Share postfix config directory
Hello, I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed. TIA, rocsca
Re: forged address
it works; is this enough to prevent forging the email ids?! thanks

On Tue, Jan 13, 2009 at 5:59 PM, Noel Jones njo...@megan.vbhcs.org wrote:

bharathan kailath wrote:

i've a postfix server act as smtp out; i've allowed certain networks in mynetworks; my domain example.com; my problem is from the allowed networks one can send mails (e.g m...@gmail.com to someb...@yahoo.com); it should not have accepted mails other than one of the sender/receiver belong to example.com (its own domain) what could be wrong in the config? following is my config:

Nothing wrong in your config[1], it's just that postfix does not enforce which domains can be used when sending mail from authorized clients. There are several ways you can enforce such a rule. The simplest is probably

    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/mydomains
        reject_unauth_destination

Where the mydomains table lists your local allowed domains as:

    example.com OK

Note this MUST be in smtpd_sender_restrictions. You can also use reject_unlisted_sender in the above list to insure that sender names in your domain really exist. http://www.postfix.org/postconf.5.html#reject_unlisted_sender

A more sophisticated (and more complicated) setup would require all local users to authenticate via SASL and would map SASL usernames to the allowed MAIL FROM using http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch http://www.postfix.org/SASL_README.html

[1] be aware that rfc-ignorant is intended for a scoring system (such as SpamAssassin), not outright rejects. There is a strong possibility of rejecting legit mail when used as an SMTP RBL.

-- Noel Jones
Re: What do these logs mean?
* mouss mo...@ml.netoyen.net: too many users with 'a' as first letter, and machine is in the US while OP is in UK. so either OP munged things, or his server is under attack. anyway, as you said, not a postfix issue. One could fail2ban the attacker :) -- Ralf Hildebrandt (ralf.hildebra...@charite.de) snick...@charite.de Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155 http://www.arschkrebs.de We're thinking about upgrading from SunOS 4.1.1 to SunOS 3.5. -- Henry Spencer
Re: Servers High Performance and High Volume
* Res r...@ausics.net: Dovecot by far, for any number of users, we used to use Courier but found Dovecot had a good %30-%40 performance boost on busy servers, you could likely get away with one pop/imap server so long as it was decent hardware. Same here. This is mainly due to the caches dovecot uses. -- Ralf Hildebrandt (ralf.hildebra...@charite.de) snick...@charite.de Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155 http://www.arschkrebs.de Program aborting: Close all that you have worked on. You ask far too much.
Re: delay - this is what?
* bharathan kailath kbhara...@gmail.com:

delay=85, delays=59/0.01/17/8.9, dsn=2.0.0, status=sent (250 Ok: queued as 67C7D1AB30F) i find this in postfix log; what does this mean?

Total delivery time: 85s
Of this:
59s were spent before the qmgr (transfer time to your machine)
0.01s within qmgr
17s establishing the connection, incl. DNS lookups, HELO and TLS handshake (if any)
8.9 transfer of the message from your machine to the other machine

-- Ralf Hildebrandt (ralf.hildebra...@charite.de) snick...@charite.de Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155 http://www.arschkrebs.de A printer consists of three main parts: the case, the jammed paper tray and the blinking red light
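The breakdown in the reply above, applied mechanically to log lines (an added example, not part of the original thread). The sample lines are constructed; only their delay, delays, dsn and status values are taken from the two log excerpts quoted on this page, and the stage names are labels chosen here for the a/b/c/d fields.

```python
import re

# a/b/c/d order of the delays= field, labelled as in the reply above.
STAGES = ("before_qmgr", "in_qmgr", "connection_setup", "transmission")

DELIVERY_RE = re.compile(
    r"postfix\S*/\w+\[\d+\]: (?P<qid>[0-9A-F]+): .*?"
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

# Constructed sample lines (hosts, addresses and the first queue id are made up).
SAMPLE_LOG = [
    "Jan 14 11:40:02 mx1 postfix/smtp[2211]: 3A1B2C4D5E: to=<user@example.net>, "
    "relay=mail.example.net[192.0.2.10]:25, delay=85, delays=59/0.01/17/8.9, "
    "dsn=2.0.0, status=sent (250 Ok: queued as 67C7D1AB30F)",
    "Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to=<user@example.com>, "
    "relay=192.0.2.25[192.0.2.25]:25, delay=101565, delays=100962/0.02/3.4/600, "
    "dsn=4.4.1, status=deferred (host 192.0.2.25[192.0.2.25] said: 421 4.4.1 "
    "Connection timed out (in reply to end of DATA command))",
]


def parse_delivery(line):
    """Return the delivery record for one log line, or None if it has none."""
    m = DELIVERY_RE.search(line)
    if m is None:
        return None
    parts = m.group("delays").split("/")
    if len(parts) != 4:
        return None
    try:
        stages = dict(zip(STAGES, (float(p) for p in parts)))
        total = float(m.group("delay"))
    except ValueError:
        return None
    return {
        "queue_id": m.group("qid"),
        "delay": total,
        "dsn": m.group("dsn"),
        "status": m.group("status"),
        "stages": stages,
        "slowest": max(stages, key=stages.get),
    }


def slow_stages(lines, threshold):
    """List (queue_id, stage, seconds) for every stage at or above threshold."""
    hits = []
    for line in lines:
        rec = parse_delivery(line)
        if rec is None:
            continue
        for stage in STAGES:
            if rec["stages"][stage] >= threshold:
                hits.append((rec["queue_id"], stage, rec["stages"][stage]))
    return hits


if __name__ == "__main__":
    for hit in slow_stages(SAMPLE_LOG, 10):
        print(hit)
```
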
Re: What do these logs mean?
On 14 Jan 2009, at 08:52, Ralf Hildebrandt wrote: * mouss mo...@ml.netoyen.net: too many users with 'a' as first letter, and machine is in the US while OP is in UK. so either OP munged things, or his server is under attack. anyway, as you said, not a postfix issue. One could fail2ban the attacker :) Hello Ralf, What is fail2ban and how would I implement that? Rupert
Re: delay - this is what?
thanks

On Wed, Jan 14, 2009 at 11:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

* bharathan kailath kbhara...@gmail.com:

delay=85, delays=59/0.01/17/8.9, dsn=2.0.0, status=sent (250 Ok: queued as 67C7D1AB30F) i find this in postfix log; what does this mean?

Total delivery time: 85s
Of this:
59s were spent before the qmgr (transfer time to your machine)
0.01s within qmgr
17s establishing the connection, incl. DNS lookups, HELO and TLS handshake (if any)
8.9 transfer of the message from your machine to the other machine

-- Ralf Hildebrandt (ralf.hildebra...@charite.de) snick...@charite.de Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155 http://www.arschkrebs.de A printer consists of three main parts: the case, the jammed paper tray and the blinking red light
ETRN
we've got a gateway postfix server with which we provide mails to hosted domains; postfix is configured with Separate Domains with System Accounts (virtual alias domains and virtual alias maps); clients mail server pop up and collect all the their mails; it works great; but one of the client using ETRN and their domain is specified in transport and fast flush domain parameter in main.cf; that also work; but i want to know for this particular client (who send ETRN) can have a mailbox like other clients? now for this particular client our postfix server defer the mail till it get the ETRN from client; the idea is if mailbox is there i can retrieve/monitor the mails if anything goes wrong ; but is it possible in postfix? help appreciated
connection timeout on win2007 exchange
Hi Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to= valer...@example.com, relay=xxx.xxx.xxx.xxx[1xxx.xxx.xxx.xxx ]:25, delay=101565, delays=100962/0.02/3.4/600, dsn=4.4.1, status=deferred (host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] said: 421 4 .4.1 Connection timed out (in reply to end of DATA command)) the above is the log from our postfix relay; the host machine is a win2007 exchange; this happens always; but some mails go through some not; what i can do about this ?
Re: Share postfix config directory
Rocco Scappatura:

Hello, I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.

Let the computer do the work for you. See: man 1 make. If you are not familiar with this tool, then you work too hard.

Wietse
break mail into multiple for multiple recipients
On my MX servers we accept the mail and relay it to a spamassassin server. Now for some ids we don't spam-scan the mail (for eg ab...@domain.com). If a spammer marks a mail to some real recipient and to ab...@domain.com, the mail goes thru because any mail for abuse@ is not scanned. Can I configure postfix on the MX server to send mails for ab...@domain.com in a separate transaction and other recipients in a separate transaction? I don't want to break all the multi-recipient mails into multiple, only for those mails marked to ab...@... Thanks Ram
Re: connection timeout on win2007 exchange
bharathan kailath:

Hi Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to= valer...@example.com, relay=xxx.xxx.xxx.xxx[1xxx.xxx.xxx.xxx ]:25, delay=101565, delays=100962/0.02/3.4/600, dsn=4.4.1, status=deferred (host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] said: 421 4 .4.1 Connection timed out (in reply to end of DATA command)) the above is the log from our postfix relay; the host machine is a win2007 exchange; this happens always; but some mails go through some not; what i can do about this ?

Record the content of network packets with tcpdump, and find out which of the following is the case:

1) The client does not end the message with CRLF.CRLF

2) The server does not recognize CRLF.CRLF as the end of message. For example, because some buggy ``security'' software does not correctly handle the case where CRLF.CRLF is sent in two pieces.

Wietse
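The second case in the reply above, shown in code (an added example, not part of the original thread and not code from Postfix or any product). It compares a checker that looks for CRLF.CRLF in each received piece separately with one that carries the last four bytes over between pieces; the function names and the sample message are constructed for illustration.

```python
TERMINATOR = b"\r\n.\r\n"  # end-of-data marker: CRLF.CRLF

# Constructed sample: headers, one body line, then the end-of-data marker.
SAMPLE = b"Subject: test\r\n\r\nhello\r\n.\r\n"


def naive_end_seen(chunks):
    """Flawed check: inspects each received piece in isolation."""
    return any(TERMINATOR in chunk for chunk in chunks)


class EndOfDataDetector:
    """Finds CRLF.CRLF even when it arrives split over several reads."""

    def __init__(self):
        # The DATA command line itself ends in CRLF, so a body that starts
        # with ".CRLF" is a complete (empty) message.
        self._tail = b"\r\n"
        self.done = False

    def feed(self, chunk):
        if not self.done:
            window = self._tail + chunk
            if TERMINATOR in window:
                self.done = True
            # Keep just enough bytes to complete a marker in the next read.
            self._tail = window[-(len(TERMINATOR) - 1):]
        return self.done


def robust_end_seen(chunks):
    detector = EndOfDataDetector()
    for chunk in chunks:
        detector.feed(chunk)
    return detector.done


def missed_splits(message, checker):
    """Offsets at which cutting the message in two makes the checker miss the end."""
    return [
        i for i in range(1, len(message))
        if not checker([message[:i], message[i:]])
    ]


if __name__ == "__main__":
    print("naive misses at offsets:", missed_splits(SAMPLE, naive_end_seen))
    print("robust misses at offsets:", missed_splits(SAMPLE, robust_end_seen))
```

A receiver that behaves like the naive checker keeps waiting for more data after the sender has finished, which matches a timeout reported in reply to end of DATA.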
Re: ETRN
bharathan kailath:

we've got a gateway postfix server with which we provide mails to hosted domains; postfix is configured with Separate Domains with System Accounts (virtual alias domains and virtual alias maps); clients mail server pop up and collect all the their mails; it works great; but one of the client using ETRN and their domain is specified in transport and fast flush domain parameter in main.cf; that also work; but i want to know for this particular client (who send ETRN) can have a mailbox like other clients? now for this particular client our postfix server defer the mail till it get the ETRN from client; the idea is if mailbox is there i can retrieve/monitor the mails if anything goes wrong ; but is it possible in postfix?

This is how ETRN works:

1) The SMTP client sends an ETRN command to the SMTP server.

2) The SMTP server searches the queue and delivers the mail.

The Postfix ETRN implementation overrides the defer_transports setting, so you can use that to hold mail in the queue until ETRN.

Wietse
Multiple SMTP relays based on sender's domain
Is it possible to set up Postfix to choose an SMTP relayhost when routing outbound mail based on the domain name of the sender ? Regards
Re: Multiple SMTP relays based on sender's domain
On Wed, Jan 14, 2009 at 5:01 AM, Gilles Albusac gilles.albu...@wanadoo.fr wrote: Is it possible to set up Postfix to choose an SMTP relayhost when routing outbound mail based on the domain name of the sender ? If you're okay with using addresses instead of domains, I think sender_dependent_relayhost_maps might do the trick for you.
RE: Share postfix config directory
I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.

Let the computer do the work for you. See: man 1 make. If you are not familiar with this tool, then you work too hard.

I know that make is a really powerful tool. I have used it (in the sense that I have written some Makefiles) for compiling rather few C projects. At the moment I can't guess how I could use 'make' for my purpose. I feel that in some manner it could be a substitution matter that 'make' is very clever to manage. But I can't infer anything more.. Could you give me further insight? :-)

Thanks, rocsca
Re: Share postfix config directory
On Wed, 14 Jan 2009 14:07:05 +0100 Rocco Scappatura rocco.scappat...@infracom.it wrote:

I know that make is a really powerful tool. I have used it (in the sense that I have written some Makefiles) for compiling rather few C projects. At the moment I can't guess how I could use 'make' for my purpose. I feel that in some manner it could be a substitution matter that 'make' is very clever to manage. But I can't infer anything more.. Could you give me further insight? :-)

You're so going to kick yourself... ;-)

Stop thinking about what you use make for and think about what it does: make updates a target if it depends on prerequisite files that have been modified since the target was last modified, or if the target does not exist.

Your targets are the configurations on the shares. Each has your master copy as its prerequisite. Type make all to propagate your changes.

Chris Babcock
Re: Submission port SSL issues
On Wed, Jan 14, 2009 at 05:01:25AM -0800, Neil wrote:

Specifically: Mail.app only does SSL, not TLS.

This is not true. Mail.app supports STARTTLS, it does not support use of client certificates, but STARTTLS with or without SASL is supported and working both in Tiger and Leopard.

It would test port 567 for connectivity, but not SSL-ability, for some reason,

What is 567? Implement STARTTLS on 587 (submission), and only if needed to support Outlook/OE, also implement SSL on 465 (smtps).

It'd be nice if they added TLS support to Mail.app though. And were a little more thorough in their connection tests.

Mail.app supports STARTTLS, as SSL is a non-standard legacy Outlook protocol, this may only be supported on the legacy port (465). Don't implement server-side wrapper mode on other ports.

-- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Cannot Send Email via POSTFIX to any domain
secSwami wrote:

Hi, I have spent countless hours researching this but I can't still figure out why I can't send email from postfix server to any other domain other than myself. I want my server to actually deliver the email and don't want to use ISP's mail server. The server resides on a business network so I know there is no blocking there (isp). I know there is some issue with my config. Can someone point me in the right direction? I would like users who authenticate to be able to send email anywhere using the server. I get error message : Relay access denied whenever sending email to anyone Here is my main.cf , I have left my master.cf file as it is. Thanks in advance. Here is my main.cf and master.cf (just in case).

Welcome to the list. It seems you missed the welcome message: 1. TO REPORT A PROBLEM SEE: http://www.postfix.org/DEBUG_README.html#mail (specifically the part about 'postconf -n')

For now, I'll dust off my crystal ball.

    smtp_sasl_auth_enable = yes

smtp means Postfix sending to another server. Please review http://www.postfix.org/SASL_README.html#server_sasl

Brian

    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =
    virtual_mailbox_domains = /etc/postfix/vhosts.txt
    virtual_mailbox_base = /home/virtual
    virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_alias_maps = hash:/etc/postfix/aliases
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
Re: Submission port SSL issues
On Jan 14, 2009, at 7:01 AM, Neil wrote:

On Tue, Jan 13, 2009 at 7:49 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote:

On Tue, Jan 13, 2009 at 06:35:24PM -0800, Neil wrote:

I followed Noel's suggestion (top part of master.cf below), but I still can't get it to work.

I read the above, but I still can't see any information there. I think the words can't, it and work need to each be replaced by a few paragraphs explaining clearly to non-psychics what you tried to do, what you expected to happen, and what actually happened.

-- Viktor.

I'm going to spare you a re-hashing of the problem (unless you really want it); the short of it was I was still having the SSL troubles from my original post. After following Noel's why-didn't-I-see-that advice, the continued error turned out to be that Mail.app was just being too smart for its own good. Seeing as it gives me the same damned error no matter the problem wasn't very helpful of it either. Switching over to Tb for the bulk of my testing (it actually shows the server's response!) helped me come to the conclusion that Mail.app's I'll-find-the-best-port-for-you! feature wasn't too good at finding the best port...

Specifically: Mail.app only does SSL, not TLS. It would test port 567 for connectivity, but not SSL-ability, for some reason, during connection tests; and then would decide that, since it was open and displaying a banner, 567 was the right port to use. Then, when it tried to send a mail, with SSL enabled, it would fail because, as you explained, you can't have SSL and STARTTLS on the same port (and 567 was configured with STARTTLS, as per Postfix's pseudo-defaults). Long story short, telling Mail.app to shove it and do it my way (use port 465 all the time) did the trick. I'm not really sure where in the auto-configuration process it got stuck on trying 567 first (I believe there might be circumstances where it will do the right thing sometime, because it seemed to last time I configured it), but frankly, I don't really care at this point.

It'd be nice if they added TLS support to Mail.app though. And were a little more thorough in their connection tests.

I'm not sure why your Mail.app doesn't support TLS, as mine does it fine on port 25 with STARTTLS (port 25 also does regular incoming SMTP without it). It also works with SSL on 587, as I've been at places using that port and it finds it automatically when port 25 doesn't do STARTTLS. This required no configuration change from the default selection of Use Default Ports (25, 465, 587) in the SMTP section of the account settings.

hose
how to block arabic emails ?
Dear All, How i can block all arabic emails? example email : header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك thanks, best regards.
Re: What do these logs mean?
On 1/14/2009, Rupert Reid (isingl...@madasafish.com) wrote: What is fail2ban and how would I implement that? Google is your friend... -- Best regards, Charles
Re: Share postfix config directory
Rocco Scappatura:

I have different SMTP gateways, each one configured in exactly the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed.

Let the computer do the work for you. See: man 1 make. If you are not familiar with this tool, then you work too hard.

I know that make is a really powerful tool. I have used it (in the sense that I have written some Makefiles) for compiling rather few C projects. At the moment I can't guess how I could use 'make' for my purpose. I feel that in some manner it could be a substitution matter that 'make' is very clever to manage. But I can't infer anything more.. Could you give me further insight? :-)

# cat Makefile
FILES = main.cf-a main.cf-b main.cf-c

all: $(FILES)

main.cf-a: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template > $@
	rsync -av $@ hosta:/etc/postfix

main.cf-b: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template > $@
	rsync -av $@ hostb:/etc/postfix

main.cf-c: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template > $@
	rsync -av $@ hostc:/etc/postfix
Re: backscattering
Aaron Wolfe wrote: we use a home grown policy filter for various things, I have been thinking about adding smtp to=from checks since it's almost zero additional resources to do. is it practical to attempt a sort of whitelist to allow the valid cases and then block the rest? is this a stupid idea? unfortunately SPF isn't an easy solution because we handle mail for many organizations and we haven't gotten much cooperation from them, but if that is a better way then I will keep harping on it. -Aaron I can certainly imagine this blocking legit mail, but if you get a large amount of spam such a rule would block, go for it. As you said, adding such a check to an existing policy server adds practically zero overhead. Just keep an eye on it, especially at first. There may be better ways to block what you are getting. Examine the postfix logs and the unwanted mail and look for patterns other than the From=To, such as the client being listed on some RBL, client in dynamic/home user space, rogue ISP, suspect HELO name, etc. -- Noel Jones
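A sketch of the sender-equals-recipient check discussed above, written against the Postfix policy delegation protocol (an added example, not Aaron's filter and not code from any project named on this page). The request attribute names are the ones Postfix sends to a policy service; the allowlist criteria (SASL-authenticated clients and clients in listed networks) and the log-only default are assumptions made for illustration.

```python
import io
import ipaddress


def parse_request(stream):
    """Read name=value lines up to the empty line that ends one request.

    Returns a dict, or None at end of input.
    """
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None


def decide(attrs, allowed_nets, enforce=False):
    """Return an access(5) action for one policy request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    # The null sender (bounces) and ordinary mail are left to other rules.
    if not sender or sender != recipient:
        return "DUNNO"
    # Assumed valid cases: authenticated users and listed client networks.
    if attrs.get("sasl_username"):
        return "DUNNO"
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        client = None
    if client is not None and any(client in net for net in allowed_nets):
        return "DUNNO"
    # WARN only logs, which allows watching the rule before enforcing it.
    return ("REJECT" if enforce else "WARN") + " sender equals recipient"


def serve(infile, outfile, allowed_nets, enforce=False):
    """Answer requests until end of input, one action per request."""
    while True:
        attrs = parse_request(infile)
        if attrs is None:
            break
        outfile.write("action=%s\n\n" % decide(attrs, allowed_nets, enforce))
        outfile.flush()


def _request(**attrs):
    return "".join("%s=%s\n" % item for item in attrs.items()) + "\n"


# Constructed requests: outside client, allowlisted client, ordinary mail.
ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]
REQUESTS = (
    _request(request="smtpd_access_policy", protocol_state="RCPT",
             client_address="203.0.113.7", sender="alice@example.com",
             recipient="Alice@example.com", sasl_username="")
    + _request(request="smtpd_access_policy", protocol_state="RCPT",
               client_address="192.0.2.10", sender="alice@example.com",
               recipient="alice@example.com", sasl_username="")
    + _request(request="smtpd_access_policy", protocol_state="RCPT",
               client_address="203.0.113.7", sender="bob@example.net",
               recipient="alice@example.com", sasl_username="")
)


def demo(enforce=False):
    out = io.StringIO()
    serve(io.StringIO(REQUESTS), out, ALLOWED, enforce)
    return out.getvalue()


if __name__ == "__main__":
    print(demo(enforce=False), end="")
```
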
Re: Problem with Zen filtering legit e-mail
Bill Cole wrote:

Roland Plüss wrote, On 1/13/09 9:47 AM:

Brian Evans - Postfix List wrote:

[...] Gentoo is not the issue, however the different SASL implementations can be an interesting experiment to get working. Dovecot SASL is easier, IMO, to setup and configure and you can disable the IMAP services from starting simply enough.

Hm... I tried Cyrus so far. What's the difference between the two except the configuration?

1. Dovecot SASL is a free-standing authentication daemon rather than libraries that have to be linked into Postfix, which eliminates the opportunity for failure from having a mismatch between the libraries used to build Postfix and the ones in place at run time.

2. Dovecot only provides authentication for the SMTP server side of Postfix, so if you need to have the SMTP or LMTP client parts of Postfix authenticate themselves to a server, Cyrus is your only choice.

And the config difference is a significant one. A SASL implementation that one cannot figure out how to configure has absolutely no functionality. It is also possible to configure Cyrus functionally but very insecurely, which is likely to be more difficult to accomplish with Dovecot.

I guess in this case I should once upon time pay Dovecot a visit. I need only auth for SMTP/IMAP. LMTP I don't use so it's not a blocker there.

-- Yours sincerely Plüss Roland
Re: how to block arabic emails ?
Murat Ugur EMINOGLU wrote: Dear All, How i can block all arabic emails? example email : header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك thanks, best regards. You need to post the actual message headers (View-Options in Outlook, View-Message Source in almost everything else.) Terry
SPF Checking
Hello List, I am wondering about an SPF checking addition for postfix. Where I see all of the addon software, I am not 100% comfortable modifying the postfix code and still have it be as secure as it was when I first set it up. Are there any plans on integrating SPF checking into postfix itself? If not, does anyone out there know how to stop forged emails coming in as someone you know, but they did not send them (as per their email headers)? Thanks!
Configure an Alternate Interface for Destination
I'm using multiple instances of Postfix. One of the IP addresses I just started using is blocked by a major provider. I've gone through all the hoops... It's not on any RBLs, rDNS records match the hostname, etc., but I have no indication that this provider has even received my request about the block let alone plans to remove it.

Meanwhile, I'm using relayhost = [IP-of-other-Postfix-instance] to send mail through an IP address that isn't blocked, which kind of defeats my purposes for having multiple Postfix instances. What I want to do is configure an alternate transport for this domain like...

/etc/postfix-asciiking/main.cf:
    transport_maps = hash:/etc/postfix-asciiking/transport

/etc/postfix-asciiking/master.cf:
    blocked unix - - n - - smtp
        -o relayhost = [IP-of-other-Postfix-instance]

/etc/postfix-asciiking/transport
    earthlink.com blocked:
    mindspring.com blocked:

When I tried this, I did postmap on the transport file and postfix reload for that configuration, but the logs clearly showed the asciiking Postfix instance attempting to make direct delivery to Earthlink rather than handing it to the other instance for delivery.

I'm trying to follow Configuring an Alternate Transport from p 403 of 'The Book of Postfix'. Is my transport misconfigured? Is transport_maps the right main.cf parameter? Something painfully obvious?

Thanks, Chris Babcock
Re: Multiple SMTP relays based on sender's domain
Neil wrote:

On Wed, Jan 14, 2009 at 5:01 AM, Gilles Albusac gilles.albu...@wanadoo.fr wrote:

Is it possible to set up Postfix to choose an SMTP relayhost when routing outbound mail based on the domain name of the sender ?

If you're okay with using addresses instead of domains, I think sender_dependent_relayhost_maps might do the trick for you.

If you mean recipient domain, this will work:

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
    army.mil smtp:smtp.yourisp.com
    fussymx.com smtp:mail.whoevertheytalkto.com

Don't forget to postmap transport

If you really mean sender, I'm not sure what you would use.

Terry

-- Terry Carmen CNY Support, LLC 315.382.3939 http://cnysupport.com
Re: SPF Checking
On Wed, Jan 14, 2009 at 05:22:25PM CET, Russ Lavoy ussray...@yahoo.com said: Hello List, I am wondering about an SPF checking addition for postfix. Where I see all of the addon software, I am not 100% comfortable modifying the postfix code and still have it be as secure as it was when I first set it up. Are there any plans on integrating SPF checking into postfix itself? If not, does anyone out there know how to stop forged emails coming in as someone you know, but they did not send them (as per their email headers)? postfix has the policy servers mechanism for this kind of checks. You do not need to modify postfix code, and postfix can benefit from third party policy daemons. -- Erwan
Re: SPF Checking
On Wednesday 14 January 2009 16:22:25 Russ Lavoy wrote:

Hello List, I am wondering about an SPF checking addition for postfix. Where I see all of the addon software, I am not 100% comfortable modifying the postfix code and still have it be as secure as it was when I first set it up. Are there any plans on integrating SPF checking into postfix itself? If not, does anyone out there know how to stop forged emails coming in as someone you know, but they did not send them (as per their email headers)? Thanks!

Personally, I use python-postfix-policyd-spf from http://www.openspf.org/Software (a.k.a. pypolicyd-spf), implemented as a check_policy_service. EG:

master.cf:
    policyd-spf unix - n n - 0 spawn
        user=nobody argv=/usr/bin/policyd-spf

main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        ...
        check_policy_service unix:private/policyd-spf

# ls -l /var/spool/postfix/private/policyd-spf
srw-rw-rw- 1 postfix postfix 0 Jan 6 16:09 /var/spool/postfix/private/policyd-spf

HTH, Mark.

-- Mark Watts BSc RHCE MBCS Senior Systems Engineer QinetiQ Applied Technologies GPG Key: http://www.linux-corner.info/mwatts.gpg
Re: SPF Checking
Russ Lavoy wrote:

Hello List, I am wondering about an SPF checking addition for postfix. Where I see all of the addon software, I am not 100% comfortable modifying the postfix code and still have it be as secure as it was when I first set it up. Are there any plans on integrating SPF checking into postfix itself? If not, does anyone out there know how to stop forged emails coming in as someone you know, but they did not send them (as per their email headers)?

Use a policy server or a milter that supports SPF checking. There are some listed here http://www.openspf.org/Software Seems these should be listed on the postfix addon page. Or the standard sendmail sid-milter http://sourceforge.net/projects/sid-milter/

None of the above require modifying postfix source; all work reasonably well. Since postfix has two methods to interface to standard SPF/SenderID software already, there are no plans to add postfix internal support for this.

-- Noel Jones
Re: Configure an Alternate Interface for Destination
On Wed, January 14, 2009 10:23 am, Chris Babcock wrote:

I'm using multiple instances of Postfix. One of the IP addresses I just started using is blocked by a major provider. I've gone through all the hoops... It's not on any RBLs, rDNS records match the hostname, etc., but I have no indication that this provider has even received my request about the block let alone plans to remove it.

Meanwhile, I'm using relayhost = [IP-of-other-Postfix-instance] to send mail through an IP address that isn't blocked, which kind of defeats my purposes for having multiple Postfix instances. What I want to do is configure an alternate transport for this domain like...

/etc/postfix-asciiking/main.cf:
    transport_maps = hash:/etc/postfix-asciiking/transport

/etc/postfix-asciiking/master.cf:
    blocked unix - - n - - smtp
        -o relayhost = [IP-of-other-Postfix-instance]

/etc/postfix-asciiking/transport
    earthlink.com blocked:
    mindspring.com blocked:

Put the IP-of-other-Postfix-instance after blocked:

See: http://www.postfix.org/transport.5.html

When no nexthop host name is specified, the destination domain name is used instead. For example, the following directs mail for u...@example.com via the slow transport to a mail exchanger for example.com. The slow transport could be configured to run at most one delivery process at a time:

    example.com slow:

-Matt

When I tried this, I did postmap on the transport file and postfix reload for that configuration, but the logs clearly showed the asciiking Postfix instance attempting to make direct delivery to Earthlink rather than handing it to the other instance for delivery.

I'm trying to follow Configuring an Alternate Transport from p 403 of 'The Book of Postfix'. Is my transport misconfigured? Is transport_maps the right main.cf parameter? Something painfully obvious?

Thanks, Chris Babcock

-- Matt Rude website: http://www.mattrude.com - wiki: http://wiki.mattrude.com PGP Fingerprint: 0E94 70DA 89F8 5102 0862 5EA2 CB10 759E E65F 2C46
Re: Configure an Alternate Interface for Destination
Chris Babcock:

On Wed, 14 Jan 2009 10:50:01 -0600 (CST) Matt Rude li...@mattrude.com wrote:

/etc/postfix-asciiking/main.cf:
    transport_maps = hash:/etc/postfix-asciiking/transport

Show postconf -n output instead of cut-and-paste. You may have typo-ed something.

/etc/postfix-asciiking/master.cf:
    blocked unix - - n - - smtp
        -o relayhost = [IP-of-other-Postfix-instance]

As documented, relayhost is not used by the smtp CLIENT.

Wietse
Re: Cannot Send Email via POSTFIX to any domain
Brian Evans - Postfix List wrote: Hi Brian, Sorry for newbie mistake. Here is dump of my config as produced by postconf -n. [r...@wutang ~]# postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix home_mailbox = Maildir/ html_directory = no inet_interfaces = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydomain = localhost myhostname = localhost myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES relay_domains = mydomain1.com , mydomain2.com relay_recipient_maps = hash:/etc/postfix/relay_recipients sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworksreject_unauth_destination smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworksreject_unauth_destination unknown_local_recipient_reject_code = 550 virtual_alias_maps = hash:/etc/postfix/aliases virtual_gid_maps = static:5000 virtual_mailbox_base = /home/virtual virtual_mailbox_domains = /etc/postfix/vhosts.txt virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt virtual_uid_maps = static:5000 I would just like this server to email server for my company. Imap part (dovecot) works fine and I can get the emails but the part where I am using thunderbird or outlook to SEND email doesn't work. 
Here is dump of my maillog: Jan 2 00:35:09 localhost postfix/smtpd[3539]: generic_checks: name=reject_unauth_destination Jan 2 00:35:09 localhost postfix/smtpd[3539]: reject_unauth_destination: testu...@hotmail.com Jan 2 00:35:09 localhost postfix/smtpd[3539]: permit_auth_destination: testu...@hotmail.com Jan 2 00:35:09 localhost postfix/smtpd[3539]: ctable_locate: leave existing entry key testu...@hotmail.com Jan 2 00:35:09 localhost postfix/smtpd[3539]: NOQUEUE: reject: RCPT from adsl-71-135-98-129.dsl.pltn13.pacbell.net[71.135.98.129]: 554 5.7.1 testu...@hotmail.com: Relay access denied; from=testu...@mydomain.com to=testu...@hotmail.com proto=SMTP helo=[192.168.74.129] Thanks secSwami wrote: Hi, I have spent countless hours researching this but I can't still figure out why I can't send email from postfix server to any other domain other than myself. I want my server to actually deliver the email and don't want to use ISP's mail server. The server resides on a business network so I know there is no blocking there (isp). I know there is some issue with my config. Can someone point me in the right direction? I would like users who authenticate to be able to send email anywhere using the server. I get error message : Relay access denied whenever sending email to anyone Here is my main.cf , I have left my master.cf file as it is. Thanks in advance. Here is my main.cf and master.cf (just in case). Welcome to the list. It seems you missed the welcome message: 1. TO REPORT A PROBLEM SEE: http://www.postfix.org/DEBUG_README.html#mail (specifically the part about 'postconf -n') For now, I'll dust off my crystal ball. smtp_sasl_auth_enable = yes smtp means Postfix sending to another server. 
Please review http://www.postfix.org/SASL_README.html#server_sasl Brian smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = virtual_mailbox_domains = /etc/postfix/vhosts.txt virtual_mailbox_base = /home/virtual virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 virtual_alias_maps = hash:/etc/postfix/aliases smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
Re: Cannot Send Email via POSTFIX to any domain
secSwami wrote: Brian Evans - Postfix List wrote: Hi Brian, Sorry for newbie mistake. Here is dump of my config as produced by postconf -n. [r...@wutang ~]# postconf -n [...] smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = smtpd_recipient_restrictions = permit_sasl_authenticatedpermit_mynetworks reject_unauth_destination smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworksreject_unauth_destination FYI, duplicated restrictions are a bit pointless. Best to remove the sender restriction for (self-)clarity. I would just like this server to email server for my company. Imap part (dovecot) works fine and I can get the emails but the part where I am using thunderbird or outlook to SEND email doesn't work. Then I gave you the correct link. http://www.postfix.org/SASL_README.html#server_sasl To summarize: set 'smtpd_sasl_auth_enable = yes' You still should read the rest of the link. The SASL_README may also help with other questions that can come up. Brian Here is dump of my maillog: Jan 2 00:35:09 localhost postfix/smtpd[3539]: generic_checks: name=reject_unauth_destination Jan 2 00:35:09 localhost postfix/smtpd[3539]: reject_unauth_destination: testu...@hotmail.com Jan 2 00:35:09 localhost postfix/smtpd[3539]: permit_auth_destination: testu...@hotmail.com Jan 2 00:35:09 localhost postfix/smtpd[3539]: ctable_locate: leave existing entry key testu...@hotmail.com Jan 2 00:35:09 localhost postfix/smtpd[3539]: NOQUEUE: reject: RCPT from adsl-71-135-98-129.dsl.pltn13.pacbell.net[71.135.98.129]: 554 5.7.1 testu...@hotmail.com: Relay access denied; from=testu...@mydomain.com to=testu...@hotmail.com proto=SMTP helo=[192.168.74.129] Thanks secSwami wrote: Hi, I have spent countless hours researching this but I can't still figure out why I can't send email from postfix server to any other domain other than myself. I want my server to actually deliver the email and don't want to use ISP's mail server. 
Re: Cannot Send Email via POSTFIX to any domain
Brian Evans - Postfix List wrote: secSwami wrote: Brian Evans - Postfix List wrote: Hi Brian, Sorry for newbie mistake. Here is dump of my config as produced by postconf -n. [r...@wutang ~]# postconf -n [...] smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = smtpd_recipient_restrictions = permit_sasl_authenticatedpermit_mynetworks reject_unauth_destination smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworksreject_unauth_destination FYI, duplicated restrictions are a bit pointless. Best to remove the sender restriction for (self-)clarity. I would just like this server to email server for my company. Imap part (dovecot) works fine and I can get the emails but the part where I am using thunderbird or outlook to SEND email doesn't work. Then I gave you the correct link. http://www.postfix.org/SASL_README.html#server_sasl To summarize: set 'smtpd_sasl_auth_enable = yes' Brian, I have set that option to yes. I will go ahead and read up more on the SASL_README. Anything else that you can think that maybe wrong in the config? Thanks You still should read the rest of the link. The SASL_README may also help with other questions that can come up. 
Re: What do these logs mean?
Ralf Hildebrandt a écrit : * mouss mo...@ml.netoyen.net: too many users with 'a' as first letter, and machine is in the US while OP is in UK. so either OP munged things, or his server is under attack. anyway, as you said, not a postfix issue. One could fail2ban the attacker :) and if the probes use multiple TCP connections (if the pop server disconnects after a failure), then he can use rate limiting in his packet filter if supported (recent in iptables, overload in pf).
Re: How to restrict ACCESS not RELAY to the SMTP daemon?
Thomas a écrit : Thomas wrote: Hello, i try to figure out how to restrict ACCESS to the SMTP daemon. With that, i mean something like the tcpwrapper for SMTP/SMTPS ... I found that about a similar solution: http://archives.neohapsis.com/archives/postfix/2007-05/0343.html There, the following is written: There's no real need to run a proxy in-between in this scenario. If you really want to have some control over connections before they're handled to postfix, use standalone smtp mode. Like this (inetd.conf): smtp inet stream nowait postfix.postfix accept-conn -deny=/file/deny -run=/usr/lib/postfix/smtpd -S .. There are two drawbacks: 1) this your pre-accepting server has to run smtpd as postfix user. Which means either it is running as postfix itself, or (worse) as root. 2) this approach requires fork+exec for each (non-blocked) connection. And another approach, which eliminates both drawbacks, is to use (unfinished) passfd port. Here's the patch for 2.3: http://www.corpit.ru/mjt/postfix-2.3.2-passfd.diff and for 2.4.0: http://www.corpit.ru/mjt/postfix-2.4.0-passfd.diff And here's a tiny program - a client side: http://www.corpit.ru/mjt/sendfd.c It works like this. In master.cf, instead of smtp inet ... smtpd use smtpd pass ... smtpd This will create /var/spool/postfix/public/smtpd AF_UNIX socket. Now, continuing the above example: smtp inet stream nowait nobody.postdrop accept-conn -deny=/file/deny -run=sendfd /var/spool/postfix/public/smtpd Which will just pass on the connection to postfix. I wonder why this `pass' port type support is commented-out... ;) ### That mail was from 2007 - maybe there is now a better way to handle such a situation? BTW, i never figured out that inetd/xinetd may be such a bad way to start programs! At least, programs that do not run as root normally ... you don't need tcp wrappers. smtpd restrictions provide the same functionality (and more), and Wietse gave you an example. 
an alternative, that is appropriate for virtual machines, is firewalling. configure your packet filter (iptables, pf, ipfilter, ...) to only allow traffic that should be allowed.
Re: break mail into multiple for multiple recipients
ram a écrit : On my MX servers we accept the mail and relay it to a spamassassin server Now for some ids we don't spam-scan the mail ( for eg ab...@domain.com ) If a spammer marks a mail to some real recipient and to ab...@domain.com the mail goes thru because any mail for abuse@ is not scanned Can I configure postfix on the MX server to send mails for ab...@domain.com in a separate transaction and other recipients in a separate transaction I don't want to break all the multi-recipient mails into multiple, only for those mails marked to ab...@... here are some choices: - use multiple postfix instances, and use transport_maps instead of content_filter/FILTER (you need multiple instance because transports are global) - use a filter that supports per recipient policies. amavisd-new and dspam can do that - pass all mail through the filter, but ignore the results for ab...@*. This is what I do, because this way I get spamassassin infos in the headers, which comes in handy if it's a fake complaint.
Re: What do these logs mean?
mouss wrote: and if the probes use multiple TCP connections (if the pop server disconnects after a failure), then he can use rate limiting in his packet filter if supported (recent in iptables, overload in pf). here is an example using iptables recent module: http://lists.opensuse.org/opensuse-security/2006-11/msg00025.html Just change the port and the rate limit for your needs. Check that your ipt_recent netfilter module is recent enough
Re: how to block arabic emails ?
Murat Ugur EMINOGLU a écrit : Dear All, How i can block all arabic emails? example email : header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك thanks, best regards. try spamassassin. it has an ok_languages and ok_locales options. but it's better to see if you can block that mail based on the envelope.
Re: postfix implementation in forum like application - OT
Vivek Agrawal a écrit : Hello sir, Actually I know we can use postfix for sending mails. But I don't know can we use postfix to receive mails also. Or do we need to configure some extra tools. Initially I was using postfix with getmail tool. Through postfix I was sending mail using sendmail -t command. And I was using getmail to receive mails from the same gmail account. And have written a small java code which parse that incoming mail and store it in database. But here my query was , why we are using postfix. I can use other simple java api to send mails. why postfix. for queue mgmt: if the connection to the remote server fails, or if any other problem prevents you from sending the message to the remote server, then postfix will keep the message in the queue and retry later. To do this in your java application requires work and skills. it is wiser to minimise the code that you write and integrate with components that are known to be secure, robust, correct, ... etc. One more thing I would like to mention over here is that I am using gmail account just for learning purpose. In future I will use my own domain name. then you need an MTA, and postfix is an excellent choice.
Re: SPF Checking
Res a écrit : On Wed, 14 Jan 2009, Noel Jones wrote: Or the standard sendmail sid-milter http://sourceforge.net/projects/sid-milter/ I'd urge caution on this one, it favours Micro$ofts SAV more than SPF, and you will find a LOT of legitimate mail blocked, especially from mailing lists, although there is a patch to help with that if you go to the bug tracker. what is microsoft SAV? do you mean Sender Id? here, SAV is Sender Address Verification which has nothing to do with MS nor SPF.
Re: Problem with Zen filtering legit e-mail
mouss wrote: Roland Plüss a écrit : I guess in this case I should once upon time pay Dovecot a visit. I need only auth for SMTP/IMAP. LMTP I don't use so it's not a blocker there. you apparently didn't get it: - if you only need to authenticate TO YOUR postfix, then dovecot is a good choice. This happens when your mailer connects to postfix. - if you need your postfix to authenticate TO OTHER smtp servers, then you need cyrus-sasl. In short, dovecot doesn't support client side SASL. see the SASL README for more. Nah, it's only for client to my postfix. No need for postfix to auth to other smtp servers. Unless this would be somehow useful or would prevent problems. -- Yours sincerely Plüss Roland
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote: On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote: When a sender is not authenticated, and reject_unauthenticated_sender_login_mismatch is specified, postfix takes the MAIL FROM address, looks it up in smtpd_sender_login_maps and if it's found, the message is rejected? Essentially the lookup is just for the existence of the MAIL FROM address in the smtpd_sender_login_maps table? Yes, that's what I said. Am I then correct in concluding that with: smtpd_sender_restrictions = permit_sasl_authenticated, reject_authenticated_sender_login_mismatch, reject Observe that the order of the first two elements is not entirely correct. that the permit_sasl_authenticated obviates the need for reject_unauthenticated_sender_login_mismatch? (as there would never be an unauthenticated sender permitted...) Yes. this saves you a table lookup before unauthenticated senders are rejected outright via reject. And am I also correct in concluding that if unauthenticated senders were allowed (as they would have to be for smtpd to accept messages from the internet), that reject_unauthenticated_sender_login_mismatch would prevent any non-authenticated sender from sending a message from (with MAIL FROM) any address listed in my smtpd_sender_login_maps? Yes, that's what I said. I think I've misunderstood this again. here's the behavior I observed: I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to my master.cf smtp service entry (receiving mail on port 25). It then rejected all mail. Each message was rejected because the sender was not authenticated. This is obviously undesirable behavior for this service, as I will never receive any mail. The behavior I was seeking was that it would reject messages where the MAIL FROM is one of the addresses that validly authenticates. 
In other words if a spammer were to forge the MAIL FROM address as one of my valid users, then send the message to that same user or any other user on my server, postfix would reject it, knowing that that particular address should be sent from a matching (smtpd_sender_login_maps) authenticated user. Further, any mail received with a MAIL FROM that is not listed in my smtpd_sender_login_maps) should then be permitted to pass, at least to the next check. Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior, is there another way to produce this behavior? (with the obvious corollary - is there any reason I would not want to do so?) Thank you!!
Re: Question about reject_unauthenticated_sender_login_mismatch
On Wed, Jan 14, 2009 at 11:15:54PM -, jeff_homeip wrote: I think I've misunderstood this again. here's the behavior I observed: I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to my master.cf smtp service entry (receiving mail on port 25). It then rejected all mail. Each message was rejected because the sender was not authenticated. You should not really expect us to help you with this with no log entries, associated postconf -n, and actual master.cf entries. The behavior I was seeking was that it would reject messages where the MAIL FROM is one of the addresses that validly authenticates. The reject_unauthenticated_sender_login_mismatch feature only rejects addresses listed in the smtpd_sender_login_maps table:

    /*
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
        reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache, sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                                       "%s: Sender address rejected: not logged in", sender));
    }

So either your report is incomplete/inaccurate, or you have managed to list all the senders you tested in smtpd_sender_login_maps (difficult with indexed files, easier with regexp tables and SQL lookups). Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior, [ ... ] With false premises you can reach any conclusion. -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
holding messages for one address or one domain in the queue?
This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? Is this as simple as having maildrop return a temporary failure code? and if that happens, postfix will retry at certain intervals (or on postqueue -f) right? And if that is a good way to do it, what return code should maildrop return? Or is there a better way? Thank you!
Re: holding messages for one address or one domain in the queue?
Jeff Weinberger: This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? /etc/postfix/transport: u...@example.comretry:4.4.1 Service unavailable another.example.com retry:4.4.1 Service unavailable Is this as simple as having maildrop return a temporary failure code? That would work, too. Postfix will return mail when it exceeds $maximal_queue_lifetime. and if that happens, postfix will retry at certain intervals (or on postqueue -f) right? And if that is a good way to do it, what return code should maildrop return? If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL If using LMTP: a suitable 4XX numeric code. Wietse
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote: On Wed, Jan 14, 2009 at 11:15:54PM -, jeff_homeip wrote: I think I've misunderstood this again. here's the behavior I observed: I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to my master.cf smtp service entry (receiving mail on port 25). It then rejected all mail. Each message was rejected because the sender was not authenticated. You should not really expect us to help you with this with no log entries, associated postconf -n, and actual master.cf entries. I'm always happy to provide whatever might be helpful, and yet always conscious of excessively long messages. I generally don't post postconf -n in its entirety for that and disclosure reasons (yes, I'm paranoid). But I try to give the relevant entries and anything else you think will help. The behavior I was seeking was that it would reject messages where the MAIL FROM is one of the addresses that validly authenticates. The reject_unauthenticated_sender_login_mismatch feature only rejects addresses listed in the smtpd_sender_login_maps table:

    /*
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
        reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache, sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                                       "%s: Sender address rejected: not logged in", sender));
    }

So either your report is incomplete/inaccurate, or you have managed to list all the senders you tested in smtpd_sender_login_maps (difficult with indexed files, easier with regexp tables and SQL lookups). Given that reject_unauthenticated_sender_login_mismatch does not produce this behavior, [ ... ] With false premises you can reach any conclusion. 
I am quite certain that my premises are not false. I tested it with senders who I know for a fact ARE listed in the smtpd_sender_login_maps both as authenticated (they were accepted) and from another client that did not authenticate (they were properly rejected). Then I waited for someone else to send mail to one of my users. Here is the log entry that was produced: Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: Sender address rejected: not logged in; from=katie.prev...@morris.com to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com only altered to avoid posting one of my users' e-mail addresses and otherwise as logged. The address logged as from=... is not in my smtpd_sender_login_maps (I looked again to be sure) and is not a user or sender on my server at all. The master.cf entry is: smtp inet n - n - - smtpd -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch that is the only line I used. I would expect the above-mentioned mail to be permitted, and in other cases I have had no problems. Immediately after seeing this in the logs, I removed the -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch from my master.cf entry, and since then no mail has been rejected with a reason of not logged in. I don't know how else to interpret this behavior, other than to conclude that adding that line to my master.cf caused the mail to be rejected, which is not what I expected. Knowing that I cannot determine, apparently, what will be helpful in diagnosing this behavior or suggesting ways I can achieve the desired behavior, I am posting below my complete postconf -n (some addresses and sensitive items edited out as noted, but otherwise unaltered). I am hoping that you or someone will either identify what I've done wrong or help me find a way to achieve the desired behavior. 
If there is any additional information I have not provided here that would be helpful in doing one of these two, please ask - I will provide as much as I am able. Thank you for your help. --Jeff postconf -n: alias_database = mysql:/etc/postfix/mysql_alias_maps.cf alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_verp_delimiters = += disable_vrfy_command = yes html_directory = /etc/postfix/html inet_interfaces = all local_recipient_maps = luser_relay = address hidden mail_owner = postfix user mailbox_size_limit = 0 mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man message_size_limit = 0 mydestination =
Re: holding messages for one address or one domain in the queue?
--- In post...@yahoogroups.com, wie...@... (Wietse Venema) wrote: Jeff Weinberger: This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? /etc/postfix/transport: u...@... retry:4.4.1 Service unavailable another.example.com retry:4.4.1 Service unavailable Is this as simple as having maildrop return a temporary failure code? That would work, too. Postfix will return mail when it exceeds $maximal_queue_lifetime. and if that happens, postfix will retry at certain intervals (or on postqueue -f) right? And if that is a good way to do it, what return code should maildrop return? If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL If using LMTP: a suitable 4XX numeric code. Wietse Thank you - I should have thought of the transport map also. i appreciate your help!
Re: holding messages for one address or one domain in the queue?
On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote: Jeff Weinberger wrote: This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? I've used a pretty simple trick of putting the domain in the header_checks.regexp file. header_checks.regexp /^To: @example.com/HOLD Rod nice trick! - thanks! -- Is this as simple as having maildrop return a temporary failure code? and if that happens, postfix will retry at certain intervals (or on postqueue -f) right? And if that is a good way to do it, what return code should maildrop return? Or is there a better way? Thank you!
Re: Send-Only Server Config?
maddae...@gmail.com wrote: I've been asked to build a mail server for the purpose of sending mail from various machines within a LAN to anywhere on the Net. I'm guessing that this would be considered a relay in a sense, since the server will not be receiving mail from the outside, but please correct me if I'm wrong. I do something similar - having several linux servers in the internet. All of them can only send mail - to the relayhost: # domain varies with domain and host, of course mydomain = domain mynetworks = 127.0.0.0/8 myorigin = $mydomain relayhost = relayhost The relayhost receives mail from all domains and all ips/networks of those clients: # main part: mydestination = $myhostname, localhost.$mydomain, localhost, server1, server2, relayhost, domain, domain2, domain3 mydomain = domain mynetworks = 127.0.0.0/8, network, network2, network3, ip1,ip2 myorigin = $mydomain # some additional config: append_dot_mydomain = no biff = no mailbox_size_limit = 1073741824 message_size_limit = 1024 recipient_delimiter = . 
relocated_maps = hash:/etc/postfix/relocated # for tests etc: #soft_bounce = no #soft_bounce = yes # security and access: strict_rfc821_envelopes = yes smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_client_restrictions = reject_invalid_hostname smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_hostname smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot smtpd_sender_restrictions = reject_unknown_address smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_use_tls = yes Works great :) IF you can read and send mail from any mail client - the mails do not get back to the single client servers! They stay at the relay host and can be read there via imap/pop...
Re: Share postfix config directory
I never had a problem to do exactly this ... For what do you need the hostname of the server? My main.cf does not contain a hostname - it can easily be used over an NFS share:

    mkdir /data
    mount server:/data /data
    /etc/init.d/postfix stop
    cp -rp /etc/postfix /data/postfix_nfs
    mv /etc/postfix /etc/postfix_ORIG
    ln -s /data/postfix_nfs /etc/postfix
    /etc/init.d/postfix start
    echo `hostname`| Mail -s `hostname` account@yourdomain

Works :) My simple client server main.cf:

    postconf -n
    config_directory = /etc/postfix
    mydomain = yourdomain
    mynetworks = 127.0.0.0/8
    myorigin = $mydomain
    relayhost = your relay

Where does the hostname kick in at your site? Rocco Scappatura wrote: Hello, I have different SMTP gateways each one configured exactly at the same manner. The only difference is the hostname. I would like to know if I could define /etc/postfix as an NFS share somewhere and export it on each of my SMTP gateways. The aim is obviously to change only one configuration file each time that a postfix configuration update is needed. TIA, rocsca
Re: Servers High Performance and High Volume
On Wed, 14 Jan 2009, Ralf Hildebrandt wrote: * Res r...@ausics.net: Dovecot by far, for any number of users, we used to use Courier but found Dovecot had a good %30-%40 performance boost on busy servers, you could likely get away with one pop/imap server so long as it was decent hardware. Same here. This is mainly due to the caches dovecot uses. Not to mention Dovecot's LDA fits in nicely with postfix :) +1 for Postfix w/ Dovecot LDA. -- Sahil Tandon sa...@tandon.net
Re: holding messages for one address or one domain in the queue?
On Wed, Jan 14, 2009 at 04:41:59PM -0800, Jeff Weinberger wrote: On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote: Jeff Weinberger wrote: This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? I've used a pretty simple trick of putting the domain in the header_checks.regexp file. header_checks.regexp /^To: @example.com/HOLD Using header_checks for this is unreliable; there is no guarantee the recipient will be listed in the To: header. You're not listed in To: in this message, but you receive it anyway. You can use HOLD with a check_recipient_access map reliably, that's another good way to temporarily pause delivery. -- Noel Jones
Re: Question about reject_unauthenticated_sender_login_mismatch
On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote: I am quite certain that my premises are not false. I tested it with senders who I know for a fact ARE listed in the smtpd_sender_login_maps both as authenticated (they were accepted) and from another client that did not authenticate (they were properly rejected). Then I waited for someone else to send mail to one of my users. Here is the log entry that was produced: Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: Sender address rejected: not logged in; from=katie.prev...@morris.com to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com The map lookup matched on katie.prev...@morris.com. If you're using SQL for this table, you need to re-examine your query. Test queries with something like: postmap -q katie.prev...@morris.com mysql:/path/to/xxx.cf Note there is a difference between not found and an empty response. -- Noel Jones
Re: holding messages for one address or one domain in the queue?
On Wed, 14 Jan 2009, Noel Jones wrote: On Wed, Jan 14, 2009 at 04:41:59PM -0800, Jeff Weinberger wrote: On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote: Jeff Weinberger wrote: This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? I've used a pretty simple trick of putting the domain in the header_checks.regexp file. header_checks.regexp /^To: @example.com/HOLD Using header_checks for this is unreliable; there is no guarantee the recipient will be listed in the To: header. You're not listed in To: in this message, but you receive it anyway. You can use HOLD with a check_recipient_access map reliably, that's another good way to temporarily pause delivery. I think this affects all recipients of the message, so the OP probably wants to use transport_maps to limit holding/queuing only for a particular sent of recipients. -- Sahil Tandon sa...@tandon.net
Re: holding messages for one address or one domain in the queue?
On Wed, 14 Jan 2009, Sahil Tandon wrote: On Wed, 14 Jan 2009, Noel Jones wrote: On Wed, Jan 14, 2009 at 04:41:59PM -0800, Jeff Weinberger wrote: On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote: Jeff Weinberger wrote: This may seem like an odd question, but I need to find a way to suspend delivery of mail to one account or one domain for a short period of time to allow me to do a bit of maintenance. As it stands now, I use maildrop as my delivery transport for virtual mailboxes. Is there a way to tell postfix to hold the mail in its queue until I tell it I'm ready? I've used a pretty simple trick of putting the domain in the header_checks.regexp file. header_checks.regexp /^To: @example.com/HOLD Using header_checks for this is unreliable; there is no guarantee the recipient will be listed in the To: header. You're not listed in To: in this message, but you receive it anyway. You can use HOLD with a check_recipient_access map reliably, that's another good way to temporarily pause delivery. I think this affects all recipients of the message, so the OP probably wants to use transport_maps to limit holding/queuing only for a particular sent of recipients. s/sent/set/ :) -- Sahil Tandon sa...@tandon.net
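Added example (not part of any message in this thread, and not Postfix code): a small Python model of the two approaches discussed above, a To: header pattern versus a lookup on the envelope recipient, run over three constructed messages. The regular expression, the table and all addresses are assumptions made for the illustration; the recipient lookup is a simplified stand-in for an access(5) table, and the whole-message delay follows the point raised in the thread that HOLD affects all recipients of a message.

```python
# Added illustration, not Postfix code. Messages, addresses, the pattern and
# the table are constructed; the lookup is a simplified access(5)-style model.
import re
from email import message_from_string

TO_HEADER_RULE = re.compile(r"^To:.*@example\.com", re.IGNORECASE)
RECIPIENT_ACCESS = {"example.com": "HOLD"}      # domain under maintenance

MESSAGES = [
    # (envelope RCPT TO list, raw message)
    (["bob@example.com"],                       # mailing-list delivery
     "From: list@lists.example.org\nTo: users@lists.example.org\n"
     "Subject: list traffic\n\nbody\n"),
    (["bob@example.com", "carol@example.net"],  # direct mail, two recipients
     "From: dave@example.org\nTo: bob@example.com\nCc: carol@example.net\n"
     "Subject: direct\n\nbody\n"),
    (["carol@example.net"],                     # Bcc copy for another domain
     "From: dave@example.org\nTo: bob@example.com\n"
     "Subject: bcc copy\n\nbody\n"),
]


def header_rule_holds(raw):
    """Header-based rule: sees only what the To: header claims."""
    msg = message_from_string(raw)
    return any(TO_HEADER_RULE.search("To: " + value)
               for value in msg.get_all("To", []))


def recipient_rule_holds(rcpts, table=RECIPIENT_ACCESS):
    """Envelope-based rule: full address first, then the domain."""
    for rcpt in rcpts:
        domain = rcpt.rpartition("@")[2].lower()
        if table.get(rcpt.lower()) == "HOLD" or table.get(domain) == "HOLD":
            return True
    return False


def compare(messages=MESSAGES):
    """Return [(header_rule_holds, recipient_rule_holds, delayed_rcpts)]."""
    results = []
    for rcpts, raw in messages:
        by_rcpt = recipient_rule_holds(rcpts)
        # HOLD parks the whole message, so every envelope recipient waits.
        delayed = list(rcpts) if by_rcpt else []
        results.append((header_rule_holds(raw), by_rcpt, delayed))
    return results


if __name__ == "__main__":
    for (rcpts, _), row in zip(MESSAGES, compare()):
        print(rcpts, "header rule:", row[0], "recipient rule:", row[1],
              "delayed:", row[2])
```

The header rule misses the list delivery and catches the Bcc copy that is not addressed to the held domain; the recipient rule gets both right, but in the second message the unrelated recipient waits as well.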
Re: Question about reject_unauthenticated_sender_login_mismatch
On Wed, Jan 14, 2009 at 08:54:52PM -0600, Noel Jones wrote:

Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: Sender address rejected: not logged in; from=katie.prev...@morris.com to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com

The map lookup matched on katie.prev...@morris.com. If you're using SQL for this table, you need to re-examine your query. Test queries with something like:

postmap -q katie.prev...@morris.com mysql:/path/to/xxx.cf

Spot on!

Note there is a difference between not found and an empty response.

In most cases Postfix suppresses empty results (and records a warning in the logs).

On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote:

So either your report is incomplete/inaccurate, or you have managed to list all the senders you tested in smtpd_sender_login_maps (difficult with indexed files, easier with regexp tables and SQL lookups).

Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: Sender address rejected: not logged in; from=katie.prev...@morris.com to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com

I don't know how else to interpret this behavior, other than to conclude that adding that line to my master.cf caused the mail to be rejected, which is not what I expected.

I suggested two possibilities (and even hinted at SQL query issues as a possible cause), you seem to have overlooked the second.

smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

There's the problem. Now test the table as Noel suggested.

$ echo katie.prev...@morris.com | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

-- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: Question about reject_unauthenticated_sender_login_mismatch
Noel, Viktor: I see why you think that - but I did test with postmap -q quite extensively before I added this, sorry I didn't mention it here. I just tested again with this result:

% /etc/postfix : postmap -q katie.prev...@morris.com mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

postmap returned an empty result, which I thought was correct. Should it be returning something different? If so, what should the result for an address not listed on my server be? I appreciate your help and your work to narrow down and isolate the issue here. Thanks! --Jeff
Re: Question about reject_unauthenticated_sender_login_mismatch
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote: On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

There's the problem. Now test the table as Noel suggested.

$ echo katie.prevost@ | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

I just tested again with this result:

% /etc/postfix : postmap -q katie.prev...@... mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

Please use the suggested: echo lookup-key | postmap -q - table form. Also as documented, smtpd_sender_login_maps uses additional lookup keys:

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

smtpd_sender_login_maps (default: empty)

Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses. Specify zero or more type:table lookup tables. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of u...@domain:

1) u...@domain
   This table lookup is always done and has the highest precedence.
2) user
   This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
3) @domain
   This table lookup is done last and has the lowest precedence.

In all cases the result of table lookup must be either not found or a list of SASL login names separated by comma and/or whitespace.

You need to test the full set of lookup keys (sh, ksh or bash, not csh):

( echo morris.com | postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2
echo katie.prevost
sleep 1
echo katie.prev...@...
echo @morris.com
) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

All this assumes that the sender address in question is unmodified...

% /etc/postfix : ( echo morris.com | postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2
echo katie.prevost
sleep 1
echo katie.prev...@...
echo @morris.com
) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

again, an empty result set. I'm not sure of all the possible meanings of All this assumes that the sender address in question is unmodified... but I know I've left the sender address untouched and I don't think I have anything that rewrites the sender address, so as far as I know it's unmodified. I appreciate you continuing to seek possible causes.

I am having another issue which is not exactly this, but is related to this thread, and I suspect there may be some relation (I think it's the same thing - getting my restriction slightly wrong): Per your and Wietse's suggestions, I changed:

-o smtpd_sender_restrictions= permit_sasl_authenticated,reject_sender_login_mismatch,reject

in my submission service to:

-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

so that the permit_sasl_authenticated didn't obviate the reject_sender_login_mismatch. Now I am unable to send mail when authenticated as me with a valid address from a client outside of my_networks. My master.cf submission entry is:

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

in its unaltered entirety. My postconf -n remains as in the message in this thread of several hours ago. The log entry is:

Jan 14 22:10:06 s postfix/smtpd[1557]: NOQUEUE: reject: RCPT from unknown[32.155.5.72]: 554 5.7.1 jweinber...@mac.com: Relay access denied; from=j...@jweinberger.homeip.net to=jweinber...@mac.com proto=ESMTP helo=[10.97.215.245]

I am using my mobile phone to test this, but I verified that it is submitting on port 587. jweinber...@mac.com is another address that is also mine.
It is listed as a valid from address sasl authenticated user in my smtpd_sender_login_maps (so I can send messages from that when I don't have immediate access to my regular mail client and I'm logged in as j...@jweinberger.homeip.net). If I send to another unrelated address, it works fine, so this is clearly caused by the fact that the address to which I'm sending is also listed in smtpd_sender_login_maps. I didn't expect this behavior, but I'm guessing it's what postfix is supposed to do. Can you explain why this happens? and do you have any suggestions to avoid it? Thank you again.
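Added example (not from the posters and not Postfix source): a Python model of the lookup order quoted above and of the three login-mismatch restrictions, showing that a row matching any one key, here a constructed `@domain` row, is enough to give an unauthenticated remote sender the "not logged in" rejection. All addresses, logins and table rows are constructed, and treating an empty value as "not found" is an assumption of the model.

```python
# Added illustration, not Postfix source: a model of the documented
# smtpd_sender_login_maps lookup order and the login-mismatch checks.
# Every address, login and table row below is constructed.

LOCAL_DOMAINS = {"example.com"}   # stands in for $myorigin / $mydestination

SENDER_LOGIN_MAP = {              # sender key -> SASL logins that own it
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",
    "@example.com": "postmaster",
}
# Same table plus one row that answers for a remote domain by mistake.
OVERBROAD_MAP = {**SENDER_LOGIN_MAP, "@example.net": "alice"}


def lookup_keys(sender, local_domains=LOCAL_DOMAINS):
    """Keys tried for one sender, highest precedence first."""
    user, at, domain = sender.rpartition("@")
    if not at:                          # no domain part: only the bare key
        return [sender]
    keys = [sender]                     # 1) user@domain, always
    if domain.lower() in local_domains:
        keys.append(user)               # 2) user, local domains only
    keys.append("@" + domain)           # 3) @domain, lowest precedence
    return keys


def find_owners(sender, table, local_domains=LOCAL_DOMAINS):
    """Return (matching key, [logins]) or (None, None) for 'not found'."""
    for key in lookup_keys(sender, local_domains):
        value = table.get(key)
        if value:                       # model assumption: empty == not found
            return key, value.replace(",", " ").split()
    return None, None


def check_sender(sender, sasl_login, table, mode="both"):
    """mode 'both'   models reject_sender_login_mismatch,
            'auth'   models reject_authenticated_sender_login_mismatch,
            'unauth' models reject_unauthenticated_sender_login_mismatch."""
    _, logins = find_owners(sender, table)
    if sasl_login is None:              # client did not authenticate
        if mode in ("both", "unauth") and logins:
            return "REJECT not logged in"
        return "DUNNO"
    if mode in ("both", "auth"):
        owned = logins and sasl_login.lower() in (l.lower() for l in logins)
        if not owned:
            return "REJECT not owned by user " + sasl_login
    return "DUNNO"


if __name__ == "__main__":
    for name, tbl in (("intended", SENDER_LOGIN_MAP),
                      ("overbroad", OVERBROAD_MAP)):
        key, _ = find_owners("visitor@example.net", tbl)
        print(name, "matched key:", key, "->",
              check_sender("visitor@example.net", None, tbl, "unauth"))
```

A query that returns nothing for the full address can still return a row for `user` or `@domain`, which is why each of the keys has to be tested against the table.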
Working example of main.cf with virtual domains
Hi, After trying for another day to get my postfix config to work for virtual domains, I would really appreciate if someone can give me an example of WORKING main.cf file. The problem I am having is whenever a MOBILE user is trying to send email to ANYWHERE using the postfix server and Thunderbird/Outlook Express client, they get error message saying relay access denied. I would appreciate some help on this. Thanks in advance.
Re: Question about reject_unauthenticated_sender_login_mismatch
jeff_homeip wrote: If I send to another unrelated address, it works fine, so this is clearly caused by the fact that the address to which I'm sending is also listed in smtpd_sender_login_maps. I'm not following the thread too deeply, but ... This points more and more to a map problem. I didn't expect this behavior, but I'm guessing it's what postfix is supposed to do. Can you explain why this happens? and do you have any suggestions to avoid it? Have you already shown your map SQL query? If not, doing so might help. -- Victoriano Giralt Systems Manager Central Computing Facility University of Malaga SPAIN
Re: Question about reject_unauthenticated_sender_login_mismatch (additional info
Here's some additional information on the issue of not being able to send from outside my_networks from one authorized address to another: I restored my master.cf from my latest backup and before I started testing the reject_(un)authorized, I had one additional smtpd_sender_restrictions listed:

-o smtpd_sender_restrictions=$submission_sender_restrictions,reject_sender_login_mismatch,permit_sasl_authenticated,reject

in my submission service. It's defined in main.cf as:

submission_sender_restrictions =check_sender_access pcre:/etc/postfix/smtpd_sender_restrictions.pcre

smtpd_sender_restrictions.pcre is:

/^(.*)/ PREPEND X-Envelope-Sender: ${1}

just the one line where I hope I can capture the envelope sender (this is related to an earlier issue where my spam filter failed to preserve the envelope sender, so this is a workaround). When I added this back, all worked fine. If I remove this one restriction (check_sender_access), I can no longer send. Is this check_sender_access, because it's not rejecting the sender, allowing it somehow? I thought this information might be useful or important. Thanks again!
Re: how to block arabic emails ?
Thanks for all the replies. Best Regards.

Res wrote: On Wed, 14 Jan 2009, Murat Ugur EMINOGLU wrote: Dear All, How can I block all Arabic emails? example email : header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك

on our internal email servers (and on my personal one) I use milter-regex to stop all those pesky cable/dial/dsl users, it's great because I can also use this rule in milter-regex.conf :

reject Access Denied ; Please use the English language when communicating with us
header /Subject/i /=[?](KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5|WINDOWS-125[156])[?][QB][?]/ie
header /Subject/i /charset=(3D)??(KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5)/ie
header /Subject/i/[-]{6}/e
header /Content-Type/i ,text/(plain|html); *charset=?(KOI8-[RU]|GB2312(_CHARSET)?|ISO-2022-JP|SHIFT[-_]JIS|BIG5),ie

I'm sure this needs to be expanded more but it's stopped a lot of rot. *** NEVER use it on a public access system (ISP/ASP/OSP etc) or you will upset a lot of people :)