Re: local_recipient_maps into an ldap

2009-09-03 Thread Nicolas Michel




Victor Duchovni wrote:

  On Thu, Sep 03, 2009 at 01:04:01PM +0200, Nicolas Michel wrote:

  
  
   In that file (ldap-localusers.cf), I set this :

 server_host = zimbra.pcsol.be
 search_base = ou=people,dc=pcsol,dc=be
 query_filter = (&(mail=%s)(accountStatus=active))
 result_atribute = uid
 bind = no

   When I test that configuration with postmap I get no output, nothing. If I
   remove the "bind = no" line, I get an error :

 postmap -q '[1...@pcsol.be' ldap:/etc/postfix/ldap-localusers.cf
 postmap: warning: dict_ldap_connect: Unable to bind to server
 ldap://zimbra.pcsol.be:389 as : 2 (Protocol error)

   Does someone have an idea??

  
  
Try adding:

	version = 3

to the LDAP .cf file.

  

I think we are on the right track. I don't get any error now. But my
postmap command gives me no output.

To summarize, I now have this configuration in my ldap-localusers.cf :

 server_host = zimbra.pcsol.be
 search_base = ou=people,dc=pcsol,dc=be
 query_filter = (&(mail=%s)(zimbraMailStatus=enabled))
 result_atribute = uid
 version = 3

Here is an entry of my ldap server (got with ldapsearch) :

 # info, people, pcsol.be
 dn: uid=info,ou=people,dc=pcsol,dc=be
 zimbraId: 96743ab5-9494-4877-bf69-56a83e268a1f
 zimbraMailStatus: enabled
 mail: i...@pcsol.be
 zimbraMailAlias: i...@pcsol.be
 uid: info
 objectClass: zimbraDistributionList
 objectClass: zimbraMailRecipient
 zimbraMailForwardingAddress: celine.clai...@pcsol.be
 zimbraMailForwardingAddress: didier.lecle...@pcsol.be

So I try typing :

 postmap -q 'info' ldap:/etc/postfix/ldap-localusers.cf

But it gives me no output.

Any idea??

Thx,
nm






Re: Sub-domain Alias Assistance

2009-09-03 Thread /dev/rob0
On Thursday 03 September 2009 21:25:37 Henri Shustak wrote:
> Noel Jones:
> > Addresses listed in alias_maps are expanded during delivery by the
> > local(8) delivery agent.  This is the only postfix process that
> > expands these aliases.  As a result, only local usernames (ie. the
> > user part of any domain listed in $mydestination) are valid in the
> > local alias table.
> > This is for both sendmail(TM) compatibility and for security.

> As such this lookup is not going to involve the part of the email
> after the '@' symbol. If I have misunderstood then please let me

Indeed it is only the LHS, the bare recipient name without @domain.

> I am guessing that in the earlier version of postfix the entire
> email address was being examined and now this is not the case.

Um, no. As Noel said, aliases(5) was originally written for Sendmail
compatibility. As far as I know, local(8) has never looked up
u...@domain in alias_maps. My guess would be that you misunderstood
something.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak

> > Thank you to everyone who provided assistance with regards sub-domain
> > aliases. The mailman mailing lists are working great now!
> >
> > Finally, what are your general thoughts on being able to include
> > non-local addresses in the /etc/aliases file? Before I sign up to the
> > developer mailing list I would like some feedback about this from
> > people who have more experience with the way postfix works.
> >
> > After all, there could be a good reason that this file is only for local
> > mail. If anyone is able to explain why this file is only for dealing
> > with local mail then I would be most interested to know more.
> >
> > You all provided great feedback. The postfix mailman community is very
> > helpful, which is really good for this kind of project.
> >
> > Thank you again!
>
> Before you sign up for the developer mail list, read its purpose on
> the http://www.postfix.org/lists.html page.
>
> "NOT for questions, problem reports and feature requests;"
>
> Addresses listed in alias_maps are expanded during delivery by the
> local(8) delivery agent.  This is the only postfix process that
> expands these aliases.  As a result, only local usernames (ie. the
> user part of any domain listed in $mydestination) are valid in the
> local alias table.
>
> This is for both sendmail(TM) compatibility and for security.
>
> If you need to rewrite arbitrary addresses, use the
> virtual_alias_maps feature.
>
> These design features are not likely to change.
>
> For further details, see
> http://www.postfix.org/aliases.5.html
> http://www.postfix.org/local.8.html
> http://www.postfix.org/OVERVIEW.html
> and the list archives.

Okay thank you. This is all great information.

I understand now from reading the man page for local that this is only
for local queues :
This line states this perfectly : "All delivery decisions are made
using the bare recipient name"

As such this lookup is not going to involve the part of the email
after the '@' symbol. If I have misunderstood then please let me know.

I am guessing that in the earlier version of postfix the entire email
address was being examined and now this is not the case.

Thank you again for your help and clarification with regards the local
command and its relevance to the /etc/aliases (.db file).





Re: Sub-domain Alias Assistance

2009-09-03 Thread Noel Jones

On 9/3/2009 6:28 PM, Henri Shustak wrote:

> Thank you to everyone who provided assistance with regards sub-domain
> aliases. The mailman mailing lists are working great now!
>
> Finally, what are your general thoughts on being able to include
> non-local addresses in the /etc/aliases file? Before I sign up to the
> developer mailing list I would like some feedback about this from
> people who have more experience with the way postfix works.
>
> After all, there could be a good reason that this file is only for local
> mail. If anyone is able to explain why this file is only for dealing
> with local mail then I would be most interested to know more.
>
> You all provided great feedback. The postfix mailman community is very
> helpful, which is really good for this kind of project.
>
> Thank you again!




Before you sign up for the developer mail list, read its 
purpose on the http://www.postfix.org/lists.html page.

"NOT for questions, problem reports and feature requests;"

Addresses listed in alias_maps are expanded during delivery by 
the local(8) delivery agent.  This is the only postfix process 
that expands these aliases.  As a result, only local usernames 
(ie. the user part of any domain listed in $mydestination) are 
valid in the local alias table.

This is for both sendmail(TM) compatibility and for security.

If you need to rewrite arbitrary addresses, use the 
virtual_alias_maps feature.


These design features are not likely to change.

For further details, see
http://www.postfix.org/aliases.5.html
http://www.postfix.org/local.8.html
http://www.postfix.org/OVERVIEW.html
and the list archives.

  -- Noel Jones


Re: Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak
Thank you to everyone who provided assistance with regards sub-domain
aliases. The mailman mailing lists are working great now!

Finally, what are your general thoughts on being able to include
non-local addresses in the /etc/aliases file? Before I sign up to the
developer mailing list I would like some feedback about this from
people who have more experience with the way postfix works.

After all, there could be a good reason that this file is only for
local mail. If anyone is able to explain why this file is only for
dealing with local mail then I would be most interested to know more.

You all provided great feedback. The postfix mailman community is
very helpful, which is really good for this kind of project.


Thank you again!



Re: Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak



and this is how mailman does it with virtual alias, so to clear up
the mess, make sure there is no mydestination domains that are  
maillists, if there is move them to virtual_domains and if still  
needed map them to be delivered local


Yes - thanks to post by Vicktor, this is what I will be doing.


using mailman here, and i have lists.junc.info as mydestination just  
to confuse it even more, well this is how i did, but if you want  
more then one mailman domain then mailman can handle the  
virtual_domain as well as virtual_alias


and the virtual_alias maps back to local alias, this is needed as  
long virtual_alias does not support pipe "


Okay thanks good to know.


Re: Sub-domain Alias Assistance

2009-09-03 Thread Benny Pedersen

On Thu 03 Sep 2009 11:21:35 PM CEST, Henri Shustak wrote

and this is how mailman does it with virtual alias, so to clear up
the mess, make sure there is no mydestination domains that are  
maillists, if there is move them to virtual_domains and if still  
needed map them to be delivered local

Yes - thanks to post by Vicktor, this is what I will be doing.


using mailman here, and i have lists.junc.info as mydestination just  
to confuse it even more, well this is how i did, but if you want more  
then one mailman domain then mailman can handle the virtual_domain as  
well as virtual_alias


and the virtual_alias maps back to local alias, this is needed as long  
virtual_alias does not support pipe "|"


--
xpoint



RE: assistance with Helo Reject

2009-09-03 Thread Jack
> -Original Message-
> From: Gerard [mailto:postfix.u...@yahoo.com]
> Sent: Thursday, September 03, 2009 5:17 PM
> To: Jack
> Subject: Re: assistance with Helo Reject
> 
> On Thu, 3 Sep 2009 16:55:29 -0400
> "Jack"  wrote:
> 
> > I have the following settings in my postfix config:
> >
> > smtpd_helo_required = yes
> >
> > smtpd_recipient_restrictions =
> >
> > reject_invalid_helo_hostname,
> >
> > check_helo_access hash:/etc/postfix/helo_access,
> >
> > reject_invalid_helo_hostname,
> >
> > reject_non_fqdn_helo_hostname,
> >
> > Now either I'm being to strict with the above and possibly causing
> > some rejects or exchange boxes are not helping keep things simple.
> >
> > The below is the logging from one of the rejects, I see the non_fqdn
> > is at play here, but should I not be using that in my setting or
> > should the sender update their helo string??
> >
> > Sep  3 09:01:29 pluto postfix/smtpd[20653]: NOQUEUE: filter: RCPT from
> > mail3.hbo.com[64.236.235.240]: : Recipient address
> > triggers FILTER filter:dummy; from=
> > to= proto=ESMTP helo=
> >
> > Sep  3 09:01:29 pluto postfix/smtpd[20653]: NOQUEUE: reject: RCPT from
> > mail3.hbo.com[64.236.235.240]: 450 4.7.1 : Recipient
> > address rejected: SPF-Result=nymail1.homebox.com: 'SERVFAIL' error on
> > DNS 'SPF' lookup of 'nymail1.homebox.com'; from=
> > to= proto=ESMTP helo=
> >
> > Sep  3 09:01:29 pluto postfix/smtpd[20653]: disconnect from
> > mail3.hbo.com[64.236.235.240]
> 
> Please post the output of: "postconf -n"
> 
> Also. please do not post in HTML format. You appear to be using GMail.
> GMail has a plain text mailing option.
> 
> 
> --
> Gerard
> postfix.u...@yahoo.com
> 

alias_maps = hash:/etc/postfix/aliases
biff = no
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 21200
bounce_queue_lifetime = 1d
bounce_size_limit = 2048
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 24h
deliver_lock_attempts = 10
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 4000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 5d
message_size_limit = 2400
mydestination = $myhostname, localhost.$mydomain, $mydomain
myhostname = mail.net
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = /etc/postfix/backup_domains
relay_recipient_maps = hash:/etc/postfix/backup_domains_recipients,
    hash:/etc/postfix/transport_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_delay_reject = yes
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_junk_command_limit = 3
smtpd_recipient_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    check_policy_service unix:private/policy,
    check_sender_access hash:/etc/postfix/client_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/freemail_access,
    check_recipient_mx_access hash:/etc/postfix/mx_access,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client b.barracudacentral.org,
    check_recipient_access hash:/etc/postfix/filtered_domains
smtpd_restriction_classes = from_freemail_host
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
soft_bounce = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport,
    hash:/etc/postfix/transport_bounce
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550




Re: Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak


and this is how mailman does it with virtual alias, so to clear up  
the mess, make sure there is no mydestination domains that are  
maillists, if there is move them to virtual_domains and if still  
needed map them to be delivered local


Yes - thanks to post by Vicktor, this is what I will be doing.

Thanks.



Re: Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak



> > I have one further question in this case. Please correct me if I have
> > misunderstood the setup you described.
> >
> > My question with this setup is : How do I stop delivery to the primary
> > domain?
>
> Two possible solutions:
>
> 1. List only one of the domains in $mydestination. Only addresses in
>    local (mydestination) domains are passed to the local(8) delivery
>    agent and subjected to aliases(5) expansion.
>
> 2. Use a virtual(5) alias to implement the list:
>
>     virtual(5)
>         f...@example.com    foo-inter...@localhost
>
>     aliases(5)
>         foo-internal:   "|/path args"
>
>    Optional, block direct mail to "foo-internal":
>
>     access(5)
>         # For each domain in $mydestination:
>         foo-inter...@example.com    REJECT Access denied
>         foo-inter...@example.net    REJECT Access denied



Thanks Viktor,

Option two is a possibility. However, it seems overly complex. In this
situation there are now three database files to be updated, rather
than just one. If this is the recommended way I will do it this way.
It is just far more complicated than what I was doing. Is there any
reason (sorry I am not a postfix developer) that it is now not
possible to specify a non-local domain in the /etc/alias file? Being
able to do this was really a good way of dealing with the situation in
the previous version. Just one database to update for list removal or
addition?

At this point, I will update the three files if that is the
recommended way of doing this. I just think the way it used to work
was far less complex.

I see that option one is also possible with some major
rearrangement of the postfix configuration. However, doing this
rearrangement means that then running a mailing list on a different
domain in the future on this server becomes quite complex again.

Option one should work. I will try option two at this point. If anyone
has any other ways of doing this then please let me know.

Being able to add in something like mailinglistn...@example.com to
the /etc/alias file is a good idea. I am happy to contribute back to
the postfix project to make this work if others think this is a good
idea, provided doing this would not be overly complicated. I really
liked the ability to do this in the older version of postfix. It was
very nice being able to just set this from a single file in the
/etc/alias/ file. However, I suppose this is a topic for the developer
mailing list.

Thanks again for your suggestions, Viktor. With your assistance I will
be able to get it working in the very near future! Right now I am very
keen to actually get it working ASAP.

I am then happy to spend some time to work it out in a better way even
if this means a re-organization.

Again, if anyone has some other suggestions I am listening. Thank you
again to everyone who has provided me with some feedback to date!







Re: assistance with Helo Reject

2009-09-03 Thread Noel Jones

On 9/3/2009 3:55 PM, Jack wrote:

> Hello Everyone,
>
> I have the following settings in my postfix config:
>
> smtpd_helo_required = yes
>
> smtpd_recipient_restrictions =
>     reject_invalid_helo_hostname,
>     check_helo_access hash:/etc/postfix/helo_access,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,

No reason to have reject_invalid_helo_hostname listed twice...

> Now either I'm being too strict with the above and possibly causing some
> rejects or exchange boxes are not helping keep things simple.
>
> The below is the logging from one of the rejects, I see the non_fqdn is
> at play here, but should I not be using that in my setting or should the
> sender update their helo string??

I don't see anything like that.  Did you post the wrong log
snippet?

> Sep 3 09:01:29 pluto postfix/smtpd[20653]: NOQUEUE: filter: RCPT from
> mail3.hbo.com[64.236.235.240]: : Recipient address
> triggers FILTER filter:dummy; from=
> to= proto=ESMTP helo=

... a check_recipient_access map with a FILTER result.

> Sep 3 09:01:29 pluto postfix/smtpd[20653]: NOQUEUE: reject: RCPT from
> mail3.hbo.com[64.236.235.240]: 450 4.7.1 : Recipient
> address rejected: SPF-Result=nymail1.homebox.com: 'SERVFAIL' error on
> DNS 'SPF' lookup of 'nymail1.homebox.com'; from=
> to= proto=ESMTP helo=

an SPF failure, caused by a temporary DNS error.  I assume
this is some SPF policy service.

Postfix doesn't complain about the helo anywhere here, and
nothing obviously wrong with the helo the client used.



  -- Noel Jones
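
Added example (not part of the thread and not Postfix code): one way to check from the smtpd log which kind of check produced each NOQUEUE event, which is how the reply above concludes that HELO was not involved. Postfix words a HELO-based reject as "Helo command rejected" and a recipient-stage reject as "Recipient address rejected". The log lines below are constructed, with placeholder hosts and addresses, and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the excerpts in this thread. Hosts and
# addresses are documentation placeholders, not values from the original log.
SAMPLE_LOG = """\
Sep  3 09:01:29 mx postfix/smtpd[20653]: NOQUEUE: filter: RCPT from mail.example.net[192.0.2.10]: <user@example.org>: Recipient address triggers FILTER filter:dummy; from=<sender@example.net> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Sep  3 09:01:29 mx postfix/smtpd[20653]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.7.1 <user@example.org>: Recipient address rejected: SPF-Result=example.net: 'SERVFAIL' error on DNS 'SPF' lookup of 'example.net'; from=<sender@example.net> to=<user@example.org> proto=ESMTP helo=<mail.example.net>
Sep  3 09:02:10 mx postfix/smtpd[20660]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 504 5.5.2 <winbox>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<user@example.org> proto=SMTP helo=<winbox>
Sep  3 09:02:11 mx postfix/smtpd[20660]: disconnect from unknown[192.0.2.77]
"""

# action  = reject / filter / ...
# stage   = SMTP command being processed when the decision was logged (RCPT)
# checked = what the deciding check looked at ("Helo command", "Recipient address", ...)
EVENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>\w+): (?P<stage>[A-Z]+) from "
    r"(?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?:(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) )?"
    r"<(?P<subject>[^>]*)>: "
    r"(?P<checked>[A-Z][a-z]+ [a-z]+) (?:rejected:|triggers) "
    r"(?P<detail>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def parse_events(log_text):
    """Return one dict per NOQUEUE event; other smtpd lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def helo_rejects(events):
    """Rejects that were decided on the HELO name, whatever stage logged them."""
    return [e for e in events
            if e["action"] == "reject" and e["checked"] == "Helo command"]


def is_temporary(event):
    """4xx replies are temporary: the sending server is expected to retry."""
    return event["code"] is not None and event["code"].startswith("4")


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev["action"], ev["code"], ev["checked"], "|", ev["detail"])
```

Both HELO checks and recipient checks are logged at the RCPT stage when they sit in smtpd_recipient_restrictions, so it is the "checked" wording, not the stage, that tells them apart.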



Re: Sub-domain Alias Assistance

2009-09-03 Thread Benny Pedersen

On Thu 03 Sep 2009 09:46:42 PM CEST, Henri Shustak wrote


Okay thank you this makes sense.

I have one further question in this case. Please correct me if I
have misunderstood the setup you described.

My question with this setup is : How do I stop delivery to the  
primary domain?


the virtual_alias is the only one that can be written to from outside localhost

the local alias can't be written to from outside

and this is how mailman does it with virtual alias, so to clear up the  
mess, make sure there is no mydestination domains that are maillists,  
if there is move them to virtual_domains and if still needed map them  
to be delivered local


--
xpoint



assistance with Helo Reject

2009-09-03 Thread Jack
Hello Everyone,

I have the following settings in my postfix config:

smtpd_helo_required = yes

smtpd_recipient_restrictions =
    reject_invalid_helo_hostname,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,

Now either I'm being too strict with the above and possibly causing some
rejects or exchange boxes are not helping keep things simple.

The below is the logging from one of the rejects, I see the non_fqdn is at
play here, but should I not be using that in my setting or should the sender
update their helo string??

Sep  3 09:01:29 pluto postfix/smtpd[20653]: NOQUEUE: filter: RCPT from
mail3.hbo.com[64.236.235.240]: : Recipient address triggers
FILTER filter:dummy; from= to=
proto=ESMTP helo=

Sep  3 09:01:29 pluto postfix/smtpd[20653]: NOQUEUE: reject: RCPT from
mail3.hbo.com[64.236.235.240]: 450 4.7.1 : Recipient address
rejected: SPF-Result=nymail1.homebox.com: 'SERVFAIL' error on DNS 'SPF'
lookup of 'nymail1.homebox.com'; from= to=
proto=ESMTP helo=

Sep  3 09:01:29 pluto postfix/smtpd[20653]: disconnect from
mail3.hbo.com[64.236.235.240]

Thanks!!!

Jack



Re: Sub-domain Alias Assistance

2009-09-03 Thread Victor Duchovni
On Fri, Sep 04, 2009 at 07:46:42AM +1200, Henri Shustak wrote:

> I have one further question in this case. Please correct me if I have 
> misunderstood the setup you described.
>
> My question with this setup is : How do I stop delivery to the primary 
> domain?

Two possible solutions:

1. List only one of the domains in $mydestination. Only addresses in
   local (mydestination) domains are passed to the local(8) delivery
   agent and subjected to aliases(5) expansion.

2. Use a virtual(5) alias to implement the list:

    virtual(5)
        f...@example.com    foo-inter...@localhost

    aliases(5)
        foo-internal:   "|/path args"

   Optional, block direct mail to "foo-internal":

    access(5)
        # For each domain in $mydestination:
        foo-inter...@example.com    REJECT Access denied
        foo-inter...@example.net    REJECT Access denied

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak


> > maillistn...@domain.com:  "|/var/lib/mailman/mail/mailman post maillistname"
>
> f...@bar.tld: "|/path"
>
> is not local in postalias
>
> foo: "|/path"
>
> is
>
> to solve setup mailman to use postfix virtual_alias_domains
>
> this is explained in mailman docs
>
> --
> xpoint



Okay thank you this makes sense.

I have one further question in this case. Please correct me if I have
misunderstood the setup you described.

My question with this setup is : How do I stop delivery to the primary
domain?

Clarification of question :
---

If I had a mailing list called foo-maill...@sub-domain.com which I had
redirected to local account foo-maillist, how would I then stop
delivery to the foo-maill...@domain.com?

As I understand it, adding the foo-maillist to the /etc/alias would
essentially mean that there would be an email account for this mailing
list at both the sub-domain and also at the primary domain. How do I
avoid adding the foo-maillist into the /etc/alias to stop this from
happening? Essentially, I would like to have foo-maill...@sub-domain.com
and not have foo-maill...@domain.com. In the past I had
specified the full domain in the alias file and it was working.

I am guessing that I misunderstood the way to do this in the past and
botched up the configuration. However, everything worked when I tested
this previous configuration. However, now when I run post-alias this
warning is reported. Is this warning fatal? Will postfix still work
correctly? I would like to set this up in a way that makes sense. I am
still learning what the recommended way of doing this with postfix is;
I thought I had worked it out.

Any further clarification would be warmly welcomed. I have tried
creating a file called /etc/postfix/virtual/aliases and then added the
virtual alias information to this file. The mail server is set up with
the other files /etc/postfix/virtual/domains and
/etc/postfix/virtual/addresses as I have configured the mail server to
run other virtual domains.

If there is a way of setting up the mailing list on the sub-domain and
not on the primary domain that would be great. However, as far as I
can tell this is not possible with the virtual alias domains as it
must deliver to a local address. Please let me know if I have
misunderstood the postfix documentation or your recommendations.

The only way I had worked out of stopping the local delivery was to
specify the full address in the /etc/alias file, which worked in the
past.

Is there some way to only have the address foo-maill...@sub-domain.com
and not have the foo-maill...@domain.com?

Thank you again for your assistance. Much appreciated.


> virtual_alias_maps: (note that this is postmap'd not postalias'd, so
> there's no colons)
>
> listn...@example.com   listname
> listname-ad...@example.com listname-admin
> etc..
>
> Then in /etc/aliases:
>
> listname: "|/var/lib/mailman/mail/mailman post listname"
> listname-admin: "|/var/lib/mailman/mail/mailman admin listname"



Thank you for this reply as well. However, I think this has exactly  
the problem I am attempting to work around. I would like to not have  
the mailing list on the local domain only on the virtual domain.


If I have misunderstood please correct me.

Thank you again.




Re: Postfix Alias issue, need some help.

2009-09-03 Thread Noel Jones

On 9/3/2009 3:55 AM, vince_ wrote:


> Hi !
>
> I have a problem with the postfix Alias. I manage very long lists of e-mail
> addresses through the alias system and sometimes some of the e-mail addresses
> are invalid.
>
> When I send a mail to an alias, if one of the addresses is not correct, no
> mail is sent even to the valid addresses.
>
> Is there a way to fix that ? I would like postfix to send mails to all
> the valid addresses of the alias and just send me alerts if some of the
> addresses are not valid.
>
> thank you very much !
>
> Vincent.





This is not a typical response to an alias that includes an 
invalid recipient.


Please share more details of how your system is configured, 
including "postconf -n", and the errors logged by postfix.



  -- Noel Jones


Re: before-queue proxy filter and SMTP dot stuffing sanitation

2009-09-03 Thread Wietse Venema
Mark Martinec:
> So far I lived under impression that smtpd service does some
> basic sanitation, de-pipelining etc to a SMTP session,
> before passing data to a smtpd_proxy_filter content filter.
> 
> Apparently dot-stuffing sanitation is not performed,
> as (invalid) lines with a single leading dot can still reach
> a proxy content filter (which yields a warning in the log
> in case of amavisd).
> 
> Is this expected behaviour and I should turn off the warnings?

That's sanitation without modification.

By design, Postfix tries to pass unmodified SMTP commands to the
before-filter proxy (necessary exceptions are the EHLO, SASL and
TLS handshakes).

Wietse


Re: before-queue proxy filter and SMTP dot stuffing sanitation

2009-09-03 Thread Victor Duchovni
On Thu, Sep 03, 2009 at 04:37:26PM +0200, Mark Martinec wrote:

> So far I lived under impression that smtpd service does some
> basic sanitation, de-pipelining etc to a SMTP session,
> before passing data to a smtpd_proxy_filter content filter.

Valid SMTP in, valid SMTP out.
Garbage-in (overly long lines, single leading ".", ...), garbage out.

> Apparently dot-stuffing sanitation is not performed,
> as (invalid) lines with a single leading dot can still reach
> a proxy content filter (which yields a warning in the log
> in case of amavisd).

Yes,

src/smtpd/smtpd.c:data_cmd():

    if (prev_rec_type != REC_TYPE_CONT && *start == '.'
        && (state->proxy == 0 ? (++start, --len) == 0 : len == 1))
        break;

Skipping the leading "." only happens with no proxy. With a proxy, the
verbatim SMTP stream is copied to the proxy... Only the message size
limit is enforced, the rest is up to the proxy.

-- 
Viktor.
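
Added example (not code from Postfix, amavisd or this thread): since the proxy receives the DATA stream verbatim, the filter has to un-stuff leading dots itself, find the lone-dot terminator, and decide what to do with a line that starts with a single dot. `DataDecoder`, `decode_stream` and the sample stream are hypothetical and constructed for illustration; the 998-octet text limit is the RFC 5321 line limit of 1000 octets minus the CRLF.

```python
MAX_TEXT_LINE = 998  # RFC 5321: 1000 octets per text line including CRLF

# Constructed DATA payload as it appears on the wire, followed by the next command.
CONSTRUCTED_STREAM = (
    b"Subject: test\r\n"
    b"\r\n"
    b"..stuffed by the client\r\n"    # correctly stuffed: content starts with "."
    b".single dot on the wire\r\n"    # malformed: a lone leading dot plus text
    b"plain\r\n"
    b".\r\n"                          # end of data
    b"QUIT\r\n"
)


class DataDecoder:
    """Incremental decoder for the body of an SMTP DATA command."""

    def __init__(self):
        self._buf = b""
        self.lines = []       # message lines after dot-unstuffing, CRLF removed
        self.anomalies = []   # (line number, kind, offending bytes)
        self.done = False     # True once the lone "." terminator was seen
        self.trailing = b""   # bytes after the terminator (next SMTP command)

    def feed(self, chunk):
        """Consume one network read; return True once end-of-data was seen."""
        if self.done:
            self.trailing += chunk
            return True
        self._buf += chunk
        while not self.done:
            raw, sep, rest = self._buf.partition(b"\r\n")
            if not sep:
                break                  # incomplete line: wait for more bytes
            self._buf = rest
            self._wire_line(raw)
        if self.done:
            self.trailing, self._buf = self._buf, b""
        return self.done

    def _wire_line(self, raw):
        if raw == b".":
            self.done = True
            return
        number = len(self.lines) + 1
        text = raw
        if raw.startswith(b"."):
            if not raw.startswith(b".."):
                # A compliant client doubles every leading dot, so ".x" on the
                # wire is the malformed input discussed in this thread.
                self.anomalies.append((number, "single-leading-dot", raw))
            text = raw[1:]             # RFC 5321 4.5.2: drop the first dot
        if len(text) > MAX_TEXT_LINE:
            self.anomalies.append((number, "overlong-line", text[:40]))
        self.lines.append(text)


def decode_stream(stream, chunk_size=7):
    """Feed `stream` in small chunks, the way a socket would deliver it."""
    decoder = DataDecoder()
    for i in range(0, len(stream), chunk_size):
        decoder.feed(stream[i:i + chunk_size])
    return decoder


if __name__ == "__main__":
    result = decode_stream(CONSTRUCTED_STREAM)
    print(result.lines)
    print(result.anomalies)
    print(result.trailing)
```

Whether an anomaly is only logged, as amavisd does, or causes the message to be refused is a policy choice for the filter.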



before-queue proxy filter and SMTP dot stuffing sanitation

2009-09-03 Thread Mark Martinec
So far I lived under impression that smtpd service does some
basic sanitation, de-pipelining etc to a SMTP session,
before passing data to a smtpd_proxy_filter content filter.

Apparently dot-stuffing sanitation is not performed,
as (invalid) lines with a single leading dot can still reach
a proxy content filter (which yields a warning in the log
in case of amavisd).

Is this expected behaviour and I should turn off the warnings?

  Mark


Re: local_recipient_maps into an ldap

2009-09-03 Thread Victor Duchovni
On Thu, Sep 03, 2009 at 01:04:01PM +0200, Nicolas Michel wrote:

>In that file (ldap-localusers.cf), I set this :
> 
>  server_host = zimbra.pcsol.be
>  search_base = ou=people,dc=pcsol,dc=be
>  query_filter = (&(mail=%s)(accountStatus=active))
>  result_atribute = uid
>  bind = no
> 
>When I test that configuration with postmap I get no output, nothing. If I
>remove the "bind = no" line, I get an error :
> 
>  postmap -q '[1...@pcsol.be' ldap:/etc/postfix/ldap-localusers.cf
>  postmap: warning: dict_ldap_connect: Unable to bind to server
>  ldap://zimbra.pcsol.be:389 as : 2 (Protocol error)
> 
>Does someone have an idea??

Try adding:

version = 3

to the LDAP .cf file.

-- 
Viktor.



Re: sasl realm

2009-09-03 Thread Steve Heaven

We found the problem, it seems that saslauthd has an option -r

 -r  Combine the realm with the login (with an '@' sign in between).
 e.g.  login: "foo" realm: "bar" will get passed as login:
 "f...@bar".

This seems to have been the default with the previous distro

  
-- 
thorNET 
Internet Services, Consultancy & Training
www.thornet.co.uk



Re: Sub-domain Alias Assistance

2009-09-03 Thread Benny Pedersen

On Thu 03 Sep 2009 11:27:01 AM CEST, Henri Shustak wrote

maillistn...@domain.com:   
"|/var/lib/mailman/mail/mailman post maillistname"


f...@bar.tld: "|/path"

is not local in postalias

foo: "|/path"

is

to solve setup mailman to use postfix virtual_alias_domains

this is explained in mailman docs

--
xpoint



Re: cannot find your hostname

2009-09-03 Thread Benny Pedersen

On Thu 03 Sep 2009 04:40:51 AM CEST, Scott Haneda wrote

How exactly does one get to that man page?


man man

man 5 postconf

--
xpoint



Re: local_recipient_maps into an ldap

2009-09-03 Thread Nicolas Michel




Olivier Nicole wrote:

> Nicolas,
>
> > server_host = zimbra.pcsol.be
>
> Are you sure your server is running on port 389? Would you run TLS?
>
> From your Postfix machine, can you access the LDAP server on zimbra
> machine (no firewall)?
>
> I would try ldapsearch command on the postfix machine to make sure
> that all the parameters in ldap-localusers.cf are valid.
>
> I think you need to bind in any case, if you do not configure a
> bind_dn and a bind_pw, it will make an anonymous bind, but I think you
> have to bind to your LDAP server before you can make a query.
>
> If you bind anonymously, you must make sure that the attributes you
> are searching for are readable.
>
> Best regards,
>
> Olivier
  

I can read my ldap with ldapsearch :
ldapsearch -x -b "ou=people,dc=pcsol,dc=be" -H
"ldap://zimbra.pcsol.be"


Here is a sample of the output :
# info, people, pcsol.be
dn: uid=info,ou=people,dc=pcsol,dc=be
zimbraId: 96743ab5-9494-4877-bf69-56a83e268a1f
zimbraMailStatus: enabled
mail: i...@pcsol.be
zimbraMailAlias: i...@pcsol.be
uid: info
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
zimbraMailForwardingAddress: celine.clai...@pcsol.be
zimbraMailForwardingAddress: didier.lecle...@pcsol.be
  

When I delete "bind = no", and I set bind_pw and bind_dn, I get the same
error :
postmap -q 'bla...@pcsol.be' ldap:/etc/postfix/ldap-localusers.cf
postmap: warning: dict_ldap_connect: Unable to bind to server ldap://zimbra.pcsol.be:389 as uid=root,ou=people,dc=pcsol,dc=be: 2 (Protocol error)
  

The "protocol error" makes me think that there is a problem with
encryption somewhere??






Re: Sub-domain Alias Assistance

2009-09-03 Thread Barney Desmond
2009/9/3 Henri Shustak :
> However, I am now concerned that I have made some mistakes with regards the
> setup of the postfix configuration.
>
> I updated the system (with apt-get) and I guess this updated the version of
> postfix I was running. I figured everything was running correctly. However,
> when I recently went to configure a mailing list by adding various lines
> similar to the following :
>
> maillistn...@domain.com:              "|/var/lib/mailman/mail/mailman post
> maillistname"
>
> into the /etc/alias file and then going to run the postalias command on this
> file to update the .db file. the following error was reported :
>
> postalias: warning: /etc/aliases, line XXX: name must be local
>
> for every line which contained the above syntax.

/etc/aliases is only good for local names - basically: system accounts.

One solution to this is a set of virtual aliases that point to local
aliases, something like (this is just an example, I can't remember the
usual mailman syntax):

virtual_alias_maps: (note that this is postmap'd not postalias'd, so
there's no colons)

listn...@example.com   listname
listname-ad...@example.com listname-admin
etc..

Then in /etc/aliases:

listname: "|/var/lib/mailman/mail/mailman post listname"
listname-admin: "|/var/lib/mailman/mail/mailman admin listname"


A cleaner solution might be to use mailman's "virtual domain" support.
It's been a while since I've looked at it, but this should be the
right page:
http://www.gnu.org/software/mailman/mailman-install/postfix-virtual.html

If memory serves, it leaves all the alias-handling to mailman, which is a boon.
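
The split described in the message above (domain-qualified list addresses in a postmap'd virtual alias table, pipe commands under plain local names in /etc/aliases), as an added example that is not part of the original post. This Python script separates the two tables from an aliases-style file and refuses to merge two addresses whose local parts collide; the function names and the sample entries (example.com, example.org) are constructed for illustration.

```python
import re

# Constructed sample in aliases(5) syntax; domains are placeholders.
SAMPLE = '''\
postmaster: root
listname@example.com: "|/var/lib/mailman/mail/mailman post listname"
listname-admin@example.com:
    "|/var/lib/mailman/mail/mailman admin listname"
listname@example.org: "|/var/lib/mailman/mail/mailman post other"
'''

ENTRY = re.compile(r'^("[^"]+"|[^\s:]+)\s*:\s*(.*)$')

def logical_lines(text):
    """Yield (lineno, line), folding whitespace-led continuation lines."""
    buf, start = None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and buf is not None:
            buf += ' ' + raw.strip()
        else:
            if buf is not None:
                yield start, buf
            buf, start = raw.strip(), n
    if buf is not None:
        yield start, buf

def split_aliases(text):
    """Return (aliases, virtual, warnings) for an aliases-style file."""
    aliases, virtual, warnings = {}, {}, []
    for n, line in logical_lines(text):
        m = ENTRY.match(line)
        if not m:
            warnings.append(f'line {n}: not a "name: value" entry')
            continue
        key, value = m.group(1).strip('"'), m.group(2).strip()
        local = key.rsplit('@', 1)[0]
        # Two addresses sharing a local part would silently feed one pipe.
        if local in aliases and aliases[local] != value:
            warnings.append(f'line {n}: {key} collides with local alias {local}')
            continue
        aliases[local] = value      # /etc/aliases entry, written "name: value"
        if '@' in key:
            virtual[key] = local    # virtual alias entry, written "address name"
    return aliases, virtual, warnings
```

Entries reported in `warnings` need a distinct local name chosen by hand before either table is rebuilt with postalias or postmap.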


Re: A couple of problems

2009-09-03 Thread rank1seeker
- Original Message -
From: Benny Pedersen 
To: postfix-users@postfix.org
Date: Wed, 02 Sep 2009 20:43:10 +0200
Subject: Re: A couple of problems

> On ons 02 sep 2009 20:06:08 CEST, Daniel L'Hommedieu wrote
> > I guess nobody has any ideas on the other problem I mentioned,  
> > because nobody has responded to that half of my original email. :(
> 
> are you saying that your wife cant use smtp auth ? :)
> 
> -- 
> xpoint


I bet it definitely must be that! :))

Well, looks like it's time for you to supply your wife with a proper amount
of education.
;)


Re: local_recipient_maps into an ldap

2009-09-03 Thread Olivier Nicole
Nicolas,

> server_host = zimbra.pcsol.be

Are you sure your server is running on port 389? Would you run TLS?

From your Postfix machine, can you access the LDAP server on zimbra
machine (no firewall)?

I would try ldapsearch command on the postfix machine to make sure
that all the parameters in ldap-localusers.cf are valid.

I think you need to bind in any case, if you do not configure a
bind_dn and a bind_pw, it will make an anonymous bind, but I think you
have to bind to your LDAP server before you can make a query.

If you bind anonymously, you must make sure that the attributes you
are searching for are readable.

Best regards,

Olivier


sasl realm

2009-09-03 Thread Steve Heaven

We have upgraded our system this morning from 
postfix 2.2.2
saslauthd 2.1.20

to 
postfix 2.3.3
saslauthd 2.1.22

We now find that the sasl realm is not being handled as before.
We use imap authentication and sasl is now trying to make an imap login
using only the user part of the email address stripping off the @ and
domain part.

In our logs we have:

Sep  3 12:00:12 frigga saslauthd[18039]: do_auth : auth failure:
[user=XXX] [service=smtp] [realm=MYDOMAIN.COM] [mech=rimap]
[reason=remote server rejected your credentials]

So it is setting the realm equal to the domain part. 
This is new behaviour with the new versions. How can we revert to the
old behaviour?

Thanks

  Steve


-- 
thorNET 

Internet Services, Consultancy & Training
www.thornet.co.uk


local_recipient_maps into an ldap

2009-09-03 Thread Nicolas Michel




Hello,

I have a zimbra server for managing mail accounts. I have a postfix
mail server before it. Mails from outdoor arrive on that server before
being relayed to the zimbra server.

I want to search from the postfix server into the ldap of zimbra the
users/aliases to reject every mail destined to an unknown user.
Actually, I need to create a system account for any new user, and
create an alias into /etc/aliases.

I have postfix-2.1.5

I set this into my main.cf :
local_recipient_maps = ldap:/etc/postfix/ldap-localusers.cf

In that file (ldap-localusers.cf), I set this :
server_host = zimbra.pcsol.be
search_base = ou=people,dc=pcsol,dc=be
query_filter = (&(mail=%s)(accountStatus=active))
result_atribute = uid
bind = no

When I test that configuration with postmap I get no output, nothing.
If I remove the "bind = no" line, I get an error :
postmap -q 'n...@pcsol.be' ldap:/etc/postfix/ldap-localusers.cf
postmap: warning: dict_ldap_connect: Unable to bind to server ldap://zimbra.pcsol.be:389 as : 2 (Protocol error)
  

Does someone have an idea??

Thank you,
nm





Sub-domain Alias Assistance

2009-09-03 Thread Henri Shustak

Hello,

I manage a mailman mailing list server. The mailing list address
(aliases) were being managed from /etc/aliases (on Ubuntu). In
the past I have configured the aliases and ran the postalias command
to update the .db file and everything has been working great!


However, I am now concerned that I have made some mistakes with  
regards the setup of the postfix configuration.


I updated the system (with apt-get) and I guess this updated the  
version of postfix I was running. I figured everything was running  
correctly. However, when I recently went to configure a mailing list  
by adding various lines similar to the following :


maillistn...@domain.com:  "|/var/lib/mailman/mail/mailman post maillistname"


into the /etc/alias file and then going to run the postalias command  
on this file to update the .db file. the following error was reported :


postalias: warning: /etc/aliases, line XXX: name must be local

for every line which contained the above syntax.

I am guessing this is because the domain.com is not the local domain
for the server. However, postfix is set up to relay mail for this
subdomain in the /etc/postfix/main.cf file. In addition, mailman is
configured as the transport for this domain.


I am not sure exactly what I have done wrong or how to fix this  
situation. At present, I am not able to add any mailing lists to the  
server. I will keep looking into the problem.


However, if anyone on this list is able to provide any helpful hints,  
they would certainly be most welcomed.


I will report back if I manage to work this out.

Thanks.



Disclaimer : I am still learning about postfix administration. As such  
it is very possible that I have configured something in a very odd way  
and I am doing something very simple totally wrong.






Postfix Alias issue, need some help.

2009-09-03 Thread vince_

Hi !

I have a problem with the postfix Alias. I manage very long lists of e-mail
addresses through the alias system and sometimes some of the e-mail addresses are
invalid.

When I send a mail to an alias, if one of the addresses is not correct, no
mail is sent even to the valid addresses.

Is there a way to fix that ? I would like that postfix sends mails to all
the valid addresses of the alias and just sends me alerts if some of the addresses
are not valid.

thank you very much !

Vincent.

