Re: Postfix always tries to connect to ldap on localhost
Victor Duchovni wrote:

On Wed, Sep 30, 2009 at 11:26:30PM +0200, Patrick Ben Koetter wrote:

ldap:/some/file.cf

Thanks, that solved it. *shame* What happens if you don't use it properly? Why does it fall back to using localhost then?

The table name is assumed to refer to a parameter prefix, rather than a file-name, and in the absence of explicit settings for said parameters, they all take the documented default values.

I find the manpage not clear on that issue, perhaps it could be said more explicitly here...

|file_name | The name of the lookup table source file when rebuilding a database.

Jakob
Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
Hello list,

This might be working as intended, but since it seemed a tad odd and I couldn't find any conclusive documentation that explained it, I figured I'd work up the courage and ask. I moved 'check_sender_access' from the 'smtpd_sender_restrictions' to the 'smtpd_recipient_restrictions' stage, and ran a test;

Out: 220 nenya.dtnx.net ESMTP
In: EHLO arturia.xs4all.nl
Out: 250-nenya.dtnx.net
Out: 250-PIPELINING
Out: 250-SIZE 35651584
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:urcent...@gmail.com
Out: 250 2.1.0 Ok
In: RCPT TO:postmas...@configcast.com
Out: 550 5.7.1 postmas...@configcast.com: Recipient address rejected: You are not a known MX for 'configcast.com'.
In: QUIT
Out: 221 2.0.0 Bye

The rejection is from the hash database specified for 'check_sender_access', which has a line for every domain this server is responsible for, since all mail from those domains originates from our own servers;

configcast.com REJECT You are not a known MX for 'configcast.com'.

Since there is a separate 'check_recipient_access' as well, I was expecting 'check_sender_access' to work for 'MAIL FROM' only, but the above example suggests it is consulted during the recipient stage as well, if specified there. Is this by design, working as intended? Or am I missing something somewhere?

Postfix 2.6.3 on Debian Lenny i386.

Cya, Jona
Re: Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
* URCentral Support (GMail) urcent...@gmail.com:

Hello list,

This might be working as intended, but since it seemed a tad odd and I couldn't find any conclusive documentation that explained it, I figured I'd work up the courage and ask. I moved 'check_sender_access' from the 'smtpd_sender_restrictions' to the 'smtpd_recipient_restrictions' stage, and ran a test;

Out: 220 nenya.dtnx.net ESMTP
In: EHLO arturia.xs4all.nl
Out: 250-nenya.dtnx.net
Out: 250-PIPELINING
Out: 250-SIZE 35651584
Out: 250-ETRN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:urcent...@gmail.com
Out: 250 2.1.0 Ok
In: RCPT TO:postmas...@configcast.com
Out: 550 5.7.1 postmas...@configcast.com: Recipient address rejected: You are not a known MX for 'configcast.com'.
In: QUIT
Out: 221 2.0.0 Bye

The rejection is from the hash database specified for 'check_sender_access', which has a line for every domain this server is responsible for, since all mail from those domains originates from our own servers;

configcast.com REJECT You are not a known MX for 'configcast.com'.

Since there is a separate 'check_recipient_access' as well, I was expecting 'check_sender_access' to work for 'MAIL FROM' only, but the above example suggests it is consulted during the recipient stage as well, if specified there. Is this by design, working as intended? Or am I missing something somewhere?

Where's the main.cf snippet?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Double email because of aliased mailbox
Dan Schaefer wrote:

Email address: mail...@example.com
Aliases: ali...@example.com ali...@example.com ali...@example.com

What I want to accomplish is any email being sent to mail...@example.com to be put into the mail...@example.com's Inbox and 1 copy to be sent to the 3 aliases. I'm using PostfixAdmin for MySQL and this is what I have in the To: field for mail...@example.com

mail...@example.com ali...@example.com ali...@example.com ali...@example.com

I do get an email in mail...@example.com's Inbox, but all 3 aliases see duplicate messages. Do you have any suggestions? Do I need to give more information? If you need it, I can give you the contents of the database field as well.

No one wants to tackle this one?
receive only, no send allowed
Hi all,

could you give me any clue how to accomplish the following:

1. I need to configure postfix to allow some users only receive emails. They can download received emails by outlook or other client from postfix server, but they are prohibited to send one.
2. The second group of users should be restricted to read emails and send them only to certain domains or addresses.

Is this possible by configuring postfix or is there also another way?

Thanks a lot, Peter
Re: Double email because of aliased mailbox
Dan Schaefer:

Dan Schaefer wrote:

Email address: mail...@example.com
Aliases: ali...@example.com ali...@example.com ali...@example.com

What I want to accomplish is any email being sent to mail...@example.com to be put into the mail...@example.com's Inbox and 1 copy to be sent to the 3 aliases. I'm using PostfixAdmin for MySQL and this is what I have in the To: field for mail...@example.com

mail...@example.com ali...@example.com ali...@example.com ali...@example.com

I do get an email in mail...@example.com's Inbox, but all 3 aliases see duplicate messages. Do you have any suggestions? Do I need to give more information? If you need it, I can give you the contents of the database field as well.

No one wants to tackle this one?

This is the Postfix mailing list. In terms of Postfix configuration, one could use a virtual alias. See: man 5 virtual, and: man 5 mysql_table.

This is not the PostfixAdmin support forum.

Wietse
Re: Double email because of aliased mailbox
Wietse Venema wrote:

Dan Schaefer:

Dan Schaefer wrote:

Email address: mail...@example.com
Aliases: ali...@example.com ali...@example.com ali...@example.com

What I want to accomplish is any email being sent to mail...@example.com to be put into the mail...@example.com's Inbox and 1 copy to be sent to the 3 aliases. I'm using PostfixAdmin for MySQL and this is what I have in the To: field for mail...@example.com

mail...@example.com ali...@example.com ali...@example.com ali...@example.com

I do get an email in mail...@example.com's Inbox, but all 3 aliases see duplicate messages. Do you have any suggestions? Do I need to give more information? If you need it, I can give you the contents of the database field as well.

No one wants to tackle this one?

This is the Postfix mailing list. In terms of Postfix configuration, one could use a virtual alias. See: man 5 virtual, and: man 5 mysql_table.

This is not the PostfixAdmin support forum.

Wietse

Thank you. My apologies.

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Postfix VCS repository
Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that?

I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.

Regards, Miguel
Specifying a transport for bounce messages
My expertise with email servers protocols is very limited. That being said, here is a problem I've been dealing with for a few hours now without finding a suitable solution:

I run a box in Amazon's EC2, and I use postfix. In order to avoid being marked as a SPAM source because of EC2's IPs being dynamically assigned, I use AuthSMTP as a relay for my outbound email. My setup pretty much matches what is described at http://is.gd/3Qfay .

Actually this is not true for ALL outbound emails. I actually love Gmail as a MUA, so I have most of my own domain's email accounts mapped to gmail accounts. For example, all incoming emails for my account myacco...@mydomain.com are forwarded to myacco...@gmail.com . Thus, in order to save AuthSMTP quota, and since Gmail servers deal correctly with EC2 IPs (they don't take them for SPAM sources), I actually use the transport_maps directive as follows:

[/etc/postfix/main.cf]:
transport_maps = hash:/etc/postfix/transport

[/etc/postfix/transport]:
# Syntax: .domain transport:relay_host
gmail.com smtp:
* :

If I got it right, this makes all emails bound for gmail.com accounts to be sent directly by postfix via SMTP, whereas all other emails will be sent through the AuthSMTP relay.

OK, so now here is my problem: When my postfix receives a SPAM message bound for one of my accounts, this email is forwarded to gmail's SMTP server directly. But then gmail's SPAM filter rejects this message and here starts my problem. AFAIK what postfix should do is bounce the message to the SPAM source address. But according to my transport file, unless the SPAM source address is a gmail account, postfix will attempt to send the bounce through my AuthSMTP relay, and my AuthSMTP quota gets quickly exhausted with all these SPAM bounce messages.

What I have done is I have included the following line in my main.cf file:

soft_bounce = yes

This prevents the bounces to be sent through AuthSMTP, but I can see them getting stacked in postfix's queue:

r...@mydomain:/etc/postfix# mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
233898A28916603 Thu Oct 1 12:04:31 f...@real-leads.com
(host gmail-smtp-in.l.google.com[209.85.212.99] said: 552-5.7.0 Our system detected an illegal attachment on your message. Please 552-5.7.0 visit http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0 review our attachment guidelines. 39si713908vws.28 (in reply to end of DATA command))
myacco...@gmail.com
A04908A22268107 Thu Oct 1 11:42:23 silicon...@rouches-internet.com
(host gmail-smtp-in.l.google.com[209.85.212.20] said: 552-5.7.0 Our system detected an illegal attachment on your message. Please 552-5.7.0 visit http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0 review our attachment guidelines. 28si15619914vws.148 (in reply to end of DATA command))
myacco...@gmail.com

I understand that this is not a real fix, and that after a time limit (default 5 days, I believe), postfix will eventually try to send those bounces through AuthSMTP anyway.

Any ideas on how I should deal with these SPAM bounces in order to preserve my AuthSMTP quota? Is there any way I could force postfix to send bounces directly via SMTP instead of looking at my transport table?

Many thanks, Jose
Fall back when dovecot SASL is unavailable?
Hi,

I'm using dovecot for SASL authentication:

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client

Now if for whatever reason dovecot is not running, smtpd will also refuse to work, complaining

fatal: no SASL authentication mechanisms.

I would much prefer it to fall back to smtpd_sasl_auth_enable = no in that case, so that mail for local recipients can still be received. Is this possible?

Cheers, Hagen
Re: Fall back when dovecot SASL is unavailable?
* Hagen Fürstenau hfuerste...@gmx.net:

Hi,

I'm using dovecot for SASL authentication:

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client

Now if for whatever reason dovecot is not running, smtpd will also refuse to work, complaining

fatal: no SASL authentication mechanisms.

Indeed!

I would much prefer it to fall back to smtpd_sasl_auth_enable = no in that case, so that mail for local recipients can still be received. Is this possible?

It's the one problem we're having here as well: When updating dovecot, postfix won't work due to that...

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
double filter
Hi all,

I need to add another filter to my existing anti-virus one. I've already set an advanced content filter like the example in the Postfix After-Queue Content tutorial.

Postfix Queue -- Port 10025 (Anti-Virus+AntiSpam) -- that reinject mails through the 10026 port to postfix -- delivery to mailbox

Now, I want to add a vacation filter. I've the perl script, I've configured the entire system, now I just need to make the script run on each received message. How can I do ?

Here is my main.cf file

[snip]
content_filter=pmx:127.0.0.1:10025
[snip]

And my master.cf file

smtp inet n - n - - smtpd
[snip]
pmx unix - - n - 10 smtp
localhost:10026 inet n - n - 10 smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o myhostname=localhost
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

Thanks in advance for any kind of help.

-
Sébastien Cottalorda
Chef de Section Informatique
Monaco Parkings
24 rue du Gabian B.P. 623
98013 Monaco Cedex
Tel. +377 98982077
Fax. +377 92057496
Re: receive only, no send allowed
Peter Macko wrote:

Hi all,

could you give me any clue how to accomplish following:

1. I need to configure postfix to allow some users only receive emails. They can download received emails by outlook or other client from postfix server, but they are prohibited to send one.
2. The second group of users should be restricted to read emails and send them only to certain domains or addresses.

Is this possible by configuring postfix or is there also another way?

http://www.postfix.org/RESTRICTION_CLASS_README.html#external

this helps you on your journey. Also you can combine it with sasl and so on..

--
Eero
Re: Fall back when dovecot SASL is unavailable?
Now if for whatever reason dovecot is not running, smtpd will also refuse to work, complaining

fatal: no SASL authentication mechanisms.

Indeed!

I would much prefer it to fall back to smtpd_sasl_auth_enable = no in that case, so that mail for local recipients can still be received. Is this possible?

It's the one problem we're having here as well: When updating dovecot, postfix won't work due to that...

Yes, problem also exists when imap crashes or wrong startup order.

--
Eero
Re: content_filter for outbound messages
* Darvin Denmian darvin.denm...@gmail.com:

Hello,

Currently I'm using content_filter to filter inbound messages.

How?

Now I need to know if is possible to do something like content_filter for outbound messages.

Every outbound message was inbound once, no?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: How should I create an email account?
RBsussy:/var/log # postfix -n
postfix: invalid option -- 'n'
postfix: fatal: usage: postfix [-c config_dir] [-Dv] command
sussy:/var/log #

postconf -n

Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: start interval Oct 1 22:58:45
Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: domain lookup hits=0 miss=2 success=0%
Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: address lookup hits=0 miss=2 success=0%
Oct 1 23:03:20 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory
Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory
Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: problem talking to server private/tlsmgr: No such file or directory
Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: no entropy for TLS key generation: disabling TLS support
Oct 1 23:03:21 sussy postfix/smtpd[1969]: connect from unknown[111.94.12.63]
Oct 1 23:03:21 sussy postfix/smtpd[1969]: NOQUEUE: reject: RCPT from unknown[111.94.12.63]: 554 5.7.1 feyb...@yahoo.com: Relay access denied; from=ri...@mygoogle.com to=feyb...@yahoo.com proto=ESMTP helo=mandreev.localnet
Oct 1 23:03:21 sussy postfix/smtpd[1969]: disconnect from unknown[111.94.12.63]

At least your mailserver is not open relay.. looks like something is really wrong with your config.

--
Eero
Re: Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
On Thu, Oct 1, 2009 at 12:56 PM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

Is this by design, working as intended? Or am I missing something somewhere?

Where's the main.cf snippet?

Guess I did miss something somewhere. This is how it looks like now;

smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    check_sender_access hash:/etc/postfix/chk_sender_access

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/chk_recipient_access
    reject_unverified_recipient

Which works; if 'postmas...@configcast.com' is used as a sender, it rejects the rest of the SMTP session, but if used as a recipient, it's fine, as expected. If I move 'check_sender_access' to the next stage however, like this;

smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    check_sender_access hash:/etc/postfix/chk_sender_access

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/chk_sender_access
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/chk_recipient_access
    reject_unverified_recipient

then it will reject the recipient with the action specified in the 'check_sender_access' hash database;

configcast.com REJECT You are not a known MX for 'configcast.com'.

Is that how it's supposed to work?

Cya, Jona
Are my basic definitions wrong? ip blocks in hash for check_sender_access
My understanding of client and sender are these:

Client: An application used to send, receive e-mail messages.
Sender: The from or sender name in the header that shows who (is claimed to have) sent the email.

The context of the use that has me concerned are these: smtpd_client_restrictions and smtpd_sender_restrictions

I currently have these lines in main.cf:

check_client_access=hash:/etc/postfix/access
smtpd_client_restrictions =
    permit_mynetworks
    hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
    permit
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/greylist
    check_sender_access hash:/etc/postfix/sender_access
    permit_mynetworks
    reject_unknown_sender_domain

To me the content of the sender_access hash makes sense if it contains terms such as

luck...@yaha.com DISCARD

Does it also work correctly if that same files also has terms such as

64.94.244 DISCARD

where the intent is to block any of 64.94.244.xxx ?

Right now that ip address example shown above (64.94.244) is in the sender_access file (and the sender_access.db) but the log file shows events such as this:

Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: hold: header Received: from av7.experience.com (unknown [64.94.244.50])??by mgxx.cnm.edu (Postfix) with SMTP id 596A81FFCD??for gle...@cnm.edu; Sun, 27 Sep 2009 17:56:16 -0600 (MDT) from unknown[64.94.244.50]; from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP helo=av7.experience.com
Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: message- id=27390832.651.1254095751632.javamail.r...@av7.experience.com
Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: warning: header Subject: eRecruiting Saved Search - Abq-Lots from unknown[64.94.244.50]; from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP helo=av7.experience.com
Sep 27 7:56:22 mgxx MailScanner[9931]: Requeue: 596A81FFCD.2D1A1 to C98C42016A
Sep 27 17:56:22 mgxx postfix/qmgr[24665]: C98C42016A: from=no_re...@experience.com, size=33955, nrcpt=1 (queue active)
Sep 27 17:56:22 mgxx postfix/smtp[23167]: C98C42016A: to=gle...@tvimail.cnm.edu, orig_to=gle...@cnm.edu, relay=tvimail.cnm.edu[198.133.181.119]:25, delay=5.7, delays=5.6/0/0/0.03, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Sep 27 17:56:22 mg05 postfix/qmgr[24665]: C98C42016A: removed

Based upon my understanding of the definitions of the terms I have always been uncertain about putting ip blocks in the same file. I have been told it has been working practice at this college for years before I got here. I need to be certain we are doing the right things.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
Re: Double email because of aliased mailbox
Dan Schaefer wrote:

Wietse Venema wrote:

Dan Schaefer:

Dan Schaefer wrote:

Email address: mail...@example.com
Aliases: ali...@example.com ali...@example.com ali...@example.com

What I want to accomplish is any email being sent to mail...@example.com to be put into the mail...@example.com's Inbox and 1 copy to be sent to the 3 aliases. I'm using PostfixAdmin for MySQL and this is what I have in the To: field for mail...@example.com

mail...@example.com ali...@example.com ali...@example.com ali...@example.com

I do get an email in mail...@example.com's Inbox, but all 3 aliases see duplicate messages. Do you have any suggestions? Do I need to give more information? If you need it, I can give you the contents of the database field as well.

No one wants to tackle this one?

This is the Postfix mailing list. In terms of Postfix configuration, one could use a virtual alias. See: man 5 virtual, and: man 5 mysql_table.

This is not the PostfixAdmin support forum.

Wietse

Thank you. My apologies.

It WAS a problem with my Postfix config. And this was solved by a Postfix Admin developer. I wish I had asked sooner.

http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/3417045/index/page/1

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.
Re: How should I create an email account?
On Wed, 30 Sep 2009 22:12:15 -0500 Stan Hoeppner s...@hardwarefreak.com wrote: Ricky Tompu Breaky put forth on 9/30/2009 5:10 PM: Sending failed: Your SMTP server does not support The server responded: 5.7.8 Error: authentication failed: generic failure. Choose a different authentication method. The server responded: 5.7.8 Error: authentication failed: generic failure The message will stay in the 'outbox' folder until you either fix the problem (e.g. a broken address) or remove the message from the 'outbox' folder. The following transport was used: mygoogle.com . I'm stucked again. Please help me. Could you tell me where my mistake, please? Pasting the corresponding postfix/smtpd log entries for this transaction would be very helpful. And please repaste the log entries above without redacting or obfuscating the hostnames. You're showing a TLD above which should be a hostname, not a TLD. We need to see what's actually going on in order to help you (or, at least I do). -- Stan RBAfter the failed email sending from KMail of my linux box (client RB computer connected to another ISP with an private-IP from DHCP RB Server of my ISP), I've checked the logfile of my Postfix on mail RB server side: sussy:/var/log # tail 100 /var/log/mail tail: cannot open `100' for reading: No such file or directory == /var/log/mail == sussy:/var/log # tail 100 /var/log/mail tail: cannot open `100' for reading: No such file or directory == /var/log/mail == Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: start interval Oct 1 22:58:45 Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: domain lookup hits=0 miss=2 success=0% Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: address lookup hits=0 miss=2 success=0% Oct 1 23:03:20 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: problem 
talking to server private/tlsmgr: No such file or directory Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: no entropy for TLS key generation: disabling TLS support Oct 1 23:03:21 sussy postfix/smtpd[1969]: connect from unknown[111.94.12.63] Oct 1 23:03:21 sussy postfix/smtpd[1969]: NOQUEUE: reject: RCPT from unknown[111.94.12.63]: 554 5.7.1 feyb...@yahoo.com: Relay access denied; from=ri...@mygoogle.com to=feyb...@yahoo.com proto=ESMTP helo=mandreev.localnet Oct 1 23:03:21 sussy postfix/smtpd[1969]: disconnect from unknown[111.94.12.63] sussy:/var/log #
Re: How should I create an email account?
On Thu, 01 Oct 2009 19:41:14 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: RBsussy:/var/log # postfix -n postfix: invalid option -- 'n' postfix: fatal: usage: postfix [-c config_dir] [-Dv] command sussy:/var/log # postconf -n RBWupps... Shame on me. Sorry. sussy:~ # postconf -n alias_maps = hash:/etc/aliases biff = no body_checks = regexp:/etc/postfix/body_checks broken_sasl_auth_clients = yes canonical_maps = hash:/etc/postfix/canonical command_directory = /usr/sbin config_directory = /etc/postfix content_filter = amavis:[127.0.0.1]:10024 daemon_directory = /usr/lib/postfix data_directory = /var/lib/postfix debug_peer_level = 2 defer_transports = delay_warning_time = 1h disable_dns_lookups = no disable_mime_output_conversion = no header_checks = regexp:/etc/postfix/header_checks html_directory = /usr/share/doc/packages/postfix-doc/html inet_interfaces = all inet_protocols = all mail_owner = postfix mail_spool_directory = /var/mail mailbox_command = mailbox_size_limit = 0 mailbox_transport = mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man masquerade_classes = envelope_sender, header_sender, header_recipient masquerade_domains = mail.globo-mall.com www.globo-mall.com masquerade_exceptions = root message_size_limit = 1024 message_strip_characters = \0 mime_header_checks = regexp:/etc/postfix/mime_header_checks mydestination = sussy.globo-mall.com, localhost, localhost.localdomain mydomain = globo-mall.com myhostname = sussy.globo-mall.com mynetworks = 127.0.0.0/8 mynetworks_style = subnet myorigin = $mydomain nested_header_checks = regexp:/etc/postfix/nested_header_checks newaliases_path = /usr/bin/newaliases proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps queue_directory = 
/var/spool/postfix readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES receive_override_options = no_address_mappings relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relayhost = relocated_maps = hash:/etc/postfix/relocated sample_directory = /usr/share/doc/packages/postfix-doc/samples sender_canonical_maps = hash:/etc/postfix/sender_canonical sendmail_path = /usr/sbin/sendmail setgid_group = maildrop smtp_sasl_auth_enable = no smtp_use_tls = no smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_helo_required = no smtpd_helo_restrictions = smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_security_level = may smtpd_use_tls = yes strict_8bitmime = no strict_rfc821_envelopes = no transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf unknown_local_recipient_reject_code = 550 virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_gid_maps = static:5000 virtual_mailbox_base = /var/vmail virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_transport = maildrop virtual_uid_maps = static:5000 sussy:~ # Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: start interval Oct 1 22:58:45 Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: domain lookup hits=0 miss=2 success=0% Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: address 
lookup hits=0 miss=2 success=0% Oct 1 23:03:20 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: problem talking to server private/tlsmgr: No such file or directory Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: no entropy for TLS key generation: disabling TLS support Oct 1 23:03:21 sussy postfix/smtpd[1969]: connect from unknown[111.94.12.63] Oct 1 23:03:21 sussy postfix/smtpd[1969]: NOQUEUE: reject: RCPT from unknown[111.94.12.63]: 554 5.7.1 feyb...@yahoo.com: Relay access denied; from=ri...@mygoogle.com to=feyb...@yahoo.com proto=ESMTP helo=mandreev.localnet Oct 1 23:03:21 sussy postfix/smtpd[1969]: disconnect from unknown[111.94.12.63] At least your mailserver is not open relay.. looks like something is really wrong with
Re: How should I create an email account?
sussy:~ # postconf -n
alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = mail.globo-mall.com www.globo-mall.com
masquerade_exceptions = root
message_size_limit = 1024
message_strip_characters = \0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = sussy.globo-mall.com, localhost, localhost.localdomain
mydomain = globo-mall.com
myhostname = sussy.globo-mall.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
nested_header_checks = regexp:/etc/postfix/nested_header_checks
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
receive_override_options = no_address_mappings
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000
sussy:~ #

Well, default config on suse? is really messy, maybe you can take basic config from postfix and start with it?

-- Eero
Re: Are my basic definitions wrong? ip blocks in hash for check_sender_access
Robert Lopez wrote:
> My understanding of client and sender are these:
> Client: An application used to send, receive e-mail messages.
> Sender: The from or sender name in the header that shows who (is claimed to have) sent the email.

Indeed.

> The context of the use that has me concerned are these: smtpd_client_restrictions and smtpd_sender_restrictions
> I currently have these lines in main.cf:
>
> check_client_access=hash:/etc/postfix/access
> smtpd_client_restrictions =
>     permit_mynetworks
>     hash:/etc/postfix/whitelist

This is deprecated syntax equivalent to check_client_access hash:/etc/postfix/whitelist

>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
>     permit
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/greylist
>     check_sender_access hash:/etc/postfix/sender_access
>     permit_mynetworks
>     reject_unknown_sender_domain
>
> To me the content of the sender_access hash makes sense if it contains terms such as luck...@yaha.com DISCARD
> Does it also work correctly if that same files also has terms such as 64.94.244 DISCARD where the intent is to block any of 64.94.244.xxx ?
> Right now that ip address example shown above (64.94.244) is in the sender_access file (and the sender_access.db) but the log file shows events such as this:

You are explicitly asking postfix to check a sender for the file hash:/etc/postfix/sender_access. This will never match an IP.

> Based upon my understanding of the definitions of the terms I have always been uncertain about putting ip blocks in the same file. I have been told it has been working practice at this college for years before I got here. I need to be certain we are doing the right things

You may put check_client_access to point to the same map in order to check for an IP. This is discouraged as that map may be abused in the future. People love putting all their eggs in one basket. Abuse can occur if placed in recipient restriction before reject_unauth_destination with an OK result. The check_client_access can be placed in sender_restrictions if you like.
Re: How should I create an email account?
On Thu, 01 Oct 2009 19:59:51 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: ... Well, default config on suse? is really messy, maybe you can take basic config from postfix and start with it? RBYes, you're right Eero It's from OpenSuSE11.1 MMM... Do you RBhave the sample of the 'basic config' files? Which files is it? the RB'main.cf'? or others also ('master.cf' etc)? RBPlease send it/them to me if you have the 'basic config', please. RBThank you very much in advance.
Re: How should I create an email account?
Ricky Tompu Breaky kirjoitti: On Thu, 01 Oct 2009 19:59:51 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: ... Well, default config on suse? is really messy, maybe you can take basic config from postfix and start with it? RBYes, you're right Eero It's from OpenSuSE11.1 MMM... Do you RBhave the sample of the 'basic config' files? Which files is it? the RB'main.cf'? or others also ('master.cf' etc)? RBPlease send it/them to me if you have the 'basic config', please. RBThank you very much in advance. look at /usr/share/doc/postfix . This is really rtfm issue, you can find lots of information from www pages.. -- Eero
Re: How should I create an email account?
On Thu, 01 Oct 2009 20:15:52 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: Ricky Tompu Breaky kirjoitti: On Thu, 01 Oct 2009 19:59:51 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: ... Well, default config on suse? is really messy, maybe you can take basic config from postfix and start with it? RBYes, you're right Eero It's from OpenSuSE11.1 MMM... Do RByou have the sample of the 'basic config' files? Which files is RBit? the 'main.cf'? or others also ('master.cf' etc)? RBPlease send it/them to me if you have the 'basic config', RBplease. RBThank you very much in advance. look at /usr/share/doc/postfix . This is really rtfm issue, you can find lots of information from www pages.. -- Eero RBNo, I don't have that file on OpenSuSE11.1: sussy:~ # ls /usr/share/doc/postfix ls: cannot access /usr/share/doc/postfix: No such file or directory sussy:~ # RBOK, thank you very much for the information. RBps: What is 'rtfm'? What does that stand for?
Re: Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
On Thu, Oct 1, 2009 at 6:46 PM, URCentral @ Gmail urcent...@gmail.com wrote:
> Is this by design, working as intended? Or am I missing something somewhere?

Where's the main.cf snippet? Guess I did miss something somewhere. This is how it looks like now;

smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    check_sender_access hash:/etc/postfix/chk_sender_access
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/chk_recipient_access
    reject_unverified_recipient

Which works; if 'postmas...@configcast.com' is used as a sender, it rejects the rest of the SMTP session, but if used as a recipient, it's fine, as expected. If I move 'check_sender_access' to the next stage however, like this;

smtpd_sender_restrictions =
    permit_mynetworks
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    check_sender_access hash:/etc/postfix/chk_sender_access
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/chk_sender_access
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/chk_recipient_access
    reject_unverified_recipient

then it will reject the recipient with the action specified in the 'check_sender_access' hash database;

configcast.com REJECT You are not a known MX for 'configcast.com'.

Correcting myself; there are two hash databases specified on the live server, like this;

check_sender_access hash:/etc/postfix/chk_sender_local hash:/etc/postfix/chk_sender_access

The 'chk_sender_local' is currently empty. If I remove the first one so it actually matches the example given above, with just one hash database, the problem disappears and it works as expected. From the various examples I've seen I assumed that several type:table pairs per restriction are possible, and I can override the restrictions set in the second database by giving an 'OK' for 'postmas...@configcast.com' in the first, but I guess that assumption is incorrect?

Cya, Jona
Re: newbie confused about auth; changing subject a little.
On Wed, Sep 30, 2009 at 11:39:12PM +0200, Patrick Ben Koetter wrote:
> * Jay G. Scott g...@arlut.utexas.edu:
>> okay, maybe i'm catching on. i set up the /etc/sasldb2 method of authentication. that's doing so far what i want.
>> 1. okay, i guess /etc/postfix/sasl_passwd is only for client security? but why does the client need security? my /etc/postfix/sasl_passwd
> Clients need to identify themselves too if a remote server requires that.
>> file (and assoc .db) were nonsensical, yet i got authenticated, encrypted email delivered to that machine, and read it w/ mutt. what does /etc/postfix/sasl_passwd really do?
> /etc/postfix/sasl_passwd provides a mapping from servers the Postfix smtp client connects to and the username:passwords it should use when it authenticates with the remote SMTP server.
>> am i not really using it? should i remove those references in main.cf?
> If your Postfix smtp client does not need to authenticate, yes.
>> i guess /etc/sasldb2 is doing what i wanted. namely, i wanted to make a list of all the users (and passwords) that i liked, and let the mail server play nice with them, and not let anyone else play.
> yep.
>> 2. did i just open holes in my security? is this a pretty reasonable way to do what i want?
> Hard to tell without knowing the current config settings. Send an updated version of postconf -n.

that was sent in my email prior, dated 30 sep, 417 lines. also the saslfinger stuff is in there. ah, whoops. the smtpd.conf changed, of course. here it is now:

# per koetter book.
log_level: 3
pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
# auxilliary plugin parameters
auxprop_plugin: sasldb
#---

and thank you, by the way.

>> 3. do i have extraneous stuff in my main.cf file now? what do i need to delete?
> postconf -n ...
>> 4. i said method of authentication but that's sloppy, right, i'm using auxprop(?) as the password-verification service?
> Nope. auxprop and password-verification service are two pairs of shoes (as we say in Germany...).
>> or saslauthd with an auxprop plugin? i know i'm using saslauthd, i just want to know what the right term is, should i ever need to tell someone what i'm doing.
> libsasl uses either an internal method or an external password authentication service. If it uses the internal method the (auxprop) plugin reads passwords from an authentication backend and compares that plaintext string to the password submitted from the mail client. With an external password authentication service it just asks the service: Is this password for this username valid and the password authentication service responds either yes or no.
> HTH,

it does, thanks. j.

> p...@rick
> -- All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
> saslfinger (debugging SMTP AUTH): http://postfix.state-of-mind.de/patrick.koetter/saslfinger/

-- 
Jay Scott 512-835-3553 g...@arlut.utexas.edu
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div. S224
University of Texas at Austin
Re: How should I create an email account?
Ricky Tompu Breaky wrote: On Thu, 01 Oct 2009 20:15:52 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: Ricky Tompu Breaky kirjoitti: On Thu, 01 Oct 2009 19:59:51 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: ... Well, default config on suse? is really messy, maybe you can take basic config from postfix and start with it? RBYes, you're right Eero It's from OpenSuSE11.1 MMM... Do RByou have the sample of the 'basic config' files? Which files is RBit? the 'main.cf'? or others also ('master.cf' etc)? RBPlease send it/them to me if you have the 'basic config', RBplease. RBThank you very much in advance. look at /usr/share/doc/postfix . This is really rtfm issue, you can find lots of information from www pages.. -- Eero RBNo, I don't have that file on OpenSuSE11.1: sussy:~ # ls /usr/share/doc/postfix ls: cannot access /usr/share/doc/postfix: No such file or directory sussy:~ # RBOK, thank you very much for the information. postconf -d will give you defaults. ~Seth
Re: Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
URCentral @ Gmail wrote:
> On Thu, Oct 1, 2009 at 6:46 PM, URCentral @ Gmail urcent...@gmail.com wrote:
> Which works; if 'postmas...@configcast.com' is used as a sender, it rejects the rest of the SMTP session, but if used as a recipient, it's fine, as expected. If I move 'check_sender_access' to the next stage however, like this;
>
> smtpd_sender_restrictions =
>     permit_mynetworks
>     reject_unknown_sender_domain
>     reject_non_fqdn_sender
>     check_sender_access hash:/etc/postfix/chk_sender_access
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unknown_reverse_client_hostname
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>     reject_unauth_destination
>     check_sender_access hash:/etc/postfix/chk_sender_access
>     reject_non_fqdn_recipient
>     reject_unknown_recipient_domain
>     check_recipient_access hash:/etc/postfix/chk_recipient_access
>     reject_unverified_recipient
>
> then it will reject the recipient with the action specified in the 'check_sender_access' hash database;
>
> configcast.com REJECT You are not a known MX for 'configcast.com'.
>
> Correcting myself; there are two hash databases specified on the live server, like this;
>
> check_sender_access hash:/etc/postfix/chk_sender_local hash:/etc/postfix/chk_sender_access

If this was specified in recipient restrictions, it is equivalent to:

check_sender_access hash:/etc/postfix/chk_sender_local
check_recipient_access hash:/etc/postfix/chk_sender_access

This refers to the deprecated syntax of bare map in a restriction class. Postfix does not allow check_(*)_access to list multiple tables. The restriction *must* be repeated each time or an assumption takes place based on the past.

> The 'chk_sender_local' is currently empty. If I remove the first one so it actually matches the example given above, with just one hash database, the problem disappears and it works as expected. From the various examples I've seen I assumed that several type:table pairs per restriction are possible, and I can override the restrictions set in the second database by giving an 'OK' for 'postmas...@configcast.com' in the first, but I guess that assumption is incorrect?
>
> Cya, Jona
Re: Postfix VCS repository
Miguel Di Ciurcio Filho:
> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.

There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.

Wietse
Re: Postfix VCS repository
Wietse Venema wrote:
> Miguel Di Ciurcio Filho:
>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.
> Wietse

PGP? I don't think so. As for integrity checks, there is git which does checks based on SHA1. Git also references OpenSSL keys.
Re: Specifying a transport for bounce messages
Jose Maria Sanchez de Ocana:
> OK, so now here is my problem: When my postfix receives a SPAM message bound for one of my accounts, this email is forwarded to gmail's SMTP server directly. But then gmail's SPAM filter rejects this message and here starts my problem. AFAIK what postfix should do is bounce the message to the SPAM source address.

The REAL mistake in your setup is that you forward SPAM into gmail. This causes gmail to treat your machine as a SPAMMER, and may affect legitimate mail that you do want to receive.

You must NEVER bounce SPAM to the sender address, because in most cases that is not the sender.

Wietse
Re: Postfix VCS repository
On Thu, 2009-10-01 at 13:27 -0400, Wietse Venema wrote:
> Miguel Di Ciurcio Filho:
>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.

Apparently both Mercurial and git support it, at least for explicitly signed revisions:

http://mercurial.selenic.com/wiki/GpgExtension
http://www.kernel.org/pub/software/scm/git/docs/git-tag.html

I should probably try using those too. :)
Re: Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
On Thu, Oct 1, 2009 at 7:26 PM, Brian Evans - Postfix List grkni...@scent-team.com wrote:
>> Correcting myself; there are two hash databases specified on the live server, like this;
>>
>> check_sender_access hash:/etc/postfix/chk_sender_local hash:/etc/postfix/chk_sender_access
> If this was specified in recipient restrictions, it is equivalent to:
>
> check_sender_access hash:/etc/postfix/chk_sender_local
> check_recipient_access hash:/etc/postfix/chk_sender_access
>
> This refers to the deprecated syntax of bare map in a restriction class. Postfix does not allow check_(*)_access to list multiple tables. The restriction *must* be repeated each time or an assumption takes place based on the past.

Ahh, that makes sense. So given the above example;

check_sender_access hash:/etc/postfix/chk_sender_local
check_sender_access hash:/etc/postfix/chk_sender_access

would work?

Cya, Jona
Re: Specifying 'check_sender_access' during 'smtpd_recipient_restrictions' filters recipient as well?
URCentral @ Gmail wrote:
> On Thu, Oct 1, 2009 at 7:26 PM, Brian Evans - Postfix List grkni...@scent-team.com wrote:
>>> Correcting myself; there are two hash databases specified on the live server, like this;
>>>
>>> check_sender_access hash:/etc/postfix/chk_sender_local hash:/etc/postfix/chk_sender_access
>> If this was specified in recipient restrictions, it is equivalent to:
>>
>> check_sender_access hash:/etc/postfix/chk_sender_local
>> check_recipient_access hash:/etc/postfix/chk_sender_access
>>
>> This refers to the deprecated syntax of bare map in a restriction class. Postfix does not allow check_(*)_access to list multiple tables. The restriction *must* be repeated each time or an assumption takes place based on the past.
> Ahh, that makes sense. So given the above example;
>
> check_sender_access hash:/etc/postfix/chk_sender_local
> check_sender_access hash:/etc/postfix/chk_sender_access
>
> would work?

Indeed.
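The bare-map behaviour explained in this thread, as an added example that is not part of any poster's message or of Postfix itself: a small Python check that expands each smtpd_*_restrictions list, treating a `type:table` entry with no restriction name in front of it as the `check_*_access` of the list it sits in. The sample main.cf text is constructed from the configurations quoted in these threads; the helper names and the pattern of argument-taking restrictions are assumptions and not exhaustive.

```python
import re

# A bare "type:table" entry is read as the check_*_access that belongs to the
# restriction list it appears in (the behaviour explained in this thread).
IMPLIED = {
    "smtpd_client_restrictions": "check_client_access",
    "smtpd_helo_restrictions": "check_helo_access",
    "smtpd_sender_restrictions": "check_sender_access",
    "smtpd_recipient_restrictions": "check_recipient_access",
}

# Restrictions that consume the next token as their single argument.
# Assumption: illustrative pattern, not a complete list of Postfix restrictions.
TAKES_ARG = re.compile(
    r"^(check_\w+_access|check_policy_service|"
    r"reject_(rbl|rhsbl)_\w+|permit_(dnswl|rhswl)_\w+)$"
)

# Constructed sample, assembled from the settings quoted in the thread.
SAMPLE_MAIN_CF = """\
# constructed sample
smtpd_client_restrictions =
    permit_mynetworks
    hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    permit
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/chk_sender_local
                        hash:/etc/postfix/chk_sender_access
    check_recipient_access hash:/etc/postfix/chk_recipient_access
"""


def parse_main_cf(text):
    """Return {parameter: value}. Lines that start with whitespace continue
    the previous parameter; lines whose first non-blank character is '#'
    are comments."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = value
    return params


def expand(list_name, value):
    """Yield (restriction, argument_or_None, was_bare) in evaluation order."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if TAKES_ARG.match(tok) and i + 1 < len(tokens):
            yield tok, tokens[i + 1], False   # restriction plus its one table
            i += 2
        elif ":" in tok:
            yield IMPLIED[list_name], tok, True   # bare map: name is implied
            i += 1
        else:
            yield tok, None, False
            i += 1


def explicit_form(params, list_name):
    """The restriction list rewritten with every implied name spelled out."""
    return " ".join(
        name if arg is None else f"{name} {arg}"
        for name, arg, _ in expand(list_name, params.get(list_name, ""))
    )


def find_bare_maps(params):
    """Return (list_name, table, implied_restriction) for each bare map."""
    return [
        (list_name, arg, name)
        for list_name in IMPLIED
        for name, arg, bare in expand(list_name, params.get(list_name, ""))
        if bare
    ]


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for list_name, table, implied in find_bare_maps(cfg):
        print(f"{list_name}: bare map {table} is evaluated as {implied} {table}")
    print(explicit_form(cfg, "smtpd_recipient_restrictions"))
```

Running it against the output of `postconf -n` saved to a file works the same way, since that output uses the same `name = value` form.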
Re: Are my basic definitions wrong? ip blocks in hash for check_sender_access
On Thu, Oct 1, 2009 at 11:02 AM, Brian Evans - Postfix List grkni...@scent-team.com wrote:
> Robert Lopez wrote:

snip

>> check_client_access=hash:/etc/postfix/access
>> smtpd_client_restrictions =
>>     permit_mynetworks
>>     hash:/etc/postfix/whitelist
> This is deprecated syntax equivalent to check_client_access hash:/etc/postfix/whitelist

Brian which line is deprecated syntax?

>>     reject_rbl_client zen.spamhaus.org
>>     reject_rbl_client bl.spamcop.net
>>     reject_rbl_client dnsbl.njabl.org
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
>>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
>>     permit
>> smtpd_sender_restrictions =
>>     check_sender_access hash:/etc/postfix/greylist
>>     check_sender_access hash:/etc/postfix/sender_access
>>     permit_mynetworks
>>     reject_unknown_sender_domain

snip

>> Right now that ip address example shown above (64.94.244) is in the sender_access file (and the sender_access.db) but the log file shows events such as this:
> You are explicitly asking postfix to check a sender for the file hash:/etc/postfix/sender_access.

...check a sender for the file... Are you confirming postfix looks only for a sender-name found in the Reply-To: in the /etc/postfix/sender_access file?

> This will never match an IP.

Thank you for confirming that point.

>> Based upon my understanding of the definitions of the terms I have always been uncertain about putting ip blocks in the same file. I have been told it has been working practice at this college for years before I got here. I need to be certain we are doing the right things
> You may put check_client_access to point to the same map in order to check for an IP. This is discouraged as that map may be abused in the future. People love putting all their eggs in one basket. Abuse can occur if placed in recipient restriction before reject_unauth_destination with an OK result. The check_client_access can be placed in sender_restrictions if you like.

I am not clear who you suggest may do the abuse, but I understand your point is it is best to use separate files, each for a single purpose. So is this the implementation you would suggest...

check_client_access=hash:/etc/postfix/access_domain
check_client_access=hash:/etc/postfix/access_ip

where the access_domain file has domain names and the access_ip file has ip addresses?

This (from http://www.postfix.org/postconf.5.html) suggests a single file can have multiple uses:

check_client_access type:table
    Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
Re: Are my basic definitions wrong? ip blocks in hash for check_sender_access
On Thursday 01 October 2009 11:47:47 Robert Lopez wrote:
> My understanding of client and sender are these:
> Client: An application used to send, receive e-mail messages.

In the context of check_client_access it means the IP address and/or forward-confirmed reverse DNS name of the client application which connects to smtpd(8) to send mail.

> Sender: The from or sender name in the header that shows who (is claimed to have) sent the email.

Header is irrelevant. Sender (for check_sender_access) is the address used in the SMTP MAIL FROM: command. This message, for example, is purportedly from me, but if you look at the header which your Postfix added, you'll see it was not:

Return-Path: owner-postfix-us...@postfix.org

Oops, I see that you're probably reading the list from gmail, not from your own Postfix, but likewise, the gmail MTA probably prepends the Return-Path: header too.

> The context of the use that has me concerned are these: smtpd_client_restrictions and smtpd_sender_restrictions
> I currently have these lines in main.cf:
>
> check_client_access=hash:/etc/postfix/access

Irrelevant, ignored. This is an example of why the list welcome message asks for postconf -n and not lines from main.cf. check_client_access is a restriction that can be used in any of the various smtpd_*_restrictions stages. It does nothing where you put that. See http://www.postfix.org/SMTPD_ACCESS_README.html for an overview of how access(5) restrictions work.

> smtpd_client_restrictions =

It's often recommended for simplicity to keep restrictions in a single stage, and that stage would have to be smtpd_recipient_restrictions, because that is where mandatory relay control occurs. When so doing, one must be careful about whitelisting. The README aforementioned contains a warning. Whitelisting entries can be done safely either after reject_unauth_destination, or using a permit_auth_destination lookup result (rather than OK or permit.)

>     permit_mynetworks
>     hash:/etc/postfix/whitelist

Don't do this. You seem to be following some outdated tutorial. I see that Brian has beat me to this explanation, so I'll leave it at what he had to say about it.

>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4

Yikes. That DNSBL doesn't have a very solid reputation. I do hope you know what you're doing! You should only use DNSBLs with which you are familiar. (Personally, I do not use reject_rbl_client bl.spamcop.net either, but many sites probably do.)

>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
>     permit
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/greylist
>     check_sender_access hash:/etc/postfix/sender_access

Two hash: maps doing the same type of lookup at the same point in your restrictions does not make sense. I would either consolidate these, or (more likely, given your confusion) reconsider the lookup types.

>     permit_mynetworks
>     reject_unknown_sender_domain

I would reverse these. There's no point in accepting mail from your users when these conditions exist:

1. No other site will accept it from you
2. You have no way to send a bounce to the sender

YMMV. If your DNS is fragile, a sender domain lookup might fail on occasion, and you might prefer not to get calls from your confused and/or upset users. (To be precise, permit_mynetworks at the end of smtpd_sender_restrictions is meaningless, since the default is to permit anyway. It makes sense the way you have it; I just disagree.)

> To me the content of the sender_access hash makes sense if it contains terms such as luck...@yaha.com DISCARD

That's an email address, such as might be used as a sender address. BTW, check_sender_access is not generally a very safe or useful tool to use against spam. Most spam sender addresses are forged, and many of those are real sender addresses: the joe job. See http://en.wikipedia.org/wiki/Joe_job - I don't like to help spammers destroy the usability of email. Also, DISCARD is a strange choice. Why not REJECT?

> Does it also work correctly if that same files also has terms such as 64.94.244 DISCARD where the intent is to block any of 64.94.244.xxx ?

Seems to be confusion of your basic definitions, as per $SUBJECT. :)

> Right now that ip address example shown above (64.94.244) is in the sender_access file (and the sender_access.db) but the log file shows events
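The client/sender distinction discussed in this thread, as an added example that is not part of any reply and not Postfix code: a simplified Python model of which lookup keys a `check_client_access` and a `check_sender_access` table are searched with, following the postconf(5) wording quoted above (client hostname, parent domains, client IP address, networks obtained by stripping least significant octets) and the replies' definition of sender as the MAIL FROM address. The session values and the e-mail address in the table are constructed; IPv6, address extensions and the `.domain` pattern style are left out, and all function names are assumptions.

```python
def domain_keys(name):
    """A name followed by each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def client_keys(hostname, ip):
    """Keys for check_client_access: client hostname, parent domains, the
    client IPv4 address, then networks with trailing octets stripped."""
    octets = ip.split(".")
    networks = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return domain_keys(hostname) + networks


def sender_keys(mail_from):
    """Keys for check_sender_access: the envelope MAIL FROM address, its
    domain and parent domains, then the bare 'user@' form."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + domain_keys(domain) + [f"{local}@"]


KEY_BUILDERS = {
    "check_client_access": lambda s: client_keys(s["client_name"], s["client_ip"]),
    "check_sender_access": lambda s: sender_keys(s["mail_from"]),
}


def evaluate(restriction, table, session):
    """Return (matched_key, action) for the first key found in the table,
    or None when the restriction finds nothing to act on."""
    for key in KEY_BUILDERS[restriction](session):
        if key in table:
            return key, table[key]
    return None


# One shared table holding both kinds of entry, as in the question.
# The network prefix is the one from the thread; the address is constructed.
ACCESS_TABLE = {
    "64.94.244": "DISCARD",
    "blocked@example.com": "DISCARD",
}

# Constructed SMTP session: a client inside 64.94.244.x using an unrelated
# envelope sender.
SESSION = {
    "client_name": "host.example.org",
    "client_ip": "64.94.244.17",
    "mail_from": "someone@example.net",
}

if __name__ == "__main__":
    for restriction in ("check_sender_access", "check_client_access"):
        keys = KEY_BUILDERS[restriction](SESSION)
        print(restriction, "searches for:", ", ".join(keys))
        print("  result:", evaluate(restriction, ACCESS_TABLE, SESSION))
```

The network entry is only ever reached through the client-side key list, which is why it has to be referenced from `check_client_access` to have any effect.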
Re: Postfix VCS repository
Brian Evans - Postfix List:
> Wietse Venema wrote:
>> Miguel Di Ciurcio Filho:
>>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
>> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.
>> Wietse
> PGP? I don't think so.

Then we agree. A system that computes SHA1 without secret key provides no detection of after-the-fact changes.

Wietse
Re: Postfix VCS repository
Wietse Venema wrote:
> Brian Evans - Postfix List:
>> Wietse Venema wrote:
>>> Miguel Di Ciurcio Filho:
>>>> Is there an unofficial Postfix VCS repository? I believe there is not an official one, is there a reason for that? I'm asking because I want to keep track of what is going on 2.7 development. Checking the release notes file or the change log file is not very practical.
>>> There is a collection of PGP-signed tarballs linked off the download webpage. I am not aware of a version control system that provides the integrity guarantees of PGP.
>>> Wietse
>> PGP? I don't think so.
> Then we agree. A system that computes SHA1 without secret key provides no detection of after-the-fact changes.
> Wietse

I should Google more before replying as Timo pointed out my misunderstandings.
Re: How should I create an email account?
RBps: What is 'rtfm'? What does that stand for? It means that you need to read the friendly manual on the long run. -- Eero
Re: How should I create an email account?
On 1-Oct-2009, at 12:42, Eero Volotinen wrote: RBps: What is 'rtfm'? What does that stand for? It means that you need to read the friendly manual on the long run. The 'f' does not stand for 'friendly'. Read The F-ing Manual -- I know she's in there, said Verence, holding his crown in his hands in the famous Ai-Señor-Mexican-Bandits-Have-Raided-Our-Village position
Re: How should I create an email account?
On Thu, Oct 1, 2009 at 12:56 PM, Ricky Tompu Breaky ricky.bre...@uni.de wrote:
On Thu, 01 Oct 2009 19:41:14 +0300 Eero Volotinen eero.voloti...@iki.fi wrote:

RBsussy:/var/log # postfix -n
postfix: invalid option -- 'n'
postfix: fatal: usage: postfix [-c config_dir] [-Dv] command
sussy:/var/log # postconf -n

RBWupps... Shame on me. Sorry.

sussy:~ # postconf -n
alias_maps = hash:/etc/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = mail.globo-mall.com www.globo-mall.com
masquerade_exceptions = root
message_size_limit = 1024
message_strip_characters = \0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = sussy.globo-mall.com, localhost, localhost.localdomain
mydomain = globo-mall.com
myhostname = sussy.globo-mall.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
nested_header_checks = regexp:/etc/postfix/nested_header_checks
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
receive_override_options = no_address_mappings
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000
sussy:~ #

Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: start interval Oct 1 22:58:45
Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: domain lookup hits=0 miss=2 success=0%
Oct 1 23:02:05 sussy postfix/scache[1715]: statistics: address lookup hits=0 miss=2 success=0%
Oct 1 23:03:20 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory
Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: connect to private/tlsmgr: No such file or directory
Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: problem talking to server private/tlsmgr: No such file or directory
Oct 1 23:03:21 sussy postfix/smtpd[1969]: warning: no entropy for TLS key generation: disabling TLS support
Oct 1 23:03:21 sussy postfix/smtpd[1969]: connect from unknown[111.94.12.63]
Oct 1 23:03:21 sussy postfix/smtpd[1969]: NOQUEUE: reject: RCPT from unknown[111.94.12.63]: 554 5.7.1 feyb...@yahoo.com: Relay access denied; from=ri...@mygoogle.com to=feyb...@yahoo.com proto=ESMTP helo=mandreev.localnet
Oct 1 23:03:21 sussy
Re: How should I create an email account?
LuKreme wrote:
> On 1-Oct-2009, at 12:42, Eero Volotinen wrote:
>>> RBps: What is 'rtfm'? What does that stand for?
>> It means that you need to read the friendly manual on the long run.
>
> The 'f' does not stand for 'friendly'.
>
> Read The F-ing Manual

Well, there are many variations: http://en.wikipedia.org/wiki/RTFM

Usually it is a tip to read docs before asking questions. I think if a person is not able to configure basic functionality of postfix, then this mailing list is the wrong place ;)

But, this is only my opinion ..

--
Eero
Errors with before queue filtering and policyd-weight - help please.
I'm trying to setup before queue filtering using policyd-weight but can't get my configuration right. Could someone please point out what I've done wrong...

My policyd-weight.conf contains only this:

    $TCP_PORT= 12524;

My main.cf contains the following relevant lines:

    soft_bounce = yes
    smtpd_proxy_timeout = 1200s

My master.cf contains the following relevant lines:

    smtp inet n - n - 200 smtpd
        -o smtpd_proxy_filter=127.0.0.1:12524
        -o smtpd_client_connection_count_limit=20
    127.0.0.1:20026 inet n - n - 200 smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o content_filter=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks

When I use the above settings I end up with no mail flowing and tons of error messages stating:

    Out: 451 4.3.0 Error: queue file write error

It's just dawning on me that perhaps I have the wrong user running policyd-weight. Does that sound right?

Kevin W. Gagel
Network Administrator
Local 5448
My blog: http://mail.cnc.bc.ca/blogs/gagel
My shared files: http://mail.cnc.bc.ca/users/gagel
---
The College of New Caledonia
Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://gateway.cnc.bc.ca
---
Re: Errors with before queue filtering and policyd-weight - help please.
Kevin Gagel wrote:
> I'm trying to setup before queue filtering using policyd-weight but can't get my configuration right. Could someone please point out what I've done wrong...
> [snip]
> When I use the above settings I end up with no mail flowing and tons of error messages stating:
> Out: 451 4.3.0 Error: queue file write error
>
> It's just dawning on me that perhaps I have the wrong user running policyd-weight Does that sound right?

Maybe because policyd-weight is a policy service not a content filter.

http://www.postfix.org/SMTPD_POLICY_README.html
Re: Errors with before queue filtering and policyd-weight - help please.
Kevin Gagel:
> When I use the above settings I end up with no mail flowing and tons of error messages stating:
> Out: 451 4.3.0 Error: queue file write error

Perhaps surprisingly, Postfix writes the details of the problem to the maillog file, not to the SMTP client.

Wietse
Re: How should I create an email account?
On Oct 1, 2009, at 12:17 PM, LuKreme krem...@kreme.com wrote: Read The F-ing Manual Fishing? I always thought it was read the fine manual. -- If this was a real .signature it would be more interesting.
Re: How should I create an email account?
Euro, Especially for you, I highly appreciate your help so (much) far. Thank you thousands time. Let me dip my concentration in the documentation and information I get from this mailing list. Again thank you...thank you...thank you... === On Thu, 01 Oct 2009 21:42:02 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: RBps: What is 'rtfm'? What does that stand for? It means that you need to read the friendly manual on the long run. -- Eero
Re: How should I create an email account?
I don't how to say thank you. I highly appreciate your help so (much) far. Thank you thousands time. Let me dip my concentration in the documentation and information I get from this mailing list. Again thank you...thank you...thank you... On Thu, 01 Oct 2009 10:25:55 -0700 Seth Mattinen se...@rollernet.us wrote: Ricky Tompu Breaky wrote: On Thu, 01 Oct 2009 20:15:52 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: Ricky Tompu Breaky kirjoitti: On Thu, 01 Oct 2009 19:59:51 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: ... Well, default config on suse? is really messy, maybe you can take basic config from postfix and start with it? RBYes, you're right Eero It's from OpenSuSE11.1 MMM... Do RByou have the sample of the 'basic config' files? Which files is RBit? the 'main.cf'? or others also ('master.cf' etc)? RBPlease send it/them to me if you have the 'basic config', RBplease. RBThank you very much in advance. look at /usr/share/doc/postfix . This is really rtfm issue, you can find lots of information from www pages.. -- Eero RBNo, I don't have that file on OpenSuSE11.1: sussy:~ # ls /usr/share/doc/postfix ls: cannot access /usr/share/doc/postfix: No such file or directory sussy:~ # RBOK, thank you very much for the information. postconf -d will give you defaults. ~Seth
Re: Postfix VCS repository
On Thu, Oct 01, 2009 at 01:46:51PM -0400, Wietse Venema wrote:
> Then we agree. A system that computes SHA1 without secret key provides no detection of after-the-fact changes.

Except that the SHA-1 signature is just 20 bytes covering the entire tree, and there are *many* trees (no single master), with some more stable than others, the digests of the stable trees can be signed and/or saved off-line.

Tampering with prior history in a tree is hard, if one wants to convince all the other tree copies that the altered tree is genuine. One can of course create new leaf nodes (patches), but these are clearly visible as new revisions.

So git is IIRC more tamper-evident than it seems at first glance, provided that there are lots of trees (which is typically the case), and developers notice that their tree is inconsistent with the previously common history of a tree they are pulling from or pushing to.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:

mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
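The property argued over in this exchange can be reproduced with git's object naming rules. The following is an added example, not part of the original messages: it hashes a small constructed history (file contents, messages and the identity line are made up) and shows that rewriting an old revision changes every later commit id, while appending a new patch leaves the earlier ids alone. Nothing here involves a secret key, so detection depends on comparing against an id held in another copy of the tree.

```python
import hashlib

# Constructed identity line; real commits carry the author's name and timestamp.
IDENT = "A U Thor <author@example.com> 1254400000 +0000"


def git_object_id(obj_type, body):
    """Name an object the way git does: SHA-1 over '<type> <size>\\0<body>'."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).digest()


def tree_id(files):
    """Id of a flat tree: one '100644 <name>\\0<raw blob id>' entry per file."""
    body = b""
    for name in sorted(files, key=str.encode):
        body += b"100644 " + name.encode() + b"\x00" + git_object_id("blob", files[name])
    return git_object_id("tree", body)


def commit_id(tree, parent, message):
    """Id of a commit. The parent's id is part of the hashed text, which is
    what chains every revision to the whole history before it."""
    lines = [f"tree {tree.hex()}"]
    if parent is not None:
        lines.append(f"parent {parent.hex()}")
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())


def history_ids(snapshots):
    """Commit ids (hex) of a linear history given as (files, message) pairs."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent.hex())
    return ids


def first_divergence(mine, theirs):
    """Index of the first shared revision on which two copies disagree, or None.
    This is the comparison a developer's copy makes when pulling or pushing."""
    for i, (a, b) in enumerate(zip(mine, theirs)):
        if a != b:
            return i
    return None


# Constructed three-revision history.
V1 = {"main.cf": b"myhostname = mx.example.com\n"}
V2 = {"main.cf": b"myhostname = mx.example.com\nbiff = no\n"}
V3 = dict(V2, README=b"notes\n")
SNAPSHOTS = [(V1, "initial import"), (V2, "disable biff"), (V3, "add README")]

GENUINE = history_ids(SNAPSHOTS)

# Someone rewrites the first revision and recomputes everything after it.
# Revisions 2 and 3 have the same file contents as before, yet their ids change.
REWRITTEN = history_ids(
    [({"main.cf": b"myhostname = other.example.com\n"}, "initial import")] + SNAPSHOTS[1:]
)

# A new leaf (patch) on top of the genuine history leaves old ids untouched.
EXTENDED = history_ids(SNAPSHOTS + [(dict(V3, NEWS=b"2.7\n"), "new patch")])

if __name__ == "__main__":
    for label, ids in (("genuine", GENUINE), ("rewritten", REWRITTEN), ("extended", EXTENDED)):
        print(label, [i[:10] for i in ids])
    print("rewritten diverges at revision index", first_divergence(GENUINE, REWRITTEN))
```
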
Re: Errors with before queue filtering and policyd-weight - helpplease.
OK, reconfigured to:

main.cf

    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        check_sender_mx_access cidr:/etc/postfix/wildcard_mx_records.cidr,
        permit_mynetworks,
        check_client_access hash:/etc/postfix/whitelist,
        reject_unauth_destination,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_unverified_sender,
        check_policy_service inet:127.0.0.1:12524,
        permit

master.cf

    smtp inet n - n - 200 smtpd
    127.0.0.1:12526 inet n - n - 200 smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o content_filter=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks

Now I get these errors:

    Oct 1 12:54:59 gateway postfix/smtpd[14635]: warning: connect to 127.0.0.1:12524: Connection refused
    Oct 1 12:54:59 gateway postfix/smtpd[14635]: warning: problem talking to server 127.0.0.1:12524: Connection refused

Kevin W. Gagel
Network Administrator
Local 5448
My blog: http://mail.cnc.bc.ca/blogs/gagel
My shared files: http://mail.cnc.bc.ca/users/gagel

--- Original message ---
From: Brian Evans - Postfix List grkni...@scent-team.com
[snip]
Maybe because policyd-weight is a policy service not a content filter.
http://www.postfix.org/SMTPD_POLICY_README.html

---
The College of New Caledonia
Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://gateway.cnc.bc.ca
---
Re: How should I create an email account?
On Thu, 01 Oct 2009 22:25:35 +0300 Eero Volotinen eero.voloti...@iki.fi wrote: http://en.wikipedia.org/wiki/RTFM RBYes, but this mailing-list has made so much further step for my RBunderstanding. Now it's my turn to work on it alone. The information RBI got is already enough. I think now I can do far better to RBunderstand mailserver and finally to overcome my problem. RBThanks, Eero.
Re: Errors with before queue filtering and policyd-weight - helpplease.
Kevin Gagel wrote:
> OK, reconfigured to:
> main.cf
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     check_sender_mx_access cidr:/etc/postfix/wildcard_mx_records.cidr,
>     permit_mynetworks,
>     check_client_access hash:/etc/postfix/whitelist,
>     reject_unauth_destination,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     reject_unauth_pipelining,
>     reject_unverified_sender,
>     check_policy_service inet:127.0.0.1:12524,
>     permit

This is better.

> master.cf
> smtp inet n - n - 200 smtpd
> 127.0.0.1:12526 inet n - n - 200 smtpd
>     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o content_filter=
>     -o mynetworks=127.0.0.0/8
>     -o receive_override_options=no_unknown_recipient_checks

FYI, Policy servers do not have a return path.

> Now I get these errors:
> Oct 1 12:54:59 gateway postfix/smtpd[14635]: warning: connect to 127.0.0.1:12524: Connection refused
> Oct 1 12:54:59 gateway postfix/smtpd[14635]: warning: problem talking to server 127.0.0.1:12524: Connection refused

Sounds like your policy server is not running or responding on localhost. If you cannot telnet to it, then Postfix cannot talk to it either.
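What check_policy_service expects from the daemon on 127.0.0.1:12524 is the policy delegation exchange described in SMTPD_POLICY_README: name=value lines ended by an empty line, answered with an action= line and an empty line. The sketch below is an added example, not code from the thread or from policyd-weight; the request values, the function names and the toy responder are constructed, and `probe()` is the scripted equivalent of the telnet check suggested above.

```python
import socket
import threading

# Constructed request; the attribute names are those listed in SMTPD_POLICY_README.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "192.0.2.10",
    "client_name": "mail.example.net",
    "helo_name": "mail.example.net",
    "sender": "alice@example.net",
    "recipient": "bob@example.com",
}


def encode_request(attrs):
    """One name=value line per attribute, terminated by an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"


def read_block(conn):
    """Read name=value lines up to the terminating empty line."""
    buf = b""
    while b"\n\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:          # peer closed before finishing the block
            break
        buf += chunk
    attrs = {}
    for line in buf.decode(errors="replace").split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def exchange(conn, attrs):
    """Send one policy request on a connected socket; return the action or None."""
    conn.sendall(encode_request(attrs))
    return read_block(conn).get("action")


def probe(host, port, attrs=SAMPLE_REQUEST, timeout=5.0):
    """Connect the way smtpd would and report what came back.
    ('failed', reason) covers 'Connection refused' and timeouts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            action = exchange(conn, attrs)
    except OSError as exc:
        return ("failed", str(exc))
    if action is None:
        return ("no-policy-reply", "peer did not answer with action=...")
    return ("ok", action)


def toy_policy_server(conn, seen):
    """Stand-in responder for the demo: record the request, answer DUNNO."""
    with conn:
        seen.update(read_block(conn))
        conn.sendall(b"action=DUNNO\n\n")


def demo():
    """Run one exchange over a local socket pair, so no listening port is needed."""
    client, server = socket.socketpair()
    seen = {}
    worker = threading.Thread(target=toy_policy_server, args=(server, seen))
    worker.start()
    with client:
        client.settimeout(5.0)
        action = exchange(client, SAMPLE_REQUEST)
    worker.join()
    return action, seen


if __name__ == "__main__":
    print(demo()[0])
    # Against a real host: print(probe("127.0.0.1", 12524))
```
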
Re: How should I create an email account?
Ricky Tompu Breaky wrote:
> On Thu, 01 Oct 2009 22:25:35 +0300 Eero Volotinen eero.voloti...@iki.fi wrote:
>> http://en.wikipedia.org/wiki/RTFM
> RBYes, but this mailing-list has made so much further step for my
> RBunderstanding. Now it's my turn to work on it alone. The information
> RBI got is already enough. I think now I can do far better to
> RBunderstand mailserver and finally to overcome my problem.
> RBThanks, Eero.

It is my advice that you start with pure basic configuration and then add stuff later when you know what you (really) are doing. You can easily drop all mysql stuff from configuration and add basic configuration.

read the: http://www.postfix.org/BASIC_CONFIGURATION_README.html
read the: http://wiki.centos.org/HowTos/postfix
read the: http://beginlinux.com/server_training/mail-server/1041-postfix-mail-server-set-up
read the: http://www.poor-attitude.org/postfix/basic.html
read the: http://man.chinaunix.net/newsoft/postfix/STANDARD_CONFIGURATION_README.html

Good luck, it only requires some reading the master postfix..

--
Eero
Re: How should I create an email account?
Eero Volotinen wrote: read the: http://www.poor-attitude.org/postfix/basic.html This page is horribly out of date and should not be referenced. (it's about Postfix 1.x)
Re: Fall back when dovecot SASL is unavailable?
On Thu, Oct 01, 2009 at 03:08:31PM +0200, Hagen Fürstenau wrote:
> I'm using dovecot for SASL authentication:
>
> smtpd_sasl_auth_enable = yes
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth-client
>
> Now if for whatever reason dovecot is not running, smtpd will also refuse to work, complaining fatal: no SASL authentication mechanisms. I would much prefer it to fall back to smtpd_sasl_auth_enable = no in that case, so that mail for local recipients can still be received. Is this possible?

This would incorrectly reject mail, due to a transient problem (authentication down). A better solution would be to 4XX fail all auth attempts.

Frankly, configure SASL just on port 587, and *require* SASL there, in which case, no point in running the service while SASL is down. Keep your dovecot server running.

--
Viktor.
Re: Postfix always tries to connect to ldap on localhost
On Thu, Oct 01, 2009 at 09:35:02AM +0200, Jakob Lenfers wrote:
> I find the manpage not clear on that issue, perhaps it could be said more explicitly here...
>
> |file_name
> | The name of the lookup table source file when rebuilding a database.

http://www.postfix.org/ldap_table.5.html

BACKWARDS COMPATIBILITY
    For backwards compatibility with Postfix version 2.0 and earlier, LDAP parameters can also be defined in main.cf. Specify as LDAP source a name that doesn't begin with a slash or a dot. The LDAP parameters will then be accessible as the name you've given the source in its definition, an underscore, and the name of the parameter. For example, if the map is specified as ldap:ldapsource, the server_host parameter below would be defined in main.cf as ldapsource_server_host.

I see no mention of file_name in ldap_table(5).

--
Viktor.
Specifying a transport for bounce messages
Wietse Venema put forth on 10/1/2009 12:34 PM:
> The REAL mistake in your setup is that you forward SPAM into gmail. This causes gmail to treat your machine as a SPAMMER, and may affect legitimate mail that you do want to receive.

110% correct.

> You must NEVER bounce SPAM to the sender address, because in most cases that is not the sender.

Exactly. Most MAIL FROM: addresses in spam are forged. Bouncing spam messages after you receive them merely creates outscatter http://en.wikipedia.org/wiki/Backscatter_(e-mail), and makes your MX a spam source in the eyes of receivers. You need to reject all spam (or as much as possible) at the inbound SMTP stage on your Postfix MX.

Welcome to the world of spam fighting Jose. It's probably as important as any other aspect of running an MX host in 2009 and beyond. You need to implement some basic anti spam/UCE controls on your Postfix MX asap. Adding the following to your main.cf and restarting Postfix would be a good place to start immediately:

    disable_vrfy_command = yes
    smtpd_client_restrictions = reject_unknown_reverse_client_hostname
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname
    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client psbl.surriel.com

This is just a basic setup and will help kill most of the spam you're currently receiving. As time passes and more spammers get ahold of the email addresses at your domain, you'll need to implement additional measures. There is plenty of Postfix antispam/UCE documentation available on the Postfix website and other places easily found with Google. There are also many antispam mailing lists you could join to gain knowledge and experience on the subject as well.

Probably the first thing you should look at implementing is Postgrey: http://postgrey.schweikert.ch/

If you can, install the version available through your operating system's package management system, instead of manually installing all the components from the Postgrey website.

Hope this gets you off to a good start.

--
Stan
Re: Are my basic definitions wrong? ip blocks in hash for check_sender_access
Robert Lopez wrote:
> My understanding of client and sender are these:
>
> Client: An application used to send, receive e-mail messages.

No. the client is the IP node. so it's either the IP or the reverse DNS of the host that is trying to send mail. regarding reverse dns, if it is not confirmed, then it is unknown. a name is confirmed if IP - name - IP returns the original IP.

> Sender: The from or sender name in the header that shows who (is claimed to have) sent the email.

The sender in smtp is the address in the MAIL FROM command. This is generally the address you see in the Return-Path header, but this is not guaranteed (depends on the MTA). in simple cases, this is also the address that people use as From: or Reply-To: in their mailers, but anybody can set whatever headers they want.

> The context of the use that has me concerned are these: smtpd_client_restrictions and smtpd_sender_restrictions
>
> I currently have these lines in main.cf:
>
> check_client_access=hash:/etc/postfix/access
> smtpd_client_restrictions =
>     permit_mynetworks
>     hash:/etc/postfix/whitelist

it is recommended to put the right check_foo_access, instead of relying on the old implicit mode. here

    check_client_access hash:/etc/postfix/whitelist

>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13

it depends on your site, but in general, five-ten is way too aggressive.

>     permit
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/greylist
>     check_sender_access hash:/etc/postfix/sender_access
>     permit_mynetworks
>     reject_unknown_sender_domain
>
> To me the content of the sender_access hash makes sense if it contains terms such as
> luck...@yaha.com DISCARD

avoid DISCARD. use REJECT instead.

> Does it also work correctly if that same files also has terms such as
> 64.94.244 DISCARD

no. check_sender_access applies to a sender address, which is something like j...@example.com.

> where the intent is to block any of 64.94.244.xxx ?

for this, use check_client_access.

    check_client_access hash:/etc/postfix/access_client

> Right now that ip address example shown above (64.94.244) is in the sender_access file (and the sender_access.db) but the log file shows events such as this:
>
> Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: hold: header Received: from av7.experience.com (unknown [64.94.244.50])??by mgxx.cnm.edu (Postfix) with SMTP id 596A81FFCD??for gle...@cnm.edu; Sun, 27 Sep 2009 17:56:16 -0600 (MDT) from unknown[64.94.244.50]; from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP helo=av7.experience.com
> Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: message-id=27390832.651.1254095751632.javamail.r...@av7.experience.com
> Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: warning: header Subject: eRecruiting Saved Search - Abq-Lots from unknown[64.94.244.50]; from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP helo=av7.experience.com
> Sep 27 7:56:22 mgxx MailScanner[9931]: Requeue: 596A81FFCD.2D1A1 to C98C42016A
> Sep 27 17:56:22 mgxx postfix/qmgr[24665]: C98C42016A: from=no_re...@experience.com, size=33955, nrcpt=1 (queue active)
> Sep 27 17:56:22 mgxx postfix/smtp[23167]: C98C42016A: to=gle...@tvimail.cnm.edu, orig_to=gle...@cnm.edu, relay=tvimail.cnm.edu[198.133.181.119]:25, delay=5.7, delays=5.6/0/0/0.03, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
> Sep 27 17:56:22 mg05 postfix/qmgr[24665]: C98C42016A: removed
>
> Based upon my understanding of the definitions of the terms I have always been uncertain about putting ip blocks in the same file. I have been told it has been working practice at this college for years before I got here. I need to be certain we are doing the right things.

whatever they were doing, use different checks for different goals. while you can use a single file for both check_sender_access and check_client_access, this is ugly at best.

note that you can put a check_sender_access under smtpd_client_restrictions and a check_client_access under smtpd_sender_restrictions. which brings you back to what Rob said: it may be a good idea to put all your anti-spam checks under a single smtpd_foo_restrictions.
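The mismatch discussed in this reply, an IP block sitting in a table that is only consulted with sender addresses, can be caught by a small lint pass over the table source. This is an added example, not code from the thread or from Postfix: the key classification is a simplified reading of the pattern types in access(5), the function names are hypothetical, and the sample table is constructed apart from the `64.94.244` key quoted in the question.

```python
import re

# Dotted-decimal key of one to four octets, e.g. "64.94.244" or "192.0.2.1".
IPV4_PREFIX = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")

# Key kinds that a given check never uses as a lookup key (simplified).
NEVER_LOOKED_UP = {
    "check_sender_access": {"ipv4", "ipv6"},   # looked up with MAIL FROM addresses
    "check_client_access": {"address"},        # looked up with client name and IP
}


def key_kind(key):
    """Classify a table key as address, ipv4, ipv6 or domain."""
    if "@" in key:
        return "address"
    if IPV4_PREFIX.match(key) and all(int(p) <= 255 for p in key.split(".")):
        return "ipv4"
    if ":" in key:
        return "ipv6"
    return "domain"


def parse_access(text):
    """Parse Postfix table source into [line number, key, action] entries.
    Blank lines and '#' comments are skipped; a line that starts with
    whitespace continues the previous entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1][2] += " " + stripped
            continue
        parts = stripped.split(None, 1)
        entries.append([lineno, parts[0], parts[1] if len(parts) > 1 else ""])
    return entries


def lint(text, check):
    """Return (line, key, problem) for keys the named check can never match."""
    findings = []
    for lineno, key, _action in parse_access(text):
        kind = key_kind(key)
        if kind in NEVER_LOOKED_UP[check]:
            findings.append((lineno, key, f"{kind} key is never looked up by {check}"))
    return findings


# Constructed sample in the shape of the sender_access table from the question.
SENDER_ACCESS = """\
# sender_access (constructed sample)
spammer@example.com   REJECT
example.net           REJECT
64.94.244             DISCARD
"""

if __name__ == "__main__":
    for check in ("check_sender_access", "check_client_access"):
        for lineno, key, problem in lint(SENDER_ACCESS, check):
            print(f"line {lineno}: {key}: {problem}")
```
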
Re: content_filter for outbound messages
Darvin Denmian wrote:
> Ralf,
>
> I'm testing this using:
>
> master.cf :
>
> # Inbound
> smtp inet n - - - - smtpd -v
>     -o content_filter=filter:dummy
>
> filter unix - n n - 10 pipe
>     flags=Rq user=filter null_sender= argv=/usr/bin/filter.sh -f ${sender} -- ${recipient}
>
> How can I apply something like this for outbound?

unless you use a specific smtpd for outbound, the above applies to all mail submitted via smtp.

if you want this to apply to all mail, including mail submitted via the sendmail command, just put the content_filter= statement in main.cf. however, you can't do this if your filter.sh resubmits mail via sendmail because you'd get an infinite loop.
Re: Fall back when dovecot SASL is unavailable?
Ralf Hildebrandt wrote:
> * Hagen Fürstenau hfuerste...@gmx.net:
>> Hi,
>>
>> I'm using dovecot for SASL authentication:
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
>> smtpd_sasl_type = dovecot
>> smtpd_sasl_path = private/auth-client
>>
>> Now if for whatever reason dovecot is not running, smtpd will also refuse to work, complaining fatal: no SASL authentication mechanisms.
>
> Indeed!
>
>> I would much prefer it to fall back to smtpd_sasl_auth_enable = no in that case, so that mail for local recipients can still be received. Is this possible?
>
> It's the one problem we're having here as well: When updating dovecot, postfix won't work due to that...

for the auth part, only enable auth for submission (587).

for the deliver part, make it after the filter, so that mail is still kept in the local queue.

I used to stop postfix while upgrading dovecot, but I don't do that anymore. I now only stop postfix if upgrading mysql (I thought about dumping the db and changing postfix config, but this is too much...).
Re: content_filter for outbound messages
mouss,

as you said, if I use content_filter=filter:localhost:port and my filter is able to reinject the message in postfix queue, Postfix will check inbound and outbound messages, right?

Thanks!!!

On Thu, Oct 1, 2009 at 6:46 PM, mouss mo...@ml.netoyen.net wrote:
> Darvin Denmian wrote:
>> Ralf,
>>
>> I'm testing this using:
>>
>> master.cf :
>>
>> # Inbound
>> smtp inet n - - - - smtpd -v
>>     -o content_filter=filter:dummy
>>
>> filter unix - n n - 10 pipe
>>     flags=Rq user=filter null_sender= argv=/usr/bin/filter.sh -f ${sender} -- ${recipient}
>>
>> How can I apply something like this for outbound?
>
> unless you use a specific smtpd for outbound, the above applies to all mail submitted via smtp.
>
> if you want this to apply to all mail, including mail submitted via the sendmail command, just put the content_filter= statement in main.cf. however, you can't do this if your filter.sh resubmits mail via sendmail because you'd get an infinite loop.
How should I create an email account?
Ricky Tompu Breaky put forth on 10/1/2009 2:54 PM: Let me dip my concentration in the documentation and information I get from this mailing list. Dip into one or more of these as well: http://www.fredshack.com/docs/postfix.html http://www.amazon.com/Postfix-Patrick-Ben-Koetter/dp/3898645185/ref=sr_1_4?ie=UTF8s=booksqid=1254447389sr=1-4 http://www.amazon.com/Book-Postfix-State-Art-Transport/dp/1593270011/ref=sr_1_2?ie=UTF8s=booksqid=1254447389sr=1-2 http://www.amazon.com/Postfix-Definitive-Guide-Kyle-Dent/dp/0596002122 http://www.amazon.com/Beginning-SUSE-Linux-Second-Professional/dp/1590596749/ref=sr_1_3?ie=UTF8s=booksqid=1254447644sr=1-3 http://www.amazon.com/OpenSUSE-Linux-Enterprise-Server-Bible/dp/0470275871/ref=sr_1_2?ie=UTF8s=booksqid=1254447644sr=1-2 http://www.amazon.com/openSUSE-Linux-Unleashed-Michael-McCallister/dp/067232945X/ref=sr_1_4?ie=UTF8s=booksqid=1254447644sr=1-4 -- Stan
Re: Errors with before queue filtering and policyd-weight - helpplease.
Brian Evans - Postfix List put forth on 10/1/2009 3:03 PM:
> Kevin Gagel wrote:
>> Now I get these errors:
>> Oct 1 12:54:59 gateway postfix/smtpd[14635]: warning: connect to 127.0.0.1:12524: Connection refused
>> Oct 1 12:54:59 gateway postfix/smtpd[14635]: warning: problem talking to server 127.0.0.1:12524: Connection refused
>
> Sounds like your policy server is not running or responding on localhost. If you cannot telnet to it, then Postfix cannot talk to it either.

Make sure your loopback interface is configured as well, and make sure you don't have some oddball iptables rule causing problems. If you're running selinux or apparmor or similar, turn that off until you've got this working.

--
Stan
Are my basic definitions wrong? ip blocks in hash for check_sender_access
Robert Lopez put forth on 10/1/2009 11:47 AM:

My understanding of client and sender are these:

Client: An application used to send, receive e-mail messages.

In the context of Postfix client restrictions, the _client_ is the remote SMTP server that is sending email to your Postfix server. It is defined as a client because it is initiating a connection to your server. (When your Postfix connects to a remote MTA to deliver mail, your Postfix is the _client_). Thus, any client restrictions you implement are going to scrutinize the IP address and dns parameters (mainly FQrDNS name) of the machine connecting to yours.

In short, any machine connecting to your Postfix to deliver email is called a _client_.

Don't feel bad for misunderstanding this client server thing. Many IT folks suffer the same confusion when dealing with real MTAs for the first time (and I don't mean M$ Exchange ;)). Myself included.

-- Stan

The context of the use that has me concerned are these: smtpd_client_restrictions and smtpd_sender_restrictions

I currently have these lines in main.cf:

check_client_access=hash:/etc/postfix/access
smtpd_client_restrictions =
    permit_mynetworks
    hash:/etc/postfix/whitelist
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.njabl.org
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
    reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
    permit
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/greylist
    check_sender_access hash:/etc/postfix/sender_access
    permit_mynetworks
    reject_unknown_sender_domain

To me the content of the sender_access hash makes sense if it contains terms such as

luck...@yaha.com DISCARD

Does it also work correctly if that same file also has terms such as

64.94.244 DISCARD

where the intent is to block any of 64.94.244.xxx ?

Right now that ip address example shown above (64.94.244) is in the sender_access file (and the sender_access.db) but the log file shows events such as this:

Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: hold: header Received: from av7.experience.com (unknown [64.94.244.50])??by mgxx.cnm.edu (Postfix) with SMTP id 596A81FFCD??for gle...@cnm.edu; Sun, 27 Sep 2009 17:56:16 -0600 (MDT) from unknown[64.94.244.50]; from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP helo=av7.experience.com
Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: message-id=27390832.651.1254095751632.javamail.r...@av7.experience.com
Sep 27 17:56:19 mgxx postfix/cleanup[22432]: 596A81FFCD: warning: header Subject: eRecruiting Saved Search - Abq-Lots from unknown[64.94.244.50]; from=no_re...@experience.com to=xx...@cnm.edu proto=SMTP helo=av7.experience.com
Sep 27 7:56:22 mgxx MailScanner[9931]: Requeue: 596A81FFCD.2D1A1 to C98C42016A
Sep 27 17:56:22 mgxx postfix/qmgr[24665]: C98C42016A: from=no_re...@experience.com, size=33955, nrcpt=1 (queue active)
Sep 27 17:56:22 mgxx postfix/smtp[23167]: C98C42016A: to=gle...@tvimail.cnm.edu, orig_to=gle...@cnm.edu, relay=tvimail.cnm.edu[198.133.181.119]:25, delay=5.7, delays=5.6/0/0/0.03, dsn=2.5.0, status=sent (250 2.5.0 Ok.)
Sep 27 17:56:22 mg05 postfix/qmgr[24665]: C98C42016A: removed

Based upon my understanding of the definitions of the terms I have always been uncertain about putting ip blocks in the same file. I have been told it has been working practice at this college for years before I got here. I need to be certain we are doing the right things.
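Added example, not part of the thread and not Postfix's own code: a simplified Python model of the lookup keys that access(5) documents for check_sender_access and check_client_access, run against the 64.94.244 entry and the logged client unknown[64.94.244.50]. It assumes IPv4, the default parent_domain_matches_subdomains behaviour and no address extensions; the sender local part and the blocked@example.com entry are constructed.

```python
def domain_keys(name):
    """The name itself, then each parent domain down to the top-level label."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def sender_keys(mail_from):
    """Keys tried by check_sender_access: derived only from the MAIL FROM address."""
    if not mail_from:
        return ["<>"]                    # default smtpd_null_access_lookup_key
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + domain_keys(domain) + [f"{local}@"]

def client_keys(hostname, ip):
    """Keys tried by check_client_access: client name, its parents, the IP
    address, then networks made by dropping the last octet repeatedly."""
    octets = ip.split(".")
    return domain_keys(hostname) + [".".join(octets[:n]) for n in range(4, 0, -1)]

def lookup(table, keys):
    """First matching (key, action) in lookup order, or None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None

# The 64.94.244 entry is the one quoted in the post; the address entry is constructed.
ACCESS_TABLE = {"blocked@example.com": "DISCARD", "64.94.244": "DISCARD"}
CLIENT_NAME, CLIENT_IP = "unknown", "64.94.244.50"   # logged as unknown[64.94.244.50]
MAIL_FROM = "sender@experience.com"                   # constructed local part

def compare():
    """Result of consulting the same table from each restriction."""
    return {
        "check_sender_access": lookup(ACCESS_TABLE, sender_keys(MAIL_FROM)),
        "check_client_access": lookup(ACCESS_TABLE, client_keys(CLIENT_NAME, CLIENT_IP)),
    }

if __name__ == "__main__":
    for restriction, result in compare().items():
        print(restriction, "->", result)
```

In this model the network entry is reached only through the client lookup; the sender lookup never generates an IP-based key.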