Spoofing on a test system
I have finished setting everything up on a test system using a different flavor of Linux and a more current version of everything than my production system. Let's call them prod.example.com and test.example.com. Without interrupting mail service on prod, which is half of what that system does so I really can't take it down and wait for DNS changeovers back and forth, what can be done on test to make it look like and work like prod? For instance, when I start Postfix on test, it's trying to deliver messages to prod and is unable to. I could extract stuff from maillog which might be of some help to figure out what's going on, but before I do that, is it even possible to do what I'm wanting to do--spoof my current Dovecot+Postfix setup to think it's on prod when it really isn't? By the way, it's OK for messages from test to get into prod, people on the mailing lists on prod know this could and probably will happen.
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 06:43:47AM -0700, Jithesh AP wrote:

> I have an attack on my mail system and the mail i got from mailer daemon is (got 1000s of such mails)

You've set notify_classes to send you too much email.

> -- Transcript of session follows.
> Out: 220 ml.w8timez.com ESMTP Postfix
> In: HELO 54.183.212.207
> Out: 250 ml.w8timez.com
> In: MAIL FROM: fmrjk...@yahoo.com.tw
> Out: 250 2.1.0 Ok
> In: RCPT TO: yuej...@yahoo.com.tw
> Out: 451 4.3.0 yuej...@yahoo.com.tw: Temporary lookup failure
> Out: 421 4.7.0 ml.w8timez.com Error: too many errors
> Session aborted, reason: too many errors

Not much of an attack, just an open-relay test. Just ignore it, and ideally arrange to not be notified about it.

> Any specific suggestions to close such attack?

# No postmaster notices, just read the logs.
#
notify_classes =

-- Viktor.
Re: Limiting total number of processes with various smtpd services listening on different IPs
On Tue, Jun 16, 2015 at 10:09:22AM +0200, Christian Rohmann wrote:

> When running multiple smtpd services on different IPs and with different SSL certificates (I believe there still is no SNI support in postfix? - http://www.postfix.org/TLS_README.html - There are no plans to implement SNI in the Postfix SMTP server.)

Indeed there is no server-side SNI support, but you generally don't need a matching certificate with SMTP. Most SMTP clients don't verify certificates of SMTP servers. And many that do, just look for the MX hostname, which can be the same across multiple hosted domains. What is the specific use-case where this seems to be necessary?

> the individually set process limits work fine, but they add up quickly. Even IPv4 and IPv6 create two listeners for the same job already making it difficult to pick sensible individual limits.

IIRC you can halve the number of listeners by using a hostname instead of an address in master.cf, and assigning both the IPv4 and IPv6 address to each host that needs both.

> I'm keen to allow the individual listener to grow to let's say 1000 processes, but don't want to allow them ALL to grow that large at the same time.

There is no feature of master(8) that can set a process limit for pools of services smaller than the sum of the individual limits.

-- Viktor.
Re: Real or Phishing
On Tue, Jun 16, 2015 at 05:06:41PM +0300, Gaby L wrote:

> I regularly receive this email from AsianDomain registration. Is it a real email or is it possibly spam/phishing?

Scam, bitbucket these messages.

-- Viktor.
Re: messages queue not delivered with sasl.
On 2015-06-16 13:48, basteon wrote:

> yes warning exists:
>
> Jun 16 16:56:58 mail postfix/smtp[14742]: warning: hash:/etc/postfix/mailpasswd is unavailable. open database /etc/postfix/mailpasswd.db: No such file or directory
> Jun 16 16:56:58 mail postfix/smtp[14742]: warning: hash:/etc/postfix/mailpasswd lookup error for u...@domain.ru
> Jun 16 16:56:58 mail postfix/smtp[14742]: warning: 95559758A82: smtp_sasl_password_maps lookup error
>
> I keep users in sasl and in mysql database.

You have set smtp_sasl_password_maps = hash:/etc/postfix/mailpasswd in your main.cf and postfix is unable to read the postmapped version of that file. Does the file /etc/postfix/mailpasswd.db exist?

http://www.postfix.org/postconf.5.html#smtp_sasl_password_maps

Either issue postmap /etc/postfix/mailpasswd to create this file, remove that entry from your main.cf or fix your main.cf setting to point to the file that holds the settings for the connection to your sql db.

The file specified with this parameter is not used to authenticate the users that are using your server for mail submission, it's used by the postfix smtp client to authenticate to remote servers when you have sender-dependent authentication enabled.

http://www.postfix.org/SASL_README.html#client_sasl

Regards
- christian
Attack on my mailsystem
Hi All,

I have an attack on my mail system and the mail i got from mailer daemon is (got 1000s of such mails)

-- Transcript of session follows.
Out: 220 ml.w8timez.com ESMTP Postfix
In: HELO 54.183.212.207
Out: 250 ml.w8timez.com
In: MAIL FROM: fmrjk...@yahoo.com.tw
Out: 250 2.1.0 Ok
In: RCPT TO: yuej...@yahoo.com.tw
Out: 451 4.3.0 yuej...@yahoo.com.tw: Temporary lookup failure
Out: 421 4.7.0 ml.w8timez.com Error: too many errors
Session aborted, reason: too many errors

For other details, see the local mail logfile

I checked maillog and did not get much (like ip/port used etc). i have 25,465,587 outgoing open, i am going to close 25 outgoing.

Any specific suggestions to close such attack?

Regards
Jithesh
Re: Attack on my mailsystem
Ok thank you for the info, this did scare me :). It's taxing my small system.

Regards
Jithesh

On Tue, 16 Jun 2015 06:48:01 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Tue, Jun 16, 2015 at 06:43:47AM -0700, Jithesh AP wrote:
>
>> I have an attack on my mail system and the mail i got from mailer daemon is (got 1000s of such mails)
>
> You've set notify_classes to send you too much email.
>
>> -- Transcript of session follows.
>> Out: 220 ml.w8timez.com ESMTP Postfix
>> In: HELO 54.183.212.207
>> Out: 250 ml.w8timez.com
>> In: MAIL FROM: fmrjk...@yahoo.com.tw
>> Out: 250 2.1.0 Ok
>> In: RCPT TO: yuej...@yahoo.com.tw
>> Out: 451 4.3.0 yuej...@yahoo.com.tw: Temporary lookup failure
>> Out: 421 4.7.0 ml.w8timez.com Error: too many errors
>> Session aborted, reason: too many errors
>
> Not much of an attack, just an open-relay test. Just ignore it, and ideally arrange to not be notified about it.
>
>> Any specific suggestions to close such attack?
>
> # No postmaster notices, just read the logs.
> #
> notify_classes =

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 06:51:51AM -0700, Jithesh AP wrote:

> Ok thank you for the info, this did scare me :). It's taxing my small system.

Most of the cost is the processing of postmaster notices. If you turn those off (and just read a log report once a day from your favourite log reporting tool) your system will be much happier.

-- Viktor.
Re: Trying to get mail working
On Wed, 13 May 2015 11:36:14 -0400 (EDT), you wrote:

> Steve Matzura:
>
>> I have charge of a very mixed system--current OS (Fedora 20--OK 21's out but I just haven't upgraded yet), current (or nearly so) Mailman (2.1.18-1), Postfix 2.10 with a configuration file from something a lot older which I've run through the upgrade-configuration procedure, and old Dovecot (1.0.15). Is there anything I can do to test each of these components individually, then add a second component and test the three pairs, then all three together? I am nobody's definition of an expert in any of these three components, so am having a lot of trouble making them work together, so I thought maybe there might be some test procedure that might straighten me out.
>
> Follow instructions in http://www.postfix.org/BASIC_CONFIGURATION_README.html, submit mail with the Postfix sendmail command and look at the maillog file for what happens next.

All quite helpful and useful. Turns out most of my problems were with Dovecot, all of which have also been worked out. Another unrelated question in the next post.
Re: weird bounce-loop
On Tue, Jun 16, 2015 at 12:36:58PM +0200, Maarten Vanraes wrote:

> 1. an email is sent to the company (postfix + content_filter + zarafa(lmtp))
> 2. zarafa sends a forward to gmail (zarafa - postfix - gmail)

This is the broken step, the zarafa forward is severely misconfigured, in that it replaces the original envelope sender address with the user's address. This is especially bad when the original envelope sender is '' (the null or error sender).

> 3. gmail rejects
> 4. postfix bounces to original user (thus goes to zarafa(lmtp))

No, Postfix bounces to the forwarder of the mail, not to the original sender, thus the loop.

> 5. zarafa sends a forward to gmail (zarafa - postfix - gmail)
> 6. gmail rejects
> 7. postfix bounces to original user (thus goes to zarafa(lmtp))
> ... ad nauseam...
>
> thus, quickly the zarafa mailserver has thousands of bounces in a few minutes... Is there a way to solve this issue? postfix obviously can't use the double-bounce check here, right? or not?

The fix is to NOT allow the user to forward his mail to Gmail via the broken Zarafa forwarding mechanism. Either arrange for forwarding to happen at the Postfix layer (which won't damage the envelope sender address), or do not do it at all.

Mind you, with forwarding at the Postfix layer, you run into SPF issues with domains whose administrators (sheep!) publish SPF records. So by far the simplest thing is to NOT auto-forward to Gmail.

-- Viktor.
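The loop Viktor describes, as an added example that is not part of the thread or of any of the software mentioned in it: a small Python simulation of the two forwarding behaviours. It models only the SMTP envelope (MAIL FROM and RCPT TO), since that is all the loop depends on. The addresses, the name of the forwarder and the round limit are assumptions; the mechanics follow the explanation above: a forwarder that keeps MAIL FROM sends the remote site's rejection back to whoever wrote the original, while one that replaces MAIL FROM with the mailbox owner gets every bounce back and forwards it again, and also throws away the null sender, which is the only thing that stops a bounce from being bounced.

```python
from dataclasses import dataclass

# Assumed addresses; none of these appear in the thread.
USER = "user@company.example"            # the Zarafa mailbox that auto-forwards
FORWARD_TARGET = "user@gmail.example"    # where it forwards to (the site that rejects)
ORIGINAL_SENDER = "sender@example.org"   # whoever wrote to USER in the first place


@dataclass(frozen=True)
class Envelope:
    """Just the SMTP envelope; '' as mail_from is the null sender that bounces use."""
    mail_from: str
    rcpt_to: str
    subject: str


def forward(env, target, rewrite_sender):
    """Re-inject a message that arrived in a mailbox towards `target`.

    Forwarding at the Postfix layer (virtual alias, .forward) keeps MAIL FROM as is.
    The broken forwarder instead uses the mailbox owner (the RCPT TO) as MAIL FROM.
    """
    mail_from = env.rcpt_to if rewrite_sender else env.mail_from
    return Envelope(mail_from, target, env.subject)


def reject_and_bounce(env):
    """The remote site rejects the message; Postfix then bounces it to MAIL FROM.

    A message from the null sender is never bounced (that is what the null
    sender is for), so the function returns None in that case.
    """
    if env.mail_from == "":
        return None
    return Envelope("", env.mail_from, "Undelivered Mail Returned to Sender")


def simulate(rewrite_sender, initial_sender=ORIGINAL_SENDER, max_rounds=10):
    """Run the forward/reject/bounce cycle and report how (and whether) it ends."""
    env = Envelope(initial_sender, USER, "hello")
    for round_no in range(1, max_rounds + 1):
        forwarded = forward(env, FORWARD_TARGET, rewrite_sender)
        bounce = reject_and_bounce(forwarded)
        if bounce is None:
            return round_no, "stopped: null sender preserved, nothing to bounce to"
        if bounce.rcpt_to != USER:
            return round_no, f"bounce delivered to {bounce.rcpt_to}"
        env = bounce  # the bounce lands in USER's mailbox and is forwarded again
    return max_rounds, "loop: every bounce is re-forwarded"


if __name__ == "__main__":
    for rewrite in (False, True):
        for sender in (ORIGINAL_SENDER, ""):
            rounds, outcome = simulate(rewrite, sender)
            print(f"rewrite_sender={rewrite!s:5} initial MAIL FROM={sender!r:22} "
                  f"-> after {rounds} round(s): {outcome}")
```

With `rewrite_sender=False` the run ends after one round, either with the bounce going to the original sender or, when the original was itself a bounce, with nothing sent at all. With `rewrite_sender=True` it never ends on its own, which is the "thousands of bounces in a few minutes" from the report; the round limit is only there so the script terminates.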
Re: Spoofing on a test system
On Tue, Jun 16, 2015 at 8:59 AM, Steve Matzura numb...@noisynotes.com wrote:

> I have finished setting everything up on a test system using a different flavor of Linux and a more current version of everything than my production system. Let's call them prod.example.com and test.example.com. Without interrupting mail service on prod, which is half of what that system does so I really can't take it down and wait for DNS changeovers back and forth, what can be done on test to make it look like and work like prod? For instance, when I start Postfix on test, it's trying to deliver messages to prod and is unable to. I could extract stuff from maillog which might be of some help to figure out what's going on, but before I do that, is it even possible to do what I'm wanting to do--spoof my current Dovecot+Postfix setup to think it's on prod when it really isn't? By the way, it's OK for messages from test to get into prod, people on the mailing lists on prod know this could and probably will happen.

So... I guess prod has the mailboxes, and you want to test test.example.com as a prospective replacement for prod. If that's the case, you will want to enable all the corresponding local delivery in test, and furthermore it could even start thinking it is prod (even though it will still only respond to its address for test). After doing this, you can configure an account on your mail client to connect to test, and do most of the tests there.

This scenario is pretty common when you are configuring a new system, so, indeed it is possible, and there are several ways of doing it, depending on the details of what you want to do. You could even set up a test subdomain in order to do a complete test including external mail sending, before promoting to production.

Now, the switchover planning (or promoting test as prod) is another story, and can be done by several different means, one of those being using (or creating and then using) a private network and redirecting traffic on prod to the test system, and then doing the DNS change, effectively making all traffic that would originally go to prod go to test (that now would be called prod, but I need a way to distinguish them)... Doing this would either expose you to some spam going through or require some heavy usage of advanced routing, so before doing this it is recommended to have the DNS TTL set to something like 60 seconds or so. After 2 minutes have passed, all new connections should be going to your new prod, and you should be able to stop prod.

Oh, but there is more: what about mailboxes? (likely maildirs) That's yet another point that requires planning, and will depend on your mailbox format, so I won't start with that right now.

Well, I hope this is useful, and if you want more help, please elaborate a bit more on what you want to do.

Sincerely,

--
Ildefonso Camargo
Command Prompt, Inc. - http://www.commandprompt.com/
PostgreSQL Support, Training, Professional Services and Development
High Availability, Oracle Conversion, Postgres-XC
@cmdpromptinc - 509-416-6579
sent mail goes into spam
Dear All,

I created a postfix based mail system. When my users send mail most of the mails goes into spam. I am afraid I made a simple or basic mistake. This is a postfix+dovecot+mysql config. I am pretty sure the postfix user and virtual alias tables in mysql are ok, I am afraid I made a mistake in main.cf.

My postconf -n output:

alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:127.0.0.1:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = 192.168.100.64,localhost
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain
mydomain = domain.tld
myhostname = mail.domain.tld
mynetworks = 192.168.10.0/28, 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
receive_override_options = no_address_mappings
relay_clientcerts =
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_session_cache_database =
smtp_use_tls = no
smtpd_banner = $myhostname
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_received_header = no
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_limit = 0
virtual_mailbox_limit_inbox = no
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000

Any help appreciated.

Regards,
Zoli
Question about postfix logfile
Hi,

I have a question about the postfix logfile (/var/log/maillog). Does the log mention the From email header or the Return-Path email header in the log file?

Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1: from=send...@domain.com, size=2639, nrcpt=1 (queue active)

Example:
Return-Path: send...@domain.com
From: send...@domain.com

Because it seems that sometimes the from address mentioned in the log file is different than the From header which is actually in the email itself.

Thank you.
Peter Michael
Re: Attack on my mailsystem
Hi Viktor,

Thank you for the mail, below is my postconf -n output

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost
myhostname = ml.w8timez.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = unix:/var/spool/postfix/clamav-milter/clamav-milter.socket
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/httpd/ssl/ssl.crt
smtpd_tls_key_file = /etc/httpd/ssl/private.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot

Regards
Jithesh

On Tue, 16 Jun 2015 08:06:21 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Tue, Jun 16, 2015 at 08:01:31AM -0700, Jithesh AP wrote:
>
>> Did a restart of postfix and this is what i see below, does it mean i am seeing old queue relays or new one's? I also deleted all the messages in q with postsuper -d ALL (but when i run it after few mins, there are some messages to be deleted always, so was wondering what those messages are - i know no one is sending mails now to me :))
>>
>> Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
>
> This message entered the queue ~16 minutes prior to the log entry in question. To determine how, look for other log entries with the same queue id.
>
> If your system is an open relay, it is misconfigured. This would be a good time to post your configuration (postconf -n output).
Re: Spoofing on a test system
Jose:

First of all, you hit the nail on the head as to what I need. Understanding a problem or question is key to solving or answering it. Now then ...

I'll test relayed/routed mail first via the virtual address file and see how that goes. Meanwhile ...

On Tue, 16 Jun 2015 09:40:45 -0400, you wrote:

> So... I guess prod has the mailboxes, and you want to test test.example.com as a prospective replacement for prod.

Yes. However, the mailboxes on prod are all virtual. There's one main administrative account that receives local mail, and half a dozen virtual mailboxes, some of which are handled by Dovecot for remote pickup, and some

What prod does is process half a dozen mailing lists, all done with Mailman. That configuration has already been ported over, but possibly--probably--not 100% correctly. That I can deal with. The remainder are all in /etc/postfix/virtual.

> you will want to enable all the corresponding local delivery in test, and furthermore it could even start thinking it is prod (even though it will still only respond to its address for test). After doing this, you can configure an account on your mail client to connect to test, and do most of the tests there.

Yes, that's the idea. As I said, not much done locally except the virtual stuff, which I will test forthwith.

> This scenario is pretty common when you are configuring a new system, ...

I figured (hoped?) as much.

> indeed it is possible, and there are several ways of doing it, depending on the details of what you want to do. You could even set up a test subdomain in order to do a complete test including external mail sending, before promoting to production.

That might be a little over the top, but maybe not.

> Now, the switchover planning (or promoting test as prod) is another story, and can be done by several different means, one of those being using (or creating and then using) a private network and redirecting traffic on prod to the test system, and then doing the DNS change, effectively making all traffic that would originally go to prod go to test (that now would be called prod, but I need a way to distinguish them)... Doing this would either expose you to some spam going through or require some heavy usage of advanced routing, so before doing this it is recommended to have the DNS TTL set to something like 60 seconds or so. After 2 minutes have passed, all new connections should be going to your new prod, and you should be able to stop prod.

Can be done. A little spam for a little while is not unacceptable in this case.

> Oh, but there is more: what about mailboxes? (likely maildirs) That's yet another point that requires planning, and will depend on your mailbox format, so I won't start with that right now.

There are only four users on the system--me, and three other admins, but they're all virtual mailboxes which Dovecot is handling. In other words, there are no accounts on either prod or test for these admins, they get their mail via IMAP or POP just nicely. The real stuff going on is handled by Mailman, which is used for email list management for half a dozen lists.

> Well, I hope this is useful, and if you want more help, please elaborate a bit more on what you want to do.

Not sure how to elaborate.
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 08:01:31AM -0700, Jithesh AP wrote:

> Did a restart of postfix and this is what i see below, does it mean i am seeing old queue relays or new one's? I also deleted all the messages in q with postsuper -d ALL (but when i run it after few mins, there are some messages to be deleted always, so was wondering what those messages are - i know no one is sending mails now to me :))
>
> Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

This message entered the queue ~16 minutes prior to the log entry in question. To determine how, look for other log entries with the same queue id.

If your system is an open relay, it is misconfigured. This would be a good time to post your configuration (postconf -n output).

-- Viktor.
Question about permit_mynetworks option
Hi,

I have a couple of questions regarding the permit_mynetworks option.

1- Must permit_mynetworks be added to allow bounce emails from postfix? Or can postfix still send bounces or undelivered email notifications without the need to add permit_mynetworks in the smtpd_recipient_restrictions?

2- Must permit_mynetworks be added so that postfix can work properly handling the emails? Anyway our users use sasl authentication, that's why we want to remove permit_mynetworks, but we are afraid that this might break something in postfix, that's why we want to be doubly sure.

- Also our last question, in the different case where the mail server is a secondary mail server, it relays the email back to the primary server when it is back.

3- Do we have to add permit_mynetworks in smtpd_recipient_restrictions so the secondary server can send the emails to the primary server (when the primary server was down)? Or can the secondary server still send the pending emails to the primary server even if permit_mynetworks is not written in the smtpd_recipient_restrictions?

Thanks
Michael Peter
Re: sent mail goes into spam
On 2015-06-16 17:04, z...@oper.hu wrote:

> Dear All,
> I created a postfix based mail system. When my users send mail most of the mails goes into spam.

Where do your users send mail to, that then is classified as spam?

> Regards,
> Zoli

Regards
- christian
Re: Attack on my mailsystem
Did a grep for the q ID - 15542416CE and looks like that is the last i see of it. (this check is nearly an hour after (08.45)

Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Regards
Jithesh

On Tue, 16 Jun 2015 08:33:09 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:

> On Tue, Jun 16, 2015 at 08:26:33AM -0700, Jithesh AP wrote:
>
>> Thank you for the mail, below is my postconf -n output
>
> [...]
>
>>>> Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
>>>
>>> This message entered the queue ~16 minutes prior to the log entry in question. To determine how, look for other log entries with the same queue id.
>>>
>>> If your system is an open relay, it is misconfigured. This would be a good time to post your configuration (postconf -n output).
>
> And of course also those log entries with the same queue-id... I had hoped that would be clear...
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote:

> Did a grep for the q ID - 15542416CE and looks like that is the last i see of it. (this check is nearly an hour after (08.45)
>
> Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Mail does not just materialize in the Postfix queue. You're not searching right. The message is 1271 seconds old so was created right around 07:30...

-- Viktor.
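The arithmetic Viktor is doing, and the "grep for the queue id" he keeps asking for, as an added example that is not part of the thread or of Postfix itself: a Python script that parses syslog-style Postfix log lines, groups them by queue id, reconstructs the queue entry time from the delay=N field of a delivery attempt, and pulls out the two facts that answer "how did this message get into my queue": the client=host[ip] logged by smtpd(8) and the from=<...> logged by qmgr(8). That from= value is the SMTP envelope sender, which is what ends up in Return-Path, not the From: header, so a log line and the message's From: can legitimately differ (this also answers the separate "Question about postfix logfile" above). The log excerpt is constructed: only the final postfix/error line mirrors the one posted, the earlier lines and the client IP are invented, and the year is an assumption because syslog timestamps do not carry one.

```python
import re
from datetime import datetime, timedelta

SYSLOG_YEAR = 2015  # assumption: syslog timestamps carry no year; the thread is from June 2015

# Constructed maillog excerpt. Only the final postfix/error line mirrors the one
# posted in the thread; the earlier lines are invented to show the records that a
# search for the queue id should turn up (client IP, message-id, envelope sender).
SAMPLE_LOG = """\
Jun 16 07:28:52 ml postfix/smtpd[601]: connect from unknown[203.0.113.45]
Jun 16 07:29:04 ml postfix/smtpd[601]: 15542416CE: client=unknown[203.0.113.45]
Jun 16 07:29:04 ml postfix/cleanup[602]: 15542416CE: message-id=<constructed-0001@example.invalid>
Jun 16 07:29:04 ml postfix/qmgr[598]: 15542416CE: from=<fmrjk...@yahoo.com.tw>, size=1834, nrcpt=1 (queue active)
Jun 16 07:29:05 ml postfix/smtpd[601]: disconnect from unknown[203.0.113.45]
Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=<y...@yahoo.com.tw>, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): ")
DELAY_RE = re.compile(r"\bdelay=(?P<delay>\d+(?:\.\d+)?)")
FROM_RE = re.compile(r"\bfrom=<?(?P<addr>[^>,\s]*)>?")      # from=<> is the null sender
CLIENT_RE = re.compile(r"\bclient=(?P<client>[^,\s]+)")


def parse_line(line):
    """Split one syslog line into timestamp, program, pid, queue id (if any) and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    q = QID_RE.match(m["msg"])
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": int(m["pid"]),
            "qid": q["qid"] if q else None, "msg": m["msg"]}


def group_by_queue_id(log_text):
    """Every record that carries a queue id, keyed by that id, in log order."""
    groups = {}
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["qid"]:
            groups.setdefault(rec["qid"], []).append(rec)
    return groups


def queue_entry_time(rec):
    """When the message entered the queue: delivery-attempt timestamp minus delay=N seconds."""
    m = DELAY_RE.search(rec["msg"])
    if not m:
        return None
    return rec["ts"] - timedelta(seconds=float(m["delay"]))


def grep_window(rec, slack=60):
    """Time range to search for the message's arrival in the log, with some slack either side."""
    entry = queue_entry_time(rec)
    if entry is None:
        return None
    return entry - timedelta(seconds=slack), entry + timedelta(seconds=slack)


def injecting_client(records):
    """The client=host[ip] that handed the message to smtpd(8), if it arrived over SMTP."""
    for rec in records:
        if rec["prog"].endswith("smtpd"):
            m = CLIENT_RE.search(rec["msg"])
            if m:
                return m["client"]
    return None


def envelope_sender(records):
    """from=<...> as logged by qmgr(8): the SMTP envelope sender (the future Return-Path),
    not the From: header of the message, which Postfix does not log."""
    for rec in records:
        if rec["prog"].endswith("qmgr"):
            m = FROM_RE.search(rec["msg"])
            if m:
                return m["addr"]
    return None


if __name__ == "__main__":
    for qid, recs in group_by_queue_id(SAMPLE_LOG).items():
        last = recs[-1]
        print(f"{qid}: {len(recs)} records, last from {last['prog']} at {last['ts']:%H:%M:%S}")
        print(f"  entered the queue at {queue_entry_time(last):%H:%M:%S}; search {grep_window(last)}")
        print(f"  injected by {injecting_client(recs)}, envelope sender <{envelope_sender(recs)}>")
```

On a real system the same thing is `grep 15542416CE /var/log/maillog` plus a look at the lines around 07:29; if the only hit is the postfix/error line, the earlier records are in a rotated log file or the search is in the wrong file, because a queue file is never created without smtpd, pickup or a similar front end logging it first.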
Re: sent mail goes into spam
I tried many mails from my domain, such as gmail.com, outlook.hu. All these mails arrived in spam. There are a few exceptions as well. Currently I estimate 80% of sent mail arrives in spam. As regards gmail.com and outlook, I really don't understand why these mails are rated as spam. However the users generally send mail to partner companies.

On 2015-06-16 17:39, Christian Kivalo wrote:

> On 2015-06-16 17:04, z...@oper.hu wrote:
>
>> Dear All,
>> I created a postfix based mail system. When my users send mail most of the mails goes into spam.
>
> Where do your users send mail to, that then is classified as spam?
>
>> Regards,
>> Zoli
>
> Regards
> - christian
Re: Attack on my mailsystem
I have not tried fail2ban, i will check it out on this, hopefully by the weekend.

Regards
Jithesh

On Tue, 16 Jun 2015 08:12:19 -0700, Mauricio Tavares raubvo...@gmail.com wrote:

> On Tue, Jun 16, 2015 at 9:51 AM, Jithesh AP jithesh...@gmail.com wrote:
>
>> Ok thank you for the info, this did scare me :). It's taxing my small system.
>
> Have you considered running something like fail2ban on the system? It would temporarily (you set the time) block said IP at the firewall, which usually makes them look for easier pickings.
>
>> Regards
>> Jithesh
>>
>> On Tue, 16 Jun 2015 06:48:01 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
>>
>>> On Tue, Jun 16, 2015 at 06:43:47AM -0700, Jithesh AP wrote:
>>>
>>>> I have an attack on my mail system and the mail i got from mailer daemon is (got 1000s of such mails)
>>>
>>> You've set notify_classes to send you too much email.
>>>
>>>> -- Transcript of session follows.
>>>> Out: 220 ml.w8timez.com ESMTP Postfix
>>>> In: HELO 54.183.212.207
>>>> Out: 250 ml.w8timez.com
>>>> In: MAIL FROM: fmrjk...@yahoo.com.tw
>>>> Out: 250 2.1.0 Ok
>>>> In: RCPT TO: yuej...@yahoo.com.tw
>>>> Out: 451 4.3.0 yuej...@yahoo.com.tw: Temporary lookup failure
>>>> Out: 421 4.7.0 ml.w8timez.com Error: too many errors
>>>> Session aborted, reason: too many errors
>>>
>>> Not much of an attack, just an open-relay test. Just ignore it, and ideally arrange to not be notified about it.
>>>
>>>> Any specific suggestions to close such attack?
>>>
>>> # No postmaster notices, just read the logs.
>>> #
>>> notify_classes =
SMFIC errors in logs
I am experiencing a high number of postfix SMFIC errors for every milter I have installed (DKIM, DMARC, SPF). This problem persists with postfix versions 2.6.6 and 3.0.1 on CentOS 6. Has anyone else seen these errors before and solved them?

Jun 15 18:47:36 mail-cluster1 postfix/cleanup[16080]: warning: milter inet:localhost:8892: can't read SMFIC_HEADER reply packet header: Success
Jun 15 20:58:31 mail-cluster1 postfix/smtpd[12242]: warning: milter inet:localhost:8892: can't read SMFIC_MAIL reply packet header: Success
Jun 15 20:58:32 mail-cluster1 postfix/smtpd[19545]: warning: milter inet:localhost:8891: can't read SMFIC_RCPT reply packet header: Success
Jun 15 20:58:32 mail-cluster1 postfix/smtpd[17699]: warning: milter inet:localhost:8891: can't read SMFIC_RCPT reply packet header: Success
Jun 15 20:58:32 mail-cluster1 postfix/cleanup[20340]: warning: milter inet:localhost:8893: can't read SMFIC_HEADER reply packet header: Broken pipe
Jun 15 20:58:32 mail-cluster1 postfix/smtpd[18181]: warning: milter inet:localhost:8891: can't read SMFIC_MAIL reply packet header: Success
Jun 15 20:58:32 mail-cluster1 postfix/cleanup[19600]: warning: milter inet:localhost:8891: can't read SMFIC_HEADER reply packet header: Success
Jun 15 20:58:32 mail-cluster1 postfix/cleanup[20062]: warning: milter inet:localhost:8892: can't read SMFIC_HEADER reply packet header: Broken pipe

I have tried the following items without success.

- Tried milter protocol 2 thru 6
- Changed milter timeouts to the following values
  milter_connect_timeout = 600s
  milter_command_timeout = 600s
  milter_content_timeout = 1200s
- Upgraded postfix from version 2.6.6 to 3.0.1
- Was concerned it could be related to a high number of DNS requests so I installed unbound caching.
- Built from source the latest libmilter and installed it (8.15.1)

I am not sure what else I can try to resolve this problem. Any suggestions or help is much appreciated.

Thanks!
-Nick
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 08:26:33AM -0700, Jithesh AP wrote:

> Thank you for the mail, below is my postconf -n output

[...]

>>> Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
>>
>> This message entered the queue ~16 minutes prior to the log entry in question. To determine how, look for other log entries with the same queue id.
>>
>> If your system is an open relay, it is misconfigured. This would be a good time to post your configuration (postconf -n output).

And of course also those log entries with the same queue-id... I had hoped that would be clear...

-- Viktor.
Re: Question about permit_mynetworks option
On 6/16/2015 10:16 AM, Michael Peter wrote:

> Hi,
>
> I have a couple of questions regarding the permit_mynetworks option.

It's generally better to control the scope of mynetworks rather than removing permit_mynetworks. Rather than the entire network, just list localhost and maybe trusted internal hosts that don't AUTH.

> 1- Must permit_mynetworks be added to allow bounce emails from postfix? Or can postfix still send bounces or undelivered email notifications without the need to add permit_mynetworks in the smtpd_recipient_restrictions?

Bounce notices generated internally by postfix are not subjected to any restrictions. If the bounce is generated by a separate host, that host will need to be listed in mynetworks and permit_mynetworks is required.

> 2- Must permit_mynetworks be added so that postfix can work properly handling the emails? Anyway our users use sasl authentication, that's why we want to remove permit_mynetworks, but we are afraid that this might break something in postfix, that's why we want to be doubly sure.

If all users must authenticate, it's common to set in main.cf

mynetworks = 127.0.0.1, [::1]

so that local processes can submit mail. It's up to you to determine if local processes require submission on your server. If not required in your environment, set mynetworks empty.

mynetworks =

> - Also our last question, in the different case where the mail server is a secondary mail server, it relays the email back to the primary server when it is back.
>
> 3- Do we have to add permit_mynetworks in smtpd_recipient_restrictions so the secondary server can send the emails to the primary server (when the primary server was down)? Or can the secondary server still send the pending emails to the primary server even if permit_mynetworks is not written in the smtpd_recipient_restrictions?

If this is a secondary MX delivering to an internal mailstore, generally it is not required to be listed in mynetworks, and permit_mynetworks is not required.

-- Noel Jones
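Noel's point about the scope of mynetworks, and the open-relay probe in the "Attack on my mailsystem" thread above, both come down to how smtpd(8) walks smtpd_recipient_restrictions. The following is an added example, not part of the thread or of Postfix: a Python model of the three restrictions the posters use (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination), evaluated left to right with the first PERMIT, REJECT or DEFER deciding and an end-of-list default of permit, exactly why reject_unauth_destination has to appear before the end. The configurations, client addresses and recipient domain are assumptions; the "table is down" case models a failed map lookup (such as an unreachable mysql: map), which Postfix reports as the 451 4.3.0 "Temporary lookup failure" seen in the posted transcript rather than as a relay decision.

```python
import ipaddress

# Assumed restriction list; the same three entries the posters in this digest use.
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]


def parse_mynetworks(spec):
    """Parse a main.cf mynetworks value such as '127.0.0.0/8, [::1]/128, 192.168.10.0/28'."""
    nets = []
    for item in spec.replace(",", " ").split():
        item = item.replace("[", "").replace("]", "")   # Postfix brackets IPv6 literals
        nets.append(ipaddress.ip_network(item, strict=False))  # bare address -> /32 or /128
    return nets


class Session:
    """What smtpd(8) knows about the client when RCPT TO arrives."""

    def __init__(self, client_ip, sasl_username=None):
        self.client = ipaddress.ip_address(client_ip)
        self.sasl_username = sasl_username


def make_config(mynetworks, local_domains, relay_domains=(), lookup_fails=False):
    """Assumed local policy. `lookup_fails` models an unreachable table (e.g. a mysql: map)."""
    local = {d.lower() for d in local_domains}

    def is_local_domain(domain):
        if lookup_fails:
            raise LookupError("table lookup failed")
        return domain in local

    return {"mynetworks": parse_mynetworks(mynetworks),
            "relay_domains": {d.lower() for d in relay_domains},
            "is_local_domain": is_local_domain}


def evaluate_recipient_restrictions(session, recipient, cfg, restrictions=RESTRICTIONS):
    """Walk the list left to right; the first PERMIT/REJECT/DEFER wins.

    Returns (verdict, name of the restriction that decided). Reaching the end
    of the list without a decision permits, as smtpd(8) does.
    """
    domain = recipient.rpartition("@")[2].lower()
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(session.client in net for net in cfg["mynetworks"]):
                return "PERMIT", r
        elif r == "permit_sasl_authenticated":
            if session.sasl_username:
                return "PERMIT", r
        elif r == "reject_unauth_destination":
            try:
                authorised = cfg["is_local_domain"](domain) or domain in cfg["relay_domains"]
            except LookupError:
                return "DEFER 451 4.3.0 Temporary lookup failure", r
            if not authorised:
                return "REJECT 554 5.7.1 Relay access denied", r
        else:
            raise ValueError(f"restriction not modelled: {r}")
    return "PERMIT", "end of list"


if __name__ == "__main__":
    tight = make_config("127.0.0.0/8, [::1]/128", {"example.com"})
    loose = make_config("192.168.10.0/28, 127.0.0.0/8", {"example.com"})
    broken = make_config("127.0.0.0/8", {"example.com"}, lookup_fails=True)
    cases = [
        ("relay probe, tight mynetworks", Session("54.183.212.207"), "someone@yahoo.com.tw", tight),
        ("relay probe while the domain table is down", Session("54.183.212.207"), "someone@yahoo.com.tw", broken),
        ("LAN host, no AUTH, loose mynetworks", Session("192.168.10.5"), "someone@yahoo.com.tw", loose),
        ("authenticated roaming user", Session("203.0.113.7", sasl_username="alice"), "someone@yahoo.com.tw", tight),
        ("inbound mail for our own domain", Session("198.51.100.9"), "bob@example.com", tight),
    ]
    for label, sess, rcpt, cfg in cases:
        print(f"{label:45} -> {evaluate_recipient_restrictions(sess, rcpt, cfg)}")
```

The "LAN host, no AUTH" case is the one Noel warns about: anything inside 192.168.10.0/28 relays anywhere without authenticating, so a compromised desktop on that subnet is an open relay as far as the outside world is concerned, while the tight list makes the same client get 554 Relay access denied. Bounces never pass through this code path at all, which is why the answer to question 1 is that permit_mynetworks is not needed for them. Postfix 2.10 and later also evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions; the 2.6.6 system in the thread predates that, and the model leaves it out.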
Re: sent mail goes into spam
On 16 June 2015 17:48:20 CEST, z...@oper.hu wrote:
I tried many mails from my domain, such as gmail.com, outlook.hu. All these mails arrived in spam. There are a few exceptions as well.

What do the headers of one of those mails at gmail tell? Hotmail is generally a bit more challenging to get right; search the list archives for hotmail and spam, there have been some threads about that subject in the last months.

Have you checked your sending IP? Maybe it is on some blocklists...

- Christian

Currently I estimate that 80% of sent mail arrives in spam. Which regards gmail.com and outlook, I really don't understand why these mails are rated as spam. However the users generally send mail to partner companies.
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 9:51 AM, Jithesh AP jithesh...@gmail.com wrote:
Ok thank you for the info, this did scare me :). It's taxing my small system.

Have you considered running something like fail2ban on the system? It would temporarily (you set the time) block said IP at the firewall, which usually makes them look for easier pickings.

Regards
Jithesh

On Tue, 16 Jun 2015 06:48:01 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 06:43:47AM -0700, Jithesh AP wrote:
I have an attack on my mail system and the mail I got from mailer daemon is (got 1000s of such mails)

You've set notify_classes to send you too much email.

-- Transcript of session follows.
Out: 220 ml.w8timez.com ESMTP Postfix
In: HELO 54.183.212.207
Out: 250 ml.w8timez.com
In: MAIL FROM: fmrjk...@yahoo.com.tw
Out: 250 2.1.0 Ok
In: RCPT TO: yuej...@yahoo.com.tw
Out: 451 4.3.0 yuej...@yahoo.com.tw: Temporary lookup failure
Out: 421 4.7.0 ml.w8timez.com Error: too many errors
Session aborted, reason: too many errors

Not much of an attack, just an open-relay test. Just ignore it, and ideally arrange to not be notified about it.

Any specific suggestions to close such attack?

# No postmaster notices, just read the logs.
# notify_classes =

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Limiting total number of processes with various smtpd services listening on different IPs
On 06/16/2015 03:44 PM, Viktor Dukhovni wrote:
the individually set process limits work fine, but they add up quickly. Even IPv4 and IPv6 create two listeners for the same job already making it difficult to pick sensible individual limits.

IIRC you can halve the number of listeners by using a hostname instead of an address in master.cf, and assigning both the IPv4 and IPv6 address to each host that needs both.

If that would work, great, no, awesome! But I just tried that quickly, and unfortunately it only binds to one address, the IPv4 address in my case.

http://www.postfix.org/master.5.html does not state what happens if there are multiple addresses behind the given host.

Duplicating or multiplying the number of listeners just for the sake of having IPv4 and IPv6 available is really not ideal when tuning the process limits :-(

Thanks!
Christian
Re: Question about postfix logfile
On 6/16/2015 10:21 AM, Michael Peter wrote:
Hi, I have a question about the postfix logfile (/var/log/maillog). Does the log mention the From email header or the Return-Path email header in the log file?

Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1: from=send...@domain.com, size=2639, nrcpt=1 (queue active)

Example:
Return-Path: send...@domain.com
From: send...@domain.com

Because it seems that sometimes the from address mentioned in the log file is different from the From header which is actually in the email itself.

Thank you.
Peter Michael

The log records the envelope sender as given in the MAIL FROM command during the SMTP conversation. This is recorded before any headers are transmitted by the client.

-- Noel Jones
Re: Attack on my mailsystem
Thank you. I have updated main.cf to have notify_classes as below.

notify_classes =

Did a restart of postfix and this is what I see below; does it mean I am seeing old queue relays or new ones? I also deleted all the messages in q with postsuper -d ALL (but when I run it after a few mins, there are always some messages to be deleted, so was wondering what those messages are - I know no one is sending mails to me now :))

Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
Jun 16 07:50:15 ml postfix/error[32717]: 197AC417D1: to=janetku...@yahoo.com.tw, relay=none, delay=887, delays=569/254/0/64, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
Jun 16 07:50:15 ml postfix/error[1604]: BB68541890: to=miyabi...@yahoo.com.tw, relay=none, delay=699, delays=382/313/0/5, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
Jun 16 07:50:15 ml postfix/error[2158]: 1EFF1416A3: to=wilson_...@yahoo.com.tw, relay=none, delay=1283, delays=965/262/0/56, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
Jun 16 07:50:15 ml postfix/error[659]: 1360641832: to=sherry680...@yahoo.com.tw, relay=none, delay=814, delays=496/267/0/50, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
Jun 16 07:50:15 ml postfix/error[2174]: D1CF6418B1: to=maoyongs...@yahoo.com.tw, relay=none, delay=677, delays=359/242/0/77, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Regards
Jithesh

On Tue, 16 Jun 2015 07:03:35 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 06:51:51AM -0700, Jithesh AP wrote:
Ok thank you for the info, this did scare me :). It's taxing my small system.

Most of the cost is the processing of postmaster notices. If you turn those off (and just read a log report once a day from your favourite log reporting tool) your system will be much happier.

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Limiting total number of processes with various smtpd services listening on different IPs
On Tue, Jun 16, 2015 at 05:35:46PM +0200, Christian Rohmann wrote:
On 06/16/2015 03:44 PM, Viktor Dukhovni wrote:
the individually set process limits work fine, but they add up quickly. Even IPv4 and IPv6 create two listeners for the same job already making it difficult to pick sensible individual limits.

IIRC you can halve the number of listeners by using a hostname instead of an address in master.cf, and assigning both the IPv4 and IPv6 address to each host that needs both.

If that would work, great, no, awesome! But I just tried that quickly, and unfortunately it only binds to one address, the IPv4 address in my case.

The code I'm staring at should bind both and should even bind multiple addresses if the hostname resolves to multiple addresses. What do you have for inet_protocols?

The key question is whether getaddrinfo() on your system returns multiple addresses for the host, or just one. What's in /etc/host.conf (Linux?) You'll need multi on if the hostnames are in /etc/hosts...

-- Viktor.
Re: sent mail goes into spam
On Tue, 2015-06-16 at 17:04 +0200, z...@oper.hu wrote:
When my users send mail most of the mails go into spam.

When you start sending from a new IP address, it is not unusual for the big email providers to spam your mail initially, until they get an idea of what's coming from your server and know that they can trust it.

You should also sign your emails with DKIM. I have seen that make the difference between going to spam and not.

As Christian says, this has been discussed before, so worth searching the archives.

Andy
Re: sent mail goes into spam
The indented From is the result of copy-paste. You are right, the primary mail client is Roundcube. Just finished a test based on your idea and I try to compare mail from Roundcube to other (telnet session) mail. Surprisingly the telnet session mail didn't go to spam while the mail from Roundcube arrived in spam at outlook.hu. So it may be a point that Roundcube settings should be refined.

Regards
- Zoli

On 2015-06-16 19:22, wilfried.es...@essignetz.de wrote:
On 16.06.2015 at 18:37, z...@oper.hu wrote:
Here is the mail which was received by gmail.com (replace 10.0.0.1 with the public IP). As you see: spf=pass, however this mail was delivered into spam. I checked my IP and domain with mxtoolbox and multirbl.valli.org. The result looks fine, clear.

Looks good so far. From: is indented. Was this in the original mail already, or did it come in during your unpersonalising of it? The mail client of your test mail seems to be Roundcube. Is the problem only with mails created by Roundcube, or also with mails created by other clients (thunderbird, outlook, squirrelmail,...)?

Willi

...
Date: Tue, 16 Jun 2015 15:55:14 +0200
From: =?UTF-8?Q?xxx_xxx?= firstname.lastn...@domain.tld
Organization: XX x Kft.
Reply-To: firstname.lastn...@domain.tld
Mail-Reply-To: firstname.lastn...@domain.tld
Message-ID: 56e8c9ded115c07e1bcf4b92adf66...@domain.tld
X-Sender: firstname.lastn...@domain.tld
User-Agent: Roundcube Webmail/1.0.3
...
Re: Question about permit_mynetworks option
On 6/16/2015 10:16 AM, Michael Peter wrote:
Hi, I have a couple of questions regarding the permit_mynetworks option.

It's generally better to control the scope of mynetworks rather than removing permit_mynetworks. Rather than the entire network, just list localhost and maybe trusted internal hosts that don't AUTH.

1- Must permit_mynetworks be added to allow bounce emails from postfix? Or can postfix still send bounces or undelivered email notifications without the need to add permit_mynetworks in the smtpd_recipient_restrictions?

Bounce notices generated internally by postfix are not subjected to any restrictions. If the bounce is generated by a separate host, that host will need to be listed in mynetworks and permit_mynetworks is required.

You mean by separate host a secondary MX bouncing a message to the main MX? Am I correct?

2- Must permit_mynetworks be added so that postfix can work properly handling the emails? Anyway our users use sasl authentication, that's why we want to remove permit_mynetworks, but we are afraid that this might break something in postfix, that's why we want to be double sure.

If all users must authenticate, it's common to set main.cf
mynetworks = 127.0.0.1, [::1]
so that local processes can submit mail. It's up to you to determine if local processes require submission on your server. If not required in your environment, set mynetworks empty.
mynetworks =

What local processes can submit mail?? Can you please give me an example of local processes that use mail? Normally local processes send mail using /bin/sendmail and are not subjected to any restrictions?

- Also our last question, in the different case that the mail server is a secondary mail server, it relays back the email to the primary server when it is back.

3- Do we have to add permit_mynetworks in smtpd_recipient_restrictions so the secondary server can send the emails to the primary server (when the primary server was down)? Or can the secondary server still send the pending emails to the primary server even if permit_mynetworks is not written in the smtpd_recipient_restrictions?

If this is a secondary MX delivering to an internal mailstore, generally it is not required to be listed in mynetworks, and permit_mynetworks is not required.

The secondary MX is on a totally different network than the main MX, so do I need to add permit_mynetworks in main.cf? And why?

-- Noel Jones
Re: sent mail goes into spam
Here is the mail which was received by gmail.com (replace 10.0.0.1 with the public IP). As you see: spf=pass, however this mail was delivered into spam. I checked my IP and domain with mxtoolbox and multirbl.valli.org. The result looks fine, clear.

Regards,
Zoli

Delivered-To: anyaddr...@gmail.com
Received: by 10.152.3.4 with SMTP id 4csp1726631lay; Tue, 16 Jun 2015 06:55:16 -0700 (PDT)
X-Received: by 10.180.107.70 with SMTP id ha6mr7031452wib.20.1434462915942; Tue, 16 Jun 2015 06:55:15 -0700 (PDT)
Return-Path: firstname.lastn...@domain.tld
Received: from mail.domain.tld (mail.domain.tld. [10.0.0.1]) by mx.google.com with ESMTP id g9si24238644wix.19.2015.06.16.06.55.15 for anyaddr...@gmail.com; Tue, 16 Jun 2015 06:55:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of firstname.lastn...@domain.tld designates 10.0.0.1 as permitted sender) client-ip=10.0.0.1;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of firstname.lastn...@domain.tld designates 10.0.0.1 as permitted sender) smtp.mail=firstname.lastn...@domain.tld
Received: from localhost (localhost [127.0.0.1]) by mail.domain.tld (Postfix) with ESMTP id 8CB08E0CA7 for anyaddr...@gmail.com; Tue, 16 Jun 2015 15:55:15 +0200 (CEST)
X-Virus-Scanned: amavisd-new at domain.tld
Received: from mail.domain.tld ([127.0.0.1]) by localhost (mail.domain.tld [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jv9vHxTGPctt for anyaddr...@gmail.com; Tue, 16 Jun 2015 15:55:14 +0200 (CEST)
Received: by mail.domain.tld (Postfix, from userid 30) id CA3F1E0DE2; Tue, 16 Jun 2015 15:55:14 +0200 (CEST)
To: anyaddr...@gmail.com
Subject: teszt
X-PHP-Originating-Script: 30:rcube.php
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 16 Jun 2015 15:55:14 +0200
From: =?UTF-8?Q?xxx_xxx?= firstname.lastn...@domain.tld
Organization: XX x Kft.
Reply-To: firstname.lastn...@domain.tld
Mail-Reply-To: firstname.lastn...@domain.tld
Message-ID: 56e8c9ded115c07e1bcf4b92adf66...@domain.tld
X-Sender: firstname.lastn...@domain.tld
User-Agent: Roundcube Webmail/1.0.3

On 2015-06-16 18:19, Christian Kivalo wrote:
On 16 June 2015 17:48:20 CEST, z...@oper.hu wrote:
I tried many mails from my domain, such as gmail.com, outlook.hu. All these mails arrived in spam. There are a few exceptions as well.

What do the headers of one of those mails at gmail tell? Hotmail is generally a bit more challenging to get right; search the list archives for hotmail and spam, there have been some threads about that subject in the last months.

Have you checked your sending IP? Maybe it is on some blocklists...

- Christian

Currently I estimate that 80% of sent mail arrives in spam. Which regards gmail.com and outlook, I really don't understand why these mails are rated as spam. However the users generally send mail to partner companies.
Re: SMFIC errors in logs
Nick Winn:
I am experiencing a high number of postfix SMFIC errors for every milter I have installed (DKIM,DMARC,SPF). This problem persists with postfix versions 2.6.6 and 3.0.1 on CentOS6. Has anyone else seen these errors before and solved them?

Jun 15 18:47:36 mail-cluster1 postfix/cleanup[16080]: warning: milter inet:localhost:8892: can't read SMFIC_HEADER reply packet header: Success

Does the problem go away with Selinux turned off?

Wietse
Re: Question about permit_mynetworks option
On 6/16/2015 11:52 AM, Michael Peter wrote:
On 6/16/2015 10:16 AM, Michael Peter wrote:
Hi, I have a couple of questions regarding the permit_mynetworks option.

It's generally better to control the scope of mynetworks rather than removing permit_mynetworks. Rather than the entire network, just list localhost and maybe trusted internal hosts that don't AUTH.

1- Must permit_mynetworks be added to allow bounce emails from postfix? Or can postfix still send bounces or undelivered email notifications without the need to add permit_mynetworks in the smtpd_recipient_restrictions?

Bounce notices generated internally by postfix are not subjected to any restrictions. If the bounce is generated by a separate host, that host will need to be listed in mynetworks and permit_mynetworks is required.

You mean by separate host a secondary MX bouncing a message to the main MX? Am I correct?

I mean any separate host that needs to send mail back out through postfix. Generally a secondary MX doesn't bounce messages back to the main MX, nor vice versa. Individual configurations may vary...

2- Must permit_mynetworks be added so that postfix can work properly handling the emails? Anyway our users use sasl authentication, that's why we want to remove permit_mynetworks, but we are afraid that this might break something in postfix, that's why we want to be double sure.

If all users must authenticate, it's common to set main.cf
mynetworks = 127.0.0.1, [::1]
so that local processes can submit mail. It's up to you to determine if local processes require submission on your server. If not required in your environment, set mynetworks empty.
mynetworks =

What local processes can submit mail?? Can you please give me an example of local processes that use mail? Normally local processes send mail using /bin/sendmail and are not subjected to any restrictions?

Depends on your system, what you've installed and how you've configured it. Maybe nothing.

- Also our last question, in the different case that the mail server is a secondary mail server, it relays back the email to the primary server when it is back.

3- Do we have to add permit_mynetworks in smtpd_recipient_restrictions so the secondary server can send the emails to the primary server (when the primary server was down)? Or can the secondary server still send the pending emails to the primary server even if permit_mynetworks is not written in the smtpd_recipient_restrictions?

If this is a secondary MX delivering to an internal mailstore, generally it is not required to be listed in mynetworks, and permit_mynetworks is not required.

The secondary MX is on a totally different network than the main MX, so do I need to add permit_mynetworks in main.cf? And why?

Probably not. Individual configurations may vary, but the secondary does not normally bounce mail back to the primary, nor vice versa.

-- Noel Jones
Re: Question about postfix logfile
On 6/16/2015 10:21 AM, Michael Peter wrote:
Hi, I have a question about the postfix logfile (/var/log/maillog). Does the log mention the From email header or the Return-Path email header in the log file?

Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1: from=send...@domain.com, size=2639, nrcpt=1 (queue active)

Example:
Return-Path: send...@domain.com
From: send...@domain.com

Because it seems that sometimes the from address mentioned in the log file is different from the From header which is actually in the email itself.

Then why is the from address in the email different from the from address in the /var/log/maillog for the same email?

Thank you.
Peter Michael

The log records the envelope sender as given in the MAIL FROM command during the SMTP conversation. This is recorded before any headers are transmitted by the client.

-- Noel Jones
RE: sent mail goes into spam
When you click the message in the Spam folder, Gmail displays a banner which gives you a clue why the message was marked as spam. The reason can be one of many:
Many people indicated similar message as spam.
It's similar to messages that were detected by our spam filters.
Messages from domain.tld are considered spam.

Try to send different messages in your tests. Not Subject: test, body: test.

In hotmail, view source, you have x-message-delivery: base64-key. Decode that base64 key and see the SCL score. Above 4 is bad. Also, hotmail provides a reason why the message was delivered to the Spam folder: you are not interested or the SmartScreen detected it as spam.

Check your IP and domain in multirbl.valli.org

Marius.

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of z...@oper.hu
Sent: Tuesday, June 16, 2015 8:45 PM
To: Andrew Beverley
Cc: postfix-users@postfix.org
Subject: Re: sent mail goes into spam

Which regards the IP, this IP is already known. What I did is I replaced the mail system. The original was postfix 2.5.5, the new is 2.11.0. Thanks for the idea of DKIM, I will look at the details and I also continue searching the archives.

Regards
- Zoli

On 2015-06-16 19:26, Andrew Beverley wrote:
On Tue, 2015-06-16 at 17:04 +0200, z...@oper.hu wrote:
When my users send mail most of the mails go into spam.

When you start sending from a new IP address, it is not unusual for the big email providers to spam your mail initially, until they get an idea of what's coming from your server and know that they can trust it.

You should also sign your emails with DKIM. I have seen that make the difference between going to spam and not.

As Christian says, this has been discussed before, so worth searching the archives.

Andy
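Marius's hotmail tip above (view source, base64-decode x-message-delivery, read the SCL) as an added example in Python; this is not code from the post or from any Microsoft documentation. It assumes, as the post implies, that the decoded value is a string of semicolon-separated key=value tokens containing SCL=<n>; the sample header value below is constructed by encoding such a string, not captured from a real Hotmail message.

```python
import base64
import email
from email import policy

# Assumption (not stated in the post): the decoded x-message-delivery value is
# a semicolon-separated list of key=value tokens, one of which is SCL=<n>.
HEADER_NAME = "x-message-delivery"


def decode_message_delivery(value):
    """Base64-decode the header value, tolerating stripped '=' padding."""
    value = value.strip()
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("ascii", errors="replace")


def scl_from_value(value):
    """Return the SCL score as an int, or None when no SCL token is present."""
    for token in decode_message_delivery(value).split(";"):
        key, sep, num = token.partition("=")
        if sep and key.strip().upper() == "SCL":
            try:
                return int(num.strip())
            except ValueError:
                return None
    return None


def scl_from_message(raw_message):
    """Pull the header out of a raw RFC 5322 message (bytes or str) and score it."""
    if isinstance(raw_message, bytes):
        msg = email.message_from_bytes(raw_message, policy=policy.default)
    else:
        msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get(HEADER_NAME)  # header lookup is case-insensitive
    return None if value is None else scl_from_value(value)


def is_bad_scl(scl):
    """Marius's rule of thumb from the post: an SCL above 4 is bad."""
    return scl is not None and scl > 4


# Constructed sample data: a header value built by encoding a plausible decoded
# string, plus one without any SCL token.
SAMPLE_DECODED = "V/0.0.0;;sl=0;l=1;a=0;D=1;GD=1;SCL=5"
SAMPLE_VALUE = base64.b64encode(SAMPLE_DECODED.encode()).decode()
SAMPLE_VALUE_NO_SCL = base64.b64encode(b"V/0.0.0;;sl=0").decode()
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: recipient@example.invalid\r\n"
    f"x-message-delivery: {SAMPLE_VALUE}\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(decode_message_delivery(SAMPLE_VALUE), "->", scl_from_message(SAMPLE_MESSAGE))
```

Feed scl_from_message() the raw source of a message that landed in the hotmail Junk folder; a None result means the header was absent or carried no SCL token, which is worth reporting rather than treating as a low score.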
Re: sent mail goes into spam
Which regards the IP, this IP is already known. What I did is I replaced the mail system. The original was postfix 2.5.5, the new is 2.11.0. Thanks for the idea of DKIM, I will look at the details and I also continue searching the archives.

Regards
- Zoli

On 2015-06-16 19:26, Andrew Beverley wrote:
On Tue, 2015-06-16 at 17:04 +0200, z...@oper.hu wrote:
When my users send mail most of the mails go into spam.

When you start sending from a new IP address, it is not unusual for the big email providers to spam your mail initially, until they get an idea of what's coming from your server and know that they can trust it.

You should also sign your emails with DKIM. I have seen that make the difference between going to spam and not.

As Christian says, this has been discussed before, so worth searching the archives.

Andy
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 10:25:05AM -0700, Jithesh AP wrote:
On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote:
Did a grep for the q ID - 15542416CE and looks like that is the last I see of it. (this check is nearly an hour after (08.45)

Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Mail does not just materialize in the Postfix queue. You're not searching right. The message is 1271 seconds old so was created right around 07:30...

Apologies, since I am a newbie, I don't know what to search for :), can you help me.

You search all the relevant logs for the queue id in question, possibly an older logfile if log file rotation is configured.

-- Viktor.
Re: Attack on my mailsystem
On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote:
Did a grep for the q ID - 15542416CE and looks like that is the last I see of it. (this check is nearly an hour after (08.45)

Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Mail does not just materialize in the Postfix queue. You're not searching right. The message is 1271 seconds old so was created right around 07:30...

Apologies, since I am a newbie, I don't know what to search for :), can you help me.
Re: Limiting total number of processes with various smtpd services listening on different IPs
Christian Rohmann:
http://www.postfix.org/master.5.html does not state what happens if there are multiple addresses behind the given host.

It binds to all the addresses for the name, provided that your getaddrinfo() system routine isn't crippled to return only one. On Linux you need to make sure that your /etc/host.conf is configured to support multiple IP addresses per name.

Wietse
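A small diagnostic for the question Viktor and Wietse raise in this thread (does getaddrinfo() hand back one address or several for the name used in master.cf, and is /etc/host.conf set to multi on?), as an added example in Python; it is not Postfix code and does not reproduce what master(8) does internally. The getaddrinfo tuples and the host.conf text in the block are constructed sample data; resolve() is a thin wrapper around the real socket call that you can point at your own hostname, and the mapping of inet_protocols values to address families is this example's assumption.

```python
import socket

# Assumption for this example: which address families each inet_protocols
# value admits on a dual-stack host.
PROTOCOL_FAMILIES = {
    "all": {socket.AF_INET, socket.AF_INET6},
    "ipv4": {socket.AF_INET},
    "ipv6": {socket.AF_INET6},
}


def listener_addresses(addrinfo_results, inet_protocols="all"):
    """Return sorted, de-duplicated (family name, ip) pairs a listener for this
    name would bind, given getaddrinfo()-style tuples and inet_protocols."""
    wanted = PROTOCOL_FAMILIES[inet_protocols]
    seen = set()
    for family, _socktype, _proto, _canonname, sockaddr in addrinfo_results:
        if family in wanted:
            seen.add((socket.AddressFamily(family).name, sockaddr[0]))
    return sorted(seen)


def resolve(hostname, port=25):
    """Ask the system resolver for every address of hostname. Results depend on
    the local resolver configuration, which is exactly what is being diagnosed."""
    return socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)


def host_conf_multi_enabled(host_conf_text):
    """Parse /etc/host.conf content and report whether 'multi on' is set, i.e.
    whether /etc/hosts lookups may return several addresses for one name."""
    for raw in host_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "multi":
            return parts[1].strip().lower() == "on"
    return False  # host.conf(5): the default for multi is off


# Constructed sample data (not from the list posts): what getaddrinfo() returns
# for a dual-stack name, in the (family, type, proto, canonname, sockaddr) shape.
SAMPLE_ADDRINFO = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 25)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 25, 0, 0)),
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 25)),  # duplicate
]

SAMPLE_HOST_CONF_OFF = "order hosts,bind\nmulti off\n"
SAMPLE_HOST_CONF_ON = "# several addresses per name from /etc/hosts\norder hosts,bind\nmulti on\n"

if __name__ == "__main__":
    for proto in ("all", "ipv4", "ipv6"):
        print(proto, listener_addresses(SAMPLE_ADDRINFO, proto))
    print("multi on:", host_conf_multi_enabled(SAMPLE_HOST_CONF_ON))
```

Running listener_addresses(resolve("your-mx-name"), "all") on the Postfix host shows whether the resolver returns one address per family; if only the IPv4 address comes back while /etc/hosts lists both, check the host.conf multi setting as Wietse suggests.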
Re: Question about postfix logfile
On 6/16/2015 11:53 AM, Michael Peter wrote:
On 6/16/2015 10:21 AM, Michael Peter wrote:
Hi, I have a question about the postfix logfile (/var/log/maillog). Does the log mention the From email header or the Return-Path email header in the log file?

Jun 16 16:17:43 mailhost postfix/qmgr[12095]: CB992123F1B1: from=send...@domain.com, size=2639, nrcpt=1 (queue active)

Example:
Return-Path: send...@domain.com
From: send...@domain.com

Because it seems that sometimes the from address mentioned in the log file is different from the From header which is actually in the email itself.

Then why is the from address in the email different from the from address in the /var/log/maillog for the same email?

There is no requirement that the addresses are the same. Look at this mail for an example.

-- Noel Jones

Thank you.
Peter Michael

The log records the envelope sender as given in the MAIL FROM command during the SMTP conversation. This is recorded before any headers are transmitted by the client.

-- Noel Jones
Re: SMFIC errors in logs
Hi Andreas

This is a list of all the milters and their version.
opendkim-2.10.3-1.el6.i686 (inet port 8891)
opendmarc-1.3.1-4.el6.i686 (inet port 8893)
pyspf (2.0.11) (inet port 8892)
and a home grown C binary that samples our mail stream (inet port 21718)

I've tried running postfix with just one and two milters running and the errors still appear. The errors are sporadic and happen for every milter installed.

The output of postconf -n is here: http://paste.fedoraproject.org/232835/49232314/
The output of postconf -m is here: http://paste.fedoraproject.org/232836/14344924/

Thank you for taking a look =)

-Nick

p/s I accidentally sent this direct to Andreas but wanted the list to see this as well.

On Tue, Jun 16, 2015 at 1:45 PM, A. Schulze s...@andreasschulze.de wrote:
Nick Winn:
SELinux is disabled and I am still seeing these errors.

Nick, such errors I saw years ago but not in current postfix releases. Could you please send
- which milters do you use
- postconf -n and postconf -M

Andreas

-- --- Nick Winn
RE: sent mail goes into spam
Thx for the ideas, I am going to check the hotmail thing first. Surely I am no spammer, multirbl and mxtoolbox show me clear. I see some clue based on Willi's message, the problem came from Roundcube so there is a high chance that my issue becomes off-topic here.

Regards
- Zoli

On 2015-06-16 19:58, Marius Gologan wrote:
When you click the message in the Spam folder, Gmail displays a banner which gives you a clue why the message was marked as spam. The reason can be one of many:
Many people indicated similar message as spam.
It's similar to messages that were detected by our spam filters.
Messages from domain.tld are considered spam.

Try to send different messages in your tests. Not Subject: test, body: test.

In hotmail, view source, you have x-message-delivery: base64-key. Decode that base64 key and see the SCL score. Above 4 is bad. Also, hotmail provides a reason why the message was delivered to the Spam folder: you are not interested or the SmartScreen detected it as spam.

Check your IP and domain in multirbl.valli.org

Marius.

FROM: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] ON BEHALF OF z...@oper.hu
SENT: Tuesday, June 16, 2015 8:45 PM
TO: Andrew Beverley
CC: postfix-users@postfix.org
SUBJECT: Re: sent mail goes into spam

Which regards the IP, this IP is already known. What I did is I replaced the mail system. The original was postfix 2.5.5, the new is 2.11.0. Thanks for the idea of DKIM, I will look at the details and I also continue searching the archives.

Regards
- Zoli

On 2015-06-16 19:26, Andrew Beverley wrote:
On Tue, 2015-06-16 at 17:04 +0200, z...@oper.hu wrote:
When my users send mail most of the mails go into spam.

When you start sending from a new IP address, it is not unusual for the big email providers to spam your mail initially, until they get an idea of what's coming from your server and know that they can trust it.

You should also sign your emails with DKIM. I have seen that make the difference between going to spam and not.

As Christian says, this has been discussed before, so worth searching the archives.

Andy
Re: SMFIC errors in logs
SELinux is disabled and I am still seeing these errors. This problem is driving me to drink...

On Tue, Jun 16, 2015 at 11:53 AM, Wietse Venema wie...@porcupine.org wrote:
Nick Winn:
I am experiencing a high number of postfix SMFIC errors for every milter I have installed (DKIM,DMARC,SPF). This problem persists with postfix versions 2.6.6 and 3.0.1 on CentOS6. Has anyone else seen these errors before and solved them?

Jun 15 18:47:36 mail-cluster1 postfix/cleanup[16080]: warning: milter inet:localhost:8892: can't read SMFIC_HEADER reply packet header: Success

Does the problem go away with Selinux turned off?

Wietse

-- --- Nick Winn
Re: SMFIC errors in logs
Nick Winn:
SELinux is disabled and I am still seeing these errors.

Nick, such errors I saw years ago but not in current postfix releases. Could you please send
- which milters do you use
- postconf -n and postconf -M

Andreas
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 01:30:49PM -0700, Jithesh AP wrote:
0C9B14166A 7886 Tue Jun 16 13:21:49 cdbphlavjop...@wysina.com.tw
(delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
0...@yahoo.com.tw
1...@yahoo.com.tw
1...@yahoo.com.tw
4...@yahoo.com.tw
8...@yahoo.com.tw
a9559jt955...@yahoo.com.tw
abba...@yahoo.com.tw
as08572...@yahoo.com.tw
ava_...@yahoo.com.tw
baipe...@yahoo.com.tw
correcti...@yahoo.com.tw
lib...@yahoo.com.tw
lightrai...@yahoo.com.tw

Is there something that can be configured to say not to q messages if the connection times out? Not sure if there is some config or blocking I am missing. Will be setting up fail2ban soon.

Solve the real problem. How are these getting into your queue in the first place?

-- Viktor.
Re: Attack on my mailsystem
Oh ok, then I am out of luck :(, in haste I removed that log file as it was 700MB.

On Tue, 16 Jun 2015 11:12:37 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 10:25:05AM -0700, Jithesh AP wrote:
On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote:
Did a grep for the q ID - 15542416CE and looks like that is the last I see of it. (this check is nearly an hour after (08.45)

Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Mail does not just materialize in the Postfix queue. You're not searching right. The message is 1271 seconds old so was created right around 07:30...

Apologies, since I am a newbie, I don't know what to search for :), can you help me.

You search all the relevant logs for the queue id in question, possibly an older logfile if log file rotation is configured.

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Attack on my mailsystem
Unfortunately I have logs of messages generating like the below (snippet from postqueue -p)

0C9B14166A 7886 Tue Jun 16 13:21:49 cdbphlavjop...@wysina.com.tw
(delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
0...@yahoo.com.tw
1...@yahoo.com.tw
1...@yahoo.com.tw
4...@yahoo.com.tw
8...@yahoo.com.tw
a9559jt955...@yahoo.com.tw
abba...@yahoo.com.tw
as08572...@yahoo.com.tw
ava_...@yahoo.com.tw
baipe...@yahoo.com.tw
correcti...@yahoo.com.tw
lib...@yahoo.com.tw
lightrai...@yahoo.com.tw

Is there something that can be configured to say not to q messages if the connection times out? Not sure if there is some config or blocking I am missing. Will be setting up fail2ban soon.

Regards
Jithesh

On Tue, 16 Jun 2015 13:24:58 -0700, Jithesh AP jithesh...@gmail.com wrote:
Oh ok, then I am out of luck :(, in haste I removed that log file as it was 700MB.

On Tue, 16 Jun 2015 11:12:37 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 10:25:05AM -0700, Jithesh AP wrote:
On Tue, 16 Jun 2015 09:26:52 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
On Tue, Jun 16, 2015 at 08:45:55AM -0700, Jithesh AP wrote:
Did a grep for the q ID - 15542416CE and looks like that is the last I see of it. (this check is nearly an hour after (08.45)

Jun 16 07:50:15 ml postfix/error[653]: 15542416CE: to=y...@yahoo.com.tw, relay=none, delay=1271, delays=953/269/0/49, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)

Mail does not just materialize in the Postfix queue. You're not searching right. The message is 1271 seconds old so was created right around 07:30...

Apologies, since I am a newbie, I don't know what to search for :), can you help me.

You search all the relevant logs for the queue id in question, possibly an older logfile if log file rotation is configured.

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Attack on my mailsystem
Jithesh AP:
> unfortunately have logs of messages generating like the below (snippet from postqueue -p)
>
> 0C9B14166A 7886 Tue Jun 16 13:21:49 cdbphlavjop...@wysina.com.tw
> (delivery temporarily suspended: connect to mx-tw.mail.gm0.yahoodns.net[203.188.197.119]:25: Connection timed out)
>     0...@yahoo.com.tw
>     1...@yahoo.com.tw
>     1...@yahoo.com.tw

Did Postfix RECEIVE this mail with SMTP? What IP address was logged as the origin?

Did Postfix RECEIVE this mail with the pickup daemon? What userID was logged as the origin?

$ grep 0C9B14166A /the/maillog/file | head

Wietse
How to configure Postfix routing to two different Gmail accounts?
We have Postfix set up so that any mail goes out through one Gmail account. I would like it so that when email gets sent from a particular user a 2nd Gmail account is used. Is there a non complicated way to do that ? Thanks for your help !
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 08:34:38PM -0700, Jithesh AP wrote:
> I tried that, the first line client = ip-172 is the internal/private ip of my server. So does this mean somehow it is being sent from my server itself?
>
> grep 6CB5841627 /var/maillog
> Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627: client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]
> Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=kflvqedfdosxjjhkebewy...@sfilc.com

Is that really the machine's own IP address, or that of another machine on the same subnet? Perhaps you have an insecure PHP or other web application that sends email via SMTP rather than via the sendmail(1) command-line. Or perhaps you've exposed an SMTP proxy-filter or other application that on some port effectively NATs outside connections to appear to be local.

Also post the headers of the queued message output by running as root:

# postcat -hq 0C9B14166A

This may shed some additional light on the message origin.

In the mean time, set mynetworks = 127.0.0.1, that might limit further damage.

-- Viktor.
Re: messages queue not delivered with sasl.
On Wed, Jun 17, 2015 at 04:27:18AM +, basteon wrote:
> smtp_sasl_password_maps = hash:/etc/postfix/mailpasswd
>
> and create those files /etc/postfix/mailpasswd and /etc/postfix/mailpasswd.db
>
> touch /etc/postfix/mailpasswd
> touch /etc/postfix/mailpasswd.db

That's no way to create a Berkeley DB database, and the file permissions for this sensitive file should be 0600 if it is in use. Instead:

# postmap hash:/etc/postfix/mailpasswd

Or better yet:

# postconf -e smtp_sasl_password_maps =

don't configure a password table you're not using.

-- Viktor.
Re: messages queue not delivered with sasl.
why I may still get this error about lookups?

Jun 17 13:16:39 mail postfix/smtp[21356]: warning: CADF4758A82: smtp_sasl_password_maps lookup error
Jun 17 13:16:39 mail postfix/smtp[21356]: CADF4758A82: local data error while talking to relayq.dv.rt.ru[86.102.110.4]
Jun 17 13:16:39 mail postfix/smtp[21356]: warning: CADF4758A82: smtp_sasl_password_maps lookup error
Jun 17 13:16:39 mail postfix/smtp[21356]: CADF4758A82: to=u...@dv.rt.ru, relay=relayv.dv.rt.ru[212.122.5.150]:25, delay=4552, delays=4551/0/1.5/0, dsn=4.3.0, status=deferred (local data error while talking to relayv.dv.rt.ru[212.122.5.150])

I put in configuration:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/mailpasswd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = login
smtp_sender_dependent_authentication = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus

and create those files /etc/postfix/mailpasswd and /etc/postfix/mailpasswd.db

touch /etc/postfix/mailpasswd
touch /etc/postfix/mailpasswd.db

On 6/16/15, Christian Kivalo ml+postfix-us...@valo.at wrote:
> On 2015-06-16 13:48, basteon wrote:
> > yes warning exists:
> > Jun 16 16:56:58 mail postfix/smtp[14742]: warning: hash:/etc/postfix/mailpasswd is unavailable. open database /etc/postfix/mailpasswd.db: No such file or directory
> > Jun 16 16:56:58 mail postfix/smtp[14742]: warning: hash:/etc/postfix/mailpasswd lookup error for u...@domain.ru
> > Jun 16 16:56:58 mail postfix/smtp[14742]: warning: 95559758A82: smtp_sasl_password_maps lookup error
> >
> > I keep users in sasl and in mysql database.
>
> You have set smtp_sasl_password_maps = hash:/etc/postfix/mailpasswd in your main.cf and postfix is unable to read the postmapped version of that file. Does the file etc/postfix/mailpasswd.db exist?
> http://www.postfix.org/postconf.5.html#smtp_sasl_password_maps
>
> Either issue postmap /etc/postfix/mailpasswd to create this file, remove that entry from your main.cf or fix your main.cf setting to point to the file that holds the settings for the connection to your sql db.
>
> This file specified with this parameter is not used to authenticate the users that are using your server for mail submission, it's used by the postfix smtp client to authenticate to remote servers when you have sender-dependent authentication enabled.
> http://www.postfix.org/SASL_README.html#client_sasl
>
> Regards
> - christian
Re: Attack on my mailsystem
I tried that, the first line client = ip-172 is the internal/private ip of my server. So does this mean somehow it is being sent from my server itself?

grep 6CB5841627 /var/maillog
Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627: client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]
Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
Jun 16 13:21:48 ml postfix/qmgr[9205]: 6CB5841627: from=cdbphlavjop...@wysina.com.tw, size=5585, nrcpt=14 (queue active)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=0...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=1...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=1...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=4...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=8...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=a9559jt955...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=abba...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=as08572...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pipe[19842]: 6CB5841627: to=ava_...@yahoo.com.tw, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)

On Tue, 16 Jun 2015 20:22:24 -0700, Noel Jones njo...@megan.vbhcs.org wrote:
> On 6/16/2015 9:43 PM, Jithesh AP wrote:
> > Grep for the message-id in maillog just gives this, should I search in some other location
> >
> > grep kflvqedfdosxjjhkebewy...@sfilc.com /var/maillog-2015 | head
> > Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
> > Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
>
> Excellent. Now grep the maillog for the original queue id, 6CB5841627. That will show where the mail entered postfix, before passing to spamassassin.

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 09:21:36PM -0700, Jithesh AP wrote:
> > In the mean time, set mynetworks = 127.0.0.1, that might limit further damage.
>
> mynetworks was fully commented, now I have added as you indicated, but fully commenting it will also have a similar effect right?

No, that makes mynetworks_style take effect instead, which may configure mynetworks to be the local subnet.

-- Viktor.
Re: Attack on my mailsystem
On Tue, 16 Jun 2015 20:45:12 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Tue, Jun 16, 2015 at 08:34:38PM -0700, Jithesh AP wrote:
> > I tried that, the first line client = ip-172 is the internal/private ip of my server. So does this mean somehow it is being sent from my server itself?
> >
> > grep 6CB5841627 /var/maillog
> > Jun 16 13:21:46 ml postfix/smtpd[19729]: 6CB5841627: client=ip-172-31-5-33.us-west-1.compute.internal[172.31.5.33]
> > Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
>
> Is that really the machine's own IP address, or that of another machine on the same subnet? Perhaps you have an insecure PHP or other web application that sends email via SMTP rather than via the sendmail(1) command-line. Or perhaps you've exposed an SMTP proxy-filter or other application that on some port effectively NATs outside connections to appear to be local.
>
> Also post the headers of the queued message output by running as root:
>
> # postcat -hq 0C9B14166A
>
> This may shed some additional light on the message origin.
>
> In the mean time, set mynetworks = 127.0.0.1, that might limit further damage.

mynetworks was fully commented, now I have added as you indicated, but fully commenting it will also have a similar effect right?

would this help anyway, found while googling

#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#smtpd_sender_restrictions = reject_unknown_sender_domain

I had cleared all messages using postsuper -d ALL, so don't have that message. But I checked logs and saw everything is coming from my ip itself, it is my private ip and not a subnet one. I will open port 25 again for some time so I can get the info you asked from new mails.

-- Using Opera's mail client: http://www.opera.com/mail/
Re: SMFIC errors in logs
Nick Winn:
please keep on list...

> opendkim-2.10.3-1.el6.i686 (inet port 8891)
> opendmarc-1.3.1-4.el6.i686 (inet port 8893)
> pyspf (2.0.11) (inet port 8892)
> and a home grown c binary that samples our mail stream (inet port 21718)
>
> I've tried running postfix with just one and two milters running and the errors still appear. The errors are sporadic and happen for every milter installed.
>
> The output of postconf -n is here: http://paste.fedoraproject.org/232835/49232314/

you set many parameters to their defaults. I suggest checking every single parameter with postconf -d $para. If you explicitly set a default value, consider removing the lines.

I guess your problem is non_smtpd_milters. read http://www.postfix.org/MILTER_README.html#limitations

Andreas
Mail to nowhere
Apologies if I've sent this before, but I lost a few mail messages due to a slip of the finger, so in case I did post this before, here's a very brief version. I'm the de facto email administrator for a small Fedora 20 system, going to upgrade to 22 shortly, with Postfix and Dovecot supposedly configured to work together. Using LMTP for both components. I can telnet from within and without my server on port 143 for Dovecot and 25 for Postfix successfully, although I have nothing specifically set in main.cf for what ports to listen on. Maybe that's where LMTP comes in? Knowing enough of all of this to get me in deep, am not sure at this point. There's a lot of discussion in main.cf about Cyrus, which, to the best of my knowledge, I'm not using. As I said, it's a very simple system--half a dozen virtual users which Dovecot is handling, a handful of virtual users which Postfix should be handling in its /etc/postfix/virtual list of relays, and a Mailman implementation which I haven't even begun to test yet until I get the Postfix component working. My problem is that when I send a message to the server, it never shows up. A few hours later, I get a level 4 SMTP retry failure count exceeded, the message has been in queue too long, etc. I'm presuming something on my server is set up wrong, and it's probably something in main.cf. Ideas of what to check and change greatly appreciated.
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 06:51:24PM -0700, Jithesh AP wrote:
> This is the maillog result of the grep, but I don't see IP address etc (not sure if the actual log got deleted when I removed the big log).
>
> Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 from=cdbphlavjop...@wysina.com.tw
> Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=kflvqedfdosxjjhkebewy...@sfilc.com

This was created locally via the sendmail command. What user account has uid 5005? If this is www-data or similar, you likely have an insecure PHP script that is being exploited to send spam.

Just look for any other log-entries with the same message-id:

kflvqedfdosxjjhkebewy...@sfilc.com

but also do quickly run getent passwd 5005 and report the results.

-- Viktor.
Re: Attack on my mailsystem
On Tue, 16 Jun 2015 19:08:36 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Tue, Jun 16, 2015 at 06:51:24PM -0700, Jithesh AP wrote:
> > This is the maillog result of the grep, but I don't see IP address etc (not sure if the actual log got deleted when I removed the big log).
> >
> > Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 from=cdbphlavjop...@wysina.com.tw
> > Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
>
> This was created locally via the sendmail command. What user account has uid 5005? If this is www-data or similar, you likely have an insecure PHP script that is being exploited to send spam.
>
> Just look for any other log-entries with the same message-id:
>
> kflvqedfdosxjjhkebewy...@sfilc.com
>
> but also do quickly run getent passwd 5005 and report the results.

spamfilter:x:5005:5005::/usr/local/spamassassin:/bin/false

It's the user used to run spamassassin. I did open the ports and I saw as soon as I open port 25 I get the flood and the uid used is 5005. Should I change this user? Since it is not related to any www or http, I assume it's not php or anything causing it.

-- Using Opera's mail client: http://www.opera.com/mail/
Re: Attack on my mailsystem
On Tue, Jun 16, 2015 at 07:21:39PM -0700, Jithesh AP wrote:
> > This was created locally via the sendmail command. What user account has uid 5005? If this is www-data or similar, you likely have an insecure PHP script that is being exploited to send spam.
> >
> > Just look for any other log-entries with the same message-id:
> >
> > kflvqedfdosxjjhkebewy...@sfilc.com
> >
> > but also do quickly run getent passwd 5005 and report the results.
>
> spamfilter:x:5005:5005::/usr/local/spamassassin:/bin/false

So you're injecting mail for filtering via this filter, now we need to know where those are coming from. Which is why the message-id search is critical.

Also post your master.cf file.

-- Viktor.
Re: Attack on my mailsystem
On Tue, 16 Jun 2015 19:26:48 -0700, Viktor Dukhovni postfix-us...@dukhovni.org wrote:
> On Tue, Jun 16, 2015 at 07:21:39PM -0700, Jithesh AP wrote:
> > > This was created locally via the sendmail command. What user account has uid 5005? If this is www-data or similar, you likely have an insecure PHP script that is being exploited to send spam.
> > >
> > > Just look for any other log-entries with the same message-id:
> > >
> > > kflvqedfdosxjjhkebewy...@sfilc.com
> > >
> > > but also do quickly run getent passwd 5005 and report the results.
> >
> > spamfilter:x:5005:5005::/usr/local/spamassassin:/bin/false
>
> So you're injecting mail for filtering via this filter, now we need to know where those are coming from. Which is why the message-id search is critical.
>
> Also post your master.cf file.

Grep for the message-id in maillog just gives this, should I search in some other location

grep kflvqedfdosxjjhkebewy...@sfilc.com /var/maillog-2015 | head
Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=kflvqedfdosxjjhkebewy...@sfilc.com

-Master.cf-
smtp       inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
spamassassin unix -      n       n       -       -       pipe
  user=spamfilter argv=/usr/bin/spamc -f -e /usr/sbin/sendmail.postfix -oi -f ${sender} ${recipient}
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=virmail:virmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

-- Using Opera's mail client: http://www.opera.com/mail/
Re: How to configure Postfix routing to two different Gmail accounts?
On 6/16/2015 8:00 PM, Daniel Baker wrote:
> We have Postfix set up so that any mail goes out through one Gmail account. I would like it so that when email gets sent from a particular user a 2nd Gmail account is used. Is there a non complicated way to do that ? Thanks for your help !

http://www.postfix.org/SOHO_README.html#client_sasl_sender

you already have most of this in place, so it shouldn't be too complicated.

-- Noel Jones
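An added worked example, not code from the thread or from SOHO_README, covering both this question (a second Gmail account for one sender) and the "messages queue not delivered with sasl" thread on this page, where the password table was created with touch instead of postmap and the client-side purpose of smtp_sasl_password_maps was unclear. It builds the two lookup tables that sender-dependent relaying needs, creates the password table with mode 0600 before any secret is written to it, runs postmap only if it is installed, prints the main.cf lines that tie the tables together, and mimics the lookup order the Postfix SMTP client uses (sender address first, then the next-hop from relayhost). Everything named is a placeholder: alice@example.com is the one sender who must use the second account, the two Gmail logins and passwords are invented, and the target directory is a temporary one unless /etc/postfix is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread). Sender-dependent relaying through two
# Gmail accounts, with the SASL password table created securely.
# Placeholders: alice@example.com, the Gmail logins and passwords, and the
# target directory (temporary unless given as $1).

umask 077   # files are owner-only from the instant they exist, never 0644 first

write_table() {   # $1 = path; table contents on stdin
    cat >"$1"
    chmod 0600 "$1"
}

# "ok" if $1 is a regular file with mode exactly 0600, else "bad".
table_perms() {
    if [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]; then
        echo ok
    else
        echo bad
    fi
}

install_tables() {  # $1 = postfix config directory
    dir=$1
    # Who relays where; senders not listed fall back to main.cf relayhost.
    write_table "$dir/sender_relay" <<'EOF'
alice@example.com      [smtp.gmail.com]:587
EOF
    # Client SASL credentials. With smtp_sender_dependent_authentication = yes
    # the sender address is looked up first, then the relay host.
    write_table "$dir/sasl_passwd" <<'EOF'
alice@example.com      second.account@gmail.com:app-password-2
[smtp.gmail.com]:587   first.account@gmail.com:app-password-1
EOF
    # Compile the hash: databases (the .db files inherit the 077 umask).
    # Skipped when postmap is not installed, e.g. on a non-mail test box.
    if command -v postmap >/dev/null 2>&1; then
        postmap hash:"$dir/sender_relay" hash:"$dir/sasl_passwd"
    fi
}

# The main.cf lines that tie the tables together (apply with postconf -e).
main_cf_settings() {
    cat <<'EOF'
relayhost = [smtp.gmail.com]:587
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF
}

# Mimics the SMTP client's lookup order on the plain-text table: the sender
# address first, then the next-hop exactly as written in relayhost.
sasl_credential() {  # $1 = table, $2 = sender, $3 = relay -> "login:password" or "none"
    for key in "$2" "$3"; do
        hit=$(awk -v k="$key" '$1 == k { print $2; exit }' "$1")
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
    done
    printf 'none\n'
}

DIR=${1:-$(mktemp -d)}     # pass /etc/postfix on the real server
install_tables "$DIR"
echo "tables written to $DIR (sasl_passwd perms: $(table_perms "$DIR/sasl_passwd"))"
main_cf_settings
```

Run it with no arguments to see the tables and main.cf lines in a scratch directory; on the real server run it as root with /etc/postfix as the argument, apply the printed settings with postconf -e, then `postfix reload`. The 0600 mode matters because the table holds the relay passwords in clear text and the umask is set before the heredocs write anything, so there is no window in which the file is world-readable.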
Re: Attack on my mailsystem
On 6/16/2015 9:43 PM, Jithesh AP wrote:
> Grep for the message-id in maillog just gives this, should I search in some other location
>
> grep kflvqedfdosxjjhkebewy...@sfilc.com /var/maillog-2015 | head
> Jun 16 13:21:48 ml postfix/cleanup[22906]: 6CB5841627: message-id=kflvqedfdosxjjhkebewy...@sfilc.com
> Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=kflvqedfdosxjjhkebewy...@sfilc.com

Excellent. Now grep the maillog for the original queue id, 6CB5841627. That will show where the mail entered postfix, before passing to spamassassin.
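The tracing procedure this thread converges on, as an added example that is not part of any post: Wietse asks whether a queue ID came in via smtpd (logged as client=) or via pickup (logged as uid=), Viktor notes that a pipe-based content_filter re-injecting through sendmail always shows up as pickup under the filter's uid so the message-id is the only link back, and Noel's last step is to grep for the original queue ID. The functions below do exactly that against a maillog: classify a queue ID's entry point, find its message-id, walk back to the earliest queue ID that logged the same message-id, and report where that one entered. The sample log is constructed for this example (queue IDs, hosts, addresses and message-id are placeholders modelled on the lines posted above); set LOG to a real maillog to use it for real.

```shell
#!/bin/sh
# Added example (not from the thread). Trace a queue ID injected by a content
# filter back to the queue ID that first received the message, and report how
# that one entered Postfix. Sample log lines below are constructed.

# Print how a queue ID entered Postfix: "smtp host[ip]" for smtpd(8),
# "local uid=N" for pickup(8), "unknown" if neither daemon logged it.
entry_point() {  # $1 = queue id, $2 = log file
    line=$(grep -E "postfix/(smtpd|pickup)\[[0-9]+\]: $1: " "$2" | head -n 1)
    case $line in
        *postfix/smtpd*)  printf 'smtp %s\n' "${line##*client=}" ;;
        *postfix/pickup*) uid=${line##*uid=}; printf 'local uid=%s\n' "${uid%% *}" ;;
        *)                printf 'unknown\n' ;;
    esac
}

# The message-id cleanup(8) logged for a queue ID (empty if none).
message_id() {  # $1 = queue id, $2 = log file
    grep -E "postfix/cleanup\[[0-9]+\]: $1: message-id=" "$2" | head -n 1 \
        | sed 's/.*message-id=//'
}

# A content_filter that re-injects via sendmail(1) gets a fresh queue ID, so
# the message-id is the only link back. Return the earliest queue ID that
# cleanup(8) logged with the same message-id (the queue ID itself if none).
origin_qid() {  # $1 = queue id, $2 = log file
    mid=$(message_id "$1" "$2")
    if [ -z "$mid" ]; then printf '%s\n' "$1"; return 0; fi
    grep -F "message-id=$mid" "$2" | head -n 1 \
        | sed -E 's/.*cleanup\[[0-9]+\]: ([0-9A-Za-z]+): .*/\1/'
}

trace() {  # $1 = queue id, $2 = log file
    orig=$(origin_qid "$1" "$2")
    printf '%s entered via %s\n' "$1" "$(entry_point "$1" "$2")"
    if [ "$orig" != "$1" ]; then
        printf '%s originally entered via %s\n' "$orig" "$(entry_point "$orig" "$2")"
    fi
}

# Constructed sample, modelled on the lines discussed in the thread: one
# message arrives over SMTP, is piped to the filter, and is re-injected
# locally under the filter's uid with a new queue ID.
write_sample_log() {  # $1 = path to write
    cat >"$1" <<'EOF'
Jun 16 13:21:46 ml postfix/smtpd[19729]: A1B2C3D4E5: client=app-host.example.internal[192.0.2.10]
Jun 16 13:21:48 ml postfix/cleanup[22906]: A1B2C3D4E5: message-id=<constructed-0001@example.invalid>
Jun 16 13:21:48 ml postfix/qmgr[9205]: A1B2C3D4E5: from=<sender@example.invalid>, size=5585, nrcpt=2 (queue active)
Jun 16 13:21:49 ml postfix/pipe[19842]: A1B2C3D4E5: to=<rcpt1@example.net>, relay=spamassassin, delay=2.8, delays=2.7/0/0/0.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
Jun 16 13:21:49 ml postfix/pickup[23232]: F6E5D4C3B2: uid=5005 from=<sender@example.invalid>
Jun 16 13:21:49 ml postfix/cleanup[20077]: F6E5D4C3B2: message-id=<constructed-0001@example.invalid>
Jun 16 13:21:49 ml postfix/qmgr[9205]: F6E5D4C3B2: from=<sender@example.invalid>, size=5700, nrcpt=2 (queue active)
EOF
}

LOG=${LOG:-$(mktemp)}
[ -s "$LOG" ] || write_sample_log "$LOG"
trace F6E5D4C3B2 "$LOG"
```

On the sample this prints that F6E5D4C3B2 entered via local uid=5005 and that A1B2C3D4E5 originally entered via smtp from app-host.example.internal[192.0.2.10], which is the answer the thread was after: the filter's uid is a red herring, and the client= of the original queue ID is where to look. Two caveats for real logs: rotated files have to be included (grep all of them, or concatenate with zcat), and a message-id is chosen by the sender, so a spammer can reuse one; when that happens, narrow the search by time window as well.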
Re: sent mail goes into spam
Bit afraid because it is like off-topic, but I felt it important to make a conclusion. The conclusion is there is no postfix problem at all. The primary (and only) reason was I used Roundcube and the mail sent by the PHP mail() function (according to a careless setup) which caused many systems to rate my sent mails spam. So I had to set up Roundcube to use my postfix as smtp.

Many thanks to my responders, Christian, Willi, Andy, Marius and this Great Postfix Community.

Regards
- Zoli

On 2015-06-16 17:04, z...@oper.hu wrote:
> Dear All,
> I created a postfix based mail system. When my users send mail most of the mails goes into spam. I am afraid, I made a simple or basic mistake. This is postfix+dovecot+mysql config. I am pretty sure about postfix user and virtual alias tables in mysql ok, I am afraid I made mistake in main.cf
Limiting total number of processes with various smtpd services listening on different IPs
Hello postfix-users,

when running multiple smtpd services on different IPs and with different SSL certificates (I believe there still is no SNI support in postfix? - http://www.postfix.org/TLS_README.html - There are no plans to implement SNI in the Postfix SMTP server. ) the individually set process limits work fine, but they add up quickly. Even IPv4 and IPv6 create two listeners for the same job already making it difficult to pick sensible individual limits.

I'm keen to allow the individual listener to grow to let's say 1000 processes, but don't want to allow them ALL to grow that large at the same time.

Is there a way or strategy to maintain a global process limit which is lower than the sum of all smtpd services? Also the time when the stress-dependent configuration kicks in could rather be related to the global process limit, not (only) the individual one.

Regards
Christian
Re: messages queue not delivered with sasl.
basteon:
> sorry, I mean this host when talk about MS exchange server:
>
> Jun 16 14:48:21 mail postfix/smtp[13974]: 36CC478001C: to=u...@primorsky.ru, relay=mail.primorsky.ru[80.89.7.143]:25, delay=2339, delays=2338/0/1.1/0, dsn=4.3.0, status=deferred (local data error while talking to mail.primorsky.ru[80.89.7.143])

And at the same moment in time, the SMTP client logs a warning message with the name of the lookup table that is failing. If your syslog server logs warnings in a different file, look there.

Wietse
weird bounce-loop
So, there's this one client, that has a zarafa mailserver (after postfix).

so, a person using zarafa has a forward to his gmail account. now, at some point gmail decides that this company is suspected for spam. and this is what happens:

1. an email is sent to the company (postfix + content_filter + zarafa(lmtp))
2. zarafa sends a forward to gmail (zarafa - postfix - gmail)
3. gmail rejects
4. postfix bounces to original user (thus goes to zarafa(lmtp))
5. zarafa sends a forward to gmail (zarafa - postfix - gmail)
6. gmail rejects
7. postfix bounces to original user (thus goes to zarafa(lmtp))
... ad nauseam...

thus, quickly the zarafa mailserver has thousands of bounces in a few minutes...

Is there a way to solve this issue? postfix obviously can't use the double-bounce check here, right? or not?

Regards,

Maarten Vanraes
-- BA NV IT Security
Re: messages queue not delivered with sasl.
yes warning exists:

Jun 16 16:56:58 mail postfix/smtp[14742]: warning: hash:/etc/postfix/mailpasswd is unavailable. open database /etc/postfix/mailpasswd.db: No such file or directory
Jun 16 16:56:58 mail postfix/smtp[14742]: warning: hash:/etc/postfix/mailpasswd lookup error for u...@domain.ru
Jun 16 16:56:58 mail postfix/smtp[14742]: warning: 95559758A82: smtp_sasl_password_maps lookup error

I keep users in sasl and in mysql database.

On 6/16/15, Wietse Venema wie...@porcupine.org wrote:
> basteon:
> > sorry, I mean this host when talk about MS exchange server:
> >
> > Jun 16 14:48:21 mail postfix/smtp[13974]: 36CC478001C: to=u...@primorsky.ru, relay=mail.primorsky.ru[80.89.7.143]:25, delay=2339, delays=2338/0/1.1/0, dsn=4.3.0, status=deferred (local data error while talking to mail.primorsky.ru[80.89.7.143])
>
> And at the same moment in time, the SMTP client logs a warning message with the name of the lookup table that is failing. If your syslog server logs warnings in a different file, look there.
>
> Wietse