relocated_maps feature causing backscatter

2011-12-12 Thread Pim Zandbergen

I recently started using the relocated_maps feature and now am seeing some
bounce messages to forged addresses in the queue because of that.

It looks like this feature is bouncing rather than rejecting mail.
How can I avoid this?

Thanks,
Pim




Re: relocated_maps feature causing backscatter

2011-12-12 Thread Noel Jones
On 12/12/2011 5:38 AM, Pim Zandbergen wrote:
 I recently started using the relocated_maps feature and now am
 seeing some
 bounce messages to forged addresses in the queue because of that.
 
 It looks like this feature is bouncing rather than rejecting mail.
 How can I avoid this?
 
 Thanks,
 Pim
 
 


Are you using an ancient 1.x postfix version?  The only bounces that
relocated_maps should cause are when local mail is submitted via the
sendmail(1) command.

If you need more help, please show postconf -n output and logs.



  -- Noel Jones


Re: relocated_maps feature causing backscatter

2011-12-12 Thread Pim Zandbergen

I'm using postfix 2.7.5.

Some relocated messages are bounced, some are rejected.

It looks like this is the rule:

Messages to recipients that appear to be local users (through winbind in 
my case) are bounced.

Messages to recipients that do not appear to be local are rejected.

This may be relevant:
The mail is sent to a domain listed as $mydomain in $mydestination.
Almost all mail for this domain is relayed to an Exchange server using an 
entry in the transport map.


Thanks,
Pim








Re: Postfix lost connection after DATA from unknown... and ipfilter -AF OUT log message

2011-12-12 Thread James Seymour
On Sun, 11 Dec 2011 22:57:12 -0500
Jim Seymour jseym...@linxnet.com wrote:

 On Sun, 11 Dec 2011 20:03:59 -0500 (EST)
 Wietse Venema wie...@porcupine.org wrote:
 
  Wietse Venema:
bge1 @0:24 b my_outside_ip,25 - 89.73.201.168,36545 PR
tcp len 20 40 -AR OUT
   
   Why are you blocking outbound TCP RST?
[snip]
 
 -AR means the ACK and RST flags are set.
  My question is why is your firewall blocking outbound ACK|RST?
 
 I'm using basically canned rulesets in my ipfilter setup.  That is
 the default deny at the end of bge1's output filters.
 
 I must've messed-up, somewhere.  I'll take a look in the morning.
[snip]

Looking at it with fresh eyes, fortified by a cup of coffee :), if I
messed-up, I'll be darned if I can see where. The firewall rules
related to this couldn't be more straight-forward:

.
.
.
pass out quick on bge1 proto tcp from any to any port = 25 keep state
.
.
.
block out log first quick on bge1 all


That's it.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.LinxNet.com/contact/scform.php.


Re: Postfix lost connection after DATA from unknown... and ipfilter -AF OUT log message

2011-12-12 Thread Wietse Venema
James Seymour:
  -AR means the ACK and RST flags are set.
   My question is why is your firewall blocking outbound ACK|RST?
  
  I'm using basically canned rulesets in my ipfilter setup.  That is
  the default deny at the end of bge1's output filters.
  
  I must've messed-up, somewhere.  I'll take a look in the morning.
 [snip]
 
 Looking at it with fresh eyes, fortified by a cup of coffee :), if I
 messed-up, I'll be darned if I can see where. The firewall rules
 related to this couldn't be more straight-forward:
 
 .
 pass out quick on bge1 proto tcp from any to any port = 25 keep state
 .
 block out log first quick on bge1 all
 
 That's it.

There are two stateful engines: the TCP stack and ipfilter.

With keep state, ipfilter remembers the connection and lets
packets pass, up to the point that ipfilter believes the connection
no longer exists.

The TCP stack sends an outbound ACK|RST because it received *something*
on port 25. Your firewall should not have passed that. Perhaps you
don't have flags S keep state for inbound port 25 traffic.

Wietse


Re: Postfix lost connection after DATA from unknown... and ipfilter -AF OUT log message

2011-12-12 Thread James Seymour
On Mon, 12 Dec 2011 08:24:38 -0500 (EST)
Wietse Venema wie...@porcupine.org wrote:

[snip]
 
 There are two stateful engines: the TCP stack and ipfilter.

*nodding*

 
 With keep state, ipfilter remembers the connection and lets
 packets pass, up to the point that ipfilter believes the connection
 no longer exists.

Understood.

 
 The TCP stack sends an outbound ACK|RST because it received
 *something* on port 25. Your firewall should not have passed that.

Should not have passed it *incoming*, do you mean?

 Perhaps you don't have flags S keep state for inbound port 25
 traffic.

I do:

# SMTP to gateway
pass in quick on bge1 proto tcp from any to any port = 25 flags S
 keep state

(The stuff all says any because there are only two devices in the
DMZ: The border router's inside interface and the firewall's
outside one.  It's a true DMZ.)

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.LinxNet.com/contact/scform.php.


Re: Postfix lost connection after DATA from unknown... and ipfilter -AF OUT log message

2011-12-12 Thread Wietse Venema
James Seymour:
  The TCP stack sends an outbound ACK|RST because it received
  *something* on port 25. Your firewall should not have passed that.
 
 Should not have passed it *incoming*, do you mean?

Indeed (assuming that ipfilter actually tracks state in the exact
same way as the TCP stack, which is an assumption that may not
be valid).

Wietse


Re: Postfix lost connection after DATA from unknown... and ipfilter -AF OUT log message

2011-12-12 Thread James Seymour
On Mon, 12 Dec 2011 09:11:26 -0500 (EST)
Wietse Venema wie...@porcupine.org wrote:

 James Seymour:
   The TCP stack sends an outbound ACK|RST because it received
   *something* on port 25. Your firewall should not have passed that.
  
  Should not have passed it *incoming*, do you mean?
 
 Indeed (assuming that ipfilter actually tracks state in the exact
 same way as the TCP stack, which is an assumption that may not
 be valid).

I think it's only happening with spammer/scammer attempts.  I'll write
up a little ad hoc script to reconcile the ipmon entries with the
maillog.  If it's only abusive behaviour when it happens, I don't
know as it's worth putting much time into?

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at http://jimsun.LinxNet.com/contact/scform.php.
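
Added example (not Jim's script and not part of the thread): one way to reconcile blocked outbound ACK|RST packets in the ipmon log with smtpd events for the same remote address in the maillog. The ipmon syslog layout, host names, addresses, the year and the 5-second window are assumptions, and all sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed samples. The ipmon syslog layout is an assumption based on the
# packet line quoted earlier in the thread; adjust the regex to your output.
IPMON_LOG = """\
Dec 11 20:03:59 fw ipmon[411]: 20:03:58.912345 bge1 @0:24 b 192.0.2.10,25 -> 203.0.113.5,36545 PR tcp len 20 40 -AR OUT
Dec 11 20:07:30 fw ipmon[411]: 20:07:30.100001 bge1 @0:24 b 192.0.2.10,123 -> 198.51.100.9,123 PR udp len 20 76 OUT
Dec 11 20:10:12 fw ipmon[411]: 20:10:11.700002 bge1 @0:24 b 192.0.2.10,25 -> 203.0.113.77,40211 PR tcp len 20 40 -AR OUT
Dec 11 20:15:00 fw ipmon[411]: 20:15:00.000003 bge1 @0:24 b 192.0.2.10,25 -> 198.51.100.20,51000 PR tcp len 20 40 -AR OUT
"""
MAILLOG = """\
Dec 11 20:03:50 mx postfix/smtpd[1201]: connect from unknown[203.0.113.5]
Dec 11 20:03:58 mx postfix/smtpd[1201]: lost connection after DATA from unknown[203.0.113.5]
Dec 11 20:03:58 mx postfix/smtpd[1201]: disconnect from unknown[203.0.113.5]
Dec 11 20:10:02 mx postfix/smtpd[1207]: connect from unknown[203.0.113.77]
Dec 11 20:10:11 mx postfix/smtpd[1207]: lost connection after RCPT from unknown[203.0.113.77]
Dec 11 20:10:11 mx postfix/smtpd[1207]: disconnect from unknown[203.0.113.77]
"""

# Syslog timestamp and host name, shared by both log formats.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
# Blocked ("b") outbound TCP packet with its flag letters, e.g. -AR.
IPMON_RE = re.compile(
    TS + r"ipmon\[\d+\]: .*?\S+ @\d+:\d+ b (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR tcp len \d+ \d+ -(?P<flags>[A-Z]+) OUT")
# smtpd session events that name the remote client.
SMTPD_RE = re.compile(
    TS + r"postfix/smtpd\[\d+\]: (?P<event>lost connection after \w+|"
    r"timeout after \w+|connect|disconnect) from \S*?\[(?P<ip>[\d.]+)\]")


def _ts(text, year):
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def reconcile(ipmon_text, maillog_text, window=5, year=2011):
    """For each blocked outbound RST sent from port 25, list the smtpd events
    logged for the same remote IP within `window` seconds."""
    events = []
    for line in maillog_text.splitlines():
        if m := SMTPD_RE.match(line):
            events.append((_ts(m["ts"], year), m["ip"], m["event"]))
    span = timedelta(seconds=window)
    results = []
    for line in ipmon_text.splitlines():
        m = IPMON_RE.match(line)
        if not m or m["sport"] != "25" or "R" not in m["flags"]:
            continue  # not a blocked RST from the SMTP port
        when = _ts(m["ts"], year)
        near = [ev for t, ip, ev in events
                if ip == m["dst"] and abs(t - when) <= span]
        results.append({"time": when, "remote": m["dst"],
                        "flags": m["flags"], "smtpd_events": near})
    return results


def unexplained(results):
    """Remote IPs whose blocked RST has no aborted smtpd session nearby."""
    aborted = ("lost connection", "timeout")
    return [r["remote"] for r in results
            if not any(e.startswith(aborted) for e in r["smtpd_events"])]


if __name__ == "__main__":
    found = reconcile(IPMON_LOG, MAILLOG)
    for r in found:
        print(r["time"], r["remote"], r["flags"], r["smtpd_events"] or "no smtpd event")
    print("unexplained:", unexplained(found))
```

Blocked resets left in the `unexplained` list are the ones worth a closer look, since no aborted SMTP session accounts for them.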


Re: bad recipient address passed to the content filter

2011-12-12 Thread Noel Jones
On 12/12/2011 7:08 AM, Tomas Macek wrote:
 I'm using Postfix 2.8.5 built from source and amavisd-new 2.6.4 from
 Scientific Linux distribution. I have virtual domain 'virtdom.cz' and
 some subdomain 'subdomain.virtdom.cz'. The server receives the
 message and
 passes it to amavisd-new.
 
 As you can see from the config, the re...@virtdom.cz should be
 rewritten to
 re...@subdomain.virtdom.cz and then passed to amavisd-new. The map
 always
 finds the key/value pair, but then Postfix does not pass the newly
 found
 address to amavis. Why?
 Below are 2 different cases, that appear - the first one is bad
 delivery, the
 second is the proper one where things work properly as expected.
 You can see it on the recipient address passed to the
 amavisd-new on port 10024 (find ESMTP::10024). I cannot fully
 reproduce this
 error, it happens somehow.

Typically this is caused by improper use of
receive_override_options = no_address_mappings
somewhere in your config.



 -- master.cf ---
 smtpsinet  n   -   n   -   -   smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o receive_override_options=no_address_mappings

My guess is the bad mail is coming in over smtps.  Remove the
receive_override_options line, and add
  -o syslog_name=postfix-smtps
so you can see in the log when mail is coming in that port.

And unless you have some good reason not to, it's customary to limit
smtps access to authenticated users only with something like this:
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject



  -- Noel Jones


Re: relocated_maps feature causing backscatter

2011-12-12 Thread Pim Zandbergen
I can't yet reproduce a bounce; I'm still figuring out under what
circumstances a bounce will happen. Just being a local user, like I
suggested in my previous post, is not enough.

But here is an actual bounce sitting in my queue right now:


-Queue ID- --Size-- Arrival Time -Sender/Recipient---
36DEA664F  3955 Sat Dec 10 03:47:06  MAILER-DAEMON
  (connect to smtp.anbid.com.br[200.186.108.102]:25: Connection 
timed out)

 wattagex...@anbid.com.br

-- 4 Kbytes in 1 Request.

Here is the log of the arrival


/var/log/maillog-20111211:Dec 10 03:47:04 veldhoen postfix/smtpd[2891]: 
AC3E9664A: client=unknown[186.43.37.99]
/var/log/maillog-20111211:Dec 10 03:47:05 veldhoen 
postfix/cleanup[2895]: AC3E9664A: message-id=0uiljy-wdj5a3...@anbid.com.br
/var/log/maillog-20111211:Dec 10 03:47:06 veldhoen postfix/qmgr[8706]: 
AC3E9664A: from=wattagex...@anbid.com.br, size=1198, nrcpt=1 (queue 
active)
/var/log/maillog-20111211:Dec 10 03:47:06 veldhoen postfix/error[2897]: 
AC3E9664A: to=j...@macroscoop.nl, relay=none, delay=1.5, 
delays=1.5/0/0/0.02, dsn=5.1.6, status=bounced (User has moved to 
j.do...@macroscoop.nl)
/var/log/maillog-20111211:Dec 10 03:47:06 veldhoen postfix/bounce[2900]: 
AC3E9664A: sender non-delivery notification: 36DEA664F
/var/log/maillog-20111211:Dec 10 03:47:06 veldhoen postfix/qmgr[8706]: 
AC3E9664A: removed




Here's my postconf -n output, slightly edited; removed some domain names




alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
mail_owner = postfix
mailbox_transport = lmtp:inet:imap.macroscoop.nl
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
message_strip_characters = \0
milter_connect_macros = j {daemon_name} v {if_name} _
mydestination = $myhostname, localhost.$mydomain, localhost, [ other 
domains ... ]

myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.7.5/README_FILES
recipient_delimiter = +
relay_domains = $mydestination,
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/postfix-2.7.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_mx_session_limit = 5
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_milters = inet:localhost:7357 
unix:/var/run/spamass-milter/postfix/sock inet:localhost:8891 
smtpd_recipient_restrictions = permit_mynetworks 
permit_sasl_authenticated reject_non_fqdn_recipient 
reject_unknown_recipient_domain reject_unauth_destination 
reject_unverified_recipient

smtpd_reject_unlisted_recipient = no
smtpd_sender_restrictions = permit_mynetworks
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = [ yet more domains ]
virtual_alias_maps = hash:/etc/postfix/virtual



Postfix SAV failing against postscreen itself?

2011-12-12 Thread Ralf Hildebrandt
Today we sent out some mails which were rejected, due to our use of
postscreen. From my queue:

3T26TK1xBDz1tSG  49541 Mon Dec 12 15:47:33  aktion-sauberehae...@charite.de
(host mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
aktion-sauberehae...@charite.de: Sender address rejected: unverified
address: host mail2.charite.de[141.42.206.200] said: 450-4.3.2 Service 
currently unavailable (in reply to RCPT TO command))
   recipi...@klinikum-bayreuth.de
   

So, mail.klinikum-bayreuth.de is using Postfix:

% telnet mail.klinikum-bayreuth.de 25
Trying 212.185.206.162...
Connected to mail.klinikum-bayreuth.de.
Escape character is '^]'.
220 mail.klinikum-bayreuth.de ESMTP Postfix
EHLO foo
250-mail.klinikum-bayreuth.de
250-PIPELINING
250-SIZE 2048
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

and it seems they're also using sender address verification:

Dec 12 15:47:22 mail postfix/postscreen[1859]: CONNECT from 
[212.185.206.162]:24483 to [141.42.202.200]:25
Dec 12 15:47:27 mail postfix/smtp[5563]: 3T26T20ZNYzFvnb: host 
mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7
aktion-sauberehae...@charite.de: Sender address rejected: unverified address: 
Address verification in progress (in reply to RCPT TO command)

And the address verification probe meets our postscreen:

Dec 12 15:47:28 mail postfix/postscreen[1859]: NOQUEUE: reject: RCPT from 
[212.185.206.162]:24483: 450 4.3.2 Service currently unavailable;
from=postmas...@klinikum-bayreuth.de, to=aktion-sauberehae...@charite.de, 
proto=ESMTP, helo=mail.klinikum-bayreuth.de

But: Why does their Postfix cache this tempfail for so long? Which
class (positive? negative?) does apply?

# fgrep 3T26TK1xBDz1tSG /var/log/mail.log
Dec 12 15:47:33 mail2 postfix/smtpd[14743]: 3T26TK1xBDz1tSG: 
client=mail.charite.de[141.42.202.200]

Dec 12 15:47:33 mail2 postfix/cleanup[14841]: 3T26TK1xBDz1tSG: 
message-id=73bb6a4a2e05a7e82db17ab90018a...@charite.de
Dec 12 15:47:33 mail2 postfix/qmgr[11916]: 3T26TK1xBDz1tSG: 
from=aktion-sauberehae...@charite.de, size=49541, nrcpt=1 (queue active)
Dec 12 15:47:37 mail2 postfix/smtp[12693]: 3T26TK1xBDz1tSG: 
to=recipi...@klinikum-bayreuth.de, 
relay=mail.klinikum-bayreuth.de[212.185.206.162]:25, delay=4.3, 
delays=0.04/0/0.91/3.3, dsn=4.1.7, status=deferred (host
mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
aktion-sauberehae...@charite.de: Sender address rejected: unverified
address: host mail2.charite.de[141.42.206.200] said: 450-4.3.2 Service 
currently unavailable 450 4.3.2 Contact postmas...@charite.de (using a
different email address!)  for technical assistance. Please provide the 
following information in your problem report: (in reply to RCPT TO
command))
Dec 12 15:55:08 mail2 postfix/qmgr[11916]: 3T26TK1xBDz1tSG: 
from=aktion-sauberehae...@charite.de, size=49541, nrcpt=1 (queue active)

Dec 12 15:55:09 mail2 postfix/smtp[16245]: 3T26TK1xBDz1tSG: 
to=recipi...@klinikum-bayreuth.de, 
relay=mail.klinikum-bayreuth.de[212.185.206.162]:25, delay=456, 
delays=455/0.61/0.1/0.14, dsn=4.1.7, status=deferred (host
mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
aktion-sauberehae...@charite.de: Sender address rejected: unverified
address: host mail2.charite.de[141.42.206.200] said: 450-4.3.2 Service 
currently unavailable 450 4.3.2 Contact postmas...@charite.de (using a
different email address!)  for technical assistance. Please provide the 
following information in your problem report: (in reply to RCPT TO
command))

Dec 12 16:05:10 mail2 postfix/qmgr[17153]: 3T26TK1xBDz1tSG: 
from=aktion-sauberehae...@charite.de, size=49541, nrcpt=1 (queue active)

Dec 12 16:05:10 mail2 postfix/smtp[19078]: 3T26TK1xBDz1tSG: 
to=recipi...@klinikum-bayreuth.de, 
relay=mail.klinikum-bayreuth.de[212.185.206.162]:25, delay=1057, 
delays=1057/0.08/0.11/0.36, dsn=4.1.7, status=deferred (host
mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
aktion-sauberehae...@charite.de: Sender address rejected: unverified address: 
host mail2.charite.de[141.42.206.200] said: 450-4.3.2 Service currently 
unavailable 450 4.3.2 Contact postmas...@charite.de (using a
different email address!)  for technical assistance. Please provide the 
following information in your problem report: (in reply to RCPT TO command))

Dec 12 16:25:10 mail2 postfix/qmgr[17153]: 3T26TK1xBDz1tSG: 
from=aktion-sauberehae...@charite.de, size=49541, nrcpt=1 (queue active)

Dec 12 16:25:12 mail2 postfix/smtp[22408]: 3T26TK1xBDz1tSG: 
to=recipi...@klinikum-bayreuth.de,
relay=mail.klinikum-bayreuth.de[212.185.206.162]:25, delay=2259, 
delays=2257/0/1.9/0.54, dsn=4.1.7, status=deferred (host
mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
aktion-sauberehae...@charite.de: Sender address rejected: unverified
address: host mail2.charite.de[141.42.206.200] said: 450-4.3.2 

Re: Postfix SAV failing against postscreen itself?

2011-12-12 Thread Wietse Venema
Ralf Hildebrandt:
 Today we sent out some mails which were rejected, due to our use of
 postscreen. From my queue:
 
 3T26TK1xBDz1tSG  49541 Mon Dec 12 15:47:33  
 aktion-sauberehae...@charite.de
 (host mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
 aktion-sauberehae...@charite.de: Sender address rejected: unverified
 address: host mail2.charite.de[141.42.206.200] said: 450-4.3.2 Service 
 currently unavailable (in reply to RCPT TO command))
recipi...@klinikum-bayreuth.de

This is no different than greylisting. 

Eventually, the probe will go through (unless the receiver has upper
and lower time bounds for greylisting that are close together, but
that is their problem).

Wietse


Re: relocated_maps feature causing backscatter

2011-12-12 Thread Wietse Venema
Pim Zandbergen:
 /var/log/maillog-20111211:Dec 10 03:47:04 veldhoen postfix/smtpd[2891]: 
 AC3E9664A: client=unknown[186.43.37.99]
 /var/log/maillog-20111211:Dec 10 03:47:05 veldhoen 
 postfix/cleanup[2895]: AC3E9664A: message-id=0uiljy-wdj5a3...@anbid.com.br
 /var/log/maillog-20111211:Dec 10 03:47:06 veldhoen postfix/qmgr[8706]: 
 AC3E9664A: from=wattagex...@anbid.com.br, size=1198, nrcpt=1 (queue 
 active)
 /var/log/maillog-20111211:Dec 10 03:47:06 veldhoen postfix/error[2897]: 
 AC3E9664A: to=j...@macroscoop.nl, relay=none, delay=1.5, 
 delays=1.5/0/0/0.02, dsn=5.1.6, status=bounced (User has moved to 
 j.do...@macroscoop.nl)

The network-facing SMTP server is configured not to validate that
recipient, for example, due to explicit whitelisting in an access
map.

Wietse


Re: Postfix SAV failing against postscreen itself?

2011-12-12 Thread Ralf Hildebrandt
* Wietse Venema wie...@porcupine.org:
 Ralf Hildebrandt:
  Today we sent out some mails which were rejected, due to our use of
  postscreen. From my queue:
  
  3T26TK1xBDz1tSG  49541 Mon Dec 12 15:47:33  
  aktion-sauberehae...@charite.de
  (host mail.klinikum-bayreuth.de[212.185.206.162] said: 450 4.1.7 
  aktion-sauberehae...@charite.de: Sender address rejected: unverified
  address: host mail2.charite.de[141.42.206.200] said: 450-4.3.2 Service 
  currently unavailable (in reply to RCPT TO command))
 
  recipi...@klinikum-bayreuth.de
 
 This is no different than greylisting. 
 
 Eventually, the probe will go through (unless the receiver has upper
 and lower time bounds for greylisting that are close together, but
 that is their problem).

OK, I was just wondering. I'll recheck this later. It's just that I've
seen that happen so often.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: RE: virtual_alias_maps / mysql problem

2011-12-12 Thread Lupin5th
Ah, thank you, that led me into the exact right direction! =)
i changed the way dovecot checks, if the user exists, and now it works fine. 
^_^;

just for curiosity, what exactly would i need to feed to the 
virtual_mailbox_maps or rather, what does it expect to get from whatever backend 
put there?

the virtual-readme gives the example
i...@example.com    example.com/info
is example.com/info the actual directory where the mails are supposed to end 
up relative to some other directory? or did i read that wrong?

best regards and thanks again =)
sil

 Original Message 
 Date: Sun, 11 Dec 2011 21:58:55 +
 From: James Day james@ontraq.com
 To: lupin...@gmx.net lupin...@gmx.net, postfix-users@postfix.org 
 postfix-users@postfix.org
 Subject: RE: virtual_alias_maps / mysql problem

 I think you need to be using virtual_mailbox_maps to create a list of
 valid recipients.
 
 Also I can see that dovecot has also accepted the message so you must have
 configured something like allow_all_users=yes.
 
 
 From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On
 Behalf Of lupin...@gmx.net [lupin...@gmx.net]
 Sent: Sunday, December 11, 2011 4:31 PM
 To: postfix-users@postfix.org
 Subject: Re: virtual_alias_maps / mysql problem
 
 thank you for the hint!
 i activated the query-log and the query is executed ok. i also checked it
 via
 postmap -q hutzenp...@domain.de mysql:/etc/postfix/mysql-virtual.cf
 (which correctly did not return anything)
 and
 postmap -q correctu...@domain.de mysql:/etc/postfix/mysql-virtual.cf
 which did return the correct entry, e.g. user169
 so it seems mysql is not at fault.
 
 also, when i tested it with a hash-file, it sent successfully to an
 address that was not listed in said file.
 
 unfortunately, now i guess i´ll have to check any and all other config
 parameters that have anything to do with virtual delivery ^_^;
 
 here goes the postconf -n:
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 inet_interfaces = 192.168.12.7 127.0.0.1
 mailbox_size_limit = 0
 message_size_limit = 2048
 mydestination = localhost
 mydomain = domain.de
 myhostname = mail.domain.de
 mynetworks = 192.168.12.0/24 127.0.0.0/8
 myorigin = $mydomain
 relayhost =
 smtpd_recipient_restrictions = reject_unauth_pipelining,
 permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient,
 reject_unknown_recipient_domain, reject_unauth_destination, permit
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = mail.domain.de
 smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = noanonymous
 smtpd_sasl_type = dovecot
 smtpd_tls_CAfile = /etc/certs/cert.pem
 smtpd_tls_cert_file = /etc/certs/cert.pem
 smtpd_tls_key_file = /etc/certs/key.pem
 smtpd_tls_received_header = no
 smtpd_use_tls = yes
 transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550
 unverified_recipient_reject_code = 550
 virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
 virtual_mailbox_domains = domain.de
 virtual_transport = dovecot
 
 transport_maps reads thus:
 domain.de   :
 .domain.de  :
 *  smtp:192.168.12.8  (this is the external firewall-postfix-server)
 
 the mail.log reads thus:
 Dec 11 17:05:05 mehl postfix/smtpd[16897]: connect from
 unknown[192.168.12.1]
 Dec 11 17:05:05 mehl postfix/smtpd[16897]: DD60514A03F3:
 client=unknown[192.168.12.1], sasl_method=PLAIN, sasl_username=user169
 Dec 11 17:05:05 mehl postfix/cleanup[16901]: DD60514A03F3:
 message-id=4ee4d4b2.2020...@domain.de
 Dec 11 17:05:06 mehl postfix/qmgr[16586]: DD60514A03F3:
 from=s@domain.de, size=858, nrcpt=1 (queue active)
 Dec 11 17:05:06 mehl postfix/smtpd[16897]: disconnect from
 unknown[192.168.12.1]
 Dec 11 17:05:06 mehl postfix/pipe[16902]: DD60514A03F3:
 to=grmbl...@domain.de, relay=dovecot, delay=0.32, delays=0.18/0/0/0.14, 
 dsn=2.0.0,
 status=sent (delivered via dovecot service)
 Dec 11 17:05:06 mehl postfix/qmgr[16586]: DD60514A03F3: removed
 
 the address grmblash does not really exist ;-), when i send to an existing
 address, the only difference is that postfix/pipe has the correct target
 as to, e.g. user...@dmain.de
 
 thank you all for your hints, i hope this helps shed some light on the
 problem. =)
 
 best regards
 sil
 
  Original Message 
  Date: Sun, 11 Dec 2011 15:26:40 +0100
  From: Reindl Harald h.rei...@thelounge.net
  To: postfix-users@postfix.org
  Subject: Re: virtual_alias_maps / mysql problem
 
 
 
  On 11.12.2011 15:18, lupin...@gmx.net wrote:
   thank you for your reply.
   virtual_mailbox_domains is set, as is virtual_transport.
   do you mean using a hash-file to test it or for permanent use?
   there are some 500 mail-users on the server, who change relatively
 often
  and who have each a number of aliases..i´d rather avoid using a hash
  file, especially because the mysql-query is supposed to work =)
  
   is there 

fallback_relay not triggered

2011-12-12 Thread lutz . niederer
Hi,

I have a working setup of postfix that sends all mail not for me to a relayhost 
via smtp.  I want to use a fallback_relay to send mail via uucp.  Ok, I know 
that does not work out of the box.  So I set up another instance listening on 
port 10027 on 127.0.0.1.  This sends mail via uucp.  I can telnet 127.0.0.1 
10027 and see the instance.  I already exchanged my relayhost with the instance 
at 127.0.0.1 - that works too, mail gets queued for uucico.  So everything 
should be set up fine.

But when I send mail and the original relayhost is not available (means ports 
are closed) then I get

Dec 12 16:38:38 mhost postfix/smtp[1378]: 4278AB425ED: to=john...@live.com, 
relay=none, delay=0.05, delays=0.03/0/0.02/0, dsn=4.4.1, status=deferred 
(connect to mail.relay.de[192.10.64.2]: Connection refused)

And then the message sits in the queue.  It won't be delivered via my 
fallback_relay.

I already had this working with an older version with nearly the same setup.  
Did anything change between early version 2 and version 2.7?
What shall I do?  Did I miss something?


Ah, and another thing.  I see the following in the logs:
Dec 12 16:38:39 sharkey postfix/smtpd[1374]: warning: network_biopair_interop: 
error reading 5 bytes from the network: Connection reset by peer

I already googled and found some hints but none that really helped me.  I 
already disabled smtpd_tls_ask_ccert, but that does not help.  I'm using Debian 
Squeeze and I also found this: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603780 . My mail client is The 
Bat and even with this message in the logs it seems to work.


Thanks for your help!
-lutzn




Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
lutz.niede...@gmx.net:
 Dec 12 16:38:38 mhost postfix/smtp[1378]: 4278AB425ED: to=john...@live.com, 
 relay=none, delay=0.05, delays=0.03/0/0.02/0, dsn=4.4.1, status=deferred 
 (connect to mail.relay.de[192.10.64.2]: Connection refused)
 
 And then the message sits in the queue.  It won't be delivered via my 
 fallback_relay.

As documented:

   To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
   version 2.2 and later will not use the fallback relays for destinations
   that it is MX host for (assuming DNS lookup is turned on).

Wietse


Postfwd vs Policyd

2011-12-12 Thread list
We currently run three load balanced outbound postfix servers and need to
integrate a policy service that can track messages per hour for SASL users.
We hope to have a service that can be cluster aware, or know how many
cumulative messages have been sent by all the servers in the cluster per
user per hour.  Looking for some feedback from the community on your
experiences with Postfwd and Policyd, or any other postfix policy servers
that you have used.

Thanks in advance.



Re: fallback_relay not triggered

2011-12-12 Thread lutz . niederer

The mails going to the uucp transport are going into the world.  All other 
mails are handled by the first postfix instance.  This machine is not the MX 
for the destinations the uucp transport / instance handles.  It is my own MX, 
but the mails for me are not handled in the uucp instance.

Are there any tricks how I can do that?

-lutzn


 Original Message 
 Date: Mon, 12 Dec 2011 11:36:10 -0500 (EST)
 From: Wietse Venema wie...@porcupine.org
 To: Postfix users postfix-users@postfix.org
 Subject: Re: fallback_relay not triggered

 lutz.niede...@gmx.net:
  Dec 12 16:38:38 mhost postfix/smtp[1378]: 4278AB425ED:
 to=john...@live.com, relay=none, delay=0.05, delays=0.03/0/0.02/0, 
 dsn=4.4.1,
 status=deferred (connect to mail.relay.de[192.10.64.2]: Connection refused)
  
  And then the message sits in the queue.  It won't be delivered via my
 fallback_relay.
 
 As documented:
 
To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
version 2.2 and later will not use the fallback relays for destinations
that it is MX host for (assuming DNS lookup is turned on).
 
   Wietse



Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
Wietse:
To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
version 2.2 and later will not use the fallback relays for destinations
that it is MX host for (assuming DNS lookup is turned on).

I made that change because mail would loop between the fallback
and the MX host, causing mail to be bounced.

lutz.niede...@gmx.net:
 The mails going to the uucp transport are going into the world.

You are sending mail to some other host, and want Postfix to use
the smtp_fallback_feature when that host is down.

Why does Postfix believe that it is MX host for the destination?
Something seems to be very wrong to me.

Wietse


Re: relocated_maps feature causing backscatter

2011-12-12 Thread Pim Zandbergen

On 12/12/2011 4:48 PM, Wietse Venema wrote:
 The network-facing SMTP server is configured not to validate that
 recipient, for example, due to explicit whitelisting in an access
 map.

The access map contains whitelisted IP addresses only.

I can now reproduce the bouncing. Out of 22 tested recipients in the
relocated file, 7 consistently bounce, and 15 others consistently reject.

I really can't tell what sets these recipients apart.
All the lines in the relocated file are like

user    e.mailaddr...@mydomain.nl

where user is the user's Active Directory account, and
e.mailaddr...@mydomain.nl is their proper e-mail address. The Active
Directory user accounts may be seen as valid local Unix user ID's,
through Samba's winbind.

The bouncing users appear just as valid as the rejecting ones when using
the id user command.

The user names don't appear anywhere in /etc/postfix/* (except
relocated), or /etc/aliases or /etc/passwd

I have removed relocated.db, rebuilt it, and restarted postfix just to
be sure, without effect.

Thanks,
Pim



Re: relocated_maps feature causing backscatter

2011-12-12 Thread Wietse Venema
Pim Zandbergen:
 I can now reproduce the bouncing. Out of 22 tested recipients in
 the relocated file, 7 consistently bounce, and 15 others consistently
 reject.

What do you mean by that: you talked to the Postfix SMTP daemon
from one IP address, sent all 22 addresses in an RCPT TO command,
and 15 of those RCPT TO commands did not receive a REJECT reply?

Wietse


Re: relocated_maps feature causing backscatter

2011-12-12 Thread Pim Zandbergen

On 12/12/2011 7:47 PM, Wietse Venema wrote:
 Pim Zandbergen:
  I can now reproduce the bouncing. Out of 22 tested recipients in
  the relocated file, 7 consistently bounce, and 15 others consistently
  reject.
 
 What do you mean by that: you talked to the Postfix SMTP daemon
 from one IP address, sent all 22 addresses in an RCPT TO command,
 and 15 of those RCPT TO commands did not receive a REJECT reply?
 
 Wietse

I sent, from one IP address, to the same Postfix SMTP daemon, 22
separate messages to single recipients, all in the same domain, all
matching a relocated user.

Of 22 messages, 15 were rejected immediately. 7 others were accepted and
were returned shortly later.

I repeated this, randomized the order of the messages and got consistent
results.

Yes, it sounds weird.
The Postfix  SMTP daemon comes as postfix-2.7.5-1.fc14.x86_64 running on 
Fedora 14.


Pim



Re: relocated_maps feature causing backscatter

2011-12-12 Thread Wietse Venema
Pim Zandbergen:
 On 12/12/2011 7:47 PM, Wietse Venema wrote:
  Pim Zandbergen:
  I can now reproduce the bouncing. Out of 22 tested recipients in
  the relocated file, 7 consistently bounce, and 15 others consistently
  reject.
  What do you mean by that: you talked to the Postfix SMTP daemon
  from one IP address, sent all 22 addresses in an RCPT TO command,
  and 15 of those RCPT TO commands did not receive a REJECT reply?
 
 I sent, from one IP address, to the same Postfix SMTP daemon, 22 
 separate messages
 to single recipients, all in the same domain, all matching a relocated user.
 
 Of 22 messages, 15 were rejected immediately. 7 others were accepted
 and were returned shortly later.

What is the output of:

postconf smtpd_reject_unlisted_recipient

Reason I ask is that the unlisted recipient check also
does the relocated check.

Wietse

smtpd_reject_unlisted_recipient (default: yes)
   Request that the Postfix SMTP server rejects mail for unknown recipient
   addresses,  even  when  no  explicit  reject_unlisted_recipient  access
   restriction is specified. This prevents the Postfix queue from  filling
   up with undeliverable MAILER-DAEMON messages.



Re: fallback_relay not triggered

2011-12-12 Thread lutz . niederer
 lutz.niede...@gmx.net:
  The mails going to the uucp transport are going into the world.
 
 Wietse:
 You are sending mail to some other host, and want Postfix to use
 the smtp_fallback_feature when that host is down.
 
 Why does Postfix believe that it is MX host for the destination?
 Something seems to be very wrong to me.
 

relayhost is the right way to send mails to my smarthost, correct?  This works. 
 My setup knows where to send mails not for mydestination.
(Or should I better use default_transport for that?)

The machine we are talking about is MX for all the domains that belong to me 
(=mydestination).  And exactly the way relayhost is sent mails to the world 
they should be sent to the fallback_relay if that relayhost is down.
You are right, I believe that something changed between the version I was 
running before (don't remember) and the version I'm running now.  And it looks 
as if it is the MX thing.

As I understood (please correct me): relayhost only takes mydestination into 
account whereas fallback_relay in addition to mydestination looks into the MX.  
Correct?  So why does Postfix believe that it is the MX for the world?  (Wow, 
my small machine is a very vital part of the internet ;-)

Is there a setting that I can turn on to debug into that?  A setting where I 
can see in the logs that and why it believes that it is an MX for those 
domains?  The fallback_relay gets the mails where I am not the MX because all 
other mails are delivered locally.

What is the thing that I do not understand here?

-lutzn





Re: relocated_maps feature causing backscatter

2011-12-12 Thread Wietse Venema
Wietse Venema:
 Pim Zandbergen:
  On 12/12/2011 7:47 PM, Wietse Venema wrote:
   Pim Zandbergen:
   I can now reproduce the bouncing. Out of 22 tested recipients in
   the relocated file, 7 consistently bounce, and 15 others consistently
   reject.
   What do you mean by that: you talked to the Postfix SMTP daemon
   from one IP address, sent all 22 addresses in an RCPT TO command,
   and 15 of those RCPT TO commands did not receive a REJECT reply?
  
  I sent, from one IP address, to the same Postfix SMTP daemon, 22 
  separate messages
  to single recipients, all in the same domain, all matching a relocated user.
  
  Of 22 messages, 15 were rejected immediately. 7 others were accepted
  and were returned shortly later.
 
 What is the output of:
 
 postconf smtpd_reject_unlisted_recipient
 
 Reason I ask is that the unlisted recipient check also
 does the relocated check.

Unfortunately, the relocated check will be missed when the
recipient address exists in virtual_alias_maps or in *canonical_maps,
because those can change the address into something else.

Wietse
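
An added example (not part of the original thread and not Postfix code): a Python audit that lists the relocated_maps entries whose address also matches a key in virtual_alias_maps or a canonical map, which is the case where the relocated check described above is missed at RCPT TO. The map contents, the domain example.nl and all function names are constructed for illustration; address extensions (recipient_delimiter) are ignored.

```python
def parse_map(text):
    """Parse Postfix lookup-table source text into {key: value}."""
    table, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and key is not None:
            table[key] += " " + raw.strip()   # continuation of previous entry
            continue
        parts = raw.split(None, 1)
        key = parts[0].lower()
        table[key] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_keys(local, domain, local_domains):
    """Keys tried for local@domain, in table search order (no extensions)."""
    keys = [f"{local}@{domain}"]
    if domain in local_domains:               # bare "user" keys only match
        keys.append(local)                    # in $myorigin/$mydestination
    keys.append(f"@{domain}")
    return keys


def shadowed_relocated(relocated, rewriting_maps, local_domains):
    """Return {relocated_key: (map_name, matching_key)} for every relocated
    entry that also matches a key in one of the rewriting maps."""
    findings = {}
    for rkey in relocated:
        local, at, domain = rkey.partition("@")
        if not at:                            # bare user: every local domain
            wanted = [k for d in sorted(local_domains)
                      for k in lookup_keys(local, d, local_domains)]
        elif local:                           # user@domain
            wanted = lookup_keys(local, domain, local_domains)
        else:                                 # @domain: any key in that domain
            wanted = None
        for name, table in rewriting_maps.items():
            if wanted is None:
                hit = next((k for k in table if k.endswith(rkey)
                            or (domain in local_domains and "@" not in k)),
                           None)
            else:
                hit = next((k for k in wanted if k in table), None)
            if hit is not None:
                findings[rkey] = (name, hit)
                break
    return findings


# Constructed sample data, same "user  new-address" layout as in the thread.
RELOCATED = """\
# relocated
jdoe              j.doe@example.nl
asmith            a.smith@example.nl
old@example.nl    new@example.nl
"""
VIRTUAL = "asmith@example.nl   a.smith@example.nl\n"
CANONICAL = "old   new\n"
CATCHALL = "@example.nl   postmaster@example.nl\n"


def demo():
    maps = {"virtual_alias_maps": parse_map(VIRTUAL),
            "canonical_maps": parse_map(CANONICAL)}
    return shadowed_relocated(parse_map(RELOCATED), maps, {"example.nl"})


if __name__ == "__main__":
    for key, (name, hit) in demo().items():
        print(f"{key}: relocated check missed, {name} has key {hit!r}")
```

Feed it the source files behind `postconf relocated_maps virtual_alias_maps canonical_maps` to see which relocated users can still end up as bounces; a catch-all `@domain` key in a rewriting map flags every relocated user in that domain.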


Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
lutz.niede...@gmx.net:
  lutz.niede...@gmx.net:
   The mails going to the uucp transport are going into the world.
  
  Wietse:
  You are sending mail to some other host, and want Postfix to use
  the smtp_fallback_feature when that host is down.
  
  Why does Postfix believe that it is MX host for the destination?
  Something seems to be very wrong to me.
  
 
 relayhost is the right way to send mails to my smarthost, correct?  This 
 works.  My setup knows where to send mails not for mydestination.
 (Or should I better use default_transport for that?)
 
 The machine we are talking about is MX for all the domains that
 belong to me (=mydestination).  And exactly the way relayhost is
 sent mails to the world they should be sent to the fallback_relay
 if that relayhost is down.

Why are you MX host for a domain, and then sending its mail to the
relayhost?  That does not seem right.

If you do that, then simply turn off DNS lookups in the SMTP client
that sends to the relayhost.

/etc/postfix/main.cf:
    relay_transport = no_dns_smtp:example.com

/etc/postfix/master.cf:
    no_dns_smtp .. ... .. .. smtp
        -o disable_dns_lookups=yes

Wietse


Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
Wietse Venema:
  The machine we are talking about is MX for all the domains that
  belong to me (=mydestination).  And exactly the way relayhost is
  sent mails to the world they should be sent to the fallback_relay
  if that relayhost is down.
 
 Why are you MX host for a domain, and then sending its mail to the
 relayhost?  That does not seem right.
 
 If you do that, then simply turn off DNS lookups in the SMTP client
 that sends to the relayhost.
 
 /etc/postfix/main.cf
 relay_transport = no_dns_smtp:example.com
 
 /etc/postfix/master.cf:
 no_dns_smtp .. ... .. .. smtp
   -o disable_dns_lookups=yes

You may have to specify default_transport instead.

Wietse


Saving archive copy of all mail sent/received w/Dovecot+Postfix?

2011-12-12 Thread Andrew M
I'm running Dovecot 2.0.15 and Postfix 2.7.7 with postfix handing off to 
Dovecot's LDA.  I am hosting multiple virtual domains with multiple 
users and everything is working.  I would now like to create a permanent 
archive of all sent/received mail with each virtual user's mail saved to 
its own sent file and received file.  This needs to be independent of 
the user's regular Maildir store since he can't delete or modify the 
permanent archive.


Any suggestions on how to best accomplish this either via postfix or 
dovecot?


Postfix has in main.cf

  virtual_transport = dovecot

and in master.cf

  dovecot   unix  -   n   n   -   -   pipe
    flags=DRhu user=virtual:virtual
    argv=/usr/libexec/dovecot/dovecot-lda -d ${recipient} -f ${sender}

dovecot uses this:

[root@xxx andrew]# dovecot -n
# 2.0.15: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.35.14-103.fc14.x86_64 x86_64 Fedora release 14 (Laughlin) ext4

auth_mechanisms = plain login cram-md5
disable_plaintext_auth = no
mail_location = maildir:/home/vmail/%d/%n/Maildir
mbox_write_locks = fcntl
passdb {
  args = scheme=plain username_format=%u /etc/postfix/passwd
  driver = passwd-file
}
protocols = imap lmtp
service auth {
  inet_listener {
    port = 12345
  }
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0666
  }
}
ssl_cert = /etc/pki/tls/certs/xxx.com.crt
ssl_key = /etc/pki/tls/private/xxx.com.key
userdb {
  args = username_format=%u uid=5000 gid=5000 home=/home/vmail/%d/%n
  driver = static
}

Thanks,
Andrew



Re: fallback_relay not triggered

2011-12-12 Thread Ruppert G. von Teutul

  The machine we are talking about is MX for all the domains that
  belong to me (=mydestination).  And exactly the way relayhost is
  sent mails to the world they should be sent to the fallback_relay
  if that relayhost is down.
 
 Why are you MX host for a domain, and then sending its mail to the
 relayhost?  That does not seem right.

No, I am the MX for all my domains.  And these domains are listed in 
mydestination.  I send all other mails to the relayhost, means the mails that I 
am not the destination but that come from mydestination.
And if that relayhost is down I want to send the mails via the fallback_relay 
that does nothing.  It does nothing maybe because it thinks that itself (my 
machine) is the MX for the rest of the world - means that it thinks that it is 
MX for exactly those domains that are surely not my domains and it is no MX for 
these/not my domains.

Could you please describe the difference between default_transport and 
relayhost in a few words?  They both seem to act the same.

Thanks for your help!
-lutzn



Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
Ruppert G. von Teutul:
 
   The machine we are talking about is MX for all the domains that
   belong to me (=mydestination).  And exactly the way relayhost is
   sent mails to the world they should be sent to the fallback_relay
   if that relayhost is down.
  
  Why are you MX host for a domain, and then sending its mail to the
  relayhost?  That does not seem right.
 
 No, I am the MX for all my domains.  And these domains are listed
 in mydestination.  I send all other mails to the relayhost, means
 the mails that I am not the destination but that come from
 mydestination.

Why does Postfix believe that it is MX for those domains? If 
it didn't, then it would use the smtp_fallback_relay.

Wietse


Re: fallback_relay not triggered

2011-12-12 Thread lutz . niederer

 
 Why does Postfix believe that it is MX for those domains? If 
 it didn't, then it would use the smtp_fallback_relay.

I have no clue!

If I send a mail to someone at live.com it does not pass to the fallback_relay 
if relayhost is down.  In theory this should only happen if my machine 
announces itself as MX for live.com.  Correct?

This is what I see on the fallback_relay:

;  DiG 9.7.3  live.com mx
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 14747
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;live.com.  IN  MX

;; ANSWER SECTION:
live.com.   3600IN  MX  5 mx2.hotmail.com.
live.com.   3600IN  MX  5 mx3.hotmail.com.
live.com.   3600IN  MX  5 mx4.hotmail.com.
live.com.   3600IN  MX  5 mx1.hotmail.com.

;; AUTHORITY SECTION:
live.com.   83725   IN  NS  ns4.msft.net.
live.com.   83725   IN  NS  ns1.msft.net.
live.com.   83725   IN  NS  ns5.msft.net.
live.com.   83725   IN  NS  ns2.msft.net.
live.com.   83725   IN  NS  ns3.msft.net.

;; ADDITIONAL SECTION:
ns1.msft.net.   456 IN  A   65.55.37.62
ns2.msft.net.   467 IN  A   64.4.59.173
ns3.msft.net.   2847IN  A   213.199.159.59
ns4.msft.net.   2847IN  A   207.46.75.254
ns5.msft.net.   2860IN  A   65.55.226.140

I am surely none of the listed machines.

-lutzn





Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
Wietse Venema:
 Ruppert G. von Teutul:
  
The machine we are talking about is MX for all the domains that
belong to me (=mydestination).  And exactly the way relayhost is
sent mails to the world they should be sent to the fallback_relay
if that relayhost is down.
   
   Why are you MX host for a domain, and then sending its mail to the
   relayhost?  That does not seem right.
  
  No, I am the MX for all my domains.  And these domains are listed
  in mydestination.  I send all other mails to the relayhost, means
  the mails that I am not the destination but that come from
  mydestination.
 
 Why does Postfix believe that it is MX for those domains? If 
 it didn't, then it would use the smtp_fallback_relay.

those == destinations that you want to send to the smtp_fallback_relay.

Wietse


Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
lutz.niede...@gmx.net:
 
  
  Why does Postfix believe that it is MX for those domains? If 
  it didn't, then it would use the smtp_fallback_relay.
 
 I have no clue!
 
 If I send a mail to someone at live.com it does not pass to the
 fallback_relay if relayhost is down.  In theory this should only
 happen if my machine announces itself as MX for live.com.  Correct?

Oops, I wrote that code long enough ago that my memory is incorrect.

Try putting the smtp_fallback_relay inside [].

If that does not turn off MX host detection, then I will read
Postfix source code more closely.

Wietse


Re: fallback_relay not triggered

2011-12-12 Thread Ruppert G. von Teutul


  If I send a mail to someone at live.com it does not pass to the
  fallback_relay if relayhost is down.  In theory this should only
  happen if my machine announces itself as MX for live.com.  Correct?
 
 Oops, I wrote that code long enough ago that my memory is incorrect.
 
 Try putting the smtp_fallback_relay inside [].
 
 If that does not turn off MX host detection, then I will read
 Postfix source code more closely.

I nearly always use [] since my first negative experiences with MX lookups.  So 
I did here.  I specified [127.0.0.1]:10027 as fallback_relay.
I did that for relayhost (with another host), too.

(Is there any reason I would prefer default_transport over relayhost?)

-lutzn




Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
Ruppert G. von Teutul:
   If I send a mail to someone at live.com it does not pass to the
   fallback_relay if relayhost is down.  In theory this should only
   happen if my machine announces itself as MX for live.com.  Correct?
  
  Oops, I wrote that code long enough ago that my memory is incorrect.
  
  Try putting the smtp_fallback_relay inside [].
  
  If that does not turn off MX host detection, then I will read
  Postfix source code more closely.
 
 I nearly always use [] since my first negative experiences with MX lookups.  
 So I did here.  I specified [127.0.0.1]:10027 as fallback_relay.
 I did that for relayhost (with another host), too.

Dang. I'll have to check the source code against the docs.

 (Is there any reason I would prefer default_transport over relayhost?)

default_transport specifies the name of the mail delivery service
and may contain the destination as well.

relayhost specifies only the destination.

Wietse


Re: recipient_delimiter

2011-12-12 Thread Jose Renato Attab Braga
Thanks !

On 11/12/2011, at 17:46, Wietse Venema wrote:

 Jose Renato Attab Braga:
 Hi
 I need to use the address aaa+xyz@domain when I have only the
 address aaa@domain.
 In my main.cf I have recipient_delimiter = +.
 I use MySQL for email addresses and domains.
 What do I need to configure for this?
 
 In Postfix, nothing. Postfix will look up aaa+xyz@domain (with the
 extension), then aaa@domain (no extension). After Postfix finds
 that the address without extension exists, it will accept the email.
 
 You may need to configure Dovecot for the recipient delimiter.
 
   Wietse
 
 
 My main.cf
 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 biff = no
 append_dot_mydomain = no
 readme_directory = /usr/share/doc/postfix
 smtpd_tls_cert_file = /etc/postfix/smtpd.cert
 smtpd_tls_key_file = /etc/postfix/smtpd.key
 smtpd_use_tls = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 myhostname = mail.example.com.br
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = mail.exemple.com, localhost, localhost.localdomain
 relayhost = 
 mynetworks = 127.0.0.0/8
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 html_directory = /usr/share/doc/postfix/html
 message_size_limit = 3072
 virtual_alias_domains = 
 virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, 
 mysql:/etc/postfix/mysql-virtual_email2email.cf
 virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
 virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
 virtual_mailbox_base = /home/vmail
 virtual_uid_maps = static:5000
 virtual_gid_maps = static:5000
 smtpd_sasl_auth_enable = yes
 broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
 reject_unauth_destination
 virtual_create_maildirsize = yes
 virtual_maildir_extended = yes
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
 $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
 $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
 $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
 $virtual_mailbox_limit_maps
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1



Re: fallback_relay not triggered

2011-12-12 Thread Wietse Venema
lutz.niede...@gmx.net:
 Hi,
 
 I have a working setup of postfix that sends all mail not for me
 to a relayhost via smtp.  I want to use a fallback_relay to send
 mail via uucp.  Ok, I know that does not work out of the box.  So
 I set up another instance listening on port 10027 on 127.0.0.1.
 This sends mail via uucp.  I can telnet 127.0.0.1 10027 and see
 the instance.  I already exchanged my relayhost with the instance
 at 127.0.0.1 - that works too, mail gets queued for uucico.  So
 everything should be set up fine.
 
 But when I send mail and the original relayhost is not available
 (means ports are closed) then I get
 
 Dec 12 16:38:38 mhost postfix/smtp[1378]: 4278AB425ED: to=john...@live.com, 
 relay=none, delay=0.05, delays=0.03/0/0.02/0, dsn=4.4.1, status=deferred 
 (connect to mail.relay.de[192.10.64.2]: Connection refused)
 
 And then the message sits in the queue.  It won't be delivered via
 my fallback_relay.

This would be a good time to post in one message:

The Postfix mail version (that would be 2.7).

postconf -n command output.

The master.cf definition for all SMTP client entries, in case there
are any -o name=value settings.

In my case, when I configure

/etc/postfix/main.cf:
fallback_relay = [127.0.0.1]:9900

And send mail to a down host wzv.porcupine.org, then it tries to
connect to the fall-back host at [127.0.0.1]:9900.

Dec 12 20:34:15 tail postfix/qmgr[1623]: 3T2NqW57lgznkHT: 
from=spa...@porcupine.org, size=298, nrcpt=1 (queue active)
Dec 12 20:34:25 tail postfix/smtp[2518]: connect to 
wzv.porcupine.org[168.100.189.7]:25: Operation timed out
Dec 12 20:34:25 tail postfix/smtp[2518]: connect to 127.0.0.1[127.0.0.1]:9900: 
Connection refused
Dec 12 20:34:26 tail postfix/smtp[2518]: 3T2NqW57lgznkHT: 
to=spa...@wzv.porcupine.org, relay=none, delay=10, delays=0.14/0.17/10/0, 
dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:9900: Connection 
refused)

I get the same result when I specify the down host as relayhost:

/etc/postfix/main.cf:
fallback_relay = [127.0.0.1]:9900
relayhost = wzv.porcupine.org

And send mail to some other destination:

Dec 12 20:40:18 tail postfix/qmgr[1623]: 3T2NyV3vTpznkHV: 
from=spa...@porcupine.org, size=301, nrcpt=1 (queue active)
Dec 12 20:40:28 tail postfix/smtp[2542]: connect to 
wzv.porcupine.org[168.100.189.7]:25: Operation timed out
Dec 12 20:40:28 tail postfix/smtp[2542]: connect to 127.0.0.1[127.0.0.1]:9900: 
Connection refused
Dec 12 20:40:28 tail postfix/smtp[2542]: 3T2NyV3vTpznkHV: 
to=spa...@rabbit.porcupine.org, relay=none, delay=10, delays=0.01/0/10/0, 
dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:9900: Connection 
refused)

So everything works entirely as expected.

Wietse
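
An added example (not part of the original thread and not Postfix code): a Python log check that, for each delivery deferred on a connect error, lists the hosts the smtp client tried and says whether the configured fallback relay was among them, which is the difference between the two logs quoted above. The log lines, queue IDs, host names and function names are constructed; a missing port in a log line is assumed to mean 25.

```python
import re
from collections import defaultdict

# One "connect to host[ip]:port: reason" line is logged per failed attempt.
CONNECT = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: connect to \S+?\[(?P<ip>[^\]]+)\]"
    r"(?::(?P<port>\d+))?: (?P<why>.+)$")
# Per-recipient record; its status text repeats the last failed attempt.
DEFERRED = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>,"
    r".*status=deferred \(connect to \S+?\[(?P<ip>[^\]]+)\]"
    r"(?::(?P<port>\d+))?: (?P<why>[^)]+)\)")
# Any other per-recipient record (sent, bounced, deferred for other reasons).
DELIVERY = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<")


def audit_fallback(lines, fallback):
    """fallback is (ip, port). Returns one dict per connect-deferred recipient."""
    pending = defaultdict(list)       # smtp pid -> attempts not yet reported
    report = []
    for line in lines:
        m = DEFERRED.search(line)
        if m:
            tried = pending.pop(m["pid"], [])
            last = (m["ip"], int(m["port"] or 25))
            if not tried or tried[-1] != last:
                tried.append(last)
            report.append({"qid": m["qid"], "rcpt": m["rcpt"],
                           "tried": tried,
                           "fallback_tried": fallback in tried})
            continue
        m = CONNECT.search(line)
        if m:
            pending[m["pid"]].append((m["ip"], int(m["port"] or 25)))
            continue
        m = DELIVERY.search(line)
        if m:
            pending.pop(m["pid"], None)   # attempts belong to a finished delivery
    return report


# Constructed log lines in the format shown in the thread.
SAMPLE = """\
Dec 12 20:40:28 mx postfix/smtp[2542]: connect to relay.example.net[192.0.2.7]:25: Operation timed out
Dec 12 20:40:28 mx postfix/smtp[2542]: connect to 127.0.0.1[127.0.0.1]:10027: Connection refused
Dec 12 20:40:28 mx postfix/smtp[2542]: QID0000001: to=<alice@example.org>, relay=none, delay=10, delays=0.01/0/10/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10027: Connection refused)
Dec 12 16:38:38 mx postfix/smtp[1378]: QID0000002: to=<bob@example.org>, relay=none, delay=0.05, delays=0.03/0/0.02/0, dsn=4.4.1, status=deferred (connect to relay.example.net[192.0.2.7]: Connection refused)
"""

if __name__ == "__main__":
    for rec in audit_fallback(SAMPLE.splitlines(), ("127.0.0.1", 10027)):
        state = "tried" if rec["fallback_tried"] else "NOT tried"
        print(f'{rec["qid"]} {rec["rcpt"]}: fallback {state}, hosts {rec["tried"]}')
```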


Re: Saving archive copy of all mail sent/received w/Dovecot+Postfix?

2011-12-12 Thread Stan Hoeppner
On 12/12/2011 2:17 PM, Andrew M wrote:
 I'm running Dovecot 2.0.15 and Postfix 2.7.7 with postfix handing off to
 Dovecot's LDA.  I am hosting multiple virtual domains with multiple
 users and everything is working.  I would now like to create a permanent
 archive of all sent/received mail with each virtual user's mail saved to
 its own sent file and received file.  This needs to be independent of
 the user's regular Maildir store since he can't delete or modify the
 permanent archive.
 
 Any suggestions on how to best accomplish this either via postfix or
 dovecot?

Take a look at Enkive:  http://www.enkive.org

-- 
Stan


Re: Saving archive copy of all mail sent/received w/Dovecot+Postfix?

2011-12-12 Thread Robert Schetterer
On 13.12.2011 03:12, Stan Hoeppner wrote:
 On 12/12/2011 2:17 PM, Andrew M wrote:
 I'm running Dovecot 2.0.15 and Postfix 2.7.7 with postfix handing off to
 Dovecot's LDA.  I am hosting multiple virtual domains with multiple
 users and everything is working.  I would now like to create a permanent
 archive of all sent/received mail with each virtual user's mail saved to
 its own sent file and received file.  This needs to be independent of
 the user's regular Maildir store since he can't delete or modify the
 permanent archive.

 Any suggestions on how to best accomplish this either via postfix or
 dovecot?
 
 Take a look at Enkive:  http://www.enkive.org
 

postfix

always_bcc (default: empty)

Optional address that receives a blind carbon copy of each message
that is received by the Postfix mail system.

Note: if mail to the BCC address bounces it will be returned to the
sender.

Note: automatic BCC recipients are produced only for new mail. To
avoid mailer loops, automatic BCC recipients are not generated after
Postfix forwards mail internally, or after Postfix generates mail itself.

recipient_bcc_maps (default: empty)

Optional BCC (blind carbon-copy) address lookup tables, indexed by
recipient address. The BCC address (multiple results are not supported)
is added when mail enters from outside of Postfix.

This feature is available in Postfix 2.1 and later.

The table search order is as follows:

1. Look up the user+extens...@domain.tld address including the
   optional address extension.
2. Look up the u...@domain.tld address without the optional
   address extension.
3. Look up the user+extension address local part when the
   recipient domain equals $myorigin, $mydestination, $inet_interfaces or
   $proxy_interfaces.
4. Look up the user address local part when the recipient domain
   equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
5. Look up the @domain.tld part.

Specify the types and names of databases to use. After change, run
postmap /etc/postfix/recipient_bcc.

Note: if mail to the BCC address bounces it will be returned to the
sender.

Note: automatic BCC recipients are produced only for new mail. To
avoid mailer loops, automatic BCC recipients are not generated after
Postfix forwards mail internally, or after Postfix generates mail itself.

Example:

recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

sender_bcc_maps (default: empty)

Optional BCC (blind carbon-copy) address lookup tables, indexed by
sender address. The BCC address (multiple results are not supported) is
added when mail enters from outside of Postfix.

This feature is available in Postfix 2.1 and later.

The table search order is as follows:

1. Look up the user+extens...@domain.tld address including the
   optional address extension.
2. Look up the u...@domain.tld address without the optional
   address extension.
3. Look up the user+extension address local part when the sender
   domain equals $myorigin, $mydestination, $inet_interfaces or
   $proxy_interfaces.
4. Look up the user address local part when the sender domain
   equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
5. Look up the @domain.tld part.

Specify the types and names of databases to use. After change, run
postmap /etc/postfix/sender_bcc.

Note: if mail to the BCC address bounces it will be returned to the
sender.

Note: automatic BCC recipients are produced only for new mail. To
avoid mailer loops, automatic BCC recipients are not generated after
Postfix forwards mail internally, or after Postfix generates mail itself.

Example:

sender_bcc_maps = hash:/etc/postfix/sender_bcc


https://www.milter.org/milter/61

MailArchiver and similar milters

http://freecode.com/projects/aox

Archiveopteryx

Archiveopteryx is an Internet mail server, optimized to support heavy
usage and long-term archiving. It stores mail in a PostgreSQL database,
and provides access to it through IMAP, POP, and more.

and so on.
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria