Re: has yahoo mailservers problems ?
On Wed, 12 Nov 2008 23:14:25 +0100 Martin Strand [EMAIL PROTECTED] wrote: On Wed, 12 Nov 2008 16:14:56 +0100, mouss [EMAIL PROTECTED] wrote: Dan Horne wrote: At least a couple of times per year, some large mail provider makes me jump through their hoops to get my users' mail to them (bellsouth/att after the merger was a nightmare), but you know what? I jump every time because that is what my users are paying me for. that's _your_ choice and your view. Many of us consider yahoo email to be unreliable. But let's please kill this thread. And that's _your_ choice and view. Dan is right - it's ridiculous for any provider to say sorry, we can't deliver mail to one of the largest email providers on the planet, and we're not trying to get around the problem. End users don't care about technical details, they just expect their email to get through when they click Send. To get back on topic, we've been deprioritized by Yahoo in the past but filling out the form actually worked for us, so Robert's problem will likely disappear soon. :) http://help.yahoo.com/l/us/yahoo/mail/postmaster/forms_index.html Of course, they expect you to setup your servers properly with SPF/DKIM/etc but you probably already know about that. Martin But why yahoo do that? What is yahoo?? Why? Why we have no problem with the others largest email providers like gmail, live etc? Why we are addicted to do SPF etc to deal with yahoo? Is not for yahoo to make theirs servers more reliable like others? Or does not yahoo have brains and material capabilities to do that? No sorry, I'm with mouss and others. Yahoo is not reliable. Postmasters should not be addicted to fill yahoo's form or implement SPF to be able to deal with yahoo. Because suppose all, I say all honnest postmaster in the world will fill up the famous yahoo form to be whitelisted, prioritized and implemented the famous SPF, Robert's problem will likely reappear soon. Right? Or is there IP/ISP/DOMAIN segregation? If _you_ continue like this, perhaps yahoo will finish to make you pay $ to be whitelisted. So, what you did will never make yahoo more reliable. That's to let me say yahoo is ridiculous. Tôba
Re: has yahoo mailservers problems ?
Martin Strand wrote: And that's _your_ choice and view. Dan is right - it's ridiculous for any provider to say sorry, we can't deliver mail to one of the largest email providers on the planet, and we're not trying to get around the problem. End users don't care about technical details, they just expect their email to get through when they click Send. To get back on topic, we've been deprioritized by Yahoo in the past but filling out the form actually worked for us, so Robert's problem will likely disappear soon. :) http://help.yahoo.com/l/us/yahoo/mail/postmaster/forms_index.html Of course, they expect you to setup your servers properly with SPF/DKIM/etc but you probably already know about that. many people have tried that and other things (check the archives of this and of other lists), but it does not work _consistently_, which is what I meant by unreliable, as opposed to reliable: giving the same result on successive trials See: http://www.merriam-webster.com/dictionary/reliable I won't be telling you what you should do and whether you should jump hoops or not. That's your business. I am simply saying that I and others do not believe that there is a documented procedure that works consistently. you can chose not to believe me.
Strange behavior from postfix..
I run a postfix 2.2.3 server (centOS 5.2) with the whole mySQL virtual users/domains setup, which works just fine except for a few small issues, which strangely affect only a few users. Basically, the server after recieving the mail, does a few checks then delivers it to the final destination just fine, but for a few users (for a reason I'm not able to understand) it sends a delivery report after successful deliveries (obviously an unsuccessful delivery should generate a message). for example: Nov 13 08:38:26 mail2 postfix/qmgr[3157]: 606062280A3: from=[EMAIL PROTECTED], size=5133, nrcpt=1 (queue active) Nov 13 08:38:26 mail2 postfix/virtual[10094]: 606062280A3: to=[EMAIL PROTECTED], relay=virtual, delay=0.16, delays=0.06/0.06/0/0.04, dsn=2.0.0, status=sent (delivered to maildir) Nov 13 08:38:26 mail2 postfix/bounce[10275]: 606062280A3: sender delivery status notification: 8769C2280B0 This wasn't an error, the mail went through just fine. I've had a look at both the main and master.cf files, and there's nothing there which would (IMHO) ask for all delivery status messages, and if it did, it should be a sitewide issue. I had a look at the database, the only rows which made reference to the user [EMAIL PROTECTED] were in the table mailbox, and there wasn't anything out of the ordinary there, same mail directory structure, no values which were different from the defaults, the amavis tables were the same (though I don't think postfix looks at those..). Does anyone have any ideas as to where I could start looking to try and understand why this user is receiving delivery notifications for all sent messages?
postdrop: fatal: uid=0: unexpected record type: 68
Hi, I get this error when I tried to send a mail via postdrop. vhs3:~# cat signedmail.txt | postdrop queue_id4BAE870402Fpostdrop: fatal: uid=0: unexpected record type: 68 The signedmail.txt contains the following (edited) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; snip Return-Path: [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] Date: Mon, 27 Oct 2008 00:26:03 -0700 From: snip To: snip Subject: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline Precedence: bulk X-Autoreply: yes Keep in touch A google search of unexpected record type: 68 did not yield any thing. What did I do wrong here?? with regards, raj
Re: smtpd banner
Res: Hi All, Is there a way to insert line breaks in the banner? On Sendmail we use \n, which does not work on Postfix. Postfix smtpd_banner behaves as documented. http://www.postfix.org/postconf.5.html#smtpd_banner Wietse
Re: Strange behavior from postfix..
On 11/13/2008, Nick ([EMAIL PROTECTED]) wrote: Basically, the server after recieving the mail, does a few checks then delivers it to the final destination just fine, but for a few users (for a reason I'm not able to understand) it sends a delivery report after successful deliveries (obviously an unsuccessful delivery should generate a message). for example: Nov 13 08:38:26 mail2 postfix/qmgr[3157]: 606062280A3: from=[EMAIL PROTECTED], size=5133, nrcpt=1 (queue active) Nov 13 08:38:26 mail2 postfix/virtual[10094]: 606062280A3: to=[EMAIL PROTECTED], relay=virtual, delay=0.16, delays=0.06/0.06/0/0.04, dsn=2.0.0, status=sent (delivered to maildir) Nov 13 08:38:26 mail2 postfix/bounce[10275]: 606062280A3: sender delivery status notification: 8769C2280B0 Does it do this for every message that that user receives? Or just some messages? Maybe these users have their mail clients configured to automatically send DSN responses (return receipt) to messages that request them? I always configure mine to ignore those personally, but... -- Best regards, Charles
Re: smtpd banner
Res: On Thu, 13 Nov 2008, Wietse Venema wrote: Is there a way to insert line breaks in the banner? On Sendmail we use \n, which does not work on Postfix. Postfix smtpd_banner behaves as documented. http://www.postfix.org/postconf.5.html#smtpd_banner Already read and an hour'd on google. Sendmails does as well, even thought it takes the \n newline :) Which is why I asked here, as you know, many softwares have 'undocumented' features somewhere, Noel already advised me that it's not possible with Postfix so we will think of a workaround, thanks anyway. As far as I know, Postfix smtpd_banner does not promise that it gives special meaning to \n. If something is not documented, then Postfix does not provide that feature. Wietse
Re: Why I set a specific transport parameter on show up?
On 11/13/2008, Jacky Chan ([EMAIL PROTECTED]) wrote: I would like to set a specific tranport for mail sending to yahoo, which slow it down to avoid getting greylisted. I set a dedicated transport in master.cf like slow unix - - n - 1 smtp And set the pre-transport parameters in main.cf like slow_destination_recipient_limit = 2 I would like to ask, why this configuration doesn't show up after I issue postfix reload or even restart the server? Please follow the troubleshooting instructions you got when signing up for this list... specifically: postconf -n output and logs showing the problem... -- Best regards, Charles
Why I set a specific transport parameter on show up?
Hi all, I would like to set a specific tranport for mail sending to yahoo, which slow it down to avoid getting greylisted. I set a dedicated transport in master.cf like slow unix - - n - 1 smtp And set the pre-transport parameters in main.cf like slow_destination_recipient_limit = 2 I would like to ask, why this configuration doesn't show up after I issue postfix reload or even restart the server? Best, Jacky -- View this message in context: http://www.nabble.com/Why-I-set-a-specific-transport-parameter-on-show-up--tp20477927p20477927.html Sent from the Postfix mailing list archive at Nabble.com.
