Share postfix config directory

2009-01-14 Thread Rocco Scappatura
Hello,

I have different SMTP gateways, each one configured in exactly the same
manner. The only difference is the hostname.

I would like to know if I could define /etc/postfix as an NFS share
somewhere and export it on each of my SMTP gateways. The aim is
obviously to change only one configuration file each time that a postfix
configuration update is needed.

TIA,

rocsca


Re: forged address

2009-01-14 Thread bharathan kailath
it works; is this enough to prevent forging the email ids?!
thanks



On Tue, Jan 13, 2009 at 5:59 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 bharathan kailath wrote:

 I've a postfix server act as smtp out; i've allowed certain networks in
 mynetworks; my domain example.com; my problem is
 from the allowed networks one can send mails (e.g m...@gmail.com
 to someb...@yahoo.com); it
 should not have accepted mails other than one of the sender/receiver belong
 to example.com (its own domain)
 what could be wrong in the config? following is my config:


 Nothing wrong in your config[1], it's just that postfix does not enforce
 which domains can be used when sending mail from authorized clients.

 There are several ways you can enforce such a rule.  The simplest is
 probably
 smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/mydomains
  reject_unauth_destination

 Where the mydomains table lists your local allowed domains as:
 example.com   OK
 Note this MUST be in smtpd_sender_restrictions.

 You can also use reject_unlisted_sender in the above list to insure that
 sender names in your domain really exist.
 http://www.postfix.org/postconf.5.html#reject_unlisted_sender

 A more sophisticated (and more complicated) setup would require all local
 users to authenticate via SASL and would map SASL usernames to the allowed
 MAIL FROM using
 http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
 http://www.postfix.org/SASL_README.html

 [1] be aware that rfc-ignorant is intended for a scoring system (such as
 SpamAssassin), not outright rejects.  There is a strong possibility of
 rejecting legit mail when used as an SMTP RBL.

 --
 Noel Jones



Re: What do these logs mean?

2009-01-14 Thread Ralf Hildebrandt
* mouss mo...@ml.netoyen.net:

 too many users with 'a' as first letter, and machine is in the US while
 OP is in UK. so either OP munged things, or his server is under attack.
 
 anyway, as you said, not a postfix issue.

One could fail2ban the attacker :) 

-- 
Ralf Hildebrandt (ralf.hildebra...@charite.de)  snick...@charite.de
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
We're thinking about upgrading from SunOS 4.1.1 to SunOS 3.5. 
-- Henry Spencer 


Re: Servers High Performance and High Volume

2009-01-14 Thread Ralf Hildebrandt
* Res r...@ausics.net:

 Dovecot by far, for any number of users, we used to use Courier but
 found Dovecot had a good %30-%40 performance boost on busy servers, you
 could likely get away with one pop/imap server so long as it was decent
 hardware.

Same here. This is mainly due to the caches dovecot uses.

-- 
Ralf Hildebrandt (ralf.hildebra...@charite.de)  snick...@charite.de
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Program aborting:
Close all that you have worked on.
You ask far too much.


Re: delay - this is what?

2009-01-14 Thread Ralf Hildebrandt
* bharathan kailath kbhara...@gmail.com:

 delay=85, delays=59/0.01/17/8.9, dsn=2.0.0, status=sent (250 Ok: queued as 
 67C7D1AB30F)
 
 i find this in postfix log; what does this mean?

Total delivery time: 85s
Of this: 59s were spent before the qmgr (transfer time to your machine)
0.0.1s within qmgr
17s establishing the connection, incl. DNS lookups, HELO and TLS handshake (if 
any)
8.9 transfer of the message from your machine to the other machine

-- 
Ralf Hildebrandt (ralf.hildebra...@charite.de)  snick...@charite.de
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
A printer consists of three main parts: the case, the jammed paper tray
and the blinking red light
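
The same breakdown can be read out of a log mechanically. The following Python is an added example, not part of the original thread: it splits the delay= and delays= fields into the four stages listed in the reply above and names the stage that dominates. The sample lines reuse the values quoted on this page; the syslog prefix, relay and recipient on the first line are constructed.

```python
import re

# Stage names follow the four-part breakdown given in the reply above:
# a = before the queue manager, b = inside the queue manager,
# c = connection setup (DNS, HELO, TLS), d = message transmission.
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

NUM = r"\d+(?:\.\d+)?"
DELAY_RE = re.compile(
    r"\bdelay=(?P<total>" + NUM + r"),\s*"
    r"delays=(?P<a>" + NUM + r")/(?P<b>" + NUM + r")/(?P<c>" + NUM + r")/(?P<d>" + NUM + r")"
    r"(?:,\s*dsn=(?P<dsn>\d\.\d+\.\d+))?"
    r"(?:,\s*status=(?P<status>\w+))?"
)

# Sample input. Timing values are the ones quoted on this page; the prefix,
# relay and recipient of the first line are constructed for the example, and
# the second line is the wrapped log entry from the page joined onto one line.
SAMPLE_LOG = [
    "Jan 14 11:30:00 mx1 postfix/smtp[1234]: ABCDEF12345: to=<user@example.com>, "
    "relay=mail.example.com[192.0.2.10]:25, delay=85, delays=59/0.01/17/8.9, "
    "dsn=2.0.0, status=sent (250 Ok: queued as 67C7D1AB30F)",
    "Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to=valer...@example.com, "
    "relay=xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]:25, delay=101565, "
    "delays=100962/0.02/3.4/600, dsn=4.4.1, status=deferred "
    "(host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] said: 421 4.4.1 Connection timed out "
    "(in reply to end of DATA command))",
]


def parse_delays(line):
    """Return timing details for one delivery log line, or None if it has none."""
    m = DELAY_RE.search(line)
    if m is None:
        return None
    stages = {name: float(m.group(key)) for name, key in zip(STAGES, "abcd")}
    total = float(m.group("total"))
    return {
        "total": total,
        "stages": stages,
        "slowest": max(stages, key=stages.get),
        # delay= is logged rounded, so allow up to one second of difference.
        "consistent": abs(sum(stages.values()) - total) <= 1.0,
        "dsn": m.group("dsn"),
        "status": m.group("status"),
    }


def report(lines):
    """Return (status, slowest stage, percent of total delay) per delivery line."""
    rows = []
    for line in lines:
        rec = parse_delays(line)
        if rec is None:
            continue
        share = rec["stages"][rec["slowest"]] / rec["total"] if rec["total"] else 0.0
        rows.append((rec["status"], rec["slowest"], round(100 * share)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print("status=%s slowest=%s share=%d%%" % row)
```
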


Re: What do these logs mean?

2009-01-14 Thread Rupert Reid


On 14 Jan 2009, at 08:52, Ralf Hildebrandt wrote:


* mouss mo...@ml.netoyen.net:

too many users with 'a' as first letter, and machine is in the US  
while
OP is in UK. so either OP munged things, or his server is under  
attack.


anyway, as you said, not a postfix issue.


One could fail2ban the attacker :)


Hello Ralf,
What is fail2ban and how would I implement that?

Rupert


Re: delay - this is what?

2009-01-14 Thread bharathan kailath
thanks


On Wed, Jan 14, 2009 at 11:43 AM, Ralf Hildebrandt 
ralf.hildebra...@charite.de wrote:

 * bharathan kailath kbhara...@gmail.com:

  delay=85, delays=59/0.01/17/8.9, dsn=2.0.0, status=sent (250 Ok: queued
 as 67C7D1AB30F)
 
  i find this in postfix log; what does this mean?

 Total delivery time: 85s
 Of this: 59s were spent before the qmgr (transfer time to your machine)
 0.0.1s within qmgr
 17s establishing the connection, incl. DNS lookups, HELO and TLS handshake
 (if any)
 8.9 transfer of the message from your machine to the other machine

 --
 Ralf Hildebrandt (ralf.hildebra...@charite.de)
 snick...@charite.de
 Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
 http://www.arschkrebs.de
 A printer consists of three main parts: the case, the jammed paper tray
 and the blinking red light



ETRN

2009-01-14 Thread bharathan kailath
we've got a gateway postfix server with which we provide mails to hosted
domains; postfix is configured with Separate Domains with System Accounts
(virtual alias domains and virtual alias maps); clients' mail servers pop up
and collect all their mails; it works great; but one of the clients is using
ETRN and their domain is specified in transport and fast flush domain
parameter in main.cf; that also works;

but i want to know for this particular client (who send ETRN) can have a
mailbox like other clients?

now for this particular client our postfix server defer the mail till it get
the ETRN from client;

the idea is if mailbox is there i can retrieve/monitor the mails if anything
goes wrong ; but is it possible in postfix?

help appreciated


connection timeout on win2007 exchange

2009-01-14 Thread bharathan kailath
Hi

Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to=
valer...@example.com, relay=xxx.xxx.xxx.xxx[1xxx.xxx.xxx.xxx
]:25, delay=101565, delays=100962/0.02/3.4/600, dsn=4.4.1, status=deferred
(host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] said: 421 4
.4.1 Connection timed out (in reply to end of DATA command))

the above is the log from our postfix relay; the host machine is a win2007
exchange; this happens always;
but some mails go through some not;

what i can do about this ?


Re: Share postfix config directory

2009-01-14 Thread Wietse Venema
Rocco Scappatura:
 Hello,
 
 I have different SMTP gateways each one configurred exactly at the same
 manner. The only difference is the hostname.
 
 I would like to know if I could define /etc/postfix as an NFS share
 somewhere and export it on each of my SMTP gateways. The aim is
 obviously to change only one configuration file each time that a postfix
 configuration update is needed.

Let the computer do the work for you. See: man 1 make. If you are
not familiar with this tool, then you work too hard.

Wietse


break mail into multiple for multiple recipients

2009-01-14 Thread ram
On my MX servers we accept the mail and relay it to a spamassassin
server

Now for some ids we don't spam-scan the mail (e.g. ab...@domain.com).
If a spammer marks a mail to some real recipient and to ab...@domain.com
the mail goes through because any mail for abuse@ is not scanned.


Can I configure postfix on the MX server to send mails for
ab...@domain.com in a separate transaction and other recipients in a
separate transaction?
I don't want to break all the multi-recipient mails into multiple, only
for those mails marked to ab...@...





Thanks
Ram









Re: connection timeout on win2007 exchange

2009-01-14 Thread Wietse Venema
bharathan kailath:
 Hi
 
 Jan 13 15:43:41 relay1 postfix/smtp[18476]: 5BF411611EE: to=
 valer...@example.com, relay=xxx.xxx.xxx.xxx[1xxx.xxx.xxx.xxx
 ]:25, delay=101565, delays=100962/0.02/3.4/600, dsn=4.4.1, status=deferred
 (host xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] said: 421 4
 .4.1 Connection timed out (in reply to end of DATA command))
 
 the above is the log from our postfix relay; the host machine is a win2007
 exchange; this happens always;
 but some mails go through some not;
 
 what i can do about this ?

Record the content of network packets with tcpdump, and find out
which of the following is the case:

1) The client does not end the message with CRLF.CRLF

2) The server does not recognize CRLF.CRLF as the end
of message. For example, because some buggy "security" software
does not correctly handle the case where CRLF.CRLF is sent
in two pieces.

Wietse



Re: ETRN

2009-01-14 Thread Wietse Venema
bharathan kailath:
 we've got a gateway postfix server with which we provide mails to hosted
 domains; postfix is configured with Separate Domains with System Accounts
 (virtual alias domains and virtual alias maps); clients mail server pop up
 and collect all the their mails; it works great; but one of the client using
 ETRN and their domain is specified in transport and fast flush domain
 parameter in main.cf; that also work;
 
 but i want to know for this particular client (who send ETRN) can have a
 mailbox like other clients?
 
 now for this particular client our postfix server defer the mail till it get
 the ETRN from client;
 
 the idea is if mailbox is there i can retrieve/monitor the mails if anything
 goes wrong ; but is it possible in postfix?

This is how ETRN works:

1) The SMTP client sends an ETRN command to the SMTP server.

2) The SMTP server searches the queue and delivers the mail.

The Postfix ETRN implementation overrides the defer_transports
setting, so you can use that to hold mail in the queue until ETRN.

Wietse


Multiple SMTP relays based on sender's domain

2009-01-14 Thread Gilles Albusac

Is it possible to set up Postfix to choose an SMTP relayhost when routing 
outbound mail based on the domain name of the sender ?


Regards


Re: Multiple SMTP relays based on sender's domain

2009-01-14 Thread Neil
On Wed, Jan 14, 2009 at 5:01 AM, Gilles Albusac
gilles.albu...@wanadoo.fr wrote:

 Is it possible to set up Postfix to choose an SMTP relayhost when routing
 outbound mail based on the domain name of the sender ?


If you're okay with using addresses instead of domains, I think
sender_dependent_relayhost_maps might do the trick for you.


RE: Share postfix config directory

2009-01-14 Thread Rocco Scappatura
  I have different SMTP gateways each one configurred exactly at the
 same
  manner. The only difference is the hostname.
 
  I would like to know if I could define /etc/postfix as an NFS
share
  somewhere and export it on each of my SMTP gateways. The aim is
  obviously to change only one configuration file each time that a
 postfix
  configuration update is needed.
 
 Let the computer do the work for you. See: man 1 make. If you are
 not familiar with this tool, then you work too hard.

I know that make is a really powerful tool. I have used it (in the
sense that I have written down some Makefile) for compiling rather few C
projects. At the moment I can't guess how I could use 'make' for my
purpose. I feel that in some manner it could be a substitution matter
that 'make' is very clever to manage. But I can't infer anything more..

Could you give me further insight? :-)

Thanks,

rocsca


Re: Share postfix config directory

2009-01-14 Thread Chris Babcock
On Wed, 14 Jan 2009 14:07:05 +0100
Rocco Scappatura rocco.scappat...@infracom.it wrote:

 I know that make is a really powerful tool. I have used it (in the
 sense that I have written down some Makefile) for compiling rather few C
 projects. At the moment I can't guess how I could use 'make' for my
 purpose. I feel that in some manner it could be a substitution matter
 that 'make' is very clever to manage. But I can't infer anything
 more..
 
 Could you give me further insight? :-)

You're so going to kick yourself... ;-)

Stop thinking about what you use make for and think about what it does:

make  updates  a  target if it depends on prerequisite files
that have been modified since the target was last modified, or
if the target does not exist.

Your targets are the configurations on the shares. Each has your master
copy as its prerequisite. Type make all to propagate your changes.

Chris Babcock





Re: Submission port SSL issues

2009-01-14 Thread Victor Duchovni
On Wed, Jan 14, 2009 at 05:01:25AM -0800, Neil wrote:

 Specifically: Mail.app only does SSL, not TLS.

This is not true. Mail.app supports STARTTLS, it does not support use
of client certificates, but STARTTLS with or without SASL is supported
and working both in Tiger and Leopard.

 It would test port 567
 for connectivity, but not SSL-ability, for some reason,

What is 567? Implement STARTTLS on 587 (submission), and only if needed
to support Outlook/OE, also implement SSL on 465 (smtps).


 It'd be nice if they added TLS support to Mail.app though.  And were a
 little more thorough in their connection tests.

Mail.app supports STARTTLS, as SSL is a non-standard legacy Outlook
protocol, this may only be supported on the legacy port (465). Don't
implement server-side wrapper mode on other ports.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.


Re: Cannot Send Email via POSTFIX to any domain

2009-01-14 Thread Brian Evans - Postfix List
secSwami wrote:
 Hi,

 I have spent countless hours researching this but I can't still figure
 out why I can't send email from postfix server to any other domain
 other than myself.
 I want my server to actually deliver the email and don't want to use
 ISP's mail server.  The server resides on a business network so I know
 there is no blocking there (isp).

 I know there is some issue with my config.  Can someone point me in
 the right direction?

 I would like users who authenticate to be able to send email anywhere
 using the server.  I get error message :  Relay access denied whenever
 sending email to anyone

 Here is my main.cf , I have left my master.cf file as it is.

 Thanks in advance.

 Here is my main.cf and master.cf (just in case).

Welcome to the list.
It seems you missed the welcome message:
1. TO REPORT A PROBLEM SEE: http://www.postfix.org/DEBUG_README.html#mail
(specifically the part about 'postconf -n')

For now, I'll dust off my crystal ball.

 smtp_sasl_auth_enable = yes
smtp means Postfix sending to another server.
Please review http://www.postfix.org/SASL_README.html#server_sasl

Brian
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options =
 virtual_mailbox_domains = /etc/postfix/vhosts.txt
 virtual_mailbox_base = /home/virtual
 virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 virtual_alias_maps = hash:/etc/postfix/aliases

 smtpd_recipient_restrictions = permit_sasl_authenticated
  permit_mynetworks
   reject_unauth_destination




Re: Submission port SSL issues

2009-01-14 Thread hose


On Jan 14, 2009, at 7:01 AM, Neil wrote:


On Tue, Jan 13, 2009 at 7:49 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:

On Tue, Jan 13, 2009 at 06:35:24PM -0800, Neil wrote:


I followed Noel's suggestion (top part of master.cf below), but I
still can't get it to work.


I read the above, but I still can't see any information there. I think
the words "can't", "it" and "work" need to each be replaced by a few
paragraphs explaining clearly to non-psychics what you tried to do,
what you expected to happen, and what actually happened.

--
  Viktor.




I'm going to spare you a re-hashing of the problem (unless you really
want it); the short of it was I was still having the SSL troubles from
my original post.

After following Noel's why-didn't-I-see-that advice, the continued
error turned out to be that Mail.app was just being too smart for its
own good.  Seeing as it gives me the same damned error no matter the
problem wasn't very helpful of it either.  Switching over to Tb for
the bulk of my testing (it actually shows the server's response!)
helped me come to the conclusion that Mail.app's
I'll-find-the-best-port-for-you! feature wasn't too good at finding
the best port...

Specifically: Mail.app only does SSL, not TLS.  It would test port 567
for connectivity, but not SSL-ability, for some reason, during
connection tests; and then would decide that, since it was open and
displaying a banner, 567 was the right port to use.  Then, when it
tried to send a mail, with SSL enabled, it would fail because, as you
explained, you can't have SSL and STARTTLS on the same port (and 567
was configured with STARTTLS, as per Postfix's pseudo-defaults).  Long
story short, telling Mail.app to shove it and do it my way (use port
465 all the time) did the trick.  I'm not really sure where in the
auto-configuration process it got stuck on trying 567 first (I believe
there might be circumstances where it will do the right thing
sometime, because it seemed to last time I configured it), but
frankly, I don't really care at this point.

It'd be nice if they added TLS support to Mail.app though.  And were a
little more thorough in their connection tests.


I'm not sure why your Mail.app doesn't support TLS, as mine does it
fine on port 25 with STARTTLS (port 25 also does regular incoming SMTP
without it).  It also works with SSL on 587, as I've been at places  
using that port and it finds it automatically when port 25 doesn't do  
STARTTLS.  This required no configuration change from the default  
selection of Use Default Ports (25, 465, 587) in the SMTP section of  
the account settings.


hose


how to block arabic emails ?

2009-01-14 Thread Murat Ugur EMINOGLU

Dear All,

How i can block all arabic emails?

example email :

header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك

thanks, best regards.


Re: What do these logs mean?

2009-01-14 Thread Charles Marcus
On 1/14/2009, Rupert Reid (isingl...@madasafish.com) wrote:
 What is fail2ban and how would I implement that? 

Google is your friend...

-- 

Best regards,

Charles


Re: Share postfix config directory

2009-01-14 Thread Wietse Venema
Rocco Scappatura:
   I have different SMTP gateways each one configurred exactly at the
  same
   manner. The only difference is the hostname.
  
   I would like to know if I could define /etc/postfix as an NFS
 share
   somewhere and export it on each of my SMTP gateways. The aim is
   obviously to change only one configuration file each time that a
  postfix
   configuration update is needed.
  
  Let the computer do the work for you. See: man 1 make. If you are
  not familiar with this tool, then you work too hard.
 
 I know that make is a really powerful tool. I have used it (in the
 sense that I have written down some Makefile) for compiling rather few C
 projects. At the moment I can't guess how I could use 'make' for my
 purpose. I feel that in some manner it could be a substitution matter
 that 'make' is very clever to manage. But I can't infer anything more..
 
 Could you give me further insight? :-)
 

# cat Makefile
# One generated main.cf per gateway, all built from the shared template.
FILES = main.cf-a main.cf-b main.cf-c

all: $(FILES)

# Each target is rebuilt and pushed only when the Makefile or template changes.
main.cf-a: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template >$@
	rsync -av $@ hosta:/etc/postfix

main.cf-b: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template >$@
	rsync -av $@ hostb:/etc/postfix

main.cf-c: Makefile main.cf-template
	sed 's/whatever/whatever/' main.cf-template >$@
	rsync -av $@ hostc:/etc/postfix


Re: backscattering

2009-01-14 Thread Noel Jones

Aaron Wolfe wrote:


we use a home grown policy filter for various things, I have been
thinking about adding smtp to=from checks since it's almost zero
additional resources to do.  is it practical to attempt a sort of
whitelist to allow the valid cases and then block the rest?  is this a
stupid idea?  unfortunately SPF isn't an easy solution because we
handle mail for many organizations and we haven't gotten much
cooperation from them, but if that is a better way then I will keep
harping on it.

-Aaron


I can certainly imagine this blocking legit mail, but if you 
get a large amount of spam such a rule would block, go for it. 
 As you said, adding such a check to an existing policy 
server adds practically zero overhead.  Just keep an eye on 
it, especially at first.


There may be better ways to block what you are getting. 
Examine the postfix logs and the unwanted mail and look for 
patterns other than the From=To, such as the client being 
listed on some RBL, client in dynamic/home user space, rogue 
ISP, suspect HELO name, etc.



--
Noel Jones
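
One way to implement the from=to check discussed above as a Postfix policy delegation handler, in Python. This is an added example, not Aaron's filter and not code from the thread; the trusted-client list, the response text and the sample requests are constructed. It defaults to log-only mode (WARN), in line with the advice to keep an eye on the rule at first, and the same request/response format is what a check_policy_service SPF daemon speaks.

```python
import sys


def parse_request(text):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, trusted_clients=frozenset(), enforce=False):
    """Return an access(5) action for mail whose sender equals its recipient."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Compared case-insensitively; the null sender (bounces) is never matched.
    sender = attrs.get("sender", "").strip().lower()
    recipient = attrs.get("recipient", "").strip().lower()
    if not sender or sender != recipient:
        return "DUNNO"
    # The "valid cases" allow-list: authenticated users and trusted hosts
    # (assumption: these are the cases an operator would want to exempt).
    if attrs.get("sasl_username"):
        return "DUNNO"
    if attrs.get("client_address") in trusted_clients:
        return "DUNNO"
    verdict = "REJECT" if enforce else "WARN"
    return verdict + " sender address equals recipient address"


def respond(text, **options):
    """Build the reply Postfix expects: one action line plus an empty line."""
    return "action=%s\n\n" % decide(parse_request(text), **options)


def serve(stream_in=sys.stdin, stream_out=sys.stdout, **options):
    """Answer requests on stdin/stdout, as when started through spawn(8)."""
    block = []
    for line in stream_in:
        line = line.rstrip("\n")
        if line:
            block.append(line)
            continue
        if block:
            stream_out.write(respond("\n".join(block), **options))
            stream_out.flush()
            block = []


def make_request(client, sender, recipient, sasl_username=""):
    """Constructed sample request using documentation addresses."""
    return "\n".join([
        "request=smtpd_access_policy",
        "protocol_state=RCPT",
        "protocol_name=ESMTP",
        "client_address=" + client,
        "sender=" + sender,
        "recipient=" + recipient,
        "sasl_username=" + sasl_username,
        "",
    ])


# Constructed requests: a forged self-addressed mail, the same mail from a
# trusted host, an authenticated user, and a bounce with the null sender.
FORGED = make_request("203.0.113.7", "alice@example.com", "Alice@example.com")
TRUSTED = make_request("192.0.2.25", "alice@example.com", "alice@example.com")
AUTHED = make_request("203.0.113.9", "bob@example.com", "bob@example.com", "bob")
BOUNCE = make_request("203.0.113.7", "", "alice@example.com")

if __name__ == "__main__":
    serve(trusted_clients=frozenset({"192.0.2.25"}))
```
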


Re: Problem with Zen filtering legit e-mail

2009-01-14 Thread Roland Plüss


Bill Cole wrote:
 Roland Plüss wrote, On 1/13/09 9:47 AM:

 Brian Evans - Postfix List wrote:
 [...]
 Gentoo is not the issue, however the different SASL implementations can
 be an interesting experiment to get working.
 Dovecot SASL is easier, IMO, to setup and configure and you can disable
 the IMAP services from starting simply enough.

   
 Hm... I tried Cyrus so far. What's the difference between the two except
 the configuration?

 1. Dovecot SASL is a free-standing authentication daemon rather than
 libraries that have to be linked into Postfix, which eliminates the
 opportunity for failure from having a mismatch between the libraries
 used to build Postfix and the ones in place at run time.

 2. Dovecot only provides authentication for the SMTP server side of
 Postfix,   so if you need to have the SMTP or LMTP client parts of
 Postfix authenticate themselves to a server, Cyrus is your only choice.

 And the config difference is a significant one. A SASL implementation
 that one cannot figure out how to configure  has absolutely no
 functionality. It is also possible to configure Cyrus functionally but
 very insecurely, which is likely to be more difficult to accomplish
 with Dovecot.


I guess in this case I should once upon time pay Dovecot a visit. I need
only auth for SMTP/IMAP. LMTP I don't use so it's not a blocker there.

-- 
Yours sincerely
Plüss Roland






Re: how to block arabic emails ?

2009-01-14 Thread Terry Carmen

Murat Ugur EMINOGLU wrote:

Dear All,

How i can block all arabic emails?

example email :

header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك

thanks, best regards.


You need to post the actual message headers (View-Options in Outlook, 
View-Message Source in almost everything else.)


Terry



SPF Checking

2009-01-14 Thread Russ Lavoy
Hello List,

I am wondering about an SPF checking addition for postfix.  Where I see all of 
the addon software, I am not 100% comfortable modifying the postfix code and 
still have it be as secure as it was when I first set it up.

Are there any plans on integrating SPF checking into postfix itself?

If not, does anyone out there know how to stop forged emails coming in as 
someone you know, but they did not send them (as per their email headers)?

Thanks!


  


Configure an Alternate Interface for Destination

2009-01-14 Thread Chris Babcock
I'm using multiple instances of Postfix. One of the IP addresses I just
started using is blocked by a major provider. I've gone through all the
hoops... It's not on any RBLs, rDNS records match the hostname, etc.,
but I have no indication that this provider has even received my
request about the block let alone plans to remove it.

Meanwhile, I'm using relayhost = [IP-of-other-Postfix-instance] to
send mail through an IP address that isn't blocked, which kind of
defeats my purposes for having multiple Postfix instances.

What I want to do is configure an alternate transport for this domain
like...

/etc/postfix-asciiking/main.cf:
transport_maps = hash:/etc/postfix-asciiking/transport

/etc/postfix-asciiking/master.cf:
blocked  unix  -   -   n   -   -   smtp
  -o relayhost = [IP-of-other-Postfix-instance]

/etc/postfix-asciiking/transport
earthlink.com   blocked:
mindspring.com  blocked:

When I tried this, I did postmap on the transport file and postfix reload
for that configuration, but the logs clearly showed the asciiking
Postfix instance attempting to make direct delivery to Earthlink rather
than handing it to the other instance for delivery. I'm trying to follow
Configuring an Alternate Transport from p 403 of 'The Book of
Postfix'. Is my transport misconfigured? Is transport_maps the right
main.cf parameter? Something painfully obvious?

Thanks,
Chris Babcock





Re: Multiple SMTP relays based on sender's domain

2009-01-14 Thread Terry Carmen

Neil wrote:

On Wed, Jan 14, 2009 at 5:01 AM, Gilles Albusac
gilles.albu...@wanadoo.fr wrote:
  

Is it possible to set up Postfix to choose an SMTP relayhost when routing
outbound mail based on the domain name of the sender ?




If you're okay with using addresses instead of domains, I think
sender_dependent_relayhost_maps might do the trick for you.
  

If you mean recipient domain, this will work:


/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport


/etc/postfix/transport:
army.mil smtp:smtp.yourisp.com
fussymx.com smtp:mail.whoevertheytalkto.com

Don't forget to postmap transport


If you really mean sender, I'm not sure what you would use.


Terry



--
Terry Carmen
CNY Support, LLC

315.382.3939
http://cnysupport.com 



Re: SPF Checking

2009-01-14 Thread Erwan David
On Wed, Jan 14, 2009 at 05:22:25PM CET, Russ Lavoy ussray...@yahoo.com said:
 Hello List,
 
 I am wondering about an SPF checking addition for postfix.  Where I see all 
 of the addon software, I am not 100% comfortable modifying the postfix code 
 and still have it be as secure as it was when I first set it up.
 
 Are there any plans on integrating SPF checking into postfix itself?
 
 If not, does anyone out there know how to stop forged emails coming in as 
 someone you know, but they did not send them (as per their email headers)?
 

postfix has the policy servers mechanism for this kind of checks. You
do not need to modify postfix code, and postfix can benefit from third
party policy daemons.

-- 
Erwan


Re: SPF Checking

2009-01-14 Thread Mark Watts

On Wednesday 14 January 2009 16:22:25 Russ Lavoy wrote:
 Hello List,

 I am wondering about an SPF checking addition for postfix.  Where I see all
 of the addon software, I am not 100% comfortable modifying the postfix code
 and still have it be as secure as it was when I first set it up.

 Are there any plans on integrating SPF checking into postfix itself?

 If not, does anyone out there know how to stop forged emails coming in as
 someone you know, but they did not send them (as per their email headers)?

 Thanks!

Personally, I use python-postfix-policyd-spf from 
http://www.openspf.org/Software
(a.k.a. pypolicyd-spf), implemented as a check_policy_service.

EG:

master.cf:
policyd-spf  unix  -   n   n   -   0   spawn
   user=nobody argv=/usr/bin/policyd-spf

main.cf:
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
...
check_policy_service unix:private/policyd-spf

# ls -l /var/spool/postfix/private/policyd-spf
srw-rw-rw- 1 postfix postfix 0 Jan  6 16:09 /var/spool/postfix/private/policyd-spf


HTH,

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer
QinetiQ Applied Technologies
GPG Key: http://www.linux-corner.info/mwatts.gpg




Re: SPF Checking

2009-01-14 Thread Noel Jones

Russ Lavoy wrote:

Hello List,

I am wondering about an SPF checking addition for postfix.  Where I see all of 
the addon software, I am not 100% comfortable modifying the postfix code and 
still have it be as secure as it was when I first set it up.

Are there any plans on integrating SPF checking into postfix itself?

If not, does anyone out there know how to stop forged emails coming in as 
someone you know, but they did not send them (as per their email headers)?



Use a policy server or a milter that supports SPF checking.
There are some listed here
http://www.openspf.org/Software
Seems these should be listed on the postfix addon page.

Or the standard sendmail sid-milter
http://sourceforge.net/projects/sid-milter/

None of the above require modifying postfix source; all work 
reasonably well.


Since postfix has two methods to interface to standard 
SPF/SenderID software already, there are no plans to add 
postfix internal support for this.


--
Noel Jones


Re: Configure an Alternate Interface for Destination

2009-01-14 Thread Matt Rude

On Wed, January 14, 2009 10:23 am, Chris Babcock wrote:
 I'm using multiple instances of Postfix. One of the IP addresses I just
 started using is blocked by a major provider. I've gone through all the
 hoops... It's not on any RBLs, rDNS records match the hostname, etc., but
 I have no indication that this provider has even received my
 request about the block let alone plans to remove it.

 Meanwhile, I'm using relayhost = [IP-of-other-Postfix-instance] to
 send mail through an IP address that isn't blocked, which kind of defeats
 my purposes for having multiple Postfix instances.

 What I want to do is configure an alternate transport for this domain
 like...

 /etc/postfix-asciiking/main.cf:
 transport_maps = hash:/etc/postfix-asciiking/transport

 /etc/postfix-asciiking/master.cf:
 blocked  unix  -   -   n   -   -   smtp -o
 relayhost = [IP-of-other-Postfix-instance]

 /etc/postfix-asciiking/transport
 earthlink.com   blocked:
 mindspring.com  blocked:

Put the IP-of-other-Postfix-instance after blocked:

See: http://www.postfix.org/transport.5.html

   When  no  nexthop  host name is specified, the destination
   domain name is used instead. For  example,  the  following
   directs  mail  for u...@example.com via the slow transport
   to a mail exchanger for example.com.  The  slow  transport
   could be configured to run at most one delivery process at
   a time:

example.com  slow:


-Matt



 When I tried this, I did postmap on the transport file and postfix reload
 for that configuration, but the logs clearly showed the asciiking Postfix
 instance attempting to make direct delivery to Earthlink rather than
 handing it to the other instance for delivery. I'm trying to follow
 Configuring an Alternate Transport from p 403 of 'The Book of
 Postfix'. Is my transport misconfigured? Is transport_maps the right
 main.cf parameter? Something painfully obvious?

 Thanks,
 Chris Babcock





-- 
Matt Rude
website: http://www.mattrude.com  -  wiki: http://wiki.mattrude.com
PGP Fingerprint: 0E94 70DA 89F8 5102 0862  5EA2 CB10 759E E65F 2C46


Re: Configure an Alternate Interface for Destination

2009-01-14 Thread Wietse Venema
Chris Babcock:
 On Wed, 14 Jan 2009 10:50:01 -0600 (CST)
 Matt Rude li...@mattrude.com wrote:
 
  
   /etc/postfix-asciiking/main.cf:
   transport_maps = hash:/etc/postfix-asciiking/transport

Show postconf -n output instead of cut-and-paste. You may
have typo-ed something.

   /etc/postfix-asciiking/master.cf:
   blocked  unix  -   -   n   -   -   smtp -o
   relayhost = [IP-of-other-Postfix-instance]

As documented, relayhost is not used by the smtp CLIENT.

Wietse


Re: Cannot Send Email via POSTFIX to any domain

2009-01-14 Thread secSwami

Brian Evans - Postfix List wrote:

Hi Brian,

Sorry for newbie mistake.  Here is dump of my config as produced by 
postconf -n.


[r...@wutang ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = localhost
myhostname = localhost
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = mydomain1.com , mydomain2.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination

unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/virtual
virtual_mailbox_domains = /etc/postfix/vhosts.txt
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_uid_maps = static:5000



I would just like this server to be the email server for my company.  IMAP part 
(dovecot) works fine and I can get the emails but the part where I am 
using thunderbird or outlook to SEND email doesn't work.


Here is dump of my maillog:

Jan  2 00:35:09 localhost postfix/smtpd[3539]: generic_checks: 
name=reject_unauth_destination
Jan  2 00:35:09 localhost postfix/smtpd[3539]: 
reject_unauth_destination: testu...@hotmail.com
Jan  2 00:35:09 localhost postfix/smtpd[3539]: permit_auth_destination: 
testu...@hotmail.com
Jan  2 00:35:09 localhost postfix/smtpd[3539]: ctable_locate: leave 
existing entry key testu...@hotmail.com
Jan  2 00:35:09 localhost postfix/smtpd[3539]: NOQUEUE: reject: RCPT 
from adsl-71-135-98-129.dsl.pltn13.pacbell.net[71.135.98.129]: 554 5.7.1 
testu...@hotmail.com: Relay access denied; 
from=testu...@mydomain.com to=testu...@hotmail.com proto=SMTP 
helo=[192.168.74.129]


Thanks




secSwami wrote:
  

Hi,

I have spent countless hours researching this but I can't still figure
out why I can't send email from postfix server to any other domain
other than myself.
I want my server to actually deliver the email and don't want to use
ISP's mail server.  The server resides on a business network so I know
there is no blocking there (isp).

I know there is some issue with my config.  Can someone point me in
the right direction?

I would like users who authenticate to be able to send email anywhere
using the server.  I get error message :  Relay access denied whenever
sending email to anyone

Here is my main.cf , I have left my master.cf file as it is.

Thanks in advance.

Here is my main.cf and master.cf (just in case).


Welcome to the list.
It seems you missed the welcome message:
1. TO REPORT A PROBLEM SEE: http://www.postfix.org/DEBUG_README.html#mail
(specifically the part about 'postconf -n')

For now, I'll dust off my crystal ball.
  

smtp_sasl_auth_enable = yes


smtp means Postfix sending to another server.
Please review http://www.postfix.org/SASL_README.html#server_sasl

Brian
  

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
virtual_mailbox_domains = /etc/postfix/vhosts.txt
virtual_mailbox_base = /home/virtual
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/aliases

smtpd_recipient_restrictions = permit_sasl_authenticated
 permit_mynetworks
  reject_unauth_destination





  




Re: Cannot Send Email via POSTFIX to any domain

2009-01-14 Thread Brian Evans - Postfix List
secSwami wrote:
 Brian Evans - Postfix List wrote:

 Hi Brian,

 Sorry for newbie mistake.  Here is dump of my config as produced by
 postconf -n.

 [r...@wutang ~]# postconf -n
[...]
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options =
 smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
 smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
FYI, duplicated restrictions are a bit pointless. Best to remove the
sender restriction for (self-)clarity.

 I would just like this server to be the email server for my company.  IMAP
 part (dovecot) works fine and I can get the emails but the part where
 I am using thunderbird or outlook to SEND email doesn't work.

Then I gave you the correct link.
http://www.postfix.org/SASL_README.html#server_sasl
To summarize: set 'smtpd_sasl_auth_enable = yes'

You still should read the rest of the link.  The SASL_README may also
help with other questions that can come up.

Brian


 Here is dump of my maillog:

 Jan  2 00:35:09 localhost postfix/smtpd[3539]: generic_checks:
 name=reject_unauth_destination
 Jan  2 00:35:09 localhost postfix/smtpd[3539]:
 reject_unauth_destination: testu...@hotmail.com
 Jan  2 00:35:09 localhost postfix/smtpd[3539]:
 permit_auth_destination: testu...@hotmail.com
 Jan  2 00:35:09 localhost postfix/smtpd[3539]: ctable_locate: leave
 existing entry key testu...@hotmail.com
 Jan  2 00:35:09 localhost postfix/smtpd[3539]: NOQUEUE: reject: RCPT
 from adsl-71-135-98-129.dsl.pltn13.pacbell.net[71.135.98.129]: 554
 5.7.1 testu...@hotmail.com: Relay access denied;
 from=testu...@mydomain.com to=testu...@hotmail.com proto=SMTP
 helo=[192.168.74.129]

 Thanks



 secSwami wrote:
  
 Hi,

 I have spent countless hours researching this but I can't still figure
 out why I can't send email from postfix server to any other domain
 other than myself.
 I want my server to actually deliver the email and don't want to use
 ISP's mail server.  The server resides on a business network so I know
 there is no blocking there (isp).

 I know there is some issue with my config.  Can someone point me in
 the right direction?

 I would like users who authenticate to be able to send email anywhere
 using the server.  I get error message :  Relay access denied whenever
 sending email to anyone

 Here is my main.cf , I have left my master.cf file as it is.

 Thanks in advance.

 Here is my main.cf and master.cf (just in case).
 
 Welcome to the list.
 It seems you missed the welcome message:
 1. TO REPORT A PROBLEM SEE:
 http://www.postfix.org/DEBUG_README.html#mail
 (specifically the part about 'postconf -n')

 For now, I'll dust off my crystal ball.
  
 smtp_sasl_auth_enable = yes
 
 smtp means Postfix sending to another server.
 Please review http://www.postfix.org/SASL_README.html#server_sasl

 Brian
  
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options =
 virtual_mailbox_domains = /etc/postfix/vhosts.txt
 virtual_mailbox_base = /home/virtual
 virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 virtual_alias_maps = hash:/etc/postfix/aliases

 smtpd_recipient_restrictions = permit_sasl_authenticated
  permit_mynetworks
   reject_unauth_destination

 


   




Re: Cannot Send Email via POSTFIX to any domain

2009-01-14 Thread secSwami

Brian Evans - Postfix List wrote:

secSwami wrote:
  

Brian Evans - Postfix List wrote:

Hi Brian,

Sorry for newbie mistake.  Here is dump of my config as produced by
postconf -n.

[r...@wutang ~]# postconf -n


[...]
  

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination


FYI, duplicated restrictions are a bit pointless. Best to remove the
sender restriction for (self-)clarity.
  

I would just like this server to be the email server for my company.  IMAP
part (dovecot) works fine and I can get the emails but the part where
I am using thunderbird or outlook to SEND email doesn't work.



Then I gave you the correct link.
http://www.postfix.org/SASL_README.html#server_sasl
To summarize: set 'smtpd_sasl_auth_enable = yes'
  

Brian,

I have set that option to yes.  I will go ahead and read up more on the 
SASL_README.

Anything else that you can think of that may be wrong in the config?

Thanks


You still should read the rest of the link.  The SASL_README may also
help with other questions that can come up.

Brian

  

Here is dump of my maillog:

Jan  2 00:35:09 localhost postfix/smtpd[3539]: generic_checks:
name=reject_unauth_destination
Jan  2 00:35:09 localhost postfix/smtpd[3539]:
reject_unauth_destination: testu...@hotmail.com
Jan  2 00:35:09 localhost postfix/smtpd[3539]:
permit_auth_destination: testu...@hotmail.com
Jan  2 00:35:09 localhost postfix/smtpd[3539]: ctable_locate: leave
existing entry key testu...@hotmail.com
Jan  2 00:35:09 localhost postfix/smtpd[3539]: NOQUEUE: reject: RCPT
from adsl-71-135-98-129.dsl.pltn13.pacbell.net[71.135.98.129]: 554
5.7.1 testu...@hotmail.com: Relay access denied;
from=testu...@mydomain.com to=testu...@hotmail.com proto=SMTP
helo=[192.168.74.129]

Thanks





secSwami wrote:
 
  

Hi,

I have spent countless hours researching this but I can't still figure
out why I can't send email from postfix server to any other domain
other than myself.
I want my server to actually deliver the email and don't want to use
ISP's mail server.  The server resides on a business network so I know
there is no blocking there (isp).

I know there is some issue with my config.  Can someone point me in
the right direction?

I would like users who authenticate to be able to send email anywhere
using the server.  I get error message :  Relay access denied whenever
sending email to anyone

Here is my main.cf , I have left my master.cf file as it is.

Thanks in advance.

Here is my main.cf and master.cf (just in case).



Welcome to the list.
It seems you missed the welcome message:
1. TO REPORT A PROBLEM SEE:
http://www.postfix.org/DEBUG_README.html#mail
(specifically the part about 'postconf -n')

For now, I'll dust off my crystal ball.
 
  

smtp_sasl_auth_enable = yes



smtp means Postfix sending to another server.
Please review http://www.postfix.org/SASL_README.html#server_sasl

Brian
 
  

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
virtual_mailbox_domains = /etc/postfix/vhosts.txt
virtual_mailbox_base = /home/virtual
virtual_mailbox_maps = hash:/etc/postfix/vmaps.txt
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/aliases

smtpd_recipient_restrictions = permit_sasl_authenticated
 permit_mynetworks
  reject_unauth_destination



  
  



  




Re: What do these logs mean?

2009-01-14 Thread mouss
Ralf Hildebrandt wrote:
 * mouss mo...@ml.netoyen.net:
 
 too many users with 'a' as first letter, and machine is in the US while
 OP is in UK. so either OP munged things, or his server is under attack.

 anyway, as you said, not a postfix issue.
 
 One could fail2ban the attacker :) 
 

and if the probes use multiple TCP connections (if the pop server
disconnects after a failure), then he can use rate limiting in his
packet filter if supported (recent in iptables, overload in pf).


Re: How to restrict ACCESS not RELAY to the SMTP daemon?

2009-01-14 Thread mouss
Thomas wrote:
 Thomas wrote:
 Hello,
 i try to figure out how to restrict ACCESS to the SMTP daemon.

 With that, i mean something like the tcpwrapper for SMTP/SMTPS ...
 
 I found that about a similar solution:
 
 http://archives.neohapsis.com/archives/postfix/2007-05/0343.html
 
 There, the following is written:
 
 
 
 There's no real need to run a proxy in-between in this scenario.
 
 If you really want to have some control over connections before they're
 handled
 to postfix, use standalone smtp mode. Like this (inetd.conf):
 
  smtp inet stream nowait postfix.postfix accept-conn -deny=/file/deny
 -run=/usr/lib/postfix/smtpd -S ..
 
 There are two drawbacks:
 
 1) this your pre-accepting server has to run smtpd as postfix user.
 Which means either it is running as postfix itself, or (worse) as root.
 
 2) this approach requires fork+exec for each (non-blocked) connection.
 
 And another approach, which eliminates both drawbacks, is to use
 (unfinished)
 passfd port. Here's the patch for 2.3:
 http://www.corpit.ru/mjt/postfix-2.3.2-passfd.diff
 and for 2.4.0:
 http://www.corpit.ru/mjt/postfix-2.4.0-passfd.diff
 
 And here's a tiny program - a client side:
 http://www.corpit.ru/mjt/sendfd.c
 
 It works like this. In master.cf, instead of
  smtp inet ... smtpd
 use
  smtpd pass ... smtpd
 
 This will create /var/spool/postfix/public/smtpd AF_UNIX socket.
 Now, continuing the above example:
 
  smtp inet stream nowait nobody.postdrop accept-conn -deny=/file/deny
 -run=sendfd /var/spool/postfix/public/smtpd
 
 Which will just pass on the connection to postfix.
 
 I wonder why this `pass' port type support is commented-out... ;)
 ###
 
 That mail was from 2007 - maybe there is now a better way to handle such
 a situation?
 
 BTW, i never figured out that inetd/xinetd may be such a bad way to
 start programs!
 At least, programs that do not run as root normally ...
 

you don't need tcp wrappers. smtpd restrictions provide the same
functionality (and more), and Wietse gave you an example.

an alternative, that is appropriate for virtual machines, is
firewalling. configure your packet filter (iptables, pf, ipfilter, ...)
to only allow traffic that should be allowed.



Re: break mail into multiple for multiple recipients

2009-01-14 Thread mouss
ram wrote:
 On my MX servers we accept the mail and relay it to a spamassassin
 server
 
 Now for some ids we don't spam-scan the mail ( for eg ab...@domain.com )
 If a spammer marks a mail to some real recipient and to ab...@domain.com
 the mail goes thru because any mail for abuse@ is not scanned 
 
 
 Can I configure postfix on the MX server to send mails for
 ab...@domain.com in a separate transaction and other recipients in a
 separate transaction 
 I don't want to break all the multi-recipient mails into multiple, only
 for those mails marked to ab...@...
 
 

here are some choices:

- use multiple postfix instances, and use transport_maps instead of
content_filter/FILTER (you need multiple instance because transports are
global)

- use a filter that supports per recipient policies. amavisd-new and
dspam can do that

- pass all mail through the filter, but ignore the results for ab...@*.
This is what I do, because this way I get spamassassin infos in the
headers, which comes in handy if it's a fake complaint.





Re: What do these logs mean?

2009-01-14 Thread rafa

mouss wrote:


and if the probes use multiple TCP connections (if the pop server
disconnects after a failure), then he can use rate limiting in his
packet filter if supported (recent in iptables, overload in pf).


here is an example using iptables recent module:
http://lists.opensuse.org/opensuse-security/2006-11/msg00025.html
Just change the port and the rate limit for your needs.
Check that your ipt_recent netfilter module is recent enough


Re: how to block arabic emails ?

2009-01-14 Thread mouss
Murat Ugur EMINOGLU wrote:
 Dear All,
 
 How i can block all arabic emails?
 
 example email :
 
 header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك
 
 thanks, best regards.

try spamassassin. it has ok_languages and ok_locales options.

but it's better to see if you can block that mail based on the envelope.




Re: postfix implementation in forum like application - OT

2009-01-14 Thread mouss
Vivek Agrawal wrote:
 Hello sir,
   Actually I know we can use postfix for sending mails. But I don't
 know can we use postfix to receive mails also. Or do we need to configure
 some extra tools.
 
   Initially I was using postfix with getmail tool. Through postfix I
 was sending mail using sendmail -t command. And I was using getmail to
 receive mails from the same gmail account. And have written a small java
 code which parse that incoming mail and store it in database. But here my
 query was , why we are using postfix. I can use other simple java api to
 send mails. why postfix.
 

for queue mgmt: if the connection to the remote server fails, or if any
other problem prevents you from sending the message to the remote
server, then postfix will keep the message in the queue and retry later.

To do this in your java application requires work and skills. it is
wiser to minimise the code that you write and integrate with components
that are known to be secure, robust, correct, ... etc.

 One more thing I would like to mention over here is that I am using gmail
 account just for learning purpose. In future I will use my own domain name.
 

then you need an MTA, and postfix is an excellent choice.


Re: SPF Checking

2009-01-14 Thread mouss
Res wrote:
 On Wed, 14 Jan 2009, Noel Jones wrote:
 
 Or the standard sendmail sid-milter
 http://sourceforge.net/projects/sid-milter/
 
 I'd urge caution on this one, it favours Micro$ofts SAV more than SPF,
 and you will find a LOT of legitimate mail blocked, especially from
 mailing lists, although there is a patch to help with that if you go to
 the bug tracker.
 

what is microsoft SAV? do you mean Sender Id? here, SAV is Sender
Address Verification which has nothing to do with MS nor SPF.


Re: Problem with Zen filtering legit e-mail

2009-01-14 Thread Roland Plüss


mouss wrote:
 Roland Plüss wrote:
   
 I guess in this case I should once upon time pay Dovecot a visit. I need
 only auth for SMTP/IMAP. LMTP I don't use so it's not a blocker there.

 

 you apparently didn't get it:

 - if you only need to authenticate TO YOUR postfix, then dovecot is a
 good choice. This happens when your mailer connects to postfix.

 - if you need your postfix to authenticate TO OTHER smtp servers, then
 you need cyrus-sasl.

 In short, dovecot doesn't support client side SASL. see the SASL
 README for more.
   
Nah, it's only for client to my postfix. No need for postfix to auth to
other smtp servers. Unless this would be somehow useful or would
prevent problems.

-- 
Yours sincerely
Plüss Roland






Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Mon, Jan 12, 2009 at 09:35:14PM -0800, Jeff Weinberger wrote:

  When a sender is not authenticated, and
  reject_unauthenticated_sender_login_mismatch is specified, postfix takes
  the MAIL FROM address, looks it up in smtpd_sender_login_maps and if
  it's found, the message is rejected?
 
  Essentially the lookup is just for the existence of the MAIL FROM
  address in the smtpd_sender_login_maps table?

 Yes, that's what I said.

  Am I then correct in concluding that with:
 
  smtpd_sender_restrictions =
  permit_sasl_authenticated,
  reject_authenticated_sender_login_mismatch,
  reject

 Observe that the order of the first two elements is not entirely
 correct.

  that the permit_sasl_authenticated obviates the need for
  reject_unauthenticated_sender_login_mismatch?
  (as there would never be an unauthenticated sender permitted...)

 Yes. this saves you a table lookup before unauthenticated senders are
 rejected outright via reject.

  And am I also correct in concluding that if unauthenticated senders were
  allowed (as they would have to be for smtpd to accept messages from the
  internet), that reject_unauthenticated_sender_login_mismatch would
  prevent any non-authenticated sender from sending a message from (with MAIL
  FROM) any address listed in my smtpd_sender_login_maps?

 Yes, that's what I said.


I think I've misunderstood this again. Here's the behavior I observed:

I added -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch
to my master.cf smtp service entry (receiving mail on port 25).

It then rejected all mail. Each message was rejected because the sender was
not authenticated.

This is obviously undesirable behavior for this service, as I will never
receive any mail.

The behavior I was seeking was that it would reject messages where the MAIL
FROM is one of the addresses that validly authenticates.

In other words if a spammer were to forge the MAIL FROM address as one of my
valid users, then send the message to that same user or any other user on my
server, postfix would reject it, knowing that that particular address should
be sent from a matching (smtpd_sender_login_maps) authenticated user.

Further, any mail received with a MAIL FROM that is not listed in my
smtpd_sender_login_maps should then be permitted to pass, at least to the
next check.

Given that reject_unauthenticated_sender_login_mismatch does not produce this
behavior, is there another way to produce this behavior? (with the obvious
corollary - is there any reason I would not want to do so?)

Thank you!!



Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread Victor Duchovni
On Wed, Jan 14, 2009 at 11:15:54PM -, jeff_homeip wrote:

 I think I've misunderstood this again. here's the behavior I observed:
 
 I added  -o 
 smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to
 my master.cf smtp service entry (receiving mail on port 25).
 
 It then rejected all mail. Each message was rejected because the sender was
 not authenticated.

You should not really expect us to help you with this with no log entries,
associated postconf -n, and actual master.cf entries.


 The behavior I was seeking was that it would reject messages where
 the MAIL FROM is one of the addresses that validly authenticates.

The reject_unauthenticated_sender_login_mismatch feature only rejects
addresses listed in the smtpd_sender_login_maps table:

    /*
     * Reject if the client is not logged in and the sender address has an
     * owner.
     */
    if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
        reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache,
                                                      sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                   "%s: Sender address rejected: not logged in", sender));
    }

So either your report is incomplete/inaccurate, or you have managed to
list all the senders you tested in smtpd_sender_login_maps (difficult
with indexed files, easier with regexp tables and SQL lookups).

 Given that reject_unauthenticated_sender_login_mismatch does not
 produce this behavior, [ ... ]

With false premises you can reach any conclusion.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.
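
The decision made by the snippet quoted above, as an added Python model (not Postfix code and not part of any poster's message). It shows how an exact-match table and a lookup that answers for every key behave differently for unauthenticated senders. The table classes, addresses and the over-broad pattern are constructed, and the lookup is simplified to the full address plus an @domain key.

```python
import re


class IndexedTable:
    """Model of a hash:/btree:-style table: exact keys only.

    For indexed tables the address lookup also tries partial keys such as
    "@domain"; this model tries just that one partial form.
    """
    tries_partial_keys = True

    def __init__(self, entries):
        self._entries = {k.lower(): v for k, v in entries.items()}

    def lookup(self, key):
        return self._entries.get(key.lower())


class RegexpTable:
    """Model of a regexp:-style table: each pattern sees the whole address,
    the first match wins, and no partial keys are tried."""
    tries_partial_keys = False

    def __init__(self, rules):
        self._rules = [(re.compile(p, re.IGNORECASE), v) for p, v in rules]

    def lookup(self, key):
        for pattern, value in self._rules:
            if pattern.search(key):
                return value
        return None


def find_owner(table, sender):
    """Return the login that owns `sender`, or None if the table has no answer."""
    owner = table.lookup(sender)
    if owner is None and table.tries_partial_keys and "@" in sender:
        owner = table.lookup("@" + sender.rsplit("@", 1)[1])
    return owner


def check_unauth_sender(table, sender, sasl_username=None, sasl_active=True):
    """Model of reject_unauthenticated_sender_login_mismatch.

    Returns the reject text, or None when the restriction has no opinion and
    evaluation continues with the next restriction in the list.
    """
    if not sasl_active:
        return None          # the check only applies when SASL is active
    if sasl_username is not None:
        return None          # logged-in clients are not this restriction's job
    if find_owner(table, sender) is not None:
        return "553 5.7.1 %s: Sender address rejected: not logged in" % sender
    return None


# Constructed sample tables (assumptions, not taken from the thread).
EXACT = IndexedTable({"alice@example.com": "alice", "bob@example.com": "bob"})
# A pattern that returns an owner for ANY address, the kind of lookup that
# is easy to write by accident with regexp tables or SQL queries.
TOO_BROAD = RegexpTable([(r"^(.+)@", "someuser")])

CASES = [
    ("alice@example.com", None),        # local address, not logged in
    ("alice@example.com", "alice"),     # local address, logged in
    ("stranger@elsewhere.test", None),  # outside sender, not logged in
]


def run_cases(table):
    """Return True for each case that would be rejected."""
    return [check_unauth_sender(table, s, u) is not None for s, u in CASES]


if __name__ == "__main__":
    for name, table in (("exact table", EXACT), ("catch-all table", TOO_BROAD)):
        for (sender, user), rejected in zip(CASES, run_cases(table)):
            verdict = "REJECT" if rejected else "continue"
            print("%-16s %-26s login=%-6s -> %s" % (name, sender, user, verdict))
```

With the exact table only the forged local sender is rejected; with the catch-all table every unauthenticated sender is rejected.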


holding messages for one address or one domain in the queue?

2009-01-14 Thread Jeff Weinberger
This may seem like an odd question, but I need to find a way to  
suspend delivery of mail to one account or one domain for a short  
period of time to allow me to do a bit of maintenance.


As it stands now, I use maildrop as my delivery transport for virtual  
mailboxes.


Is there a way to tell postfix to hold the mail in its queue until I  
tell it I'm ready?


Is this as simple as having maildrop return a temporary failure code?  
and if that happens, postfix will retry at certain intervals (or on  
postqueue -f) right? And if that is a good way to do it, what return  
code should maildrop return?


Or is there a better way?

Thank you!



Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread Wietse Venema
Jeff Weinberger:
 This may seem like an odd question, but I need to find a way to  
 suspend delivery of mail to one account or one domain for a short  
 period of time to allow me to do a bit of maintenance.
 
 As it stands now, I use maildrop as my delivery transport for virtual  
 mailboxes.
 
 Is there a way to tell postfix to hold the mail in its queue until I  
 tell it I'm ready?

/etc/postfix/transport:
u...@example.com     retry:4.4.1 Service unavailable
another.example.com retry:4.4.1 Service unavailable

 Is this as simple as having maildrop return a temporary failure code?  

That would work, too.

Postfix will return mail when it exceeds $maximal_queue_lifetime.

 and if that happens, postfix will retry at certain intervals (or on  
 postqueue -f) right? And if that is a good way to do it, what return  
 code should maildrop return?

If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL
If using LMTP: a suitable 4XX numeric code.

Wietse


Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Wed, Jan 14, 2009 at 11:15:54PM -, jeff_homeip wrote:

  I think I've misunderstood this again. here's the behavior I observed:
 
  I added  -o
smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch to
  my master.cf smtp service entry (receiving mail on port 25).
 
  It then rejected all mail. Each message was rejected because the sender was
  not authenticated.

 You should not really expect us to help you with this with no log entries,
 associated postconf -n, and actual master.cf entries.


I'm always happy to provide whatever might be helpful, and yet always
conscious of excessively long messages. I generally don't post postconf -n in
its entirety for that and disclosure reasons (yes, I'm paranoid). But I try
to give the relevant entries and anything else you think will help.



  The behavior I was seeking was that it would reject messages where
  the MAIL FROM is one of the addresses that validly authenticates.

 The reject_unauthenticated_sender_login_mismatch feature only rejects
 addresses listed in the smtpd_sender_login_maps table:

     /*
      * Reject if the client is not logged in and the sender address has an
      * owner.
      */
     if (smtpd_sasl_is_active(state) && state->sasl_username == 0) {
         reply = (const RESOLVE_REPLY *) ctable_locate(smtpd_resolve_cache,
                                                       sender);
         if (reply->flags & RESOLVE_FLAG_FAIL)
             reject_dict_retry(state, sender);
         if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                  STR(reply->recipient), (char **) 0) != 0)
             return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                    "%s: Sender address rejected: not logged in", sender));
     }

 So either your report is incomplete/inaccurate, or you have managed to
 list all the senders you tested in smtpd_sender_login_maps (difficult
 with indexed files, easier with regexp tables and SQL lookups).

  Given that reject_unauthenticated_sender_login_mismatch does not
  produce this behavior, [ ... ]

 With false premises you can reach any conclusion.

I am quite certain that my premises are not false. I tested it with senders
who I know for a fact ARE listed in the smtpd_sender_login_maps both as
authenticated (they were accepted) and from another client that did not
authenticate (they were properly rejected).

Then I waited for someone else to send mail to one of my users. Here is the
log entry that was produced:

Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com: 
Sender
address rejected: not logged in; from=katie.prev...@morris.com
to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com

only altered to avoid posting one of my users' e-mail addresses and otherwise
as logged. The address logged as from=... is not in my
smtpd_sender_login_maps (I looked again to be sure) and is not a user or
sender on my server at all.

The master.cf entry is:

smtp  inet  n   -   n   -   -   smtpd
   -o smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch

that is the only line I used.

I would expect the above-mentioned mail to be permitted, and in other cases I
have had no problems.

Immediately after seeing this in the logs, I removed the -o
smtpd_sender_restrictions=reject_unauthenticated_sender_login_mismatch from my
master.cf entry, and since then no mail has been rejected with a reason of
not logged in.

I don't know how else to interpret this behavior, other than to conclude that
adding that line to my master.cf caused the mail to be rejected, which is not
what I expected.

Knowing that I cannot determine, apparently, what will be helpful in
diagnosing this behavior or suggesting ways I can achieve the desired
behavior, I am posting below my complete postconf -n (some addresses and
sensitive items edited out as noted, but otherwise unaltered).

I am hoping that you or someone will either identify what I've done wrong or
help me find a way to achieve the desired behavior.

If there is any additional information I have not provided here that would be
helpful in doing one of these two, please ask - I will provide as much as I
am able.

Thank you for your help.

--Jeff

postconf -n:

alias_database = mysql:/etc/postfix/mysql_alias_maps.cf
alias_maps = mysql:/etc/postfix/mysql_alias_maps.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_verp_delimiters = +=
disable_vrfy_command = yes
html_directory = /etc/postfix/html
inet_interfaces = all
local_recipient_maps =
luser_relay = address hidden
mail_owner = postfix user
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = 

Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, wie...@... (Wietse Venema) wrote:

 Jeff Weinberger:
  This may seem like an odd question, but I need to find a way to
  suspend delivery of mail to one account or one domain for a short
  period of time to allow me to do a bit of maintenance.
 
  As it stands now, I use maildrop as my delivery transport for virtual
  mailboxes.
 
  Is there a way to tell postfix to hold the mail in its queue until I
  tell it I'm ready?

 /etc/postfix/transport:
 u...@...  retry:4.4.1 Service unavailable
 another.example.com   retry:4.4.1 Service unavailable

  Is this as simple as having maildrop return a temporary failure code?

 That would work, too.

 Postfix will return mail when it exceeds $maximal_queue_lifetime.

  and if that happens, postfix will retry at certain intervals (or on
  postqueue -f) right? And if that is a good way to do it, what return
  code should maildrop return?

 If using pipe-to-command: /usr/include/sysexits.h's EX_TEMPFAIL
 If using LMTP: a suitable 4XX numeric code.

   Wietse


Thank you - I should have thought of the transport map also.

I appreciate your help!





Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread Jeff Weinberger


On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote:


Jeff Weinberger wrote:
This may seem like an odd question, but I need to find a way to  
suspend delivery of mail to one account or one domain for a short  
period of time to allow me to do a bit of maintenance.
As it stands now, I use maildrop as my delivery transport for  
virtual mailboxes.
Is there a way to tell postfix to hold the mail in its queue until  
I tell it I'm ready?


I've used a pretty simple trick of putting the domain in the  
header_checks.regexp file.


header_checks.regexp

/^To: @example.com/HOLD


Rod


nice trick! - thanks!


--
Is this as simple as having maildrop return a temporary failure  
code? and if that happens, postfix will retry at certain intervals  
(or on postqueue -f) right? And if that is a good way to do it,  
what return code should maildrop return?

Or is there a better way?
Thank you!







Re: Send-Only Server Config?

2009-01-14 Thread Thomas

maddae...@gmail.com wrote:

I've been asked to build a mail server for the purpose of sending mail
from various machines within a LAN to anywhere on the Net.  I'm
guessing that this would be considered a relay in a sense, since the
server will not be receiving mail from the outside, but please correct
me if I'm wrong.
  


I do something similar - having several linux servers in the internet.
All of them can only send mail - to the relayhost:

# domain varies with domain and host, of course
mydomain = domain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
relayhost = relayhost


The relayhost receives mail from all domains and all ips/networks of 
those clients:


# main part:
mydestination = $myhostname, localhost.$mydomain, localhost, server1,
    server2, relayhost, domain, domain2, domain3

mydomain = domain
mynetworks = 127.0.0.0/8, network, network2, network3, ip1,ip2
myorigin = $mydomain

# some additional config:
append_dot_mydomain = no
biff = no
mailbox_size_limit = 1073741824
message_size_limit = 1024
recipient_delimiter = .
relocated_maps = hash:/etc/postfix/relocated
# for tests etc:
#soft_bounce = no
#soft_bounce = yes

# security and access:
strict_rfc821_envelopes = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_invalid_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unknown_recipient_domain, permit_sasl_authenticated,
    reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_address
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


Works great :)

IF you can read and send mail from any mail client - the mails do not 
get back to the single client servers!

They stay at the relay host and can be read there via imap/pop...




Re: Share postfix config directory

2009-01-14 Thread Thomas

I never had a problem doing exactly this ...

For what do you need the hostname of the server?
My main.cf does not contain a hostname - it can easily be used over an 
NFS share:


mkdir /data
mount server:/data /data
/etc/init.d/postfix stop
cp -rp /etc/postfix /data/postfix_nfs
mv /etc/postfix /etc/postfix_ORIG
ln -s /data/postfix_nfs /etc/postfix
/etc/init.d/postfix start
echo `hostname`| Mail -s `hostname` account@yourdomain

Works :)

My simple client server main.cf:

postconf -n
config_directory = /etc/postfix
mydomain = yourdomain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
relayhost = your relay

Where does the hostname kick in at your site?



Rocco Scappatura wrote:

Hello,

I have different SMTP gateways each one configured exactly in the same
manner. The only difference is the hostname.

I would like to know if I could define /etc/postfix as an NFS share
somewhere and export it on each of my SMTP gateways. The aim is
obviously to change only one configuration file each time that a postfix
configuration update is needed.

TIA,

rocsca
  





Re: Servers High Performance and High Volume

2009-01-14 Thread Sahil Tandon
 On Wed, 14 Jan 2009, Ralf Hildebrandt wrote:

 * Res r...@ausics.net:

 Dovecot by far, for any number of users, we used to use Courier but
 found Dovecot had a good %30-%40 performance boost on busy servers, you
 could likely get away with one pop/imap server so long as it was decent
 hardware.

 Same here. This is mainly due to the caches dovecot uses.

 Not to mention Dovecot's LDA fits in nicely with postfix :)

+1 for Postfix w/ Dovecot LDA.

-- 
Sahil Tandon sa...@tandon.net


Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread Noel Jones
On Wed, Jan 14, 2009 at 04:41:59PM -0800, Jeff Weinberger wrote:
 
 On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote:
 
 Jeff Weinberger wrote:
 This may seem like an odd question, but I need to find a way to  
 suspend delivery of mail to one account or one domain for a short  
 period of time to allow me to do a bit of maintenance.
 As it stands now, I use maildrop as my delivery transport for  
 virtual mailboxes.
 Is there a way to tell postfix to hold the mail in its queue until  
 I tell it I'm ready?
 
 I've used a pretty simple trick of putting the domain in the  
 header_checks.regexp file.
 
 header_checks.regexp
 
 /^To: @example.com/HOLD
 
 

Using header_checks for this is unreliable; there is no guarantee the recipient
will be listed in the To: header.  You're not listed in To: in this message, but
you receive it anyway.

You can use HOLD with a check_recipient_access map reliably, that's another 
good way to temporarily pause delivery.

-- 
Noel Jones


Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread Noel Jones
On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote:
 I am quite certain that my premises are not false. I tested it with senders
 who I know for a fact ARE listed in the smtpd_sender_login_maps both as
 authenticated (they were accepted) and from another client that did not
 authenticate (they were properly rejected).
 
 Then I waited for someone else to send mail to one of my users. Here is the
 log entry that was produced:
 
 Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
 mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com:
 Sender address rejected: not logged in; from=katie.prev...@morris.com
 to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com
 


The map lookup matched on katie.prev...@morris.com.  
If you're using SQL for this table, you need to re-examine your query.
Test queries with something like:
postmap -q katie.prev...@morris.com mysql:/path/to/xxx.cf

Note there is a difference between not found and an empty response.


-- 
Noel Jones


Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread Sahil Tandon
On Wed, 14 Jan 2009, Noel Jones wrote:

 On Wed, Jan 14, 2009 at 04:41:59PM -0800, Jeff Weinberger wrote:
  
  On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote:
  
  Jeff Weinberger wrote:
  This may seem like an odd question, but I need to find a way to  
  suspend delivery of mail to one account or one domain for a short  
  period of time to allow me to do a bit of maintenance.
  As it stands now, I use maildrop as my delivery transport for  
  virtual mailboxes.
  Is there a way to tell postfix to hold the mail in its queue until  
  I tell it I'm ready?
  
  I've used a pretty simple trick of putting the domain in the  
  header_checks.regexp file.
  
  header_checks.regexp
  
  /^To: @example.com/HOLD
  
  
 
 Using header_checks for this is unreliable; there is no guarantee the
 recipient will be listed in the To: header.  You're not listed in To: in this
 message, but you receive it anyway.
 
 You can use HOLD with a check_recipient_access map reliably, that's another 
 good way to temporarily pause delivery.

I think this affects all recipients of the message, so the OP probably wants to
use transport_maps to limit holding/queuing only for a particular sent of 
recipients.

-- 
Sahil Tandon sa...@tandon.net


Re: holding messages for one address or one domain in the queue?

2009-01-14 Thread Sahil Tandon
On Wed, 14 Jan 2009, Sahil Tandon wrote:

 On Wed, 14 Jan 2009, Noel Jones wrote:
 
  On Wed, Jan 14, 2009 at 04:41:59PM -0800, Jeff Weinberger wrote:
   
   On Jan 14, 2009, at 3:53 PM, Roderick A. Anderson wrote:
   
   Jeff Weinberger wrote:
   This may seem like an odd question, but I need to find a way to  
   suspend delivery of mail to one account or one domain for a short  
   period of time to allow me to do a bit of maintenance.
   As it stands now, I use maildrop as my delivery transport for  
   virtual mailboxes.
   Is there a way to tell postfix to hold the mail in its queue until  
   I tell it I'm ready?
   
   I've used a pretty simple trick of putting the domain in the  
   header_checks.regexp file.
   
   header_checks.regexp
   
   /^To: @example.com/HOLD
   
   
  
  Using header_checks for this is unreliable; there is no guarantee the
  recipient will be listed in the To: header.  You're not listed in To: in
  this message, but you receive it anyway.
  
  You can use HOLD with a check_recipient_access map reliably, that's another 
  good way to temporarily pause delivery.
 
 I think this affects all recipients of the message, so the OP probably wants
 to use transport_maps to limit holding/queuing only for a particular sent of
 recipients.

s/sent/set/

:)

-- 
Sahil Tandon sa...@tandon.net
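
One way to script the transport-map approach suggested in this thread, as an added example that is not code from any of the posters: it adds or removes the `retry:4.4.1 Service unavailable` entry for one address or domain and rebuilds the map. It assumes `transport_maps = hash:/etc/postfix/transport`; the function names and the `TRANSPORT`, `POSTMAP` and `POSTQUEUE` variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes main.cf contains
#   transport_maps = hash:/etc/postfix/transport
# Function and variable names here are hypothetical.

TRANSPORT=${TRANSPORT:-/etc/postfix/transport}
POSTMAP=${POSTMAP:-postmap}
POSTQUEUE=${POSTQUEUE:-postqueue}
# Action from the thread: defer delivery with a temporary (4.x.x) status.
# Mail deferred longer than $maximal_queue_lifetime is still returned.
HOLD_ACTION='retry:4.4.1 Service unavailable'

# pause_delivery KEY   (KEY is user@domain or a domain)
# Adds "KEY retry:..." unless KEY is already paused. Refuses to touch a key
# that already routes elsewhere, so an existing transport is never overridden.
pause_delivery() {
    key=$1
    [ -n "$key" ] || return 2
    [ -f "$TRANSPORT" ] || return 2
    existing=$(awk -v k="$key" '$1 == k { print $2; exit }' "$TRANSPORT")
    case $existing in
        retry:*) ;;   # already paused, nothing to add
        '') printf '%s\t%s\n' "$key" "$HOLD_ACTION" >> "$TRANSPORT" ;;
        *)  echo "pause_delivery: $key already maps to $existing" >&2
            return 1 ;;
    esac
    "$POSTMAP" "$TRANSPORT"
}

# resume_delivery KEY
# Removes only the retry entry for KEY, rebuilds the map and asks for an
# immediate retry of deferred mail (postqueue -f).
resume_delivery() {
    key=$1
    [ -n "$key" ] || return 2
    tmp=$(mktemp) || return 1
    awk -v k="$key" '!($1 == k && $2 ~ /^retry:/)' "$TRANSPORT" > "$tmp"
    # Write back in place so the file keeps its owner and mode; postmap gives
    # the rebuilt database the same read permissions as the source file.
    cat "$tmp" > "$TRANSPORT"
    rm -f "$tmp"
    "$POSTMAP" "$TRANSPORT"
    "$POSTQUEUE" -f
}

# Direct use: sh pause.sh pause another.example.com
#             sh pause.sh resume another.example.com
case ${1:-} in
    pause)  pause_delivery "${2:-}" ;;
    resume) resume_delivery "${2:-}" ;;
esac
```

Because the transport table is consulted per recipient, only mail for the listed address or domain is deferred; other recipients of the same message are delivered as usual.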


Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread Victor Duchovni
On Wed, Jan 14, 2009 at 08:54:52PM -0600, Noel Jones wrote:

  Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
  mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com:
  Sender address rejected: not logged in; from=katie.prev...@morris.com
  to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com
 
 The map lookup matched on katie.prev...@morris.com.  
 If you're using SQL for this table, you need to re-examine your query.
 Test queries with something like:

   postmap -q katie.prev...@morris.com mysql:/path/to/xxx.cf

Spot on!

 Note there is a difference between not found and an empty response.

In most cases Postfix suppresses empty results (and records a warning
in the logs).

On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote:

  So either your report is incomplete/inaccurate, or you have managed to
  list all the senders you tested in smtpd_sender_login_maps (difficult
  with indexed files, easier with regexp tables and SQL lookups).
 
 Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
 mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@morris.com:
 Sender address rejected: not logged in; from=katie.prev...@morris.com
 to=myu...@userdomain.tld proto=SMTP helo=mail37.messagelabs.com
 
 
 I don't know how else to interpret this behavior, other than to conclude
 that adding that line to my master.cf caused the mail to be rejected,
 which is not what I expected.

I suggested two possibilities (and even hinted at SQL query issues as
a possible cause), you seem to have overlooked the second.

 smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

There's the problem. Now test the table as Noel suggested.

$ echo katie.prev...@morris.com |
postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Wed, Jan 14, 2009 at 08:54:52PM -0600, Noel Jones wrote:

   Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
   mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@...:
   Sender address rejected: not logged in; from=katie.prev...@...
   to=myu...@... proto=SMTP helo=mail37.messagelabs.com
 
  The map lookup matched on katie.prev...@...
  If you're using SQL for this table, you need to re-examine your query.
  Test queries with something like:
 
  postmap -q katie.prev...@... mysql:/path/to/xxx.cf

 Spot on!

  Note there is a difference between not found and an empty response.

 In most cases Postfix suppresses empty results (and records a warning
 in the logs).

 On Thu, Jan 15, 2009 at 12:21:51AM -, jeff_homeip wrote:

   So either your report is incomplete/inaccurate, or you have managed to
   list all the senders you tested in smtpd_sender_login_maps (difficult
   with indexed files, easier with regexp tables and SQL lookups).
 
  Jan 14 15:03:37 s postfix/smtpd[44746]: NOQUEUE: reject: RCPT from
  mail37.messagelabs.com[216.82.241.83]: 553 5.7.1 katie.prev...@...:
  Sender address rejected: not logged in; from=katie.prev...@...
  to=myu...@... proto=SMTP helo=mail37.messagelabs.com
 
 
  I don't know how else to interpret this behavior, other than to conclude
  that adding that line to my master.cf caused the mail to be rejected,
  which is not what I expected.

 I suggested two possibilities (and even hinted at SQL query issues as
 a possible cause), you seem to have overlooked the second.

  smtpd_sender_login_maps = mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 There's the problem. Now test the table as Noel suggested.

 $ echo katie.prev...@... |
   postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 --
   Viktor.



Noel, Viktor:

I see why you think that - but I did test with postmap -q quite extensively
before I added this, sorry I didn't mention it here.

I just tested again with this result:

% /etc/postfix : postmap -q katie.prev...@morris.com mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

postmap returned an empty result, which I thought was correct. Should it be
returning something different? If so, what should the result for an address not
listed on my server be?

I appreciate your help and your work to narrow down and isolate the issue here.
Thanks!

--Jeff






Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

   There's the problem. Now test the table as Noel suggested.
  
   $ echo katie.prevost@ |
 postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
 
  I just tested again with this result:
 
  % /etc/postfix : postmap -q katie.prev...@...
  mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
  % /etc/postfix :

 Please use the suggested:

 echo lookup-key | postmap -q - table

 form. Also as documented, smtpd_sender_login_maps uses additional
 lookup keys:

 http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

 smtpd_sender_login_maps (default: empty)

 Optional lookup table with the SASL login names that own sender
 (MAIL FROM) addresses.

 Specify zero or more type:table lookup tables. With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of u...@domain:

 1) u...@domain
 This table lookup is always done and has the highest precedence.

 2) user
 This table lookup is done only when the domain part of the sender
 address matches $myorigin, $mydestination, $inet_interfaces
 or $proxy_interfaces.

 3) @domain
 This table lookup is done last and has the lowest precedence.

 In all cases the result of table lookup must be either not found
 or a list of SASL login names separated by comma and/or whitespace.

 You need to test the full set of lookup keys (sh, ksh or bash, not csh):

 (
   echo morris.com |
   postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2 
   echo katie.prevost
   sleep 1
   echo katie.prev...@...
   echo @morris.com
 ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 All this assumes that the sender address in question is unmodified...


% /etc/postfix : (
 echo morris.com |
 postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2 
 echo katie.prevost
 sleep 1
 echo katie.prev...@...
 echo @morris.com
 ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
% /etc/postfix :

again, an empty result set.

I'm not sure of all the possible meanings of "All this assumes that the sender
address in question is unmodified..." but I know I've left the sender address
untouched and I don't think I have anything that rewrites the sender address,
so as far as I know it's unmodified.

I appreciate you continuing to seek possible causes.

I am having another issue which is not exactly this, but is related to this
thread, and I suspect there may be some relation (I think it's the same thing -
getting my restriction slightly wrong):

Per your and Wietse's suggestions, I changed:

  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject

in my submission service to:

  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

so that the permit_sasl_authenticated didn't obviate the
reject_sender_login_mismatch.

Now I am unable to send mail when authenticated as me with a valid address from
a client outside of my_networks.

My master.cf submission entry is:

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

in its unaltered entirety. My postconf -n remains as in the message in this
thread of several hours ago.

The log entry is:

Jan 14 22:10:06 s postfix/smtpd[1557]: NOQUEUE: reject: RCPT from
unknown[32.155.5.72]: 554 5.7.1 jweinber...@mac.com: Relay access denied;
from=j...@jweinberger.homeip.net to=jweinber...@mac.com proto=ESMTP
helo=[10.97.215.245]

I am using my mobile phone to test this, but I verified that it is submitting
on port 587.

jweinber...@mac.com is another address that is also mine. It is listed as a
valid from address sasl authenticated user in my smtpd_sender_login_maps (so I
can send messages from that when I don't have immediate access to my regular
mail client and I'm logged in as j...@jweinberger.homeip.net).

If I send to another unrelated address, it works fine, so this is clearly
caused by the fact that the address to which I'm sending is also listed in
smtpd_sender_login_maps.

I didn't expect this behavior, but I'm guessing it's what postfix is supposed
to do.

Can you explain why this happens? and do you have any suggestions to avoid it?

Thank you again.





Working example of main.cf with virtual domains

2009-01-14 Thread secSwami

Hi,

After trying for another day to get my postfix config to work for 
virtual domains, I would really appreciate if someone can give me an 
example of WORKING main.cf file.
The problem I am having is whenever a MOBILE user is trying to send 
email to ANYWHERE using the postfix server and Thunderbird/Outlook 
Express client, they get error message saying relay access denied.


I would appreciate some help on this.

Thanks in advance.


Re: Question about reject_unauthenticated_sender_login_mismatch

2009-01-14 Thread Victoriano Giralt

jeff_homeip wrote:
 If I send to another unrelated address, it works fine, so this is clearly
 caused by the fact that the address to which I'm sending is also listed in
 smtpd_sender_login_maps.
I'm not following the thread too deeply, but ...
This points more and more to a map problem.

 I didn't expect this behavior, but I'm guessing it's what postfix is
 supposed to do.
 
 Can you explain why this happens? and do you have any suggestions to avoid it?
Have you already shown your map SQL query? If not, doing so might help.

- --
Victoriano Giralt
Systems Manager
Central Computing Facility
University of Malaga
SPAIN


Re: Question about reject_unauthenticated_sender_login_mismatch (additional info

2009-01-14 Thread jeff_homeip
--- In post...@yahoogroups.com, Victor Duchovni victor.ducho...@... wrote:

 On Thu, Jan 15, 2009 at 05:17:07AM -, jeff_homeip wrote:

   There's the problem. Now test the table as Noel suggested.
  
   $ echo katie.prevost@ |
 postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
 
  I just tested again with this result:
 
  % /etc/postfix : postmap -q katie.prev...@...
  mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf
  % /etc/postfix :

 Please use the suggested:

 echo lookup-key | postmap -q - table

 form. Also as documented, smtpd_sender_login_maps uses additional
 lookup keys:

 http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

 smtpd_sender_login_maps (default: empty)

 Optional lookup table with the SASL login names that own sender
 (MAIL FROM) addresses.

 Specify zero or more type:table lookup tables. With lookups from
 indexed files such as DB or DBM, or from networked tables such as
 NIS, LDAP or SQL, the following search operations are done with a
 sender address of u...@domain:

 1) u...@domain
 This table lookup is always done and has the highest precedence.

 2) user
 This table lookup is done only when the domain part of the sender
 address matches $myorigin, $mydestination, $inet_interfaces
 or $proxy_interfaces.

 3) @domain
 This table lookup is done last and has the lowest precedence.

 In all cases the result of table lookup must be either not found
 or a list of SASL login names separated by comma and/or whitespace.

 You need to test the full set of lookup keys (sh, ksh or bash, not csh):

 (
   echo morris.com |
   postmap -q - mysql:/etc/postfix/mysql_mydestination_maps.cf 2 
   echo katie.prevost
   sleep 1
   echo katie.prev...@...
   echo @morris.com
 ) | postmap -q - mysql:/etc/postfix/mysql_smtpd_sender_login_maps.cf

 All this assumes that the sender address in question is unmodified...

 --
   Viktor.



Here's some additional information on the issue of not being able to send from
outside my_networks from one authorized address to another:

I restored my master.cf from my latest backup and before I started testing the
reject_(un)authorixed, I had one additional smtpd_sender_restrictions listed:

  -o smtpd_sender_restrictions=$submission_sender_restrictions,reject_sender_login_mismatch,permit_sasl_authenticated,reject

in my submission service. It's defined in main.cf as:

submission_sender_restrictions = check_sender_access pcre:/etc/postfix/smtpd_sender_restrictions.pcre

smtpd_sender_restrictions.pcre is:

/^(.*)/ PREPEND X-Envelope-Sender: ${1}

just the one line where I hope I can capture the envelope sender (this is
related to an earlier issue where my spam filter failed to preserve the
envelope sender, so this is a workaround).

When I added this back, all worked fine. If I remove this one restriction
(check_sender_access), I can no longer send.

Is this check_sender_access, because it's not rejecting the sender, allowing it
somehow?

I thought this information might be useful or important.

Thanks again!
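
The lookup-key sequence quoted from the smtpd_sender_login_maps documentation in the two messages above, as an added shell example that is not part of the thread or of Postfix itself: it prints the keys for one sender in precedence order and feeds them to `postmap -q -`, whose "key value" output shows which key, if any, returned a result. The function names, the `POSTMAP` override and the local-domain arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the POSTMAP variable
# are this example's own; only "postmap -q - table" comes from the messages.

# Lookup command; override POSTMAP to dry-run without a Postfix install.
POSTMAP=${POSTMAP:-postmap}

# sender_login_keys SENDER [LOCAL_DOMAIN...]
# Prints the lookup keys, one per line, in the documented precedence order:
#   1) user@domain  (always)
#   2) user         (only when domain is one of LOCAL_DOMAIN; the caller passes
#                    the domains that match $myorigin, $mydestination, etc.)
#   3) @domain      (always, lowest precedence)
sender_login_keys() {
    sender=$1
    shift
    case $sender in
        ?*@?*) ;;
        *) echo "sender_login_keys: need user@domain, got '$sender'" >&2
           return 2 ;;
    esac
    user=${sender%@*}
    domain=${sender##*@}
    printf '%s\n' "$sender"
    for d in "$@"; do
        if [ "$d" = "$domain" ]; then
            printf '%s\n' "$user"
            break
        fi
    done
    printf '@%s\n' "$domain"
}

# first_login_match SENDER TABLE [LOCAL_DOMAIN...]
# "postmap -q -" prints "key value" for every key it finds, in input order, so
# the first output line is the highest-precedence match.
# Prints that line and returns 0 on a match; returns 1 when no key matches.
first_login_match() {
    sender=$1
    table=$2
    shift 2
    keys=$(sender_login_keys "$sender" "$@") || return 2
    hits=$(printf '%s\n' "$keys" | "$POSTMAP" -q - "$table") || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | head -n 1
}

# Direct use: sh sender_keys.sh SENDER TABLE [LOCAL_DOMAIN...]
if [ "$#" -ge 2 ]; then
    if line=$(first_login_match "$@"); then
        echo "matched: $line"
    else
        echo "no key matched (or the sender was not user@domain)"
    fi
fi
```

A match for an outside sender, for instance from an `@domain` row or an SQL query that returns a row for every key, is what makes an unauthenticated client's mail fail with "not logged in".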





Re: how to block arabic emails ?

2009-01-14 Thread Murat Ugur EMINOGLU

Thanks for all the replies.

Best Regards.

Res wrote:

On Wed, 14 Jan 2009, Murat Ugur EMINOGLU wrote:


Dear All,

How can I block all Arabic emails?

example email :

header and body content : اضافه مهمه ومثيرة لبرنامج الاوت لوك



On our internal email servers (and on my personal one) I use
milter-regex to stop all those pesky cable/dial/dsl users, it's great
because I can also use this rule in milter-regex.conf:


reject Access Denied ; Please use the English language when communicating with us
header /Subject/i /=[?](KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5|WINDOWS-125[156])[?][QB][?]/ie
header /Subject/i /charset=(3D)??(KOI8-[RU]|GB2312|GB2312_CHARSET|ISO-2022-JP|SHIFT[-_]JIS|BIG5)/ie
header /Subject/i/[-]{6}/e
header /Content-Type/i  ,text/(plain|html); *charset=?(KOI8-[RU]|GB2312(_CHARSET)?|ISO-2022-JP|SHIFT[-_]JIS|BIG5),ie



I'm sure this needs to be expanded more but it's stopped a lot of rot.
*** NEVER use it on a public access system (ISP/ASP/OSP etc) or you will
upset a lot of people :)