Re: performance tuning - relay
Christian Purnomo put forth on 6/27/2010 5:50 PM:

> From your questions above, I could see where you're coming from that if Server2 has a performance problem then it would make sense to see the queue built up at Server1. I can confirm server2 is very underload at any time, the server is overspec'ed for what it is intended to do. I can also confirm while those thousands of emails queued up at Server1, Server2 was running smooth with 0.1-0.3 load average.

What piqued my curiosity is why the queue on server2 started growing, and rather large at that, _after_ you got the Postfix bottleneck straightened out on server1.

> We have had server2 for about 4 years now and we have been having this issue in the last 1 year where one of our new servers happens to be a mailing list which sends out thousands of emails to subscribers. Anyway, Server2 spec is HP DL385G4, 4G RAM, 6 SCSI disks RAID 5 and reiserfs.

I would have thought this hardware would be able to get the mails into the mailboxen as quickly as server1 could push them over, without the queue building up as you demonstrated in a previous message. Email service is primarily a disk bound application. IIRC, with the DL385G4 you would have the Smart Array 6i which is an integrated entry level controller. Even so, with 128MB of read/write cache and 6x10k(15?)rpm drives on a SCSI 320 bus, even in a slowish RAID5 configuration, you should easily be able to sync to mailboxen as many messages as server1 could push over either fast or gigabit ethernet. This server should be able to sync a few hundred emails to disk per second. Is the 6i just really horrible at RAID5, or is there something in the software stack slowing things down? Were you peaking the disk subsystem when the queue was building?

> The delivery method on Server2 is maildrop - we use some mailfilter rule to drop certain emails to certain folders. I can understand this is adding some overhead for the local delivery on Server2 but this is the cost I'm happy to take on. The queue can build up on Server2 and clear up over time without impacting our primary MX (Server1).

I'm not familiar at all with maildrop as I've never used it. That said, I wouldn't think maildrop alone would cause such a bottleneck. Some versions of Reiser are known for great speed with lots of small files, at least as far as delete performance. However, most versions of Reiser do not do so well with large files. Reiser is normally a good performer with maildir, but doesn't do so well with mbox, especially once the mbox files get large.

Other disk writes? Is maildrop or any other process you're running creating extra log stamps per email processed? I assume you're storing the OS, logs, mail, everything on that RAID5 volume. Is this correct?

As you stated, you're not really concerned with queue growth on server2. I went through all this simply because I think you're leaving some performance, maybe quite a bit, on the table WRT server2. I'm guessing it's in the OS/software stack and not the hardware. You may be able to get this box screaming with simple changes (reduce logging to only what's necessary), and maybe one or two more major changes (maildir to mbox or vice versa, switching from Reiser--defunct now anyway--to XFS). Or a really big change, dumping Maildrop/Courier for Dovecot/LDA which is quite a bit quicker from everything I've read. I say read because I've not used Courier but I have used Dovecot, and still do.

Sorry if I've wasted your time here. I just thought I'd point out a few things just in case you get the urge to poke around on server2 looking for a little performance boost.

--
Stan
Re: performance tuning - relay
Hi Stan Subject: Re: performance tuning - relay Date: Mon, Jun 28, 2010 at 01:23:15AM -0500 Quoting Stan Hoeppner (s...@hardwarefreak.com): : What piqued my curiosity is why the queue on server2 starting growing, and : rather large at that, _after_ you got the Postfix bottleneck straightened out : on server1. I was expecting this and don't have a problem with this limitation. The maildrop rule is rather long and I knew I would get penalized. However delays on local delivery on Server2 has no impact to production so it's ok. : I would have thought this hardware would be able to get the mails into the : mailboxen as quickly as server1 could push them over, without the queue : building up as you demonstrated in a previous message. Email service is : primarily a disk bound application. IIRC, with the DL385G4 you would have the : Smart Array 6i which is an integrated entry level controller. Even so, with : 128MB of read/write cache and 6x10k(15?)rpm drives on a SCSI 320 bus, even in : a slowish RAID5 configuration, you should easily be able to sync to mailboxen : as many messages as server1 could push over either fast or gigabit ethernet. : This server should be able to sync a few hundred emails to disk per second. : Is the 6i just really horrible at RAID5, or is there something in the software : stack slowing things down? Were you peaking the disk subsystem when the queue : was building? : : I'm not familiar at all with maildrop as I've never used it. That said, I : wouldn't think maildrop alone would cause such a bottleneck. Some versions of : Reiser are known for great speed will lots of small files, at least as far as : delete performance. However, most versions of Reiser do not do so well with : large files. Reiser is normally a good performer with maildir, but doesn't do : so well with mbox, especially once the mbox files get large. Maildrop is just procmail for Maildir. 
I had to use Maildir format as there are hundreds of thousands of email to the always_bcc email on Server2. : Other disk writes? Is maildrop or any other process you're running creating : extra log stamps per email processed? I assume you're storing the OS, logs, : mail, everything on that RAID5 volume. Is this correct? : : As you stated, you're not really concerned with queue growth on server2. I : went through all this simply because I think you're leaving some performance, : maybe quite a bit, on the table WRT server2. I'm guessing it's in the : OS/software stack and not the hardware. You may be able to get this box : screaming with simple changes (reduce logging to only what's necessary), and : maybe one or two more major changes (maildir to mbox or vice versa, switching : from Reiser--defunct now anyway--to XFS). Or a really big change, dumping : Maildrop/Courier for Dovecot/LDA which is quite a bit quicker from everything : I've read. I say read because I've not used Courier but I have used Dovecot, : and still do. Server2 wasn't my concern, Server1 was :) The issue as far as I could see Server1 was unable to feed enough email to Server2, I knew there was a limit somewhere on Server1 that prevented this. : Sorry if I've wasted your time here. I just thought I'd point out a few : things just in case you get the urge to poke around on server2 looking for a : little performance boost. There is no such thing as wasting time here, I am grateful for anyone to reply to my question. Thanks *_^
Re: dyndns adsl port forward
Basanta shrestha put forth on 6/27/2010 11:26 PM: Dear Stan, I doubt it is absolutely necessary to pay for that service. Please refer Yes, it is necessary. You can't host a mail server without paying someone some amount of money. If you actually _read_ my previous email and followed the links, you will see the page on dyndns.org that sells the mail forwarding service for $49.95/year. You can't get your email routed to your mail server _through_ dyndns.org without paying for one of their mail forwarding services, the cheapest one being $49.95/year. Using TZO and your own domain is an alternative. It costs a little more per year but you don't have to have TZO or anyone else forward your mail to you. Because you have your own domain, TZO let's you create an MX record, which dyndns.org does not allow. There are other options available, other providers of these services. Some services are free, some are not. Email is one that is not. Not for dyndns.org, not for any free dynamic dns provider. http://www.linuxforums.org/forum/servers/6797-email-server-setup.html None of the suggestions in that forum thread are true. The guy who said he had it working simply by not checking the box on their site is full of crap. Lying, pure and simple. Why? Go ask him. If you're on the postfix list you should already know by now the basics of mail routing for domains. If dyndns.org users want to get mail to their subdomain routed through dyndns primary domains, they _must_ pay for it. Why? Because it has to be manually programmed into dyndns.org's MTAs. If it's not, your mail doesn't get to your MTA. This is very very simple. -- Stan
Re: dyndns adsl port forward
On 06/28/2010 12:14 PM, Stan Hoeppner wrote: Basanta shrestha put forth on 6/27/2010 11:26 PM: Dear Stan, I doubt it is absolutely necessary to pay for that service. Please refer Yes, it is necessary. You can't host a mail server without paying someone some amount of money. If you actually _read_ my previous email and followed the links, you will see the page on dyndns.org that sells the mail forwarding service for $49.95/year. You can't get your email routed to your mail server _through_ dyndns.org without paying for one of their mail forwarding services, the cheapest one being $49.95/year. Using TZO and your own domain is an alternative. It costs a little more per year but you don't have to have TZO or anyone else forward your mail to you. Because you have your own domain, TZO let's you create an MX record, which dyndns.org does not allow. There are other options available, other providers of these services. Some services are free, some are not. Email is one that is not. Not for dyndns.org, not for any free dynamic dns provider. http://www.linuxforums.org/forum/servers/6797-email-server-setup.html None of the suggestions in that forum thread are true. The guy who said he had it working simply by not checking the box on their site is full of crap. Lying, pure and simple. Why? Go ask him. If you're on the postfix list you should already know by now the basics of mail routing for domains. If dyndns.org users want to get mail to their subdomain routed through dyndns primary domains, they _must_ pay for it. Why? Because it has to be manually programmed into dyndns.org's MTAs. If it's not, your mail doesn't get to your MTA. This is very very simple. you can use the dyndns.org free account for email by using the dyndns FQDN allocated for the server in your domain's MX entry. May not be the perfect way but it works. Mihira.
Re: performance tuning - relay
- Original Message From: Stan Hoeppner s...@hardwarefreak.com To: postfix-users@postfix.org Sent: Mon, June 28, 2010 2:23:15 AM Subject: Re: performance tuning - relay Christian Purnomo put forth on 6/27/2010 5:50 PM: From your questions above, I could see where you're coming from that if Server2 has performance problem then it would make sense to see the queue built up at Server1. I can confirm server2 is very underload at any time, the server is overspec'ed for what it is intended to do. I can also confirm while those thousands of emails queued up at Server1, Server2 was running smooth with 0.1-0.3 load average. What piqued my curiosity is why the queue on server2 starting growing, and rather large at that, _after_ you got the Postfix bottleneck straightened out on server1. We have had server2 for about 4 years now and we have been having this issues in the last 1 year where one of our new server happens to be a mailling list which sends out thousands of emails to subscribers. Anyway, Server2 spec is HP DL385G4, 4G RAM, 6 SCSI disks RAID 5 and reiserfs. I would have thought this hardware would be able to get the mails into the mailboxen as quickly as server1 could push them over, without the queue building up as you demonstrated in a previous message. Email service is primarily a disk bound application. IIRC, with the DL385G4 you would have the Smart Array 6i which is an integrated entry level controller. Even so, with 128MB of read/write cache and 6x10k(15?)rpm drives on a SCSI 320 bus, even in a slowish RAID5 configuration, you should easily be able to sync to mailboxen as many messages as server1 could push over either fast or gigabit ethernet. This server should be able to sync a few hundred emails to disk per second. Is the 6i just really horrible at RAID5, or is there something in the software stack slowing things down? Were you peaking the disk subsystem when the queue was building? 
The delivery method on Server2 is maildrop - we use some mailfilter rule to drop certain emails to certain folders. I can understand this is adding some overhead for the local delivery on Server2 but this is the cost I'm happy to take on. The queue can build up on Server2 and clear up overtime without impacting our primary MX (Server1). I'm not familiar at all with maildrop as I've never used it. That said, I wouldn't think maildrop alone would cause such a bottleneck. Some versions of Reiser are known for great speed will lots of small files, at least as far as delete performance. However, most versions of Reiser do not do so well with large files. Reiser is normally a good performer with maildir, but doesn't do so well with mbox, especially once the mbox files get large. Other disk writes? Is maildrop or any other process you're running creating extra log stamps per email processed? I assume you're storing the OS, logs, mail, everything on that RAID5 volume. Is this correct? As you stated, you're not really concerned with queue growth on server2. I went through all this simply because I think you're leaving some performance, maybe quite a bit, on the table WRT server2. I'm guessing it's in the OS/software stack and not the hardware. You may be able to get this box screaming with simple changes (reduce logging to only what's necessary), and maybe one or two more major changes (maildir to mbox or vice versa, switching from Reiser--defunct now anyway--to XFS). Or a really big change, dumping Maildrop/Courier for Dovecot/LDA which is quite a bit quicker from everything I've read. I say read because I've not used Courier but I have used Dovecot, and still do. Sorry if I've wasted your time here. I just thought I'd point out a few things just in case you get the urge to poke around on server2 looking for a little performance boost. -- Stan - Stan, Actually you do not need to pay for their mail forwarding services. 
I have a server set up to accept email just fine and dandy for a dyndns.org support host, and I do not pay anything for it. I get mail to my system woa.homeip.net just fine without paying. The paid for services you speak of are for people who want to customize their own dyndns settings. You can send me an email to crypto...@woa.homeip.net and I will receive it, and I can send out. I would suggest you get a dyndns.org account, and do some research on it. I have been using dyndns.org since about 2001 when I first my DSL Connection. Daniel Reinhardt Website: www.cryptodan.com Email: crypto...@yahoo.com
Re: dyndns adsl port forward
- Original Message From: Stan Hoeppner s...@hardwarefreak.com To: postfix-users@postfix.org Sent: Mon, June 28, 2010 2:44:54 AM Subject: Re: dyndns adsl port forward Basanta shrestha put forth on 6/27/2010 11:26 PM: Dear Stan, I doubt it is absolutely necessary to pay for that service. Please refer Yes, it is necessary. You can't host a mail server without paying someone some amount of money. If you actually _read_ my previous email and followed the links, you will see the page on dyndns.org that sells the mail forwarding service for $49.95/year. You can't get your email routed to your mail server _through_ dyndns.org without paying for one of their mail forwarding services, the cheapest one being $49.95/year. Using TZO and your own domain is an alternative. It costs a little more per year but you don't have to have TZO or anyone else forward your mail to you. Because you have your own domain, TZO lets you create an MX record, which dyndns.org does not allow. There are other options available, other providers of these services. Some services are free, some are not. Email is one that is not. Not for dyndns.org, not for any free dynamic dns provider. http://www.linuxforums.org/forum/servers/6797-email-server-setup.html None of the suggestions in that forum thread are true. The guy who said he had it working simply by not checking the box on their site is full of crap. Lying, pure and simple. Why? Go ask him. If you're on the postfix list you should already know by now the basics of mail routing for domains. If dyndns.org users want to get mail to their subdomain routed through dyndns primary domains, they _must_ pay for it. Why? Because it has to be manually programmed into dyndns.org's MTAs. If it's not, your mail doesn't get to your MTA. This is very very simple. -- Stan Stan, Actually you do not need to pay for their mail forwarding services.
I have a server set up to accept email just fine and dandy for a dyndns.org support host, and I do not pay anything for it. I get mail to my system woa.homeip.net just fine without paying. The paid for services you speak of are for people who want to customize their own dyndns settings. You can send me an email to crypto...@woa.homeip.net and I will receive it, and I can send out. I would suggest you get a dyndns.org account, and do some research on it. I have been using dyndns.org since about 2001 when I first my DSL Connection. Daniel Reinhardt Website: www.cryptodan.com Email: crypto...@yahoo.com
Re: performance tuning - relay
- Original Message From: Daniel V. Reinhardt crypto...@yahoo.com To: postfix-users@postfix.org Sent: Mon, June 28, 2010 3:32:04 AM Subject: Re: performance tuning - relay - Original Message From: Stan Hoeppner s...@hardwarefreak.com To: postfix-users@postfix.org Sent: Mon, June 28, 2010 2:23:15 AM Subject: Re: performance tuning - relay Christian Purnomo put forth on 6/27/2010 5:50 PM: From your questions above, I could see where you're coming from that if Server2 has a performance problem then it would make sense to see the queue built up at Server1. I can confirm server2 is very underload at any time, the server is overspec'ed for what it is intended to do. I can also confirm while those thousands of emails queued up at Server1, Server2 was running smooth with 0.1-0.3 load average. What piqued my curiosity is why the queue on server2 started growing, and rather large at that, _after_ you got the Postfix bottleneck straightened out on server1. We have had server2 for about 4 years now and we have been having this issue in the last 1 year where one of our new servers happens to be a mailing list which sends out thousands of emails to subscribers. Anyway, Server2 spec is HP DL385G4, 4G RAM, 6 SCSI disks RAID 5 and reiserfs. I would have thought this hardware would be able to get the mails into the mailboxen as quickly as server1 could push them over, without the queue building up as you demonstrated in a previous message. Email service is primarily a disk bound application. IIRC, with the DL385G4 you would have the Smart Array 6i which is an integrated entry level controller. Even so, with 128MB of read/write cache and 6x10k(15?)rpm drives on a SCSI 320 bus, even in a slowish RAID5 configuration, you should easily be able to sync to mailboxen as many messages as server1 could push over either fast or gigabit ethernet.
This server should be able to sync a few hundred emails to disk per second. Is the 6i just really horrible at RAID5, or is there something in the software stack slowing things down? Were you peaking the disk subsystem when the queue was building? The delivery method on Server2 is maildrop - we use some mailfilter rule to drop certain emails to certain folders. I can understand this is adding some overhead for the local delivery on Server2 but this is the cost I'm happy to take on. The queue can build up on Server2 and clear up overtime without impacting our primary MX (Server1). I'm not familiar at all with maildrop as I've never used it. That said, I wouldn't think maildrop alone would cause such a bottleneck. Some versions of Reiser are known for great speed will lots of small files, at least as far as delete performance. However, most versions of Reiser do not do so well with large files. Reiser is normally a good performer with maildir, but doesn't do so well with mbox, especially once the mbox files get large. Other disk writes? Is maildrop or any other process you're running creating extra log stamps per email processed? I assume you're storing the OS, logs, mail, everything on that RAID5 volume. Is this correct? As you stated, you're not really concerned with queue growth on server2. I went through all this simply because I think you're leaving some performance, maybe quite a bit, on the table WRT server2. I'm guessing it's in the OS/software stack and not the hardware. You may be able to get this box screaming with simple changes (reduce logging to only what's necessary), and maybe one or two more major changes (maildir to mbox or vice versa, switching from Reiser--defunct now anyway--to XFS). Or a really big change, dumping Maildrop/Courier for Dovecot/LDA which is quite a bit quicker from everything I've read. I say read because I've not used Courier but I have used Dovecot, and still do. Sorry if I've wasted your time here. 
I just thought I'd point out a few things just in case you get the urge to poke around on server2 looking for a little performance boost. -- Stan - Stan, Actually you do not need to pay for their mail forwarding services. I have a server set up to accept email just fine and dandy for a dyndns.org support host, and I do not pay anything for it. I get mail to my system woa.homeip.net just fine without paying. The paid for services you speak of are for people who want to customize their own dyndns settings. You can send me an email to crypto...@woa.homeip.net and I will receive it, and I can send out. I would suggest
Re: dyndns adsl port forward
Mihira Fernando put forth on 6/28/2010 2:20 AM: you can use the dyndns.org free account for email by using the dyndns FQDN allocated for the server in your domain's MX entry. May not be the perfect way but it works. What domain MX entry? Why would someone pay for DNS hosting for a single domain, and a domain registration, when the combined cost of both may likely be about the same as just paying for the DynDNS mail forwarding service? On top of that, by using your suggestion, one would have to use a CNAME for the MX, no? Ask Wietse about using CNAME for MX. -- Stan
Re: dyndns adsl port forward
On 06/28/2010 01:16 PM, Stan Hoeppner wrote: Mihira Fernando put forth on 6/28/2010 2:20 AM: you can use the dyndns.org free account for email by using the dyndns FQDN allocated for the server in your domain's MX entry. May not be the perfect way but it works. What domain MX entry? Why would someone pay for DNS hosting for a single domain, and a domain registration, when the combined cost of both may likely be about the same as just paying for the DynDNS mail forwarding service? On top of that, by using your suggestion, one would have to use a CNAME for the MX, no? Ask Wietse about using CNAME for MX. Hey, I told you it's not perfect. Also it's not CNAME that you use. It's the A record. DynDNS client takes care of updating the IP for it. Besides, most domain registrars provide DNS hosting for the same price so there's only the cost of registration. Mihira.
Re: dyndns adsl port forward
Now that I know it works can you tell me where I went wrong? I do not need to do anything in Mail Routing Section, right? -Basanta On Mon, Jun 28, 2010 at 2:13 PM, Mihira Fernando mihirathe...@gmail.com wrote: On 06/28/2010 01:16 PM, Stan Hoeppner wrote: Mihira Fernando put forth on 6/28/2010 2:20 AM: you can use the dyndns.org free account for email by using the dyndns FQDN allocated for the server in your domain's MX entry. May not be the perfect way but it works. What domain MX entry? Why would someone pay for DNS hosting for a single domain, and a domain registration, when the combined cost of both may likely be about the same as just paying for the DynDNS mail forwarding service? On top of that, by using your suggestion, one would have to use a CNAME for the MX, no? Ask Wietse about using CNAME for MX. Hey, I told you it's not perfect. Also it's not CNAME that you use. It's the A record. DynDNS client takes care of updating the IP for it. Besides, most domain registrars provide DNS hosting for the same price so there's only the cost of registration. Mihira.
Re: dyndns adsl port forward
On 6/28/2010 1:44 AM, Stan Hoeppner wrote:

> Basanta shrestha put forth on 6/27/2010 11:26 PM:
>
>> Dear Stan, I doubt it is absolutely necessary to pay for that service. Please refer
>
> Yes, it is necessary. You can't host a mail server without paying someone some amount of money. If you actually _read_ my previous email and followed the links, you will see the page on dyndns.org that sells the mail forwarding service for $49.95/year. You can't get your email routed to your mail server _through_ dyndns.org without paying for one of their mail forwarding services, the cheapest one being $49.95/year.

Wrong. All you need is a free foo.dyndns.org hostname. And a server with internet of course. If you want to use your own vanity/business domain rather than a foo.dyndns.org or similar free domain, you'll need either a static IP or paid custom dynamic IP service.

> Using TZO and your own domain is an alternative. It costs a little more per year but you don't have to have TZO or anyone else forward your mail to you. Because you have your own domain, TZO lets you create an MX record, which dyndns.org does not allow. There are other options available, other providers of these services. Some services are free, some are not. Email is one that is not. Not for dyndns.org, not for any free dynamic dns provider.
>
>> http://www.linuxforums.org/forum/servers/6797-email-server-setup.html
>
> None of the suggestions in that forum thread are true. The guy who said he had it working simply by not checking the box on their site is full of crap. Lying, pure and simple. Why? Go ask him.

Stan, you're wrong here. All you need is an A record pointing to your server. You get that for free with dyndns and other free dynamic IP services. Dyndns also allows you to set a custom MX record pointing somewhere else for free if you want. Remember, RFCs specify that in the absence of an MX record, the A record is to be treated as a 0 priority MX record. An MX record is not required to either send or receive mail. The thread conversation is a little convoluted, but essentially correct.

> If you're on the postfix list you should already know by now the basics of mail routing for domains. If dyndns.org users want to get mail to their subdomain routed through dyndns primary domains, they _must_ pay for it. Why? Because it has to be manually programmed into dyndns.org's MTAs. If it's not, your mail doesn't get to your MTA. This is very very simple.

Don't confuse mail routing (mail directed from the internet to your server via DNS records) with mail hosting (mail accepted somewhere and forwarded/proxied to your server). Dyndns provides mail routing for free; their mail hosting service is a paid service. An important note here is that hosting mail on a dynamic IP is full of potential problems; you'll need to relay your outbound mail through somewhere such as a google account or your ISP, and there is the possibility of your incoming mail being misrouted temporarily in the time between when your IP changes and the update propagates through the worldwide DNS system.

--
Noel Jones
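The lookup order described in the message above (MX records first, and an A record treated as a preference-0 MX only when no MX exists), together with the CNAME-as-MX-target question raised earlier in the thread, as an added Python example that is not code from any poster. The zone table, the `mail_routes` helper and every name except foo.dyndns.org are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed DNS data (documentation addresses); stands in for live lookups.
ZONE = {
    # Free dynamic hostname: the update client maintains only an A record.
    "foo.dyndns.org": {"A": ["203.0.113.10"]},
    # Own domain whose MX names the dynamic hostname; its own A record is a web host.
    "example.com": {
        "MX": [(20, "backup.example.net"), (10, "foo.dyndns.org")],
        "A": ["198.51.100.80"],
    },
    "backup.example.net": {"A": ["198.51.100.7"]},
    # Domain whose MX target is an alias instead of a host with its own A record.
    "alias.example.org": {"MX": [(10, "mail.example.org")]},
    "mail.example.org": {"CNAME": "foo.dyndns.org"},
    # Name with neither MX nor A: nowhere to deliver.
    "nomail.example": {},
}


@dataclass
class Route:
    preference: int
    host: str
    addresses: list
    implicit: bool = False          # True when synthesized from the A record
    warnings: list = field(default_factory=list)


def mail_routes(domain, zone=ZONE):
    """Return delivery targets for `domain`, lowest preference first."""
    name = domain.lower().rstrip(".")
    records = zone.get(name, {})
    mx_records = records.get("MX", [])

    if not mx_records:
        # No MX at all: the domain's own address acts as an implicit MX, preference 0.
        addresses = records.get("A", [])
        return [Route(0, name, list(addresses), implicit=True)] if addresses else []

    # MX records exist, so the domain's own A record is never used for mail.
    routes = []
    for preference, host in sorted(mx_records):
        target = zone.get(host, {})
        route = Route(preference, host, list(target.get("A", [])))
        if "CNAME" in target:
            # RFC 2181 section 10.3: an MX target must not be an alias.
            # This example flags the record rather than following it.
            route.warnings.append("MX target is a CNAME")
        routes.append(route)
    return routes


if __name__ == "__main__":
    for d in ("foo.dyndns.org", "example.com", "alias.example.org", "nomail.example"):
        print(d, mail_routes(d))
```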
Re: Priority Management in postfix
On 6/28/2010 12:22 AM, Avinash Pawar // Viva wrote: Hi, I want to give priority to each outbound email and as per priority email will be sent. For example, if there are three email with priority *high*, *medium* and *low* respectively. In this case, the high priority email should be sent first, then medium priority email should be sent then low priority email should be sent. Please suggest me whether this is possible or not in postfix. If possible then please let me know how we can implement this? Postfix does not provide per-message priority.
Re: Priority Management in postfix
Avinash Pawar // Viva: Hi, I want to give priority to each outbound email and as per priority email will be sent. There is no priority support in Postfix. Postfix uses a shared queue by design. Instead of making Postfix more complex, you could use different Postfix instances. Using a university as an example, that would be one Postfix instance for the professors and one for the students. Wietse
Re: Replace Private IP by Server Hostname in mail header
Thank you Jeroen, My need is to prevent people seeing my internal IPs, if I can make my server write on the header 127.0.0.1 instead of the 192.168.0.2 it will be great. I see on the header of your mail for example, all Received: tags indicate 127.0.0.1, I want my server to do the same thing if possible. Thank you -- |-Rachid Abdelkhalak |-Network Security Engineer, MTDS |-in morocco 080200MTDS |-direct +212(0)537278820 |-mobile +212(0)661173437 |-14, rue 16 novembre |-Rabat 10080 Kingdom of Morocco On Sun, 27 Jun 2010, Jeroen Geilman wrote: On 06/27/2010 01:20 PM, Rachid Abdelkhalak wrote: Hello List, I have a mail relay and an internal mail server both under Postfix and behind a firewall (DMZ and LAN), on both segments I'm using a private IP address with NAT. On all outgoing emails headers sent by our users, I can see my servers ip addresses (private). Is there any config that I can do to make postfix write hostname instead of the ip address on the header or replace the private ip address by the public ip address? Thank you Best regards. The format and content of Received: headers is described in detail in the relevant RFCs. Make sure you know why you want to mess with them before blundering forward. J.
Re: Replace Private IP by Server Hostname in mail header
Rachid, Why is it a problem that people see your internal IPs? Thanks On 28/06/10 18:03, Rachid Abdelkhalak wrote: Thank you Jeroen, My need is to prevent people seeing my internal IPs, if I can make my server write on the header 127.0.0.1 instead of the 192.168.0.2 it will be great. I see on the header of your mail for example, all Received: tags indicate 127.0.0.1, I want my server to do the same thing if possible. Thank you -- |-Rachid Abdelkhalak |-Network Security Engineer, MTDS |-in morocco 080200MTDS |-direct +212(0)537278820 |-mobile +212(0)661173437 |-14, rue 16 novembre |-Rabat 10080 Kingdom of Morocco On Sun, 27 Jun 2010, Jeroen Geilman wrote: On 06/27/2010 01:20 PM, Rachid Abdelkhalak wrote: Hello List, I have a mail relay and an internal mail server both under Postfix and behind a firewall (DMZ and LAN), on both segments I'm using a private IP address with NAT. On all outgoing emails headers sent by our users, I can see my servers ip addresses (private). Is there any config that I can do to make postfix write hostname instead of the ip address on the header or replace the private ip address by the public ip address? Thank you Best regards. The format and content of Received: headers is described in detail in the relevant RFCs. Make sure you know why you want to mess with them before blundering forward. J.
Re: Replace Private IP by Server Hostname in mail header
This is not a problem for me, the end customer's IT boss asked me to see if it is possible to do it, he doesn't like to publish their private IPs for 'Security reasons'. If it is not possible, I have to give him convincing arguments. Thank you -- |-Rachid Abdelkhalak |-Network Security Engineer, MTDS |-in morocco 080200MTDS |-direct +212(0)537278820 |-mobile +212(0)661173437 |-14, rue 16 novembre |-Rabat 10080 Kingdom of Morocco On Mon, 28 Jun 2010, Jonathan Tripathy wrote: Rachid, Why is it a problem that people see your internal IPs? Thanks On 28/06/10 18:03, Rachid Abdelkhalak wrote: Thank you Jeroen, My need is to prevent people seeing my internal IPs, if I can make my server write on the header 127.0.0.1 instead of the 192.168.0.2 it will be great. I see on the header of your mail for example, all Received: tags indicate 127.0.0.1, I want my server to do the same thing if possible. Thank you -- |-Rachid Abdelkhalak |-Network Security Engineer, MTDS |-in morocco 080200MTDS |-direct +212(0)537278820 |-mobile +212(0)661173437 |-14, rue 16 novembre |-Rabat 10080 Kingdom of Morocco On Sun, 27 Jun 2010, Jeroen Geilman wrote: On 06/27/2010 01:20 PM, Rachid Abdelkhalak wrote: Hello List, I have a mail relay and an internal mail server both under Postfix and behind a firewall (DMZ and LAN), on both segments I'm using a private IP address with NAT. On all outgoing emails headers sent by our users, I can see my servers ip addresses (private). Is there any config that I can do to make postfix write hostname instead of the ip address on the header or replace the private ip address by the public ip address? Thank you Best regards. The format and content of Received: headers is described in detail in the relevant RFCs. Make sure you know why you want to mess with them before blundering forward. J.
Re: Replace Private IP by Server Hostname in mail header
I guess I don't see how an internal private IP is a security risk. -Matt
Re: Replace Private IP by Server Hostname in mail header
Me too Matt, but I have to give him a solution or an answer as I'm the person who maintains their mail platform.

Thank you

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco
Re: Replace Private IP by Server Hostname in mail header
Hi Rachid,

Ahh the good old end user's boss problem!

Well I guess the arguments could be that since it's an internal IP address, there is *no way* it can be accessed from outside. Even if the boss's firewall left all ports open to the mail server, they couldn't access it via the internal IP address, as ISP infrastructure doesn't route private IP addresses.

Another point you could mention to him is that when anybody in the world sends an email via Thunderbird, Outlook etc., their private IP is exposed. This has never done anyone any harm. In fact Rachid, I already know your internal IP address of the machine you're using at the minute. It ends in 144!

If this is still an issue, put the box either on a public subnet, or put it in a private subnet which is different from the rest of the office PCs/servers.

Just my 2 pence

Thanks

Jonathan
Re: Replace Private IP by Server Hostname in mail header
Thank you Jonathan.

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco
Re: Replace Private IP by Server Hostname in mail header
No problem at all. If you need more help, let me know, as this is the kind of stuff that I deal with here (convincing bosses..).

Btw, unless you get your users to use webmail, their local internal IP address of their client machines will always be in the email headers - even if the server is in a different subnet. You can try and make him relax by letting him know that this is how GMail and Hotmail work (if you use their POP/SMTP features)

Thanks

Jonathan
RE: dealing with Yahoo slowness
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Florin Andrei
Sent: Tuesday, 15 June 2010 6:00 a.m.
To: postfix-users@postfix.org
Subject: Re: dealing with Yahoo slowness

On 06/10/2010 05:09 PM, Mike Hutchinson wrote:
> yahoo_destination_concurrency_limit = 4
> yahoo_destination_rate_delay = 1s

Well, we do that already (concurrency = 2, rate_delay = 2s). It's still slow. Do you use multiple outbound email gateways? Maybe I should try to increase our existing parameters, it looks like we're using half your values.

[Michael Hutchinson] made a late reply:

Sounds like you've run into the version problem I had some time ago, where the rate controls were present, but were a bit buggy. See Wietse's post if you haven't already. Once we'd performed the upgrade, and applied the rate limiting configuration everything went smoothly - perhaps try the same values from the original post and work from there.

Cheers,
Michael.
Re: Replace Private IP by Server Hostname in mail header
Rachid Abdelkhalak wrote:
> Hello List,
>
> I have a mail relay and an internal mail server, both under Postfix and behind a firewall (DMZ and LAN); on both segments I'm using a private IP address with NAT. On all outgoing email headers sent by our users, I can see my servers' IP addresses (private).

so what? everybody knows you're using a private subnet. so at a minimum, we know it's one of three groups (private A, B, C). and most probably, your browser probably shows it.

and anyway, who cares? viruses, trojans, .. don't care what IP class you use. they can find it since they run on _your_ hosts.

I can tell you that I use the 192.168.1.0/24 subnet. can we get past that now?

most attacks nowadays are web based (XSS, ...) or host based (viruses, ...).

note that your message shows that you use IMSS (and Alpine). such info is more precious than your IP... (and please use your browser to visit one of the privacy related sites and you'll see what info your browser shows).

> Is there any config that I can do to make Postfix write the hostname instead of the IP address on the header, or replace the private IP address by the public IP address?

if you are talking about your own mail (not customer mail), then differentiate between outbound (submitted) mail and inbound mail. for example, use port 587 for outbound mail (ideally enforce SASL/TLS here). Then for such mail, simply remove all received headers:

    /^Received:/ IGNORE

of course, don't do that with other mail.
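To check what a header rule like the one in the reply above changes, this added example (not part of the original thread) lists the Received: hops that name RFC 1918 addresses and models the `IGNORE` rule on a message as queued on the last internal hop. The hostnames, queue IDs, the 203.0.113.25 address and the function names are constructed for illustration; `apply_ignore` is a simplified model, not Postfix code.

```python
import ipaddress
import re

# RFC 1918 ranges: the three private groups the reply above refers to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a message as queued on the last internal hop.
QUEUED = (
    "Received: from mail.lan.example.org (unknown [192.168.0.2])\n"
    "\tby relay.example.org (Postfix) with ESMTP id 1F2E3D4C5B;\n"
    "\tMon, 28 Jun 2010 18:20:01 +0000 (UTC)\n"
    "Received: from alice-pc (unknown [192.168.0.144])\n"
    "\tby mail.lan.example.org (Postfix) with ESMTPSA id 9A8B7C6D5E;\n"
    "\tMon, 28 Jun 2010 18:20:00 +0000 (UTC)\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# Constructed: the header the recipient's MX prepends on delivery.
RECIPIENT_HOP = (
    "Received: from relay.example.org (relay.example.org [203.0.113.25])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4A1B2C3D4E;\n"
    "\tMon, 28 Jun 2010 18:20:03 +0000 (UTC)\n"
)

def split_headers(raw):
    """Return (logical header lines, body); folded lines stay attached."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers, body

def private_hops(raw):
    """List (hop number, address) for Received: headers naming RFC 1918 hosts."""
    headers, _ = split_headers(raw)
    received = [h for h in headers if h.lower().startswith("received:")]
    found = []
    for hop, header in enumerate(received, 1):
        # Only bracketed address literals are inspected, e.g. (unknown [192.168.0.2]).
        for text in BRACKETED_IPV4.findall(header):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # not a valid address, e.g. [999.1.1.1]
                continue
            if any(addr in net for net in RFC1918):
                found.append((hop, text))
    return found

def apply_ignore(raw, pattern=r"^Received:"):
    """Simplified model of a header_checks IGNORE rule: drop matching headers."""
    rx = re.compile(pattern, re.IGNORECASE)  # Postfix regexp tables ignore case by default
    headers, body = split_headers(raw)
    kept = [h for h in headers if not rx.search(h)]
    return "\n".join(kept) + "\n\n" + body

if __name__ == "__main__":
    print("before:", private_hops(RECIPIENT_HOP + QUEUED))
    print("after: ", private_hops(RECIPIENT_HOP + apply_ignore(QUEUED)))
```

The header written by the recipient's MX is added after the rule has run, so it survives and only shows the relay's public address.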
Re: dyndns adsl port forward
Noel Jones put forth on 6/28/2010 6:56 AM:
> Don't confuse mail routing (mail directed from the internet to your server via DNS records) with mail hosting (mail accepted somewhere and forwarded/proxied to your server). Dyndns provides mail routing for free; their mail hosting service is a paid service.

I haven't confused the two at all Noel. It appears they've changed their free service since I looked into it 5 years ago. IIRC back then they didn't offer free mail routing to a subdomain, it was an extra charge.

--
Stan
Re: dyndns adsl port forward
Mihira Fernando put forth on 6/28/2010 3:28 AM:
> Also it's not CNAME that you use. It's the A record.

My mistake. You can actually point the MX for another domain at the dyndns fqdn. I got my thought process screwed up due to all the goofiness of how DynDNS does some things, and the specific scenario being discussed.

> DynDNS client takes care of updating the IP for it.

Heh, yeah, I know exactly what dynamic dns is. I used it for quite some time myself.

> Besides, most domain registrars provide DNS hosting for the same price so there's only the cost of registration.

Thanks for the tip. I've not registered a domain in quite a long time. Back then (most?) registrars didn't offer free DNS hosting with registration.

--
Stan