Re: postdrop: fatal: uid=0: unexpected record type: 68
On Thu, Nov 13, 2008 at 5:16 PM, Wietse Venema [EMAIL PROTECTED] wrote: Rajkumar S: Hi, I get this error when I tried to send a mail via postdrop. vhs3:~# cat signedmail.txt | postdrop queue_id4BAE870402Fpostdrop: fatal: uid=0: unexpected record type: 68 The postdrop command behaves as documented. http://www.postfix.org/postdrop.1.html In particular, see the -r command-line option. See also: http://www.postfix.org/sendmail.1.html I am able to send mails via sendmail, but not using postdrop, if some one has an example command using postdrop I would be happy :) raj
Re: postdrop: fatal: uid=0: unexpected record type: 68
Rajkumar S: Hi, I get this error when I tried to send a mail via postdrop. vhs3:~# cat signedmail.txt | postdrop queue_id4BAE870402Fpostdrop: fatal: uid=0: unexpected record type: 68 The postdrop command behaves as documented. http://www.postfix.org/postdrop.1.html In particular, see the -r command-line option. See also: http://www.postfix.org/sendmail.1.html Wietse
Re: postdrop: fatal: uid=0: unexpected record type: 68
Rajkumar S: On Thu, Nov 13, 2008 at 5:16 PM, Wietse Venema [EMAIL PROTECTED] wrote: Rajkumar S: Hi, I get this error when I tried to send a mail via postdrop. vhs3:~# cat signedmail.txt | postdrop queue_id4BAE870402Fpostdrop: fatal: uid=0: unexpected record type: 68 The postdrop command behaves as documented. http://www.postfix.org/postdrop.1.html In particular, see the -r command-line option. See also: http://www.postfix.org/sendmail.1.html I am able to send mails via sendmail, but not using postdrop, if some one has an example command using postdrop I would be happy :) POSTDROP(1)POSTDROP(1) NAME postdrop - Postfix mail posting utility SYNOPSIS postdrop [-rv] [-c config_dir] ... -r Use a Postfix-internal protocol for reading the message from standard input, and for reporting status information on standard output. This is currently the only supported method. As documented, postdrop implements a protocol that is internal to Postfix. You are therefore not supposed to use it. Wietse
Spamcop's position on backscatter
Occassionally I see a spamcop.net report on backscattered email. Our MXes forward to three other servers, so we use virtual_alias_maps, set up with a mapping for every email account, and we set smtpd_client_restrictions = reject_unlisted_recipient amongst other restrictions. I'll report the smtpd related details here so those who want to know how it is set up can see. smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unauth_destination, check_recipient_access hash:/etc/postfix/user_overquota, check_recipient_access hash:/etc/postfix/recipient_access, check_sender_access hash:/etc/postfix/whitelist, check_client_access hash:/etc/postfix/access, reject_non_fqdn_recipient, reject_rbl_client MYLICENSEKEYISHEREBYOBSCURED.r.mail-abuse.com, permit smtpd_client_restrictions = reject_unlisted_recipient, check_client_access cidr:/etc/postfix/client.cidr, check_sender_access hash:/etc/postfix/whitelist, check_recipient_access hash:/etc/postfix/recipient_access, check_client_access hash:/etc/postfix/access, reject_invalid_hostname, reject_unknown_client smtpd_data_restrictions = reject_unauth_pipelining smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/blacklist, check_sender_access hash:/etc/postfix/whitelist, check_client_access hash:/etc/postfix/access, reject_unknown_sender_domain, reject_non_fqdn_sender smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname virtual_alias_domains = $virtual_alias_maps, mydomain.ca virtual_alias_maps = hash:/etc/postfix/relocated hash:/etc/postfix/class_lists hash:/etc/postfix/virtual /recipient I believe we are doing the right thing to prevent backscatter email queuing. If there is room for improvement, I'd like to learn anything missing/wrong with the above. Our users normally want others to learn of bounces for things like typo'ed addresses. So we are not going to turn off non-delivery messages. Spamcop's FAQ on backscatter and prevention Misdirected bounces implies there is something we can do to prevent this. In my understanding, my postfix set up does what spamcop is asking to be done: Configure your software to either reject messages during delivery or accept them permanently. Yet there are occassionally users reporting our MX to spamcop (even though the originating IP of the backscatter is listed in the header trace in the attached Delivery Report). Received: from acadiau.ca ([127.0.0.1]) by localhost (x3.mydomain.ca [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Tfd1qCE4QYv1 for x; Mon, 10 Nov 2008 07:02:24 -0400 (AST) Received: from 212-34-112-114.domolink.elcom.ru ( 212-34-112-114.domolink.elcom.ru [212.34.112.114]) by acadiau.ca (Postfix) with ESMTP id D54454E4E1 for x; Mon, 10 Nov 2008 07:02:22 -0400 (AST) Message-ID: [EMAIL PROTECTED] From: ingelbert joachim x To: x Subject: ID MSG:81531 I am Julia, 27 y.o. Russia (dating) Is there anything more I can be doing? Does anyone feel Spamcop's position on backscatter too simplistic? --Donald
spamassassin spampref problem with alias
Hi to all. I've go a problem: i've set up postfix to call a script in master.cf: smtp inet n - n - - smtpd -o content_filter=filter:dummy filterunix - n n - 20 pipe flags=Rq user=filter argv=/var/antispam/myscript -f ${sender} -- ${recipient} /var/antispam/myscript is a script shell that submit the mail using spamc to spamd. Spamc is invoked using spamc -u $4 where $4 is the destination user. Now, suppose that $4 is [EMAIL PROTECTED] and [EMAIL PROTECTED] is an alias to [EMAIL PROTECTED] [EMAIL PROTECTED] has a spam score of 4 in the spampref table. with these configuration, [EMAIL PROTECTED] receives the email, but these email has been checked with a default spam score, and not with the spam score of 4. I'd like to scan the email with the preference of the real user that receives the email, is it possibile? Is it possible to scan the email AFTER postfix has determined the real user/users associated to the email? (even if this can imply to re-scan the email multiple times one for each user associated to the alias). Thanks to all -- /*/ nik600 http://www.kumbe.it
Re: Spamcop's position on backscatter
On 11/13/2008, D G Teed ([EMAIL PROTECTED]) wrote: I'll report the smtpd related details here so those who want to know how it is set up can see. postconf -n output is preferred... all of it... -- Best regards, Charles
Re: Spamcop's position on backscatter
D G Teed wrote: [snip] Is there anything more I can be doing? what is your problem exactly? are you listed on spamcop? if so, what IP are you talking about? what makes you believe you are listed because of backscatter? and why do you send backscatter (and what kind of bs)? Does anyone feel Spamcop's position on backscatter too simplistic? no evidence, no conclusion.
Re: spamassassin spampref problem with alias
nik600 wrote: Hi to all. I've go a problem: i've set up postfix to call a script in master.cf: smtp inet n - n - - smtpd -o content_filter=filter:dummy filterunix - n n - 20 pipe flags=Rq user=filter argv=/var/antispam/myscript -f ${sender} -- ${recipient} /var/antispam/myscript is a script shell that submit the mail using spamc to spamd. Spamc is invoked using spamc -u $4 where $4 is the destination user. Now, suppose that $4 is [EMAIL PROTECTED] and [EMAIL PROTECTED] is an alias to [EMAIL PROTECTED] [EMAIL PROTECTED] has a spam score of 4 in the spampref table. with these configuration, [EMAIL PROTECTED] receives the email, but these email has been checked with a default spam score, and not with the spam score of 4. I'd like to scan the email with the preference of the real user that receives the email, is it possibile? Is it possible to scan the email AFTER postfix has determined the real user/users associated to the email? (even if this can imply to re-scan the email multiple times one for each user associated to the alias). unless you disable address rewrite, the filter should get the address after it was expanded. so your problem doesn't match your description. show your master.cf and the output of 'psoctonf -n'.
Re: Why I set a specific transport parameter on show up?
Jacky Chan wrote: Hi all, I would like to set a specific tranport for mail sending to yahoo, which slow it down to avoid getting greylisted. why? unless you send a lot of mail, just let it go. and if you send a lot of mail, you'll ned to get whitelisted. I set a dedicated transport in master.cf like slow unix - - n - 1 smtp And set the pre-transport parameters in main.cf like slow_destination_recipient_limit = 2 I would like to ask, why this configuration doesn't show up after I issue postfix reload or even restart the server? to show up where? do you mean in postconf output? if so, no it won't. postconf only shows builtin parameters. This is a known limitation.
