Re: DKIM signing problem
On 09/19/2011 05:50 PM, Steve Jenkins wrote: On Sun, Sep 18, 2011 at 11:14 PM, Murray S. Kucherawym...@cloudmark.com wrote: I suggest trying again with OpenDKIM (http://www.opendkim.org). The dkim-milter package has been unmaintained for a couple of years now. It lives on under the new name, with lots of bug fixes and new features since dkim-milter's final release. +1. Anyone who is still running dkim-milter can swap over to OpenDKIM in a matter of minutes - keeping your existing keys, DNS settings, etc. In fact, since you're running CentOS 6, if you have EPEL enabled you can just do yum install opendkim and it will install the latest release version of OpenDKIM with the most common default configuration, including a set of default keys for your server. The opendkim package is available in the stable repos for Fedora 14-17 and EL 5-6. SteveJ I follow your advice and I also try the opendkim package but with same results. I go back to dkim-milter , make some changes in postfix (added content filtering and signing after reinjecting mails into postfix) and now the test fail only on messages with empty body. Canonization is relaxed/relaxed. Alex
Authenticated sender and milter
Hi, Im working on milter application which works on Authenticated sender It seems postfix doesnt send Authenticated sender: Headers to Milter. it there any workaround for this ? -- -Jeetu
Re: Issue integrating with Cyrus-SASL
Crazedfred: ? Crazedfred crazedf...@yahoo.com: What is the result of:find / -name smtpd.conf sudo find / -name smtpd.conf /usr/lib/sasl2/smtpd.conf read the debian documentation! Could you elaborate? Am I looking for the wrong file? I have seen several hints on this mailing list that Debian Postfix wants to read /etc/postfix/sasl/smtpd.conf. That's exactly where it is on mine. --- Strange. I'm on Debian 6, with all the packages that Patrick mentions in his script recording, and that file did not exist: $ cat /etc/postfix/sasl/smtpd.conf cat: /etc/postfix/sasl/smtpd.conf: No such file or director So, I just copied the file over: $ sudo cp /usr/lib/sasl2/smtpd.conf /etc/postfix/sasl/smtpd.conf $ cat /etc/postfix/sasl/smtpd.conf pwcheck_method: saslauthd mech_list: login plain Restarted both services: $ sudo service saslauthd restart Stopping SASL Authentication Daemon: saslauthd. Starting SASL Authentication Daemon: saslauthd. $ sudo service postfix restart Stopping Postfix Mail Transport Agent: postfix. Starting Postfix Mail Transport Agent: postfix. However, Postfix still won't accept my login: $ telnet localhost 25 Trying 127.0.0.1... Connected to localhost.localdomain. Escape character is '^]'. 220 MyComputer ESMTP Postfix (Debian/GNU) auth plain MY-HASH 535 5.7.8 Error: authentication failed: authentication failure The good news, is that saslfinger -s is now reporting the right methods (strangely one file is listed twice): -- content of /usr/lib/sasl2/smtpd.conf -- pwcheck_method: saslauthd mech_list: login plain -- content of /etc/postfix/sasl/smtpd.conf -- pwcheck_method: saslauthd mech_list: login plain -- content of /etc/postfix/sasl/smtpd.conf -- pwcheck_method: saslauthd mech_list: login plain -- mechanisms on localhost -- 250-AUTH PLAIN LOGIN Looks like the same failure as before: postfix/smtpd[30926]: connect from localhost.localdomain[127.0.0.1] postfix/smtpd[30926]: match_hostname: localhost.localdomain ~? 127.0.0.0/8 postfix/smtpd[30926]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8 postfix/smtpd[30926]: localhost.localdomain[127.0.0.1]: 220 MyComputer ESMTP Postfix (Debian/GNU) postfix/smtpd[30926]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null) postfix/smtpd[30926]: name_mask: noanonymous postfix/smtpd[30926]: watchdog_pat: 0xb922b518 postfix/smtpd[30926]: localhost.localdomain[127.0.0.1]: auth plain MY-HASH postfix/smtpd[30926]: xsasl_cyrus_server_first: sasl_method plain, init_response MY-HASH postfix/smtpd[30926]: xsasl_cyrus_server_first: decoded initial response postfix/smtpd[30926]: warning: SASL authentication failure: Password verification failed postfix/smtpd[30926]: warning: localhost.localdomain[127.0.0.1]: SASL plain authentication failed: authentication failure postfix/smtpd[30926]: localhost.localdomain[127.0.0.1]: 535 5.7.8 Error: authentication failed: authentication failure postfix/smtpd[30926]: watchdog_pat: 0xb922b518 postfix/smtpd[30926]: smtp_get: EOF This is frustrating, because it says the SASL authentication fails, when it clearly works: $ sudo testsaslauthd -u t...@example.com -p testtest123 0: OK Success. Patrick, I watched your script demonstration but I'm afraid that besides the difference between our authentication choices (you set it up to authenticate local users, mine hits an LDAP tree) our setup appears to be very similar. And since SASL itself is succeeding, I'm assuming the error can't be there...
