RE: relay access control

2015-04-17 Thread Héctor Moreno Blanco
Hello everyone,

I think I found the solution, it was in this thread 
https://bbs.archlinux.org/viewtopic.php?id=158020, changing 
smtpd_recipient_restrictions to smtpd_relay_restrictions.

Thank you!
Kind regards.

Héctor Moreno


From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On 
behalf of Héctor Moreno Blanco
Sent: Friday, 17 April 2015 10:48
To: postfix-users@postfix.org
Subject: relay access control

Hello everyone,

I want to control the relay access to our Postfix server. We would like to 
permit mail only to certain servers (IP and/or hostname) and only existing 
mail in our LDAP.
I don't want to add these servers to mynetwork because it will allow any 
address to send...

I've tried with check_client_access and reject_unverified_sender, and many 
other options without success. I always get relay access denied error...

Any suggestions here please?

Thank you very much in advance.
Kind regards.

Héctor Moreno.


Please consider the environment before printing this e-mail.

This message including any attachments may contain confidential information, 
according to our Information Security Management System, and intended solely 
for a specific individual to whom they are addressed. Any unauthorised copy, 
disclosure or distribution of this message is strictly forbidden. If you have 
received this transmission in error, please notify the sender immediately and 
delete it.
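
The change described in this thread, as an added example (not configuration from the original post): since Postfix 2.10, smtpd_relay_restrictions is evaluated at RCPT TO before smtpd_recipient_restrictions, and its default ends in defer_unauth_destination, so a check_client_access permit placed only in the recipient list cannot prevent "Relay access denied". The file paths, addresses and host name below are assumptions.

```ini
# /etc/postfix/main.cf (added example; paths are assumptions)

# Before: the permit sat in the recipient list. With Postfix 2.10+ the
# default relay list (permit_mynetworks, permit_sasl_authenticated,
# defer_unauth_destination) refuses the relay attempt regardless of
# what the recipient list would have permitted.
#smtpd_recipient_restrictions =
#    check_client_access cidr:/etc/postfix/relay_clients.cidr,
#    reject_unauth_destination

# After: the relay decision lives in smtpd_relay_restrictions.
# Listed clients may relay to any destination; all other clients can
# only reach domains this server is final destination or relay for.
# mynetworks is left untouched.
smtpd_relay_restrictions =
    check_client_access cidr:/etc/postfix/relay_clients.cidr,
    check_client_access hash:/etc/postfix/relay_clients,
    reject_unauth_destination

# Assumption: "only existing mail in our LDAP" means the envelope sender
# must be a known address, and the address maps for the local domains
# are LDAP-backed. Unlisted senders in those domains are then rejected.
smtpd_reject_unlisted_sender = yes

# /etc/postfix/relay_clients.cidr (constructed addresses)
192.0.2.10/32      OK
198.51.100.0/28    OK

# /etc/postfix/relay_clients (hash table; run "postmap" after editing).
# Matches the client host name that Postfix verified through DNS, so
# prefer the CIDR table where the address is stable.
app01.example.com  OK
```

After a reload, "postconf -n" should list smtpd_relay_restrictions with these entries.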




smtpd custom reject for over quota

2015-04-17 Thread E.B.
Hi,

Dovecot has a new feature that can set a flag in the userdb quota_over_flag

http://wiki2.dovecot.org/Quota/Configuration#Overquota-flag_.28v2.2.16.2B-.29

I want to use this to reject messages during SMTP conversation for users that
are over quota. I keep this flag in MySQL. I could very easily add it to my
virtual_mailbox_maps sql lookup query but rejection would be something
like no such user account which is misleading.

If possible would like to avoid two database lookups but in postfix I don't
know of a way to change reject message based on this flag or make postfix
remember this flag's value for later. Only way I can think to implement this
is a separate smtpd restriction class that makes another sql lookup to
check the quota_over_flag value(?)

Has anyone tried this yet or can anyone provide an example? 

by the way, I won't care about aliases, they will still attempt delivery
and cause a bounce if over quota.

TIA, ed


Docs for smtp_address_preference slightly confusing about default

2015-04-17 Thread Thijs Kinkhorst
Hi,

I was reading the documentation on smtp_address_preference:

| smtp_address_preference (default: any)
| The address type (ipv6, ipv4 or any) that the Postfix SMTP client
| will try first, when a destination has IPv6 and IPv4 addresses with equal
| MX preference. This feature has no effect unless the inet_protocols
| setting enables both IPv4 and IPv6. With Postfix 2.8 the default is
| ipv6.

The header indicates the default to be any but I was confused by that
last sentence that the default would have been changed to ipv6 since 2.8
while source code inspection shows that it's only in 2.8 that it was
ipv6 and that it has been changed since then.

Maybe it helps to change "is" to "was" or otherwise make it more explicit
that the final sentence refers only to the 2.8 branch and not to
later/current versions?


Thanks,
Thijs


relay access control

2015-04-17 Thread Héctor Moreno Blanco
Hello everyone,

I want to control the relay access to our Postfix server. We would like to 
permit mail only to certain servers (IP and/or hostname) and only existing 
mail in our LDAP.
I don't want to add these servers to mynetwork because it will allow any 
address to send...

I've tried with check_client_access and reject_unverified_sender, and many 
other options without success. I always get relay access denied error...

Any suggestions here please?

Thank you very much in advance.
Kind regards.

Héctor Moreno.





Re: Docs for smtp_address_preference slightly confusing about default

2015-04-17 Thread Wietse Venema
Thijs Kinkhorst:
 Hi,
 
 I was reading the documentation on smtp_address_preference:
 
 | smtp_address_preference (default: any)
 | The address type (ipv6, ipv4 or any) that the Postfix SMTP client
 | will try first, when a destination has IPv6 and IPv4 addresses with equal
 | MX preference. This feature has no effect unless the inet_protocols
 | setting enables both IPv4 and IPv6. With Postfix 2.8 the default is
 | ipv6.
 
 The header indicates the default to be any but I was confused by that
 last sentence that the default would have been changed to ipv6 since 2.8
 while source code inspection shows that it's only in 2.8 that it was
 ipv6 and that it has been changed since then.
 
 Maybe it helps to change "is" to "was" or otherwise make it more explicit
 that the final sentence refers only to the 2.8 branch and not to
 later/current versions?

With Postfix before 2.8 the preference is hard-coded. Postfix is
an evolving system, with multiple supported stable releases. Using
past tense for a supported release seems odd, and it is unpractical
to change text from present tense to past tense when a release is
no longer supported.

Wietse


Re: smtpd: warning: hostname does not resolve to address Name or service not known

2015-04-17 Thread Krzs
HTML tags from postfixusers nabble dot com web site don't show up in
emails, I'll add their content in this reply:

On 17/04/2015 13:48, Gab wrote:
 Hi list !
 As the subject says i found this issue on my mail system after long time it
 worked as expected.
 Mine is a Debian Wheezy VPS system hosting postfix dovecot spamassassin with
 mysql database .That's what logs say while i try to send an email by
 thunderbird with my laptop:
 
 
 
 while thunderbird says:
postfix/smtpd[23417]: connect from my.laptop[1.2.3.4]
postfix/smtpd[23417]: lost connection after UNKNOWN from my.laptop[1.2.3.4]
postfix/smtpd[23417]: disconnect from my.laptop[1.2.3.4]
 That's my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_dns_lookups = yes
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $mydomain, localhost.localdomain, localhost
mydomain = myFQDN
myhostname = smtp.$mydomain
mynetworks = 88.198.107.18, 127.0.0.1
mynetworks_style = host
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/cert.pem
smtp_tls_ciphers = export
smtp_tls_key_file = /etc/postfix/ssl/key.pem
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 1
smtpd_tls_cert_file = /etc/postfix/ssl/cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/key.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains =
mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot

 I have the same issue with all clients i have and by telnet i get while i
 authenticate:

:~$ telnet smtp.myFQDN 25
Trying 1.2.3.4 ...
Connected to myFQDN.
Escape character is '^]'.
220 smtp.myFQDN ESMTP Postfix
ehlo smtp.myFQDN
250-smtp.myFQDN
250-PIPELINING
250-SIZE 1024
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: admin@myFQDN
250 2.1.0 Ok
auth plain gibberishtextinbase64encodedvalueoftheusernameadminandpassword
503 5.5.1 Error: authentication not enabled
Connection closed by foreign host.

 What others infos you need to get around this issue ?
 every help will be appreciated
 Regards
 Gab
 
 
 
 

-- 
Key fingerprint = EB67 3CA1 6C61 EACE B705  4EC3 A28D E2DD 4C47 A4D9


Re: Delivery Status Notification

2015-04-17 Thread Nick Howitt

Hi Ansgar,

Sorry but the same issue still exists.

If it helps I am relaying via my ISP's mailserver, smtp.ntlworld.com:465 
(62.254.26.221) as I am in a dynamic IP block of addresses.


I am having to reply via the postfix list as the direct e-mail does not 
work.


Regards,

Nick

On 17/04/2015 11:07, Ansgar Wiechers wrote:

Hi Nick

On 2015-04-16 Nick Howitt wrote:

I tried to reply to your e-mail earlier today about HTML formatted
e-mails out of courtesy but received the bounce below. I don't think
I am mis-configured but if I am I'd love some help. I had a look at
the rhsbl.ahbl.org list and it seems that this list is no longer
active and always gives a positive response. Their site says:

If you are still using these services, this may cause you to
incorrectly tag e-mail as spam, or create other unintended
consequences.  Fix and maintain your servers, now.  Do not contact us
about 'removing' your domain or IP address from our lists, as there
is nothing we can do for you.

Sorry about that, and thanks for the heads up. I failed to remove the
AHBL from my config when it went out of business. Should be fixed now,
but please try once more to make sure, if you don't mind.

Regards
Ansgar




Can anyone see anything wrong with this Make command set

2015-04-17 Thread Robert Chalmers
There’s a break there somewhere, and I can’t find it.

make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
-I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql’ 
AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
-lpcre’ AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm’ makefiles



THIS one works.

make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
-I/opt/local/include' AUXLIBS='-L/opt/local/lib -lssl -lcrypto' 
AUXLIBS_PCRE='-L/opt/local/lib -lpcre’ makefiles

THIS ONE doesn’t - trying to add mysql ...

make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
-I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql’ 
AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
-lpcre’ AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm’ makefiles


thanks if you can point out where my mistake is.

Robert



Robert Chalmers
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. Yosemite 10.10.2. 2TB 
Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower 
Bay



Re: Docs for smtp_address_preference slightly confusing about default

2015-04-17 Thread Wietse Venema
Wietse Venema:
 Thijs Kinkhorst:
  Hi,
  
  I was reading the documentation on smtp_address_preference:
  
  | smtp_address_preference (default: any)
  | The address type (ipv6, ipv4 or any) that the Postfix SMTP client
  | will try first, when a destination has IPv6 and IPv4 addresses with equal
  | MX preference. This feature has no effect unless the inet_protocols
  | setting enables both IPv4 and IPv6. With Postfix 2.8 the default is
  | ipv6.
  
  The header indicates the default to be any but I was confused by that
  last sentence that the default would have been changed to ipv6 since 2.8
  while source code inspection shows that it's only in 2.8 that it was
  ipv6 and that it has been changed since then.
  
  Maybe it helps to change "is" to "was" or otherwise make it more explicit
  that the final sentence refers only to the 2.8 branch and not to
  later/current versions?

Updated text:

smtp_address_preference (default: any)
   The address type (ipv6, ipv4 or any) that the Postfix SMTP client
   will try first, when a destination has IPv6 and IPv4 addresses with
   equal MX preference. This feature has no effect unless the
   inet_protocols setting enables both IPv4 and IPv6.

   Postfix SMTP client address preference has evolved. With Postfix 2.8
   the default is ipv6; earlier implementations are hard-coded to prefer
   IPv6 over IPv4.

Wietse


Re: Can anyone see anything wrong with this Make command set

2015-04-17 Thread Darac Marjal
On Fri, Apr 17, 2015 at 01:57:41PM +0100, Robert Chalmers wrote:
 There’s a break there somewhere, and I can’t find it.
 
 make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
 -I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql’ 
 AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
 -lpcre’ AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm’ makefiles
 
 
 
 THIS one works.
 
 make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
 -I/opt/local/include' AUXLIBS='-L/opt/local/lib -lssl -lcrypto' 
 AUXLIBS_PCRE='-L/opt/local/lib -lpcre’ makefiles
 
 THIS ONE doesn’t - trying to add mysql ...
 
 make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
 -I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql’ 
 AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
 -lpcre’ AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm’ makefiles
 

Is -mysqlclient a valid option? I suspect you want -lmysqlclient.





Re: High Availability on Postfix

2015-04-17 Thread Wietse Venema
Thegeswini S:
 Could some one help on below request ?
 
 On Thu, Apr 16, 2015 at 1:02 PM, Thegeswini S thegesw...@gmail.com wrote:
 
 
  Presently we use primary MTA as Postfix for outbound mail server and we
  were not configured inbound mails as we don't have POP server in our env.
 
  The mail server resides on primary site and all the application servers
  including DR sites servers, uses this mail server as relay system and send
  mails to ISP...
 
  Now the requirement is to create a secondary outbound mail server on DR
  site, in case of Primary server or site is down. I would like to know any
  solution sending messages from backup outbound when primary is down ?

If you mean: have systems on your corporate network send external
email through the backup outbound mail server when the primary
outbound mail server is down, then I recommend that you use DNS MX
records, with the most-preferred records resolving to the primary
mail server, and with the less-preferred records resolving to the
secondary mail server.

If your infrastructure does not use DNS MX records internally, then
you can use A records instead, but then you have no preference
feature.

Otherwise, you need to find a solution that provides similar
functionality. For example, a number of strategically-placed
proxy servers (HAproxy, nginx) that direct clients to the best
MTA.

Wietse


Postfix redundant server

2015-04-17 Thread nh
Hello,

I have a question, sorry if this has already been asked.

I have 2 mail servers (if one crashes or is inaccessible, the other takes over
the work).

My installation is 1 mail server principal axis send mails (and can receive
mails) on a VPS and the other at my home (majorly for incoming mail).

Actually, I manage the synchronization between them with BTSync, is there a
better way to do that or any idea ?

Best regards.





Re: Can anyone see anything wrong with this Make command set

2015-04-17 Thread Wietse Venema
Robert Chalmers:
 There’s a break there somewhere, and I can’t find it.

This is a problem description without symptoms.

Wietse


Re: Tracing why there's a NDN

2015-04-17 Thread Ansgar Wiechers
On 2015-03-26 @lbutlr wrote:
  On 26 Mar 2015, at 16:59 , Wolfgang Zeikat wolfgang.zei...@desy.de wrote:
 - On 26 Mar, 2015, at 23:44, @lbutlr krem...@kreme.com wrote:
 Mar 26 02:55:38 mail postfix/smtp[7534]: 3lCKqM0QcJzJMnf: 
 to=*gmailuser*@gmail.com, orig_to=*localuser*.com, 
 relay=gmail-smtp-in.l.google.com[74.125.193.26]:25, delay=115, 
 delays=46/0.02/38/31, dsn=5.7.0, status=bounced (host 
 gmail-smtp-in.l.google.com[74.125.193.26] said: 552-5.7.0 This message was 
 blocked because its content presents a potential 552-5.7.0 security issue. 
 Please visit 552-5.7.0 
 http://support.google.com/mail/bin/answer.py?answer=6590 to review our 552 
 5.7.0 message content and attachment content guidelines. b10si4404184igx.11 
 - gsmtp (in reply to end of DATA command))
 
 So gmail has rejected to accept that message and has put out a
 *final* message: 552-5.7.0 This message was blocked. Thus the mail
 was bounced: status=bounced. That is not a temp failure. So postfix
 tries to send a NDN to the sender of the blocked mail.
 
 Ah, sorry. Most of those from gmail are 421’s and I didn’t notice this
 one wasn’t.
 
 Mar 26 02:56:08 mail postfix/smtp[7534]: 3lCKsQ6KCHzJMnj: 
 to=overspill...@akirchheimer.com, relay=none, delay=30, delays=0/0/30/0, 
 dsn=4.4.3, status=deferred (Host or domain name not found. Name service 
 error for name=akirchheimer.com.inbound10.mxlogicmx.net type=A: Host not 
 found, try again)
 
 The MX record of the sender address of the mail that gmail has
 blocked cannot be resolved in DNS: Host not found, try again.
 Therefore, the NDN cannot be delivered. That is a temp failure and
 delivery will be retried until the host can be found in DNS or the
 queue lifetime of that NDN expires.
 
 Hmm. That’s interesting. Checking dig on the mailserver:
 
 ;; ANSWER SECTION:
 akirchheimer.com.   11781   IN  MX  10 
 akirchheimer.com.inbound10.mxlogicmx.net.
 akirchheimer.com.   11781   IN  MX  10 
 akirchheimer.com.inbound10.mxlogic.net.
 
 ;; ADDITIONAL SECTION:
 akirchheimer.com.inbound10.mxlogicmx.net. 39975 IN A 208.65.144.2
 akirchheimer.com.inbound10.mxlogicmx.net. 39975 IN A 208.65.145.2
 
 Is the NDN being generated because of the gmail temp failure?
 
 There is no gmail temp failure, see above.
 
 OK, how about gmail permanent failures?

Wolfgang already answered that:

| So gmail has rejected to accept that message and has put out a
| *final* message: 552-5.7.0 This message was blocked. Thus the mail
| was bounced: status=bounced. That is not a temp failure. So postfix
| tries to send a NDN to the sender of the blocked mail.

Because of a permanent failure Postfix attempted to send an NDN back to
the envelope sender address, but couldn't, since name resolution failed
(temporarily?).

Was the message successfully delivered at a later point in time, or did
it remain in the queue until its lifetime expired (generating a double
bounce)?

Does name resolution work correctly for the user postfix?

 Does the spamass-milter run before postscreen? 
 
 If not, can it?

Postscreen was created as a lightweight protection against spam bots. It
would be utterly pointless to run it after heavyweight spam protection
measures like Spamassassin.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


smtpd: warning: hostname does not resolve to address Name or service not known

2015-04-17 Thread Gab
Hi list !
As the subject says i found this issue on my mail system after long time it
worked as expected.
Mine is a Debian Wheezy VPS system hosting postfix dovecot spamassassin with
mysql database .That's what logs say while i try to send an email by
thunderbird with my laptop:



while thunderbird says:


That's my postconf -n:


I have the same issue with all clients i have and by telnet i get while i
authenticate:

What others infos you need to get around this issue ?
every help will be appreciated
Regards
Gab





Re: Can anyone see anything wrong with this Make command set

2015-04-17 Thread John Allen
take a look at -I/usr/local/include/mysql’ isn't the closing symbol 
wrong, after mysql you have an ’ but shouldn't it be single quote ( ' )
I don't know what ’ is, but it looks a bit like an acute accent 
(#180) or a single right quote (#146) not a single quote (#39).

JohnA
On 4/17/2015 8:57 AM, Robert Chalmers wrote:

There’s a break there somewhere, and I can’t find it.

make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
-I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql’ 
AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
-lpcre’ AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm’ makefiles



THIS one works.

make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
-I/opt/local/include' AUXLIBS='-L/opt/local/lib -lssl -lcrypto' 
AUXLIBS_PCRE='-L/opt/local/lib -lpcre’ makefiles

THIS ONE doesn’t - trying to add mysql ...

make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
-I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql’ 
AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
-lpcre’ AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm’ makefiles


thanks if you can point out where my mistake is.

Robert



Robert Chalmers
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. Yosemite 10.10.2. 2TB 
Storage made up of -
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower 
Bay





Re: Configuration and header checkup

2015-04-17 Thread Viktor Dukhovni
On Fri, Apr 17, 2015 at 09:54:24AM -0800, Tim Johnson wrote:

  Any and all critiques are invited and welcome.

Absent requirements of what this MTA is supposed to do, it is
impossible to comment.  It seems it is an outbound-only configuration,
as your MX records point to MTAs operated by others.  In which case
any reasonably minimal configuration will work.

You're not observing any issues, so you're just fine.  Nothing
to worry about until you actually see a problem.

   mydestination = linus.local, localhost.localdomain, localhost
   mydomain_fallback = localhost
   myhostname = tj49.com
   smtp_helo_name = tjohnson.mtaonline.net
   smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

This looks reasonably minimal, just change the exclude ciphers
setting to:

smtpd_tls_exclude_ciphers = SSLv2

The eNULL ciphers are excluded by default, and there is no reason
to exclude anonymous cipher-suites.

-- 
Viktor.


Re: smtpd custom reject for over quota

2015-04-17 Thread Viktor Dukhovni
On Fri, Apr 17, 2015 at 01:32:36AM -0700, E.B. wrote:

 Dovecot has a new feature that can set a flag in the userdb quota_over_flag
 
 http://wiki2.dovecot.org/Quota/Configuration#Overquota-flag_.28v2.2.16.2B-.29
 
 I want to use this to reject messages during SMTP conversation for users that
 are over quota. I keep this flag in MySQL. [...]
 
 If possible would like to avoid two database lookups but in postfix [...]

Premature optimization is the root of all evil.  Just make two
queries, in particular use access(5) tables for this, not address
rewriting tables.

 Only way I can think to implement this
 is a separate smtpd restriction class that makes another sql lookup to
 check the quota_over_flag value(?)

Yes, use the access control features.

 by the way, I won't care about aliases, they will still attempt delivery
 and cause a bounce if over quota.

If you have aliases that are lists of many users, use local(8) delivery
to expand those lists, and configure an owner-alias so that bounces
go to the list owner and not the poor sender who does not need to know
or care whether each and every user on the list got his message.

-- 
Viktor.
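
One way to wire up the access(5) approach recommended above, as an added example (not configuration from the thread): a second MySQL lookup used only as a recipient access table, leaving virtual_mailbox_maps untouched. The file path, database credentials, table and column names, and the reply text are assumptions.

```ini
# /etc/postfix/main.cf (added example)
# Add the lookup to the existing recipient restrictions. It runs at
# RCPT TO, after smtpd_relay_restrictions has dealt with relay attempts.
smtpd_recipient_restrictions =
    check_recipient_access mysql:/etc/postfix/mysql-overquota.cf

# /etc/postfix/mysql-overquota.cf (mysql_table(5) format)
# The file holds a database password: keep it readable by root and the
# postfix group only.
# Assumed schema: table "mailbox" with columns "email" and
# "quota_over_flag" (set to 1 while the user is over quota).
hosts = 127.0.0.1
user = postfix_ro
password = CHANGE_ME
dbname = mail
# A row is returned only for over-quota users; the returned text is an
# access(5) action, here a reject with an explicit code and reason.
# No row means no decision, and the next restriction is evaluated.
# Use '452 4.2.2 ...' instead to make the sending server retry later.
query = SELECT '552 5.2.2 Mailbox is over quota' FROM mailbox
    WHERE email = '%s' AND quota_over_flag = 1
```

The lookup can be checked without sending mail by running "postmap -q" with an address and the mysql: table as arguments; an over-quota address should return the reject text and any other address should return nothing.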


Re: Configuration and header checkup

2015-04-17 Thread Tim Johnson
* Tim Johnson t...@akwebsoft.com [150416 16:55]:
 Using postfix on Mac OS X 10.7, preparing to use postfix on
 ubuntu 14.04.
 
 I've used postfix for many years, but since I only configure once in
 a couple years and am on a single-user desktop, plus occasional
 netbook usage, I'm really just a newbie.
 
 I've run into some problems lately with bad mx-records from my ISP.
 I think that has been fixed, but I would like some feedback on :
 
 1) How my headers look.
 2) My configuration in main.cf
 
 The only configuration that I have edited in main.cf is as follows:
 [begin]
 #==
 mydomain_fallback=localhost
 mydomain = tj49.com
 myhostname = tj49.com
 mydestination = linus.local, localhost.localdomain, localhost
 smtp_helo_name = tjohnson.mtaonline.net
 #==
 [end]
 
 I should note that I commonly send email with return email addresses
 from two different domains: tj49.com and akwebsoft.com. My wife
 might have a different setup on a different computer with a return
 address at johnsons-web.com.
 
 Any and all critiques are invited and welcome.
  It occurs to me that anyone replying would have to request a
  direct email from me to them. In the meantime, here is a dump from 
  postconf -n :
  [begin]
  command_directory = /usr/sbin
  config_directory = /etc/postfix
  daemon_directory = /usr/libexec/postfix
  data_directory = /Library/Server/Mail/Data/mta
  debug_peer_level = 2
  mail_owner = _postfix
  mailbox_size_limit = 0
  mailq_path = /usr/bin/mailq
  manpage_directory = /usr/share/man
  mydestination = linus.local, localhost.localdomain, localhost
  mydomain_fallback = localhost
  myhostname = tj49.com
  newaliases_path = /usr/bin/newaliases
  queue_directory = /Library/Server/Mail/Data/spool
  readme_directory = /usr/share/doc/postfix
  sample_directory = /usr/share/doc/postfix/examples
  sendmail_path = /usr/sbin/sendmail
  setgid_group = _postdrop
  smtp_helo_name = tjohnson.mtaonline.net
  smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
  tls_random_source = dev:/dev/urandom
  unknown_local_recipient_reject_code = 550
  use_sacl_cache = yes
  [end]
-- 
Tim 
tim at tee jay forty nine dot com or akwebsoft dot com
http://www.akwebsoft.com, http://www.tj49.com


Re: Configuration and header checkup

2015-04-17 Thread Tim Johnson
* Viktor Dukhovni postfix-us...@dukhovni.org [150417 10:02]:
 On Fri, Apr 17, 2015 at 09:54:24AM -0800, Tim Johnson wrote:
 
   Any and all critiques are invited and welcome.
 
 Absent requirements of what this MTA is supposed to do, it is
 impossible to comment.  It seems it is an outbound-only configuration,
 as your MX records point to MTAs operated by others.  In which case
 any reasonably minimal configuration will work.
 
 You're not observing any issues, so you're just fine.  Nothing
 to worry about until you actually see a problem.
 
  I _have_ had issues in the past. I know that some were related to
  inappropriate mx record (reverse DNS) as configured by my ISP.
  Those issues have been resolved. So I am just looking for a second
  opinion as to _any other_ lurking issues.
  
mydestination = linus.local, localhost.localdomain, localhost
mydomain_fallback = localhost
myhostname = tj49.com
smtp_helo_name = tjohnson.mtaonline.net
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
 
 This looks reasonably minimal, just change the exclude ciphers
 setting to:
 
 smtpd_tls_exclude_ciphers = SSLv2

  Understood. I'm glad to get the feedback.
  Thank you.

-- 
Tim 
tim at tee jay forty nine dot com or akwebsoft dot com
http://www.akwebsoft.com, http://www.tj49.com


Re: Delivery Status Notification

2015-04-17 Thread Nick Howitt

@Ansgar Wiechers,

I am struggling to reply to you as you replied off-list and my last 
attempt on the list failed. I think you've fixed the first issue but 
there may be another one, perhaps with my settings or the settings you 
expect from me as I now get the following bounce:


This is the mail system at host know-smtprelay-6-imp. I am sorry to 
have to inform you that your message could not be delivered to one or 
more recipients. The message is attached below. The remote mail system 
said: 5.7.1 ansgar.wiech...@planetcobalt.net: Recipient address 
rejected: Mail appeared to be SPAM or forged. Ask your 
Mail/DNS-Administrator to correct HELO and DNS MX settings or to get 
removed from DNSBLs [cached] - retrying too fast. penalty: 30 seconds x 
0 retries.


If it helps I am relaying via my ISP's mailserver, smtp.ntlworld.com:465 
(62.254.26.221) with postfix/stunnel as I am in a dynamic IP block of 
addresses. My mx record points directly to my server.


Regards,

Nick

On 16/04/2015 18:02, Nick Howitt wrote:


@Ansgar Wiechars

I tried to reply to your e-mail earlier today about HTML formatted 
e-mails out of courtesy but received the bounce below. I don't think I 
am mis-configured but if I am I'd love some help. I had a look at the 
rhsbl.ahbl.org list and it seems that this list is no longer active 
and always gives a positive response. Their site says:


If you are still using these services, this may cause you to 
incorrectly tag e-mail as spam, or create other unintended 
consequences.  Fix and maintain your servers, now.  Do not contact us 
about 'removing' your domain or IP address from our lists, as there is 
nothing we can do for you.


Regards,

Nick

On 16/04/2015 12:19, mailer-dae...@virginmedia.com wrote:


This is the mail system at host know-smtprelay-4-imp. I am sorry to 
have to inform you that your message could not be delivered to one or 
more recipients. The message is attached below. The remote mail 
system said: 5.7.1 li...@planetcobalt.net: Recipient address 
rejected: Mail appeared to be SPAM or forged. Ask your 
Mail/DNS-Administrator to correct HELO and DNS MX settings or to get 
removed from DNSBLs; in rhsbl.ahbl.org








Re: smtpd: warning: hostname does not resolve to address Name or service not known

2015-04-17 Thread Bill Cole

On 17 Apr 2015, at 8:02, Krzs wrote:


HTML tags from postfixusers nabble dot com web site don't show up in
emails, I'll add their content in this reply:


Almost entirely useless. What you added is full of lies, where you've 
used bogus names and addresses to replace nearly all information that 
might be useful in diagnosis.


You're asking about a name resolution error message. No one can help you 
if you are so paranoid that you won't divulge the names and IP addresses 
involved. However, you did miss ONE IP address that provides a hint 
towards one mistake:




On 17/04/2015 13:48, Gab wrote:

[...

mydestination = $mydomain, localhost.localdomain, localhost
mydomain = myFQDN
myhostname = smtp.$mydomain
mynetworks = 88.198.107.18, 127.0.0.1


18.107.198.88.in-addr.arpa. 86089 IN PTR frozenstar.info.
frozenstar.info. 1512 IN MX 10 smtp.frozenstar.info.
smtp.frozenstar.info. 3327 IN CNAME frozenstar.info.

That's wrong. MX records MUST point to names that have A records.
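
A check for the MX-to-CNAME mistake pointed out in the message above, as an added example that is not part of the original thread: it parses dig-style answer lines (the three records quoted above are the sample input) and reports MX targets that are CNAME aliases or that have no address record in the supplied data. The function names are hypothetical.

```python
# Added example: flag MX targets that are CNAME aliases or lack an address record.
# Input format is dig-style answer lines: NAME TTL CLASS TYPE RDATA...

# The three records quoted in the message above.
SAMPLE = """\
18.107.198.88.in-addr.arpa. 86089 IN PTR frozenstar.info.
frozenstar.info. 1512 IN MX 10 smtp.frozenstar.info.
smtp.frozenstar.info. 3327 IN CNAME frozenstar.info.
"""

def parse_records(text):
    """Return a list of (owner, rtype, rdata_fields) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop dig comments
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue                               # not a complete IN record
        owner = fields[0].lower().rstrip(".")
        records.append((owner, fields[3].upper(), fields[4:]))
    return records

def check_mx_targets(text):
    """Return (domain, mx_target, problem) for every MX that fails the check."""
    records = parse_records(text)
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    addrs = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "MX" or len(rdata) < 2:
            continue
        target = rdata[1].lower().rstrip(".")
        if target == "":                           # null MX ("."), nothing to resolve
            continue
        if target in cnames:
            findings.append((owner, target, "MX target is a CNAME alias"))
        elif target not in addrs:
            findings.append((owner, target, "no A/AAAA record in supplied data"))
    return findings

if __name__ == "__main__":
    for domain, target, problem in check_mx_targets(SAMPLE):
        print(f"{domain}: MX {target}: {problem}")
```
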



Re: Can anyone see anything wrong with this Make command set

2015-04-17 Thread Viktor Dukhovni
On Fri, Apr 17, 2015 at 03:40:13PM +0100, Darac Marjal wrote:

  make -f Makefile.init dynamicmaps=yes CCARGS='-DUSE_TLS -DHAS_PCRE 
  -I/opt/local/include -DHAS_MYSQL -I/usr/local/include/mysql? 
  AUXLIBS='-L/opt/local/lib -lssl -lcrypto' AUXLIBS_PCRE='-L/opt/local/lib 
  -lpcre? AUXLIBS_MYSQL='-L/usr/local/lib -mysqlclient -lz -lm? makefiles
 
 Is -mysqlclient a valid option? I suspect you want -lmysqlclient.

Yes, that's the problem.  Good catch.

-- 
Viktor.


Re: smtpd: warning: hostname does not resolve to address Name or service not known

2015-04-17 Thread Viktor Dukhovni
On Fri, Apr 17, 2015 at 11:26:44AM -0400, Bill Cole wrote:

 On 17 Apr 2015, at 8:02, Krzs wrote:
 
 HTML tags from postfixusers nabble dot com web site don't show up in
 emails, I'll add their content in this reply:
 
 Almost entirely useless. What you added is full of lies, where you've used
 bogus names and addresses to replace nearly all information that might be
 useful in diagnosis.

Let's tone that down shall we.  Second warning.

-- 
Viktor.


Re: smtpd: warning: hostname does not resolve to address Name or service not known

2015-04-17 Thread Krzs


On 17/04/2015 17:26, Bill Cole wrote:
 On 17 Apr 2015, at 8:02, Krzs wrote:
 
 HTML tags from postfixusers nabble dot com web site don't show up in
 emails 

They don't show up because I don't use HTML in emails

 Almost entirely useless. What you added is full of lies, where you've
 used bogus names and addresses to replace nearly all information that
 might be useful in diagnosis.

I'm too used to not using my FQDN for obvious security reasons (yes, I'm
paranoid).
I won't consider your insults and I still hope someone will help.
Regards
-- 
Key fingerprint = EB67 3CA1 6C61 EACE B705  4EC3 A28D E2DD 4C47 A4D9


Re: Postfix redundant server

2015-04-17 Thread Luis Daniel Lucio Quiroz
Check MX2 Postfix Configuration (google it)

Luis Daniel Lucio Quiroz
CISSP, CISM, CISA
Linux, VoIP and much more fun
www.okay.com.mx


2015-04-17 10:03 GMT-04:00 nh postfix-nab...@nhenry.fr:

 Hello,

 I have a question, sorry if this has already been asked.

 I have 2 mail servers (if one crashes or is inaccessible, the other takes
 the work).

 My installation is 1 mail server principally for sending mail (which can
 also receive mail) on a VPS and the other at my home, mainly for incoming mail.

 Actually, I manage the synchronization between them with BTSync; is there a
 better way to do that, or any ideas?

 Best regards.


