Re: Postfix und SSL client problem.

2011-03-09 Thread kapetr
Hello,


Victor Duchovni victor.ducho...@morganstanley.com wrote:
  1.   How to get SSL certificate of smtp.iol.cz
  (and save it to
   file).
 
 Use openssl s_client -showcerts

Thanks - it works. Interestingly, this way I get only 2
certificates:

CN=smtp.iol.cz   (issuer CN=Thawte SSL CA) and
CN=Thawte SSL CA  (issuer CN=thawte Primary Root CA)

It is missing the Thawte root certificate CN=thawte Primary Root CA.
Fortunately I have found that this certificate is in /etc/ssl/certs.

So .. I had to copy these three certificates into
/var/lib/stunnel4/certs (chroot of stunnel4),
make the hash links (with the help of openssl x509 -subject_hash
-noout -in xyz), modify my stunnel.conf:

[ssmtp_client_iol]
client = yes
accept = 10465
connect = smtp.iol.cz:465
verify = 3
CApath = /certs

restart the service, cross my fingers :-)

$ telnet 127.0.0.1 10465

and ... SUCCESS - the log shows:

2011.03.09 09:27:15 LOG7[2608:3078739648]: ssmtp_client_iol accepted FD=14 from 127.0.0.1:58775
2011.03.09 09:27:15 LOG7[2608:3078736752]: ssmtp_client_iol started
2011.03.09 09:27:15 LOG7[2608:3078736752]: FD 14 in non-blocking mode
2011.03.09 09:27:15 LOG7[2608:3078736752]: TCP_NODELAY option set on local socket
2011.03.09 09:27:15 LOG7[2608:3078736752]: Waiting for a libwrap process
2011.03.09 09:27:15 LOG7[2608:3078736752]: Acquired libwrap process #0
2011.03.09 09:27:15 LOG7[2608:3078736752]: Releasing libwrap process #0
2011.03.09 09:27:15 LOG7[2608:3078736752]: Released libwrap process #0
2011.03.09 09:27:15 LOG7[2608:3078736752]: ssmtp_client_iol permitted by libwrap from 127.0.0.1:58775
2011.03.09 09:27:15 LOG5[2608:3078736752]: ssmtp_client_iol accepted connection from 127.0.0.1:58775
2011.03.09 09:27:15 LOG7[2608:3078736752]: FD 15 in non-blocking mode
2011.03.09 09:27:15 LOG6[2608:3078736752]: connect_blocking: connecting 194.228.2.82:465
2011.03.09 09:27:15 LOG7[2608:3078736752]: connect_blocking: s_poll_wait 194.228.2.82:465: waiting 10 seconds
2011.03.09 09:27:15 LOG5[2608:3078736752]: connect_blocking: connected 194.228.2.82:465
2011.03.09 09:27:15 LOG5[2608:3078736752]: ssmtp_client_iol connected remote server from 10.6.6.6:50305
2011.03.09 09:27:15 LOG7[2608:3078736752]: Remote FD=15 initialized
2011.03.09 09:27:15 LOG7[2608:3078736752]: TCP_NODELAY option set on remote socket
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): before/connect initialization
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write client hello A
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read server hello A
2011.03.09 09:27:15 LOG5[2608:3078736752]: CRL: verification passed
2011.03.09 09:27:15 LOG5[2608:3078736752]: VERIFY OK: depth=2, /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2011.03.09 09:27:15 LOG5[2608:3078736752]: CRL: verification passed
2011.03.09 09:27:15 LOG5[2608:3078736752]: VERIFY OK: depth=1, /C=US/O=Thawte, Inc./CN=Thawte SSL CA
2011.03.09 09:27:15 LOG5[2608:3078736752]: CRL: verification passed
2011.03.09 09:27:15 LOG5[2608:3078736752]: VERIFY OK: depth=0, /C=CZ/ST=Praha/L=Praha 4/O=Telefonica O2 Czech Republic, a.s./OU=Operations/CN=smtp.iol.cz
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read server certificate A
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read server done A
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write client key exchange A
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write change cipher spec A
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 write finished A
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 flush data
2011.03.09 09:27:15 LOG7[2608:3078736752]: SSL state (connect): SSLv3 read finished A
2011.03.09 09:27:15 LOG7[2608:3078736752]: 1 items in the session cache
2011.03.09 09:27:15 LOG7[2608:3078736752]: 1 client connects (SSL_connect())
2011.03.09 09:27:15 LOG7[2608:3078736752]: 1 client connects that finished
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 client renegotiations requested
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 server connects (SSL_accept())
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 server connects that finished
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 server renegotiations requested
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 session cache hits
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 external session cache hits
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 session cache misses
2011.03.09 09:27:15 LOG7[2608:3078736752]: 0 session cache timeouts
2011.03.09 09:27:15 LOG6[2608:3078736752]: SSL connected: new session negotiated
2011.03.09 09:27:15 LOG6[2608:3078736752]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2011.03.09 09:27:24 

Re: posfix rejected from google server

2011-03-09 Thread kapetr
Hello,


I have tried it - see below,
but without also removing it from the PBL it fails, as

Peter Evans's pe...@ixp.jp server uses zen.spamhaus.org, which
also includes the PBL list (dynamic address check).

LOG:
Mar  9 11:09:07 duron650 postfix/smtp[2873]: B316BA2A79:
to=pe...@ixp.jp, relay=mail.ixp.jp[222.147.76.196]:25, delay=9.1,
delays=0.26/0.09/8/0.7, dsn=5.7.1, status=bounced (host
mail.ixp.jp[222.147.76.196] said: 550 5.7.1 Service unavailable;
client [85.71.234.108] blocked using zen.spamhaus.org (in reply to
RCPT TO command))
Mar  9 11:09:08 duron650 postfix/cleanup[2872]: 1185DA2BE7:
message-id=20110309100908.1185da2...@108.234.broadband4.iol.cz



(FYI: This mail is sent via webmail volny.cz)

--kapetr

ORIGINAL MESSAGE:

From: Jiří Pánek jiri.pa...@email.cz
To:   Peter Evans pe...@ixp.jp
Subject: Re: posfix rejected from google server
Date:  Wed, 09 Mar 2011 11:08:56 +0100


Hello,


this is a direct email (for this test I have set my Postfix back to
direct sending - without relayhost).

In my main.cf is:
myhostname = 108.234.broadband4.iol.cz



Date: Mon, 7 Mar 2011 09:01:21 +0900
From: Peter Evans pe...@ixp.jp
Subject: Re: posfix rejected from google server

Just out of curiosity, can you try to send mail directly to me?
After you have removed yourself, it should take less than about an
hour to clear from the CBL + PBL.
Then mail should go through.

On cbl.abuseat.org I have made the request - it is now OK.
The http://www.spamhaus.org/pbl/query/PBL043205 I have left
unchanged, after reading the explanation. It is not a blacklist, so we
will see if it is true and this email will reach you :-)



A pity that cbl.abuseat.org, as described in
http://cbl.abuseat.org/faq.html, does not explain the criteria for how
someone's IP can get into their CBL list.

By sending mail to one of their very large spamtrap domains. The
reason they do not tell you how you get on is that if they did,
spammers would be able to avoid them and thus reduce the efficacy
thereof.

Looking at the timestamp on the CBL, was that IP address your ADSL
modem at that time?

Yes, it was!
That is why I am so confused about the CBL spam listing!
And the listed time corresponds to the test mail sent to GMAIL.
Not to a spamtrap domain. After that, there were no other incidents -
that is why I mean that I'm not infected.
So it is a mystery to me how I got into this list.

I have added to my FW rules:

-A ufw-user-output -o eth0 -p tcp -m tcp --syn -m multiport --dports 25,465,587 -j LOG --log-prefix "[MAIL OUTPUT] " --log-tcp-options --log-uid

and nothing suspect.
No spambot here (if it is not a hidden rootkit, of course).

Let me know if it reaches you.

Thanks

--kapetr




postscreen pregreeter DNS trick

2011-03-09 Thread Christian Roessner
Hi,

I recently read about the trick by Wietse, defining a second DNS record
to skip the 450 delay that follows some postscreen tests. I modified my
DNS and it looks like this now:

host -t mx roessner-network-solutions.com
roessner-network-solutions.com mail is handled by 10
mx0.roessner-net.de.
roessner-network-solutions.com mail is handled by 20
mx0-1.roessner-net.de.

and that works.

Could I also simply set a second A-RR for mx0.roessner-net.de. ? Do MTA
implementations always use any A record, if one throws a 450? I looked
inside smtp_addr.c to find answers (how Postfix might handle this) and
saw the usage of getaddrinfo() and pointered lists and stuff; not sure
if I really understood, but would Postfix use a next client IP, if one
temp fails?

Has the second-MX solution any advantages? Should I stay on the current
setup?

Thanks for bringing light :)

Christian
-- 
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



Re: posfix rejected from google server

2011-03-09 Thread Reindl Harald
Non-authoritative answer:
108.234.71.85.in-addr.arpa  name = 108.234.broadband4.iol.cz.

[85.71.234.108] blocked using zen.spamhaus.org

sorry but what is your problem?

you can not use your home-machine as mailserver and
nothing will change this, so what is new in your
message after this long thread where so many people
made clear what happens and why?

On 09.03.2011 11:23, kapetr wrote:
 Hello,
 
 
 I have tried it - see below,
 but without also removing it from the PBL it fails, as
 
 Peter Evans's pe...@ixp.jp server uses zen.spamhaus.org, which
 also includes the PBL list (dynamic address check).
 
 LOG:
 Mar  9 11:09:07 duron650 postfix/smtp[2873]: B316BA2A79:
 to=pe...@ixp.jp, relay=mail.ixp.jp[222.147.76.196]:25, delay=9.1,
 delays=0.26/0.09/8/0.7, dsn=5.7.1, status=bounced (host
 mail.ixp.jp[222.147.76.196] said: 550 5.7.1 Service unavailable;
 client [85.71.234.108] blocked using zen.spamhaus.org (in reply to
 RCPT TO command))
 Mar  9 11:09:08 duron650 postfix/cleanup[2872]: 1185DA2BE7:
 message-id=20110309100908.1185da2...@108.234.broadband4.iol.cz





Re: regular expressions was: Kernel Oops

2011-03-09 Thread Stan Hoeppner
mouss put forth on 3/8/2011 5:03 PM:
 [WARNING: Steven CC'd]
 

 things. so I'd say, do not consider performances as a primary target. go
 for catching spammers first. only tune after you get the right rules,
 and only if needed (I personally don't tune anything here. I'm happy to
 focus on catching spammers).

Likewise.  In my particular case execution time of the table is
irrelevant.  However, the execution latency of very large tables on busy
systems piqued my curiosity, giving me a desire to learn more, so I can
avoid adopting potentially bad habits now that may come back to haunt
me, performance wise, in the future.

Also, it's very possible, maybe more likely than not, that I
misunderstood some of Steven's advice, or took it out of context.

(Steven, sorry for inadvertently dragging you into the mosh pit) :)

Some who have been working with regular expressions for a long time may
feel otherwise, but at this point I find them fascinating.  From a spam
fighting standpoint they can be extremely powerful.  Again, I just want
to make sure I develop good habits now.

WRT Viktor's earlier post, I have seen examples of the grouping with
if/then blocks.  In fact, the fqrdns.pcre file makes use of them.
Although I'm not sure it's well optimized in this case.  There seem to
be an enormous number of expressions within a single if/then block, and
IIRC, there are only three such groupings in the set of 1600+
expressions.  So there's probably room for more performance
optimization.  At the table's current size though, I'm guessing the
potential performance gain wouldn't be worth the tweaking labor.

-- 
Stan


Re: Postfix und SSL client problem.

2011-03-09 Thread Matthias Andree
On 09.03.2011 10:14, kapetr wrote:
 Hello,
 
 
 Victor Duchovni victor.ducho...@morganstanley.com wrote:
 1.   How to get SSL certificate of smtp.iol.cz
 (and save it to
 file).

 Use openssl s_client -showcerts
 
 Thanks - it works. Interestingly, this way I get only 2
 certificates:
 
 CN=smtp.iol.cz   (issuer CN=Thawte SSL CA) and
 CN=Thawte SSL CA  (issuer CN=thawte Primary Root CA)
 
 It is missing the Thawte root certificate CN=thawte Primary Root CA.
 Fortunately I have found that this certificate is in /etc/ssl/certs.

Since the client needs the root certificate in its trusted store anyways
(usually /etc/ssl/certs or /usr/ssl/certs, or /etc/ssl/cert.pem as a
bundle, for system-wide OpenSSL installs anyways), there is no point in
the server sending it.  And if you retrieved it through the same channel
that you're fetching the mail through later, you couldn't trust it
anyways but would have to configure it separately.

 So .. I had to copy these three certificates into
 /var/lib/stunnel4/certs (chroot of stunnel4),
 make the hash links (with the help of openssl x509 -subject_hash
 -noout -in xyz), modify my stunnel.conf:
 
 [ssmtp_client_iol]
 client = yes
 accept = 10465
 connect = smtp.iol.cz:465
 verify = 3
 CApath = /certs

Whatever stunnel's purpose is in your setup (I'm jumping late into the
thread), stunnel is generally insecure unless you can make bullet-proof
guarantees that nothing else can ever grab port 10465 than this
particular stunnel instance.  You often can't guarantee that, and
someone else can hook a password sniffing application to port 10465
transparently.  Setting up a system in a way that it can safely run
stunnel is very hard, because the system must prevent stunnel users from
running/starting if stunnel isn't up.

-- 
Matthias Andree


Re: smtpd_sasl_path tcp-socket?

2011-03-09 Thread Hajo Locke

Hello,


RTFM, please.

The Postfix SASL_README file says:

Communication between the Postfix SMTP server and Dovecot
SASL happens via a UNIX-domain socket.

Support for inet: is NOT DOCUMENTED. It may disappear any time.
There is no promise nowhere that this actually works.

You use NOT DOCUMENTED settings at your own risk. I have no plans
to write warnings for settings that are NOT DOCUMENTED.

Wietse



this is true. maybe i stated the question in an inaccurate way and would 
like to turn this message into a feature request so it becomes an official 
feature in the next releases.
auth-service on a tcp-socket was added to dovecot last november, the docs are 
being updated these days, i read.

http://dovecot.org/list/dovecot/2011-March/057780.html
i think in some cases it is not recommended to have a local dovecot installed 
and it is more valuable to ask a central installation via tcp.

so my suggestion to make this a safe feature.

Thanks,
Hajo 



Re: Postix Newbie: Send all outbound mail to another postfix server

2011-03-09 Thread Stan Hoeppner
Randy Ramsdell put forth on 3/8/2011 3:57 PM:
 Stan Hoeppner wrote:

 FYI, the PBL isn't limited to dynamic listings.  Many corporations add
 their unused IP space to the PBL, along with other IPs within their
 netblocks that shouldn't be sending direct mail.  They do this as part
 of a multi-layered approach to network security, in addition to egress
 filtering at the edge firewalls.  One errant mouse click by an
 apprentice/junior SA can accidentally disable an egress filter, as can a
 botched firmware update on a firewall or router, etc, etc.  If, when
 such a thing occurs, you already have an internal spambot outbreak that
 the firewalls/routers were containing...

 I would have never considered this until one day the chief of network
 security at Nortel informed me they do precisely what I described above.

 Dorothy, you're not in Kansas anymore.

 
 If the firewall is blocking an outbreak of spam bots from sending mail
 to the outside, why did they not know and fix this? I mean is it so bad
 that the whole network team can't contain it? And then someone botched
 the firewall which allowed the spam to be sent? Nortel hmmm.

Randy, you misread what I posted.  Or maybe I didn't state things
clearly.  There were two separate things here.  My 1st paragraph above
describes why companies list some of their IP space in the PBL, and
describes one hypothetical scenario which makes doing so useful.  I
didn't understand the scenario.  That ... means you, the reader, are
supposed to imagine the rest of the outcome.  I think my prose threw you
off, and caused you to reverse cause and effect.

The 2nd paragraph simply states that I first learned of this use of the
PBL by the chief of network security at Nortel, and that Nortel lists
some of their netspace on the PBL.  The hypothetical scenario did _not_
occur at Nortel.

-- 
Stan


Re: regular expressions was: Kernel Oops

2011-03-09 Thread Stan Hoeppner
Steve put forth on 3/8/2011 5:12 PM:

 Maybe using if/endif conditions like Stan Hoeppner has done on his pcre map 
 could speedup things even more? - http://www.hardwarefreak.com/fqrdns.pcre

You're giving me too much credit. ;)  Again, I'm not the original author
of that table.  That person created the if/then structure.  I was
ignorant of exactly how it works in a PCRE until the last 24 hours.

I've simply made some additions, and fixed some minor errors I found, as
have others.  My current role WRT to the table is simply making it
freely available for others, adding an expression now and then,
incorporating contributions from others so all changes hit a master
copy, and spreading the word a little now and then as I think it's a
pretty useful A/S tool.

-- 
Stan



Re: Postix Newbie: Send all outbound mail to another postfix server

2011-03-09 Thread Stan Hoeppner
Dennis Guhl put forth on 3/8/2011 6:41 PM:

 Dorothy, you're not in Kansas anymore.
 
 What does this saying mean?

It's a para-quote from the 1939 American movie The Wizard of Oz.
Dorothy, a young girl living in farm house in Kansas, is swept away by a
powerful tornado.  When the house lands on solid ground, and Dorothy
opens the door, she finds herself in a wonderland.  She says to her
little dog, Toto, I've a feeling we're not in Kansas any more.

http://www.youtube.com/watch?v=EPWenQxryr4

When someone uses this phrase, or a variation, in modern culture, they
are conveying to a another person that they're seeing something they
never knew existed.

-- 
Stan


Using transport_maps

2011-03-09 Thread deconya
Hi guys

I need to configure my server to relay domains to an antispam server, but via
different hosts. I was looking and now I have doubts. In my configuration I'm
using two variables, relayhost and mydestination. I need to change it and I
found that I should use transport_maps, but I don't see examples to understand
how it works and if it is the best option. Can someone help me?

I need to map subdomains of the root domain to appoint to different servers.


For example:

sub1.domain.com:10.0.0.10
sub2.domain.com:10.0.0.11

Thanks for your time

Best Regards


OT: Re: Postix Newbie: Send all outbound mail to another postfix server

2011-03-09 Thread Dennis Guhl
On Wed, Mar 09, 2011 at 05:39:07AM -0600, Stan Hoeppner wrote:
 Dennis Guhl put forth on 3/8/2011 6:41 PM:
 
  Dorothy, you're not in Kansas anymore.
  
  What does this saying mean?
 
 It's a para-quote from the 1939 American movie The Wizard of Oz.
 Dorothy, a young girl living in farm house in Kansas, is swept away by a
 powerful tornado.  When the house lands on solid ground, and Dorothy
 opens the door, she finds herself in a wonderland.  She says to her
 little dog, Toto, I've a feeling we're not in Kansas any more.

Yes, someone else shoved me in this direction in a private mail. I
wasn't aware of this line, knowing only the German version of the book
and film.

 http://www.youtube.com/watch?v=EPWenQxryr4

Nice clip. Thank you.

 When someone uses this phrase, or a variation, in modern culture, they
 are conveying to a another person that they're seeing something they
 never knew existed.

This is not as bad as I thought it might be.

I asked because I found no explanation of this saying and got
redirected to the wikipedia article of the film where I found
Dorothy's quotation. Knowing about the differently colored filming in
Kansas and Oz I misinterpreted the meaning as 'the world is not b/w', which
would be 'you are too narrow-minded'.

Stan, thank you for the explanation.

So long
Dennis


Re: Server-to-server TLS

2011-03-09 Thread Raven
On Tue, 2011-03-08 at 08:30 -0500, Victor Duchovni wrote:
 On Tue, Mar 08, 2011 at 01:38:28PM +0100, Raven wrote:
 
  I would like to implement server-to-server TLS encryption between two
  postfix instances I manage. One of the servers already has
  TLS-capabilities but they are only used for SASL-AUTH clients.
  
  Where do I start to have the entire stream between the servers to be
  encrypted?
 
 http://www.postfix.org/TLS_README.html#client_tls
 http://www.postfix.org/TLS_README.html#client_tls_limits
 http://www.postfix.org/TLS_README.html#client_tls_levels
 http://www.postfix.org/TLS_README.html#client_tls_encrypt
 http://www.postfix.org/TLS_README.html#client_tls_secure
 http://www.postfix.org/TLS_README.html#client_tls_policy
 
 main.cf:
   indexed = ${default_database_type}:${config_directory}/
   dynamic = btree:${data_directory}/
   transport_maps = ${indexed}transport
   smtp_tls_policy_maps = ${indexed}tls-policy
   # Opportunistic TLS by default
   smtp_tls_security_level = may
   smtp_tls_session_cache_database = ${dynamic}smtp_tls_scache
 
 transport:
   example.com smtp:[mail.example.com]
   example.org smtp:example.net
   example.gov smtp:example.net
 
 tls-policy:
   # transport nexthop gateway for example.com mail
   [mail.example.com]  secure match=nexthop
 
   # transport nexthop domain for example.org and example.gov
   example.net secure
 
   # Domain routed via MX hosts to servers believed to support TLS
   # with verifiable certificates
   example.edu secure
 


Thanks.
How can I apply this to $relayhost without having to list all local
domains in the transport map (as they are already listed in
$virtual_mailbox_domains)?

-RV



Re: message id is a unique number?

2011-03-09 Thread Luciano Mannucci
On Wed, 9 Mar 2011 12:57:26 +
Mauro mrsan...@gmail.com wrote:

 In my logs I have:
 
 
 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247:
 from=..
 
 That number BF683A28247 is a unique number?
Yes and no.
It is unique in a timespan.
If you use logrotate(8) it is probably unique for you, depending on
your configuration.

Cheers,

Luciano.
-- 
 /\ /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
  X   AGAINST HTML MAIL/  E-MAIL: posthams...@sublink.sublink.org
 / \  AND POSTINGS/   WWW: http://www.mannucci.ORG/


Re: Postix Newbie: Send all outbound mail to another postfix server

2011-03-09 Thread Randy Ramsdell

Stan Hoeppner wrote:

Randy Ramsdell put forth on 3/8/2011 3:57 PM:

Stan Hoeppner wrote:



FYI, the PBL isn't limited to dynamic listings.  Many corporations add
their unused IP space to the PBL, along with other IPs within their
netblocks that shouldn't be sending direct mail.  They do this as part
of a multi-layered approach to network security, in addition to egress
filtering at the edge firewalls.  One errant mouse click by an
apprentice/junior SA can accidentally disable an egress filter, as can a
botched firmware update on a firewall or router, etc, etc.  If, when
such a thing occurs, you already have an internal spambot outbreak that
the firewalls/routers were containing...

I would have never considered this until one day the chief of network
security at Nortel informed me they do precisely what I described above.

Dorothy, you're not in Kansas anymore.


If the firewall is blocking an outbreak of spam bots from sending mail
to the outside, why did they not know and fix this? I mean is it so bad
that the whole network team can't contain it? And then someone botched
the firewall which allowed the spam to be sent? Nortel hmmm.


Randy, you misread what I posted.  Or maybe I didn't state things
clearly.  There were two separate things here.  My 1st paragraph above
describes why companies list some of their IP space in the PBL, and
describes one hypothetical scenario which makes doing so useful.  I
didn't understand the scenario.  That ... means you, the reader, are
supposed to imagine the rest of the outcome.  I think my prose threw you
off, and caused you to reverse cause and effect.

The 2nd paragraph simply states that I first learned of this use of the
PBL by the chief of network security at Nortel, and that Nortel lists
some of their netspace on the PBL.  The hypothetical scenario did _not_
occur at Nortel.



Ahhh, I see. I can see that listing non-mail sending ips you use on PBL 
as useful.


Re: message id is a unique number?

2011-03-09 Thread Reindl Harald

On 09.03.2011 13:57, Mauro wrote:
 In my logs I have:
 
 
 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: 
 from=..
 That number BF683A28247 is a unique number?

yes, for this message

with cat /var/log/maillog | grep BF683A28247 you get all lines
from this message (sasl-user, from, to, deferrals...)





Re: message id is a unique number?

2011-03-09 Thread Noel Jones

On 3/9/2011 6:57 AM, Mauro wrote:

In my logs I have:


Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..

That number BF683A28247 is a unique number?


The postfix queueid identifies a single message while it's in 
the queue.  The queueid is created from the queue file inode 
number and microsecond CPU time.


The queueid is unique while that message exists; only one 
message at a time may have a specific queueid.


Once the message exits the queue, that queueid can be reused 
at any time.


I've seen a queueid reused within 30 minutes.  Don't count on 
it being unique for any period of time.



  -- Noel Jones


DSN with original message

2011-03-09 Thread moildard moildard
Hello,

I know that full messages can be added in any failed DSN but I would like to
configure DSN to add in all cases the original message.

Could you tell me if this functionality could be added in future releases?
Thanks for your help !


Re: DSN with original message

2011-03-09 Thread Wietse Venema
moildard moildard:
 Hello,
 
 I know that full messages can be added in any failed DSN but I would like to
 configure DSN to add in all cases the original message.

Postfix NEVER sends full originals when:

a) The sender specified RET=HDRS (return headers only). See RFC
   3461 for details about the SMTP DSN extension.

b) The message exceeds $bounce_size_limit. It is a really bad idea
   to return a very large message to someone who may not even have
   sent it because the sender was forged.

Wietse


Re: message id is a unique number?

2011-03-09 Thread Mauro
On 9 March 2011 14:04, Noel Jones njo...@megan.vbhcs.org wrote:
 On 3/9/2011 6:57 AM, Mauro wrote:

 In my logs I have:


 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247:
 from=..

 That number BF683A28247 is a unique number?

 The postfix queueid identifies a single message while it's in the queue.
  The queueid is created from the queue file inode number and microsecond CPU
 time.

 The queueid is unique while that message exists; only one message at a time
 may have a specific queueid.

 Once the message exits the queue, that queueid can be reused at any time.

 I've seen a queueid reused within 30 minutes.  Don't count on it being
 unique for any period of time.

I need to know, one year later, who sent to whom.
I have logs for the year and records are like:

Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: from=..
Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: to=..

What element can I use to identify who sent to whom in the log files?


Re: message id is a unique number?

2011-03-09 Thread Patrick Ben Koetter
* Mauro mrsan...@gmail.com:
 On 9 March 2011 14:04, Noel Jones njo...@megan.vbhcs.org wrote:
  On 3/9/2011 6:57 AM, Mauro wrote:
 
  In my logs I have:
 
 
  Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247:
  from=..
 
  That number BF683A28247 is a unique number?
 
  The postfix queueid identifies a single message while it's in the queue.
   The queueid is created from the queue file inode number and microsecond CPU
  time.
 
  The queueid is unique while that message exists; only one message at a time
  may have a specific queueid.
 
  Once the message exits the queue, that queueid can be reused at any time.
 
  I've seen a queueid reused within 30 minutes.  Don't count on it being
  unique for any period of time.
 
 I need to know, one year later, who sent to whom.
 I have logs for the year and records are like:
 
 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: 
 from=..
 Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: to=..
 
 What element can I use to identify who sent to whom in the log files?

Create your own tag. Use the WARN function in Postfix access(5) to generate a
log entry.

p@rick



-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/


Re: postscreen pregreeter DNS trick

2011-03-09 Thread Christian Roessner
  Has the second-MX solution any advantages? Should I stay on the current
  setup?
 
 Your current setup looks fine.

thanks for explaining the different aspects :)

Christian
-- 
Roessner-Network-Solutions
Bachelor of Science Informatik
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
USt-IdNr.: DE225643613
http://www.roessner-network-solutions.com



Re: message id is a unique number?

2011-03-09 Thread Mauro
On 9 March 2011 15:46, Patrick Ben Koetter p...@state-of-mind.de wrote:
 * Mauro mrsan...@gmail.com:
 On 9 March 2011 14:04, Noel Jones njo...@megan.vbhcs.org wrote:
  On 3/9/2011 6:57 AM, Mauro wrote:
 
  In my logs I have:
 
 
  Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247:
  from=..
 
  That number BF683A28247 is a unique number?
 
  The postfix queueid identifies a single message while it's in the queue.
   The queueid is created from the queue file inode number and microsecond 
  CPU
  time.
 
  The queueid is unique while that message exists; only one message at a time
  may have a specific queueid.
 
  Once the message exits the queue, that queueid can be reused at any time.
 
  I've seen a queueid reused within 30 minutes.  Don't count on it being
  unique for any period of time.

 I need to know, one year later, who sent to whom.
 I have logs for the year and records are like:

 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: 
 from=..
 Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: 
 to=..

 What element can I use to identify who sent to whom in the log files?

 Create your own tag. Use the WARN function in Postfix access(5) to generate a
 log entry.

I already have one year of logs; I should parse these logs to identify
who sent to whom.


Re: message id is a unique number?

2011-03-09 Thread Reindl Harald
[root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
Mar  9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: 
client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
sasl_username=h.rei...@thelounge.net
Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
sasl_username=h.rei...@thelounge.net

[root@mail:~]$ cat maillog | grep 614CEE8
Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
sasl_username=h.rei...@thelounge.net
Mar  9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: 
message-id=4d779b81.3050...@thelounge.net
Mar  9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: 
from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
Mar  9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=strip...@thelounge.net, 
relay=127.0.0.1[127.0.0.1]:24,
delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient 
strip...@thelounge.net OK)
Mar  9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed


On 09.03.2011 16:52, Mauro wrote:
 On 9 March 2011 15:46, Patrick Ben Koetter p...@state-of-mind.de wrote:
 * Mauro mrsan...@gmail.com:
 On 9 March 2011 14:04, Noel Jones njo...@megan.vbhcs.org wrote:
 On 3/9/2011 6:57 AM, Mauro wrote:

 I my logs I have:


 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247:
 from=..

 That number BF683A28247 is a unique number?

 The postfix queueid identifies a single message while it's in the queue.
  The queueid is created from the queue file inode number and microsecond 
 CPU
 time.

 The queueid is unique while that message exists; only one message at a time
 may have a specific queueid.

 Once the message exits the queue, that queueid can be reused at any time.

 I've seen a queueid reused within 30 minutes.  Don't count on it being
 unique for any period of time.

 I need to know in one year who sent at who.
 I have logs for the year and records are like:

 Feb 13 06:27:57 mail1-xen postfix/qmgr[8336]: BF683A28247: 
 from=..
 Feb 13 06:28:13 mail1-xen postfix/qmgr[8336]: BF683A28247: 
 to=..

 What element I can use to identify who sent at who in the logs files?

 Create you own tag. Use the WARN function in Postfix access (5) to generate a
 log entry.
 
 I have already logs of one year, I should parse these logs to identify
 who sent at who.

-- 

Best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/





Re: message id is a unique number?

2011-03-09 Thread Mauro
On 9 March 2011 16:19, Reindl Harald h.rei...@thelounge.net wrote:
 [root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
 Mar  9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: 
 client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
 sasl_username=h.rei...@thelounge.net
 Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
 client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
 sasl_username=h.rei...@thelounge.net

 [root@mail:~]$ cat maillog | grep 614CEE8
 Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
 client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
 sasl_username=h.rei...@thelounge.net
 Mar  9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: 
 message-id=4d779b81.3050...@thelounge.net
 Mar  9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: 
 from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
 Mar  9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: 
 to=strip...@thelounge.net, relay=127.0.0.1[127.0.0.1]:24,
 delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient 
 strip...@thelounge.net OK)
 Mar  9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed

But from what I understand 614CEE8 is not unique and I have to parse
logs for one year.


Re: rewrite the from based on a client hostname or ip

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 02:22:15PM +, Katzir, Igal wrote:

 Thanks Wietse,
 
 In order to run multiple postfix instances on a single host, 
 I read in the http://www.postfix.org/MULTI_INSTANCE_README.html that we need 
 to upgrade the Postfix to 2.6 and preferably to 2.7.3

You can run multiple instances of Postfix even with Postfix 1.0, you just
need to handle the start/stop/... and instance creation manually. The
multi-instance tooling is primarily intended to integrate with vendor
distributions that already start the primary instance of Postfix, and
use that to start the entire stack.

Of course now that it's done, all the vendors are re-designing system
start-up... :-)

-- 
Viktor.


Re: Server-to-server TLS

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 01:36:46PM +0100, Raven wrote:

 How can I apply this to $relayhost without having to list all local
 domains in the transport map (as they are already listed in
 $virtual_mailbox_domains)?

Why are you using virtual_mailbox_domains for addresses that are relayed
to another host?

As for TLS, the security policy and certificate verification are tied to
the nexthop destination, not the recipient domain, if the two differ,
it is the nexthop destination that is used. This is documented, please
read the documentation carefully.

-- 
Viktor.


Re: message id is a unique number?

2011-03-09 Thread Noel Jones

On 3/9/2011 10:26 AM, Mauro wrote:

On 9 March 2011 16:19, Reindl Harald h.rei...@thelounge.net wrote:

[root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
Mar  9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: 
client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
sasl_username=h.rei...@thelounge.net
Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
sasl_username=h.rei...@thelounge.net

[root@mail:~]$ cat maillog | grep 614CEE8
Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
sasl_username=h.rei...@thelounge.net
Mar  9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: 
message-id=4d779b81.3050...@thelounge.net
Mar  9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: 
from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
Mar  9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: to=strip...@thelounge.net, 
relay=127.0.0.1[127.0.0.1]:24,
delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 
Recipient strip...@thelounge.net OK)
Mar  9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed


But from what I understand 614CEE8 is not unique and I have to parse
logs for one year.




counters for a specific queueid should be reset after a ... 
QUEUEID: removed log entry.




  -- Noel Jones


Re: message id is a unique number?

2011-03-09 Thread Wietse Venema
Noel Jones:
 On 3/9/2011 10:26 AM, Mauro wrote:
  On 9 March 2011 16:19, Reindl Harald h.rei...@thelounge.net wrote:
  [root@mail:~]$ cat maillog | grep -i sasl | grep reindl | tail -n 2
  Mar  9 15:00:22 mail postfix/smtpd[7582]: 0BA7FE9: 
  client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
  sasl_username=h.rei...@thelounge.net
  Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
  client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
  sasl_username=h.rei...@thelounge.net
 
  [root@mail:~]$ cat maillog | grep 614CEE8
  Mar  9 16:23:45 mail postfix/smtpd[8877]: 614CEE8: 
  client=rh.thelounge.net[10.0.0.99], sasl_method=PLAIN,
  sasl_username=h.rei...@thelounge.net
  Mar  9 16:23:45 mail postfix/cleanup[8918]: 614CEE8: 
  message-id=4d779b81.3050...@thelounge.net
  Mar  9 16:23:45 mail postfix/qmgr[19091]: 614CEE8: 
  from=h.rei...@thelounge.net, size=2543, nrcpt=1 (queue active)
  Mar  9 16:23:45 mail postfix/lmtp[8303]: 614CEE8: 
  to=strip...@thelounge.net, relay=127.0.0.1[127.0.0.1]:24,
  delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 
  Recipient strip...@thelounge.net OK)
  Mar  9 16:24:15 mail postfix/qmgr[19091]: 614CEE8: removed
 
  But from what I understand 614CEE8 is not unique and I have to parse
  logs for one year.
 
 counters for a specific queueid should be reset after a ... 
 QUEUEID: removed log entry.

Correct. With current Postfix implementations, there are two marker
records that you can use:

- The postfix/qmgr  removed record that says the file is deleted.
  This record was introduced with Postfix version 2.1.

- The postfix/smtpd ... client=... that says the file is created.
  This record is written by all Postfix versions. There is no
  equivalent record for mail that is submitted with the Postfix
  sendmail command. Instead use postfix/cleanup .. message-id=...
  which is also logged for SMTP mail.

Wietse


Re: message id is a unique number?

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 01:17:38PM -0500, Wietse Venema wrote:

 Correct. With current Postfix implementations, there are two marker
 records that you can use:
 
 - The postfix/qmgr  removed record that says the file is deleted.
   This record was introduced with Postfix version 2.1.
 
 - The postfix/smtpd ... client=... that says the file is created.
   This record is written by all Postfix versions. There is no
   equivalent record for mail that is submitted with the Postfix
   sendmail command. Instead use postfix/cleanup .. message-id=...
   which is also logged for SMTP mail.

In addition to qmqpd(8) logging message creation just like smtpd(8),
in fact pickup(8) also logs message creation:

2011-03-09T12:55:01-05:00 amnesiac postfix/pickup[25191]:
27D602FB86: uid=52009 from=user

Things get more interesting with internally generated messages, either
indirect forwarding by local(8) or sender/postmaster notifications from
(sufficiently recent Postfix) bounce(8):

2011-03-09T13:23:18-05:00 amnesiac postfix/bounce[11606]:
D55BD5049C4: sender non-delivery notification: BACC6504D20

these are logged after the cleanup(8) service logs the creation of
the message and instead correlate to the processing of the old and new
messages. These are not indicators that all previous instances of the
new queue-id are unrelated. So there is a theoretical possibility that
an smtpd(8) client=... log entry that goes with an aborted message
delivery will get incorrectly associated with a non-SMTP internally
generated message that reuses the queue id shortly after the aborted
transaction. In practice, this is a non-issue, and the presence of
bounce(8) or local(8) log entries can be used to pre-empt the association
of the most recent instance of the new queue-id with any external source.

-- 
Viktor.

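The correlation rules from Wietse's and Viktor's replies above (creation markers from smtpd/qmqpd "client=", pickup "uid=" and cleanup "message-id=", the qmgr "removed" deletion marker, and the bounce(8) pre-emption of a stale external marker), put into a small log correlator. This is an added example for this thread, not Postfix code or anything the posters wrote; the log lines are constructed for the example and use the short upper-case queue IDs of the Postfix versions discussed here. It shows why a plain grep on a queue ID is unsafe for a year of logs: the same ID is attributed to two different senders unless sessions are split at the markers.

```python
"""Correlate Postfix syslog lines into per-message sessions so that a queue ID
that is reused after a "qmgr: removed" record is not mistaken for the earlier
message.  Added example for this thread; it is not Postfix code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A syslog line from a Postfix daemon that carries a (short, upper-case hex) queue ID.
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: '
                     r'(?P<qid>[0-9A-Z]+): (?P<rest>.*)$')
KV_RE = re.compile(r'([\w-]+)=(<[^>]*>|[^,\s]+)')   # key=value pairs; <...> values kept whole

@dataclass
class Session:
    qid: str
    origin: str                              # smtpd, qmqpd, pickup, cleanup, bounce or unknown
    start: str
    client: Optional[str] = None
    sasl_username: Optional[str] = None
    message_id: Optional[str] = None
    sender: Optional[str] = None
    recipients: List[Tuple[str, str]] = field(default_factory=list)   # (address, status)
    parent: Optional[str] = None             # bounce only: queue ID of the message it reports on
    end: Optional[str] = None
    closed_by: Optional[str] = None          # 'removed', or 'superseded' when the ID was reused

def fields(rest: str) -> dict:
    return {k: v.strip('<>') for k, v in KV_RE.findall(rest)}

def correlate(lines) -> List[Session]:
    live, done = {}, []                      # live: queue ID -> session that has not ended yet
    def close(qid, ts, why):
        s = live.pop(qid, None)
        if s:
            s.end, s.closed_by = ts, why
            done.append(s)
    def start(qid, ts, origin, **attrs):
        close(qid, ts, 'superseded')         # a creation marker ends whatever used this ID before
        live[qid] = Session(qid, origin, ts, **attrs)
        return live[qid]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['qid'] == 'NOQUEUE':
            continue
        ts, prog, qid, rest = m['ts'], m['prog'], m['qid'], m['rest']
        f, cur = fields(rest), live.get(qid)
        if prog == 'qmgr' and rest == 'removed':               # deletion marker (Postfix >= 2.1)
            close(qid, ts, 'removed')
        elif prog in ('smtpd', 'qmqpd') and 'client' in f:     # creation marker, network submission
            start(qid, ts, prog, client=f['client'], sasl_username=f.get('sasl_username'))
        elif prog == 'pickup' and 'uid' in f:                  # creation marker, sendmail(1) submission
            start(qid, ts, prog, sender=f.get('from'))
        elif prog == 'cleanup' and 'message-id' in f:
            if cur and cur.message_id is None:
                cur.message_id = f['message-id']
            else:                            # no creation marker seen, or a second message-id: reuse
                start(qid, ts, prog, message_id=f['message-id'])
        elif prog == 'bounce' and 'notification:' in rest:     # "<old>: ... notification: <new>"
            new_qid = rest.rsplit(' ', 1)[1]
            child = live.get(new_qid)
            if child and child.origin in ('smtpd', 'qmqpd', 'pickup'):
                # stale external marker from an aborted transaction: the bounce pre-empts it
                mid, child.message_id = child.message_id, None
                child = start(new_qid, ts, 'bounce', message_id=mid)
            elif child is None:
                child = start(new_qid, ts, 'bounce')
            child.origin, child.parent = 'bounce', qid
        elif prog == 'qmgr' and 'from' in f:
            (cur or start(qid, ts, 'unknown')).sender = f['from']
        elif prog in ('smtp', 'lmtp', 'local', 'virtual', 'pipe', 'error') and 'to' in f:
            (cur or start(qid, ts, 'unknown')).recipients.append((f['to'], f.get('status', '?')))
    return done + list(live.values())

def who_sent_to_whom(sessions: List[Session]):
    return [(s.qid, s.origin, s.sender, [addr for addr, _ in s.recipients]) for s in sessions]

# Constructed sample: 614CEE8 is used twice (an authenticated user, then an unauthenticated
# client whose mail bounces); 9A1C3F0 is left over from an aborted smtpd transaction and reused by the bounce.
SAMPLE_LOG = """\
Mar  9 16:23:45 mx postfix/smtpd[8877]: 614CEE8: client=alice-pc.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.org
Mar  9 16:23:45 mx postfix/cleanup[8918]: 614CEE8: message-id=<4d779b81.3050@example.org>
Mar  9 16:23:45 mx postfix/qmgr[19091]: 614CEE8: from=<alice@example.org>, size=2543, nrcpt=1 (queue active)
Mar  9 16:23:45 mx postfix/lmtp[8303]: 614CEE8: to=<bob@example.org>, relay=127.0.0.1[127.0.0.1]:24, delay=0.15, delays=0.03/0/0/0.12, dsn=2.0.0, status=sent (215 Recipient OK)
Mar  9 16:24:15 mx postfix/qmgr[19091]: 614CEE8: removed
Mar  9 16:40:01 mx postfix/smtpd[9001]: 9A1C3F0: client=unknown[198.51.100.7]
Mar  9 16:51:02 mx postfix/smtpd[9120]: 614CEE8: client=unknown[198.51.100.7]
Mar  9 16:51:02 mx postfix/cleanup[9133]: 614CEE8: message-id=<bulk-0042@example.net>
Mar  9 16:51:02 mx postfix/qmgr[19091]: 614CEE8: from=<offers@example.net>, size=71234, nrcpt=1 (queue active)
Mar  9 16:51:03 mx postfix/smtp[9140]: 614CEE8: to=<nobody@example.com>, relay=mail.example.com[203.0.113.25]:25, delay=0.6, delays=0.1/0/0.5/0, dsn=5.1.1, status=bounced (unknown user)
Mar  9 16:51:03 mx postfix/cleanup[9133]: 9A1C3F0: message-id=<20110309155103.9A1C3F0@mx>
Mar  9 16:51:03 mx postfix/bounce[9150]: 614CEE8: sender non-delivery notification: 9A1C3F0
Mar  9 16:51:03 mx postfix/qmgr[19091]: 614CEE8: removed
Mar  9 16:51:03 mx postfix/qmgr[19091]: 9A1C3F0: from=<>, size=3011, nrcpt=1 (queue active)
Mar  9 16:51:04 mx postfix/smtp[9140]: 9A1C3F0: to=<offers@example.net>, relay=mail.example.net[203.0.113.40]:25, delay=0.5, delays=0.1/0/0.3/0.1, dsn=2.0.0, status=sent (250 Ok)
Mar  9 16:51:04 mx postfix/qmgr[19091]: 9A1C3F0: removed
"""

if __name__ == '__main__':
    for row in who_sent_to_whom(correlate(SAMPLE_LOG.splitlines())):
        print(row)
```

Run against the sample, the correlator yields four sessions rather than the two a grep by queue ID would suggest: the authenticated alice message and the later unauthenticated bulk message are kept apart although both are 614CEE8, and the aborted smtpd transaction on 9A1C3F0 is closed as superseded instead of being credited with the bounce's message-id. For a real year of logs, feed the lines in chronological order (syslog rotation files oldest first) and key any long-term index on host plus queue ID plus start time, as Murray notes OpenDKIM had to.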

Re: message id is a unique number?

2011-03-09 Thread Wietse Venema
Victor Duchovni:
 On Wed, Mar 09, 2011 at 01:17:38PM -0500, Wietse Venema wrote:
 
  Correct. With current Postfix implementations, there are two marker
  records that you can use:
  
  - The postfix/qmgr  removed record that says the file is deleted.
This record was introduced with Postfix version 2.1.
  
  - The postfix/smtpd ... client=... that says the file is created.
This record is written by all Postfix versions. There is no
equivalent record for mail that is submitted with the Postfix
sendmail command. Instead use postfix/cleanup .. message-id=...
which is also logged for SMTP mail.
 
 In addition to qmqpd(8) logging message creation just like smtpd(8),
 in fact pickup(8) also logs message creation:
 
 2011-03-09T12:55:01-05:00 amnesiac postfix/pickup[25191]:
   27D602FB86: uid=52009 from=user
 
 Things get more interesting with internally generated messages, either
 indirect forwarding by local(8) or sender/postmaster notifications from
 (sufficiently recent Postfix) bounce(8):
 
 2011-03-09T13:23:18-05:00 amnesiac postfix/bounce[11606]:
   D55BD5049C4: sender non-delivery notification: BACC6504D20
 
 these are logged after the cleanup(8) service logs the creation of
 the message and instead correlate to the processing of the old and new
 messages. These are not indicators that all previous instances of the
 new queue-id are unrelated. So there is a theoretical possibility that
 an smtpd(8) client=... log entry that goes with an aborted message
 delivery will get incorrectly associated with a non-SMTP internally
 generated message that reuses the queue id shortly after the aborted
 transaction. In practice, this is a non-issue, and the presence of
 bounce(8) or local(8) log entries can be used to pre-empt the association
 of the most recent instance of the new queue-id with any external source.

Perhaps it is time to replace the time-in-microseconds portion of
the queue ID by a sufficient number of random bits.

Wietse


Re: message id is a unique number?

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 01:56:50PM -0500, Wietse Venema wrote:

 Perhaps it is time to replace the time-in-microseconds portion of
 the queue ID by a sufficient number of random bits.

I would not replace the microsecond time, its monotonicity has useful
properties.

Rather, we could augment the microsecond time and inode with ~16
additional bits, say cleanup appends to the microsecond encoding,
before the inode:

(epoch time & 0xff) << 8 | (pid + msg count) & 0xff

On a lightly loaded system with a single cleanup doing all the work, the
pid + msg count will be locally monotone even if the clock drifts back.

While pid + msg count collisions will happen on busy systems, the
clock should keep repetitions at least 256 seconds apart, but
in practice the odds of the microseconds and pid also colliding when
the same inode is being re-used are extremely low.

-- 
Viktor.


RE: message id is a unique number?

2011-03-09 Thread Murray S. Kucherawy
For what it's worth, sendmail's implementation encodes the current time down to 
the second plus the pid of the handling process in its queue IDs.  A collision 
then could only happen if the same pid got re-used twice in the same second.  
It doesn't include the inode or any random data.

Details: http://www.ale.org/pipermail/ale/2001-May/022331.html

Similar to the issue of log correlation, in the OpenDKIM stats project work we 
had to have an SQL key across the reporting host, queue ID and timestamp 
columns to account for the fact that postfix recycles queue IDs, sometimes 
relatively quickly.

-MSK



RE: Message is modified after after-queue filter

2011-03-09 Thread Murray S. Kucherawy
 -Original Message-
 From: owner-postfix-us...@postfix.org 
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Victor Duchovni
 Sent: Tuesday, March 08, 2011 2:02 PM
 To: postfix-users@postfix.org
 Subject: Re: Message is modified after after-queue filter
 
  My current work-around is to correctly format my emails in my software
  before they are sent to postfix so that the messages are not modified at
  all. But that is not the best solution.
 
 Actually that *is* the best solution. Send 7-bit encoded mail with
 correct line endings.

Furthermore, even if postfix could be coerced into not doing the rewrites 
you're describing, something else down the chain likely will, invalidating your 
signatures anyway.

The best thing to do is try to minimize that from happening anywhere between 
you and the verifier.

-MSK


Re: message id is a unique number?

2011-03-09 Thread Wietse Venema
Murray S. Kucherawy:
 For what it's worth, sendmail's implementation encodes the current
 time down to the second plus the pid of the handling process in
 its queue IDs.  A collision then could only happen if the same
 pid got re-used twice in the same second.  It doesn't include the
 inode or any random data.
 
 Details: http://www.ale.org/pipermail/ale/2001-May/022331.html
 
 Similar to the issue of log correlation, in the OpenDKIM stats
 project work we had to have an SQL key across the reporting host,
 queue ID and timestamp columns to account for the fact that postfix
 recycles queue IDs, sometimes relatively quickly.

There is one difference: Sendmail can just pick a name, and pick
another one if the name already exists in a particular directory.

Postfix uses the inode number in the name, because the name needs
to be unique across the incoming, active, and deferred directories.

Postfix could lengthen the time before reuse, by including more
time information (four hex digits for ~1 day, six hex digits for
~0.5 year, eight hex digits for ~100 years). Seven hex digits should
be sufficient to silence any complaints. Tighter packing is possible,
but we're restricted to letters and digits (i.e. base 62 math).

Wietse


Re: message id is a unique number?

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote:

 Postfix uses the inode number in the name, because the name needs
 to be unique across the incoming, active, and deferred directories.
 
 Postfix could lengthen the time before reuse, by including more
 time information (four hex digits for ~1 day, six hex digits for
 ~0.5 year, eight hex digits for ~100 years). Seven hex digits should
 be sufficient to silence any complaints. Tighter packing is possible,
 but we're restricted to letters and digits (i.e. base 62 math).

Couldn't one also freely use _ and + for a complete base64 alphabet?
Certainly log parsers would have to adapt, but is there another reason?

-- 
Viktor.


Re: message id is a unique number?

2011-03-09 Thread Randy Ramsdell

Victor Duchovni wrote:

On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote:


Postfix uses the inode number in the name, because the name needs
to be unique across the incoming, active, and deferred directories.

Postfix could lengthen the time before reuse, by including more
time information (four hex digits for ~1 day, six hex digits for
~0.5 year, eight hex digits for ~100 years). Seven hex digits should
be sufficient to silence any complaints. Tighter packing is possible,
but we're restricted to letters and digits (i.e. base 62 math).


Couldn't one also freely use _ and + for a complete base64 alphabet?
Certainly log parsers would have to adapt, but is there another reason?



time since EPOCH?


Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Tim
Sorry if this is a silly question, but I'm something of a Postfix (and 
mail servers in general) newbie.


My Postfix server is all working fine, and is happily acting as a 
relay for my local network.


However, I'm having problems when a user tries to send a single, large 
message to a large number of recipients at different domains, relaying 
via the Postfix server.


What happens is that Postfix receives the message from the sender, 
queues it, then immediately connects to *all* of the destination 
servers simultaneously and starts sending the message to them. This 
completely saturates the upstream Internet link, so each destination 
server sees a gradual trickle of data, and virtually all of them 
time-out while receiving data.


Postfix then defers the whole message for x minutes, but when the x 
minutes is up, it simply repeats the process, connecting to all the 
remaining destinations at once, resulting in them (nearly) all timing 
out.


Is there a way to limit the number of simultaneous outgoing 
connections the server can make, so I can reduce this limit to 2 or 3, 
and maybe have a fighting chance of the message actually being 
delivered within a reasonable timescale?


Perhaps I'm thick, but I can only see options to set the maximum 
number of connections per-domain - but the problem is a single message 
going to multiple domains - I can't see any settings to change that.


Thanks in advance for any help.



Re: Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote:

 What happens is that Postfix receives the message from the sender, queues 
 it, then immediately connects to *all* of the destination servers 
 simultaneously and starts sending the message to them. This completely 
 saturates the upstream Internet link, so each destination server sees a 
 gradual trickle of data, and virtually all of them time-out while receiving 
 data.

On a server with limited network capacity set a small process limit for
the smtp unix ... smtp delivery agent entry in master.cf.

http://www.postfix.org/master.5.html

-- 
Viktor.


Re: Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Tim

Victor Duchovni wrote:

On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote:

What happens is that Postfix receives the message from the sender, queues 
it, then immediately connects to *all* of the destination servers 
simultaneously and starts sending the message to them. This completely 
saturates the upstream Internet link, so each destination server sees a 
gradual trickle of data, and virtually all of them time-out while receiving 
data.


On a server with limited network capacity set a small process limit for
the smtp unix ... smtp delivery agent entry in master.cf.

http://www.postfix.org/master.5.html


Thanks.

Not sure I fully understand what effect that will have, but I've set 
the process limit to 2.


Will that restrict the number of outgoing connections to 2? I'm confused.



Re: message id is a unique number?

2011-03-09 Thread Wietse Venema
Victor Duchovni:
 On Wed, Mar 09, 2011 at 04:05:18PM -0500, Wietse Venema wrote:
 
  Postfix uses the inode number in the name, because the name needs
  to be unique across the incoming, active, and deferred directories.
  
  Postfix could lengthen the time before reuse, by including more
  time information (four hex digits for ~1 day, six hex digits for
  ~0.5 year, eight hex digits for ~100 years). Seven hex digits should
  be sufficient to silence any complaints. Tighter packing is possible,
  but we're restricted to letters and digits (i.e. base 62 math).
 
 Couldn't one also freely use _ and + for a complete base64 alphabet?
 Certainly log parsers would have to adapt, but is there another reason?

Breaking logfile parsers might be one.

The Postfix queue file module has strict checks on queue file name
syntax.  I had to add permission to use _ for flush(8) logs, but
I would rather not water down the syntax restrictions further.

Wietse


Re: Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 10:21:44PM +, Tim wrote:

 Victor Duchovni wrote:
 On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote:
 What happens is that Postfix receives the message from the sender, queues 
 it, then immediately connects to *all* of the destination servers 
 simultaneously and starts sending the message to them. This completely 
 saturates the upstream Internet link, so each destination server sees a 
 gradual trickle of data, and virtually all of them time-out while 
 receiving data.
 On a server with limited network capacity set a small process limit for
 the smtp unix ... smtp delivery agent entry in master.cf.
  http://www.postfix.org/master.5.html

 Thanks.

 Not sure I fully understand what effect that will have, but I've set the 
 process limit to 2.

 Will that restrict the number of outgoing connections to 2? I'm confused.

Each delivery agent delivers one message at a time. With two delivery
agents there are at most two parallel deliveries. The default process
limit is 100. I would first try 10 or 20, before taking it all the way
down to 2. Such a small process limit can create severe congestion...

-- 
Viktor.

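The master.cf entry Viktor is referring to, added here as an illustration (it is not from the thread or from any poster's configuration). The process limit is the seventh column, maxproc; a "-" there means the value of default_process_limit, which is 100 by default. The two smtp lines show the default and the capped form; only one of them belongs in the file.

```text
# service type  private unpriv  chroot  wakeup  maxproc command + args
#
# default: up to 100 smtp(8) delivery agents, hence up to 100 parallel deliveries
smtp      unix  -       -       n       -       -       smtp
#
# capped: at most 20 smtp(8) processes, hence at most 20 parallel outbound sessions
smtp      unix  -       -       n       -       20      smtp
```

Run "postfix reload" after editing. The per-destination settings Tim found (default_destination_concurrency_limit and friends) only bound parallel deliveries to one destination, which is why they do not help with one message fanned out over many domains; the maxproc column bounds the total.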

Re: Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Tim

Victor Duchovni wrote:

On Wed, Mar 09, 2011 at 10:21:44PM +, Tim wrote:


Victor Duchovni wrote:

On Wed, Mar 09, 2011 at 09:40:26PM +, Tim wrote:
What happens is that Postfix receives the message from the sender, queues 
it, then immediately connects to *all* of the destination servers 
simultaneously and starts sending the message to them. This completely 
saturates the upstream Internet link, so each destination server sees a 
gradual trickle of data, and virtually all of them time-out while 
receiving data.

On a server with limited network capacity set a small process limit for
the smtp unix ... smtp delivery agent entry in master.cf.
http://www.postfix.org/master.5.html

Thanks.

Not sure I fully understand what effect that will have, but I've set the 
process limit to 2.


Will that restrict the number of outgoing connections to 2? I'm confused.


Each delivery agent delivers one message at a time. With two delivery
agents there are at most two parallel deliveries. The default process
limit is 100. I would first try 10 or 20, before taking it all the way
down to 2. Such a small process limit can create severe congestion...


Ah, right. I think I understand now - thank you very much.

I will try a value of 20 first, and see what happens.

Thanks very much for your help.



Re: Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Reinaldo de Carvalho
On Wed, Mar 9, 2011 at 6:40 PM, Tim t...@woodlouse.co.uk wrote:

 What happens is that Postfix receives the message from the sender, queues
 it, then immediately connects to *all* of the destination servers
 simultaneously and starts sending the message to them. This completely
 saturates the upstream Internet link, so each destination server sees a
 gradual trickle of data, and virtually all of them time-out while receiving
 data.


Fix the problem the right way: use traffic control. Example: limit
outgoing email to 1Mbit.


# Clean all rules and set the default pfifo_fast classless qdisc for the interface.
tc qdisc show dev eth0 | grep -q pfifo_fast || tc qdisc del dev eth0 root

# Set a classful qdisc with the Hierarchical Token Bucket algorithm
# and make class id 1001 the default for traffic not matched by a filter.
tc qdisc  add dev eth0 handle 1: root htb default 1001

# Root class (available link)
tc class  add dev eth0 classid 1:1000 root htb rate 100Mbit ceil 100Mbit

# Two children (email/1002 and the others/1001)
tc class  add dev eth0 classid 1:1001 parent 1:1000 htb rate 99Mbit ceil 99Mbit
tc class  add dev eth0 classid 1:1002 parent 1:1000 htb rate 1Mbit ceil 1Mbit

# Classify outgoing email by destination port 25 (non-email traffic falls into class 1001)
tc filter add dev eth0 protocol ip parent 1: u32 \
    match ip dport 25 0xffff flowid 1:1002

# Attach the classless Stochastic Fairness Queueing qdisc
# to improve fairness between concurrent connections.
tc qdisc  add dev eth0 parent 1:1001 handle 1001: sfq perturb 10
tc qdisc  add dev eth0 parent 1:1002 handle 1002: sfq perturb 10

-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

While you do not fully understand a piece of software, don't try to adapt
the software to the way you work, but rather adapt yourself to the way the
software works (myself)


timeout after CONNECT, no HELO/EHLO response from clients

2011-03-09 Thread Adam N. Copeland
Seeing a problem with inbound delivery from relays. Incoming client
connections are timing out, but I'm able to telnet to port 25 on my host
and immediately get the 220 banner every time. Sometimes the connection
times out before the 220 banner is displayed, sometimes it doesn't and
the client never sends a HELO/EHLO. This is only happening to *specific*
clients. The majority of clients are able to deliver mail with no
problems. Sometimes there is a 421 error, sometimes it just throws
timeout after CONNECT from unknown.

Version is 2.5.4, and I've disabled all of my client restrictions
including a check_policy_service IP Blocker.

In the debug output below, you can see how one client gets the 220
banner, and the other doesn't, but the result is the same, a 421.

Digging deeper, a packet capture shows that there is an EHLO from the
client, but it appears to come before the 220 sometimes.

debug output follows, then snoop, then postconf -n is at the bottom.

Many thanks

Debug output:

Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect
from unknown[134.53.6.74]
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? localhost
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 127.0.0.1
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.1.0/24
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.4.0/24
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.188.0/24
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.3.38
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.5.24
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.115
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.139
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.25
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.34
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.55
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.67
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.72
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.20.74
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.56.15
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.56.15
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.56.23
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.56.23
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.56.49
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.56.49
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.201
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.51
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.52
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.53
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.54
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.54
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.56
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.57
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.84.59
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.85.93
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.120.49
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.160.20
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 130.68.160.66
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 134.53.6.74 ~? 64.14.35.134
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info]
match_hostaddr: 

Re: timeout after CONNECT, no HELO/EHLO response from clients

2011-03-09 Thread Jeroen Geilman

On 03/10/2011 01:00 AM, Adam N. Copeland wrote:

Seeing a problem with inbound delivery from relays. Incoming client
connections are timing out, but I'm able to telnet to port 25 on my host
and immediately get the 220 banner every time. Sometimes the connection
times out before the 220 banner is displayed, sometimes it doesn't and
the client never sends a HELO/EHLO. This is only happening to *specific*
clients. The majority of clients are able to deliver mail with no
problems. Sometimes there is a 421 error, sometimes it just throws
timeout after CONNECT from unknown.

Version is 2.5.4, and I've disabled all of my client restrictions
including a check_policy_service IP Blocker.

In the debug output below, you can see how one client gets the 220
banner, and the other doesn't, but the result is the same, a 421.

Digging deeper, a packet capture shows that there is an EHLO from the
client, but it appears to come before the 220 sometimes.

debug output follows, then snoop, then postconf -n is at the bottom.

Many thanks

Debug output:
   


Please, don't post DEBUG output unless requested to do so.
It often doesn't help, especially before it is clear postfix is in the 
wrong.



> Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect
> from unknown[134.53.6.74]

okay

> Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info]
> unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout
> exceeded


That's 3 minutes (180 seconds); any particular reason you changed it 
from the default of 300 seconds ?



> Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] timeout
> after CONNECT from unknown[134.53.6.74]
> Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info]
> disconnect from unknown[134.53.6.74]


The client did not send anything inside 3 minutes. Postfix disconnected.
Whatever is happening, is happening client-side, so you should probably 
investigate that.



> snoop
>
>    1   0.0 mualmarp02.mcs.muohio.edu -> pmx4 SMTP C port=37488
>    2   0.2 pmx4 -> mualmarp02.mcs.muohio.edu SMTP R port=37488
>    3   0.02686 mualmarp02.mcs.muohio.edu -> pmx4 SMTP C port=37488
>    4   0.41173 mualmarp02.mcs.muohio.edu -> pmx4 SMTP C port=37500
>    5   0.4 pmx4 -> mualmarp02.mcs.muohio.edu SMTP R port=37500


I don't know what snoop is, but it appears to screw up the chronology 
of traffic.

This should not happen.


> # postconf -n
>
> mynetworks = localhost 127.0.0.1 130.68.1.0/24 130.68.4.0/24
> 130.68.188.0/24 130.68.3.38 130.68.5.24 130.68.20.115 130.68.20.139
> 130.68.20.25 130.68.20.34 130.68.20.55 130.68.20.67 130.68.20.72
> 130.68.20.74 130.68.56.15 130.68.56.15 130.68.56.23 130.68.56.23
> 130.68.56.49 130.68.56.49 130.68.84.201 130.68.84.51 130.68.84.52
> 130.68.84.53 130.68.84.54 130.68.84.54 130.68.84.56 130.68.84.57
> 130.68.84.59 130.68.85.93 130.68.120.49 130.68.160.20 130.68.160.66
> 64.14.35.134 66.111.5.152 69.25.199.3 207.66.21.3 205.237.106.3
> 69.25.199.33 149.72.3.15


oh. my. god.





--
J.
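
The reaction to that mynetworks list is about more than tidiness: every entry in mynetworks is a host that permit_mynetworks lets relay without authentication, and the match_hostaddr debug lines at the top of the thread show smtpd comparing each connecting client against every entry in turn. The script below is an added example, not code from the thread or from Postfix. It takes the posted value verbatim, reports duplicate entries, entries already covered by a wider entry, tokens that are not address literals, and how much public address space is being trusted, and emits a deduplicated version. The thresholds for what to flag are the author's choice; Postfix itself accepts the list as posted.

```python
"""Audit a Postfix mynetworks value for duplicates, shadowed entries and
trusted public address space.  Added example; the MYNETWORKS value is the
one from the quoted postconf -n output above."""
import ipaddress

MYNETWORKS = (
    "localhost 127.0.0.1 130.68.1.0/24 130.68.4.0/24 "
    "130.68.188.0/24 130.68.3.38 130.68.5.24 130.68.20.115 130.68.20.139 "
    "130.68.20.25 130.68.20.34 130.68.20.55 130.68.20.67 130.68.20.72 "
    "130.68.20.74 130.68.56.15 130.68.56.15 130.68.56.23 130.68.56.23 "
    "130.68.56.49 130.68.56.49 130.68.84.201 130.68.84.51 130.68.84.52 "
    "130.68.84.53 130.68.84.54 130.68.84.54 130.68.84.56 130.68.84.57 "
    "130.68.84.59 130.68.85.93 130.68.120.49 130.68.160.20 130.68.160.66 "
    "64.14.35.134 66.111.5.152 69.25.199.3 207.66.21.3 205.237.106.3 "
    "69.25.199.33 149.72.3.15"
)


def parse_mynetworks(value):
    """Split a mynetworks value into (token, network) pairs.

    Bare addresses become /32 (or /128) networks.  Tokens that are not
    address literals (e.g. 'localhost' or a lookup table) get network=None
    and are left for manual review rather than guessed at."""
    entries = []
    for tok in value.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(tok, strict=False)
        except ValueError:
            net = None
        entries.append((tok, net))
    return entries


def _covered_by_wider(net, nets):
    """The wider entry that already contains net, or None."""
    for other in nets:
        if other != net and net.network_address in other \
                and net.broadcast_address in other:
            return other
    return None


def audit_mynetworks(value):
    """Return findings as a dict of non-empty lists (empty dict: nothing to report)."""
    entries = parse_mynetworks(value)
    nets = [n for _, n in entries if n is not None]
    findings = {"duplicates": [], "shadowed": [], "non_literal": [], "public": []}
    seen = set()
    for tok, net in entries:
        key = str(net) if net is not None else tok
        if key in seen:
            findings["duplicates"].append(tok)
        seen.add(key)
        if net is None:
            findings["non_literal"].append(tok)
            continue
        wider = _covered_by_wider(net, nets)
        if wider is not None:
            findings["shadowed"].append((tok, str(wider)))
    # Public (non-RFC1918, non-loopback) space that gets relay rights.
    findings["public"] = sorted({str(n) for n in nets if n.is_global})
    return {k: v for k, v in findings.items() if v}


def normalize_mynetworks(value):
    """Return the value with duplicates and shadowed entries dropped and
    address entries in canonical CIDR form (127.0.0.1 becomes 127.0.0.1/32,
    which Postfix treats the same).  Non-literal tokens are kept first, as-is."""
    entries = parse_mynetworks(value)
    nets = [n for _, n in entries if n is not None]
    keep_tokens, keep_nets = [], []
    for tok, net in entries:
        if net is None:
            if tok not in keep_tokens:
                keep_tokens.append(tok)
        elif net not in keep_nets and _covered_by_wider(net, nets) is None:
            keep_nets.append(net)
    return " ".join(keep_tokens + [str(n) for n in keep_nets])


if __name__ == "__main__":
    for kind, items in audit_mynetworks(MYNETWORKS).items():
        print(f"{kind}: {items}")
    print("normalized:", normalize_mynetworks(MYNETWORKS))
```

On the posted value this flags four duplicated hosts (130.68.56.15, 130.68.56.23, 130.68.56.49, 130.68.84.54), no entry shadowed by a wider one, "localhost" as a token to review by hand, and 35 distinct public networks or hosts that are trusted to relay. Whether 35 is too many is a policy question for the site; the script only makes the list reviewable.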



Re: Limiting outgoing SMTP connections when relaying message

2011-03-09 Thread Victor Duchovni
On Wed, Mar 09, 2011 at 08:36:36PM -0300, Reinaldo de Carvalho wrote:

> Fix the problem the right way, use traffic control. Example to
> limit outgoing email to 1Mbit.

That won't help with the timing out deliveries. There will still be very
slow deliveries across many connections and they may well all time out.

If deliveries were completing but DoSing other services, indeed traffic
shaping would work, but when the existing pipe is too narrow even for
SMTP to get work done, one does have to reduce concurrency, if the
problem description is correct!

-- 
Viktor.


Re: timeout after CONNECT, no HELO/EHLO response from clients

2011-03-09 Thread Victor Duchovni
On Thu, Mar 10, 2011 at 01:14:48AM +0100, Jeroen Geilman wrote:

> Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect
> from unknown[134.53.6.74]
>
> okay
>
> Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info]
> unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout
> exceeded
>
> That's 3 minutes (180 seconds); any particular reason you changed it from
> the default of 300 seconds ?

No, these are different smtpd(8) processes, and unrelated connections.

-- 
Viktor.


Re: timeout after CONNECT, no HELO/EHLO response from clients

2011-03-09 Thread Jeroen Geilman

On 03/10/2011 01:56 AM, Victor Duchovni wrote:

> On Thu, Mar 10, 2011 at 01:14:48AM +0100, Jeroen Geilman wrote:
>
>> Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect
>> from unknown[134.53.6.74]
>>
>> okay
>>
>> Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info]
>> unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout
>> exceeded
>>
>> That's 3 minutes (180 seconds); any particular reason you changed it from
>> the default of 300 seconds ?
>
> No, these are different smtpd(8) processes, and unrelated connections.


Ouch, indeed.

So this client is making connections in rapid succession - and failing ?

--
J.
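
Victor's correction is the kind of thing worth checking mechanically before reading a duration off two timestamps: the connect line is from smtpd pid 13358 and the timeout from pid 13243, so the 18:38:03 to 18:41:03 gap says nothing about smtpd_timeout. The script below is an added example, not code from the thread or from Postfix. It groups smtpd log lines by the pid in the process tag, opens a session on "connect from", closes it on "disconnect from", and refuses to compute a duration for a session whose connect line was never seen. THREAD_LOG contains only the lines quoted in the thread; CONSTRUCTED_LOG adds an invented connect line for pid 13243, placed 300 seconds before its timeout, to show what a complete session looks like. The year is an assumption, since syslog omits it.

```python
"""Correlate Postfix smtpd(8) log lines per process.  Added example; the
lines in THREAD_LOG are the ones quoted in the thread, the extra line in
CONSTRUCTED_LOG is invented."""
import re
from datetime import datetime

# Solaris syslog puts "[ID 197553 mail.info]" between the process tag and the
# message; the optional group also lets plain syslog lines through.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"(?P<name>\S+)\[(?P<addr>[0-9a-fA-F.:]+)\]")
ASSUMED_YEAR = 2011  # assumption: syslog lines carry no year

THREAD_LOG = """\
Mar  9 18:38:03 pmx4 postfix/smtpd[13358]: [ID 197553 mail.info] connect from unknown[134.53.6.74]
Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] unknown[134.53.6.74]: 421 4.4.2 smtp-in.montclair.edu Error: timeout exceeded
Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] timeout after CONNECT from unknown[134.53.6.74]
Mar  9 18:41:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] disconnect from unknown[134.53.6.74]
"""

# Constructed: the connect line for pid 13243 that the post does not show,
# 300 s before its timeout (the smtpd_timeout default).
CONSTRUCTED_LOG = (
    "Mar  9 18:36:03 pmx4 postfix/smtpd[13243]: [ID 197553 mail.info] "
    "connect from unknown[134.53.6.74]\n" + THREAD_LOG
)


def parse_ts(text):
    """Syslog timestamp ("Mar  9 18:38:03") to datetime, with the assumed year."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(text.split())}",
                             "%Y %b %d %H:%M:%S")


def correlate(log):
    """Return one dict per smtpd session in order of first appearance.

    A session is keyed by pid; it starts at 'connect from' and ends at
    'disconnect from'.  Lines for a pid whose connect line was never seen
    form an orphan session with start=None, so no duration can be claimed."""
    sessions, open_by_pid = [], {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != "smtpd":
            continue
        ts, pid, msg = parse_ts(m["ts"]), int(m["pid"]), m["msg"]
        cm = CLIENT_RE.search(msg)
        client = cm.group(0) if cm else None
        if msg.startswith("connect from "):
            sess = {"pid": pid, "client": client, "start": ts, "end": None, "events": []}
            sessions.append(sess)
            open_by_pid[pid] = sess
            continue
        sess = open_by_pid.get(pid)
        if sess is None:  # log starts mid-session, or the connect line was not posted
            sess = {"pid": pid, "client": client, "start": None, "end": None, "events": []}
            sessions.append(sess)
            open_by_pid[pid] = sess
        if msg.startswith("timeout after "):
            sess["events"].append(("timeout", msg.split()[2], ts))  # e.g. CONNECT
        elif " 421 " in msg:
            sess["events"].append(("421", ts))
        elif msg.startswith("disconnect from "):
            sess["end"] = ts
            open_by_pid.pop(pid, None)
    return sessions


def duration(sess):
    """Seconds from connect to disconnect, or None when either end is unknown."""
    if sess["start"] is None or sess["end"] is None:
        return None
    return (sess["end"] - sess["start"]).total_seconds()


def describe(sess):
    """One-line summary that says when a duration cannot be inferred."""
    d = duration(sess)
    how = f"{d:.0f}s" if d is not None else "unknown (connect or disconnect line missing for this pid)"
    return f"pid {sess['pid']} {sess['client']}: duration {how}, events {[e[0:2] for e in sess['events']]}"


if __name__ == "__main__":
    for label, log in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(f"--- {label}")
        for s in correlate(log):
            print(describe(s))
```

Run against the thread's own lines, pid 13358 has a connect but no disconnect and pid 13243 has a timeout and disconnect but no connect, so neither session yields a duration. Only the constructed log, with the missing connect line supplied, produces the 300 seconds one would expect from an unchanged smtpd_timeout; on the real box, `postconf smtpd_timeout` shows the configured value and `postconf -d smtpd_timeout` the default.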



having a custom queue in postfix same as the HOLD queue

2011-03-09 Thread kshitij mali
Hi All,

Myself kshitij, and I have been using the postfix MTA for a mailing service for around
1.5 years (EXP).

I want to build a new custom queue same as the HOLD queue.

The current scenario is like this: I do not want any mail to be rejected, as per
my management's instruction.
All the filters I applied on the smtpd_*_restrictions I have given the
HOLD action.

So the hold dir keeps on growing, which makes it tough for me to search and
release the mail from the queue.

Straightforward: I would like to have a different queue (like HOLD)
for the different filters I have applied.

Anyone can help me please.

A special note for the developers of postfix is to keep the custom queue hold
and release requirement in future products.

Thanks in advance,
Kshitij
+91 9967490880
foreplay...@gmail.com