Re: policy daemon failure
Hi

On 06/02/2014 05:11 PM, st...@thornet.co.uk wrote:
> Hi
>
> We use sqlgrey as a policy daemon for greylisting. It runs on both our mail servers with a shared database on one of them. If the database is unavailable for some reason on the main server the backup rejects mail with
>
>     451 4.3.5 Server configuration problem
>
> Is it possible to change the default to accept the mail if the policy daemon fails. Most of our users would prefer a bit of extra spam to losing genuine mail.

Maybe you should consider having a master db on one of the mail servers and a slave db on the other one and have the data be replicated to the slave automatically. This way you can minimize the risk to have either mail server to reject email just because the two servers aren't connected.

Setting up mysql replication is of course off topic here.

HTH,
Mikael
Re: policy daemon failure
On Jun 3, 2014 12:06 AM, st...@thornet.co.uk wrote:
> > you *do not* lose anything
> > 451 is a *temporary* error
> > 5xx would be a complete reject
>
> Yes, but many mails rejected in an incident this morning haven't been resent. I guess we're dealing with broken clients.

What sort of broken clients are these that don't use real email servers, and how do you know they are broken? They could very well be waiting for some time to pass before retrying again (and there is some kind of a system for these intervals. It's not as if the standard protocol is to resend all of your undelivered email every 5 minutes...)

-jf
Re: policy daemon failure
> What sort of broken clients are these that don't use real email servers, and how do you know they are broken? They could very well be waiting for some time to pass before retrying again (and there is some kind of a system for these intervals. It's not as if the standard protocol is to resend all of your undelivered email every 5 minutes...)

After 24 hours the missing mail still hasn't arrived. So they must have a very long retry period!

Steve
Re: policy daemon failure
On Tue, 03 Jun 2014 11:17:07 +0200 Микаел Бак mikael@yandex.ru wrote:
> Maybe you should consider having a master db on one of the mail servers and a slave db on the other one and have the data be replicated to the slave automatically.

Since both servers need to write to the database as well the slave is still dependent on the master. They both need to be masters with some scheme to pass updates between them. I have done this for a world-wide financial system that required thousands of masters but it was quite tricky.

A better option might be to simply have two databases and let both of them build from mail that hits them. It might slow down a few emails but if all you have are two mail servers this may be acceptable.

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:da...@vex.net
VoIP: sip:da...@vex.net
Re: policy daemon failure
On 03.06.2014 11:39, st...@thornet.co.uk wrote:
> > What sort of broken clients are these that don't use real email servers, and how do you know they are broken? They could very well be waiting for some time to pass before retrying again (and there is some kind of a system for these intervals. It's not as if the standard protocol is to resend all of your undelivered email every 5 minutes...)
>
> After 24 hours the missing mail still hasn't arrived. So they must have a very long retry period!

what are you discussing here?

* the SMTP protocol specifies temporary and permanent errors
* in case of temporary the client MUST retry
* if it does not it's broken and not your problem
* if it does the retry period is the sender's business
* typically each retry adds more time before try again
* the first retry normally is within minutes

it is *not* your problem if the sender is broken
in that case he is *not* only broken in case of mails to you

if the sender doesn't respect 4xx responses he has *massive* problems all over the world when the destination is using greylisting because greylisting *by definition* always rejects the first delivery with a 4xx response just because it catches any non-MTA and spam zombies

so don't waste your time
solve *your* problems and not the ones of other people

it's the problem of the sender to *shout at his* server admin why he has a non working MTA or re-consider using a MTA at all instead of broken software try to deliver only once

the sender MUST NOT expect that every delivery is successful at the first try because that's not how the internet is supposed to work - internet services are supposed to deal with temporary problems and SMTP is *well designed* to handle that perfectly
Re: policy daemon failure
Hi,

On 06/03/2014 11:42 AM, D'Arcy J.M. Cain wrote:
> On Tue, 03 Jun 2014 11:17:07 +0200 Микаел Бак mikael@yandex.ru wrote:
> > Maybe you should consider having a master db on one of the mail servers and a slave db on the other one and have the data be replicated to the slave automatically.
>
> Since both servers need to write to the database as well the slave is still dependent on the master. They both need to be masters with some scheme to pass updates between them. I have done this for a world-wide financial system that required thousands of masters but it was quite tricky.
>
> A better option might be to simply have two databases and let both of them build from mail that hits them. It might slow down a few emails but if all you have are two mail servers this may be acceptable.

Yes, you are right! Next time I will think before I post :-)

Mikael
allow an email account to receive emails from a blacklisted IP
Hi

I have the same configuration and situation as the following:
http://serverfault.com/questions/132750/postfix-whitelist-before-recipient-restrictions

In short:

> So I need a method of whitelisting ANY email that comes to domain.com, however I need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.

but the accepted answer has two contradictions: first he suggests to use check_sender_access but in the example he uses check_client_access, then he uses smtpd_recipient_restrictions but in the comments someone points out why not to use smtpd_sender_restrictions ..

Can you please clarify which is the best method?

Thanks for your attention, regards and have a nice day,
Mike
Re: allow an email account to receive emails from a blacklisted IP
On 03/06/2014 15:33, mancyb...@gmail.com wrote:
> Hi
>
> I have the same configuration and situation as the following:
> http://serverfault.com/questions/132750/postfix-whitelist-before-recipient-restrictions
>
> In short:
>
> > So I need a method of whitelisting ANY email that comes to domain.com, however I need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.
>
> but the accepted answer has two contradictions: first he suggests to use check_sender_access but in the example he uses check_client_access, then he uses smtpd_recipient_restrictions but in the comments someone points out why not to use smtpd_sender_restrictions ..
>
> Can you please clarify which is the best method?

If you want to whitelist recipient domain you need to check recipient access:
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

    smtpd_recipient_restrictions =
        reject_unauth_destination,
        check_recipient_access somemapfile,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.mailspike.net,
        check_policy_service unix:postgrey/socket

somemapfile:

    domain.com OK

--
Levi
Re: allow an email account to receive emails from a blacklisted IP
mancyb...@gmail.com:
> > So I need a method of whitelisting ANY email that comes to domain.com, however I need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.

Birta Levente:
> If you want to whitelist recipient domain you need to check recipient access:
> http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
>
>     smtpd_recipient_restrictions =
>         reject_unauth_destination,
>         check_recipient_access somemapfile,
>         reject_rbl_client b.barracudacentral.org,
>         reject_rbl_client cbl.abuseat.org,
>         reject_rbl_client bl.mailspike.net,
>         check_policy_service unix:postgrey/socket
>
> somemapfile:
>
>     domain.com OK

This is correct, by placing the whitelist after reject_unauth_destination. Otherwise you would have an exploitable open relay.

Wietse
Re: allow an email account to receive emails from a blacklisted IP
On Tue, Jun 03, 2014 at 08:55:46AM -0400, Wietse Venema wrote:
> mancyb...@gmail.com:
> > > So I need a method of whitelisting ANY email that comes to domain.com, however I need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.
>
> Birta Levente:
> > If you want to whitelist recipient domain you need to check recipient access:
> > http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
> >
> >     smtpd_recipient_restrictions =
> >         reject_unauth_destination,
> >         check_recipient_access somemapfile,
> >         reject_rbl_client b.barracudacentral.org,
> >         reject_rbl_client cbl.abuseat.org,
> >         reject_rbl_client bl.mailspike.net,
> >         check_policy_service unix:postgrey/socket
> >
> > somemapfile:
> >
> >     domain.com OK
>
> This is correct, by placing the whitelist after reject_unauth_destination. Otherwise you would have an exploitable open relay.

Note, the somemapfile instance in the restriction list will need a table type prefix.

    ...
    check_recipient_access ${indexed}somemapfile,
    ...

with indexed defined in main.cf in the usual way:

    indexed = ${default_database_type}:${config_directory}/

--
Viktor.
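
Why the position of the whitelist relative to reject_unauth_destination matters, as an added example that is not part of the original thread and not Postfix code: a toy first-match evaluator for a restriction list. The domains, addresses, the listed client IP and the sender whitelist are constructed assumptions, and the postgrey policy check is left out.

```python
# Added illustration: a toy model of how Postfix walks smtpd_recipient_restrictions.
# Each restriction returns OK (accept, stop), REJECT (refuse, stop) or DUNNO (next).
# All domains, addresses and the RBL listing are constructed for this example.

RELAY_OK = {"domain.com", "other-hosted.example"}  # domains this server accepts mail for
RBL_LISTED = {"192.0.2.66"}                        # constructed "blacklisted" client IP
RECIPIENT_MAP = {"domain.com": "OK"}               # somemapfile from the thread
SENDER_MAP = {"domain.com": "OK"}                  # hypothetical sender whitelist


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def reject_unauth_destination(s):
    return "DUNNO" if domain_of(s["rcpt"]) in RELAY_OK else "REJECT"


def check_recipient_access(s):
    return RECIPIENT_MAP.get(domain_of(s["rcpt"]), "DUNNO")


def check_sender_access(s):
    # The envelope sender is chosen by the client, so a match proves nothing.
    return SENDER_MAP.get(domain_of(s["sender"]), "DUNNO")


def reject_rbl_client(s):
    return "REJECT" if s["client"] in RBL_LISTED else "DUNNO"


def evaluate(restrictions, session):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end of list"


# Ordering from the thread: relay check first, then the recipient whitelist.
THREAD_ORDER = [reject_unauth_destination, check_recipient_access, reject_rbl_client]
# Ordering the thread warns about: a whitelist ahead of the relay check.
WHITELIST_FIRST = [check_sender_access, reject_unauth_destination, reject_rbl_client]

# Constructed sessions, all from the RBL-listed client.
TO_WHITELISTED = {"client": "192.0.2.66", "sender": "a@sender.example",
                  "rcpt": "bob@domain.com"}
TO_OTHER_HOSTED = {"client": "192.0.2.66", "sender": "a@sender.example",
                   "rcpt": "amy@other-hosted.example"}
TO_FOREIGN = {"client": "192.0.2.66", "sender": "x@domain.com",
              "rcpt": "eve@elsewhere.example"}

if __name__ == "__main__":
    for name, order in (("thread order", THREAD_ORDER),
                        ("whitelist first", WHITELIST_FIRST)):
        for session in (TO_WHITELISTED, TO_OTHER_HOSTED, TO_FOREIGN):
            print(name, session["rcpt"], evaluate(order, session))
```
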
Postfix expand ldap group AND afterwards resolve alias?
Hello,

we have a postfix server which has the user config stored in an openldap directory.

Recently we also implemented ldap groups which are expanded by postfix. This works fine, unless the group expands to some email alias destinations. All alias expanded from the group seem to not be resolved by the ldap alias database.

Any hints on how to have the ldap group expanding AND afterward pass these expanded groupmembers to the ldap alias resolving?

Our config looks like this:

In main.cf

    virtual_alias_maps = ldap:/etc/postfix/ldap_expand_groups.cf,ldap:/etc/postfix/ldap_accountsmap.cf,ldap:/etc/postfix/ldap_expand_alias.cf

The ldap_expand_groups.cf

    server_host = ldap://openldap1.server
    version = 3
    search_base = ou=groups,o=mailhosting
    query_filter = (&(mail=%s)(objectclass=groupOfUniqueNames))
    leaf_result_attribute = mail
    special_result_attribute = uniquemember

The ldap_expand_alias.cf

    server_host = ldap://openldap1.server
    search_base = o=mailhosting
    query_filter = (&(objectClass=MailAlias)(mail=%s)(accountActive=TRUE))
    result_attribute = maildrop
    bind = no

Any hints on how to configure it correctly?

With best regards
André Schild
Re: Postfix expand ldap group AND afterwards resolve alias?
On Tue, Jun 03, 2014 at 02:28:22PM +, André Schild wrote:
> Recently we also implemented ldap groups which are expanded by postfix. This works fine, unless the group expands to some email alias destinations.

Virtual(5) alias expansion is performed recursively in cleanup(8) for all recipient addresses. Recursive local aliases(5) expansion happens later, in local(8), only for recipient addresses that are routed to the local transport (typically recipients whose domain is listed in $mydestination).

Virtual(5) alias expansion stops when a lookup key resolves to itself.

>     virtual_alias_maps =
>         ldap:/etc/postfix/ldap_expand_groups.cf,
>         ldap:/etc/postfix/ldap_accountsmap.cf,
>         ldap:/etc/postfix/ldap_expand_alias.cf

I recommend proxy:ldap:... rather than ldap:

>     server_host = ldap://openldap1.server
>     version = 3
>     search_base = ou=groups,o=mailhosting
>     query_filter = (&(mail=%s)(objectclass=groupOfUniqueNames))
>     leaf_result_attribute = mail
>     special_result_attribute = uniquemember

What's in ldap_accountsmap.cf?

> The ldap_expand_alias.cf
>
>     server_host = ldap://openldap1.server
>     search_base = o=mailhosting
>     query_filter = (&(objectClass=MailAlias)(mail=%s)(accountActive=TRUE))
>     result_attribute = maildrop
>     bind = no

Post an example group member address that fails to be resolved.

Your design looks too complex. If you give every user a maildrop, and give no groups a maildrop, the whole thing simplifies to one lookup:

    server_host = ldap://openldap1.server
    version = 3
    search_base = o=mailhosting
    query_filter = mail=%s
    leaf_result_attribute = maildrop
    special_result_attribute = uniquemember

The lookup key is mail, the result is always a maildrop (whether the address is an alias or not). Group objects have uniquemember DNs that ultimately have maildrops.

--
Viktor.
/etc/postfix dependency?
Wietse:

Begin quote from Postfix sendmail manpage

    -C config_file
    -C config_dir
        The path name of the Postfix main.cf file, or of its parent directory. This information is ignored with Postfix versions before 2.3.

        With all Postfix versions, you can specify a directory pathname with the MAIL_CONFIG environment variable to override the location of configuration files.

End quote from Postfix sendmail manpage

**

I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag. I'd get misdirected by editing the Apple config files, running the commands without the -c and then find out that my changes didn't take effect, etc.

Sooo, is this expected behavior that those always default to /etc/postfix unless told otherwise? Is there a way to override that behavior short of moving the working config files to /etc/postfix and changing the config_directory which I'm loathe to do since Apple's next upgrade might break a non-standard install? Is it a compile-time option that Apple didn't do? Something else? I realize that they have to default to looking somewhere for the config files, and it makes sense to default to the widest audience, but

Thanks.

    $ pwd
    /Library/Server/Mail/Config/postfix
    $ postconf config_directory
    config_directory = /etc/hiWietse
    $ postconf -c /Library/Server/Mail/Config/postfix config_directory
    config_directory = /Library/Server/Mail/Config/postfix
    $ postconf -n | wc -l
    63
    $ postconf -c /Library/Server/Mail/Config/postfix -n | wc -l
    65
AW: Postfix expand ldap group AND afterwards resolve alias?
> > Recently we also implemented ldap groups which are expanded by postfix. This works fine, unless the group expands to some email alias destinations.
>
> Virtual(5) alias expansion is performed recursively in cleanup(8) for all recipient addresses. Recursive local aliases(5) expansion happens later, in local(8), only for recipient addresses that are routed to the local transport (typically recipients whose domain is listed in $mydestination).
>
> Virtual(5) alias expansion stops when a lookup key resolves to itself.
>
> >     virtual_alias_maps =
> >         ldap:/etc/postfix/ldap_expand_groups.cf,
> >         ldap:/etc/postfix/ldap_accountsmap.cf,
> >         ldap:/etc/postfix/ldap_expand_alias.cf
>
> I recommend proxy:ldap:... rather than ldap:

This will just improve resource usage, but not change behaviour, correct?

> >     server_host = ldap://openldap1.server
> >     version = 3
> >     search_base = ou=groups,o=mailhosting
> >     query_filter = (&(mail=%s)(objectclass=groupOfUniqueNames))
> >     leaf_result_attribute = mail
> >     special_result_attribute = uniquemember
>
> What's in ldap_accountsmap.cf?

    server_host = ldap://openldap1.server
    search_base = o=mailhosting
    query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
    result_attribute = mail
    bind = no

> > The ldap_expand_alias.cf
> >
> >     server_host = ldap://openldap1.server
> >     search_base = o=mailhosting
> >     query_filter = (&(objectClass=MailAlias)(mail=%s)(accountActive=TRUE))
> >     result_attribute = maildrop
> >     bind = no
>
> Post an example group member address that fails to be resolved.

Sending a mail to g...@client.ch returns with this error:

    langenthal...@client.ch (expanded from g...@client.ch): host 127.0.0.1[127.0.0.1] said:
    550-Mailbox unknown. Either there is no mailbox associated with this
    550-name or you do not have authorization to see it.
    550 5.1.1 User unknown (in reply to RCPT TO command)

The ldif of the group

    version: 1
    dn: cn=g1,ou=Sogo,ou=groups,o=mailhosting
    objectClass: extensibleObject
    objectClass: top
    objectClass: groupOfUniqueNames
    cn: g1
    uniqueMember: mail=a.sch...@aarboard.ch,jvd=schild.ws,o=mailhosting
    uniqueMember: mail=langenth...@client.ch,jvd=client.ch,o=mailhosting
    uniqueMember: mail=langenthal...@client.ch,jvd=client.ch,o=mailhosting
    mail: g...@client.ch

The ldif of the failing expand/alias:

    version: 1
    dn: mail=langenthal...@client.ch,jvd=client.ch,o=mailhosting
    objectClass: JammMailAlias
    objectClass: top
    accountActive: FALSE
    lastChange: 1363865527
    mail: langenthal...@client.ch
    maildrop: langenth...@client.ch
    cn: xx
    userPassword:: xx

> Your design looks too complex. If you give every user a maildrop, and give no groups a maildrop, the whole thing simplifies to one lookup:
>
>     server_host = ldap://openldap1.server
>     version = 3
>     search_base = o=mailhosting
>     query_filter = mail=%s
>     leaf_result_attribute = maildrop
>     special_result_attribute = uniquemember
>
> The lookup key is mail, the result is always a maildrop (whether the address is an alias or not). Group objects have uniquemember DNs that ultimately have maildrops.

We don't have groups with maildrops, so this should be ok. Does this still apply, when the accountsmap returns the mail attribute as shown above?

André
Re: allow an email account to receive emails from a blacklisted IP
On Tue, 3 Jun 2014 08:55:46 -0400 (EDT) wie...@porcupine.org (Wietse Venema) wrote:
> mancyb...@gmail.com:
> > > So I need a method of whitelisting ANY email that comes to domain.com, however I need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.
>
> Birta Levente:
> > If you want to whitelist recipient domain you need to check recipient access:
> > http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
> >
> >     smtpd_recipient_restrictions =
> >         reject_unauth_destination,
> >         check_recipient_access somemapfile,
> >         reject_rbl_client b.barracudacentral.org,
> >         reject_rbl_client cbl.abuseat.org,
> >         reject_rbl_client bl.mailspike.net,
> >         check_policy_service unix:postgrey/socket
> >
> > somemapfile:
> >
> >     domain.com OK
>
> This is correct, by placing the whitelist after reject_unauth_destination. Otherwise you would have an exploitable open relay.
>
> Wietse

Hi Wietse and all the community,

thanks for enlightening on this. I applied the changes and I'm waiting for some spam to come in :) I'll report on this / confirm if everything goes well.

Thanks for supporting, regards and have a nice day,
Mike
Re: /etc/postfix dependency?
On Tue, Jun 03, 2014 at 10:31:34AM -0500, Rick Zeman wrote:
> I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag.

This is a vendor issue. They need to make up their mind.

> So, is this expected behavior that those always default to /etc/postfix unless told otherwise?

The default configuration directory is set at compile time. Apple can set this to any directory of their choice. Are you sure there isn't a second copy of the various binaries in an Apple-specific directory?

The MAIL_CONFIG environment variable overrides the compiled in default.

>     $ postconf config_directory
>     config_directory = /etc/hiWietse

That's not right. Don't manually override config_directory in main.cf.
Re: Postfix expand ldap group AND afterwards resolve alias?
On Tue, Jun 03, 2014 at 03:31:28PM +, André Schild wrote:
> > I recommend proxy:ldap:... rather than ldap:
>
> This will just improve resource usage, but not change behaviour, correct?

Yes.

> > >     server_host = ldap://openldap1.server
> > >     version = 3
> > >     search_base = ou=groups,o=mailhosting
> > >     query_filter = (&(mail=%s)(objectclass=groupOfUniqueNames))
> > >     leaf_result_attribute = mail
> > >     special_result_attribute = uniquemember
> >
> > What's in ldap_accountsmap.cf?
>
>     server_host = ldap://openldap1.server
>     search_base = o=mailhosting
>     query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
>     result_attribute = mail
>     bind = no

This leads to identity mappings that terminate virtual expansion. Because it is listed ahead of aliases, the aliases are never seen.

>     version: 1
>     dn: cn=g1,ou=Sogo,ou=groups,o=mailhosting
>     objectClass: extensibleObject
>     objectClass: top
>     objectClass: groupOfUniqueNames
>     cn: g1
>     uniqueMember: mail=a.sch...@aarboard.ch,jvd=schild.ws,o=mailhosting
>     uniqueMember: mail=langenth...@client.ch,jvd=client.ch,o=mailhosting
>     uniqueMember: mail=langenthal...@client.ch,jvd=client.ch,o=mailhosting
>     mail: g...@client.ch
>
> The ldif of the failing expand/alias:
>
>     version: 1
>     dn: mail=langenthal...@client.ch,jvd=client.ch,o=mailhosting
>     objectClass: JammMailAlias
>     objectClass: top
>     accountActive: FALSE
>     lastChange: 1363865527
>     mail: langenthal...@client.ch
>     maildrop: langenth...@client.ch
>     cn: xx
>     userPassword:: xx

You again left out the account LDIF.

> > Your design looks too complex. If you give every user a maildrop, and give no groups a maildrop, the whole thing simplifies to one lookup:
> >
> >     server_host = ldap://openldap1.server
> >     version = 3
> >     search_base = o=mailhosting
> >     query_filter = mail=%s
> >     leaf_result_attribute = maildrop
> >     special_result_attribute = uniquemember
> >
> > The lookup key is mail, the result is always a maildrop (whether the address is an alias or not). Group objects have uniquemember DNs that ultimately have maildrops.
>
> We don't have groups with maildrops, so this should be ok. Does this still apply, when the accountsmap returns the mail attribute as shown above?

Give users a maildrop, and lose the accountsmap identity mapping. You can implement the user/group/alias mapping in a single table as suggested.

--
Viktor.
Re: /etc/postfix dependency?
On Tue, Jun 3, 2014 at 11:18 AM, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Tue, Jun 03, 2014 at 10:31:34AM -0500, Rick Zeman wrote:
> > I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag.
>
> This is a vendor issue. They need to make up their mind.

That is what I suspected. Wonder if anyone from Apple reads this list?

> > So, is this expected behavior that those always default to /etc/postfix unless told otherwise?
>
> The default configuration directory is set at compile time. Apple can set this to any directory of their choice. Are you sure there isn't a second copy of the various binaries in an Apple-specific directory?
>
> The MAIL_CONFIG environment variable overrides the compiled in default.

THAT is the answer I needed. Thanks.

> >     $ postconf config_directory
> >     config_directory = /etc/hiWietse
>
> That's not right. Don't manually override config_directory in main.cf.

Of course that's not right. I changed the unused main.cf's value for illustrative purposes; otherwise it would have looked just like the used version.
Re: /etc/postfix dependency?
Rick Zeman:
> I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag.

I suspect that you have programs from different Postfix builds on the same machine. Postfix would never work when some Postfix programs have a different built-in config_directory than other Postfix programs.

Wietse
Re: /etc/postfix dependency?
On Tue, Jun 3, 2014 at 12:04 PM, Wietse Venema wie...@porcupine.org wrote:
> Rick Zeman:
> > I'm using the Apple-compiled Postfix 2.9.4 that comes with Mac Mavericks server. One thing that made setup much harder than it needed to be for me is that Apple puts their postfix config files in a different location than the standard /etc/postfix, but yet the postfix helper apps in /usr/sbin (postmap, postconf, etc) default to looking in /etc/postfix for the config files unless overridden by the -c flag.
>
> I suspect that you have programs from different Postfix builds on the same machine. Postfix would never work when some Postfix programs have a different built-in config_directory than other Postfix programs.

Hi Wietse,

That could well be (is there a way to verify with strings or somesuch?), but it's working and working well. But, as Viktor pointed out, it's (still) a vendor problem because Apple would have supplied any and all builds and configurations since this was a brand-new machine. One way or another it's on them; either through the stock install, or via the Server add-on.
Re: /etc/postfix dependency?
Rick Zeman:
> > I suspect that you have programs from different Postfix builds on the same machine. Postfix would never work when some Postfix programs have a different built-in config_directory than other Postfix programs.
>
> Hi Wietse,
>
> That could well be (is there a way to verify with strings or somesuch?), but it's working and working well.

Alas, mixing programs from different builds is not supported, meaning no help if it mis-behaves.

I don't know how Apple builds Postfix, but if they have a package manager, then it should have md5/sha1/etc. of the installed ones and it should be able to tell you if any file has been replaced by a different version.

Wietse
AW: Postfix expand ldap group AND afterwards resolve alias?
Hello Viktor,

> > > >     server_host = ldap://openldap1.server
> > > >     version = 3
> > > >     search_base = ou=groups,o=mailhosting
> > > >     query_filter = (&(mail=%s)(objectclass=groupOfUniqueNames))
> > > >     leaf_result_attribute = mail
> > > >     special_result_attribute = uniquemember
> > >
> > > What's in ldap_accountsmap.cf?
> >
> >     server_host = ldap://openldap1.server
> >     search_base = o=mailhosting
> >     query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
> >     result_attribute = mail
> >     bind = no
>
> This leads to identity mappings that terminate virtual expansion. Because it is listed ahead of aliases, the aliases are never seen.

For normal alias this works, they are expanded

> >     version: 1
> >     dn: cn=g1,ou=Sogo,ou=groups,o=mailhosting
> >     objectClass: extensibleObject
> >     objectClass: top
> >     objectClass: groupOfUniqueNames
> >     cn: g1
> >     uniqueMember: mail=a.sch...@aarboard.ch,jvd=schild.ws,o=mailhosting
> >     uniqueMember: mail=langenth...@client.ch,jvd=client.ch,o=mailhosting
> >     uniqueMember: mail=langenthal...@client.ch,jvd=client.ch,o=mailhosting
> >     mail: g...@client.ch
> >
> > The ldif of the failing expand/alias:
> >
> >     version: 1
> >     dn: mail=langenthal...@client.ch,jvd=client.ch,o=mailhosting
> >     objectClass: JammMailAlias
> >     objectClass: top
> >     accountActive: FALSE
> >     lastChange: 1363865527
> >     mail: langenthal...@client.ch
> >     maildrop: langenth...@client.ch
> >     cn: xx
> >     userPassword:: xx
>
> You again left out the account LDIF.

Sorry, here it is:

    version: 1
    dn: mail=langenth...@client.ch,jvd=client.ch,o=mailhosting
    objectClass: JammMailAccount
    objectClass: top
    accountActive: FALSE
    delete: FALSE
    homeDirectory: /home/vmail/domains
    lastChange: 1363865462
    mail: langenth...@client.ch
    mailbox: client.ch/langenthal2/
    cn: Client Langenthal 2
    userPassword:: xx

André
Re: policy daemon failure
Hi Steve,

> We use sqlgrey as a policy daemon for greylisting. It runs on both our mail servers with a shared database on one of them. If the database is unavailable for some reason on the main server the backup rejects mail with
>
>     451 4.3.5 Server configuration problem
>
> Is it possible to change the default to accept the mail if the policy daemon fails. Most of our users would prefer a bit of extra spam to losing genuine mail.

While agreeing on the arguments the other responders have raised we are using the hapolicy script from postfwd to deal with broken Policy servers, i.e. for dovecot quota-status requests to the message stores.

http://postfwd.org/hapolicy/index.html

Works very well, the only disadvantage is that it uses quite a bit of memory due to spawning a full perl interpreter for each lookup process. A daemon that forks on accept() would probably be a lot more memory-saving, but it would be another part that could be broken.

Bernhard
Re: Postfix expand ldap group AND afterwards resolve alias?
On Tue, Jun 03, 2014 at 06:47:26PM +, André Schild wrote:
>     dn: mail=langenth...@client.ch,jvd=client.ch,o=mailhosting
>     objectClass: JammMailAccount
>     objectClass: top
>     accountActive: FALSE
>     delete: FALSE
>     homeDirectory: /home/vmail/domains
>     lastChange: 1363865462
>     mail: langenth...@client.ch
>     mailbox: client.ch/langenthal2/
>     cn: Client Langenthal 2

This creates an identity mapping that suppresses the visibility of the alias. You have two objects in the directory with the same value of mail. The attribute value should have a suitable uniqueness constraint.

My suggestion is to give each user a maildrop, and thereby simplify the model.

--
Viktor.
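
The effect described in this thread (an identity mapping listed ahead of the alias map ends expansion before the alias is seen), as an added example that is not part of the original posts and not Postfix code: a toy model of recursive virtual alias expansion over an ordered list of maps. All addresses are constructed, the tables stand in for the LDAP lookups, and MAX_DEPTH is a small stand-in for Postfix's recursion limit.

```python
# Added illustration: a toy model of recursive virtual alias expansion.
# Maps are searched in list order and the first map that has the key answers.
# An address that maps to itself is final. All addresses are constructed.

MAX_DEPTH = 10  # small stand-in for Postfix's recursion limit

# Group lookup: returns the mail attribute of each member.
GROUPS = {"g1@client.example": ["user2@client.example", "alias1@client.example"]}

# Identity results (result_attribute = mail). The second entry models an
# account-type object that carries the same mail value as the alias.
ACCOUNTS = {
    "user2@client.example": ["user2@client.example"],
    "alias1@client.example": ["alias1@client.example"],
}

# Alias lookup: returns the maildrop of the alias.
ALIASES = {"alias1@client.example": ["user2@client.example"]}

# Order used in the thread: groups, then accounts, then aliases.
THREE_MAPS = [GROUPS, ACCOUNTS, ALIASES]

# Single-table design: the key is mail, the result is always a maildrop.
SINGLE_TABLE = [{
    "g1@client.example": ["user2@client.example", "user2@client.example"],
    "user2@client.example": ["user2@client.example"],
    "alias1@client.example": ["user2@client.example"],
}]


def lookup(maps, address):
    """Return the answer of the first map that knows the address, else None."""
    for table in maps:
        if address in table:
            return table[address]
    return None


def expand(maps, address):
    """Return the final recipients for address, in first-seen order."""
    final = []

    def walk(addr, depth):
        if depth > MAX_DEPTH:
            raise RuntimeError("alias loop or nesting too deep: " + addr)
        result = lookup(maps, addr)
        if result is None:
            result = [addr]          # no mapping: the address stays as it is
        for target in result:
            if target == addr:       # identity mapping: expansion stops here
                if addr not in final:
                    final.append(addr)
            else:
                walk(target, depth + 1)

    walk(address, 0)
    return final


if __name__ == "__main__":
    print("three maps:  ", expand(THREE_MAPS, "g1@client.example"))
    print("no identity: ", expand([GROUPS, ALIASES], "g1@client.example"))
    print("single table:", expand(SINGLE_TABLE, "g1@client.example"))
```
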
Error I'm not familiar with
Hey guys,

I'm seeing in my logs 2 things causing me some concern, I don't need to go in to all my settings, just looking to see if anything stands out from the message and common causes:

    Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: warning: hostname cleers.dustypex.com does not resolve to address xx.xx.xx.xx: Temporary failure in name resolution
    Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: connect from unknown[xx.xx.xx.xx]
    Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[xx.xx.xx.xx]: HELO hostname.domain.net.net\r\n

First is probably someone trying to relay to my server, the cleers.dustypex.com hostname is not one of mine, but the ip I X'd out is mine, so my guess is they try to connect on that ip and send mail, and postfix is stopping it? I've gotten maybe 1000 of them in the last 2-3 days.

The 2nd is the last log line, I saw a bunch of those today, none before today, improper command pipelining, I removed the ip and host/domain but they are mine, my thought was maybe it was sending EHLO and then a HELO after it? or maybe just the wrong command?

If possible to just give me a general direction it would be easier for me to debug it myself than posting lots of logs, and explaining my config, I'm out of ideas so any past experience with that error message would probably help a lot.

Thanks!
Paul
Re: Error I'm not familiar with
On 03.06.2014 21:34, Paul C wrote:
>     Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: warning: hostname cleers.dustypex.com does not resolve to address xx.xx.xx.xx: Temporary failure in name resolution
>     Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: connect from unknown[xx.xx.xx.xx]
>     Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[xx.xx.xx.xx]: HELO hostname.domain.net.net\r\n
>
> First is probably someone trying to relay to my server, the cleers.dustypex.com hostname is not one of mine, but the ip I X'd out is mine, so my guess is they try to connect on that ip and send mail, and postfix is stopping it? I've gotten maybe 1000 of them in the last 2-3 days.

nobody can tell you anything because you stripped the IP
don't do that if you have a public reachable machine anyways and seek for help
most likely something with *your* DNS configuration is broken

> The 2nd is the last log line, I saw a bunch of those today, none before today, improper command pipelining, I removed the ip and host/domain but they are mine, my thought was maybe it was sending EHLO and then a HELO after it? or maybe just the wrong command?
>
> If possible to just give me a general direction it would be easier for me to debug it myself than posting lots of logs, and explaining my config, I'm out of ideas so any past experience with that error message would probably help a lot

define mine - smells like one of your machines got affected as million other the last weeks if it is *really* one of your IP's
Re: Error I'm not familiar with
Paul C:
> Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: warning: hostname cleers.dustypex.com does not resolve to address xx.xx.xx.xx: Temporary failure in name resolution
> Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: connect from unknown[xx.xx.xx.xx]

The client IP address has no PTR record, or the PTR record name does not resolve to the client IP address. Postfix therefore logs the client as unknown instead of cleers.dustypex.com.

> Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[xx.xx.xx.xx]: HELO hostname.domain.net.net\r\n

The client sends

    EHLO some-host-nameCRLFHELO hostname.domain.net.netCRLF

This violates SMTP, and Postfix logs this. You can block mail from such clients by using reject_unauth_pipelining in smtpd_*_restrictions.

> First is probably someone trying to relay to my server, the cleers.dustypex.com hostname is not one of mine, but the ip I X'd out is mine, so my guess is they try to connect on that ip and send mail, and postfix is stopping it? I've gotten maybe 1000 of them in the last 2-3 days.

You have a bot on your network, and you need to clean up that machine. Unless Postfix is configured to block this, it will forward their mail.

Wietse
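One way to see which clients produce the two log messages explained above, as an added example that is not part of the original thread: the Python sketch below tallies "improper command pipelining" events and failed hostname checks per client IP from smtpd log lines. The sample log is constructed in the format quoted in the thread, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in this thread;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
Jun  3 14:22:41 mx1 postfix/smtpd[2092]: warning: hostname host-a.example.net does not resolve to address 192.0.2.10: Temporary failure in name resolution
Jun  3 14:22:41 mx1 postfix/smtpd[2092]: connect from unknown[192.0.2.10]
Jun  3 14:22:41 mx1 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[192.0.2.10]: HELO host.example.net\r\n
Jun  3 14:22:42 mx1 postfix/smtpd[2092]: disconnect from unknown[192.0.2.10]
Jun  3 14:23:05 mx1 postfix/smtpd[2101]: connect from mail.example.org[198.51.100.7]
Jun  3 14:23:06 mx1 postfix/smtpd[2101]: disconnect from mail.example.org[198.51.100.7]
Jun  3 14:25:10 mx1 postfix/smtpd[2110]: connect from unknown[192.0.2.10]
Jun  3 14:25:10 mx1 postfix/smtpd[2110]: improper command pipelining after EHLO from unknown[192.0.2.10]: HELO host.example.net\r\n
"""

# "improper command pipelining after <command> from <name>[<ip>]: <extra input>"
PIPELINING = re.compile(
    r"postfix/smtpd\[\d+\]: improper command pipelining after (?P<after>\S+) "
    r"from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]: (?P<extra>.*)$")
# "warning: hostname <name> does not resolve to address <ip>[: reason]"
PTR_WARNING = re.compile(
    r"postfix/smtpd\[\d+\]: warning: hostname (?P<name>\S+) does not resolve "
    r"to address (?P<ip>\S+?)(?::\s|$)")
# Anchored on "]: connect" so that "disconnect from" lines are not counted.
CONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<name>\S+?)\[(?P<ip>[^\]]+)\]")


def summarize(log_text):
    """Return {client_ip: stats} for the smtpd events discussed above."""
    stats = defaultdict(lambda: {"connects": 0, "pipelining": 0,
                                 "after": set(), "ptr_failed_names": set()})
    for line in log_text.splitlines():
        m = PIPELINING.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["pipelining"] += 1
            entry["after"].add(m["after"])  # command the client did not wait for
            continue
        m = PTR_WARNING.search(line)
        if m:
            stats[m["ip"]]["ptr_failed_names"].add(m["name"])
            continue
        m = CONNECT.search(line)
        if m:
            stats[m["ip"]]["connects"] += 1
    return dict(stats)


def pipelining_clients(stats, min_hits=1):
    """Client IPs with at least min_hits pipelining violations, worst first."""
    hits = [(s["pipelining"], ip) for ip, s in stats.items()
            if s["pipelining"] >= min_hits]
    return [ip for _, ip in sorted(hits, key=lambda h: (-h[0], h[1]))]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in pipelining_clients(summary):
        s = summary[ip]
        print(ip, s["pipelining"], "violations after", sorted(s["after"]),
              "in", s["connects"], "connections; hostname check failed for",
              sorted(s["ptr_failed_names"]))
```

A client IP that shows up here and belongs to your own network is the machine to inspect first.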
Unknown users not rejected on Alias Domains (Virtual Domains)
Hi, I'm trying to find out which is the correct way to configure alias domains on postfix. For example, I have 3 different domains (example.com, example.info, example.net), and when I send an e-mail to a user on any of the three domains it's always sent to u...@example.com. In other words, I never need to configure mailboxes or users on any of the other two domains (alias domains, as I call them). It's sufficient to have the user configured on the main domain. I've seen the following resources on that topic: - https://workaround.org/ispmail/wheezy/virtual-domains - http://www.postfix.org/VIRTUAL_README.html#forwarding Unfortunately, those resources only describe the following types of forwarding: - j...@example.info -- jane@somewhere-else - @example.info -- jim@somewhere-else (catch-all feature) What I would need is a correctly working solution of: - @example.info -- @somewhere-else, or - any@example.info -- any@somewhere-else Doing some tests with some test configuration sending/forwarding/retrieving seems to work (e-mails sent to one of the alias domains arrive at the main domain), but if there is a non-existing mailbox on the main domain and the e-mail is sent to the corresponding user at one of the alias domains no e-mail bounces back from the main domain saying that the mail could not be delivered. How can I make postfix bounce e-mails back when there is no user for it on the main domain? Is there a specific, standard way of doing alias domains on postfix? (It should be some kind of standard use-case after all, shouldn't it? Google Mail let you define alias domains on Google Apps, and that simply works.) Thanks in advance for any hints, Peter
Re: Unknown users not rejected on Alias Domains (Virtual Domains)
On 6/3/2014 3:50 PM, Peter Bittner wrote: Hi, I'm trying to find out which is the correct way to configure alias domains on postfix. For example, I have 3 different domains (example.com, example.info, example.net), and when I send an e-mail to a user on any of the three domains it's always sent to u...@example.com. In other words, I never need to configure mailboxes or users on any of the other two domains (alias domains, as I call them). It's sufficient to have the user configured on the main domain. I've seen the following resources on that topic: - https://workaround.org/ispmail/wheezy/virtual-domains - http://www.postfix.org/VIRTUAL_README.html#forwarding Unfortunately, those resources only describe the following types of forwarding: - j...@example.info -- jane@somewhere-else - @example.info -- jim@somewhere-else (catch-all feature) What I would need is a correctly working solution of: - @example.info -- @somewhere-else, or - any@example.info -- any@somewhere-else Doing some tests with some test configuration sending/forwarding/retrieving seems to work (e-mails sent to one of the alias domains arrive at the main domain), but if there is a non-existing mailbox on the main domain and the e-mail is sent to the corresponding user at one of the alias domains no e-mail bounces back from the main domain saying that the mail could not be delivered. How can I make postfix bounce e-mails back when there is no user for it on the main domain? Is there a specific, standard way of doing alias domains on postfix? (It should be some kind of standard use-case after all, shouldn't it? Google Mail let you define alias domains on Google Apps, and that simply works.) Thanks in advance for any hints, Peter If your mail is delivered locally to standard system users, you can just add all the domains to mydestination and it just works; no alias mapping needed, all users appear in all domains. If the domains are virtual, you need to use 1-1 address mapping. 
Do not use wildcard domain mapping, as wildcards defeat the automatic recipient validation of postfix. -- Noel Jones
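The difference between 1-1 address mapping and a wildcard entry, as an added example that is not from the thread: the Python sketch below generates 1-1 entries for the alias domains and compares them with an "@example.info @example.com" catch-all under a simplified model of the virtual_alias_maps lookup (full address first, then @domain). The user names jane and jim, the function names and the lookup model are assumptions of this example.

```python
def build_one_to_one_map(users, main_domain, alias_domains):
    """Return virtual(5)-style lines mapping user@alias-domain to user@main-domain."""
    lines = []
    for domain in alias_domains:
        for user in sorted(users):
            lines.append(f"{user}@{domain}\t{user}@{main_domain}")
    return lines


def parse_map(lines):
    """Parse 'pattern result' lines into a dict, skipping blanks and comments."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        table[pattern.lower()] = result.strip()
    return table


def rewrite(table, address):
    """Simplified lookup: user@domain first, then the @domain catch-all.

    Returns the rewritten address, or None when nothing in the map matches.
    """
    address = address.lower()
    user, _, domain = address.rpartition("@")
    for key in (address, "@" + domain):
        if key in table:
            result = table[key]
            # A result of the form @otherdomain keeps the original user part.
            return user + result if result.startswith("@") else result
    return None


def rcpt_accepted(table, address):
    """Model of recipient validation for an alias domain: known only if the map matches."""
    return rewrite(table, address) is not None


# Constructed data: the three domains from the question, two hypothetical users.
USERS = ["jane", "jim"]
ONE_TO_ONE = parse_map(
    build_one_to_one_map(USERS, "example.com", ["example.info", "example.net"]))
WILDCARD = parse_map([
    "@example.info  @example.com",
    "@example.net   @example.com",
])

if __name__ == "__main__":
    for name, table in (("1-1 map", ONE_TO_ONE), ("wildcard map", WILDCARD)):
        for rcpt in ("jane@example.info", "nosuchuser@example.info"):
            verdict = "accepted" if rcpt_accepted(table, rcpt) else "rejected"
            print(f"{name}: RCPT TO {rcpt} -> {verdict}, rewritten to {rewrite(table, rcpt)}")
```

With the wildcard table every address in the alias domain matches, so an unknown user is accepted at RCPT TO and the missing mailbox is only discovered after the message has been queued.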
Re: Error I'm not familiar with
Thanks for the responses, and right on point, RDNS from my host has been failing here and there the last 2 days, they tell me they are fixing it, the ptr records exist but seem to be timing out at times, so good to see that's one of the problems as it should be fixed soon. cleers.dustypex.com. is not my host name, I just keep seeing the warning from postfix saying it doesn't match the ip, which sorry I X'd it out, thought it wasn't needed, it is: 23.231.27.148 About the bot, yes that is something I was concerned about, I was getting a ton of failed ssh log in attempts, so I ip restricted ssh to only my work and home ip, and imap failed log ins, I restricted port 143 too, but for smtp I can't restrict that with iptables. I added the line you suggested, this is my setting: smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining So does it seem the errors are coming from these bots and not my own internal mail (if possible to tell)? And I'm not seeing any delivery codes, like 250 etc from any of that cleers.dustypex.com connections, so maybe they aren't succeeding in actually sending the mail out? From the logs it looks like they are trying to relay but its not going out. On Tue, Jun 3, 2014 at 3:45 PM, Wietse Venema wie...@porcupine.org wrote: Paul C: Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: warning: hostname cleers.dustypex.com does not resolve to address xx.xx.xx.xx: Temporary failure in name resolution Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: connect from unknown[xx.xx.xx.xx] The client IP address has no PTR record, or the PTR record name does not resolve to the client IP address. Postfix therefore logs the client as unknown instead of cleers.dustypex.com. 
Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[xx.xx.xx.xx]: HELO hostname.domain.net.net\r\n The client sends EHLO some-host-nameCRLFHELO hostname.domain.net.netCRLF This violates SMTP, and Postfix logs this. You can block mail from such clients by using reject_unauth_pipelining in smtpd_*_restrictions. First is probably someone trying to relay to my server, the cleers.dustypex.com hostname is not one of mine, but the ip I X'd out is mine, so my guess is they try to connect on that ip and send mail, and postfix is stopping it? I've gotten maybe 1000 of them in the last 2-3 days. You have a bot on your network, and you need to clean up that machine. Unless Postfix is configured to block this, it will forward their mail. Wietse
RE: Error I'm not familiar with
Your domain seems to be on URIBL blacklist (black) Contains an URL listed in the URIBL blacklist [URIs: d u s t y p e x.com] jfyi Razvan -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema Sent: Tuesday, June 03, 2014 10:46 PM To: Postfix users Subject: Re: Error I'm not familiar with Paul C: Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: warning: hostname cleers.dustypex.com does not resolve to address xx.xx.xx.xx: Temporary failure in name resolution Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: connect from unknown[xx.xx.xx.xx] The client IP address has no PTR record, or the PTR record name does not resolve to the client IP address. Postfix therefore logs the client as unknown instead of cleers.dustypex.com. Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[xx.xx.xx.xx]: HELO hostname.domain.net.net\r\n The client sends EHLO some-host-nameCRLFHELO hostname.domain.net.netCRLF This violates SMTP, and Postfix logs this. You can block mail from such clients by using reject_unauth_pipelining in smtpd_*_restrictions. First is probably someone trying to relay to my server, the cleers.dustypex.com hostname is not one of mine, but the ip I X'd out is mine, so my guess is they try to connect on that ip and send mail, and postfix is stopping it? I've gotten maybe 1000 of them in the last 2-3 days. You have a bot on your network, and you need to clean up that machine. Unless Postfix is configured to block this, it will forward their mail. Wietse
Re: Error I'm not familiar with
That's not my domain, its the one trying to send mail through my postfix server, it connects to my ip and tries to send on it, postfix is logging the warning message for hostname not matching, that's how I saw it. On Tue, Jun 3, 2014 at 7:13 PM, Inteq Solution - Dep. Tehnic t...@inteq.ro wrote: Your domain seems to be on URIBL blacklist (black) Contains an URL listed in the URIBL blacklist [URIs: d u s t y p e x.com] jfyi Razvan -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema Sent: Tuesday, June 03, 2014 10:46 PM To: Postfix users Subject: Re: Error I'm not familiar with Paul C: Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: warning: hostname cleers.dustypex.com does not resolve to address xx.xx.xx.xx: Temporary failure in name resolution Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: connect from unknown[xx.xx.xx.xx] The client IP address has no PTR record, or the PTR record name does not resolve to the client IP address. Postfix therefore logs the client as unknown instead of cleers.dustypex.com. Jun 3 14:22:41 PHX1-1831 postfix/smtpd[2092]: improper command pipelining after EHLO from unknown[xx.xx.xx.xx]: HELO hostname.domain.net.net\r\n The client sends EHLO some-host-nameCRLFHELO hostname.domain.net.netCRLF This violates SMTP, and Postfix logs this. You can block mail from such clients by using reject_unauth_pipelining in smtpd_*_restrictions. First is probably someone trying to relay to my server, the cleers.dustypex.com hostname is not one of mine, but the ip I X'd out is mine, so my guess is they try to connect on that ip and send mail, and postfix is stopping it? I've gotten maybe 1000 of them in the last 2-3 days. You have a bot on your network, and you need to clean up that machine. Unless Postfix is configured to block this, it will forward their mail. Wietse
Postfix has a bizarre dependency and does not start
opensuse 13.1
postfix 2.9.6-7.4.1

I recently upgraded a server from 12.3 to 13.1. Postfix worked correctly in v12.3. Postfix fails to start with this message:

Code:
-- Unit postfix.service has failed.
--
-- The result is dependency.
Jun 03 10:59:24 sma-server3 systemd[1]: t2.mount mount process exited, code=exited status=32
Jun 03 10:59:24 sma-server3 systemd[1]: Failed to mount /t2.

While annoying that mount point /t2 no longer starts (yet another upgrade problem), I see no reason for postfix to be fixated on its presence. Where are such dependencies defined?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Re: Postfix has a bizarre dependency and does not start
James Moe:
> opensuse 13.1
> postfix 2.9.6-7.4.1
>
> I recently upgraded a server from 12.3 to 13.1. Postfix worked correctly in v12.3. Postfix fails to start with this message:
>
> Code:
> -- Unit postfix.service has failed.
> --
> -- The result is dependency.
> Jun 03 10:59:24 sma-server3 systemd[1]: t2.mount mount process exited, code=exited status=32
> Jun 03 10:59:24 sma-server3 systemd[1]: Failed to mount /t2.
>
> While annoying that mount point /t2 no longer starts (yet another upgrade problem), I see no reason for postfix to be fixated on its presence. Where are such dependencies defined?

To view Postfix built-in file system dependencies:

$ postconf | egrep '_(directory|path) ='

Maybe that causes the coin to drop.

Wietse
Re: Postfix has a bizarre dependency and does not start
On 06/03/2014 05:33 PM, Wietse Venema wrote:
> $ postconf | egrep '_(directory|path) ='
>
> Maybe that causes the coin to drop.

No, that did not show /t2 anywhere as a dependency. postconf | egrep 't2' produced no results, either.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Re: Postfix has a bizarre dependency and does not start
On Tue, Jun 03, 2014 at 05:07:22PM -0700, James Moe wrote:
> Postfix fails to start with this message:
>
> Code:
> -- Unit postfix.service has failed.
> --
> -- The result is dependency.
> Jun 03 10:59:24 sma-server3 systemd[1]: t2.mount mount process exited, code=exited status=32
> Jun 03 10:59:24 sma-server3 systemd[1]: Failed to mount /t2.

How is anyone on the list supposed to know about configuration details of your systemd environment.

> While annoying that mount point /t2 no longer starts (yet another upgrade problem), I see no reason for postfix to be fixated on its presence.

Nothing in Postfix itself knows anything about mount points.

> Where are such dependencies defined?

In the systemd configuration.

--
Viktor.
How to relay subdomain but deliver local mail?
I want mail to example.org to be delivered to the local virtual mailboxes.
I want mail to in.example.org to be relayed to mail.power.com.

The configuration below is relaying all mail to mail.power.com.

Can someone please suggest what I need to do to fix?

thanks

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate delayed mail warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

transport_maps = hash:/etc/postfix/transport
#virtual_mailbox_limit = 20
#virtual_mailbox_domains = example.org
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual.aliases
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
parent_domain_matches_subdomains = smtpd_access_maps
relay_domains = in.example.org
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.example.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = example.org, localhost.example.org, localhost
relayhost = mail.power.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
message_size_limit = 524
Re: How to relay subdomain but deliver local mail?
On Wed, Jun 04, 2014 at 11:39:56AM +1000, Andrew Stuart wrote:
> I want mail to example.org to be delivered to the local virtual mailboxes.
> I want mail to in.example.org to be relayed to mail.power.com.
>
> The configuration below is relaying all mail to mail.power.com.

Try postconf -n instead of cut/paste from main.cf.

--
Viktor.
Re: How to relay subdomain but deliver local mail?
postconf -n output

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mailbox_size_limit = 0
message_size_limit = 524
mydestination = example.org, localhost.example.org, localhost
myhostname = mail.example.org
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
parent_domain_matches_subdomains = smtpd_access_maps
readme_directory = no
recipient_delimiter = +
relay_domains = in.example.org
relayhost = mail.power.com
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual.aliases
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 100
virtual_uid_maps = static:5000

On 04/06/2014, at 11:49 AM, Viktor Dukhovni wrote:
> On Wed, Jun 04, 2014 at 11:39:56AM +1000, Andrew Stuart wrote:
>> I want mail to example.org to be delivered to the local virtual mailboxes.
>> I want mail to in.example.org to be relayed to mail.power.com.
>>
>> The configuration below is relaying all mail to mail.power.com.
>
> Try postconf -n instead of cut/paste from main.cf.
>
> --
> Viktor.
Re: How to relay subdomain but deliver local mail?
On Wed, Jun 04, 2014 at 11:52:59AM +1000, Andrew Stuart wrote:
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> home_mailbox = Maildir/

Only applicable with local(8) delivery, but you have local_transport = virtual, so unless you have explicit transport entries selecting local, these can be set empty.

> local_recipient_maps = $virtual_mailbox_maps
> local_transport = virtual
> mydestination = example.org, localhost.example.org, localhost

So example.org users should be routed to virtual(8) barring transport overrides.

> relay_domains = in.example.org
> relayhost = mail.power.com

This domain should be routed to the relay transport barring transport overrides, with a nexthop of $relayhost.

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Change defer to reject when you get a chance.

> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

http://www.postfix.org/TLS_README.html#quick-start

> smtpd_use_tls = yes

smtpd_tls_security_level = may

> transport_maps = hash:/etc/postfix/transport

What's in there relating to either domain or a * entry?

> virtual_alias_maps = hash:/etc/postfix/virtual.aliases

Are addresses in example.org rewritten to some other domain?

Log entries of mail leaving via relayhost?

--
Viktor.
Re: How to relay subdomain but deliver local mail?
transport file contains: * smtp:mail.power.com On 04/06/2014, at 11:59 AM, Viktor Dukhovni wrote: On Wed, Jun 04, 2014 at 11:52:59AM +1000, Andrew Stuart wrote: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases home_mailbox = Maildir/ Only applicable with local(8) delivery, but you have local_transport = virtual, so unless you have explicit transport entries selecting local, these can be set empty. local_recipient_maps = $virtual_mailbox_maps local_transport = virtual mydestination = example.org, localhost.example.org, localhost So example.org users should be routed to virtual(8) barring transport overrides. relay_domains = in.example.org relayhost = mail.power.com This domain should be routed to the relay transport barring transport overrides, with a nexthop of $relayhost. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination Change defer to reject when you get a chance. smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key http://www.postfix.org/TLS_README.html#quick-start smtpd_use_tls = yes smtpd_tls_security_level = may transport_maps = hash:/etc/postfix/transport What's in there relating to either domain or a * entry? virtual_alias_maps = hash:/etc/postfix/virtual.aliases Are addresses in example.org rewritten to some other domain? Log entries of mail leaving via relayhost? -- Viktor.
Re: How to relay subdomain but deliver local mail?
On Wed, Jun 04, 2014 at 12:16:08PM +1000, Andrew Stuart wrote:
> transport file contains:
>
> * smtp:mail.power.com

And you're surprised why everything is going via smtp to mail.power.com?

--
Viktor.
Re: Postfix has a bizarre dependency and does not start
On Tue, 03 Jun 2014 17:07:22 -0700 James Moe ji...@sohnen-moe.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 opensuse 13.1 postfix 2.9.6-7.4.1 I recently upgraded a server from 12.3 to 13.1. Postfix worked correctly in v12.3. Postfix fails to start with this message: Code: - -- Unit postfix.service has failed. - -- - -- The result is dependency. Jun 03 10:59:24 sma-server3 systemd[1]: t2.mount mount process exited, code=exited status=32 Jun 03 10:59:24 sma-server3 systemd[1]: Failed to mount /t2. Was that message produced by systemd? What happens if you do as root: 'postfix check' and 'postfix start'? What does the system log tell you? jd
Re: How to relay subdomain but deliver local mail?
Not since you pointed it out. Thanks Viktor works fine now.

On 04/06/2014, at 12:17 PM, Viktor Dukhovni wrote:
> On Wed, Jun 04, 2014 at 12:16:08PM +1000, Andrew Stuart wrote:
>> transport file contains:
>>
>> * smtp:mail.power.com
>
> And you're surprised why everything is going via smtp to mail.power.com?
>
> --
> Viktor.
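Why the "*" transport entry sent everything to mail.power.com, as an added example that is not part of the original thread: the Python sketch below models the routing Viktor describes, where the address class picks a default transport and a transport_maps match overrides it. The settings are the ones from the posted postconf -n output; the function names, the simplified lookup order (user@domain, domain, .parent domains, then "*") and the corrected table with the "*" entry removed are assumptions of this example.

```python
# Settings copied from the postconf -n output posted in the thread.
CONFIG = {
    "mydestination": ["example.org", "localhost.example.org", "localhost"],
    "relay_domains": ["in.example.org"],
    "local_transport": "virtual",
    "relayhost": "mail.power.com",
}

# The transport file as posted: one wildcard entry.
BROKEN_TRANSPORT = {"*": "smtp:mail.power.com"}
# Assumption: the corrected table simply has no "*" entry.
EMPTY_TRANSPORT = {}


def transport_lookup(table, recipient):
    """Simplified transport(5) search: user@domain, domain, .parent domains, '*'."""
    recipient = recipient.lower()
    domain = recipient.rpartition("@")[2]
    labels = domain.split(".")
    keys = [recipient, domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("*")
    for key in keys:
        if key in table:
            return table[key]
    return None


def default_route(config, recipient):
    """(transport, nexthop) chosen from the address class alone."""
    domain = recipient.lower().rpartition("@")[2]
    if domain in config["mydestination"]:
        # Local class; the nexthop shown here is a simplification.
        return config["local_transport"], domain
    if domain in config["relay_domains"]:
        return "relay", config["relayhost"]
    return "smtp", config["relayhost"]


def route(config, table, recipient):
    """Apply a transport table match on top of the class default."""
    transport, nexthop = default_route(config, recipient)
    override = transport_lookup(table, recipient)
    if override is not None:
        new_transport, _, new_nexthop = override.partition(":")
        # An empty field in the table keeps the default for that field.
        transport = new_transport or transport
        nexthop = new_nexthop or nexthop
    return transport, nexthop


if __name__ == "__main__":
    for label, table in (("with '*' entry", BROKEN_TRANSPORT),
                         ("without '*' entry", EMPTY_TRANSPORT)):
        for rcpt in ("user@example.org", "user@in.example.org"):
            print(f"{label}: {rcpt} -> {route(CONFIG, table, rcpt)}")
```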