RE: About SMTP Auth with Mysql
Hello,

One more info, maybe we can solve the source of the problem

When I use related syntax

sql_hostnames: (212.58.4.247:3306,212.58.4.245:3306)

I got related error and next server are queried. interesting, looks like sasl or postfix I don't know which one but they care about :

Nov 23 23:27:52 localhost postfix/smtpd[4325]: sql plugin could not connect to host (212.58.4.247

Regards
Vahric

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Vahriç Muhtaryan
Sent: Thursday, November 26, 2009 9:04 AM
To: 'Patrick Ben Koetter'; postfix-users@postfix.org
Subject: RE: About SMTP Auth with Mysql

Thanks for answer I will check mysql proxy

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Patrick Ben Koetter
Sent: Wednesday, November 25, 2009 11:06 PM
To: postfix-users@postfix.org
Subject: Re: About SMTP Auth with Mysql

Vahriç,

* Vahriç Muhtaryan vah...@doruk.net.tr:
> You can find out related out below.

thanks for the debug output. Your config looks okay. Your problem is - as I understand it - you want Cyrus SASL to do something it can't do:

1. If you list more than one host with $sql_hostnames then those hosts will be queried in order listed from left to right.
2. The first host in the list that answers will be used. Any other host will not be queried.
3. It is not possible to query all hosts at the same time.

So, if you want to query several MySQL servers at the same time, it cannot be done. All I can think of is moving your data to one SQL server instance.

OTOH maybe you can use mysql-proxy http://forge.mysql.com/wiki/MySQL_Proxy, configure that to transform the query to query both servers and let SASL query the mysql-proxy.
HTH,

p...@rick

> Regards
> Vahric
>
> [r...@postfix-auth1 ~]# ./saslfinger-1.0.3/saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Nov 25 18:47:20 EET 2009
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.5.9
> System: CentOS release 5.4 (Final)
>
> -- smtpd is linked to --
> libsasl2.so.2 = /usr/lib64/libsasl2.so.2 (0x003dfba0)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
>
> -- listing of /usr/lib64/sasl2 --
> total 3500
> drwxr-xr-x  2 root root   4096 Nov 22 23:17 .
> drwxr-xr-x 55 root root  36864 Nov 21 04:03 ..
> -rwxr-xr-x  1 root root    890 Sep  4 03:04 libanonymous.la
> -rwxr-xr-x  1 root root  15880 Sep  4 03:05 libanonymous.so
> -rwxr-xr-x  1 root root  15880 Sep  4 03:05 libanonymous.so.2
> -rwxr-xr-x  1 root root  15880 Sep  4 03:05 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root    876 Sep  4 03:04 libcrammd5.la
> -rwxr-xr-x  1 root root  19264 Sep  4 03:05 libcrammd5.so
> -rwxr-xr-x  1 root root  19264 Sep  4 03:05 libcrammd5.so.2
> -rwxr-xr-x  1 root root  19264 Sep  4 03:05 libcrammd5.so.2.0.22
> -rwxr-xr-x  1 root root    899 Sep  4 03:04 libdigestmd5.la
> -rwxr-xr-x  1 root root  48520 Sep  4 03:05 libdigestmd5.so
> -rwxr-xr-x  1 root root  48520 Sep  4 03:05 libdigestmd5.so.2
> -rwxr-xr-x  1 root root  48520 Sep  4 03:05 libdigestmd5.so.2.0.22
> -rwxr-xr-x  1 root root    939 Sep  4 03:04 libgssapiv2.la
> -rwxr-xr-x  1 root root  28096 Sep  4 03:05 libgssapiv2.so
> -rwxr-xr-x  1 root root  28096 Sep  4 03:05 libgssapiv2.so.2
> -rwxr-xr-x  1 root root  28096 Sep  4 03:05 libgssapiv2.so.2.0.22
> -rwxr-xr-x  1 root root    883 Sep  4 03:04 libldapdb.la
> -rwxr-xr-x  1 root root  17736 Sep  4 03:05 libldapdb.so
> -rwxr-xr-x  1 root root  17736 Sep  4 03:05 libldapdb.so.2
> -rwxr-xr-x  1 root root  17736 Sep  4 03:05 libldapdb.so.2.0.22
> -rwxr-xr-x  1 root root    862 Sep  4 03:04 liblogin.la
> -rwxr-xr-x  1 root root  16448 Sep  4 03:05 liblogin.so
> -rwxr-xr-x  1 root root  16448 Sep  4 03:05 liblogin.so.2
> -rwxr-xr-x  1 root root  16448 Sep  4 03:05 liblogin.so.2.0.22
> -rwxr-xr-x  1 root root    864 Sep  4 03:04 libntlm.la
> -rwxr-xr-x  1 root root  32704 Sep  4 03:05 libntlm.so
> -rwxr-xr-x  1 root root  32704 Sep  4 03:05 libntlm.so.2
> -rwxr-xr-x  1 root root  32704 Sep  4 03:05 libntlm.so.2.0.22
> -rwxr-xr-x  1 root root    862 Sep  4 03:04 libplain.la
> -rwxr-xr-x  1 root root  16416 Sep  4 03:05 libplain.so
> -rwxr-xr-x  1 root root  16416 Sep  4 03:05 libplain.so.2
> -rwxr-xr-x  1 root root  16416 Sep  4 03:05 libplain.so.2.0.22
> -rwxr-xr-x  1 root root    936 Sep  4 03:04 libsasldb.la
> -rwxr-xr-x  1 root root 893304 Sep  4 03:05 libsasldb.so
> -rwxr-xr-x  1 root root 893304 Sep  4 03:05 libsasldb.so.2
> -rwxr-xr-x  1 root root 893304 Sep  4 03:05 libsasldb.so.2.0.22
> -rwxr-xr-x  1 root root    878 Sep  4 03:04 libsql.la
> -rwxr-xr-x  1 root root  24808 Sep  4 03:05 libsql.so
> -rwxr-xr-x  1 root root  24808 Sep  4 03:05 libsql.so.2
> -rwxr-xr-x  1 root root  24808 Sep  4 03:05 libsql.so.2.0.22
> -rw-r--r--  1 root root     25 Mar 15  2007 Sendmail.conf
> -rw-r--r--  1 root root    280 Nov 22 23:17 smtpd.conf
>
> --
Re: About SMTP Auth with Mysql
Vahriç,

* Vahriç Muhtaryan vah...@doruk.net.tr:
> One more info, maybe we can solve the source of the problem
>
> When I use related syntax
>
> sql_hostnames: (212.58.4.247:3306,212.58.4.245:3306)
>
> I got related error and next server are queried. interesting, looks like sasl or postfix I don't know which one but they care about :
>
> Nov 23 23:27:52 localhost postfix/smtpd[4325]: sql plugin could not connect to host (212.58.4.247

Cyrus SASL cannot do what you want. Stop wasting everybody's time with your 'experiments'. If you want Cyrus SASL to query all servers in a row sit down and program it yourself.

p...@rick

> Regards
> Vahric
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Vahriç Muhtaryan
> Sent: Thursday, November 26, 2009 9:04 AM
> To: 'Patrick Ben Koetter'; postfix-users@postfix.org
> Subject: RE: About SMTP Auth with Mysql
>
> Thanks for answer I will check mysql proxy
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Patrick Ben Koetter
> Sent: Wednesday, November 25, 2009 11:06 PM
> To: postfix-users@postfix.org
> Subject: Re: About SMTP Auth with Mysql
>
> Vahriç,
>
> * Vahriç Muhtaryan vah...@doruk.net.tr:
> > You can find out related out below.
>
> thanks for the debug output. Your config looks okay. Your problem is - as I understand it - you want Cyrus SASL to do something it can't do:
>
> 1. If you list more than one host with $sql_hostnames then those hosts will be queried in order listed from left to right.
> 2. The first host in the list that answers will be used. Any other host will not be queried.
> 3. It is not possible to query all hosts at the same time.
>
> So, if you want to query several MySQL servers at the same time, it cannot be done. All I can think of is moving your data to one SQL server instance.
>
> OTOH maybe you can use mysql-proxy http://forge.mysql.com/wiki/MySQL_Proxy, configure that to transform the query to query both servers and let SASL query the mysql-proxy.
> HTH,
>
> p...@rick
>
> > Regards
> > Vahric
AW: AW: postfix - postgrey - lost connection after RSET
Thanks so far,

the funny thing about the sending Mailserver is, that the MX for the domain in question is:

forward : mail.bbb.com - ddd.dd.ddd.70
reverse : ddd.dd.ddd.70 - mail.bbb.com

BUT the mail is delivered via ddd.dd.ddd.66

Might it be a problem of wrong NATing on their side?

Thanks
B

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of lst_ho...@kwsoft.de
Sent: Friday, 27 November 2009 15:48
To: postfix-users@postfix.org
Subject: Re: AW: postfix - postgrey - lost connection after RSET

Quoting Eero Volotinen eero.voloti...@iki.fi:

> Braun Björn wrote:
> > My logs (mail.log)
> >
> > Nov 5 10:07:56 grey2 postfix/smtpd[7153]: connect from unknown[ddd.dd.ddd.dd]
> > Nov 5 10:07:56 grey2 postfix/smtpd[7153]: NOQUEUE: reject: RCPT from unknown[ddd.dd.ddd.dd]: 450 4.7.1 a...@aaa.de: Recipient address rejected: Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/help/aaa.DE.html; from=b...@bbb.com to=a...@bbb.de proto=ESMTP helo=mail.bbb.com
> > Nov 5 10:07:56 grey2 postfix/smtpd[7153]: lost connection after RSET from unknown[ddd.dd.ddd.dd]
> > Nov 5 10:07:56 grey2 postfix/smtpd[7153]: disconnect from unknown[ddd.dd.ddd.dd]
> >
> > Or are these the wrong logs?
>
> Well, looks like spammer is connecting from ddd.dd.ddd.dd and after graylisting (45X temporary error) spammer software just drops connection.

This depends if a...@aaa.de is missing a mail from b...@bbb.com and ddd.dd.ddd.dd is a valid mailserver for bbb.com then the problem is worth to investigate.

Regards

Andreas
Re: Bounce a particular recipient address with specified reject message
On 11/30/2009, techlist06 (techlis...@msws.org) wrote:
> So, if they click on reply in their client, the reply message should be sent to maillist_nore...@mydomain.com. My end accepts it (through spam filters), but then rejects the address with my custom reject message via my new access table with:

You are NOT 'rejecting', you are ACCEPTING, then BOUNCING, which you should never do if you can possibly help it.

Reject it at smtp time. Why waste system resources scanning messages you will later bounce?
Do i need any secure channel, if i'm using postfix to receive email only?
Hi folks,

I'm using postfix for just receiving emails from network, do I need to enable TLS or anything else for building up a secure channel. I guess all this is required in case of my email clients connecting to my email server.

Thanks Regards,
Sumit Arora
IPG RD Hub, Gurgaon
Hewlett-Packard India Software Operation Pvt. Ltd.
Work: x19013
Cell: +91-9958181104
Re: Do i need any secure channel, if i'm using postfix to receive email only?
Quoting Arora, Sumit sumit.ar...@hp.com:

> Hi folks,
>
> I'm using postfix for just receiving emails from network, do I need to enable TLS or anything else for building up a secure channel. I guess all this is required in case of my email clients connecting to my email server.

Yes, enable TLS and only allow encrypted smtp traffic or use pgp (or both for paranoid security)

--
Eero
OT: need some advice as to distro
Sorry to bring this here, but we are having trouble setting up a Postfix/dovecot mail system.

Background: We are a bunch of retirees, so cost is a factor in any decision. We all have IT experience, some of going back decades, however the world of Linux and its software is new to us all.

We used the cook book approach to setting up our first mail system. It uses Postfix/Dovecot on top of Fedora 8 and so far it works like a charm. While the cook-book approach got up and running fairly easily I think we missed out on the learning side of things. However, there is a growing concern about the basic OS slipping too far behind on important changes, the same goes for some of the packages we are planning on using, so we have started looking at alternatives.

Fedora - a little too dynamic for use as a server. This is to be expected as it is a development system which I don't think is aimed at a production like environment, plus the latest release seems very desktop oriented.

Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).

Ubuntu 9.10 Server edition - I am not sure what to say here. While at first glance it seems to be an ideal solution, a free server distribution with a Canonical backing it up. However, the setup of some packages seems to us odd, overly complicated and arbitrary.

openSUSE - not tied, but some concerns over the Novell/Microsoft deal.

Thanks in advance

John A
RE: Bounce a particular recipient address with specified reject message
> You are NOT 'rejecting', you are ACCEPTING, then BOUNCING, which you should never do if you can possibly help it. Reject it at smtp time. Why waste system resources scanning messages you will later bounce?

I understand your point. Thank you for correcting my syntax.

FWIW, this will only happen to a relatively minuscule number of inbound messages. I don't *think* it will take much in the way of resources. For my specific purpose, this check is to deal with the occasional, but fairly regular incorrect replies to the announcement list. The access map check is likely to only have to deal with such an accept, then bounce a few times a week. So I figured instead of testing thousands per day of unrelated inbound messages against this access check that I know will get hit rarely, I figured it would be better to put the check nearer the end of my UCE checks. Which will cause the occasional accept then bounce.

Mainly I was apprehensive about moving the restriction on my main.cf. I have tried to carefully select respected authorities books and one particular UCE guide to build my main.cf. And it works very, very well (thanks Ralf). Not being an expert, I don't want to accidentally break anything that is there and screw it up.

If you have a suggestion on where to put the access map restriction in my setup, I'm all ears.

Thanks!
Re: OT: need some advice as to distro
> Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).

Centos 5.x is my selection. You can also use packages from epel and dag's rpm repositories.

--
Eero
Re: OT: need some advice as to distro
Eero Volotinen wrote:
> > Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).
>
> Centos 5.x is my selection. You can also use packages from epel and dag's rpm repositories.

On my system I recompiled dovecot from rpms, since I also wanted to use sieve on mailserver. (this requires a bit hacks, but works fine)

--
Eero
Re: OT: need some advice as to distro
On 12/1/2009 9:09 AM, John wrote:
> Fedora - a little too dynamic for use as a server. This is to be expected as it is a development system which I don't think is aimed at a production like environment, plus the latest release seems very desktop oriented.

FC supposedly changes too much. I might use it on a test box, but never as anything close to a production server. But hell, our first Linux servers were Gentoo based and we ran with them for the first two years of testing the waters. (Prior to that we were a Novell NetWare / Windows Server / Solaris shop. Now we're down to just Linux Windows.)

> Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).

There are two ways to use CentOS/RHEL. One is to stick only with the binary-compatible RPMs (i.e. the [base] [updates] repositories). In which case you're only going to get security fixes that Red Hat has backported into the versions that were there at release. Since RHEL 5 is getting a bit long in the tooth, that often means older versions of packages that are missing newer features.

However, you can also choose to pull selective packages from other repositories like ATRPMs or RPMForge. At that point, you're no longer binary compatible with RHEL 5, but for the most part it doesn't matter. This is what most shops end up doing, they use as much as possible from the base/update repositories and only pull in specific packages from the 3rd party repo's.

Personally, we chose CentOS for a bunch of reasons:

- it closely tracks RHEL
- books/training on RHEL 5 generally apply to CentOS 5
- migrating from CentOS 5 to RHEL 5 is a logical progression
- if I have to bring in a consultant, it's easy to find those who are familiar with RHEL
- I consider RHEL to be the gold standard of server-side Linux

We're currently running CentOS 5 w/ postfix, dovecot, clamav-milter, amavisd-new, spf policy daemon, spamassassin and squirrelmail.

I'm not overly concerned with the infighting that took place over the summer. It was worrying at the time, but seems to have been properly resolved in the following months. And even if CentOS did go belly-up, we'd simply take our knowledge and migrate fully to RHEL. Which, in terms of worst-case scenarios is not all that bad.

> Ubuntu 9.10 Server edition - I am not sure what to say here. While at first glance it seems to be an ideal solution, a free server distribution with a Canonical backing it up. However, the setup of some packages seems to us odd, overly complicated and arbitrary.

Ubuntu LTS would probably be my 2nd choice, tied with openSUSE. I strongly considered SUSE back when I was debating what to replace Gentoo with. There's also Debian and a handful of others.

> openSUSE - not tied, but some concerns over the Novell/Microsoft deal.
Re: OT: need some advice as to distro
On Tue, 01 Dec 2009 16:30:36 +0200 Eero Volotinen eero.voloti...@iki.fi wrote:
> > Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).
>
> Centos 5.x is my selection. You can also use packages from epel and dag's rpm repositories.

It suffers from Red Hat's liking for sendmail. The postfix package is aeons old.

I would go with Ubuntu (probably 9.04 which is a long-term support version).

--
John
Re: OT: need some advice as to distro
On Tue, Dec 1, 2009 at 9:39 AM, John Peach post...@johnpeach.com wrote:
> On Tue, 01 Dec 2009 16:30:36 +0200 Eero Volotinen eero.voloti...@iki.fi wrote:
> > > Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).
> >
> > Centos 5.x is my selection. You can also use packages from epel and dag's rpm repositories.
>
> It suffers from Red Hat's liking for sendmail. The postfix package is aeons old.
>
> I would go with Ubuntu (probably 9.04 which is a long-term support version).
>
> --
> John

The age of a package only matters if you absolutely need a feature that's included in the newer version. All of the security fixes are backported. If you do really need the newer versions, you can get RPMs from third party repositories.
Re: OT: need some advice as to distro
> Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them).

Centos is not likely to vanish, since it's just a re-branded version of Redhat Enterprise Linux.

Since you already know Fedora, I'd suggest doing a base Centos install (no apps), then using the cheat sheet here: http://wiki.centos.org/HowTos/Amavisd. It sets up an additional repository that uses much more up-to-date apps than are in the Centos repository.

Another option would be to install from source, which is actually not difficult at all, and is very similar to what you probably did 20 years ago, only easier. (the build scripts are much more polished than in years past).

Terry
What Is Causing This Failure
I am getting a report from someone on my network that they are getting delivery failures when attempting to send an email from my Postfix server to the remote mail server. I see the message stuck on my Postfix server's queue:

CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
(connect to a.mx.premore.net[198.186.193.20]: No route to host)
b...@premore.net

I am guessing that this is a problem with the remote mail server 'a.mx.premore.net' since my server is sending and receiving email just fine to every other destination. I then decided to do a MX lookup for this domain premore.net see if there is anything wrong:

;; QUESTION SECTION:
;premore.net. IN MX

;; ANSWER SECTION:
premore.net. 3093 IN MX 0 a.mx.premore.net.

;; ADDITIONAL SECTION:
a.mx.premore.net. 3093 IN A 198.186.193.20

However my mail server won't send to this destination address and I have no idea why. Can someone tell me how I can better examine this situation to understand where the fault lies.

Thank you!
Re: OT: need some advice as to distro
On 12/1/2009 9:09 AM, John wrote:
> Sorry to bring this here, but we are having trouble setting up a Postfix/dovecot mail system.
>
> Background: We are a bunch of retirees, so cost is a factor in any decision. We all have IT experience, some of going back decades, however the world of Linux and its software is new to us all.
>
> We used the cook book approach to setting up our first mail system. It uses Postfix/Dovecot on top of Fedora 8 and so far it works like a charm. While the cook-book approach got up and running fairly easily I think we missed out on the learning side of things. However, there is a growing concern about the basic OS slipping too far behind on important changes, the same goes for some of the packages we are planning on using, so we have started looking at alternatives.

soapbox

I personally use Gentoo for all my Linux needs. There are several reasons for this.

1. It forces you to learn Linux. The handbook gives a great walk-through of how to set it up.
2. It is multi-platform; x86(_64), sparc(64), ppc(64), alpha, etc.
3. It is a build from source distro, but you don't need to know how. The Portage system takes care of individual packages and dependencies. You can tune and rebuild the entire system, if desired.
4. The base install is minimal; compile tools, python, perl and common commands. You get what you need, nothing more.
5. There is a security team in place to monitor vulnerabilities.
6. There is no OS upgrade. Only package updates. It will happily work forever updating single packages when *you* want. There is still an easy way to update everything as well.
7. There are stable, testing and experimental types of packages. All of which are easily accessible.
8. Tracking down dependencies is a non-issue.

/soapbox

I know other alternatives, such as FreeBSD, would also work well.
Re: What Is Causing This Failure
Carlos Williams wrote:
> CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
> (connect to a.mx.premore.net[198.186.193.20]: No route to host)
>
> However my mail server won't send to this destination address and I have no idea why. Can someone tell me how I can better examine this situation to understand where the fault lies.

Well, check your internet connectivity. No route to host means that server cannot connect to other end. (you can test using telnet ip.address 25)

Usually netmask/gateway or firewall is poorly configured or your isp is blocking direct smtp connections without smarthost.

--
Eero
Re: What Is Causing This Failure
On Tue, Dec 01, 2009 at 10:03:21AM -0500, Carlos Williams wrote:
> CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
> (connect to a.mx.premore.net[198.186.193.20]: No route to host)
> b...@premore.net

Looks like more of a network issue and not postfix specific. Try to telnet to the remote host and see if you can connect (run a tcpdump at the same time to see what's happening). Try simple network diagnostics (ie. ping, traceroute etc ...).

/erol
Re: What Is Causing This Failure
On Tue, 2009-12-01 at 10:03 -0500, Carlos Williams wrote:
> I am getting a report from someone on my network that they are getting delivery failures when attempting to send an email from my Postfix server to the remote mail server. I see the message stuck on my Postfix server's queue:
>
> CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
> (connect to a.mx.premore.net[198.186.193.20]: No route to host)
> b...@premore.net

This is a network issue and not a postfix issue. Try connecting to a.mx.premore.net using telnet on port 25. Check your routing tables to find out why a network connection to that host is not possible.

> I am guessing that this is a problem with the remote mail server 'a.mx.premore.net' since my server is sending and receiving email just fine to every other destination. I then decided to do a MX lookup for this domain premore.net see if there is anything wrong:
>
> ;; QUESTION SECTION:
> ;premore.net. IN MX
>
> ;; ANSWER SECTION:
> premore.net. 3093 IN MX 0 a.mx.premore.net.
>
> ;; ADDITIONAL SECTION:
> a.mx.premore.net. 3093 IN A 198.186.193.20
>
> However my mail server won't send to this destination address and I have no idea why. Can someone tell me how I can better examine this situation to understand where the fault lies.
>
> Thank you!

--
Martijn de Munnik
mart...@youngguns.nl
YoungGuns
Re: What Is Causing This Failure
* Carlos Williams carlosw...@gmail.com:
> I am getting a report from someone on my network that they are getting delivery failures when attempting to send an email from my Postfix server to the remote mail server. I see the message stuck on my Postfix server's queue:
>
> CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
> (connect to a.mx.premore.net[198.186.193.20]: No route to host)
> b...@premore.net

Works OK. What does traceroute 198.186.193.20 return?

# traceroute 198.186.193.20
traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 60 byte packets
... snip ...
 4 zr-pot1-te0-0-0-3.x-win.dfn.de (188.1.144.30) 5.288 ms 5.290 ms 5.281 ms
 5 cr02.frf02.pccwbtn.net (80.81.192.50) 18.030 ms 18.027 ms 18.132 ms
 6 carpathia.ge12-1.br02.ash01.pccwbtn.net (63.218.94.166) 109.111 ms 106.313 ms 106.528 ms
 7 xe-3-3.e4.iad1.cirn.net (209.222.130.29) 105.968 ms 106.036 ms 106.044 ms
 8 66.117.37.180 (66.117.37.180) 101.005 ms 100.773 ms 101.520 ms
 9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 dns5.docforge.org (198.186.193.20) 4.241 ms 1.685 ms 0.271 ms

> I am guessing that this is a problem with the remote mail server 'a.mx.premore.net' since my server is sending and receiving email just fine to every other destination. I then decided to do a MX lookup for this domain premore.net see if there is anything wrong:
>
> ;; QUESTION SECTION:
> ;premore.net. IN MX
>
> ;; ANSWER SECTION:
> premore.net. 3093 IN MX 0 a.mx.premore.net.
>
> ;; ADDITIONAL SECTION:
> a.mx.premore.net. 3093 IN A 198.186.193.20
>
> However my mail server won't send to this destination address and I have no idea why. Can someone tell me how I can better examine this situation to understand where the fault lies.
>
> Thank you!

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: What Is Causing This Failure
On Tue, 1 Dec 2009 10:03:21 -0500, you wrote:
> I am getting a report from someone on my network that they are getting delivery failures when attempting to send an email from my Postfix server to the remote mail server. I see the message stuck on my Postfix server's queue:
>
> CB87E778055 1337 Mon Nov 30 08:59:15 tprem...@iamghost.com
> (connect to a.mx.premore.net[198.186.193.20]: No route to host)
> b...@premore.net
>
> I am guessing that this is a problem with the remote mail server 'a.mx.premore.net' since my server is sending and receiving email just fine to every other destination. I then decided to do a MX lookup for this domain premore.net see if there is anything wrong:
>
> ;; QUESTION SECTION:
> ;premore.net. IN MX
>
> ;; ANSWER SECTION:
> premore.net. 3093 IN MX 0 a.mx.premore.net.
>
> ;; ADDITIONAL SECTION:
> a.mx.premore.net. 3093 IN A 198.186.193.20
>
> However my mail server won't send to this destination address and I have no idea why. Can someone tell me how I can better examine this situation to understand where the fault lies.
>
> Thank you!

Unless I'm misreading and misunderstanding your logs

# telnet 198.186.193.20 25
Trying 198.186.193.20...
telnet: connect to address 198.186.193.20: Operation timed out
telnet: Unable to connect to remote host

The mail server on that IP isn't answering.
Re: What Is Causing This Failure
* Evan Platt e...@espphotography.com:

> Unless I'm misreading and misunderstanding your logs
>
> # telnet 198.186.193.20 25
> Trying 198.186.193.20...
> telnet: connect to address 198.186.193.20: Operation timed out
> telnet: Unable to connect to remote host
>
> The mail server on that IP isn't answering.

# telnet 198.186.193.20 25
Trying 198.186.193.20...
Connected to 198.186.193.20.
Escape character is '^]'.
220 share.docforge.org ESMTP Postfix

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: What Is Causing This Failure
On Tue, 1 Dec 2009 16:13:02 +0100, you wrote:

> # telnet 198.186.193.20 25
> Trying 198.186.193.20...
> Connected to 198.186.193.20.
> Escape character is '^]'.
> 220 share.docforge.org ESMTP Postfix

D'oh... Forgot which machine I was connected to. I tried it on the one that has port 25 blocked by the ISP. :)

My bad, sorry :)
Re: OT: need some advice as to distro
John wrote: Sorry to bring this here, but we are having trouble setting up a Postfix/dovecot mail system. Background: We are a bunch of retirees, so cost is a factor in any decision. We all have IT experience, some of going back decades, however the world of Linux and its software is new to us all. We used the cook book approach to setting up our first mail system. It uses Postfix/Dovecot on top of Fedora 8 and so far it works like a charm. While the cook-book approach got up and running fairly easily I think we missed out on the learning side of things. However, there is a growing concern about the basic OS slipping too far behind on important changes, the same goes for some of the packages we are planning on using, so we have started looking at alternatives. Fedora - a little too dynamic for use as a server. This is to be expected as it is a development system which I don't think is aimed at a production like environment, plus the latest release seems very desktop oriented. Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them). Ubuntu 9.10 Server edition - I am not sure what to say here. While at first glance it seems to be an ideal solution a, free server distribution with a Canonical backing it up. However, the setup of some packages seems to us odd, overly complicated and arbitrary. openSUSE - not tied, but some concerns over the Novel /Microsoft deal. Thanks in advance John A Personally, Debian Stable (currently Lenny) is my Linux of choice for production system. Package management via apt is second to none and everything is very well documented with a willing and able community for support. 
Why restate whats already written: http://www.debian.org/intro/why_debian When it comes down to it, the best distro is the one you know how to use. I would start with a distro that you are most comfortable with and know how to use the best. Good luck and kind regards, _Terry
Re: What Is Causing This Failure
On Tue, Dec 1, 2009 at 10:10 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> Works OK. What does traceroute 198.186.193.20 return?
>
> # traceroute 198.186.193.20
> traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 60 byte packets
> ... snip ...
>  4 zr-pot1-te0-0-0-3.x-win.dfn.de (188.1.144.30) 5.288 ms 5.290 ms 5.281 ms
>  5 cr02.frf02.pccwbtn.net (80.81.192.50) 18.030 ms 18.027 ms 18.132 ms
>  6 carpathia.ge12-1.br02.ash01.pccwbtn.net (63.218.94.166) 109.111 ms 106.313 ms 106.528 ms
>  7 xe-3-3.e4.iad1.cirn.net (209.222.130.29) 105.968 ms 106.036 ms 106.044 ms
>  8 66.117.37.180 (66.117.37.180) 101.005 ms 100.773 ms 101.520 ms
>  9 * * *
> 10 * * *
> 11 * * *
> 12 * * *
> 13 * * *
> 14 * * *
> 15 * * *
> 16 * * *
> 17 * * *
> 18 * * *
> 19 * * *
> 20 * * *
> 21 * * *
> 22 * * *
> 23 * * *
> 24 * * *
> 25 dns5.docforge.org (198.186.193.20) 4.241 ms 1.685 ms 0.271 ms

I am unable to connect via Telnet so it appears to be a network / ISP issue.

car...@tunafish:~$ telnet 198.186.193.20 25
Trying 198.186.193.20...
telnet: Unable to connect to remote host: No route to host
Re: OT: need some advice as to distro
On 12/1/2009 10:08 AM, Brian Evans - Postfix List wrote: soapbox I personally use Gentoo for all my Linux needs. I wasn't going to say anything, but I'll add a 'me too' here. I've been using Gentoo only for our in house servers since 2005. They've all been through 2 major GCC version updates, and I've honestly never had a serious problem. A rolling release distro like Gentoo is really easy to keep completely up to date, and I never have to worry about being forced to use old/outdated software. There are several reasons for this. 1. It forces you to learn Linux. The handbook gives a great walk-through of how to set it up. 2. It is multi-platform; x86(_64), sparc(64), ppc(64), alpha, etc. 3. It is a build from source distro, but you don't need to know how. The Portage system takes care of individual packages and dependencies. You can tune and rebuild the entire system, if desired. 4. The base install is minimal; compile tools, python, perl and common commands. You get what you need, nothing more. 5. There is a security team in place to monitor vulnerabilities. 6. There is no OS upgrade. Only package updates. It will happily work forever updating single packages when *you* want. There is still an easy way to update everything as well. 7. There are stable, testing and experimental types of packages. All of which are easily accessible. 8. Tracking down dependencies is a non-issue. /soapbox I know other alternatives, such as FreeBSD, would also work well.
Re: What Is Causing This Failure
* Carlos Williams carlosw...@gmail.com: 25 dns5.docforge.org (198.186.193.20) 4.241 ms 1.685 ms 0.271 ms I am unable to connect via Telnet so it appears to be a network / ISP issue. car...@tunafish:~$ telnet 198.186.193.20 25 Trying 198.186.193.20... telnet: Unable to connect to remote host: No route to host What is the output of traceroute 198.186.193.20 ? -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: OT: need some advice as to distro
Charles Marcus wrote: On 12/1/2009 10:08 AM, Brian Evans - Postfix List wrote: soapbox I personally use Gentoo for all my Linux needs. I wasn't going to say anything, but I'll add a 'me too' here. Are you really using lot of servers (like 100 pieces) with gentoo on production environment? -- Eero
Re: OT: need some advice as to distro
Terry L. Inzauro wrote: John wrote: Sorry to bring this here, but we are having trouble setting up a Postfix/dovecot mail system. Background: We are a bunch of retirees, so cost is a factor in any decision. We all have IT experience, some of going back decades, however the world of Linux and its software is new to us all. We used the cook book approach to setting up our first mail system. It uses Postfix/Dovecot on top of Fedora 8 and so far it works like a charm. While the cook-book approach got up and running fairly easily I think we missed out on the learning side of things. However, there is a growing concern about the basic OS slipping too far behind on important changes, the same goes for some of the packages we are planning on using, so we have started looking at alternatives. Fedora - a little too dynamic for use as a server. This is to be expected as it is a development system which I don't think is aimed at a production like environment, plus the latest release seems very desktop oriented. Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them). Ubuntu 9.10 Server edition - I am not sure what to say here. While at first glance it seems to be an ideal solution a, free server distribution with a Canonical backing it up. However, the setup of some packages seems to us odd, overly complicated and arbitrary. openSUSE - not tied, but some concerns over the Novel /Microsoft deal. Thanks in advance John A Personally, Debian Stable (currently Lenny) is my Linux of choice for production system. Package management via apt is second to none and everything is very well documented with a willing and able community for support. 
Why restate whats already written: http://www.debian.org/intro/why_debian When it comes down to it, the best distro is the one you know how to use. I would start with a distro that you are most comfortable with and know how to use the best. Good luck and kind regards, _Terry I took a quick look at Debian, but as it was very similar to Ubuntu (which I know is based on Debian) it looked to have the same problems from our perspective. An example, from the Postfix setup was the replacement of the LMTP process binary with a symlink to the SMTP binary. This may not be a real problem, perhaps the two binaries are the same, and Debian/Ubuntu are being smart, but as I could not find a rational for the change I have to wonder if this may be a problem in the future. Other examples are the strange reconfiguration of the Amavisd config files, changes to SASL setup, all make us a little nervous.
Re: OT: need some advice as to distro
On 12/1/2009, Eero Volotinen (eero.voloti...@iki.fi) wrote: Are you really using lot of servers (like 100 pieces) with gentoo on production environment? No, only 3 - what made you think 'our in-house servers' meant hundreds? I do know a few people who manage them in the hundreds with some custom scripting. But with the right skill set, someone could do the same with pretty much any distro they wanted to use - Gentoo just makes lots of things a whole lot easier... ;)
Re: What Is Causing This Failure
On Tue, Dec 1, 2009 at 10:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> What is the output of traceroute 198.186.193.20 ?

I get no results from my mail server:

traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 40 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
 5 * * *
 . . .
29 * * *
30 * * *

Strange...
Re: OT: need some advice as to distro
On Tue, Dec 01, 2009 at 10:51:31AM -0500, John wrote: Terry L. Inzauro wrote: When it comes down to it, the best distro is the one you know how to use. I would start with a distro that you are most comfortable with and know how to use the best. +1 ... I started on Slackware and have not yet seen a need to change. I build Postfix from source, and regularly make upgrade to see what Wietse has been up to. He never disappoints me, it always works. I took a quick look at Debian, but as it was very similar to Ubuntu (which I know is based on Debian) it looked to have the same problems from our perspective. An example, from the Postfix setup was the replacement of the LMTP process binary with a symlink to the SMTP binary. This may not be a real problem, perhaps the two binaries are the Postfix rolled lmtp(8) into smtp(8) some years ago, but mine is a hard link, not a symlink. I don't think there's any reason a symlink would not work, but I don't see the benefit. Wastes an inode? same, and Debian/Ubuntu are being smart, but as I could not find a rational for the change I have to wonder if this may be a problem in the future. Other examples are the strange reconfiguration of the Amavisd config files, changes to SASL setup, all make us a little nervous. I agree, IMO Debian introduces too many bugs with their packaging decisions. I won't elaborate here because the whole thing was off topic to begin with, and Debian fans would try to counter. Let's say that I have lost much of the respect I had for Debian, and leave it at that. The bottom line is what Terry said, above. -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: OT: need some advice as to distro
On 01/12/2009 14:09, John wrote: Sorry to bring this here, but we are having trouble setting up a Postfix/dovecot mail system. Background: We are a bunch of retirees, so cost is a factor in any decision. We all have IT experience, some of going back decades, however the world of Linux and its software is new to us all. We used the cook book approach to setting up our first mail system. It uses Postfix/Dovecot on top of Fedora 8 and so far it works like a charm. While the cook-book approach got up and running fairly easily I think we missed out on the learning side of things. However, there is a growing concern about the basic OS slipping too far behind on important changes, the same goes for some of the packages we are planning on using, so we have started looking at alternatives. Try FreeBSD. http://www.freebsd.org/where.html - Mark
Re: What Is Causing This Failure
Perhaps your mail server is on a DNSBL? Regards Frog - Original Message - From: Carlos Williams carlosw...@gmail.com To: postfix-users@postfix.org Sent: Tuesday, 1 December, 2009 4:05:25 PM Subject: Re: What Is Causing This Failure On Tue, Dec 1, 2009 at 10:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote: What is the output of traceroute 198.186.193.20 ? I get no results from my mail server: traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 40 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * . . . 29 * * * 30 * * * Strange...
Re: What Is Causing This Failure
On Tue, 2009-12-01 at 16:27 +, Frog wrote: Perhaps your mail server is on a DNSBL? Regards Frog Nope, this is a problem at the ip level, routing. This is not a postfix or mail/smtp issue. - Original Message - From: Carlos Williams carlosw...@gmail.com To: postfix-users@postfix.org Sent: Tuesday, 1 December, 2009 4:05:25 PM Subject: Re: What Is Causing This Failure On Tue, Dec 1, 2009 at 10:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote: What is the output of traceroute 198.186.193.20 ? I get no results from my mail server: traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 40 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * . . . 29 * * * 30 * * * Strange...
Re: What Is Causing This Failure
Frog wrote:

> Perhaps your mail server is on a DNSBL?
>
> Regards
> Frog
>
> - Original Message -
> From: Carlos Williams carlosw...@gmail.com
> To: postfix-users@postfix.org
> Sent: Tuesday, 1 December, 2009 4:05:25 PM
> Subject: Re: What Is Causing This Failure
>
> On Tue, Dec 1, 2009 at 10:43 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
>> What is the output of traceroute 198.186.193.20 ?
>
> I get no results from my mail server:
>
> traceroute to 198.186.193.20 (198.186.193.20), 30 hops max, 40 byte packets
>  1 * * *
>  2 * * *
>  3 * * *
>  4 * * *
>  5 * * *
>  . . .
> 29 * * *
> 30 * * *
>
> Strange...

why all the off topic posts today?

---

chances are a router along the way is not forwarding icmp probes/responses correctly..

[10:39:23 r...@allover:~]# tcptraceroute 198.186.193.20 25
Selected device eth0, address 10.123.0.250, port 56230 for outgoing packets
Tracing the path to 198.186.193.20 on TCP port 25 (smtp), 30 hops max
 1 10.123.0.252 0.302 ms 0.133 ms 0.128 ms
 2 bizXX.sta.linkcity.org.XX.22.72.in-addr.arpa (72.22.XX.XX) 0.412 ms 0.315 ms 0.312 ms
 3 10.200.100.1 6.961 ms 0.499 ms 0.474 ms
 4 sl-gw16-kc-3-1.sprintlink.net (160.81.151.109) 0.564 ms 0.437 ms 0.491 ms
 5 sl-crs1-kc-0-5-0-0.sprintlink.net (144.232.11.152) 1.073 ms 0.827 ms 0.737 ms
 6 sl-crs1-chi-0-1-0-3.sprintlink.net (144.232.18.214) 12.008 ms 12.409 ms 11.996 ms
 7 sl-st20-chi-13-0-0.sprintlink.net (144.232.20.3) 11.603 ms 11.579 ms 11.569 ms
 8 144.232.8.114 11.715 ms 11.777 ms 11.657 ms
 9 ae-32-52.ebr2.Chicago1.Level3.net (4.68.101.62) 12.476 ms 21.324 ms 18.234 ms
10 ae-5.ebr2.Chicago2.Level3.net (4.69.140.194) 12.354 ms 12.639 ms 12.676 ms
11 ae-2-2.ebr2.Washington1.Level3.net (4.69.132.70) 33.594 ms 33.414 ms 33.252 ms
12 ae-62-62.csw1.Washington1.Level3.net (4.69.134.146) 46.577 ms 39.840 ms 35.910 ms
13 ae-1-69.edge2.Washington4.Level3.net (4.68.17.19) 33.635 ms 33.585 ms 33.636 ms
14 xe-0-2-0.cr1.iad1.us.nlayer.net (4.79.168.74) 33.761 ms 33.292 ms 73.096 ms
15 vl74.ar1.iad1.us.nlayer.net (69.31.31.190) 33.976 ms 33.986 ms 34.315 ms
16 as6450.vl134.ar1.iad1.us.nlayer.net (69.31.31.115) 33.968 ms 33.436 ms 33.511 ms
17 dns5.docforge.org (198.186.193.20) [open] 33.906 ms 33.987 ms 34.153 ms
[10:39:25 r...@allover:~]#
Re: Do i need any secure channel, if i'm using postfix to receive email only?
On Tue, Dec 01, 2009 at 12:37:47PM +, Arora, Sumit wrote: I'm using postfix for just receiving emails from network, do I need to enable TLS or anything else for building up a secure channel. I guess all this is required in case of my email clients connecting to my email server. Your question is far too vague to answer. You need to pose it in the context of one or more explicit use-cases, described with enough specificity so that the risk model is clear. There is no such thing as secure, there is only mitigates a list of threats considered in the design. What threats do you want to mitigate and in what cases? -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: mailto:majord...@postfix.org?body=unsubscribe%20postfix-users If my response solves your problem, the best way to thank me is to not send an it worked, thanks follow-up. If you must respond, please put It worked, thanks in the Subject so I can delete these quickly.
Re: What Is Causing This Failure
On Tue, Dec 1, 2009 at 11:42 AM, Terry L. Inzauro tinza...@ha-solutions.net wrote: why all the off topic posts today? I suspected this to be Postfix or Mail related so I posted here. It was determined with the help of the list it was not a MTA issue. Simple as that! Sorry for any inconvenience.
Re: A question about Postfix and virus scanning
Ali Majdzadeh put forth on 12/1/2009 12:25 AM: Dear friends, Thanks for this nice discussion. Actually, as a project, we are going to deliver an e-mail architecture which supports over 100 users. We use Postfix, courier-imap, amavisd-new, spamassassin and clamav and of course the tools needed to balance the load between multiple instances of the mentioned tools. We use specmail to test our architecture. Recently, we have introduced our intended e-mail filtering platform consisting amavisd-new, spamassassin and clamav to the architecture and we have observed significant delivery time decrease regarding Postifx. As a way out, we thought of the ways which made it possible to do offline virus scanning, but actually we have found that amavisd-new together with it's filtering tools is a serious performance bottleneck. I really appreciate suggestions regarding this scenario. Hi Ali, First off, this is an edge solution, correct? These Postfix servers are MX hosts? If so... I humbly, but seriously, suggest you hire Victor or another highly qualified Postfix engineer to assist you with architecting your 1 million user solution. Also, SpecMail 2009 is not a valid test of what your real world mail stream will be once you go live. You absolutely cannot rely on this benchmark to give you realistic feedback on the performance of your architecture. It doesn't, and cannot, simulate real spam streams. And spam attempts will be 50-90% of your real world connection load. Summary: SPECmail2009 The SPECmail2009 benchmark measures the ability of corporate e-mail systems to meet today's demanding e-mail users over fast corporate local area networks (LAN). The SPECmail2009 benchmark simulates corporate mail server workloads that range from 250 to 10,000 or more users, using industry standard SMTP and IMAP4 protocols. 
This e-mail server benchmark creates client workloads based on a 40,000 user corporation, and uses folder and message MIME structures that include both traditional office documents and a variety of rich media content. The benchmark also adds support for encrypted network connections using industry standard SSL v3.0 and TLS 1.0 technology. SPECmail2009 replaces all versions of SPECmail2008, first released in August 2008. The results from the two benchmarks are not comparable. With the availability of SPECmail2009, SPEC has retired the SPECmail2008 benchmark. SPEC will stop accepting new SPECmail2008 results as of the submission deadline on June 12, 2009.

For a 1 million user system, you absolutely need to kill 90%+ of your spam load _before_ piping inbound connections to your AS/AV content filter daemons. You are seeing why already with the results of this synthetic benchmark pumping only _legit_ mail through your system. Of your inbound spam, you should be able to kill on the order of 50-80% or more, with merely the following, _BEFORE_ piping to SpamAssassin, clamav, or amavisd-new:

smtpd_client_restrictions =
        reject_unknown_client_hostname
        reject_unauth_pipelining
smtpd_sender_restrictions =
        reject_non_fqdn_sender
smtpd_helo_required = yes
smtpd_helo_restrictions =
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unlisted_recipient
        reject_rbl_client zen.spamhaus.org
        check_policy_service inet:127.0.0.1:6

For a 1 million user site, you'll need to make arrangements with Spamhaus to get access to the Data Feed Service. The above usage example is for smaller sites with low query rates. You'd need to run rbldnsd on your postfix servers or mirror the Spamhaus zone(s) on a local dns server. That's beyond the scope of this email.

The policy service above is the Postfix greylisting daemon called postgrey. It is very effective against residential broadband infected PCs, or botnets. It will kill a ton of spam without consuming near the resources or content filters.

The bulk of efficient spam blocking is performed based on the following:

1. Client IP address reputation (think dnsbl, local block lists)
2. Client FCrDNS (PTR name), lack thereof or generic (think dsl/cable)
3. Improper HELO/EHLO string

SPECmail cannot simulate any of these things because they're all based on IP address or DNS. Let me say that again: SPECmail cannot simulate any of these things. Yet, they are the most important aspects of architecting an efficient large internet mail system because, again, 50-90% of an org's mail stream is spam.

The following simple header check will kill most spam from hijacked accounts at Yahoo, Google, Hotmail, and private orgs running the likes of Squirrelmail, etc:

header_checks = pcre:/etc/postfix/header_checks

/etc/postfix/header_checks

# Reject spam from compromised accounts/hosts
/^Received: from user / REJECT Compromised account

This is not a
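Added example, not part of the original message: a Python sketch of the three connection-level signals listed above (DNSBL reputation, FCrDNS, HELO sanity), evaluated against a constructed DNS table so it runs offline. `TableResolver`, `SAMPLE_DNS` and `evaluate` are hypothetical names, and the logic is a simplified approximation of what the named restrictions test, not Postfix's own code.

```python
import ipaddress
import re

# One DNS label or a dotted sequence of them (letters, digits, inner hyphens).
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


class TableResolver:
    """Stand-in for a DNS resolver: answers from a dict keyed by (name, type)."""

    def __init__(self, records):
        self.records = records

    def lookup(self, name, rtype):
        return list(self.records.get((name.rstrip(".").lower(), rtype), []))


def dnsbl_query_name(client_ip, zone):
    """203.0.113.77 + zone -> 77.113.0.203.zone (reversed octets or nibbles)."""
    ip = ipaddress.ip_address(client_ip)
    return ip.reverse_pointer.rsplit(".", 2)[0] + "." + zone


def fcrdns_ok(client_ip, dns):
    """Forward-confirmed reverse DNS: some PTR name must resolve back to the IP."""
    ip = ipaddress.ip_address(client_ip)
    rtype = "A" if ip.version == 4 else "AAAA"
    for name in dns.lookup(ip.reverse_pointer, "PTR"):
        for addr in dns.lookup(name, rtype):
            if ipaddress.ip_address(addr) == ip:
                return True
    return False


def helo_findings(helo, dns):
    """Return the HELO restrictions from the config above that would trigger."""
    if helo.startswith("[") and helo.endswith("]"):
        return []  # address literal; not treated as a hostname in this sketch
    name = helo.rstrip(".")
    found = []
    if "." not in name:
        found.append("reject_non_fqdn_helo_hostname")
    if not _HOSTNAME.match(name):
        found.append("reject_invalid_helo_hostname")
    elif not (dns.lookup(name, "A") or dns.lookup(name, "MX")):
        found.append("reject_unknown_helo_hostname")
    return found


def evaluate(client_ip, helo, dns, zone="zen.spamhaus.org"):
    """List every restriction that would reject, in client/helo/recipient order."""
    findings = []
    if not fcrdns_ok(client_ip, dns):
        findings.append("reject_unknown_client_hostname")
    findings += helo_findings(helo, dns)
    if dns.lookup(dnsbl_query_name(client_ip, zone), "A"):
        findings.append("reject_rbl_client " + zone)
    return findings


# Constructed records (documentation address ranges); not real DNS data.
SAMPLE_DNS = TableResolver({
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    # PTR that claims a name which does not resolve back to this client:
    ("5.100.51.198.in-addr.arpa", "PTR"): ["mail.example.org"],
    # Constructed DNSBL listing for a host with no PTR at all:
    ("77.113.0.203.zen.spamhaus.org", "A"): ["127.0.0.4"],
})

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"),
                     ("198.51.100.5", "mail.example.org"),
                     ("203.0.113.77", "localhost")]:
        print(ip, helo, evaluate(ip, helo, SAMPLE_DNS) or "accepted so far")
```

None of these checks reads message content, which is why they cost far less than a content filter and why a benchmark that replays legitimate mail cannot exercise them.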
Re: A question about Postfix and virus scanning
Stan, Thank you a lot for all these valuable information. Your reply proved that there exists some circumstances where nothing can help but experience. Thanks again. Regarding the points which had mentioned in your mail, I would like to ask a question concerning what Wietse proposed. Does the usage of milter help? I mean, is the milter architecture considered as a way to kill spam load _before_ piping inbound connections to AS/AV content filter daemons? Or, achieving that goal is just through configuring Postfix itself? Thanks again Stan. Warm Regards Ali Majdzadeh Kohbanani 2009/12/1 Stan Hoeppner s...@hardwarefreak.com Ali Majdzadeh put forth on 12/1/2009 12:25 AM: Dear friends, Thanks for this nice discussion. Actually, as a project, we are going to deliver an e-mail architecture which supports over 100 users. We use Postfix, courier-imap, amavisd-new, spamassassin and clamav and of course the tools needed to balance the load between multiple instances of the mentioned tools. We use specmail to test our architecture. Recently, we have introduced our intended e-mail filtering platform consisting amavisd-new, spamassassin and clamav to the architecture and we have observed significant delivery time decrease regarding Postifx. As a way out, we thought of the ways which made it possible to do offline virus scanning, but actually we have found that amavisd-new together with it's filtering tools is a serious performance bottleneck. I really appreciate suggestions regarding this scenario. Hi Ali, First off, this is an edge solution, correct? These Postfix servers are MX hosts? If so... I humbly, but seriously, suggest you hire Victor or another highly qualified Postfix engineer to assist you with architecting your 1 million user solution. Also, SpecMail 2009 is not a valid test of what your real world mail stream will be once you go live. You absolutely cannot rely on this benchmark to give you realistic feedback on the performance of your architecture. 
It doesn't, and cannot, simulate real spam streams. And spam attempts will be 50-90% of your real world connection load. Summary: SPECmail2009 The SPECmail2009 benchmark measures the ability of corporate e-mail systems to meet today's demanding e-mail users over fast corporate local area networks (LAN). The SPECmail2009 benchmark simulates corporate mail server workloads that range from 250 to 10,000 or more users, using industry standard SMTP and IMAP4 protocols. This e-mail server benchmark creates client workloads based on a 40,000 user corporation, and uses folder and message MIME structures that include both traditional office documents and a variety of rich media content. The benchmark also adds support for encrypted network connections using industry standard SSL v3.0 and TLS 1.0 technology. SPECmail2009 replaces all versions of SPECmail2008, first released in August 2008. The results from the two benchmarks are not comparable. With the availability of SPECmail2009, SPEC has retired the SPECmail2008 benchmark. SPEC will stop accepting new SPECmail2008 results as of the submission deadline on June 12, 2009. For a 1 million user system, you absolutely need to kill 90%+ of your spam load _before_ piping inbound connections to your AS/AV content filter daemons. You are seeing why already with the results of this synthetic benchmark pumping only _legit_ mail through your system. 
Of your inbound spam, you should be able to kill on the order of 50-80% or more, with merely the following, _BEFORE_ piping to SpamAssassin, clamav, or amavisd-new:

smtpd_client_restrictions =
        reject_unknown_client_hostname
        reject_unauth_pipelining
smtpd_sender_restrictions =
        reject_non_fqdn_sender
smtpd_helo_required = yes
smtpd_helo_restrictions =
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unlisted_recipient
        reject_rbl_client zen.spamhaus.org
        check_policy_service inet:127.0.0.1:6

For a 1 million user site, you'll need to make arrangements with Spamhaus to get access to the Data Feed Service. The above usage example is for smaller sites with low query rates. You'd need to run rbldnsd on your postfix servers or mirror the Spamhaus zone(s) on a local dns server. That's beyond the scope of this email.

The policy service above is the Postfix greylisting daemon called postgrey. It is very effective against residential broadband infected PCs, or botnets. It will kill a ton of spam without consuming near the resources or content filters.

The bulk of efficient spam blocking is performed based on the following:

1. Client IP address reputation (think dnsbl, local block lists)
2. Client FCrDNS (PTR name), lack thereof or generic (think dsl/cable)
3. Improper
Re: OT: need some advice as to distro
John Peach wrote: On Tue, 01 Dec 2009 16:30:36 +0200 Eero Volotinen eero.voloti...@iki.fi wrote: Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them). Centos 5.x is my selection. You can also use packages from epel and dag's rpm repositories. It suffers from Red Hat's liking for sendmail. The postfix package is aeons old. I would go with Ubuntu (probably 9.04 which is a long-term support version). Since we're talking linux distros I've used redhat, fedora, suse/sles, slackware and others and while they all have their strong points I prefer debian or ubuntu LTS for server deployments if at all possible. Package management is a snap, everything just works. BTW ubuntu 8.04 is the most recent LTS release, 10.04 next spring will be the next. Joe
Re: What Is Causing This Failure
Carlos Williams put forth on 12/1/2009 9:32 AM:

> I am unable to connect via Telnet so it appears to be a network / ISP issue.
>
> car...@tunafish:~$ telnet 198.186.193.20 25
> Trying 198.186.193.20...
> telnet: Unable to connect to remote host: No route to host

Definitely a network problem between you and the remote host. Works fine here in the US:

greer:/etc/postfix# ping 198.186.193.20
PING 198.186.193.20 (198.186.193.20) 56(84) bytes of data.
64 bytes from 198.186.193.20: icmp_seq=1 ttl=51 time=79.1 ms
64 bytes from 198.186.193.20: icmp_seq=2 ttl=51 time=78.9 ms
64 bytes from 198.186.193.20: icmp_seq=3 ttl=51 time=78.7 ms
64 bytes from 198.186.193.20: icmp_seq=4 ttl=51 time=78.7 ms
^C
--- 198.186.193.20 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3012ms
rtt min/avg/max/mdev = 78.729/78.883/79.151/0.263 ms

greer:/etc/postfix# telnet 198.186.193.20 25
Trying 198.186.193.20...
Connected to 198.186.193.20.
Escape character is '^]'.
220 share.docforge.org ESMTP Postfix
quit
221 2.0.0 Bye

--
Stan
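Added example, not written by any poster in this thread: the telnet tests above produced three different outcomes ("No route to host", "Operation timed out", and a 220 greeting), and this Python probe makes the same TCP connection and maps each outcome to the layer worth checking. `probe_smtp`, `classify_connect_error` and the two local fixtures are hypothetical names; the fixtures are constructed so the block runs offline.

```python
import errno
import socket
import threading

# errno from connect() -> short verdict.
ERRNO_VERDICT = {
    errno.EHOSTUNREACH: "no-route",   # telnet: "No route to host"
    errno.ENETUNREACH: "no-route",
    errno.ECONNREFUSED: "refused",
}

HINTS = {
    "no-route": "ICMP unreachable came back or no local route exists: "
                "check routing and firewalls on the path, not the MTA",
    "timeout": "packets are being dropped silently, e.g. outbound port 25 "
               "filtered by the ISP or a firewall",
    "refused": "host is reachable but nothing accepts connections on the port",
}


def classify_connect_error(exc):
    """Map an OSError raised by connect() to (verdict, hint)."""
    if isinstance(exc, socket.timeout) or exc.errno == errno.ETIMEDOUT:
        return ("timeout", HINTS["timeout"])
    verdict = ERRNO_VERDICT.get(exc.errno, "error")
    return (verdict, HINTS.get(verdict, str(exc)))


def probe_smtp(host, port=25, timeout=5.0):
    """Connect, read the greeting, and return (verdict, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return classify_connect_error(exc)
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
    if not banner:
        return ("no-banner", "TCP handshake completed but no SMTP greeting arrived")
    if banner.startswith("220"):
        return ("ok", banner)
    return ("unexpected-banner", banner)


def start_banner_server(banner):
    """Constructed fixture: one-shot listener on 127.0.0.1 that sends `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Constructed fixture: a loopback port with no listener behind it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    good = start_banner_server(b"220 mx.example.test ESMTP Postfix\r\n")
    print(probe_smtp("127.0.0.1", good))
    print(probe_smtp("127.0.0.1", closed_port()))
    print(classify_connect_error(OSError(errno.EHOSTUNREACH, "No route to host")))
```

Running the probe from the mail server itself matters, because the result describes the path from the probing host only.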
Re: A question about Postfix and virus scanning
Ali Majdzadeh: question concerning what Wietse proposed. Does the usage of milter help? I mean, is the milter architecture considered as a way to kill spam load _before_ piping inbound connections to AS/AV content filter daemons? Or, Milter is a way to inspect or update message content without making extra copies of the message. It has some scaling issues 1) it processes mail before-queue, which some will find a feature and 2) all requests are handled by one Milter process; the latter may be addressed by using a third-party multiplexer that spreads requests across multiple milter process instances. As a general rule, the earlier you can block mail, the better. In some countries, the inbound SMTP session is the only place where you can block incoming mail, because mail cannot be discarded. The postscreen program (www.postfix.org/wip.html) takes this a little further by keeping the bots away from the SMTP server. Unfortunately, I can't be of much further help here. 1M users is a thousand times beyond my first-hand experience, and that was before SPAM became a problem. Wietse
Re: OT: need some advice as to distro
On Tue, 01 Dec 2009 09:39:06 -0500 John Peach post...@johnpeach.com wrote: On Tue, 01 Dec 2009 16:30:36 +0200 Eero Volotinen eero.voloti...@iki.fi wrote: Centos 5.4 - while it looks like a good choice, there has been some political infighting going on recently which makes us a little nervous about its future. In addition we have found that a number of the core packages we wish to use are out of date (postfix, dovecot, amavisd-new among them). Centos 5.x is my selection. You can also use packages from epel and dag's rpm repositories. It suffers from Red Hat's liking for sendmail. The postfix package is aeons old. I would go with Ubuntu (probably 9.04 which is a long-term support version). It's actually 8.04 that's LTS. The next release (10.04) will be also LTS (5 years). I am in favor of Ubuntu Server for Postfix related uses. Postfix is the standard MTA, so it's use is well documented, pretty much everything you might want to add on to Postfix is packaged so there's no need to hunt down external repositories, and it benifits both from Debian's strong package management system and well maintained Postfix package. Scott K
Re: A question about Postfix and virus scanning
Wietse,
Hi
Thanks for your reply. I recall that I had read about another filtering option available in Postfix which was called smtpd_proxy_filter (if I spell it correctly) and which filtered messages before queuing. So, is there any difference between the so-called method and using Milter?
Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/12/1 Wietse Venema wie...@porcupine.org

> Ali Majdzadeh:
> > question concerning what Wietse proposed. Does the usage of milter help? I mean, is the milter architecture considered as a way to kill spam load _before_ piping inbound connections to AS/AV content filter daemons? Or,
>
> Milter is a way to inspect or update message content without making extra copies of the message. It has some scaling issues 1) it processes mail before-queue, which some will find a feature and 2) all requests are handled by one Milter process; the latter may be addressed by using a third-party multiplexer that spreads requests across multiple milter process instances.
>
> As a general rule, the earlier you can block mail, the better. In some countries, the inbound SMTP session is the only place where you can block incoming mail, because mail cannot be discarded.
>
> The postscreen program (www.postfix.org/wip.html) takes this a little further by keeping the bots away from the SMTP server.
>
> Unfortunately, I can't be of much further help here. 1M users is a thousand times beyond my first-hand experience, and that was before SPAM became a problem.
>
> Wietse
Re: A question about Postfix and virus scanning
Ali Majdzadeh:
> Wietse,
> Hi
> Thanks for your reply. I recall that I had read about another filtering option available in Postfix which was called smtpd_proxy_filter (if I spell it correctly) and which filtered messages before queuing. So, is there any difference between the so-called method and using Milter?
> Thanks again.

Both Milter and smtpd_proxy_filter process mail before it is queued. The smtpd_proxy_filter approach is more general (it uses SMTP instead of the Milter protocol). I haven't done performance comparisons.

If your performance is inadequate, I suggest that you do a detailed system performance analysis to find out if the limit is CPU, memory, file I/O or perhaps some trivial DNS configuration problem.

Wietse
Re: A question about Postfix and virus scanning
Wietse,
Thanks for all these useful points. I will inform the list about the results of our tests regarding the issue.

Warm Regards
Ali Majdzadeh Kohbanani

2009/12/1 Wietse Venema wie...@porcupine.org

> Ali Majdzadeh:
> > Wietse,
> > Hi
> > Thanks for your reply. I recall that I had read about another filtering option available in Postfix which was called smtpd_proxy_filter (if I spell it correctly) and which filtered messages before queuing. So, is there any difference between the so-called method and using Milter?
> > Thanks again.
>
> Both Milter and smtpd_proxy_filter process mail before it is queued. The smtpd_proxy_filter approach is more general (it uses SMTP instead of the Milter protocol). I haven't done performance comparisons.
>
> If your performance is inadequate, I suggest that you do a detailed system performance analysis to find out if the limit is CPU, memory, file I/O or perhaps some trivial DNS configuration problem.
>
> Wietse
Re: OT: need some advice as to distro
Scott Kitterman put forth on 12/1/2009 12:22 PM:

> I am in favor of Ubuntu Server for Postfix related uses. Postfix is the standard MTA, so its use is well documented, pretty much everything you might want to add on to Postfix is packaged so there's no need to hunt down external repositories, and it benefits both from Debian's strong package management system and well maintained Postfix package.

Half your argument is based on Debian features. Why not just use Debian then, instead of Ubuntu? Especially for a headless server?

I've been a Debian (non-GUI) user for almost 10 years. I've never touched Ubuntu, or any other distro. Debian has always come through for my server needs, so I've never considered anything else.

Convince me why I should switch my Postfix server environment from Debian to Ubuntu. I'm curious to see how compelling your argument is.

--
Stan
Re: OT: need some advice as to distro
Stan Hoeppner wrote:

> Half your argument is based on Debian features.

Which are also, therefore, ubuntu features.

> Why not just use Debian then, instead of Ubuntu?

Because enterprise support is available for ubuntu, and also, if someone is familiar with ubuntu desktop already it makes sense for them to deploy ubuntu server if servers are needed.

> Especially for a headless server?

What difference does it make if the server is headless? How would that be an advantage for debian?

> I've been a Debian (non-GUI) user for almost 10 years. I've never touched Ubuntu, or any other distro. Debian has always come through for my server needs, so I've never considered anything else. Convince me why I should switch my Postfix server environment from Debian to Ubuntu. I'm curious to see how compelling your argument is.

If you're happy with debian then there's no point - but let's turn the question around: Convince me why I should switch from ubuntu to debian. Let's see what arguments you have.

Joe
Re: OT: need some advice as to distro
On Tue, Dec 1, 2009 at 4:15 PM, Joe j...@tmsusa.com wrote:

> Stan Hoeppner wrote:
> > I've been a Debian (non-GUI) user for almost 10 years. I've never touched Ubuntu, or any other distro. Debian has always come through for my server needs, so I've never considered anything else. Convince me why I should switch my Postfix server environment from Debian to Ubuntu. I'm curious to see how compelling your argument is.
>
> If you're happy with debian then there's no point - but let's turn the question around: Convince me why I should switch from ubuntu to debian. Let's see what arguments you have.
>
> Joe

How about you both realize that neither of you has enough information to make an objective decision, and that any kind of arguments you can come up with has more to do with what you're familiar with than anything else, and continuing the discussion along these lines only amounts to a holy war and nothing else.

As for the original question, it all comes down to what you are comfortable with. The 2 main runners here are CentOS and Ubuntu. I've heard good things about Ubuntu but haven't tried it much. I use CentOS for all of my servers, and the main reason is that it's based on Redhat, and Redhat is the main Linux distro that all the big companies support. I'm not saying that they don't also support other distros, just that Redhat is usually first on the list. The yum package manager works quite well, and the days are long gone when there were dependency issues with rpms.

I have very strong feelings against installing things from source, unless they are first built into a package. You want to be spending your time running the server and doing other things, not patting yourself on the back because you compiled all of your own packages.
Re: OT: need some advice as to distro
Brian Mathis wrote:

> On Tue, Dec 1, 2009 at 4:15 PM, Joe j...@tmsusa.com wrote:
> > Stan Hoeppner wrote:
> > > I've been a Debian (non-GUI) user for almost 10 years. I've never touched Ubuntu, or any other distro. Debian has always come through for my server needs, so I've never considered anything else. Convince me why I should switch my Postfix server environment from Debian to Ubuntu. I'm curious to see how compelling your argument is.
> >
> > If you're happy with debian then there's no point - but let's turn the question around: Convince me why I should switch from ubuntu to debian. Let's see what arguments you have.
> >
> > Joe
>
> How about you both realize that neither of you has enough information to make an objective decision, and that any kind of arguments you can come up with has more to do with what you're familiar with than anything else, and continuing the discussion along these lines only amounts to a holy war and nothing else.
>
> As for the original question, it all comes down to what you are comfortable with. The 2 main runners here are CentOS and Ubuntu. I've heard good things about Ubuntu but haven't tried it much.

with all due respect - would you please keep this very off topic noise from this usually very informative and helpful mailing list?

If you don't fulfill my plea, I promise that I will claim that postfix runs best under cygwin ...

--
Udo Rader, CTO
http://www.bestsolution.at
http://riaschissl.blogspot.com
Re: A question about Postfix and virus scanning
Stan Hoeppner:
> Wietse Venema put forth on 12/1/2009 1:20 PM:
> > If your performance is inadequate, I suggest that you do a detailed system performance analysis to find out if the limit is CPU, memory, file I/O or perhaps some trivial DNS configuration problem.
>
> That may be difficult for the OP to provide. From all I've read, his perceived performance degradation is being generated by a synthetic load test application, SPECmail 2009, in a _lab_ environment, so DNS isn't even in the testing. SPECmail 2009 is designed to test internal

Surely, mail is injected via SMTP, and therefore, the Postfix SMTP server will attempt to lookup the client hostname and IP address; since they are using SMTP-based content filters, that is another source of name service lookups.

All this presents a load on name service. I have seen enough to know that a bad DNS configuration can do wonders for performance.

Wietse
Re: OT: need some advice as to distro
Udo Rader wrote:

> Brian Mathis wrote:
> > On Tue, Dec 1, 2009 at 4:15 PM, Joe j...@tmsusa.com wrote:
> > > Stan Hoeppner wrote:
> > > > I've been a Debian (non-GUI) user for almost 10 years. I've never touched Ubuntu, or any other distro. Debian has always come through for my server needs, so I've never considered anything else. Convince me why I should switch my Postfix server environment from Debian to Ubuntu. I'm curious to see how compelling your argument is.
> > >
> > > If you're happy with debian then there's no point - but let's turn the question around: Convince me why I should switch from ubuntu to debian. Let's see what arguments you have.
> > >
> > > Joe
> >
> > How about you both realize that neither of you has enough information to make an objective decision, and that any kind of arguments you can come up with has more to do with what you're familiar with than anything else, and continuing the discussion along these lines only amounts to a holy war and nothing else.
> >
> > As for the original question, it all comes down to what you are comfortable with. The 2 main runners here are CentOS and Ubuntu. I've heard good things about Ubuntu but haven't tried it much.
>
> with all due respect - would you please keep this very off topic noise from this usually very informative and helpful mailing list?

Agreed, it wandered too far OT... end of thread, follow-ups to PM.

Joe
Re: A question about Postfix and virus scanning
Wietse Venema put forth on 12/1/2009 3:47 PM:

> Surely, mail is injected via SMTP, and therefore, the Postfix SMTP server will attempt to lookup the client hostname and IP address; since they are using SMTP-based content filters, that is another source of name service lookups.
>
> All this presents a load on name service. I have seen enough to know that a bad DNS configuration can do wonders for performance.

Assuming the test streams are generated by a handful of SPECmail load generator hosts, the hostnames and addresses of those client machines would quickly be cached, no? That doesn't generate a real world SMTP DNS scenario, does it? The handful of names and IPs would only be a minute fraction of the real world client variety, and I would assume DNS delays would be minimal in this test environment.

I guess it's always possible that the local resolvers he's testing with could have a problem, if that's what you mean.

--
Stan
Re: A question about Postfix and virus scanning
Stan Hoeppner:
> Wietse Venema put forth on 12/1/2009 3:47 PM:
> > Surely, mail is injected via SMTP, and therefore, the Postfix SMTP server will attempt to lookup the client hostname and IP address; since they are using SMTP-based content filters, that is another source of name service lookups.
> >
> > All this presents a load on name service. I have seen enough to know that a bad DNS configuration can do wonders for performance.
>
> Assuming the test streams are generated by a handful of SPECmail load generator hosts, the hostnames and addresses of those client machines would quickly be cached, no?

I can assure you that there is no such caching in the Postfix SMTP server before the SMTP-based content filter, and not in the Postfix SMTP server after the SMTP-based content filter.

In addition, Postfix and content filters may do other DNS lookups for reputation etc.

Ideally, name/address/reputation lookups will have only minimal impact, but I was explicitly not talking about ideal configurations when I wrote:

    If your performance is inadequate, I suggest that you do a detailed system performance analysis to find out if the limit is CPU, memory, file I/O or perhaps some trivial DNS configuration problem.

I would not be so quick to dismiss DNS-related problems out of hand in scenarios that involve synthetic email messages.

Wietse
Re: A question about Postfix and virus scanning
Wietse Venema put forth on 12/1/2009 6:17 PM:

> I would not be so quick to dismiss DNS-related problems out of hand in scenarios that involve synthetic email messages.

Ok, I follow you now Wietse. Given the inbound mail load he's generating, the DNS resolvers in his test environment may not be able to keep up with the query load generated by the receiving Postfix servers.

Oh, when I was talking about caching earlier, I was referring to caching done by his resolvers, not by Postfix or the underlying OS. My assumption was that if his resolvers were local (likely given a test environment) that they'd respond faster than in a real world mail scenario, given that the test clients were likely few in number, thus less work and/or latency for the resolvers.

--
Stan
Re: OT: need some advice as to distro
On Tue, Dec 1, 2009 at 2:20 PM, John j...@klam.ca wrote:

> Thank you all for your input, having looked at the responses and discussed amongst ourselves and as I am the grunt doing the work, we will probably go with Centos. Some of our reasoning was, it's close to Fedora so we have some experience, there are several third party repositories that carry the latest packages and it's fairly well documented. That said, I think I will set up an Ubuntu server as an experiment just to see how difficult/different it is in setup and operate.
>
> Once again thank you all
> John A

In the end it doesn't matter. Just as long as you edit your configs with vi, wait no EMACS oh damn.

-B
postscreen dnsblog problem
freebsd 7.2
mail_version = 2.7-20091008

out of 6 postscreen machines, I've got one that every 20 or 30 minutes just halts, port 25 is dead (several monit agents see it dead), then it starts off by itself after a few minutes, dumping a bunch of these in maillog:

    warning: postscreen_dnsbl_query: connect to dnsblog service: Connection refused

master:

    dnsblog unix - - n - 0 dnsblog
    smtp inet n - - - 1 postscreen
    smtpd pass - - - - 200 smtpd

main:

    postscreen_blacklist_networks = mysql:/usr/local/etc/postfix/mysql-mta_clients_reactive_b.cf
    postscreen_blacklist_action = drop
    postscreen_cache_map = btree:$data_directory/ps_cache
    postscreen_cache_ttl = 1d
    postscreen_dnsbl_action = drop
    postscreen_dnsbl_sites = zen.spamhaus.org, b.barracudacentral.org, ix.dnsbl.manitu.net
    postscreen_greet_action = drop
    postscreen_greet_banner = $smtpd_banner
    postscreen_greet_wait = 10s
    postscreen_hangup_action = drop
    postscreen_post_queue_limit = $default_process_limit
    postscreen_pre_queue_limit = $default_process_limit
    postscreen_whitelist_networks = $mynetworks, mysql:/usr/local/etc/postfix/mysql-mta_clients_w.cf

congrats on the great innovation of postscreen. Extremely effective

request: add a param so that we can specify a dnsbl rank = x where the IP must have x RBL hits to provoke drop.

Len
__
IMGate OpenSource Mail Firewall www.IMGate.net
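The request at the end of the post above is for a hit threshold across several DNSBLs. The Python below is an added example, not Postfix code and not part of the original post; it shows the counting logic, including the case where a DNSBL lookup itself fails. The function names, the stub resolver, the sample records and the treatment of 127.255.255.0/24 as error codes are assumptions made for the illustration.

```python
"""Count DNSBL listings for a client and apply a drop threshold (offline demo)."""
import ipaddress

# Zones from the postscreen_dnsbl_sites setting quoted in the post.
ZONES = ["zen.spamhaus.org", "b.barracudacentral.org", "ix.dnsbl.manitu.net"]

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # "listed" answers live here
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # assumption: error codes, not listings


def dnsbl_query_name(client_ip, zone):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listing(answer):
    """True only for an A record that means 'this client is listed'."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return ip.version == 4 and ip in LISTED_NET and ip not in ERROR_NET


def score_client(client_ip, zones, resolve, threshold):
    """Return (action, hit_zones, failed_zones).

    resolve(name) returns a list of A-record strings ([] for NXDOMAIN) and
    raises OSError when the lookup itself fails (timeout, refused connection).
    """
    hits, failed = [], []
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(client_ip, zone))
        except OSError:
            failed.append(zone)  # a failed lookup is not evidence of a listing
            continue
        if any(is_listing(a) for a in answers):
            hits.append(zone)
    action = "drop" if len(hits) >= threshold else "pass"
    return action, hits, failed


# Constructed sample answers standing in for DNS (documentation address ranges).
SAMPLE_RECORDS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.b.barracudacentral.org": ["127.0.0.2"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],
    "5.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code, ignored
    "5.113.0.203.ix.dnsbl.manitu.net": ["127.0.0.2"],
}
UNREACHABLE = {"5.113.0.203.b.barracudacentral.org"}  # constructed lookup failure


def sample_resolve(name):
    """Hypothetical resolver stub so the example runs without network access."""
    if name in UNREACHABLE:
        raise ConnectionRefusedError(name)
    return SAMPLE_RECORDS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, score_client(ip, ZONES, sample_resolve, threshold=2))
```

Postfix 2.8 and later expose this kind of cutoff as the postscreen_dnsbl_threshold parameter.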
Re: OT: need some advice as to distro
On Tuesday 01 December 2009, Terry L. Inzauro wrote: snip Personally, Debian Stable (currently Lenny) is my Linux of choice for production system. Package management via apt is second to none and everything is very well documented with a willing and able community for support. Why restate what's already written: http://www.debian.org/intro/why_debian When it comes down to it, the best distro is the one you know how to use. I would start with a distro that you are most comfortable with and know how to use the best. After using RPM based distros for years I didn't know it could get better. That is until I tried Debian. I have installed and still maintain tens of servers and now I cringe when I have to work with RPM based distros. It just takes too much time. I thought Ubuntu LTS would be better but I have had more problems with it than Debian. For example, doing a distribution upgrade has rendered a system unbootable and made me boot from CD to fix it. I have never had a problem upgrading Debian. I have even upgraded several remotely without a problem. Try upgrading RH 3 to 4 to 5 remotely or otherwise. I don't know anyone who has worked with both Debian and RPM based distros enough to get good at them and chose to run RH or Centos. The worst thing about Debian is it comes default with Exim so I have to always do this: # apt-get --purge install postfix And that's it! Regards, David Koski da...@kosmosisland.com
Re: OT: need some advice as to distro
David Koski put forth on 12/1/2009 10:45 PM:

> For example, doing a distribution upgrade has rendered a system unbootable and made me boot from CD to fix it. I have never had a problem upgrading Debian. I have even upgraded several remotely without a problem. Try upgrading RH 3 to 4 to 5 remotely or otherwise. I don't know anyone who has worked with both Debian and RPM based distros enough to get good at them and chose to run RH or Centos.

I've in-place upgraded a couple of systems over the years from Woody all the way to Lenny (3 distribution upgrades) without any serious issues, including compiling and installing new custom kernels along the way (I do _only_ custom kernels). Sticking with LILO instead of trying to replace it with grub probably avoided many potential problems. Sticking with non initrd custom kernels allows me to keep using LILO. I hope I can use LILO forever. Probably wishful thinking. :)

BTW, don't you really mean?

    # apt-get purge exim
    # apt-get install postfix

;)

--
Stan
Re: OT: need some advice as to distro
On Tuesday 01 December 2009, Stan Hoeppner wrote:

> BTW, don't you really mean?
>
>     # apt-get purge exim
>     # apt-get install postfix

Last I tried I couldn't remove the MTA without replacement. The one-liner

    apt-get --purge install postfix

installs postfix and purges exim without complaining about not having an MTA.

Regards,
David
Re: OT: need some advice as to distro
Quoting David Koski da...@kosmosisland.com:

> On Tuesday 01 December 2009, Stan Hoeppner wrote:
> > BTW, don't you really mean?
> >
> >     # apt-get purge exim
> >     # apt-get install postfix
>
> Last I tried I couldn't remove the MTA without replacement. The one-liner
>
>     apt-get --purge install postfix
>
> installs postfix and purges exim without complaining about not having an MTA.

Maybe it's now time to stop this offtopic message thread.

--
Eero
Re: OT: need some advice as to distro
David Koski wrote:

> On Tuesday 01 December 2009, Stan Hoeppner wrote:
> > BTW, don't you really mean?
> >
> >     # apt-get purge exim
> >     # apt-get install postfix
>
> Last I tried I couldn't remove the MTA without replacement. The one-liner
>
>     apt-get --purge install postfix
>
> installs postfix and purges exim without complaining about not having an MTA.

Correct. You have to let apt remove exim during the process of installing postfix or it'll fail because some kind of MTA is mandatory.

First thing I do with any Debian install as well.

~Seth
Re: OT: need some advice as to distro
Quoting Eero Volotinen eero.voloti...@iki.fi:

> Quoting David Koski da...@kosmosisland.com:
> > On Tuesday 01 December 2009, Stan Hoeppner wrote:
> > > BTW, don't you really mean?
> > >
> > >     # apt-get purge exim
> > >     # apt-get install postfix
> >
> > Last I tried I couldn't remove the MTA without replacement. The one-liner
> >
> >     apt-get --purge install postfix
> >
> > installs postfix and purges exim without complaining about not having an MTA.
>
> Maybe it's now time to stop this offtopic message thread.

True. This thread now sees /dev/null.