virtual_transport to many lmtp loadbalancers
I would like to point postfix' virtual_transport at several addresses for lmtp delivery, and hopefully want postfix to gracefully handle that any one of them might be down.

    virtual_transport = lmtp:loadbalancers.example.com:24

What's the best way of doing that? Will simple rr-dns work:

    $ host loadbalancers
    loadbalancers.example.com has address 192.168.42.17
    loadbalancers.example.com has address 192.168.42.15

or will MX records be better?

-jf
PATCH fix processing reply from milter
Hi all,

I'm trying to set up a commercial spam filter with Postfix. It works with Sendmail using the milter protocol, but with Postfix I've got this in the logs:

    Aug 31 11:34:11 master postfix/cleanup[8458]: warning: milter inet:127.0.0.1:2266: malformed reply: 550 The message has been rejected by spam filtering engine.

I've investigated the problem to this place (src/milter/milter8.c):

    case SMFIR_REPLYCODE:
    ...
        if ((STR(milter->buf)[0] != '4' && STR(milter->buf)[0] != '5')
            || !ISDIGIT(STR(milter->buf)[1])
            || !ISDIGIT(STR(milter->buf)[2])
            || (STR(milter->buf)[3] != ' ' && STR(milter->buf)[3] != '-')
            || STR(milter->buf)[4] != STR(milter->buf)[0]) {

The comment indicates that Postfix expects ddd d.d+.d+ text, but the anti-spam filter returns something different. So just removing the last check resolves the problem.

Can someone confirm this fix doesn't break anything? Patch for version 2.7.4.

Thanks.
--
Vladimir Vassiliev

--- postfix-2.7.4/src/milter/milter8.c 2011-08-31 11:52:55.107198728 +0400 +++ postfix-2.7.4/src/milter/milter8.c 2011-08-31 11:53:34.695322248 +0400 @@ -1255,8 +1255,8 @@ if ((STR(milter-buf)[0] != '4' STR(milter-buf)[0] != '5') || !ISDIGIT(STR(milter-buf)[1]) || !ISDIGIT(STR(milter-buf)[2]) - || (STR(milter-buf)[3] != ' ' STR(milter-buf)[3] != '-') - || STR(milter-buf)[4] != STR(milter-buf)[0]) { + || (STR(milter-buf)[3] != ' ' STR(milter-buf)[3] != '-')) { +// || STR(milter-buf)[4] != STR(milter-buf)[0]) { msg_warn(milter %s: malformed reply: %s, milter-m.name, STR(milter-buf)); milter8_conf_error(milter);
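Review bot: the last `+` line keeps the removed comparison of byte [4] against byte [0] as a commented-out line inside the condition; delete it rather than leaving dead code in the middle of the `if`. With that comparison gone, nothing in the condition looks at byte [4] any more, so a reply whose text starts with a status digit of a different class than the reply code (a 5xx code followed by 4.x.x text) is accepted without a warning. Consider keeping the comparison and applying it only when the text after the code looks like an enhanced status code, so that replies such as the "550 The message has been rejected ..." one in the log line still pass.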
Re: virtual_transport to many lmtp loadbalancers
On Wed, Aug 31, 2011 at 09:16:36AM +0200, Jan-Frode Myklebust wrote:
> I would like to point postfix' virtual_transport at several addresses for lmtp delivery, and hopefully want postfix to gracefully handle that any one of them might be down.
>
>     virtual_transport = lmtp:loadbalancers.example.com:24

I mistakenly entered

    virtual_transport = smtp:loadbalancers.example.com:24

and got a few messages bounced:

    Aug 31 10:12:01 mailgw1 postfix/smtp[32598]: E6A2490076: to=m...@example.com, relay=loadbalancers.example.com[192.168.42.15]:24, delay=0.03, delays=0.02/0.01/0/0, dsn=5.5.2, status=bounced (host loadbalancers.example.com[192.168.42.15] refused to talk to me: 502 5.5.2 Unknown command)

I'm a bit surprised that it led to a 502, instead of a temporary error. Is there any way to change this to a temporary error and have it retry at a later point? It would be nice if the mail servers can queue the messages when all my lmtp-servers are down...

-jf
postscreen dnsbl services down ß
Hello,

anyone can acknowledge that following dnsbl services are not reachable?

    zen.spamhaus.org*2          DOWN
    b.barracudacentral.org      DOWN
    bl.spamcop.net*2
    combined.rbl.msrbl.net*2
    ix.dnsbl.manitu.net*2       DOWN
    dnsrbl.swinog.ch*2
    dnsbl.njabl.org*2
    no-more-funn.moensted.dk
    db.wpbl.info                DOWN
    psbl.surriel.com

I get a lot of 550 service not available entries in log and sender gets error messages.

marko
Re: postscreen dnsbl services down ß
> ix.dnsbl.manitu.net*2       DOWN

works fine here from Germany.
Re: postscreen dnsbl services down ß
On Wed Aug 31 2011 12:01:20 GMT+0200 (CET), we...@zackbummfertig.de wrote:
> Hello,
>
> anyone can acknowledge that following dnsbl services are not reachable?
>
>     zen.spamhaus.org*2          DOWN
>     b.barracudacentral.org      DOWN
>     bl.spamcop.net*2
>     combined.rbl.msrbl.net*2
>     ix.dnsbl.manitu.net*2       DOWN
>     dnsrbl.swinog.ch*2
>     dnsbl.njabl.org*2
>     no-more-funn.moensted.dk
>     db.wpbl.info                DOWN
>     psbl.surriel.com
>
> I get a lot of 550 service not available entries in log and sender gets error messages.

They all work fine here, I'd say check for routing problems.

cheers,
Michael
Re: virtual_transport to many lmtp loadbalancers
Jan-Frode Myklebust:
> On Wed, Aug 31, 2011 at 09:16:36AM +0200, Jan-Frode Myklebust wrote:
> > I would like to point postfix' virtual_transport at several addresses for lmtp delivery, and hopefully want postfix to gracefully handle that any one of them might be down.
> >
> >     virtual_transport = lmtp:loadbalancers.example.com:24
>
> I mistakenly entered
>
>     virtual_transport = smtp:loadbalancers.example.com:24
>
> and got a few messages bounced:
>
>     Aug 31 10:12:01 mailgw1 postfix/smtp[32598]: E6A2490076: to=m...@example.com, relay=loadbalancers.example.com[192.168.42.15]:24, delay=0.03, delays=0.02/0.01/0/0, dsn=5.5.2, status=bounced (host loadbalancers.example.com[192.168.42.15] refused to talk to me: 502 5.5.2 Unknown command)
>
> I'm a bit surprised that it led to a 502, instead of a temporary error. Is there any way to change this to a temporary error and have it retry at a later point? It would be nice if the mail servers can queue the messages when all my lmtp-servers are down...

The server replies with 502 because LMTP uses LHLO, while SMTP uses HELO or EHLO, and for good reasons: the protocol has different replies for multi-recipient email.

You can change 502 into 4xx with smtp_reply_filter (Postfix 2.7 and later). But I recommend that you use the correct protocol instead.

http://www.postfix.org/postconf.5.html#smtp_reply_filter

Wietse
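The LHLO versus HELO/EHLO difference described in the reply above can be checked before a transport goes into main.cf. The following Python code is an added example, not part of the thread or of Postfix: it greets a listener with LHLO and then EHLO and compares what the port speaks with the transport named in a setting such as the virtual_transport value. The toy listener, the name probe.example.test and all function names are constructed for the illustration.

```python
import socket
import threading


def read_reply(f):
    """Read one SMTP/LMTP reply, following "ddd-" continuation lines; return the code."""
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"not an SMTP-style reply: {line!r}")
        if line[3:4] != "-":  # "ddd text" (or a bare "ddd") ends the reply
            return int(line[:3])


def probe_protocol(host, port, timeout=5.0):
    """Return 'lmtp', 'smtp' or 'unknown', by which greeting verb the peer answers with 250."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rwb") as f:
        if read_reply(f) != 220:
            return "unknown"
        found = "unknown"
        for verb, proto in (("LHLO", "lmtp"), ("EHLO", "smtp")):
            f.write(f"{verb} probe.example.test\r\n".encode("ascii"))
            f.flush()
            if read_reply(f) == 250:
                found = proto
                break
        f.write(b"QUIT\r\n")
        f.flush()
        read_reply(f)  # wait for 221 so the peer sees a clean shutdown
        return found


def check_transport(setting):
    """Compare the transport in 'transport:host:port' with what that port speaks."""
    transport, _, nexthop = setting.partition(":")
    if nexthop.startswith("inet:"):
        nexthop = nexthop[len("inet:"):]
    host, _, port = nexthop.rpartition(":")
    observed = probe_protocol(host.strip("[]"), int(port))
    return {"configured": transport, "observed": observed, "ok": transport == observed}


def toy_lmtp_listener(listener, connections):
    """Constructed stand-in for an LMTP backend: 250 to LHLO, 502 to any other verb."""
    for _ in range(connections):
        conn, _addr = listener.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 backend.example.test LMTP ready\r\n")
            f.flush()
            for line in f:
                verb = line.split(None, 1)[0].upper() if line.strip() else b""
                if verb == b"LHLO":
                    f.write(b"250-backend.example.test\r\n250 PIPELINING\r\n")
                elif verb == b"QUIT":
                    f.write(b"221 2.0.0 Bye\r\n")
                else:
                    f.write(b"502 5.5.2 Unknown command\r\n")
                f.flush()
                if verb == b"QUIT":
                    break


def demo():
    """Probe the toy listener once as configured for lmtp and once for smtp."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    port = listener.getsockname()[1]
    threading.Thread(target=toy_lmtp_listener, args=(listener, 2), daemon=True).start()
    try:
        return [check_transport(f"{t}:127.0.0.1:{port}") for t in ("lmtp", "smtp")]
    finally:
        listener.close()


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Against the toy listener, the smtp: setting is reported as a mismatch, which is the same condition that produced the 502 bounce in the log line quoted above.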
Re: postscreen dnsbl services down ß
On Wed, 31 Aug 2011 12:10:29 +0200 Michael Weissenbacher m...@dermichi.com wrote:
> On Wed Aug 31 2011 12:01:20 GMT+0200 (CET), we...@zackbummfertig.de wrote:
> > Hello,
> >
> > anyone can acknowledge that following dnsbl services are not reachable?
> >
> >     zen.spamhaus.org*2          DOWN
> >     b.barracudacentral.org      DOWN
> >     bl.spamcop.net*2
> >     combined.rbl.msrbl.net*2
> >     ix.dnsbl.manitu.net*2       DOWN
> >     dnsrbl.swinog.ch*2
> >     dnsbl.njabl.org*2
> >     no-more-funn.moensted.dk
> >     db.wpbl.info                DOWN
> >     psbl.surriel.com
> >
> > I get a lot of 550 service not available entries in log and sender gets error messages.
>
> They all work fine here, I'd say check for routing problems.

...or you've been blocked for too many requests.

> cheers,
> Michael
Re: postscreen dnsbl services down ß
On Wednesday 31 August 2011 05:01:20 we...@zackbummfertig.de wrote:
> anyone can acknowledge that following dnsbl services are not reachable?
>
>     zen.spamhaus.org*2          DOWN

Spamhaus lists are not free for certain uses. If you have exceeded allowed free use from a single IP address, you may be blocked. See http://www.spamhaus.org/organization/dnsblusage.html for usage terms.

>     b.barracudacentral.org      DOWN

BRBL requires preregistration. Similarly, they might block access from unregistered hosts.

Neither Barracuda nor Spamhaus lookups are likely to work through a free DNS forwarding service like Google Public DNS or OpenDNS. Likewise, many ISP nameservers are probably blocked.

>     bl.spamcop.net*2

FWIW I would disagree with your scoring, based on my statistics. I would score BRBL higher than Spamcop. The latter has numerous issues with freemail outbound relays, which could cause false positives.

I'm using all three of the above, but only NJABL of the ones below.

>     combined.rbl.msrbl.net*2
>     ix.dnsbl.manitu.net*2       DOWN
>     dnsrbl.swinog.ch*2
>     dnsbl.njabl.org*2
>     no-more-funn.moensted.dk
>     db.wpbl.info                DOWN
>     psbl.surriel.com
>
> I get a lot of 550 service not available entries in log and sender gets error messages.

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: postscreen dnsbl services down ß
On Wed, 31 Aug 2011 08:01:56 -0400, John Peach post...@johnpeach.com wrote:
> On Wed, 31 Aug 2011 12:10:29 +0200 Michael Weissenbacher m...@dermichi.com wrote:
> > On Wed Aug 31 2011 12:01:20 GMT+0200 (CET), we...@zackbummfertig.de wrote:
> > > Hello,
> > >
> > > anyone can acknowledge that following dnsbl services are not reachable?
> > >
> > >     zen.spamhaus.org*2          DOWN
> > >     b.barracudacentral.org      DOWN
> > >     bl.spamcop.net*2
> > >     combined.rbl.msrbl.net*2
> > >     ix.dnsbl.manitu.net*2       DOWN
> > >     dnsrbl.swinog.ch*2
> > >     dnsbl.njabl.org*2
> > >     no-more-funn.moensted.dk
> > >     db.wpbl.info                DOWN
> > >     psbl.surriel.com
> > >
> > > I get a lot of 550 service not available entries in log and sender gets error messages.
> >
> > They all work fine here, I'd say check for routing problems.
>
> ...or you've been blocked for too many requests.

with 1500-2000 Mails each day

> > cheers,
> > Michael
Re: virtual_transport to many lmtp loadbalancers
On Wed, Aug 31, 2011 at 07:12:12AM -0400, Wietse Venema wrote:
> The server replies with 502 because LMTP uses LHLO, while SMTP uses HELO or EHLO, and for good reasons: the protocol has different replies for multi-recipient email.

Doh... I was confused and thought it was connecting to port 25 (where nothing was listening), and failed then. So having none of my lmtp-servers online shouldn't mean we start bouncing emails. Good.

> But I recommend that you use the correct protocol instead.

Fixed, thanks :-)

-jf
Headscratcher with postfix
Hi!

I have stumbled across a problem I don't understand. I have an email address that several users in my domain send email to. For a while now (they claim it previously worked) one of them can send email to the recipient and the other can not. I've tried as well with my domain local account and also get rejected. A test mail from my gmail-account does however work.

The short problem is that the non-working accounts get the following in the logs:

    - said: 450 Requested mail action not taken: mailbox unavailable (in reply to RCPT TO command))

while the working accounts get:

    - (250 Requested mail action okay, completed

I've scratched my head against this for several days now and finally turned on the heavy debugging. It did give me something to look at but as far as I can see the system is set up correctly in that regard. Can someone else pore over these two logs and see what I'm not seeing?

Hmm... on my second attempt I will not attach these logs as my question was then rejected (ironic!). So if someone has a notion and wants to take a look at my logs let me know!

Regards,
Dieter Modig
Re: PATCH fix processing reply from milter
Vladimir Vassiliev:
> Hi all,
>
> I'm trying to set up a commercial spam filter with Postfix. It works with Sendmail using the milter protocol, but with Postfix I've got this in the logs:
>
>     Aug 31 11:34:11 master postfix/cleanup[8458]: warning: milter inet:127.0.0.1:2266: malformed reply: 550 The message has been rejected by spam filtering engine.
>
> I've investigated the problem to this place (src/milter/milter8.c):
>
>     case SMFIR_REPLYCODE:
>     ...
>         if ((STR(milter->buf)[0] != '4' && STR(milter->buf)[0] != '5')
>             || !ISDIGIT(STR(milter->buf)[1])
>             || !ISDIGIT(STR(milter->buf)[2])
>             || (STR(milter->buf)[3] != ' ' && STR(milter->buf)[3] != '-')
>             || STR(milter->buf)[4] != STR(milter->buf)[0]) {
>
> The comment indicates that Postfix expects ddd d.d+.d+ text, but the anti-spam filter returns something different. So just removing the last check resolves the problem.
>
> Can someone confirm this fix doesn't break anything? Patch for version 2.7.4.

The test exists for a reason: it catches Milters that send RFC 3463 enhanced status codes that don't match the SMTP reply code.

Below is a quick fix that preserves the test for Milters that appear to send enhanced status codes. This is OK for stable releases.

The proper solution examines every line of a multi-line reply. That is a larger change, and is OK for the development release.

Wietse

*** src/milter/milter8.c- Thu Apr 28 10:09:30 2011 --- src/milter/milter8.cWed Aug 31 09:04:19 2011 *** *** 1255,1265 MILTER8_DATA_BUFFER, milter-buf, MILTER8_DATA_END) != 0) MILTER8_EVENT_BREAK(milter-def_reply); if ((STR(milter-buf)[0] != '4' STR(milter-buf)[0] != '5') || !ISDIGIT(STR(milter-buf)[1]) || !ISDIGIT(STR(milter-buf)[2]) || (STR(milter-buf)[3] != ' ' STR(milter-buf)[3] != '-') ! || STR(milter-buf)[4] != STR(milter-buf)[0]) { msg_warn(milter %s: malformed reply: %s, milter-m.name, STR(milter-buf)); milter8_conf_error(milter); --- 1255,1267 MILTER8_DATA_BUFFER, milter-buf, MILTER8_DATA_END) != 0) MILTER8_EVENT_BREAK(milter-def_reply); + /* XXX Enforce this for each line of a multi-line reply. 
*/ if ((STR(milter-buf)[0] != '4' STR(milter-buf)[0] != '5') || !ISDIGIT(STR(milter-buf)[1]) || !ISDIGIT(STR(milter-buf)[2]) || (STR(milter-buf)[3] != ' ' STR(milter-buf)[3] != '-') ! || (ISDIGIT(STR(milter-buf)[4]) !(STR(milter-buf)[4] != STR(milter-buf)[0]))) { msg_warn(milter %s: malformed reply: %s, milter-m.name, STR(milter-buf)); milter8_conf_error(milter);
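Review bot: in the changed condition, a single ISDIGIT test on byte [4] decides whether the reply is treated as carrying an enhanced status code, so free-form text that merely begins with a digit of another class (for example "550 4 recipients rejected") is still reported as malformed. Checking that byte [5] is '.' as well before comparing byte [4] with byte [0] would limit the class check to text shaped like d.d+.d+. The added XXX comment records that only the first line of a multi-line reply is checked; a sentence on what later lines may contain until that is enforced would help whoever picks up the follow-up change.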
Re: Headscratcher with postfix
Dieter Modig:
> - said: 450 Requested mail action not taken: mailbox unavailable (in reply to RCPT TO command))

That is NOT a Postfix error message.

To fix this, look at the OTHER mail system whose name and IP address you helpfully deleted.

Wietse
Re: Webmin as an admin tool?
Artica seems not any more under development since 2009. Last change was 2009.

On Sat, 27 Aug 2011 13:33:34 +0200, David Touzeau da...@touzeau.eu wrote:
> Take a look here
> Open Source solution.
> Tried to perform Complex settings such as multiple postfix instances
> Postfix upgrade by compilation supported
> Can act as mailbox server
> Load balancing and PowerDNS support.
> LDAP and ActiveDirectory support
> PostScreen support and associated plugins like milter-greylist, spamassassin, Amavisd-new
> Realtime Backup on the fly
> Statistics
> Anti-hacks
> Load balancing, round-robin...
> Multi-administrators interfaces.
> End-users interfaces for quarantine and aliases
> ..blabla...
>
> On Friday 26 August 2011 at 13:28 -0400, John wrote:
> > I do not want to start a flame war, but what are the thoughts on using webmin as a tool to administer postfix (+ dovecot, but that is outside this group).
> >
> > TIA
> > John Allen
CA certificate error in outllook
Hi

I use postfix with TLS option. I create certificates in the same mode as the postfix documentation. It is OK, postfix is perfectly functional. I import the CA certificate from PEM format in DER format, then it was installed in Windows as a trusted certificate. When I send email with Outlook or Outlook Express, the following error is received:

    The server you are connected to is using a security certificate that could not be verified. A certificate that can only be used as an end-entity is being used as a CA or visa versa. Do you want to continue using this server?

If I click yes it functions normally. What is the problem with the CA certificate?

Thanks
Re: CA certificate error in outllook
No problem at all. Seems you are using a self-signed cert. You can buy cheap domain validated SSL certs by 59€ / year, I mean to remember. Then this message won't show up. Or you accept the cert in the mail client, then this message also is not shown. In Thunderbird you can do this, dunno how to do it in Outlook Express and Outlook.

marko

On Wed, 31 Aug 2011 16:34:08 +0300, gaby g...@autoglobus2000.ro wrote:
> Hi
>
> I use postfix with TLS option. I create certificates in the same mode as the postfix documentation. It is OK, postfix is perfectly functional. I import the CA certificate from PEM format in DER format, then it was installed in Windows as a trusted certificate. When I send email with Outlook or Outlook Express, the following error is received:
>
>     The server you are connected to is using a security certificate that could not be verified. A certificate that can only be used as an end-entity is being used as a CA or visa versa. Do you want to continue using this server?
>
> If I click yes it functions normally. What is the problem with the CA certificate?
>
> Thanks
[SOT] Low volume antispam filter broken URL link
Hi all!

Unfortunately the link posted in http://www.postfix.org/addon.html for 'crm114 Postfix howto by Eugene Borukhovich' is broken (google didn't help either), does anyone by chance have that document? I'm trying to set up a low volume/resources antispam system (any other recommendation is welcomed).

TIA.
LU.
Re: Headscratcher with postfix
Dieter Modig:
> said: 450 Requested mail action not taken: mailbox unavailable (in reply to RCPT TO command))

Wietse:
> That is NOT a Postfix error message.
>
> To fix this, look at the OTHER mail system whose name and IP address you helpfully deleted.

Dieter Modig:
> they have a malfunction how can it work with one of my users and not the other when both are sending to the same recipient?!

If you wonder why the OTHER system gives replies that depend on the sender address, then look at the OTHER system.

Wietse
Re: CA certificate error in outllook
On Wed, 31 Aug 2011 16:34:08 +0300, gaby wrote:
> I use postfix with TLS option. I create certificates in the same mode as the postfix documentation. It is OK, postfix is perfectly functional. I import the CA certificate from PEM format in DER format, then it was installed in Windows as a trusted certificate.

Which certification store exactly do you use? In Windows 7 it is called Trusted Root Certification Authorities. Verify to store it in the current user account store as well as in the computer account store.

> When I send email with Outlook or Outlook Express, the following error is received:
>
>     The server you are connected to is using a security certificate that could not be verified. A certificate that can only be used as an end-entity is being used as a CA or visa versa. Do you want to continue using this server?
>
> If I click yes it functions normally. What is the problem with the CA certificate?

Maybe you configured postfix to use the CA certificate? You should use a server certificate signed by your own created CA.

Key usage must contain server authentication - oid 1.3.6.1.5.5.7.3.1 (http://www.oid-info.com/get/1.3.6.1.5.5.7.3.1) and may contain, if you're going to use it, client authentication - oid 1.3.6.1.5.5.7.3.2 (http://www.oid-info.com/get/1.3.6.1.5.5.7.3.2).

Greetz,
Tobias
Re: CA certificate error in outllook
Use Win XP SP3, Outlook Express, the CA certificate is stored in Trusted Root Certification Authorities and it is imported with success. In the other device (Nokia phone) the answer about the CA certificate is only once, then phone email is normally functional, without any answer.

- Original Message -
From: Tobias Hachmer
To: postfix-users@postfix.org
Sent: Wednesday, August 31, 2011 8:00 PM
Subject: Re: CA certificate error in outllook

On Wed, 31 Aug 2011 16:34:08 +0300, gaby wrote:
> I use postfix with TLS option. I create certificates in the same mode as the postfix documentation. It is OK, postfix is perfectly functional. I import the CA certificate from PEM format in DER format, then it was installed in Windows as a trusted certificate.

Which certification store exactly do you use? In Windows 7 it is called Trusted Root Certification Authorities. Verify to store it in the current user account store as well as in the computer account store.

> When I send email with Outlook or Outlook Express, the following error is received:
>
>     The server you are connected to is using a security certificate that could not be verified. A certificate that can only be used as an end-entity is being used as a CA or visa versa. Do you want to continue using this server?
>
> If I click yes it functions normally. What is the problem with the CA certificate?

Maybe you configured postfix to use the CA certificate? You should use a server certificate signed by your own created CA.

Key usage must contain server authentication - oid 1.3.6.1.5.5.7.3.1 (http://www.oid-info.com/get/1.3.6.1.5.5.7.3.1) and may contain, if you're going to use it, client authentication - oid 1.3.6.1.5.5.7.3.2 (http://www.oid-info.com/get/1.3.6.1.5.5.7.3.2).

Greetz,
Tobias
Re: CA certificate error in outllook
On Wed, 31 Aug 2011 20:23:26 +0300, gaby wrote:
> Use Win XP SP3, Outlook Express, the CA certificate is stored in Trusted Root Certification Authorities and it is imported with success. In the other device (Nokia phone) the answer about the CA certificate is only once, then phone email is normally functional, without any answer.

Well, for better troubleshooting please post 'postconf -n', your main.cf and your CA Certificate as well as your Server Certificate.

Tobias
Re: CA certificate error in outllook
On Wed, 31 Aug 2011 22:21:39 +0200 Tobias Hachmer articulated:
> On Wed, 31 Aug 2011 20:23:26 +0300, gaby wrote:
> > Use Win XP SP3, Outlook Express, the CA certificate is stored in Trusted Root Certification Authorities and it is imported with success. In the other device (Nokia phone) the answer about the CA certificate is only once, then phone email is normally functional, without any answer.
>
> Well, for better troubleshooting please post 'postconf -n', your main.cf and your CA Certificate as well as your Server Certificate.

Why post the main.cf file? He would be better served reading the documentation under: http://www.postfix.com/DEBUG_README.html.

    Reporting problems to postfix-users@postfix.org

    Output from postconf -n. Please do not send your main.cf file, or 500+ lines of postconf output.

    Better, provide output from the postfinger tool. This can be found at http://ftp.wl0.org/SOURCES/postfinger.

    If the problem is SASL related, consider including the output from the saslfinger tool. This can be found at http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

--
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

The best laid plans of mice and men are held up in the legal department.
Postdrop doesn't always stop when postfix stop is issued
This is extremely difficult to reproduce, but it does happen occasionally -- We will tell postfix to stop, and once that is complete, a postdrop process will sometimes remain, and will run until it is manually killed. Is this an expected behavior of postdrop -- That after the master postfix is stopped, it is expected sometimes that it may continue running, regardless?

This is on Postfix 2.6 through Postfix 2.8 series.

Thanks,
Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Postdrop doesn't always stop when postfix stop is issued
Quanah Gibson-Mount:
> This is extremely difficult to reproduce, but it does happen occasionally -- We will tell postfix to stop, and once that is complete, a postdrop process will sometimes remain, and will run until it is manually killed. Is this an expected behavior of postdrop -- That after the master postfix is stopped, it is expected sometimes that it may continue running, regardless?

This is 100% intentional. The Postfix sendmail command MUST NOT drop mail on the floor while the mail system is down.

For example there are programs that run at boot time that rely on the availability of sendmail command-line submission, such as text editors that want to send how to recover your session email.

Other daemons such as cron may be running while the Postfix daemons are down for whatever reason. Their mail should not be lost, either.

Wietse
Re: Postdrop doesn't always stop when postfix stop is issued
--On Wednesday, August 31, 2011 7:58 PM -0400 Wietse Venema wie...@porcupine.org wrote:
> Quanah Gibson-Mount:
> > This is extremely difficult to reproduce, but it does happen occasionally -- We will tell postfix to stop, and once that is complete, a postdrop process will sometimes remain, and will run until it is manually killed. Is this an expected behavior of postdrop -- That after the master postfix is stopped, it is expected sometimes that it may continue running, regardless?
>
> This is 100% intentional. The Postfix sendmail command MUST NOT drop mail on the floor while the mail system is down.
>
> For example there are programs that run at boot time that rely on the availability of sendmail command-line submission, such as text editors that want to send how to recover your session email.
>
> Other daemons such as cron may be running while the Postfix daemons are down for whatever reason. Their mail should not be lost, either.

Hi Wietse,

Thanks, I think I understand what is happening. This is the Zimbra Postfix, not the system one. We generally see this when upgrading Zimbra to a newer version. I see that the order services stop is to have the mailbox server (which receives email from postfix over LMTP) stop before postfix is stopped. My guess is that postfix is in the middle of trying to deliver an email to it when this happens. I'll change the stop order so that postfix is stopped long before the mailbox, which should give postdrop time to finish any deliveries it needs before the mailbox server is stopped.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration