SV: SV: Redirecting all, but two, domains.
This is easy. How does Postfix decide the nexthop for a given domain? What controls do you have?

I suppose a transport map in the ways of

    .domain-a.se :
    .domain-b.se :
    * smtp:[127.0.0.1]:10035

In addition to your recipe should work? (Domain-a and domain-b being the normal domains?)
SV: SV: Redirecting all, but two, domains.
A bit of a goof there...

    domain-a.se :
    domain-b.se :
    * smtp:[127.0.0.1]:10035

From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] on behalf of Jan Johansson [j...@mupp.net]
Sent: 22 March 2011 08:22
To: postfix-users@postfix.org
Subject: SV: SV: Redirecting all, but two, domains.

This is easy. How does Postfix decide the nexthop for a given domain? What controls do you have?

I suppose a transport map in the ways of

    .domain-a.se :
    .domain-b.se :
    * smtp:[127.0.0.1]:10035

In addition to your recipe should work? (Domain-a and domain-b being the normal domains?)
Re: attachments being logged
On 22.03.2011 04:34, brian wrote:
> I'm occasionally seeing file attachments being logged, like so:
>
> postfix/smtpd[14027]: read from B8F5EDA8 [B8F5F9BD] (1420 bytes = -1 (0x))
> postfix/smtpd[14027]: read from B8F5EDA8 [B8F5F9BD] (1420 bytes = 1420 (0x58C))

disable the debug mode!

> So, I think it may be spamassassin that's responsible.

no - you see the process in the log-line postfix/smtpd

> Or could it be something I've done wrong in master.cf? I don't want/need to see these filling up the logs.

yes, you enabled debug/verbose logging
Limiting outgoing message sizes for a single domain (yahoo)
Hi all,

sorry to bother you, but I'm smashing my head on a problem from some time and even I've read previous posts and other Postfix documentation, there's still something I don't catch.

Currently if from my postfix installation, behind a static IP, I try to send email to yahoo I often get the error:

    Mar 21 06:32:21 mailforward postfix/smtp[19388]: send attr reason = lost connection with a.mx.mail.yahoo.com[67.195.168.31] while sending end of data -- message may be sent more than once

I've seen that messages above 2-3 MB total size get such treatment, while smaller ones get through without problems. So, until I investigate the problem with Yahoo, I'd like to limit message sizes which could be (attempted) delivered, so my users would know quickly to split the messages in smaller pieces, without having me checking the queue and give them notice.

Configuration (main.cf) option: message_size_limit so far I've understood it limits the size of messages that be received on the postfix box. Is there a way to tell to a specified outgoing smtp transport which is the maximum allowed message size in master.cf ?

I've tried adding:

    # Test transport
    prova unix - - - - 1 smtp -v -o message_size_limit=1232896

and in transport:

    # Test
    netorbit.it prova:

but seems that such option gets just ignored, e.g. a 2+ MB message get through up to the netorbit.it domain. Surely my fault, cannot see why and where ;-)

Do I need a policy server for that?

Thanks in advance for your time and attention.

Angelo
Re: Limit the number of forwarded emails
On 22.03.2011 09:05, Kenneth Holter wrote:
> Hi all. I'm new to the list, and quite new to postfix.
>
> I'm running postfix 2.3 on one of my RHEL 5 servers, and have set up postfix to forward all emails to our Microsoft Exchange infrastructure. On the server running postfix, I have an applications that automatically generates emails. The issue I'm trying to solve is that at times, the application generates enormous amounts of emails, causing nearly a DoS attack on the Exchange servers.
>
> What I'd like to do is to have my postfix server rate limit the number of emails it's forwarding to the Exchange servers. For example, if I could get it to queue up emails, either on the inbound side or the outbound side, and forward them on a steady rate, that would be great. Note that all emails are generated locally on the server.
>
> Postfix seems to be a rather complex software, and I've not been able to identify which component I should be tuning to accomplish rate limiting. Any advice on this is greatly appreciated.

we are using this setting to only send one message per destination and second the problem is that default_destination_rate_delay only accepts whole seconds as delay and it depends on the count of messages if you can live with this, with 10.000 mails per day 1 second delay for every destination is ok

    initial_destination_concurrency = 5
    smtp_destination_concurrency_limit = 5
    default_destination_recipient_limit = 15
    default_destination_concurrency_limit = 5
    default_destination_concurrency_failed_cohort_limit = 5
    default_destination_rate_delay = 1
    transport_retry_time = 30

if there are too messages for wait a second maybe you should set concurrency even lower and disable rate_delay
Re: Getting abused by backscatter spam
On 22.03.2011 05:38, Simon wrote:
> Hi There,
>
> We are using postfix on debian lenny. Everything is mysql backed and we are using amavisd-new (spamassassin with daily updates from saupdates.openprotect.com and updates.spamassassin.org clam-av), postfix-policy greylisting and postfix-policyd-spf-python. All updates applied.
>
> But we are still getting hammered by backscatter spam (like the below) and are hoping to get the lists input with where to head in terms of getting this sorted... it seems like everything we look at just does not quite suit our setup.
>
> Many thanks in advance
> Simon

backscatter are not easy handled first as cheap way use spf and dkim, this may helps little read http://www.postfix.org/BACKSCATTER_README.html

> Received: from psmtp.com ([64.18.3.158]) by mosesafonso.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 20 Mar 2011 14:18:35 -0400
> Received: from source ([93.85.177.92]) by exprod8mx291.postini.com ([64.18.7.13]) with SMTP; Sun, 20 Mar 2011 14:18:34 EDT
> Received: from 93.85.177.92 (account 0-0-0-0-cbouys...@microapp.com HELO syccjjv.pqhsfgogqp.com) by (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 932104756 for sbow...@mosesafonso.com; Sun, 20 Mar 2011 20:18:34 +0200
> To: sbow...@mosesafonso.com
> Subject: Re: CV
> From: no-reply-...@financeinfrance.com
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
> X-pstn-neptune: 1/1/1.00/86
> X-pstn-levels: (S: 0.00445/92.75607 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
> Message-ID: 2322245927972554085239078162...@psmtp.com
> Return-Path: {user}@{clientdomain}.com
> X-OriginalArrivalTime: 20 Mar 2011 18:18:35.0168 (UTC) FILETIME=[39EDB200:01CBE72B]
> Date: Sun, 20 Mar 2011 14:18:35 -0400
>
> Our setup:
>
> We have 2 x inbound mail servers (mail-in1 mail-in2, which are identical in setup and do simple load balancing) that do the above, once filtered the mail is sent to a dbmail cluster. Our clients are all over the place, connecting via the internet to our dbmail service (e.g. not a lan).
>
> We then have two separate outgoing mail servers, mail-out1 and mail-out2. mail-out1 is used by our client base who connect with authenticated SMTP, mail-out2 backs up our other servers (such as web servers etc) to allow them to send email.
>
> # postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> body_checks = regexp:/etc/postfix/body_checks
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> inet_interfaces = all
> mailbox_size_limit = 0
> maximal_backoff_time = 2000
> message_size_limit = 52428800
> mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
> minimal_backoff_time = 500
> mydestination = mysql:/etc/postfix/mysql-transport.cf
> myhostname = mail-in1.{ourdomain}.net
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> queue_run_delay = 500
> readme_directory = no
> recipient_delimiter = +
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_rbl_client zen.spamhaus.org, check_client_access pcre:/etc/postfix/fqrdns.pcre, #check_sender_access hash:/etc/postfix/check_backscatterer, check_policy_service unix:private/policyd-spf, check_policy_service inet:127.0.0.1:10031, permit
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> transport_maps = mysql:/etc/postfix/mysql-transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql-aliases.cf

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: Limit the number of forwarded emails
Thanks for the quick reply. Your solution seems to be a very good one, but unfortunately that default_destination_rate_delay parameter is not available in the postfix version I'm running (2.3). I'm using the postfix implementation shipped with RHEL 5, which is not the most current one.

- Kenneth

On Tue, Mar 22, 2011 at 10:32 AM, Reindl Harald h.rei...@thelounge.net wrote:
> [...]
Re: Limit the number of forwarded emails
On 3/22/2011 8:33 AM, Kenneth Holter wrote:
> Thanks for the quick reply. Your solution seems to be a very good one, but unfortunately that default_destination_rate_delay parameter is not available in the postfix version I'm running (2.3). I'm using the postfix implementation shipped with RHEL 5, which is not the most current one.

The most recent release of Postfix is 2.8.2. 2.3 is ancient and no longer supported for updates. Redhat now has RHEL 6 which, I believe, uses Postfix 2.7.

There are reliable (S)RPM packages available for RHEL 5 that will get you to the parameters/functionality you need. The most common is by Simon Mudd referenced on http://www.postfix.org/packages.html at http://ftp.wl0.org/official/

Brian
Re: Limiting outgoing message sizes for a single domain (yahoo)
On 22/03/2011 9.29, Angelo Amoruso wrote:
> sorry to bother you, but I'm smashing my head on a problem from some time and even I've read previous posts and other Postfix documentation, there's still something I don't catch. Currently if from my postfix installation, behind a static IP, I try to send email to yahoo I often get the error:
>
> Mar 21 06:32:21 mailforward postfix/smtp[19388]: send attr reason = lost connection with a.mx.mail.yahoo.com[67.195.168.31] while sending end of data -- message may be sent more than once
> [...]
> Do I need a policy server for that?

Hi,

today I've just played with postfwd (http://postfwd.org/) and I was able to achieve the desired result, ie having a way to reject with a failure code mails directed on a specified domain (in my case yahoo.it and yahoo.com) when total size is above a predefined limit.

Anyway, just for curiosity is there a way to accomplish the same using only Postfix and not extra software?

Thanks,
Angelo
Re: Limiting outgoing message sizes for a single domain (yahoo)
On 22/03/2011 09:29, Angelo Amoruso wrote:
> Hi all, I've seen that messages above 2-3 MB total size get such treatment, while smaller ones get through without problems. So, until I investigate the problem with Yahoo, I'd like to limit message sizes which could be (attempted) delivered, so my users would know quickly to split the messages in smaller pieces, without having me checking the queue and give them notice.

Shouldn't your users receive DSNs from yahoo? I doubt you can set message_limit on a per-domain basis without a policy server anyway.

--
Simone Caruso
IT Consultant
Re: Limiting outgoing message sizes for a single domain (yahoo)
Angelo Amoruso:
> today I've just played with postfwd (http://postfwd.org/) and I was able to achieve the desired result, ie having a way to reject with a failure code mails directed on a specified domain (in my case yahoo.it and yahoo.com) when total size is above a predefined limit. Anyway, just for curiosity is there a way to accomplish the same using only Postfix and not extra software?

No, and I think that it would be a mistake to build support for every possible feature into Postfix.

Instead, Postfix has extension interfaces. External content filters exist because I did not want to maintain built-in content inspection; the policy protocol exists because I did not want to maintain built-in SPF; and the Milter interface exists because I did not want to maintain built-in SenderID.

The benefit of these extension interfaces is that they can also be used for other purposes. There are several rate-limiting policy daemons for Postfix. The good ones will be kept alive.

Wietse
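The per-domain size limit discussed in this thread, written against the policy protocol as an added example; it is not code from the thread, from postfwd or from Postfix. The domain limits, port 10040 and all class and function names are assumptions, and the service is meant to be listed as check_policy_service inet:127.0.0.1:10040 in both smtpd_recipient_restrictions and smtpd_end_of_data_restrictions.

```python
"""Policy-delegation service: per-recipient-domain message size limit (added example)."""
import socketserver
import threading

# Assumed limits in bytes, keyed by recipient domain (illustrative values).
LIMITS = {"yahoo.com": 2_000_000, "yahoo.it": 2_000_000}
MAX_PENDING = 10_000  # cap on remembered transactions that never reach end of data


def parse_request(text):
    """Turn one request (name=value lines, ended by an empty line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class SizePolicy:
    def __init__(self, limits):
        self.limits = {d.lower(): int(n) for d, n in limits.items()}
        self.pending = {}  # instance id -> (strictest limit, domain) seen at RCPT
        self.lock = threading.Lock()

    def decide(self, attrs):
        """Return the access(5) action for one policy request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        try:
            size = int(attrs.get("size", "0"))
        except ValueError:
            size = 0
        instance = attrs.get("instance", "")
        state = attrs.get("protocol_state", "")
        with self.lock:
            if state == "RCPT":
                return self._at_rcpt(attrs, instance, size)
            if state == "END-OF-MESSAGE":
                # size is now the real byte count; a reject here applies to the
                # whole message, i.e. to every recipient of the transaction.
                limit, domain = self.pending.pop(instance, (None, None))
                if limit is not None and size > limit:
                    return self._reject(size, limit, domain)
        return "DUNNO"

    def _at_rcpt(self, attrs, instance, size):
        domain = attrs.get("recipient", "").rpartition("@")[2].lower()
        limit = self.limits.get(domain)
        if limit is None:
            return "DUNNO"
        # At RCPT, size is only what the client declared in MAIL FROM (0 if none).
        if size > limit:
            return self._reject(size, limit, domain)
        old = self.pending.get(instance)
        if old is None or limit < old[0]:
            self.pending[instance] = (limit, domain)
        while len(self.pending) > MAX_PENDING:
            del self.pending[next(iter(self.pending))]  # drop the oldest entry
        return "DUNNO"

    @staticmethod
    def _reject(size, limit, domain):
        return f"REJECT Message size {size} exceeds the {limit} byte limit for {domain}"


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:  # Postfix may send many requests per connection
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = self.server.policy.decide(parse_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []


def serve(host="127.0.0.1", port=10040):
    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.policy = SizePolicy(LIMITS)
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The end-of-data check is needed because a client that does not declare SIZE in MAIL FROM reports size=0 at RCPT time, so the RCPT check alone would let large messages through.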
Re: attachments being logged
On Mon, Mar 21, 2011 at 11:34:43PM -0400, brian wrote:
> I'm occasionally seeing file attachments being logged, like so:
>
> postfix/smtpd[14027]: read from B8F5EDA8 [B8F5F9BD] (1420 bytes = -1 (0x))
> postfix/smtpd[14027]: read from B8F5EDA8 [B8F5F9BD] (1420 bytes = 1420 (0x58C))
> postfix/smtpd[14027]: 33 13 c9 09 3f ef 6f 99|0b a8 67 8c 6c 05 de 9d 3...?.o. ..g.l... etc.

This is NOT file attachment logging, rather this is TLS packet debug logging, which you must not turn on except briefly if such logging has been requested by a Postfix-TLS expert to help resolve an issue.

Set smtpd_tls_loglevel = 0 or smtpd_tls_loglevel = 1 and not higher.

--
Viktor.
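The ceiling given above (smtpd_tls_loglevel of 0 or 1) and the verbose -v flag seen elsewhere in this thread, turned into a configuration check. This is an added example, not code from the thread or from Postfix: the function names and the sample main.cf and master.cf text are constructed, and applying the same ceiling to every *_tls_loglevel parameter is an assumption that extends the check beyond smtpd.

```python
"""Flag Postfix settings that produce debug-level logging (added example)."""
import re


def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blank lines."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def too_verbose(name, value):
    """True for a *_tls_loglevel above 1."""
    return name.endswith("_tls_loglevel") and value.isdigit() and int(value) > 1


def audit(main_cf, master_cf):
    """Return one finding per setting that enables debug or verbose logging."""
    findings = []
    params = {}
    for line in logical_lines(main_cf):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()  # the last assignment wins
    for name, value in params.items():
        if too_verbose(name, value):
            findings.append(f"main.cf: {name} = {value}")
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            continue
        label = f"master.cf: {fields[0]}/{fields[1]} ({fields[7]})"
        args = fields[8:]
        for i, arg in enumerate(args):
            if arg.startswith("argv="):
                break  # the rest belongs to an external command run by pipe(8)
            if re.fullmatch(r"-v+", arg):
                findings.append(f"{label}: {arg} enables verbose logging")
            elif arg == "-o" and i + 1 < len(args):
                name, sep, value = args[i + 1].partition("=")
                if sep and too_verbose(name, value):
                    findings.append(f"{label}: -o {name}={value}")
    return findings


# Constructed sample input (not taken from a real host).
MAIN_CF = """\
# constructed sample
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_loglevel = 4
"""

MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_loglevel=3
  -o smtpd_tls_security_level=encrypt
prova      unix  -  -  -  -  1  smtp -v -o message_size_limit=1232896
filter     unix  -  n  n  -  -  pipe
  flags=Rq user=filter argv=/usr/local/bin/filter.sh -v -f ${sender}
"""

if __name__ == "__main__":
    for finding in audit(MAIN_CF, MASTER_CF):
        print(finding)
```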
Re: SV: SV: Redirecting all, but two, domains.
On Tue, Mar 22, 2011 at 07:27:27AM +, Jan Johansson wrote:
> A bit of a goof there...
>
>     domain-a.se :
>     domain-b.se :
>     * smtp:[127.0.0.1]:10035

The * entry is not required, that's what default_transport is for. If you want non-default nexthops for the relay_domains, just use the default setting of relay_transport = relay without an explicit nexthop.

--
Viktor.
SV: SV: SV: Redirecting all, but two, domains.
> The * entry is not required, that's what default_transport is for. If you want non-default nexthops for the relay_domains, just use the default setting of relay_transport = relay without an explicit nexthop.

So in other words I should say Thanks for the rewrite-recipe, that one I would not have figured out! The rest is just standard transport behaviour...

Cool :)
Re: Redirecting all, but two, domains.
On Tue, Mar 22, 2011 at 02:03:12PM +, Jan Johansson wrote:
>> The * entry is not required, that's what default_transport is for. If you want non-default nexthops for the relay_domains, just use the default setting of relay_transport = relay without an explicit nexthop.
>
> So in other words I should say Thanks for the rewrite-recipe, that one I would not have figured out! The rest is just standard transport behaviour...

Everything I suggested is standard transport behaviour. There are lots of ways of configuring transport overrides, but when the settings are not completely ad-hoc, you can use the address_class_transport variables primarily, and a transport table only as necessary.

--
Viktor.
SV: Redirecting all, but two, domains.
> Everything I suggested is standard transport behaviour.

Well, granted. Maybe I should have said The rest is trivial. Your suggestion about the pcre/port 10035 was definitely over _my_ Postfix horizon.
Re: SV: Redirecting all, but two, domains.
On Tue, Mar 22, 2011 at 02:29:18PM +, Jan Johansson wrote:
>> Everything I suggested is standard transport behaviour.
>
> Well, granted. Maybe I should have said The rest is trivial. Your suggestion about the pcre/port 10035 was definitely over _my_ Postfix horizon.

The REDIRECT feature is documented at http://www.postfix.org/access.5.html

Wietse added it in 2003:

    20030125
    Feature: REDIRECT user@domain action in access maps or in header/body_checks causes mail to be sent to the specified address instead of the intended recipient(s). I would never recommend that people use this to redirect (bounced) SPAM to the beneficiaries of an advertisement campaign. Files: smtpd/smtpd_check.c, cleanup/cleanup_message.c, *qmgr/qmgr_message.c.

--
Viktor.
mailbox_size_limit is smaller than message_size_limit - 64bit issue?
Hello,

i got following error in my log:

    postfix/local[8755]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
    postfix/master[8737]: warning: process /usr/lib/postfix/local pid 8755 exit status 1
    postfix/master[8737]: warning: /usr/lib/postfix/local: bad command startup -- throttling

but values are:

    mailbox_size_limit = 409600
    message_size_limit = 10240

using 32bit machine i can set mailbox_size_limit = 409600 without problems. on this 64bit machine postfix 2.5.1 local throws errors. only mailbox_size_limit = 0 works but is not what i want in this case.

How to handle this?

Thanks,
Hajo
Re: mailbox_size_limit is smaller than message_size_limit - 64bit issue?
Hajo Locke:
> Hello, i got following error in my log:
> postfix/local[8755]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit

So don't do that.

> but values are: mailbox_size_limit = 409600

Prior to Postfix 2.9 this value is stored in a signed integer. On the typical LP64 UNIX box this means the number is too large.

Wietse
Milter question - three milters co-existance (dkim spamass clamav)
Hi there,

I had two milters running on postfix: dkim-filter, spamass-milter. Both of these worked fine. I have added the clamav-milter to the config, but I noticed that now the spamass-milter does not 'seem' to do anything.

System set-up: postfix v 2.8, Debian Squeeze

The dkim-filter functions as I expect.
The Clamav-milter functions as I expect.
The spamass-milter does not fire. (Nothing logged in the mail.log, mail.err mail.warn. No msgs in spamd.log spamass-milter. There are messages from spamd when the message is sent into dovecot/spamd).

I tested this by sending a known spam test string, which scored 1003.9 on SpamAssassin. The spamass-milter is set to reject spam over the 10 threshold, yet it did not reject a score of 1003.9.

    X-Spam-Status: Yes, score=1001.9 required=5.0 tests=ALL_TRUSTED,DCC_CHECK, GTUBE,MISSING_SUBJECT,TVD_SPACE_RATIO shortcircuit=no autolearn=no version=3.3.1

This should have been caught by the spamass-milter. Here is the change afore and afterwards:

* Before

    smtpd_milters = unix:/spamass/spamass.sock, unix:/dkim-filter/dkim-filter.sock
    milter_default_action = tempfail

* After

    smtpd_milters = unix:/dkim-filter/dkim-filter.sock, unix:/spamass/spamass.sock, unix:/clamav/clamav-milter.ctl
    milter_default_action = tempfail

Is this configuration correct, and can anyone think of what causes the spamass-milter to be ignored?

Best wishes, S.

Regards, s.
Re: Milter question - three milters co-existance (dkim spamass clamav)
J4K:
> Is this configuration correct, and can anyone think of what causes the spamass-milter to be ignored?

First, confirm that spamass-milter is ignored, by turning on logging in spamass-milter. Then, complain that Postfix is making mistakes.

Wietse
Re: Mailbox limit not observed
On 2011-03-16 08:22:10 +0200, Henrik K wrote:
> Postfwd ftw. http://postfwd.org/doc.html ctrl+f action==size

Thanks. It also has other nice features, such as scoring.

--
Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/
100% accessible validated (X)HTML - Blog: http://www.vinc17.net/blog/
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
Re: Milter question - three milters co-existance (dkim spamass clamav)
On Tue, Mar 22, 2011 at 9:34 AM, J4K ju...@klunky.co.uk wrote:
> [...]
> Is this configuration correct, and can anyone think of what causes the spamass-milter to be ignored?

I wrote a blog post a while back with some notes about running ClamAV, SA, and OpenDKIM as milters with Postfix on Fedora. You might get some nudges in the right direction for your attempt with Debian:

http://stevejenkins.com/blog/2011/02/tips-for-installing-amavis-new-clamav-and-spamassassin-using-postfix-on-fedora-12/

SteveJ
Re: Limit the number of forwarded emails
On Tue, Mar 22, 2011 at 5:45 AM, Brian Evans - Postfix List grkni...@scent-team.com wrote:
> The most recent release of Postfix is 2.8.2. 2.3 is ancient and no longer supported for updates. Redhat now has RHEL 6 which, I believe, uses Postfix 2.7.
>
> There are reliable (S)RPM packages available for RHEL 5 that will get you to the parameters/functionality you need. The most common is by Simon Mudd referenced on http://www.postfix.org/packages.html at http://ftp.wl0.org/official/
> [...]

I don't think Simon has updated his Postfix (S)RPMs since RHEL 4. :(

Kenneth's best option may be to just compile 2.8 and upgrade:

http://stevejenkins.com/blog/2011/01/building-postfix-2-8-on-rhel5-centos-5-from-source/

SteveJ
Re: Limit the number of forwarded emails
On 3/22/2011 1:18 PM, Steve Jenkins wrote:
> On Tue, Mar 22, 2011 at 5:45 AM, Brian Evans - Postfix List grkni...@scent-team.com wrote:
>> There are reliable (S)RPM packages available for RHEL 5 that will get you to the parameters/functionality you need. The most common is by Simon Mudd referenced on http://www.postfix.org/packages.html at http://ftp.wl0.org/official/
>>
>> Brian
>
> I don't think Simon has updated his Postfix (S)RPMs since RHEL 4. :( Kenneth's best option may be to just compile 2.8 and upgrade: http://stevejenkins.com/blog/2011/01/building-postfix-2-8-on-rhel5-centos-5-from-source/
>
> SteveJ

Obviously, you didn't look at the link I posted.

Yes, the web pages linked directly from the Postfix site are outdated, but not the link referenced there (in the blog area) and above. This includes RPMs for x86_64 for RHEL5 as well as SRPMS for Postfix up to 2.8.1 at this time.

Brian
Re: Milter question - three milters co-existance (dkim spamass clamav)
On 03/22/2011 05:39 PM, Wietse Venema wrote:
> J4K:
>> Is this configuration correct, and can anyone think of what causes the spamass-milter to be ignored?
>
> First, confirm that spamass-milter is ignored, by turning on logging in spamass-milter. Then, complain that Postfix is making mistakes.
>
> Wietse

User error. My mistake. Too much work caused a loss of objectivity. Apologies.
Re: Limit the number of forwarded emails
Brian Evans - Postfix List:
> Yes, the web pages linked directly from the Postfix site are outdated, but not the link referenced there (in the blog area) and above. This includes RPMs for x86_64 for RHEL5 as well as SRPMS for Postfix up to 2.8.1 at this time.

Which link? The blog refers me to http://postfix.wl0.org/en/git/, and I see no Postfix 2.8 there.

Wietse
Re: Limit the number of forwarded emails
On 3/22/2011 2:41 PM, Wietse Venema wrote:
> Brian Evans - Postfix List:
>> Yes, the web pages linked directly from the Postfix site are outdated, but not the link referenced there (in the blog area) and above. This includes RPMs for x86_64 for RHEL5 as well as SRPMS for Postfix up to 2.8.1 at this time.
>
> Which link? The blog refers me to http://postfix.wl0.org/en/git/, and I see no Postfix 2.8 there.
>
> Wietse

It is rather obscure. The first blog post, which references 2.6, has a link that also contains info for 2.8. It seems that Simon has not been updating his blog, only his ftp server.
Re: Limit the number of forwarded emails
On Tue, Mar 22, 2011 at 11:50 AM, Brian Evans - Postfix List grkni...@scent-team.com wrote:
> It is rather obscure.

To say the least. :)

> The first blog post, which references 2.6, has a link that also contains info for 2.8.

For the sake of anyone looking through the archives, that link is: http://ftp.wl0.org/official/2.8/

FWIW, Simon's RPMs seem to only be available for x86_64. So 32-bit users will need to use the SRPMs and build their own 32-bit RPM before installing... but at that point I still think it's less work to simply compile and make upgrade from the source code, not to mention allowing more flexibility to choose support for LDAP, MySQL, etc. Users who take the small amount of time required to learn how to do so can update their Postfix (to 2.8.2, for example) as soon as a new version is released, rather than wait for generous people like Simon to take time out of their schedule to build RPMs. Those of us running RH should be grateful to Simon for his efforts, but I hate to see people become completely dependent on them. :)

> It seems that Simon has not been updating his blog, only his ftp server.

The FTP server is clearly the more important of the two, so I don't blame him. :)

SteveJ
Address Tagging in Postfix?
I've been reading through http://www.postfix.org/ADDRESS_REWRITING_README.html and Googling in an attempt to figure out how to allow tagging of email accounts for SPAM fighting purposes (mail to bob+any...@server.com gets delivered to b...@server.com), but haven't been able to figure it out. Can anyone nudge me in the right direction? Thx, SteveJ
Re: mysql GPL/postfix IPL incompatibility
--On Monday, February 28, 2011 11:32 PM -0500 Victor Duchovni victor.ducho...@morganstanley.com wrote:
> On Mon, Feb 28, 2011 at 09:22:52PM -0600, Stan Hoeppner wrote:
>> With Debian, if I need mysql support I simply install the extra package postfix-mysql, which depends on libmysqlclient. (This is the same procedure for acquiring pgsql, pcre, cdb, ldap, etc capability) So by installing the package postfix-mysql and libmysqlclient, am I violating a license agreement? If not, what's the difference, and why?
>
> This is a legal question. The postfix-mysql loadable object links Postfix table driver code available under the IPL against the MySQL shared library. Whether this is allowed under the MySQL license is not completely clear. It is not a problem with Postgres or LDAP.

After filing a bug with RedHat about their GPL violation, they got on the phone with Oracle, and Oracle updated the MySQL FOSS exception list to include IBM Public License 1.0. So this is no longer a problem for anyone.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Address Tagging in Postfix?
On Tue, Mar 22, 2011 at 01:44:37PM -0700, Steve Jenkins wrote:
> I've been reading through http://www.postfix.org/ADDRESS_REWRITING_README.html and Googling in an attempt to figure out how to allow tagging of email accounts for SPAM fighting purposes (mail to bob+any...@server.com gets delivered to b...@server.com), but haven't been able to figure it out. Can anyone nudge me in the right direction? Thx, SteveJ

Your local delivery agent will need to also support plus-addressing. Then, if you have a folder named anytag for the bob account, it will usually deliver mail sent to bob+anytag@xxx directly to the anytag folder. It works that way with GMail and others.

Cheers, Ken
Re: mysql GPL/postfix IPL incompatibility
Quanah Gibson-Mount:
> After filing a bug with RedHat about their GPL violation, they got on the phone with Oracle, and Oracle updated the MySQL FOSS exception list to include IBM Public License 1.0. So this is no longer a problem for anyone.

Thanks. That is one less thing to worry about.

Wietse
Re: Address Tagging in Postfix?
Steve Jenkins:
> I've been reading through http://www.postfix.org/ADDRESS_REWRITING_README.html and Googling in an attempt to figure out how to allow tagging of email accounts for SPAM fighting purposes (mail to bob+any...@server.com gets delivered to b...@server.com), but haven't been able to figure it out. Can anyone nudge me in the right direction?

You use

/etc/postfix/main.cf:
    recipient_delimiter = +

Then, Postfix will try to match user+extens...@example.com before trying u...@example.com in most tables, and the local delivery agent will try to match user+extension before user when looking up aliases or .forward files.

http://www.postfix.org/postconf.5.html#recipient_delimiter
http://www.postfix.org/postconf.5.html#forward_path
http://www.postfix.org/access.5.html
http://www.postfix.org/canonical.5.html
http://www.postfix.org/virtual.5.html
http://www.postfix.org/transport.5.html

Wietse
RE: [SPAM] - Re: Address Tagging in Postfix? - Bayesian Filter detected spam
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Subject: [SPAM] - Re: Address Tagging in Postfix? - Bayesian Filter detected spam

> Steve Jenkins:
> > I've been reading through http://www.postfix.org/ADDRESS_REWRITING_README.html and Googling in an attempt to figure out how to allow tagging of email accounts for SPAM fighting purposes (mail to bob+any...@server.com gets delivered to b...@server.com), but haven't been able to figure it out. Can anyone nudge me in the right direction?
>
> You use
>
> /etc/postfix/main.cf:
>     recipient_delimiter = +
>
> Then, Postfix will try to match user+extens...@example.com before trying u...@example.com in most tables, and the local delivery agent will try to match user+extension before user when looking up aliases or .forward files.
>
> http://www.postfix.org/postconf.5.html#recipient_delimiter
> http://www.postfix.org/postconf.5.html#forward_path
> http://www.postfix.org/access.5.html
> http://www.postfix.org/canonical.5.html
> http://www.postfix.org/virtual.5.html
> http://www.postfix.org/transport.5.html

The number of javascript email input validations that wouldn't allow + as a valid character (particularly the banks) forced me to change recipient_delimiter to - without any dire consequences...
Re: Address Tagging in Postfix?
On Tue, Mar 22, 2011 at 2:47 PM, Wietse Venema wie...@porcupine.org wrote:
> Steve Jenkins:
> > I've been reading through http://www.postfix.org/ADDRESS_REWRITING_README.html and Googling in an attempt to figure out how to allow tagging of email accounts for SPAM fighting purposes (mail to bob+any...@server.com gets delivered to b...@server.com), but haven't been able to figure it out. Can anyone nudge me in the right direction?
>
> You use
>
> /etc/postfix/main.cf:
>     recipient_delimiter = +
>
> Then, Postfix will try to match user+extens...@example.com before trying u...@example.com in most tables, and the local delivery agent will try to match user+extension before user when looking up aliases or .forward files.
>
> http://www.postfix.org/postconf.5.html#recipient_delimiter
> http://www.postfix.org/postconf.5.html#forward_path
> http://www.postfix.org/access.5.html
> http://www.postfix.org/canonical.5.html
> http://www.postfix.org/virtual.5.html
> http://www.postfix.org/transport.5.html
>
> Wietse

Perfect. That's exactly what I was looking for. Thanks! :)

SteveJ
Re: Getting abused by backscatter spam
On 22/03/2011 05:38, Simon wrote:
> Hi There, We are using postfix on debian lenny. Everything is mysql backed and we are using amavisd-new (spamassassin with daily updates from saupdates.openprotect.com and updates.spamassassin.org clam-av), postfix-policy greylisting and postfix-policyd-spf-python. All updates applied. But we are still getting hammered by backscatter spam (like the below) and are hoping to get the lists input with where to head in terms of getting this sorted... it seems like everything we look at just does not quite suit our setup. Many thanks in advance Simon
>
> Received: from psmtp.com ([64.18.3.158]) by mosesafonso.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 20 Mar 2011 14:18:35 -0400
> Received: from source ([93.85.177.92]) by exprod8mx291.postini.com ([64.18.7.13]) with SMTP; Sun, 20 Mar 2011 14:18:34 EDT
> Received: from 93.85.177.92 (account 0-0-0-0-cbouys...@microapp.com HELO syccjjv.pqhsfgogqp.com) by (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 932104756 for sbow...@mosesafonso.com; Sun, 20 Mar 2011 20:18:34 +0200
> To: sbow...@mosesafonso.com
> Subject: Re: CV
> From: no-reply-...@financeinfrance.com
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
> X-pstn-neptune: 1/1/1.00/86
> X-pstn-levels: (S: 0.00445/92.75607 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
> Message-ID: 2322245927972554085239078162...@psmtp.com
> Return-Path: {user}@{clientdomain}.com
> X-OriginalArrivalTime: 20 Mar 2011 18:18:35.0168 (UTC) FILETIME=[39EDB200:01CBE72B]
> Date: Sun, 20 Mar 2011 14:18:35 -0400

1) nothing in your sample shows that you use postfix. if using postfix, why is Return-Path in the middle of headers?
2) given the return-path you show, this is not backscatter. maybe you meant envelope sender forgery?
3) 93.85.177.92 is listed in ZEN and BRBL among other lists.
Re: [SPAM] - Re: Address Tagging in Postfix? - Bayesian Filter detected spam
On 22/03/2011 22:53, Simon Brereton wrote:
> The number of javascript email input validations that wouldn't allow + as a valid character (particularly the banks)

Oh, not only banks. sigh. I once worked for a company to help fight spam, and among the recommendations I gave was to tag addresses with a '+'. they accepted that and were happy. then later on, they outsourced the development of a web app and I was asked to do some checks. among my feedback was that the address validation functionality was wrong. I was asked what I meant. I showed that not only it didn't reject some invalid addresses, but that it rejected valid addresses such as '+' tagged ones. the answer I got was but that's ok. we only want _real_ addresses. duh.

> forced me to change recipient_delimiter to - without any dire consequences...

if you're not running mailing lists, then yes, '-' is ok. if the domain has mailing-lists, then '-' is already in use ('-unsubscribe', ... etc).
Re: fatal: unsupported dictionary type: mysql
On Tue, Mar 22, 2011 at 04:04:28PM -0700, Manjiri wrote:
> Have compiled postfix with mysql support, but I am still getting this error:

The Postfix software running on the machine:

    Mar 22 16:14:46 vmlinuxrh01 postfix/postfix-script[5435]: starting the Postfix mail system
    Mar 22 16:14:46 vmlinuxrh01 postfix/master[5436]: daemon started -- version 2.5.1, configuration /home/manjiri/postfixManjiriSQLSupport
    Mar 22 16:14:48 vmlinuxrh01 postfix/smtpd[5439]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
    Mar 22 16:14:48 vmlinuxrh01 postfix/smtpd[5439]: fatal: unsupported dictionary type: mysql
    Mar 22 16:14:49 vmlinuxrh01 postfix/master[5436]: warning: process /usr/libexec/postfix/smtpd pid 5439 exit status 1
    Mar 22 16:14:49 vmlinuxrh01 postfix/master[5436]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

    /home/postfix-2.5.1/bin/postconf -m

Is not the same as the Postfix software installed in /home/postfix-2.5.1

If you want to run binaries with MySQL, make sure that daemon_directory and command_directory are set to use that software, better yet, don't install multiple versions of the Postfix binaries on the same machine.

--
Viktor.
Re: fatal: unsupported dictionary type: mysql
Manjiri:
> Though, I have 2 postfix built on the same machine. One is w/o mysql support and the above one is with mysql support. I know that it is possible to start multiple postfix instances on same machine, but is it possible to install and build multiple postfix packages on same machine ?

Sure. But you can't mix the commands and the daemons from different Postfix builds, because that does not work as you have demonstrated.

Specifically, different Postfix builds must not share any of

    command_directory
    config_directory
    daemon_directory
    data_directory

or any of the pathnames for sendmail, mailq, or newaliases.

On the other hand, if you were to upgrade to 2.6 or later and follow MULTI_INSTANCE_README, then you must share command_directory and daemon_directory, but none of the other pathnames.

Wietse
Re: Address Tagging in Postfix?
On Tue, Mar 22, 2011 at 4:08 PM, mouss mo...@ml.netoyen.net wrote:
> if you're not running mailing lists, then yes, '-' is ok. if the domain has mailing-lists, then '-' is already in use

Interesting. Could the '-' delimiter still work in this case, as long as the tagged address doesn't match an existing address used by the mailing list software? As long as the usernames are different than the mailing list(s) name (which should be the case anyway), and/or none of the user-selected tags match the tags expected by the mailing list software, can recipient_delimiter = - and the mailing list software co-exist? Or does everything with a delimiter of '-' get handed over to the mailing list software first?

Thanks, SteveJ
Postscreen: whitelisting by domains
Dear, This is just a question. Is there a way to whitelist postscreen against sender SMTP domain names? Best regards
Re: Postscreen: whitelisting by domains
David Touzeau:
> Dear, This is just a question. Is there a way to whitelist postscreen against sender SMTP domain names?

Sorry, postscreen will not look up client hostnames. It needs to make a decision in milliseconds time to avoid slowing down good clients.

Wietse
Re: fatal: unsupported dictionary type: mysql
Wietse Venema:
> Manjiri:
> > Though, I have 2 postfix built on the same machine. One is w/o mysql support and the above one is with mysql support. I know that it is possible to start multiple postfix instances on same machine, but is it possible to install and build multiple postfix packages on same machine ?
>
> Sure. But you can't mix the commands and the daemons from different Postfix builds, because that does not work as you have demonstrated.
>
> Specifically, different Postfix builds must not share any of
>
>     command_directory
>     config_directory
>     daemon_directory
>     data_directory
>
> or any of the pathnames for sendmail, mailq, or newaliases.
>
> On the other hand, if you were to upgrade to 2.6 or later and follow MULTI_INSTANCE_README, then you must share command_directory and daemon_directory, but none of the other pathnames.

Correction: you're supposed to share the pathnames of all programs and none of the data.

Wietse
Re: Address Tagging in Postfix?
Steve Jenkins:
> On Tue, Mar 22, 2011 at 4:08 PM, mouss mo...@ml.netoyen.net wrote:
> > if you're not running mailing lists, then yes, '-' is ok. if the domain has mailing-lists, then '-' is already in use
>
> Interesting. Could the '-' delimiter still work in this case, as long as the tagged address doesn't match an existing address used by the mailing list software? As long as the usernames are different than the mailing list(s) name (which should be the case anyway), and/or none of the user-selected tags match the tags expected by the mailing list software, can recipient_delimiter = - and the mailing list software co-exist? Or does everything with a delimiter of '-' get handed over to the mailing list software first?

Didn't I write that Postfix will attempt the unextended name first, before trying the name without the text after $recipient_delimiter?

Wietse
Re: Getting abused by backscatter spam
On Wed, Mar 23, 2011 at 11:56 AM, mouss mo...@ml.netoyen.net wrote:
> 1) nothing in your sample shows that you use postfix. if using postfix, why is Return-Path in the middle of headers?
> 2) given the return-path you show, this is not backscatter. maybe you meant envelope sender forgery?
> 3) 93.85.177.92 is listed in ZEN and BRBL among other lists.

Thanks for the reply. Sorry - wrong headers, here is a better example

Received: from localhost (localhost [127.0.0.1]) by mail-in2.{ourdomain}.net (Postfix) with ESMTP id 038A71278B for david@{ourdomain}.net; Mon, 21 Mar 2011 16:21:11 +1300 (NZDT)
X-Virus-Scanned: Debian amavisd-new at mail-in2.{ourdomain}.net
Received: from mail-in2.{ourdomain}.net ([127.0.0.1]) by localhost (mail-in2.{ourdomain}.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AjP3fH4O3NNn for david@{ourdomain}.net; Mon, 21 Mar 2011 16:21:06 +1300 (NZDT)
Received-SPF: None (no SPF record) identity=helo; client-ip=213.153.204.77; helo=smtp.prnet.com.tr; envelope-from=; receiver=domains@{ourdomain}.net
Received: from smtp.prnet.com.tr (unknown [213.153.204.77]) by mail-in2.{ourdomain}.net (Postfix) with ESMTPS id 97BBE12777 for domains@{ourdomain}.net; Mon, 21 Mar 2011 16:21:04 +1300 (NZDT)
MIME-Version: 1.0
From: postmaster@prnet.local
To: domains@{ourdomain}.net
Date: Mon, 21 Mar 2011 05:25:02 +0200
Content-Type: multipart/report; report-type=delivery-status; boundary=d011ae77-0e81-4180-8f36-55a4a8d8738f
Content-Language: tr-TR
Message-ID: 2628b8a7-433a-4e0a-bb73-13460a834136@prnet.local
In-Reply-To: 4c899952-38ad-4d53-be45-b0c63b4459e3@PRNETMAIL.prnet.local
References: 4c899952-38ad-4d53-be45-b0c63b4459e3@PRNETMAIL.prnet.local
Subject: Teslim Edilmedi: Welcoming speech
Return-Path: DV:3.3.8414.660;SV:3.3.8526.390;SID:SenderIDStatus Fail;OrigIP:210.48.80.145
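Added example, not part of any message in this thread: a small header triage that separates the two kinds of sample posted above, a message with a non-null envelope sender and ordinary content versus a delivery status notification with the null sender. The samples are constructed with placeholder addresses, and the code assumes the Return-Path header was written by the final delivery agent from the envelope sender.

```python
import email

# Constructed samples modelled on the two header sets quoted in this thread;
# all addresses and domains are placeholders.
FORGED_SENDER_SPAM = """\
Return-Path: <user@client.example>
From: no-reply@sender.example
To: someone@example.net
Subject: Re: CV
MIME-Version: 1.0
Content-Type: text/html

<html><body>offer</body></html>
"""

REMOTE_DSN = """\
Return-Path: <>
From: postmaster@remote.example
To: domains@example.net
Subject: Undeliverable: Welcoming speech
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@remote.example
Action: failed
Status: 5.1.1
--b1--
"""


def envelope_sender(msg):
    """Return-Path value without angle brackets; '' is the null sender <>."""
    # Assumption: Return-Path reflects the envelope sender seen at delivery.
    value = msg.get("Return-Path")
    return None if value is None else value.strip().strip("<>").strip()


def is_delivery_report(msg):
    """True for Content-Type: multipart/report; report-type=delivery-status."""
    report_type = msg.get_param("report-type")
    return (msg.get_content_type() == "multipart/report"
            and str(report_type).lower() == "delivery-status")


def classify(raw):
    """'bounce' means null sender plus DSN structure: a backscatter candidate."""
    msg = email.message_from_string(raw)
    null_sender = envelope_sender(msg) == ""
    report = is_delivery_report(msg)
    if null_sender and report:
        return "bounce"
    if null_sender or report:
        return "bounce-like"
    return "not-a-bounce"
```

A "bounce" verdict only says the message is a DSN; whether it is backscatter still depends on whether your own system sent the message it refers to.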
Re: Address Tagging in Postfix?
On Tue, Mar 22, 2011 at 4:41 PM, Wietse Venema wie...@porcupine.org wrote:
> Didn't I write that Postfix will attempt the unextended name first, before trying the name without the text after $recipient_delimiter?

I'm assuming you meant extended name first - otherwise I'm confused! :)

Yes. I understand that with 'recipient_delimiter = -' Postfix will try to match user-extens...@example.com BEFORE attempting u...@example.com (in most tables).

But I'm still confused about mouss' advice that I shouldn't use '-' as the delimiter if I'm using mailing list software. As long as 'user-extension' doesn't match any 'listname-command' combinations or match any other valid recipients that include a hyphen before the @, why can't I?

Thanks, SteveJ
Re: Address Tagging in Postfix?
Steve Jenkins:
> On Tue, Mar 22, 2011 at 4:41 PM, Wietse Venema wie...@porcupine.org wrote:
> > Didn't I write that Postfix will attempt the unextended name first, before trying the name without the text after $recipient_delimiter?
>
> I'm assuming you meant extended name first - otherwise I'm confused! :)
>
> Yes. I understand that with 'recipient_delimiter = -' Postfix will try to match user-extens...@example.com BEFORE attempting u...@example.com (in most tables).

This includes Postfix trying listname-request, owner-listname, and so on, so these addresses will work as expected.

Besides this, there is some explicit logic to avoid splitting mailer-daemon, owner-foo and foo-request.

> But I'm still confused about mouss' advice that I shouldn't use '-' as the delimiter if I'm using mailing list software. As long as 'user-extension' doesn't match any 'listname-command' combinations or match any other valid recipients that include a hyphen before the @, why can't I?

I don't know why Mouss believes that this is a problem.

Wietse
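Added example, not part of any message in this thread and not Postfix source code: a model of the lookup order discussed above for recipient_delimiter, covering both the '+' case and the '-' case with the mailer-daemon, owner-foo and foo-request exceptions. It assumes the local part is split at the first delimiter and tries only the two keys named in the thread; the table and all addresses are constructed.

```python
# Model of the lookup order described in this thread; not Postfix source code.
# Assumptions: the local part splits at the first delimiter, and only the two
# keys named in the thread (extended, then unextended) are tried.

# Constructed sample table; every address is a placeholder.
TABLE = {
    "bob@example.com": "bob",
    "bob+lists@example.com": "bob/lists",
    "steve@example.com": "steve",
    "announce@example.com": "list-post",
    "announce-request@example.com": "list-request",
    "owner-announce@example.com": "list-owner",
}


def split_localpart(localpart, delimiter):
    """Return (user, extension); extension is None when the name is not split."""
    lower = localpart.lower()
    if lower == "mailer-daemon":
        return localpart, None
    if delimiter == "-":
        # owner-foo and foo-request stay whole, as noted in the thread.
        if lower.startswith("owner-"):
            return localpart, None
        if lower.endswith("-request") and len(lower) > len("-request"):
            return localpart, None
    user, sep, extension = localpart.partition(delimiter)
    if not sep or not user:
        return localpart, None
    return user, extension


def lookup_candidates(address, delimiter):
    """Keys in the order they are tried: extended address, then unextended."""
    localpart, _, domain = address.rpartition("@")
    user, extension = split_localpart(localpart, delimiter)
    keys = [f"{localpart}@{domain}"]
    if extension is not None:
        keys.append(f"{user}@{domain}")
    return keys


def resolve(address, delimiter, table=TABLE):
    """Return the first table hit, or None when no candidate key matches."""
    for key in lookup_candidates(address, delimiter):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for addr, delim in [("bob+anytag@example.com", "+"),
                        ("steve-shopping@example.com", "-"),
                        ("announce-request@example.com", "-"),
                        ("announce-unsubscribe@example.com", "-")]:
        print(addr, lookup_candidates(addr, delim), resolve(addr, delim))
```

The last sample address has no explicit table entry, so in this model it falls back to the unextended key announce@example.com.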
Re: fatal: unsupported dictionary type: mysql
Thanks a lot. Another quick question: Even though, I have read this thread: http://old.nabble.com/Postfix-integration%3A-Oracle-or-LDAP--to29532158.html#a29532158 Is there any way to connect to Oracle database from postfix ? thanks again !