Re: Limiting header_checks by domain or interface

2008-11-25 Thread Янченко Игорь
Ville Walveranta writes:
 Is it possible to limit header_checks either by recipient domain or by
 listening interface? I'd like to remove certain headers, but only from
 specific domains.
 
 Ville
something like this:
main.cf:
...
header_checks = regexp:$config_directory/header_checks
...
smtpd_recipient_restrictions =
...
check_client_access hash:$config_directory/whitelist
permit_mynetworks
check_recipient_access regexp:$config_directory/must_header_checks
...
...

must_header_checks:
/.*/    FILTER smtp:[127.0.0.1]:10025

master.cf:
...
smtp  inet  n   -   n   -   -   smtpd
-o receive_override_options=no_header_body_checks
-o header_checks=


127.0.0.1:10025 inet n  -   n   -   -   smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks
...


-- 
Regards, Янченко Игорь
email: mailto:[EMAIL PROTECTED]
jabber: xmpp://[EMAIL PROTECTED]
SKIF ISP
IGR0-UANIC


Re: Postfix listening on 25, unable to telnet to 25 - my first config

2008-11-25 Thread Samy Ascha, Xel Media B.V.

Hey,

Have you actually tried telnetting from other locations? I see you live in the Netherlands, where it is common for ISPs to block this port to all destinations other than their own SMTP servers.


I think this is kind of fascist, but it does, somewhat, limit zombies from sending spam through regular channels.


Whenever I need to do some manual SMTP'ing over a telnet connection, I first log in to another host, somewhere in our public network, rather than doing it from my workstation/laptop. It sucks a bit, but I got used to it and just hope this helps prevent some SPAM being sent.


Samy

On Nov 25, 2008, at 8:43 AM, Michael De Groote wrote:

if you're connecting from a windoze machine, check the firewall (and antivirus, netsecurity, whatever crappy stuff) settings of the windoze machine. I've seen instances where outgoing connections to port 25 were being blocked by some Symantec product, or even the windoze firewall itself... (iirc)





Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven


On Fri, Nov 21, 2008 at 9:19 AM, Olivier MJ Crepin-Leblond [EMAIL PROTECTED] wrote:
Also check SElinux if you are running this. It may prevent changes  
to the port config from taking place.

You can see entries in the logfile called /var/log/messages

Regards,

Olivier

--
Olivier MJ Crepin-Leblond, Ph.D
Global Information Highway Ltd
http://www.gih.com/ocl.html
- Original Message -
From: D G Teed
To: Paul Cocker
Cc: postfix users list
Sent: Friday, November 21, 2008 2:47 AM
Subject: Re: Postfix listening on 25, unable to telnet to 25 - my first config



Paul Cocker wrote:


Definitely nothing in between, of that I'm certain.

Are there any tools which will give me more information about attempts to connect to a port on a remote host?
use tcpdump for that purpose

please try

$ telnet $IP_OF_SMTP_HOST 25

and show exactly what you get


I ran windump in the background and did a telnet to the IP; however, a findstr on the output file contains no matches. If I do the same thing using the server name, the only matching output in the dump is when the server performs a name lookup; after that there are no matching entries by IP or name.

Am I doing something wrong?

There are a few things that can make postfix listen only locally.

One is firewall.  You say it isn't an issue.

On the postfix machine, if it is a Unix machine, use lsof -Pni to
verify what ports and addresses master is listening on.

If it is only listening to 127.0.0.1 then you have a problem with
inet_interfaces, or else the look up of the host name listed
in inet_interfaces.  On many Linux machines, the host
resolution order is hosts, dns, and so a bad entry
on /etc/hosts can sting you.

Make sure you don't have 127.0.0.1 set up with the internet host name of the server in /etc/hosts. It should be only localhost next to 127.0.0.1. I've seen Redhat installs with this messed up.

--Donald










Re: forwarding mail to another MX on same domain

2008-11-25 Thread Ville Walveranta
On Sun, Nov 23, 2008 at 3:35 AM, mouss [EMAIL PROTECTED] wrote:
 As Henrik says, you can break them with /x.

Got it to work after realizing a blank space is needed in front of the
continuation lines...

 Note that in this example, pcre is too much. a hash (or cdb) will do fine:

 virtualdomain1.com  REJECT
 virtualdomain2.com  REJECT

There is another (PCRE) clause in the file to prepend a header, though
I suppose I could split it in two files since cdbs are faster to
discern domains.

 .. in the end, thinking that the ones that are not explicitly rejected
 should be allowed in the context of this PCRE table. But since the
 table is called from smtpd_recipient_restrictions, such a statement
 creates an open relay.
 it doesn't look like you need that line anyway (you want to continue
 processing other checks, no?).

 Anyway, when such checks are to be performed before
 reject_unauth_destination, it is safer to put them in
 smtpd_sender_restrictions.

Correct. But does Postfix know about the recipient information at
smtpd_sender_restrictions stage to check for recipient access? I
should re-read the stage document but it seems, if I remember
correctly, that both the sender and recipient information are
validated at the same time (i.e. a failed smtpd_sender_restrictions
check doesn't produce an error until after RCPT TO has been issued).

Ville


Re: Preventing local forwarding for some local domains

2008-11-25 Thread Ville Walveranta
Thanks Victor.. I'll give that a try. With my first attempt I managed
to create a loop of some kind, but after re-reading your description I
think I know what caused it. One thing I wanted to clarify is the
transport map definition. Does the domain name that comes after
smtp: need to be the external filtering service's MX directly, or a
domain name whose MX records point to the external filtering service's
MX?

Ville


Reject Non-Ascii characters

2008-11-25 Thread bijayant kumar
Hello to list,

I am using postfix-2.5.5 on a Gentoo box in a virtual domain environment. Some of my users just copy-paste email addresses that contain non-ASCII characters into their recipient lists, which delays mail for other users because it gets stuck in amavis. I am trying to reject these kinds of mails before they enter Postfix. I am trying to achieve this in my test scenario with a setup like:

smtpd_recipient_restrictions =
check_sender_access pcre:/etc/postfix/ascii.pcre
permit_mynetworks
...

cat /etc/postfix/ascii.pcre
/[^[:ascii:]]/  REJECT  Non-Ascii Characters

But I am not able to block them. My Postfix is accepting this mail. I am testing with addresses like test @test.com [EMAIL PROTECTED] test@test.com and likewise.

Here is my postconf -n

command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, 
mail.$mydomain, www.$mydomain, ftp.$mydomain
mydomain = .blr
myhostname = bijayant..blr
mynetworks = 192.168.99.0/24, 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = check_sender_access pcre:/etc/postfix/ascii.pcre 
permit_mynetworks reject
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:1016
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:1006

postconf -m

btree
cidr
environ
hash
mysql
pcre
proxy
regexp
static
unix

Please help me out.
Bijayant Kumar




Re: Reject Non-Ascii characters

2008-11-25 Thread mouss
bijayant kumar wrote:
 Hello to list,
 
 I am using postfix-2.5.5 on a Gentoo box in a virtual domain environment. Some of my users just copy-paste email addresses that contain non-ASCII characters into their recipient lists, which delays mail for other users because it gets stuck in amavis. I am trying to reject these kinds of mails before they enter Postfix. I am trying to achieve this in my test scenario with a setup like:
 
 smtpd_recipient_restrictions =
 check_sender_access pcre:/etc/postfix/ascii.pcre
 permit_mynetworks
 ...
 
 cat /etc/postfix/ascii.pcre
 /[^[:ascii:]]/  REJECT  Non-Ascii Characters
 
 But I am not able to block them. My Postfix is accepting this mail. I am testing with addresses like test @test.com [EMAIL PROTECTED] test@test.com and likewise.
 

I see no non-ascii chars there. try [EMAIL PROTECTED] (accented 'e'
there).

do you know that most chars are valid in addresses? you can restrict the
chars used in your own addresses of course.

what is the problem exactly? what gets stuck in amavis?



Re: forwarding mail to another MX on same domain

2008-11-25 Thread mouss
Ville Walveranta wrote:
 On Sun, Nov 23, 2008 at 3:35 AM, mouss [EMAIL PROTECTED] wrote:
 As Henrik says, you can break them with /x.
 
 Got it to work after realizing a blank space is needed in front of the
 continuation lines...
 
 Note that in this example, pcre is too much. a hash (or cdb) will do fine:

 virtualdomain1.com  REJECT
 virtualdomain2.com  REJECT
 
 There is another (PCRE) clause in the file to prepend a header, though
 I suppose I could split it in two files since cdbs are faster to
 discern domains.
 
 .. in the end, thinking that the ones that are not explicitly rejected
 should be allowed in the context of this PCRE table. But since the
 table is called from smtpd_recipient_restrictions, such a statement
 creates an open relay.
 it doesn't look like you need that line anyway (you want to continue
 processing other checks, no?).

 Anyway, when such checks are to be performed before
 reject_unauth_destination, it is safer to put them in
 smtpd_sender_restrictions.
 
 Correct. But does Postfix know about the recipient information at
 smtpd_sender_restrictions stage to check for recipient access? I
 should re-read the stage document but it seems, if I remember
 correctly, that both the sender and recipient information are
 validated at the same time (i.e. a failed smtpd_sender_restrictions
 check doesn't produce an error until after RCPT TO has been issued).
 

yes, in the default setup (smtpd_delay_reject=yes).



Re: Reject Non-Ascii characters

2008-11-25 Thread bijayant kumar
Thanks For the reply.
I did as suggested, but Postfix accepted this mail also and then rejects it, complaining:
 Recipient address rejected: User unknown in virtual mailbox table; 
from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=localhost

It should not accept the mail, right?

Some days ago at my original amavis server logs I observed some strange lines 
like
(16188-21) WARN: address modified (recip): [EMAIL PROTECTED] - 
\240singh.richa09@gmail.com

(16188-21) (!) lookup_sql: sql exec: err=7, 22021, DBD::Pg::st execute failed: 
ERROR:  invalid byte sequence for encoding UTF8: 0xa0\nHINT:  This error can 
also happen if the byte sequence does not match the encoding expected by the 
server, which is controlled by client_encoding., 7, ERROR:  invalid byte 
sequence for encoding UTF8: 0xa0\nHINT:  This error can also happen if the 
byte sequence does not match the encoding expected by the server, which is 
controlled by client_encoding.\n

(16188-21) (!!) TROUBLE in process_request: sql exec: err=7, 22021, DBD::Pg::st 
execute failed: ERROR:  invalid byte sequence for encoding UTF8: 0xa0\nHINT:  
This error can also happen if the byte sequence does not match the encoding 
expected by the server, which is controlled by client_encoding. at (eval 64) 
line 264, GEN201 line 12.

(16188-21) (!) Requesting process rundown after fatal error
 TIMING [total 9 ms] - bdb-open: 9 (100%)100, rundown: 0 (0%)100
(16744-07) WARN: address modified (recip): [EMAIL PROTECTED] - 
\240nitin07.sharma@gmail.com

(16744-07) (!) lookup_sql: sql exec: err=7, 22021, DBD::Pg::st execute failed: 
ERROR:  invalid byte sequence for encoding UTF8: 0xa0\nHINT:  This error can 
also happen if the byte sequence does not match the encoding expected by the 
server, which is controlled by client_encoding., 7, ERROR:  invalid byte 
sequence for encoding UTF8: 0xa0\nHINT:  This error can also happen if the 
byte sequence does not match the encoding expected by the server, which is 
controlled by client_encoding.\n

I did google this error and found that this happens because the recipient's email-id contains some non-ASCII characters, and found that RFC822 and RFC821 do not allow these characters in the headers. So we decided to reject these mails at the Postfix level itself. But as I stated earlier, I am not able to do so.


Bijayant Kumar


--- On Tue, 25/11/08, mouss [EMAIL PROTECTED] wrote:

 From: mouss [EMAIL PROTECTED]
 Subject: Re: Reject Non-Ascii characters
 To: postfix postfix-users@postfix.org
 Date: Tuesday, 25 November, 2008, 4:42 PM
 bijayant kumar wrote:
  Hello to list,
  
  I am using postfix-2.5.5 on a Gentoo box in a virtual domain environment. Some of my users just copy-paste email addresses that contain non-ASCII characters into their recipient lists, which delays mail for other users because it gets stuck in amavis. I am trying to reject these kinds of mails before they enter Postfix. I am trying to achieve this in my test scenario with a setup like:
  
  smtpd_recipient_restrictions =
  check_sender_access
 pcre:/etc/postfix/ascii.pcre
  permit_mynetworks
  ...
  
  cat /etc/postfix/ascii.pcre
  /[^[:ascii:]]/  REJECT  Non-Ascii Characters
  
  But I am not able to block them. My Postfix is accepting this mail. I am testing with addresses like test @test.com [EMAIL PROTECTED] test@test.com and likewise.
  
 
 I see no non-ascii chars there. try
 [EMAIL PROTECTED] (accented 'e'
 there).
 
 do you know that most chars are valid in addresses? you can
 restrict the
 chars used in your own addresses of course.
 
 what is the problem exactly? what gets stuck in
 amavis?




Re: Postfix listening on 25, unable to telnet to 25 - my first config

2008-11-25 Thread Samy Ascha, Xel Media B.V.

Hmm..

I think I was mistakenly replying to Michael as the original poster, but he was not. So, if OP does not live in the Netherlands, plz disregard my previous post ;]


On Nov 25, 2008, at 11:20 AM, Samy Ascha, Xel Media B.V. wrote:


Hey,

Have you actually tried telnetting from other locations? I see you live in the Netherlands, where it is common for ISPs to block this port to all destinations other than their own SMTP servers.


I think this is kind of fascist, but it does, somewhat, limit zombies from sending spam through regular channels.


Whenever I need to do some manual SMTP'ing over a telnet connection, I first log in to another host, somewhere in our public network, rather than doing it from my workstation/laptop. It sucks a bit, but I got used to it and just hope this helps prevent some SPAM being sent.


Samy

On Nov 25, 2008, at 8:43 AM, Michael De Groote wrote:

if you're connecting from a windoze machine, check the firewall (and antivirus, netsecurity, whatever crappy stuff) settings of the windoze machine. I've seen instances where outgoing connections to port 25 were being blocked by some Symantec product, or even the windoze firewall itself... (iirc)





Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven


On Fri, Nov 21, 2008 at 9:19 AM, Olivier MJ Crepin-Leblond [EMAIL PROTECTED] wrote:
Also check SElinux if you are running this. It may prevent changes  
to the port config from taking place.

You can see entries in the logfile called /var/log/messages

Regards,

Olivier

--
Olivier MJ Crepin-Leblond, Ph.D
Global Information Highway Ltd
http://www.gih.com/ocl.html
- Original Message -
From: D G Teed
To: Paul Cocker
Cc: postfix users list
Sent: Friday, November 21, 2008 2:47 AM
Subject: Re: Postfix listening on 25, unable to telnet to 25 - my first config



Paul Cocker wrote:


Definitely nothing in between, of that I'm certain.

Are there any tools which will give me more information about attempts to connect to a port on a remote host?
use tcpdump for that purpose

please try

$ telnet $IP_OF_SMTP_HOST 25

and show exactly what you get


I ran windump in the background and did a telnet to the IP; however, a findstr on the output file contains no matches. If I do the same thing using the server name, the only matching output in the dump is when the server performs a name lookup; after that there are no matching entries by IP or name.

Am I doing something wrong?

There are a few things that can make postfix listen only locally.

One is firewall.  You say it isn't an issue.

On the postfix machine, if it is a Unix machine, use lsof -Pni to
verify what ports and addresses master is listening on.

If it is only listening to 127.0.0.1 then you have a problem with
inet_interfaces, or else the look up of the host name listed
in inet_interfaces.  On many Linux machines, the host
resolution order is hosts, dns, and so a bad entry
on /etc/hosts can sting you.

Make sure you don't have 127.0.0.1 set up with the internet host name of the server in /etc/hosts. It should be only localhost next to 127.0.0.1. I've seen Redhat installs with this messed up.

--Donald













Using multiple ip addresses to prevent ratelimits

2008-11-25 Thread ram
Our clients set up their mail forwarding to BlackBerry servers. The BlackBerry server is doing a rate limit and mails get held up on our servers.

I can easily configure multiple IP addresses on the machine. Can I configure Postfix to send using different bind addresses?

I know I can change the smtp_bind_address parameter through a script, but that seems stupid, having to restart Postfix every time.

Also, we can never evenly spread out the mails through different IPs.







Re: Reject Non-Ascii characters

2008-11-25 Thread Mark Martinec
On Tuesday 25 November 2008 12:26:17 bijayant kumar wrote:
 Some days ago at my original amavis server logs I observed some strange
 lines like (16188-21) WARN: address modified (recip):
 [EMAIL PROTECTED] - \240singh.richa09@gmail.com

 (16188-21) (!) lookup_sql: sql exec: err=7, 22021, DBD::Pg::st execute
 failed: ERROR: invalid byte sequence for encoding UTF8: 0xa0

See amavisd-new-2.6.0 release notes,
search for invalid byte sequence for encoding

(either set $sql_allow_8bit_address to false, or ALTER sql tables as
described there; use a recent version of amavisd-new: 2.6.1 or 2.6.2-rc1)

  Mark


Re: Preventing local forwarding for some local domains

2008-11-25 Thread Barney Desmond
Ville Walveranta wrote:
 Does the domain name that comes after
 smtp: need to be the external filtering service's MX directly, or a
 domain name whose MX records point to the external filtering service's
 MX?

It can be either, as documented here under Result Format.
http://www.postfix.org/transport.5.html

# performs MX lookup
example.com  smtp:filtering-service.com

# suppresses lookup, attempts to resolve the hostname directly
example.com  smtp:[mx01.filtering-service.com]

You probably want the first one, they could change the DNS without warning.





Re: Reject Non-Ascii characters

2008-11-25 Thread bijayant kumar


Bijayant Kumar


--- On Tue, 25/11/08, Mark Martinec [EMAIL PROTECTED] wrote:

 From: Mark Martinec [EMAIL PROTECTED]
 Subject: Re: Reject Non-Ascii characters
 To: postfix-users@postfix.org
 Date: Tuesday, 25 November, 2008, 5:45 PM
 On Tuesday 25 November 2008 12:26:17 bijayant kumar wrote:
  Some days ago at my original amavis server logs I
 observed some strange
  lines like (16188-21) WARN: address modified (recip):
  [EMAIL PROTECTED] -
 \240singh.richa09@gmail.com
 
  (16188-21) (!) lookup_sql: sql exec: err=7, 22021,
 DBD::Pg::st execute
  failed: ERROR: invalid byte sequence for encoding
 UTF8: 0xa0
 
 See amavisd-new-2.6.0 release notes,
 search for invalid byte sequence for encoding
 
 (either set $sql_allow_8bit_address to false, or ALTER sql
 tables as
 described there; use a recent version of amavisd-new: 2.6.1
 or 2.6.2-rc1)
 
I could not upgrade the amavis server right now because we don't have any standby server to do the same. That's why I chose the check_sender_access option of Postfix, so that these mails could not enter Postfix itself. But somehow it's not happening.
   Mark




Re: Reject Non-Ascii characters

2008-11-25 Thread Barney Desmond
bijayant kumar wrote:
 Thanks For the reply.
 I did as suggested but postfix accepted this mail also and then rejects 
 complaining 
  Recipient address rejected: User unknown in virtual mailbox table; 
 from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=localhost
 
 It should not accepts the mail right?

You appear to be checking the wrong thing. You showed us this:

 smtpd_recipient_restrictions =
 check_sender_access
 pcre:/etc/postfix/ascii.pcre
 permit_mynetworks

But your test there is using check_sender_access. Add a check for
check_recipient_access using the same PCRE table as well and test again.





Re: Using multiple ip addresses to prevent ratelimits

2008-11-25 Thread Barney Desmond
ram wrote:
 Our clients set up their mail forwarding to blackberry servers 
 The blackberry server is doing a ratelimit and mails get held up on our
 servers 
 
 I can easily configure multiple IP addresses on the machine. Can I
 configure postfix to send using different bind addresses 
 
 I know I can change the smtp_bind_address parameter through a script but
 that seems stupid having to restart postfix everytime 
 
 Also we can never evenly spread out the mails thru different IPS 


I don't believe there's an easy solution. This problem comes up
reasonably frequently and is probably the bane of every mailserver
admin's existence.

You'd think you could create extra smtp-service instances in master.cf
and bind them to different addresses with -o smtp_bind_address=a.b.c.d,
then use transport maps to fiddle with them, but this apparently doesn't
work.

You can easily run multiple instances of postfix on the one machine, but
that still doesn't solve the problem of distributing the mail in a
round-robin manner, unless you want to use DNS round-robin'ing, and rely
on postfix doing a new lookup for every message, and not sending too
many messages in one connection to the instance, and... it's not really
sane.

Of course the right thing is for the blackberry servers not to
rate-limit you. Meanwhile, I still want a pony and a million bucks...

P.S. My apologies if this is inaccurate; things may have changed in more
recent versions, but I believe this is correct at least for v2.3 (latest
RHEL/Centos).





Re: Using multiple ip addresses to prevent ratelimits

2008-11-25 Thread Wietse Venema
ram:
 Our clients set up their mail forwarding to blackberry servers 
 The blackberry server is doing a ratelimit and mails get held up on our
 servers 
 
 I can easily configure multiple IP addresses on the machine. Can I
 configure postfix to send using different bind addresses 
 
 I know I can change the smtp_bind_address parameter through a script but
 that seems stupid having to restart postfix everytime 
 
 Also we can never evenly spread out the mails thru different IPS 

There is an example in QSHAPE_README that implements delays with
a non-responding destination plus smtp_fallback_relay. This might
do the job for Postfix < 2.5.

Postfix 2.5 has outbound rate limits per destination.

http://www.postfix.org/postconf.5.html#default_destination_rate_delay

You would use something like

/etc/postfix/main.cf:
smtp_destination_rate_delay=60

Or some other delay. This delay is enforced by the queue manager.

Wietse


Re: Hiding Internal Mail Servers

2008-11-25 Thread Sturgis, Grant
On Mon, 2008-11-24 at 17:26 -0700, Wietse Venema wrote:
 Sturgis, Grant:
  Hey all,
 
  I'm trying to hide our internal mail servers from the message
 headers of
  outbound email.  I've done some reading about this and have found
 two
  solutions:
  2.  Use header_checks like this
  http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html
 
 This removes Received: message headers, without changing email
 addresses.
 
 Wietse

Many thanks.  So I added this:

/^received: / IGNORE
/^X-Sender: / IGNORE

as a header_check and tested by sending a mail to hotmail.com.  It never
arrived, so I'm guessing they are dropping the message?  If I comment
out those lines and reload postgres it works fine.

So, is this the best way to hide internal mail servers? 


 
 

This electronic message transmission is a PRIVATE communication which
contains information which may be confidential or privileged. The
information is intended to be for the use of the individual or entity
named above. If you are not the intended recipient, please be aware that
any disclosure, copying, distribution or use of the contents of this
information is prohibited. Please notify the sender  of the delivery
error by replying to this message, or notify us by telephone
(877-633-2436, ext. 0), and then delete it from your system.


Re: Hiding Internal Mail Servers

2008-11-25 Thread Sturgis, Grant
On Tue, 2008-11-25 at 11:32 -0700, Sturgis, Grant wrote:
 On Mon, 2008-11-24 at 17:26 -0700, Wietse Venema wrote:
  Sturgis, Grant:
   Hey all,
  
   I'm trying to hide our internal mail servers from the message
  headers of
   outbound email.  I've done some reading about this and have found
  two
   solutions:
   2.  Use header_checks like this
  
 http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html
 
  This removes Received: message headers, without changing email
  addresses.
 
  Wietse
 
 Many thanks.  So I added this:
 
 /^received: / IGNORE
 /^X-Sender: / IGNORE
 
 as a header_check and tested by sending a mail to hotmail.com.  It
 never
 arrived, so I'm guessing they are dropping the message?  If I comment
 out those lines and reload postgres it works fine.

excuse me, that is reload postfix...

 
 So, is this the best way to hide internal mail servers?
 




Re: Hiding Internal Mail Servers

2008-11-25 Thread mouss
Sturgis, Grant wrote:
 On Mon, 2008-11-24 at 17:26 -0700, Wietse Venema wrote:
 Sturgis, Grant:
 Hey all,

 I'm trying to hide our internal mail servers from the message
 headers of
 outbound email.  I've done some reading about this and have found
 two
 solutions:
 2.  Use header_checks like this
 http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html
 This removes Received: message headers, without changing email
 addresses.

 Wietse
 
 Many thanks.  So I added this:
 
 /^received: / IGNORE
 /^X-Sender: / IGNORE

don't do that. only remove selected headers. make your expressions as
precise as possible. only remove the headers that contain infos about
internal hosts. and it may be better to use REPLACE so that the infos
are modified, such as replacing 192.168.1.x by 10.3.6.x... etc. and if
you are worried about someone being able to retrieve the original IP,
then use an expression for each internal server.

 
 as a header_check and tested by sending a mail to hotmail.com.  It never
 arrived, so I'm guessing they are dropping the message?  If I comment
 out those lines and reload postgres it works fine.
 

s/postgres/postfix  ;-p

I guess many spam filters won't like seeing a message without relay
received headers. if it's this, then you may need to use REPLACE instead
of IGNORE.

 So, is this the best way to hide internal mail servers? 
 

well, if you modify the message, you may trigger spam rules that try to
detect forged mail... so caution is needed here.

it is easier to let the internal headers get out...




Re: Hiding Internal Mail Servers

2008-11-25 Thread Wietse Venema
Sturgis, Grant:
 I'm trying to hide our internal mail servers from the message headers of
 outbound email.  I've done some reading about this and have found two
 solutions:
...
 2.  Use header_checks like this
 http://www.nabble.com/Hide-internal-address-(Postfix)-td2300995.html

Wietse Venema:
 This removes Received: message headers, without changing email
 addresses.

Sturgis, Grant:
 Many thanks.  So I added this:
 
 /^received: / IGNORE
 /^X-Sender: / IGNORE

This removes ALL Received: headers. That is a bit drastic. You
could use a REPLACE action to sanitize IP address and hostname
information. 

See: http://www.google.com/search?q=postfix+replace+received

 as a header_check and tested by sending a mail to hotmail.com.  It
 never arrived, so I'm guessing they are dropping the message?  If I comment

Hotmail does with your email whatever they want.

Wietse
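The REPLACE approach that both replies above recommend, as an added example that is not from the thread: a Python model of a header_checks rule that rewrites only the Received: headers exposing internal hosts, next to the posted IGNORE rule for comparison. The sample headers, the internal hostname pattern and the placeholder values are constructed for this demo.

```python
"""Added example (not from the thread): a Python model of the header_checks
REPLACE approach suggested above, rewriting only Received: headers that
expose internal hosts instead of IGNOREing every Received: header.

Constructed for this demo: the sample headers, the internal hostname
pattern (one expression per internal naming scheme), and the placeholder
the internal details are replaced with.
"""
import ipaddress
import re

# Client clause written by Postfix and most MTAs: "from <helo> (<rdns> [<ip>])"
RECEIVED_FROM = re.compile(
    r"^(?P<prefix>Received:\s+from\s+)(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)?\s*\[(?:IPv6:)?(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

# Only these ranges count as internal; documentation ranges such as 203.0.113.0/24
# are deliberately not included, so external relays keep their real details.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed: one expression per internal naming scheme, as the thread suggests.
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.corp\.internal\b")

PLACEHOLDER_HOST = "relay.internal.invalid"          # constructed placeholder
PLACEHOLDER_CLIENT = f"{PLACEHOLDER_HOST} ({PLACEHOLDER_HOST} [127.0.0.1])"


def is_internal(ip_text):
    """True when the address falls in one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def sanitize_received(header):
    """REPLACE-style rewrite of one logical header: the relay hop stays in the
    chain, but an internal client clause and any internal hostnames are
    replaced.  Headers that are not Received: headers are returned unchanged."""
    m = RECEIVED_FROM.match(header)
    if not m:
        return header
    out = header
    if is_internal(m.group("ip")):
        out = m.group("prefix") + PLACEHOLDER_CLIENT + header[m.end():]
    return INTERNAL_HOST_RE.sub(PLACEHOLDER_HOST, out)


def sanitize_headers(headers):
    """Apply the rewrite to each logical header (folded lines already joined),
    which is the unit header_checks works on."""
    return [sanitize_received(h) for h in headers]


def drop_received(headers):
    """The posted IGNORE rule for comparison: every Received: header disappears."""
    return [h for h in headers if not re.match(r"received:", h, re.IGNORECASE)]


# Constructed outbound message: two internal hops, then an external relay hop.
SAMPLE_HEADERS = [
    "Received: from mx1.example.net (mx1.example.net [203.0.113.10])\n"
    "\tby gw.example.com (Postfix) with ESMTP id 4ABCD; Tue, 25 Nov 2008 11:32:00 -0700",
    "Received: from exch01.corp.internal (exch01.corp.internal [192.168.1.25])\n"
    "\tby gw.example.com (Postfix) with ESMTP id 4ABCE; Tue, 25 Nov 2008 11:31:58 -0700",
    "Received: from [10.3.6.77] (unknown [10.3.6.77])\n"
    "\tby exch01.corp.internal with ESMTP; Tue, 25 Nov 2008 11:31:57 -0700",
    "From: grant@example.com",
    "Subject: test",
]

if __name__ == "__main__":
    for h in sanitize_headers(SAMPLE_HEADERS):
        print(h)
```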


Re: backscatter with virtual domain

2008-11-25 Thread Quanah Gibson-Mount
--On Friday, November 21, 2008 7:49 PM -0800 Quanah Gibson-Mount 
[EMAIL PROTECTED] wrote:



So, I'm guessing not breaking recipient validation means adding aliases,
which I can't do, or the above bit about the domain and query, which I
also apparently can't do.  I'll look into a policy service, thanks!


Ok, I've written a simple perl script policy service, that queries our LDAP 
server if they are using an alias domain, and verifies the recipient 
account exists.  If it does, it returns dunno as the action to take.


What's the correct action to take if the account doesn't exist?  Currently 
I have defer_if_permit Service temporarily unavailable.


Our smtpd_recipient_restrictions are: reject_non_fqdn_recipient, 
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, 
reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, 
check_policy_service unix:private/policy, permit



Finally, although I can test the script just fine from the command line, 
I'm not 100% sure postfix is actually executing it.  I added to master.cf:


policy  unix  -   n   n   -   0   spawn
  user=nobody argv=/usr/bin/perl /opt/zimbra/libexec/zmpostfixpolicyd -v


and I modified the smtpd_recipient_restrictions as above, plus added 
policy_time_limit = 3600 to main.cf.


I verified the unix socket exists:

[EMAIL PROTECTED] spool]# cd /opt/zimbra/data/postfix/spool/private/
[EMAIL PROTECTED] private]# ls -l policy
srw-rw-rw- 1 postfix postfix 0 Nov 25 11:59 policy

We have: queue_directory = /opt/zimbra/data/postfix/spool so that should be 
the correct location.


However, when I connect to the SMTP port and send an email to a user, I 
don't see that zmpostfixpolicyd is run.  Shouldn't it be running on all 
emails that come in, regardless of whether or not it takes action?


Thanks!

--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: backscatter with virtual domain

2008-11-25 Thread Victor Duchovni
On Tue, Nov 25, 2008 at 02:14:10PM -0800, Quanah Gibson-Mount wrote:

 --On Friday, November 21, 2008 7:49 PM -0800 Quanah Gibson-Mount 
 [EMAIL PROTECTED] wrote:
 
 So, I'm guessing not breaking recipient validation means adding aliases,
 which I can't do, or the above bit about the domain and query, which I
 also apparently can't do.  I'll look into a policy service, thanks!
 
 Ok, I've written a simple perl script policy service, that queries our LDAP 
 server if they are using an alias domain, and verifies the recipient 
 account exists.  If it does, it returns dunno as the action to take.
 
 What's the correct action to take if the account doesn't exist?  Currently 
 I have defer_if_permit Service temporarily unavailable.

A hard REJECT seems more reasonable for invalid recipient addresses.

REJECT 5.1.1 Mailbox unavailable

 Our smtpd_recipient_restrictions are: reject_non_fqdn_recipient, 
 permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, 
 reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, 
 check_policy_service unix:private/policy, permit
 
 
 Finally, although I can test the script just fine from the command line, 
 I'm not 100% sure postfix is actually executing it.  I added to master.cf:
 
 policy  unix  -   n   n   -   0   spawn
user=nobody argv=/usr/bin/perl /opt/zimbra/libexec/zmpostfixpolicyd 
 -v

Your script can syslog its activities. The script will only be called for
senders that don't match mynetworks and don't have SASL credentials.
 
 and I modified the smtpd_recipient_restrictions as above, plus added 
 policy_time_limit = 3600 to main.cf.
 
 I verified the unix socket exists:
 
 [EMAIL PROTECTED] spool]# cd /opt/zimbra/data/postfix/spool/private/
 [EMAIL PROTECTED] private]# ls -l policy
 srw-rw-rw- 1 postfix postfix 0 Nov 25 11:59 policy
 
 We have: queue_directory = /opt/zimbra/data/postfix/spool so that should be 
 the correct location.
 
 However, when I connect to the SMTP port and send an email to a user, I 
 don't see that zmpostfixpolicyd is run.  Shouldn't it be running on all 
 emails that come in, regardless of whether or not it takes action?

You are probably sending from mynetworks. The script is spawned on
demand (first call to the policy service).

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:[EMAIL PROTECTED]

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: backscatter with virtual domain

2008-11-25 Thread Quanah Gibson-Mount
--On Tuesday, November 25, 2008 5:21 PM -0500 Victor Duchovni 
[EMAIL PROTECTED] wrote:



What's the correct action to take if the account doesn't exist?
Currently  I have defer_if_permit Service temporarily unavailable.


A hard REJECT seems more reasonable for invalid recipient addresses.

REJECT 5.1.1 Mailbox unavailable


Ok, I changed it to:

   return reject 5.1.1 Mailbox unavailable;

thanks!



Finally, although I can test the script just fine from the command line,
I'm not 100% sure postfix is actually executing it.  I added to
master.cf:


Your script can syslog its activities. The script will only be called for
senders that don't match mynetworks and don't have SASL credentials.

You are probably sending from mynetworks. The script is spawned on
demand (first call to the policy service).


Ok, that would definitely be the issue.  My box is firewalled, so I can 
only connect to it from the host itself.  Thanks again for all your help!


--Quanah



Re: backscatter with virtual domain

2008-11-25 Thread Victor Duchovni
On Tue, Nov 25, 2008 at 02:30:22PM -0800, Quanah Gibson-Mount wrote:

 --On Tuesday, November 25, 2008 5:21 PM -0500 Victor Duchovni 
 [EMAIL PROTECTED] wrote:
 
 What's the correct action to take if the account doesn't exist?
 Currently  I have defer_if_permit Service temporarily unavailable.
 
 A hard REJECT seems more reasonable for invalid recipient addresses.
 
  REJECT 5.1.1 Mailbox unavailable
 
 Ok, I changed it to:
 
return reject 5.1.1 Mailbox unavailable;
 
 thanks!
 
 
 Finally, although I can test the script just fine from the command line,
 I'm not 100% sure postfix is actually executing it.  I added to
 master.cf:
 
 Your script can syslog its activities. The script will only be called for
 senders that don't match mynetworks and don't have SASL credentials.
 
 You are probably sending from mynetworks. The script is spawned on
 demand (first call to the policy service).
 
 Ok, that would definitely be the issue.  My box is firewalled, so I can 
 only connect to it from the host itself.  Thanks again for all your help!

To test it, move the policy check above permit_mynetworks, but make
sure that the script ignores domains you are not responsible for or
is triggered via a restriction class:

validate_alias_domains:
alias-domain.example.com    check_alias_domain_recipient

main.cf:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/validate_alias_domains
...

smtpd_restriction_classes = check_alias_domain_recipient

check_alias_domain_recipient =
check_policy_service unix:private/policy_socket_name

-- 
Viktor.

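The policy-service logic the thread settles on (dunno when the alias-domain recipient exists, a hard 5.1.1 reject when it does not, dunno for domains the server does not host), as an added Python example that is not Quanah's zmpostfixpolicyd script or any Postfix code; the LDAP query is replaced by a constructed in-memory table and the domain names are placeholders.

```python
import sys

# Constructed stand-in for the LDAP data the thread's script queries:
# alias domain -> canonical domain, and the mailboxes that exist there.
ALIAS_DOMAINS = {"alias.example.com": "example.com"}
MAILBOXES = {"example.com": {"alice", "bob"}}

def parse_request(lines):
    """Parse the 'name=value' lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, alias_domains=ALIAS_DOMAINS, mailboxes=MAILBOXES):
    """Return the action string Postfix should apply to this RCPT TO."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"
    local, at, domain = attrs.get("recipient", "").rpartition("@")
    canonical = alias_domains.get(domain.lower()) if at else None
    if canonical is None:
        return "dunno"  # not an alias domain we host: leave it to the other restrictions
    if local.lower() in mailboxes.get(canonical, set()):
        return "dunno"  # account exists: later restrictions (e.g. permit) decide
    return "reject 5.1.1 Mailbox unavailable"  # hard reject at RCPT time, no backscatter

def respond(request_text):
    """Turn one raw request (name=value lines) into the reply Postfix reads."""
    lines = [line for line in request_text.splitlines() if line]
    return "action=%s\n\n" % decide(parse_request(lines))

def serve(instream, outstream):
    """Handle requests on the spawn(8) socket: each request ends with an empty line."""
    buf = []
    for line in instream:
        line = line.rstrip("\r\n")
        if line:
            buf.append(line)
            continue
        outstream.write(respond("\n".join(buf)))
        outstream.flush()
        buf = []

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

As Viktor notes, the check only runs for clients that reach it in smtpd_recipient_restrictions, so to exercise it from mynetworks it must be placed before permit_mynetworks or wrapped in a restriction class keyed on the alias domains.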


Re: backscatter with virtual domain

2008-11-25 Thread Quanah Gibson-Mount
--On Tuesday, November 25, 2008 7:32 PM -0500 Victor Duchovni 
[EMAIL PROTECTED] wrote:



To test it, move the policy check above permit_mynetworks, but make
sure that the script ignores domains you are not responsible for or
is triggered via a restriction class:


Great, thanks!  I managed to validate it using a different host giving it 
access through the firewall.  It works exactly like I want it to. :)  And I 
added checks initially to ensure it ignores domains the server doesn't host 
(just returns dunno).


--Quanah



Re: Postfix and quota clarification

2008-11-25 Thread Jose Ildefonso Camargo Tolosa
hi!

On Tue, Nov 25, 2008 at 4:18 AM, Rocco Scappatura
[EMAIL PROTECTED] wrote:
 On Mon, Nov 24, 2008 at 4:49 AM, mouss [EMAIL PROTECTED] wrote:
  Jose Ildefonso Camargo Tolosa wrote:
 
  However, Postfix supports access maps that can reject mail for
  over-quota users, if you are willing to periodically add up all
  the mail each user has.
 
  I have been using filesystem quotas for this purpose, and it works
  just fine.  Of course, I have a dedicated filesystem for mail
  storage.
 
 
  The problem is that this is detected at delivery time, which will
 cause
  backscatter if it happens too often and your filter misses a lot of
  spam. if this doesn't happen often, then yes, it's the easy way.
  otherwise, an access check as suggested by Wietse may be necessary.

 True, that's why I try to implement many quota warning systems, so
 the user knows that he/she has to clean their mailbox, also, there is
 a side-effect to the fs quota: it is pretty much likely that the imap
 server (dovecot) fail to access the user mailbox once the hard limit
 is over (unless you fix it, but I didn't), and they just call support,
 and then one tells them to clean up the mailbox asap, and just
 reenable the access (by deleting a couple of dovecot's files, and
 extending their quota for a while).

 Well, I also try to have a good spam filter (ASSP).

 
  2- there is no safe quota support in any MTA. most quota
 implementations
  will send a bounce, which may result in backscatter
 
  true.  but quotas are necessary: the more disk space the users have,
  the more garbage they store.
 
 
  but this doesn't require checking quota in real time or at delivery
  time. populating an access list (periodically or opportunistically)
  should be enough.

 maybe, but can also prove to be slow, and even more when you have
 thousands of users.  I think that... maybe... using soft-quotas (as a
 counter) and having unlimited hard-quota and grace periods could have
 a similar effect, and can be faster (I don't know if this actually
 works, I haven't tried)


 In fact, this is exactly the problem that I have. I'm using Postfix as 
 post-office platform too. And I need to check disk usage. First time I've 
 patched with VDA patch. Then I have upgraded postfix and I have no more 
 applied the relative patch. Indeed I read that is not good to use VDA patch 
 so I have believed that there was a native support for quota by Postfix. 
 Anyway I share the fact that MTA has not to face quota issues, as mouss 
 pointed out in a previous email. But I have to check quota exactly for the 
 same needs that you have exposed. Have you a practical alternative to VDA 
 patch to suggest me?

Well I don't know, I just installed Postfix, and configured fs
quota (Debian GNU/Linux), and it just worked.  I also use Dovecot, and
configured the quota plug-in and used the fs backend, just to let the
webmail app get quota info and show a nice quota bar.  I also run
warnquota from a cron job every day at 08:00, to send a warning mail
to overquota users (over soft quota, of course).


Suspending outgoing smtp temporary

2008-11-25 Thread Rajkumar S
Hi,

How can I suspend postfix delivering mails to external domains
temporarily? Postfix must accept mails to other destinations but not
deliver them till it's told to.

raj


Re: Suspending outgoing smtp temporary

2008-11-25 Thread Magnus Bäck
On Wednesday, November 26, 2008 at 07:06 CET,
 Rajkumar S [EMAIL PROTECTED] wrote:

 How can I suspend postfix delivering mails to external domains
 temporarily? Postfix must accept mails to other destinations but
 not deliver them till it's told to.

http://www.postfix.org/postconf.5.html#defer_transports

Setting this to smtp should do, but it depends a little bit on the
rest of your configuration. If you use the smtp transport for your
content filter or for relaying to internal servers you will defer
more messages than desired.

-- 
Magnus Bäck
[EMAIL PROTECTED]


Re: Suspending outgoing smtp temporary

2008-11-25 Thread Victor Duchovni
On Wed, Nov 26, 2008 at 07:18:32AM +0100, Magnus Bäck wrote:

 On Wednesday, November 26, 2008 at 07:06 CET,
  Rajkumar S [EMAIL PROTECTED] wrote:
 
  How can I suspend postfix delivering mails to external domains
  temporarily? Postfix must accept mails to other destinations but
  not deliver them till it's told to.
 
 http://www.postfix.org/postconf.5.html#defer_transports
 
 Setting this to smtp should do, but it depends a little bit on the
 rest of your configuration. If you use the smtp transport for your
 content filter or for relaying to internal servers you will defer
 more messages than desired.

With Postfix 2.4 or later, a more fine-grained solution is:

default_transport = retry:4.3.2 External mail temporarily unavailable

This assumes you have no transport table entries for domains that are not
yours (or are relay_domains).

Otherwise, make sure that smtp is only used for external email, use
relay for SMTP delivery to internal and relay domains, and scan
(or similar) for advanced content filters. Then follow the recipe Magnus
outlined.

-- 
Viktor.



Re: Preventing local forwarding for some local domains

2008-11-25 Thread Ville Walveranta
Thanks Victor and Barney. I got this correctly configured tonight (the
loop issue was resolved); works perfectly now!

Ville