Re: postdrop: fatal: uid=0: unexpected record type: 68
On Thu, Nov 13, 2008 at 9:22 PM, Wietse Venema [EMAIL PROTECTED] wrote: As documented, postdrop implements a protocol that is internal to Postfix. You are therefore not supposed to use it. Thanks for the clue stick! raj
Re: Why I set a specific transport parameter on show up?
On Thu, Nov 13, 2008 at 02:09:25AM -0800, Jacky Chan wrote: I would like to set a specific tranport for mail sending to yahoo, which slow it down to avoid getting greylisted. I set a dedicated transport in master.cf like slow unix - - n - 1 smtp And set the pre-transport parameters in main.cf like slow_destination_recipient_limit = 2 I would like to ask, why this configuration doesn't show up after I issue postfix reload or even restart the server? This parameter is one built-in to Postfix, and postconf does not report user-created parameters. Also, setting this parameter won't slow down mail to Yahoo, it will in fact increase the number of messages sent, while lowering the number of recipients per-messages (assuming some messages have more than 2 Yahoo recipients, otherwise it has no effect at all). If your prorblem is output-rate or destination concurrency, you are using the wrong tool. If you must reduce the recipient count per transaction, IIRC Yahoo seems to prefer 10 recipients per-message rather than the RFC required 100. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:[EMAIL PROTECTED] If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: spamassassin spampref problem with alias
master.cf: smtp inet n - n - - smtpd -o content_filter=filter:dummy 9009 inet n - n - - smtpd -o content_filter=filter:dummy filterunix - n n - 20 pipe flags=Rq user=filter argv=/var/antispam/myscript -f ${sender} -- ${recipient} policy unix - n n - 0 spawn user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl # -o smtpd_client_restrictions=permit_sasl_authenticated,reject #smtpsinet n - n - - smtpd # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes #submission inetn - n - - smtpd # -o smtpd_etrn_restrictions=reject # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes #628 inet n - n - - qmqpd pickupfifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgrunix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounceunix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verifyunix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - n - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scacheunix - - n - 1 scache maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmailunix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient retry unix - - n - - error proxywrite unix - - n - 1 proxymap postconf -n: alias_database = hash:/etc/mail/aliases alias_maps = hash:/etc/mail/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix disable_vrfy_command = yes html_directory = no mail_owner = postfix mailq_path = /usr/bin/mailq manpage_directory = /usr/local/man message_size_limit = 10024 mydestination = $transport_maps mydomain = foo.com myhostname = server.foo.com myorigin = $mydomain newaliases_path = /usr/bin/newaliases queue_directory = /var/spool/postfix readme_directory = no relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf,hash:/etc/postfix/relay sample_directory = /etc/postfix sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtp_host_lookup = native,dns smtpd_client_connection_count_limit = 50 smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_non_fqdn_sender, reject_rbl_client list.dsbl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_non_fqdn_hostname,reject_non_fqdn_recipient smtpd_helo_required = yes smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_sender_access hash:/etc/postfix/whitelist/whitelist_reject_non_fqdn_sender,reject_non_fqdn_sender,reject_non_fqdn_sender,reject_unauth_destination,reject_unauth_pipelining,reject_rbl_client list.dsbl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_non_fqdn_hostname,reject_non_fqdn_recipient smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = smtpd_sasl_path = sasl2/smtpd smtpd_sasl_security_options = noanonymous smtpd_sasl_type = cyrus smtpd_sender_restrictions =
Re: Spamcop's position on backscatter
On Thu, Nov 13, 2008 at 12:05 PM, mouss [EMAIL PROTECTED] wrote: D G Teed wrote: [snip] Is there anything more I can be doing? what is your problem exactly? are you listed on spamcop? We are not listed on spam cop. There have been a couple of external reports I've seen in the last year. When I respond, I like to know I'm working with the best set up available. if so, what IP are you talking about? You need to know my IP as much as you need my address or phone number. It is irrelevant. We are not in block lists. I know how to check, and we have enough volume here that I'd learn pretty quickly if there was a problem. what makes you believe you are listed because of backscatter? What makes you believe I'm listed? I got a single report of a complaint. Have you not used the spamcop web interface before? and why do you send backscatter (and what kind of bs)? Why do you take a combative stance? We send non-delivery responses. If someone emailed [EMAIL PROTECTED], it will reject, saying that user doesn't exist. Our users expect this feature. If we told them bad addresses will cause email to be lost without notification, they would not be happy. Does anyone feel Spamcop's position on backscatter too simplistic? no evidence, no conclusion. Here is what they say... http://www.spamcop.net/fom-serve/cache/329.html#bounces --Donald
Re: Spamcop's position on backscatter
D G Teed wrote: We send non-delivery responses. If someone emailed [EMAIL PROTECTED] mailto:[EMAIL PROTECTED], it will reject, saying that user doesn't exist. Our users expect this feature. If we told them bad addresses will cause email to be lost without notification, they would not be happy. If you reject the invalid users during SMTP, you are not sending NDRs. It is the responsibility of the last server that accepted the message to send a NDR. If your server is actually sending the NDRs, you have something configured wrong as you are accepting and then later rejecting the emails.
Re: Spamcop's position on backscatter
On Thu, Nov 13, 2008 at 11:58 AM, Charles Marcus [EMAIL PROTECTED]wrote: On 11/13/2008, D G Teed ([EMAIL PROTECTED]) wrote: I'll report the smtpd related details here so those who want to know how it is set up can see. postconf -n output is preferred... all of it... OK - IP, domain, and Trend's RBL license are obscured but otherwise contextually accurate ... alias_database = hash:/etc/postfix/aliases alias_maps = hash:/etc/postfix/aliases alternate_config_directories = /etc/postfix-alumni anvil_rate_time_unit = 60s anvil_status_update_time = 600s biff = no bounce_queue_lifetime = 2d bounce_size_limit = 2000 bounce_template_file = /etc/postfix/bounce.cf canonical_maps = pcre:/etc/postfix/lowercase,hash:/etc/postfix/genericstable command_directory = /usr/sbin config_directory = /etc/postfix content_filter = lmtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix debug_peer_level = 2 disable_vrfy_command = yes fast_flush_domains = x1.mydomain.ca, x2.mydomain.ca, x3.mydomain.ca, x4.mydomain.ca html_directory = no in_flow_delay = 5s inet_interfaces = localhost,x5.mydomain.ca initial_destination_concurrency = 200 invalid_hostname_reject_code = 556 lmtp_sasl_auth_enable = no lmtp_sasl_security_options = local_recipient_maps = mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man masquerade_domains = !x6.mydomain.ca mydomain.ca maximal_backoff_time = 21600s message_size_limit = 1000 minimal_backoff_time = 10800s mydestination = mydomain = mydomain.ca myhostname = mydomain.ca mynetworks = 555.555.0.0/16, 127.0.0.0/8 mynetworks_style = class newaliases_path = /usr/bin/newaliases.postfix qmgr_message_active_limit = 2 queue_directory = /var/spool/postfix queue_run_delay = 500s rbl_reply_maps = hash:/etc/postfix/rbl_reply readme_directory = no recipient_delimiter = + relay_domains = relay_recipient_maps = relocated_maps = sample_directory = /etc/postfix sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_authorized_xclient_hosts = 127.0.0.1,555.555.201.19 smtpd_client_connection_count_limit = 20 smtpd_client_connection_rate_limit = 60 smtpd_client_event_limit_exceptions = $mynetworks smtpd_client_message_rate_limit = 60 smtpd_client_restrictions = reject_unlisted_recipient, check_client_access cidr:/etc/postfix/client.cidr, check_sender_access hash:/etc/postfix/whitelist, check_recipient_access hash:/etc/postfix/recipient_access, check_client_access hash:/etc/postfix/access, reject_invalid_hostname, reject_unknown_client smtpd_data_restrictions = reject_unauth_pipelining smtpd_error_sleep_time = 10s smtpd_helo_required = yes smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unauth_destination, check_recipient_access hash:/etc/postfix/campus_overquota, check_recipient_access hash:/etc/postfix/recipient_access, check_sender_access hash:/etc/postfix/whitelist, check_client_access hash:/etc/postfix/access, reject_non_fqdn_recipient, reject_rbl_client LICENSEKEYOBSCURED.r.mail-abuse.com, permit smtpd_sasl_auth_enable = no smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/blacklist, check_sender_access hash:/etc/postfix/whitelist, check_client_access hash:/etc/postfix/access, reject_unknown_sender_domain, reject_non_fqdn_sender smtpd_timeout = 60s transport_maps = hash:/etc/postfix/transport unknown_address_reject_code = 550 unknown_client_reject_code = 555 unknown_local_recipient_reject_code = 550 virtual_alias_domains = $virtual_alias_maps, mydomain.ca virtual_alias_maps = hash:/etc/postfix/relocated hash:/etc/postfix/class_lists hash:/etc/postfix/virtual
