Re: Postfix and SSL client problem.

Hello,

Victor Duchovni victor.ducho...@morganstanley.com wrote:

> > 1. How to get SSL certificate of smtp.iol.cz (and save it to file).
>
> Use openssl s_client -showcerts

Thanks - it works. Interestingly, I get only 2 certificates this way:

    CN=smtp.iol.cz (issuer CN=Thawte SSL CA)
    and
    CN=Thawte SSL CA (issuer CN=thawte Primary Root CA)

it is missing the Thawte root certificate CN=thawte Primary Root CA. Fortunately I have found this certificate is in /etc/ssl/certs.

So .. I had to copy these three certificates to /var/lib/stunnel4/certs (chroot of stunnel4), make the hash links (with help of openssl x509 -subject_hash -noout -in xyz), modify my stunnel.conf:

    [ssmtp_client_iol]
    client = yes
    accept = 10465
    connect = smtp.iol.cz:465
    verify = 3
    CApath = /certs

restart the service, cross my fingers :-)

    $ telnet 127.0.0.1 10465

and ... SUCCESS - the log shows:

    2011.03.09 09:27:15 LOG7[2608:3078739648]: ssmtp_client_iol accepted FD=14 from 127.0.0.1:58775
    2011.03.09 09:27:15 LOG7[2608:3078736752]: ssmtp_client_iol started
    2011.03.09 09:27:15 LOG7[2608:3078736752]: FD 14 in non-blocking mode
    2011.03.09 09:27:15 LOG7[2608:3078736752]: TCP_NODELAY option set on local socket
    2011.03.09 09:27:15 LOG7[2608:3078736752]: Waiting for a libwrap process
    2011.03.09 09:27:15 LOG7[2608:3078736752]: Acquired libwrap process #0
    2011.03.09 09:27:15 LOG7[2608:3078736752]: Releasing libwrap process #0
    2011.03.09 09:27:15 LOG7[2608:3078736752]: Released libwrap process #0
    2011.03.09 09:27:15 LOG7[2608:3078736752]: ssmtp_client_iol permitted by libwrap from 127.0.0.1:58775
    2011.03.09 09:27:15 LOG5[2608:3078736752]: ssmtp_client_iol accepted connection from 127.0.0.1:58775
    2011.03.09 09:27:15 LOG7[2608:3078736752]: FD 15 in non-blocking mode
    2011.03.09 09:27:15 LOG6[2608:3078736752]: connect_blocking: connecting 194.228.2.82:465
    2011.03.09 09:27:15 LOG7[2608:3078736752]: connect_blocking: s_poll_wait 194.228.2.82:465: waiting 10 seconds
    2011.03.09 09:27:15 LOG5[2608:3078736752]: connect_blocking: connected 194.228.2.82:465
    2011.03.09 09:27:15 LOG5[2608:3078736752]: ssmtp_client_iol connected remote server from 10.6.6.6:50305
    2011.03.09 09:27:15 LOG7[2608:3078736752]: Remote FD=15 initialized
    2011.03.09 09:27:15 LOG7[2608:3078736752]: TCP_NODELAY option set on remote socket
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): before/connect initialization
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write client hello A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read server hello A
    2011.03.09 09:27:15 LOG5[2608:3078736752]: CRL: verification passed
    2011.03.09 09:27:15 LOG5[2608:3078736752]: VERIFY OK: depth=2, /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    2011.03.09 09:27:15 LOG5[2608:3078736752]: CRL: verification passed
    2011.03.09 09:27:15 LOG5[2608:3078736752]: VERIFY OK: depth=1, /C=US/O=Thawte, Inc./CN=Thawte SSL CA
    2011.03.09 09:27:15 LOG5[2608:3078736752]: CRL: verification passed
    2011.03.09 09:27:15 LOG5[2608:3078736752]: VERIFY OK: depth=0, /C=CZ/ST=Praha/L=Praha 4/O=Telefonica O2 Czech Republic, a.s./OU=Operations/CN=smtp.iol.cz
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read server certificate A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read server done A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write client key exchange A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write change cipher spec A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write finished A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 flush data
    2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read finished A
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 1 items in the session cache
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 1 client connects (SSL_connect())
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 1 client connects that finished
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 client renegotiations requested
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 server connects (SSL_accept())
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 server connects that finished
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 server renegotiations requested
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 session cache hits
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 external session cache hits
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 session cache misses
    2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 session cache timeouts
    2011.03.09 09:27:15 LOG6[2608:3078736752]: SSL connected: new session negotiated
    2011.03.09 09:27:15 LOG6[2608:3078736752]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
    2011.03.09 09:27:24
Re: postfix rejected from google server

Hello,

I have tried it - see below, but without removing also from the PBL it fails, because Peter Evans's (pe...@ixp.jp) server uses zen.spamhaus.org, which includes also the PBL list (dynamic address check).

LOG:

    Mar 9 11:09:07 duron650 postfix/smtp[2873]: B316BA2A79: to=pe...@ixp.jp, relay=mail.ixp.jp[222.147.76.196]:25, delay=9.1, delays=0.26/0.09/8/0.7, dsn=5.7.1, status=bounced (host mail.ixp.jp[222.147.76.196] said: 550 5.7.1 Service unavailable; client [85.71.234.108] blocked using zen.spamhaus.org (in reply to RCPT TO command))
    Mar 9 11:09:08 duron650 postfix/cleanup[2872]: 1185DA2BE7: message-id=20110309100908.1185da2...@108.234.broadband4.iol.cz

(FYI: This mail is sent via webmail volny.cz)

--kapetr

ORIGINAL MESSAGE:

From: Jiří Pánek jiri.pa...@email.cz
To: Peter Evans pe...@ixp.jp
Subject: Re: postfix rejected from google server
Date: Wed, 09 Mar 2011 11:08:56 +0100

Hello,

this is a direct email (I have set my Postfix back for this test to direct sending - without relayhost). In my main.cf is:

    myhostname = 108.234.broadband4.iol.cz

> Date: Mon, 7 Mar 2011 09:01:21 +0900
> From: Peter Evans pe...@ixp.jp
> Subject: Re: postfix rejected from google server
>
> Just out of curiosity, can you try to send mail directly to me? After you have removed yourself, it should take less than about an hour to clear from the CBL + PBL. Then mail should go through.

On cbl.abuseat.org I have requested it - it is now OK. The http://www.spamhaus.org/pbl/query/PBL043205 I have left unchanged, after reading the explanation. It is not a black list, so we will see if it is true and this email will reach you :-)

> > A pity that cbl.abuseat.org, as described in http://cbl.abuseat.org/faq.html, does not explain the criteria for how someone's IP can get into their CBL list.
>
> By sending mail to one of their very large spamtrap domains. The reason they do not tell you how you get on is that if they did, spammers would be able to avoid them and thus reduce the efficacy thereof.
>
> Looking at the timestamp on the CBL, was that IP address your ADSL modem at that time?

Yes, it was! That is why I am so confused about the CBL spam listing! And the listed time corresponds to the test mail sent to GMAIL. Not to a spamtrap domain. After that, there were no other incidents - that is why I think that I'm not infected. So it is a mystery to me how I got into this list.

I have added to my FW rules:

    -A ufw-user-output -o eth0 -p tcp -m tcp --syn -m multiport --dports 25,465,587 -j LOG --log-prefix [MAIL OUTPUT] --log-tcp-options --log-uid

and nothing suspect. No spambot here (if it is not a hidden rootkit of course).

Let me know if it reaches you.

Thanks
--kapetr
postscreen pregreeter DNS trick

Hi,

I recently read about the trick by Wietse, defining a second DNS record to skip the 450 delay that follows some postscreen tests. I modified my DNS and it looks like this now:

    host -t mx roessner-network-solutions.com
    roessner-network-solutions.com mail is handled by 10 mx0.roessner-net.de.
    roessner-network-solutions.com mail is handled by 20 mx0-1.roessner-net.de.

and that works.

Could I also simply set a second A-RR for mx0.roessner-net.de.? Do MTA implementations always use any A record, if one throws a 450?

I looked inside smtp_addr.c to find answers (how Postfix might handle this) and saw the usage of getaddrinfo() and pointered lists and stuff; not sure if I really understood, but would Postfix use the next client IP, if one temp fails?

Has the second-MX solution any advantages? Should I stay on the current setup?

Thanks for bringing light :)

Christian

--
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com
Re: postfix rejected from google server

    Non-authoritative answer:
    108.234.71.85.in-addr.arpa name = 108.234.broadband4.iol.cz.

> [85.71.234.108] blocked using zen.spamhaus.org

sorry but what is your problem?

you can not use your home-machine as mailserver and nothing will change this, so what is new in your message after this long thread where so many people made clear what happens and why?

On 09.03.2011 11:23, kapetr wrote:
> Hello,
>
> I have tried it - see below, but without removing also from the PBL it fails, because Peter Evans's (pe...@ixp.jp) server uses zen.spamhaus.org, which includes also the PBL list (dynamic address check).
>
> LOG:
>
> Mar 9 11:09:07 duron650 postfix/smtp[2873]: B316BA2A79: to=pe...@ixp.jp, relay=mail.ixp.jp[222.147.76.196]:25, delay=9.1, delays=0.26/0.09/8/0.7, dsn=5.7.1, status=bounced (host mail.ixp.jp[222.147.76.196] said: 550 5.7.1 Service unavailable; client [85.71.234.108] blocked using zen.spamhaus.org (in reply to RCPT TO command))
> Mar 9 11:09:08 duron650 postfix/cleanup[2872]: 1185DA2BE7: message-id=20110309100908.1185da2...@108.234.broadband4.iol.cz
Re: regular expressions was: Kernel Oops

[WARNING: Steven CC'd]

mouss put forth on 3/8/2011 5:03 PM:
> things. so I'd say, do not consider performances as a primary target. go for catching spammers first. only tune after you get the right rules, and only if needed (I personally don't tune anything here. I'm happy to focus on catching spammers).

Likewise. In my particular case execution time of the table is irrelevant. However, the execution latency of very large tables on busy systems piqued my curiosity, giving me a desire to learn more, so I can avoid adopting potentially bad habits now that may come back to haunt me, performance wise, in the future. Also, it's very possible, maybe more likely than not, that I misunderstood some of Steven's advice, or took it out of context. (Steven, sorry for inadvertently dragging you into the mosh pit) :)

Some who have been working with regular expressions for a long time may feel otherwise, but at this point I find them fascinating. From a spam fighting standpoint they can be extremely powerful. Again, I just want to make sure I develop good habits now.

WRT Viktor's earlier post, I have seen examples of the grouping with if/then blocks. In fact, the fqrdns.pcre file makes use of them. Although I'm not sure it's well optimized in this case. There seem to be an enormous number of expressions within a single if/then block, and IIRC, there are only three such groupings in the set of 1600+ expressions. So there's probably room for more performance optimization. At the table's current size though, I'm guessing the potential performance gain wouldn't be worth the tweaking labor.

--
Stan
Re: Postfix and SSL client problem.

On 09.03.2011 10:14, kapetr wrote:
> Hello,
>
> Victor Duchovni victor.ducho...@morganstanley.com wrote:
>
> > > 1. How to get SSL certificate of smtp.iol.cz (and save it to file).
> >
> > Use openssl s_client -showcerts
>
> Thanks - it works. Interestingly, I get only 2 certificates this way:
>
> CN=smtp.iol.cz (issuer CN=Thawte SSL CA)
> and
> CN=Thawte SSL CA (issuer CN=thawte Primary Root CA)
>
> it is missing the Thawte root certificate CN=thawte Primary Root CA. Fortunately I have found this certificate is in /etc/ssl/certs.

Since the client needs the root certificate in its trusted store anyways (usually /etc/ssl/certs or /usr/ssl/certs, or /etc/ssl/cert.pem as a bundle, for system-wide OpenSSL installs anyways), there is no point in the server sending it. And if you retrieved it through the same channel that you're fetching the mail through later, you couldn't trust it anyways but would have to configure it separately.

> So .. I had to copy these three certificates to /var/lib/stunnel4/certs (chroot of stunnel4), make the hash links (with help of openssl x509 -subject_hash -noout -in xyz), modify my stunnel.conf:
>
> [ssmtp_client_iol]
> client = yes
> accept = 10465
> connect = smtp.iol.cz:465
> verify = 3
> CApath = /certs

Whatever stunnel's purpose is in your setup (I'm jumping late into the thread), stunnel is generally insecure unless you can make bullet-proof guarantees that nothing else can ever grab port 10465 than this particular stunnel instance. You often can't guarantee that, and someone else can hook a password sniffing application to port 10465 transparently. Setting up a system in a way that it can safely run stunnel is very hard, because the system must prevent stunnel users from running/starting if stunnel isn't up.

--
Matthias Andree
Re: smtpd_sasl_path tcp-socket?

Hello,

> RTFM, please. The Postfix SASL_README file says:
>
>     Communication between the Postfix SMTP server and Dovecot SASL happens via a UNIX-domain socket.
>
> Support for inet: is NOT DOCUMENTED. It may disappear any time. There is no promise nowhere that this actually works. You use NOT DOCUMENTED settings at your own risk. I have no plans to write warnings for settings that are NOT DOCUMENTED.
>
> Wietse

this is true. Maybe I stated the question in an inaccurate way and would like to turn this message into a feature request so it gets an official feature in the next releases.

auth-service on a tcp-socket was added to dovecot last november; the docs are being updated these days, I read.

http://dovecot.org/list/dovecot/2011-March/057780.html

I think in some cases it is not recommended to have a local dovecot installed and more valuable to ask a central installation by tcp. So my suggestion is to make this a safe feature.

Thanks,
Hajo
Re: Postfix Newbie: Send all outbound mail to another postfix server

Randy Ramsdell put forth on 3/8/2011 3:57 PM:
> Stan Hoeppner wrote:
> > FYI, the PBL isn't limited to dynamic listings. Many corporations add their unused IP space to the PBL, along with other IPs within their netblocks that shouldn't be sending direct mail. They do this as part of a multi-layered approach to network security, in addition to egress filtering at the edge firewalls. One errant mouse click by an apprentice/junior SA can accidentally disable an egress filter, as can a botched firmware update on a firewall or router, etc, etc. If, when such a thing occurs, you already have an internal spambot outbreak that the firewalls/routers were containing...
> >
> > I would have never considered this until one day the chief of network security at Nortel informed me they do precisely what I described above. Dorothy, you're not in Kansas anymore.
>
> If the firewall is blocking an outbreak of spam bots from sending mail to the outside, why did they not know and fix this? I mean is it so bad that the whole network team can't contain it? And then someone botched the firewall which allowed the spam to be sent? Nortel hmmm.

Randy, you misread what I posted. Or maybe I didn't state things clearly. There were two separate things here.

My 1st paragraph above describes why companies list some of their IP space in the PBL, and describes one hypothetical scenario which makes doing so useful.

> I didn't understand the scenario.

That "..." means you, the reader, are supposed to imagine the rest of the outcome. I think my prose threw you off, and caused you to reverse cause and effect.

The 2nd paragraph simply states that I first learned of this use of the PBL by the chief of network security at Nortel, and that Nortel lists some of their netspace on the PBL. The hypothetical scenario did _not_ occur at Nortel.

--
Stan
Re: regular expressions was: Kernel Oops

Steve put forth on 3/8/2011 5:12 PM:
> Maybe using if/endif conditions like Stan Hoeppner has done on his pcre map could speedup things even more? - http://www.hardwarefreak.com/fqrdns.pcre

You're giving me too much credit. ;) Again, I'm not the original author of that table. That person created the if/then structure. I was ignorant of exactly how it works in a PCRE until the last 24 hours. I've simply made some additions, and fixed some minor errors I found, as have others.

My current role WRT to the table is simply making it freely available for others, adding an expression now and then, incorporating contributions from others so all changes hit a master copy, and spreading the word a little now and then as I think it's a pretty useful A/S tool.

--
Stan
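To make the if/endif discussion in this thread concrete, here is an added example (not Postfix code, and not the fqrdns.pcre table itself) that parses a small constructed pcre_table(5)-style map and counts how many regular expressions a lookup has to run with and without if/endif grouping; the sample patterns and the example.net/example.org names are made up for the demonstration.

```python
"""Toy evaluator for a Postfix pcre_table(5)-style map with if/endif blocks.

Added example, not Postfix code.  It follows the documented lookup rules
(first match wins; rules inside an `if /pattern/` block are skipped when the
pattern does not match; matching is case-insensitive unless the `i` flag
toggles it) and counts regex evaluations per lookup, to show where grouping
related expressions under an `if` test saves work and where it costs one.
"""
import re

# Constructed sample tables.  TABLE_FLAT lists every rule at top level;
# TABLE_GROUPED wraps the same rules in if/endif blocks keyed on the domain.
TABLE_FLAT = r"""
/^dsl-\d+-\d+\.example\.net$/     REJECT generic dynamic rDNS (dsl)
/^cable-\d+-\d+\.example\.net$/   REJECT generic dynamic rDNS (cable)
/^ppp-\d+\.example\.org$/         REJECT generic dynamic rDNS (ppp)
/^dyn\d+\.example\.org$/          REJECT generic dynamic rDNS (dyn)
"""

TABLE_GROUPED = r"""
if /\.example\.net$/
/^dsl-\d+-\d+\.example\.net$/     REJECT generic dynamic rDNS (dsl)
/^cable-\d+-\d+\.example\.net$/   REJECT generic dynamic rDNS (cable)
endif
if /\.example\.org$/
/^ppp-\d+\.example\.org$/         REJECT generic dynamic rDNS (ppp)
/^dyn\d+\.example\.org$/          REJECT generic dynamic rDNS (dyn)
endif
"""

_FLAG_BITS = {"m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def _compile(pattern, flags):
    """pcre_table(5): matching is case-insensitive by default; `i` toggles."""
    bits = re.IGNORECASE
    for f in flags:
        if f == "i":
            bits ^= re.IGNORECASE
        elif f in _FLAG_BITS:
            bits |= _FLAG_BITS[f]
    return re.compile(pattern, bits)


def parse_table(text):
    """Return a list of (kind, negate, regex, result); kind is 'if', 'endif'
    or 'rule', and regex/result are None for 'endif'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            rules.append(("endif", False, None, None))
            continue
        kind = "rule"
        if line.startswith("if "):
            kind, line = "if", line[3:].lstrip()
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        if not line.startswith("/"):
            raise ValueError("unsupported table line: %r" % raw)
        i = 1                       # find the closing, unescaped delimiter
        while i < len(line) and line[i] != "/":
            i += 2 if line[i] == "\\" else 1
        pattern, rest = line[1:i], line[i + 1:]
        m = re.match(r"([A-Za-z]*)\s*(.*)$", rest)   # flags, then result
        rules.append((kind, negate, _compile(pattern, m.group(1)), m.group(2)))
    return rules


def lookup(rules, key):
    """Look `key` up; return (result or None, number of regexes evaluated)."""
    evaluated = 0
    depth = 0             # current if-block nesting depth
    skipping_from = None  # depth of the failed `if` whose block we skip
    for kind, negate, rx, result in rules:
        if kind == "endif":
            depth -= 1
            if skipping_from is not None and depth < skipping_from:
                skipping_from = None
            continue
        if kind == "if":
            depth += 1
            if skipping_from is None:
                evaluated += 1
                if bool(rx.search(key)) == negate:   # condition failed
                    skipping_from = depth
            continue
        if skipping_from is not None:
            continue
        evaluated += 1
        if bool(rx.search(key)) != negate:
            return result, evaluated
    return None, evaluated


def compare(keys):
    """Total regex evaluations for `keys` against the flat and grouped tables."""
    flat, grouped = parse_table(TABLE_FLAT), parse_table(TABLE_GROUPED)
    totals = {"flat": 0, "grouped": 0}
    for key in keys:
        r1, n1 = lookup(flat, key)
        r2, n2 = lookup(grouped, key)
        assert r1 == r2, "both tables must give the same result for %r" % key
        totals["flat"] += n1
        totals["grouped"] += n2
    return totals


if __name__ == "__main__":
    print(compare(["mail.example.com", "dyn42.example.org", "cable-1-2.example.net"]))
```

Grouping pays off when most keys fail the `if` test cheaply; a key that does fall inside a block costs one evaluation more than the flat table, so the win depends on the traffic mix, not just on the table shape.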
Re: Postfix Newbie: Send all outbound mail to another postfix server

Dennis Guhl put forth on 3/8/2011 6:41 PM:
> > Dorothy, you're not in Kansas anymore.
>
> What does this saying mean?

It's a para-quote from the 1939 American movie The Wizard of Oz. Dorothy, a young girl living in a farm house in Kansas, is swept away by a powerful tornado. When the house lands on solid ground, and Dorothy opens the door, she finds herself in a wonderland. She says to her little dog, Toto, "I've a feeling we're not in Kansas any more."

http://www.youtube.com/watch?v=EPWenQxryr4

When someone uses this phrase, or a variation, in modern culture, they are conveying to another person that they're seeing something they never knew existed.

--
Stan
Using transport_maps

Hi guys,

I need to configure my server to relay domains to an antispam server, but via different hosts. I was looking and now I have doubts. In my configuration I'm using two variables, relayhost and mydestination. I need to change it and I found transport_maps, but I don't see examples to understand how it works and whether it is the best option. Can someone help me?

I need to map subdomains of the root domain to point to different servers. For example:

    sub1.domain.com:10.0.0.10
    sub2.domain.com:10.0.0.11

Thanks for your time

Best Regards
OT: Re: Postfix Newbie: Send all outbound mail to another postfix server

On Wed, Mar 09, 2011 at 05:39:07AM -0600, Stan Hoeppner wrote:
> Dennis Guhl put forth on 3/8/2011 6:41 PM:
> > > Dorothy, you're not in Kansas anymore.
> >
> > What does this saying mean?
>
> It's a para-quote from the 1939 American movie The Wizard of Oz. Dorothy, a young girl living in a farm house in Kansas, is swept away by a powerful tornado. When the house lands on solid ground, and Dorothy opens the door, she finds herself in a wonderland. She says to her little dog, Toto, "I've a feeling we're not in Kansas any more."

Yes, someone else shoved me in a private mail in this direction. I wasn't aware of this line, knowing only the German version of the book and film.

> http://www.youtube.com/watch?v=EPWenQxryr4

Nice clip. Thank you.

> When someone uses this phrase, or a variation, in modern culture, they are conveying to another person that they're seeing something they never knew existed.

This is not as bad as I thought it might be. I asked because I found no explanation of this saying and got redirected to the wikipedia article of the film where I found Dorothy's quotation. Knowing about the different colored filming in Kansas and Oz I misinterpreted the meaning as 'the world is not b/w' which would be 'you are too narrow minded'.

Stan, thank you for the explanation.

So long
Dennis
Re: Server-to-server TLS

On Tue, 2011-03-08 at 08:30 -0500, Victor Duchovni wrote:
> On Tue, Mar 08, 2011 at 01:38:28PM +0100, Raven wrote:
> > I would like to implement server-to-server TLS encryption between two postfix instances I manage. One of the servers already has TLS-capabilities but they are only used for SASL-AUTH clients. Where do I start to have the entire stream between the servers to be encrypted?
>
> http://www.postfix.org/TLS_README.html#client_tls
> http://www.postfix.org/TLS_README.html#client_tls_limits
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_encrypt
> http://www.postfix.org/TLS_README.html#client_tls_secure
> http://www.postfix.org/TLS_README.html#client_tls_policy
>
> main.cf:
>     indexed = ${default_database_type}:${config_directory}/
>     dynamic = btree:${data_directory}/
>     transport_maps = ${indexed}transport
>     smtp_tls_policy_maps = ${indexed}tls-policy
>     # Opportunistic TLS by default
>     smtp_tls_security_level = may
>     smtp_tls_session_cache_database = ${dynamic}smtp_tls_scache
>
> transport:
>     example.com    smtp:[mail.example.com]
>     example.org    smtp:example.net
>     example.gov    smtp:example.net
>
> tls-policy:
>     # transport nexthop gateway for example.com mail
>     [mail.example.com]    secure match=nexthop
>     # transport nexthop domain for example.org and example.gov
>     example.net    secure
>     # Domain routed via MX hosts to servers believed to support TLS
>     # with verifiable certificates
>     example.edu    secure

Thanks. How can I apply this to $relayhost without having to list all local domains in the transport map (as they are already listed in $virtual_mailbox_domains)?

-RV
Re: message id is a unique number?

On Wed, 9 Mar 2011 12:57:26 +, Mauro mrsan...@gmail.com wrote:
> In my logs I have:
>
> Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
>
> Is that number BF683A28247 a unique number?

Yes and no. It is unique in a timespan. If you use logrotate(8) it is probably unique for you, depending on your configuration.

Cheers,
Luciano.
Re: Postfix Newbie: Send all outbound mail to another postfix server

Stan Hoeppner wrote:
> Randy, you misread what I posted. Or maybe I didn't state things clearly. There were two separate things here.
>
> My 1st paragraph above describes why companies list some of their IP space in the PBL, and describes one hypothetical scenario which makes doing so useful.
>
> > I didn't understand the scenario.
>
> That "..." means you, the reader, are supposed to imagine the rest of the outcome. I think my prose threw you off, and caused you to reverse cause and effect.
>
> The 2nd paragraph simply states that I first learned of this use of the PBL by the chief of network security at Nortel, and that Nortel lists some of their netspace on the PBL. The hypothetical scenario did _not_ occur at Nortel.

Ahhh, I see. I can see that listing non-mail-sending IPs you use on the PBL is useful.
Re: message id is a unique number?

On 09.03.2011 13:57, Mauro wrote:
> In my logs I have:
>
> Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
>
> Is that number BF683A28247 a unique number?

yes for this message

with

    cat /var/log/maillog | grep BF683A28247

you get all lines from this message (sasl-user, from, to, deferrals...)
Re: message id is a unique number?

On 3/9/2011 6:57 AM, Mauro wrote:
> In my logs I have:
>
> Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
>
> Is that number BF683A28247 a unique number?

The postfix queueid identifies a single message while it's in the queue. The queueid is created from the queue file inode number and microsecond CPU time.

The queueid is unique while that message exists; only one message at a time may have a specific queueid. Once the message exits the queue, that queueid can be reused at any time. I've seen a queueid reused within 30 minutes. Don't count on it being unique for any period of time.

--
Noel Jones
DSN with original message

Hello,

I know that full messages can be added in any failed DSN, but I would like to configure DSN to add the original message in all cases. Could you tell me if this functionality could be added in future releases?

Thanks for your help!
Re: DSN with original message

moildard moildard:
> Hello,
>
> I know that full messages can be added in any failed DSN, but I would like to configure DSN to add the original message in all cases.

Postfix NEVER sends full originals when:

a) The sender specified RET=HDRS (return headers only). See RFC 3461 for details about the SMTP DSN extension.

b) The message exceeds $bounce_size_limit. It is a really bad idea to return a very large message to someone who may not even have sent it because the sender was forged.

Wietse
Re: message id is a unique number?

On 9 March 2011 14:04, Noel Jones njo...@megan.vbhcs.org wrote:
> On 3/9/2011 6:57 AM, Mauro wrote:
> > In my logs I have:
> >
> > Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
> >
> > Is that number BF683A28247 a unique number?
>
> The postfix queueid identifies a single message while it's in the queue. The queueid is created from the queue file inode number and microsecond CPU time.
>
> The queueid is unique while that message exists; only one message at a time may have a specific queueid. Once the message exits the queue, that queueid can be reused at any time. I've seen a queueid reused within 30 minutes. Don't count on it being unique for any period of time.

I need to know, over one year, who sent to whom. I have logs for the year and records are like:

    Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
    Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: to=..

What element can I use to identify who sent to whom in the log files?
Re: message id is a unique number?

* Mauro mrsan...@gmail.com:
> I need to know, over one year, who sent to whom. I have logs for the year and records are like:
>
> Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
> Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: to=..
>
> What element can I use to identify who sent to whom in the log files?

Create your own tag. Use the WARN function in Postfix access(5) to generate a log entry.

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: postscreen pregreeter DNS trick

> > Has the second-MX solution any advantages? Should I stay on the current setup?
>
> Your current setup looks fine.

thanks for explaining the different aspects :)

Christian
Re: message id is a unique number?

On 9 March 2011 15:46, Patrick Ben Koetter p...@state-of-mind.de wrote:
> * Mauro mrsan...@gmail.com:
> > I need to know, over one year, who sent to whom. I have logs for the year and records are like:
> >
> > Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
> > Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: to=..
> >
> > What element can I use to identify who sent to whom in the log files?
>
> Create your own tag. Use the WARN function in Postfix access(5) to generate a log entry.

I already have logs of one year; I should parse these logs to identify who sent to whom.
Re: message id is a unique number?

    [root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
    Mar 9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
    Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net

    [root@mail:~]$ cat maillog | grep 614CEE8
    Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
    Mar 9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: message-id=4d779b81.3050...@thelounge.net
    Mar 9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
    Mar 9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=strip...@thelounge.net, relay=127.0.0.1[127.0.0.1]:24, delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient strip...@thelounge.net OK)
    Mar 9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed

On 09.03.2011 16:52, Mauro wrote:
> On 9 March 2011 15:46, Patrick Ben Koetter p...@state-of-mind.de wrote:
> > Create your own tag. Use the WARN function in Postfix access(5) to generate a log entry.
>
> I already have logs of one year; I should parse these logs to identify who sent to whom.

--
Best regards,
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
Re: message id is a unique number?
On 9 March 2011 16:19, Reindl Harald h.rei...@thelounge.net wrote:

[root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
Mar 9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net

[root@mail:~]$ cat maillog | grep 614CEE8
Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
Mar 9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: message-id=4d779b81.3050...@thelounge.net
Mar 9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
Mar 9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=strip...@thelounge.net, relay=127.0.0.1[127.0.0.1]:24, delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient strip...@thelounge.net OK)
Mar 9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed

But from what I understand 614CEE8 is not unique and I have to parse logs for one year.
Re: rewrite the from based on a client hostname or ip
On Wed, Mar 09, 2011 at 02:22:15PM +, Katzir, Igal wrote: Thanks Wietse, In order to run multiple postfix instances on a single host, I read in the http://www.postfix.org/MULTI_INSTANCE_README.html that we need to upgrade the Postfix to 2.6 and preferably to 2.7.3 You can run multiple instances of Postfix even with Postfix 1.0, you just need to handle the start/stop/... and instance creation manually. The multi-instance tooling is primarily intended to integrate with vendor distributions that already start the primary instance of Postfix, and use that to start the entire stack. Of course now that it's done, all the vendors are re-designing system start-up... :-) -- Viktor.
Re: Server-to-server TLS
On Wed, Mar 09, 2011 at 01:36:46PM +0100, Raven wrote: How can I apply this to $relayhost without having to list all local domains in the transport map (as they are already listed in $virtual_mailbox_domains)? Why are you using virtual_mailbox_domains for addresses that are relayed to another host? As for TLS, the security policy and certificate verification are tied to the nexthop destination, not the recipient domain; if the two differ, it is the nexthop destination that is used. This is documented, please read the documentation carefully. -- Viktor.
Re: message id is a unique number?
On 3/9/2011 10:26 AM, Mauro wrote:
On 9 March 2011 16:19, Reindl Harald h.rei...@thelounge.net wrote:

[root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
Mar 9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net

[root@mail:~]$ cat maillog | grep 614CEE8
Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
Mar 9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: message-id=4d779b81.3050...@thelounge.net
Mar 9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
Mar 9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=strip...@thelounge.net, relay=127.0.0.1[127.0.0.1]:24, delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient strip...@thelounge.net OK)
Mar 9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed

But from what I understand 614CEE8 is not unique and I have to parse logs for one year.

Counters for a specific queueid should be reset after a "... QUEUEID: removed" log entry.

-- Noel Jones
Re: message id is a unique number?
Noel Jones:
On 3/9/2011 10:26 AM, Mauro wrote:
On 9 March 2011 16:19, Reindl Harald h.rei...@thelounge.net wrote:

[root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
Mar 9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net

[root@mail:~]$ cat maillog | grep 614CEE8
Mar 9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN, sasl_username=h.rei...@thelounge.net
Mar 9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: message-id=4d779b81.3050...@thelounge.net
Mar 9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
Mar 9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=strip...@thelounge.net, relay=127.0.0.1[127.0.0.1]:24, delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient strip...@thelounge.net OK)
Mar 9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed

But from what I understand 614CEE8 is not unique and I have to parse logs for one year.

Counters for a specific queueid should be reset after a "... QUEUEID: removed" log entry.

Correct. With current Postfix implementations, there are two marker records that you can use:

- The "postfix/qmgr ... removed" record that says the file is deleted. This record was introduced with Postfix version 2.1.

- The "postfix/smtpd ... client=..." record that says the file is created. This record is written by all Postfix versions. There is no equivalent record for mail that is submitted with the Postfix sendmail command. Instead use "postfix/cleanup ... message-id=..." which is also logged for SMTP mail.

Wietse
Re: message id is a unique number?
On Wed, Mar 09, 2011 at 01:17:38PM -0500, Wietse Venema wrote:

Correct. With current Postfix implementations, there are two marker records that you can use:

- The "postfix/qmgr ... removed" record that says the file is deleted. This record was introduced with Postfix version 2.1.

- The "postfix/smtpd ... client=..." record that says the file is created. This record is written by all Postfix versions. There is no equivalent record for mail that is submitted with the Postfix sendmail command. Instead use "postfix/cleanup ... message-id=..." which is also logged for SMTP mail.

In addition to qmqpd(8) logging message creation just like smtpd(8), in fact pickup(8) also logs message creation:

2011-03-09T12:55:01-05:00 amnesiac postfix/pickup[25191]: 27D602FB86: uid=52009 from=user

Things get more interesting with internally generated messages, either indirect forwarding by local(8) or sender/postmaster notifications from (sufficiently recent Postfix) bounce(8):

2011-03-09T13:23:18-05:00 amnesiac postfix/bounce[11606]: D55BD5049C4: sender non-delivery notification: BACC6504D20

These are logged after the cleanup(8) service logs the creation of the message and instead correlate to the processing of the old and new messages. These are not indicators that all previous instances of the new queue-id are unrelated.

So there is a theoretical possibility that an smtpd(8) "client=..." log entry that goes with an aborted message delivery will get incorrectly associated with a non-SMTP internally generated message that reuses the queue id shortly after the aborted transaction. In practice, this is a non-issue, and the presence of bounce(8) or local(8) log entries can be used to pre-empt the association of the most recent instance of the new queue-id with any external source.

-- Viktor.
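The rule that Noel, Wietse and Viktor converge on above (a queue ID is unique only between its creation record and its "removed" record, with cleanup's "message-id=" as the fallback for sendmail-submitted and internally generated mail) is mechanical enough to turn into a parser, which is also what Mauro's "who sent to whom over a year" question needs. The following is an added example, not code from Postfix or from anyone in this thread. It assumes standard syslog-style Postfix log lines; the sample log is constructed for the example (example.net/example.org addresses, made-up relays) and reuses the record shapes quoted in the thread, including a queue ID that gets recycled and a bounce that is logged under the old ID while naming the new one.

```python
"""Added example: reconstruct Postfix message life cycles from a log, keyed by queue ID.

A queue ID is unique only while the message sits in the queue, so the parser treats
the 'postfix/qmgr ... removed' record as the end of one life cycle and a creation
record (smtpd/qmqpd 'client=', pickup 'uid=') as the start of the next. Messages
submitted with the sendmail command or generated internally (bounce, local forwarding)
have no creation record; they are picked up from their cleanup 'message-id=' line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[a-z-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")
MSGID_RE = re.compile(r"message-id=<([^>]*)>")
STATUS_RE = re.compile(r"status=(\w+)")
RELAY_RE = re.compile(r"relay=(\S+),")
SASL_RE = re.compile(r"sasl_username=(\S+)")
NDN_RE = re.compile(r"non-delivery notification: ([0-9A-F]+)$")


@dataclass
class Lifecycle:
    qid: str
    started: str
    origin: str = "unknown (sendmail submission or internally generated)"
    sasl_username: Optional[str] = None
    message_id: str = ""
    sender: Optional[str] = None
    recipients: List[Tuple[str, str, str]] = field(default_factory=list)  # (rcpt, status, relay)
    removed: bool = False


def is_creation(prog: str, rest: str) -> bool:
    """The 'file created' marker records named in the thread."""
    return (prog in ("smtpd", "qmqpd") and rest.startswith("client=")) or (
        prog == "pickup" and rest.startswith("uid=")
    )


def correlate(lines):
    """Return one Lifecycle per queue-ID incarnation, in the order they ended."""
    active, finished = {}, []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue
        ts, prog, qid, rest = m.group("ts", "prog", "qid", "rest")
        if rest == "removed":  # queue file deleted: this incarnation is over
            lc = active.pop(qid, None)
            if lc:
                lc.removed = True
                finished.append(lc)
            continue
        if is_creation(prog, rest):
            # A creation record while the ID is still open means the previous
            # incarnation never logged 'removed' (aborted, or pre-2.1 Postfix).
            if qid in active:
                finished.append(active.pop(qid))
            lc = active[qid] = Lifecycle(qid, ts, origin=f"{prog} {rest}")
            if (s := SASL_RE.search(rest)):
                lc.sasl_username = s.group(1)
            continue
        lc = active.setdefault(qid, Lifecycle(qid, ts))
        if prog == "bounce" and (n := NDN_RE.search(rest)):
            # Logged under the OLD id, naming the NEW id that cleanup created just before.
            new = active.setdefault(n.group(1), Lifecycle(n.group(1), ts))
            new.origin = f"bounce for {qid}"
            continue
        if (mid := MSGID_RE.search(rest)):
            lc.message_id = mid.group(1)
        if prog == "qmgr" and (frm := FROM_RE.search(rest)):
            lc.sender = frm.group(1)
        if (to := TO_RE.search(rest)) and (st := STATUS_RE.search(rest)):
            relay = RELAY_RE.search(rest)
            lc.recipients.append((to.group(1), st.group(1), relay.group(1) if relay else ""))
    return finished + list(active.values())  # trailing entries: still queued or never removed


def who_sent_to_whom(lines):
    """Mauro's question: one (started, sender, recipient, status) row per delivery attempt."""
    return [(lc.started, lc.sender, rcpt, status)
            for lc in correlate(lines) for rcpt, status, _relay in lc.recipients]


# Constructed sample log (addresses and relays are made up; record shapes follow the thread).
SAMPLE_LOG = """\
Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: client=rh.example.net[10.0.0.99], sasl_method=PLAIN, sasl_username=harald@example.net
Mar  9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: message-id=<4d779b81.3050@example.net>
Mar  9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: from=<harald@example.net>, size=2543, nrcpt=1 (queue active)
Mar  9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=<mauro@example.net>, relay=127.0.0.1[127.0.0.1]:24, delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient OK)
Mar  9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed
Mar  9 16:40:02 mail postfix/pickup[25191]: 614CEE8: uid=52009 from=<user>
Mar  9 16:40:02 mail postfix/cleanup[8918]: 614CEE8: message-id=<20110309164002.0001@mail.example.net>
Mar  9 16:40:02 mail postfix/qmgr[19091]: 614CEE8: from=<user@mail.example.net>, size=512, nrcpt=1 (queue active)
Mar  9 16:40:03 mail postfix/smtp[8400]: 614CEE8: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Mar  9 16:40:10 mail postfix/qmgr[19091]: 614CEE8: removed
Mar  9 16:50:00 mail postfix/smtpd[9000]: 27D602FB86: client=unknown[192.0.2.77]
Mar  9 16:50:01 mail postfix/cleanup[8918]: 27D602FB86: message-id=<abc@example.com>
Mar  9 16:50:01 mail postfix/qmgr[19091]: 27D602FB86: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Mar  9 16:50:02 mail postfix/smtp[8401]: 27D602FB86: to=<nobody@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.1.1, status=bounced (User unknown)
Mar  9 16:50:02 mail postfix/cleanup[8918]: 3A1B2C4D5: message-id=<20110309165002.3A1B2C4D5@mail.example.net>
Mar  9 16:50:02 mail postfix/bounce[11606]: 27D602FB86: sender non-delivery notification: 3A1B2C4D5
Mar  9 16:50:02 mail postfix/qmgr[19091]: 27D602FB86: removed
Mar  9 16:50:02 mail postfix/qmgr[19091]: 3A1B2C4D5: from=<>, size=3000, nrcpt=1 (queue active)
Mar  9 16:50:03 mail postfix/smtp[8401]: 3A1B2C4D5: to=<bob@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Mar  9 16:50:03 mail postfix/qmgr[19091]: 3A1B2C4D5: removed
"""

if __name__ == "__main__":
    for row in who_sent_to_whom(SAMPLE_LOG.splitlines()):
        print(*row)
```

On the sample, 614CEE8 yields two separate life cycles (one SMTP-authenticated, one picked up from the maildrop), and the bounce message 3A1B2C4D5 is attributed to "bounce for 27D602FB86" rather than to any earlier "client=" record, which is the safeguard Viktor describes for internally generated mail. Trailing entries in the result are IDs that were still in the queue (or never logged "removed") at the end of the log.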
Re: message id is a unique number?
Victor Duchovni:
On Wed, Mar 09, 2011 at 01:17:38PM -0500, Wietse Venema wrote:

Correct. With current Postfix implementations, there are two marker records that you can use:

- The "postfix/qmgr ... removed" record that says the file is deleted. This record was introduced with Postfix version 2.1.

- The "postfix/smtpd ... client=..." record that says the file is created. This record is written by all Postfix versions. There is no equivalent record for mail that is submitted with the Postfix sendmail command. Instead use "postfix/cleanup ... message-id=..." which is also logged for SMTP mail.

In addition to qmqpd(8) logging message creation just like smtpd(8), in fact pickup(8) also logs message creation:

2011-03-09T12:55:01-05:00 amnesiac postfix/pickup[25191]: 27D602FB86: uid=52009 from=user

Things get more interesting with internally generated messages, either indirect forwarding by local(8) or sender/postmaster notifications from (sufficiently recent Postfix) bounce(8):

2011-03-09T13:23:18-05:00 amnesiac postfix/bounce[11606]: D55BD5049C4: sender non-delivery notification: BACC6504D20

These are logged after the cleanup(8) service logs the creation of the message and instead correlate to the processing of the old and new messages. These are not indicators that all previous instances of the new queue-id are unrelated.

So there is a theoretical possibility that an smtpd(8) "client=..." log entry that goes with an aborted message delivery will get incorrectly associated with a non-SMTP internally generated message that reuses the queue id shortly after the aborted transaction. In practice, this is a non-issue, and the presence of bounce(8) or local(8) log entries can be used to pre-empt the association of the most recent instance of the new queue-id with any external source.

Perhaps it is time to replace the time-in-microseconds portion of the queue ID by a sufficient number of random bits.

Wietse
Re: message id is a unique number?
On Wed, Mar 09, 2011 at 01:56:50PM -0500, Wietse Venema wrote:

Perhaps it is time to replace the time-in-microseconds portion of the queue ID by a sufficient number of random bits.

I would not replace the microsecond time, its monotonicity has useful properties. Rather, we could augment the microsecond time and inode with ~16 additional bits, say cleanup appends to the microsecond encoding, before the inode:

    (epoch time & 0xff) << 8 | (pid + msg count) & 0xff

On a lightly loaded system with a single cleanup doing all the work, the pid + msg count will be locally monotone even if the clock drifts back. While pid + msg count collisions will happen on busy systems, the clock should keep repetitions at least 256 seconds apart, but in practice the odds of the microseconds and pid also colliding when the same inode is being re-used are extremely low.

-- Viktor.
RE: message id is a unique number?
For what it's worth, sendmail's implementation encodes the current time down to the second plus the pid of the handling process in its queue IDs. A collision then could only happen if the same pid got re-used twice in the same second. It doesn't include the inode or any random data. Details: http://www.ale.org/pipermail/ale/2001-May/022331.html Similar to the issue of log correlation, in the OpenDKIM stats project work we had to have an SQL key across the reporting host, queue ID and timestamp columns to account for the fact that postfix recycles queue IDs, sometimes relatively quickly. -MSK
RE: Message is modified after after-queue filter
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
Sent: Tuesday, March 08, 2011 2:02 PM
To: postfix-users@postfix.org
Subject: Re: Message is modified after after-queue filter

My current work-around is to correctly format my emails in my software before they are sent to postfix so that the messages are not modified at all. But that is not the best solution.

Actually that *is* the best solution. Send 7-bit encoded mail with correct line endings.

Furthermore, even if postfix could be coerced into not doing the rewrites you're describing, something else down the chain likely will, invalidating your signatures anyway. The best thing to do is try to minimize that from happening anywhere between you and the verifier.

-MSK
Re: message id is a unique number?
Murray S. Kucherawy: For what it's worth, sendmail's implementation encodes the current time down to the second plus the pid of the handling process in its queue IDs. A collision then could only happen if the same pid got re-used twice in the same second. It doesn't include the inode or any random data. Details: http://www.ale.org/pipermail/ale/2001-May/022331.html Similar to the issue of log correlation, in the OpenDKIM stats project work we had to have an SQL key across the reporting host, queue ID and timestamp columns to account for the fact that postfix recycles queue IDs, sometimes relatively quickly. There is one difference: Sendmail can just pick a name, and pick another one if the name already exists in a particular directory. Postfix uses the inode number in the name, because the name needs to be unique across the incoming, active, and deferred directories. Postfix could lengthen the time before reuse, by including more time information (four hex digits for ~1 day, six hex digits for ~0.5 year, eight hex digits for ~100 years). Seven hex digits should be sufficient to silence any complaints. Tighter packing is possible, but we're restricted to letters and digits (i.e. base 62 math). Wietse
Re: message id is a unique number?
On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote: Postfix uses the inode number in the name, because the name needs to be unique across the incoming, active, and deferred directories. Postfix could lengthen the time before reuse, by including more time information (four hex digits for ~1 day, six hex digits for ~0.5 year, eight hex digits for ~100 years). Seven hex digits should be sufficient to silence any complaints. Tighter packing is possible, but we're restricted to letters and digits (i.e. base 62 math). Couldn't one also freely use _ and + for a complete base64 alphabet? Certainly log parsers would have to adapt, but is there another reason? -- Viktor.
Re: message id is a unique number?
Victor Duchovni wrote: On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote: Postfix uses the inode number in the name, because the name needs to be unique across the incoming, active, and deferred directories. Postfix could lengthen the time before reuse, by including more time information (four hex digits for ~1 day, six hex digits for ~0.5 year, eight hex digits for ~100 years). Seven hex digits should be sufficient to silence any complaints. Tighter packing is possible, but we're restricted to letters and digits (i.e. base 62 math). Couldn't one also freely use _ and + for a complete base64 alphabet? Certainly log parsers would have to adapt, but is there another reason? time since EPOCH?
Limiting outgoing SMTP connections when relaying message
Sorry if this is a silly question, but I'm something of a Postfix (and mail servers in general) newbie. My Postfix server is all working fine, and is happily acting as a relay for my local network. However, I'm having problems when a user tries to send a single, large message to a large number of recipients at different domains, relaying via the Postfix server. What happens is that Postfix receives the message from the sender, queues it, then immediately connects to *all* of the destination servers simultaneously and starts sending the message to them. This completely saturates the upstream Internet link, so each destination server sees a gradual trickle of data, and virtually all of them time-out while receiving data. Postfix then defers the whole message for x minutes, but when the x minutes is up, it simply repeats the process, connecting to all the remaining destinations at once, resulting in them (nearly) all timing out. Is there a way to limit the number of simultaneous outgoing connections the server can make, so I can reduce this limit to 2 or 3, and maybe have a fighting chance of the message actually being delivered within a reasonable timescale? Perhaps I'm thick, but I can only see options to set the maximum number of connections per-domain - but the problem is a single message going to multiple domains - I can't see any settings to change that. Thanks in advance for any help.
Re: Limiting outgoing SMTP connections when relaying message
On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote: What happens is that Postfix receives the message from the sender, queues it, then immediately connects to *all* of the destination servers simultaneously and starts sending the message to them. This completely saturates the upstream Internet link, so each destination server sees a gradual trickle of data, and virtually all of them time-out while receiving data. On a server with limited network capacity set a small process limit for the smtp unix ... smtp delivery agent entry in master.cf. http://www.postfix.org/master.5.html -- Viktor.
Re: Limiting outgoing SMTP connections when relaying message
Victor Duchovni wrote: On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote: What happens is that Postfix receives the message from the sender, queues it, then immediately connects to *all* of the destination servers simultaneously and starts sending the message to them. This completely saturates the upstream Internet link, so each destination server sees a gradual trickle of data, and virtually all of them time-out while receiving data. On a server with limited network capacity set a small process limit for the smtp unix ... smtp delivery agent entry in master.cf. http://www.postfix.org/master.5.html Thanks. Not sure I fully understand what effect that will have, but I've set the process limit to 2. Will that restrict the number of outgoing connections to 2? I'm confused.
Re: message id is a unique number?
Victor Duchovni:
On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote:

Postfix uses the inode number in the name, because the name needs to be unique across the incoming, active, and deferred directories. Postfix could lengthen the time before reuse, by including more time information (four hex digits for ~1 day, six hex digits for ~0.5 year, eight hex digits for ~100 years). Seven hex digits should be sufficient to silence any complaints. Tighter packing is possible, but we're restricted to letters and digits (i.e. base 62 math).

Couldn't one also freely use _ and + for a complete base64 alphabet? Certainly log parsers would have to adapt, but is there another reason?

Breaking logfile parsers might be one. The Postfix queue file module has strict checks on queue file name syntax. I had to add permission to use _ for flush(8) logs, but I would rather not water down the syntax restrictions further.

Wietse
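The numbers traded in this sub-thread (Noel's "inode number and microsecond time", Viktor's proposed 16 extra bits, Wietse's "four hex digits for ~1 day" table and the base-62 limit) can be checked with a few lines of arithmetic. The following is an added example, not Postfix code. It assumes, consistently with the queue IDs quoted in the thread, that a short queue ID is the microsecond part of the creation time in five upper-case hex digits followed by the queue file's inode in hex; `viktor_suffix` and `augmented_queue_id` implement Viktor's proposal as he wrote it and are not a Postfix feature.

```python
"""Added example (not Postfix code): the arithmetic behind the queue-ID discussion.

Layout assumed for the IDs quoted in this thread: five hex digits holding the
microsecond part of the creation time, then the inode number in hex. The inode
is what makes the name unique across the incoming, active and deferred directories.
"""
import time

USEC_DIGITS = 5                      # 0..999999 microseconds always fits in 5 hex digits
HEX = "0123456789ABCDEF"
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def decode_queue_id(qid):
    """Split a short queue ID into (microseconds, inode) under the assumed layout."""
    qid = qid.upper()
    if len(qid) <= USEC_DIGITS or any(c not in HEX for c in qid):
        raise ValueError(f"not a short hex queue ID: {qid!r}")
    usec, inode = int(qid[:USEC_DIGITS], 16), int(qid[USEC_DIGITS:], 16)
    if usec > 999_999:
        raise ValueError(f"microsecond field out of range in {qid!r}")
    return usec, inode


def encode_queue_id(usec, inode):
    """Inverse of decode_queue_id."""
    return f"{usec:05X}{inode:X}"


def wrap_seconds(digits, base=16):
    """Seconds until a `digits`-wide time field in `base` repeats (Wietse's table)."""
    return base ** digits


def digits_needed(seconds, base):
    """Smallest field width in `base` whose wrap period covers `seconds`."""
    width = 1
    while base ** width < seconds:
        width += 1
    return width


def to_base(n, alphabet):
    """Positional encoding of n; a 62-symbol alphabet keeps to letters and digits."""
    if n < 0:
        raise ValueError("negative value")
    out = []
    while True:
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
        if n == 0:
            return "".join(reversed(out))


def viktor_suffix(epoch_seconds, pid, msg_count):
    """Viktor's proposal: (epoch time & 0xff) << 8 | (pid + msg count) & 0xff.

    The low byte of the wall clock keeps repeats for one (pid, count) at least
    256 s apart; the low byte of pid + count is locally monotone for one cleanup.
    """
    return ((epoch_seconds & 0xFF) << 8) | ((pid + msg_count) & 0xFF)


def augmented_queue_id(usec, inode, epoch_seconds, pid, msg_count):
    """Short ID with the proposed 16 bits (4 hex digits) inserted before the inode."""
    return f"{usec:05X}{viktor_suffix(epoch_seconds, pid, msg_count):04X}{inode:X}"


if __name__ == "__main__":
    for qid in ("614CEE8", "BF683A28247", "27D602FB86", "D55BD5049C4"):
        usec, inode = decode_queue_id(qid)
        print(f"{qid}: created at .{usec:06d} s, inode {inode}")
    for d in (4, 6, 7, 8):
        print(f"{d} hex digits of time repeat after {wrap_seconds(d) / 86400:.1f} days")
    century = 100 * 365 * 86400
    print("hex digits for a century:", digits_needed(century, 16))
    print("base-62 digits for a century:", digits_needed(century, 62))
    print("augmented:", augmented_queue_id(0x614CE, 0xE8, int(time.time()), 8918, 1))
```

Running it shows why the thread lands where it does: four hex digits wrap after about 18 hours and six after about 194 days (Wietse's "~1 day" and "~0.5 year"), seven cover well over a year, and the same century that needs eight hex digits fits in six base-62 characters, which is the "tighter packing" that stays within letters and digits.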
Re: Limiting outgoing SMTP connections when relaying message
On Wed, Mar 09, 2011 at 10:21:44PM +, Tim wrote: Victor Duchovni wrote: On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote: What happens is that Postfix receives the message from the sender, queues it, then immediately connects to *all* of the destination servers simultaneously and starts sending the message to them. This completely saturates the upstream Internet link, so each destination server sees a gradual trickle of data, and virtually all of them time-out while receiving data. On a server with limited network capacity set a small process limit for the smtp unix ... smtp delivery agent entry in master.cf. http://www.postfix.org/master.5.html Thanks. Not sure I fully understand what effect that will have, but I've set the process limit to 2. Will that restrict the number of outgoing connections to 2? I'm confused. Each delivery agent delivers one message at a time. With two delivery agents there are at most two parallel deliveries. The default process limit is 100. I would first try 10 or 20, before taking it all the way down to 2. Such a small process limit can create severe congestion... -- Viktor.
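For readers who, like Tim, are unsure which master.cf field Viktor is talking about: the process limit is the maxproc column (the seventh field) of the service entry. The fragment below is an added illustration and not text from the thread or from the Postfix distribution; it shows the stock smtp entry next to the same entry with only that column changed, as a starting point in the 10 to 20 range Viktor suggests. The other columns should stay as they are in the reader's own master.cf, and the change takes effect after "postfix reload".

```text
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
#
# default entry: "-" in the maxproc column means the default_process_limit (100),
# so one message to many domains can open up to 100 outbound SMTP sessions at once
smtp      unix  -       -       n       -       -       smtp
#
# same entry with at most 20 smtp(8) delivery agents, hence at most 20 parallel deliveries
smtp      unix  -       -       n       -       20      smtp
```

Only one of the two smtp lines may be present in a real master.cf; the first is shown for comparison.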
Re: Limiting outgoing SMTP connections when relaying message
Victor Duchovni wrote: On Wed, Mar 09, 2011 at 10:21:44PM +, Tim wrote: Victor Duchovni wrote: On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote: What happens is that Postfix receives the message from the sender, queues it, then immediately connects to *all* of the destination servers simultaneously and starts sending the message to them. This completely saturates the upstream Internet link, so each destination server sees a gradual trickle of data, and virtually all of them time-out while receiving data. On a server with limited network capacity set a small process limit for the smtp unix ... smtp delivery agent entry in master.cf. http://www.postfix.org/master.5.html Thanks. Not sure I fully understand what effect that will have, but I've set the process limit to 2. Will that restrict the number of outgoing connections to 2? I'm confused. Each delivery agent delivers one message at a time. With two delivery agents there are at most two parallel deliveries. The default process limit is 100. I would first try 10 or 20, before taking it all the way down to 2. Such a small process limit can create severe congestion... Ah, right. I think I understand now - thank you very much. I will try a value of 20 first, and see what happens. Thanks very much for your help.
Re: Limiting outgoing SMTP connections when relaying message
On Wed, Mar 9, 2011 at 6:40 PM, Tim t...@woodlouse.co.uk wrote:

What happens is that Postfix receives the message from the sender, queues it, then immediately connects to *all* of the destination servers simultaneously and starts sending the message to them. This completely saturates the upstream Internet link, so each destination server sees a gradual trickle of data, and virtually all of them time-out while receiving data.

Fix the problem the right way, use traffic control. Example for a 1Mbit limit on outgoing email:

# Clean all rules and set the default pfifo_fast classless qdisc for the interface.
tc qdisc show dev eth0 | grep -q pfifo_fast || tc qdisc del dev eth0 root
# Set a classful qdisc with the Hierarchical Token Bucket algorithm
# and make class id 1001 the default for traffic not matched by a filter.
tc qdisc add dev eth0 handle 1: root htb default 1001
# Root class (the available link)
tc class add dev eth0 classid 1:1000 root htb rate 100Mbit ceil 100Mbit
# Two children (email/1002 and everything else/1001)
tc class add dev eth0 classid 1:1001 parent 1:1000 htb rate 99Mbit ceil 99Mbit
tc class add dev eth0 classid 1:1002 parent 1:1000 htb rate 1Mbit ceil 1Mbit
# Classify outgoing email (non-email traffic falls through to class 1001)
tc filter add dev eth0 protocol ip parent 1: u32 flowid 1:1002 match ip dport 25 0xffff
# Attach the classless Stochastic Fairness Queueing qdisc
# to improve fairness between concurrent connections.
tc qdisc add dev eth0 parent 1:1001 handle 1001: sfq perturb 10
tc qdisc add dev eth0 parent 1:1002 handle 1002: sfq perturb 10

-- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net
While you do not fully understand a piece of software, don't try to adapt the software to the way you work, but rather yourself to the way the software works (myself)
timeout after CONNECT, no HELO/EHLO response from clients
Seeing a problem with inbound delivery from relays. Incoming client connections are timing out, but I'm able to telnet to port 25 on my host and immediately get the 220 banner every time. Sometimes the connection times out before the 220 banner is displayed, sometimes it doesn't and the client never sends a HELO/EHLO. This is only happening to *specific* clients. The majority of clients are able to deliver mail with no problems. Sometimes there is a 421 error, sometimes it just throws "timeout after CONNECT from unknown". Version is 2.5.4, and I've disabled all of my client restrictions including a check_policy_service IP Blocker.

In the debug output below, you can see how one client gets the 220 banner, and the other doesn't, but the result is the same, a 421. Digging deeper, a packet capture shows that there is an EHLO from the client, but it appears to come before the 220 sometimes. Debug output follows, then snoop, then postconf -n is at the bottom. Many thanks

Debug output:
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect from unknown[134.53.6.74]
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? localhost
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 127.0.0.1
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.1.0/24
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.4.0/24
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.188.0/24
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.3.38
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.5.24
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.115
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.139
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.25
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.34
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.55
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.67
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.72
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.20.74
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.56.15
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.56.15
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.56.23
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.56.23
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.56.49
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.56.49
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.201
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.51
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.52
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.53
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.54
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.54
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.56
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.57
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.84.59
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.85.93
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.120.49
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.160.20
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 130.68.160.66
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr: 134.53.6.74 ~? 64.14.35.134
Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] match_hostaddr:
Re: timeout after CONNECT, no HELO/EHLO response from clients
On 03/10/2011 01:00 AM, Adam N. Copeland wrote:

Seeing a problem with inbound delivery from relays. Incoming client connections are timing out, but I'm able to telnet to port 25 on my host and immediately get the 220 banner every time. Sometimes the connection times out before the 220 banner is displayed, sometimes it doesn't and the client never sends a HELO/EHLO. This is only happening to *specific* clients. The majority of clients are able to deliver mail with no problems. Sometimes there is a 421 error, sometimes it just throws "timeout after CONNECT from unknown". Version is 2.5.4, and I've disabled all of my client restrictions including a check_policy_service IP Blocker. In the debug output below, you can see how one client gets the 220 banner, and the other doesn't, but the result is the same, a 421. Digging deeper, a packet capture shows that there is an EHLO from the client, but it appears to come before the 220 sometimes. Debug output follows, then snoop, then postconf -n is at the bottom. Many thanks

Debug output:

Please, don't post DEBUG output unless requested to do so. It often doesn't help, especially before it is clear postfix is in the wrong.

Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect from unknown[134.53.6.74]

okay

Mar 9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout exceeded

That's 3 minutes (180 seconds); any particular reason you changed it from the default of 300 seconds?

Mar 9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] timeout after CONNECT from unknown[134.53.6.74]
Mar 9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] disconnect from unknown[134.53.6.74]

The client did not send anything inside 3 minutes. Postfix disconnected. Whatever is happening, is happening client-side, so you should probably investigate that.

snoop
1 0.0 mualmarp02.mcs.muohio.edu -> pmx4 SMTP C port=37488
2 0.2 pmx4 -> mualmarp02.mcs.muohio.edu SMTP R port=37488
3 0.02686 mualmarp02.mcs.muohio.edu -> pmx4 SMTP C port=37488
4 0.41173 mualmarp02.mcs.muohio.edu -> pmx4 SMTP C port=37500
5 0.4 pmx4 -> mualmarp02.mcs.muohio.edu SMTP R port=37500

I don't know what snoop is, but it appears to screw up the chronology of traffic. This should not happen.

# postconf -n
mynetworks = localhost 127.0.0.1 130.68.1.0/24 130.68.4.0/24 130.68.188.0/24 130.68.3.38 130.68.5.24 130.68.20.115 130.68.20.139 130.68.20.25 130.68.20.34 130.68.20.55 130.68.20.67 130.68.20.72 130.68.20.74 130.68.56.15 130.68.56.15 130.68.56.23 130.68.56.23 130.68.56.49 130.68.56.49 130.68.84.201 130.68.84.51 130.68.84.52 130.68.84.53 130.68.84.54 130.68.84.54 130.68.84.56 130.68.84.57 130.68.84.59 130.68.85.93 130.68.120.49 130.68.160.20 130.68.160.66 64.14.35.134 66.111.5.152 69.25.199.3 207.66.21.3 205.237.106.3 69.25.199.33 149.72.3.15

oh. my. god.

-- J.
Re: Limiting outgoing SMTP connections when relaying message
On Wed, Mar 09, 2011 at 08:36:36PM -0300, Reinaldo de Carvalho wrote: Fix the problem on the right way, use traffic control. Example to outgoing email 1Mbit limit. That won't help with the timing out deliveries. There will still be very slow deliveries across many connections and they may well all time out. If deliveries were completing but DoSing other services, indeed traffic shaping would work, but when the existing pipe is too narrow even for SMTP to get work done, one does have to reduce concurrency, if the problem description is correct! -- Viktor.
Re: timeout after CONNECT, no HELO/EHLO response from clients
On Thu, Mar 10, 2011 at 01:14:48AM +0100, Jeroen Geilman wrote: Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect from unknown[134.53.6.74] okay Mar 9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout exceeded That's 3 minutes (180 seconds); any particular reason you changed it from the default of 300 seconds ? No, these are different smtpd(8) processes, and unrelated connections. -- Viktor.
Re: timeout after CONNECT, no HELO/EHLO response from clients
On 03/10/2011 01:56 AM, Victor Duchovni wrote: On Thu, Mar 10, 2011 at 01:14:48AM +0100, Jeroen Geilman wrote: Mar 9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect from unknown[134.53.6.74] okay Mar 9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout exceeded That's 3 minutes (180 seconds); any particular reason you changed it from the default of 300 seconds ? No, these are different smtpd(8) processes, and unrelated connections. Ouch, indeed. So this client is making connections in rapid succession - and failing ? -- J.
having and custome queue in postfix same as like HOLD queue
Hi All, I am Kshitij and I have been using the Postfix MTA for a mailing service for around 1.5 years (EXP). I want to build a new custom queue, the same as the HOLD queue. The current scenario is: I do not want any mail to be rejected, as per my management's instruction, so for all the filters I applied in the smtpd_*_restrictions I have given the HOLD action. So the hold dir keeps on growing, which makes it tough for me to search and release the mail from the queue. Straightforward: I would like to have a different queue (like HOLD) for the different filters I have applied. Can anyone help me please? A special note for the developers of Postfix is to keep the custom queue hold and release requirement in mind for future products. Thanks in advance, Kshitij +91 9967490880 foreplay...@gmail.com