Re: Postfix config for static:hold on all unauthenticated mail
Simon:
> What I am trying to achieve is to have the following:
> - All clients listed in mynetworks unrestricted sending
> - All clients NOT in mynetworks using sasl_authenticated unrestricted sending
> - All clients NOT in mynetworks NOT using sasl_authenticated (all other clients I guess?) added to the queue, but with static:hold

    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_client_access static:hold

Wietse
track down deferred mail reason
Hi, I have set up postfix as an mx backup using:

    relay_domains = betterthanbacon.com
    defer_transports = smtp

Works ok, but upon browsing the log /var/log/mail.log, I have found the following entry:

    May 18 13:06:56 ks postfix/error[14135]: 781A83E1F9: to=eweivivuhi7...@blokowe.pl, relay=none, delay=0.14, delays=0.09/0.04/0/0.01, dsn=4.3.2, status=deferred (deferred transport)

Does this mean my postfix server has accepted an email to eweivivuhi7...@blokowe.pl and is now waiting for delivery? I have tried to telnet to my postfix on port 25 using the rcpt to: command to the same email address, but I got a relay denied message.

How do I track down and fix this problem so that postfix will only accept emails for relay_domains?

Thanks!
Re: track down deferred mail reason
Juan Devas:
> Hi, I have set up postfix as an mx backup using:
>
>     relay_domains = betterthanbacon.com
>     defer_transports = smtp
>
> Works ok, but upon browsing the log /var/log/mail.log, I have found the following entry:
>
>     May 18 13:06:56 ks postfix/error[14135]: 781A83E1F9: to=eweivivuhi7...@blokowe.pl, relay=none, delay=0.14, delays=0.09/0.04/0/0.01, dsn=4.3.2, status=deferred (deferred transport)
>
> Does this mean my postfix server has accepted an email to eweivivuhi7...@blokowe.pl and is now waiting for delivery? I have tried to telnet to my postfix on port 25 using the rcpt to: command to the same email address, but I got a relay denied message.
>
> How do I track down and fix this problem so that postfix will only accept emails for relay_domains?

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Thank you for using Postfix.
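An added example, not part of the thread: one way to follow a queue ID such as 781A83E1F9 back through the mail log and see how the message entered the queue before it was deferred. The log lines, hostnames and addresses below are constructed samples in standard Postfix syslog format, and `trace` and `deferred_outside` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the poster's log).
SAMPLE_LOG = """\
May 18 13:01:10 mx2 postfix/smtpd[14001]: A1B2C3D4E5: client=mail.sender.example[192.0.2.10]
May 18 13:01:10 mx2 postfix/cleanup[14002]: A1B2C3D4E5: message-id=<1@sender.example>
May 18 13:01:10 mx2 postfix/qmgr[900]: A1B2C3D4E5: from=<alice@sender.example>, size=2100, nrcpt=1 (queue active)
May 18 13:01:10 mx2 postfix/error[14003]: A1B2C3D4E5: to=<bob@relayed.example>, relay=none, delay=0.2, delays=0.1/0.05/0/0.05, dsn=4.3.2, status=deferred (deferred transport)
May 18 13:06:56 mx2 postfix/pickup[880]: F6E5D4C3B2: uid=33 from=<www-data>
May 18 13:06:56 mx2 postfix/qmgr[900]: F6E5D4C3B2: from=<www-data@mx2.example>, size=800, nrcpt=1 (queue active)
May 18 13:06:56 mx2 postfix/error[14135]: F6E5D4C3B2: to=<someone@elsewhere.example>, relay=none, delay=0.14, delays=0.09/0.04/0/0.01, dsn=4.3.2, status=deferred (deferred transport)
"""

LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
FIELD = re.compile(r"(\w[\w-]*)=(<[^>]*>|[^,\s]+)")

def trace(log_text):
    """Group log lines by queue ID and record how each message entered the queue."""
    msgs = defaultdict(lambda: {"origin": None, "source": None, "sender": None, "deferred": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec, rest = msgs[m["qid"]], m["rest"]
        fields = dict(FIELD.findall(rest))
        if m["daemon"] == "smtpd" and "client" in fields:
            # Accepted over SMTP from a remote client.
            rec["origin"], rec["source"] = "smtp", fields["client"]
        elif m["daemon"] == "pickup" and "uid" in fields:
            # Submitted on this host (sendmail command), never seen by smtpd.
            rec["origin"], rec["source"] = "local", "uid=" + fields["uid"]
        elif m["daemon"] == "qmgr" and "from" in fields:
            rec["sender"] = fields["from"].strip("<>")
        elif fields.get("status") == "deferred":
            reason = rest[rest.rfind("(") + 1 : rest.rfind(")")]
            rec["deferred"].append((fields["to"].strip("<>"), fields["dsn"], reason))
    return dict(msgs)

def deferred_outside(msgs, relay_domains):
    """Deferred recipients whose domain is not in relay_domains, with the message origin."""
    hits = []
    for qid, rec in sorted(msgs.items()):
        for rcpt, _dsn, _reason in rec["deferred"]:
            if rcpt.rpartition("@")[2].lower() not in relay_domains:
                hits.append((qid, rcpt, rec["origin"], rec["source"]))
    return hits

if __name__ == "__main__":
    for hit in deferred_outside(trace(SAMPLE_LOG), {"relayed.example"}):
        print(hit)
```

An origin of "smtp" means the SMTP server accepted the message from the listed client; "local" means it was submitted on the host itself, which a RCPT TO test on port 25 does not exercise.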
Re: Newsletter server setup questions
Hello

Thank You for all the information sent over. Could You please send me specs for that commercial software so I can ask the client if that's what he is supposed to have? You can email me off-list, don't know this list rules by heart.

Sincerely
Dragan

Nataraj wrote:
> Dragan Zubac wrote:
>> Hello
>>
>> I need to set up a Postfix mail server that will be used only occasionally for sending out newsletters and other automated emails. There are 4 boxes, 1. is the box where Postfix is installed, boxes 2., 3. and 4. are boxes that have various scripts that will use SMTP to connect to box 1. in order to send emails.
>>
>> The requirements are as follows:
>>
>> 1. All Postfix mail logs must be able to check via some kind of web interface, where one will be able to see the MessageID, Subject, To, Date, Time and status of sent message, the similar can be seen on the following URL: http://www.kyapanel.com/images/rsgallery/original/kp8.png (although not necessarily using this software). The purpose of this requirement is for somebody to be able to find out if any of the emails sent out was not delivered, and if not, what was the reason.
>>
>> 2. The scripts will send 'important' and 'less important' emails. If script is programmed to send 'important' ones, the copy of email must be sent to a separate account that will archive all sent emails (automatically BCC or something similar). If script will send 'less important' email, there is no need to keep a copy of sent email. The purpose of this request is for somebody to be able to find out the same copy of email if a recipient confirms that he has not received that very same email.
>>
>> 3. Some emails will have kind of 'no-r...@domain.com' email address in 'From' field. If recipient of this email by accident or so does send a reply back to 'no-re...@domain.com', he should receive an error email ('User does not exist' or similar error) and also certain local user at 'domain.com' should be alerted that an attempt of email delivery to 'no-re...@domain.com' has occurred.
>>
>> Could You please share Your ideas/thoughts how this can be achieved or so?
>>
>> Sincerely
>> Dragan Zubac
>
> I'm not sure if this is useful or not, but the two most common open source pieces of software for managing mailing lists are mailman and majordomo (the server used for this list). Both can be used with postfix. mailman is written in python and has a web based interface to allow users to subscribe as well as for management purposes. Majordomo is written in perl, and I believe the administration as well as subscription lists is still managed in email. Personally, I like the web interface of mailman as well as the way that it handles headers, though I have not managed a list myself with mailman.
>
> I don't know what kind of reporting these packages provide, but everything is in log files and python/perl code can be easily customized, so if you're skilled at working with python/perl you could add report pages and features as needed. Both packages have been used quite extensively for large mailing lists.
>
> http://www.greatcircle.com/majordomo/
> http://www.gnu.org/software/mailman/index.html
>
> Outside of these options, there are commercial services that are relatively inexpensive that provide mailing list managers with reporting functions that marketing types tend to want to see. I'm not personally a big fan of these things, and many are used for what I consider borderline spamming, but sometimes it's easier to farm things out than implement everything yourself. If it interests you, I can send you the name of one that one of my clients likes, though I have no personal experience.
>
> Nataraj
looking for an SMTP testing tool
I'm looking for an SMTP testing tool I can use to do tests of configuration changes to Postfix. To do the proper tests I need to carry out the actual SMTP protocol from this program (as opposed to just putting mail in the queue), with TLS, STARTTLS, and login/authentication support, do it from a command line or shell script, and be able to bypass terminal prompts for authentication passwords. Interactive mail clients are just too clumsy to do these tests with (mostly because I need to do tests with a large variety of configurations generated at test-run time). Anyone ever heard of such a thing? Ironically, it may well be spamware that can do better tests than anything I have seen so far, and that would be a shame. Open source highly preferred, of course (even better if in my favorite languages ... C, Pike, Python). I'm putting together a suite of regression tests. Some will run daily under cron. Some will be run when configuration changes are made. The objective is to verify that every aspect of sending mail is working (or not working as the case may be, such as rejecting attempts to open relay) as intended whenever changes are made.
Postfix, SASL and LDAPDB
Hey guys,

I want to set up SASL authentication using LDAPDB, but it seems that postfix connects to LDAP but doesn't send anything to it...

I try to authenticate using 'auth plain base64', and I receive:

    535 5.7.8 Error: authentication failed: authentication failure

Connection to LDAP works fine at the network level, but the only thing that postfix sends to Slapd (sniffed using tcpdump) is an UNBIND request. Confirmed by the logs of slapd:

    May 18 17:25:29 samchiel slapd[1431]: conn=35 fd=17 ACCEPT from IP=127.0.0.1:57368 (IP=127.0.0.1:389)
    May 18 17:25:29 samchiel slapd[1431]: conn=35 op=0 UNBIND
    May 18 17:25:29 samchiel slapd[1431]: conn=35 fd=17 closed

Postfix says the following:

    May 18 17:25:29 samchiel postfix/smtpd[12094]: localhost[127.0.0.1]: auth plain X
    May 18 17:25:29 samchiel postfix/smtpd[12094]: xsasl_cyrus_server_first: sasl_method plain, init_response X
    May 18 17:25:29 samchiel postfix/smtpd[12094]: xsasl_cyrus_server_first: decoded initial response
    May 18 17:25:29 samchiel postfix/smtpd[12094]: warning: SASL authentication failure: Password verification failed
    May 18 17:25:29 samchiel postfix/smtpd[12094]: warning: localhost[127.0.0.1]: SASL plain authentication failed: authentication failure
    May 18 17:25:29 samchiel postfix/smtpd[12094]: localhost[127.0.0.1]: 535 5.7.8 Error: authentication failed: authentication failure

So, I assumed there might be something wrong with my configuration. Since I'm on Debian Squeeze (for testing purposes), I have a /etc/postfix/sasl/smtpd.conf that contains the configuration of ldapdb:

    # cat /etc/postfix/sasl/smtpd.conf
    pwcheck_method: auxprop
    auxprop_plugin: ldapdb
    mech_list: PLAIN LOGIN
    ldapdb_uri: ldap://localhost
    ldapdb_id: postfix
    ldapdb_pw: ZZZ
    ldapdb_mech: DIGEST-MD5 PLAIN LOGIN

and sasl directives in main.conf

    # grep smtpd_sasl main.cf
    smtpd_sasl_type = cyrus
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = smtpd
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_authenticated_header = yes

Did I miss anything? Any clue on why postfix doesn't send anything but an UNBIND request to LDAP?

Thanks,
Julien
Re: Postfix, SASL and LDAPDB
On Tue, May 18, 2010 at 05:44:43PM +0200, Julien Vehent wrote:
> I want to set up SASL authentication using LDAPDB, but it seems that postfix connects to LDAP but doesn't send anything to it...
>
> I try to authenticate using 'auth plain base64', and I receive :
>
>     535 5.7.8 Error: authentication failed: authentication failure

Is the LDAP library linked into Postfix compiled with Cyrus SASL support? The ldapdb auxprop plugin needs an LDAP library that can do SASL binds. If your LDAP library is not SASL (rather than simple bind) enabled, this may not work.

Take a look at the Notes LDAPDB auxprop options section of:

    http://www.sendmail.org/~ca/email/cyrus2/options.html

for additional LDAP server-side requirements.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: Postfix, SASL and LDAPDB
On Tue, 18 May 2010 12:37:47 -0400, Victor Duchovni victor.ducho...@morganstanley.com wrote:
> On Tue, May 18, 2010 at 05:44:43PM +0200, Julien Vehent wrote:
>> I want to set up SASL authentication using LDAPDB, but it seems that postfix connects to LDAP but doesn't send anything to it...
>>
>> I try to authenticate using 'auth plain base64', and I receive :
>>
>>     535 5.7.8 Error: authentication failed: authentication failure
>
> Is the LDAP library linked into Postfix compiled with Cyrus SASL support? The ldapdb auxprop plugin needs an LDAP library that can do SASL binds. If your LDAP library is not SASL (rather than simple bind) enabled, this may not work.

I believe it is, since I see a connection to the LDAP server. ldd confirms it too:

    # ldd /usr/sbin/postfix
        linux-gate.so.1 => (0xb7788000)
        libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0xb774b000)
        libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb771e000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb76d3000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb757b000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7564000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb740c000)
        libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb73f5000)
        libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb73df000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7298000)
        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7294000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb728)
        libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7267000)
        /lib/ld-linux.so.2 (0xb7789000)

> Take a look at the Notes LDAPDB auxprop options section of:
>
>     http://www.sendmail.org/~ca/email/cyrus2/options.html
>
> for additional LDAP server-side requirements.

The same directory is queried by cyrus-imapd using LDAPDB as well, and it works fine. So I assume the configuration/mistake is postfix specific and not in the LDAP conf.

Julien
Re: looking for an SMTP testing tool
On Tue, May 18, 2010 at 12:59, Wietse Venema wie...@porcupine.org wrote:
> This sounds like a job for Expect and openssl s_client.
>
> Expect is at http://expect.nist.gov/

Ah, yeah ... that ... or pexpect for Python (just used pexpect last month to extract stats from our Cisco routers).
Re: Postfix, SASL and LDAPDB
On Tue, May 18, 2010 at 07:47:12PM +0200, Julien Vehent wrote:
>> Is the LDAP library linked into Postfix compiled with Cyrus SASL support? The ldapdb auxprop plugin needs an LDAP library that can do SASL binds. If your LDAP library is not SASL (rather than simple bind) enabled, this may not work.
>
> I believe it is, since I see a connection to the LDAP server. ldd confirms it too:
>
>     # ldd /usr/sbin/postfix
>         linux-gate.so.1 => (0xb7788000)
>         libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0xb774b000)
>         libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb771e000)
>         libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb76d3000)
>         libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb757b000)
>         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7564000)
>         libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb740c000)
>         libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb73f5000)
>         libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb73df000)
>         libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7298000)
>         libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7294000)
>         libz.so.1 => /usr/lib/libz.so.1 (0xb728)
>         libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7267000)
>         /lib/ld-linux.so.2 (0xb7789000)

1. Your Postfix is not directly linked with LDAP at all, it looks like you are on a Debian system, and the LDAP table driver is dynamically loaded. So we don't know whether the LDAP library you are using has SASL support or not.

2. Mere TCP connection to the LDAP server does not prove support for LDAP SASL bind in the LDAP client.

You need to determine whether your LDAP library supports SASL. Running ldd on Postfix binaries won't tell you that, you need to run ldd on the LDAP library used by the dynamically loaded Postfix LDAP table driver and also, on the SASL LDAP plugin.

>> Take a look at the Notes LDAPDB auxprop options section of:
>>
>>     http://www.sendmail.org/~ca/email/cyrus2/options.html
>>
>> for additional LDAP server-side requirements.
>
> The same directory is queried by cyrus-imapd using LDAPDB as well, and it works fine. So I assume the configuration/mistake is postfix specific and not in the LDAP conf.

What is in the IMAP server SASL configuration file?

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
Re: looking for an SMTP testing tool
Phil Howard wrote:
> I'm looking for an SMTP testing tool I can use to do tests of configuration changes to Postfix. To do the proper tests I need to carry out the actual SMTP protocol from this program (as opposed to just putting mail in the queue), with TLS, STARTTLS, and login/authentication support, do it from a command line or shell script, and be able to bypass terminal prompts for authentication passwords. Interactive mail clients are just too clumsy to do these tests with (mostly because I need to do tests with a large variety of configurations generated at test-run time).
>
> Anyone ever heard of such a thing? Ironically, it may well be spamware that can do better tests than anything I have seen so far, and that would be a shame. Open source highly preferred, of course (even better if in my favorite languages ... C, Pike, Python).

if perl is acceptable for you, then it's easy to do what you want using available perl modules, or you can just use:

    http://www.logix.cz/michal/devel/smtp-cli/smtp-cli

> I'm putting together a suite of regression tests. Some will run daily under cron. Some will be run when configuration changes are made. The objective is to verify that every aspect of sending mail is working (or not working as the case may be, such as rejecting attempts to open relay) as intended whenever changes are made.
Re: lmtp_generic_maps for delivery to dovecot
ram wrote:
> On Mon, 2010-05-10 at 10:15 -0500, Noel Jones wrote:
>> On 5/10/2010 8:33 AM, ram wrote:
>>> Can I use something like lmtp_generic_maps for delivery to dovecot
>>
>> Your question is incomplete. What are you trying to accomplish? How does postfix deliver to dovecot?
>
> I have a master.cf entry for delivery to dovecot.
>
>     dovecot unix - n n - - pipe
>       flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
>
> The rules are very simple
>
>     mails to *...@local.example.com send to dovecot:[127.0.0.1]
>     mails to *...@otherlocation.example.com send to smtp:[otherlocation]
>
> But the users are created on dovecot as u...@example.com.

what stops you from telling dovecot to accept mail for u...@local.example.com? for example, if using mysql, nothing stops you from doing the mailbox resolution that does what you want. you can use IDs to make local.example.com = example.com.

now, if you really can't, then dedicate a specific transport:

    exacot argv=.../deliver... ${sender} - d ${us...@example.com

but chances are this is a lot far from what you should be doing. stated otherwise: you're creating artificial needs...

> How can I configure postfix to send mails for *...@local.example.com to dovecot and strip off the local. I use lmtp_generic_maps for a similar thing in postfix+cyrus
>
> Thanks Derwyn.
confused about different smtpd information in main.cf
I'm confused about the following in the main.cf

    smtpd_recipient_restrictions
    smtpd_sender_restrictions
    smtpd_client_restrictions
    smtpd_data_restrictions    this I pretty much get
    smtpd_helo_restrictions    this I pretty much get

Now with postfix all of these are blank except smtpd_recipient_restrictions. The default is something simple. Based on mynetworks to let your network through and then reject unauthorized destination to block anything else.

Now it has turned into a real nightmare. I tried to apply some ip numbers to the access list and it did not work. I used my test server to backtrack the problem under smtpd_client_restrictions with reject unknown client.

So below is all my restrictions. If you can clean them up or recommend anything to add. It should help me have less problems. For example some people have reject at the end of most everything while others have permit or leave blank.

Thanks,
Josh

(I use pop-before-smtp) I get confused because the quick guide to pop to smtp says to put reject_non_fqdn_recipient. So then I ask why there and not below. Seems like everybody has their own way of doing something and as I found out today. It can cause problems.

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access hash:/etc/postfix/access,
        check_client_access hash:/etc/postfix/pop-before-smtp,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unknown_sender_domain,
        reject_unverified_sender,
        reject_multi_recipient_bounce,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        check_helo_access regexp:/etc/postfix/helo.regexp,
        reject_rbl_client multi.uribl.com,
        reject_rbl_client dsn.rfc-ignorant.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client combined.rbl.msrbl.net,
        reject_rbl_client rabl.nuclearelephant.com

    smtpd_data_restrictions =
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit

    # Requirements for the sender details
    smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        check_sender_access hash:/etc/postfix/sender_access,
        permit

(do I really need pop-before-smtp there? Somebody else had it in an example?)

    # Requirements for the connecting server
    smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access hash:/etc/postfix/access,
        check_client_access hash:/etc/postfix/pop-before-smtp,
        reject_unknown_client,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_unauth_destination

    smtpd_helo_restrictions =
        permit_mynetworks,
        regexp:/etc/postfix/helo.regexp,
        permit

--
This message has been scanned for viruses and dangerous content by Mychoice, and is believed to be clean.
Re: looking for an SMTP testing tool
* Phil Howard ttip...@gmail.com:
> I'm looking for an SMTP testing tool I can use to do tests of configuration changes to Postfix. To do the proper tests I need to carry out the actual SMTP protocol from this program (as opposed to just putting mail in the queue), with TLS, STARTTLS, and login/authentication support, do it from a command line or shell script, and be able to bypass terminal prompts for authentication passwords. Interactive mail clients are just too clumsy to do these tests with (mostly because I need to do tests with a large variety of configurations generated at test-run time).

Perhaps swaks is the right tool for you:

    http://jetmore.org/john/code/swaks/

Stefan
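An added example, not from the thread and not one of the tools named in it: a scripted regression check of the kind Phil Howard describes, written with Python's smtplib, that speaks real SMTP and asserts that unauthenticated relay is rejected while authenticated relay is accepted. StubSMTP, the domains and the credentials are constructed stand-ins so the script runs offline; point rcpt_code at the server under test instead.

```python
import base64
import smtplib
import socketserver
import ssl
import threading

LOCAL_DOMAINS = {"hosted.example"}   # constructed: domains the stub accepts mail for
USERS = {"tester": "s3cret"}         # constructed test account

class StubSMTP(socketserver.StreamRequestHandler):
    """Offline stand-in for the server under test: relays only after AUTH."""
    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())
    def handle(self):
        authed = False
        self.reply("220 stub.example ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode().strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.reply("250-stub.example\r\n250 AUTH PLAIN")
            elif verb == "AUTH":     # "PLAIN <base64 of \0user\0password>"
                _, user, pw = base64.b64decode(arg.split()[-1]).decode().split("\0")
                authed = USERS.get(user) == pw
                self.reply("235 2.7.0 ok" if authed else "535 5.7.8 authentication failed")
            elif verb == "RCPT":
                domain = arg.rstrip(">").rpartition("@")[2].lower()
                allowed = authed or domain in LOCAL_DOMAINS
                self.reply("250 2.1.5 ok" if allowed else "554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 bye")
                return
            else:                    # MAIL, RSET, NOOP
                self.reply("250 2.0.0 ok")

def start_stub():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTP)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server                    # listening address is server.server_address

def rcpt_code(host, port, rcpt, user=None, password=None, starttls=False):
    """Speak real SMTP to host:port and return the reply code for RCPT TO."""
    with smtplib.SMTP(host, port, local_hostname="tester.example", timeout=5) as s:
        s.ehlo()
        if starttls:                 # for a real server; the stub does not offer TLS
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
        if user is not None:
            s.login(user, password)  # password comes from the caller, no prompt
        s.mail("probe@tester.example")
        code, _ = s.rcpt(rcpt)
        s.rset()                     # abandon the transaction so nothing is queued
        return code

def run_suite(host, port):
    """Return {check name: passed?} for the relay policy the stub implements."""
    outside = "someone@elsewhere.example"
    return {
        "local recipient accepted": rcpt_code(host, port, "user@hosted.example") == 250,
        "unauthenticated relay rejected": 500 <= rcpt_code(host, port, outside) < 600,
        "authenticated relay accepted": rcpt_code(host, port, outside, "tester", "s3cret") == 250,
    }

if __name__ == "__main__":
    stub = start_stub()
    for name, passed in run_suite(*stub.server_address).items():
        print("PASS" if passed else "FAIL", name)
    stub.shutdown()
```

Because the probe stops after RCPT TO and issues RSET, it can run from cron against a production server without delivering a message.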
reject_unverified_sender in postfix would like to override with email address
reject unverified sender is a nice way to block spam. But it also blocks my other servers that really are not e-mail servers. I have tried to get around this with no luck.

I have two backup servers that are not really e-mail servers. There is no route to them but they do send out information via sendmail. I would like to override the address not using the ip but the name it is sent from. (r...@priback.mydomain.com) as the example address goes. But when I put it in the client_access list. It still tries to verify the sender. I know this is the issue since when I remove the reject unverified sender the mail goes through.

Thanks,
Josh

--
This message has been scanned for viruses and dangerous content by Mychoice, and is believed to be clean.
RE: postmaster problem with virtual and mysql
> A while back I changed my aliases to use the mysql database. Well I thought everything was fine until I had a change and realized the postmaster address was not working. Okay no problem I'll just link a postmaster address to the support account of my system. Well that is great if I send a mail to post master. But when postfix has an issue. It sends it to postmas...@primary.domainname.com instead of postmas...@domainname.com. I have two servers and so of course the other one doesn't work either. secondary.domainname.com. as it goes. So all I get is a user not found.

For our servers using mysql mapping, I have a hash map prior to the mysql map, so I can map out critical accounts (such as abuse/postmaster/etc). This way if mysql is offline, the critical emails come through (include the system alerts).

Hope that helps...
Rate Limiting
Hi,

I am using Postfix as an MTA but I see nowadays a lot of spam going out of my system. I have used transport based throttling for a domain but I am looking for options for per sender based rate limiting.

Can I achieve per user based throttling using postfix or do I have to use some 3rd party software? If not, what rate limiting software can I use to achieve this?

Thanks,
Punit