[Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com

2011-02-15 Thread J4K

Hi,

I just watched an IP address fail to be correctly resolved back to
the A record.  I could resolve the IP with the same DNS on the same
server myself.

This connection from a server is recorded by postfix as unknown for
212.89.81.105, yet an nslookup on this IP resolves back to the correct
address:-

Non-authoritative answer:
105.81.89.212.in-addr.arpa    name = smtp.academicjobseu.com.


Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105:
address not listed for hostname smtp.academicjobseu.com
Feb 15 13:06:26 logout postfix/smtpd[111]: connect from
unknown[212.89.81.105]
Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81:
client=unknown[212.89.81.105]
Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81:
from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from
unknown[212.89.81.105]

Is there something that I missed in the postfix configuration? 

Best wishes, S


Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com

2011-02-15 Thread Tom Hendrikx
On 15/02/11 13:18, J4K wrote:
 
 Hi,
 
 I just watched an IP address fail to be correctly resolved back to
 the A record.  I could resolve the IP with the same DNS on the same
 server myself.
 
 This connection from a server is recorded by postfix as unknown for
 212.89.81.105, yet an nslookup on this IP resolves back to the correct
 address:-
 
 Non-authoritative answer:
 105.81.89.212.in-addr.arpa    name = smtp.academicjobseu.com.
 

But the other way round, there is a mismatch:

$ dig +short smtp.academicjobseu.com
212.89.81.106

The owner of the MX will need to fix this to prevent the error.

 
 Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105:
 address not listed for hostname smtp.academicjobseu.com
 Feb 15 13:06:26 logout postfix/smtpd[111]: connect from
 unknown[212.89.81.105]
 Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81:
 client=unknown[212.89.81.105]
 Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
 Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81:
 from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
 Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from
 unknown[212.89.81.105]
 
 Is there something that I missed in the postfix configuration? 
 
 Best wishes, S






Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com

2011-02-15 Thread Ralf Hildebrandt
* J4K ju...@klunky.co.uk:
 
 Hi,
 
 I just watched an IP address fail to be correctly resolved back to
 the A record.  I could resolve the IP with the same DNS on the same
 server myself.
 
 This connection from a server is recorded by postfix as unknown for
 212.89.81.105, yet an nslookup on this IP resolves back to the correct
 address:-
 
 Non-authoritative answer:
 105.81.89.212.in-addr.arpa    name = smtp.academicjobseu.com.
 
 
 Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105:
 address not listed for hostname smtp.academicjobseu.com
 Feb 15 13:06:26 logout postfix/smtpd[111]: connect from
 unknown[212.89.81.105]
 Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81:
 client=unknown[212.89.81.105]
 Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
 Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81:
 from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
 Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from
 unknown[212.89.81.105]
 
 Is there something that I missed in the postfix configuration? 

$ host 212.89.81.105
105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.

$ host smtp.academicjobseu.com.
smtp.academicjobseu.com has address 212.89.81.106

212.89.81.105 != 212.89.81.106

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com

2011-02-15 Thread J4K
On 02/15/2011 01:31 PM, Ralf Hildebrandt wrote:
 * J4K ju...@klunky.co.uk:
 Hi,

 I just watched an IP address fail to be correctly resolved back to
 the A record.  I could resolve the IP with the same DNS on the same
 server myself.

 This connection from a server is recorded by postfix as unknown for
 212.89.81.105, yet an nslookup on this IP resolves back to the correct
 address:-

 Non-authoritative answer:
 105.81.89.212.in-addr.arpa    name = smtp.academicjobseu.com.


 Feb 15 13:06:26 logout postfix/smtpd[111]: warning: 212.89.81.105:
 address not listed for hostname smtp.academicjobseu.com
 Feb 15 13:06:26 logout postfix/smtpd[111]: connect from
 unknown[212.89.81.105]
 Feb 15 13:06:29 logout postfix/smtpd[111]: 3E42B81E81:
 client=unknown[212.89.81.105]
 Feb 15 13:06:34 logout dkim-filter[222]: 3E42B81E81: no signature data
 Feb 15 13:06:34 logout postfix/qmgr[111]: 3E42B81E81:
 from=ag...@smtp.academicjobseu.com, size=, nrcpt=1 (queue active)
 Feb 15 13:06:34 logout postfix/smtpd[111]: disconnect from
 unknown[212.89.81.105]

 Is there something that I missed in the postfix configuration? 
 $ host 212.89.81.105
 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.

 $ host smtp.academicjobseu.com.
 smtp.academicjobseu.com has address 212.89.81.106

 212.89.81.105 != 212.89.81.106

# host 212.89.81.105
105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
# host 212.89.81.106
106.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.

Cheers.


Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com

2011-02-15 Thread Ralf Hildebrandt
* J4K ju...@klunky.co.uk:

  $ host 212.89.81.105
  105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
 
  $ host smtp.academicjobseu.com.
  smtp.academicjobseu.com has address 212.89.81.106
 
  212.89.81.105 != 212.89.81.106
 
 # host 212.89.81.105
 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
 # host 212.89.81.106
 106.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.

$ host smtp.academicjobseu.com
smtp.academicjobseu.com has address 212.89.81.106

106 != 105
-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [Q] smtpd: warning: n.n.n.n: address not listed for hostname smtp.academicjobseu.com

2011-02-15 Thread J4K
On 02/15/2011 02:00 PM, Ralf Hildebrandt wrote:
 * J4K ju...@klunky.co.uk:

 $ host 212.89.81.105
 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.

 $ host smtp.academicjobseu.com.
 smtp.academicjobseu.com has address 212.89.81.106

 212.89.81.105 != 212.89.81.106

 # host 212.89.81.105
 105.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
 # host 212.89.81.106
 106.81.89.212.in-addr.arpa domain name pointer smtp.academicjobseu.com.
 $ host smtp.academicjobseu.com
 smtp.academicjobseu.com has address 212.89.81.106

 106 != 105
Thanks Ralf.  It is clear now.


Human factors (smtpd: warning: n.n.n.n: address not listed for ...)

2011-02-15 Thread Wietse Venema
FYI,

I have changed the warnings from the code that implements
forward-confirmed reverse DNS (FCRDNS).

When the reverse name has no IP address:

hostname foo.example.com does not resolve to address 1.2.3.4:
host not found, try again

When the reverse has some address but not the expected address:

hostname foo.example.com does not resolve to address 1.2.3.4

The old warnings were very different.

1.2.3.4: hostname foo.example.com verification failed: host
not found, try again

1.2.3.4: address not listed for hostname foo.example.com

That's in both smtpd(8) and qmqpd(8).

Wietse
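
The forward-confirmed reverse DNS check behind these warnings, and behind the 105/106 mismatch earlier in the thread, as an added example (not Postfix's code and not part of any post). The names `fcrdns`, `table_resolvers`, `Verdict` and `LookupFailure` are hypothetical; the lookup tables are built from the `host` output quoted in the thread plus one constructed entry (192.0.2.10), and the warning strings follow the old and new formats given in the message above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


class LookupFailure(Exception):
    """A lookup gave no usable answer; str(exc) carries the resolver's reason."""


@dataclass
class Verdict:
    client_name: str         # what gets logged; "unknown" unless FCRDNS passes
    verified: bool
    warning: Optional[str]   # warning text, or None when there is none


def table_resolvers(ptr_table, a_table):
    """Build (ptr_lookup, addr_lookup) backed by dicts so the example runs offline."""
    def ptr_lookup(addr):
        if addr not in ptr_table:
            raise LookupFailure("host not found")
        return ptr_table[addr]

    def addr_lookup(name):
        if not a_table.get(name):
            # Reason text taken from the sample warning in the message above.
            raise LookupFailure("host not found, try again")
        return a_table[name]

    return ptr_lookup, addr_lookup


def fcrdns(client_ip, ptr_lookup, addr_lookup, old_style=False):
    """Confirm that the PTR name of client_ip resolves back to client_ip."""
    ip = ipaddress.ip_address(client_ip)

    # Step 1: reverse lookup, address -> name. No PTR means nothing to confirm.
    try:
        name = ptr_lookup(client_ip).rstrip(".").lower()
    except LookupFailure:
        return Verdict("unknown", False, None)

    # Step 2: forward lookup, name -> addresses.
    try:
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
    except LookupFailure as exc:
        if old_style:
            text = f"{client_ip}: hostname {name} verification failed: {exc}"
        else:
            text = f"hostname {name} does not resolve to address {client_ip}: {exc}"
        return Verdict("unknown", False, text)

    # Step 3: the PTR name is trusted only if it maps back to the client address.
    if ip in forward:
        return Verdict(name, True, None)
    if old_style:
        text = f"{client_ip}: address not listed for hostname {name}"
    else:
        text = f"hostname {name} does not resolve to address {client_ip}"
    return Verdict("unknown", False, text)


# Tables built from the `host` output quoted in the thread, plus one
# constructed entry (192.0.2.10) whose PTR name has no address record.
PTR_TABLE = {
    "212.89.81.105": "smtp.academicjobseu.com.",
    "212.89.81.106": "smtp.academicjobseu.com.",
    "192.0.2.10": "gone.example.com.",
}
A_TABLE = {"smtp.academicjobseu.com": ["212.89.81.106"]}
PTR_LOOKUP, ADDR_LOOKUP = table_resolvers(PTR_TABLE, A_TABLE)

if __name__ == "__main__":
    for addr in ("212.89.81.105", "212.89.81.106", "192.0.2.10"):
        v = fcrdns(addr, PTR_LOOKUP, ADDR_LOOKUP)
        print(f"connect from {v.client_name}[{addr}]", "|", v.warning or "no warning")
```

Both .105 and .106 have a PTR record, but only .106 is confirmed, because the single A record points there.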


mailer-daemon never rejected?

2011-02-15 Thread Reindl Harald
How can this happen?

The address mailer-dae...@plancompany.at does not exist
but if checked from barracuda SPF postfix answers with valid?

-------- Original Message --------
Subject: Undelivered Mail Returned to Sender
Date: Tue, 15 Feb 2011 17:30:11 +0100 (CET)
From: Mail Delivery System postmas...@thelounge.net
To: quarant...@thelounge.net

This is the mail system at host mail.thelounge.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmas...@thelounge.net

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

mailer-dae...@plancompany.at: host 127.0.0.1[127.0.0.1] said: 550 Recipient
mailer-dae...@plancompany.at FAIL (in reply to RCPT TO command)






My postscreen results

2011-02-15 Thread /dev/rob0
I went live with my postscreen blocking mail, after some time of 
non-blocking while watching logs. Here's a discussion of those 
results (both non-blocking and blocking.) I've singled out some of 
the items which interested me; perhaps they will interest you as 
well. (Possibly all old-hat to the ones who leapt in early.)

* Settings
  ========

postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    dnsbl.njabl.org*2
    bl.spameatingmonkey.net*2
    dnsbl.ahbl.org
    bl.spamcop.net
    dnsbl.sorbs.net
    spamtrap.trblspam.com
    swl.spamhaus.org*-5
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-4
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

* Gripe
  =====

The one thing I do not like about it is that the DNSBL given as the
reason for rejection is semi-random, specifically it seems to be the 
first one to hit dnsblog(8) for that client.

My postscreen_dnsbl_sites are arranged in trust order. If a real 
person was to see one of these rejections, I would prefer that this 
person see Spamhaus or Barracuda or NJABL, not SORBS, Spamcop, or 
TRBL. I know my workaround is to use postscreen_dnsbl_reply_map,
shown here in pcre:
    !/^zen\.spamhaus\.org$/    multiple DNS-based blocklists
But, I'd prefer for logging to sort the dnsblog names by score, 
highest first, and use that DNSBL name as the reason.

(This workaround is in place and working fine.)

* Scoring and whitelists
  ======================

Thanks to Noel for getting me thinking about DNS whitelists. I am 
doubtful that they will matter much overall, but they do seem to be 
conservative so far. Mine have offset only a few negatively-scored 
hosts from my less-trusted (1 point) DNSBLs, mostly. There were 2 
DNSWL hits for spameatingmonkey hosts, and zero for AHBL, so I am 
considering switching their places (and scores) in the above list.

The largest part of my DNSWL hits are weighted toward lower-scored 
hosts. Out of 610 in the sample period I had 474 + 89 + 34 + 13 of 
127.0.x.Y where Y is 0, 1, 2, and 3 respectively. I'm not seeing a 
lot of hits in SWL so far, and the few I did see were also found in 
DNSWL. (No SWL host was listed in any of the DNSBLs.)

Overlap between dnswl.org and the DNSBLs listed was as follows:

  Also listed in:
  ---------------
  bl.spameatingmonkey.net    2
  bl.spamcop.net             4
  dnsbl.sorbs.net           24
  spamtrap.trblspam.com     52

Of these, only 5 were listed on more than one DNSBL. All 5 of these 
were listed on TRBL; 3 also on spam.dnsbl.sorbs.net (127.0.0.6), and 
the other 2 also on bl.spameatingmonkey.net (127.0.0.10). Not 
surprisingly, each of the DNSWL listings was a .0 (trust level 
none.)

  DNSWL-SEM-TRBL
  --------------
  174.34.187.66   list.dnswl.org  127.0.15.0
  174.34.187.66   bl.spameatingmonkey.net 127.0.0.10
  174.34.187.66   spamtrap.trblspam.com   127.0.0.2

  174.34.187.67   list.dnswl.org  127.0.15.0
  174.34.187.67   bl.spameatingmonkey.net 127.0.0.10
  174.34.187.67   spamtrap.trblspam.com   127.0.0.2

Note, the DNSWL-SEM-TRBL triples are right next door to one another, 
which suggests that a netblock listing might have been done. These 
particular hosts are an ESP:
http://www.yourmailinglistprovider.com/antispam_policy.html
I don't know how good (or bad) they are, but they do offer a free 
trial, so they're likely to attract spammers.

  DNSWL-SORBS-TRBL
  ----------------
  66.192.165.130  list.dnswl.org  127.0.15.0
  66.192.165.130  dnsbl.sorbs.net 127.0.0.6
  66.192.165.130  spamtrap.trblspam.com   127.0.0.2

  216.27.93.124   list.dnswl.org  127.0.15.0
  216.27.93.124   dnsbl.sorbs.net 127.0.0.6
  216.27.93.124   spamtrap.trblspam.com   127.0.0.2

  195.121.247.8   list.dnswl.org  127.0.5.0
  195.121.247.8   dnsbl.sorbs.net 127.0.0.6
  195.121.247.8   spamtrap.trblspam.com   127.0.0.2

The first two of those are the ESP iContact.com. The latter is KPN, 
an ISP in Europe.

The breakdown of dual listings by DNSWL trust level is what I would 
expect:

  dnswl.org returns:   ##   ## per DNSBL
  ------------------   --   ------------
  127.0.x.3 (high)      3    2 TRBL
                             1 SORBS spam (127.0.0.6)
  127.0.x.2 (medium)    0
  127.0.x.1 (low)       0    9 SORBS spam (All of these: Facebook)
  127.0.x.0 (none)     70   50 TRBL
                            14 SORBS spam
                             4 Spamcop
                             2 Spameatingmonkey

FWIW the three high-trust hosts are all well-known listservers: 
outgoing.securityfocus.com and webster.isc.org on TRBL; and 
vger.kernel.org on SORBS. No, I'd not want to lose mail from them.

The non-trust hosts are about evenly split between ESPs and ISPs. 
These, I did not bother to examine as carefully other than that. 
Seems like some more aggressive sites might want to 
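
The weighted scoring configured under Settings above, worked through as an added example (not code from the post and not postscreen's implementation). The function names are hypothetical; the first two reply sets are copied from the DNSWL-SEM-TRBL and DNSWL-SORBS-TRBL tables above and the third is constructed. The `reason` returned is the highest-weighted hit, which is the ordering the Gripe section asks for, not what postscreen logged at the time.

```python
import re

# postscreen_dnsbl_sites exactly as listed under Settings above.
SITES = """
zen.spamhaus.org*3
b.barracudacentral.org*2
dnsbl.njabl.org*2
bl.spameatingmonkey.net*2
dnsbl.ahbl.org
bl.spamcop.net
dnsbl.sorbs.net
spamtrap.trblspam.com
swl.spamhaus.org*-5
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-4
list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
""".split()

# domain[=reply filter][*weight]; the weight defaults to 1.
ENTRY = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")


def parse_octet(pattern):
    """Turn one octet pattern ('2', '[0..255]', '[1;3;5..7]') into a set of ints."""
    body = pattern[1:-1] if pattern.startswith("[") else pattern
    allowed = set()
    for part in body.split(";"):
        lo, _, hi = part.partition("..")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def parse_site(entry):
    """Return (domain, octet sets or None, weight) for one list entry."""
    m = ENTRY.match(entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    octets = None
    if m["filter"]:
        # Split on brackets or plain numbers; a naive split('.') would break '0..255'.
        octets = [parse_octet(p) for p in re.findall(r"\[[^\]]*\]|\d+", m["filter"])]
        if len(octets) != 4:
            raise ValueError(f"bad reply filter in {entry!r}")
    return m["domain"], octets, int(m["weight"] or 1)


def matches(octets, reply):
    """True when a DNSBL reply address passes the entry's filter (or there is none)."""
    if octets is None:
        return True
    parts = [int(p) for p in reply.split(".")]
    return len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets))


def score(replies, sites=SITES):
    """replies maps DNSBL domain -> list of A records returned for the client."""
    hits = []
    for entry in sites:
        domain, octets, weight = parse_site(entry)
        if any(matches(octets, r) for r in replies.get(domain, [])):
            hits.append((domain, weight))
    return sum(w for _, w in hits), hits


def decide(replies, threshold=3, sites=SITES):
    """Return (blocked, total, reason); blocked when total >= threshold."""
    total, hits = score(replies, sites)
    blocked = total >= threshold
    # Highest weight wins; ties fall back to list order, i.e. the trust order.
    reason = max(hits, key=lambda h: h[1])[0] if blocked and hits else None
    return blocked, total, reason


# Replies for 174.34.187.66 and 66.192.165.130 as tabulated in the post.
ESP_A = {"list.dnswl.org": ["127.0.15.0"],
         "bl.spameatingmonkey.net": ["127.0.0.10"],
         "spamtrap.trblspam.com": ["127.0.0.2"]}
ESP_B = {"list.dnswl.org": ["127.0.15.0"],
         "dnsbl.sorbs.net": ["127.0.0.6"],
         "spamtrap.trblspam.com": ["127.0.0.2"]}
# Constructed: a client listed on Zen and SORBS only.
LISTED = {"zen.spamhaus.org": ["127.0.0.4"], "dnsbl.sorbs.net": ["127.0.0.6"]}

if __name__ == "__main__":
    for label, replies in (("174.34.187.66", ESP_A), ("66.192.165.130", ESP_B),
                           ("constructed", LISTED)):
        print(label, decide(replies))
```

With the whitelist entries removed from the list, 174.34.187.66 scores exactly 3 and is blocked, so the "trust level none" DNSWL listing is what lets it through.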

Re: domain-aliases / recipient_canonical_maps / vrfy

2011-02-15 Thread Reindl Harald
i have solved this problem with some subqueries and
the limit 1 is needed for MySQL  5.5 because 5.1
meant that somewhere are more than one row returned
from a subquery

recipient_canonical_maps = mysql:/etc/postfix/mysql-rewritedomains.cf

[root@mail:/etc/postfix]$ cat /etc/postfix/mysql-rewritedomains.cf
user = dbmailro
password = **
dbname   = dbmail
hosts= unix:/var/lib/mysql/mysql.sock
query    = select target from dbma_rewrite_domains where source like '%d'
   and ((select count(*) from dbmail_aliases where alias like
   (select concat('%u', (select target from dbma_rewrite_domains where source like
   '%d' limit 1)) from dbma_rewrite_domains limit 1)) > 0 or (select count(*) from
   dbmail_aliases where alias like '%u@' limit 1) > 0) limit 1
___

CREATE TABLE `dbma_rewrite_domains` (
  `source` varchar(255) NOT NULL,
  `target` varchar(255) NOT NULL,
  PRIMARY KEY (`source`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 PACK_KEYS=1 DELAY_KEY_WRITE=1

source = alias-domain
target = @target-domain
___

if postfix would not accept postmaster and mailer-daemon for
each domain even if it does not exist anywhere i would be
lucky because it does not make sense, but that is another problem

ok, postmaster is required and a global forwarder for all domains to me
but mailer-daemon does not exist anywhere :-(


On 08.02.2011 22:37, Reindl Harald wrote:
 
 On 08.02.2011 22:32, Charles Marcus wrote:
 
 Don't use domain aliases.

 Wildcard address rewrites disable recipient validation.

 Postfixadmin (2.3.2+) has working recipient verification with alias
 domains...
 
 Hm - I will take a look what they do if i find no simple solution
 
 external admin-software is a no-go because we have centralized and
 self-developed backends for postfix/dbmail, pureftpd, httpd, bind,
 dhcpd, domain-registration which is all tuned to work with each other
 in one admin-ui





Re: mailer-daemon never rejected?

2011-02-15 Thread Wietse Venema
Reindl Harald:
 How can this happen?
 
 The address mailer-dae...@plancompany.at does not exist
 but if checked from barracuda SPF postfix answers with valid?

Postfix SENDS mail from mailer-daemon, therefore Postfix ACCEPTS
mail to mailer-daemon.

When the mailer-daemon alias does not exist (it should resolve to
postmaster), the local delivery agent logs a warning and discards
the recipient.

Wietse


relay_recipient and/or relay_domains issue

2011-02-15 Thread Mike Loiterman
I have two issues that I believe are connected so I'm putting them into one 
submission to the list:


ISSUE 1 

I want to forward root's mail to a local user called mike.  The user's email 
address is m...@ascendency.net and is a legitimate user on the system, but has 
a virtual mailbox.  I've added that email address in /etc/aliases and run the 
/usr/bin/newaliases command.  The problem I'm having is that root's email gets 
directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting 
in the following error:


Reason: Remote SMTP server has rejected address
Diagnostic code: smtp;554 5.7.1 m...@patton.ascendency.net: Relay 
access denied



ISSUE 2 

Messages sent to aliases that should point to legitimate email address on the 
server return the following error:

Remote host said: 550 5.1.1 $aliasaddr...@ascendency.net: Recipient 
address rejected: User unknown in relay recipient table




I believe both of these issues are related to my configuration of relay_domains 
and/or relay_recipient_maps.  Please see the links below to all relevant 
configuration files.



DOCUMENTATION REVIEWED

1.  http://www.postfix.org/ADDRESS_CLASS_README.html
2.  http://www.postfix.org/postconf.5.html#relay_recipient_maps



VERSIONS

1.  FreeBSD - 8.1-RELEASE
2.  PostFix - 2.7.2,1
3.  MySQL - 5.5.9
4.  Dovecot - 1.2.16



CONFIGURATION FILES

1.  postconf -n: http://pastebin.com/E0gMpmqf
2.  postconf -m: http://pastebin.com/hC7waDmY
3.  master.cf: http://pastebin.com/KcPTccCA
4.  mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
5.  mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
6.  mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
7.  mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
8.  mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG



OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)

1.  Domain - ascendency.net
2.  Server name - patton 


--
Mike Loiterman
Email: m...@ascendency.net



Re: mailer-daemon never rejected?

2011-02-15 Thread Wietse Venema
Reindl Harald:
 I just added mailer-daemon@ - postmas...@thelounge.net

That would be a terrible mistake, since it aliases EVERYONE ELSES
domain too.

Remove this nonsense.

Wietse


Re: mailer-daemon never rejected?

2011-02-15 Thread Reindl Harald
On 15.02.2011 19:07, Wietse Venema wrote:
 Reindl Harald:
 I just added mailer-daemon@ - postmas...@thelounge.net
 
 That would be a terrible mistake

no, it would not

 since it aliases EVERYONE ELSES domain too

this is what it should do and what postmaster@, hostmaster@ and
abuse@ also have to do for all domains

 Remove this nonsense

where do you see any nonsense?

as long as i am postmaster for all domains on this server
i have to get every postmaster-related mail in my account
and nonsense would be configure 200 postmaster-accounts
in my client

nobody else except other operators which are receiving the
global postmaster-account is interested in technical mails
because 98% out there are too stupid to understand a simple
bounce and deleting all mails they do not understand instead
forward to anybody who does






Postfix relay to local MTA on different port or IP

2011-02-15 Thread Dave Jones
I have a server running postfix on port 25 and a secondary mail
platform listening on port 2525.  I have tried many combinations of
settings but keep getting:

Feb 12 08:34:43 server1 postfix/smtp[11104]: 19183EB01F0:
to=u...@domain.com, relay=none, delay=6.9, delays=6.9/0.01/0/0,
dsn=5.4.6, status=bounced (mail for domain.com loops back to myself)

My server name is server1.domain.com and my mail platform on 2525 is
hosting domain.com.  What settings in my main.cf will prevent
postfix from thinking this is a loop?

[root@server1 log]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_rbl_reply = $rbl_code Service unavailable; $rbl_class
[$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.7.2-documentation/html
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.7.2-documentation/readme
relay_domains = $mydestination, domain.com
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,  reject_invalid_hostname,
reject_non_fqdn_sender,  reject_non_fqdn_recipient,
reject_unknown_sender_domain,  reject_unknown_recipient_domain,
reject_unauth_destination,  reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,  reject_rbl_client bl.spamcop.net,
permit
unknown_local_recipient_reject_code = 550

/etc/postfix/transport
domain.com    smtp:[192.168.1.3]:2525

I have tried limiting postfix to listening only on loopback and
192.168.1.1:25 and the mail platform to listen only on 192.168.1.3:25
then adjusting the transport file accordingly but it still bounces the
message.

Thanks for the help.

Dave


Re: mailer-daemon never rejected?

2011-02-15 Thread Wietse Venema
Reindl Harald:
  I just added mailer-daemon@ - postmas...@thelounge.net

Including mailer-dae...@porcupine.org - postmas...@thelounge.net.

Wietse


Re: Postfix relay to local MTA on different port or IP

2011-02-15 Thread Wietse Venema
Dave Jones:
 I have a server running postfix on port 25 and a secondary mail
 platform listening on port 2525.  I have tried many combinations of
 settings but keep getting:
 
 Feb 12 08:34:43 server1 postfix/smtp[11104]: 19183EB01F0:
 to=u...@domain.com, relay=none, delay=6.9, delays=6.9/0.01/0/0,
 dsn=5.4.6, status=bounced (mail for domain.com loops back to myself)

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

See description of PRIMARY MX configuration.

Wietse


Re: mailer-daemon never rejected?

2011-02-15 Thread Reindl Harald

On 15.02.2011 19:36, Wietse Venema wrote:
 Reindl Harald:
 I just added mailer-daemon@ - postmas...@thelounge.net
 
 Including mailer-dae...@porcupine.org - postmas...@thelounge.net

Check your mails after greylisting :-)

These Forwards on the dbmail-side and as long postfix
has porcupine.org not configured they never go
to local smtp!

[root@mail:~]$ cat maillog | grep mailer-dae...@porcupine.org
Feb 15 19:39:53 mail postfix/smtp[23633]: 20266C5: 
to=mailer-dae...@porcupine.org,
relay=spike.porcupine.org[168.100.189.2]:25, delay=17, delays=0.09/0/2/15, 
dsn=4.7.1, status=deferred (host
spike.porcupine.org[168.100.189.2] said: 450 4.7.1 h.rei...@thelounge.net: 
Sender address rejected: Greylisted
for 60 seconds... (in reply to RCPT TO command))






Multi-homed server inet_interfaces or smtp-bind-address

2011-02-15 Thread John

First off I am still a bit green on this stuff.

Both my servers are multi-homed, server A which runs Postfix is 
configured  -  eth0 :n.n.n.186 and eth1:n.n.n.187.

The host name for this server is mail.domain.tld which points to n.n.n.187.

Up until last Friday we did not have any problems. On Friday we started 
to get bounced when we tried to reply to a new contact at ATT/Prodigy.  
Their bounce message is as follows:
host sbcmx5.prodigy.net[207.115.21.24] said: 553 5.3.0 flpd241 
DNSBL:ATTRBL 521 n.n.n.186 
_is_blocked.__For_information_see_http://att.net/blocks (in reply to 
MAIL FROM command.
A check of our logs shows only four messages destined for their servers
in the last four weeks. I have checked our servers using abuse.net and we
do not appear to be an open relay. None of the RBLs have us listed. So I
do not think the problem is spamming.


I think the problem is Postfix is sending using eth0, which in turn
means that it appears to come from n.n.n.186, which in turn means that a
reverse lookup does not resolve to mail.domain.tld. The loop is not
closed and therefore we are suspect.


I did some digging around and I think that I need to modify my Postfix
configuration by adding inet_interfaces=n.n.n.186, n.n.n.187,
localhost and smtp_bind_address=n.n.n.187. However this is where I
get a little confused as in one set of documents I have read it says to
add these into main.cf, while the postconf.5.html says to leave the
inet_interfaces at default and add the smtp_bind_address to the master.cf.


Help would be appreciated, also any suggestions on improving the setup.
John A

postconf output below==

alias_database = $alias_maps
alias_maps = hash:/etc/aliases
allow_untrusted_routing = no
biff = no
body_checks = regexp:/etc/postfix/maps/body_checks
bounce_size_limit = 65536
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_privs = nobody
default_process_limit = 20
delay_warning_time = 12
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/maps/header_checks
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 1s
inet_protocols = all
local_destination_concurrency_limit = 5
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 32768000
mydestination = localhost, localhost.localdomain, localdomain
mydomain = domain.tld
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8, 192.168.40.0/28 n.n.n.176/28
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/README_FILES
recipient_delimiter = +
relay_domains =
relocated_maps = hash:/etc/postfix/maps/relocated
sample_directory = /usr/share/doc/postfix-2.5.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt
smtp_tls_cert_file = /etc/pki/tls/certs/Linderly_Mail_SSL.crt
smtp_tls_key_file = /etc/pki/tls/private/Linderly_Mail_SSL_Decrypted.key
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_multi_recipient_bounce, 
reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unlisted_recipient,
check_sender_access hash:/etc/postfix/maps/sender_access,
reject_unlisted_sender,
check_client_access hash:/etc/postfix/maps/client_access,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
check_helo_access pcre:/etc/postfix/maps/helo_checks,
check_helo_access pcre:/etc/postfix/maps/helo_access,
reject_unknown_helo_hostname,
check_recipient_access hash:/etc/postfix/maps/recipient_access  
reject_unknown_sender_domain,
check_policy_service unix:/var/spool/postfix/postgrey/socket
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/pki/CA/sub.class2.server.ca.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/Linderly_Mail_SSL.crt
smtpd_tls_key_file = /etc/pki/tls/private/Linderly_Mail_SSL_Decrypted.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom

Content message/partial and header checks

2011-02-15 Thread Alex
Hi,

I have a sender that is trying to send mail to one of our recipients,
but it is being rejected because it is a message/partial content type:

/^Content-(Disposition|Type):\s+.*?message\/partial\b/  REJECT

I pulled this from the jimsun antispam page. Is this still necessary?

If so, how would I go about creating an exception for this specific
sender? This file is defined in my mime_header_checks file. Perhaps I
can create an entry in my regular header checks file that exempts this
user from further checks?

I guess this is really a question about the ordering of how the checks
are done and how to construct such a rule to authorize this user to
send otherwise unauthorized content.

Thanks,
Alex


When does a delivery attempt start?

2011-02-15 Thread Ralf Hildebrandt
Is there a way of getting a log entry that documents when Postfix is
trying to actually deliver a mail?

Something along the lines it's in the active queue, and Postfix is about
to create|reuse an (S|L)MTP connection to whatever destination it deems
to be correct

Why am I interested in this?

basically I want to show that it's NOT lingering in the queue after
it has been scanned for viruses and reinjected into the queue

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Content message/partial and header checks

2011-02-15 Thread Noel Jones

On 2/15/2011 1:23 PM, Alex wrote:

Hi,

I have a sender that is trying to send mail to one of our recipients,
but it is being rejected because it is a message/partial content type:

/^Content-(Disposition|Type):\s+.*?message\/partial\b/  REJECT

I pulled this from the jimsun antispam page. Is this still necessary?

If so, how would I go about creating an exception for this specific
sender? This file is defined in my mime_header_checks file. Perhaps I
can create an entry in my regular header checks file that exempts this
user from further checks?

I guess this is really a question about the ordering of how the checks
are done and how to construct such a rule to authorize this user to
send otherwise unauthorized content.

Thanks,
Alex


You can't make exceptions for header_checks, all mail is 
checked.  If a rule causes problems, your choices are to live 
with it, remove the rule, or change the rule to HOLD for 
manual intervention.


message/partial is considered a potential security risk since 
it allows several fragments to be mailed separately and then 
be reassembled by the recipient's mail program.  This 
fragmentation may allow unwanted content such as viruses to 
slip past gateway filters that only see the fragments and not 
the whole message.  This isn't currently a major attack 
vector.  I can't remember when the last message/partial, 
either legit or not, came through here.


If you want to allow this mail, either remove the rule or 
change it from REJECT to HOLD.  Mail put in the HOLD queue can 
be listed with the mailq command, and will stay on hold 
until either released with postsuper -H QUEUEID or deleted 
with postsuper -d QUEUEID.




  -- Noel Jones


Re: relay_recipient and/or relay_domains issue

2011-02-15 Thread Jeroen Geilman

On 02/15/2011 07:07 PM, Mike Loiterman wrote:

I have two issues that I believe are connected so I'm putting them into one 
submission to the list:


ISSUE 1

I want to forward root's mail to a local user called mike.  The user's email 
address is m...@ascendency.net and is a legitimate user on the system, but has 
a virtual mailbox.  I've added that email address in /etc/aliases and run the 
/usr/bin/newaliases command.  The problem I'm having is that root's email gets 
directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting 
in the following error:


Reason: Remote SMTP server has rejected address
Diagnostic code: smtp;554 5.7.1m...@patton.ascendency.net: Relay 
access denied



ISSUE 2

Messages sent to aliases that should point to legitimate email address on the 
server return the following error:

Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient 
address rejected: User unknown in relay recipient table




I believe both of these issues are related to my configuration of relay_domains 
and/or relay_recipient_maps.  Please see the links below to all relevant 
configuration files.



DOCUMENTATION REVIEWED

1.  http://www.postfix.org/ADDRESS_CLASS_README.html
2.  http://www.postfix.org/postconf.5.html#relay_recipient_maps



VERSIONS

1.  FreeBSD - 8.1-RELEASE
2.  PostFix - 2.7.2,1
3.  MySQL - 5.5.9
4.  Dovecot - 1.2.16



CONFIGURATION FILES

1.  postconf -n: http://pastebin.com/E0gMpmqf
2.  postconf -m: http://pastebin.com/hC7waDmY
3.  master.cf: http://pastebin.com/KcPTccCA
4.  mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
5.  mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
6.  mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
7.  mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
8.  mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG



OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)

1.  Domain - ascendency.net
2.  Server name - patton


--
Mike Loiterman
Email: m...@ascendency.net

   


The nature of the error messages indicates that you have your address 
classes mixed up.


Mydestination holds domains that will be delivered locally.
These can be, but should not trivially be, aliased away to virtual 
addresses - it is much simpler to reverse the function of the domains, 
or use the proper masquerading or canonicalizing maps.


Likewise, virtual_mailbox_domains holds domains that will be delivered 
to the virtual(8) delivery agent - or whatever you use as 
virtual_transport instead.


Relay_domains contains domains you want to accept mail for, but which 
you will always send onwards.



Now:

The problem I'm having is that root's email gets directed to 
m...@patton.ascendecny.net instead of m...@ascendency.net


How does it get directed ?

Presumably, you aliased root to m...@patton.net.

If, instead, you aliased root to mike - don't do that.

You should not use unqualified addresses on the RHS of an alias, unless 
you know /exactly/ what the result will be.


http://www.postfix.org/postconf.5.html#myorigin



And:

Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient address 
rejected: User unknown in relay recipient table


This has nothing to do with aliasing; note that it thinks the address in 
question is present in *relay_domains*.


Make SURE that your domains occur in only one address class; specifying 
a domain in multiple classes does not work.
This may not be immediately apparent (to you or to postfix) when they 
are buried in mysql maps.


(The contents of which would make this certain, instead of conjecture.)

--
J.
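
One way to check the "only one address class" advice above when the domain lists sit in lookup tables, as an added example (not the poster's or Postfix's code): a Python sketch that expands $name references, merges in table dumps, reports domains that land in more than one class, and shows where an unqualified alias target ends up once @$myorigin is appended. The host names, table paths and table dumps are constructed; parameter defaults and subdomain matching are not modelled.

```python
import re

CLASSES = ("mydestination", "virtual_alias_domains",
           "virtual_mailbox_domains", "relay_domains")
# Postfix accepts $name, ${name} and $(name) references in main.cf values.
REF = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")

# Constructed sample standing in for main.cf values (not the poster's config).
CONFIG = {
    "myhostname": "patton.example.net",
    "myorigin": "$myhostname",
    "mydestination": "localhost",
    "virtual_mailbox_domains": "mysql:/etc/postfix/virtual_domains.cf",
    "relay_domains": "mysql:/etc/postfix/relay_domains.cf, backup.example.org",
}
# Constructed dumps of what each lookup table returns as domain keys.
TABLES = {
    "mysql:/etc/postfix/virtual_domains.cf": ["example.net"],
    "mysql:/etc/postfix/relay_domains.cf": ["example.net"],
}


def expand(config, name, seen=()):
    """Return a parameter's value as a token list, following $name references."""
    if name in seen:
        raise ValueError(f"circular reference through ${name}")

    def sub(match):
        ref = match.group(1) or match.group(2) or match.group(3)
        return " ".join(expand(config, ref, seen + (name,)))

    value = REF.sub(sub, config.get(name, ""))
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def class_domains(config, tables):
    """Map each address class to the set of domains it ends up containing."""
    result = {}
    for cls in CLASSES:
        domains = set()
        for token in expand(config, cls):
            if ":" in token:  # type:name lookup table, use its dumped keys
                domains.update(d.lower() for d in tables.get(token, []))
            else:
                domains.add(token.lower())
        result[cls] = domains
    return result


def overlaps(config, tables):
    """Return {domain: [classes]} for every domain listed in more than one class."""
    seen = {}
    for cls, domains in class_domains(config, tables).items():
        for domain in domains:
            seen.setdefault(domain, []).append(cls)
    return {d: c for d, c in seen.items() if len(c) > 1}


def qualify(address, config):
    """Append @$myorigin to an unqualified address, as Postfix does."""
    if "@" in address:
        return address
    return f"{address}@{expand(config, 'myorigin')[0]}"


def classes_for(address, config, tables):
    """List the address classes whose domain set contains the address's domain."""
    domain = qualify(address, config).rsplit("@", 1)[1].lower()
    return [c for c, d in class_domains(config, tables).items() if domain in d]


if __name__ == "__main__":
    print("overlaps:", overlaps(CONFIG, TABLES))
    for rhs in ("mike", "mike@example.net"):
        print(rhs, "->", qualify(rhs, CONFIG), classes_for(rhs, CONFIG, TABLES))
```

An alias target that resolves to an empty class list is handled as a remote destination, and one that resolves to two classes is the overlap the reply warns about.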



Re: When does a delivery attempt start?

2011-02-15 Thread Wietse Venema
Ralf Hildebrandt:
 Is there a way of getting a log entry that documents when Postfix is
 trying to actually deliver a mail?

The queue manager connects to the UNIX-domain socket for a particular
delivery agent such as smtp(8) or local(8), and waits for a response
from a delivery agent that it is ready.

Once a delivery agent responds, it receives the delivery request,
and that is the start of delivery. You can see this only by turning
on verbose logging.

The delivery request contains among many things hints whether to
try to save/reuse a connection, but it is up to the delivery agent
to either ignore that hint (local(8) and pipe(8) don't reuse) or
to pay attention to that hint (as smtp(8) does).

 Something along the lines it's in the active queue, and Postfix is about
 to create|reuse an (S|L)MTP connection to whatever destination it deems
 to be correct
 
 Why am I interested in this?
 
 basically I want to show that it's NOT lingering in the queue after
 it has been scanned for viruses and reinjected into the queue

Use multiple instances, and filtered mail will not share the
queue with unfiltered mail, so you know exactly why it is in
an active queue.

Wietse


Re: relay_recipient and/or relay_domains issue

2011-02-15 Thread Mike Loiterman
On Feb 15, 2011, at 3:45 PM, Jeroen Geilman wrote:

 On 02/15/2011 07:07 PM, Mike Loiterman wrote:
 I have two issues that I believe are connected so I'm putting them into one 
 submission to the list:
 
 
 ISSUE 1
 
 I want to forward root's mail to a local user called mike.  The user's email 
 address is m...@ascendency.net and is a legitimate user on the system, but 
 has a virtual mailbox.  I've added that email address in /etc/aliases and 
 run the /usr/bin/newaliases command.  The problem I'm having is that root's 
 email gets directed to m...@patton.ascendecny.net instead of 
 m...@ascendency.net resulting in the following error:
 
 
  Reason: Remote SMTP server has rejected address
  Diagnostic code: smtp;554 5.7.1m...@patton.ascendency.net: Relay 
 access denied
 
 
 
 ISSUE 2
 
 Messages sent to aliases that should point to legitimate email address on 
 the server return the following error:
 
  Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient 
 address rejected: User unknown in relay recipient table
 
 
 
 
 I believe both of these issues are related to my configuration of 
 relay_domains and/or relay_recipient_maps.  Please see the links below to 
 all relevant configuration files.
 
 
 
 DOCUMENTATION REVIEWED
 
 1.  http://www.postfix.org/ADDRESS_CLASS_README.html
 2.  http://www.postfix.org/postconf.5.html#relay_recipient_maps
 
 
 
 VERSIONS
 
 1.  FreeBSD - 8.1-RELEASE
 2.  PostFix - 2.7.2,1
 3.  MySQL - 5.5.9
 4.  Dovecot - 1.2.16
 
 
 
 CONFIGURATION FILES
 
 1.  postconf -n: http://pastebin.com/E0gMpmqf
 2.  postconf -m: http://pastebin.com/hC7waDmY
 3.  master.cf: http://pastebin.com/KcPTccCA
 4.  mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
 5.  mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
 6.  mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
 7.  mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
 8.  mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG
 
 
 
 OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)
 
 1.  Domain - ascendency.net
 2.  Server name - patton
 
 
 --
 Mike Loiterman
 Email: m...@ascendency.net
 
   
 
 The nature of the error messages indicates that you have your address classes 
 mixed up.
 
 Mydestination holds domains that will be delivered locally.
 These can be, but should not trivially be, aliased away to virtual addresses 
 - it is much simpler to reverse the function of the domains, or use the 
 proper masquerading or canonicalizing maps.
 
 Likewise, virtual_mailbox_domains holds domains that will be delivered to the 
 virtual(8) delivery agent - or whatever you use as virtual_transport instead.
 
 Relay_domains contains domains you want to accept mail for, but which you 
 will always send onwards.
 
 
 Now:
 
 The problem I'm having is that root's email gets directed to 
 m...@patton.ascendecny.net instead of m...@ascendency.net
 
 
 How does it get directed ?
 
 Presumably, you aliased root to m...@patton.net.
 
 If, instead, you aliased root to mike - don't do that.
 
 You should not use unqualified addresses on the RHS of an alias, unless you 
 know /exactly/ what the result will be.
 
 http://www.postfix.org/postconf.5.html#myorigin
 
 
 
 And:
 
 Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient address 
 rejected: User unknown in relay recipient table
 
 
 This has nothing to do with aliasing; note that it thinks the address in 
 question is present in *relay_domains*.
 
 Make SURE that your domains occur in only one address class; specifying a 
 domain in multiple classes does not work.
 This may not be immediately apparent (to you or to postfix) when they are 
 buried in mysql maps.
 
 (The contents of which would make this certain, instead of conjecture.)
 
 -- 
 J.
 

Issue number 1 was a problem with an upstream relay.  I have since fixed 
my issue.  The problem was that the upstream relay was using recipient 
verification caching before it even got to my server.

Issue number 2 is still a problem for me.  Yes, I have aliased root to 
m...@ascendency.net.  

Here is the log of what happens:
http://pastebin.com/sXsyuMdH  

Re: relay_recipient and/or relay_domains issue

2011-02-15 Thread Jeroen Geilman

On 02/15/2011 10:56 PM, Mike Loiterman wrote:

On Feb 15, 2011, at 3:45 PM, Jeroen Geilman wrote:

   

On 02/15/2011 07:07 PM, Mike Loiterman wrote:
 

I have two issues that I believe are connected so I'm putting them into one 
submission to the list:


ISSUE 1

I want to forward root's mail to a local user called mike.  The user's email 
address is m...@ascendency.net and is a legitimate user on the system, but has 
a virtual mailbox.  I've added that email address in /etc/aliases and run the 
/usr/bin/newaliases command.  The problem I'm having is that root's email gets 
directed to m...@patton.ascendecny.net instead of m...@ascendency.net resulting 
in the following error:


Reason: Remote SMTP server has rejected address
Diagnostic code: smtp;554 5.7.1m...@patton.ascendency.net: Relay 
access denied



ISSUE 2

Messages sent to aliases that should point to legitimate email address on the 
server return the following error:

Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient 
address rejected: User unknown in relay recipient table




I believe both of these issues are related to my configuration of relay_domains 
and/or relay_recipient_maps.  Please see the links below to all relevant 
configuration files.



DOCUMENTATION REVIEWED

1.  http://www.postfix.org/ADDRESS_CLASS_README.html
2.  http://www.postfix.org/postconf.5.html#relay_recipient_maps



VERSIONS

1.  FreeBSD - 8.1-RELEASE
2.  PostFix - 2.7.2,1
3.  MySQL - 5.5.9
4.  Dovecot - 1.2.16



CONFIGURATION FILES

1.  postconf -n: http://pastebin.com/E0gMpmqf
2.  postconf -m: http://pastebin.com/hC7waDmY
3.  master.cf: http://pastebin.com/KcPTccCA
4.  mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
5.  mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
6.  mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
7.  mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
8.  mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG



OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql tables)

1.  Domain - ascendency.net
2.  Server name - patton


--
Mike Loiterman
Email: m...@ascendency.net


   

The nature of the error messages indicates that you have your address classes 
mixed up.

Mydestination holds domains that will be delivered locally.
These can be, but should not trivially be, aliased away to virtual addresses - 
it is much simpler to reverse the function of the domains, or use the proper 
masquerading or canonicalizing maps.

Likewise, virtual_mailbox_domains holds domains that will be delivered to the 
virtual(8) delivery agent - or whatever you use as virtual_transport instead.

Relay_domains contains domains you want to accept mail for, but which you will 
always send onwards.


Now:

The problem I'm having is that root's email gets directed to 
m...@patton.ascendecny.net instead of m...@ascendency.net


How does it get directed ?

Presumably, you aliased root to m...@patton.net.

If, instead, you aliased root to mike - don't do that.

You should not use unqualified addresses on the RHS of an alias, unless you 
know /exactly/ what the result will be.

http://www.postfix.org/postconf.5.html#myorigin



And:

Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient address 
rejected: User unknown in relay recipient table


This has nothing to do with aliasing; note that it thinks the address in 
question is present in *relay_domains*.

Make SURE that your domains occur in only one address class; specifying a 
domain in multiple classes does not work.
This may not be immediately apparent (to you or to postfix) when they are 
buried in mysql maps.

(The contents of which would make this certain, instead of conjecture.)

--
J.

 

Issue number 1 was a problem with an upstream relay.  I have since fixed 
my issue.  The problem was that the upstream relay was using recipient 
verification caching before it even got to my server.

Issue number 2 is still a problem for me.  Yes, I have aliased root to 
m...@ascendency.net.

Here is the log of what happens:
http://pastebin.com/sXsyuMdH
Feb 15 14:28:29 patton postfix/smtp[63705]: 0BBB41A984F: 
to=r...@patton.ascendency.net, orig_to=root, 
relay=127.0.0.1[127.0.0.1]:10024, delay=0.77, delays=0/0/0/0.76, 
dsn=2.6.0, status=sent (250 2.6.0 Ok, id=63535-10, from MTA: 250 2.0.0 
Ok: queued as ABD2A1A9852)


I don't see root being aliased anywhere.

Also, NOTE that if $myorigin is not included in $mydestination, 
unqualified addresses will /never/ match your local domains - and hence 
cannot be delivered locally.


myorigin defaults to myhostname, in your case patton.ascendency.net, and 
mydestination does not.


We do not know what your 

Re: email is properly rejected but reason given to user unclear

2011-02-15 Thread mouss
Le 15/02/2011 07:36, Per-Erik Persson a écrit :
 On Mon, 14 Feb 2011 16:52:42 -0600, Stan Hoeppner s...@hardwarefreak.com
 wrote:
 Per-Erik Persson put forth on 2/14/2011 4:17 PM:
 I have recently found out the beauty of restriction classes.
 So to reject senders from certain sites that usually misspell their
 sender address I have set up the following:


 smtpd_restriction_classes = verify_client_sender
 verify_client_sender = reject_unverified_sender, permit

 smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/client-access,
 check_client_access pcre:/etc/postfix/client-pcre-access,
 permit_mynetworks,
 permit_sasl_authenticated,
 permit

 client-access looks like this:
 hostname_of_misspelled sender_1  verify_client_sender
 hostname_of_misspelled sender_2  verify_client_sender
 bla bla bla other hosts i dislike


 It works!
 But the sender (roundcube webmail) gets the error message 450 could not
 add recipient
 It is not the recipient address that postfix blocks the email on, it is
 the sender address.
 Can I give a better error message to the users that insist on changing
 their sender addresses, explaining why the email is rejected?

 http://www.postfix.org/postconf.5.html#reject_unverified_sender

 Just a friendly sanity check:  Are you sure that doing forward SAV is
 what you really want to be doing to solve this problem?  AIUI there are
 basically two downsides to forward SAV:

 1.  Some MX hosts will lie in response to the probe, then reject
 actual mail delivery attempts later, depending on which smtp phase in
 which they do the actual mailbox address verification.  Honestly, I'm not
 fully versed on how Wietse does the probes in Postfix, so this may or may
 not be an issue with the Postfix SAV probe implementation.  Historically
 it has been an issue in the larger world of smtp.

 2.  Some sites frown on forward SAV probes, period, especially high
 volume receivers.  The reason here should be obvious.
 
 I am aware of the problems with smtp sender verification.
 However in this case the sending servers are most likely webmail clients
 that don't always get the sender address correct.

what is the ratio of mail where senders mistype addresses? 0.1%?

 Most likely the sender address will point to my mx servers so that should
 not be a problem.
 And if the sender address points to gmail and gmail says oh no, no such
 user I will consider that a good thing.

if you do SAV, then you'd better minimise this (only do that after spam
checks, rate limit). if you don't, then you'll be blacklisted.

 Quite a lot of people should be caught if the sender doesn't have a valid
 mx record, since that was the only check earlier.

an MX record isn't mandatory. an A record is enough. but anyway, such
checks were abandoned here, because they only blocked legit mail.

 
 The proper solution would be to teach people to do copy/paste on
 email addresses instead of just guessing :-)


No, the proper solution is to do _your_ job and forget about teaching
anybody.


Re: When does a delivery attempt start?

2011-02-15 Thread Ralf Hildebrandt
* Wietse Venema wie...@porcupine.org:
 Ralf Hildebrandt:
  Is there a way of getting a log entry that documents when Postfix is
  trying to actually deliver a mail?
 
 The queue manager connects to the UNIX-domain socket for a particular
 delivery agent such as smtp(8) or local(8), and waits for a response
 from a delivery agent that it is ready.
 
 Once a delivery agent responds, it receives the delivery request,
 and that is the start of delivery. You can see this only by turning
 on verbose logging.

OK, thought so. 
 
 The delivery request contains among many things hints whether to
 try to save/reuse a connection, but it is up to the delivery agent
 to either ignore that hint (local(8) and pipe(8) don't reuse) or
 to pay attention to that hint (as smtp(8) does).

Which log entry in the verbose log would I be looking for?

  basically I want to show that it's NOT lingering in the queue after
  it has been scanned for viruses and reinjected into the queue
 
 Use multiple instances, and filtered mail will not share the
 queue with unfiltered mail, so you know exactly why it is in
 an active queue.

Oh, it's a prequeuing filter, so everything is already filtered.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Content message/partial and header checks

2011-02-15 Thread mouss
Le 15/02/2011 20:23, Alex a écrit :
 Hi,
 
 I have a sender that is trying to send mail to one of our recipients,
 but it is being rejected because it is a message/partial content type:
 
 /^Content-(Disposition|Type):\s+.*?message\/partial\b/  REJECT


can you find out (and report) how the sender sent his email (mail
client, ...) to see why he uses /partial? The goal is to see if /partial
has a real use case.


 I pulled this from the jimsun antispam page. Is this still necessary?
 

well. the problem with /partial is that it may cause problems with
filters. how would you scan this for viruses?

 If so, how would I go about creating an exception for this specific
 sender? 

you can't create an exception in header_checks. you can create another
smtpd listener and get the sender to use it (different recipient domain with
different MX OR sender relay config using a specific smtpd OR ...). but
really, it's better to provide an http/ftp upload method. smtp isn't
good for large file exchange, because it's multi-relay with
store-and-forward (with sync queue to disk) at each relay. even
(suboptimal) http is better.

 This file is defined in my mime_header_checks file. Perhaps I
 can create an entry in my regular header checks file that exempts this
 user from further checks?
 
 I guess this is really a question about the ordering of how the checks
 are done and how to construct such a rule to authorize this user to
 send otherwise unauthorized content.
 
 Thanks,
 Alex



Re: When does a delivery attempt start?

2011-02-15 Thread Wietse Venema
Ralf Hildebrandt:
  Once a delivery agent responds, it receives the delivery request,
  and that is the start of delivery. You can see this only by turning
  on verbose logging.
 
 OK, thought so. 
  
  The delivery request contains among many things hints whether to
  try to save/reuse a connection, but it is up to the delivery agent
  to either ignore that hint (local(8) and pipe(8) don't reuse) or
  to pay attention to that hint (as smtp(8) does).
 
 Which log entry in the verbose log would I be looking for?

grep deliver_request

Wietse


Re: When does a delivery attempt start?

2011-02-15 Thread Victor Duchovni
On Tue, Feb 15, 2011 at 11:33:58PM +0100, Ralf Hildebrandt wrote:

  Use multiple instances, and filtered mail will not share the
  queue with unfiltered mail, so you know exactly why it is in
  an active queue.
 
 Oh, it's a prequeuing filter, so everything is already filtered.

Then all the files in the queue are heading to the final destination... :-)
There is no local queue in the pre-queue filter, the messages are still
queued on the remote SMTP client.

-- 
Viktor.


Re: Multi-homed server inet_interfaces or smtp-bind-address

2011-02-15 Thread Jeroen Geilman

On 02/15/2011 08:21 PM, John wrote:

First off I am still a bit green on this stuff.

Both my servers are multi-homed, server A which runs Postfix is 
configured  -  eth0 :n.n.n.186 and eth1:n.n.n.187.
The host name for this server is mail.domain.tld which points to 
n.n.n.187.


Up until last Friday we did not have any problems. On Friday we 
started to get bounced when we tried to reply to a new contact at 
ATT/Prodigy.  Their bounce message is as follows:
host sbcmx5.prodigy.net[207.115.21.24] said: 553 5.3.0 flpd241 
DNSBL:ATTRBL 521 n.n.n.186 
_is_blocked.__For_information_see_http://att.net/blocks (in reply to 
MAIL FROM command.
A check of our logs shows only four messages destined for their servers 
in the last four weeks. I have checked our servers using abuse.net and 
we do not appear to be an open relay. None of the RBL have us listed. 
So I do not think the problem is spamming.


I think the problem is Postfix is sending using eth0, which in turn 
means that it appears to come from n.n.n.186, which in turn means that 
a reverse lookup does not resolve to mail.domain.tld. The loop is not 
closed and therefore we are suspect.


I did some digging around I think that I need to modify my Postfix 
configuration by adding inet_interfaces=n.n.n.186, n.n.n.187, 
localhost and smtp_bind_address=n.n.n.187. However this is where I 
get a little confused as in one set of documents I have read it says 
to add these into main.cf, while the postconf.5html say to leave the 
inet_interface at default and add the smtp_bind_address the master.cf.


inet_interfaces defines which IPs (and ergo interfaces) postfix RECEIVES 
mail on.
This can be overridden per-service by providing the desired IP in the 
master.cf service definition.


smtp_bind_address defines which IP postfix uses to SEND mail.
This can be overridden for any outgoing smtp(8) transport.

Unsurprisingly, postconf(5) is correct.


--
J.



Re: Auditing encrypted/clear text SMTP transmission

2011-02-15 Thread Wietse Venema
Victor Duchovni:
 On Mon, Feb 14, 2011 at 08:24:14AM -0500, Wietse Venema wrote:
 
  In the SMTP server, this could be logged as:
  
  QUEUEID: client=foo.example.com, tls=whatever
  
  That line is logged whenever the Postfix SMTP server opens a mail
  delivery transaction.
 
 I use a log parser that collates all the log entries for each
 message from arrival through final delivery. The TLS data is already
 logged in full detail. I am not convinced that compact logging is
 sufficiently detailed to be useful, and logging everything with
 each per-recipient record is I think impractical.

It could be useful to log tls=none/encrypted/verified/secure, and
thus give a general idea. People who really want to know the nuts
and bolts can parse multi-line records.

Wietse


Re: Auditing encrypted/clear text SMTP transmission

2011-02-15 Thread Victor Duchovni
On Tue, Feb 15, 2011 at 07:28:57PM -0500, Wietse Venema wrote:

 Victor Duchovni:
  On Mon, Feb 14, 2011 at 08:24:14AM -0500, Wietse Venema wrote:
  
   In the SMTP server, this could be logged as:
   
   QUEUEID: client=foo.example.com, tls=whatever
   
   That line is logged whenever the Postfix SMTP server opens a mail
   delivery transaction.
  
  I use a log parser that collates all the log entries for each
  message from arrival through final delivery. The TLS data is already
  logged in full detail. I am not convinced that compact logging is
  sufficiently detailed to be useful, and logging everything with
  each per-recipient record is I think impractical.
 
 It could be useful to log tls=none/encrypted/verified/secure, and
 thus give a general idea. People who really want to know the nuts
 and bolts can parse multi-line records.

OK, provided people don't become unhappy when we refuse to log additional
details.

-- 
Viktor.
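
A small version of the collation discussed in this exchange, reduced to the compact `QUEUEID: client=..., tls=...` form proposed above; this is an added example, not either author's parser and not Postfix output. The log lines are constructed, modelled on smtpd logging with smtpd_tls_loglevel = 1, and the sketch only distinguishes none from encrypted; the function names are assumptions.

```python
import re

# Constructed sample log (hosts, PIDs and queue IDs are made up).
SAMPLE_LOG = """\
Feb 15 19:00:01 mx postfix/smtpd[4001]: connect from foo.example.com[192.0.2.10]
Feb 15 19:00:01 mx postfix/smtpd[4001]: setting up TLS connection from foo.example.com[192.0.2.10]
Feb 15 19:00:02 mx postfix/smtpd[4001]: Anonymous TLS connection established from foo.example.com[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 15 19:00:02 mx postfix/smtpd[4001]: A1B2C3D4E5: client=foo.example.com[192.0.2.10]
Feb 15 19:00:03 mx postfix/smtpd[4001]: disconnect from foo.example.com[192.0.2.10]
Feb 15 19:00:04 mx postfix/smtpd[4002]: B2C3D4E5F6: client=old.example.net[203.0.113.5]
Feb 15 19:00:05 mx postfix/smtpd[4001]: connect from bar.example.org[198.51.100.7]
Feb 15 19:00:05 mx postfix/smtpd[4001]: C3D4E5F6A7: client=bar.example.org[198.51.100.7]
Feb 15 19:00:06 mx postfix/smtpd[4001]: disconnect from bar.example.org[198.51.100.7]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from \S+$")
# The trust-level word before "TLS" is optional so both log styles are accepted.
TLS_UP = re.compile(r"^(?:\w+ )?TLS connection established from (?P<client>\S+): "
                    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
QUEUED = re.compile(r"^(?P<qid>[0-9A-F]{6,}): client=(?P<client>[^,\s]+)")
DISCONNECT = re.compile(r"^disconnect from ")


def audit(lines):
    """Attach the TLS state of each smtpd session to the queue IDs it opened.

    An smtpd process serves one connection at a time, so its PID is the key
    that links the TLS line to the later 'QUEUEID: client=' line.
    """
    sessions = {}   # smtpd pid -> TLS state of the connection being served
    messages = {}   # queue id -> {"client", "tls", "detail"}
    for line in lines:
        found = LINE.search(line)
        if not found:
            continue
        pid, msg = found["pid"], found["msg"]
        if CONNECT.match(msg):
            # A reused process must not inherit the previous session's state.
            sessions[pid] = {"tls": "none", "detail": None}
        elif (tls := TLS_UP.match(msg)):
            sessions[pid] = {"tls": "encrypted",
                             "detail": f"{tls['proto']} {tls['cipher']}"}
        elif (queued := QUEUED.match(msg)):
            # No 'connect' seen: the log window started mid-session.
            state = sessions.get(pid, {"tls": "unknown", "detail": None})
            messages[queued["qid"]] = {"client": queued["client"], **state}
        elif DISCONNECT.match(msg):
            sessions.pop(pid, None)
    return messages


def summary(messages):
    """Render one compact line per message, in the form proposed in the thread."""
    return [f"{qid}: client={m['client']}, tls={m['tls']}"
            for qid, m in messages.items()]


if __name__ == "__main__":
    print("\n".join(summary(audit(SAMPLE_LOG.splitlines()))))
```
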


Re: relay_recipient and/or relay_domains issue

2011-02-15 Thread Mike Loiterman
On Feb 15, 2011, at 4:08 PM, Jeroen Geilman wrote:

 On 02/15/2011 10:56 PM, Mike Loiterman wrote:
 On Feb 15, 2011, at 3:45 PM, Jeroen Geilman wrote:
 
   
 On 02/15/2011 07:07 PM, Mike Loiterman wrote:
 
 I have two issues that I believe are connected so I'm putting them into 
 one submission to the list:
 
 
 ISSUE 1
 
 I want to forward root's mail to a local user called mike.  The user's 
 email address is m...@ascendency.net and is a legitimate user on the 
 system, but has a virtual mailbox.  I've added that email address in 
 /etc/aliases and run the /usr/bin/newaliases command.  The problem I'm 
 having is that root's email gets directed to m...@patton.ascendecny.net 
 instead of m...@ascendency.net resulting in the following error:
 
 
Reason: Remote SMTP server has rejected address
Diagnostic code: smtp;554 5.7.1m...@patton.ascendency.net: Relay 
 access denied
 
 
 
 ISSUE 2
 
 Messages sent to aliases that should point to legitimate email address on 
 the server return the following error:
 
Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient 
 address rejected: User unknown in relay recipient table
 
 
 
 
 I believe both of these issues are related to my configuration of 
 relay_domains and/or relay_recipient_maps.  Please see the links below to 
 all relevant configuration files.
 
 
 
 DOCUMENTATION REVIEWED
 
 1.  http://www.postfix.org/ADDRESS_CLASS_README.html
 2.  http://www.postfix.org/postconf.5.html#relay_recipient_maps
 
 
 
 VERSIONS
 
 1.  FreeBSD - 8.1-RELEASE
 2.  PostFix - 2.7.2,1
 3.  MySQL - 5.5.9
 4.  Dovecot - 1.2.16
 
 
 
 CONFIGURATION FILES
 
 1.  postconf -n: http://pastebin.com/E0gMpmqf
 2.  postconf -m: http://pastebin.com/hC7waDmY
 3.  master.cf: http://pastebin.com/KcPTccCA
 4.  mysql_virtual_alias_maps.cf: http://pastebin.com/guqFiMQA
 5.  mysql_virtual_domains_maps.cf: http://pastebin.com/jV1iVEF8
 6.  mysql_virtual_mailbox_maps.c: http://pastebin.com/UckJ2FQ9
 7.  mysql_virtual_mailbox_limit_maps.cf: http://pastebin.com/6fkzV9eH
 8.  mysql_relay_domains_maps.c: http://pastebin.com/TL3y5KwG
 
 
 
 OTHER CONFIGURATION DETAILS (I have most of my configuration in mysql 
 tables)
 
 1.  Domain - ascendency.net
 2.  Server name - patton
 
 
 --
 Mike Loiterman
 Email: m...@ascendency.net
 
 
   
 The nature of the error messages indicates that you have your address 
 classes mixed up.
 
 Mydestination holds domains that will be delivered locally.
 These can be, but should not trivially be, aliased away to virtual 
 addresses - it is much simpler to reverse the function of the domains, or 
 use the proper masquerading or canonicalizing maps.
 
 Likewise, virtual_mailbox_domains holds domains that will be delivered to 
 the virtual(8) delivery agent - or whatever you use as virtual_transport 
 instead.
 
 Relay_domains contains domains you want to accept mail for, but which you 
 will always send onwards.
 
 
 Now:
 
 The problem I'm having is that root's email gets directed to 
 m...@patton.ascendecny.net instead of m...@ascendency.net
 
 
 How does it get directed ?
 
 Presumably, you aliased root to m...@patton.net.
 
 If, instead, you aliased root to mike - don't do that.
 
 You should not use unqualified addresses on the RHS of an alias, unless you 
 know /exactly/ what the result will be.
 
 http://www.postfix.org/postconf.5.html#myorigin
 
 
 
 And:
 
 Remote host said: 550 5.1.1$aliasaddr...@ascendency.net: Recipient 
 address rejected: User unknown in relay recipient table
 
 
 This has nothing to do with aliasing; note that it thinks the address in 
 question is present in *relay_domains*.
 
 Make SURE that your domains occur in only one address class; specifying a 
 domain in multiple classes does not work.
 This may not be immediately apparent (to you or to postfix) when they are 
 buried in mysql maps.
 
 (The contents of which would make this certain, instead of conjecture.)
 
 -- 
 J.
 
 
 Issue number 1 was a problem with an upstream relay.  I have since 
 fixed my issue.  The problem was that the upstream relay was using recipient 
 verification caching before it even got to my server.
 
 Issue number 2 is still a problem for me.  Yes, I have aliased root to 
 m...@ascendency.net.
 
 Here is the log of what happens:
 http://pastebin.com/sXsyuMdH
 Feb 15 14:28:29 patton postfix/smtp[63705]: 0BBB41A984F: 
 to=r...@patton.ascendency.net, orig_to=root, 
 relay=127.0.0.1[127.0.0.1]:10024, delay=0.77, delays=0/0/0/0.76, dsn=2.6.0, 
 status=sent (250 2.6.0 Ok, id=63535-10, from MTA: 250 2.0.0 Ok: queued as 
 ABD2A1A9852)
 
 I don't see root being aliased anywhere.
 
 Also, NOTE that if $myorigin is not included in $mydestination, unqualified 
 addresses will /never/ match 

Re: Multi-homed server inet_interfaces or smtp-bind-address

2011-02-15 Thread John

On 2/15/2011 7:07 PM, Jeroen Geilman wrote:

On 02/15/2011 08:21 PM, John wrote:

First off I am still a bit green on this stuff.

Both my servers are multi-homed, server A which runs Postfix is 
configured  -  eth0 :n.n.n.186 and eth1:n.n.n.187.
The host name for this server is mail.domain.tld which points to 
n.n.n.187.


Up until last Friday we did not have any problems. On Friday we 
started to get bounced when we tried to reply to a new contact at 
ATT/Prodigy.  Their bounce message is as follows:
host sbcmx5.prodigy.net[207.115.21.24] said: 553 5.3.0 flpd241 
DNSBL:ATTRBL 521 n.n.n.186 
_is_blocked.__For_information_see_http://att.net/blocks (in reply to 
MAIL FROM command.
A check of our logs shows only four messages destined for their 
servers in the last four weeks. I have checked our servers using 
abuse.net and we do not appear to be an open relay. None of the RBL 
have us listed. So I do not think the problem is spamming.


I think the problem is Postfix is sending using eth0, which in turn 
means that it appears to come from n.n.n.186, which in turn means 
that a reverse lookup does not resolve to mail.domain.tld. The loop 
is not closed and therefore we are suspect.


I did some digging around I think that I need to modify my Postfix 
configuration by adding inet_interfaces=n.n.n.186, n.n.n.187, 
localhost and smtp_bind_address=n.n.n.187. However this is where I 
get a little confused as in one set of documents I have read it says 
to add these into main.cf, while the postconf.5html say to leave the 
inet_interface at default and add the smtp_bind_address the master.cf.


inet_interfaces defines which IPs (and ergo interfaces) postfix 
RECEIVES mail on.
This can be overridden per-service by providing the desired IP in the 
master.cf service definition.


smtp_bind_address defines which IP postfix uses to SEND mail.
This can be overridden for any outgoing smtp(8) transport.

Unsurprisingly, postconf(5) is correct.

I did not say the postconf(5) is wrong, just that I had received conflicting 
info on how and where to use smtp_bind_address.
Thanks for the clarification above, perhaps if it had been included in 
the postconf docs I might not have had the ?.
I decided I would try the suck it and see approach and added it to the 
master.cf as this seemed from the documentation to be the /best/ place 
to put it. I have to say it did not solve the problem with ATT, but I 
can now see that when I send email I appear to be using the correct IP 
address, which would seem to be an improvement.


Thanks
John A

--
All that is necessary for the triumph of evil is that good men do nothing. 
(Edmund Burke)