Re: Configuring a mail gateway

Thanks to Noel (and to the Postfix community in general) for the guidance, my mail gateway is now running (still in test mode), together with spamassassin, clamav and amavis-new.

Now, one more thing: Since this is just a relay, mail is not stored locally; yet, I would like to train spamassassin (if that makes any sense! - any advice/experience on spamassassin training?) which requires local directories of spam and non-spam. So I was thinking I should configure postfix/spamassassin to keep local copies of spam (to be also available for checking using IMAP) and non-spam mail so as to make training feasible.

Another option is to disable spamassassin entirely on the gateway server and install/use it on the internal (final) mail server (used as outgoing gateway and internal POP/IMAP). At the moment, I would prefer to use the former approach, as it fits better in our current mail receiving architecture. Any advice?

Also, to disable sending outgoing mails from this server (which is only there to receive mail from the Internet as MX-designated mail server and work as a local relay to internal mail server) I am planning to use the setting:

    mynetworks = empty

Would this have any impact on the relay role of the server (which means: would relaying of relay_domains as defined in transport_maps be inhibited in any way)? I believe no, but I am asking, just in case?

Thanks,
Nick

Re: Configuring a mail gateway

Nikolaos Milas:
> Also, to disable sending outgoing mails from this server (which is only there to receive mail from the Internet as MX-designated mail server and work as a local relay to internal mail server) I am planning to use the setting:
>
>     mynetworks = empty
>
> Would this have any impact on the relay role of the server (which means: would relaying of relay_domains as defined in transport_maps be inhibited in any way)? I believe no, but I am asking, just in case?

mynetworks is used by the permit_mynetworks feature. If you don't use permit_mynetworks at all (check with: postconf | grep permit_mynetworks), then mynetworks can be empty.

To allow mail from local programs that send SMTP mail through the loopback interface, you could set one of the following:

    mynetworks = 127.0.0.1/32
    mynetworks = 127.0.0.1/32 [::1]/128

Wietse

Re: What does Postfix stamp...

Murray S. Kucherawy wrote:
> X-Originating-IP: isn't standard, so I'm not surprised postfix isn't adding it by default. And I wouldn't trust it anyway; how do you know it contains a true value?

Not to mention, at least in my experience it's the IP that introduced the message to the Internet (i.e., the sending client's IP, or webmail user's IP), not the IP that connected to your server.

-kgd

Re: Configuring a mail gateway

On 9/9/2011 4:00 μμ, Wietse Venema wrote:
> If you don't use permit_mynetworks at all (check with: postconf | grep permit_mynetworks), then mynetworks can be empty.

Thanks Wietse,

    mynetworks = 127.0.0.1/32 [::1]/128

seems the right solution.

In fact I am using permit_mynetworks as the first entry in smtpd_recipient_restrictions. It seems it doesn't make any sense there, so I can remove it?

Also, should the above mynetworks setting cover postscreen needs (since postscreen_access_list = permit_mynetworks)?

    # postconf | grep permit_mynetworks
    postscreen_access_list = permit_mynetworks
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unverified_recipient, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, permit

Also:

    # postconf | grep postscreen
    postscreen_access_list = permit_mynetworks
    postscreen_bare_newline_action = ignore
    postscreen_bare_newline_enable = no
    postscreen_bare_newline_ttl = 30d
    postscreen_blacklist_action = ignore
    postscreen_cache_cleanup_interval = 12h
    postscreen_cache_map = btree:$data_directory/postscreen_cache
    postscreen_cache_retention_time = 7d
    postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
    postscreen_command_count_limit = 20
    postscreen_command_filter =
    postscreen_command_time_limit = ${stress?10}${stress:300}s
    postscreen_disable_vrfy_command = $disable_vrfy_command
    postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
    postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
    postscreen_dnsbl_action = enforce
    postscreen_dnsbl_reply_map =
    postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, psbl.surriel.com*2
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_ttl = 1h
    postscreen_enforce_tls = $smtpd_enforce_tls
    postscreen_expansion_filter = $smtpd_expansion_filter
    postscreen_forbidden_commands = $smtpd_forbidden_commands
    postscreen_greet_action = enforce
    postscreen_greet_banner = $smtpd_banner
    postscreen_greet_ttl = 1d
    postscreen_greet_wait = ${stress?2}${stress:6}s
    postscreen_helo_required = $smtpd_helo_required
    postscreen_non_smtp_command_action = drop
    postscreen_non_smtp_command_enable = no
    postscreen_non_smtp_command_ttl = 30d
    postscreen_pipelining_action = enforce
    postscreen_pipelining_enable = no
    postscreen_pipelining_ttl = 30d
    postscreen_post_queue_limit = $default_process_limit
    postscreen_pre_queue_limit = $default_process_limit
    postscreen_reject_footer = $smtpd_reject_footer
    postscreen_tls_security_level = $smtpd_tls_security_level
    postscreen_use_tls = $smtpd_use_tls
    postscreen_watchdog_timeout = 10s

Thanks,
Nick

Re: Configuring a mail gateway

Nikolaos Milas:
> On 9/9/2011 4:00 μμ, Wietse Venema wrote:
> > If you don't use permit_mynetworks at all (check with: postconf | grep permit_mynetworks), then mynetworks can be empty.
>
> Thanks Wietse,
>
>     mynetworks = 127.0.0.1/32 [::1]/128
>
> seems the right solution.
>
> In fact I am using permit_mynetworks as the first entry in smtpd_recipient_restrictions. It seems it doesn't make any sense there, so I can remove it?

See my previous reply. If you need to run programs that send mail via 127.0.0.1 or [::1], then you need permit_mynetworks.

Wietse

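The check discussed in this exchange (which parameters reference permit_mynetworks, and which networks mynetworks would make them trust), written out as an added example that is not part of any post in the thread. The sample mynetworks value is constructed; entries that are not literal networks (lookup tables, file names) are only reported as unparsed.

```python
import ipaddress
import re

# Constructed sample in `postconf` output format. The two permit_mynetworks
# lines mirror the thread; the mynetworks value is invented for illustration.
SAMPLE = """\
mynetworks = 127.0.0.0/8 192.0.2.0/24 [::1]/128
postscreen_access_list = permit_mynetworks
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit
smtpd_client_restrictions =
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict (values may be empty)."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Report who uses permit_mynetworks and which mynetworks entries
    reach beyond the loopback interface."""
    params = parse_postconf(text)
    users = sorted(name for name, value in params.items()
                   if "permit_mynetworks" in re.split(r"[,\s]+", value))
    non_loopback, unparsed = [], []
    for entry in re.split(r"[,\s]+", params.get("mynetworks", "")):
        if not entry:
            continue
        try:
            # Postfix writes IPv6 as [addr]/len; ipaddress expects addr/len
            literal = entry.replace("[", "").replace("]", "")
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            unparsed.append(entry)  # e.g. a lookup table or a file name
            continue
        if not net.is_loopback:
            non_loopback.append(entry)
    return {"uses_permit_mynetworks": users,
            "non_loopback": non_loopback,
            "unparsed": unparsed}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
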
Re: Postfix NDR

On Thu, Sep 8, 2011 at 6:09 PM, Jean-Luc CHANDEZON knut...@gmail.com wrote:
> 2011/9/8 Fernando Maior fernando.souto.ma...@gmail.com
> > On Thu, Sep 8, 2011 at 10:22 AM, Wietse Venema wie...@porcupine.org wrote:
> > > Jean-Luc CHANDEZON:
> > > > Hello,
> > > >
> > > > I believe my request is very simple, but I don't find how I can do that. When you receive a NDR from postfix server, the mail is sent by MAILER-DAEMON@hostname.local. I would like to change the sender. I've seen you can modify master.cf, by adding null_sender= values in a pipe, but it does not work.
> > >
> > > The null_sender option works as documented. It sets the ENVELOPE SENDER ADDRESS not the FROM header.
> > >
> > > Setting the FROM header of (non-)delivery notifications is unsafe, as it may cause mail error messages to go into a loop.
> > >
> > > Wietse
> >
> > Hi Jean-Luc,
> >
> > Let me try to understand, you want to change MAILER-DAEMON@hostname.local for something else? In that case, what do you have for parameters mydomain and myhostname?
> >
> > Also, did you get a look at <http://www.postfix.org/SOHO_README.html>? Perhaps you may find the parameter smtp_generic_maps interesting.
> >
> > Best regards,
> > ---
> > Fernando Maciel Souto Maior
> > LPIC/1(31908), LinuxCounter(391325)
>
> Hi Fernando,
>
> Yes, for end user, the MAILER-DAEMON appears like the sender, which is empty (). Yes, you're right, I want to change this value. The mydomain and myhostname values are not used on my postfix configuration file main.cf. I'll try to investigate smtp_generic_maps.
>
> Best Regards,
> Jean-Luc

Jean-Luc,

As per documentation, mydomain and myhostname get their values from your host name (from operating system) if they are not set in main.cf, so that should be the reason why you have @hostname.local. Try to set mydomain to something else and see what happens...

Best regards,
---
Fernando Maciel Souto Maior
LPIC/1(31908), LinuxCounter(391325)

Re: Configuring a mail gateway

On 9/9/2011 3:14 μμ, Nikolaos Milas wrote:
> Since this is just a relay, mail is not stored locally; ... So I was thinking I should configure postfix/spamassassin to keep local copies of spam (to be also available for checking using IMAP) and non-spam mail so as to make training feasible.

Can we configure the gateway mail server (postfix) to keep local copies of mail messages while relaying them or this should be done using other means e.g. some plugin? I think always_bcc would not be relevant in this context.

Thanks,
Nick

Re: Configuring a mail gateway

On Sep 9, 2011, at 10:28 AM, Nikolaos Milas wrote:
> On 9/9/2011 3:14 μμ, Nikolaos Milas wrote:
> > Since this is just a relay, mail is not stored locally; ... So I was thinking I should configure postfix/spamassassin to keep local copies of spam (to be also available for checking using IMAP) and non-spam mail so as to make training feasible.
>
> Can we configure the gateway mail server (postfix) to keep local copies of mail messages while relaying them or this should be done using other means e.g. some plugin? I think always_bcc would not be relevant in this context.
>
> Thanks,
> Nick

Greetings,

use local recipient map for your local users and transport maps for the delivery of others. You will have to tell amavisd how to relay local and remote. do what Wietse said and allow programs to relay mail via localhost.

-j

RE: What does Postfix stamp...

> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kris Deugau
> Sent: Friday, September 09, 2011 6:32 AM
> To: postfix-users@postfix.org
> Subject: Re: What does Postfix stamp...
>
> Not to mention, at least in my experience it's the IP that introduced the message to the Internet (i.e., the sending client's IP, or webmail user's IP), not the IP that connected to your server.

More often than not, that's what people actually want because it identifies who really sent the message, not who last handled it before you got it. But it's unreliable for all kinds of reasons:

- it could be forged to indicate it came from a legit source when it didn't
- there could be more than one of them, so which one do you believe?
- it might be stripped in transit
- it's non-standard

If its value can't be trusted, you should just ignore it.

Re: Configuring a mail gateway

On 9/9/2011 5:52 μμ, jeffrey j donovan wrote:
> use local recipient map for your local users and transport maps for the delivery of others. You will have to tell amavisd how to relay local and remote. do what Wietse said and allow programs to relay mail via localhost.

Thanks Jeffrey,

I guess we could (??) also (if not using local agent) use

    virtual_mailbox_domains = gatewayhostname.example.com

and

    virtual_mailbox_maps = ...

for virtualized local users to define mailboxes on the gateway mail server - which is the localhost of course - for local delivery using the postfix virtual agent (to addresses of the form xx...@gatewayhostname.example.com).

But could you give any details (or at least a start point for researching) on how to tell amavis to generate mail copies and address them to one destination if they have been designated as spam and to another destination if they have been designated as non-spam and then handle them to postfix for delivery to the above addresses? (I know this is more related to amavis, yet not off-topic.)

Thanks again,
Nick

pipe_command: execvp Permission Denied

I'm attempting to set up postfix to direct incoming email to a perl script which will in effect scan the email with SpamAssassin and scan for viruses; however, when I added the configuration to my master.cf file, I'm getting an error. The mail log reads as so:

    Sep 9 18:50:22 localhost postfix/pipe[2960]: 9F2349ABB01: to=em...@domain.com, relay=postfixfilter, delay=7441, delays=7441/0.08/0/0.65, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /etc/postfix/Filter: Permission denied )

I don't understand this error because the permission on the script file is fine:

    -rwxr-xr-x 1 root root 14289 Sep 9 16:32 /etc/postfix/Filter

I've made the following changes to my master.cf file:

    smtp inet n - n - - smtpd
      -o content_filter=postfixfilter:
    postfixfilter unix - n n - - pipe
      flags=Rq user=apache argv=/etc/postfix/Filter -s ${sender} -r ${recipient}

Any help is greatly appreciated.

Kaleb

Re: pipe_command: execvp Permission Denied

On 2011-09-10 01:02, Kaleb Hosie wrote:
> I'm attempting to set up postfix to direct incoming email to a perl script which will in effect scan the email with SpamAssassin and scan for viruses; however, when I added the configuration to my master.cf file, I'm getting an error. The mail log reads as so:
>
>     Sep 9 18:50:22 localhost postfix/pipe[2960]: 9F2349ABB01: to=em...@domain.com, relay=postfixfilter, delay=7441, delays=7441/0.08/0/0.65, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /etc/postfix/Filter: Permission denied )

Did you verify this in principle ?

    # su -lc /etc/postfix/Filter apache

> I don't understand this error because the permission on the script file is fine:
>
>     -rwxr-xr-x 1 root root 14289 Sep 9 16:32 /etc/postfix/Filter

Oh, it is a script ? So, is it valid ? Does it execute by itself ?

> I've made the following changes to my master.cf file:
>
>     smtp inet n - n - - smtpd
>       -o content_filter=postfixfilter:
>     postfixfilter unix - n n - - pipe
>       flags=Rq user=apache argv=/etc/postfix/Filter -s ${sender} -r ${recipient}
>
> Any help is greatly appreciated.
>
> Kaleb

--
J.

Re: pipe_command: execvp Permission Denied

Kaleb Hosie:
> I'm attempting to set up postfix to direct incoming email to a perl script which will in effect scan the email with SpamAssassin and scan for viruses; however, when I added the configuration to my master.cf file, I'm getting an error. The mail log reads as so:
>
>     Sep 9 18:50:22 localhost postfix/pipe[2960]: 9F2349ABB01: to=em...@domain.com, relay=postfixfilter, delay=7441, delays=7441/0.08/0/0.65, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /etc/postfix/Filter: Permission denied )
>
> I don't understand this error because the permission on the script file is fine:
>
>     -rwxr-xr-x 1 root root 14289 Sep 9 16:32 /etc/postfix/Filter

The apache user needs search permission for all the directories in the /etc/postfix/Filter pathname.

The apache user needs execute permissions for the file after #! on the first line of the script.

The apache user needs search permission for all the directories in the file name after #! on the first line of the script.

The apache user needs execute permission for the run-time linker whose pathname is specified in the file after #! on the first line of the script.

The apache user needs search permission for all the directories in the pathname of the run-time linker whose pathname is specified in the file after #! on the first line of the script.

And so on.

Wietse

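The first three checks in the reply above, walked mechanically from file mode bits, as an added example that is not part of the thread. It assumes a non-root account and classic Unix permissions only: ACLs, SELinux and the run-time linker step are not examined, and the script name in the usage comment is hypothetical.

```python
import os
import stat

def has_x(st, uid, gids):
    """Mode-bit check only: owner class, else group class, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blockers(path, uid, gids, depth=0):
    """List (pathname, reason) pairs that would make exec of `path`
    fail with 'Permission denied' for a non-root uid and its gids."""
    path = os.path.abspath(path)
    parts = path.split(os.sep)
    found = []
    # Every directory prefix needs search (x) permission: /, /etc, /etc/postfix
    for i in range(1, len(parts)):
        directory = os.sep.join(parts[:i]) or os.sep
        if not has_x(os.stat(directory), uid, gids):
            found.append((directory, "no search permission on directory"))
    if not has_x(os.stat(path), uid, gids):
        found.append((path, "no execute permission on file"))
    # A script is run by the file named after "#!", which needs the same checks
    with open(path, "rb") as fh:
        first = fh.readline(256)
    if first.startswith(b"#!") and depth < 4:
        words = first[2:].split()
        if words:
            found += blockers(os.fsdecode(words[0]), uid, gids, depth + 1)
    return found

if __name__ == "__main__":
    import pwd
    import sys
    # usage (hypothetical file name): check_exec.py /etc/postfix/Filter apache
    account = pwd.getpwnam(sys.argv[2])
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    for name, reason in blockers(sys.argv[1], account.pw_uid, groups):
        print(f"{name}: {reason}")
```

Run it as root or as the file owner so every component can be read; duplicate entries appear when the script and its interpreter share a blocked parent directory.
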