Re: forwarding mail to another MX on same domain

[Ville Walveranta]

I just realized that this would not resolve the issue because the
remote MX would just redeliver it to the local server which is the
final destination of the domain. I'm probably better off with a simple
alias domain forward.

So while it's not worth considering how to tweak my specific
configuration, I'd still be curious to know why the transport map..

[EMAIL PROTECTED]smtp:mx.myexternaldomain.com

..produces a Relay access denied error. Does the relay access need
to be specifically allowed for that destination even though the
transport is internal by a mapping?

Ville

Re: Limiting header_checks by domain or interface

[mouss]

Ville Walveranta a écrit :
 Is it possible to limit header_checks either by recipient domain or by
 listening interface? I'd like to remove certain headers, but only from
 specific domains.
 

You can set a cleanup for each smtpd. something like this:

192.0.2.3:25    smtpd
-o cleanup_service_name=myothercleanup
...

myothercleanup unixn   -   n   -   0   cleanup
-o header_checks=pcre:/etc/postfix/myotherheaderchecks.pcre

Re: forwarding mail to another MX on same domain

[mouss]

Ville Walveranta a écrit :
 I just realized that this would not resolve the issue because the
 remote MX would just redeliver it to the local server which is the
 final destination of the domain. I'm probably better off with a simple
 alias domain forward.
 
 So while it's not worth considering how to tweak my specific
 configuration, I'd still be curious to know why the transport map..
 
 [EMAIL PROTECTED]smtp:mx.myexternaldomain.com
 
 ..produces a Relay access denied error. Does the relay access need
 to be specifically allowed for that destination even though the
 transport is internal by a mapping?
 



http://www.postfix.org/postconf.5.html#reject_unauth_destination

Re: forwarding mail to another MX on same domain

[Wietse Venema]

Ville Walveranta:
 I'll continue here since Krosrow's issue has been resolved (so I'm not
 really hijacking the thread).
 
 I now have the following defined in mailbox_transport_maps:
 
 [EMAIL PROTECTED]smtp:mx.myexternaldomain.com
 
 Yet when I attempt to send mail to the local system at
 [EMAIL PROTECTED] I get
 
 554 5.7.1 [EMAIL PROTECTED]: Relay access denied
 quit
 221 2.0.0 Bye
 
 Why?

For Postfix to accept mail for myexternaldomain.com, it must
be listed in (exactly) one of the following:

mydestination
virtual_alias_domains
virtual_mailbox_domains
relay_domains.

For more information see http://www.postfix.org/ADDRESS_CLASS_README.html.

Wietse

Re: Postfix and quota clarification

[Jose Ildefonso Camargo Tolosa]

Hi!

On Sat, Nov 22, 2008 at 9:53 PM, Wietse Venema [EMAIL PROTECTED] wrote:
 mouss:
 Rocco Scappatura a ?crit :
  Hello,
 
  I have a post-office platform based on
  Postfix-2.5.2+Courier-IMAP-4.0.1-Courier-authlib-0.53+MySQL-5.0.33.
 
  Can someone give some hint on how enable (and verify that works) quota
  on mailboxes?
 

 1- there is no quota support in postfix.

 However, Postfix supports access maps that can reject mail for
 over-quota users, if you are willing to periodically add up all
 the mail each user has.

I have been using filesystem quotas for this purpose, and it works
just fine.  Off course, I have a dedicated filesystem for mail
storage.


Wietse

 2- there is no safe quota support in any MTA. most quota implementations
 will send a bounce, which may resultin backscatter

true.  but quotas are necessary: the more disk space the users have,
the more garbage they store.

 3- if you can queue mail, you can deliver it ;-p
 4- disks don't cost too much now.

true, but when you have 10k users, the cost of each not so
expensive hard drive starts to add, and not only that, in a public
organization you can have wait-times of around 6 months just to get a
hard drive.  Oh, and don't forget: you have plug these hard drives
somewhere: every server has they hard drives limit, and you could
take a PC and lots of SATA controllers, and build a nice low-cost
NAS-like thing, but a few people qualify this as unreliable, they
need to spend lots of money on IBM or HP storage systems, and because
of the cost, they just don't buy them, and thus: we have a limited
amount of disk space :( .

 5- if your users abuse mail, destroy their heads, not ours.

 I don't think my boss let me do that, jejejeje :D

c-ya!

Ildefonso.

Re: Address Verification Header

[Noel Jones]

Jason Wohlford wrote:

On Nov 22, 2008, at 11:41 AM, Noel Jones wrote:
But regardless, if you want to evaluate the results of the 
verification outside of postfix, you really need to do the 
verification probes outside of postfix.



Yes, but I trust postfix. I have some hope of hacking a perl script to 
integrate with spamassassin. I got no hope of writing my own verify.


Unfortunately, I don't see a clear solution.



There isn't a clear solution.  Your best bets are to either 
hack postfix to insert the results of the probe in a header 
(might not be too hard...  all the pieces are there already), 
or to forget it.


--
Noel Jones

Use of permit_inet_interfaces?

[Ville Walveranta]

I now have

smtpd_client_restrictions =
permit_mynetworks
permit_inet_interfaces
check_client_access hash:$config_directory/tables/smtpd_client_access
reject

smtpd_client_restrictions_katharion =
permit_mynetworks
permit_sasl_authenticated
check_client_access
hash:$config_directory/tables/smtpd_client_access_katharion
reject

The latter restricts an interface in master.cf to the relay servers of
an external spam-filtering service:

192.168.1.97:25  inet n -   n   -   -   smtpd
   -o smtpd_client_restrictions=${smtpd_client_restrictions_katharion}
   -o smtpd_recipient_restrictions=${smtpd_recipient_restrictions_katharion}
   -o cleanup_service_name=cleanup_katharion

I was under the impression that `permit_inet_interfaces' in
smtpd_client_restrictions would've allowed requests coming *through*
the inet_interfaces (currently defined as 127.0.0.1, 192.168.1.99 –
still in the testing environment) but not from the additional
interface created in master.cf as 192.168.1.97. But apparently this is
not the case; apparently permit_inet_interfaces allows the request
when its IP matches that _of_ the interface, i.e. in this case
127.0.0.1 or 192.168.1.99. When would a request match one of those?
What, in other words, is the use for permit_inet_interfaces?

Since I'm interested in matching the remote clients, I think I need to
create a restriction like the smtpd_client_access_katharion, but in
reverse so that any other client is allowed on the public interface
but not one of the spam filtering service (though nobody is going to
violate that rule so it's a bit of a moot point).

Ville

Re: forwarding mail to another MX on same domain

[Ville Walveranta]

Couple of messages earlier in this thread I posted the following pcre
smtpd_recipient_access table:

# reject domains that are served by Katharion
# on the generic smtpd interface
/(@virtualdomain1\.com|
 @virtualdomain2\.com|
 @virtualdomain3\.com|
 @virtualdomain4\.com|
 @virtualdomain5\.com)$/  REJECT

That was of wrong format. In case someone is reading this later in the
archives, here's the corrected version:

/virtualdomain1\.com$/  REJECT
/virtualdomain2\.com$/  REJECT
/virtualdomain3\.com$/  REJECT
/virtualdomain4\.com$/  REJECT
/virtualdomain5\.com$/  REJECT

PCRE statements can't be broken on multiple lines, of course, so if
there are many items on the list it's better to break up the boolean
statement. Also, I had initially (though not in the earlier post)..

/^/ OK

.. in the end, thinking that the ones that are not explicitly rejected
should be allowed in the context of this PCRE table. But since the
table is called from smtpd_recipient_restrictions, such a statement
creates an open relay.

Ville