RE: suppress NDRs from spoofed sender
So I'm very new to postfix, however I have a feeling that the Regex stuff can be done via some scripts. I guess that's how the Python SPF checkers work... But as I said, I'm new to postfix so I could be way off target. -Original Message- From: owner-postfix-us...@postfix.org on behalf of David Koski Sent: Mon 2/15/2010 03:19 To: postfix-users@postfix.org Subject: Re: suppress NDRs from spoofed sender On Tuesday 19 January 2010, Ansgar Wiechers wrote: On 2010-01-18 David Koski wrote: My mail server has been getting a fair amount of spam hits that have been rejected but the sender address is spoofed with the recipient's address. This generates an NDR to the recipient with the spam. I would like to suppress NDRs of this kind but not legitimate NDRs. What I'm doing is this: - store a hash of From:, To: and Date: header of all outgoing mail - accept all bounces that include From:, To: and Date: headers whose hash matches a stored hash - remove stored hashes older than 4 days This method does lead to rejection of valid bounces that don't include the above mentioned headers. However, I consider those bounces useless anyway. How about something more simple: test for From: is the same as To: and is from MAILER-DAEMON: grep ^From:.*da...@kosmosisland.com $test \ grep Return-Path:.*MAILER-DAEMON $test \ grep ^To:.*da...@kosmosisland.com $test ..where $test is the email file to scan. But can this be done with Postfix? Regards, David Koski da...@kosmosisland.com
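The hash-matching scheme quoted in the message above (store a hash of From:, To: and Date: for outgoing mail, accept only bounces that return those headers, expire after 4 days) can be sketched as follows. This is an added example, not code from any poster in the thread; the class and function names, the SHA-256 choice and the sample messages are assumptions, and hooking it into Postfix (for example as a content filter) is left out.

```python
import hashlib
from email import message_from_string

RETENTION = 4 * 24 * 3600  # seconds; "remove stored hashes older than 4 days"


def fingerprint(msg):
    """SHA-256 over the From:, To: and Date: headers, or None if one is missing."""
    values = []
    for name in ("From", "To", "Date"):
        value = msg.get(name)
        if value is None:
            return None
        values.append(" ".join(str(value).split()))  # undo header folding
    return hashlib.sha256("\n".join(values).encode("utf-8")).hexdigest()


class BounceVerifier:
    """Hypothetical helper: remembers outgoing mail, vets incoming bounces."""

    def __init__(self, retention=RETENTION):
        self.retention = retention
        self.sent = {}  # fingerprint -> time the outgoing message was recorded

    def record_outgoing(self, raw, now):
        fp = fingerprint(message_from_string(raw))
        if fp is not None:
            self.sent[fp] = now
        return fp

    def expire(self, now):
        cutoff = now - self.retention
        self.sent = {fp: t for fp, t in self.sent.items() if t >= cutoff}

    def accept_bounce(self, raw, now):
        """True only if the bounce returns headers of mail we really sent."""
        self.expire(now)
        bounce = message_from_string(raw)
        for part in bounce.walk():
            if part is bounce:
                continue  # the bounce's own From:/To:/Date: do not count
            if part.get_content_type() == "text/rfc822-headers":
                # Headers-only return: the header block is the part's payload.
                payload = part.get_payload(decode=True) or b""
                part = message_from_string(payload.decode("utf-8", "replace"))
            if fingerprint(part) in self.sent:
                return True
        return False


# Constructed sample messages (not taken from the thread).
OUTGOING = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Date: Mon, 15 Feb 2010 10:00:00 +0000\n"
    "Subject: hello\n\nhi bob\n"
)
# Spam that forged alice as sender; she never sent it, so no hash is stored.
SPOOFED = (
    "From: alice@example.org\n"
    "To: alice@example.org\n"
    "Date: Mon, 15 Feb 2010 03:14:15 +0000\n"
    "Subject: buy now\n\nspam\n"
)


def make_bounce(original, headers_only=False):
    """Build a multipart/report NDR that returns `original` (or just its headers)."""
    if headers_only:
        ctype, body = "text/rfc822-headers", original.split("\n\n", 1)[0] + "\n"
    else:
        ctype, body = "message/rfc822", original
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: alice@example.org\n"
        "Date: Mon, 15 Feb 2010 10:05:00 +0000\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: " + ctype + "\n\n" + body + "\n--b1--\n"
    )
```

As the quoted message notes, a genuine bounce that returns neither the original message nor its headers is rejected by this check.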
Re: how to specify a default key in access(5)
* Stan Hoeppner s...@hardwarefreak.com: Wietse Venema put forth on 2/14/2010 12:52 PM: regexp:/etc/postfix/recipients.pcre ^^ Wietse is this a typo or am I about to learn something new about regexp/pcre interchangeability/compatibility in Postfix? I'm assuming in the example above that the .pcre file actually contains pcre syntax, not regexp syntax. It's a naming issue only. One would OF COURSE name pcre files .pcre and regexp files .regexp (or similar). -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: suppress NDRs from spoofed sender
Hi, In an older episode (Monday, 15. February 2010), David Koski wrote: grep ^From:.*da...@kosmosisland.com $test \ grep Return-Path:.*MAILER-DAEMON $test \ the Return-Path of an NDR is *not* .*MAILER-DAEMON.* - it is <>. mailer-daemon would be in the From-Header of the NDR Regards, wolfgang
Re: deliver problem ( Error: file_dotlock_create )
On 02/12/10 18:25, Stan Hoeppner wrote: Frank Bonnet put forth on 2/12/2010 10:05 AM: Hello all ( Postfix and Dovecot ) Trying to use deliver as mailbox_command with Postfix I get this error each time an email is arriving deliver(): Error: file_dotlock_create(/var/mail/) failed: Permission denied (euid=3003() egid=3010(smig) missing +w perm: /var/mail) (set mail_privileged_group=mail) Does this mean I have to chmod 777 the /var/mail directory ? If you're using dovecot mbox format but are not going to use sieve etc, then just have Postfix local drop the mail. That's what I do. Works great. Hello Well I do use sieve to let Roundcube build email filters ...
Re: deliver problem ( Error: file_dotlock_create )
Frank Bonnet put forth on 2/15/2010 3:10 AM: On 02/12/10 18:25, Stan Hoeppner wrote: Frank Bonnet put forth on 2/12/2010 10:05 AM: Hello all ( Postfix and Dovecot ) Trying to use deliver as mailbox_command with Postfix I get this error each time an email is arriving deliver(): Error: file_dotlock_create(/var/mail/) failed: Permission denied (euid=3003() egid=3010(smig) missing +w perm: /var/mail) (set mail_privileged_group=mail) Does this mean I have to chmod 777 the /var/mail directory ? No. And never use 777. Avoid it at all costs. Well I do use sieve to let Roundcube build email filters ... In that case I believe the answer is possibly in the error message itself: (set mail_privileged_group=mail) From /etc/dovecot/dovecot/conf: # Group to enable temporarily for privileged operations. Currently this is # used only with INBOX when either its initial creation or dotlocking fails. # Typically this is set to mail to give access to /var/mail. mail_privileged_group = mail It appears your deliver process isn't running with the proper credentials to allow writing (+w in the err) to the user mail files. The error message, I believe, is telling you to set mail_privileged_group=mail in dovecot.conf Give that a shot and see if it fixes the problem. BTW, did this problem crop up on a production system, out of the blue? If so, did you make any changes, and what changes did you make? Or is this a new system and you're just setting it up? Or did you just switch from Postfix local delivery to dovecot LDA and the problems started? -- Stan
Re: How to setup postfix to put the queued emails in hold (and not in deferred)
Hi Victor. Thanks for your reply. My problem is that I want to put all the emails in HOLD, apart the local one. As I said before, my installation is not exactly a standard one... I recognize local emails with: transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf where a database say me 'virtual' if the email is local, ':' otherwise. So I don't know how to say to postfix which email will not be HOLD... I'm quite lost at the moment... can you put me in the right way? Thanks Michele
Re: Postfix - Timeout While Sending End of Data (slightly OT)
On 15 February 2010 18:41, Stan Hoeppner s...@hardwarefreak.com wrote: I can't get to it without entering a CC and starting a 30 day trial. The bottom of the page is white space. I see no options anywhere on the page to get at the info without signing up. This is kinda by design isn't it? No pay, no play? It's the whole point of the Experts Exchange website is it not? Due to your membership and cookies, even if you aren't logged in, you're probably still seeing a different page than those without a membership and prior cookies already on the PC accessing the site. It's a no go. Apologies for pushing the OT thread. Experts Exchange is viewable (at least) from google searches. I'm pretty sure it's a referer-check, used to get plenty of good google-juice for their content. As a convenient side-effect, you can always scroll down to the bottom for the answers if you got there via google search. Hit the top result from this search, the answers will be visible. http://www.google.com/search?q=Disable+inspect+esmtp+on+ASA+5505
Re: asterisks in smtp banner
2010/2/15 Serge Fonville serge.fonvi...@gmail.com: Hi, I noticed with a couple of mail servers that the smtp greeting contains 220 followed by a lot of asterisks. When I do a check using mxtoolbox I get Warning - Reverse DNS does not match SMTP Banner How do I assure that the normal text is displayed instead of the asterisks? Well, ask the administrator of network to disable cisco smtp fixup? -- Eero
how to deny mail from specific domain
I want to deny incoming mail from domain blu0.hotmail.com. I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome and then I run postmap /etc/postfix/sender_access and postfix reload Is that enough?
Problems with SASL authentication throw dovecot
I use Dovecot for SASL authentication from Postfix. In Postfix main.cf I have: smtpd_sasl_type = dovecot It works good, but now I need to allow users to connect by IMAP only from given IP addresses. I've added extra field allow_nets to passdb in Dovecot, and IMAP authentication works fine. But now I can't connect to my SMTP server because when smtpd ask dovecot about user authentication, dovecot always denied it. Even if I try to connect to SMTP from correct IP, listed in allow_nets for user. In dovecot log I have messages about incorrect ip like this: dovecot: 2010-02-15 13:28:51 Info: auth(default): passwd-file(malamut): lookup: user=malamut file=/etc/dovecot/temp.users dovecot: 2010-02-15 13:28:51 Info: auth(default): passdb(malamut): allow_nets check failed: Remote IP not known dovecot: 2010-02-15 13:28:53 Info: auth(default): client out: FAIL 7 user=malamut Problem is clear: smtpd don't send client IP to dovecot authentication socket. But I need to limit the ability of connection to users only from specific IP. Both for SMTP and IMAP. How can I do that? I use dovecot 1.0.15 and Postfix 2.5.5 on Debian Lenny. As I understand, it's a postfix problem, not dovecot. Moreover, I've seen a patch for postfix, which say smtpd send client IP to dovecot socket, but only for 2.3.x - 2.4.x versions of Postfix, which is too old. So how can I solve this problem?
Re: asterisks in smtp banner
2010/2/15 Serge Fonville serge.fonvi...@gmail.com: Thanks for the replies How do I assure that the normal text is displayed instead of the asterisks? Well, ask the administrator of network to disable cisco smtp fixup? Turn off the SMTP protocol fixup in the Pix. I also found that as a solution. Unfortunately there is no pix in between. Only an ASA. I also found it might be related to inspect on ASAs, but again this is not enabled. http://www.binarywar.com/2009/11/cisco-pixasa-causes-smtp-banner-corruption/ Note that other end might also use cisco asa or pix before mailserver. -- Eero
Re: asterisks in smtp banner
Thanks for the reply How do I assure that the normal text is displayed instead of the asterisks? Well, ask the administrator of network to disable cisco smtp fixup? Turn off the SMTP protocol fixup in the Pix. I also found that as a solution. Unfortunately there is no pix in between. Only an ASA. I also found it might be related to inspect on ASAs, but again this is not enabled. http://www.binarywar.com/2009/11/cisco-pixasa-causes-smtp-banner-corruption/ Note that other end might also use cisco asa or pix before mailserver. Yes, I thought of that right after I clicked send. Thanks all Regards, Serge Fonville -- http://www.sergefonville.nl Convince Google!! They need to support Adsense over SSL https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528 http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923hl=en
Re: how to deny mail from specific domain
Ahh, someone here today with a Postfix question, not a Cisco one! ;) On Mon, Feb 15, 2010 at 12:57:40PM +0200, Aggelos wrote: I want to deny incoming mail from domain blu0.hotmail.com. From domain means what? Sender addr...@blu0.hotmail.com ? I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome and then I run postmap /etc/postfix/sender_access Is there something magical about this /etc/postfix/sender_access filename that you are not telling us? and postfix reload Is that enough? Not even close. You must first understand how Postfix smtpd(8) access restrictions work. See: http://www.postfix.org/SMTPD_ACCESS_README.html as a starting point. Since the text of your rejection implies that spam is the problem you're trying to address, you really need to understand more about spam and spammers, too. Here is a good overview: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Tar Pitting / Rate limiting sending of mail
Hello List Is there a module or configuration element to postfix that will allow for increasingly aggressive throttling of mails as they try to pass more mail through a server on an individual ip basis? I have looked at policyd which seems great but includes only a static throttling to x mails per time period. Eg 10 mails per minute no problem 100 mails per minute throttled down to only 20 per minute 1000 mails per minute throttled down to 1 per minute 1000 mails per minute 1 per hour These numbers are meant to only be indicative rather than absolute. I would imagine that the system use some sort of token bucket system There is a pdf here http://spam.ani.univie.ac.at/files/cnis05.pdf that talks of it in general terms but I am unable to find any real world examples. Thanks in advance for any advice etc. Thanks Adam
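The escalating per-IP throttle asked about above, written as the decision logic of a Postfix policy service (the name=value request and `action=` reply of check_policy_service). This is an added example, not code from the thread, from policyd or from the linked paper; the tier boundaries are one reading of the indicative numbers in the post, the class and function names are hypothetical, the sample request is constructed, and the socket server around it is left out.

```python
from collections import defaultdict, deque

WINDOW = 60.0  # seconds over which attempts per client are counted

# (attempts seen in the last minute, seconds of credit one message costs).
# Assumed reading of the post: up to 10/min is not limited, up to 100/min is
# held to 20/min (one per 3 s), up to 1000/min to 1/min, above that 1/hour.
TIERS = [(10, None), (100, 3.0), (1000, 60.0)]
SLOWEST = 3600.0


class EscalatingThrottle:
    """Token bucket per client IP whose refill rate drops as attempts rise."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> attempt times inside WINDOW
        self.buckets = {}                   # ip -> (credit in seconds, last seen)

    def cost(self, attempts_in_window):
        for ceiling, seconds in TIERS:
            if attempts_in_window <= ceiling:
                return seconds
        return SLOWEST

    def allow(self, ip, now):
        seen = self.attempts[ip]
        seen.append(now)  # rejected attempts count too, so pressure escalates
        while seen[0] <= now - WINDOW:
            seen.popleft()
        cost = self.cost(len(seen))
        if cost is None:
            return True  # below the first tier: no throttling
        # Credit is elapsed time; one message costs `cost` seconds of it and
        # the bucket holds at most one message worth of credit.
        credit, last = self.buckets.get(ip, (cost, now))
        credit = min(cost, credit + (now - last))
        allowed = credit >= cost
        self.buckets[ip] = (credit - cost if allowed else credit, now)
        return allowed


def policy_reply(request, throttle, now):
    """Answer one policy-delegation request (name=value lines, blank line)."""
    attrs = dict(line.split("=", 1) for line in request.splitlines() if "=" in line)
    ip = attrs.get("client_address")
    if attrs.get("request") != "smtpd_access_policy" or not ip:
        return "action=DUNNO\n\n"
    if throttle.allow(ip, now):
        return "action=DUNNO\n\n"
    return "action=DEFER_IF_PERMIT Sending rate exceeded, try again later\n\n"


def simulate(throttle, ip, interval, count):
    """Replay `count` attempts spaced `interval` seconds apart; return accepted."""
    return sum(throttle.allow(ip, i * interval) for i in range(count))


# Constructed sample request (addresses from documentation ranges).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=someone@example.org\n"
    "recipient=user@example.net\n"
    "\n"
)
```

A client sending every 0.5 s for a minute gets its first 10 messages through unthrottled, is then held to one per 3 s, and is cut off for the rest of the minute once it passes 100 attempts.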
Re: asterisks in smtp banner
On Mon, 2010-02-15 at 11:45 +0100, Ralf Hildebrandt wrote: * Serge Fonville serge.fonvi...@gmail.com: Hi, I noticed with a couple of mail servers that the smtp greeting contains 220 followed by a lot of asterisks. CISCO PIX. When I do a check using mxtoolbox I get Warning - Reverse DNS does not match SMTP Banner How do I assure that the normal text is displayed instead of the asterisks? Disable the smtp protocol fixup feature in the PIX. Can someone share a good reference that says that smtp-protocol-fixup can be safely disabled without compromising the security. Apparently the Cisco guys themselves don't own up to their bug and they say disabling anything is at one's own risk. That is enough to get the boot from the (so called! ) security team.
I need to know the criterion of creation of a queued mail,so that I can retrieve the subject from it
Hi to everyone. I need to extract from the email in HOLD queue the subject. So the emails are stored in /var/spool/postfix/hold I can see that before the Subject there is a special character, that is changing apparently random. Then, after the subject, there is apparently always N%Date Do some of you know the criterion how postfix create the email queued? If I find that the subject is always between Subject: and N%Date, I can easily write a script to retrieve it... Thanks Michele
Re: asterisks in smtp banner
Can someone share a good reference that says that smtp-protocol-fixup can be safely disabled without compromising the security. Apparently the Cisco guys themselves don't own up to their bug and they say disabling anything is at one's own risk. That is enough to get the boot from the (so called! ) security team. Well, I think this smtp fixup designed to protect poor smtp servers like microsoft exchange? or poorly configured smtp servers.. Anyway, looks like cisco smtp fixup contains lot of bugs like: http://www.arschkrebs.de/postfix/postfix_cisco_pix_bugs.shtml http://blogs.oucs.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/ -- Eero
Re: I need to know the criterion of creation of a queued mail,so that I can retrieve the subject from it
Michele Carandente: Hi to everyone. I need to extract from the email in HOLD queue the subject. Use the postcat command. The format of Postfix queue files is not public. Software that reads Postfix queue files is not supported and will break when I change Postfix. Software that uses the documented interfaces will keep working even after major changes to Postfix internals. Wietse So the emails are stored in /var/spool/postfix/hold I can see that before the Subject there is a special character, that is changing apparently random. Then, after the subject, there is apparently always N%Date Do some of you know the criterion how postfix create the email queued? If I find that the subject is always between Subject: and N%Date, I can easily write a script to retrieve it... Thanks Michele
Re: asterisks in smtp banner
There are good explanations here: http://groups.google.com/group/comp.dcom.sys.cisco/browse_frm/thread/ee1c9bc0180cacad/8e679e9c420395dc?tvc=1q=smtp%20fixup%20cisco%20sendmail -- Vladimir Vassiliev v...@edu.yar.ru
Re: asterisks in smtp banner
* ram r...@netcore.co.in: Can someone share a good reference that says that smtp-protocol-fixup can be safely disabled without compromising the security. Apparently the Cisco guys themselves don't own up to their bug and they say disabling anything is at one's own risk. Of course ALL changes are one's own risk -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: Scalable
On 13.2.2010, at 0.41, Victor Duchovni wrote: No, this is largely irrelevant. What matters is the IMAP performance they expect, that IMAP servers are reasonably CPU and memory intensive. From what I've seen is that IMAP servers normally take less than 1% CPU load (mainly Dovecot, but I'd think others too). Memory is more important, currently maybe 0.5 MB/connection or so for Dovecot. Usually anyway disk IO is the bottleneck.
Re: Problems with SASL authentication throw dovecot
On Mon, 15 Feb 2010, Неворотин Вадим wrote: Problem is clear: smtpd don't send client IP to dovecot authentication socket. But I need to limit the ability of connection to users only from specific IP. Both for SMTP and IMAP. How can I do that? This has been discussed before: http://marc.info/?l=postfix-usersm=121789269506492w=2 -- Sahil Tandon sa...@tandon.net
Re: Problems with SASL authentication throw dovecot
Problem is clear: smtpd don't send client IP to dovecot authentication socket. Upgrade to Postfix 2.7. Wietse 20090418 Cleanup: use [an extensible API] to pass SMTP client address information to the dovecot SASL plugin, and prepare for passing server address information. Files: xsasl/xsasl.h, xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
Re: Postfix - Timeout While Sending End of Data (slightly OT)
On 2010-02-15 5:23 AM, Barney Desmond wrote: Apologies for pushing the OT thread. Experts Exchange is viewable (at least) from google searches. I'm pretty sure it's a referer-check, used to get plenty of good google-juice for their content. As a convenient side-effect, you can always scroll down to the bottom for the answers if you got there via google search. Hit the top result from this search, the answers will be visible. http://www.google.com/search?q=Disable+inspect+esmtp+on+ASA+5505 Not for me...
Re: SMTPD resctrictions question
On 10.02.2010 23:17, Jan Kohnert wrote: Hi, Jannis Achstetter wrote: An email (FROM is not in $mydestination) from an unauthenticated user to an address in $mydestination is accepted. This is also fine. An email from an unauthenticated user to any destination but $mydestination (open relay) is denied. Perfect. BUT: Any email (FROM is in $mydestination) to $mydestination is accepted by any user since TO is in $mydestination. How do I stop this? Only if the sender IP is in mynetworks. I think you possibly want mynetworks = 127.0.0.1 Then only senders from the local machine can send unauthenticated. I had mynetworks_style = host so I thought to be fine. Setting mynetworks = 127.0.0.1 didn't help. So, here is the output from postfinger and an excerpt from the logfile (assuming you guys being trustworthy for that type of content ;) where a mail is accepted that should not be. I don't have my domains listed in mydestination but in virtual_mailbox_domains since it is a pure virtual setup. Mailserver-configuration (postfinger): http://kripton.kripserver.net/self/postfix/postfinger.log Logfile for the one mail: http://kripton.kripserver.net/self/postfix/log.log I left the amavis-stuff in for completeness Jannis
Re: suppress NDRs from spoofed sender
On Monday 15 February 2010, wolfgang wrote: Hi, In an older episode (Monday, 15. February 2010), David Koski wrote: grep ^From:.*da...@kosmosisland.com $test \ grep Return-Path:.*MAILER-DAEMON $test \ the Return-Path of an NDR is *not* .*MAILER-DAEMON.* - it is <>. mailer-daemon would be in the From-Header of the NDR Regards, wolfgang That is correct. It is the NDR that I want to stop because it has a spoofed sender address. Regards, David Koski da...@kosmosisland.com
Upgrading Postfix
Hello, I have Postfix 2.1.5 running on Mac Server 10.4.11. I would like to upgrade Postfix. Which version would you recommend? Thanks in advance for advice. -- Jeff
Re: Upgrading Postfix
2010/2/15 Jeff Bernier jbern...@risd.edu: Hello, I have Postfix 2.1.5 running on Mac Server 10.4.11. I would like to upgrade Postfix. Which version would you recommend? Thanks in advance for advice. How about latest stable version (2.7) ? -- Eero
Re: how to specify a default key in access(5)
On 2/14/2010 8:29 PM, Stan Hoeppner wrote: Wietse Venema put forth on 2/14/2010 12:52 PM: regexp:/etc/postfix/recipients.pcre ^^ Wietse is this a typo or am I about to learn something new about regexp/pcre interchangeability/compatibility in Postfix? I'm assuming in the example above that the .pcre file actually contains pcre syntax, not regexp syntax. It's a typo. But surely you're aware the syntax is virtually the same[1]; pcre just has a few added features not available in standard regexp that make writing some expressions easier. The main reason pcre is preferred with postfix is because it's faster -- and occasionally magnitudes faster -- than the vendor-supplied regexp library. [1] as far as postfix is concerned -- Noel Jones
Re: Upgrading Postfix
* Eero Volotinen eero.voloti...@iki.fi: I have Postfix 2.1.5 running on Mac Server 10.4.11. I would like to upgrade Postfix. Which version would you recommend? Thanks in advance for advice. How about latest stable version (2.7) ? Since Apple made a significant number of changes: Stick with the Apple version. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: I need to know the criterion of creation of a queued mail,so that I can retrieve the subject from it
On Mon, Feb 15, 2010 at 10:55 AM, Michele Carandente carande...@gmail.com wrote: Hi to everyone. I need to extract from the email in HOLD queue the subject. So the emails are stored in /var/spool/postfix/hold I can see that before the Subject there is a special character, that is changing apparently random. Then, after the subject, there is apparently always N%Date RFC 822 Item 4.1 Note: Due to an artifact of the notational conventions, the syntax indicates that, when present, some fields, must be in a particular order. Header fields are NOT required to occur in any particular order, except that the message body must occur AFTER the headers. It is recommended that, if present, headers be sent in the order Return-Path, Received, Date, From, Subject, Sender, To, cc, etc. RFC5322 Item 3.6 It is important to note that the header fields are not guaranteed to be in a particular order. They may appear in any order, and they have been known to be reordered occasionally when transported over the Internet. However, for the purposes of this specification, header fields SHOULD NOT be reordered when a message is transported or transformed Do some of you know the criterion how postfix create the email queued? If I find that the subject is always between Subject: and N%Date, I can easily write a script to retrieve it... Thanks Michele -- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net Don't try to adapt the software to the way you work, but rather yourself to the way the software works (myself)
Re: Upgrading Postfix
On Feb 15, 2010, at 12:42 PM, Ralf Hildebrandt wrote: * Eero Volotinen eero.voloti...@iki.fi: I have Postfix 2.1.5 running on Mac Server 10.4.11. I would like to upgrade Postfix. Which version would you recommend? Thanks in advance for advice. How about latest stable version (2.7) ? Since Apple made a significant number of changes: Stick with the Apple version. Or at least be aware that the GUI in Server Admin shouldn't be used for administration of Postfix after the upgrade, and that you'll be needing to do a bit at the command line level to make the change. Unless there is some particular issue you're trying to overcome, sticking with what you have may be the best recommendation, until you're ready to upgrade your entire server.
how to deny incoming mail from specific domain
I want to deny incoming mail from domain blu0.hotmail.com. I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome and then I run postmap /etc/postfix/sender_access and postfix reload Is that enough?
Re: how to deny incoming mail from specific domain
on 02/15/2010 10:47 PM Aggelos wrote the following: I want to deny incoming mail from domain blu0.hotmail.com. I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome and then I run postmap /etc/postfix/sender_access and postfix reload Is that enough? Sorry I sent the same post twice.
Re: how to deny incoming mail from specific domain
Quoting Aggelos marma...@freemail.gr: I want to deny incoming mail from domain blu0.hotmail.com. I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome and then I run postmap /etc/postfix/sender_access and postfix reload Is that enough? Not unless postconf -n |grep sender_access turns up something. In any case, I'm not sure that refusing to talk to a single hotmail server will accomplish anything useful. What are you trying to do? Terry
Re: how to deny incoming mail from specific domain
Aggelos wrote: I want to deny incoming mail from domain blu0.hotmail.com. what do you mean by from? - the domain of the client machine? (reverse dns) - the domain of the envelope sender address? - the domain of the from/reply-to header addresses? ... I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome do you really get mail sent by j...@blu0.hotmail.com ? you may want to show a concrete example of what you want to block. and then I run postmap /etc/postfix/sender_access and postfix reload Is that enough?
Re: how to deny mail from specific domain
on 02/15/2010 02:44 PM /dev/rob0 wrote the following: Ahh, someone here today with a Postfix question, not a Cisco one! ;) On Mon, Feb 15, 2010 at 12:57:40PM +0200, Aggelos wrote: I want to deny incoming mail from domain blu0.hotmail.com. From domain means what? Sender addr...@blu0.hotmail.com ? Actually I want to deny all mail that has in the source something like the following: Received: from blu0-omc1-s16.blu0.hotmail.com I have put in /etc/postfix/sender_access the following line: blu0.hotmail.com 554 Spam is not welcome and then I run postmap /etc/postfix/sender_access Is there something magical about this /etc/postfix/sender_access filename that you are not telling us? and postfix reload Is that enough? Not even close. You must first understand how Postfix smtpd(8) access restrictions work. See: http://www.postfix.org/SMTPD_ACCESS_README.html as a starting point. Since the text of your rejection implies that spam is the problem you're trying to address, you really need to understand more about spam and spammers, too.
Here is a good overview: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt Here is what I have at the end of the main.cf : allow_percent_hack = no body_checks = regexp:/etc/postfix/body_checks config_directory = /etc/postfix disable_vrfy_command = yes header_checks = regexp:/etc/postfix/header_checks smtpd_helo_required = yes smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, check_sender_access hash:/etc/postfix/sender_access, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unauth_pipelining, check_client_access hash:/etc/postfix/client_access, reject_unknown_client, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client dnsbl.sorbs.net strict_rfc821_envelopes = yes swap_bangpath = no unknown_address_reject_code = 554 unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unlisted_recipient_reject_code = 554
Re: how to deny incoming mail from specific domain
on 02/15/2010 10:54 PM te...@cnysupport.com wrote the following: postconf -n |grep sender_access # postconf -n |grep sender_access smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, check_sender_access hash:/etc/postfix/sender_access, check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname,reject_non_fqdn_hostname, reject_unknown_hostname,reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unauth_pipelining, check_client_access hash:/etc/postfix/client_access,reject_unknown_client, reject_rbl_client bl.spamcop.net,reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org,reject_rbl_client dnsbl.njabl.org,reject_rbl_client dnsbl.sorbs.net
Re: how to deny mail from specific domain
I get fake sender (blizzard.com) mails like so: From - Mon Feb 15 12:36:41 2010 X-Account-Key: account19 X-UIDL: af3fd81a824190cb X-Mozilla-Status: 0001 X-Mozilla-Status2: X-Mozilla-Keys: Return-Path: steven_m_cr...@hotmail.com X-Original-To: u...@my.domain.org Delivered-To: u...@my.domain.org Received: from blu0-omc1-s16.blu0.hotmail.com (blu0-omc1-s16.blu0.hotmail.com [65.55.116.27]) by mysmpt.my.domain.org (Postfix) with ESMTP id 33C04FB9D for u...@my.domain.org; Mon, 15 Feb 2010 12:14:49 +0200 (EET) Received: from BLU0-SMTP25 ([65.55.116.9]) by blu0-omc1-s16.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 15 Feb 2010 02:14:46 -0800 X-Originating-IP: [222.69.163.146] X-Originating-Email: [steven_m_cr...@hotmail.com] Message-ID: blu0-smtp25c0ae687aa29c4655d059c7...@phx.gbl Received: from zjg ([222.69.163.146]) by BLU0-SMTP25.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 15 Feb 2010 02:14:45 -0800 Reply-To: wowaccountad...@admin-blizzard.com Date: Mon, 15 Feb 2010 06:18:19 +0800 From: wowaccountadmin wowaccountad...@blizzard.com To: u...@my.domain.org Subject: World of Warcraft - Warning X-mailer: Foxmail 6, 15, 201, 22 Mime-Version: 1.0 Content-Type: multipart/alternative; boundary==003_Dragon137305138608_= X-OriginalArrivalTime: 15 Feb 2010 10:14:45.0979 (UTC) FILETIME=[B2C67AB0:01CAAE27] This is a multi-part message in MIME format. --=003_Dragon137305138608_= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64
Re: how to deny mail from specific domain
On 15-Feb-2010, at 14:41, Aggelos wrote: Return-Path: steven_m_cr...@hotmail.com X-Original-To: u...@my.domain.org Delivered-To: u...@my.domain.org Received: from blu0-omc1-s16.blu0.hotmail.com (blu0-omc1-s16.blu0.hotmail.com [65.55.116.27]) by mysmpt.my.domain.org (Postfix) with ESMTP id 33C04FB9D for u...@my.domain.org; Mon, 15 Feb 2010 12:14:49 +0200 (EET) Received: from BLU0-SMTP25 ([65.55.116.9]) by blu0-omc1-s16.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 15 Feb 2010 02:14:46 -0800 X-Originating-IP: [222.69.163.146] X-Originating-Email: [steven_m_cr...@hotmail.com] Message-ID: blu0-smtp25c0ae687aa29c4655d059c7...@phx.gbl Received: from zjg ([222.69.163.146]) by BLU0-SMTP25.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 15 Feb 2010 02:14:45 -0800 Reply-To: wowaccountad...@admin-blizzard.com Date: Mon, 15 Feb 2010 06:18:19 +0800 From: wowaccountadmin wowaccountad...@blizzard.com Just as an unrelated point, forward these messages (as attachments or at least with complete headers) to ha...@blizzard.com. They DO go after these sites. I've fed a couple of dozen to bayes and they no longer get through. You could also do something like uri URI_BLIZZARD /\bblizzard\.com\b/i mimeheader MH_BLIZZARD Content-Transfer-Encoding =~ /base64/ meta SPOOF_BLIZZARD (URI_BLIZZARD && MH_BLIZZARD) score SPOOF_BLIZZARD 1.0 (untested, but something like that) -- 'Oook?' 'I like to listen to a man who likes to talk! Whoops! Sawdust and treacle! Put that in your herring and smoke it!' 'I don't think he wants one,' said Ponder. --Lords and Ladies
Re: how to deny mail from specific domain
On 15-Feb-2010, at 14:56, LuKreme wrote: uri URI_BLIZZARD /\bblizzard\.com\b/i Sorry, wrong list. Thought I was reading the spamassassin group. -- Are you a lucky little lady in the city of light Or just another lost angel?
Re: If I don't want to queue emails, which value I've to give to default_transport?
On Mon, Feb 15, 2010 at 7:25 AM, Michele Carandente carande...@gmail.com wrote: Hi to everybody. I'm queuing all the emails to be sent. So the option that is doing it is: default_transport = smtp I would like to have the option to send directly emails, without queue. You can't, at least if you're not going to write the code :). But you can and should queue only deliverable messages (postfix will do this if you haven't broken the configuration). And you can, but should avoid, putting the queue directory in RAM. And don't forget a stop/startup script to save and restore RAM fs content, and recover from an abrupt reboot. -- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net Don't try to adapt the software to the way you work, but rather yourself to the way the software works (myself)
Re: Postfix - Timeout While Sending End of Data
So here's an update: 1. I have turned off fixup smtp and checked that inspect esmtp or inspect smtp is not running. 2. I have also enabled ICMP for both ends from our DMZ mail server and internal mail server. It is still happening. Plot thickens huh.

On Mon, Feb 15, 2010 at 6:22 PM, DJ Lucas d...@lucasit.com wrote: On 02/14/2010 10:17 PM, Jafaruddin Lie wrote: We do have a CISCO ASA 5520 that the outgoing mailserver sits behind, and I have done the no fixup protocol on the box to no avail. I have also enabled ICMP from that box to our internal mail server, and ping works so I figure the ICMP NO-FRAGMENT wouldn't be an issue here now.

It sounds as though the issue surfaced about the same time the new security device came into play. If so, it might help to make that absolutely clear to everyone who reads this thread. Is this the only change in the environment? From what you've said above, it sounds like you're on the right track. Only thing I noticed is that you mentioned fixup (PIX) and not inspect (ASA). I don't have an ASA in front of me ATM (and honestly, I'm not all that good with them anyway), however something 'like' the following commands should get you to the right place if you don't have access to ASDM (assuming you haven't changed too much in the default configuration). There are plenty of examples all over the net if you use the correct search terms. Obviously, you should do a 'show run' to make sure my second assumption is correct (and that this could even be the problem).

{{{
policy-map global_policy
 class inspection_default
  no inspect esmtp
}}}

Don't forget to write, else it'll be gone on reboot if it works. Sorry, done that a couple of times myself, though I always dump my configs. A friendly reminder never hurts either way. BTW, here is a better example than the Cisco docs (IMO), probably should have just linked to there in the first place instead of the above gibberish. Oh well.
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html -- DJ Lucas -- Registered Linux user no. 384430
Using DIGEST MD5 SMTP-AUTH on RedHat
Hi, I have TLS turned on on my server but since that server also accepts incoming mail from the internet, I can't require its use and so it is certainly possible that some of our users using AUTH-SMTP are still connecting unencrypted. Currently the only authentication mechanism we are using is PLAIN and so I want to use CRAM or DIGEST MD5. All the help I can find on the web gives instructions on building from source but I'm running a RedHat Enterprise server and all the libraries are already installed. The problem is that I can't find any instructions on how to configure to use mechanisms beyond PLAIN and if I specify noplaintext in main.cf, Postfix just hangs. Is anybody using any of the secure authentication mechanisms and would you be willing to share your configuration with me? Thanks, Rob Rob Tanner UNIX Services Manager Linfield College, McMinnville Oregon
Re: Postfix - Timeout While Sending End of Data
2010/2/16 Jafaruddin Lie jafaruddin@gmail.com: So here's an update: 1. I have turned off fixup smtp and checked that inspect esmtp or inspect smtp is not running. 2. I have also enabled ICMP for both ends from our DMZ mail server and internal mail server. It is still happening. well, try to disable tcp-windows-scaling ? -- Eero
Re: Using DIGEST MD5 SMTP-AUTH on RedHat
On 2/15/2010 4:30 PM, Rob Tanner wrote: Hi, I have TLS turned on on my server but since that server also accepts incoming mail from the internet, I can’t require its use and so it is certainly possible that some of our users using AUTH-SMTP are still connecting unencrypted. Currently the only authentication mechanism we are using is PLAIN and so I want to use CRAM or DIGEST MD5. All the help I can find on the web gives instructions on building from source but I’m running a RedHat Enterprise server and all the libraries are already installed. The problem is that I can’t find any instructions on how to configure to use mechanisms beyond PLAIN and if I specify noplaintext in main.cf, Postfix just hangs. Is anybody using any of the secure authentication mechanisms and would you be willing to share your configuration with me? Thanks, Rob

The easy solution is to set in main.cf

smtpd_tls_auth_only = yes

so that TLS is required before AUTH is offered. -- Noel Jones
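The setting suggested in the reply above, shown in context as an added example (not configuration posted in the thread). The surrounding TLS and SASL parameters and their values are assumptions about a typical server that takes both Internet mail and authenticated submission on the same port; certificate and SASL backend settings are omitted.

```conf
# /etc/postfix/main.cf (constructed fragment)

# --- Before (left commented out for comparison) -------------------------
# With smtpd_tls_auth_only at its default of "no", the EHLO response on a
# cleartext session already lists AUTH, so a client that skips STARTTLS
# sends its PLAIN credentials unencrypted.
#smtpd_tls_security_level = may
#smtpd_sasl_auth_enable = yes
#smtpd_tls_auth_only = no

# --- After ---------------------------------------------------------------
# TLS stays optional ("may"), so remote MTAs without TLS can still deliver
# mail to local recipients.
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes

# AUTH is neither advertised nor accepted until STARTTLS has completed.
smtpd_tls_auth_only = yes

# noplaintext is deliberately not set here: PLAIN is the only mechanism
# the server in the thread offers, and it now travels inside TLS only.
smtpd_sasl_security_options = noanonymous

# Check after "postfix reload": a plain EHLO on port 25 should show
# STARTTLS but no AUTH line; AUTH should appear only after STARTTLS.
```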
Re: Using DIGEST MD5 SMTP-AUTH on RedHat
Rob Tanner: I have TLS turned on on my server but since that server also accepts incoming mail from the internet, I can't require its use and so it is certainly possible that some of our users using AUTH-SMTP are still connecting unencrypted. Currently the only authentication mechanism we are using is PLAIN and so I want to use CRAM or DIGEST MD5. All the help I can find on the web gives instructions on building from source but I'm running a RedHat Enterprise server and all the libraries are already installed. The problem is that I can't find any instructions on how to configure to use mechanisms beyond PLAIN and if I specify noplaintext in main.cf, Postfix just hangs. No it doesn't. Look in the maillog file for warnings. Wietse
log message
I'm seeing the following message in my log files, had a search on google and could not come up with anything. postfix/postsuper[4932]: warning: bogus file name: hold/razor-agent.log Can anyone shine some light on the subject? Thanks, Jon
how not to send a message?
Dear postfix people, I just sent a message I should not have sent, using my local postfix setup, which forwards to a smarthost for further processing. After sending the message, I almost immediately pulled the plug, and looking at mailq, I felt good about that:

-Queue ID- --Size-- Arrival Time -Sender/Recipient---
3DE8FEF5 5142 Tue Feb 16 13:48:14 madd...@lapse.rw.madduck.net
    fri...@gmail.com
-- 5 Kbytes in 1 Request.

So I removed it:

% sudo postsuper -d 3DE8FEF5
postsuper: 3DE8FEF5: removed
postsuper: Deleted: 1 message

and checked mailq, which now reported an empty queue. I then reconnected, and syslog rewarded me with:

13:49:51 lapse postfix/smtp[17216]: 3DE8FEF5: to=fri...@gmail.com, relay=b.mx.madduck.net[2001:41e0:ff43::1]:587, delay=97, delays=0.08/0.01/84/13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 764981D4099)

Ouch! :( I realise that I probably connected too quickly and that maybe there was even an open connection to the smarthost, which didn't time out but just resumed (though it was logged 90 seconds after the initial submission…) Is there anything I should have done differently, for the next time this happens? Probably kill the running smtp process, or is there something else? -- martin | http://madduck.net/ | http://two.sentenc.es/ fitter, healthier, more productive like a pig, in a cage, on antibiotics -- radiohead spamtraps: madduck.bo...@madduck.net
Re: Postfix - Timeout While Sending End of Data
Thank you for all your responses. We nailed it down to the dodgy server / Postfix setup. I copied some of the deferred mail queues to another newly set up Postfix server (in the same DMZ) and those mails got sent immediately. So, all mails are now going out through the new server. Looking good so far.

On Tue, Feb 16, 2010 at 10:26 AM, Jafaruddin Lie jafaruddin@gmail.com wrote: The size of the email is not big, and I don't think the size of the emails matter. No, no attachments, it's mostly just acknowledgement mails. I have seen emails being blocked at around 3KB, whilst emails around 5KB got sent whilst a 160KB mail got blocked. OK, I have disabled tcp_windows_scaling on the server, we'll see if this keeps on happening.

On Tue, Feb 16, 2010 at 10:20 AM, Daniel V. Reinhardt crypto...@yahoo.com wrote: From: Jafaruddin Lie jafaruddin@gmail.com To: Daniel V. Reinhardt crypto...@yahoo.com Sent: Mon, February 15, 2010 10:50:07 PM Subject: Re: Postfix - Timeout While Sending End of Data Currently we have mails going to our internal mail server being queued up. So, to answer your question, it's ethernet 100Mbps connection.

On Tue, Feb 16, 2010 at 9:36 AM, Daniel V. Reinhardt crypto...@yahoo.com wrote: So here's an update: 1. I have turned off fixup smtp and checked that inspect esmtp or inspect smtp is not running. 2. I have also enabled ICMP for both ends from our DMZ mail server and internal mail server. It is still happening. Plot thickens huh. What is your connection speed, and what are you sending? Thanks, Daniel Reinhardt Website: www.cryptodan.com Email: crypto...@yahoo.com

You didn't answer my question, what is being sent in these e-mails like attachments, and if so what size are they. Can you provide log files and what not? Also keep replies on the list. Thanks, Daniel Reinhardt Website: www.cryptodan.com Email: crypto...@yahoo.com -- Registered Linux user no. 384430 -- Registered Linux user no. 384430
Re: log message
On Mon, Feb 15, 2010 at 15:36, Jon L Miller jlmil...@mmtnetworks.com.au wrote: I’m seeing the following message in my log files, had a search on google and could not come up with anything. postfix/postsuper[4932]: warning: bogus file name: hold/razor-agent.log Can anyone shine some light on the subject? razor-agent.log is most likely an artifact of an anti-spam tool, something like amavisd-new or maia mailguard. Why it's storing things where postfix can see it is beyond me. I'd check the configuration for whatever it is that you're running besides postfix, as well as your postfix configuration, to see where it's finding that file. Kurt
Can this be done with Postfix? Any rules/recipes that already exist?
I would like to set up an SMTP proxy/filter box which simply sits in between the real server and the internet. All incoming mail passes through the filter, and all outgoing mail also passes through the filter. Basically the box will do a single job, it will have all the domains handled by the organisation listed in the $mydomain and the rule processing will be that it looks at the To and From only, it then compares each one to $mydomain. If one header matches $mydomain (say To:) then it looks at the other for comparison, if it is not listed in $mydomain it then strips the domain from that address and it copies the email and sends it to a new email address based on it going to an address within the organisation.

For example: The organisation has mydomain.com as their $mydomain. They email someone at postfix.org. Or someone from postfix.org emails someone at mydomain.com. The filter box matches the To/From as not being in $mydomain and creates a copy of the email and sends it to postfix@mydomain.com which is handled by the authoritative mail server. The original message goes on its merry way uninterrupted and the copy is routed back internally. The authoritative mail server then does as it pleases based on that email address. All emails to and from a domain are then collected at a single mailbox for extensible journaling purposes based on the email address.

Any ideas would be appreciated.
Re: Problems with SASL authentication throw dovecot
Thanks, it's exactly what I need))) I'll try to compile a new version... 2010/2/15 Wietse Venema wie...@porcupine.org Problem is clear: smtpd don't send client IP to dovecot authentication socket. Upgrade to Postfix 2.7. Wietse 20090418 Cleanup: use [an extensible API] to pass SMTP client address information to the dovecot SASL plugin, and prepare for passing server address information. Files: xsasl/xsasl.h, xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
Re: Postfix 2.7.0 stable release available
Wietse Venema wrote: - Support for reputation management based on the local SMTP client IP address. This is typically implemented with FILTER transportname: actions in access maps or header/body checks, and mail delivery transports in master.cf with unique smtp_bind_address values.

I'm very excited about this feature, are there any examples of it around yet? In particular my case is:

Default: email leaves from one IP address
Special user(s): email leaves from a separate address

Does anyone here know how often Simon Mudd releases his RPMs? Thank you, Carl
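One way to wire up the case asked about above with the pieces named in the release note (an access map with "FILTER transportname:" plus a master.cf transport with its own smtp_bind_address). This is an added example, not from the Postfix documentation or the thread; the map file name, the transport name smtp-alt, the sender address, the host name and the 192.0.2.x address are all placeholders.

```conf
# ---- /etc/postfix/main.cf (constructed fragment) ------------------------
# Everything not matched below keeps using the default smtp transport and
# therefore the default source address.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_outbound_ip

# ---- /etc/postfix/sender_outbound_ip ------------------------------------
# Rebuild after editing: postmap /etc/postfix/sender_outbound_ip
# "FILTER transport:" with an empty next-hop keeps the normal destination
# lookup for each recipient domain and only swaps the delivery transport.
newsletter@example.com    FILTER smtp-alt:

# ---- /etc/postfix/master.cf ---------------------------------------------
# service  type  private unpriv chroot wakeup maxproc command + args
smtp-alt   unix  -       -      n      -      -       smtp
    -o smtp_bind_address=192.0.2.25
    -o smtp_helo_name=mail-alt.example.com
    -o syslog_name=postfix-alt

# Points to check before relying on this:
# - check_sender_access matches the envelope sender, which the client
#   chooses. Restrict who may use that sender (for example with SASL login
#   maps) or any client can pick the source address.
# - smtpd_* restrictions only see mail arriving over SMTP, not mail
#   submitted locally with sendmail(1).
# - A FILTER action applies to the whole message and takes the place of a
#   content_filter setting for that message.
# - The alternate address needs its own reverse DNS that matches
#   smtp_helo_name; syslog_name makes its deliveries easy to find in logs.
```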
Re: Postfix 2.7.0 stable release available
Hi, Does anyone here know how often Simon Mudd releases his RPMs? It looks like this might help for now: http://www.kutukupret.com/2010/02/08/compiling-postfix-2-7-0-as-rpm-package/ Regards, Alex