Re: Greylisting
Tom Allison wrote:
> I'm going by recent memory so please be kind if I miss something.
> I recall in the greylisting docs that under DATA and something else only one recipient is transmitted. Is that also true immediately following the RECIPIENT block? Is just the first one listed or any particular order?

You only have the current recipient. If mail has multiple recipients, then the policy server is called for each recipient if the check is done at RCPT stage (so this doesn't apply to data stage, when you don't get the recipient(s)).

> What I am trying to do long term is look for some kind of a hook to keep deferring the bad email so it stays on the sender's machine and I don't have to own it, other than this deferral process.

Not clear what you mean. Defer causes the mail to stay on the previous MTA, if this is really an MTA. In case of ratware, the behaviour is unpredictable (ratware can retry or not).

> Of course, since I thought of trying to do this yesterday it's probably already been tried a dozen different ways...

Do you mean you want to defer the mail indefinitely? You can use defer, but be careful here. You'll have to be very selective because a false positive that is detected 5 days later is worse than one that is detected shortly. So reject is generally the way to go.

Don't think too much about zombies. Defer won't help (they don't have to follow the SMTP protocol!). And for real MTAs, it is unfriendly to delay mail too long.
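The per-recipient behaviour described in this reply, as an added example that is not part of the original thread: a greylisting decision function for the Postfix policy delegation protocol (name=value attributes ended by an empty line). The 300-second delay, the in-memory store, the sample addresses and the choice to greylist only at protocol_state=RCPT are assumptions of this example.

```python
import time


def parse_policy_request(text):
    """Parse one policy delegation request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break  # an empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    """Greylist on the (client address, sender, recipient) triplet."""

    def __init__(self, delay=300, clock=time.time):
        self.delay = delay      # seconds a new triplet must wait (assumed value)
        self.clock = clock      # injectable so the example can be tested
        self.first_seen = {}    # triplet -> time of the first attempt

    def decide(self, attrs):
        """Return the reply for one request, including the terminating empty line."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=dunno\n\n"
        # Postfix calls the policy server once per RCPT TO, each time with the
        # current recipient only. Outside the RCPT stage there may be no single
        # recipient to key on, so this example does not greylist there.
        if attrs.get("protocol_state") != "RCPT" or not attrs.get("recipient"):
            return "action=dunno\n\n"
        triplet = (
            attrs.get("client_address", ""),
            attrs.get("sender", "").lower(),
            attrs["recipient"].lower(),
        )
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # defer_if_permit yields a 4xx reply: a real MTA keeps the mail in
            # its own queue and retries, so the message never enters ours.
            return "action=defer_if_permit Greylisted, please retry later\n\n"
        return "action=dunno\n\n"


def make_request(state, recipient, client="192.0.2.10", sender="alice@example.org"):
    """Build a constructed sample request in the shape Postfix sends."""
    return (
        "request=smtpd_access_policy\n"
        f"protocol_state={state}\n"
        "protocol_name=ESMTP\n"
        f"client_address={client}\n"
        f"sender={sender}\n"
        f"recipient={recipient}\n"
        "\n"
    )


def demo():
    """One message with two recipients: two policy calls, two independent triplets."""
    now = [1000.0]
    greylist = Greylist(delay=300, clock=lambda: now[0])
    replies = []
    for rcpt in ("bob@example.net", "carol@example.net"):
        request = parse_policy_request(make_request("RCPT", rcpt))
        replies.append(greylist.decide(request))
    now[0] += 301  # the sending MTA retries after the delay has passed
    retry = parse_policy_request(make_request("RCPT", "bob@example.net"))
    replies.append(greylist.decide(retry))
    # A DATA-stage request without a recipient is passed through untouched.
    replies.append(greylist.decide(parse_policy_request(make_request("DATA", ""))))
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply.strip())
```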
Re: Greylist query...
On Tue, Oct 07, 2008 at 02:58:52PM +0200, mouss wrote:
> Johan Andersson wrote:
> > Hi,
> > We are thinking to implement some form of greylisting at one of our sites and wonder which one of the many flavors out there that this group have found reliable?
> > I know postfix has its built-in one from a while back, but feel unsure if it is viable for our site...
> > postgrey and gps seem to have added some features that might be usable for us... like automatic trunking of the list
> > I am just starting to read up on it so I feel very noobish at the moment :)
> > We have six MTA's that receive approx 1 million emails a day (total) on roundrobined addresses.
> > Anyone else out there with some experience on the different greylisting models?
>
> try (Cami's) policyd. it's written in C as a single threaded daemon. it uses mysql (myisam unfortunately!). Cami is no longer working on it, but it's stable enough (and Cami used it in an ISP environment). it has other features (rate limiting, blacklist, whitelist, ...)
>
> check http://www.policyd.org/ and look at the Old policyd V1.

If you do not have anything in place, I would recommend looking at the version 2 policyd that is more database backend agnostic. It is written in perl and uses DBD/DBI to connect to the backends. That way you can avoid being locked in to a particular database backend be it MySQL, PostgreSQL, Oracle, ...

Ken
Re: smtpd_client_restrictions - order doesn't matter?
mouss wrote:
> LÉVAI Dániel wrote:
> > Hi!
> > I'm using postfix-2.5.4. I have this in my main.cf:
> > smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access, permit_sasl_authenticated, reject_unknown_client_hostname
> > It seems that the reject_unknown_client_hostname is applied always before the other rules, and I can not rely on the permit_sasl_authenticated rule to allow my connection always. Is this because of my smtpd_delay_reject = no setting, or is there something else?
>
> there is something else!
> - make sure reject_unknown_client_hostname is really called. Logs are needed.
> - check whether it is not caused by client_access

The client_access is empty for now.

> - check other restrictions.

I only get the hostname not found errors, and when I comment out that restriction, then I can connect (and authenticate).

> post the output of 'postconf -n' and relevant logs (showing the rejection).

postfix/smtpd[23810]: warning: 78.131.56.68: hostname 78-131-56-68.static.hdsnet.hu verification failed: no address associated with name
postfix/smtpd[23810]: connect from unknown[78.131.56.68]
postfix/smtpd[23810]: NOQUEUE: reject: CONNECT from unknown[78.131.56.68]: 450 4.7.1 Client host rejected: cannot find your hostname, [78.131.56.68]; proto=SMTP
postfix/smtpd[23810]: disconnect from unknown[78.131.56.68]
postfix/smtpd[23810]: warning: 78.131.56.68: hostname 78-131-56-68.static.hdsnet.hu verification failed: no address associated with name
postfix/smtpd[23810]: connect from unknown[78.131.56.68]
postfix/smtpd[23810]: NOQUEUE: reject: CONNECT from unknown[78.131.56.68]: 450 4.7.1 Client host rejected: cannot find your hostname, [78.131.56.68]; proto=SMTP
postfix/smtpd[23810]: disconnect from unknown[78.131.56.68]

postconf -n:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
debug_peer_list =
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_protocols = ipv4
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
message_size_limit = 20971520
mynetworks_style = host
newaliases_path = /usr/local/sbin/newaliases
notify_classes = protocol, resource, software
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_scache
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_delay_reject = yes
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/spam-filter_leva, permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, reject
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, reject_unknown_sender_domain, reject_non_fqdn_sender
smtpd_soft_error_limit = 2
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix_cert.pem
smtpd_tls_key_file = /etc/ssl/private/postfix_key.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_scache
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = hash:/etc/postfix/virtual_users_gid
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/virtual_users
virtual_minimum_uid = 8001
virtual_transport = dovecot-lda
virtual_uid_maps = hash:/etc/postfix/virtual_users_uid

Thanks!

--
LEVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: Default 'delay_warning_time'
On 10/7/2008 9:26 AM, Ralf Hildebrandt wrote: Does the default: delay_warning_time = 0h really mean that the sender would get the warning immediately if the message wasn't able to be delivered immediately? Please read the docs carefully: To enable this feature, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours). Meaning: It's disabled. sigh I'm really getting tired of getting hit in the head by cluesticks... Thanks Ralf... -- Best regards, Charles
RE: My first config - unable to telnet to port 25, virtual.db missing
This server is only the secondary mail server for incoming mail, so it won't be bouncing anything just passing it onto the primary server which does perform valid recipient checks. I don't see any point doing it here too as it just means more hits against the AD servers for no greater effect, unless I needed to lessen the load on the primary MX server which I don't. That this wasn't evident might suggest I've configured it incorrectly to act as a secondary MX server. Paul Cocker Systems Infrastructure Support Network Administrator and Security Specialist -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Evans - Postfix List Sent: 06 October 2008 15:46 To: postfix-users@postfix.org Subject: Re: My first config - unable to telnet to port 25, virtual.db missing Paul Cocker wrote: I have a CentOS 5.2 machine running postfix 2.3.3 install via yum and am setting up for the first time, having been a sendmail user previously. I have been configuring it based around 'Postfix email firewall/gateway' setup in the postfix documentation as this machine will be acting as the primary mail server for outgoing mail and the second MX entry for incoming. The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also set to ALL. Running a postconf -n results in the following output: [...] relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk No relay_recipient_maps? You seem to be heading to be a (Back|Out)scatter source. Highly suggest you have a static map or db map (LDAP,SQL) of real users. Oct 6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open database /etc/postfix/virtual.db: No such file or directory You forgot to run 'postmap hash:/etc/postfix/virtual'. This must be done for all hash, cdb, btree, (s)dbm files that you define as maps. Do I need to manually create virtual.db (and should I run a set-permissions from postconf if I do?), or is that incidental to the other errors? 
Are these errors the reason it won't accept connections on port 25, or is there an error in the config above? Does master.cf have an uncommented line for the smtpd service? What happens if you remove (comment) the line from hosts.deny? Brian TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.
smtpd_client_restrictions - order doesn't matter?
Hi! I'm using postfix-2.5.4. I have this in my main.cf: smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access, permit_sasl_authenticated, reject_unknown_client_hostname It seems that the reject_unknown_client_hostname is applied always before the other rules, and I can not rely on the permit_sasl_authenticated rule to allow my connection always. Is this because of my smtpd_delay_reject = no setting, or is there something else? Thanks! -- LEVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: smtpd_client_restrictions - order doesn't matter?
On Tue, Oct 07, 2008 at 03:13:20PM +0200, LÉVAI Dániel wrote:
> postfix/smtpd[23810]: warning: 78.131.56.68: hostname 78-131-56-68.static.hdsnet.hu verification failed: no address associated with name
> postfix/smtpd[23810]: connect from unknown[78.131.56.68]
> postfix/smtpd[23810]: NOQUEUE: reject: CONNECT from unknown[78.131.56.68]: 450 4.7.1 Client host rejected: cannot find your hostname, [78.131.56.68]; proto=SMTP

You have smtpd_delay_reject = no and are rejecting at CONNECT time. Clearly SASL login has not yet been performed at that point, and so permit_sasl_authenticated is a NOP.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:

mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Greylist query...
Postgrey is based on a Berkeley database. So it's going to be tricky getting your 6 MTA's to play nice. But it has a sound approach for managing the list. I don't know about the others. But you might want to look for something that has a networked database.

On Oct 7, 2008, at 7:44 AM, Johan Andersson [EMAIL PROTECTED] wrote:
> Hi,
> We are thinking to implement some form of greylisting at one of our sites and wonder which one of the many flavors out there that this group have found reliable?
> I know postfix has its built-in one from a while back, but feel unsure if it is viable for our site...
> postgrey and gps seem to have added some features that might be usable for us... like automatic trunking of the list
> I am just starting to read up on it so I feel very noobish at the moment :)
> We have six MTA's that receive approx 1 million emails a day (total) on roundrobined addresses.
> Anyone else out there with some experience on the different greylisting models?
> /Johan Andersson
Re: Greylist query...
On Oct 7, 2008, at 7:44 AM, Johan Andersson wrote:
> Hi,
> We are thinking to implement some form of greylisting at one of our sites and wonder which one of the many flavors out there that this group have found reliable?
> I know postfix has its built-in one from a while back, but feel unsure if it is viable for our site...
> postgrey and gps seem to have added some features that might be usable for us... like automatic trunking of the list
> I am just starting to read up on it so I feel very noobish at the moment :)
> We have six MTA's that receive approx 1 million emails a day (total) on roundrobined addresses.
> Anyone else out there with some experience on the different greylisting models?
> /Johan Andersson

Hi Johan,

I don't have near the volume you do, but I know lots of people that use ASSP on high traffic servers without a problem. ASSP also runs great for my small mail server. One of the biggest features it has for me is the white lists. Most of my e-mail comes from other companies that have their own domain, so I can just whitelist all my client domains and then they don't get rejected or delayed.

Just something to think about.

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]
Re: Virtual domain uncertainty...
On 10/6/2008 7:18 PM, Wietse Venema wrote: Can I set up DNS (and MX records) for several different domains to point to the same postfix instance/host/IP address and reference that same postfix instance/host/IP by different DNS host names (smtp.example1.com, smtp.example2.com, etc), and have everything just work? Not unless you also list smtp.example1.com in $mydestination, otherwise mail will loop. ?! But the virtual how-to says the opposite... never list a virtual_mailbox_domain in mydestination... Obviously I'm missing something totally obvious to everyone else... :( You could also keep it simple and list the real hostname in the MX records. Hmmm... ok, and even if I do that, I can still tell user to configure their clients with smtp.example1.com as their outbound server? If the answer is yes, this is starting to make sense... -- Best regards, Charles
Default 'delay_warning_time'
Hi, What is probably a *very* obvious question... Does the default: delay_warning_time = 0h really mean that the sender would get the warning immediately if the message wasn't able to be delivered immediately? -- Best regards, Charles
Reverse DNS bug?
I have a weird issue where a sender with a valid reverse DNS entry is getting rejected. main.cf: === smtpd_delay_reject = yes smtpd_client_restrictions = ... reject_unknown_reverse_client_hostname Oct 4 19:04:21 postfix/smtpd[231]: connect from unknown[64.68.XXX.XXX] Oct 4 19:04:21 postfix/smtpd[231]: NOQUEUE: reject: RCPT from unknown[64.68.XXX.XXX]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [64.68.XXX.XXX]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=Y.COM Oct 4 19:04:21 smtp2-1 postfix/smtpd[231]: disconnect from unknown[64.68.XXX.XXX] # host 64.68.XXX.XXX XXX.XXX.68.64.in-addr.arpa domain name pointer BRYANLEX_lan_64.68.XXX.XXX.Z.TLD I've verified reverse DNS at www.dnswatch.info as well as all nameservers configured on the postfix system. The only possibility I see are the underscores. Other than that, the mail should have been let through. - Darek
Re: Reverse DNS bug?
On Tue, Oct 07, 2008 at 10:49:46AM -0400, Darek M. wrote:
> I have a weird issue where a sender with a valid reverse DNS entry is getting rejected.
>
> main.cf:
> ===
> smtpd_delay_reject = yes
> smtpd_client_restrictions = ... reject_unknown_reverse_client_hostname
>
> Oct 4 19:04:21 postfix/smtpd[231]: connect from unknown[64.68.XXX.XXX]

You've left out the DNS related warnings logged between the log entry above and the one below. Please look at these, and post them if you still have a question.

> Oct 4 19:04:21 postfix/smtpd[231]: NOQUEUE: reject: RCPT from unknown[64.68.XXX.XXX]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [64.68.XXX.XXX]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=Y.COM

This is a transient failure. What are your unknown_mumble_reject_codes set to? After tuning and testing your rules, you should have:

unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550

--
Viktor.
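The two points made in these replies (a reject logged at the CONNECT stage happens before any SASL login, and a 450 reply is a transient failure), as an added example that is not part of the original thread: a parser that triages Postfix NOQUEUE reject lines. The first two sample lines are quoted from the thread as posted; the third is constructed to show a permanent 550 reply.

```python
import re

# Matches the part of a Postfix smtpd log line that records a rejection.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>[A-Z-]+) from (?P<name>[^\[\s]+)\[(?P<addr>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d{1,3}\.\d{1,3}) (?P<reason>[^;]*);"
)

SAMPLE_LOG = """\
postfix/smtpd[23810]: connect from unknown[78.131.56.68]
postfix/smtpd[23810]: NOQUEUE: reject: CONNECT from unknown[78.131.56.68]: 450 4.7.1 Client host rejected: cannot find your hostname, [78.131.56.68]; proto=SMTP
Oct 4 19:04:21 postfix/smtpd[231]: NOQUEUE: reject: RCPT from unknown[64.68.XXX.XXX]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [64.68.XXX.XXX]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=Y.COM
Oct 4 19:10:02 postfix/smtpd[240]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.7]; proto=ESMTP helo=constructed.example
"""


def parse_reject(line):
    """Return the fields of one reject line, or None if the line is not a reject."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    stage = m.group("stage")
    return {
        "stage": stage,                      # SMTP stage at which Postfix replied
        "client": m.group("addr"),
        "code": code,
        "dsn": m.group("dsn"),
        "reason": m.group("reason").strip(),
        "transient": 400 <= code < 500,      # 4xx: the sending MTA should retry
        "before_auth": stage == "CONNECT",   # no SMTP command, so no AUTH, seen yet
    }


def triage(log_text):
    """Return (client, stage, code, hints) for every reject found in log_text."""
    findings = []
    for line in log_text.splitlines():
        reject = parse_reject(line)
        if reject is None:
            continue
        hints = []
        if reject["before_auth"]:
            hints.append(
                "rejected at CONNECT: SASL login has not happened yet, "
                "so permit_sasl_authenticated cannot match"
            )
        if reject["transient"]:
            hints.append("4xx reply: transient failure, the sender will retry")
        else:
            hints.append("5xx reply: permanent failure, the sender bounces the mail")
        findings.append((reject["client"], reject["stage"], reject["code"], hints))
    return findings


if __name__ == "__main__":
    for client, stage, code, hints in triage(SAMPLE_LOG):
        print(f"{client} {stage} {code}")
        for hint in hints:
            print(f"  - {hint}")
```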
Re: Retry - temp fail ndr?
Bill Cole: so I guess the answer is to tell him no, and if whatever it is is important, and he gets the warning, to follow the message up with a phone call (he should be doing that anyway for anything mission critical, but getting some people to understand that email is not a 100% reliable communication medium is sometimes difficult. He may get a little help from using the Return Receipt feature. That's done with headers and MUA's, so it is a bit less predictable than DSN's done at the SMTP level. On the other hand, DSN depends on all MTA's in the path supporting an extension to SMTP that some perceive as a threat to privacy and/or security. If an MTA does not announce DSN support, then the up-stream MTA is required to send the positive notification. What you would typically get is a notice that your message was given to the receiving party's mail server. Wietse
Re: Default 'delay_warning_time'
* Charles Marcus [EMAIL PROTECTED]: Hi, What is probably a *very* obvious question... Does the default: delay_warning_time = 0h really mean that the sender would get the warning immediately if the message wasn't able to be delivered immediately? Please read the docs carefully: To enable this feature, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours). Meaning: It's disabled. -- Ralf Hildebrandt ([EMAIL PROTECTED]) [EMAIL PROTECTED] Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155 http://www.arschkrebs.de I'm looking for a job #define QUESTION ((bb) || !(bb)) -- Shakespeare
is OK stops processing user defined lists (classes) only or entire smtpd_..._restriction?
From http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt OK stops processing of an access list and the restriction stage that contains it. Processing resumes with the next restriction stage (if any). Situation smtpd_restriction_classes = check_recipient_class check_recipient_class = check_recipient_access hash:/etc/postfix/maps/check_recipient, hash:/etc/postfix/maps/check_sender: mail.ru DUNNO yandex.ru DUNNO google.com check_recipient yahoo.com OK hash:/etc/postfix/maps/check_recipient: [EMAIL PROTECTED] OK [EMAIL PROTECTED] REJECT smtpd_recipient_restrictions = first sender restriction, check_sender_access hash:/etc/postfix/maps/check_sender, third sender restriction So [EMAIL PROTECTED] OK stops entire `smtpd_recipient_restrictions` (third sender restriction will not be processed) or google.com check_recipient only (so next is `yahoo.com OK` and then third sender restriction)? Thanks!
RE: {Spam?} Re: My first config - unable to telnet to port 25, virtual.db missing
Thanks for the clarifications. I've compiled virtual and progress is being made.

As we receive around 100 000 mails a day, I assume that doesn't fall into the category of low volume, so I don't think reject_unverified_recipient would be suitable, nor is maintaining a list of valid e-mail addresses in postfix manually. So at this point I'll see to set up a method for querying AD, and I see the HOWTO section has a couple of articles which cover this. My only concern would be the risks in opening up communications to AD from the DMZ.

Paul Cocker

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mouss
Sent: 06 October 2008 16:30
To: postfix-users@postfix.org
Subject: {Spam?} Re: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker wrote:
> I have a CentOS 5.2 machine running postfix 2.3.3 install via yum and am setting up for the first time, having been a sendmail user previously. I have been configuring it based around 'Postfix email firewall/gateway' setup in the postfix documentation as this machine will be acting as the primary mail server for outgoing mail and the second MX entry for incoming.
> The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also set to ALL.

hosts.* are irrelevant. postfix doesn't use tcpwrappers.

[snip]

> relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk

As Brian said, list the relay users in relay_recipient_maps. otherwise use reject_unverified_recipient (with a check_recipient_access).

> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> I do /usr/sbin/postfix check, which results in no errors, followed by /usr/sbin/postfix start. I can see master running in my process list. However, attempts to connect to port 25 on this machine from within the 100.243.0.0/22 network timeout with 'Connect failed' messages. My maillog is filled with the following:
>
> Oct 6 14:57:20 merlin postfix/postfix-script: starting the Postfix mail system
> Oct 6 14:57:20 merlin postfix/master[13470]: daemon started -- version 2.3.3, configuration /etc/postfix
> Oct 6 14:57:20 merlin postfix/qmgr[13472]: CDF481F80062: from=[EMAIL PROTECTED], size=971, nrcpt=1 (queue active)
> ...
> Oct 6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open database /etc/postfix/virtual.db: No such file or directory

you forgot to compile the virtual map:

# postmap hash:/etc/postfix/virtual

Please read: http://www.postfix.org/DATABASE_README.html

> Oct 6 14:57:21 merlin postfix/cleanup[13473]: fatal: open database /etc/postfix/virtual.db: No such file or directory
> Oct 6 14:57:22 merlin postfix/master[13470]: warning: process /usr/libexec/postfix/cleanup pid 13473 exit status 1
> Oct 6 14:57:22 merlin postfix/master[13470]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling
> Oct 6 14:57:22 merlin postfix/master[13470]: warning: process /usr/libexec/postfix/trivial-rewrite pid 13474 exit status 1
> Oct 6 14:57:22 merlin postfix/master[13470]: warning: /usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
> ...
>
> Do I need to manually create virtual.db (and should I run a set-permissions from postconf if I do?), or is that incidental to the other errors? Are these errors the reason it won't accept connections on port 25, or is there an error in the config above?
>
> Paul Cocker
Greylisting
I'm going by recent memory so please be kind if I miss something.

I recall in the greylisting docs that under DATA and something else only one recipient is transmitted. Is that also true immediately following the RECIPIENT block? Is just the first one listed or any particular order?

What I am trying to do long term is look for some kind of a hook to keep deferring the bad email so it stays on the sender's machine and I don't have to own it, other than this deferral process.

Of course, since I thought of trying to do this yesterday it's probably already been tried a dozen different ways...
Re: Greylist query...
Isn't ASSP more than just greylisting?

On Oct 7, 2008, at 8:08 AM, Jason Pruim [EMAIL PROTECTED] wrote:
> On Oct 7, 2008, at 7:44 AM, Johan Andersson wrote:
> > Hi,
> > We are thinking to implement some form of greylisting at one of our sites and wonder which one of the many flavors out there that this group have found reliable?
> > I know postfix has its built-in one from a while back, but feel unsure if it is viable for our site...
> > postgrey and gps seem to have added some features that might be usable for us... like automatic trunking of the list
> > I am just starting to read up on it so I feel very noobish at the moment :)
> > We have six MTA's that receive approx 1 million emails a day (total) on roundrobined addresses.
> > Anyone else out there with some experience on the different greylisting models?
> > /Johan Andersson
>
> Hi Johan,
>
> I don't have near the volume you do, but I know lots of people that use ASSP on high traffic servers without a problem. ASSP also runs great for my small mail server. One of the biggest features it has for me is the white lists. Most of my e-mail comes from other companies that have their own domain, so I can just whitelist all my client domains and then they don't get rejected or delayed.
>
> Just something to think about.
>
> --
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 11287 James St
> Holland, MI 49424
> www.raoset.com
> [EMAIL PROTECTED]
Re: Greylist query...
On Tue, Oct 07, 2008 at 01:44:25PM +0200, Johan Andersson wrote:
> Hi,
> We are thinking to implement some form of greylisting at one of our sites and wonder which one of the many flavors out there that this group have found reliable?
> I know postfix has its built-in one from a while back, but feel unsure if it is viable for our site...
> postgrey and gps seem to have added some features that might be usable for us... like automatic trunking of the list
> I am just starting to read up on it so I feel very noobish at the moment :)
> We have six MTA's that receive approx 1 million emails a day (total) on roundrobined addresses.
> Anyone else out there with some experience on the different greylisting models?
> /Johan Andersson

We are using sqlgrey with a PostgreSQL backend for 6 MTA's and it works well, although the effectiveness of greylisting is declining.

Ken
Re: Reverse DNS bug?
Victor Duchovni wrote: On Tue, Oct 07, 2008 at 10:49:46AM -0400, Darek M. wrote: I have a weird issue where a sender with a valid reverse DNS entry is getting rejected. main.cf: === smtpd_delay_reject = yes smtpd_client_restrictions = ... reject_unknown_reverse_client_hostname Oct 4 19:04:21 postfix/smtpd[231]: connect from unknown[64.68.XXX.XXX] You've left out the DNS related warnings logged between the log entry above and the one below. Please look at these, and post them if you still have a question. The error lines are all that it logged. Nothing in between. Maybe you mean warning: 1.2.3.4: hostname 1.2.3.4.someisp.tld verification failed: hostname nor servname provided, or not known Didn't see that warning in this case. Oct 4 19:04:21 postfix/smtpd[231]: NOQUEUE: reject: RCPT from unknown[64.68.XXX.XXX]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [64.68.XXX.XXX]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=Y.COM This is a transient failure. What are your unknown_mumble_reject_codes set to? After tuning and testing your rules, you should have: unknown_address_reject_code = 550 unknown_client_reject_code = 550 unknown_hostname_reject_code = 550 unknown_local_recipient_reject_code = 550 unknown_relay_recipient_reject_code = 550 unknown_virtual_alias_reject_code = 550 unknown_virtual_mailbox_reject_code = 550 I didn't change any reject codes from the stock install, and I'm fine with a temporary reject for DNS errors. The issue is Postfix not seeing the reverse entry. 
access_map_reject_code = 554 invalid_hostname_reject_code = 501 maps_rbl_reject_code = 554 multi_recipient_bounce_reject_code = 550 non_fqdn_reject_code = 504 plaintext_reject_code = 450 reject_code = 554 relay_domains_reject_code = 554 unknown_address_reject_code = 450 unknown_client_reject_code = 450 unknown_hostname_reject_code = 450 unknown_local_recipient_reject_code = 550 unknown_relay_recipient_reject_code = 550 unknown_virtual_alias_reject_code = 550 unknown_virtual_mailbox_reject_code = 550 unverified_recipient_reject_code = 450 unverified_sender_reject_code = 450 - Darek
On localhost SMTP OK, but outside localhost - Recipient address rejected
Hi! I have looked in www.postfix.org (docs, howto FAQ, that's how I got it working so far), Googled and I have searched the archives, but can't get it to work (but as a postfix noob, I could search for wrong things :-( ). I also have Dovecot, spamassassin, amavisd-new, postfixadmin RoundCube (working as far as I can see) on my Fedora 9, if that could give some hint.

If I try on my server in DMZ it works OK, I get this:

START
[EMAIL PROTECTED] postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix
helo trying.my.best
250 localhost.localdomain
mail from: [EMAIL PROTECTED]
250 2.1.0 Ok
rcpt to: [EMAIL PROTECTED]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hi there, it's working
.
250 2.0.0 Ok: queued as 2558C1E2893
quit
221 2.0.0 Bye
END

If I try from a computer on my LAN it doesn't work, I get this:

START
telnet 172.16.16.1 25
220 localhost.localdomain ESMTP Postfix
helo trying.my.best
250 localhost.localdomain
mail from:[EMAIL PROTECTED]
250 2.1.0 Ok
rcpt to:[EMAIL PROTECTED]
450 4.7.1 : Recipient address rejected: Greylisted for 5 minutes
quit
221 Closing connection. Good bye.
END

My postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = mysecretdomain.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mysecretdomain.com
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = virtual
virtual_uid_maps = static:1001

Any ideas (sorry if it's something obvious)?
Re: On localhost SMTP OK, but out side localhost - Recipient address rejected?
Hi,

Check: http://www.postfix.org/basic.html#relaying

Seems to me like you just need to add your lan addresses in mynetworks.

/Victor

--
Victor Jerlin, CTO Gränslösa System GSYS HB Cell#: +356--0125
Re: On localhost SMTP OK, but outside localhost - Recipient address rejected_
raffe reinoso:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:2501

If this is your greylisting service, and you don't want to greylist local network clients, then you need to change your mynetworks setting. Perhaps:

mynetworks = 127.0.0.0/8 172.16.16.0/24

Wietse
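The behaviour discussed in this thread, as an added example that is not part of the original messages and not the code of any greylisting daemon: a small Python model of a greylisting decision sitting behind check_policy_service, with permit_mynetworks evaluated first as in the posted smtpd_recipient_restrictions. The triplet store, the 300-second delay, the helper names, the "before" mynetworks value and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

GREYLIST_DELAY = 300  # seconds; assumed from the "Greylisted for 5 minutes" reply

# Constructed policy delegation request as smtpd sends it at RCPT stage:
# name=value lines terminated by an empty line. All addresses are made up.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=172.16.16.20\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)


def parse_policy_request(raw):
    """Parse one request; at RCPT stage it carries exactly one recipient."""
    attrs = {}
    for line in raw.splitlines():
        if not line:  # the empty line ends the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def in_mynetworks(address, mynetworks):
    """True if the client address falls inside any listed network."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(net) for net in mynetworks)


class Greylist:
    """Defer a (client, sender, recipient) triplet until it is `delay` seconds old."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}

    def check(self, attrs, now):
        triplet = (
            attrs["client_address"],
            attrs["sender"].lower(),
            attrs["recipient"].lower(),
        )
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            return "action=defer_if_permit Greylisted for 5 minutes"
        return "action=dunno"  # no opinion; later restrictions decide


def rcpt_decision(attrs, mynetworks, greylist, now):
    """Model of '..., permit_mynetworks, ..., check_policy_service' in that order.

    The recipient is assumed to be a local one, so reject_unauth_destination
    passes and is not modelled.
    """
    if in_mynetworks(attrs["client_address"], mynetworks):
        return "permit_mynetworks"  # the policy service is never consulted
    return greylist.check(attrs, now)


def demo():
    req = parse_policy_request(SAMPLE_REQUEST)
    before = ["127.0.0.0/8"]                   # assumed: LAN not listed
    after = ["127.0.0.0/8", "172.16.16.0/24"]  # the setting suggested in the reply
    gl = Greylist()
    results = {
        "first attempt": rcpt_decision(req, before, gl, now=0),
        "retry after 60s": rcpt_decision(req, before, gl, now=60),
        "retry after 300s": rcpt_decision(req, before, gl, now=300),
    }
    # A second recipient is a separate policy request and a separate triplet.
    second = dict(req, recipient="carol@example.net")
    results["second recipient"] = rcpt_decision(second, before, gl, now=300)
    results["LAN in mynetworks"] = rcpt_decision(req, after, Greylist(), now=0)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```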
Re: Greylist query...
Kenneth Marshall wrote:

On Tue, Oct 07, 2008 at 02:58:52PM +0200, mouss wrote:

Johan Andersson wrote:

Hi, We are thinking to implement some form of greylisting at one of our sites and wonder which one of the many flavors out there that this group have found reliable? I know postfix has its built-in one from a while back, but feel unsure if it is viable for our site... postgrey and gps seems they added some features that might be usable for us... like automatic trunking of the list. I am just starting to read up on it so I feel very noobish at the moment :) We have six MTA's that receive approx 1million emails a day (total) on roundrobined addresses. Anyone else out there with some experience on the different greylisting models?

try (Cami's) policyd. it's written in C as a single threaded daemon. it uses mysql (myisam unfortunately!). Cami is no more working on it, but it's stable enough (and Cami used it in an ISP environment). it has other features (rate limiting, blacklist, whitelist, ...) check http://www.policyd.org/ and look at the Old policyd V1.

If you do not have anything in place, I would recommend looking at the version 2 policyd that is more database backend agnostic. It is written in perl and uses DBD/DBI to connect to the backends. That way you can avoid being locked in to a particular database backend be it MySQL, PostgreSQL, Oracle, ...

I don't know the status of the V2 (I looked at it a long time ago, but it was still in a development/design stage). note that some people don't want perl based solutions. For good or bad reasons, but let's avoid a long debate ;-p
Re: Virtual domain uncertainty...
Charles Marcus wrote:

On 10/7/2008, Wietse Venema ([EMAIL PROTECTED]) wrote:

But the virtual how-to says the opposite... never list a virtual_mailbox_domain in mydestination...

If you list smtp.example.com as a virtual domain, then do not list it in mydestination.

Ok... more confusion...

1. 'smtp.example.com' is not a 'domain', it is a host name.

2. My system has been setup forever with the following:

mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = smtp.example.com

(as per previously supplied postconf -n output) but, example.com (the domain, not the hostname) is also listed in virtual_mailbox_domains via the mysql lookup... Is this OK/normal? I'm thinking yes, because:

yes, it's ok.

'smtp.example.com' != 'example.com' and the host/system has to have one (and only one?) FQDN?

yes, _the_ hostname used by postfix must be FQDN. Note that both smtp.example.com and example.com are FQDN.

Thanks, and I appreciate your patience in helping me to understand the ramifications of adding virtual domains to my production system.

virtual domains is ambiguous. you are talking about virtual mailbox domains (contrast with virtual alias domains). you can add as many virtual mailbox domains as you want:

- never list a single domain in multiple classes (a domain belongs to at most one of: local, virtual mailbox, relay, virtual alias)
- specify the list of valid users (virtual_mailbox_maps)
- if you deliver via virtual (this is the default), virtual_mailbox_maps must return the mailbox location (relative to virtual_mailbox_base)
- you can have a per mailbox uid:gid or use a single uid:gid for all mailboxes (the maps are then: static:1234, where 1234 is the uid or gid).
- alias_maps only apply to local domains. if you want aliases for non local users, use virtual_alias_maps (which applies to _all_ mail, even if the domain isn't yours)

since you use mysql, take a look at the howto on workaround.org for inspiration.
Re: Virtual domain uncertainty...
On 10/7/2008 3:09 PM, mouss wrote:

but, example.com (the domain, not the hostname) is also listed in virtual_mailbox_domains via the mysql lookup... Is this OK/normal? I'm thinking yes, because:

yes, it's ok.

Ok, good... :)

Note that both smtp.example.com and example.com are FQDN.

Right, but the latter can never be a _host_ name...

virtual domains is ambiguous. you are talking about virtual mailbox domains (contrast with virtual alias domains).

True, and thanks for pointing that out... I do know how important it is to be precise when discussing things like this...

- you can have a per mailbox uid:gid or use a single uid:gid for all mailboxes (the maps are then: static:1234, where 1234 is the uid or gid).

Is there any place that discusses the pros/cons of per mailbox vs static uid/gid? I'm using static now, but not sure if there is any advantage one way or another. I'm mostly concerned with security and simplicity (I'm lazy and don't like cleaning up messes or managing complicated configurations)...

since you use mysql, take a look at the howto on workaround.org for inspiration.

Thanks, I will... :)

-- Best regards, Charles
Re: Virtual domain uncertainty...
Charles Marcus wrote:

On 10/7/2008 3:09 PM, mouss wrote:

Note that both smtp.example.com and example.com are FQDN.

Right, but the latter can never be a _host_ name...

of course it can:

# hostname example.com
# hostname
example.com

Is there any place that discusses the pros/cons of per mailbox vs static uid/gid?

Not that I know of, except in unix books ;-p

I'm using static now, but not sure if there is any advantage one way or another. I'm mostly concerned with security and simplicity (I'm lazy and don't like cleaning up messes or managing complicated configurations)...

I use a single uid:gid. This makes it easy to have scripts that play with mail (retrain the filter, ...) without having to run as different users or as a privileged user (or having to play with group permissions...). This also makes it easy to deliver with an unprivileged LDA.

Other people prefer per uid:gid so that the imap/pop thread/process that is reading someone's mailbox can't be tricked to read other people's mail.

In short, from a security perspective, there are arguments for either side. a bug in a privileged LDA may lead to a system compromise. a bug in the imap server exposes people's mail. but an LDA is far easier to code than an imap server. choose your camp!
Re: Virtual domain uncertainty...
On Tue 7/10/2008, Charles Marcus said:

On 10/7/2008 3:09 PM, mouss wrote:

but, example.com (the domain, not the hostname) is also listed in virtual_mailbox_domains via the mysql lookup... Is this OK/normal? I'm thinking yes, because:

yes, it's ok.

Ok, good... :)

Note that both smtp.example.com and example.com are FQDN.

Right, but the latter can never be a _host_ name...

Hummm, www.sg is a domain (see whois) and a host.
multiple outgoing interfaces?
I have a server with several public IP addresses (aliases on one network card), running Postfix. The machine also runs several websites, which interact with the users (forums, automated responses for queries etc.). I would like to configure each website to send mails via a different IP address. For example, if website1 connects to 192.168.1.1:25, Postfix should try to deliver mail from this website via outgoing 192.168.1.1 address. If website2 connects to 192.168.2.2:25, Postfix should try to deliver mail from this website via outgoing 192.168.2.2 address. And so on. Is it possible to do so in Postfix? So far, the system uses two outgoing addresses, but also using two separate MTAs (Exim and Postfix, each using a different outgoing address), which is suboptimal, and does not scale very well with additional IP addresses ;) -- Tomasz Chmielewski http://wpkg.org
Re: Virtual domain uncertainty...
Charles Marcus wrote:

On 10/7/2008 3:09 PM, mouss wrote:

but, example.com (the domain, not the hostname) is also listed in virtual_mailbox_domains via the mysql lookup... Is this OK/normal? I'm thinking yes, because:

yes, it's ok.

Ok, good... :)

Note that both smtp.example.com and example.com are FQDN.

Right, but the latter can never be a _host_ name...

Sure it can.

virtual domains is ambiguous. you are talking about virtual mailbox domains (contrast with virtual alias domains).

True, and thanks for pointing that out... I do know how important it is to be precise when discussing things like this...

- you can have a per mailbox uid:gid or use a single uid:gid for all mailboxes (the maps are then: static:1234, where 1234 is the uid or gid).

Is there any place that discusses the pros/cons of per mailbox vs static uid/gid? I'm using static now, but not sure if there is any advantage one way or another.

Using per-mailbox uid's enlists the OS's built-in access control to help prevent users from being able to access other users' mail, and in principle that should be more secure. Unfortunately, it also means that all of your tools that work with delivery and mail store access have to understand that model for virtual mailbox domains mapping to real uid's. That usually means that those tools (e.g. an IMAP server) have to have a master component running as root, which some people see as a risk. In addition, making that work is inherently a bit more complicated, and there is a risk when that causes breakage of fixing it in some manner that is significantly worse than just using the same (otherwise unprivileged) uid for all mailboxes (and for all of the manipulators of them.) You also can run into scaling issues with some OS's that have 16-bit uid's and reserve ranges as special.

I'm mostly concerned with security and simplicity (I'm lazy and don't like cleaning up messes or managing complicated configurations)...

If you don't have untrusted users with shell (or similarly arbitrary) access that lets them run random code, the simplicity of using a single uid for virtual mailboxes is probably also a security win.
sender_dependent_relayhost_maps - am i missing something?
I'm attempting to get sender_dependent_relayhost_maps working on postfix 2.5.1. What I'm trying to do is this: all mail from [EMAIL PROTECTED] should be sent out from a different mail server, because SPF has been set to that IP address. All others should use the default relay, indicated in main.cf's relayhost entry.

From googling around I thought it was as simple as defining the map file in main.cf and then indicating in that file, which domain I want to match on, (with @ at the beginning) and what the target relay server should be. I know for sure that mail can get to 192.168.10.3 when I set 192.168.10.3 as the relayhost in main.cf. Am I missing something?

== output from postconf -n ==
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mynetworks = 192.168.0.0/16, 127.0.0.1/32
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
relayhost = [192.168.10.5]
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_maps
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

== cat /etc/postfix/sender_maps ==
@domain1.com 192.168.10.3
Re: multiple outgoing interfaces?
Wietse Venema wrote:

Tomasz Chmielewski:

I have a server with several public IP addresses (aliases on one network card), running Postfix. The machine also runs several websites, which interact with the users (forums, automated responses for queries etc.). I would like to configure each website to send mails via a different IP address.

Postfix can specify the source IP address.

More or less, this sounds like what I'd like to do...

The KERNEL chooses the network interface.

Not much work for the kernel here - I have only one network card (interface, besides loopback).

Postfix has no control over the kernel's routing algorithms.

I was a bit afraid to hear a confirmation that what I'd like to do would be hard or impossible to achieve. Basically, if Postfix can specify the source IP address, that should be fine for me... provided that it can make some decisions here (i.e., which outgoing interface to choose, depending on From: or Received: etc). But I guess I can't do it, can I? Any other ideas?

-- Tomasz Chmielewski http://wpkg.org
Re: Virtual domain uncertainty...
On 10/7/2008, Victor Duchovni ([EMAIL PROTECTED]) wrote: This is false. DNS allows SOA, NS and A (or ) records to exist at the same level (for the same domain name). So a delegated domain name (zone cut) can also be a host. What is not legal is CNAME records in combination with NS or SOA, so a zone cut cannot be a CNAME. Heh... as always, thanks (mouss, Victor and Bill) for the correction... Maybe one day I'll learn not to speak unless/until I know what I'm talking about (guess I won't be speaking again any time soon)... ;) -- Best regards, Charles
Re: multiple outgoing interfaces?
Victor Duchovni wrote:

On Tue, Oct 07, 2008 at 10:31:40PM +0200, Tomasz Chmielewski wrote:

I have a server with several public IP addresses (aliases on one network card), running Postfix. The machine also runs several websites, which interact with the users (forums, automated responses for queries etc.). I would like to configure each website to send mails via a different IP address. For example, if website1 connects to 192.168.1.1:25, Postfix should try to deliver mail from this website via outgoing 192.168.1.1 address. If website2 connects to 192.168.2.2:25, Postfix should try to deliver mail from this website via outgoing 192.168.2.2 address. And so on. Is it possible to do so in Postfix? So far, the system uses two outgoing addresses, but also using two separate MTAs (Exim and Postfix, each using a different outgoing address), which is suboptimal, and does not scale very well with additional IP addresses ;)

If all mail entering the server via SMTP leaves the server via SMTP (no local deliveries, virtual mailbox deliveries, ...) such a policy may be possible, but it is generally not necessary.

Hmm, how?

What real problem does this solve?

No real problem, more an aesthetic wish, where a website should be similar to its reverse DNS in email's headers. More, an exercise on how to use 3 IP addresses, but mostly, learning what can be done with Postfix and what can not be done (so far I've learned that in some aspects, it can be harder to configure than other MTAs, but offers really much more functionality/flexibility once you learn how).

If you are onboarding low-volume email marketing clients, and want to isolate their reputations from each other, good luck...

I thought most email marketing comes from infected Windows boxes. At least my p0f seems to be indicating that :(

-- Tomasz Chmielewski http://wpkg.org
Re: multiple outgoing interfaces?
Tomasz Chmielewski wrote:

Wietse Venema wrote:

Tomasz Chmielewski:

I have a server with several public IP addresses (aliases on one network card), running Postfix. The machine also runs several websites, which interact with the users (forums, automated responses for queries etc.). I would like to configure each website to send mails via a different IP address.

Postfix can specify the source IP address.

More or less, this sounds like what I'd like to do...

The KERNEL chooses the network interface.

Not much work for the kernel here - I have only one network card (interface, besides loopback).

Postfix has no control over the kernel's routing algorithms.

I was a bit afraid to hear a confirmation that what I'd like to do would be hard or impossible to achieve.

you can run multiple postfix instances, each with its inet_interfaces. This even gives you multiple sendmail -C ... commands. postfix cannot force the outgoing network interface, but since you only have one, this is irrelevant.

Basically, if Postfix can specify the source IP address, that should be fine for me... provided that it can make some decisions here (i.e., which outgoing interface to choose, depending on From: or Received: etc).

since you have one network card, you have one outgoing interface. Choosing among one thing would be strange outside of maths ;-p

But I guess I can't do it, can I? Any other ideas?
Re: postfix hangs when SASL enabled
On Mon, Sep 08, 2008 at 08:15:24AM +0200, mouss wrote: In both cases, the symptom is that postfix, upon being restarted, responds to nc -v -v localhost 25' with an accept and then an immediate disconnect. A second connection succeeds, but no banner is being printed. no need to use nc. just use telnet. nc works as well as telnet Postfix is hanging upon connecting to port 25 I narrowed down the problem to this config value: smtpd_sasl_auth_enable = yes When that value is enabled, connections to port 25 get no answer. Actually the first one is closed quickly, and the second connection hangs indefinitely. Here is the WORKING postconf -n (sasl_auth disabled), next time, show 'postconf -n' for the non working setup. Here is postconf -n for non-working setup: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix home_mailbox = Maildir/ inet_interfaces = all mailbox_command = /usr/bin/procmail -t -a $EXTENSION -a $USER -a $DOMAIN -a $LOCAL mailbox_size_limit = 0 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, mx.$mydomain, ntp.$mydomain, ping.$mydomain, smtp.$mydomain, ssh.$mydomain, time.$mydomain, timehost.$mydomain, vpn.$mydomain, web.$mydomain, lists.$mydomain myhostname = lexus.bitrot.info mynetworks = 172.16.0.0/12, 127.0.0.0/8, 83.149.117.8/32 myorigin = $mydomain recipient_delimiter = + relayhost = smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_client_restrictions = permit_mynetworks,reject_unauth_pipelining, check_client_access hash:/etc/postfix/whitelist_client, reject_unknown_reverse_client_hostname,permit smtpd_helo_required = yes smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination,permit 
smtpd_reject_unlisted_recipient = yes smtpd_reject_unlisted_sender = no smtpd_sasl_auth_enable = yes smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,check_sender_access hash:/etc/postfix/whitelist_sender,reject_non_fqdn_sender, reject_unknown_sender_domain,permit smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_use_tls = yes unknown_local_recipient_reject_code = 550 virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps -- Crypto ergo sum. http://www.subspacefield.org/~travis/ Truth does not fear scrutiny or competition, only lies do. If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted.
Re: multiple outgoing interfaces?
Tomasz Chmielewski wrote:

Victor Duchovni wrote:

On Tue, Oct 07, 2008 at 10:31:40PM +0200, Tomasz Chmielewski wrote:

I have a server with several public IP addresses (aliases on one network card), running Postfix. The machine also runs several websites, which interact with the users (forums, automated responses for queries etc.). I would like to configure each website to send mails via a different IP address. For example, if website1 connects to 192.168.1.1:25, Postfix should try to deliver mail from this website via outgoing 192.168.1.1 address. If website2 connects to 192.168.2.2:25, Postfix should try to deliver mail from this website via outgoing 192.168.2.2 address. And so on.

Maybe I missed something here given the previous replies but I do not think postfix binds to multiple ips as you want. To make this happen, you would need to create multiple instances of postfix with multiple queues and configs. Then this is easy.

Is it possible to do so in Postfix? So far, the system uses two outgoing addresses, but also using two separate MTAs (Exim and Postfix, each using a different outgoing address), which is suboptimal, and does not scale very well with additional IP addresses ;)

If all mail entering the server via SMTP leaves the server via SMTP (no local deliveries, virtual mailbox deliveries, ...) such a policy may be possible, but it is generally not necessary.

Hmm, how?

What real problem does this solve?

No real problem, more an aesthetic wish, where a website should be similar to its reverse DNS in email's headers. More, an exercise on how to use 3 IP addresses, but mostly, learning what can be done with Postfix and what can not be done (so far I've learned that in some aspects, it can be harder to configure than other MTAs, but offers really much more functionality/flexibility once you learn how).

If you are onboarding low-volume email marketing clients, and want to isolate their reputations from each other, good luck...

Email marketing is legal so what is the problem here? Why does everyone throw the baby out with the bathwater?

I thought most email marketing comes from infected Windows boxes. At least my p0f seems to be indicating that :(

This would be the illegal form of marketing which is a problem and easily detected.
saslfinger output, was Re: postfix hangs when SASL enabled
postconf -n when trying to use SASL alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix home_mailbox = Maildir/ inet_interfaces = all mailbox_command = /usr/bin/procmail -t -a $EXTENSION -a $USER -a $DOMAIN -a $LOCAL mailbox_size_limit = 0 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, mx.$mydomain, ntp.$mydomain, ping.$mydomain, smtp.$mydomain, ssh.$mydomain, time.$mydomain, timehost.$mydomain, vpn.$mydomain, web.$mydomain, lists.$mydomain myhostname = lexus.bitrot.info mynetworks = 172.16.0.0/12, 127.0.0.0/8, 83.149.117.8/32 myorigin = $mydomain recipient_delimiter = + relayhost = smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_client_restrictions = permit_mynetworks,reject_unauth_pipelining, check_client_access hash:/etc/postfix/whitelist_client, reject_unknown_reverse_client_hostname,permit smtpd_helo_required = yes smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination,permit smtpd_reject_unlisted_recipient = yes smtpd_reject_unlisted_sender = no smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_path = smtpd smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,check_sender_access hash:/etc/postfix/whitelist_sender,reject_non_fqdn_sender, reject_unknown_sender_domain,permit smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_use_tls = yes unknown_local_recipient_reject_code = 550 virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps saslfinger -s when trying to use SASL saslfinger - postfix Cyrus sasl configuration Tue Oct 7 23:25:23 CEST 2008 version: 1.0.2 mode: 
server-side SMTP AUTH -- basics -- Postfix: 2.3.8 System: Debian GNU/Linux 4.0 \n \l -- smtpd is linked to -- libsasl2.so.2 = /usr/lib/libsasl2.so.2 (0xb7dbb000) -- active SMTP AUTH and TLS parameters for smtpd -- smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_path = smtpd smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_use_tls = yes -- listing of /usr/lib/sasl2 -- total 116 drwxr-xr-x 2 root root 4096 Oct 7 22:47 . drwxr-xr-x 60 root root 20480 Sep 28 02:03 .. -rw-r--r-- 1 root root 21726 Dec 13 2006 libsasldb.a -rw-r--r-- 1 root root 856 Dec 13 2006 libsasldb.la -rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so -rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so.2 -rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so.2.0.22 -rw-rw 1 root root49 Oct 7 22:47 smtpd.conf -- listing of /usr/local/lib/sasl2 -- total 116 drwxr-xr-x 2 root root 4096 Oct 7 22:47 . drwxr-xr-x 60 root root 20480 Sep 28 02:03 .. -rw-r--r-- 1 root root 21726 Dec 13 2006 libsasldb.a -rw-r--r-- 1 root root 856 Dec 13 2006 libsasldb.la -rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so -rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so.2 -rw-r--r-- 1 root root 17980 Dec 13 2006 libsasldb.so.2.0.22 -rw-rw 1 root root49 Oct 7 22:47 smtpd.conf -- content of /usr/lib/sasl2/smtpd.conf -- pwcheck_method: saslauthd mech_list: PLAIN LOGIN -- content of /usr/local/lib/sasl2/smtpd.conf -- pwcheck_method: saslauthd mech_list: PLAIN LOGIN -- content of /etc/postfix/sasl/smtpd.conf -- pwcheck_method: saslauthd mech_list: PLAIN LOGIN -- active services in /etc/postfix/master.cf -- # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) smtp inet n - - - - smtpd pickupfifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgrunix - - - 1000? 
1 tlsmgr rewrite unix - - - - - trivial-rewrite bounceunix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verifyunix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - - - - smtp relay unix - - - - - smtp -o fallback_relay= showq unix n - - - - showq error unix -
Re: multiple outgoing interfaces?
mouss wrote:

Tomasz Chmielewski wrote:

mouss wrote:

Tomasz Chmielewski wrote:

Basically, if Postfix can specify the source IP address, that should be fine for me... provided that it can make some decisions here (i.e., which outgoing interface to choose, depending on From: or Received: etc).

Isn't it just to create a couple of transports and specify smtp_bind_address ?

-o inet_interfaces=192.168.1.1
-o smtp_bind_address=192.168.1.1

You could skip the inet_interfaces part there and use a map in header_checks for instance to choose transport for delivery.

since you have one network card, you have one outgoing interface. Choosing among one thing would be strange outside of maths ;-p

Now I see I didn't pick the thread's title very well ;) (should be: multiple outgoing IP addresses).

sysv heritage. Compare this:

# ifconfig eth0:1 192.168.1.1
# ifconfig eth0:2 192.168.1.2
# ifconfig
...
eth0:0 inet adr:192.168.1.1 ...
...
eth0:2 ... inet adr:192.168.1.2 ...

Deprecated!

ip addr add 192.168.1.1/24 dev eth0
ip addr add 192.168.1.2/24 dev eth0
ip addr list

with the BSD way:

# ifconfig xl0 192.168.1.1 alias
# ifconfig xl0 192.168.1.2 alias
# ifconfig
xl0: ...
inet 192.168.1.1 ...
inet 192.168.1.2 ...
...

--
Victor Jerlin, CTO Gränslösa System GSYS HB Cell#: +356--0125
Re: throttling delivery rate question
On Tue, Oct 07, 2008 at 04:32:06PM -0600, Steve Lindemann wrote: fyi... the systems giving me the most grief all use ironport filters and they all started complaining within a few days of each other. I suspect some software update on the ironport but need data to prove I'm not overwhelming them like they say. I'm just not sure what I should be looking for on my end to show that. Sounds like your senderbase score changed, and you are now subjected to tighter resource limits. -- Viktor.
Postfix white listing with helo_access
We have implemented HELO restrictions for our postfix configuration to attempt to cut down on the amount of spam. Unfortunately this has turned up a lot of legitimate servers that have been incorrectly configured. That is to say, they do not have DNS entries for their mail servers. Whilst we are attempting to get the sysadmins to resolve these issues, I need to put in a workaround to allow these legitimate mail servers to send mails to our users.

I am considering setting up a white list system using check_helo_access; however, I am not sure about the sequencing of the commands in main.cf. The configuration I am considering is (main.cf extract of only relevant section):

    unknown_hostname_reject_code = 550
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        reject_invalid_hostname
        reject_non_fqdn_hostname
        check_helo_access hash:/etc/postfix/helo_access
        reject_unknown_hostname

In /etc/postfix/helo_access I will have:

    mailhost.domain1.suffix OK
    mailhost.domain2.suffix OK
    mailhost.domain3.suffix OK

My question is related to the sequencing. With this configuration, when a valid server in my helo_access file returns an OK, will it then be processed, or will it then move on to the reject_unknown_hostname and get rejected because it does not have a DNS entry? If this is the case, is there some way around this?

Thanks, Pat Grogan
Re: Postfix white listing with helo_access
mouss wrote: [snip]

    unknown_hostname_reject_code = 550
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        reject_invalid_hostname
        reject_non_fqdn_hostname
        check_helo_access hash:/etc/postfix/helo_access
        reject_unknown_hostname

In /etc/postfix/helo_access I will have:

    mailhost.domain1.suffix OK
    mailhost.domain2.suffix OK
    mailhost.domain3.suffix OK

My question is related to the sequencing. With this configuration when a valid server in my helo_access file returns an OK will it then be processed, or will it then move onto the reject_unknown_hostname and get rejected because it does not have a dns entry?

it will skip reject_unknown_hostname.

I realize this may be interpreted too generally. An OK will cause all subsequent checks in the same smtpd_mumble_restrictions to be skipped. but again, use check_client_access (preferably with IP addresses to avoid problems in case of DNS failure or misconfiguration).
Re: sender_dependent_relayhost_maps - am i missing something?
    # /etc/postfix/sender_maps.regexp
    /@example\.com$/    [192.168.10.3]
    /./                 [192.168.10.5]

- do not index a regexp table with postmap.
- you can use pcre rather than regexp above if your postfix supports pcre tables.

Ah I misunderstood the precedence, thinking that relayhost in main.cf would be the fallback/catchall. So I tried what you suggested and I believe my problem now might only be regex related?

So, in main.cf, I went with pcre since my instance of postfix doesn't support regex:

    sender_dependent_relayhost_maps = pcre:/etc/postfix/sender_maps.pcre

For troubleshooting, I tried setting the catch all entry to what I want to relay to (billing.domain2.com) - just to force it so I know this rule is doing something. Doing that works:

    /@billing\.domain2\.com$/    billing.domain2.com
    /./                          [billing.domain2.com]

But when I set it to what I'm trying to do:

    /@billing\.domain2\.com$/    billing.domain2.com
    /./                          [mail.domain1.com]

It seems like it's not matching correctly, though the syntax seems right.
Re: sender_dependent_relayhost_maps - am i missing something?
On Tue, Oct 07, 2008 at 04:07:28PM -0500, Noel Jones wrote: As documented, relayhost takes precedence over sender_dependent_relayhost_maps. http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps My reading of the code in 2.4, 2.5 and 2.6 is that sender dependent relayhost overrides relayhost. The documentation points out that when default_transport or relay_transport have an explicit nexthop, that takes precedence over the sender dependent tables. Finally the transport table trumps everything else. -- Viktor.
Re: sender_dependent_relayhost_maps - am i missing something?
Victor Duchovni: On Tue, Oct 07, 2008 at 04:07:28PM -0500, Noel Jones wrote: As documented, relayhost takes precedence over sender_dependent_relayhost_maps. http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps My reading of the code in 2.4, 2.5 and 2.6 is that sender dependent relayhost overrides relayhost. The source code implements the documented behavior. man 5 postconf: sender_dependent_relayhost_maps (default: empty) A sender-dependent override for the global relayhost parameter setting. Wietse The documentation points out that when default_transport or relay_transport have an explicit nexthop, that takes precedence over the sender dependent tables. Finally the transport table trumps everything else. -- Viktor.
About steps to setup virtual mailbox domain class
Hi folks,

Debian Etch
Postfix 2.3.8
Dovecot

I'm learning to setup virtual mailbox domain class. Please shed me some light on its setup;

On /etc/postfix/main.cf

    -rw-r--r-- 1 root root 373 2008-09-30 03:26 dynamicmaps.cf
    -rw-r--r-- 1 root root 2108 2008-10-03 12:54 main.cf
    -rw-r--r-- 1 root root 4925 2008-10-01 16:03 master.cf
    -rw-r- 1 root postfix 140 2008-09-30 04:05 mysql-virtual-alias-maps.cf
    -rw-r- 1 root postfix 132 2008-09-30 04:01 mysql-virtual-mailbox-domains.cf
    -rw-r- 1 root postfix 128 2008-09-30 04:03 mysql-virtual-mailbox-maps.cf
    -rw-r--r-- 1 root root 17975 2008-08-19 05:51 postfix-files
    -rwxr-xr-x 1 root root 6840 2008-08-19 05:51 postfix-script
    -rwxr-xr-x 1 root root 22239 2008-08-19 05:51 post-install
    drwxr-xr-x 2 root root 4096 2008-09-30 03:26 sasl

On /etc/postfix/mysql-virtual-alias-maps.cf

    user = mailuser
    password = mailuserpasswd
    hosts = 127.0.0.1
    dbname = mailserver
    query = SELECT destination FROM view_aliases WHERE email='%s'

On /etc/postfix/mysql-virtual-mailbox-domains.cf

    user = mailuser
    password = mailuserpasswd
    hosts = 127.0.0.1
    dbname = mailserver
    query = SELECT 1 FROM virtual_domains WHERE name='%s'

On /etc/postfix/mysql-virtual-mailbox-maps.cf

    user = mailuser
    password = mailuserpasswd
    hosts = 127.0.0.1
    dbname = mailserver
    query = SELECT 1 FROM view_users WHERE email='%s'

Creating following files;

1) /etc/postfix/mysql-vmailbox.cf

    [EMAIL PROTECTED] satimis.com/info
    [EMAIL PROTECTED] satimis.com/sales
    [EMAIL PROTECTED] satimis.com/postmaster
    [EMAIL PROTECTED] satimis.com/admin
    [EMAIL PROTECTED] satimis.com/John
    [EMAIL PROTECTED] satimis.com/Peter
    etc.

2) /etc/postfix/mysql-virtual.cf

    [EMAIL PROTECTED] info
    [EMAIL PROTECTED] sales
    [EMAIL PROTECTED] postmaster
    [EMAIL PROTECTED] satimis
    [EMAIL PROTECTED] admin
    [EMAIL PROTECTED] John
    [EMAIL PROTECTED] Peter
    etc.

Any mistake committed or any steps missing?

TIA

B.R. Stephen
Re: sender_dependent_relayhost_maps - am i missing something?
Richard Wurman wrote: I think my problem is related to my regular expression syntax. What is the pcre equivalent to regexp's: /@example\.com$/ ? I want to match on @billing.domain2.com .. AFAIK there are subtle differences between pcre and regexp syntax and the most basic stuff is the same? I've been trying this in my pcre table: /@billing\.domain2\.com$/ billing.domain2.com /./ [mail.domain1.com] That expression should work fine either regexp or pcre, but you might want to enclose billing.domain2.com in [ ] to suppress MX lookups, which may interfere with what you intend. but that never matches and everything gets sent out on the default/catchall server, mail.domain1.com Looking around I could swear the syntax is correct. Am I missing something? You can test your expression with postmap -q [EMAIL PROTECTED] pcre:/path/to/file Generally, expressions written for regexp work just fine with pcre. It's when you go the other way you run into trouble - pcre has some extensions not supported by many regexp libraries. Note that if you have transport_maps entry matching the recipient domain or if you have set default_transport or relay_transport they will override your sender map. -- Noel Jones
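Added example, not part of the thread: a small Python model of the first-match lookup that `postmap -q` performs against the pcre table quoted above, to check the pattern against sample envelope senders before looking at transport overrides. Python's re module stands in for Postfix's PCRE support, only plain `/pattern/ result` lines are handled, and the function names and sample addresses are this example's own.

```python
import re

# The table as posted in the thread (first nexthop not bracketed).
SENDER_MAPS_PCRE = r"""
# /etc/postfix/sender_maps.pcre
/@billing\.domain2\.com$/    billing.domain2.com
/./                          [mail.domain1.com]
"""


def parse_table(text):
    """Return (compiled pattern, result) pairs in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unsupported table line: {line!r}")
        # Postfix regexp/pcre tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).strip()))
    return rules


def lookup(rules, key):
    """First matching pattern wins; later lines are never consulted."""
    for pattern, result in rules:
        if pattern.search(key):
            return result
    return None


def nexthop_info(nexthop):
    """A [bracketed] nexthop is used as given, without an MX lookup."""
    bracketed = nexthop.startswith("[") and nexthop.endswith("]")
    host = nexthop[1:-1] if bracketed else nexthop
    return {"host": host, "mx_lookup": not bracketed}


if __name__ == "__main__":
    rules = parse_table(SENDER_MAPS_PCRE)
    # Constructed envelope sender addresses.
    for sender in ("invoice@billing.domain2.com", "joe@domain2.com"):
        hop = lookup(rules, sender)
        print(sender, "->", hop, nexthop_info(hop))
```

If the first address returns the billing nexthop here and in `postmap -q`, the pattern is not the problem, and the overrides listed in the reply (transport_maps, default_transport, relay_transport) are the next thing to check.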
Re: sender_dependent_relayhost_maps - am i missing something?
Wietse Venema wrote: Victor Duchovni: On Tue, Oct 07, 2008 at 04:07:28PM -0500, Noel Jones wrote: As documented, relayhost takes precedence over sender_dependent_relayhost_maps. http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps My reading of the code in 2.4, 2.5 and 2.6 is that sender dependent relayhost overrides relayhost. The source code implements the documented behavior. man 5 postconf: sender_dependent_relayhost_maps (default: empty) A sender-dependent override for the global relayhost parameter setting. Wietse Oops, misfired on that one. My mind saw relayhost when it wasn't really there. -- Noel Jones
Re: query re setup
Lists wrote:

I have spent the last couple of hours trying to get TLS working, sadly no luck. When I telnet and do STARTTLS I get the error no server certs available TLS won't be enabled. I followed the instructions on the how to forge (the link I was given before was a tad over my head) The certs are all made and in the /etc/postfix/ssl/mailserver directory

Undo whatever you've done and follow the quick and dirty instructions in the postfix TLS_README. http://www.postfix.org/TLS_README.html#quick-start

as an aside - does this require a purchased security certificate to work?

No, self signed certificates are fine. However, after you get everything working you might want to buy a certificate to make it easier on your users (assuming more than a small group). I like rapidsslonline for cheap, widely accepted certificates, but there are others. The only reason to buy a certificate is so your users don't have to mess with importing your own root certificate into their client, or to keep from training them to ignore invalid certificate errors.

Also to check I understand does the client (i.e. thunderbird) send a request to send to the server which sends them back a key that gets 'attached' to the email that is sent which then authenticates when it reaches the server and is allowed to be sent? Or have I got it all wrong.

Nothing is attached to the email, maybe you're thinking about DKIM. google for how TLS works or similar.

-- Noel Jones
Mailman Alias always used virtual_alias_maps
Hi

I am seeing some odd behaviour with virtual_alias_maps

I have a domain set up in ldap directory, let's call it whatIwant.com. It has an email address of [EMAIL PROTECTED] set up. Note: it is a different domain to the one specified in the mydomain parameter.

I have mailman setup, it contains a list called support. Its entry in hash:/var/lib/mailman/data/aliases looks like:

    # STANZA START: support
    # CREATED: Thu Feb 15 17:52:43 2007
    support: [EMAIL PROTECTED]
    support-admin: [EMAIL PROTECTED]
    support-bounces: [EMAIL PROTECTED]
    support-confirm: [EMAIL PROTECTED]
    support-join: [EMAIL PROTECTED]
    support-leave: [EMAIL PROTECTED]
    support-owner: [EMAIL PROTECTED]
    support-request: [EMAIL PROTECTED]
    support-subscribe: [EMAIL PROTECTED]
    support-unsubscribe: [EMAIL PROTECTED]
    # STANZA END: support

virtual_alias_maps looks like:

    virtual_alias_maps = hash:/etc/aliases, ldap:aliases, ldap:virtualforward, hash:/var/lib/mailman/data/aliases

The problem is: any mail I send to [EMAIL PROTECTED] (or to [EMAIL PROTECTED] for that matter) does not go to the correct location, it gets picked up by mailman and sent to [EMAIL PROTECTED] and I see logs like

    Oct 8 11:57:11 fez postfix/pipe[30195]: 66D2D1E0806D: to= [EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=mailman, delay=0, status=sent (lists.mydomain.net.au)

i.e. it just picks up the username, finds that in the mailman aliases file and uses that list. It completely ignores the fact that I want it to go to a different domain.

I am running postfix 2.2.10 on ubuntu dapper. I have applied the ubuntu/debian diff changes and the vda patch for quotas to the default .tar.gz file.

Has anyone seen this before or can suggest what's gone wrong?

Thanks
Darragh
Re: query re setup
Will have a go at those instructions thanks. I don't want to make things difficult for our clients. I like the setup that allows the client to use pop details to authenticate - I even managed to get that working ;) What I was trying to do with TLS was to encrypt the password that gets sent (but I'm not sure this is even necessary) Would it be alright to leave out TLS support? / OR / if TLS support is enabled does it have to be used or will the pop details still authenticate? Sorry am getting myself horribly confused at this stage. I really appreciate all the assistance.

Kate

Noel Jones wrote: Lists wrote:

I have spent the last couple of hours trying to get TLS working, sadly no luck. When I telnet and do STARTTLS I get the error no server certs available TLS won't be enabled. I followed the instructions on the how to forge (the link I was given before was a tad over my head) The certs are all made and in the /etc/postfix/ssl/mailserver directory

Undo whatever you've done and follow the quick and dirty instructions in the postfix TLS_README. http://www.postfix.org/TLS_README.html#quick-start

as an aside - does this require a purchased security certificate to work?

No, self signed certificates are fine. However, after you get everything working you might want to buy a certificate to make it easier on your users (assuming more than a small group). I like rapidsslonline for cheap, widely accepted certificates, but there are others. The only reason to buy a certificate is so your users don't have to mess with importing your own root certificate into their client, or to keep from training them to ignore invalid certificate errors.

Also to check I understand does the client (i.e. thunderbird) send a request to send to the server which sends them back a key that gets 'attached' to the email that is sent which then authenticates when it reaches the server and is allowed to be sent? Or have I got it all wrong.

Nothing is attached to the email, maybe you're thinking about DKIM. google for how TLS works or similar.
how to specify any/catch_all domain/email in HASH access map?
For example in this hash I wanna OK for all domains except mail.ru and yandex.ru:

hash:/etc/postfix/maps/check_sender:

    mail.ru REJECT
    yandex.ru REJECT
    all other OK

So what must I write instead of all other? Maybe . (single point)?

Thanks.
FW: how to specify any/catch_all domain/email in HASH access map?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 2:12 PM
To: postfix-users@postfix.org
Subject: how to specify any/catch_all domain/email in HASH access map?

For example in this hash I wanna OK for all domains except mail.ru and yandex.ru:

hash:/etc/postfix/maps/check_sender:

    mail.ru REJECT
    yandex.ru REJECT
    all other OK

So what must I write instead of all other? Maybe . (single point)?

Thanks.

Are you *sure* you want to explicitly pass all mail from every other domain in the Internet other than those two - that means all mail originating from other domains will skip the rest of any checks you may have.

You don't need to specify anything for all other domains if you are just intending to block the two domains you list - the default action for any message that's traversing the header checks is DUNNO (which will then pass the message onto the next header check, if you have one, or the message is accepted for delivery).
Re: Mailman Alias always used virtual_alias_maps
On Wed, Oct 08, 2008 at 01:31:13PM +1100, Darragh Gammell wrote:

Hi I am seeing some odd behaviour with virtual_alias_maps I have a domain set up in ldap directory, let's call it whatIwant.com. It has an email address of [EMAIL PROTECTED] set up. Note: it is a different domain to the one specified in the mydomain parameter. I have mailman setup, it contains a list called support. Its entry in hash:/var/lib/mailman/data/aliases looks like:

    # STANZA START: support
    # CREATED: Thu Feb 15 17:52:43 2007
    support: [EMAIL PROTECTED]
    support-admin: [EMAIL PROTECTED]
    support-bounces: [EMAIL PROTECTED]
    support-confirm: [EMAIL PROTECTED]
    support-join: [EMAIL PROTECTED]
    support-leave: [EMAIL PROTECTED]
    support-owner: [EMAIL PROTECTED]
    support-request: [EMAIL PROTECTED]
    support-subscribe: [EMAIL PROTECTED]
    support-unsubscribe: [EMAIL PROTECTED]
    # STANZA END: support

virtual_alias_maps looks like:

    virtual_alias_maps = hash:/etc/aliases, ldap:aliases, ldap:virtualforward, hash:/var/lib/mailman/data/aliases

Why are you including local aliases in virtual_alias_maps? (Point shotgun away from foot...)

The problem is: any mail I send to [EMAIL PROTECTED] (or to [EMAIL PROTECTED] for that matter) does not go to the correct location, it gets picked up by mailman and sent to [EMAIL PROTECTED] and I see logs like

    Oct 8 11:57:11 fez postfix/pipe[30195]: 66D2D1E0806D: to= [EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=mailman, delay=0, status=sent (lists.mydomain.net.au)

If you read http://www.postfix.org/virtual.5.html, you will see that lookups are done for bare user names for addresses of the form:

* [EMAIL PROTECTED]
* user@domain listed in $mydestination
* [EMAIL PROTECTED]ip address listed in $inet_interfaces or $proxy_maps]

TABLE SEARCH ORDER

    user address, address, ...
        Redirect mail for [EMAIL PROTECTED] to address when site is equal to $myorigin, when site is listed in $mydestination, or when it is listed in $inet_interfaces or $proxy_interfaces.

-- Viktor.
Re: how to specify any/catch_all domain/email in HASH access map?
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote: For example in this hash I wanna OK for all domains except mail.ru and yandex.ru: hash:/etc/postfix/maps/check_sender: No, you do not want an OK for all domains except those two. You want a DUNNO, which is the default; so just REJECT those domains. -- Sahil Tandon [EMAIL PROTECTED]
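Added example, not part of the thread: a Python model of how OK, REJECT and DUNNO behave inside a restriction list, covering both the helo_access ordering question and the "all other OK" question above. It is not Postfix code; the resolvable HELO set and the sender_domain_resolves flag are constructed stand-ins for DNS lookups, the sender lookup is simplified to domain only, and reject_invalid_hostname is left out.

```python
# Constructed model of Postfix smtpd restriction lists (not Postfix code).
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed sample data: the whitelist and sender table from the thread,
# plus an assumed set of HELO names that resolve in DNS.
HELO_ACCESS = {"mailhost.domain1.suffix": OK,
               "mailhost.domain2.suffix": OK,
               "mailhost.domain3.suffix": OK}
SENDER_ACCESS = {"mail.ru": REJECT, "yandex.ru": REJECT}
RESOLVABLE_HELO = {"mx.good.example"}


def reject_non_fqdn_hostname(s):
    return REJECT if "." not in s["helo"] else DUNNO


def reject_unknown_hostname(s):
    return REJECT if s["helo"].lower() not in RESOLVABLE_HELO else DUNNO


def reject_unknown_sender_domain(s):
    # Hypothetical session flag standing in for the DNS lookup.
    return DUNNO if s.get("sender_domain_resolves", True) else REJECT


def check_helo_access(table):
    def check(s):
        return table.get(s["helo"].lower(), DUNNO)
    check.__name__ = "check_helo_access"
    return check


def check_sender_access(table, catch_all=DUNNO):
    # Simplified to a domain-only lookup. A missing key yields DUNNO;
    # catch_all=OK models the "all other OK" entry asked about.
    def check(s):
        return table.get(s["sender"].rsplit("@", 1)[-1].lower(), catch_all)
    check.__name__ = "check_sender_access"
    return check


def evaluate_list(restrictions, session):
    """The first OK or REJECT decides the list; DUNNO falls through."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != DUNNO:
            return verdict, restriction.__name__
    return DUNNO, None


def evaluate(lists, session):
    """OK ends only its own list; REJECT ends the whole check."""
    for restrictions in lists:
        verdict, decided_by = evaluate_list(restrictions, session)
        if verdict == REJECT:
            return REJECT, decided_by
    return OK, None


if __name__ == "__main__":
    s = {"helo": "mailhost.domain1.suffix", "sender": "a@nodns.example",
         "sender_domain_resolves": False}
    helo = [reject_non_fqdn_hostname, check_helo_access(HELO_ACCESS),
            reject_unknown_hostname]
    for catch_all in (DUNNO, OK):
        sender = [check_sender_access(SENDER_ACCESS, catch_all),
                  reject_unknown_sender_domain]
        print(catch_all, evaluate([helo, sender], s))
```

With the default DUNNO the unresolvable sender domain is still rejected by the later restriction; with a catch-all OK the same message is accepted because that restriction is never reached.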