Re: spamassassin spampref problem with alias
nik600 wrote: master.cf: smtp inet n - n - - smtpd -o content_filter=filter:dummy 9009 inet n - n - - smtpd -o content_filter=filter:dummy filterunix - n n - 20 pipe flags=Rq user=filter argv=/var/antispam/myscript -f ${sender} -- ${recipient} policy unix - n n - 0 spawn user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl You do not specify how the content_filter returns to postfix. With the current config, you would need 'receive_override_options = no_address_mappings' in main.cf *and* '-o receive_override_options=' in master.cf on the return of the filter to Postfix. If the filter was not meant to return to Postfix, then it cannot be accomplished. Also, I've commented on your postconf too. One area is of critical importance to check. postconf -n: mydestination = $transport_maps This could seriously break things if you ever set transport_maps. Anything in transport_maps should just be that. If you want to disable local delivery, set 'mydestination = '. Note: this breaks cron and possibly other notifications if myorigin is not defined in a different address class. mydomain = foo.com myhostname = server.foo.com myorigin = $mydomain [...] relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf,hash:/etc/postfix/relay relay_domains with no relay_recipient_maps can make you a Backscatter source. smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_non_fqdn_sender, reject_rbl_client list.dsbl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_non_fqdn_hostname,reject_non_fqdn_recipient dsbl.org is dead. Best to remove it to avoid future false positives. reject_non_fqdn_(sender|recipient) have no effect here since you don't know them yet. You don't specify which Postfix version you have. reject_non_fqdn_hostname was renamed in 2.3+ to reject_non_fqdn_helo_hostname (probably to clarify it's meaning) It only has meaning in helo restrictions or later (helo, sender, recipient, etc.) smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_sender_access hash:/etc/postfix/whitelist/whitelist_reject_non_fqdn_sender,reject_non_fqdn_sender,reject_non_fqdn_sender,reject_unauth_destination,reject_unauth_pipelining,reject_rbl_client list.dsbl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_non_fqdn_hostname,reject_non_fqdn_recipient Why query rbls twice? You already covered them in client restrictions. You must really not want non fqdn sender to check twice here, once in sender_restrictions and once in client_restrictions *WARNING*: an OK in whitelist_reject_non_fqdn_sender will make you an open relay if a spammer can guess an address in there. If you have OK in there, *fix it now*! At minimum, put permit_auth_destination *OR* (suggested) remove it, along with the reject_non_fqdn_sender's, and let sender_restrictions take care of it. smtpd_sender_restrictions = permit_sasl_authenticated,permit_mynetworks,check_sender_access hash:/etc/postfix/whitelist/whitelist_reject_non_fqdn_sender,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_non_fqdn_hostname,reject_non_fqdn_recipient non_fqdn_recipient is unknown at this stage. Brian On Thu, Nov 13, 2008 at 5:08 PM, mouss [EMAIL PROTECTED] wrote: nik600 wrote: Hi to all. I've go a problem: i've set up postfix to call a script in master.cf: smtp inet n - n - - smtpd -o content_filter=filter:dummy filterunix - n n - 20 pipe flags=Rq user=filter argv=/var/antispam/myscript -f ${sender} -- ${recipient} /var/antispam/myscript is a script shell that submit the mail using spamc to spamd. Spamc is invoked using spamc -u $4 where $4 is the destination user. Now, suppose that $4 is [EMAIL PROTECTED] and [EMAIL PROTECTED] is an alias to [EMAIL PROTECTED] [EMAIL PROTECTED] has a spam score of 4 in the spampref table. with these configuration, [EMAIL PROTECTED] receives the email, but these email has been checked with a default spam score, and not with the spam score of 4. I'd like to scan the email with the preference of the real user that receives the email, is it possibile? Is it possible to scan the email AFTER postfix has determined the real user/users associated to the email? (even if this can imply to re-scan the email multiple times one for each user associated to the alias). unless you disable address rewrite, the filter should get the address after it was expanded. so your problem doesn't match your description. show your master.cf and the output of 'psoctonf -n'.
Re: has yahoo mailservers problems ?
t??ba([EMAIL PROTECTED])@Thu, Nov 13, 2008 at 11:00:54AM +0300: On Wed, 12 Nov 2008 23:14:25 +0100 Martin Strand [EMAIL PROTECTED] wrote: Of course, they expect you to setup your servers properly with SPF/DKIM/etc but you probably already know about that. Martin But why yahoo do that? What is yahoo?? Why? Why we have no problem with the others largest email providers like gmail, live etc? Why we are addicted to do SPF etc to deal with yahoo? Is not for yahoo to make theirs servers more reliable like others? Or does not yahoo have brains and material capabilities to do that? Yahoo is betting that they are big enough that you're willing to jump through some hoops to get to their users. Given the responses to this thread, it looks like that bet is working out for them. If Google started prioritizing the GSPF (Google-enhanced SPF) signed email coming in tomorrow, do you really think that most of us wouldn't set it up? -- Bill Weiss tragic political term meaning inconvenient. -- The Devil's Dictionary X
Re: spamassassin spampref problem with alias
nik600 wrote: master.cf: smtp inet n - n - - smtpd -o content_filter=filter:dummy 9009 inet n - n - - smtpd -o content_filter=filter:dummy filterunix - n n - 20 pipe flags=Rq user=filter argv=/var/antispam/myscript -f ${sender} -- ${recipient} [snip] postconf -n: [snip] I see nowhere where you disable address rewrite. so you shouldn't see the problem you described. can you show logs that prove that the filter gets the non expanded address? You can also log the addresses in your script. PS. If your script cannot handle multiple recipients, then you want: filter_destination_recipient_limit = 1
Re: Spamcop's position on backscatter
D G Teed wrote: On Thu, Nov 13, 2008 at 12:05 PM, mouss [EMAIL PROTECTED] wrote: D G Teed wrote: [snip] Is there anything more I can be doing? what is your problem exactly? are you listed on spamcop? We are not listed on spam cop. There have been a couple of external reports I've seen in the last year. When I respond, I like to know I'm working with the best set up available. if so, what IP are you talking about? You need to know my IP as much as you need my address or phone number. It is irrelevant. We are not in block lists. I know how to check, and we have enough volume here that I'd learn pretty quickly if there was a problem. notice that I said: If so, which means if you are listed on spamcop, then which IP is listed. not that I want to know your IP, but simply to check that the IP is really listed. some people sometimes report the wrong problems, and we like to check. what makes you believe you are listed because of backscatter? What makes you believe I'm listed? I got a single report of a complaint. Have you not used the spamcop web interface before? never ever. should I? and why do you send backscatter (and what kind of bs)? Why do you take a combative stance? I did not. I was simply trying to understand what your problem is. I thought you were listed on spamcop because of BS and you didn't like it. so I asked for details. We send non-delivery responses. if these are user does not exist or filter thinks this is spam/virus and the like, then you are a backscatter source. If someone emailed [EMAIL PROTECTED], it will reject, saying that user doesn't exist. Our users expect this feature. If we told them bad addresses will cause email to be lost without notification, they would not be happy. if address is typoeduser, then reject it during the smtp transaction while the untrusted client is still connected. once you accept mail, you should no more send bounces, except in few controlled situations. sure, losing mail is bad. but you should reject mail during the smtp transaction. if your postfix is a lreay server and you can't get the relay_recipient_maps, then you can use reject_unverified_recipient (only for selected domains). Does anyone feel Spamcop's position on backscatter too simplistic? no evidence, no conclusion. Here is what they say... http://www.spamcop.net/fom-serve/cache/329.html#bounces many people agree with that document. see the BACKSCATTER README.
Re: Spamcop's position on backscatter
On Thu, Nov 13, 2008 at 2:14 PM, mouss [EMAIL PROTECTED] wrote: D G Teed wrote: What makes you believe I'm listed? I got a single report of a complaint. Have you not used the spamcop web interface before? never ever. should I? No, but as you said, some people report the wrong problem and I'd like to check. I guess if your mail server eats all email and you have no users whose accounts get compromised by phishing then you'd never need to see the spamcop report, even occasionally. We send non-delivery responses. if these are user does not exist or filter thinks this is spam/virus and the like, then you are a backscatter source. I don't think we send NDRs as emails originating here. I think we reject emails. Maybe you can tell me. I test emailed a bogus address at work from home. My home ISP's SMTP server sent back a NDR, not my work's MX server. Inside the NDR from my home ISP's SMTP, I see reference to the name of one of the workplace MX servers, but the Reporting-MTA is that of the home ISP, not work's MX. If someone emailed [EMAIL PROTECTED], it will reject, saying that user doesn't exist. Our users expect this feature. If we told them bad addresses will cause email to be lost without notification, they would not be happy. if address is typoeduser, then reject it during the smtp transaction while the untrusted client is still connected. once you accept mail, you should no more send bounces, except in few controlled situations. sure, losing mail is bad. but you should reject mail during the smtp transaction. if your postfix is a lreay server and you can't get the relay_recipient_maps, then you can use reject_unverified_recipient (only for selected domains). In this thread I've posted my postconf -n output. We user virtual_alias_maps and smtpd_client_restrictions = reject_unlisted_recipient is at the beginning of our list of restrictions. This causes email to be rejected for non-delivery. We do not relay to our Exchange or Cyrus server only to find out at that stage the email address does not exist. Our mapping file (virtual_alias_maps) is the complete list of all addresses and what final server they go to. [EMAIL PROTECTED][EMAIL PROTECTED] Does this not achieve the same result as using relay_recipient_maps ? --Donald
Re: Spamcop's position on backscatter
D G Teed wrote: On Thu, Nov 13, 2008 at 2:14 PM, mouss [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: If someone emailed [EMAIL PROTECTED] mailto:[EMAIL PROTECTED], it will reject, saying that user doesn't exist. Our users expect this feature. If we told them bad addresses will cause email to be lost without notification, they would not be happy. if address is typoeduser, then reject it during the smtp transaction while the untrusted client is still connected. once you accept mail, you should no more send bounces, except in few controlled situations. sure, losing mail is bad. but you should reject mail during the smtp transaction. if your postfix is a lreay server and you can't get the relay_recipient_maps, then you can use reject_unverified_recipient (only for selected domains). In this thread I've posted my postconf -n output. We user virtual_alias_maps and smtpd_client_restrictions = reject_unlisted_recipient is at the beginning of our list of restrictions. client restrictions are checked on connect. reject_unlisted_recipient is not known until the recipient restrictions. This causes email to be rejected for non-delivery. We do not relay to our Exchange or Cyrus server only to find out at that stage the email address does not exist. Our mapping file (virtual_alias_maps) is the complete list of all addresses and what final server they go to. [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Does this not achieve the same result as using relay_recipient_maps ? virtual_alias_maps is a map that can rewrite an address across any address class. relay_recipient_maps is a verification map for relay_domains class. You basically will allow a catch all on the MX if a spammer knew the back end domain(s) with no relay_recipient_maps present. This may cause Backscatter. Your experience may vary of course. Brian
Multiple message problem
Hi folks -- I've got a problem and I can't seem to find the cause. Basically, if I address a message with: TO: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Each recipient gets the same number of copies of the message as there are recipients... so 3 recipients, they each get 3 copies. If it was 10 recipients, there'd be 10 copies each, etc. I'm using Postfix 2.5.3 and virtual users in Mysql. I'm not doing anything really strange, most configuration is default. The only 'strange' thing is I'm handing incoming mail to dspam 3.8.0 as a content filter and then handing it back into Postfix via the sendmail command and delivering it to virtual users via maildrop. Singular recipient messages work fine, it's the strung together ones that are duplicating. Is there some sort of delimiter setting that I'm missing? thanks for any help - Rob K smime.p7s Description: S/MIME Cryptographic Signature
Re: Multiple message problem
On Thu, Nov 13, 2008 at 04:03:17PM -0500, Rob Klingsten wrote: Hi folks -- I've got a problem and I can't seem to find the cause. Basically, if I address a message with: TO: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Each recipient gets the same number of copies of the message as there are recipients... so 3 recipients, they each get 3 copies. If it was 10 recipients, there'd be 10 copies each, etc. I'm using Postfix 2.5.3 and virtual users in Mysql. I'm not doing anything really strange, most configuration is default. The only 'strange' thing is I'm handing incoming mail to dspam 3.8.0 as a content filter and then handing it back into Postfix via the sendmail command and delivering it to virtual users via maildrop. There's your problem. The sendmail re-injection undoutedly is broken and is mis-routing mail to header recipients... Try a Bcc: that user will get no mail at all, but the To/Cc: users will get an extra copy. This is really bad, DO NOT use sendmail -t to re-inject mail, instead send to the envelope recipient(s) which are known via command-line arguments or similar non-header context. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:[EMAIL PROTECTED] If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Multiple message problem
Rob Klingsten wrote: Hi folks -- I've got a problem and I can't seem to find the cause. Basically, if I address a message with: TO: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Each recipient gets the same number of copies of the message as there are recipients... so 3 recipients, they each get 3 copies. If it was 10 recipients, there'd be 10 copies each, etc. I'm using Postfix 2.5.3 and virtual users in Mysql. I'm not doing anything really strange, most configuration is default. The only 'strange' thing is I'm handing incoming mail to dspam 3.8.0 as a content filter and then handing it back into Postfix via the sendmail command and delivering it to virtual users via maildrop. Singular recipient messages work fine, it's the strung together ones that are duplicating. Is there some sort of delimiter setting that I'm missing? thanks for any help - Rob K There is not enough information to give a good answer. Please post 'postconf -n' and master.cf to get a better answer. Also, a log sample where dspam passes mail back to Postfix (pickup service) may help too. Brian
Queue ID gets reused? Not unique?
Hi all, I was examining my Postfix logs and saw two sequential sessions using the same queue ID. I was a bit surprised as I had the assumption that queue IDs were generated randomly, which means they should be practically unique. Okay, so this could be a wrong assumption... My question is, how are queue IDs exactly generated? I couldn't find this info in the Postfix documentation, but I might have overlooked it. Well, now some details for anyone interested in what happened. I'm running two machines (mail servers) with Debian 5.0 (lenny) and Postfix 2.5.5. Let's call them box A and box B. Box A was the machine using the same queue ID for two sessions. The accompanying log entries (and explanations): Box A (session 1): Nov 13 17:44:26 box-a postfix/smtpd[27915]: connect from localhost[127.0.0.1] Nov 13 17:44:26 box-a postfix/smtpd[27915]: 1C96531C9D: client=localhost[127.0.0.1] Nov 13 17:44:26 box-a postfix/cleanup[27917]: 1C96531C9D: message-id=[EMAIL PROTECTED] Nov 13 17:44:26 box-a postfix/qmgr[1917]: 1C96531C9D: from=[EMAIL PROTECTED], size=409, nrcpt=1 (queue active) Nov 13 17:44:26 box-a postfix/smtpd[27915]: disconnect from localhost[127.0.0.1] On the machine itself, [EMAIL PROTECTED] sends a mail to [EMAIL PROTECTED] Queued as 1C96531C9D. Nov 13 17:44:26 box-a postfix/smtp[27920]: 1C96531C9D: to=[EMAIL PROTECTED], relay=box-b.example.org[192.168.0.3]:25, delay=0, delays=0/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1D0A81039FA5) Nov 13 17:44:26 box-a postfix/qmgr[1917]: 1C96531C9D: removed The mail can't be delivered locally, so is relayed to box B. Queued as 1D0A81039FA5. Box B (session 1): Nov 13 17:44:26 box-b postfix/smtpd[16249]: connect from box-a.example.org[192.168.0.2] Nov 13 17:44:26 box-b postfix/smtpd[16249]: 1D0A81039FA5: client=box-a.example.org[192.168.0.2] Nov 13 17:44:26 box-b postfix/cleanup[16251]: 1D0A81039FA5: message-id=[EMAIL PROTECTED] Nov 13 17:44:26 box-b postfix/qmgr[1893]: 1D0A81039FA5: from=[EMAIL PROTECTED], size=616, nrcpt=1 (queue active) Nov 13 17:44:26 box-b postfix/cleanup[16251]: 1E50E1039FB4: message-id=[EMAIL PROTECTED] Nov 13 17:44:26 box-b postfix/smtpd[16249]: disconnect from box-a.example.org[192.168.0.2] Mail is received from box A. Indeed queued as 1D0A81039FA5. Nov 13 17:44:26 box-b postfix/local[16252]: 1D0A81039FA5: to=[EMAIL PROTECTED], relay=local, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (forwarded as 1E50E1039FB4) Nov 13 17:44:26 box-b postfix/qmgr[1893]: 1D0A81039FA5: removed There's an alias for bill on box B, so the mail is forwarded. Queued as 1E50E1039FB4. Nov 13 17:44:26 box-b postfix/qmgr[1893]: 1E50E1039FB4: from=[EMAIL PROTECTED], size=753, nrcpt=1 (queue active) Nov 13 17:44:26 box-b postfix/smtp[16253]: 1E50E1039FB4: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=box-a.example.org[192.168.0.2]:25, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1C96531C9D) Nov 13 17:44:26 box-b postfix/qmgr[1893]: 1E50E1039FB4: removed The alias' target is on box A, so box B relays the mail to box A. Queued as 1C96531C9D. Hey, didn't we see this ID before? Box A (session 2): Nov 13 17:44:26 box-a postfix/smtpd[27915]: connect from box-b.example.org[192.168.0.3] Nov 13 17:44:26 box-a postfix/smtpd[27915]: 1C96531C9D: client=box-b.example.org[192.168.0.3] Nov 13 17:44:26 box-a postfix/cleanup[27917]: 1C96531C9D: message-id=[EMAIL PROTECTED] Nov 13 17:44:26 box-a postfix/qmgr[1917]: 1C96531C9D: from=[EMAIL PROTECTED], size=959, nrcpt=1 (queue active) Nov 13 17:44:26 box-a postfix/smtpd[27915]: disconnect from box-b.example.org[192.168.0.3] Nov 13 17:44:26 box-a postfix/virtual[27922]: 1C96531C9D: to=[EMAIL PROTECTED], relay=virtual, delay=0.01, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir) Nov 13 17:44:26 box-a postfix/qmgr[1917]: 1C96531C9D: removed The mail is finally delivered. Indeed queued as 1C96531C9D. Yeah, we saw this ID before... in the beginning, when [EMAIL PROTECTED] sent the mail to the local Postfix daemon on the same machine. Some observations: - The reused queue ID is in a session that is in some way related to the first used of the queue ID. - The process is really fast, everything happens in the same second. - While replaying this scenario the duplicate queue ID isn't always reproducible. Like 2 times out of 10. I'm wondering if this behaviour of Postfix is normal. Thanks in advance for any information regarding this subeject! Durk
Re: Queue ID gets reused? Not unique?
On Thu, Nov 13, 2008 at 10:36:10PM +0100, Durk Strooisma wrote: I was examining my Postfix logs and saw two sequential sessions using the same queue ID. I was a bit surprised as I had the assumption that queue IDs were generated randomly, which means they should be practically unique. They are not random, which makes unique within: - The 1 second interval when the queue id is created, provided your clock does not jump backwards - The lifetime of the message that has that queue id When a new second stards, and the old message is gone, the queue id is available for re-use. Okay, so this could be a wrong assumption... My question is, how are queue IDs exactly generated? I couldn't find this info in the Postfix documentation, but I might have overlooked it. They are generated to avoid *collisions* of queue files names for messages that exist at the same time, but not otherwise intended to be unique beyond the two conditions above. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:[EMAIL PROTECTED] If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Multiple message problem
I've got a problem and I can't seem to find the cause. Basically, if I address a message with: TO: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Each recipient gets the same number of copies of the message as there are recipients... so 3 recipients, they each get 3 copies. If it was 10 recipients, there'd be 10 copies each, etc. I'm using Postfix 2.5.3 and virtual users in Mysql. I'm not doing anything really strange, most configuration is default. The only 'strange' thing is I'm handing incoming mail to dspam 3.8.0 as a content filter and then handing it back into Postfix via the sendmail command and delivering it to virtual users via maildrop. There's your problem. The sendmail re-injection undoutedly is broken and is mis-routing mail to header recipients... Try a Bcc: that user will get no mail at all, but the To/Cc: users will get an extra copy. This is really bad, DO NOT use sendmail -t to re-inject mail, instead send to the envelope recipient(s) which are known via command-line arguments or similar non-header context. Ok, just when you think you have it all figured out ... :( Thank you very much for the info, I will go back to the drawing board for my delivery stage from dspam. Thought it was all working well. Thanks again - Rob K smime.p7s Description: S/MIME Cryptographic Signature
Re: Multiple message problem
On Thu, Nov 13, 2008 at 04:53:54PM -0500, Rob Klingsten wrote: I've got a problem and I can't seem to find the cause. Basically, if I address a message with: TO: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Each recipient gets the same number of copies of the message as there are recipients... so 3 recipients, they each get 3 copies. If it was 10 recipients, there'd be 10 copies each, etc. I'm using Postfix 2.5.3 and virtual users in Mysql. I'm not doing anything really strange, most configuration is default. The only 'strange' thing is I'm handing incoming mail to dspam 3.8.0 as a content filter and then handing it back into Postfix via the sendmail command and delivering it to virtual users via maildrop. There's your problem. The sendmail re-injection undoutedly is broken and is mis-routing mail to header recipients... Try a Bcc: that user will get no mail at all, but the To/Cc: users will get an extra copy. This is really bad, DO NOT use sendmail -t to re-inject mail, instead send to the envelope recipient(s) which are known via command-line arguments or similar non-header context. Ok, just when you think you have it all figured out ... :( Thank you very much for the info, I will go back to the drawing board for my delivery stage from dspam. Thought it was all working well. If dspam runs for one user at a time, when the mail goes back for delivery send it to that user, not to anyone in the headers... If dspam processes multiple users in parallel, it must capture the envelope and pass it back to sendmail(1). DO NOT lose the envelope sender, the From: header is not the envelope sender. Dspam must present the envelope sender to the sendmail re-injection command. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:[EMAIL PROTECTED] If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Queue ID gets reused? Not unique?
Durk Strooisma: Hi all, I was examining my Postfix logs and saw two sequential sessions using the same queue ID. I was a bit surprised as I had the assumption that queue IDs were generated randomly, which means they should be practically unique. Postfix behaves as documented. Please point out where the documentation made the promise to you that queue IDs are unique. Wietse
smtpd_sasl_security_options = noplaintext with dovecot?
I have postfix-2.5.4 and dovecot-1.1.2. I'd like to use: smtpd_sasl_security_options = noplaintext It barfs on this with: fatal: no SASL authentication mechanisms and smtpd doesn't start. Of course I don't want people sending their passwords in plaintext over the net. Am I missing something? Thanks, Rich
Re: smtpd_sasl_security_options = noplaintext with dovecot?
Rich Winkel wrote: I have postfix-2.5.4 and dovecot-1.1.2. I'd like to use: smtpd_sasl_security_options = noplaintext It barfs on this with: fatal: no SASL authentication mechanisms and smtpd doesn't start. Of course I don't want people sending their passwords in plaintext over the net. Am I missing something? Thanks, Rich Most folks use smtpd_tls_auth_only = yes to require STARTTLS before AUTH since some popular mail clients only support plaintext methods (plain and/or login), rather than disabling plaintext. Anyway, you need to enable something besides plain and login in your dovecot.conf if you want to disable plaintext in postfix. # dovecot.conf snippit auth default { # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous mechanisms = login plain digest-md5 cram-md5 -- Noel Jones
Simple mail authentication
I have a simple (I'll post postconf -n if it would help) Postfix box that basically takes in mail and hands it off. I have one user that would like to send and receive mail from the outside. I'm ok with receiving mail, but I have to (I think) set up some authentication so that I don't become an open relay. What's the simplest way to do this? Thanks!
Re: Simple mail authentication
N. Yaakov Ziskind wrote: I have a simple (I'll post postconf -n if it would help) Postfix box that basically takes in mail and hands it off. I have one user that would like to send and receive mail from the outside. I'm ok with receiving mail, but I have to (I think) set up some authentication so that I don't become an open relay. What's the simplest way to do this? Thanks! http://www.postfix.org/SASL_README.html What works best for you depends largely on how your users read mail now. If you happen to use cyrus IMAP already, it would seem natural to also use cyrus SASL for smtp authentication. Your system vendor may provide a postfix already built with cyrus SASL included. I like dovecot - I find it fairly simple to configure and dirt-easy to integrate with postfix. Dovecot can use a plain-text file for credentials if you have few users and don't want the burden of configuring a *SQL backend. Oh, and just because you use cyrus or dovecot for postfix SMTP AUTH support, that doesn't lock you into that product for IMAP and POP3 services. -- Noel Jones
Re: smtpd_sasl_security_options = noplaintext with dovecot?
