[Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com
Hi,

I just watched an IP address fail to be correctly resolved back to the A record. I could resolve the IP with the same DNS on the same server myself.

This connection from a server is recorded by postfix as unknown for 212.89.81.105, yet an nslookup on this IP resolves back to the correct address:-

Non-authoritative answer:
105.81.89.212.in-addr.arpa name = smtp.academicjobseu.com.

Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105: address not listed for hostname smtp.academicjobseu.com
Feb 15 13:06:26 logout postfix/smtpd[111]: connect from unknown[212.89.81.105]
Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81: client=unknown[212.89.81.105]
Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81: from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from unknown[212.89.81.105]

Is there something that I missed in the postfix configuration?

Best wishes, S
Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com
On 15/02/11 13:18, J4K wrote:

Hi, I just watched an IP address fail to be correctly resolved back to the A record. I could resolve the IP with the same DNS on the same server myself. This connection from a server is recorded by postfix as unknown for 212.89.81.105, yet an nslookup on this IP resolves back to the correct address:-

Non-authoritative answer:
105.81.89.212.in-addr.arpa name = smtp.academicjobseu.com.

But the other way round, there is a mismatch:

$ dig +short smtp.academicjobseu.com
212.89.81.106

The owner of the MX will need to fix this to prevent the error.

Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105: address not listed for hostname smtp.academicjobseu.com
Feb 15 13:06:26 logout postfix/smtpd[111]: connect from unknown[212.89.81.105]
Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81: client=unknown[212.89.81.105]
Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81: from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from unknown[212.89.81.105]

Is there something that I missed in the postfix configuration?

Best wishes, S
Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com
* J4K ju...@klunky.co.uk:

Hi, I just watched an IP address fail to be correctly resolved back to the A record. I could resolve the IP with the same DNS on the same server myself. This connection from a server is recorded by postfix as unknown for 212.89.81.105, yet an nslookup on this IP resolves back to the correct address:-

Non-authoritative answer:
105.81.89.212.in-addr.arpa name = smtp.academicjobseu.com.

Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105: address not listed for hostname smtp.academicjobseu.com
Feb 15 13:06:26 logout postfix/smtpd[111]: connect from unknown[212.89.81.105]
Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81: client=unknown[212.89.81.105]
Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81: from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from unknown[212.89.81.105]

Is there something that I missed in the postfix configuration?

$ host 212.89.81.105
105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
$ host smtp.academicjobseu.com.
smtp.academicjobseu.com has address 212.89.81.106

212.89.81.105 != 212.89.81.106

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com
On 02/15/2011 01:31 PM, Ralf Hildebrandt wrote:

* J4K ju...@klunky.co.uk:

Hi, I just watched an IP address fail to be correctly resolved back to the A record. I could resolve the IP with the same DNS on the same server myself. This connection from a server is recorded by postfix as unknown for 212.89.81.105, yet an nslookup on this IP resolves back to the correct address:-

Non-authoritative answer:
105.81.89.212.in-addr.arpa name = smtp.academicjobseu.com.

Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105: address not listed for hostname smtp.academicjobseu.com
Feb 15 13:06:26 logout postfix/smtpd[111]: connect from unknown[212.89.81.105]
Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81: client=unknown[212.89.81.105]
Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81: from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from unknown[212.89.81.105]

Is there something that I missed in the postfix configuration?

$ host 212.89.81.105
105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
$ host smtp.academicjobseu.com.
smtp.academicjobseu.com has address 212.89.81.106

212.89.81.105 != 212.89.81.106

# host 212.89.81.105
105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
# host 212.89.81.106
106.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.

Cheers.
Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com
* J4K ju...@klunky.co.uk: $ host 212.89.81.105 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com. $ host smtp.academicjobseu.com. smtp.academicjobseu.com has address 212.89.81.106 212.89.81.105 != 212.89.81.106 # host 212.89.81.105 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com. # host 212.89.81.106 106.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com. $ host smtp.academicjobseu.com smtp.academicjobseu.com has address 212.89.81.106 106 != 105 -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com
On 02/15/2011 02:00 PM, Ralf Hildebrandt wrote: * J4K ju...@klunky.co.uk: $ host 212.89.81.105 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com. $ host smtp.academicjobseu.com. smtp.academicjobseu.com has address 212.89.81.106 212.89.81.105 != 212.89.81.106 # host 212.89.81.105 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com. # host 212.89.81.106 106.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com. $ host smtp.academicjobseu.com smtp.academicjobseu.com has address 212.89.81.106 106 != 105 Thanks Ralf. It is clear now.
Human factors (smtpd: warning: n.n.n.n: address not listed for ...)
FYI, I have changed the warnings from the code that implements forward-confirmed reverse DNS (FCRDNS).

When the reverse name has no IP address:

    hostname foo.example.com does not resolve to address 1.2.3.4: host not found, try again

When the reverse has some address but not the expected address:

    hostname foo.example.com does not resolve to address 1.2.3.4

The old warnings were very different.

    1.2.3.4: hostname foo.example.com verification failed: host not found, try again
    1.2.3.4: address not listed for hostname foo.example.com

That's in both smtpd(8) and qmqpd(8).

Wietse
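Added example (not part of the thread and not Postfix source code): a small Python model of the forward-confirmed reverse DNS check discussed above, run over constructed DNS data that mirrors the host/dig answers quoted in the thread. The function name fcrdns, the record tables and the documentation-range addresses are assumptions made for illustration; the warning strings follow the old and new wording quoted in the message above.

```python
import ipaddress

# Constructed DNS data. The academicjobseu.com records copy the host/dig
# answers quoted in the thread; the example.com entries use documentation
# address ranges and are invented for this example.
PTR_RECORDS = {
    "212.89.81.105": "smtp.academicjobseu.com",
    "212.89.81.106": "smtp.academicjobseu.com",
    "192.0.2.25": "orphan.example.com",   # PTR exists, name has no address
    "2001:db8::25": "v6.example.com",
}
ADDRESS_RECORDS = {
    "smtp.academicjobseu.com": ["212.89.81.106"],
    # Same address as the PTR key, written in expanded form on purpose.
    "v6.example.com": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}


def fcrdns(client_ip, ptr=PTR_RECORDS, addrs=ADDRESS_RECORDS, old_style=False):
    """Model of the check: return (client_name, warning_or_None).

    client_name is the PTR name only when one of that name's own address
    records is the connecting IP; otherwise it is "unknown".
    """
    ip = ipaddress.ip_address(client_ip)

    # Step 1: reverse lookup (address -> name). No PTR: nothing to confirm.
    name = ptr.get(str(ip))
    if name is None:
        return "unknown", None

    # Step 2: forward lookup (name -> addresses).
    forward = addrs.get(name, [])
    if not forward:
        if old_style:
            warning = (f"{ip}: hostname {name} verification failed: "
                       "host not found, try again")
        else:
            warning = (f"hostname {name} does not resolve to address {ip}: "
                       "host not found, try again")
        return "unknown", warning

    # Step 3: the connecting address must be among the forward answers.
    # Compare parsed addresses, not strings, so IPv6 spellings do not matter.
    if ip in {ipaddress.ip_address(a) for a in forward}:
        return name, None

    if old_style:
        warning = f"{ip}: address not listed for hostname {name}"
    else:
        warning = f"hostname {name} does not resolve to address {ip}"
    return "unknown", warning


if __name__ == "__main__":
    for addr in ("212.89.81.105", "212.89.81.106", "192.0.2.25",
                 "2001:db8::25", "198.51.100.1"):
        name, warning = fcrdns(addr)
        print(f"connect from {name}[{addr}]" + (f"  warning: {warning}" if warning else ""))
```

The .105 client stays "unknown" because the PTR owner's claim is only trusted once the forward zone agrees, which is why hostname-based access rules cannot be satisfied by a reverse record alone.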
mailer-daemon never rejected?
How can this happen? The address mailer-dae...@plancompany.at does not exist but if checked from barracuda SPF postfix answers with valid?

Original Message
Subject: Undelivered Mail Returned to Sender
Date: Tue, 15 Feb 2011 17:30:11 +0100 (CET)
From: Mail Delivery System postmas...@thelounge.net
To: quarant...@thelounge.net

This is the mail system at host mail.thelounge.net.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmas...@thelounge.net

If you do so, please include this problem report. You can delete your own text from the attached returned message.

mailer-dae...@plancompany.at: host 127.0.0.1[127.0.0.1] said: 550 Recipient mailer-dae...@plancompany.at FAIL (in reply to RCPT TO command)
My postscreen results
I went live with my postscreen blocking mail, after some time of non-blocking while watching logs. Here's a discussion of those results (both non-blocking and blocking.) I've singled out some of the items which interested me; perhaps they will interest you as well. (Possibly all old-hat to the ones who leapt in early.)

* Settings

postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    dnsbl.njabl.org*2
    bl.spameatingmonkey.net*2
    dnsbl.ahbl.org
    bl.spamcop.net
    dnsbl.sorbs.net
    spamtrap.trblspam.com
    swl.spamhaus.org*-5
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-4
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

* Gripe

The one thing I do not like about it is that the DNSBL given as the reason for rejection is semi-random, specifically it seems to be the first one to hit dnsblog(8) for that client. My postscreen_dnsbl_sites are arranged in trust order. If a real person was to see one of these rejections, I would prefer that this person see Spamhaus or Barracuda or NJABL, not SORBS, Spamcop, or TRBL.

I know my workaround is to use postscreen_dnsbl_reply_map, shown here in pcre:

    !/^zen\.spamhaus\.org$/    multiple DNS-based blocklists

But, I'd prefer for logging to sort the dnsblog names by score, highest first, and use that DNSBL name as the reason. (This workaround is in place and working fine.)

* Scoring and whitelists

Thanks to Noel for getting me thinking about DNS whitelists. I am doubtful that they will matter much overall, but they do seem to be conservative so far. Mine have offset only a few negatively-scored hosts from my less-trusted (1 point) DNSBLs, mostly. There were 2 DNSWL hits for spameatingmonkey hosts, and zero for AHBL, so I am considering switching their places (and scores) in the above list. The largest part of my DNSWL hits are weighted toward lower-scored hosts.
Out of 610 in the sample period I had 474 + 89 + 34 + 13 of 127.0.x.Y where Y is 0, 1, 2, and 3 respectively.

I'm not seeing a lot of hits in SWL so far, and the few I did see were also found in DNSWL. (No SWL host was listed in any of the DNSBLs.)

Overlap between dnswl.org and the DNSBLs listed was as follows:

Also listed in:
bl.spameatingmonkey.net     2
bl.spamcop.net              4
dnsbl.sorbs.net            24
spamtrap.trblspam.com      52

Of these, only 5 were listed on more than one DNSBL. All 5 of these were listed on TRBL; 3 also on spam.dnsbl.sorbs.net (127.0.0.6), and the other 2 also on bl.spameatingmonkey.net (127.0.0.10). Not surprisingly, each of the DNSWL listings was a .0 (trust level none.)

DNSWL-SEM-TRBL
174.34.187.66   list.dnswl.org            127.0.15.0
174.34.187.66   bl.spameatingmonkey.net   127.0.0.10
174.34.187.66   spamtrap.trblspam.com     127.0.0.2
174.34.187.67   list.dnswl.org            127.0.15.0
174.34.187.67   bl.spameatingmonkey.net   127.0.0.10
174.34.187.67   spamtrap.trblspam.com     127.0.0.2

Note, the DNSWL-SEM-TRBL triples are right next door to one another, which suggests that a netblock listing might have been done. These particular hosts are an ESP: http://www.yourmailinglistprovider.com/antispam_policy.html I don't know how good (or bad) they are, but they do offer a free trial, so they're likely to attract spammers.

DNSWL-SORBS-TRBL
66.192.165.130  list.dnswl.org            127.0.15.0
66.192.165.130  dnsbl.sorbs.net           127.0.0.6
66.192.165.130  spamtrap.trblspam.com     127.0.0.2
216.27.93.124   list.dnswl.org            127.0.15.0
216.27.93.124   dnsbl.sorbs.net           127.0.0.6
216.27.93.124   spamtrap.trblspam.com     127.0.0.2
195.121.247.8   list.dnswl.org            127.0.5.0
195.121.247.8   dnsbl.sorbs.net           127.0.0.6
195.121.247.8   spamtrap.trblspam.com     127.0.0.2

The first two of those are the ESP iContact.com. The latter is KPN, an ISP in Europe.
The breakdown of dual listings by DNSWL trust level is what I would expect: dnswl.org returns: ## ## per DNSBL -- -- 127.0.x.3 (high)32 TRBL 1 SORBS spam (127.0.0.6) 127.0.x.2 (medium) 0 127.0.x.1 (low) 09 SORBS spam (All of these: Facebook) 127.0.x.0 (none) 70 50 TRBL 14 SORBS spam 4 Spamcop 2 Spameatingmonkey FWIW the three high-trust hosts are all well-known listservers: outgoing.securityfocus.com and webster.isc.org on TRBL; and vger.kernel.org on SORBS. No, I'd not want to lose mail from them. The non-trust hosts are about evenly split between ESPs and ISPs. These, I did not bother to examine as carefully other than that. Seems like some more aggressive sites might want to
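Added example (not part of the post and not postscreen source code): a Python model of how the weighted postscreen_dnsbl_sites list from the Settings section combines blocklist and whitelist replies into one score, applied to hosts from the tables above plus a few constructed ones. The function names and the reply dictionaries are assumptions for illustration; sorting the hits by weight shows the reporting order the author asks for in the Gripe section, not what postscreen itself logs.

```python
import re

# The postscreen_dnsbl_sites value from the post, one entry per item.
SITES = """
zen.spamhaus.org*3 b.barracudacentral.org*2 dnsbl.njabl.org*2
bl.spameatingmonkey.net*2 dnsbl.ahbl.org bl.spamcop.net dnsbl.sorbs.net
spamtrap.trblspam.com swl.spamhaus.org*-5
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-4
list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
""".split()
THRESHOLD = 3  # postscreen_dnsbl_threshold from the post

# domain[=reply filter][*weight]; the weight defaults to 1.
ENTRY = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")
# One filter octet: either a plain number or a [lo..hi] range.
OCTET = re.compile(r"\[(\d+)\.\.(\d+)\]|(\d+)")


def parse_site(entry):
    """Split one entry into (domain, per-octet (lo, hi) ranges or None, weight)."""
    m = ENTRY.match(entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    ranges = None
    if m["filter"]:
        ranges = [(int(lo), int(hi)) if lo else (int(n), int(n))
                  for lo, hi, n in OCTET.findall(m["filter"])]
        if len(ranges) != 4:
            raise ValueError(f"bad reply filter in {entry!r}")
    return m["domain"], ranges, int(m["weight"] or 1)


def score(replies, sites=SITES):
    """replies maps a DNSBL domain to the A-record replies it gave for a client.

    Returns (total, hits), hits being (entry, weight) pairs sorted by weight,
    highest first.
    """
    hits = []
    for entry in sites:
        domain, ranges, weight = parse_site(entry)
        for reply in replies.get(domain, []):
            octets = [int(o) for o in reply.split(".")]
            # No filter: any reply counts. With a filter, every octet must fit.
            if ranges is None or all(lo <= o <= hi
                                     for o, (lo, hi) in zip(octets, ranges)):
                hits.append((entry, weight))
                break  # each entry contributes its weight at most once
    hits.sort(key=lambda hit: -hit[1])
    return sum(weight for _, weight in hits), hits


def decide(replies, threshold=THRESHOLD):
    """The threshold is an inclusive lower bound for blocking."""
    total, hits = score(replies)
    return ("enforce" if total >= threshold else "pass"), total, hits


# 174.34.187.66, with the replies listed in the DNSWL-SEM-TRBL table.
ESP_HOST = {"list.dnswl.org": ["127.0.15.0"],
            "bl.spameatingmonkey.net": ["127.0.0.10"],
            "spamtrap.trblspam.com": ["127.0.0.2"]}
# 66.192.165.130, with the replies listed in the DNSWL-SORBS-TRBL table.
ICONTACT_HOST = {"list.dnswl.org": ["127.0.15.0"],
                 "dnsbl.sorbs.net": ["127.0.0.6"],
                 "spamtrap.trblspam.com": ["127.0.0.2"]}
# Constructed clients (reply values invented for this example).
ZEN_ONLY = {"zen.spamhaus.org": ["127.0.0.4"]}
ZEN_BUT_TRUSTED = {"zen.spamhaus.org": ["127.0.0.4"],
                   "list.dnswl.org": ["127.0.5.3"]}
TWO_MINOR_LISTS = {"b.barracudacentral.org": ["127.0.0.2"],
                   "bl.spamcop.net": ["127.0.0.2"]}

if __name__ == "__main__":
    for label, replies in [("174.34.187.66", ESP_HOST),
                           ("66.192.165.130", ICONTACT_HOST),
                           ("zen only", ZEN_ONLY),
                           ("zen + dnswl high", ZEN_BUT_TRUSTED),
                           ("barracuda + spamcop", TWO_MINOR_LISTS)]:
        action, total, hits = decide(replies)
        print(f"{label:20} score={total:3} {action:8} top={hits[0][0]}")
```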
Re: domain-aliases / recipient_canonical_maps / vrfy
i have solved this problem with some subqueries and the limit 1 is needed for MySQL 5.5 because 5.1 meant that somewhere are more than one row returned from a subquery

recipient_canonical_maps = mysql:/etc/postfix/mysql-rewritedomains.cf

[root@mail:/etc/postfix]$ cat /etc/postfix/mysql-rewritedomains.cf
user = dbmailro
password = **
dbname = dbmail
hosts = unix:/var/lib/mysql/mysql.sock
query = select target from dbma_rewrite_domains where source like '%d' and ((select count(*) from dbmail_aliases where alias like (select concat('%u', (select target from dbma_rewrite_domains where source like '%d' limit 1)) from dbma_rewrite_domains limit 1))>0 or (select count(*) from dbmail_aliases where alias like '%u@' limit 1)>0) limit 1
___

CREATE TABLE `dbma_rewrite_domains` (
  `source` varchar(255) NOT NULL,
  `target` varchar(255) NOT NULL,
  PRIMARY KEY (`source`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 PACK_KEYS=1 DELAY_KEY_WRITE=1

source = alias-domain
target = @target-domain
___

if postfix would not accept postmaster and mailer-daemon for each domain even if it does not exist anywhere i would be lucky because it does not make sense, but that is another problem

ok, postmaster is required and a global forwarder for all domains to me but mailer-daemon does not exist anywhere :-(

On 08.02.2011 22:37, Reindl Harald wrote:

On 08.02.2011 22:32, Charles Marcus wrote:

Don't use domain aliases. Wildcard address rewrites disable recipient validation.

Postfixadmin (2.3.2+) has working recipient verification with alias domains...

Hm - I will take a look what they do if i find no simple solution

external admin-software is a no-go because we have centralized and self-developed backends for postfix/dbmail, pureftpd, httpd, bind, dhcpd, domain-registration which is all tuned to work with each other in one admin-ui
Re: mailer-daemon never rejected?
Reindl Harald: How can this happen? The address mailer-dae...@plancompany.at does not exist but if checked from barracuda SPF postfix answers with valid? Postfix SENDS mail from mailer-daemon, therefore Postfix ACCEPTS mail to mailer-daemon. When the mailer-daemon alias does not exist (it should resolve to postmaster), the local delivery agent logs a warning and discards the recipient. Wietse
relay_recipient and/or relay_domains issue
I have two issues that I believe are connected so I'm putting them into one submission to the list: ISSUE 1 I want to forward root's mail to a local user called mike. The user's email address is m...@ascendency.net and is a legitimate user on the system, but has a virtual mailbox. I've added that email address in /etc/aliases and run the /usr/bin/newaliases command. The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting in the following error: Reason: Remote SMTP server has rejected address Diagnostic code: smtp;554 5.7.1 m...@patton.ascendency.net: Relay access denied ISSUE 2 Messages sent to aliases that should point to legitimate email address on the server return the following error: Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table I believe both of these issues are related to my configuration of relay_domains and/or relay_recipient_maps. Please see links below to links all relevant configuration files. DOCUMENTATION REVIEWED 1. http://www.postfix.org/ADDRESS_CLASS_README.html 2. http://www.postfix.org/postconf.5.html#relay_recipient_maps VERSIONS 1. FreeBSD - 8.1-RELEASE 2. PostFix - 2.7.2,1 3. MySQL - 5.5.9 4. Dovecot - 1.2.16 CONFIGURATION FILES 1. postconf -n: http://pastebin.com/E0gMpmqf 2. postconf -m: http://pastebin.com/hC7waDmY 3. master.cf: http://pastebin.com/KcPTccCA 4. mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA 5. mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8 6. mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9 7. mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH 8. mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables) 1. Domain - ascendency.net 2. Server name - patton -- Mike Loiterman Email: m...@ascendency.net
Re: mailer-daemon never rejected?
Reindl Harald: I just added mailer-daemon@ - postmas...@thelounge.net That would be a terrible mistake, since it aliases EVERYONE ELSES domain too. Remove this nonsense. Wietse
Re: mailer-daemon never rejected?
On 15.02.2011 19:07, Wietse Venema wrote:

Reindl Harald: I just added mailer-daemon@ - postmas...@thelounge.net

That would be a terrible mistake

no, it would not

since it aliases EVERYONE ELSES domain too

this is what it should do and what postmaster@, hostmaster@ and abuse@ also have to do for all domains

Remove this nonsense

where do you see any nonsense?

as long as i am postmaster for all domains on this server i have to get every postmaster-related mail in my account and nonsense would be configure 200 postmaster-accounts in my client

nobody else except other operators which are receiving the global postmaster-account is interested in technical mails because 98% out there are too stupid to understand a simple bounce and deleting all mails they do not understand instead forward to anybody who does
Postfix relay to local MTA on different port or IP
I have a server running postfix on port 25 and a secondary mail platform listening on port 2525. I have tried many combinations of settings but keep getting:

Feb 12 08:34:43 server1 postfix/smtp[11104]: 19183EB01F0: to=u...@domain.com, relay=none, delay=6.9, delays=6.9/0.01/0/0, dsn=5.4.6, status=bounced (mail for domain.com loops back to myself)

My server name is server1.domain.com and my mail platform on 2525 is hosting domain.com. What settings in my main.cf will prevent postfix from thinking this is a loop?

[root@server1 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.7.2-documentation/html
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.7.2-documentation/readme
relay_domains = $mydestination, domain.com
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, permit
unknown_local_recipient_reject_code = 550

/etc/postfix/transport
domain.com    smtp:[192.168.1.3]:2525

I have tried limiting postfix to listening only on loopback and 192.168.1.1:25 and the mail platform to listen only on 192.168.1.3:25 then adjusting the transport file accordingly but it still bounces the message.

Thanks for the help.

Dave
Re: mailer-daemon never rejected?
Reindl Harald: I just added mailer-daemon@ - postmas...@thelounge.net Including mailer-dae...@porcupine.org - postmas...@thelounge.net. Wietse
Re: Postfix relay to local MTA on different port or IP
Dave Jones: I have a server running postfix on port 25 and a secondary mail platform listening on port 2525. I have tried many combinations of settings but keep getting: Feb 12 08:34:43 server1 postfix/smtp[11104]: 19183EB01F0: to=u...@domain.com, relay=none, delay=6.9, delays=6.9/0.01/0/0, dsn=5.4.6, status=bounced (mail for domain.com loops back to myself) http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup See description of PRIMARY MX configuration. Wietse
Re: mailer-daemon never rejected?
On 15.02.2011 19:36, Wietse Venema wrote:

Reindl Harald: I just added mailer-daemon@ - postmas...@thelounge.net

Including mailer-dae...@porcupine.org - postmas...@thelounge.net

Check your mails after greylisting :-)

These Forwards on the dbmail-side and as long postfix has porcupine.org not configured they never go to local smtp!

[root@mail:~]$ cat maillog | grep mailer-dae...@porcupine.org
Feb 15 19:39:53 mail postfix/smtp[23633]: 20266C5: to=mailer-dae...@porcupine.org, relay=spike.porcupine.org[168.100.189.2]:25, delay=17, delays=0.09/0/2/15, dsn=4.7.1, status=deferred (host spike.porcupine.org[168.100.189.2] said: 450 4.7.1 h.rei...@thelounge.net: Sender address rejected: Greylisted for 60 seconds... (in reply to RCPT TO command))
Multi-homed server inet_interfaces or smtp-bind-address
First off I am still a bit green on this stuff.

Both my servers are multi-homed, server A which runs Postfix is configured - eth0: n.n.n.186 and eth1: n.n.n.187. The host name for this server is mail.domain.tld which points to n.n.n.187.

Up until last Friday we did not have any problems. On Friday we started to get bounced when we tried to reply to a new contact at ATT/Prodigy. Their bounce message is as follows:

host sbcmx5.prodigy.net[207.115.21.24] said: 553 5.3.0 flpd241 DNSBL:ATTRBL 521 n.n.n.186 _is_blocked.__For_information_see_http://att.net/blocks (in reply to MAIL FROM command)

A check of our logs shows only four messages destined for their servers in the last four weeks. I have checked our servers using abuse.net and we do not appear to be an open relay. None of the RBLs have us listed. So I do not think the problem is spamming.

I think the problem is Postfix is sending using eth0, which in turn means that it appears to come from n.n.n.186, which in turn means that a reverse lookup does not resolve to mail.domain.tld. The loop is not closed and therefore we are suspect.

I did some digging around and I think that I need to modify my Postfix configuration by adding inet_interfaces=n.n.n.186, n.n.n.187, localhost and smtp_bind_address=n.n.n.187. However this is where I get a little confused as in one set of documents I have read it says to add these into main.cf, while the postconf.5.html says to leave the inet_interfaces at default and add the smtp_bind_address to the master.cf.

Help would be appreciated, also any suggestions on improving the setup.
John A postconf ouput below== alias_database = $alias_maps alias_maps = hash:/etc/aliases allow_untrusted_routing = no biff = no body_checks = regexp:/etc/postfix/maps/body_checks bounce_size_limit = 65536 broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix content_filter = amavisfeed:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_privs = nobody default_process_limit = 20 delay_warning_time = 12 disable_vrfy_command = yes header_checks = regexp:/etc/postfix/maps/header_checks header_size_limit = 32768 home_mailbox = Maildir/ html_directory = no in_flow_delay = 1s inet_protocols = all local_destination_concurrency_limit = 5 mail_owner = postfix mailbox_command = /usr/libexec/dovecot/deliver mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 32768000 mydestination = localhost, localhost.localdomain, localdomain mydomain = domain.tld myhostname = mail.$mydomain mynetworks = 127.0.0.0/8, 192.168.40.0/28 n.n.n.176/28 myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES recipient_delimiter = + relay_domains = relocated_maps = hash:/etc/postfix/maps/relocated sample_directory = /usr/share/doc/postfix-2.5.5/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous smtp_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt smtp_tls_cert_file = /etc/pki/tls/certs/Linderly_Mail_SSL.crt smtp_tls_key_file = /etc/pki/tls/private/Linderly_Mail_SSL_Decrypted.key smtp_tls_note_starttls_offer = yes smtp_use_tls = yes smtpd_banner = $myhostname ESMTP smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining, permit smtpd_delay_reject = yes smtpd_error_sleep_time = 5s smtpd_hard_error_limit = 20 smtpd_helo_required = yes 
smtpd_recipient_limit = 128 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unlisted_recipient, check_sender_access hash:/etc/postfix/maps/sender_access, reject_unlisted_sender, check_client_access hash:/etc/postfix/maps/client_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access pcre:/etc/postfix/maps/helo_checks, check_helo_access pcre:/etc/postfix/maps/helo_access, reject_unknown_helo_hostname, check_recipient_access hash:/etc/postfix/maps/recipient_access reject_unknown_sender_domain, check_policy_service unix:/var/spool/postfix/postgrey/socket permit smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_soft_error_limit = 10 smtpd_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/pki/tls/certs/Linderly_Mail_SSL.crt smtpd_tls_key_file = /etc/pki/tls/private/Linderly_Mail_SSL_Decrypted.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes soft_bounce = no strict_rfc821_envelopes = yes tls_random_source = dev:/dev/urandom
Content message/partial and header checks
Hi, I have a sender that is trying to send mail to one of our recipients, but it is being rejected because it is a message/partial content type: /^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT I pulled this from the jimsun antispam page. Is this still necessary? If so, how would I go about creating an exception for this specific sender? This file is defined in my mime_header_checks file. Perhaps I can create an entry in my regular header checks file that exempts this user from further checks? I guess this is really a question about the ordering of how the checks are done and how to construct such a rule to authorize this user to send otherwise unauthorized content. Thanks, Alex
When does a delivery attempt start?
Is there a way of getting a log entry that documents when Postfix is trying to actually deliver a mail? Something along the lines it's in the active queue, and Postfix is about to create|reuse an (S|L)MTP connection to whatever destination it deems to be correct Why am I interested in this? basically I want to show that it's NOT lingering in the queue after it has been scanned for viruses and reinjected into the queue -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: Content message/partial and header checks
On 2/15/2011 1:23 PM, Alex wrote: Hi, I have a sender that is trying to send mail to one of our recipients, but it is being rejected because it is a message/partial content type: /^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT I pulled this from the jimsun antispam page. Is this still necessary? If so, how would I go about creating an exception for this specific sender? This file is defined in my mime_header_checks file. Perhaps I can create an entry in my regular header checks file that exempts this user from further checks? I guess this is really a question about the ordering of how the checks are done and how to construct such a rule to authorize this user to send otherwise unauthorized content. Thanks, Alex You can't make exceptions for header_checks, all mail is checked. If a rule causes problems, your choices are to live with it, remove the rule, or change the rule to HOLD for manual intervention. message/partial is considered a potential security risk since it allows several fragments to be mailed separately and then be reassembled by the recipient's mail program. This fragmentation may allow unwanted content such as viruses to slip past gateway filters that only see the fragments and not the whole message. This isn't currently a major attack vector. I can't remember when the last message/partial, either legit or not, came through here. If you want to allow this mail, either remove the rule or change it from REJECT to HOLD. Mail put in the HOLD queue can be listed with the mailq command, and will stay on hold until either released with postsuper -H QUEUEID or deleted with postsuper -d QUEUEID. -- Noel Jones
Re: relay_recipient and/or relay_domains issue
On 02/15/2011 07:07 PM, Mike Loiterman wrote:
> I have two issues that I believe are connected so I'm putting them into one submission to the list:
>
> ISSUE 1
>
> I want to forward root's mail to a local user called mike. The user's email address is m...@ascendency.net and is a legitimate user on the system, but has a virtual mailbox. I've added that email address in /etc/aliases and run the /usr/bin/newaliases command.
>
> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting in the following error:
>
> Reason: Remote SMTP server has rejected address
> Diagnostic code: smtp;554 5.7.1 m...@patton.ascendency.net: Relay access denied
>
> ISSUE 2
>
> Messages sent to aliases that should point to legitimate email addresses on the server return the following error:
>
> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>
> I believe both of these issues are related to my configuration of relay_domains and/or relay_recipient_maps. Please see the links below to all relevant configuration files.
>
> DOCUMENTATION REVIEWED
> 1. http://www.postfix.org/ADDRESS_CLASS_README.html
> 2. http://www.postfix.org/postconf.5.html#relay_recipient_maps
>
> VERSIONS
> 1. FreeBSD - 8.1-RELEASE
> 2. PostFix - 2.7.2,1
> 3. MySQL - 5.5.9
> 4. Dovecot - 1.2.16
>
> CONFIGURATION FILES
> 1. postconf -n: http://pastebin.com/E0gMpmqf
> 2. postconf -m: http://pastebin.com/hC7waDmY
> 3. master.cf: http://pastebin.com/KcPTccCA
> 4. mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
> 5. mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
> 6. mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
> 7. mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
> 8. mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG
>
> OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)
> 1. Domain - ascendency.net
> 2. Server name - patton
>
> --
> Mike Loiterman
> Email: m...@ascendency.net

The nature of the error messages indicates that you have your address classes mixed up.

Mydestination holds domains that will be delivered locally. These can be, but should not trivially be, aliased away to virtual addresses - it is much simpler to reverse the function of the domains, or use the proper masquerading or canonicalizing maps.

Likewise, virtual_mailbox_domains holds domains that will be delivered to the virtual(8) delivery agent - or whatever you use as virtual_transport instead.

Relay_domains contains domains you want to accept mail for, but which you will always send onwards.

Now:

> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net

How does it get directed? Presumably, you aliased root to m...@patton.net. If, instead, you aliased root to mike - don't do that. You should not use unqualified addresses on the RHS of an alias, unless you know /exactly/ what the result will be.

http://www.postfix.org/postconf.5.html#myorigin

And:

> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table

This has nothing to do with aliasing; note that it thinks the address in question is present in *relay_domains*.

Make SURE that your domains occur in only one address class; specifying a domain in multiple classes does not work. This may not be immediately apparent (to you or to postfix) when they are buried in mysql maps. (The contents of which would make this certain, instead of conjecture.)

-- J.
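An added example, not from the thread or from Postfix itself: a small audit of the two points made in the reply above, that a domain must appear in only one address class and that unqualified addresses only stay local when myorigin is listed in mydestination. The `postconf`-style sample is constructed, and the script assumes all relevant parameters are set explicitly (it does not know Postfix's built-in defaults).

```python
import re

# The four domain-list parameters that define the Postfix address classes
# described in ADDRESS_CLASS_README.
ADDRESS_CLASSES = ("mydestination", "virtual_alias_domains",
                   "virtual_mailbox_domains", "relay_domains")

# Constructed sample in `postconf -n` format; every value is invented.
SAMPLE_POSTCONF = """\
myhostname = patton.example.net
mydomain = example.net
myorigin = $myhostname
mydestination = localhost, localhost.$mydomain
virtual_mailbox_domains = example.net, example.org
relay_domains = $mydomain, mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
"""


def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references (unknown names expand to nothing)."""
    if depth > 10:          # guard against self-referencing parameters
        return value

    def substitute(match):
        name = match.group(1) or match.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", substitute, value)


def class_members(params):
    """Return {class: (set of literal domains, list of type:name lookup tables)}."""
    members = {}
    for cls in ADDRESS_CLASSES:
        items = [i for i in re.split(r"[,\s]+", expand(params.get(cls, ""), params)) if i]
        tables = [i for i in items if ":" in i]
        domains = {i.lower() for i in items if ":" not in i}
        members[cls] = (domains, tables)
    return members


def audit(params):
    """Return a list of human-readable findings."""
    findings = []
    members = class_members(params)
    first_seen = {}
    for cls in ADDRESS_CLASSES:
        for domain in sorted(members[cls][0]):
            if domain in first_seen:
                findings.append(f"{domain} is listed in both {first_seen[domain]} and {cls}")
            else:
                first_seen[domain] = cls
    # Literal values cannot reveal what a database table returns; flag the
    # tables so each domain can be looked up in them by hand (postmap -q).
    for cls in ADDRESS_CLASSES:
        for table in members[cls][1]:
            findings.append(f"{cls} uses table {table}: query it for every domain")
    origin = expand(params.get("myorigin", "$myhostname"), params).lower()
    if origin not in members["mydestination"][0]:
        findings.append(f"myorigin {origin} is not in mydestination: "
                        "unqualified addresses will not be delivered locally")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE_POSTCONF)):
        print("-", finding)
```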
Re: When does a delivery attempt start?
Ralf Hildebrandt:
> Is there a way of getting a log entry that documents when Postfix is trying to actually deliver a mail?

The queue manager connects to the UNIX-domain socket for a particular delivery agent such as smtp(8) or local(8), and waits for a response from a delivery agent that it is ready.

Once a delivery agent responds, it receives the delivery request, and that is the start of delivery. You can see this only by turning on verbose logging.

The delivery request contains among many things hints whether to try to save/reuse a connection, but it is up to the delivery agent to either ignore that hint (local(8) and pipe(8) don't reuse) or to pay attention to that hint (as smtp(8) does).

> Something along the lines it's in the active queue, and Postfix is about to create|reuse an (S|L)MTP connection to whatever destination it deems to be correct
>
> Why am I interested in this? basically I want to show that it's NOT lingering in the queue after it has been scanned for viruses and reinjected into the queue

Use multiple instances, and filtered mail will not share the queue with unfiltered mail, so you know exactly why it is in an active queue.

Wietse
Re: relay_recipient and/or relay_domains issue
On Feb 15, 2011, at 3:45 PM, Jeroen Geilman wrote:
> On 02/15/2011 07:07 PM, Mike Loiterman wrote:
>> I have two issues that I believe are connected so I'm putting them into one submission to the list:
>>
>> ISSUE 1
>>
>> I want to forward root's mail to a local user called mike. The user's email address is m...@ascendency.net and is a legitimate user on the system, but has a virtual mailbox. I've added that email address in /etc/aliases and run the /usr/bin/newaliases command.
>>
>> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting in the following error:
>>
>> Reason: Remote SMTP server has rejected address
>> Diagnostic code: smtp;554 5.7.1 m...@patton.ascendency.net: Relay access denied
>>
>> ISSUE 2
>>
>> Messages sent to aliases that should point to legitimate email addresses on the server return the following error:
>>
>> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>>
>> I believe both of these issues are related to my configuration of relay_domains and/or relay_recipient_maps. Please see the links below to all relevant configuration files.
>>
>> DOCUMENTATION REVIEWED
>> 1. http://www.postfix.org/ADDRESS_CLASS_README.html
>> 2. http://www.postfix.org/postconf.5.html#relay_recipient_maps
>>
>> VERSIONS
>> 1. FreeBSD - 8.1-RELEASE
>> 2. PostFix - 2.7.2,1
>> 3. MySQL - 5.5.9
>> 4. Dovecot - 1.2.16
>>
>> CONFIGURATION FILES
>> 1. postconf -n: http://pastebin.com/E0gMpmqf
>> 2. postconf -m: http://pastebin.com/hC7waDmY
>> 3. master.cf: http://pastebin.com/KcPTccCA
>> 4. mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
>> 5. mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
>> 6. mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
>> 7. mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
>> 8. mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG
>>
>> OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)
>> 1. Domain - ascendency.net
>> 2. Server name - patton
>>
>> --
>> Mike Loiterman
>> Email: m...@ascendency.net
>
> The nature of the error messages indicates that you have your address classes mixed up.
>
> Mydestination holds domains that will be delivered locally. These can be, but should not trivially be, aliased away to virtual addresses - it is much simpler to reverse the function of the domains, or use the proper masquerading or canonicalizing maps.
>
> Likewise, virtual_mailbox_domains holds domains that will be delivered to the virtual(8) delivery agent - or whatever you use as virtual_transport instead.
>
> Relay_domains contains domains you want to accept mail for, but which you will always send onwards.
>
> Now:
>
>> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net
>
> How does it get directed? Presumably, you aliased root to m...@patton.net. If, instead, you aliased root to mike - don't do that. You should not use unqualified addresses on the RHS of an alias, unless you know /exactly/ what the result will be.
>
> http://www.postfix.org/postconf.5.html#myorigin
>
> And:
>
>> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>
> This has nothing to do with aliasing; note that it thinks the address in question is present in *relay_domains*.
>
> Make SURE that your domains occur in only one address class; specifying a domain in multiple classes does not work. This may not be immediately apparent (to you or to postfix) when they are buried in mysql maps. (The contents of which would make this certain, instead of conjecture.)
>
> -- J.

Issue number 1 was a problem with an upstream relay. I have since fixed my issue. The problem was that the upstream relay was using recipient verification caching before it even got to my server.

Issue number 2 is still a problem for me. Yes, I have aliased root to m...@ascendency.net.

Here is the log of what happens: http://pastebin.com/sXsyuMdH
Re: relay_recipient and/or relay_domains issue
On 02/15/2011 10:56 PM, Mike Loiterman wrote:
> On Feb 15, 2011, at 3:45 PM, Jeroen Geilman wrote:
>> On 02/15/2011 07:07 PM, Mike Loiterman wrote:
>>> I have two issues that I believe are connected so I'm putting them into one submission to the list:
>>>
>>> ISSUE 1
>>>
>>> I want to forward root's mail to a local user called mike. The user's email address is m...@ascendency.net and is a legitimate user on the system, but has a virtual mailbox. I've added that email address in /etc/aliases and run the /usr/bin/newaliases command.
>>>
>>> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting in the following error:
>>>
>>> Reason: Remote SMTP server has rejected address
>>> Diagnostic code: smtp;554 5.7.1 m...@patton.ascendency.net: Relay access denied
>>>
>>> ISSUE 2
>>>
>>> Messages sent to aliases that should point to legitimate email addresses on the server return the following error:
>>>
>>> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>>>
>>> I believe both of these issues are related to my configuration of relay_domains and/or relay_recipient_maps. Please see the links below to all relevant configuration files.
>>>
>>> DOCUMENTATION REVIEWED
>>> 1. http://www.postfix.org/ADDRESS_CLASS_README.html
>>> 2. http://www.postfix.org/postconf.5.html#relay_recipient_maps
>>>
>>> VERSIONS
>>> 1. FreeBSD - 8.1-RELEASE
>>> 2. PostFix - 2.7.2,1
>>> 3. MySQL - 5.5.9
>>> 4. Dovecot - 1.2.16
>>>
>>> CONFIGURATION FILES
>>> 1. postconf -n: http://pastebin.com/E0gMpmqf
>>> 2. postconf -m: http://pastebin.com/hC7waDmY
>>> 3. master.cf: http://pastebin.com/KcPTccCA
>>> 4. mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
>>> 5. mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
>>> 6. mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
>>> 7. mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
>>> 8. mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG
>>>
>>> OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)
>>> 1. Domain - ascendency.net
>>> 2. Server name - patton
>>>
>>> --
>>> Mike Loiterman
>>> Email: m...@ascendency.net
>>
>> The nature of the error messages indicates that you have your address classes mixed up.
>>
>> Mydestination holds domains that will be delivered locally. These can be, but should not trivially be, aliased away to virtual addresses - it is much simpler to reverse the function of the domains, or use the proper masquerading or canonicalizing maps.
>>
>> Likewise, virtual_mailbox_domains holds domains that will be delivered to the virtual(8) delivery agent - or whatever you use as virtual_transport instead.
>>
>> Relay_domains contains domains you want to accept mail for, but which you will always send onwards.
>>
>> Now:
>>
>>> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net
>>
>> How does it get directed? Presumably, you aliased root to m...@patton.net. If, instead, you aliased root to mike - don't do that. You should not use unqualified addresses on the RHS of an alias, unless you know /exactly/ what the result will be.
>>
>> http://www.postfix.org/postconf.5.html#myorigin
>>
>> And:
>>
>>> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>>
>> This has nothing to do with aliasing; note that it thinks the address in question is present in *relay_domains*.
>>
>> Make SURE that your domains occur in only one address class; specifying a domain in multiple classes does not work. This may not be immediately apparent (to you or to postfix) when they are buried in mysql maps. (The contents of which would make this certain, instead of conjecture.)
>>
>> -- J.
>
> Issue number 1 was a problem with an upstream relay. I have since fixed my issue. The problem was that the upstream relay was using recipient verification caching before it even got to my server.
>
> Issue number 2 is still a problem for me. Yes, I have aliased root to m...@ascendency.net.
>
> Here is the log of what happens: http://pastebin.com/sXsyuMdH

Feb 15 14:28:29 patton postfix/smtp[63705]: 0BBB41A984F: to=r...@patton.ascendency.net, orig_to=root, relay=127.0.0.1[127.0.0.1]:10024, delay=0.77, delays=0/0/0/0.76, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=63535-10, from MTA: 250 2.0.0 Ok: queued as ABD2A1A9852)

I don't see root being aliased anywhere.

Also, NOTE that if $myorigin is not included in $mydestination, unqualified addresses will /never/ match your local domains - and hence cannot be delivered locally.

myorigin defaults to myhostname, in your case patton.ascendency.net, and mydestination does not. We do not know what your
Re: email is properly rejected but reason given to user unclear
On 15/02/2011 07:36, Per-Erik Persson wrote:
> On Mon, 14 Feb 2011 16:52:42 -0600, Stan Hoeppner s...@hardwarefreak.com wrote:
>> Per-Erik Persson put forth on 2/14/2011 4:17 PM:
>>> I have recently found out the beauty of restriction classes. So to reject senders from certain sites that usually misspell their sender address I have set up the following:
>>>
>>> smtpd_restriction_classes = verify_client_sender
>>> verify_client_sender = reject_unverified_sender, permit
>>> smtpd_client_restrictions =
>>>     check_client_access hash:/etc/postfix/client-access,
>>>     check_client_access pcre:/etc/postfix/client-pcre-access,
>>>     permit_mynetworks,
>>>     permit_sasl_authenticated,
>>>     permit
>>>
>>> client-access looks like this:
>>>
>>> hostname_of_misspelled sender_1 verify_client_sender
>>> hostname_of_misspelled sender_2 verify_client_sender
>>> bla bla bla other hosts i dislike
>>>
>>> It works! But the sender (roundcube webmail) gets the error message "450 could not add recipient". It is not the recipient address that postfix blocks the email on, it is the sender address. Can I give a better error message to the users that insist on changing their sender addresses, explaining why the email is rejected?
>>
>> http://www.postfix.org/postconf.5.html#reject_unverified_sender
>>
>> Just a friendly sanity check: Are you sure that doing forward SAV is what you really want to be doing to solve this problem? AIUI there are basically two downsides to forward SAV:
>>
>> 1. Some MX hosts will lie in response to the probe, then reject actual mail delivery attempts later, depending on which smtp phase in which they do the actual mailbox address verification. Honestly, I'm not fully versed on how Wietse does the probes in Postfix, so this may or may not be an issue with the Postfix SAV probe implementation. Historically it has been an issue in the larger world of smtp.
>>
>> 2. Some sites frown on forward SAV probes, period, especially high volume receivers. The reason here should be obvious.
>
> I am aware of the problems with smtp sender verification. However in this case the sending servers are most likely webmail clients that don't always get the sender address correct.

what is the ratio of mail where senders mistype addresses? 0.1%?

> Most likely the sender address will point to my mx servers so that should not be a problem. And if the sender address points to gmail and gmail says oh no, no such user I will consider that a good thing.

if you do SAV, then you'd better minimise this (only do that after spam checks, rate limit). if you don't, then you'll be blacklisted.

> Quite a lot of people should be caught if the sender doesn't have a valid mx record, since that was the only check earlier.

an MX record isn't mandatory. an A record is enough. but anyway, such checks were abandoned here, because they only blocked legit mail.

> The proper solution would be to teach people to do copy/paste on email addresses instead of just guessing :-)

No, the proper solution is to do _your_ job and forget about teaching anybody.
Re: When does a delivery attempt start?
* Wietse Venema wie...@porcupine.org:
> Ralf Hildebrandt:
>> Is there a way of getting a log entry that documents when Postfix is trying to actually deliver a mail?
>
> The queue manager connects to the UNIX-domain socket for a particular delivery agent such as smtp(8) or local(8), and waits for a response from a delivery agent that it is ready.
>
> Once a delivery agent responds, it receives the delivery request, and that is the start of delivery. You can see this only by turning on verbose logging.

OK, thought so.

> The delivery request contains among many things hints whether to try to save/reuse a connection, but it is up to the delivery agent to either ignore that hint (local(8) and pipe(8) don't reuse) or to pay attention to that hint (as smtp(8) does).

Which log entry in the verbose log would I be looking for?

>> basically I want to show that it's NOT lingering in the queue after it has been scanned for viruses and reinjected into the queue
>
> Use multiple instances, and filtered mail will not share the queue with unfiltered mail, so you know exactly why it is in an active queue.

Oh, it's a prequeuing filter, so everything is already filtered.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Content message/partial and header checks
On 15/02/2011 20:23, Alex wrote:
> Hi,
>
> I have a sender that is trying to send mail to one of our recipients, but it is being rejected because it is a message/partial content type:
>
> /^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT

can you find out (and report) how the sender sent his email (mail client, ...) to see why he uses /partial? The goal is to see if /partial has a real use case.

> I pulled this from the jimsun antispam page. Is this still necessary?

well. the problem with /partial is that it may cause problems with filters. how would you scan this for viruses?

> If so, how would I go about creating an exception for this specific sender?

you can't create an exception in header_checks. you can create another smtpd listener and get the sender to use it (different recipient domain with different MX OR sender relay config using a specific smtpd OR ...).

but really, it's better to provide an http/ftp upload method. smtp isn't good for large file exchange, because it's multi-relay with store-and-forward (with sync queue to disk) at each relay. even (suboptimal) http is better.

> This file is defined in my mime_header_checks file. Perhaps I can create an entry in my regular header checks file that exempts this user from further checks?
>
> I guess this is really a question about the ordering of how the checks are done and how to construct such a rule to authorize this user to send otherwise unauthorized content.
>
> Thanks,
> Alex
Re: When does a delivery attempt start?
Ralf Hildebrandt:
>> Once a delivery agent responds, it receives the delivery request, and that is the start of delivery. You can see this only by turning on verbose logging.
>
> OK, thought so.
>
>> The delivery request contains among many things hints whether to try to save/reuse a connection, but it is up to the delivery agent to either ignore that hint (local(8) and pipe(8) don't reuse) or to pay attention to that hint (as smtp(8) does).
>
> Which log entry in the verbose log would I be looking for?

grep deliver_request

Wietse
Re: When does a delivery attempt start?
On Tue, Feb 15, 2011 at 11:33:58PM +0100, Ralf Hildebrandt wrote:
>> Use multiple instances, and filtered mail will not share the queue with unfiltered mail, so you know exactly why it is in an active queue.
>
> Oh, it's a prequeuing filter, so everything is already filtered.

Then all the files in the queue are heading to the final destination... :-) There is no local queue in the pre-queue filter, the messages are still queued on the remote SMTP client.

-- Viktor.
Re: Multi-homed server inet_interfaces or smtp-bind-address
On 02/15/2011 08:21 PM, John wrote:
> First off I am still a bit green on this stuff.
>
> Both my servers are multi-homed, server A which runs Postfix is configured - eth0 :n.n.n.186 and eth1:n.n.n.187. The host name for this server is mail.domain.tld which points to n.n.n.187.
>
> Up until last Friday we did not have any problems. On Friday we started to get bounced when we tried to reply to a new contact at ATT/Prodigy. Their bounce message is as follows:
>
> host sbcmx5.prodigy.net[207.115.21.24] said: 553 5.3.0 flpd241 DNSBL:ATTRBL 521 n.n.n.186 _is_blocked.__For_information_see_http://att.net/blocks (in reply to MAIL FROM command.
>
> A check of our logs shows only four messages destined for their servers in the last four weeks. I have checked our servers using abuse.net and we do not appear to be an open relay. None of the RBL have us listed. So I do not think the problem is spamming.
>
> I think the problem is Postfix is sending using eth0, which in turn means that it appears to come from n.n.n.186, which in turn means that a reverse lookup does not resolve to mail.domain.tld. The loop is not closed and therefore we are suspect.
>
> I did some digging around I think that I need to modify my Postfix configuration by adding inet_interfaces=n.n.n.186, n.n.n.187, localhost and smtp_bind_address=n.n.n.187. However this is where I get a little confused as in one set of documents I have read it says to add these into main.cf, while the postconf.5html say to leave the inet_interface at default and add the smtp_bind_address to the master.cf.

inet_interfaces defines which IPs (and ergo interfaces) postfix RECEIVES mail on. This can be overridden per-service by providing the desired IP in the master.cf service definition.

smtp_bind_address defines which IP postfix uses to SEND mail. This can be overridden for any outgoing smtp(8) transport.

Unsurprisingly, postconf(5) is correct.

-- J.
Re: Auditing encrypted/clear text SMTP transmission
Victor Duchovni:
> On Mon, Feb 14, 2011 at 08:24:14AM -0500, Wietse Venema wrote:
>> In the SMTP server, this could be logged as:
>>
>> QUEUEID: client=foo.example.com, tls=whatever
>>
>> That line is logged whenever the Postfix SMTP server opens a mail delivery transaction.
>
> I use a log parser that collates all the log entries for each message from arrival through final delivery. The TLS data is already logged in full detail. I am not convinced that compact logging is sufficiently detailed to be useful, and logging everything with each per-recipient record is I think impractical.

It could be useful to log tls=none/encrypted/verified/secure, and thus give a general idea. People who really want to know the nuts and bolts can parse multi-line records.

Wietse
Re: Auditing encrypted/clear text SMTP transmission
On Tue, Feb 15, 2011 at 07:28:57PM -0500, Wietse Venema wrote:
> Victor Duchovni:
>> On Mon, Feb 14, 2011 at 08:24:14AM -0500, Wietse Venema wrote:
>>> In the SMTP server, this could be logged as:
>>>
>>> QUEUEID: client=foo.example.com, tls=whatever
>>>
>>> That line is logged whenever the Postfix SMTP server opens a mail delivery transaction.
>>
>> I use a log parser that collates all the log entries for each message from arrival through final delivery. The TLS data is already logged in full detail. I am not convinced that compact logging is sufficiently detailed to be useful, and logging everything with each per-recipient record is I think impractical.
>
> It could be useful to log tls=none/encrypted/verified/secure, and thus give a general idea. People who really want to know the nuts and bolts can parse multi-line records.

OK, provided people don't become unhappy when we refuse to log additional details.

-- Viktor.
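An added example, not code from either poster or from Postfix: a minimal version of the multi-line collation discussed in this thread, attaching the TLS line an smtpd process logs for a connection to the queue IDs opened on that same connection, so that cleartext arrivals can be listed. The log lines are constructed, and the TLS line wording is assumed to be what smtpd writes with smtpd_tls_loglevel = 1.

```python
import re

# Constructed smtpd log lines. Note that process 111 serves a second
# connection later on, this time without TLS.
SAMPLE_LOG = """\
Feb 15 13:06:26 mx postfix/smtpd[111]: connect from mail.example.org[192.0.2.10]
Feb 15 13:06:26 mx postfix/smtpd[111]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 15 13:06:27 mx postfix/smtpd[222]: connect from unknown[198.51.100.7]
Feb 15 13:06:29 mx postfix/smtpd[111]: A1B2C3D4E5: client=mail.example.org[192.0.2.10]
Feb 15 13:06:30 mx postfix/smtpd[222]: B2C3D4E5F6: client=unknown[198.51.100.7]
Feb 15 13:06:31 mx postfix/smtpd[111]: disconnect from mail.example.org[192.0.2.10]
Feb 15 13:06:31 mx postfix/smtpd[222]: disconnect from unknown[198.51.100.7]
Feb 15 13:06:40 mx postfix/smtpd[111]: connect from relay.example.com[203.0.113.5]
Feb 15 13:06:42 mx postfix/smtpd[111]: C3D4E5F6A7: client=relay.example.com[203.0.113.5]
Feb 15 13:06:43 mx postfix/smtpd[111]: disconnect from relay.example.com[203.0.113.5]
""".splitlines()

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
CLIENT = re.compile(r"(?P<qid>[0-9A-F]{6,}): client=(?P<peer>[^,\s]+)")


def audit_tls(lines):
    """Map each queue ID to its client and the TLS state of the session it arrived on."""
    session = {}   # smtpd pid -> TLS summary of the connection it is serving now
    report = {}
    for line in lines:
        m = SMTPD.search(line)
        if m is None:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        # An smtpd process serves one connection at a time, so TLS state must
        # be dropped at every connect/disconnect or it leaks into the next one.
        if msg.startswith(("connect from ", "disconnect from ")):
            session.pop(pid, None)
            continue
        tls = TLS.match(msg)
        if tls:
            session[pid] = "{trust} {proto} {cipher}".format(**tls.groupdict())
            continue
        client = CLIENT.match(msg)
        if client:
            report[client.group("qid")] = {
                "client": client.group("peer"),
                "tls": session.get(pid, "none"),
            }
    return report


def cleartext(report):
    """Queue IDs of messages that arrived over an unencrypted session."""
    return sorted(qid for qid, rec in report.items() if rec["tls"] == "none")


if __name__ == "__main__":
    result = audit_tls(SAMPLE_LOG)
    for qid, rec in result.items():
        print(qid, rec["client"], "tls=" + rec["tls"])
    print("cleartext:", cleartext(result))
```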
Re: relay_recipient and/or relay_domains issue
On Feb 15, 2011, at 4:08 PM, Jeroen Geilman wrote:
> On 02/15/2011 10:56 PM, Mike Loiterman wrote:
>> On Feb 15, 2011, at 3:45 PM, Jeroen Geilman wrote:
>>> On 02/15/2011 07:07 PM, Mike Loiterman wrote:
>>>> I have two issues that I believe are connected so I'm putting them into one submission to the list:
>>>>
>>>> ISSUE 1
>>>>
>>>> I want to forward root's mail to a local user called mike. The user's email address is m...@ascendency.net and is a legitimate user on the system, but has a virtual mailbox. I've added that email address in /etc/aliases and run the /usr/bin/newaliases command.
>>>>
>>>> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting in the following error:
>>>>
>>>> Reason: Remote SMTP server has rejected address
>>>> Diagnostic code: smtp;554 5.7.1 m...@patton.ascendency.net: Relay access denied
>>>>
>>>> ISSUE 2
>>>>
>>>> Messages sent to aliases that should point to legitimate email addresses on the server return the following error:
>>>>
>>>> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>>>>
>>>> I believe both of these issues are related to my configuration of relay_domains and/or relay_recipient_maps. Please see the links below to all relevant configuration files.
>>>>
>>>> DOCUMENTATION REVIEWED
>>>> 1. http://www.postfix.org/ADDRESS_CLASS_README.html
>>>> 2. http://www.postfix.org/postconf.5.html#relay_recipient_maps
>>>>
>>>> VERSIONS
>>>> 1. FreeBSD - 8.1-RELEASE
>>>> 2. PostFix - 2.7.2,1
>>>> 3. MySQL - 5.5.9
>>>> 4. Dovecot - 1.2.16
>>>>
>>>> CONFIGURATION FILES
>>>> 1. postconf -n: http://pastebin.com/E0gMpmqf
>>>> 2. postconf -m: http://pastebin.com/hC7waDmY
>>>> 3. master.cf: http://pastebin.com/KcPTccCA
>>>> 4. mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
>>>> 5. mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
>>>> 6. mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
>>>> 7. mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
>>>> 8. mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG
>>>>
>>>> OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)
>>>> 1. Domain - ascendency.net
>>>> 2. Server name - patton
>>>>
>>>> --
>>>> Mike Loiterman
>>>> Email: m...@ascendency.net
>>>
>>> The nature of the error messages indicates that you have your address classes mixed up.
>>>
>>> Mydestination holds domains that will be delivered locally. These can be, but should not trivially be, aliased away to virtual addresses - it is much simpler to reverse the function of the domains, or use the proper masquerading or canonicalizing maps.
>>>
>>> Likewise, virtual_mailbox_domains holds domains that will be delivered to the virtual(8) delivery agent - or whatever you use as virtual_transport instead.
>>>
>>> Relay_domains contains domains you want to accept mail for, but which you will always send onwards.
>>>
>>> Now:
>>>
>>>> The problem I'm having is that root's email gets directed to m...@patton.ascendecny.net instead of m...@ascendency.net
>>>
>>> How does it get directed? Presumably, you aliased root to m...@patton.net. If, instead, you aliased root to mike - don't do that. You should not use unqualified addresses on the RHS of an alias, unless you know /exactly/ what the result will be.
>>>
>>> http://www.postfix.org/postconf.5.html#myorigin
>>>
>>> And:
>>>
>>>> Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient address rejected: User unknown in relay recipient table
>>>
>>> This has nothing to do with aliasing; note that it thinks the address in question is present in *relay_domains*.
>>>
>>> Make SURE that your domains occur in only one address class; specifying a domain in multiple classes does not work. This may not be immediately apparent (to you or to postfix) when they are buried in mysql maps. (The contents of which would make this certain, instead of conjecture.)
>>>
>>> -- J.
>>
>> Issue number 1 was a problem with an upstream relay. I have since fixed my issue. The problem was that the upstream relay was using recipient verification caching before it even got to my server.
>>
>> Issue number 2 is still a problem for me. Yes, I have aliased root to m...@ascendency.net.
>>
>> Here is the log of what happens: http://pastebin.com/sXsyuMdH
>
> Feb 15 14:28:29 patton postfix/smtp[63705]: 0BBB41A984F: to=r...@patton.ascendency.net, orig_to=root, relay=127.0.0.1[127.0.0.1]:10024, delay=0.77, delays=0/0/0/0.76, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=63535-10, from MTA: 250 2.0.0 Ok: queued as ABD2A1A9852)
>
> I don't see root being aliased anywhere.
>
> Also, NOTE that if $myorigin is not included in $mydestination, unqualified addresses will /never/ match
Re: Multi-homed server inet_interfaces or smtp-bind-address
On 2/15/2011 7:07 PM, Jeroen Geilman wrote:
> On 02/15/2011 08:21 PM, John wrote:
>> First off I am still a bit green on this stuff.
>>
>> Both my servers are multi-homed, server A which runs Postfix is configured - eth0 :n.n.n.186 and eth1:n.n.n.187. The host name for this server is mail.domain.tld which points to n.n.n.187.
>>
>> Up until last Friday we did not have any problems. On Friday we started to get bounced when we tried to reply to a new contact at ATT/Prodigy. Their bounce message is as follows:
>>
>> host sbcmx5.prodigy.net[207.115.21.24] said: 553 5.3.0 flpd241 DNSBL:ATTRBL 521 n.n.n.186 _is_blocked.__For_information_see_http://att.net/blocks (in reply to MAIL FROM command.
>>
>> A check of our logs shows only four messages destined for their servers in the last four weeks. I have checked our servers using abuse.net and we do not appear to be an open relay. None of the RBL have us listed. So I do not think the problem is spamming.
>>
>> I think the problem is Postfix is sending using eth0, which in turn means that it appears to come from n.n.n.186, which in turn means that a reverse lookup does not resolve to mail.domain.tld. The loop is not closed and therefore we are suspect.
>>
>> I did some digging around I think that I need to modify my Postfix configuration by adding inet_interfaces=n.n.n.186, n.n.n.187, localhost and smtp_bind_address=n.n.n.187. However this is where I get a little confused as in one set of documents I have read it says to add these into main.cf, while the postconf.5html say to leave the inet_interface at default and add the smtp_bind_address to the master.cf.
>
> inet_interfaces defines which IPs (and ergo interfaces) postfix RECEIVES mail on. This can be overridden per-service by providing the desired IP in the master.cf service definition.
>
> smtp_bind_address defines which IP postfix uses to SEND mail. This can be overridden for any outgoing smtp(8) transport.
>
> Unsurprisingly, postconf(5) is correct.

I did not say the postconf(5) is wrong, just that I had received conflicting info on how and where to use smtp_bind_address. Thanks for the clarification above, perhaps if it had been included in the postconf docs I might not have had the ?.

I decided I would try the "suck it and see" approach and added it to the master.cf as this seemed from the documentation to be the /best/ place to put it. I have to say it did not solve the problem with ATT, but I can now see that when I send email I appear to be using the correct IP address, which would seem to be an improvement.

Thanks
John A

--
All that is necessary for the triumph of evil is that good men do nothing. (Edmund Burke)