASL library
libsasl, linked into the Postfix smtp client.



No, this is not entirely accurate. The smtp_sasl_mechanism_filter
feature is implemented entirely in Postfix. When you specify a non-empty
filter, only mechanisms that *match* the filter are passed to the SASL
library.

The match list !CRAM-MD5 does not match anything. To match all the
remaining values one needs:

smtp_sasl_mechanism_filter = !CRAM-MD5 static:all
  

Thank you!  This works.

Cheers,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse

http://www.alchemistswarehouse.com
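
The match-list behaviour described in this message, as an added example that is not part of the original post and is not Postfix code: a simplified first-match-wins model in which a `!pattern` hit excludes, a plain hit includes, `static:` matches every name, and falling off the end of the list means no match. The LOGIN entry in the offered list and the case-insensitive comparison are assumptions of the sketch.

```python
def match_list(patterns, name):
    """First matching pattern decides; no matching pattern means 'no match'."""
    for pattern in patterns:
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if pattern.startswith("static:"):
            hit = True                      # a static: table answers for any key
        else:
            hit = pattern.lower() == name.lower()
        if hit:
            return not negate               # "!X" matched: excluded; "X" matched: included
    return False                            # end of list: nothing matched


def filter_mechanisms(offered, filter_spec):
    """Return the mechanisms that would be handed on to the SASL library."""
    patterns = filter_spec.replace(",", " ").split()
    if not patterns:
        return list(offered)                # empty filter: nothing is filtered out
    return [mech for mech in offered if match_list(patterns, mech)]


# Constructed list of mechanisms offered by the remote server.
OFFERED = ["CRAM-MD5", "PLAIN", "LOGIN"]

if __name__ == "__main__":
    for spec in ("", "!CRAM-MD5", "!CRAM-MD5 static:all", "PLAIN"):
        print(repr(spec), "->", filter_mechanisms(OFFERED, spec))
```
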



Re: distribution lists.

2008-09-22 Thread mouss

Mauro Sanna wrote:
Not really. an OK in smtpd_sender_restrictions does not skip 
smtpd_recipient_restrictions. In particular, it doesn't make you an open 
relay.


If it doesn't skip so why not put directly in
smtpd_recipient_restrictions?



this is an anti-question. if you put it under 
smtpd_recipient_restrictions and the check has an OK (something that may 
happen one day or another), then it will skip other checks. which is not 
what you want. so you don't put it there.


In your case, you want to reject invalid senders. someday, you may want 
to change this to allow for few exceptions. if you put this under 
smtpd_sender_restrictions, you can simply use OK. if you put this 
under smtpd_recipient_restrictions, you can't (you don't want to skip 
other checks) so you can only use DUNNO which is less flexible (dunno 
will not skip the following checks, even in a single restriction class).
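
The difference between OK and DUNNO described above, as an added example that is not part of the original post and is not Postfix code: a simplified model in which each restriction list is evaluated in turn, REJECT ends everything, OK ends only the current list, and DUNNO moves on to the next check. Addresses, domains and the exception table are constructed.

```python
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}          # constructed: domains this server accepts mail for


def check_sender_access(table):
    """Build a check that looks the envelope sender up in an access table."""
    def check(msg):
        return table.get(msg["sender"], DUNNO)
    return check


def permit_mynetworks(msg):
    addr = ipaddress.ip_address(msg["client"])
    return OK if any(addr in net for net in MYNETWORKS) else DUNNO


def reject_unauth_destination(msg):
    domain = msg["rcpt"].rsplit("@", 1)[-1]
    return DUNNO if domain in LOCAL_DOMAINS else REJECT


def evaluate(restriction_lists, msg):
    """Walk the lists in order; OK skips the rest of one list, not the next list."""
    for checks in restriction_lists:
        for check in checks:
            result = check(msg)
            if result == REJECT:
                return REJECT
            if result == OK:
                break                    # remaining checks in THIS list are skipped
    return OK


# Constructed message: outside client, excepted sender, recipient in a foreign domain.
MSG = {"client": "203.0.113.7",
       "sender": "notify@intranet.example",
       "rcpt": "user@elsewhere.example"}

exception_ok = check_sender_access({"notify@intranet.example": OK})
exception_dunno = check_sender_access({"notify@intranet.example": DUNNO})

# Exception under smtpd_sender_restrictions: recipient checks still run.
IN_SENDER_LIST = [[exception_ok],
                  [permit_mynetworks, reject_unauth_destination]]
# Exception with OK at the top of smtpd_recipient_restrictions: relay check is skipped.
IN_RECIPIENT_LIST_OK = [[exception_ok, permit_mynetworks, reject_unauth_destination]]
# Same position, but DUNNO: the relay check still runs.
IN_RECIPIENT_LIST_DUNNO = [[exception_dunno, permit_mynetworks, reject_unauth_destination]]

if __name__ == "__main__":
    print("sender list, OK      :", evaluate(IN_SENDER_LIST, MSG))
    print("recipient list, OK   :", evaluate(IN_RECIPIENT_LIST_OK, MSG))
    print("recipient list, DUNNO:", evaluate(IN_RECIPIENT_LIST_DUNNO, MSG))
```
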


Re: Creating exceptions

2008-09-22 Thread mouss

Eduardo Júnior wrote:

Hi all,



I have in my smtpd_sender_restrictions policy with the rule
reject_unknown_sender_domain active.

However, e-mail notification of other internal servers, which does not have
a valid domain are being blocked.

Therefore, I want create exceptions for those domains nonexistent, but they
are internal.
Something to do with check_sender_access?





add the servers to mynetworks.


Re: failover for check_policy_service

2008-09-22 Thread J . Thomsen
Wietse, 


If we don't care that Postfix handles mail correctly, why go through
the trouble of setting up an SQL database in the first place?

Things do not always come as one-bit on/off issues.

E.g. my ISP has an option of delivering a guaranteed 2Mbit ADSL line, but if
the capacity falls to 1.98 Mbit it will be taken offline until somebody fixes
it. I will be offline for some hours/days/weeks !

The other option is a 2Mbit line with best effort i.e. if capacity falls down
to 1.5 Mbit somebody will eventually fix it, but I am still up and running at
a slower pace.

So it is with the various SPAM-fighting tools. The best thing is to have them
operational all the time, but if one fails, it is still a better to have your
legitimate mail delivered with some added SPAM, than not having it delivered
until somebody fixes the failing component.

This is the rationale behind an optional 'dunno if failing' on
check_policy_service components. 

- Jørgen Thomsen



Re: How can I debug a timing out milter

2008-09-22 Thread ram

On Mon, 2008-09-22 at 08:08 -0400, Wietse Venema wrote:
 ram:
  I have implemented a custom whitelist/blacklist with a milter.  This
  milter has been working smoothly for a nearly 2 years now on multiple
  machines
  
   But now On 1 machine even if the load is very low and there is ample
  free memory once the number of smtpd processes reaches 300 ( I have set
  limit to 650 ) some milter processes start timing out. Some smtp
  connections only are affected most still go thru 
 
 All Postfix SMTP servers connect to the same milter process. This
 means that the milter can see hundreds of concurrent connections
 from Postfix at the same time.
 
 Apparently, some milters stop working properly under conditions of
 high concurrency.  Perhaps you can configure the milter to reserve
 space for more.
 
My machine has enough memory. Is that what is meant by space 

How do I reserve space for more milters. I  have been STFW-ing but
with no results


My milter is quite simple. It just does a bsearch on an in-memory array,
to find if the recipient has blacklisted / whitelisted the sender and
takes action accordingly 

The array now has approx 200k elements, which should be nothing for
4GB RAM box 

Thanks
Ram





RE: [SPAM?] Re: Altermime

2008-09-22 Thread Paul Cocker
 
This is as handed down by our lawyer.

Paul Cocker

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mouss
Sent: 22 September 2008 14:38
Cc: postfix-users@postfix.org
Subject: [SPAM?] Re: Altermime
Importance: Low

Paul Cocker wrote:
 Does anyone have any experience with Altermime? The official mailing 
 list page appears to be dead, but it strikes me as likely that several

 postfix users may have experience with the app.
  
 I know the postfix page discourages footers via the MTA, but alas the 
 UK has laws which require company numbers and registered addresses 
 attached to all communications, and managing a legal issue from the 
 client side is impractical, so here I go.

did you ask a lawyer or did you interpret the law yourself?






Re: [SPAM?] Re: Altermime

2008-09-22 Thread mouss

Paul Cocker wrote:
 
This is as handed down by our lawyer.





now you may ask him/her if it's ok to put the disclaimer in headers, 
knowing that headers travel along with the body.


putting the disclaimer in headers has some advantages:
- generally doesn't break signed mail
- less risks to break mime messages
- in the case of broken mime (unfortunately, this exists), you don't 
want to put your hands in. you prefer to pass this as is to whatever 
MUA the recipient uses.



if you can't use headers, then the best you can do is configure the MUAs 
 (unfortunately, there is no centralized way to do this) to add the 
disclaimer as a signature. This way, you still don't interfere with mime 
and don't break signatures.


if you have no choice but altermime, separate inbound and outbound flow. 
you can use something like


smtpd_client_restrictions =
check_client_access pcre:/etc/postfix/filter_outbound
permit_mynetworks
permit_sasl_authenticated
check_client_access pcre:/etc/postfix/filter_inbound

== filter_outbound
/./ FILTER filter:[127.0.0.1]:10586

== filter_inbound
/./ FILTER filter:[127.0.0.1]:10024

so you use different content filters. and you can then add altermime to 
the outbound flow only.







some questions about my postfix config

2008-09-22 Thread David Ballano
Hello people,

I have some questions for you,

I configured postfix with virtual domains and unix accounts, also I
configured sasl2 with pam (saslauthd) and tls with my own keys.

all seems to work, but there are some questions I can't find.


- where can I see what type of mech I'm using to authenticate? I
think it is plain but..

also when I sent an email to  my server (unix account ) I can see that (
using outlook to send an email to my server.)

Sep 22 13:51:55 orion postfix/smtpd[9636]: connect from unknown[84.78.228.193]
Sep 22 13:51:55 orion postfix/smtpd[9636]: setting up TLS connection
from unknown[84.78.228.193]
Sep 22 13:51:56 orion postfix/smtpd[9636]: TLS connection established
from unknown[84.78.228.193]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep 22 13:51:57 orion postfix/smtpd[9636]: warning: SASL
authentication failure: incorrect NTLM response
Sep 22 13:51:57 orion postfix/smtpd[9636]: warning:
unknown[84.78.228.193]: SASL NTLM authentication failed:
authentication failure
Sep 22 13:51:58 orion postfix/smtpd[9636]: 1D38F27B8089:
client=unknown[84.78.228.193], sasl_method=NTLM,
[EMAIL PROTECTED]
Sep 22 13:51:58 orion postfix/cleanup[9643]: 1D38F27B8089:
message-id=[EMAIL PROTECTED]
Sep 22 13:51:58 orion postfix/qmgr[30190]: 1D38F27B8089:
from=[EMAIL PROTECTED], size=1532, nrcpt=1 (queue active)
Sep 22 13:51:58 orion postfix/local[9644]: 1D38F27B8089:
to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED],
relay=local, delay=0.92, delays=0.92/0/0/0.01, dsn=2.0.0, status=sent
(delivered to mailbox)
Sep 22 13:51:58 orion postfix/qmgr[30190]: 1D38F27B8089: removed
Sep 22 13:51:59 orion postfix/smtpd[9636]: disconnect from
unknown[84.78.228.193]

there are some things that I can't understand

warning: unknown[84.78.228.193]: SASL NTLM authentication failed:
authentication failure

why failed? but it works.

1D38F27B8089: to=[EMAIL PROTECTED],
orig_to=[EMAIL PROTECTED], relay=local, delay=0.92,
delays=0.92/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)

why to: is different from orig_to, is because the account is local??

is all of that normal?


here you have  my postconf -n

orion:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = orion.ballano.net, localhost.ballano.net, localhost
myhostname = orion.ballano.net
mynetworks = 127.0.0.0/8
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP (Microsoft Exchange)
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = ballano.net
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cert.pem
smtpd_tls_key_file = /etc/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
virtual_alias_domains = ballano.net
virtual_alias_maps = hash:/etc/postfix/virtual

and what I see if I connect through telnet

220 orion.ballano.net ESMTP (Microsoft Exchange)
ehlo ballano.net
250-orion.ballano.net
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


Fwd: some questions about my postfix config

2008-09-22 Thread David Ballano
sorry I didn't say thanks for your help!!!
:)



Re: How can I debug a timing out milter

2008-09-22 Thread Wietse Venema
ram:
 My milter is quite simple. It just does a bsearch on an in-memory array,
 to find if the recipient has blacklisted / whitelisted the sender and
 takes action accordingly 
 
 The array now has approx 200k elements, which should be nothing for
 4GB RAM box 

What measures did you take to avoid errors (race conditions,
deadlock, etc.) due to concurrent access to this data structure?

Wietse




Re: some questions about my postfix config

2008-09-22 Thread Noel Jones

David Ballano wrote:


- where can I see what type of mech I'm using to authenticate? I
think it is plain but..

also when I sent an email to  my server (unix account ) I can see that (
using outlook to send an email to my server.)

Sep 22 13:51:55 orion postfix/smtpd[9636]: connect from unknown[84.78.228.193]
Sep 22 13:51:55 orion postfix/smtpd[9636]: setting up TLS connection
from unknown[84.78.228.193]
Sep 22 13:51:56 orion postfix/smtpd[9636]: TLS connection established
from unknown[84.78.228.193]: TLSv1 with cipher RC4-MD5 (128/128 bits)


TLS connection established.


Sep 22 13:51:57 orion postfix/smtpd[9636]: warning: SASL
authentication failure: incorrect NTLM response


auth NTLM failed.


Sep 22 13:51:57 orion postfix/smtpd[9636]: warning:
unknown[84.78.228.193]: SASL NTLM authentication failed:
authentication failure


AUTH NTLM failed again.


Sep 22 13:51:58 orion postfix/smtpd[9636]: 1D38F27B8089:
client=unknown[84.78.228.193], sasl_method=NTLM,
[EMAIL PROTECTED]


AUTH NTLM succeeded.
No, I don't know why it failed before it worked, but it did 
work eventually.

If you're curious what the client sent, get a network capture.

sasl_method=NTLM shows the authentication mech used.
[EMAIL PROTECTED] shows the username used.
The existence of these entries proves that AUTH was successful.



Sep 22 13:51:58 orion postfix/local[9644]: 1D38F27B8089:
to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED],
relay=local, delay=0.92, delays=0.92/0/0/0.01, dsn=2.0.0, status=sent
(delivered to mailbox)


This is reasonable, but maybe not what you intended.
Probably a virtual_alias_maps entry causes the recipient to be 
rewritten.  You can add -v to the master.cf cleanup service 
to see what rewrites the address.  Or just look in your 
virtual table.



here you have  my postconf -n

orion:~# postconf -n
mailbox_size_limit = 0


This is unwise.  Set some kind of limit.


mydestination = orion.ballano.net, localhost.ballano.net, localhost
myhostname = orion.ballano.net
mynetworks = 127.0.0.0/8
smtpd_banner = $myhostname ESMTP (Microsoft Exchange)


This won't fool anyone.  But if it makes you feel better, OK.

--
Noel Jones
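
The log reading walked through in this reply (TLS parameters, failed AUTH attempts, then the `sasl_method=` entry that proves success) can be automated per client address. This is an added example, not code from the thread; the sample lines are constructed in the same format, and the host name, addresses and user name in them are made up.

```python
import re
from collections import Counter

# Constructed sample in the format of the excerpt above; host name,
# addresses, queue ID and user name are made up.
SAMPLE_LOG = """\
Sep 22 13:51:55 mx postfix/smtpd[9636]: connect from unknown[192.0.2.10]
Sep 22 13:51:56 mx postfix/smtpd[9636]: TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep 22 13:51:57 mx postfix/smtpd[9636]: warning: SASL authentication failure: incorrect NTLM response
Sep 22 13:51:57 mx postfix/smtpd[9636]: warning: unknown[192.0.2.10]: SASL NTLM authentication failed: authentication failure
Sep 22 13:51:58 mx postfix/smtpd[9636]: 1D38F27B8089: client=unknown[192.0.2.10], sasl_method=NTLM, sasl_username=david
Sep 22 13:52:10 mx postfix/smtpd[9701]: connect from unknown[198.51.100.7]
Sep 22 13:52:11 mx postfix/smtpd[9701]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 22 13:52:12 mx postfix/smtpd[9701]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

TLS = re.compile(r"TLS connection established from \S+\[([^\]]+)\]: (\S+) with cipher (\S+)")
FAILED = re.compile(r"warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed")
ACCEPTED = re.compile(r"client=\S+\[([^\]]+)\], sasl_method=([^,\s]+), sasl_username=(\S+)")


def summarize(log_text):
    """Return {client_ip: {"tls", "failed", "accepted"}} from smtpd lines."""
    clients = {}

    def entry(ip):
        return clients.setdefault(ip, {"tls": None, "failed": Counter(), "accepted": []})

    for line in log_text.splitlines():
        if "postfix/smtpd[" not in line:
            continue
        m = TLS.search(line)
        if m:
            entry(m.group(1))["tls"] = (m.group(2), m.group(3))
            continue
        # The SASL library's own "authentication failure" line names no
        # client, so only the smtpd line that includes the address counts.
        m = FAILED.search(line)
        if m:
            entry(m.group(1))["failed"][m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            entry(m.group(1))["accepted"].append((m.group(2), m.group(3)))
    return clients


def failures_without_success(log_text):
    """Client addresses that failed AUTH and never logged sasl_method=."""
    return sorted(ip for ip, c in summarize(log_text).items()
                  if c["failed"] and not c["accepted"])


if __name__ == "__main__":
    for ip, c in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, "tls:", c["tls"], "failed:", dict(c["failed"]), "accepted:", c["accepted"])
    print("failures only:", failures_without_success(SAMPLE_LOG))
```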


Re: some questions about my postfix config

2008-09-22 Thread Noel Jones

David Ballano wrote:


I added -v to the smtpd, it's just incredible...


Incredible how?  I don't see anything terribly unusual here.

BTW, I don't use AUTH NTLM so I'm not sure what the normal 
logging for an AUTH NTLM session looks like; it's quite 
possible what you are seeing is normal and expected.


If you don't want to offer NTLM, you can disable it in your 
cyrus setup.

http://www.postfix.org/SASL_README.html#server_cyrus


--
Noel Jones


Re: Big Distribution List

2008-09-22 Thread Wietse Venema
Victor Duchovni:
 On Mon, Sep 22, 2008 at 09:08:55AM -0300, jakjr wrote:
 
  Hi Guys,
  
  I have one big distribution list (100K emails). I'm using virtual_alias_maps
  for that like this:
  
  virtual_alias_maps = hash:/etc/postfix/virtual
  
  where virtual:
  [EMAIL PROTECTED]
[EMAIL PROTECTED],
.
[EMAIL PROTECTED]
 
 By default Postfix truncates virtual(5) expansion at 1000 recipients.
 For lists this large you MUST not use virtual(5), rather use a :include:
 valued local alias, AND set an owner-list alias to make sure that
 bounces are NOT sent to the sender.

I just did a quick run-time profile of the cleanup daemon's CPU
usage, and it was no surprise that most time was spent manipulating
email addresses. I expected less that the time was spent in a
quadratic algorithm.

Specifically, most time was being spent in tok822_append(), as it
is called by tok822_group(). Function tok822_append() is called
from several places, and I had to inline it to find out which
calls are expensive. The expense is incurred when tok822_append()
appends a list of multiple tokens, which makes the algorithm
quadratic. This could be avoided by passing in a pointer to the
last list element, and keeping that pointer up to date as the
program evolves.

The owner member of an address token is never tested for its
actual value, only for zero or non-zero. Therefore in many cases
the quadratic behavior can be avoided altogether. However, this is
not something I would change while recovering from a seven-hour
time shift.

Wietse


restricted aliases

2008-09-22 Thread Chris St Denis
I need to add support for (multi-recipient) aliases that are only able 
to receive messages from selected users.


I was initially looking at mailman or majordomo, however from what I 
understand of them, they authenticate only on the from address so it 
looks like it would be easy to forge. (Correct me if this is wrong).


I also thought of smtpd_restriction_classes however that is also subject 
to easy spoofing and the documentation even says Postfix restriction 
classes aren't really the right solution



So I am wondering. What IS a good way to do this. Optimally, I would 
like to restrict based on the SASL username.


Re: restricted aliases

2008-09-22 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Tue, Sep 23, 2008 at 3:43 PM, Chris St Denis [EMAIL PROTECTED] wrote:
 I need to add support for (multi-recipient) aliases that are only able to
 receive messages from selected users.

 I was initially looking at mailman or majordomo, however from what I
 understand of them, they authenticate only on the from address so it looks
 like it would be easy to forge. (Correct me if this is wrong).

 I also thought of smtpd_restriction_classes however that is also subject to
 easy spoofing and the documentation even says Postfix restriction classes
 aren't really the right solution


 So I am wondering. What IS a good way to do this. Optimally, I would like to
 restrict based on the SASL username.

As far as I know, you can actually restrict the from address that
each username can use, I have no time to get the info right now, but
it *is* in postfix's documentation.  Another solution would be use
mailman with a PGP patch added, and it will validate the PGP
signature.

I hope this helps,

Ildefonso Camargo.


Re: distribution lists.

2008-09-22 Thread Victor Duchovni
On Mon, Sep 22, 2008 at 05:04:05PM +0200, mouss wrote:

 under smtpd_recipient_restrictions, you can't (you don't want to skip 
 other checks) so you can only use DUNNO which is less flexible (dunno 
 will not skip the following checks, even in a single restriction class).

Actually, DUNNO only skips further (less specific) lookup keys in the
same TABLE, it DOES NOT skip further checks in the same class.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.


Re: restricted aliases

2008-09-22 Thread mouss

Chris St Denis wrote:
I need to add support for (multi-recipient) aliases that are only able 
to receive messages from selected users.


I was initially looking at mailman or majordomo, however from what I 
understand of them, they authenticate only on the from address so it 
looks like it would be easy to forge. (Correct me if this is wrong).




There is no way to prevent strangers from forging stranger identities. 
this is not specific to email (If I call you on the phone, I can say 
that I am foo bar, provided you don't know foo bar enough to detect the 
forgery).


you can enforce authentication for _your_ users. you can also refuse 
mail from external servers with a sender in your domain.


so go for a mailing list manager.

I also thought of smtpd_restriction_classes however that is also subject 
to easy spoofing and the documentation even says Postfix restriction 
classes aren't really the right solution




There is no way to prevent forgery. all you can do is make it harder by 
requiring a login:password. but even this only reduces risks.




So I am wondering. What IS a good way to do this. Optimally, I would 
like to restrict based on the SASL username.


enforce login and sender match. then restrict based on sender.


Mail Archiving

2008-09-22 Thread James
I was wondering if anyone here knew of a good way to duplicate emails 
for archival purposes.


What i want to do is use a gateway machine that will deliver mail to two 
machines.
one being an active imap/pop3 system and the other being a mail archival 
system


i was thinking that there might be something like editing the transport 
file to do that but that only allows a single destination per domain as 
far as i know.


Any help is appreciated,

Thanks


Re: Mail Archiving

2008-09-22 Thread Chris St Denis

James wrote:
I was wondering if anyone here knew of a good way to duplicate emails 
for archival purposes.


What i want to do is use a gateway machine that will deliver mail to 
two machines.
one being an active imap/pop3 system and the other being a mail 
archival system


i was thinking that there might be something like editing the 
transport file to do that but that only allows a single destination 
per domain as far as i know.


Any help is appreciated,

Thanks

Try recipient_bcc_maps

http://www.postfix.org/postconf.5.html#recipient_bcc_maps


Re: Mail Archiving

2008-09-22 Thread Adam Tauno Williams
On Mon, 2008-09-22 at 15:07 -0700, Chris St Denis wrote:
 James wrote:
  I was wondering if anyone here knew of a good way to duplicate emails 
  for archival purposes.
  What i want to do is use a gateway machine that will deliver mail to 
  two machines.
  one being an active imap/pop3 system and the other being a mail 
  archival system
  i was thinking that there might be something like editing the 
  transport file to do that but that only allows a single destination 
  per domain as far as i know.
  Any help is appreciated,
  Thanks
 Try recipient_bcc_maps
 http://www.postfix.org/postconf.5.html#recipient_bcc_maps

I do not believe this is sufficient for [legal] archive purposes;  it
does not appear to capture BCC recipients of the message.  An archive
milter is probably required to meet data retention requirements;  while
a few people claim to have such a milter no one has shared one to my
knowledge.



Re: Mail Archiving

2008-09-22 Thread J.P. Trosclair
We use something similar. We are a small company so what suits us may 
not be usable for you, either way I'll give you the run down so you can 
decide. We use an alias to forward mail to the regular mail box that is 
accessed via imap/pop and then to a custom program that stores the mail 
in mbox format. The only reason we use a custom program (a script of 
sort would probably do however ours is written in C) is to sort the mail 
by month. To archive sent mail we use the same technique via 
sender_bcc_maps to the same program that dates the mailboxes by month. A 
quick example of the end product is:


joeuser-recv-MM-
joeuser-sent-MM-

This technique has worked very well for us. You can use the mbox style 
files with thunderbird or mutt if you need to extract mail from them. 
The only downside is the complexity of setting up an email account. You 
need to remember to add the proper aliases and what not. I've automated 
the process with scripts to make it less likely that we miss something.


Chris St Denis wrote:

James wrote:
I was wondering if anyone here knew of a good way to duplicate emails 
for archival purposes.


What i want to do is use a gateway machine that will deliver mail to 
two machines.
one being an active imap/pop3 system and the other being a mail 
archival system


i was thinking that there might be something like editing the 
transport file to do that but that only allows a single destination 
per domain as far as i know.


Any help is appreciated,

Thanks

Try recipient_bcc_maps

http://www.postfix.org/postconf.5.html#recipient_bcc_maps




Re: restricted aliases

2008-09-22 Thread Chris St Denis

mouss wrote:

Chris St Denis wrote:
I need to add support for (multi-recipient) aliases that are only 
able to receive messages from selected users.


I was initially looking at mailman or majordomo, however from what I 
understand of them, they authenticate only on the from address so it 
looks like it would be easy to forge. (Correct me if this is wrong).




There is no way to prevent strangers from forging stranger identities. 
this is not specific to email (If I call you on the phone, I can say 
that I am foo bar, provided you don't know foo bar enough to detect 
the forgery).


you can enforce authentication for _your_ users. you can also refuse 
mail from external servers with a sender in your domain.


so go for a mailing list manager.

I also thought of smtpd_restriction_classes however that is also 
subject to easy spoofing and the documentation even says Postfix 
restriction classes aren't really the right solution




There is no way to prevent forgery. all you can do is make it harder 
by requiring a login:password. but even this only reduces risks.




So I am wondering. What IS a good way to do this. Optimally, I would 
like to restrict based on the SASL username.


enforce login and sender match. then restrict based on sender.
Looking through the docs it looks like I can use smtpd_sender_login_maps 
and smtpd_sender_restrictions with reject_sender_login_mismatch


However I want to apply this only to selected destination addresses and 
I'm not sure how to go about this.


Can I use reject_sender_login_mismatch (or something similar) in a 
recipient map?


Does smtpd_sender_login_maps have to contain all addresses on the 
server, or just the ones I care about?



Optimally, I want to apply reject_sender_login_mismatch only to users 
when sending to specific addresses. Reject if the check fails, but not 
check for sending to anywhere else.



Dealing with forgeries from the internet isn't a big concern because 
incoming mail comes in on a different ip, I can just block all incoming 
mail with from: locally hosted domain. It is preventing senders from one 
local domain from spoofing another for these restricted aliases that 
needs protection.
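
One way to express the check discussed in this thread (login and sender must match, then authorization per restricted alias keyed on the SASL login), written as a decision function for Postfix's policy delegation protocol. This is an added example, not code from any poster; the use of check_policy_service, the alias, the logins and the addresses are all assumptions.

```python
import sys

# Hypothetical policy data; every address and login here is made up.
RESTRICTED = {"staff-all@example.com": {"alice", "bob"}}  # alias -> logins
LOGIN_SENDERS = {  # SASL login -> envelope senders that login may use
    "alice": {"alice@example.com"},
    "bob": {"bob@example.net"},
    "carol": {"carol@example.net"},
}

# Constructed request (a subset of the attributes smtpd sends at RCPT TO).
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
sender=carol@example.net
recipient=staff-all@example.com
sasl_username=carol
"""


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the action for one recipient, in access(5) syntax."""
    allowed = RESTRICTED.get(attrs.get("recipient", "").lower())
    if allowed is None:
        return "DUNNO"  # not a restricted alias: later restrictions decide
    login = attrs.get("sasl_username", "")
    if not login:
        return "REJECT authentication required for this address"
    if attrs.get("sender", "").lower() not in LOGIN_SENDERS.get(login, set()):
        return "REJECT sender address not owned by this login"
    if login not in allowed:
        return "REJECT not authorized to post to this address"
    return "DUNNO"  # authorized: fall through to the remaining checks


def main():
    """Answer requests on stdin/stdout; a blank line ends each request."""
    block = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            block.append(line)
            continue
        sys.stdout.write("action=%s\n\n" % decide(parse_request(block)))
        sys.stdout.flush()
        block = []


if __name__ == "__main__":
    main()
```

Mail to any other recipient gets DUNNO, so the check only affects the restricted aliases and a login from one local domain cannot post under a sender address it does not own.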





Re: Mail Archiving

2008-09-22 Thread Sam Przyswa
We use MailScanner as a spam and virus filter, and its mail archiving and 
monitoring function to copy mails to a dedicated account. It is easily 
configurable with rules to copy mails to several mail accounts; see 
http://www.mailscanner.info/


Sam.

Adam Tauno Williams wrote:

On Mon, 2008-09-22 at 15:07 -0700, Chris St Denis wrote:
  

James wrote:

I was wondering if anyone here knew of a good way to duplicate emails 
for archival purposes.
What i want to do is use a gateway machine that will deliver mail to 
two machines.
one being an active imap/pop3 system and the other being a mail 
archival system
i was thinking that there might be something like editing the 
transport file to do that but that only allows a single destination 
per domain as far as i know.

Any help is appreciated,
Thanks
  

Try recipient_bcc_maps
http://www.postfix.org/postconf.5.html#recipient_bcc_maps



I do not believe this is sufficient for [legal] archive purposes;  it
does not appear to capture BCC recipients of the message.  An archive
milter is probably required to meet data retention requirements;  while
a few people claim to have such a milter no one has shared one to my
knowledge.

  





Re: restricted aliases

2008-09-22 Thread Jay Chandler

Chris St Denis wrote:


Dealing with forgeries from the internet isn't a big concern because 
incoming mail comes in on a different ip, I can just block all 
incoming mail with from: locally hosted domain. It is preventing 
senders from one local domain from spoofing another for these 
restricted aliases that needs protection.



As has been mentioned previously, mailman or another mailing list 
manager has already solved this problem in a more robust fashion...


--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: the xy axis in the trackball is coordinated with the summer 
solstice



Re: Race in simplest after-queue content filter?

2008-09-22 Thread Karl O. Pinc


On 09/22/2008 08:02:44 AM, Wietse Venema wrote:


This is a shell script that sits between a Postfix SMTP client and
a Postfix SMTP server.  It is implemented with awk and nc. awk
reads from the SMTP client and sends modified content into nc.
The shell script runs as a child process of the spawn daemon.

Postfix --> awk --\         Postfix
SMTP               nc <---> SMTP
client  <---------/         server

The biggest problems with this script are:

1) Your script only works if the Postfix SMTP server closes the
   connection immediately after the completion of a MAIL FROM
   transaction.  Otherwise, the nc process will hang until the
   Postfix SMTP server times out after 1000 seconds.


I did indeed see this behavior, and wrote to the list with
both a question as to whether the SMTP exchange should
really finish before the SMTP server closes the
connection (the answer is yes), and
proposed code which (see below) works under
every test condition I've come up with.



2) Your script assumes that every SMTP connection will have only
   one MAIL FROM transaction. However, the SMTP protocol supports
   more than one MAIL FROM transaction per SMTP connection, and
   Postfix expects that SMTP clients implement this part of the
   SMTP standard.


Could you please elaborate as to where this
failure is?  The awk script was written to distinguish
between:
 mail headers and body.
 the SMTP commands and the mail content
  (by detecting the SMTP DATA command and its ending period cr lf)
no matter how many MAIL FROM transactions succeed or fail.

I did find a bug concerning email messages with no body,
but your concern appears more general than that.

The filter does not care whether the mail is accepted for
delivery or not, or any other SMTP semantics or state
because it does not reject mail.  Its purpose
is to filter mail content and otherwise pass SMTP
commands untouched.  Having distinguished SMTP
commands from mail headers from mail body,
alteration of mail content is a straightforward enhancement
away.

As far as I can tell it works with respect to
multiple MAIL FROM transactions.  (Specifically,
it removes Sender: message headers.  Note that
this is a stupid way to do this.  The header_checks
IGNORE feature, IIRC, would be the right way to
do this.  But that's not the point.  The point
is having some simple working code as a starting
point for when I want to quickly put together
some correct but not necessarily
efficient filtering.)

Here's the script again, patched with DELAY set to 0
and the conditional fixed to support messages with no body:

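~~~
#!/bin/sh
# Arguments: host and port of the Postfix SMTP server to forward to.
DELAY=0
host=$1
port=$2

# -W interactive (mawk): unbuffered output, line-buffered input.
awk -W interactive \
'BEGIN {headers = 1;
        data = 0;};
 # DATA command: message content follows.
 /^DATA\r$/ {data = 1;};
 # First empty line inside the content ends the message headers.
 /^\r$/ {if (data == 1) {
           headers = 0;
         }
        };

 {if (data == 1) {
    # Pass body lines and every header line except Sender:.
    if (headers == 0 || $1 != "Sender:") {
      print;
    }
    if ($0 == ".\r") {
      # End of data, smtp loops and allows another message
      headers = 1;
      data = 0;
    }
  } else {
    # SMTP commands pass through untouched.
    print;
  }
 }; ' \
 | nc -q "$DELAY" "$host" "$port"
~~~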


... and your script is not built
to handle the case where the Postfix SMTP server does not close a
connection immediately.



The bug is that you use nc, which does not terminate until it
encounters an end-of-file condition on input from BOTH stdin AND
from the network.


The classic nc terminates ONLY when the network side closes.
The -q (Debian patch) will tell nc to terminate upon
encountering an end-of-file condition on stdin, after
flushing all output to the network, irrespective
of whether the network has an end-of-file condition.  When
used with -q nc ALSO terminates when the network side
is closed.  nc -q takes a value, the number of seconds
before terminating, so nc -q 0 means terminate
when STDIN closes, after flushing the network buffers.

Victor Duchovni informs me that it's expected for postfix
to disconnect rather than sending an SMTP QUIT,
so I can safely set DELAY to 0 and eliminate the problem
I was having with nc hanging.  This makes complete sense
in the context of what SMTP says about unexpected closure
of the TCP connections, but I thought it was safer to ask
instead of guessing about the results of unfamiliar behavior.

This takes care of the end-of-file condition on the stdin side.


A properly implemented SMTP proxy filter takes action immediately
when it encounters an end-of-file condition on input from EITHER
stdin OR from the network.


Since nc always terminates when the network side closes, the
script should work.  As it appeared to do.  I wrote
because I was wondering about the hanging nc (and its
connected smtpd) process; now I know I can safely get
rid of that by setting DELAY to 0.  (It's too bad
-q is Debian and not part of the stock nc.)

This exchange has been like pulling teeth.  Is there
something wrong with the way I'm interacting with
the list or something I can do differently to make
things easier in the future?  The only thing