Re: All email forward a copy to testing server

2010-04-15 Thread Patric Falinder
Mark Martinec skrev 2010-04-13 14:17:
 Patric,
 
 I looked in to it a little more and it looks like Maia re-writes the
 new.sub.domain.com to sub.domain.com.
 I get:

 /usr/sbin/amavisd-new[22834]: (22834-04) Checking: [62.127.194.20]
 patric.falin...@omg.nu -
 patric.falin...@sub.domain.com,patric.falin...@sub.domain.com

 When I guess it should be:

 /usr/sbin/amavisd-new[22834]: (22834-04) Checking: [62.127.194.20]
 patric.falin...@omg.nu -
 patric.falin...@sub.domain.com,patric.falin...@new.sub.domain.com

 Maybe this is more of a Maia problem so I will ask there if no one here
 knows whats wrong.
 
 I very much doubt it is the Maia doing a rewrite.
 More likely your smtp_generic mapping or masquerading.
 Keep in mind that a post-queue content filtered message
 goes through Postfix twice.
 
   Mark
I asked at the Maia-list and they said that I should do the split
after amavisd-maia processes the message and that I maybe could do
something like this in master.cf:

127.0.0.1:10025 inet n  -   n   -   -  smtpd
 -o content_filter=
 -o local_recipient_maps=
 [snip]
 -o recipient_bcc_maps = regexp:/etc/postfix/recipient_bcc

So I did and restarted postfix, and after that I only get:
host 127.0.0.1[127.0.0.1] said: 450 4.4.1 Can't connect to localhost
port 10025
I tried manually telnet to port 10025 but it didn't work, I checked in
netstat if something was listening to port 10025 and there was..

This is how it looks in my master.cf, only pasted the 10025 part:

127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8,10.0.0.0/24
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Is it not possible to add -o recipient_bcc_maps =
regexp:/etc/postfix/recipient_bcc in master.cf? How should I do to make
the split after maia has processed the message if this doesn't work?


Thanks,
Patric


Re: Protection against stolen credentials?

2010-04-15 Thread ram

On Wed, 2010-04-14 at 21:15 +0200, Ignacio García wrote:

 Hi there. Some days ago 1 of our postfix servers was abused by bot 
 networks using one of our customer's stolen credentials, inadvertently 
 done by a virus/keylogger probably. In few hours more than 2 spam 
 messages were in our queue. Looking at the logs I realized all those 
 outgoing messages came authenticated with the same stolen user 
 credentials and from many different geolocations. Just changing the 
 password solved the problem. This is a very disturbing issue for us, 
 since it is hard to notice there's something going on until the server 
 is already puking spam all over. Does anybody know of an automatic way 
 of preventing this (or at least an automatic way of blocking it in early 
 stages)? We were thinking of something like a script monitoring the logs 
 for same-user authenticated connections from different IPs to create a 
 blacklist of some sort...
 
 Thanks in advance.
 
 Ignacio



This is a very common problem. Search the archives for older
conversations.
One of them is here:

http://groups.google.com/group/mailing.postfix.users/browse_thread/thread/596a160388faba35/862d6abf348b8962







defer: removed spurious QUEUEID log

2010-04-15 Thread Stefan Foerster
This morning, I got a warning in my logs that I have never seen
before:

postfix-hub/cleanup[27115]: warning: defer: removed spurious 1E0DE10003 log

It was followed by what seemed the normal delivery of a single mail:

postfix-hub/smtpd[27112]: 1E0DE10003: 
client=edge.kvm.incertum.net[192.168.122.13]
postfix-hub/cleanup[27115]: 1E0DE10003: 
message-id=20100414094410.gq24...@charite.de
postfix-hub/qmgr[19522]: 1E0DE10003: from=owner-postfix-us...@postfix.org,
size=5399, nrcpt=1 (queue active)
postfix-out/smtp[4869]: 1DF1D1E05F: to=cite+postfix-us...@incertum.net,
relay=mailhub.kvm.incertum.net[192.168.122.2]:25, delay=0.32, 
delays=0.04/0.01/0.01/0.27,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1E0DE10003)
postfix-hub/pipe[27116]: 1E0DE10003: to=cite+postfix-us...@incertum.net,
relay=dovecot, delay=0.53, delays=0.26/0.01/0/0.26, dsn=2.0.0, status=sent
(delivered via dovecot service)
postfix-hub/qmgr[19522]: 1E0DE10003: removed

What exactly happened here? Do I need to worry? If you need the output
of postconf -n, do you need the output from the -hub instance
only?


Stefan


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Wietse Venema
Stefan Foerster:
 This morning, I got a warning in my logs that I have never seen
 before:
 
 postfix-hub/cleanup[27115]: warning: defer: removed spurious 1E0DE10003 log

Long ago, queue file after {incoming/active/deferred}/1E0DE10003 was
deleted, without also removing the file defer/1E0DE10003.

 It was followed by what seemed the normal delivery of a single mail:
 
 postfix-hub/smtpd[27112]: 1E0DE10003: 
 client=edge.kvm.incertum.net[192.168.122.13]

Right, this is a new message that has claimed the name 1E0DE10003,
Postfix must not append mail delivery errors to a file that contains
the errors for the deleted 1E0DE10003 message.

Wietse


Re: All email forward a copy to testing server

2010-04-15 Thread Wietse Venema
Patric Falinder:
 Ok after a little trial and error I tried to remove the
 no_address_mappings from -o receive_override_options= in master.cf
 and it started working:D I did as I first was told, with the options in
 main.cf so I didn't add the -o recipient_bcc_maps =
 regexp:/etc/postfix/recipient_bcc in master.cf. btw, does anyone know
 what no_address_mappings does in receive_override_options?

If in doubt read the documentation:

man 5 postconf
...
receive_override_options (default: empty)
   Enable  or disable recipient validation, built-in content filtering, or
   address mapping. Typically, these are specified in  master.cf  as  com-
   mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
...
   no_address_mappings
  Disable canonical address mapping, virtual alias map  expansion,
  address  masquerading,  and  automatic  BCC  (blind carbon-copy)
  recipients. This is typically specified BEFORE an external  con-
  tent filter.

Wietse


Re: Many IP address outgoing messages

2010-04-15 Thread Noel Jones

On 4/15/2010 8:04 AM, Eduardo Júnior wrote:

Hi, all


Due the high load of e-mails over my link, I want that
my messages outgoing through more IPs with only postfix box.

I read about that, but not in official documentation.

I want understand how this works and how to implement.

Anyone could point me to the respective doc?


Thanks,



See the postfix 2.7 RELEASE_NOTES, under the section labeled 
Major changes - sender reputation.  That will point you to 
further reading.


Of course, this feature requires postfix 2.7 or newer.

  -- Noel Jones



Re: Many IP address outgoing messages

2010-04-15 Thread Eero Volotinen
 Anyone could point me to the respective doc?

how about: 
http://www.kutukupret.com/2009/11/30/postfix-smtp-outgoing-ip-rotator-using-iptables/

--
Eero


Re: Append a custom head via a filter, partially OT

2010-04-15 Thread Noel Jones

On 4/14/2010 11:02 PM, Gary Smith wrote:

We use a filter to break out and run our spamassassin and other checks. In bash 
shell that process, we have a need to insert a custom unique header per email 
for compliance.  Is there a simple way of doing this without having to go into 
any special mime processing of the message?

Gary Smith




Is there some reason the Message-ID won't work as a unique 
identifier?


You can use a policy server to insert a header based on 
envelope information.

http://www.postfix.org/SMTPD_POLICY_README.html

If your header must be based on the message content, you'll 
need a milter or content_filter.



  -- Noel Jones


RE: Append a custom head via a filter, partially OT

2010-04-15 Thread Gary Smith
 Is there some reason the Message-ID won't work as a unique
 identifier?
 

It's about compliance tracking and tagging for specific things.

 You can use a policy server to insert a header based on
 envelope information.
 http://www.postfix.org/SMTPD_POLICY_README.html
 
 If your header must be based on the message content, you'll
 need a milter or content_filter.
 

Indeed.  We are hooking into the content_filter as we speak.  We do some 
analytics on the email message and need to append and track content specific 
hit ratios for specific messages.  Basically, think of putting a spam score 
into a message, but instead of checking for spam, we are checking to see if the 
incoming message violates specific guidelines.  I know it might sound a little 
trivial as we could just as easily develop some type of database, but since all 
out email already goes to a compliance archive, we want to keep intact what the 
hit ratio was for that specific message based upon that point in time without 
having to worry about keeping some type of mapping in place.  (that's the 
slightly longer reason).


Re: catch-all not working with postfix dovecot lda

2010-04-15 Thread Noel Jones

On 4/14/2010 3:42 PM, fakessh wrote:

On Wed, 14 Apr 2010 13:50:34 -0500, Noel Jonesnjo...@megan.vbhcs.org
wrote:

On 4/14/2010 1:45 PM, fakessh wrote:

On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
cmar...@media-brokers.com   wrote:



I changed the entries @fakessh to r...@localhost in /etc/postfix/virtual
postmap then a file  to
the postfix restart.

all without success, or rather the same mistake


Then post your new postconf -n, log entries showing the 
problem, and file contents.


But you already have all the information you need to fix this 
yourself.


Key points are
1) use fully qualified names in virtual_alias_maps. ie.
u...@example1.com   u...@example2.com

*not*
u...@example1.com   user

2) if you want local delivery of the mail, the new domain must 
be listed in mydestination.


Your fix may be as simple as adding localhost.$mydomain to 
mydestination.



  -- Noel Jones


Limit outgoing SMTP

2010-04-15 Thread Claudio Prono
Hi to all, 

Just a question, there is any method to limit the outgoing mails ?
Something like domain.com allowed, domain.net not allowed, or
u...@domain.com allowed, u...@domain.net not allowed. And this can be
done for each user?

If is possible, there is any web based or similar tool to manage this thing?

Any help is really appreciated.

Cordially,

Claudio Prono.

-- 

Claudio Prono OPST
System Developer   
  Gsm: +39-349-54.33.258
@PSS Srl  Tel: +39-011-32.72.100
Via San Bernardino, 17Fax: +39-011-32.46.497
10141 Torino - ITALY  http://atpss.net/disclaimer

PGP Key - http://keys.atpss.net/c_prono.asc






DKIM-milter only for outgoing

2010-04-15 Thread Birta Levente

Hi all

My postfix server is set up with amavisd-new and dkim-milter.

In the  main.cf:

content_filter = smtp-amavis:[127.0.0.1]:10024

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
milter_protocol = 2
milter_default_action = accept



With this configuration the DKIM signature is added even to the incoming 
mails and I don't see any reason to do that.


How can I set up the server to add DKIM signature only for the outgoing 
mails?


thanks

Levi





Re: DKIM-milter only for outgoing

2010-04-15 Thread Tomoyuki Murakami

From: Birta Levente blevi.li...@gmail.com
Subject: DKIM-milter only for outgoing
Date: Thu, 15 Apr 2010 17:23:12 +0300

 My postfix server is set up with amavisd-new and dkim-milter.

 In the  main.cf:

 content_filter = smtp-amavis:[127.0.0.1]:10024

 smtpd_milters = inet:localhost:20209
 non_smtpd_milters = inet:localhost:20209
 milter_protocol = 2
 milter_default_action = accept

 With this configuration the DKIM signature is added even to the
 incoming mails and I don't see any reason to do that.

For dkim-filter, you can limit the signing domain by -d option.
In Postfix, you should separate the services for incoming and
outgoing(submission). If you do so, you can move the milter
setting from main.cf to master.cf and setting like,

smtp       inet  n  -  n  -  -  smtpd
    -o .
    -o ..

submission inet  n  -  n  -  -  smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o ...
    -o smtpd_milters=inet:127.0.0.1:20209

 ... I'm not sure how these are appropriate, but this setting
 smtpd_milters only for submission and work for me fine in normal
 operation.

--
Tomo.




Re: Protection against stolen credentials?

2010-04-15 Thread Ignacio García

El 15/04/10 12:41, ram escribió:


The points mentioned should help you especially ratelimits , and FBL's

Are you planning to do outgoing scanning.


Hi Ram. I believe ratelimits and FBLs can help, but just partially. FBLs 
are of great help, but they work only after much harm has been done. For 
instance, right now we use FBLs to get warnings of this kind of problem 
(besides checking the logs, of course, which does not happen 24 
hours/day). When we got our first warning we had more than 20k spam 
messages in the queue. OTOH, ratelimiting could work well. However, we 
have several customers with internal/intranet mail servers in their own 
facilities (with residential connections and dynamic IPs) who use our 
mail servers as authenticated SMTP relays to send external mail to the 
Internet, so limiting the number of outbound emails can be a problem for us.


The way I think this could be solved is by having a program that:

1.- Checks the logs for authenticated smtp usage and saves 
smtp_authenticated_user, originating IPs, and country, which is 
discovered using ip geolocation.
2.- During the following minutes, if IP from same authenticated user is 
different, then geolocate new IP, and if country is also different then 
set it as possible credential theft.
3.- If Step 2 repeats few times in few minutes (or even worse, if a 
third country is detected), then we sure have stolen credentials.
4.- Add smtp_authenticated_user to a blacklist, could add a simple 
header_checks entry to reject messages with smtp_authenticated_user 
header. That way account is still active and able to receive messages. 
However, outbound messaging is disabled.
5.- We could use a granulated scoring system. For instance, we are in 
Spain, and 99.9% of our customers are in Spain. So, even if more 
different IPs are used in short period of times, but all originate in 
Spain, it's fair to assume this person may be having connectivity 
problems or several devices connected (computer, 3g phone, pda) and 
running at the same time, so we cut them some slack :)


We are already brainstorming this. However, we are good sysadmins but 
I cannot say the same about complex programming. We'll see what happens.


Regards,

Ignacio
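
The log monitor outlined in steps 1 to 5 above, as an added example (not code from anyone in this thread): it reads Postfix smtpd `sasl_username=` log lines, geolocates each client IP, and grades an account as suspect or compromised from country changes inside a time window. `GEO_TABLE` is a hypothetical stand-in for a real GeoIP lookup, `WINDOW` and `SWITCH_LIMIT` are assumed thresholds, the function names are illustrative, and the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # the "few minutes" of steps 2-3 (assumed value)
SWITCH_LIMIT = 3                # country changes inside WINDOW that confirm theft (assumed)

# Hypothetical stand-in for a GeoIP database, built on documentation address ranges.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "ES",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
    ipaddress.ip_network("192.0.2.0/24"): "VN",
}

# Constructed sample: smtpd lines as Postfix logs them for SASL-authenticated clients.
SAMPLE_LOG = """\
Apr 14 09:00:00 mx postfix/smtpd[4100]: 1A00010001: client=unknown[198.51.100.90], sasl_method=PLAIN, sasl_username=dave
Apr 14 09:00:05 mx postfix/smtpd[4101]: 1A00010002: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Apr 14 09:00:10 mx postfix/smtpd[4102]: 1A00010003: client=unknown[198.51.100.20], sasl_method=LOGIN, sasl_username=bob
Apr 14 09:01:10 mx postfix/smtpd[4103]: 1A00010004: client=unknown[198.51.100.44], sasl_method=LOGIN, sasl_username=alice
Apr 14 09:02:00 mx postfix/smtpd[4104]: 1A00010005: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob
Apr 14 09:03:30 mx postfix/smtpd[4105]: 1A00010006: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=bob
Apr 14 09:05:00 mx postfix/smtpd[4106]: 1A00010007: client=unknown[198.51.100.61], sasl_method=PLAIN, sasl_username=carol
Apr 14 09:08:00 mx postfix/smtpd[4107]: 1A00010008: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=carol
Apr 14 09:10:00 mx postfix/smtpd[4108]: connect from unknown[203.0.113.9]
Apr 14 09:40:00 mx postfix/smtpd[4109]: 1A00010009: client=unknown[203.0.113.12], sasl_method=PLAIN, sasl_username=dave
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix\S*/smtpd\[\d+\]: \w+: "
    r"client=\S*\[(?P<ip>[^\]]+)\], sasl_method=[^,]+, sasl_username=(?P<user>\S+)"
)


def country_of(ip):
    """Return the country code for ip, or None if it is unknown or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. client=unknown[unknown]
        return None
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def parse_auth_events(log_text, year):
    """Step 1: yield (timestamp, user, ip) for every authenticated smtpd line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect(log_text, year=2010):
    """Steps 2-5: map each flagged user to 'suspect' or 'compromised'."""
    recent = defaultdict(deque)  # user -> (timestamp, country) events inside WINDOW
    verdicts = {}
    for ts, user, ip in sorted(parse_auth_events(log_text, year)):
        cc = country_of(ip)
        if cc is None:
            continue
        events = recent[user]
        events.append((ts, cc))
        while events[0][0] < ts - WINDOW:
            events.popleft()
        countries = [c for _, c in events]
        # Step 5: new IPs in the same country never count; only country changes do.
        switches = sum(a != b for a, b in zip(countries, countries[1:]))
        if len(set(countries)) >= 3 or switches >= SWITCH_LIMIT:
            verdicts[user] = "compromised"      # step 3: candidate for the step 4 blacklist
        elif switches >= 1 and verdicts.get(user) != "compromised":
            verdicts[user] = "suspect"          # step 2: possible credential theft
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```
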


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Stefan Foerster
* Wietse Venema wie...@porcupine.org:
 Stefan Foerster:
  It was followed by what seemed the normal delivery of a single mail:
  
  postfix-hub/smtpd[27112]: 1E0DE10003: 
  client=edge.kvm.incertum.net[192.168.122.13]
 
 Right, this is a new message that has claimed the name 1E0DE10003,
 Postfix must not append mail delivery errors to a file that contains
 the errors for the deleted 1E0DE10003 message.

I see.

Indeed, 1E0DE10003 was from April 6th, 2006, around noon. The
long term storage logs don't contain any sender/recipient/relay
information, only anonymized data, but I can see that the deferral was
the result of a connection timeout. Apart from that one message and a
lot of hostname verification failures, the logs for that day don't
show any signs of trouble (as per the DEBUG_README).

I guess there's not really a viable way of discovering what happened
that day, even with the logs, is there? Do I need to investigate this
further?


Stefan


Re: Limit outgoing SMTP

2010-04-15 Thread Wietse Venema
Claudio Prono:
 Hi to all, 
 
 Just a question, there is any method to limit the outgoing mails ?
 Something like domain.com allowed, domain.net not allowed, or
 u...@domain.com allowed, u...@domain.net not allowed. And this can be
 done for each user?

Postfix enforces such limits while RECEIVING mail:

http://www.postfix.org/SMTPD_ACCESS_README.html

To stop mail from out-of-control web applications, use spam filters
as discussed today in the lost credentials thread.

 If is possible, there is any web based or similar tool to manage this thing?

Gui support is not included.

Wietse


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Wietse Venema
Stefan Foerster:
 * Wietse Venema wie...@porcupine.org:
  Stefan Foerster:
   It was followed by what seemed the normal delivery of a single mail:
   
   postfix-hub/smtpd[27112]: 1E0DE10003: 
   client=edge.kvm.incertum.net[192.168.122.13]
  
  Right, this is a new message that has claimed the name 1E0DE10003,
  Postfix must not append mail delivery errors to a file that contains
  the errors for the deleted 1E0DE10003 message.
 
 I see.
 
 Indeed, 1E0DE10003 was from April 6th, 2006, around noon. The
 long term storage logs don't contain any sender/recipient/relay
 information, only anonymized data, but I can see that the deferral was
 the result of a connection timeout. Apart from that one message and a
 lot of hostname verification failures, the logs for that day don't
 show any signs of trouble (as per the DEBUG_README).
 
 I guess there's not really a viable way of discovering what happened
 that day, even with the logs, is there? Do I need to investigate this
 further?

I just looked at some code that I wrote in 1997 so.

Normally the queue manager deletes a defer logfile when it brings
a message into the active queue, and the bounce daemon deletes the
defer logfile after sending a mail too old bounce message.

If the defer file still exists without the message file, some of
the following happened:

- The queue file was deleted by hand without deleting the bounce/defer
logfile for that message. In this case, nothing is lost since the
message would not be delivered.

- After restoring a mail queue from elsewhere, postsuper was renaming
files to make the 'queue id' match the message file inode number,
and was interrupted before it got to rename the defer file. In this
case nothing is lost, because at least one more mail delivery attempt
will be made.

- The message was renamed with postsuper -r. Again, nothing lost
since there will be at least one more delivery attempt.

- If it's none of the above, someone lost mail.

Postfix is as careful about not losing mail, as it is about not
losing information about delivery errors. Losing a delivery error
is like losing the message itself - in both cases the recipient
does not receive the message, and the sender is not notified.

Wietse


Re: defer: removed spurious QUEUEID log

2010-04-15 Thread Stefan Foerster
* Wietse Venema wie...@porcupine.org:
 Normally the queue manager deletes a defer logfile when it brings
 a message into the active queue, and the bounce daemon deletes the
 defer logfile after sending a mail too old bounce message.
 
 If the defer file still exists without the message file, some of
 the following happened:
 
 - The queue file was deleted by hand without deleting the bounce/defer
 logfile for that message. In this case, nothing is lost since the
 message would not be delivered.
 
 - After restoring a mail queue from elsewhere, postsuper was renaming
 files to make the 'queue id' match the message file inode number,
 and was interrupted before it got to rename the defer file. In this
 case nothing is lost, because at least one more mail delivery attempt
 will be made.
 
 - The message was renamed with postsuper -r. Again, nothing lost
 since there will be at least one more delivery attempt.
 
 - If it's none of the above, someone lost mail.
 
 Postfix is as careful about not losing mail, as it is about not
 losing information about delivery errors. Losing a delivery error
 is like losing the message itself - in both cases the recipient
 does not receive the message, and the sender is not notified.

That means chances are good that I did something stupid that the long
term storage logs don't show, and that said act of stupidity did not
cause harm.

I think I can live with my presumed occasional stupor, as long as it
only resurfaces every four years.

As always, thank you for the insightful technical explanations.


Stefan


Re: errors from postfix

2010-04-15 Thread Oguz Yilmaz
Even if you solve quotes problem, postfix will deliver message to
olpcx@aol.com. Is this what you want?
You may try smtpname option of fetchmail to deliver to local mail user
on postfix server. Or if you do not change rcpt to, you may try to
deliver directly to mda with -m option.



On Fri, Apr 9, 2010 at 1:10 AM, John Schmitt nuon...@yahoo.com wrote:

 I use fetchmail to get my email from yahoo  gmail et al.  Lately I've been 
 getting these two messages when fetchmail runs.  What is postfix doing and 
 what is it trying to tell me?  Is this something I should fix on my end?  Is 
 postfix trying to resend some spam I received from yahoo?  Or is it just 
 having trouble delivering spam to my inbox?

 I'm running a simple home setup for myself using Fedora 12.

 Transcript of session follows.

  Out: 220 mymachine.mydomain.net ESMTP Postfix
  In:  HELO mymachine
  Out: 250 mymachine.mydomain.net
  In:  MAIL FROM:
  Out: 250 2.1.0 Ok
  In:  RCPT TO:???B?\ olpcxcqkkqc...@aol.com
  Out: 501 5.1.3 Bad recipient address syntax
  In:  QUIT
  Out: 221 2.0.0 Bye


 For other details, see the local mail logfile


 Date: Thu,  8 Apr 2010 13:02:01 -0700 (PDT)
 From: Mail Delivery System mailer-dae...@mymachine.mydomain.net
 To: Postmaster postmas...@mydomain.net
 Subject: Postfix SMTP server: errors from localhost[::1]

 Transcript of session follows.

  Out: 220 mymachine.mydomain.net ESMTP Postfix
  In:  EHLO pop-ssl.plus.mail.a06.yahoodns.net
  Out: 250-mymachine.mydomain.net
  Out: 250-PIPELINING
  Out: 250-SIZE
  Out: 250-VRFY
  Out: 250-ETRN
  Out: 250-STARTTLS
  Out: 250-ENHANCEDSTATUSCODES
  Out: 250-8BITMIME
  Out: 250 DSN
  In:  MAIL FROM:???B?\ olpcxcqkkqc...@aol.com BODY=8BITMIME SIZE=2131
  Out: 501 5.1.7 Bad sender address syntax
  In:  RSET
  Out: 250 2.0.0 Ok
  In:  QUIT
  Out: 221 2.0.0 Bye


 For other details, see the local mail logfile

 This is from /var/log/maillog:

 Apr  8 13:02:00 mymachine postfix/smtpd[13072]: connect from localhost[::1]
 Apr  8 13:02:00 mymachine postfix/smtpd[13000]: connect from localhost[::1]
 Apr  8 13:02:01 mymachine postfix/cleanup[13003]: 00144E02007: 
 message-id=20100408200201.00144e02...@mymachine.mydomain.net
 Apr  8 13:02:01 mymachine postfix/smtpd[13000]: disconnect from localhost[::1]
 Apr  8 13:02:01 mymachine postfix/qmgr[21590]: 00144E02007: 
 from=double-bou...@mymachine.mydomain.net, size=759, nrcpt=1 (queue active)
 Apr  8 13:02:01 mymachine lmtpunix[12930]: accepted connection
 Apr  8 13:02:01 mymachine lmtpunix[12930]: lmtp connection preauth'd as 
 postman
 Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_check: 
 20100408200201.00144e02...@mymachine.mydomain.net user.john            0
 Apr  8 13:02:01 mymachine postfix/cleanup[13003]: 20E23E02009: 
 message-id=20100408200201.20e23e02...@mymachine.mydomain.net
 Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_check: 
 20100408200201.00144e02...@mymachine.mydomain.net user.john            0
 Apr  8 13:02:01 mymachine postfix/qmgr[21590]: 20E23E02009: 
 from=double-bou...@mymachine.mydomain.net, size=957, nrcpt=1 (queue active)
 Apr  8 13:02:01 mymachine postfix/smtpd[13072]: disconnect from localhost[::1]
 Apr  8 13:02:01 mymachine lmtpunix[13071]: accepted connection
 Apr  8 13:02:01 mymachine lmtpunix[13071]: lmtp connection preauth'd as 
 postman
 Apr  8 13:02:01 mymachine lmtpunix[12930]: Delivered: 
 20100408200201.00144e02...@mymachine.mydomain.net to mailbox: user.john
 Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: starting txn 2147490480
 Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: committing txn 2147490480
 Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_mark: 
 20100408200201.00144e02...@mymachine.mydomain.net user.john            
 1270756921 320038
 Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: starting txn 2147490481
 Apr  8 13:02:01 mymachine lmtpunix[12930]: mystore: committing txn 2147490481
 Apr  8 13:02:01 mymachine lmtpunix[12930]: duplicate_mark: 
 20100408200201.00144e02...@mymachine.mydomain.net .jo...@.sieve.       
 1270756921 0
 Apr  8 13:02:01 mymachine lmtpunix[13071]: duplicate_check: 
 20100408200201.20e23e02...@mymachine.mydomain.net user.john            0
 Apr  8 13:02:01 mymachine postfix/lmtp[13008]: 00144E02007: 
 to=j...@mydomain.net, orig_to=postmaster, 
 relay=mymachine.mydomain.net[/var/lib/imap/socket/lmtp], delay=0.42, 
 delays=0.06/0/0/0.35, dsn=2.1.5, status=sent (250 2.1.5 Ok)
 Apr  8 13:02:01 mymachine postfix/qmgr[21590]: 00144E02007: removed




Trouble with virtual_alias_maps and mailman stopped working

2010-04-15 Thread Bruno Ribeiro da Silva
Hi, I'm having some trouble with my production server, that mailman
stopped working apparently without any modification. I think
everything at my postfix configuration is ok, but what I'm seeing is
that virtual_alias_maps isn't working as expected.
My setup consists in one virtual domain example.com and some
accounts from this domain are lists, like samplel...@example.com
According to postfix flow, if I send an e-mail to
samplel...@example.com it will match the line
hash:/var/lib/mailman/data/virtual-mailman in my virtual_alias_maps
and returns samplelist, then it's expected to match samplelist at line
alias_maps = hash:/var/lib/mailman/data/aliases and pipe the e-mail to
|/var/lib/mailman/mail/mailman post samplelist, but instead postfix
is just sending the e-mail to maildrop with destination like one of my
regular accounts, then maildrop is returning user unknown, of course
because samplel...@example.com isn't a valid user account.
I don't know why postfix isn't matching alias_maps to pipe the mail to mailman.
Someone could help me?

Thanks!

My /var/lib/mailman/data/virtual-mailman:
# STANZA START: samplelist
# CREATED: Mon Mar 31 16:59:34 2008
samplel...@example.com  samplelist
samplelist-ad...@example.comsamplelist-admin
samplelist-boun...@example.com  samplelist-bounces
samplelist-conf...@example.com  samplelist-confirm
samplelist-j...@example.com samplelist-join
samplelist-le...@example.comsamplelist-leave
samplelist-ow...@example.comsamplelist-owner
samplelist-requ...@example.com  samplelist-request
samplelist-subscr...@example.comsamplelist-subscribe
samplelist-unsubscr...@example.com  samplelist-unsubscribe
# STANZA END: reserva

My /var/lib/mailman/data/aliases:
# STANZA START: samplelist
# CREATED: Mon Mar 31 16:59:34 2008
samplelist: |/var/lib/mailman/mail/mailman post samplelist
samplelist-admin:   |/var/lib/mailman/mail/mailman admin samplelist
samplelist-bounces: |/var/lib/mailman/mail/mailman bounces samplelist
samplelist-confirm: |/var/lib/mailman/mail/mailman confirm samplelist
samplelist-join:|/var/lib/mailman/mail/mailman join samplelist
samplelist-leave:   |/var/lib/mailman/mail/mailman leave samplelist
samplelist-owner:   |/var/lib/mailman/mail/mailman owner samplelist
samplelist-request: |/var/lib/mailman/mail/mailman request samplelist
samplelist-subscribe:   |/var/lib/mailman/mail/mailman subscribe samplelist
samplelist-unsubscribe: |/var/lib/mailman/mail/mailman unsubscribe samplelist
# STANZA END: samplelist


Let me show my postfix configuration:
### main.cf ###
mydestination = example-srv.example.com
myhostname = example-srv.example.com
mydomain = example-srv.example.com
myorigin = $myhostname
mynetworks = 127.0.0.1
relay_domains = mysql:/etc/postfix/mysql/relay_domains.cf
inet_protocols = ipv4
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/alias_maps.cf,
 proxy:mysql:/etc/postfix/mysql/forwarding_maps.cf,
 proxy:mysql:/etc/postfix/mysql/list_maps.cf,
 hash:/var/lib/mailman/data/virtual-mailman,
virtual_transport = maildrop
maildrop_destination_recipient_limit=1
recipient_delimiter = +
alias_maps = hash:/var/lib/mailman/data/aliases
alias_database = hash:/var/lib/mailman/data/aliases
local_recipient_maps = $alias_maps
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient,
 reject_unauth_pipelining
smtpd_helo_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_hostname,
 reject_unauth_pipelining
smtpd_sender_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_sender_domain,
  reject_non_fqdn_sender,
  reject_sender_login_mismatch,
  check_sender_access hash:/etc/postfix/blacklist
  reject_unauth_pipelining
smtpd_client_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/whitelist
  reject_unknown_client,
  reject_unauth_pipelining,
  check_policy_service inet:127.0.0.1:10031,
  reject_rbl_client bl.spamcop.net,
  

Re: Many IP address outgoing messages

2010-04-15 Thread Stan Hoeppner
Eduardo Júnior put forth on 4/15/2010 8:04 AM:

 Due the high load of e-mails over my link, I want that
 my messages outgoing through more IPs with only postfix box.

If you only have one physical link, how will sending mail from multiple IPs
within the same subnet solve your link congestion problem?

-- 
Stan


block specific IP addresses

2010-04-15 Thread CT

I have several boxes that check my relay every 40 seconds to
check that the server is up.

After multiple attempts to get the number of checks reduced I would
like the know the preferred way to block specific IP addresses in Postfix.

I have no issue with checks.. but every 40 seconds is ridiculous.

OS : CentOS 5.4
Postfix version:  2.5.1

Thx
Charles


Re: block specific IP addresses

2010-04-15 Thread Sahil Tandon
On Thu, 15 Apr 2010, CT wrote:

 I have several boxes that check my relay every 40 seconds to
 check that the server is up.
 
 After multiple attempts to get the number of checks reduced I would
 like the know the preferred way to block specific IP addresses in Postfix.

http://www.postfix.org/postconf.5.html#check_client_access
http://www.postfix.org/access.5.html

-- 
Sahil Tandon sa...@freebsd.org


Re: Many IP address outgoing messages

2010-04-15 Thread Eduardo Júnior
Hi,


On Thu, Apr 15, 2010 at 6:35 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Eduardo Júnior put forth on 4/15/2010 8:04 AM:

 Due the high load of e-mails over my link, I want that
 my messages outgoing through more IPs with only postfix box.

 If you only have one physical link, how will sending mail from multiple IPs
 within the same subnet solve your link congestion problem?


Currently my Postfix box outgoing e-mails through only one physical link, but
i have others available.

According to Eero, this can be done by means of firewall, using iptables.

But my main goal is to learn how to do that using Postfix, whose reference was
passed by Noel.


-- 
Eduardo Júnior
GNU/Linux user #423272

:wq


Re: Trouble with virtual_alias_maps and mailman stopped working

2010-04-15 Thread Noel Jones

On 4/15/2010 3:22 PM, Bruno Ribeiro da Silva wrote:

Hi, I'm having some trouble with my production server, that mailman
stopped working apparently without any modification. I think
everything at my postfix configuration is ok, but what I'm seeing is
that virtual_alias_maps isn't working as expected.
My setup consists in one virtual domain example.com and some
accounts from this domain are lists, like samplel...@example.com
According to postfix flow, if I send an e-mail to
samplel...@example.com it will match the line
hash:/var/lib/mailman/data/virtual-mailman in my virtual_alias_maps
and returns samplelist, then it's expected to match samplelist at line
alias_maps = hash:/var/lib/mailman/data/aliases and pipe the e-mail to
|/var/lib/mailman/mail/mailman post samplelist, but instead postfix
is just sending the e-mail to maildrop with destination like one of my
regular accounts, then maildrop is returning user unknown, of course
because samplel...@example.com isn't a valid user account.
I don't know why postfix isn't matching alias_maps to pipe the mail to mailman.
Someone could help me?

Thanks!

My /var/lib/mailman/data/virtual-mailman:
# STANZA START: samplelist
# CREATED: Mon Mar 31 16:59:34 2008
samplel...@example.com              samplelist
samplelist-ad...@example.com        samplelist-admin
samplelist-boun...@example.com      samplelist-bounces
samplelist-conf...@example.com      samplelist-confirm
samplelist-j...@example.com         samplelist-join
samplelist-le...@example.com        samplelist-leave
samplelist-ow...@example.com        samplelist-owner
samplelist-requ...@example.com      samplelist-request
samplelist-subscr...@example.com    samplelist-subscribe
samplelist-unsubscr...@example.com  samplelist-unsubscribe
# STANZA END: reserva


The result addresses above should include a domain listed in 
mydestination.


samplel...@example.com samplel...@localhost.example.com
...

mydestination = localhost.example.com ...


  -- Noel Jones


Re: Trouble with virtual_alias_maps and mailman stopped working

2010-04-15 Thread Ansgar Wiechers
On 2010-04-15 Bruno Ribeiro da Silva wrote:
 Hi, I'm having some trouble with my production server, that mailman
 stopped working apparently without any modification. I think
 everything at my postfix configuration is ok, but what I'm seeing is
 that virtual_alias_maps isn't working as expected.

Check your logs. Postfix logs all relevant aspects of any mail
transaction. What does it say there?

[...]
 samplel...@example.com  samplelist

Change samplelist to samplel...@example-srv.example.com.

Since example.com is not your $mydestination: is it defined as a virtual
mailbox domain?

Also post the output of postconf -n rather than your main.cf.

Regards
Ansgar Wiechers
-- 
Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files.
--http://docs.info.apple.com/article.html?artnum=25668


Re: block specific IP addresses

2010-04-15 Thread Stan Hoeppner
CT put forth on 4/15/2010 4:43 PM:
 I have several boxes that check my relay every 40 seconds to
 check that the server is up.
 
 After multiple attempts to get the number of checks reduced I would
 like to know the preferred way to block specific IP addresses in Postfix.
 
 I have no issue with checks.. but every 40 seconds is ridiculous.

To accomplish the task in Postfix, blocking only SMTP connections from those
IP addresses:

edit: /etc/postfix/main.cf

smtpd_[client/recipient]_restrictions =
...
check_client_access hash:/etc/postfix/blacklist
...

# [client/recipient] selection depends on whether you use the everything
under smtpd_recipient_restrictions style main.cf layout.

create: /etc/postfix/blacklist

...
1.2.3.4 REJECT
4.3.2.1 REJECT
3.2.1.4 REJECT
...

/$ postmap /etc/postfix/blacklist
/$ postfix reload

Simple, eh?

Or to deny all port access from those IPs, if using Linux, use Netfilter:

/$ iptables -I INPUT -s 1.2.3.4 -j DROP
/$ iptables -I INPUT -s 4.3.2.1 -j DROP
/$ iptables -I INPUT -s 3.2.1.4 -j DROP

iptables inputs are non-persistent across reboots.  Without knowing what
OS/distro you're using, I'll give generic instructions on running this at
system startup instead of rc.* instructions.

As root, create something like /usr/bin/load_iptables.sh and make sure the
execute bit is set.

#! /bin/sh
iptables -I INPUT -s 1.2.3.4 -j DROP
iptables -I INPUT -s 4.3.2.1 -j DROP
iptables -I INPUT -s 3.2.1.4 -j DROP

As root create this crontab entry usually with crontab -e

@reboot /usr/bin/load_iptables.sh

Now all packets from those IPs will be dropped.  Hope this helps.

-- 
Stan



Re: catch-all not working with postfix dovecot lda

2010-04-15 Thread fakessh
On Thu, 15 Apr 2010 08:33:43 -0500, Noel Jones njo...@megan.vbhcs.org
wrote:
 On 4/14/2010 3:42 PM, fakessh wrote:
 On Wed, 14 Apr 2010 13:50:34 -0500, Noel Jonesnjo...@megan.vbhcs.org
 wrote:
 On 4/14/2010 1:45 PM, fakessh wrote:
 On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
 cmar...@media-brokers.com   wrote:


 I changed the entries @fakessh to r...@localhost in
/etc/postfix/virtual
 postmap then a file  to
 the postfix restart.

 all without success, or rather the same mistake
 
 Then post your new postconf -n, log entries showing the 
 problem, and file contents.


my postconf -n
[r...@r13151 ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = regexp:/etc/postfix/body_checks.cf
bounce_notice_recipient = postmaster
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = dksign:[127.0.0.1]:10028
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_privs = nobody
double_bounce_sender = no
header_checks = regexp:/etc/postfix/header_checks.cf
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 10
inet_interfaces = all
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_domains = bl.spamcop.net
mime_header_checks = regexp:/etc/postfix/mime_header_checks.cf
mydestination = $myhostname, localhost.$mydomain
mydomain = r13151.ovh.net
mynetworks = 127.0.0.0/8 ,87.98.186.232
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_run_delay = 2000s
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains = 
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_loglevel = 3
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions =
permit_mynetworks,reject_unknown_reverse_client_hostname,reject_unauth_pipelining,
reject_non_fqdn_recipient ,  permit
smtpd_milters = inet:[127.0.0.1]:10040
smtpd_recipient_restrictions = permit_mynetworks  permit_inet_interfaces
permit_sasl_authenticated  reject_unverified_recipient
reject_non_fqdn_sender reject_non_fqdn_recipient
reject_unknown_sender_domain reject_unknown_recipient_domain
reject_unknown_reverse_client_hostname reject_unauth_destination
reject_unauth_pipelining reject_rbl_client zen.spamhaus.org
reject_sender_login_mismatch check_policy_service unix:postgrey/socket
check_sender_access hash:/etc/postfix/check_backscatterer 
check_policy_service unix:private/spfpolicy reject_rbl_client
bl.spamcop.net reject_rhsbl_sender  dbl.spamhaus.org  reject_rbl_client
cbl.abuseat.org  reject_rbl_client b.barracudacentral.org
smtpd_reject_unlisted_sender = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/sub.class4.server.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/newcerts/01.pem
smtpd_tls_key_file = /etc/pki/tls/private/r13151.ovh.net.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = fakessh.eu renelacroute.fr nicolaspichot.fr
virtual_alias_maps = hash:/etc/postfix/virtual

 
 But you already have all the information you need to fix this 
 yourself.
 
 Key points are
 1) use fully qualified names in virtual_alias_maps. ie.
 u...@example1.com   u...@example2.com
 
 *not*
 u...@example1.com   user

my jed /etc/postfix/virtual
#
# AUTHOR(S)
#Wietse Venema
#IBM T.J. Watson Research
#P.O. Box 704
#Yorktown Heights, NY 10598, USA
#
#
VIRTUAL(5$
postmas...@fakessh.eu   r...@localhost.r13151.ovh.net
fake...@fakessh.eu fake...@localhost.r13151.ovh.net
webm...@fakessh.eu webm...@localhost.r13151.ovh.net
se...@fakessh.eu   se...@localhost.r13151.ovh.net
@fakessh   r...@localhost.r13151.ovh.net
renelacro...@renelacroute.fr renelacro...@localhost.r13151.ovh.net
@renelacroute.fr   r...@localhost.r13151.ovh.net
postmas...@renelacroute.fr   r...@localhost.r13151.ovh.net
nicolaspic...@nicolaspichot.fr   nicolaspic...@localhost.r13151.ovh.net
@nicolaspichot.fr   r...@localhost.r13151.ovh.net


 
 2) if you want local delivery of the mail, the new domain must 
 be listed in mydestination.
 
I use local delivery agent
[r...@r13151 ~]# rpm -qa | grep dovecot

Re: catch-all not working with postfix dovecot lda

2010-04-15 Thread fakessh
On Fri, 16 Apr 2010 00:26:25 +0200, fakessh fake...@fakessh.eu wrote:
 On Thu, 15 Apr 2010 08:33:43 -0500, Noel Jones njo...@megan.vbhcs.org
 wrote:
 On 4/14/2010 3:42 PM, fakessh wrote:
 On Wed, 14 Apr 2010 13:50:34 -0500, Noel Jonesnjo...@megan.vbhcs.org
 wrote:
 On 4/14/2010 1:45 PM, fakessh wrote:
 On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
 cmar...@media-brokers.com   wrote:


 I changed the entries @fakessh to r...@localhost in
 /etc/postfix/virtual
 postmap then a file  to
 the postfix restart.

 all without success, or rather the same mistake
 
 Then post your new postconf -n, log entries showing the 
 problem, and file contents.
 
 
 my postconf -n
 [r...@r13151 ~]# postconf -n
 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases
 body_checks = regexp:/etc/postfix/body_checks.cf
 bounce_notice_recipient = postmaster
 broken_sasl_auth_clients = yes
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 content_filter = dksign:[127.0.0.1]:10028
 daemon_directory = /usr/libexec/postfix
 debug_peer_level = 2
 default_privs = nobody
 double_bounce_sender = no
 header_checks = regexp:/etc/postfix/header_checks.cf
 home_mailbox = Maildir/
 html_directory = no
 in_flow_delay = 10
 inet_interfaces = all
 mail_spool_directory = /var/spool/mail
 mailbox_command = /usr/libexec/dovecot/deliver
 mailq_path = /usr/bin/mailq.postfix
 manpage_directory = /usr/share/man
 maps_rbl_domains = bl.spamcop.net
 mime_header_checks = regexp:/etc/postfix/mime_header_checks.cf
 mydestination = $myhostname, localhost.$mydomain
 mydomain = r13151.ovh.net
 mynetworks = 127.0.0.0/8 ,87.98.186.232
 myorigin = $mydomain
 newaliases_path = /usr/bin/newaliases.postfix
 queue_run_delay = 2000s
 readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
 recipient_delimiter = +
 relay_domains = 
 sample_directory = /usr/share/doc/postfix-2.3.3/samples
 sendmail_path = /usr/sbin/sendmail.postfix
 setgid_group = postdrop
 smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_sender_dependent_authentication = yes
 smtp_tls_loglevel = 3
 smtp_tls_session_cache_database =
 btree:/var/lib/postfix/smtp_tls_session_cache
 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
 smtpd_client_restrictions =

permit_mynetworks,reject_unknown_reverse_client_hostname,reject_unauth_pipelining,
 reject_non_fqdn_recipient ,  permit
 smtpd_milters = inet:[127.0.0.1]:10040
 smtpd_recipient_restrictions = permit_mynetworks  permit_inet_interfaces
 permit_sasl_authenticated  reject_unverified_recipient
 reject_non_fqdn_sender reject_non_fqdn_recipient
 reject_unknown_sender_domain reject_unknown_recipient_domain
 reject_unknown_reverse_client_hostname reject_unauth_destination
 reject_unauth_pipelining reject_rbl_client zen.spamhaus.org
 reject_sender_login_mismatch check_policy_service unix:postgrey/socket
 check_sender_access hash:/etc/postfix/check_backscatterer 
 check_policy_service unix:private/spfpolicy reject_rbl_client
 bl.spamcop.net reject_rhsbl_sender  dbl.spamhaus.org  reject_rbl_client
 cbl.abuseat.org  reject_rbl_client b.barracudacentral.org
 smtpd_reject_unlisted_sender = no
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_sasl_local_domain = $myhostname
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot
 smtpd_tls_CAfile = /etc/pki/tls/sub.class4.server.ca.pem
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/pki/tls/newcerts/01.pem
 smtpd_tls_key_file = /etc/pki/tls/private/r13151.ovh.net.key
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_database =
 btree:/var/lib/postfix/smtpd_tls_session_cache
 smtpd_use_tls = yes
 soft_bounce = no
 tls_random_source = dev:/dev/urandom
 unknown_local_recipient_reject_code = 550
 virtual_alias_domains = fakessh.eu renelacroute.fr nicolaspichot.fr
 virtual_alias_maps = hash:/etc/postfix/virtual
 
 
 But you already have all the information you need to fix this 
 yourself.
 
 Key points are
 1) use fully qualified names in virtual_alias_maps. ie.
 u...@example1.com   u...@example2.com
 
 *not*
 u...@example1.com   user
 
 my jed /etc/postfix/virtual
 #
 # AUTHOR(S)
 #Wietse Venema
 #IBM T.J. Watson Research
 #P.O. Box 704
 #Yorktown Heights, NY 10598, USA
 #
 #
 VIRTUAL(5$
 postmas...@fakessh.eu   r...@localhost.r13151.ovh.net
 fake...@fakessh.eu fake...@localhost.r13151.ovh.net
 webm...@fakessh.eu webm...@localhost.r13151.ovh.net
 se...@fakessh.eu   se...@localhost.r13151.ovh.net
 @fakessh   r...@localhost.r13151.ovh.net
 renelacro...@renelacroute.fr renelacro...@localhost.r13151.ovh.net
 @renelacroute.fr   r...@localhost.r13151.ovh.net
 postmas...@renelacroute.fr   r...@localhost.r13151.ovh.net
 nicolaspic...@nicolaspichot.fr   nicolaspic...@localhost.r13151.ovh.net
 @nicolaspichot.fr   r...@localhost.r13151.ovh.net
 
 
 
 2) if you 

Re: Many IP address outgoing messages

2010-04-15 Thread Stan Hoeppner
Eduardo Júnior put forth on 4/15/2010 4:52 PM:

 On Thu, Apr 15, 2010 at 6:35 PM, Stan Hoeppner s...@hardwarefreak.com wrote:
 Eduardo Júnior put forth on 4/15/2010 8:04 AM:

 Due to the high load of e-mails over my link, I want that
 my messages outgoing through more IPs with only postfix box.

 If you only have one physical link, how will sending mail from multiple IPs
 within the same subnet solve your link congestion problem?
 
 
 Currently my Postfix box sends outgoing e-mails through only one physical link, but
 I have others available.

A single DSL line can pump a half million messages/day.  Why do you have so
many outgoing messages that you're clogging your pipe?  This doesn't seem
like normal mail flow.

-- 
Stan


Re: block specific IP addresses

2010-04-15 Thread mouss
CT wrote:
 I have several boxes that check my relay every 40 seconds to
 check that the server is up.
 
 After multiple attempts to get the number of checks reduced I would
 like to know the preferred way to block specific IP addresses in Postfix.
 
 I have no issue with checks.. but every 40 seconds is ridiculous.
 

the first answer is: try to reach their abuse/postmaster. if you fail,
then firewall them. if so, just DROP their traffic (this will cause more
delay on their side). you can also redirect their traffic to a slow
silly server (torture server).


crl support?

2010-04-15 Thread zhong ming wu
Dear List

I don't find anywhere in TLS documentation how to make postfix respect a crl
so that clients whose certs have been revoked cannot use the submission server.

Can someone please confirm that this feature is supported or not?

Thanks


Re: [Dovecot] catch-all not working with postfix dovecot lda

2010-04-15 Thread fakessh
On Fri, 16 Apr 2010 09:07:55 +1000, Noel Butler noel.but...@ausics.net
wrote:
 Postfix must first know the user(s)
 therefore this is a postfix issue and not dovecot
 dovecot deliver assumes the MTA has verified the user to accept mail
 from and does not do further authentication
 
 

how to build a catch-all with dovecot lda
the question then. is not a postfix issue

 On Fri, 2010-04-16 at 01:00 +0200, fakessh wrote:
 
 it's the archive to the cross post to postfix-users
 help me
 
 http://www.mail-archive.com/postfix-users@postfix.org/msg22963.html
 
 
 
 On Fri, 16 Apr 2010 00:26:25 +0200, fakessh fake...@fakessh.eu wrote:
 
 On Thu, 15 Apr 2010 08:33:43 -0500, Noel Jones
 njo...@megan.vbhcs.org wrote:
 
 On 4/14/2010 3:42 PM, fakessh wrote:
 
 On Wed, 14 Apr 2010 13:50:34 -0500, Noel
 Jonesnjo...@megan.vbhcs.org wrote:
 
 On 4/14/2010 1:45 PM, fakessh wrote:
 
 On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
 cmar...@media-brokers.com wrote: 
 
 I changed the entries @fakessh to r...@localhost in 
 
 /etc/postfix/virtual
 
 postmap then a file to the postfix restart. all without
 success, or rather the same mistake 
 
 Then post your new postconf -n, log entries showing the
 problem,
 and file contents. 
 
 my postcon -n [r...@r13151 ~]# postconf -n alias_database =
 hash:/etc/aliases alias_maps = hash:/etc/aliases body_checks =
 regexp:/etc/postfix/body_checks.cf bounce_notice_recipient = postmaster
 broken_sasl_auth_clients = yes command_directory = /usr/sbin
 config_directory = /etc/postfix content_filter =
dksign:[127.0.0.1]:10028
 daemon_directory = /usr/libexec/postfix debug_peer_level = 2
 default_privs
 = nobody double_bounce_sender = no header_checks =
 regexp:/etc/postfix/header_checks.cf home_mailbox = Maildir/
 html_directory
 = no in_flow_delay = 10 inet_interfaces = all mail_spool_directory =
 /var/spool/mail mailbox_command = /usr/libexec/dovecot/deliver
 mailq_path =
 /usr/bin/mailq.postfix manpage_directory = /usr/share/man
 maps_rbl_domains
 = bl.spamcop.net mime_header_checks =
 regexp:/etc/postfix/mime_header_checks.cf mydestination = $myhostname,
 localhost.$mydomain mydomain = r13151.ovh.net mynetworks = 127.0.0.0/8
 ,87.98.186.232 myorigin = $mydomain newaliases_path =
 /usr/bin/newaliases.postfix queue_run_delay = 2000s readme_directory =
 /usr/share/doc/postfix-2.3.3/README_FILES recipient_delimiter = +
 relay_domains = sample_directory = /usr/share/doc/postfix-2.3.3/samples
 sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop
 smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options
=
 noanonymous smtp_sender_dependent_authentication = yes
smtp_tls_loglevel
 =
 3 smtp_tls_session_cache_database =
 btree:/var/lib/postfix/smtp_tls_session_cache smtpd_banner =
$myhostname
 ESMTP $mail_name ($mail_version) smtpd_client_restrictions = 
 

permit_mynetworks,reject_unknown_reverse_client_hostname,reject_unauth_pipelining,
 
 reject_non_fqdn_recipient , permit smtpd_milters =
 inet:[127.0.0.1]:10040 smtpd_recipient_restrictions = permit_mynetworks
 permit_inet_interfaces permit_sasl_authenticated
 reject_unverified_recipient reject_non_fqdn_sender
 reject_non_fqdn_recipient reject_unknown_sender_domain
 reject_unknown_recipient_domain reject_unknown_reverse_client_hostname
 reject_unauth_destination reject_unauth_pipelining reject_rbl_client
 zen.spamhaus.org reject_sender_login_mismatch check_policy_service
 unix:postgrey/socket check_sender_access
 hash:/etc/postfix/check_backscatterer check_policy_service
 unix:private/spfpolicy reject_rbl_client bl.spamcop.net
 reject_rhsbl_sender
 dbl.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client
 b.barracudacentral.org smtpd_reject_unlisted_sender = no
 smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes
 smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot smtpd_tls_CAfile =
 /etc/pki/tls/sub.class4.server.ca.pem smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/pki/tls/newcerts/01.pem smtpd_tls_key_file =
 /etc/pki/tls/private/r13151.ovh.net.key smtpd_tls_received_header = yes
 smtpd_tls_session_cache_database =
 btree:/var/lib/postfix/smtpd_tls_session_cache smtpd_use_tls = yes
 soft_bounce = no tls_random_source = dev:/dev/urandom
 unknown_local_recipient_reject_code = 550 virtual_alias_domains =
 fakessh.eu renelacroute.fr nicolaspichot.fr virtual_alias_maps =
 hash:/etc/postfix/virtual
 
 But you already have all the information you need to fix this
 yourself. Key points are 1) use fully qualified names in
 virtual_alias_maps. ie. u...@example1.com u...@example2.com *not*
 u...@example1.com user 
 
 my jed /etc/postfix/virtual # # AUTHOR(S) # Wietse Venema # IBM
T.J.
 Watson Research # P.O. Box 704 # Yorktown Heights, NY 10598, USA # #
 VIRTUAL(5$ postmas...@fakessh.eu r...@localhost.r13151.ovh.net
 

Fwd: Re: [Dovecot] catch-all not working with postfix dovecot lda (fwd)

2010-04-15 Thread fakessh
it may be a problem in dealing with amavisd perl milter

Subject: Re: [Dovecot] catch-all not working with postfix dovecot lda

On Fri, 16 Apr 2010 09:07:55 +1000, Noel Butler noel.but...@ausics.net
wrote:
 Postfix must first know the user(s)
 therefore this is a postfix issue and not dovecot
 dovecot deliver assumes the MTA has verified the user to accept mail
 from and does not do further authentication



how to build a catch-all with dovecot lda
the question then. is not a postfix issue

 On Fri, 2010-04-16 at 01:00 +0200, fakessh wrote:

 it's the archive to the cross post to postfix-users
 help me

 http://www.mail-archive.com/postfix-users@postfix.org/msg22963.html



 On Fri, 16 Apr 2010 00:26:25 +0200, fakessh fake...@fakessh.eu wrote:

 On Thu, 15 Apr 2010 08:33:43 -0500, Noel Jones
 njo...@megan.vbhcs.org wrote:

 On 4/14/2010 3:42 PM, fakessh wrote:

 On Wed, 14 Apr 2010 13:50:34 -0500, Noel
 Jonesnjo...@megan.vbhcs.org wrote:

 On 4/14/2010 1:45 PM, fakessh wrote:

 On Wed, 14 Apr 2010 14:12:25 -0400, Charles Marcus
 cmar...@media-brokers.com wrote:

 I changed the entries @fakessh to r...@localhost in

 /etc/postfix/virtual

 postmap then a file to the postfix restart. all without
 success, or rather the same mistake

 Then post your new postconf -n, log entries showing the
 problem,
 and file contents.

 my postcon -n [r...@r13151 ~]# postconf -n alias_database =
 hash:/etc/aliases alias_maps = hash:/etc/aliases body_checks =
 regexp:/etc/postfix/body_checks.cf bounce_notice_recipient = postmaster
 broken_sasl_auth_clients = yes command_directory = /usr/sbin
 config_directory = /etc/postfix content_filter =
dksign:[127.0.0.1]:10028
 daemon_directory = /usr/libexec/postfix debug_peer_level = 2
 default_privs
 = nobody double_bounce_sender = no header_checks =
 regexp:/etc/postfix/header_checks.cf home_mailbox = Maildir/
 html_directory
 = no in_flow_delay = 10 inet_interfaces = all mail_spool_directory =
 /var/spool/mail mailbox_command = /usr/libexec/dovecot/deliver
 mailq_path =
 /usr/bin/mailq.postfix manpage_directory = /usr/share/man
 maps_rbl_domains
 = bl.spamcop.net mime_header_checks =
 regexp:/etc/postfix/mime_header_checks.cf mydestination = $myhostname,
 localhost.$mydomain mydomain = r13151.ovh.net mynetworks = 127.0.0.0/8
 ,87.98.186.232 myorigin = $mydomain newaliases_path =
 /usr/bin/newaliases.postfix queue_run_delay = 2000s readme_directory =
 /usr/share/doc/postfix-2.3.3/README_FILES recipient_delimiter = +
 relay_domains = sample_directory = /usr/share/doc/postfix-2.3.3/samples
 sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop
 smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options
=
 noanonymous smtp_sender_dependent_authentication = yes
smtp_tls_loglevel
 =
 3 smtp_tls_session_cache_database =
 btree:/var/lib/postfix/smtp_tls_session_cache smtpd_banner =
$myhostname
 ESMTP $mail_name ($mail_version) smtpd_client_restrictions =


permit_mynetworks,reject_unknown_reverse_client_hostname,reject_unauth_pipelining,

 reject_non_fqdn_recipient , permit smtpd_milters =
 inet:[127.0.0.1]:10040 smtpd_recipient_restrictions = permit_mynetworks
 permit_inet_interfaces permit_sasl_authenticated
 reject_unverified_recipient reject_non_fqdn_sender
 reject_non_fqdn_recipient reject_unknown_sender_domain
 reject_unknown_recipient_domain reject_unknown_reverse_client_hostname
 reject_unauth_destination reject_unauth_pipelining reject_rbl_client
 zen.spamhaus.org reject_sender_login_mismatch check_policy_service
 unix:postgrey/socket check_sender_access
 hash:/etc/postfix/check_backscatterer check_policy_service
 unix:private/spfpolicy reject_rbl_client bl.spamcop.net
 reject_rhsbl_sender
 dbl.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client
 b.barracudacentral.org smtpd_reject_unlisted_sender = no
 smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes
 smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot smtpd_tls_CAfile =
 /etc/pki/tls/sub.class4.server.ca.pem smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/pki/tls/newcerts/01.pem smtpd_tls_key_file =
 /etc/pki/tls/private/r13151.ovh.net.key smtpd_tls_received_header = yes
 smtpd_tls_session_cache_database =
 btree:/var/lib/postfix/smtpd_tls_session_cache smtpd_use_tls = yes
 soft_bounce = no tls_random_source = dev:/dev/urandom
 unknown_local_recipient_reject_code = 550 virtual_alias_domains =
 fakessh.eu renelacroute.fr nicolaspichot.fr virtual_alias_maps =
 hash:/etc/postfix/virtual

 But you already have all the information you need to fix this
 yourself. Key points are 1) use fully qualified names in
 virtual_alias_maps. ie. u...@example1.com u...@example2.com *not*
 u...@example1.com user

 my jed /etc/postfix/virtual # # AUTHOR(S) # Wietse Venema # IBM
T.J.
 Watson Research # P.O. Box 704 # 

Re: block specific IP addresses

2010-04-15 Thread groups

Stan Hoeppner wrote, On 04/15/2010 05:16 PM:

CT put forth on 4/15/2010 4:43 PM:

I have several boxes that check my relay every 40 seconds to
check that the server is up.

After multiple attempts to get the number of checks reduced I would
like to know the preferred way to block specific IP addresses in Postfix.

I have no issue with checks.. but every 40 seconds is ridiculous.


To accomplish the task in Postfix, blocking only SMTP connections from those
IP addresses:

edit: /etc/postfix/main.cf

smtpd_[client/recipient]_restrictions =
...
check_client_access hash:/etc/postfix/blacklist
...

# [client/recipient] selection depends on whether you use the everything
under smtpd_recipient_restrictions style main.cf layout.

create: /etc/postfix/blacklist

...
1.2.3.4 REJECT
4.3.2.1 REJECT
3.2.1.4 REJECT
...

/$ postmap /etc/postfix/blacklist
/$ postfix reload

Simple, eh?

snip
Stan...
I had run across your suggestion in my searches but figured I would
ask to be sure I was heading down the right path...

These IPs are on my trusted subnets, but what I *wasn't* sure of was whether, if
I did create the blacklist, I would also have to create a whitelist for my
trusted subnets.

Looks like I don't..

and yes very simple.. I like simple.. since there are only
a handful of top pollers
and ..Exactly what I was looking for..

Syntax follow up question...

1.2.3.4 tab REJECT
or
1.2.3.4 tabtab REJECT

Thx
charles
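
Added example, not part of any poster's message: a small Python model of how a `hash:` access(5) table like the `/etc/postfix/blacklist` discussed above is parsed and looked up for a client IP, and of first-match evaluation of a restriction list. It shows that one tab, several tabs or spaces all parse the same, and that a REJECT entry is never reached when `permit_mynetworks` comes earlier in the same list and already matches a poller on a trusted subnet; the table contents and the `mynetworks` value are constructed.

```python
import ipaddress

# Constructed sample of /etc/postfix/blacklist, using the thread's placeholder IPs.
# Key and action are separated by any run of spaces or tabs.
SAMPLE_TABLE = """\
# pollers that probe the relay too often
1.2.3.4\tREJECT
4.3.2.1\t\tREJECT polling too often
3.2.1      REJECT
"""


def parse_access_table(text):
    """Parse access(5) source text into a {key: action} dict."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation of the previous entry
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)               # split on the first whitespace run
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_client(table, ip):
    """Indexed-table lookup for an IPv4 client: full address first, then
    a.b.c, a.b and a (octets stripped from the right). CIDR keys are not
    understood by hash: tables. Returns (matched_key, action) or None."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for n in range(4, 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return key, table[key]
    return None


def evaluate(restrictions, client_ip, mynetworks, table):
    """Walk one restriction list left to right; the first restriction that
    decides wins. Only permit_mynetworks and check_client_access are
    modelled, and hostname lookups are left out.
    Returns (decision, deciding_restriction)."""
    addr = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(net) for net in mynetworks):
                return "PERMIT", name
        elif name == "check_client_access":
            hit = lookup_client(table, client_ip)
            if hit:
                words = hit[1].split()
                verb = words[0].upper() if words else ""
                if verb == "REJECT":
                    return "REJECT", name
                if verb == "OK":
                    return "PERMIT", name
                # any other action (e.g. DUNNO): keep evaluating the list
    return "DUNNO", None                          # this list made no decision


if __name__ == "__main__":
    table = parse_access_table(SAMPLE_TABLE)
    trusted = ["1.2.3.0/24"]                      # constructed mynetworks value
    for order in (["permit_mynetworks", "check_client_access"],
                  ["check_client_access", "permit_mynetworks"]):
        print(order, "->", evaluate(order, "1.2.3.4", trusted, table))
```
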


Re: block specific IP addresses

2010-04-15 Thread groups

mouss wrote, On 04/15/2010 06:03 PM:

CT wrote:

I have several boxes that check my relay every 40 seconds to
check that the server is up.

After multiple attempts to get the number of checks reduced I would
like to know the preferred way to block specific IP addresses in Postfix.

I have no issue with checks.. but every 40 seconds is ridiculous.



the first answer is: try to reach their abuse/postmaster. if you fail,
then firewall them. if so, just DROP their traffic (this will cause more
delay on their side). you can also redirect their traffic to a slow
silly server (torture server).


Mouss..
I could use a host based fw.. but would rather use Postfix as there
are only a handful of pollers..

Thx
Charles


Re: crl support?

2010-04-15 Thread Wietse Venema
zhong ming wu:
 Dear List
 
 I don't find anywhere in TLS documentation how to make postfix respect a crl
 so that clients whose certs have been revoked cannot use the submission
 server.
 
 Can someone please confirm that this feature is supported or not?

If it is not in the documentation, then it is not implemented.

Wietse


Re: crl support?

2010-04-15 Thread Victor Duchovni
On Thu, Apr 15, 2010 at 07:16:58PM -0400, zhong ming wu wrote:

 I don't find anywhere in TLS documentation how to make postfix respect a crl
 so that clients whose certs have been revoked cannot use the submission
 server.

The supported model for submission servers that use client certs is to
list all supported fingerprints in a table. With fingerprint security,
you don't need CRLs. Alternatively, you can extract all the revoked
certs from the CRL, and use check_ccert_access to deny access, while
allowing everyone else signed by the CA.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
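
Added example, not from the thread or from Postfix: one way to build the deny table for `check_ccert_access` described above. A CRL lists serial numbers, not fingerprints, so the sketch assumes the CA keeps an OpenSSL `ca`-style `index.txt` plus the issued certificates keyed by serial; the index lines and certificate bodies are constructed stand-ins, and the digest must match the server's `smtpd_tls_fingerprint_digest`.

```python
import base64
import hashlib


def pem_to_der(pem):
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    body = [ln.strip() for ln in pem.strip().splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der, digest="sha1"):
    """Colon-separated upper-case hex digest of the DER certificate,
    the form used as the lookup key in a check_ccert_access table."""
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def revoked_serials(index_txt):
    """Serials of entries flagged R in an OpenSSL ca index.txt.
    Fields are tab-separated: status, expiry, revocation date[,reason],
    serial, file name, subject."""
    serials = []
    for line in index_txt.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "R":
            serials.append(fields[3].upper())
    return serials


def ccert_deny_table(index_txt, certs_by_serial, digest="sha1"):
    """Return access(5) lines that REJECT every revoked certificate.
    Fails loudly if a revoked serial has no stored certificate, because
    that certificate could not be blocked by fingerprint."""
    lines = []
    for serial in revoked_serials(index_txt):
        if serial not in certs_by_serial:
            raise LookupError(f"no stored certificate for revoked serial {serial}")
        fp = fingerprint(pem_to_der(certs_by_serial[serial]), digest)
        lines.append(f"{fp} REJECT certificate revoked")
    return lines


def constructed_pem(tag):
    """Constructed stand-in: PEM armor around placeholder bytes, not a real certificate."""
    der = b"constructed stand-in for DER certificate " + tag.encode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed index.txt: serial 02 is revoked, 01 and 03 are still valid.
INDEX_TXT = "\n".join("\t".join(f) for f in [
    ("V", "110415120000Z", "", "01", "unknown", "/CN=alice.example.com"),
    ("R", "110415120000Z", "100401093000Z,keyCompromise", "02", "unknown", "/CN=bob.example.com"),
    ("V", "110415120000Z", "", "03", "unknown", "/CN=carol.example.com"),
])
CERTS = {serial: constructed_pem(serial) for serial in ("01", "02", "03")}

if __name__ == "__main__":
    # Write the output to the table file and run postmap on it, as for any hash: table.
    print("\n".join(ccert_deny_table(INDEX_TXT, CERTS)))
```
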


Re: Limit outgoing SMTP

2010-04-15 Thread listadecorreo

Wietse Venema wrote:

Claudio Prono:
  
Hi to all, 


Just a question, there is any method to limit the outgoing mails ?
Something like domain.com allowed, domain.net not allowed, or
u...@domain.com allowed, u...@domain.net not allowed. And this can be
done for each user?



Postfix enforces such limits while RECEIVING mail:

http://www.postfix.org/SMTPD_ACCESS_README.html

To stop mail from out-of-control web applications, use spam filters
as discussed today in the lost credentials thread.

  

If is possible, there is any web based or similar tool to manage this thing?



Gui support is not included.

Wietse

  


I use this procedure to accomplish that one domain can send internet email 
and one domain can send only local mail.


r...@imss:~$ vi /etc/postfix/main.cf

smtpd_recipient_restrictions =
    check_sender_access hash:/etc/postfix/Custom/sender_deny
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_client_restrictions =
    permit_sasl_authenticated,
    reject_unknown_client


smtpd_restriction_classes = local_only
local_only = check_recipient_access hash:/etc/postfix/Custom/local_domains, reject


r...@imss:~$ cat /etc/postfix/Custom/local_domains
###
# Remember: postmap /etc/postfix/Custom/local_domains
###

xxx.lan OK
xxx.es OK

###
# Remember: postmap /etc/postfix/Custom/sender_deny
###

os...@xxx.lan local_only

###
# Remember: postmap /etc/postfix/Custom/virtual
###

os...@xxx.es oscar.xxx
os...@xxx.lan oscar.xxx