Re: Authenticated sender and milter
Jeetu: Hi, Im working on milter application which works on Authenticated sender It seems postfix doesnt send Authenticated sender: Headers to Milter. it there any workaround for this ? Yes. If a milter APPENDS a header, that header will be vislible only to milters that are invoked later. If this does not answer the question, then you need to supply more details. My crystal ball does not work. Wietse
RE: Blacklists for you MTA
On Mon, 19 Sep 2011, Marek Salwerowicz wrote: reject_rbl_client zen.spamhaus.org, reject_rbl_client t1.dnsbl.net.au, reject_rbl_client dnsbl.njabl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, Why are you querying the same list several times. zen is everything, sbl, xbl, pbl , cbl.abuseat.org, xyzzybl too. so 1 query gets you answers from all the Spamhaus zones. the others I can't answer for because I don't use them, possibly laziness, possibly I don't care enough. I find that postscreen with -8--- # # postscreen # postscreen_dnsbl_action = enforce postscreen_greet_action = enforce postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access postscreen_dnsbl_sites = zen.spamhaus.org postscreen_dnsbl_threshold = 1 -8--- saves so much time and headaches. However Barracudacentral.org is a good list. Must not make snarky comments here. P
Re: Authenticated sender and milter
On 21/09/11 4:33 PM, Wietse Venema wrote: Yes. If a milter APPENDS a header, that header will be vislible only to milters that are invoked later. Milter does get Authenticated sender headers. are trying to say to use policy service to PREPEND that header ? If this does not answer the question, then you need to supply more details. My crystal ball does not work. im trying to use mimedefang milter to append footer based on Authenticated sender address -- -Jeetu
RE: Blacklists for you MTA
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Peter Evans Sent: Wednesday, September 21, 2011 7:23 AM To: postfix-users@postfix.org Subject: RE: Blacklists for you MTA On Mon, 19 Sep 2011, Marek Salwerowicz wrote: reject_rbl_client zen.spamhaus.org, reject_rbl_client t1.dnsbl.net.au, reject_rbl_client dnsbl.njabl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net, Why are you querying the same list several times. zen is everything, sbl, xbl, pbl , cbl.abuseat.org, xyzzybl too. so 1 query gets you answers from all the Spamhaus zones. the others I can't answer for because I don't use them, possibly laziness, possibly I don't care enough. I find that postscreen with -8--- # # postscreen # postscreen_dnsbl_action = enforce postscreen_greet_action = enforce postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access postscreen_dnsbl_sites = zen.spamhaus.org postscreen_dnsbl_threshold = 1 -8--- saves so much time and headaches. However Barracudacentral.org is a good list. Must not make snarky comments here. P I use these in this order and swap barracuda spamcop on different machines so I hit them evenly and don’t over use one over the other. I keep based on track record this order so that I avoid additional queries thereby speeding up the process on a reject. reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com,
Re: Authenticated sender and milter
Jeetu: im trying to use mimedefang milter to append footer based on Authenticated sender address And where does that header come from? Wietse
Re: Authenticated sender and milter
On 21/09/11 5:59 PM, Wietse Venema wrote: Jeetu: im trying to use mimedefang milter to append footer based on Authenticated sender address And where does that header come from? im using postfix on my outbound server, where client authenticates and sends mails. i got this headers if i send mail by my thunderbird Received: from [x.x.x.x1] (unknown [x.x.x.x]) (Authenticated sender: je...@fordemo.com) by in.outbound.mail.com (Postfix) with ESMTPA id 7757111B8323 forje...@fordemo.com; Wed, 21 Sep 2011 18:11:06 +0530 (IST) But the milter is not getting the above headers. -- -Jeetu
Re: Authenticated sender and milter
Jeetu: On 21/09/11 5:59 PM, Wietse Venema wrote: Jeetu: im trying to use mimedefang milter to append footer based on Authenticated sender address And where does that header come from? im using postfix on my outbound server, where client authenticates and sends mails. i got this headers if i send mail by my thunderbird Received: from [x.x.x.x1] (unknown [x.x.x.x]) (Authenticated sender: je...@fordemo.com) by in.outbound.mail.com (Postfix) with ESMTPA id 7757111B8323 forje...@fordemo.com; Wed, 21 Sep 2011 18:11:06 +0530 (IST) But the milter is not getting the above headers. For compatibility with Sendmail, Milters cannot see the Received: header that the MTA adds itself. Changing this could break all kinds of existing programs. Wietse
Re: Header, body checks are they useful when using Amavis-new+Spamassassin?
On 9/20/2011 1:39 PM, Ned Slider wrote: On 20/09/11 14:50, Stan Hoeppner wrote: On 9/19/2011 6:31 PM, Noel Jones wrote: I don't know of any up-to-date header/body checks repository. AFIK the ones found on the internet are outdated enough to be ineffective and just waste time. These might be useful. Pick your own preferred action. Season to your taste. The first 3 are safe for any site as they target a specific spamware engine. /HELO User/ DISCARD /helo=User/ DISCARD /Received: from User / DISCARD Occasionally postfix breaks the line right after User, so this variant catches those instances: /^Received: from User$/i REJECT Thanks for the tip Ned. If anyone noticed, I use DISCARD more frequently in header checks than REJECT. A lot of this type of spam I receive via the lkml server(s). The LKML list manager doesn't like seeing REJECTs, period. Not bounces but REJECTs. He booted me from all lkml lists for rejecting the spam instead of swallowing it. Thus I use DISCARD these days instead. -- Stan
Any way to minimize Postscreen logging?
I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions. SteveJ
Re: Any way to minimize Postscreen logging?
Steve Jenkins: I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions. man 1 grep
Re: Any way to minimize Postscreen logging?
On 9/21/2011 9:02 AM, Steve Jenkins wrote: I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions. SteveJ postscreen logs what is necessary to record what happens to your mail and why (unless you turned on -v verbose logging -- don't do that). If that's too much for you, either look into an alternate syslog daemon that can filter what is recorded, or use grep to limit what you see coming out. -- Noel Jones
problem sending mail
Hi, I've setup a Postfix mailsystem for my local users. Postfix is authenticating these users via LDAP to our MS-ADS2008R2. This al works wel, but when I try to send a mail to a non-local user ( gmail.com for example), i do get the following error and the mail is not send: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 x...@gmail.com: Recipient address rejected: gmail.com; from=xxx@brab2008.local to= x...@gmail.com proto=ESMTP helo=xxx.brab2008.local please see output postconf: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no config_directory = /etc/postfix default_transport = error inet_interfaces = all mailbox_size_limit = 0 mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp mydestination = xxx.brab2008.local, localhost.brab2008.local, localhost myhostname = xxx.brab2008.local mynetworks = 127.0.0.0/8 10.1.0.0/16 myorigin = /etc/mailname readme_directory = no recipient_delimiter = + relay_transport = error relayhost = smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes transport_maps = hash:/etc/postfix/test virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf virtual_mailbox_domains = brab2008.local virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf virtual_transport = lmtp:127.0.0.1:2003 Please note this is a test system and is, ofcourse, not in produktion Kind regards,
Re: problem sending mail
Roland de Lepper: relay_transport = error Why?
Re: problem sending mail
Hi Wietse, Thanks...it helps! Don't know why this parameter was set. Kind regards, Roland de Lepper On Wed, Sep 21, 2011 at 4:22 PM, Wietse Venema wie...@porcupine.org wrote: Roland de Lepper: relay_transport = error Why?
Re: Off Topic: Auto-whitelisting from sent mail?
On 9/20/2011 6:54 PM, Peter Blair wrote: On Tue, Sep 20, 2011 at 9:16 AM, Stan Hoeppners...@hardwarefreak.com wrote: On 9/19/2011 5:38 PM, john wrote: I think this is off topic. I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service. Does anybody know of a program... that can white list inbound email based upon the addresses of emails that have been sent? This simple 7 line bash script does the trick superbly on Debian. Thus it should work fine on Ubuntu as well. http://www.hardwarefreak.com/whtlst_gen.sh.txt Drop it in an executable search path, then do a chmod +x and follow the instructions in the file. Nice. But if you're running a multi-tennant system, you'll need a way to map sender/recipient pairs to the inbound. We do that with a postfix policy server that hooks into the END-OF-MESSAGE stage, which will provide the SASL authenticated user, and the smtp-envelope recipient (there are problems with multi-recipients that you have to work out). Feed this into something like http://wiki.apache.org/spamassassin/ManualWhitelist and you're good to go. As the comments state: # Postfix quick/dirty auto whitelisting script :) That said, with an NFS share it'd be absolutely trivial to modify this script for a split multi MX/outbound environment, and not much more difficult without NFS. In the latter case, in short, each outbound node would run the first line of this current script, each writing a different temp file name, and scp it to $MX. $MX would run the rest of this script, with line 2 cat'ing out all the temp files. $MX would then scp 'auto-whtlst' to the other MXen. Pretty straightforward. -- Stan
Re: Off Topic: Auto-whitelisting from sent mail?
On Wed, 21 Sep 2011, Stan Hoeppner wrote: On 9/20/2011 6:54 PM, Peter Blair wrote: On Tue, Sep 20, 2011 at 9:16 AM, Stan Hoeppners...@hardwarefreak.com wrote: On 9/19/2011 5:38 PM, john wrote: I think this is off topic. I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service. Does anybody know of a program... that can white list inbound email based upon the addresses of emails that have been sent? This simple 7 line bash script does the trick superbly on Debian. Thus it should work fine on Ubuntu as well. http://www.hardwarefreak.com/whtlst_gen.sh.txt Drop it in an executable search path, then do a chmod +x and follow the instructions in the file. Nice. But if you're running a multi-tennant system, you'll need a way to map sender/recipient pairs to the inbound. We do that with a postfix policy server that hooks into the END-OF-MESSAGE stage, which will provide the SASL authenticated user, and the smtp-envelope recipient (there are problems with multi-recipients that you have to work out). Feed this into something like http://wiki.apache.org/spamassassin/ManualWhitelist and you're good to go. As the comments state: # Postfix quick/dirty auto whitelisting script :) That said, with an NFS share it'd be absolutely trivial to modify this script for a split multi MX/outbound environment, and not much more difficult without NFS. In the latter case, in short, each outbound node would run the first line of this current script, each writing a different temp file name, and scp it to $MX. $MX would run the rest of this script, with line 2 cat'ing out all the temp files. $MX would then scp 'auto-whtlst' to the other MXen. Pretty straightforward. -- Stan I´ve thought on something similar in couple of days. You do not mind if a use whtlist.sh and make any modification to it.
Re: Authenticated sender and milter
Jeetu wrote: im trying to use mimedefang milter to append footer based on Authenticated sender address MIMEDefang provides all sorts of useful info from the MTA in various global variables. The one you're looking for is $SendmailMacros{auth_authen}, and should be available without any special configuration. man mimedefang-filter has the complete list of globals, and fairly clear notes on which sendmail macros are available at which stages of filtering. AFAICT Postfix automatically provides most of them; it's only if you're using sendmail that you have to specifically tell it to provide some of these macros to the milter. -kgd
Re: Authenticated sender and milter
Kris Deugau: Jeetu wrote: im trying to use mimedefang milter to append footer based on Authenticated sender address MIMEDefang provides all sorts of useful info from the MTA in various global variables. The one you're looking for is $SendmailMacros{auth_authen}, and should be available without any special configuration. man mimedefang-filter has the complete list of globals, and fairly clear notes on which sendmail macros are available at which stages of filtering. AFAICT Postfix automatically provides most of them; it's only if you're using sendmail that you have to specifically tell it to provide some of these macros to the milter. That is a good point. Postfix makes these automatically available along with the MAIL FROM address: milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} This is better than trying to scape it from a Received: header. Wietse
RE: Authenticated sender and milter
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kris Deugau Sent: Wednesday, September 21, 2011 8:06 AM To: Postfix users Subject: Re: Authenticated sender and milter man mimedefang-filter has the complete list of globals, and fairly clear notes on which sendmail macros are available at which stages of filtering. AFAICT Postfix automatically provides most of them; it's only if you're using sendmail that you have to specifically tell it to provide some of these macros to the milter. I'm pretty sure the default list for sendmail is the same as the default list for postfix. To wit: Sendmail: O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr} Postfix: milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
Re: Off Topic: Auto-whitelisting from sent mail?
On Wed, Sep 21, 2011 at 7:35 AM, Stan Hoeppner s...@hardwarefreak.com wrote: On 9/20/2011 6:54 PM, Peter Blair wrote: On Tue, Sep 20, 2011 at 9:16 AM, Stan Hoeppners...@hardwarefreak.com wrote: On 9/19/2011 5:38 PM, john wrote: I think this is off topic. I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service. Does anybody know of a program... that can white list inbound email based upon the addresses of emails that have been sent? This simple 7 line bash script does the trick superbly on Debian. Thus it should work fine on Ubuntu as well. http://www.hardwarefreak.com/whtlst_gen.sh.txt Drop it in an executable search path, then do a chmod +x and follow the instructions in the file. Nice. But if you're running a multi-tennant system, you'll need a way to map sender/recipient pairs to the inbound. We do that with a postfix policy server that hooks into the END-OF-MESSAGE stage, which will provide the SASL authenticated user, and the smtp-envelope recipient (there are problems with multi-recipients that you have to work out). Feed this into something like http://wiki.apache.org/spamassassin/ManualWhitelist and you're good to go. As the comments state: # Postfix quick/dirty auto whitelisting script :) AWESOME little script. Nice, Stan! One minor detail stops me from using it, however. I have an old domain hosted on my server that no longer gets any legit mail, but that serves as a great honeypot. So I direct any emails sent to that domain via Postfix to a file, and then I point my spam filtering software at it nightly to learn from it. However, those addresses all show up in the maillog as SENT - which adds them to the raw file in your script. I'm not a scripter, so any ideas on how to work around that, either via Postfix or via the script? Thanks, SteveJ
Re: Header, body checks are they useful when using Amavis-new+Spamassassin?
Le 20/09/2011 00:06, john a écrit : I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service. I currently use header and body checks in postfix as part of my anti-spam measures. How useful and/or how effective are these measures? Are they still worthwhile if I am using the Amavis-new/Spamassassin/Clamav setup for anti-spam? The check files were originally from a third party (Jeff Posluns ?) and are fairly old, I have added some of my own checks but the basic files are originals. If these checks are still worthwhile are there more up to date files, and if so where might they be found? TIA John A -- First they came for the Communists, but I was not a Communist so I did not speak out. Then they came for the Socialists and the Trade Unionists, but I was neither, so I did not speak out. Then they came for the Jews, but I was not a Jew so I did not speak out. And when they came for me, there was no one left to speak out for me. Dietrich Bonhoeffer - 1906-1945 the issue is: will you maintain this? if you can maintain it, then it's ok. but if you think you'd better let spamassassin team work on that, then remove your own checks and rely on SA updates. in fact, the hard part is spam that other users get. and harder is the FPs you create (when your users miss a legit mail because of one of your rules). so if I have a recommendation, then it'll be: don't try to stop all spam. try to make the spam users receive to a manageable limit. don't over react. don't try to stop every spam.
Re: Any way to minimize Postscreen logging?
Le 21/09/2011 16:02, Steve Jenkins a écrit : I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions. so you'd like to have if (shouldlog(feature)) { logit(...) } all around the code? the fact that postfix provides incremental logs is not without reason. you may be happy to see Apache logs a line per request, and unhappy to see that postfix gives you many lines for a single transaction. but for those of us who care about security, postfix logging is the way: if the system is compromised in the middle of a transaction, we get some information to work with. of course, most of the time, this is useless, but when you need it, it's there.
Re: Off Topic: Auto-whitelisting from sent mail?
Le 20/09/2011 15:16, Stan Hoeppner a écrit : On 9/19/2011 5:38 PM, john wrote: I think this is off topic. I am running Ubuntu 11.04 as a SOHO server with postfix/dovecot/Amavis-new/Spamassassin/Clamav setup as my email service. Does anybody know of a program... that can white list inbound email based upon the addresses of emails that have been sent? This simple 7 line bash script does the trick superbly on Debian. just nitpicking: replace bash with sh. I know linux people swear by bash. but you should favour portable shell. when you can't, then it's time for perl and python.
Re: Any way to minimize Postscreen logging?
On Wed, Sep 21, 2011 at 3:03 PM, mouss mo...@ml.netoyen.net wrote: Le 21/09/2011 16:02, Steve Jenkins a écrit : I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions. so you'd like to have if (shouldlog(feature)) { logit(...) } all around the code? Saying I'd like to have that is incorrect, because that's how a programmer thinks about it - which is fine. However, I'm thinking about it only from the user's perspective, and from that perspective, I always enjoy programs that have a scale of verbosity levels in their programs. I was troubleshooting Unbound earlier today, and had to crank the logging all the way up to level 5 to find what I needed, and then turned it back down to 1. This is a great feature. As far as what it takes to program that feature, I hope none of the programmers on this list won't be offended when I say that users don't really care what it will take to provide something. It's just not how most consumers in any markets are wired. the fact that postfix provides incremental logs is not without reason. you may be happy to see Apache logs a line per request, and unhappy to see that postfix gives you many lines for a single transaction. but for those of us who care about security, postfix logging is the way: if the system is compromised in the middle of a transaction, we get some information to work with. of course, most of the time, this is useless, but when you need it, it's there. I won't argue with your reasoning - of course having information available when you need it is important. Logging is the key to troubleshooting. I'm simply saying that there are some of us out here who could function just fine with varying amounts of that information, especially after our setups are stable. Personally, I want every smtpd and qmgr line that Postfix generates in my maillog. But since I'm happy with my DNSBL setup, I could gladly do without the addr 188.53.28.175 listed by domain zen.spamhaus.org as 127.0.0.11 or DNSBL rank 6 for [91.226.113.62]:1732 entries, for example. Others will have different wants and needs, of course. Logfiles are knowledge, and knowledge is power, as they say. But as a part-time karate instructor when I'm not being a computer geek, I can attest that flexibility is just as important as power. :) SteveJ
Substitution with newlines in header_checks
Hi All, I have configured Postfix to work with SpamAssassin (using SpamPD) as an SMTPD Proxy Filter similarly to the instructions on the SpamAssassin Wiki[1]. I would like to include a list of the failed tests in the SMTP rejection message to allow legitimate senders to address the problems on their systems. To this end, I have created header_checks map with the following content: /^X-Spam-Status: Yes.*tests=(.*) autolearn=/ REJECT Message identified as spam by SpamAssassin using the following tests: $1 This works great, except that the message is chopped off at the first line break in the X-Spam-Status header. Looking at the logs, the status message appears in full, with EOL characters replaced by '?', when the initial reject message is logged by cleanup receiving the result of the proxy filter (running on port 10026 in the wiki setup). When the proxy-reject is logged by smtpd running on port 25 it only includes up to the first EOL character. Which is all that is transmitted to the submitting MTA. Is there a way around this? I assume including EOL characters in an SMTP status message is wrong, but is there a way for me to clean them from the result of header_checks? Any help/insight would be greatly appreciated. 1. http://wiki.apache.org/spamassassin/IntegratePostfixViaSpampd#Spampd_as_a_Before-Queue_Content_Filter P.S. I am testing this behavior using version 2.8.3-1 from Debian. -- Cheers, | ke...@kevinlocke.name | JIM: kevin...@jabber.org Kevin| http://kevinlocke.name | IRC: kevinoid on freenode
Re: Any way to minimize Postscreen logging?
Steve Jenkins: On Wed, Sep 21, 2011 at 3:03 PM, mouss mo...@ml.netoyen.net wrote: Le 21/09/2011 16:02, Steve Jenkins a ?crit : I couldn't find anything in the docs, but is there an option to minimize Postscreen's log output? For troubleshooting I'd turn logging back to full, but perhaps an option to only show the NOQUEUE output in the maillog? Assuming this doesn't exist, I think that might be a nice feature for future versions. Postfix has multiple levels of logging. However, the MINUMUM logging contains the information that is necessary to answer questions about where is my email and why? ***after the fact***. If you don't need to see that information, just grep it out. Wietse
Re: Substitution with newlines in header_checks
Kevin Locke: /^X-Spam-Status: Yes.*tests=(.*) autolearn=/ REJECT Message identified as spam by SpamAssassin using the following tests: $1 This works great, except that the message is chopped off at the first line break in the X-Spam-Status header. This header_checks pattern: /^Received: (.*)/ reject $1 Results in this SMTP reply: 550 5.7.1 from host.example.com (host.example.com [192.168.1.1]) by host.example.com (Postfix) with ESMTP id 3S3xk131J5znjb8 for wietse@localhost; Wed, 21 Sep 2011 19:19:29 -0400 (EDT) Multi-line reject messages have never been supported in Postfix, and I don't expect that to change (that would require subtle changes to the SMTP server and to the bounce message formatter among other things). What happens in the above example is the result of an omission to filter out newline characters. In the context of web applications, I believe that this would be called a line-splitting bug. Wietse
Re: Substitution with newlines in header_checks
On Wed, 2011-09-21 at 19:30 -0400, Wietse Venema wrote: Kevin Locke: /^X-Spam-Status: Yes.*tests=(.*) autolearn=/ REJECT Message identified as spam by SpamAssassin using the following tests: $1 This works great, except that the message is chopped off at the first line break in the X-Spam-Status header. Multi-line reject messages have never been supported in Postfix, and I don't expect that to change (that would require subtle changes to the SMTP server and to the bounce message formatter among other things). What happens in the above example is the result of an omission to filter out newline characters. In the context of web applications, I believe that this would be called a line-splitting bug. Great. Thanks for the information. Is it a bug that I should submit somewhere, or is that what I have just done? -- Cheers, | ke...@kevinlocke.name | JIM: kevin...@jabber.org Kevin| http://kevinlocke.name | IRC: kevinoid on freenode
Re: Substitution with newlines in header_checks
Kevin Locke: On Wed, 2011-09-21 at 19:30 -0400, Wietse Venema wrote: Kevin Locke: /^X-Spam-Status: Yes.*tests=(.*) autolearn=/ REJECT Message identified as spam by SpamAssassin using the following tests: $1 This works great, except that the message is chopped off at the first line break in the X-Spam-Status header. Multi-line reject messages have never been supported in Postfix, and I don't expect that to change (that would require subtle changes to the SMTP server and to the bounce message formatter among other things). What happens in the above example is the result of an omission to filter out newline characters. In the context of web applications, I believe that this would be called a line-splitting bug. Great. Thanks for the information. Is it a bug that I should submit somewhere, or is that what I have just done? Fixing the omission is on the todo list. Wietse
Re: Authenticated sender and milter
On 21/09/11 8:36 PM, Kris Deugau wrote: MIMEDefang provides all sorts of useful info from the MTA in various global variables. The one you're looking for is $SendmailMacros{auth_authen}, and should be available without any special configuration. thanks for the help, kris. This really worked out for me :) -- -Jeetu