Thanks! That's just what I needed! Rich On Thu, Nov 13, 2008 at 05:58:45PM -0600, Noel Jones wrote: Most folks use smtpd_tls_auth_only = yes to require STARTTLS before AUTH since some popular mail clients only support plaintext methods (plain and/or login), rather than disabling plaintext. Anyway, you need to enable something besides plain and login in your dovecot.conf if you want to disable plaintext in postfix. # dovecot.conf snippit auth default { # Space separated list of wanted authentication mechanisms: # plain login digest-md5 cram-md5 ntlm rpa apop anonymous mechanisms = login plain digest-md5 cram-md5 -- Noel Jones
Re: Simple mail authentication
N. Yaakov Ziskind [EMAIL PROTECTED] wrote: I have a simple (I'll post postconf -n if it would help) Postfix box that basically takes in mail and hands it off. I have one user that would like to send and receive mail from the outside. I'm ok with receiving mail, but I have to (I think) set up some authentication so that I don't become an open relay. What's the simplest way to do this? http://www.postfix.org/SASL_README.html http://www.postfix.org/TLS_README.html -- Sahil Tandon [EMAIL PROTECTED]
How can setup a dedicated transport to slow down output-rate to yahoo in Postfix 2.3?
Victor Duchovni wrote: If your prorblem is output-rate or destination concurrency, you are using the wrong tool. As subject, yeap, I actually want to setup such kind of transport to avoid getting greylist from yahoo. As I know, Postfix 2.5 has destination_rate_delay, it can slow down the output-rate, right? But in Postfix 2.3, no such parameter provides, so how can it be setup? So I consider to setup a dedicated transport name: slow for yahoo Then add the following two parameters for this transport slow_destination_recipient_limit = 4 slow_desintation_concurrency_limit = 4 I would like to ask, does it enforce the following? 1. Postfix will split the messages by nrcpt (number of recipient) by 4 2. Only 4 concurrent connection will be made to yahoo at a time 3. My server will have 4 concurrent connection made to yahoo with maximun 4 nrcpt per message at a time (perhaps a second). If the above is true, do I slow down the output-rate to yahoo? Thanks, Best, Jacky -- View this message in context: http://www.nabble.com/Why-I-set-a-specific-transport-parameter-not-show-up--tp20477927p20493131.html Sent from the Postfix mailing list archive at Nabble.com.
Re: Why I set a specific transport parameter on show up?
Yes, so how can I know the user-defined parameter takes effect? Thank you mouss-2 wrote: Jacky Chan wrote: Hi all, I would like to set a specific tranport for mail sending to yahoo, which slow it down to avoid getting greylisted. why? unless you send a lot of mail, just let it go. and if you send a lot of mail, you'll ned to get whitelisted. I set a dedicated transport in master.cf like slow unix - - n - 1 smtp And set the pre-transport parameters in main.cf like slow_destination_recipient_limit = 2 I would like to ask, why this configuration doesn't show up after I issue postfix reload or even restart the server? to show up where? do you mean in postconf output? if so, no it won't. postconf only shows builtin parameters. This is a known limitation. -- View this message in context: http://www.nabble.com/Why-I-set-a-specific-transport-parameter-not-show-up--tp20477927p20493144.html Sent from the Postfix mailing list archive at Nabble.com.
Re: How can setup a dedicated transport to slow down output-rate to yahoo in Postfix 2.3?
Jacky Chan: Victor Duchovni wrote: If your prorblem is output-rate or destination concurrency, you are using the wrong tool. As subject, yeap, I actually want to setup such kind of transport to avoid getting greylist from yahoo. As I know, Postfix 2.5 has destination_rate_delay, it can slow down the output-rate, right? But in Postfix 2.3, no such parameter provides, so how can it be setup? If it could be done, I would not have added it to 2.5. So I consider to setup a dedicated transport name: slow for yahoo Then add the following two parameters for this transport slow_destination_recipient_limit = 4 slow_desintation_concurrency_limit = 4 I would like to ask, does it enforce the following? 1. Postfix will split the messages by nrcpt (number of recipient) by 4 2. Only 4 concurrent connection will be made to yahoo at a time 3. My server will have 4 concurrent connection made to yahoo with maximun 4 nrcpt per message at a time (perhaps a second). This will not control the number of deliveries per time unit. Wietse
OpenLDAP version with Postfix?
What is the best OpenLDAP version to use with Postfix at the moment? I'm mainly wondering whether OpenLDAP 2.4 has any significant problem issues with Postfix? As always, thanks for any insights! Ville
Re: OpenLDAP version with Postfix?
On Thu, 13 Nov 2008 21:34:30 -0600 Ville Walveranta [EMAIL PROTECTED] wrote: What is the best OpenLDAP version to use with Postfix at the moment? I'm mainly wondering whether OpenLDAP 2.4 has any significant problem issues with Postfix? As always, thanks for any insights! In my Ubuntu Intrepid box, I use postfix-ldap and slapd 2.4.11-0ubuntu6 without any problem. Why do you say that OpenLDAP 2.4 has any significant problem? -- Tôba
Authenticating aginst ActiveDirectory?
There is very little on the topic on the web and on the Postfix Users archives. The little I find seems to imply it's very difficult to extract password information from AD (say, to sync to OpenLDAP). Since the last thread about this topic in this group is from last year, I'm asking whether a solution exists at this point. There is a product called PowerADvantage that would seem to do the job, but the fact that they don't post their prices on their website probably suggests that the cost is likely in four figures which exceeds the available budget (I'm checking with them anyway). The environment where I'd need this solution is small, with a dozen or so AD logins, and so I may just have to maintain the domain passwords separately from the mail passwords. AD will be kept around to facilitate resource sharing on the Windows LAN but the mail is moving from Exchange 2003 to Postfix as soon as possible. An OpenSource solution would be preferable, though on Windows/AD side a utility worth few hundred dollars might skirt the budget. Many thanks again for any advice!
RE: Authenticating aginst ActiveDirectory?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ville Walveranta Sent: Friday, 14 November 2008 3:27 PM To: Postfix users Subject: Authenticating aginst ActiveDirectory? There is very little on the topic on the web and on the Postfix Users archives. The little I find seems to imply it's very difficult to extract password information from AD (say, to sync to OpenLDAP). Since the last thread about this topic in this group is from last year, I'm asking whether a solution exists at this point. There is a product called PowerADvantage that would seem to do the job, but the fact that they don't post their prices on their website probably suggests that the cost is likely in four figures which exceeds the available budget (I'm checking with them anyway). The environment where I'd need this solution is small, with a dozen or so AD logins, and so I may just have to maintain the domain passwords separately from the mail passwords. AD will be kept around to facilitate resource sharing on the Windows LAN but the mail is moving from Exchange 2003 to Postfix as soon as possible. An OpenSource solution would be preferable, though on Windows/AD side a utility worth few hundred dollars might skirt the budget. Many thanks again for any advice! I'm sorry, why do you need to sync passwords to relay mail to your Exchange servers? To do relay recipient validation, you just need to do a simple LDAP lookup to the AD to verify valid email addresses. Since you only have a single Exchange server, you don't even need to do anything out of the ordinary with LDAP queries to specify the destination relay server for your recipients. If you want AD users to logon to *nix boxes (which is nothing to do with mail services), enable Services for Unix on the AD, and setup LDAP authentication for the specified users in PAM.
Re: Name service error
Jeffrey Shawn Klotz [EMAIL PROTECTED] wrote: I'm having DNS issues when delivering mail on a postfix server. The server seems to run fine for several hours. After a while, emails start to stay in the queue with the following error for all domains: postqueue -p *D63998D18BF88122 Thu Nov 13 20:19:58 [EMAIL PROTECTED] (Host or domain name not found. Name service error for name=att.blackberry.net type=MX: Host not found, try again) [EMAIL PROTECTED] * If I flush the queue (postqueue -f) mail starts to flow again and continues to clear the queue for several hours. The server does not seem to have DNS issues with other applications. NSLookup does not seem to have issues. What if you nslookup as the postfix user? What are the contents of your /etc/resolv.conf? What about /etc/nsswitch.conf or /etc/hosts? See the FAQ for clues: http://www.postfix.org/faq.html#delay. I don't think it's a postfix problem. Is there a way I can verify Postfix is able to perform DNS lookups? Is there a way to log more detailed information on the routing/delivery process. Isn't it performing DNS lookups just fine when delivering to other domains? Is this problem limited to att.blackberry.net or was that just one of many examples? Also see: http://www.postfix.org/DEBUG_README.html#mail. -- Sahil Tandon [EMAIL PROTECTED]
Re: Authenticating aginst ActiveDirectory?
