Re: postfix original recipient
----- Original Message -----
From: Gaby L g...@autoglobus2000.ro
To: Postfix users postfix-users@postfix.org
Sent: Wednesday, August 19, 2009 7:16 PM
Subject: Re: postfix original recipient

Ok

Postfix logs the orig_to address when the envelope recipient address is replaced (for example with virtual_alias_maps).

The email is sent to do_ch...@de.opel.com (Envelope) but in orig_to is a.verme...@autoglobus2000.ro

Why not appear real delivery address in message? (although it is in orig_to from maillog)

Can I do original destination to appear in message? If not use virtual tables then appear in message original destination?

This is example email

Return-Path: dragos.do...@gm.com
X-Original-To: autoglo...@ag2000.ro
Delivered-To: autoglo...@ag2000.ro
Received: from localhost (mail.ag2000.ro [127.0.0.1])
    by mail.ag2000.ro (Postfix) with ESMTP id 68F58818082;
    Mon, 17 Aug 2009 13:19:41 +0300 (EEST)
X-Virus-Scanned: amavisd-new at ag2000.ro
Received: from mail.ag2000.ro ([127.0.0.1])
    by localhost (mail.ag2000.ro [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LhINW+bFSHlR; Mon, 17 Aug 2009 13:19:28 +0300 (EEST)
Received: from plgmler5.imr.gm.com (plgmler5.imr.gm.com [199.228.142.85])
    by mail.ag2000.ro (Postfix) with ESMTP id 450CE818081;
    Mon, 17 Aug 2009 13:19:27 +0300 (EEST)
Received: from plgmlir1.imr.gm.com (plgmlir1-2.imr.gm.com [199.228.142.169])
    by plgmler5.imr.gm.com (8.14.2/8.13.8) with ESMTP id n7HAJHgr023744;
    Mon, 17 Aug 2009 05:19:20 -0500
Received: from plgmlir1.imr.gm.com (localhost [127.0.0.1])
    by plgmlir1.imr.gm.com (8.14.2/8.12.10) with ESMTP id n7HAJDxX005565;
    Mon, 17 Aug 2009 05:19:13 -0500
Received: from DERUEMA16.eur.corp.gm.com ([134.46.236.103])
    by plgmlir1.imr.gm.com (8.14.2/8.12.10) with ESMTP id n7HAJBwN005525;
    Mon, 17 Aug 2009 05:19:11 -0500
X-EDSINT-Source-Ip: 134.46.236.103
To: do_ch...@de.opel.com
Subject: Rezultate Aftersales pe H2, la 13.08.2009.
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.4 HF1151 March 27, 2007
Message-ID: of07650702.057205dd-onc1257615.0036dc19-c1257615.0038b...@de.opel.com
From: Dragos Dobre dragos.do...@gm.com
Date: Mon, 17 Aug 2009 12:19:09 +0200
X-MIMETrack: Serialize by Router on DERUEMA16/M/GMSERVER/GMC at 17.08.2009 12:19:12
Content-Type: multipart/mixed; boundary==_mixed 0038B094C125761

----- Original Message -----
From: Wietse Venema wie...@porcupine.org
To: Postfix users postfix-users@postfix.org
Sent: Wednesday, August 19, 2009 5:58 PM
Subject: Re: postfix original recipient

Gaby L:
- I want to use virtual_alias_maps but I want to appear original destination address in header. It is possible?

As documented (man 5 virtual), virtual_alias_maps changes the ENVELOPE address not the HEADER address.

Wietse

Thanks

Postfix logs the orig_to address when the envelope recipient address is replaced (for example with virtual_alias_maps).

Gaby L:
Hi
I have a problem with multi-destination and hidden address email (generic address is @de.opel.com)
I use virtual table, amavisd-new. I don't view in header destination address but in maillog it appear in orig_to field (a.verme...@autoglobus2000.ro).
What insert in mail header orig_to field for filter for other incoming machine?
Re: Email Bounce Question
2009/8/19 Sean C. s...@unxhosting.com:
> Is it possible in postfix to set an account to never generate bounce back messages or to send them all to an email account rather than to the originating user? I have an account where users email in and it maps via aliases to another email address. When there is an issue I would prefer the users to not get the failure messages and perhaps instead send that message to another email account on my side.
>
> For all the other email which comes in to other accounts I would like to keep the normal bounces.

At first I thought you were referring to outgoing mail, in which case you could use generic address rewriting. In any case, you want some sender-address munging. Canonical rewriting may do what you want:

http://www.postfix.org/ADDRESS_REWRITING_README.html#canonical
Distribution lists/SPF with Postfix?
We have a basic distribution list setup within postfix under a virtual domain.

One of the external parties who wants to send to it has an SPF record in place so of course in its current configuration the message is being rejected by our SPF, and of course even if we allowed it, it would be rejected by the SPF of the recipients' mail servers.

At present the message would come directly from sender at theirdomain.com.

Is there a way within Postfix to have it originate from distribution list at ourdomain.com on behalf of sender at theirdomain.com or would I need third party listserv software to do this?

Thanks,
Paul

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
Re: Distribution lists/SPF with Postfix?
On Thursday 20 August 2009 10:01:37 Paul Hutchings wrote:
> We have a basic distribution list setup within postfix under a virtual domain.
>
> One of the external parties who wants to send to it has an SPF record in place so of course in its current configuration the message is being rejected by our SPF,

If they aren't a permitted sender don't accept it, their SPF config is presumably broken?

> and of course even if we allowed it, it would be rejected by the SPF of the recipients' mail servers.

If you are setting the envelope sender as this domain, then getting your server added to their SPF record is probably the appropriate thing to do.

> At present the message would come directly from sender at theirdomain.com.
>
> Is there a way within Postfix to have it originate from distribution list at ourdomain.com on behalf of sender at theirdomain.com or would I need third party listserv software to do this?

You are confusing envelope sender and headers.

I think SPF is broken by design, but if you aren't rewriting the email, then yes mailing list software will do that for you.

I've tended to regard SPF errors as self-inflicted injuries.
Postfix + PLESK + mail filtering
Hi everyone,

I'm trying to implement mail filtering, which should put all SPAM tagged messages into a dedicated folder. It looks simple, but then PLESK comes in. It uses:

    virtual_transport = plesk_virtual

which looks like this in master.cf:

    plesk_virtual unix - n n - - pipe
      flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames

This transport should be left intact. I'm looking into making a separate filter which will deliver the message to the Spam folder if it's tagged or pipe it back to postfix to deliver it with plesk_virtual if it's not.

Are there any thoughts how to implement this? Google didn't give the results or I didn't know how to look.

Thanks in advance

--
Regards, Vytenis
Postfix queue problem?
Dear all,

I have a big problem with the postfix queue. I'm using postfix, amavis, spamassassin. But queue has 5 mails. It's sending very slow. What can I do?

Thanks.

postconf -n

    alias_maps = hash:/etc/aliases
    body_checks = regexp:/etc/postfix/body_checks
    bounce_queue_lifetime = 3d
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    header_checks = regexp:/etc/postfix/header_checks
    inet_interfaces = all
    local_recipient_maps =
    maximal_queue_lifetime = 3d
    message_size_limit = 2024
    milter_default_action = accept
    milter_protocol = 2
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydomain = example.net
    myhostname = gw.example.net
    mynetworks = 127.0.0.0/8
    non_smtpd_milters = inet:localhost:10026
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    qmgr_clog_warn_time = 0
    receive_override_options = no_address_mappings
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_data_restrictions = reject_unauth_pipelining, permit
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, permit
    smtpd_milters = inet:localhost:10026
    smtpd_recipient_limit = 250
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_address, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_non_fqdn_hostname, reject_unauth_destination, reject_sender_login_mismatch, check_client_access hash:/etc/postfix/backscatterer_white, reject_rbl_client zen.spamhaus.org, check_sender_access hash:/etc/postfix/backscatterer_white, check_sender_access hash:/etc/postfix/check_backscatterer
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, warn_if_reject, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_restrictions, check_sender_access hash:/etc/postfix/null_sender
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/example.crt
    smtpd_tls_key_file = /etc/postfix/ssl/example.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    soft_bounce = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = hash:/etc/postfix/transport
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf

master.cf

    smtp inet n - - - 60 smtpd
    #submission inet n - - - - smtpd
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #smtps inet n - - - - smtpd
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    #qmgr fifo n - - 300 1 oqmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - - - - smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay unix - - - - - smtp
      -o smtp_fallback_relay=
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - - - - showq
    error unix - - - - - error
    retry unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify
Fw: postfix original recipient
I have detect the problem

All emails above @de.opel.com address is hidden address but my domain hidden address appear in orig_to from maillog. What do I to hidden address appear in mail header?

-----
Subject: Re: postfix original recipient

Ok

Postfix logs the orig_to address when the envelope recipient address is replaced (for example with virtual_alias_maps).

The email is sent to do_ch...@de.opel.com (Envelope) but in orig_to is a.verme...@autoglobus2000.ro

Why not appear real delivery address in message? (although it is in orig_to from maillog)

Can I do original destination to appear in message? If not use virtual tables then appear in message original destination?

This is example email

Return-Path: dragos.do...@gm.com
X-Original-To: autoglo...@ag2000.ro
Delivered-To: autoglo...@ag2000.ro
Received: from localhost (mail.ag2000.ro [127.0.0.1])
    by mail.ag2000.ro (Postfix) with ESMTP id 68F58818082;
    Mon, 17 Aug 2009 13:19:41 +0300 (EEST)
X-Virus-Scanned: amavisd-new at ag2000.ro
Received: from mail.ag2000.ro ([127.0.0.1])
    by localhost (mail.ag2000.ro [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LhINW+bFSHlR; Mon, 17 Aug 2009 13:19:28 +0300 (EEST)
Received: from plgmler5.imr.gm.com (plgmler5.imr.gm.com [199.228.142.85])
    by mail.ag2000.ro (Postfix) with ESMTP id 450CE818081;
    Mon, 17 Aug 2009 13:19:27 +0300 (EEST)
Received: from plgmlir1.imr.gm.com (plgmlir1-2.imr.gm.com [199.228.142.169])
    by plgmler5.imr.gm.com (8.14.2/8.13.8) with ESMTP id n7HAJHgr023744;
    Mon, 17 Aug 2009 05:19:20 -0500
Received: from plgmlir1.imr.gm.com (localhost [127.0.0.1])
    by plgmlir1.imr.gm.com (8.14.2/8.12.10) with ESMTP id n7HAJDxX005565;
    Mon, 17 Aug 2009 05:19:13 -0500
Received: from DERUEMA16.eur.corp.gm.com ([134.46.236.103])
    by plgmlir1.imr.gm.com (8.14.2/8.12.10) with ESMTP id n7HAJBwN005525;
    Mon, 17 Aug 2009 05:19:11 -0500
X-EDSINT-Source-Ip: 134.46.236.103
To: do_ch...@de.opel.com
Subject: Rezultate Aftersales pe H2, la 13.08.2009.
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.4 HF1151 March 27, 2007
Message-ID: of07650702.057205dd-onc1257615.0036dc19-c1257615.0038b...@de.opel.com
From: Dragos Dobre dragos.do...@gm.com
Date: Mon, 17 Aug 2009 12:19:09 +0200
X-MIMETrack: Serialize by Router on DERUEMA16/M/GMSERVER/GMC at 17.08.2009 12:19:12
Content-Type: multipart/mixed; boundary==_mixed 0038B094C125761

----- Original Message -----
From: Wietse Venema wie...@porcupine.org
To: Postfix users postfix-users@postfix.org
Sent: Wednesday, August 19, 2009 5:58 PM
Subject: Re: postfix original recipient

Gaby L:
- I want to use virtual_alias_maps but I want to appear original destination address in header. It is possible?

As documented (man 5 virtual), virtual_alias_maps changes the ENVELOPE address not the HEADER address.

Wietse

Thanks

Postfix logs the orig_to address when the envelope recipient address is replaced (for example with virtual_alias_maps).

Gaby L:
Hi
I have a problem with multi-destination and hidden address email (generic address is @de.opel.com)
I use virtual table, amavisd-new. I don't view in header destination address but in maillog it appear in orig_to field (a.verme...@autoglobus2000.ro).
What insert in mail header orig_to field for filter for other incoming machine?
Re: Postfix queue problem?
Hallo Junior,

* Junior Tux junior.pe...@gmail.com:
> Dear all,
> I have a big problem with the postfix queue. I'm using postfix, amavis, spamassassin. But queue has 5 mails. It's sending very slow. What can I do?
> Thanks.

There are various ways to debug this problem and improve performance. A first stop should be http://www.postfix.org/QSHAPE_README.html which describes not only how the various queues work together, but does also give valuable hints on solving some of the problems which one might encounter.

General hints on performance tuning can be found at http://www.postfix.org/TUNING_README.html - those documents together should provide you with a reasonable start.

> smtp-amavis unix - - n - 40 smtp
>     -o smtp_data_done_timeout=1200
>     -o smtp_send_xforward_command=yes

Can your server really handle 40 content filter processes (assuming that $max_servers in amavisd is set to 40, too)? You might want to look at your server's memory resources and see if it started swapping.

You should also provide logging output of messages which are processed slowly - please note that you will need to track two queue IDs, one before it enters the content_filter and one after the reinjection.

Cheers
Stefan
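The two queue IDs mentioned in the reply above can be linked from the log itself, because the delivery line for the filter hop records the queue ID the message received on reinjection. This is an added example, not part of the original post: the log lines are constructed, the filter port 10024 is taken from the posted content_filter setting, and the function names are hypothetical.

```python
import re

# Constructed sample log: one message that passes through the content filter
# on port 10024 and re-enters Postfix under a new queue ID, and one message
# that is deferred because the filter is not reachable.
SAMPLE_LOG = """\
Aug 20 10:00:01 gw postfix/qmgr[90]: 1A2B3C4D5E: from=<a@example.com>, size=1200, nrcpt=1 (queue active)
Aug 20 10:00:45 gw postfix/smtp[120]: 1A2B3C4D5E: to=<u@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=44, delays=0.1/0/0.1/43.8, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01234-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6F7A8B9C0D)
Aug 20 10:00:45 gw postfix/qmgr[90]: 1A2B3C4D5E: removed
Aug 20 10:00:45 gw postfix/qmgr[90]: 6F7A8B9C0D: from=<a@example.com>, size=1600, nrcpt=1 (queue active)
Aug 20 10:00:47 gw postfix/virtual[130]: 6F7A8B9C0D: to=<u@example.net>, relay=virtual, delay=1.5, delays=0.1/0/0/1.4, dsn=2.0.0, status=sent (delivered to maildir)
Aug 20 10:00:47 gw postfix/qmgr[90]: 6F7A8B9C0D: removed
Aug 20 10:05:00 gw postfix/smtp[121]: 77AA88BB99: to=<v@example.net>, relay=none, delay=300, delays=299/0.5/0.5/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
"""

# Meaning of the four delays= fields logged by Postfix delivery agents.
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

DELIVERY = re.compile(
    r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>"
    r".*?relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), .*?status=(?P<status>\w+) \((?P<text>.*)\)$"
)
QUEUED_AS = re.compile(r"queued as ([0-9A-F]+)")


def parse_deliveries(log_text, filter_port=10024):
    """Return one record per delivery attempt found in the log."""
    records = []
    for line in log_text.splitlines():
        m = DELIVERY.search(line.strip())
        if not m:
            continue
        parts = [float(x) for x in m["delays"].split("/")]
        # Only a hand-off to the local filter port yields a local queue ID;
        # "queued as" from a remote server names that server's queue.
        to_filter = m["relay"].endswith(":%d" % filter_port)
        handoff = QUEUED_AS.search(m["text"]) if to_filter and m["status"] == "sent" else None
        records.append({
            "qid": m["qid"],
            "rcpt": m["rcpt"],
            "delay": float(m["delay"]),
            "slowest_stage": STAGES[parts.index(max(parts))],
            "status": m["status"],
            "next_qid": handoff.group(1) if handoff else None,
        })
    return records


def trace_through_filter(log_text, filter_port=10024):
    """Join each pre-filter queue ID with its post-reinjection queue ID."""
    records = parse_deliveries(log_text, filter_port)
    by_qid = {}
    for rec in records:
        by_qid.setdefault(rec["qid"], []).append(rec)
    traces = []
    for rec in records:
        if rec["next_qid"] is None:
            continue
        finals = [f for f in by_qid.get(rec["next_qid"], []) if f["rcpt"] == rec["rcpt"]]
        final = finals[-1] if finals else None
        traces.append({
            "pre_filter_qid": rec["qid"],
            "post_filter_qid": rec["next_qid"],
            "rcpt": rec["rcpt"],
            "filter_delay": rec["delay"],
            "filter_slowest_stage": rec["slowest_stage"],
            "final_delay": final["delay"] if final else None,
            "final_status": final["status"] if final else "not yet delivered",
        })
    return traces


def not_delivered(log_text, filter_port=10024):
    """Delivery attempts that did not end in status=sent."""
    return [r for r in parse_deliveries(log_text, filter_port) if r["status"] != "sent"]


if __name__ == "__main__":
    for t in trace_through_filter(SAMPLE_LOG):
        print(t)
    for r in not_delivered(SAMPLE_LOG):
        print("stuck:", r["qid"], r["status"], r["slowest_stage"])
```

A large fourth delays= value on the filter hop means the time was spent while the filter held the message, not in the Postfix queue.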
Re: Postfix queue problem?
On second thought,

* Junior Tux junior.pe...@gmail.com:
> qmgr_clog_warn_time = 0

you might want to leave that at the default value to get helpful information.

> smtpd_milters = inet:localhost:10026

This milter could be a problem if it is slow.

> soft_bounce = yes

On a production machine, this will increase the load in most cases (senders retrying instead of giving up).

> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf

If your database is slow or overloaded with connections, this might slow down mail delivery. Postfix logs lookup problems, so you can verify that quite easily.

Cheers
Stefan
Re: SSL_accept error
2009/8/14 Barney Desmond barneydesm...@gmail.com

> 2009/8/14 Ebbe Hjorth ebbe.hjo...@gmail.com:
>> No more hints? :-(
>
> Do you still have a problem? You said, "Ahh, now we are talkin", which sounds like you were successful.
>
> Patrick's docs ( http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html ) are great, but I think they're a little misleading in this case. You don't need to create a full CA, you (probably) just want a self-signed certificate.
>
> Do you need a CA-signed certificate?
> No: most of the time, so just use a self-signed certificate
> Yes: if SMTP clients *require* encryption, *and* will perform verification of the server's certificate for trust. Note that this applies to controlled conditions, like an enterprise; SMTP clients from the internet should not care about verification.
>
> Want to use a self-signed certificate?
>
> 1. Make the key:
>    touch smtpd.key
>    chmod 600 smtpd.key
>    openssl genrsa 1024 > smtpd.key
>
> 2. Make the cert, answering the questions when asked:
>    openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt
>
> 3. Add them to your postfix config as appropriate
>    smtpd_tls_key_file = /etc/postfix/smtpd.pem
>    smtpd_tls_cert_file = /etc/postfix/smtpd.crt

Hi,

I did the above 3 steps, still getting errors - so now I have disabled tls in main and master, and now it is working ;)

Thank you for all your help and inputs, it is very much appreciated!!!

/ Ebbe
Re: postfix original recipient
Gaby L:
> Ok
>
> Postfix logs the orig_to address when the envelope recipient address is replaced (for example with virtual_alias_maps).
>
> The email is sent to do_ch...@de.opel.com (Envelope) but in orig_to is a.verme...@autoglobus2000.ro
>
> Why not appear real delivery address in message? (although it is in orig_to from maillog)

Email is delivered to the envelope recipient address. This address may differ from the recipient address in the header.

For example, this message is sent to postfix-users, but it is delivered to your mailbox (and my mailbox, and the mailbox of a bunch of other people). Listing everyone in the message header would not be desirable.

Postfix can be configured to add an X-Original-To: message header upon final delivery (with local(8), pipe(8) and lmtp(8)).

Wietse

> Can I do original destination to appear in message? If not use virtual tables then appear in message original destination?
>
> This is example email
>
> Return-Path: dragos.do...@gm.com
> X-Original-To: autoglo...@ag2000.ro
> Delivered-To: autoglo...@ag2000.ro
> Received: from localhost (mail.ag2000.ro [127.0.0.1])
>     by mail.ag2000.ro (Postfix) with ESMTP id 68F58818082;
>     Mon, 17 Aug 2009 13:19:41 +0300 (EEST)
> X-Virus-Scanned: amavisd-new at ag2000.ro
> Received: from mail.ag2000.ro ([127.0.0.1])
>     by localhost (mail.ag2000.ro [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id LhINW+bFSHlR; Mon, 17 Aug 2009 13:19:28 +0300 (EEST)
> Received: from plgmler5.imr.gm.com (plgmler5.imr.gm.com [199.228.142.85])
>     by mail.ag2000.ro (Postfix) with ESMTP id 450CE818081;
>     Mon, 17 Aug 2009 13:19:27 +0300 (EEST)
> Received: from plgmlir1.imr.gm.com (plgmlir1-2.imr.gm.com [199.228.142.169])
>     by plgmler5.imr.gm.com (8.14.2/8.13.8) with ESMTP id n7HAJHgr023744;
>     Mon, 17 Aug 2009 05:19:20 -0500
> Received: from plgmlir1.imr.gm.com (localhost [127.0.0.1])
>     by plgmlir1.imr.gm.com (8.14.2/8.12.10) with ESMTP id n7HAJDxX005565;
>     Mon, 17 Aug 2009 05:19:13 -0500
> Received: from DERUEMA16.eur.corp.gm.com ([134.46.236.103])
>     by plgmlir1.imr.gm.com (8.14.2/8.12.10) with ESMTP id n7HAJBwN005525;
>     Mon, 17 Aug 2009 05:19:11 -0500
> X-EDSINT-Source-Ip: 134.46.236.103
> To: do_ch...@de.opel.com
> Subject: Rezultate Aftersales pe H2, la 13.08.2009.
> MIME-Version: 1.0
> X-Mailer: Lotus Notes Release 6.5.4 HF1151 March 27, 2007
> Message-ID: of07650702.057205dd-onc1257615.0036dc19-c1257615.0038b...@de.opel.com
> From: Dragos Dobre dragos.do...@gm.com
> Date: Mon, 17 Aug 2009 12:19:09 +0200
> X-MIMETrack: Serialize by Router on DERUEMA16/M/GMSERVER/GMC at 17.08.2009 12:19:12
> Content-Type: multipart/mixed; boundary==_mixed 0038B094C125761
>
> ----- Original Message -----
> From: Wietse Venema wie...@porcupine.org
> To: Postfix users postfix-users@postfix.org
> Sent: Wednesday, August 19, 2009 5:58 PM
> Subject: Re: postfix original recipient
>
> Gaby L:
> - I want to use virtual_alias_maps but I want to appear original destination address in header. It is possible?
>
> As documented (man 5 virtual), virtual_alias_maps changes the ENVELOPE address not the HEADER address.
>
> Wietse
>
> Thanks
>
> Postfix logs the orig_to address when the envelope recipient address is replaced (for example with virtual_alias_maps).
>
> Gaby L:
> Hi
> I have a problem with multi-destination and hidden address email (generic address is @de.opel.com)
> I use virtual table, amavisd-new. I don't view in header destination address but in maillog it appear in orig_to field (a.verme...@autoglobus2000.ro).
> What insert in mail header orig_to field for filter for other incoming machine?
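The envelope/header distinction explained in the reply above can be read back from a delivered message and from the matching maillog line. This is an added example, not part of the original thread: all addresses, the queue ID and the log line are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed message: the To: header names a generic address, while the
# envelope recipient was an alias that virtual_alias_maps rewrote to a mailbox.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.com>
X-Original-To: alias@example.org
Delivered-To: mailbox@example.org
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id 4F5E6D7C8B;
    Mon, 17 Aug 2009 13:19:27 +0300 (EEST)
To: generic-list@example.net
From: Sender <sender@example.com>
Subject: constructed test message

body
"""

# Constructed log line for the final delivery of the same message.
SAMPLE_LOG_LINE = (
    "Aug 17 13:19:41 mail postfix/local[2041]: 4F5E6D7C8B: "
    "to=<mailbox@example.org>, orig_to=<alias@example.org>, relay=local, "
    "delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)"
)

DELIVERY = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>(?:, orig_to=<(?P<orig>[^>]*)>)?"
)


def addresses(msg, header):
    """All addresses in every occurrence of a header, lower-cased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def recipient_view(raw_message):
    """Separate what the headers claim from what the envelope carried."""
    msg = message_from_string(raw_message)
    header_rcpts = addresses(msg, "To") + addresses(msg, "Cc")
    # Headers are prepended, so the topmost occurrence is the latest delivery.
    original = addresses(msg, "X-Original-To")
    delivered = addresses(msg, "Delivered-To")
    envelope_original = original[0] if original else None
    return {
        "header_recipients": header_rcpts,
        "envelope_original": envelope_original,
        "envelope_final": delivered[0] if delivered else None,
        # False for list mail, Bcc and aliases: the envelope recipient
        # appears nowhere in To:/Cc:.
        "envelope_in_headers": envelope_original in header_rcpts,
    }


def parse_delivery_line(line):
    """Extract to= and orig_to= from a Postfix delivery log line."""
    m = DELIVERY.search(line)
    if not m:
        return None
    rewritten = m.group("orig") is not None
    return {
        "queue_id": m.group("qid"),
        "to": m.group("to").lower(),
        # orig_to is only logged when the recipient address was replaced.
        "orig_to": (m.group("orig") if rewritten else m.group("to")).lower(),
        "rewritten": rewritten,
    }


def matches_log(view, record):
    """True when the delivery headers agree with the logged envelope."""
    return (
        view["envelope_final"] == record["to"]
        and view["envelope_original"] == record["orig_to"]
    )


if __name__ == "__main__":
    view = recipient_view(SAMPLE_MESSAGE)
    record = parse_delivery_line(SAMPLE_LOG_LINE)
    print(view)
    print(record)
    print("headers agree with log:", matches_log(view, record))
```

A downstream filter that needs the address the mail was originally sent to should therefore match on X-Original-To, not on To:.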
Re: Postfix queue problem?
Junior Tux:
> Dear all,
> I have a big problem with the postfix queue. I'm using postfix, amavis, spamassassin. But queue has 5 mails. It's sending very slow. What can I do?
> Thanks.

The first thing you should do is search the logfile for signs of trouble that causes programs to fail.

http://www.postfix.org/DEBUG_README.html#logging

Wietse
Postfix external mail receiving problems
Hello all,

It is my first time configuring postfix and I've learned a lot the past couple of days from the community, thank you.

My problem is in receiving mail, it doesn't have a problem sending out test mails from the Linux command prompt (using: echo test | mail -s testsubject testem...@hotmailorwhereever.com) or from a client like zimbra/ms outlook. It is sending through port 465 as a defense against abuse:

    Aug 20 12:46:25 myserver postfix/smtpd[10086]: connect from ipxx-xxx-xxx-xxx.dc.dc.cox.net[xx.xxx.xxx.xxx]
    Aug 20 12:46:25 myserver postfix/smtpd[10086]: setting up TLS connection from ipxx-xxx-xxx-xxx.dc.dc.cox.net[xx.xxx.xxx.xxx]
    Aug 20 12:46:25 myserver postfix/smtpd[10086]: Anonymous TLS connection established from ipxx-xxx-xxx-xxx.dc.dc.cox.net[xx.xxx.xxx.xxx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    Aug 20 12:46:26 myserver postfix/smtpd[10086]: 85A921E50E: client=ipxx-xxx-xxx-xxx.dc.dc.cox.net[xx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=me
    Aug 20 12:46:26 myserver postfix/cleanup[10092]: 85A921E50E: message-id=.1201250768782000.javamail.mehp-...@mehp-pc
    Aug 20 12:46:26 myserver postfix/qmgr[10077]: 85A921E50E: from=m...@mydomainnamehere.org, size=609, nrcpt=1 (queue active)
    Aug 20 12:46:26 myserver postfix/smtpd[10086]: disconnect from ipxx-xxx-xxx-xxx.dc.dc.cox.net[xx.xxx.xxx.xxx]
    Aug 20 12:46:27 myserver dovecot: pop3-login: Login: user=me, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xx.xxx, TLS
    Aug 20 12:46:28 myserver dovecot: POP3(me): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
    Aug 20 12:46:28 myserver postfix/smtp[10093]: 85A921E50E: to=test...@gmail.com, relay=gmail-smtp-in.l.google.com[209.85.217.5]:25, delay=1.8, delays=0.27/0.01/0.56/0.95, dsn=2.0.0, status=sent (250 2.$
    Aug 20 12:46:28 myserver postfix/qmgr[10077]: 85A921E50E: removed
    Aug 20 12:49:46 myserver postfix/anvil[10089]: statistics: max connection rate 1/60s for (smtps:68.227.203.231) at Aug 20 12:46:25
    Aug 20 12:49:46 myserver postfix/anvil[10089]: statistics: max connection count 1 for (smtps:68.227.203.231) at Aug 20 12:46:25
    Aug 20 12:49:46 myserver postfix/anvil[10089]: statistics: max cache size 1 at Aug 20 12:46:25
    Aug 20 13:00:31 myserver postfix/postfix-script[10162]: warning: /var/spool/postfix/etc/hosts and /etc/hosts differ
    Aug 20 13:00:43 myserver postfix/postfix-script[10304]: warning: /var/spool/postfix/etc/hosts and /etc/hosts differ

So far, the ports are open, except for 25 (verified with tools online):

    nmap mail.mydomainnamehere.org

    Starting Nmap 4.62 ( http://nmap.org ) at 2009-08-20 12:13 BST
    Interesting ports on mydomainnamehere.org (68.xxx.xx.xxx):
    Not shown: 1709 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    111/tcp open  rpcbind
    465/tcp open  smtps
    993/tcp open  imaps
    995/tcp open  pop3s

    Nmap done: 1 IP address (1 host up) scanned in 0.145 seconds

My original understanding was that postfix would send out mail from the server only, but then I discovered that it also receives mail as well to deliver to my server box ...hence the conceptual grouping with the term, mail transfer agent (MTA).

The major problems in the setup include (1 through 2):

#1 Accepting emails from external sources, such as from my gmail account to myserver, as /var/log/mail.log indicates.

    Aug 20 11:33:50 myserver postfix/smtpd[9888]: connect from unknown[67.52.59.170]
    Aug 20 11:33:50 myserver postfix/smtpd[9888]: setting up TLS connection from unknown[67.52.59.170]
    Aug 20 11:34:16 myserver postfix/smtpd[9870]: SSL_accept error from mail-yw0-f193.google.com[209.85.211.193]: -1
    Aug 20 11:34:16 myserver postfix/smtpd[9870]: lost connection after CONNECT from mail-yw0-f193.google.com[209.85.211.193]
    Aug 20 11:34:16 myserver postfix/smtpd[9870]: disconnect from mail-yw0-f193.google.com[209.85.211.193]

Here is my /etc/postfix/master.cf file:

    # Postfix master process configuration file. For details on the format
    # of the file, see the master(5) manual page (command: man 5 master).
    #
    # Do not forget to execute postfix reload after editing this file.
    #
    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    #smtp inet n - - - - smtpd
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_reject_unlisted_sender=yes
    # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    # -o broken_sasl_auth_clients=yes
    #submission inet n - - - - smtpd
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o smtpd_tls_wrappermode=yes
    # -o broken_sasl_auth_clients=yes
    # -o smtpd_reject_unlisted_sender=yes
    # -o
Re: is my server an open relay?
Well,

To determine you are an open relay, there are a couple of things you can do

Google for open relay check
From a remote site send an email from another domain to another domain through your mail server
Check your settings against the manual

HTH

Regards,
Serge Fonville

On Thu, Aug 20, 2009 at 2:54 PM, Israel Garcia igalva...@gmail.com wrote:
> My scenario: I have a lot of postfix servers, each one, use to sent mail directly to internet, so It's difficult to monitor them.
>
> What I want? Put all postfix's of my servers to send all their external mail to an smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay them mail to internet. Remember I have a lot of different servers and domains so I don't know how to configure this smarthost because in some way it's becoming an open relay.
>
> My question: How can I setup a secure smarthost to my network that receive mail ONLY from my servers and relay all mail directly to Internet? Include some configuration if possible.
>
> regards,
> Israel.
Re: Special needs(filter - SASL)
----- Original Message -----
From: Brian Evans - Postfix List grkni...@scent-team.com
To: Postfix users postfix-users@postfix.org
Date: Wed, 19 Aug 2009 14:41:51 -0400
Subject: Re: Special needs(filter - SASL)

> none none wrote:
>> I would like email to be filtered ONLY from user that relays (SASL authed) mail to the outside (not localhost) mailbox. That is, if that same user is sending mail from local machine (no relaying) then filter doesn't kick in.
>>
>> I've looked at postfix man pages and documentation and it is too much hassle about creating other instances of smtp or smtpd etc... and pcre has limited caps for me.
>>
>> I am very skilled when it comes to PHP, so would like to create PHP script that would suck that mail in and spit it out for delivery by postfix.
>>
>> But right now I would be happy even with
>>
>> in /usr/local/etc/postfix/main.cf:
>> header_checks = pcre:/usr/local/etc/postfix/strip_relay_header
>>
>> BUT, that header_checks rule should kick in ONLY for remote SASL authed user when target mailbox is NOT locally hosted (goes out to the internet)
>
> header_checks are applied globally for an instance. There is no way around that fact.
>
> What *is* possible is to use a content_filter or milter instead. See some ideas here:
> http://www.postfix.org/FILTER_README.html
> http://www.postfix.org/MILTER_README.html

I think I will go for before-queue Milter support, SMTP-only - which means it will be applied to incoming mail from the internet (both SASL authed and those from outside senders with target as/for local mailboxes)

I am a little bit puzzled with qmqpd. When does it kick in? I read "only explicitly authorized client hosts are allowed to use the service" and it is in the network category, so was hoping that it would be my ticket to apply filter only to SASL authed users and no one else.

    /etc/postfix/main.cf:
    # Milters for mail that arrives via the smtpd(8) server.
    # See below for socket address syntax.
    smtpd_milters = unix:/path/to/php_daemon/its.sock

This is how I link to my php daemon.

Now tell me, how is the string (which is the mail [its header and body]) PASSED to and RETRIEVED back to postfix? I mean, is it true that the string (which is the mail [its header and body]) goes to its.sock AND after filtering, is returned to postfix, again, via its.sock
Re: is my server an open relay?
Israel Garcia wrote:
> My scenario: I have a lot of postfix servers, each one, use to sent mail directly to internet, so It's difficult to monitor them.
>
> What I want? Put all postfix's of my servers to send all their external mail to an smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay them mail to internet. Remember I have a lot of different servers and domains so I don't know how to configure this smarthost because in some way it's becoming an open relay.
>
> My question: How can I setup a secure smarthost to my network that receive mail ONLY from my servers and relay all mail directly to Internet? Include some configuration if possible.

if you know the IP addresses of your lots of different servers and domains, just use the mynetwork directive [1]

And most important, RTFM [2]

[1] http://www.postfix.org/postconf.5.html#mynetworks
[2] http://www.postfix.org/STANDARD_CONFIGURATION_README.html

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: is my server an open relay?
Israel Garcia wrote:
> Yes, I did it, I put all my servers IPs inside mynetworks at main.cf...BUT I noticed that a user from any server can send mail using any sender and it's a big problem, because any user can send spam inside my network to Internet.. How can I block this user from sending mail with any sender address?
>
> regards,
> Israel.
>
> On Thu, Aug 20, 2009 at 8:07 AM, Udo Rader list...@bestsolution.at wrote:
>> Israel Garcia wrote:
>>> My scenario: I have a lot of postfix servers, each one, use to sent mail directly to internet, so It's difficult to monitor them.
>>>
>>> What I want? Put all postfix's of my servers to send all their external mail to an smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay them mail to internet. Remember I have a lot of different servers and domains so I don't know how to configure this smarthost because in some way it's becoming an open relay.
>>>
>>> My question: How can I setup a secure smarthost to my network that receive mail ONLY from my servers and relay all mail directly to Internet? Include some configuration if possible.
>>
>> if you know the IP addresses of your lots of different servers and domains, just use the mynetwork directive [1]
>>
>> And most important, RTFM [2]
>>
>> [1] http://www.postfix.org/postconf.5.html#mynetworks
>> [2] http://www.postfix.org/STANDARD_CONFIGURATION_README.html

please don't top post and please don't reply off-list.

then, as suggested in http://www.postfix.org/DEBUG_README.html#mail show what postconf -n gives and post log excerpts for the described problem from the affected server.

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: is my server an open relay?
Serge,

I mean I'm an open relay to my servers, because any user from any server can send mail putting any sender..I'm looking a way to block that...

regards, Israel.

On Thu, Aug 20, 2009 at 8:02 AM, Serge Fonville serge.fonvi...@gmail.com wrote:
> Well,
> To determine you are an open relay, there are a couple of things you can do
> Google for open relay check
> From a remote site send an email from another domain to another domain through your mail server
> Check your settings against the manual
> HTH
> Regards,
> Serge Fonville
>
> On Thu, Aug 20, 2009 at 2:54 PM, Israel Garcia igalva...@gmail.com wrote:
>> My scenario: I have a lot of postfix servers, each one used to send mail directly to internet, so it's difficult to monitor them.
>> What I want? Put all postfix's of my servers to send all their external mail to a smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay their mail to internet. Remember I have a lot of different servers and domains so I don't know how to configure this smarthost because in some way it's becoming an open relay.
>> My question: How can I set up a secure smarthost for my network that receives mail ONLY from my servers and relays all mail directly to Internet? Include some configuration if possible.
>> regards,
>> Israel.

--
Regards;
Israel Garcia
Re: is my server an open relay?
My bad, I misunderstood the question, skimmed to the msg to fast ;-) Sorry 'bout that As mentioned read the section on mynetworks Regards, Serge Fonville On Thu, Aug 20, 2009 at 3:23 PM, Israel Garciaigalva...@gmail.com wrote: Serge, I mean I'm an open relay to my servers, becasue any user from any server can send mail putting any sender..I'm looking a way to block that... regards, Israel. On Thu, Aug 20, 2009 at 8:02 AM, Serge Fonvilleserge.fonvi...@gmail.com wrote: Well, To determine you are an opne relay, there are a couple of things you can do Google for open relay check From a remote site send an email from another domain to another domain through your mail server Check your settings agains the manual HTH Regards, Serge Fonville On Thu, Aug 20, 2009 at 2:54 PM, Israel Garciaigalva...@gmail.com wrote: My scenario: I have a lot of postfix servers, each one, use to sent mail directly to internet, so It's difficult to monitor them. What I want? Put all postfix's of my servers to send all their external mail to an smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay them mail to internet. Remember I have a lot of different servers and domains so I don't know how to configure this smarthost becasuse in some way it's becoming an open relay. My question: How can I setup a secure smarthost to my network that receive mail ONLY from my servers and relay all mail directly to Internet? Include some configuration if possible. regards, Israel. -- Regards; Israel Garcia
Re: is my server an open relay?
This is the postconf -n on my smarthost server. server:/etc/postfix# postconf -n append_dot_mydomain = no biff = no config_directory = /etc/postfix inet_interfaces = all mailbox_size_limit = 1024000 mydestination = myhostname = server.domain mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet myorigin = /etc/mailname readme_directory = no relayhost = smtpd_banner = $myhostname ESMTP $mail_name transport_maps = hash:/etc/postfix/transport With this conf, only the IPs from mynetworks relay mail throuhg the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this? regards, israel. On Thu, Aug 20, 2009 at 8:30 AM, Serge Fonvilleserge.fonvi...@gmail.com wrote: My bad, I misunderstood the question, skimmed to the msg to fast ;-) Sorry 'bout that As mentioned read the section on mynetworks Regards, Serge Fonville On Thu, Aug 20, 2009 at 3:23 PM, Israel Garciaigalva...@gmail.com wrote: Serge, I mean I'm an open relay to my servers, becasue any user from any server can send mail putting any sender..I'm looking a way to block that... regards, Israel. On Thu, Aug 20, 2009 at 8:02 AM, Serge Fonvilleserge.fonvi...@gmail.com wrote: Well, To determine you are an opne relay, there are a couple of things you can do Google for open relay check From a remote site send an email from another domain to another domain through your mail server Check your settings agains the manual HTH Regards, Serge Fonville On Thu, Aug 20, 2009 at 2:54 PM, Israel Garciaigalva...@gmail.com wrote: My scenario: I have a lot of postfix servers, each one, use to sent mail directly to internet, so It's difficult to monitor them. What I want? Put all postfix's of my servers to send all their external mail to an smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay them mail to internet. 
Remember I have a lot of different servers and domains so I don't know how to configure this smarthost becasuse in some way it's becoming an open relay. My question: How can I setup a secure smarthost to my network that receive mail ONLY from my servers and relay all mail directly to Internet? Include some configuration if possible. regards, Israel. -- Regards; Israel Garcia -- Regards; Israel Garcia
Re: Distribution lists/SPF with Postfix?
Paul Hutchings wrote: No their SPF config works as they want it. I think perhaps mentioning SPF was a red herring, what I really want to know is how I can have a distribution list in a Postfix Virtual Domain that sends with the envelope (if that's the term) set to something we control and not using the senders domain/email address *whilst still* making it clear at MUA level that the original sender is the sender. Set the envelope sender to something in your domain. Set the From: header, which is what mail clients display, to something in the client's domain. Look at this message as an example; your mail client says it's from me, but the envelope sender is owner-postfix-us...@postfix.org -- Noel Jones
Re: is my server an open relay?
Israel Garcia wrote:
> This is the postconf -n on my smarthost server.
>
> server:/etc/postfix# postconf -n
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> inet_interfaces = all
> mailbox_size_limit = 1024000
> mydestination =
> myhostname = server.domain
> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet
> myorigin = /etc/mailname
> readme_directory = no
> relayhost =
> smtpd_banner = $myhostname ESMTP $mail_name
> transport_maps = hash:/etc/postfix/transport
>
> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

once more: please don't top post. And yet once more: please post log excerpts showing the misbehaviour (a user [...] sending mail from their servers using any server address).

what do you mean by any sender address? An IP address or an email address?

And your problem is probably that you did not define who is allowed to use your server as a relay, read http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

it should be something like:

smtpd_client_restrictions = permit_mynetworks reject

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: Postfix external mail receiving problems
Paul H Park wrote:
> Hello all,
> It is my first time configuring postfix and I've learned a lot the past couple of days from the community, thank you. My problem is in receiving mail, it doesn't have a problem sending out test mails from the Linux command prompt (using: echo test | mail -s testsubject testem...@hotmailorwhereever.com) or from a client like zimbra/ms outlook. It is sending through port 465 as a defense against abuse:
> ...
> So far, the ports are open, except for 25 (verified with tools online):

port 25 must be open to receive external mail.

> Here is my /etc/postfix/master.cf file:
> # ==
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> # ==
> #smtp inet n - - - - smtpd
> # -o smtpd_tls_wrappermode=yes
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_reject_unlisted_sender=yes
> # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> # -o broken_sasl_auth_clients=yes

Uncomment the smtp ... smtpd service in your master.cf. Do NOT use smtpd_tls_wrappermode or any of those other options; they don't belong here.

-- Noel Jones
Re: Xserve running Mac OS X
The Doctor wrote:
> Right I have the following colocated box with the following configuration:
>
> $postconf -n
> mailbox_command = /usr/bin/procmail
> mailbox_transport = cyrus

mailbox_transport takes precedence over mailbox_command.. so procmail is never called by Postfix

> relayhost = $mydomain

Remove this. It may cause mail loops. Its purpose is the default, next-hop destination of mail NOT meant for your machine.

> The DNS are pointing to this box as MX and when I do a local test, no log nor delivery is taking place. What do I need to fix?

Logging is done by your system via syslog calls. Postfix does not log directly. Without logs, we cannot tell what is going on.
Re: Postfix + PLESK + mail filtering
Vytenis Sabaliauskas wrote: This transport should be left intact. I'm looking into making a separate filter which will deliver the message to the Spam folder if it's tagged or pipe it back to postfix to deliver it with plesk_virtual if it's not. Are there any thoughts how to implement this? I'd suggest reviewing http://www.postfix.org/FILTER_README.html
Re: is my server an open relay?
Israel Garcia wrote:
> This is the postconf -n on my smarthost server.
>
> server:/etc/postfix# postconf -n
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> inet_interfaces = all
> mailbox_size_limit = 1024000
> mydestination =
> myhostname = server.domain
> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet
> myorigin = /etc/mailname
> readme_directory = no
> relayhost =
> smtpd_banner = $myhostname ESMTP $mail_name
> transport_maps = hash:/etc/postfix/transport
>
> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

You can prevent relaying by unwanted systems by properly specifying mynetworks.

You can prevent access by unauthenticated users by using SASL on your smarthosts:
http://www.postfix.org/SASL_README.html

Although it's not appropriate for general use, you could prevent users from sending using bogus email addresses by using Sender Address Verification on your own servers:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Terry
Re: Postfix 2.2.9 and MySql 5
Brent Robinson said the following on 20/08/09 16:37:
> Do we need to upgrade or recompile Postfix in order for it to work correctly with MySql 5?

You should, since Postfix uses MySQL libraries and include files.

Ciao, luigi

--
Luigi Rosa
The last time somebody said, I find I can write much better with a word processor., I replied, They used to say the same thing about drugs. --Roy Blount, Jr.
Re: Distribution lists/SPF with Postfix?
On tor 20 aug 2009 11:19:57 CEST, Simon Waters wrote
> I think SPF is broken by design, but if you aren't rewriting the email, then yes mailing list software will do that for you.

spf broken ?, it's broken as much as spam filters using blacklists and not whitelists, seriously if it was whitelist url it will not be easy to just get a new domain that is not blacklisted, but how long will the fun continue ?

back to the op problem is that spf is checking envelope senders so use a maillist software that is not broken to have the envelope on the maillist not as the same as the maillist poster from address, then it's possible to have spf pass to the recipient, just like it's working on plenty of other maillist i am on

-- xpoint
RE: domainkey
At Wed, 19 Aug 2009 10:31:45 -0500, AMP Admin wrote: We have the following setup for dkimproxy but it's only signing with dkim and not domainkey. We would like to do both. Any ideas? Use sender_map.conf ;; -- I'm not sure how to use sender_map.conf. can you give me an example or point me to some documentation on it?
RE: domainkey
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Byung-Hee HWANG Sent: Wednesday, August 19, 2009 7:21 PM To: AMP Admin Cc: postfix-users@postfix.org Subject: Re: domainkey At Wed, 19 Aug 2009 10:31:45 -0500, AMP Admin wrote: We have the following setup for dkimproxy but it's only signing with dkim and not domainkey. We would like to do both. Any ideas? Use sender_map.conf ;; -- Byung-Hee HWANG ∑ WWW: http://izb.knu.ac.kr/~bh/ Never mind! I found it and it's working!
Re: is my server an open relay?
Please stop the top-posting.

On Thursday 20 August 2009 09:09:34 Israel Garcia wrote:
> This is the postconf -n on my smarthost server.
> myhostname = server.domain

Typically myhostname should be a real DNS name, resolvable from outside, and should also be the value of the PTR for the IP address.

> mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet

1. Munging essential information will make it impossible for you to get real help.
2. You're going to have to limit this to hosts that you TRUST. If that's the empty set, unset it: mynetworks =.

> myorigin = /etc/mailname

Be sure to read your Debian README for Debian-specific information.

> transport_maps = hash:/etc/postfix/transport

Why?

> With this conf, only the IPs from mynetworks relay mail through the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this?

Did you know that this default behavior has always existed for mail systems? Did you know that this is a FAQ on this list, I believe already asked once this week?

Is this an actual problem, or a theoretical one? If you have actual abusers (senders using external addresses are probably not real abusers, but that's for you to decide) revoke their access to your network. Political/social problems generally do not have solutions that are technological.

The answer, repeated for you and yet again for the archives, is to require and enforce authentication, and use smtpd_sender_login_maps, listing sender addresses you allow for each SASL AUTH user.

http://www.postfix.org/SASL_README.html
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

You then use reject_authenticated_sender_login_mismatch *before* permit_sasl_authenticated in your smtpd_recipient_restrictions.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
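Whether the sender problem discussed above is actual or theoretical can be read from the smarthost's own log before any enforcement is switched on. The following is an added example, not code from the thread: it pairs each smtpd `client=` line with the qmgr `from=` line of the same queue ID and marks the messages that a sender/login ownership table would refuse. The log excerpt, the table and every host, login and address in it are constructed, and the lookup is simplified to full address, then `@domain`.

```python
"""Dry-run audit of a smarthost log against a sender/login ownership table."""
import re

# Constructed ownership table in the smtpd_sender_login_maps layout:
# key = envelope sender (or @domain), value = SASL login name(s) that own it.
SENDER_LOGIN_MAP = """\
# sender              owning login(s)
noreply@example.com   web1
alerts@example.com    web1, monitor
@example.net          web2
"""

# Constructed log excerpt (hosts, logins, addresses and queue IDs are invented).
SAMPLE_LOG = """\
Aug 20 09:01:02 smarthost postfix/smtpd[2101]: 4A1B2C3D4E: client=web1.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=web1
Aug 20 09:01:02 smarthost postfix/qmgr[1800]: 4A1B2C3D4E: from=<noreply@example.com>, size=1820, nrcpt=1 (queue active)
Aug 20 09:02:10 smarthost postfix/smtpd[2101]: 5B2C3D4E5F: client=web1.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=web1
Aug 20 09:02:10 smarthost postfix/qmgr[1800]: 5B2C3D4E5F: from=<ceo@example.net>, size=2044, nrcpt=40 (queue active)
Aug 20 09:03:30 smarthost postfix/smtpd[2107]: 6C3D4E5F60: client=web2.example.net[192.0.2.20], sasl_method=LOGIN, sasl_username=web2
Aug 20 09:03:30 smarthost postfix/qmgr[1800]: 6C3D4E5F60: from=<Shop@Example.NET>, size=990, nrcpt=1 (queue active)
Aug 20 09:04:45 smarthost postfix/smtpd[2110]: 7D4E5F6071: client=unknown[192.0.2.30]
Aug 20 09:04:45 smarthost postfix/qmgr[1800]: 7D4E5F6071: from=<billing@example.org>, size=1500, nrcpt=1 (queue active)
Aug 20 09:09:45 smarthost postfix/qmgr[1800]: 7D4E5F6071: from=<billing@example.org>, size=1500, nrcpt=1 (queue active)
Aug 20 09:10:00 smarthost postfix/smtpd[2101]: 8E5F607182: client=web1.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=web1
Aug 20 09:10:00 smarthost postfix/qmgr[1800]: 8E5F607182: from=<>, size=3100, nrcpt=1 (queue active)
"""

# smtpd logs the client (and the SASL login, if any) when a message is accepted.
CLIENT_RE = re.compile(
    r"/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=[^\[\s]+\[(?P<ip>[^\]]+)\]"
    r"(?:.*?\bsasl_username=(?P<login>[^,\s]+))?")
# qmgr logs the envelope sender each time the message enters the active queue.
FROM_RE = re.compile(
    r"/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")


def parse_login_map(text):
    """Return {lookup key: set of logins}; comment and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            logins = {name for name in re.split(r"[,\s]+", parts[1]) if name}
            table[parts[0].lower()] = logins
    return table


def owners_for(sender, table):
    """Logins that own this sender: full address first, then its @domain."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    return table.get(sender) or table.get("@" + domain) or set()


def audit(log_text, map_text):
    """Return (queue_id, client_ip, login, sender, verdict) per relayed message."""
    table = parse_login_map(map_text)
    clients, seen, findings = {}, set(), []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = (m["ip"], m["login"])
            seen.discard(m["qid"])          # queue IDs can be reused later on
            continue
        m = FROM_RE.search(line)
        # Skip retries of a message already judged and local (non-SMTP) mail.
        if not m or m["qid"] in seen or m["qid"] not in clients:
            continue
        seen.add(m["qid"])
        ip, login = clients[m["qid"]]
        sender = m["sender"]
        if sender == "":
            verdict = "null-sender"         # bounces are set aside, not judged
        elif login is None:
            verdict = "unauthenticated"     # relayed on network trust alone
        elif login in owners_for(sender, table):
            verdict = "ok"
        else:
            verdict = "mismatch"            # login does not own this sender
        findings.append((m["qid"], ip, login, sender, verdict))
    return findings


if __name__ == "__main__":
    for qid, ip, login, sender, verdict in audit(SAMPLE_LOG, SENDER_LOGIN_MAP):
        if verdict != "ok":
            print(f"{verdict:15} {qid} client={ip} login={login} from=<{sender}>")
```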
RE: domainkey
Ok, new problem.

Sender: i...@example.com
dkim: Does work
Domainkey: Does work

Sender: i...@differentdomain.com
Dkim: Does work
Domainkey: Does NOT work

Our sender map looks like this:

# sign i...@differentdomain.com
i...@differentdomain.com dkim(d=example.com), domainkeys(d=example.com)

# sign example.com mail with both a domainkeys and dkim signature
example.com dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)
mail.example.com dkim(c=relaxed,a=rsa-sha256), domainkeys(c=nofws)
split domain and relaying
I have a domain split on two postfix servers. The secondary (not the default) hosts only a few email accounts so I added them to the transport map:

off...@domainchanged.com dovecot:
o...@domainchanged.com dovecot:
reu...@domainchanged.com dovecot:
...

This works for local delivery and accepts email from the primary server just fine. However, when using this secondary server for relaying to accounts hosted on the primary the delivery fails:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 imail.domainchanged.com ESMTP Postfix (Debian/GNU)
helo kosmosisland.com
250 imail.domainchanged.com
mail from:da...@kosmosisland.com
250 2.1.0 Ok
rcpt to:t...@domainchanged.com
550 5.1.1 t...@domainchanged.com: Recipient address rejected: User unknown in virtual mailbox table

So I added to the transport table at the end:

* smtp:[mail.domainchanged.com]

mail.domainchanged.com is the primary. This did not help. What is the trick?

Regards,
David Koski
da...@kosmosisland.com
RE: Distribution lists/SPF with Postfix?
Thanks for the reply. Can I do this with Postfix and if so, how please? I did read the address-rewriting help but frankly am struggling to find the exact details I need. This is literally the only distribution list that we have on Postfix and it only has a handful of members so I really don't want to have to start looking at listserv software just for that. Paul -Original Message- From: owner-postfix-us...@postfix.org on behalf of Noel Jones Sent: Thu 8/20/2009 3:28 PM To: postfix-users@postfix.org Subject: Re: Distribution lists/SPF with Postfix? Paul Hutchings wrote: No their SPF config works as they want it. I think perhaps mentioning SPF was a red herring, what I really want to know is how I can have a distribution list in a Postfix Virtual Domain that sends with the envelope (if that's the term) set to something we control and not using the senders domain/email address *whilst still* making it clear at MUA level that the original sender is the sender. Set the envelope sender to something in your domain. Set the From: header, which is what mail clients display, to something in the client's domain. Look at this message as an example; your mail client says it's from me, but the envelope sender is owner-postfix-us...@postfix.org -- Noel Jones -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
Re: split domain and relaying
On Thursday, August 20, 2009 at 19:21 CEST, David Koski da...@kosmosisland.com wrote:
> I have a domain split on two postfix servers. The secondary (not the default) hosts only a few email accounts so I added them to the transport map:
>
> off...@domainchanged.com dovecot:
> o...@domainchanged.com dovecot:
> reu...@domainchanged.com dovecot:
> ...
>
> This works for local delivery and accepts email from the primary server just fine. However, when using this secondary server for relaying to accounts hosted on the primary the delivery fails:
>
> # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> 220 imail.domainchanged.com ESMTP Postfix (Debian/GNU)
> helo kosmosisland.com
> 250 imail.domainchanged.com
> mail from:da...@kosmosisland.com
> 250 2.1.0 Ok
> rcpt to:t...@domainchanged.com
> 550 5.1.1 t...@domainchanged.com: Recipient address rejected: User unknown in virtual mailbox table
>
> So I added to the transport table at the end:
>
> * smtp:[mail.domainchanged.com]
>
> mail.domainchanged.com is the primary. This did not help. What is the trick?

The transport table isn't used for recipient address validation. Remove the wildcard entry. You must list all of the domain's valid addresses in the virtual mailbox table.

--
Magnus Bäck
mag...@dsek.lth.se
Re: is my server an open relay?
check your server: http://www.mxtoolbox.com/ are you server open relay? You must use smtp autenticate. 2009/8/20 Israel Garcia igalva...@gmail.com: My scenario: I have a lot of postfix servers, each one, use to sent mail directly to internet, so It's difficult to monitor them. What I want? Put all postfix's of my servers to send all their external mail to an smarthost server in my network. I mean, the smarthost must receive ONLY mail from my servers and relay them mail to internet. Remember I have a lot of different servers and domains so I don't know how to configure this smarthost becasuse in some way it's becoming an open relay. My question: How can I setup a secure smarthost to my network that receive mail ONLY from my servers and relay all mail directly to Internet? Include some configuration if possible. regards, Israel. -- Jose Alberto Pertuz GNU-Linux user #452473 Caracas,Venezuela 58+414+1279657
Re: is my server an open relay?
On Thu, Aug 20, 2009 at 11:32 AM, /dev/rob0r...@gmx.co.uk wrote: Please stop the top-posting. OK, I'm sorry. On Thursday 20 August 2009 09:09:34 Israel Garcia wrote: This is the postconf -n on my smarthost server. myhostname = server.domain DONE! Typically myhostname should be a real DNS name, resolvable from outside, and should also be the valus of the PTR for the IP address. mynetworks = 127.0.0.0/8 xx.xx.xx.xx #-- my.network.subnet 1. Munging essential information will make it impossible for you to get real help. 2. You're going to have to limit this to hosts that you TRUST. If that's the empty set, unset it: mynetworks =. myorigin = /etc/mailname Be sure to read your Debian README for Debian-specific information. transport_maps = hash:/etc/postfix/transport Why? DELETED! With this conf, only the IPs from mynetworks relay mail throuhg the smarthost. BUT, I repeat, users can send mail from their servers using any sender address. How can I block this? Did you know that this default behavior has always existed for mail systems? Did you know that this is a FAQ on this list, I believe already asked once this week? Is this an actual problem, or a theoretical one? If you have actual abusers (senders using external addresses are probably not real abusers, but that's for you to decide) revoke their access to your network. Political/social problems generally do not have solutions that are technological. theoretical. The answer, repeated for you and yet again for the archives, is to require and enforce authentication, and use smtpd_sender_login_maps, listing sender addresses you allow for each SASL AUTH user. http://www.postfix.org/SASL_README.html http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps You then use reject_authenticated_sender_login_mismatch *before* permit_sasl_authenticated in your smtpd_recipient_restrictions. 
> --
> Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header

well, here's my actual postconf -n

append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mailbox_size_limit = 1024000
mydestination =
myhostname = vps198.domain.xxx
mynetworks = 127.0.0.0/8 67.XXX.XX.0/24
myorigin = /etc/mailname
readme_directory = no
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_sender_domain, check_client_access hash:/etc/postfix/access, permit_mynetworks, reject
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_error_sleep_time = 60
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipients, permit_mynetworks, reject
smtpd_restriction_classes = no_spam
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/blackwhitelist
smtpd_soft_error_limit = 60
virtual_alias_maps = hash:/etc/postfix/virtual

Now that I control all mail on this server, what would I add to this configuration in order to improve the quality of my mail service? Thanks.

--
Regards;
Israel Garcia
Re: Distribution lists/SPF with Postfix?
Paul Hutchings wrote: Thanks for the reply. Can I do this with Postfix and if so, how please? Control From: header and envelope sender from whatever software submits the mail to postfix. -- Noel Jones I did read the address-rewriting help but frankly am struggling to find the exact details I need. This is literally the only distribution list that we have on Postfix and it only has a handful of members so I really don't want to have to start looking at listserv software just for that. Paul -Original Message- From: owner-postfix-us...@postfix.org on behalf of Noel Jones Sent: Thu 8/20/2009 3:28 PM To: postfix-users@postfix.org Subject: Re: Distribution lists/SPF with Postfix? Paul Hutchings wrote: No their SPF config works as they want it. I think perhaps mentioning SPF was a red herring, what I really want to know is how I can have a distribution list in a Postfix Virtual Domain that sends with the envelope (if that's the term) set to something we control and not using the senders domain/email address *whilst still* making it clear at MUA level that the original sender is the sender. Set the envelope sender to something in your domain. Set the From: header, which is what mail clients display, to something in the client's domain. Look at this message as an example; your mail client says it's from me, but the envelope sender is owner-postfix-us...@postfix.org -- Noel Jones
Re: Distribution lists/SPF with Postfix?
Paul Hutchings a écrit : We have a basic distribution list setup within postfix under a virtual domain. One of the external parties who wants to sent to it has an SPF record in place so of course in its current configuration the message is being rejected by our SPF, and of course even if we allowed it, it would be rejected by the SPF of the recipients mail servers. At present the message would come directly from sender at theirdomain.com. Is there a way within Postfix to have it originate from distribution list at ourdomain.com on behalf of sender at theirdomain.com or would I need third party listserv software to do this? use a list manager: mailman or sympa, for example.
Re: Distribution lists/SPF with Postfix?
Paul Hutchings escreveu: This is literally the only distribution list that we have on Postfix and it only has a handful of members so I really don't want to have to start looking at listserv software just for that. why not that would be the correct way of handling a distribution list without messing with SPF having a single list or thousands of lists doesnt change the fact that use a list manager is the correct way of doing that. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertru...@solutti.com.br My SPAMTRAP, do not email it
rbl checks, best place
Hello, I'm running postfix, amavisd-new and spamassassin. Currently in my postfix smtpd_recipient_restrictions right at the end last thing i have some rbl checks. I'm wondering if that's the best place for them or should i disable that and activate them in spamassassin? Suggestions welcome. Thanks. Dave.
Re: rbl checks, best place
Hi Dave,

> I'm running postfix, amavisd-new and spamassassin. Currently in my postfix smtpd_recipient_restrictions right at the end last thing i have some rbl checks. I'm wondering if that's the best place for them or should i disable that and activate them in spamassassin? Suggestions welcome.

This is a difficult question. Do you really 100% trust the rbl you are using to have no false positives (some were listing gmail.com recently)? If yes, then you can keep the rbl in postfix, it rejects the email at an earlier stage. If no, you better test rbl in SA, as the rbl test only contributes to the final score. I personally use the second.

Bests,
Olivier
Re: Email server health check?
I am wondering if anyone has advice on where there are any email health checks online. I used to use dnsstuff.com but they have since gone commercial. You have been given links and other suggestions for this that are sound, I would follow those suggestions. It's frustrating to have your users' emails land in Yahoo or Gmail spam folders, but not be able to understand why. DNS checks out fine as far as I can tell (tried out intodns.com and did my own DIGging) and all the rest as far as I am able to check. Checked the big name RBLs and got nothing there, either. At that point, you sound like you are doing ok. Where do people turn to try to get feedback on their outgoing emails? Even a spamassassin score checker would be nice, but alas (and specific issues with Yahoo/Gmail are of course nearly hopeless because those companies could care less about us little people). I have around 10 servers that have had issues with yahoo or hotmail or aol, ranging from ending up in the spam folder, to bounces, to eating the messages silently and not providing any data. I have been able to resolve all cases. Scott, thank you for the following information/experiences. I have done a little bit of that before, but nowhere near as much as you. It's good to hear someone who has made it work for them. Generally, I find Google the most objectionable as both a postmaster and a end user, because they don't provide ANY means of contact that I can tell -- they only provide some Google Groups that are dedicated to certain categories of troubles with their services, but from what I can tell, they just let the people in those groups/forums babble at each other and make wild guesses about various problems and they never chime in or actually help anyone themselves. Maybe they've done interesting things with their interfaces and usability and so forth, but their customer service approach (we don't have any) makes the likes of hotmail seem pleasant to deal with. 
Anyway, I'll take your cue and try to stay upbeat about it! :-) Thanks again! Aol: http://postmaster.aol.com/ Start there, you need to get into their feedback loop, this will alert you any time someone reports your emails as spam. They make it hard by only giving a message id, which I find can be tough to track down on a BCC/CC delivery with a lot of aol.com addresses in it. Apply for their whitelist, follow the feedback loop reports, and act on them, and you will be fine. Email their support system. While it will take 10-20 frustrating emails, that had they just read the first email in full, you will get unblocked. * Different providers like different things, some like DKIM, others SPF, and others something more proprietary, you just have to work with them, and you can get in their good graces. yahoo and hotmail http://help.yahoo.com/l/us/yahoo/mail/postmaster/ http://postmaster.msn.com/ Their general policy is to send to the spam folder, and ask questions later. If they do not do that, and you have a new IP they have never seen, they may accept the message, not deliver it, and not notify anyone about it. It is all about IP history, if you have none, you are considered a bad guy. With both providers, you will need to email their support system. You will fill out a form, asking for attention. They will reply, asking you to fill out the same form again. They will reply, asking for clarification that you already provided in forms 1 and 2. Those will then be replied to asking for specifics that you answered in form 3. This will go on for a while. I generally see it takes 15 emails back and forth to get resolution. At some point, you will get a survey, to rate their performance on the issue. This is when you know they have unblocked you. By filling out the survey, at least with yahoo, that closes the ticket, so unless you have tested you are done, do not fill the survey out until you are sure you are deliverable. 
They may get you to a real human, who asks you to do telnet tests, and other things they should be doing on their end by looking at their logs. Just go through the motions, be polite, or they will drop the email communication and ignore. The email address of ticket-id-x...@silly-big-provider.example.com will expire and you get to start it all over. Many of the questions will ask how you manage your mailing lists, which most of the time for me, are not applicable. Others ask questions about a setup that would not be applicable to an outbound only smtp host for formmail type things. You sort of just have to logically fill in the blanks. The up front forms you are filling out are just a process to get you to a real human who will look into your issues. Be diligent, I have never walked away with emails that could not hit an inbox. I have not ran into this issue with
Significant relay delays
Hi, I have been using an older version of postfix on a relay server for quite a few years now, without any real incident. It accepts mail from one or two other servers and forwards it on to an internal Exchange server on the same network. It handles about 250k messages per day. It's configured with dual instances.

It seems for the last few months there is an increasing delay in delivery times and I can't explain why. I suspect something on the Exchange side because nothing has changed on the postfix server. The administrators of the Exchange box aren't able to provide any ideas either. I'm also pretty sure it's not a network issue. After passing billions of packets there isn't a single error. I'm also pretty sure DNS is configured properly.

I'm seeing occasions where there will be a constant 50 messages in the second instance, and as many as 500 at times. The 500 messages may sit there for a half-hour, and then all of a sudden they are delivered. However, there remains a constant 50 in the queue with status info like conversation timed out while sending end of data -- message may be sent more than once or Error: timeout exceeded (in reply to end of DATA command). The messages may sit in the queue for even a few weeks, and I assume are eventually delivered.

In my mail log, I see info like the following:

Aug 20 01:08:12 bocmailrelay POSTFIX_F/smtp[1186]: C638B1A8008: to=marie l...@example.com, relay=mail.example.com[xxx.yyy.zzz.3], delay=625109, status=deferred (conversation with mail.example.com[xxx.yyy.zzz.3] timed out while sending end of data -- message may be sent more than once)

I'm having difficulty discerning messages entering the second queue (with delay=0, typically) and messages being queued because they couldn't immediately be delivered. Is there an easier way to establish which messages are being queued because they couldn't easily be delivered?
I thought I would try debug_peer_list and increase logging to try and get information on delays from a specific domain, but I'm not sure that is what this variable is used for. Is there another way to increase logging either for a specific domain or for this problem to better troubleshoot it? Thanks, Alex Hayes
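One way to separate first-attempt deliveries from retried and still-deferred mail in logs of the format quoted above, as an added example that is not part of the original post. The sample lines, the 300-second threshold and the function name are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log entry quoted in the post
# (192.0.2.3 is a documentation address, the queue IDs are made up).
SAMPLE_LOG = """\
Aug 20 01:08:10 relay POSTFIX_F/smtp[1180]: A11111A8001: to=<u1@example.com>, relay=mail.example.com[192.0.2.3], delay=0, status=sent (250 2.6.0 Queued mail for delivery)
Aug 20 01:08:12 relay POSTFIX_F/smtp[1186]: C638B1A8008: to=<u2@example.com>, relay=mail.example.com[192.0.2.3], delay=625109, status=deferred (conversation with mail.example.com[192.0.2.3] timed out while sending end of data -- message may be sent more than once)
Aug 20 01:08:15 relay POSTFIX_F/smtp[1190]: D0040B1A800A: to=<u3@example.com>, relay=mail.example.com[192.0.2.3], delay=1843, status=deferred (host mail.example.com[192.0.2.3] said: 451 Error: timeout exceeded (in reply to end of DATA command))
Aug 20 01:08:19 relay POSTFIX_F/smtp[1180]: B22222A8002: to=<u4@example.com>, relay=mail.example.com[192.0.2.3], delay=1810, status=sent (250 2.6.0 Queued mail for delivery)
"""

# Newer Postfix logs extra fields (delays=, dsn=) between delay= and status=;
# the optional group skips them.
LINE = re.compile(
    r"/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<?(?P<rcpt>[^>,]+)>?, "
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), (?:.*?, )?"
    r"status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)

def triage(log_text, retry_threshold=300):
    """Split smtp delivery records into first_attempt, retried and stuck."""
    result = {"first_attempt": [], "retried": [], "stuck": []}
    reasons = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["delay"] = float(rec["delay"])
        if rec["status"] == "sent":
            key = "first_attempt" if rec["delay"] < retry_threshold else "retried"
            result[key].append(rec)
        elif rec["status"] == "deferred":
            result["stuck"].append(rec)
            # Replace host[ip] so identical failures are counted together.
            reasons[re.sub(r"\S+\[[^\]]+\]", "<relay>", rec["reason"])] += 1
    result["stuck"].sort(key=lambda r: r["delay"], reverse=True)
    result["reasons"] = reasons
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for rec in report["stuck"]:
        print(rec["qid"], int(rec["delay"]), rec["reason"][:60])
```
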
Re: Significant relay delays
Hi, This is just a wild guess...

I'm also pretty sure it's not a network issue. After passing billions of packets there isn't a single error. I'm also pretty sure DNS is configured properly.

Have you checked the connection between postfix and the exchange machines? After some years, a cable can get bad, lousy, and the packets would not pass so reliably anymore. After moving a machine/wandering around a rack cabinet, one may have stepped on a cable and disconnected it or damaged it.

Bests, Olivier
Re: rbl checks, best place
On Thursday 20 August 2009 22:56:31 Olivier Nicole wrote:

I'm running postfix, amavisd-new and spamassassin. Currently in my postfix smtpd_recipient_restrictions right at the end last thing I have some rbl checks. I'm wondering if that's the best place for them or should I disable that and activate them in spamassassin? Suggestions welcome.

This is a difficult question.

I disagree. First part I'd pick on is some rbl checks. Know your DNSBL. Read their policies. Subscribe to announce lists if they offer it. Many HOWTOs you might find on the 'net show an assortment of DNSBLs being queried, and beginners quite foolishly copy that assortment without thought. Big mistake! The only DNSBL I would recommend for widespread use is Zen, http://www.spamhaus.org/zen/ . The Caution advised is easily addressed in Postfix by putting restrictions to permit relaying ahead of the reject_rbl_client lookup: precisely as Dave has it.

But do note that there's a risk in using a DNSBL in content inspection.

Do you really 100% trust the rbl you are using to have no false positive (some were listing gmail.com recently)?

1. Again, know your DNSBL.
2. Gmail is not squeaky clean, it's no surprise that they end up in DNSBLs at times. I think this was SORBS. They also get into the automated Spamcop DNSBL. It's not a false positive, because they were listed for actually relaying spam. (Most of the 419's I see tend to come from gmail.)
3. If Zen makes a mistake or gets too aggressive, I guarantee yours will not be the only site blocking mail from that sender. The sending site is going to have to resolve the issue.
4. Quite often the real mail blocked by Zen is XBL. That's typically important as a wake-up call to the administrator of the blocked site; perhaps they have a virus or 37 spewing. (BTDT, myself.)
5. A reject_rbl_client false positive results in the sender getting an immediate bounce. The sender knows the mail was not delivered.
Rejection in a post-queue content_filter requires the difficult choice: do you bounce, and risk getting yourself listed as a backscatter source? Or, do you deliver to quarantine, and risk having real mail lost in the deluge? Or, do you just give it all to our friend Dave Null, and ensure that real mail will be lost sooner or later?

If yes, then you can keep the rbl in postfix, it rejects the email at earlier stage. If no, you better test rbl in SA, as the rbl test only contributes to the final score. I personally use the second.

And that's a misuse of a good RBL. Sure, some of them are more appropriate in scoring. Don't use those with reject_rbl_client. It's also a huge waste of bandwidth and resources. It varies from site-to-site and even from user-to-user, but my rough unscientific estimate is that about 90% of all SMTP traffic is abuse. What is the point in filtering through all that garbage, only to make your mail less safe and reliable than it would have been, if using the DNSBL properly? The choice is clear, to me.

-- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
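The ordering point made in the message above (restrictions that permit relaying placed ahead of the reject_rbl_client lookup) can be checked mechanically; the following is an added example, not configuration or code from any poster in this thread. The two main.cf fragments are constructed, and treating permit_mynetworks and permit_sasl_authenticated as the site's relay permits is an assumption.

```python
import re

# Constructed main.cf fragments; only the restriction order differs.
RBL_FIRST = """\
smtpd_recipient_restrictions =
    reject_rbl_client zen.spamhaus.org,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
PERMITS_FIRST = """\
# relaying clients are permitted before any DNSBL lookup
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org
"""

def get_param(main_cf, name):
    """Return a main.cf parameter value with its continuation lines joined."""
    value, collecting = None, False
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():            # continuation of the previous parameter
            if collecting:
                value += " " + line.strip()
            continue
        key, _, rest = line.partition("=")
        collecting = key.strip() == name
        if collecting:                   # a later definition replaces an earlier one
            value = rest.strip()
    return value

def check_rbl_order(main_cf, permits=("permit_mynetworks", "permit_sasl_authenticated")):
    """Report each reject_rbl_client evaluated before a relay permit (assumed list)."""
    value = get_param(main_cf, "smtpd_recipient_restrictions") or ""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    problems = []
    for i, tok in enumerate(tokens):
        if tok != "reject_rbl_client":
            continue
        zone = tokens[i + 1] if i + 1 < len(tokens) else "?"
        missing = [p for p in permits if p not in tokens[:i]]
        if missing:
            problems.append(f"{zone}: looked up before {', '.join(missing)}")
    return problems

if __name__ == "__main__":
    for label, cf in (("RBL_FIRST", RBL_FIRST), ("PERMITS_FIRST", PERMITS_FIRST)):
        print(label, check_rbl_order(cf) or "ok")
```

A site that does not offer SASL authentication can pass `permits=("permit_mynetworks",)` to avoid a spurious finding.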
Re: rbl checks, best place
This is a difficult question.

I disagree.

Just that because you disagree makes the question not simple :)

2. Gmail is not squeaky clean, it's no surprise that they end up in

Of course, but then it gets people complaining why they cannot receive mails from gmail.

5. A reject_rbl_client false positive results in the sender getting an immediate bounce. The sender knows the mail was not delivered.

Then you are lucky, you are only dealing with educated senders. Regular sender will disregard/delete a bounce message and will simply complain his message was not delivered.

1. Again, know your DNSBL.
3. If Zen makes a mistake or gets too aggressive, I guarantee yours will not be the only site blocking mail from that sender. The sending site is going to have to resolve the issue.

That means you must spend more time on checking that the quality of the RBL you are using is constant.

Olivier
Re: Xserve running Mac OS X
On Thu, Aug 20, 2009 at 10:38:42AM -0400, Brian Evans - Postfix List wrote:

The Doctor wrote: Right I have the following colocated box with the following configuration:

$postconf -n
mailbox_command = /usr/bin/procmail
mailbox_transport = cyrus

mailbox_transport takes precedence over mailbox_command.. so procmail is never called by Postfix

relayhost = $mydomain

Remove this. It may cause mail loops. Its purpose is the default, next-hop destination of mail NOT meant for your machine.

The DNS are pointing to this box as MX and when I do a local test, no log nor delivery is taking place. What do I need to fix?

Logging is done by your system via syslog calls. Postfix does not log directly. Without logs, we cannot tell what is going on.

One moment I got:

tail /var/log/mail.log
Aug 20 21:44:28 Xserve-002436F349EE postfix/postfix-script[57707]: fatal: the Postfix mail system is not running
Aug 20 21:44:31 Xserve-002436F349EE postfix/postfix-script[57710]: fatal: the Postfix mail system is not running
Aug 20 21:44:31 Xserve-002436F349EE postfix/postfix-script[57713]: fatal: the Postfix mail system is not running
Aug 20 21:44:32 Xserve-002436F349EE postfix/postfix-script[57716]: fatal: the Postfix mail system is not running
Aug 20 21:44:34 Xserve-002436F349EE postfix/postfix-script[57718]: fatal: usage: postfix start (or stop, reload, abort, flush, check, set-permissions, upgrade-configuration)
Aug 20 21:44:37 Xserve-002436F349EE postfix/master[57766]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
Aug 20 21:44:47 Xserve-002436F349EE postfix/master[57768]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
Aug 20 21:44:57 Xserve-002436F349EE postfix/master[57779]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable
Aug 20 21:45:07 Xserve-002436F349EE postfix/master[57782]: fatal: open lock file pid/master.pid: unable to set exclusive lock: Resource temporarily unavailable

-- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic! The fool says in his heart, There is no God. They are corrupt, and their ways are vile; there is no one who does good. - Ps 53:1