Question regarding SPF

2009-04-16 Thread Kammen van, Marco, Springer SBM NL
Hi All,

We recently took over a company that used SPF.

Because our e-mail infra is way more complicated than theirs and we have
tons of external parties who send mails using our domains, we decided
long ago not to use SPF.

Now they say that 5% of their mailings don't arrive at customers
anymore, and say this is because we removed their SPF records.

I'm no expert on SPF but as far as I understand it only checks if a
sender is 'allowed' to send using that domain, so no relation whatsoever
to dropping mail from parties that don't use SPF...
Or am I missing something?


Thanks & Regards,

Marco van Kammen
Springer Science+Business Media
System Manager & Postmaster

van Godewijckstraat 30 | 3311 GX
Office Number: 05E21
Dordrecht | The Netherlands

tel +31(78)6576446
fax +31(78)6576302

www.springeronline.com
www.springer.com



Re: Plus Addressing

2009-04-16 Thread LuKreme

On 16-Apr-2009, at 21:24, Jeff Grossman wrote:

Is there a way for me to not have Postfix change the case?


I had a similar issue where postfix (well, or something) was NOT  
changing the case on some virtual users $USER portion. I solved it  
with the following in the procmailrc file:


:0D
* USER ?? [A-Z]
{
   USER=`echo $USER | tr "[:upper:]" "[:lower:]"`
   LOG="Translated $USER to lowercase$NL"

   :0fw
   | formail -I"X-com.example-lc: Translated $USER to lowercase$NL"

}

That should get started.

--
To read makes our speaking English good.



Re: Plus Addressing

2009-04-16 Thread Victor Duchovni
On Thu, Apr 16, 2009 at 08:24:54PM -0700, Jeff Grossman wrote:

> I have set up "recipient_delimiter = +" so I could put a folder name in an 
> e-mail address and have it automatically filtered for me.  I am using 
> "mailbox_command = /usr/local/libexec/dovecot/deliver -n -m "$EXTENSION"" 
> as my mailbox_command.  When the mail gets passed to deliver, the extension 
> is lower case even if it originally started as uppercase.  I asked on the 
> Dovecot mailing list how I can convert it to uppercase for Deliver.  Timo 
> stated that Deliver does not do any case changing and that Postfix must be 
> passing the variable in lower case.  Is there a way for me to not have 
> Postfix change the case?  My folder names all start with a capital letter.  
> Deliver cannot find the mailbox because "folder" does not equal "Folder".

Don't use mailbox_command, use mailbox_transport (assuming that in your
case deliver can work acceptably running as a fixed pipe(8) user rather
than as the recipient). The recipient extension in local(8) deliveries is
converted to lower-case (the entire local-part is converted to lower-case,
before the extension is extracted).

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Newbie configuration/installation question

2009-04-16 Thread Joe Sloan
I would try testing just smtp delivery and make sure that is working, 
before adding the extra layer of complexity. Right now it's not clear 
whether the message is being rejected by postfix, or postfix is 
misconfigured, or rails is misconfigured.


A peek at the relevant sections, if any, in /var/log/mail.log would be 
helpful -


Joe

Tashfeen Ekram wrote:
I installed it with apt-get install postfix and then choose "Internet Site" during the configuration. 
i have configured rails to use smtp.

config.action_mailer.smtp_settings = {
  :address=> 'localhost',
  :port   => 25,
  :domain => 'www.example.com',
}

here is the trace i get:

Timeout::Error (execution expired):
  /usr/lib/ruby/1.8/timeout.rb:60:in `open'
  /usr/lib/ruby/1.8/net/smtp.rb:551:in `do_start'
  /usr/lib/ruby/1.8/net/smtp.rb:551:in `do_start'
  /usr/lib/ruby/1.8/net/smtp.rb:525:in `start'
  app/controllers/user/dashboard_controller.rb:13:in `index'

Rendered rescues/_trace (82.7ms)
Rendered rescues/_request_and_response (0.7ms)
Rendering rescues/layout (internal_server_error)




----- Original Message -----
From: J Sloan 
To: postfix-users@postfix.org
Sent: Monday, April 13, 2009 5:45:40 PM
Subject: Re: Newbie configuration/installation question

Tashfeen Ekram wrote:
  

I have installed Postfix on Ubuntu to use to only send emails for my
rails application. My rails application is not able to connect to it.
Could this be because sendmail is listening at port 20?
also, what configuration would suit me best if I only want to send
emails and not receive. This is only for testing purposes on my own
laptop.




Just to eliminate a lot of guesswork: when you say you "installed
postfix" did you do something like "apt-get install postfix" or click on
postfix to install via synaptic, or did you download a tarball from the
internet and build it yourself?

How is rails configured to send the mail - with the sendmail command, or
via an smtp connection to the local host?

Joe



  

  




Plus Addressing

2009-04-16 Thread Jeff Grossman
I have set up "recipient_delimiter = +" so I could put a folder name in 
an e-mail address and have it automatically filtered for me.  I am using 
"mailbox_command = /usr/local/libexec/dovecot/deliver -n -m 
"$EXTENSION"" as my mailbox_command.  When the mail gets passed to 
deliver, the extension is lower case even if it originally started as 
uppercase.  I asked on the Dovecot mailing list how I can convert it to 
uppercase for Deliver.  Timo stated that Deliver does not do any case 
changing and that Postfix must be passing the variable in lower case.  
Is there a way for me to not have Postfix change the case?  My folder 
names all start with a capital letter.  Deliver cannot find the mailbox 
because "folder" does not equal "Folder".


Thanks,
Jeff


Re: Transport map lookup failures are fatal?

2009-04-16 Thread Seth Mattinen
Victor Duchovni wrote:
>> So, my question is, why is that fatal instead of temporary? Shouldn't it
>> be temporary? Observed on 2.5.5 and 2.4.5.
> 
> It should not be temporary. All lookups succeed and establish that the
> destination is non-existent. Postfix correctly bounces the message.
> 
> If you really want sub-optimal behaviour and a queue full of junk, try:
> 
> smtp_defer_if_no_mx_address_found = yes
> 

Just tested that; doesn't work when MX lookups are disabled in the
transport with [].

In hindsight, I should have realized that the lookup was fine, it was
returning NXDOMAIN and rightly seeing that as a successful "does not
exist" result. Of course, now the challenge is how to deal with
transient NXDOMAIN responses. I'll have to find out how that hostname is
being updated if it is indeed dynamic DNS.

~Seth


Re: Transport map lookup failures are fatal?

2009-04-16 Thread Seth Mattinen
Victor Duchovni wrote:
> On Thu, Apr 16, 2009 at 06:47:58PM -0700, Seth Mattinen wrote:
> 
>> I apologize in advance if I'm being horribly dense, but I'm seeing
>> something that doesn't feel right. In the event that a transport map
>> lookup fails with a "host not found" error, Postfix is bouncing the
>> message rather than treating it as a temporary error.
> 
> The transport map lookup did not fail.
> 
>> For my test, I have the transport map:
>>
>> 50lightyears.com  smtp:[badrecord.mattinen.org]:1234
>>
>> Where "badrecord.mattinen.org" intentionally does not exist. So I send a
>> test message and I see this in the logs:
>>
>> postfix/smtp[5361]: 773FA3E442: to=, relay=none,
>> delay=0.25, delays=0.21/0.04/0/0, dsn=5.4.4, status=bounced (Host or
>> domain name not found. Name service error for
>> name=badrecord.mattinen.org type=A: Host not found)
> 
> The destination nexthop does not exist, this is not a transient condition.

In my example yes (I just needed a way to force the behavior, that's not
a real application), but in the issue I'm attempting to resolve the
error was:

"Host or domain name not found. Name service error for
name=mail.x.net type=A: Host found but no data record of requested type"

I assume - but haven't confirmed yet - this was caused by a Dynamic DNS
hostname in the transport. I assume the provider withdrew the A record
until the updated IP was available but during this time Postfix bounced
anything heading for that transport.


>> So, my question is, why is that fatal instead of temporary? Shouldn't it
>> be temporary? Observed on 2.5.5 and 2.4.5.
> 
> It should not be temporary. All lookups succeed and establish that the
> destination is non-existent. Postfix correctly bounces the message.
> 
> If you really want sub-optimal behaviour and a queue full of junk, try:
> 
> smtp_defer_if_no_mx_address_found = yes
> 

So am I correct in assuming that any lookup failure (aside from DNS
timed out) at the transport map stage will result in a fatal condition?

~Seth
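
The two resolver answers quoted in this thread ("Host not found" and "Host found but no data record of requested type") can be watched for in the logs, so that a nexthop whose record is withdrawn gets noticed. The following is an added example, not part of the original messages: a Python sketch that reads a transport map in the format shown above, scans postfix/smtp log lines for name service errors, and counts the ones that hit a configured nexthop. The log lines are constructed (queue IDs, recipients and the example.* names are placeholders), modelled on the line quoted in the thread.

```python
import re
from collections import Counter

# Transport map in the format shown in the thread. The second entry is a
# constructed placeholder, not a value from the original messages.
TRANSPORT_MAP = """\
50lightyears.com  smtp:[badrecord.mattinen.org]:1234
example.net       smtp:[mail.example.net]
"""

# Constructed sample log lines, shaped like the postfix/smtp line quoted above.
SAMPLE_LOG = "\n".join([
    "Apr 16 18:48:01 mx postfix/smtp[5361]: 773FA3E442: to=<a@50lightyears.com>, "
    "relay=none, delay=0.25, delays=0.21/0.04/0/0, dsn=5.4.4, status=bounced "
    "(Host or domain name not found. Name service error for "
    "name=badrecord.mattinen.org type=A: Host not found)",
    "Apr 16 18:49:10 mx postfix/smtp[5370]: 8A1B2C3D4E: to=<b@example.net>, "
    "relay=none, delay=0.3, delays=0.2/0.1/0/0, dsn=5.4.4, status=bounced "
    "(Host or domain name not found. Name service error for "
    "name=mail.example.net type=A: Host found but no data record of requested type)",
    "Apr 16 18:50:30 mx postfix/smtp[5371]: 9F8E7D6C5B: to=<b@example.net>, "
    "relay=none, delay=30, delays=0.2/0.1/29/0, dsn=4.4.3, status=deferred "
    "(Host or domain name not found. Name service error for "
    "name=mail.example.net type=A: Host not found, try again)",
    "Apr 16 18:51:00 mx postfix/smtp[5380]: 0A0B0C0D0E: to=<c@typo.example>, "
    "relay=none, delay=0.2, delays=0.1/0.1/0/0, dsn=5.4.4, status=bounced "
    "(Host or domain name not found. Name service error for "
    "name=typo.example type=A: Host not found)",
    "Apr 16 18:52:00 mx postfix/smtp[5390]: 1122334455: to=<d@example.org>, "
    "relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok)",
])

# Resolver answer text as it appears in the log, mapped to a short label.
ANSWER_KINDS = {
    "Host not found": "NXDOMAIN",
    "Host found but no data record of requested type": "NODATA",
    "Host not found, try again": "TRY_AGAIN",
}

# "domain  transport:[host]:port" with the MX-suppressing brackets.
NEXTHOP_RE = re.compile(r"^\S+\s+\w*:\[(?P<host>[^\]]+)\](?::\d+)?\s*$")

LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, .*?"
    r"dsn=(?P<dsn>[245]\.\d+\.\d+), status=(?P<status>\w+) "
    r"\(.*?Name service error for name=(?P<name>\S+) type=(?P<qtype>\w+): "
    r"(?P<answer>[^)]*)\)\s*$"
)


def nexthop_hosts(transport_text):
    """Hostnames used as bracketed nexthops in a transport map."""
    hosts = set()
    for line in transport_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = NEXTHOP_RE.match(line)
        if m:
            hosts.add(m.group("host").lower())
    return hosts


def name_service_events(log_text):
    """One dict per log line that reports a name service error."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["name"] = ev["name"].lower()
        ev["kind"] = ANSWER_KINDS.get(ev["answer"], "OTHER")
        events.append(ev)
    return events


def nexthop_failures(log_text, transport_text):
    """Count (nexthop, resolver answer, status) for errors on configured nexthops."""
    hosts = nexthop_hosts(transport_text)
    return Counter(
        (e["name"], e["kind"], e["status"])
        for e in name_service_events(log_text)
        if e["name"] in hosts
    )


if __name__ == "__main__":
    for (name, kind, status), n in sorted(nexthop_failures(SAMPLE_LOG, TRANSPORT_MAP).items()):
        print(f"{name}: {kind} -> {status} x{n}")
```

Errors for names that are not transport nexthops (the typo.example line) are left out, since those are ordinary bad recipient domains rather than a problem with the operator's own relay path.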


Re: Transport map lookup failures are fatal?

2009-04-16 Thread Victor Duchovni
On Thu, Apr 16, 2009 at 06:47:58PM -0700, Seth Mattinen wrote:

> I apologize in advance if I'm being horribly dense, but I'm seeing
> something that doesn't feel right. In the event that a transport map
> lookup fails with a "host not found" error, Postfix is bouncing the
> message rather than treating it as a temporary error.

The transport map lookup did not fail.

> For my test, I have the transport map:
> 
> 50lightyears.com  smtp:[badrecord.mattinen.org]:1234
> 
> Where "badrecord.mattinen.org" intentionally does not exist. So I send a
> test message and I see this in the logs:
> 
> postfix/smtp[5361]: 773FA3E442: to=, relay=none,
> delay=0.25, delays=0.21/0.04/0/0, dsn=5.4.4, status=bounced (Host or
> domain name not found. Name service error for
> name=badrecord.mattinen.org type=A: Host not found)

The destination nexthop does not exist, this is not a transient condition.

> So, my question is, why is that fatal instead of temporary? Shouldn't it
> be temporary? Observed on 2.5.5 and 2.4.5.

It should not be temporary. All lookups succeed and establish that the
destination is non-existent. Postfix correctly bounces the message.

If you really want sub-optimal behaviour and a queue full of junk, try:

smtp_defer_if_no_mx_address_found = yes

-- 
Viktor.



Better default enhanced status codes for REJECT status

2009-04-16 Thread Rob Mueller

We have a list of blocked users in a hash file like this:

blockedacco...@example.com REJECT

And use it like this:

smtpd_recipient_restrictions =
 ...
 check_recipient_access hash:/etc/postfix/access_to.hash

The error message generated by postfix when trying to send to this is:

554 5.7.1 : Recipient address rejected: Access denied



From http://tools.ietf.org/html/rfc1893


  X.7.1   Delivery not authorized, message refused

 The *sender* is not authorized to send to the destination.

It seems to me that using 5.7.1 as the default response for a 
*check_recipient_access* REJECT result isn't the best because it suggests 
that the *sender* is the problem in some way, not the recipient address.


Maybe better would be.

  X.2.1   Mailbox disabled, not accepting messages

 The mailbox exists, but is not accepting messages.

Though unless you've done permit_auth_destination *before* the 
check_recipient_access, you don't know that the "mailbox exists". It seems 
there's no really good status code for just saying "we don't like the 
recipient address"? Maybe:


  X.1.0   Other address status

 Something about the address specified in the message caused
 this DSN.

Of course we can do this manually by changing every line to:

blockedacco...@example.com REJECT 5.2.1 Access denied

But just thought I'd mention it as a possible enhancement to make the 
defaults better for all users.


Rob
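
The manual workaround mentioned above (putting an explicit enhanced status code on every REJECT line) can be scripted. This is an added example, not code from the original message or from Postfix: a Python function that rewrites an access table so that REJECT entries without a leading enhanced status code get one. The default code and text are the ones from the message; the sample table and its addresses are constructed placeholders.

```python
import re

# An enhanced status code at the start of the optional text, e.g. "5.2.1 ...".
DSN_RE = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}(\s|$)")

# Constructed sample access table (placeholder addresses).
SAMPLE_TABLE = """\
# blocked recipients (constructed sample)
blocked1@example.com REJECT
blocked2@example.com REJECT Account closed
blocked3@example.com REJECT 5.1.0 Address rejected
friend@example.com OK
"""


def add_reject_dsn(table_text, dsn="5.2.1", text="Access denied"):
    """Return the table with an explicit status code on every REJECT action.

    Entries that already start their text with an enhanced status code, and
    entries with any other action, are passed through unchanged.
    """
    out = []
    for line in table_text.splitlines():
        stripped = line.strip()
        # Blank lines, comments and continuation lines (leading whitespace)
        # are copied as they are.
        if not stripped or stripped.startswith("#") or line[0].isspace():
            out.append(line)
            continue
        parts = line.split(None, 2)  # pattern, action, optional text
        if len(parts) < 2 or parts[1].upper() != "REJECT":
            out.append(line)
            continue
        pattern = parts[0]
        rest = parts[2].strip() if len(parts) == 3 else ""
        if DSN_RE.match(rest):
            out.append(line)  # already carries its own code
        elif rest:
            out.append(f"{pattern} REJECT {dsn} {rest}")  # keep the custom text
        else:
            out.append(f"{pattern} REJECT {dsn} {text}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_reject_dsn(SAMPLE_TABLE), end="")
```

After rewriting a hash: table, rebuild it with postmap before Postfix will see the change.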



Transport map lookup failures are fatal?

2009-04-16 Thread Seth Mattinen
I apologize in advance if I'm being horribly dense, but I'm seeing
something that doesn't feel right. In the event that a transport map
lookup fails with a "host not found" error, Postfix is bouncing the
message rather than treating it as a temporary error.

For my test, I have the transport map:

50lightyears.com  smtp:[badrecord.mattinen.org]:1234

Where "badrecord.mattinen.org" intentionally does not exist. So I send a
test message and I see this in the logs:

postfix/smtp[5361]: 773FA3E442: to=, relay=none,
delay=0.25, delays=0.21/0.04/0/0, dsn=5.4.4, status=bounced (Host or
domain name not found. Name service error for
name=badrecord.mattinen.org type=A: Host not found)

So, my question is, why is that fatal instead of temporary? Shouldn't it
be temporary? Observed on 2.5.5 and 2.4.5.

~Seth


Re: Sending SSL/TLS state to Dovecot auth

2009-04-16 Thread Wietse Venema
Postfix 2.6 will pass the "TLS is active flag". I have changed the
API so that we no longer need to make code changes in every SASL
plugin when another attribute is added.

Wietse

On Mon, Feb 23, 2009 at 02:18:01PM -0500, Timo Sirainen wrote:
> In some setups it's useful for authentication handling to know if the
> connection is SSL/TLS secured. The patch below should tell this to
> Dovecot. It compiles, but other than that I haven't yet tested it.
> 
> It anyway looks like sending the SSL/TLS state requires an additional
> parameter to xsasl_server_create(). Wietse, how do you think the API
> should be changed to support this functionality? I guess the choices
> are:
> 
>  - int tls parameter as in the patch
>  - a more generic int flags bitmask
>  - secprops-like string
>  - replace all the existing parameters with a pointer to struct
> xsasl_parameters so more stuff can easily be added to it later.
> 
> I guess I'd prefer the last one, especially because other people also
> want to tell the local/remote IP addresses to SASL.
> 
> diff -ru postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c 
> postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c
> --- postfix-2.5.6/src/smtpd/smtpd_sasl_glue.c 2007-10-05 18:56:34.0 
> -0400
> +++ postfix-2.5.6-dovecot/src/smtpd/smtpd_sasl_glue.c 2009-02-23 
> 13:59:28.0 -0500
> @@ -151,6 +151,7 @@
>  const char *sasl_opts_val)
>  {
>  const char *mechanism_list;
> +int tls;
>  
>  /*
>   * Initialize SASL-specific state variables. Use long-lived storage for
> @@ -169,11 +170,16 @@
>   */
>  #define SMTPD_SASL_SERVICE "smtp"
>  
> +#ifdef USE_TLS
> +tls = state->tls_context != 0;
> +#else
> +tls = 0;
> +#endif
>  if ((state->sasl_server =
>xsasl_server_create(smtpd_sasl_impl, state->client,
>SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
>var_smtpd_sasl_realm : (char *) 0,
> -  sasl_opts_val)) == 0)
> +  sasl_opts_val, tls)) == 0)
>   msg_fatal("SASL per-connection initialization failed");
>  
>  /*
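
Review bot: the tls value computed in the #ifdef USE_TLS block is a snapshot of state->tls_context taken once, at the point where xsasl_server_create() is called, and nothing in this hunk says that the SASL server handle is only created after the TLS state is final. If the handle can be created before STARTTLS completes, the plugin would be told 0 for a session that later becomes encrypted. Suggest a comment stating the ordering this relies on; and since the value is used as a boolean, a name such as tls_active would read more clearly than tls.
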
> diff -ru postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c 
> postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c
> --- postfix-2.5.6/src/xsasl/xsasl_cyrus_server.c  2007-05-25 
> 12:42:17.0 -0400
> +++ postfix-2.5.6-dovecot/src/xsasl/xsasl_cyrus_server.c  2009-02-23 
> 14:03:21.0 -0500
> @@ -157,7 +157,8 @@
>  VSTREAM *,
>  const char *,
>  const char *,
> -const char *);
> +const char *,
> +int);
>  static void xsasl_cyrus_server_free(XSASL_SERVER *);
>  static int xsasl_cyrus_server_first(XSASL_SERVER *, const char *,
>   const char *, VSTRING *);
> @@ -262,7 +263,8 @@
>  VSTREAM *stream,
>  const char *service,
>  const char *realm,
> -const char *sec_props)
> +const char *sec_props,
> +int unused_tls)
>  {
>  const char *myname = "xsasl_cyrus_server_create";
>  char   *server_address;
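
Review bot: the Cyrus create function gains an "int unused_tls" argument that it never reads, only to keep its signature in step with the new xsasl_server_create() call. Every further attribute (the message mentions local/remote IP addresses) would repeat this edit in each plugin, so passing a pointer to a single parameter structure, the last option listed in the message, avoids touching plugins that have no use for the new value. In the prototype hunk above, the added parameter is a bare "int" after three unnamed "const char *" arguments; a short comment naming it would help.
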
> diff -ru postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c 
> postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c
> --- postfix-2.5.6/src/xsasl/xsasl_dovecot_server.c2008-03-16 
> 19:09:04.0 -0400
> +++ postfix-2.5.6-dovecot/src/xsasl/xsasl_dovecot_server.c2009-02-23 
> 14:02:49.0 -0500
> @@ -160,6 +160,7 @@
>  char   *username;/* authenticated user */
>  VSTRING *sasl_line;
>  unsigned int sec_props;  /* Postfix mechanism filter */
> +int tls;/* TLS enabled in this session */
>  char   *mechanism_list;  /* filtered mechanism list */
>  ARGV   *mechanism_argv;  /* ditto */
>  } XSASL_DOVECOT_SERVER;
> @@ -172,7 +173,8 @@
>VSTREAM *,
>const char *,
>const char *,
> -  const char *);
> +  const char *,
> +  int);
>  static void xsasl_dovecot_server_free(XSASL_SERVER *);
>  static int xsasl_dovecot_server_first(XSASL_SERVER *, const char *,
>   

Re: Cluster of postfix

2009-04-16 Thread Wietse Venema
Juan Antonio Cuesta:
> Hello,
> 
> I have two Postfix servers, and when I have to make any change in the
> virtual file or in the aliases file I must make the same change on the 2
> servers.
> 
> Can someone tell me how I can do my job more comfortably and only do it once?

Instead of a local file, use LDAP or SQL (with replicated database).

http://www.postfix.org/ldap_table.html
http://www.postfix.org/mysql_table.html
http://www.postfix.org/pgsql_table.html

Wietse


Cluster of postfix

2009-04-16 Thread Juan Antonio Cuesta
Hello,

I have two Postfix servers, and when I have to make any change in the
virtual file or in the aliases file I must make the same change on the 2
servers.

Can someone tell me how I can do my job more comfortably and only do it once?

Thank you.


Re: delivery temporarily suspended: Server certificate not verified

2009-04-16 Thread Victor Duchovni
On Thu, Apr 16, 2009 at 08:23:18PM +0200, gabriele wrote:

> I have only one peer as nexthop in my transport table , this is my
> configuration for postfix smtp :

These settings look a bit like an experimental particle physicist trying
to learn about the inner working of client TLS in Postfix by smashing
all the parameters together in a high energy collision.

What exactly are you trying to do?

- Encrypted connection to a server with no peername authentication?

- Secure connection to a server authenticated by the certificate
  fingerprint?

- Secure connection using trusted 3rd-party CAs and matching of
  names in trusted certificates?

> > # SMTP  TLS
> > smtp_use_tls=yes
> > smtp_tls_loglevel = 1
> > smtp_tls_enforce_peername = no
> > smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
> > smtp_tls_cert_file=/etc/postfix/ssl/cert.pem
> > smtp_tls_key_file=/etc/postfix/ssl/key.pem
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtp_tls_enforce_peername = no
> > smtp_tls_mandatory_ciphers = high
> > smtp_tls_mandatory_protocols = SSLv3, TLSv1
> > smtp_tls_secure_cert_match = nexthop
> > smtp_tls_security_level = fingerprint
> > smtp_tls_fingerprint_digest = sha1
> > smtp_tls_fingerprint_cert_match = 
> > D4:A8:07:24:0C:26:B6:D7:9D:AA:CC:CA:77:BA:3A:27:AE:0C:B5:35
> > smtp_tls_scert_verifydepth = 1
> > smtp_tls_note_starttls_offer = yes
> 
> ... and i can't still have a verified TLS connection with my relayhost  .
> My CA.pem , smtp_tls_CAfile = /etc/postfix/ssl/CA.pem , has my both
> selfsigned main CA certificate and my nexthop CA in it . Should i
> include the all ca certificates directory in postfix main.cf ? How can i
> have a verified tls connection with my relayhost ?

Pick just one strategy, and make sure the relay's certificate meets the
conditions you specify. If you still have problems, post detailed logs
with smtp_tls_loglevel=2 and unedited "postconf -n | grep smtp_tls_"
output.

-- 
Viktor.
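
To see which of the quoted settings pull in different directions, the configuration can be checked mechanically. This is an added example, not part of the original messages and not Postfix code: a Python check that reads main.cf-style settings and reports smtp_tls_* parameters that are set twice, that are superseded once smtp_tls_security_level is set, or that serve a verification strategy other than the selected level. The parameter-to-level table is the example's own assumption, based on the Postfix 2.5-era TLS documentation; the sample input is the configuration quoted in this thread with the quote markers removed.

```python
# Which verification strategy each client TLS parameter serves
# (assumption of this example, Postfix 2.5-era parameter names).
LEVEL_PARAMS = {
    "smtp_tls_fingerprint_cert_match": {"fingerprint"},
    "smtp_tls_fingerprint_digest": {"fingerprint"},
    "smtp_tls_verify_cert_match": {"verify"},
    "smtp_tls_secure_cert_match": {"secure"},
    "smtp_tls_CAfile": {"verify", "secure"},
    "smtp_tls_CApath": {"verify", "secure"},
    "smtp_tls_scert_verifydepth": {"verify", "secure"},
}

# Older switches that smtp_tls_security_level replaces when it is set.
LEGACY = {"smtp_use_tls", "smtp_enforce_tls", "smtp_tls_enforce_peername"}

# The settings quoted in the thread, as they would appear in main.cf.
QUOTED_CONFIG = """\
# SMTP  TLS
smtp_use_tls=yes
smtp_tls_loglevel = 1
smtp_tls_enforce_peername = no
smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
smtp_tls_cert_file=/etc/postfix/ssl/cert.pem
smtp_tls_key_file=/etc/postfix/ssl/key.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_enforce_peername = no
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_secure_cert_match = nexthop
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match =
 D4:A8:07:24:0C:26:B6:D7:9D:AA:CC:CA:77:BA:3A:27:AE:0C:B5:35
smtp_tls_scert_verifydepth = 1
smtp_tls_note_starttls_offer = yes
"""


def parse_main_cf(text):
    """Return [(name, value)] in file order, joining continuation lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            # A line starting with whitespace continues the previous value.
            name, value = entries[-1]
            entries[-1] = (name, (value + " " + raw.strip()).strip())
            continue
        name, _, value = raw.partition("=")
        entries.append((name.strip(), value.strip()))
    return entries


def lint_smtp_tls(text):
    """Return (security_level, findings); findings are (kind, parameter) pairs."""
    findings = []
    seen = {}
    for name, value in parse_main_cf(text):
        if name in seen:
            findings.append(("duplicate", name))
        seen[name] = value  # the last setting in the file is the one in effect
    level = seen.get("smtp_tls_security_level", "")
    if level:
        for name in sorted(LEGACY.intersection(seen)):
            findings.append(("overridden-by-level", name))
        for name, levels in LEVEL_PARAMS.items():
            # Set, but it does not take part in the decision at this level.
            if name in seen and level not in levels:
                findings.append(("not-used-at-level", name))
    return level, findings


if __name__ == "__main__":
    level, findings = lint_smtp_tls(QUOTED_CONFIG)
    print("smtp_tls_security_level =", level)
    for kind, name in findings:
        print(f"  {kind}: {name}")
```

What is left after removing the reported parameters is a single strategy (here, fingerprint matching), which is the state the reply above asks for before any further debugging.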



Re: delivery temporarily suspended: Server certificate not verified

2009-04-16 Thread Sahil Tandon
On Thu, 16 Apr 2009, gabriele wrote:

> I have only one peer as nexthop in my transport table , this is my
> configuration for postfix smtp :

No; show output of 'postconf -n'.

[...]

> ... and i can't still have a verified TLS connection with my relayhost  .
> My CA.pem , smtp_tls_CAfile = /etc/postfix/ssl/CA.pem , has my both
> selfsigned main CA certificate and my nexthop CA in it . Should i
> include the all ca certificates directory in postfix main.cf ? How can i
> have a verified tls connection with my relayhost ?

Show logs that explain how what is failing.

-- 
Sahil Tandon 


delivery temporarily suspended: Server certificate not verified

2009-04-16 Thread gabriele
Hi list !
I have only one peer as nexthop in my transport table , this is my
configuration for postfix smtp :

> # SMTP  TLS
> smtp_use_tls=yes
> smtp_tls_loglevel = 1
> smtp_tls_enforce_peername = no
> smtp_tls_CAfile = /etc/postfix/ssl/CA.pem
> smtp_tls_cert_file=/etc/postfix/ssl/cert.pem
> smtp_tls_key_file=/etc/postfix/ssl/key.pem
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_enforce_peername = no
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_protocols = SSLv3, TLSv1
> smtp_tls_secure_cert_match = nexthop
> smtp_tls_security_level = fingerprint
> smtp_tls_fingerprint_digest = sha1
> smtp_tls_fingerprint_cert_match = 
> D4:A8:07:24:0C:26:B6:D7:9D:AA:CC:CA:77:BA:3A:27:AE:0C:B5:35
> smtp_tls_scert_verifydepth = 1
> smtp_tls_note_starttls_offer = yes
> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = plain, login
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =

... and i can't still have a verified TLS connection with my relayhost  .
My CA.pem , smtp_tls_CAfile = /etc/postfix/ssl/CA.pem , has my both
selfsigned main CA certificate and my nexthop CA in it . Should i
include the all ca certificates directory in postfix main.cf ? How can i
have a verified tls connection with my relayhost ?

Thanks!

Gab

-- 
pub   1024D/5C5BE409 2009-04-09
  Key fingerprint = 2BDE 5361 39EA 3E75 9EE8  6724 CE20 F80F 5C5B E409
uid  Gabriele (Gab at Riseup.Net) 
uid  [jpeg image of size 1965]
sub   4096g/078F3AAD 2009-04-09



Re: Looking for a little (offlist?) help with ldap integration

2009-04-16 Thread Charles Marcus
On 4/16/2009 4:05 PM, Evan Platt wrote:
> At 12:44 PM 4/16/2009, you wrote:
>> No... as long as they support plus addressing, you give them your main
>> address - joesm...@example.com - then they will accept anything
>> addressed to joesmith+anyth...@example.com, and reject everything else.

> That's still back at square one.. I often see my addresses sold, and
> since every address is 'accepted', people never get the 'hint' that an
> address is no longer valid.

Ah... ok... well, if you were accepting the mail yourself with postfix
it's easy enough to do, but since you're working through a service
provider who doesn't do recipient verification, you're limited...

The only other thing would be if they provided a black-list that
supported plussed-addresses - but again, you're having to bug them, and
if they aren't charging you for the service, I understand why you want
to limit the level of bugging...

So yeah, I guess aliases is the only way to accomplish what you want
under the circumstances...

> So if I sign up for ABCInc, and use evan+abcinc, then see it's been sold
> and gets spammed, if they actually rejected it, the theory is since it
> would be rejected, people would get the hint it's not valid.

If that's the entire premise behind what you're trying to do, personally,
I wouldn't bother because I don't think the spammers take hints - or
baseball bats, for that matter... ;)

> Well, the problem is I do. Maybe it's OCD, but I like to track where my
> address is used and obtained from, hence LDAP :)

Probably your best bet... sorry for the noise...

-- 

Best regards,

Charles


mailserver with dynamic IP and relayhost

2009-04-16 Thread svoop
Hi

My mailserver (mail.bitcetera.com) is behind a router that gets a dynamic IP
(87.221.120.44) from the ISP. In order to prevent outgoing mail from being
considered spam due to the dynamic IP, I've configured the ISP's mailserver as
relayhost.

Unfortunately, Yahoo still throws my mails in the spam folder. I've tried using
the generic DN for the dynamic IP (44.120.221.87.dynamic.jazztel.es) as
myhostname, but that doesn't help. Any idea why and what I could do to prevent
this? Here are the headers of a mail to Yahoo:

Return-Path: 
Authentication-Results: mta161.mail.re3.yahoo.com from=delirium.ch;
domainkeys=neutral (no sig); from=delirium.ch; dkim=neutral (no sig)
Received: from 62.14.3.171 (EHLO smtp02.jazztel.es) (62.14.3.171) by
mta161.mail.re3.yahoo.com with SMTP; Thu, 16 Apr 2009 08:00:36 -0700
Received: from [87.221.120.44] (helo=mail.bitcetera.com) by smtp02.jazztel.es
with esmtpa (Exim 4.69) (envelope-from ) id 1LuT4A-0004LO-RS
for mytestac...@yahoo.de; Thu, 16 Apr 2009 16:59:50 +0200
Received: from samba.bitcetera.com (samba.bitcetera.com [192.168.118.20]) (using
TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested)
by mail.bitcetera.com (Postfix) with ESMTPSA id 4856A396378 for
; Thu, 16 Apr 2009 17:00:31 +0200 (CEST)
Message-Id:
From:   
To: mytestac...@yahoo.de
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: testlikon
Date: Thu, 16 Apr 2009 17:00:30 +0200
Content-Length: 10 

Thanks for your help!



Re: Looking for a little (offlist?) help with ldap integration

2009-04-16 Thread Evan Platt

At 12:44 PM 4/16/2009, you wrote:

No... as long as they support plus addressing, you give them your main
address - joesm...@example.com - then they will accept anything
addressed to joesmith+anyth...@example.com, and reject everything else.


That's still back at square one.. I often see my addresses sold, and 
since every address is 'accepted', people never get the 'hint' that 
an address is no longer valid.


So if I sign up for ABCInc, and use evan+abcinc, then see it's been 
sold and gets spammed, if they actually rejected it, the theory is 
since it would be rejected, people would get the hint it's not valid.



You said you only had one real address and everything else was aliased
to it. Of course, you'd have to give them the CURRENT list of aliases in
use, but just don't create any more aliases. Then you'd only have to
send them an update when you encounter a service that doesn't let you
use a plussed address (rare, but it happens), in which case you'd have
to create another regular alias.


Well, the problem is I do. Maybe it's OCD, but I like to track where 
my address is used and obtained from, hence LDAP :) 



Re: Looking for a little (offlist?) help with ldap integration

2009-04-16 Thread Charles Marcus
On 4/16/2009 3:27 PM, Evan Platt wrote:
> So - if my username is joesmith, use say joesmith+abcincorporated @
> mydomain . com?

Yes...

> Well, the problem is whenever I sign up for a list or make a purchase, I
> create a new one, so I'd be sending them a list pretty often, hence the
> idea of LDAP.

No... as long as they support plus addressing, you give them your main
address - joesm...@example.com - then they will accept anything
addressed to joesmith+anyth...@example.com, and reject everything else.

You said you only had one real address and everything else was aliased
to it. Of course, you'd have to give them the CURRENT list of aliases in
use, but just don't create any more aliases. Then you'd only have to
send them an update when you encounter a service that doesn't let you
use a plussed address (rare, but it happens), in which case you'd have
to create another regular alias.

-- 

Best regards,

Charles


Re: Newbie configuration/installation question

2009-04-16 Thread Tashfeen Ekram

can a previous installation of sendmail conflict with postfix?

i seem to be getting timed out errors. postfix is running per the command 
prompt status check. 



----- Original Message -----
From: Tashfeen Ekram 
To: postfix-users@postfix.org
Sent: Tuesday, April 14, 2009 9:57:35 AM
Subject: Re: Newbie configuration/installation question


I installed it with apt-get install postfix and then choose "Internet Site" 
during the configuration. 
i have configured rails to use smtp.
config.action_mailer.smtp_settings = {
  :address    => 'localhost',
  :port   => 25,
  :domain => 'www.example.com',
}



----- Original Message -----
From: J Sloan 
To: postfix-users@postfix.org
Sent: Monday, April 13, 2009 5:45:40 PM
Subject: Re: Newbie configuration/installation question

Tashfeen Ekram wrote:
> I have installed Postfix on Ubuntu to use to only send emails for my
> rails application. My rails application is not able to connect to it.
> Could this be because sendmail is listening at port 20?
> also, what configuration would suit me best if I only want to send
> emails and not receive. This is only for testing purposes on my own
> laptop.


Just to eliminate a lot of guesswork: when you say you "installed
postfix" did you do something like "apt-get install postfix" or click on
postfix to install via synaptic, or did you download a tarball from the
internet and build it yourself?

How is rails configured to send the mail - with the sendmail command, or
via an smtp connection to the local host?

Joe





Re: Looking for a little (offlist?) help with ldap integration

2009-04-16 Thread Evan Platt

At 12:22 PM 4/16/2009, you wrote:

On 4/16/2009 3:11 PM, Evan Platt wrote:
> My mail provider says they can query an LDAP database, but can't offer
> much assistance to me in setting it up.
>
> Basically now I use /etc/posfix/aliases, but that's obviously useless
> for LDAP.

Surprising - they can't do recipient verification (doesn't require LDAP,
just relies on an honest answer from your server)?


I can ask... I don't think so since when I've brought this up in the 
past, the response is 'get an ldap server dude!'



In that case, what I'd do is use plus-addressing instead of making up
fullblown aliases on the fly.


So - if my username is joesmith, use say joesmith+abcincorporated @ 
mydomain . com?


Well, the problem still is I'd rather have them reject the e-mail 
rather than accept then deliver..



Your anti-spam service provider should have the ability to simply define
a list of valid users via flat file if nothing else


Well, the problem is whenever I sign up for a list or make a 
purchase, I create a new one, so I'd be sending them a list pretty 
often, hence the idea of LDAP.



(if they can't, I'd switch providers), so just make sure they 
support plus addressing, and

give them your one (or however many) valid emails and be done with it..


Well, the price for them is right - free :) But the problem is 
dynamics. I don't want to have to bug them every time I add or remove 
an address... :)


Evan 



Re: Looking for a little (offlist?) help with ldap integration

2009-04-16 Thread Charles Marcus
On 4/16/2009 3:11 PM, Evan Platt wrote:
> My mail provider says they can query an LDAP database, but can't offer
> much assistance to me in setting it up.
> 
> Basically now I use /etc/posfix/aliases, but that's obviously useless
> for LDAP.

Surprising - they can't do recipient verification (doesn't require LDAP,
just relies on an honest answer from your server)?

> My aliases consists of aliases redirected to one account (I really only
> have one mail account, every alias directs to that).

In that case, what I'd do is use plus-addressing instead of making up
fullblown aliases on the fly.

Your anti-spam service provider should have the ability to simply define
a list of valid users via flat file if nothing else (if they can't, I'd
switch providers), so just make sure they support plus addressing, and
give them your one (or however many) valid emails and be done with it..

-- 

Best regards,

Charles


Looking for a little (offlist?) help with ldap integration

2009-04-16 Thread Evan Platt
I know this is somewhat offtopic, but hopefully someone here can / is 
willing to help me out a little... :)


I run a mail server for me, myself, and I. I create aliases as needed 
to 'tag' where an address goes - ie if I sign up for ABC Corp, I 
might give them abccorp@ my domain.


My mail server is set up that for my domain, my primary MX is an 
anti-spam antivirus server. Mail is scanned, then delivered to my 
postfix. As such, mail will ONLY come from a few IP's.


(I guess the above isn't quite related to this, but just some background).

Because of this, every mail is accepted - mail to sadnfkjsdnfkasd @ 
mydomain is accepted as long as it's not deemed spam.


My mail provider says they can query an LDAP database, but can't 
offer much assistance to me in setting it up.


Basically now I use /etc/postfix/aliases, but that's obviously useless 
for LDAP.


My aliases consists of aliases redirected to one account (I really 
only have one mail account, every alias directs to that).


So I'm looking for a little help with the easiest way to convert this 
aliases to use for LDAP. I've read quite a few help pages, but not 
sure if I'm finding the right one or what the right way to do this 
is. This is on a OS/X client box, and I have webmin and ldapadmin 
(Windows GUI interface to ldap server)..


I've provided my postconf -n output below.. Appreciate any help! Thanks!

Evan


# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydomain = espphotography.com
mydomain_fallback = localhost
myhostname = espphotography.com
mynetworks = 192.168.1.0/24,216.200.134.247
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost = [smtp.comcast.net]:587
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
smtpd_tls_cert_file = /System/Library/OpenSSL/certs/smtpd.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550



Re: Disabling LDAP lookups

2009-04-16 Thread Darek M.

Wietse Venema wrote:
> Darek M.:
> > Hi there, my postfix "smart relay" install queries my LDAP system where
> > it was never configured to do so.
> >
> > The OS is configured with LDAP/KRB5 authentication and does user/group
> > lookups via LDAP using nss_ldap:
> >
> > # egrep 'passwd|group' /etc/nsswitch.conf
> >   group: files ldap
> >   group_compat: nis
> >   passwd: files ldap
> >   passwd_compat: nis
> >
> > I disabled local delivery as per "The book of Postfix":
> >   mydestination =
> >   local_recipient_maps =
> >   virtual_alias_maps = hash:/etc/postfix/virtual
> >   local_transport = error:local mail delivery is disabled
>
> Every Postfix process needs to look up the postfix user, and for
> sanity checks it also looks up the postdrop group.
>
> Postfix does not look up this user/group information via LDAP. The
> system library does the lookups via the nsswitch mechanism.
>
> Wietse


Right, if those are system user lookups then there's no way to avoid it 
if I want to keep ldap/kerberos auth.  I just wasn't clear about whether 
these were local destination lookups.


Thanks.




Re: Disabling LDAP lookups

2009-04-16 Thread Wietse Venema
Darek M.:
> Hi there, my postfix "smart relay" install queries my LDAP system where 
> it was never configured to do so.
> 
> The OS is configured with LDAP/KRB5 authentication and does user/group 
> lookups via LDAP using nss_ldap:
> 
> # egrep 'passwd|group' /etc/nsswitch.conf
>   group: files ldap
>   group_compat: nis
>   passwd: files ldap
>   passwd_compat: nis
> 
> I disabled local delivery as per "The book of Postfix":
>   mydestination =
>   local_recipient_maps =
>   virtual_alias_maps = hash:/etc/postfix/virtual
>   local_transport = error:local mail delivery is disabled

Every Postfix process needs to look up the postfix user, and for
sanity checks it also looks up the postdrop group.

Postfix does not look up this user/group information via LDAP. The
system library does the lookups via the nsswitch mechanism.

Wietse


Re: Info about queues

2009-04-16 Thread Terry Carmen

> How I can get more information about the messages through the different
> queues ?
> For example, information like input/output time.
>
>
> How many queues, Postfix have? 5 or 6 ?
> 1. active
> 2. deferred
> 3. hold
> 4. incoming
> 5. maildrop
>
> 6. corrupt (is a queue ?)


http://www.postfix.org/QSHAPE_README.html#maildrop_queue





Re: Disabling LDAP lookups

2009-04-16 Thread Victor Duchovni
On Thu, Apr 16, 2009 at 01:46:07PM -0400, Darek M. wrote:

> Hi there, my postfix "smart relay" install queries my LDAP system where it 
> was never configured to do so.
>
> The OS is configured with LDAP/KRB5 authentication and does user/group 
> lookups via LDAP using nss_ldap:

Postfix will at the very least obtain the uid/gid of the "postfix" user
and "postdrop" group from the system passwd/group tables.

> # egrep 'passwd|group' /etc/nsswitch.conf
>  group: files ldap
>  group_compat: nis
>  passwd: files ldap
>  passwd_compat: nis

If you don't want LDAP, don't use LDAP.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Disabling LDAP lookups

2009-04-16 Thread Darek M.
Hi there, my postfix "smart relay" install queries my LDAP system where 
it was never configured to do so.


The OS is configured with LDAP/KRB5 authentication and does user/group 
lookups via LDAP using nss_ldap:


# egrep 'passwd|group' /etc/nsswitch.conf
 group: files ldap
 group_compat: nis
 passwd: files ldap
 passwd_compat: nis

I disabled local delivery as per "The book of Postfix":
 mydestination =
 local_recipient_maps =
 virtual_alias_maps = hash:/etc/postfix/virtual
 local_transport = error:local mail delivery is disabled

And in my transport.db I simply have:
 * smtp:[192.168.22.29]:25

to go to the central mail server.  Yet postfix still performs LDAP queries:

# sockstat -4c|grep :636
postfix  showq  67305 10 tcp4   LOCAL_SYSTEM:59537   LDAP_SERVER:636
postfix  showq  67300 10 tcp4   LOCAL_SYSTEM:62712   LDAP_SERVER:636
postfix  smtp   66966 11 tcp4   LOCAL_SYSTEM:54342   LDAP_SERVER:636
postfix  smtpd  66804 16 tcp4   LOCAL_SYSTEM:56945   LDAP_SERVER:636
... (a bunch of similar 'smtpd' processes)
postfix  smtpd  66803 16 tcp4   LOCAL_SYSTEM:56944   LDAP_SERVER:636
postfix  cleanup66681 12 tcp4   LOCAL_SYSTEM:56851   LDAP_SERVER:636
postfix  smtpd  66679 16 tcp4   LOCAL_SYSTEM:56849   LDAP_SERVER:636
postfix  cleanup66677 12 tcp4   LOCAL_SYSTEM:56848   LDAP_SERVER:636
postfix  smtp   66643 11 tcp4   LOCAL_SYSTEM:56825   LDAP_SERVER:636
postfix  smtpd  66642 16 tcp4   LOCAL_SYSTEM:56824   LDAP_SERVER:636
postfix  qmgr   66641 10 tcp4   LOCAL_SYSTEM:56823   LDAP_SERVER:636
postfix  cleanup66632 12 tcp4   LOCAL_SYSTEM:56815   LDAP_SERVER:636
postfix  trivial-re 66630 12 tcp4   LOCAL_SYSTEM:56812   LDAP_SERVER:636
postfix  flush  66079 11 tcp4   LOCAL_SYSTEM:50414   LDAP_SERVER:636
postfix  bounce 66078 10 tcp4   LOCAL_SYSTEM:55124   LDAP_SERVER:636
postfix  pickup 64449 9  tcp4   LOCAL_SYSTEM:54848   LDAP_SERVER:636
postfix  smtpd  63740 16 tcp4   LOCAL_SYSTEM:63620   LDAP_SERVER:636

Taking out 'ldap' from /etc/nsswitch.conf would stop these lookups.  But 
I'm looking for another solution.  Postfix is doing local user lookups, 
but I don't know which knob to twist to stop it from doing so.


I'm attaching my postconf below.


2bounce_notice_recipient = postmaster
access_map_reject_code = 554
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = postmaster
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
allow_min_user = no
allow_percent_hack = yes
allow_untrusted_routing = no
alternate_config_directories =
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_at_myorigin = no
append_dot_mydomain = yes
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
biff = yes
body_checks =
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 5
bounce_template_file =
broken_sasl_auth_clients = no
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
canonical_maps =
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter = 12345678...@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
daemon_directory = /usr/libexec/postfix
daemon_timeout = 18000s
debug_peer_level = 2
debug_peer_list =
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class 
[$rbl_what] blocked using $rb

Re: Auto reply messages

2009-04-16 Thread mouss
Sahil Tandon wrote:
> On Thu, 16 Apr 2009, Antonis Rizopoulos wrote:
> 
>> I was trying to setup postfix to send auto reply messages using procmail
>> with this script :
>> http://www.opensourcehowto.org/uploads/scripts/vacation.txt
>> but I can't get it work. I also tried the *.forward* files but no luck.
>> So I think procmail and .forward files are for local system users mail
>> deliveries, not virtual (without any system home directory), or I don't
>> know how to do this.
> 
> Read http://www.postfix.org/virtual.8.html; specifically the section titled
> HISTORY.
> 
>> In my setup I have virtual users and I use Courier-IMAP for M.D.A.
>> My users are stored in Courier's database.
>>
>> Is there any way to allow a user to activate/deactivate an auto-reply
>> message by sending an email to himself with "special" subject and/or body ?
> 
> Probably, but that is well out of the scope of this mailing list.  FWIW, many
> people have had success using Dovecot's LDA to deliver mail which plays
> nicely with sieve scripts that include vacation (auto-reply) functionality.
> 

since he uses courier, he should consider using maildrop instead of
procmail.


Re: Info about queues

2009-04-16 Thread Sahil Tandon
On Thu, 16 Apr 2009, no7find - wrote:

> How I can get more information about the messages through the different
> queues ?
> For example, information like input/output time.
> 
> How many queues, Postfix have? 5 or 6 ?
> 1. active
> 2. deferred
> 3. hold
> 4. incoming
> 5. maildrop
> 
> 6. corrupt (is a queue ?)

Do not send the same message to the mailing list twice.  Read:
http://www.postfix.org/QSHAPE_README.html

-- 
Sahil Tandon 


Re: Filter incoming emails by source IP but depending on destination domains

2009-04-16 Thread Denis BUCHER
Noel Jones wrote:
> Denis BUCHER wrote:
>> I have a server with different domains on it. Some domains should only
>> receive emails from specific IP adresses (SPAM filtering) while other
>> domains should accept emails from all domains.
>>
>> How could I implement this ?
>>
>> I suppose I have to do a hash with the specific IPs, and add this hash
>> as filter for the domains that should be filtered ?
>>
>> Is this correct, and could someone point me to how it should be done ?
> 
> Here's the documentation on how to do something like this:
> http://www.postfix.org/RESTRICTION_CLASS_README.html
> 
> A brief example:
> #main.cf
> smtpd_delay_reject = yes
> (this is the default; required for this example)
> 
> smtpd_restriction_classes = from_spamfilter_only
> 
> from_spamfilter_only =
>   check_client_access cidr:/etc/postfix/from_spamfilter.cidr
> 
> smtpd_client_restrictions =
>   check_recipient_access hash:/etc/postfix/filtered_domains
> 
> # filtered_domains table
> # postmap this table after edits!
> example.com  from_spamfilter_only
> other.example.org  from_spamfilter_only
> 
> # from_spamfilter cidr table
> # postmap not necessary.
> 10.1.1.0/27  OK
> 192.168.100.127  OK
>  # next line rejects any unauthorized clients
> 0.0.0.0/0  REJECT you must use our MX host

Thanks a lot, this looks very nice and powerful, exactly what I was
searching for :-))

(And thanks to Ralf Hildebrandt that pointed to the same method too)

Have a nice week !

Denis
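
To check tables like the ones in the quoted example before loading them, the following Python model (an added example, not Postfix code and not from the original messages) evaluates check_recipient_access followed by the from_spamfilter_only class for a given client and recipient, and flags cidr entries that an earlier entry shadows. It is a simplification: the recipient lookup tries only the full address and the domain, and the function names are made up for illustration.

```python
import ipaddress

# Tables copied from the example quoted above.
FILTERED_DOMAINS = {
    "example.com": "from_spamfilter_only",
    "other.example.org": "from_spamfilter_only",
}
FROM_SPAMFILTER_CIDR = [
    ("10.1.1.0/27", "OK"),
    ("192.168.100.127", "OK"),
    ("0.0.0.0/0", "REJECT you must use our MX host"),
]
# Maps a restriction class name to the cidr table its check_client_access uses.
RESTRICTION_CLASSES = {"from_spamfilter_only": FROM_SPAMFILTER_CIDR}


def cidr_lookup(table, client_ip):
    """First matching entry wins, as in a cidr: table. DUNNO if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, action in table:
        net = ipaddress.ip_network(pattern)
        # An IPv4 pattern such as 0.0.0.0/0 never matches an IPv6 client.
        if addr.version == net.version and addr in net:
            return action
    return "DUNNO"


def client_restrictions(client_ip, recipient):
    """Model: smtpd_client_restrictions = check_recipient_access filtered_domains.

    Assumption of this model: only the full address and the bare domain are
    looked up in the hash table.
    """
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[-1]
    result = FILTERED_DOMAINS.get(recipient) or FILTERED_DOMAINS.get(domain)
    if result is None:
        return "DUNNO"          # domain is not filtered; later restrictions decide
    if result in RESTRICTION_CLASSES:
        return cidr_lookup(RESTRICTION_CLASSES[result], client_ip)
    return result


def shadowed_entries(table):
    """Return patterns that can never match because an earlier entry covers them."""
    seen, shadowed = [], []
    for pattern, _action in table:
        net = ipaddress.ip_network(pattern)
        if any(net.version == e.version and net.subnet_of(e) for e in seen):
            shadowed.append(pattern)
        seen.append(net)
    return shadowed


if __name__ == "__main__":
    for ip, rcpt in [
        ("10.1.1.5", "user@example.com"),
        ("10.1.1.40", "user@example.com"),
        ("203.0.113.9", "user@unfiltered.example.net"),
        ("2001:db8::1", "user@example.com"),
    ]:
        print(f"{ip:15} -> {rcpt:30} {client_restrictions(ip, rcpt)}")
    print("shadowed:", shadowed_entries(FROM_SPAMFILTER_CIDR))
```

In this model an IPv6 client falls through the IPv4-only catch-all with DUNNO, so a server that accepts IPv6 connections would need a matching ::/0 REJECT line in the cidr table.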


Re: Auto reply messages

2009-04-16 Thread Sahil Tandon
On Thu, 16 Apr 2009, Antonis Rizopoulos wrote:

> I was trying to setup postfix to send auto reply messages using procmail
> with this script :
> http://www.opensourcehowto.org/uploads/scripts/vacation.txt
> but I can't get it work. I also tried the *.forward* files but no luck.
> So I think procmail and .forward files are for local system users mail
> deliveries, not virtual (without any system home directory), or I don't
> know how to do this.

Read http://www.postfix.org/virtual.8.html; specifically the section titled
HISTORY.

> In my setup I have virtual users and I use Courier-IMAP for M.D.A.
> My users are stored in Courier's database.
> 
> Is there any way to allow a user to activate/deactivate an auto-reply
> message by sending an email to himself with "special" subject and/or body ?

Probably, but that is well out of the scope of this mailing list.  FWIW, many
people have had success using Dovecot's LDA to deliver mail which plays
nicely with sieve scripts that include vacation (auto-reply) functionality.

-- 
Sahil Tandon 


Info about queues

2009-04-16 Thread no7find -
How I can get more information about the messages through the different
queues ?
For example, information like input/output time.


How many queues, Postfix have? 5 or 6 ?
1. active
2. deferred
3. hold
4. incoming
5. maildrop

6. corrupt (is a queue ?)


Thanks



Re: Delivering mail to 2 sites

2009-04-16 Thread Noel Jones

Eric Magutu wrote:
> Hi,
> I am currently using exim and was doing an installation on postfix. I
> needed postfix to accept mail for domain.com and
> deliver the email to 2 different servers a local and remote without
> configuring forwarders. We have implemented this in exim but would like
> to do the same with Postfix.
>
> Can someone shed some light on how to configure this? If you have a
> better way to achieve the same thing without the use of forwarders I'm
> open to suggestions.
>
> --
> Regards,
> Eric Magutu


To send mail to an additional destination, you need to add an 
additional recipient.  Use virtual_alias_maps to add a second 
recipient, transport_maps to direct the mail where it should 
go, and smtp_generic_maps to rewrite the address back to the 
original form as it's transmitted.


A basic example:

main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual

virtual:
us...@example.com  us...@example.com us...@new.example.com

Then use a transport table entry to route the new mail to the 
proper server.

main.cf:
transport_maps = hash:/etc/postfix/transport

transport:
new.example.com  relay:[192.168.192.168]

Then use a pcre smtp_generic_maps to rewrite the recipient 
back to the original domain when postfix sends the mail.

main.cf:
smtp_generic_maps = pcre:/etc/postfix/smtp_generic.pcre

smtp_generic.pcre:
/^(.*)@new\.example\.com$/  $...@example.com


Important Notes:
Do not change your current setting for virtual_alias_domains.
Do not use wildcard or regexp rewrites in virtual_alias_maps; 
each recipient must be listed individually.


  -- Noel Jones


Delivering mail to 2 sites

2009-04-16 Thread Eric Magutu
Hi,
I am currently using exim and was doing an installation on postfix. I
needed postfix to accept mail for domain.com and deliver the email to 2
different servers a local and remote without configuring forwarders. We have
implemented this in exim but would like to do the same with Postfix.

Can someone shed some light on how to configure this? If you have a better
way to achieve the same thing without the use of forwarders I'm open to
suggestions.

-- 
Regards,
Eric Magutu


Re: meaning of connect immediately followed by disconnect in mail log

2009-04-16 Thread Wietse Venema
Victor Duchovni:
> On Thu, Apr 16, 2009 at 10:27:33AM -0400, Kevin Murphy wrote:
> 
> > postfix 2.1.5 (Mac OS X 10.4.11, Tiger), logging set to debug level:
> >
> > Out of curiosity, what do empty connect/disconnect pairs in the mail log 
> > mean?  I.e.:
> >
> > Mar 19 09:50:19 jupiter postfix/smtpd[1452]: connect from 
> > mx3.westat.com[198.232.249.38]
> > Mar 19 09:50:20 jupiter postfix/smtpd[1452]: disconnect from 
> > mx3.westat.com[198.232.249.38]
> >
> > In this example, the user at westat.com was told by his mail server that 
> > his email could not be delivered to our mail server.  However, I see no 
> > indications of errors in the mail log.  In the prior minute there were only 
> > 5 connects, so load on the box was small.
> >
> > I see lots of these connect/disconnect pairs in my logs, at least 17% of 
> > all connections.  Over 99% of westat's connections to our mail server over 
> > the last month had this result.
> 
> Firewall brain-damage? Does your server have ECN enabled, is
> window-scaling on by default? I find that a public mail-server can rarely
> afford to have modern TCP options enabled and still send/receive mail
> to/from systems behind random vendor's firewall.
> 
> So on Linux 2.6 systems, I have:
> 
> net.ipv4.tcp_adv_win_scale = 0
> net.ipv4.tcp_ecn = 0
> 
> the second is the default for now, but the first is needed, because the
> default window scale is > 0.
> 
> This problem is resolved via "tcpdump"...

As of 20090109, Postfix 2.6 supports a workaround. Below
is a quote from the Postfix 2.6 release notes.

Wietse

Specify "tcp_windowsize = 65535" (or less) to work around routers
with broken TCP window scaling implementations.  This is perhaps
more convenient than collecting tcpdump output and tuning kernel
parameters by hand.  With Postfix TCP servers (smtpd(8), qmqpd(8)),
this feature is implemented by the Postfix master(8) daemon.

To change this parameter without stopping Postfix, you need to first
terminate all Postfix TCP servers:

# postconf -e master_service_disable=inet
# postfix reload

This immediately terminates all processes that accept network
connections.  Then you enable Postfix TCP servers with the updated
tcp_windowsize setting:

# postconf -e tcp_windowsize=65535 master_service_disable=
# postfix reload

If you skip these steps with a running Postfix system, then the
tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
lmtp(8)).

Of course you can also do "postfix stop" and "postfix start",
but that is more disruptive.



Re: meaning of connect immediately followed by disconnect in mail log

2009-04-16 Thread Ralf Hildebrandt
* Victor Duchovni :

> Firewall brain-damage? Does your server have ECN enabled, is
> window-scaling on by default? I find that a public mail-server can
> rarely afford to have modern TCP options enabled and still send/receive
> mail to/from systems behind random vendor's firewall.

Amen to that!!!

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
Don't judge too fast! Some are gurus, but most of us mortals just read
the documentation that comes with the TLS patch.-- Patrick Koetter


Re: meaning of connect immediately followed by disconnect in mail log

2009-04-16 Thread Victor Duchovni
On Thu, Apr 16, 2009 at 10:27:33AM -0400, Kevin Murphy wrote:

> postfix 2.1.5 (Mac OS X 10.4.11, Tiger), logging set to debug level:
>
> Out of curiosity, what do empty connect/disconnect pairs in the mail log 
> mean?  I.e.:
>
> Mar 19 09:50:19 jupiter postfix/smtpd[1452]: connect from 
> mx3.westat.com[198.232.249.38]
> Mar 19 09:50:20 jupiter postfix/smtpd[1452]: disconnect from 
> mx3.westat.com[198.232.249.38]
>
> In this example, the user at westat.com was told by his mail server that 
> his email could not be delivered to our mail server.  However, I see no 
> indications of errors in the mail log.  In the prior minute there were only 
> 5 connects, so load on the box was small.
>
> I see lots of these connect/disconnect pairs in my logs, at least 17% of 
> all connections.  Over 99% of westat's connections to our mail server over 
> the last month had this result.

Firewall brain-damage? Does your server have ECN enabled, is
window-scaling on by default? I find that a public mail-server can rarely
afford to have modern TCP options enabled and still send/receive mail
to/from systems behind random vendor's firewall.

So on Linux 2.6 systems, I have:

net.ipv4.tcp_adv_win_scale = 0
net.ipv4.tcp_ecn = 0

the second is the default for now, but the first is needed, because the
default window scale is > 0.

This problem is resolved via "tcpdump"...

-- 
Viktor.



meaning of connect immediately followed by disconnect in mail log

2009-04-16 Thread Kevin Murphy

postfix 2.1.5 (Mac OS X 10.4.11, Tiger), logging set to debug level:

Out of curiosity, what do empty connect/disconnect pairs in the mail log 
mean?  I.e.:


Mar 19 09:50:19 jupiter postfix/smtpd[1452]: connect from mx3.westat.com[198.232.249.38]
Mar 19 09:50:20 jupiter postfix/smtpd[1452]: disconnect from mx3.westat.com[198.232.249.38]


In this example, the user at westat.com was told by his mail server that 
his email could not be delivered to our mail server.  However, I see no 
indications of errors in the mail log.  In the prior minute there were 
only 5 connects, so load on the box was small.


I see lots of these connect/disconnect pairs in my logs, at least 17% of 
all connections.  Over 99% of westat's connections to our mail server 
over the last month had this result.


Thanks,
Kevin Murphy
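
One way to measure the pattern described in this post, as an added example that is not part of the original message: the Python sketch below pairs smtpd connect and disconnect lines by process id and reports, per client, how many sessions logged nothing in between. Apart from the two mx3.westat.com lines quoted above, the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Sample log. The first two lines are the pair quoted in the post (unwrapped);
# every other line is constructed for this example.
SAMPLE_LOG = """\
Mar 19 09:50:19 jupiter postfix/smtpd[1452]: connect from mx3.westat.com[198.232.249.38]
Mar 19 09:50:20 jupiter postfix/smtpd[1452]: disconnect from mx3.westat.com[198.232.249.38]
Mar 19 09:51:01 jupiter postfix/smtpd[1452]: connect from mail.example.org[192.0.2.10]
Mar 19 09:51:01 jupiter postfix/smtpd[1460]: connect from mx3.westat.com[198.232.249.38]
Mar 19 09:51:02 jupiter postfix/smtpd[1452]: 3F2A81C0DE: client=mail.example.org[192.0.2.10]
Mar 19 09:51:02 jupiter postfix/cleanup[1470]: 3F2A81C0DE: message-id=<constructed@example.org>
Mar 19 09:51:02 jupiter postfix/smtpd[1460]: disconnect from mx3.westat.com[198.232.249.38]
Mar 19 09:51:03 jupiter postfix/smtpd[1452]: disconnect from mail.example.org[192.0.2.10]
Mar 19 09:52:10 jupiter postfix/smtpd[1461]: connect from mail.example.net[198.51.100.7]
Mar 19 09:52:11 jupiter postfix/smtpd[1461]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 constructed reject line
Mar 19 09:52:11 jupiter postfix/smtpd[1461]: disconnect from mail.example.net[198.51.100.7]
"""

# "Mon DD HH:MM:SS host postfix/smtpd[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\spostfix/smtpd\[(\d+)\]:\s(.*)$")
# The disconnect pattern is not anchored at the end, so trailing text is tolerated.
PEER_RE = re.compile(r"^(connect|disconnect) from (\S+?)\[([^\]]+)\]")


def empty_session_stats(log_text):
    """Return {client: (empty_sessions, total_sessions)} for smtpd sessions.

    A session is "empty" when the same smtpd process logged nothing between
    its connect and disconnect lines. One smtpd process serves one client at
    a time, so the pid identifies the session.
    """
    open_sessions = {}            # pid -> [client, lines logged since connect]
    total, empty = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # other daemons, wrapped or foreign lines
        pid, msg = m.group(1), m.group(2)
        peer = PEER_RE.match(msg)
        if peer and peer.group(1) == "connect":
            open_sessions[pid] = [f"{peer.group(2)}[{peer.group(3)}]", 0]
        elif peer and peer.group(1) == "disconnect":
            session = open_sessions.pop(pid, None)
            if session is None:
                continue          # connect happened before this log window
            client, logged = session
            total[client] += 1
            if logged == 0:
                empty[client] += 1
        elif pid in open_sessions:
            open_sessions[pid][1] += 1
    return {client: (empty[client], total[client]) for client in total}


def overall_empty_fraction(stats):
    """Fraction of all completed sessions that were empty."""
    total = sum(t for _, t in stats.values())
    empty = sum(e for e, _ in stats.values())
    return empty / total if total else 0.0


if __name__ == "__main__":
    stats = empty_session_stats(SAMPLE_LOG)
    for client, (e, t) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print(f"{client:40} {e}/{t} empty")
    print(f"overall: {overall_empty_fraction(stats):.0%} of sessions empty")
```

An empty pair only shows that smtpd logged nothing for that session; the tcpdump capture suggested in the replies is still what shows why the peer gave up.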



Re: A better backscatter killer?

2009-04-16 Thread kj

Dennis Carr wrote:
> Looking at options here for eliminating backscatter.
>
> I've reviewed the Howto for this, but it only seems to be effective
> against backscatter where one's home domain is forged - not too useful,
> IMNSHO, because spammers aren't always going to forge the home domain.
>
> One thing I've been looking at doing is basically checking headers, and
> if the From: header is null, then reject it immediately.
>
> Other approach is to eliminate my 2ary MX from DNS - most of my spam
> comes from that.  I don't really want to do that, though, because the
> idea of a 2ary MX is for a fallback.

Do recipient verification on your secondary MX.

Or even better, don't use a secondary MX.  Real servers sending to you, 
will try again. If you expect to have more than four odd days at a time, 
you have bigger things to worry about anyway.



--kj


Postfix 2.6.0 stable release candidate

2009-04-16 Thread Wietse Venema
Last night I have uploaded postfix-2.6.0-RC1, the first Postfix
2.6 stable release candidate. The documentation still needs some
work, and depending on time I may still be able to slip in some
small amount of new code. The biggest changes since Postfix 2.5 are:

- Automatic stress-dependent behavior is turned on (STRESS_README).
  The rationale is that when mail performance is down the tubes,
  then it is OK to make drastic temporary configuration changes.

- Support for multiple Postfix instances (MULTI_INSTANCE_README).
  This also involves a minor file reorganization where some files
  are moved from $config_directory to $daemon_directory.

As usual in the past few years, no Postfix development happened in
February-March as this is the conference paper review season.  The
documentation was not ready in January, so the Postfix 2.6 release
had to wait until I have time.

Expect to have a stable release later this month.

Wietse


Re: problems with smtpd_sender_restrictions and smtpd_client_restrictions

2009-04-16 Thread deconya
Thanks!

Well if I put reject_unknown_client, my client says "Client host rejected:
cannot find your hostname, [10.160.1.193]". Does it refer to $myhostname??

Well the good news is if I put only

smtpd_client_restrictions=
check_client_access hash:/etc/postfix/access,
#   reject_unknown_client,
reject_rbl_client zen.spamhaus.org

goes right, one first step .-)

Other good blacklists?

Thanks && Best Regards

On Thu, Apr 16, 2009 at 1:29 PM, Ralf Hildebrandt <
ralf.hildebra...@charite.de> wrote:

> * deconya :
> > Hi list
> >
> > Im having problems with smtpd_sender_restrictions and
> > smtpd_client_restrictions options. Actually I have:
> >
> > smtpd_sender_restrictions =
> > reject_unknown_sender_domain,
> > check_sender_access hash:/etc/postfix/spammer,
> > reject_non_fqdn_sender
> >
> > smtpd_client_restrictions=
> ---> make that check_client_access hash:/etc/postfix/access,
> >    reject_unauth_destination,
> ---> remove that
> >reject_unknown_client,
> >reject_rbl_client sbl.spamhaus.org
>
> Make that reject_rbl_client zen.spamhaus.org
>
> --
> Ralf Hildebrandt
> Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
> http://www.computerbeschimpfung.de
> The shortest computer jokes:
> 1) It ought to work.
>


Re: Configuring virtual mailboxes AND local account delivery under one domain name

2009-04-16 Thread mouss
Phil Gunhouse wrote:
> Hi, have googled and searched the list for an answer so hope this isn't a
> regular query... we're moving from a sendmail configuration to Postfix
> primarily for database configured virtual mailboxes and the ease of
> management that entails, we wish to manage both users within our domain and
> other virtual domains under one umbrella, but to retain some 'unix account'
> processing, via the local delivery agent, for bounce handlers, mailing list
> software etc.
> 
> It appears that things are not designed to allow delivery to virtual
> mailboxes for the domain in which the mailserver lives, which is in effect
> what we want to achieve, quote: 'NEVER list a virtual alias domain name as a
> mydestination domain!'
> 

myhostname = foo.example.com
mydomain = example.com
mydestination = $myhostname, localhost, localhost.$mydomain
virtual_mailbox_domains = $mydomain


and use virtual_alias_maps to redirect "unix" users to local:

j...@example.com                j...@localhost
fool...@example.com             fool...@localhost
foolist-subscr...@example.com   foolist-subscr...@localhost
...


for mailing lists, it is simpler to reserve a specific domain such as
lists.example.com. then you can deliver such mail via local (by adding
lists.example.com to mydestination) or via a transport that you define
in master.cf (in which case, you can configure lists.example.com as a
virtual mailbox domain).



> I can 'fudge' the situation by configuring the mailserver under a fake
> internal domain to allow virtual mailboxes for the 'real' domain to work,
> then 'fix' things so the server appears externally as the 'real' domain to
> match DNS lookups etc., finally forwarding mail to
> unixaccount.mycompany.local where local processing is required...
> 
> myhostname = mailserver.mycompany.local
> mycompany  = mycompany.local
> myorigin   = mycompany.com
> smtp_helo_name = mailserver.mycompany.com
> smtpd_banner   = mailserver.mycompany.com ESMTP $mail_name
> 
> ... but this doesn't feel like a proper solution. Can the list recommend any
> tried and tested configurations for achieving this mixed scenario.
> 
> 


Re: problems with smtpd_sender_restrictions and smtpd_client_restrictions

2009-04-16 Thread Ralf Hildebrandt
* deconya :
> Hi list
> 
> Im having problems with smtpd_sender_restrictions and
> smtpd_client_restrictions options. Actually I have:
> 
> smtpd_sender_restrictions =
> reject_unknown_sender_domain,
> check_sender_access hash:/etc/postfix/spammer,
> reject_non_fqdn_sender
> 
> smtpd_client_restrictions=
---> make that check_client_access hash:/etc/postfix/access,
>    reject_unauth_destination,
---> remove that
>reject_unknown_client,
>reject_rbl_client sbl.spamhaus.org

Make that reject_rbl_client zen.spamhaus.org

-- 
Ralf Hildebrandt
Postfix - Einrichtung, Betrieb und Wartung   Tel. +49 (0)30-450 570-155
http://www.computerbeschimpfung.de
The shortest computer jokes:
1) It ought to work.


problems with smtpd_sender_restrictions and smtpd_client_restrictions

2009-04-16 Thread deconya
Hi list

I'm having problems with smtpd_sender_restrictions and
smtpd_client_restrictions options. Actually I have:

smtpd_sender_restrictions =
reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/spammer,
reject_non_fqdn_sender

smtpd_client_restrictions=
   hash:/etc/postfix/access,
   reject_unauth_destination,
   reject_unknown_client,
   reject_rbl_client sbl.spamhaus.org

If I use only smtpd_sender_restrictions all goes well, but when I activate
smtpd_client_restrictions all the smtpd connections are refused. I don't
know if the order of the options affects because are in the last part of
main.cf, but is strange because my IP is not banned. Anyone has any idea
where's the problem?

Thanks && Best regards


Auto reply messages

2009-04-16 Thread Antonis Rizopoulos
Hello,

I was trying to setup postfix to send auto reply messages using procmail
with this script :
http://www.opensourcehowto.org/uploads/scripts/vacation.txt
but I can't get it to work. I also tried the .forward files but no luck.
So I think procmail and .forward files are for local system users mail
deliveries, not virtual (without any system home directory), or I don't
know how to do this.

In my setup I have virtual users and I use Courier-IMAP for M.D.A.
My users are stored in Courier's database.

Is there any way to allow a user to activate/deactivate an auto-reply
message by sending an email to himself with "special" subject and/or body ?

Thank you very much!


Configuring virtual mailboxes AND local account delivery under one domain name

2009-04-16 Thread Phil Gunhouse
Hi, have googled and searched the list for an answer so hope this isn't a
regular query... we're moving from a sendmail configuration to Postfix
primarily for database configured virtual mailboxes and the ease of
management that entails, we wish to manage both users within our domain and
other virtual domains under one umbrella, but to retain some 'unix account'
processing, via the local delivery agent, for bounce handlers, mailing list
software etc.

It appears that things are not designed to allow delivery to virtual
mailboxes for the domain in which the mailserver lives, which is in effect
what we want to achieve, quote: 'NEVER list a virtual alias domain name as a
mydestination domain!'

I can 'fudge' the situation by configuring the mailserver under a fake
internal domain to allow virtual mailboxes for the 'real' domain to work,
then 'fix' things so the server appears externally as the 'real' domain to
match DNS lookups etc., finally forwarding mail to
unixaccount.mycompany.local where local processing is required...

myhostname = mailserver.mycompany.local
mycompany  = mycompany.local
myorigin   = mycompany.com
smtp_helo_name = mailserver.mycompany.com
smtpd_banner   = mailserver.mycompany.com ESMTP $mail_name

... but this doesn't feel like a proper solution. Can the list recommend any
tried and tested configurations for achieving this mixed scenario?

Thanks,

Phil.