On Thu, Nov 13, 2008 at 10:32 PM, MacShane, Tracy [EMAIL PROTECTED] wrote: I'm sorry, why do you need to sync passwords to relay mail to your Exchange servers? To do relay recipient validation, you just need to do a simple LDAP lookup to the AD to verify valid email addresses. Since you only have a single Exchange server, you don't even need to do anything out of the ordinary with LDAP queries to specify the destination relay server for your recipients. Actually there won't be an Exchange server any more; I'm replacing it with Postfix. It's a small environment and there isn't a dedicated server for Exchange available; it's been sharing a server with AD which is a bad idea in the first place. Since the users aren't using any of Exchange's extra features such as calendaring, there is no reason for why they couldn't access mail via IMAP on Postfix/Dovecot. I was aware of the possibility of exporting the user names (without authentication information) from AD to the front end, but it's not sufficient for login if the mail access takes also place on the Postfix server. If you want AD users to logon to *nix boxes (which is nothing to do with mail services), enable Services for Unix on the AD, and setup LDAP authentication for the specified users in PAM. Perhaps this mechanism could be used for the mail authentication as well in the above scenario. Postfix/Dovecot should be able to do LDAP authentication via PAM (http://www.dovecot.org/list/dovecot/2006-April/012454.html, http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam). Ville
OpenLDAP version with Postfix?
(copying the list; this went initially out to tôba only) I'm not aware of any any problems — I'm thinking that there probably would not be any, but various packages have prerequisites or support for 2.3 or 2.2. That is not to say, of course, that they wouldn't work with the latest version, and that's why I asked as I'm new to OpenLDAP. Good to hear it's working without any problems.. I generally like to use the latest versions of packages, so that's probably the way to go! Ville
RE: Authenticating aginst ActiveDirectory?
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ville Walveranta Sent: Friday, 14 November 2008 4:29 PM To: Postfix users Subject: Re: Authenticating aginst ActiveDirectory? On Thu, Nov 13, 2008 at 10:32 PM, MacShane, Tracy [EMAIL PROTECTED] wrote: I'm sorry, why do you need to sync passwords to relay mail to your Exchange servers? Actually there won't be an Exchange server any more; I'm replacing it with Postfix. It's a small environment and there isn't a dedicated server for Exchange available; it's been sharing a server with AD which is a bad idea in the first place. ... Ahah, light dawns. If you want AD users to logon to *nix boxes (which is nothing to do with mail services), enable Services for Unix on the AD, and setup LDAP authentication for the specified users in PAM. Perhaps this mechanism could be used for the mail authentication as well in the above scenario. Postfix/Dovecot should be able to do LDAP authentication via PAM (http://www.dovecot.org/list/dovecot/2006-April/012454.html, http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam). Ville Yes, I certainly haven't had any problem with Unix services when enabling regular logons to a *nix server via AD authentication (I haven't tried Postfix/Dovecot authentication myself, but there's plenty of info for that, as you have found). It should certainly make your solution a lot simpler to implement.
Body checks and warning log
I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email. I have a simple pcre body_check map that is logging a warning when it encounters a match. Unfortunately, the entire message line that triggers the warning is added to the mail log, naturally with the potential credit card number in plain text. cat /etc/postfix/body_checks.pcre /\b(?:\d[ -]*){13,16}\b/WARN Credit card number Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text 1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=[EMAIL PROTECTED] to=test.user mailto:[EMAIL PROTECTED] @ mailto:[EMAIL PROTECTED] domain.example.com proto=SMTP helo=server.example.com: Credit card number Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task.
Re: Body checks and warning log
This is probably a too complex solution but I mention it anyway. In late July there was a discussion here about rewriting the subject line. I'm using an external spam filtering service (Katharion), and if I choose spams to be delivered (rather than quarantined), they're tagged with **SPAM** in front of the original subject. That is ugly, so I wanted to remove it from the subject line and create X-Spam: yes header instead so that the spam mail could be deposited into the original recipient's Spam folder for easy searching for false positives. So... by using smtpprox it is possible to pull each email out of the queue for processing/mangling/investigating before re-injecting it back into the queue. It works for the inbound mail, so perhaps it would work for the outbound as well. That way you could write a small perl routine that would detect a credit card number anywhere in a message, record it in the log (or even in a database), and also make sure that c/c info is not stored in plaintext. It could even be expanded further to prevent the emails containing c/c info from going out and instead returning them to the sender with the c/c starred out and with a warning that c/c info should not be sent via emails. Ville
Re: Spamcop's position on backscatter
D G Teed wrote: On Thu, Nov 13, 2008 at 2:14 PM, mouss [EMAIL PROTECTED] wrote: We send non-delivery responses. if these are user does not exist or filter thinks this is spam/virus and the like, then you are a backscatter source. I don't think we send NDRs as emails originating here. I think we reject emails. Maybe you can tell me. I test emailed a bogus address at work from home. My home ISP's SMTP server sent back a NDR, not my work's MX server. Inside the NDR from my home ISP's SMTP, I see reference to the name of one of the workplace MX servers, but the Reporting-MTA is that of the home ISP, not work's MX. That's still backscatter even if it is your ISP that generates it. if you ISP can't get the list of valid email addresses, it is better not to use it as an MX (and use your server instead). some providers now discard such mail (do not generate NDRs) because of backscatter. not ideal, but backscatter is a real problem (you know that when you get hit by a backscatter storm). PS. In this case, it is the ISP server that may be listed, not yours. In this thread I've posted my postconf -n output. We user virtual_alias_maps and smtpd_client_restrictions = reject_unlisted_recipient is at the beginning of our list of restrictions. This causes email to be rejected for non-delivery. We do not relay to our Exchange or Cyrus server only to find out at that stage the email address does not exist. Our mapping file (virtual_alias_maps) is the complete list of all addresses and what final server they go to. [EMAIL PROTECTED][EMAIL PROTECTED] Does this not achieve the same result as using relay_recipient_maps ? it's ok on your server. but the problem is on your ISP server. it is relaying mail without knowing the list of your valid recipients.
Re: Spamcop's position on backscatter
Brian Evans - Postfix List wrote: D G Teed wrote: We user virtual_alias_maps and smtpd_client_restrictions = reject_unlisted_recipient is at the beginning of our list of restrictions. client restrictions are checked on connect. In the default setup (smtpd_delay_reject=yes), client, helo, sender and recipient restrictions are performed at RCPT TO stage. so it is ok. [snip]
Re: Body checks and warning log
MacShane, Tracy wrote: I'm trying to create a very simple body check for a limited time to get an indicative idea of how many users may be sending credit card numbers via email. I have a simple pcre body_check map that is logging a warning when it encounters a match. Unfortunately, the entire message line that triggers the warning is added to the mail log, naturally with the potential credit card number in plain text. cat /etc/postfix/body_checks.pcre /\b(?:\d[ -]*){13,16}\b/WARN Credit card number Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning: body text 1243 1211 1232 1232 blah blah from localhost.localdomain[127.0.0.1]; from=[EMAIL PROTECTED] to=test.user mailto:[EMAIL PROTECTED] @ mailto:[EMAIL PROTECTED] domain.example.com proto=SMTP helo=server.example.com: Credit card number Our security people are having wibbles about this logging regime, so I was wondering if there was some way to ensure the WARN action doesn't log the matched line (I can obviously append a truncated version of the apparent number with the optional text), or if there might be a better way to do this auditing task. you can use HOLD, then have a cron job to check the message and release it. Alternatively, you can use FILTER to pass the message to another smtpd. example: == body_checks: // FILTER filter:[127.0.0.1]:25666 == master.cf 127.0.0.1:25666 . smtpd -o syslog_name=postwatch -o receive_override_options=no_address_mappings -o mynetworks=127.0.0.1 -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions} ... == main.cf smtpd666_recipient_restrictions= check_client_access pcre:/etc/postfix/logcard permit_mynetworks reject == logcard /./ WARN credit card blah blah note that this will override your content filter setting. if you had one, then make sure it is used in the :25666 smtpd (either explicit -o content_filter=... in master.cf, or a content_filter=... in main.cf will do). PS. if you use clamav, check its Data Loss Protection feature.