Re: Can't get mynetworks to match a specific host

2016-02-15 Thread koko
On Tue, 16 Feb 2016 08:18:54 +0100
Michael Sperber  wrote:

> > Logging:
> >
> > Feb 15 10:39:23 wzv postfix/smtpd[10244]: match_hostaddr: mynetworks: 
> > 192.168.1.2 ~? 192.168.1.2/32
> > Feb 15 10:39:23 wzv postfix/smtpd[10244]: match_list_match: 
> > permit_mynetworks: no match
> > Feb 15 10:39:23 wzv postfix/smtpd[10244]: generic_checks: 
> > name=permit_mynetworks status=1
> > Feb 15 10:39:23 wzv postfix/smtpd[10244]: >>> END Recipient address 
> > RESTRICTIONS <<<
> > Feb 15 10:39:23 wzv postfix/smtpd[10244]: >>> CHECKING RECIPIENT MAPS <<<
> >
> > The "status=1" means that there was a match.
> 
> Ah, indeed!  (But then it does
> 
> In the log, it goes on from there like this:
> 
> ...
> Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
> name=permit_mynetworks status=1
> Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: >>> END 
> Recipient address RESTRICTIONS <<<
> Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: >>> START 
> Recipient address RESTRICTIONS <<<
> Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
> name=permit_sasl_authenticated
> Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
> name=permit_sasl_authenticated status=0
> Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
> name=reject
> 
Your log shows something different: the first one is "smtpd" and the one
above is "submission". Check your master.cf submission part, and
post your master.cf here.

-- 
Koko Wijatmoko


Re: Can't get mynetworks to match a specific host

2016-02-15 Thread Michael Sperber

wie...@porcupine.org (Wietse Venema) writes:

> Here's a test with a host with /32 patterns in mynetworks:
>
> # postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions
> mynetworks = 127.0.0.1/32 192.168.1.2/32 192.168.122.1/32 168.100.189.7/32
> smtpd_recipient_restrictions =
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
> defer_unauth_destination
>
> Logging:
>
> Feb 15 10:39:23 wzv postfix/smtpd[10244]: match_hostaddr: mynetworks: 
> 192.168.1.2 ~? 192.168.1.2/32
> Feb 15 10:39:23 wzv postfix/smtpd[10244]: match_list_match: 
> permit_mynetworks: no match
> Feb 15 10:39:23 wzv postfix/smtpd[10244]: generic_checks: 
> name=permit_mynetworks status=1
> Feb 15 10:39:23 wzv postfix/smtpd[10244]: >>> END Recipient address 
> RESTRICTIONS <<<
> Feb 15 10:39:23 wzv postfix/smtpd[10244]: >>> CHECKING RECIPIENT MAPS <<<
>
> The "status=1" means that there was a match.

Ah, indeed!  (But then it does

> Postfix 2.10 introduces smtpd_relay_restrictions which allows you
> to separate spam control (smtpd_recipient_restrictions) from mail
> relay control (smtpd_relay_restrictions).
>
> What is your output for:
>
> $ postconf smtpd_recipient_restrictions smtpd_relay_restrictions

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination, check_client_access 
hash:/etc/postfix/rbl_override_whitelist, check_policy_service 
unix:private/policy-spf, check_policy_service 
unix:/var/spool/postfix/postgrey/socket
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

In the log, it goes on from there like this:

...
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
name=permit_mynetworks status=1
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: >>> END Recipient 
address RESTRICTIONS <<<
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: >>> START 
Recipient address RESTRICTIONS <<<
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
name=permit_sasl_authenticated
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
name=permit_sasl_authenticated status=0
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks: 
name=reject

So I guess I don't understand why it goes on after permit_mynetworks.

-- 
Regards,
Mike
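
Added example, not part of any post in this thread: a Python reader for the smtpd debug lines quoted above. It rejoins the wrapped lines, takes `generic_checks: name=... status=1` as the result of a check (as Wietse's reply states) instead of the `match_list_match ... no match` line, and lists every restriction list that ran in each smtpd process. The function names are hypothetical; the sample lines are copied from the thread.

```python
import re

# Debug lines quoted in this thread, with the archive's line wrapping kept.
SAMPLE = """\
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_list_match:
permit_mynetworks: no match
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: generic_checks:
name=permit_mynetworks status=1
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks:
name=permit_mynetworks status=1
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: >>> END
Recipient address RESTRICTIONS <<<
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: >>> START
Recipient address RESTRICTIONS <<<
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks:
name=permit_sasl_authenticated
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks:
name=permit_sasl_authenticated status=0
Feb 16 03:38:48 deinprogramm postfix/submission/smtpd[76503]: generic_checks:
name=reject
"""

HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d+ [\d:]{8} \S+ "
                    r"(?P<tag>postfix(?:/[\w-]+)+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
START = re.compile(r">>> START (.+?) RESTRICTIONS <<<")
END = re.compile(r">>> END .+? RESTRICTIONS <<<")
CHECK = re.compile(r"generic_checks: name=(\S+)(?: status=(-?\d+))?$")
NO_MATCH = re.compile(r"match_list_match: (\S+): no match")


def unwrap(text):
    """Rejoin wrapped lines; return [syslog tag, pid, message] records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append([m["tag"], int(m["pid"]), m["msg"]])
        elif line and records:          # no syslog header: continuation line
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return records


def evaluate(text):
    """Per smtpd process: the restriction lists seen and each check's status."""
    sessions = {}
    for tag, pid, msg in unwrap(text):
        s = sessions.setdefault((tag, pid),
                                {"lists": [], "open": None, "no_match": set()})
        if m := START.search(msg):
            s["open"] = {"name": m[1], "checks": {}}
            s["lists"].append(s["open"])
        elif END.search(msg):
            s["open"] = None
        elif m := NO_MATCH.search(msg):
            s["no_match"].add(m[1])
        elif m := CHECK.search(msg):
            if s["open"] is None:       # excerpt began after the START marker
                s["open"] = {"name": "(START not in excerpt)", "checks": {}}
                s["lists"].append(s["open"])
            # "name=X" alone announces a check; "name=X status=N" is its result.
            s["open"]["checks"][m[1]] = None if m[2] is None else int(m[2])
    return sessions


def misleading_no_match(text):
    """Checks logged as 'no match' by match_list_match yet finished status=1."""
    hits = []
    for (tag, pid), s in evaluate(text).items():
        for lst in s["lists"]:
            hits += [(tag, pid, name) for name, st in lst["checks"].items()
                     if st == 1 and name in s["no_match"]]
    return hits


def continued_after_permit(text):
    """Processes where another restriction list ran after a status=1 check."""
    out = []
    for (tag, pid), s in evaluate(text).items():
        for i, lst in enumerate(s["lists"][:-1]):
            if 1 in lst["checks"].values():
                nxt = s["lists"][i + 1]
                out.append((tag, pid, nxt["name"], list(nxt["checks"])))
    return out


if __name__ == "__main__":
    print("status=1 despite 'no match':", misleading_no_match(SAMPLE))
    print("list evaluated after a permit:", continued_after_permit(SAMPLE))
```

For process 76503 the second list holds only permit_sasl_authenticated and reject, which is what the master.cf check asked for in the replies would compare against the submission entry.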


Re: Freelance to recommand?

2016-02-15 Thread Ron Wheeler

Have you purchased some textbooks on Postfix?
That is a good start to identifying the processes that are available out 
of the box.
It will certainly tell you how to attach your custom processes to the 
main postfix flows.


They will also tell you about ACLs, rewriting, recipient mailboxes and 
delivery to lists.


Once you get a general design outlined, you should be able to ask 
specific questions here about how to implement each piece and perhaps 
find people who have pieces that you need or are able to build them.


Ron

On 15/02/2016 6:27 PM, Roman Doe wrote:

> I need to assess the feasibility of the email hub I want to set-up.
>
> It must have specific and quite uncommon features:
> - Remailing (rewrite envelopes and headers from remote SMTP clients)
> (anonymous remailer, kind of like craigslist 2-way relay)
> - ACL: blacklists per users
> - Dynamic recipients
> - Limit of total recipients per month (different quotas possible)
> - Lists (announcement and discussion)
> - Different sending rules per lists (for example different authorized
> message sizes, or attachment files (photo, file, etc…))
>
> On Mon, Feb 15, 2016 at 10:40 PM, Luis Daniel Lucio Quiroz wrote:
>
>> What you need?
>>
>> On 15 Feb 2016 at 4:35 PM, "Danny Horne" wrote:
>>
>>> What are you trying to achieve?  There's plenty of experts here (not me
>>> I hasten to add!!)
>>>
>>> On 15/02/2016 8:52 pm, Roman Doe wrote:
>>> > I'm struggling finding a postfix expert, any contact to suggest?
>>> >
>>> > Thank you very much.





--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102



Re: Freelance to recommand?

2016-02-15 Thread Roman Doe
Ps: The server must be able to scale (50 000+ users at the first stage.
Potentially million+ users later stage).

On Tue, Feb 16, 2016 at 12:27 AM, Roman Doe  wrote:

> I need to assess the feasibility of the email hub I want to set-up.
>
> It must have specific and quite uncommon features:
> - Remailing (rewrite envelopes and headers from remote SMTP clients)
> (anonymous remailer, kind of like craigslist 2-way relay)
> - ACL: blacklists per users
> - Dynamic recipients
> - Limit of total recipients per month (different quotas possible)
> - Lists (announcement and discussion)
> - Different sending rules per lists (for example different authorized
> message sizes, or attachment files (photo, file, etc…))
>
> On Mon, Feb 15, 2016 at 10:40 PM, Luis Daniel Lucio Quiroz <
> luis.daniel.lu...@gmail.com> wrote:
>
>> What you need?
>> On 15 Feb 2016 at 4:35 PM, "Danny Horne" wrote:
>>
>>> What are you trying to achieve?  There's plenty of experts here (not me
>>> I hasten to add!!)
>>>
>>> On 15/02/2016 8:52 pm, Roman Doe wrote:
>>> > I'm struggling finding a postfix expert, any contact to suggest?
>>> >
>>> > Thank you very much.
>>>
>>>
>>>
>


Re: Freelance to recommand?

2016-02-15 Thread Roman Doe
I need to assess the feasibility of the email hub I want to set-up.

It must have specific and quite uncommon features:
- Remailing (rewrite envelopes and headers from remote SMTP clients)
(anonymous remailer, kind of like craigslist 2-way relay)
- ACL: blacklists per users
- Dynamic recipients
- Limit of total recipients per month (different quotas possible)
- Lists (announcement and discussion)
- Different sending rules per lists (for example different authorized
message sizes, or attachment files (photo, file, etc…))

On Mon, Feb 15, 2016 at 10:40 PM, Luis Daniel Lucio Quiroz <
luis.daniel.lu...@gmail.com> wrote:

> What you need?
> On 15 Feb 2016 at 4:35 PM, "Danny Horne" wrote:
>
>> What are you trying to achieve?  There's plenty of experts here (not me
>> I hasten to add!!)
>>
>> On 15/02/2016 8:52 pm, Roman Doe wrote:
>> > I'm struggling finding a postfix expert, any contact to suggest?
>> >
>> > Thank you very much.
>>
>>
>>


Re: "Fail Safe" on LDAP failure

2016-02-15 Thread Quanah Gibson-Mount
--On Monday, February 15, 2016 11:26 AM -0500 Wietse Venema wrote:

> But the basic check after getpwnam_r() works only if everything
> else in the chain returns an error status instead of "not found".
> That may include nsswitch.conf, pam_ldap, pam_sss, sssd, sssd.conf,
> and so on. It is very easy for something to lose the distinction
> between "error status" and "not found".
>
> For example, with the default nsswitch.conf action of "unavail=continue",
> the library will continue with the next source, instead of reporting
> the error condition immediately. There may be similar features with sssd.


Zimbra uses LDAP extensively for postfix lookups, and it has always failed 
over cleanly for us when LDAP is not available.  One wise thing to do is 
have more than a single LDAP server configured for lookups, so that if any 
specific server is down, well written software (like Postfix) can fail over 
without you even having to worry about it.  If all your LDAP servers are in 
a single DC and susceptible to power outages, it won't help that specific 
problem, but if they're spread out where that is not an issue, then it 
certainly keeps things flowing smoothly.  It also allows for things like 
upgrading an LDAP server w/o worrying about the rest of the infrastructure 
falling over.


--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc


Re: "Fail Safe" on LDAP failure

2016-02-15 Thread Quanah Gibson-Mount
--On Monday, February 15, 2016 5:51 PM +0100 Michael Ströder wrote:

> Example: When a fresh OpenLDAP replica during initialization is not fully
> functional yet the contextCSN attribute in the root entry of the database
> is not present. Would be nice to have LDAP map parameters to define a
> health-check for that.


OpenLDAP has a parameter for that where it will not answer queries if it is 
currently refreshing.  It would probably make more sense to set that 
instead?


--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc


Re: Freelance to recommand?

2016-02-15 Thread Luis Daniel Lucio Quiroz
What you need?
On 15 Feb 2016 at 4:35 PM, "Danny Horne" wrote:

> What are you trying to achieve?  There's plenty of experts here (not me
> I hasten to add!!)
>
> On 15/02/2016 8:52 pm, Roman Doe wrote:
> > I'm struggling finding a postfix expert, any contact to suggest?
> >
> > Thank you very much.
>
>
>


Re: Freelance to recommand?

2016-02-15 Thread Danny Horne
What are you trying to achieve?  There's plenty of experts here (not me
I hasten to add!!)

On 15/02/2016 8:52 pm, Roman Doe wrote:
> I'm struggling finding a postfix expert, any contact to suggest?
>
> Thank you very much.






Freelance to recommand?

2016-02-15 Thread Roman Doe
I'm struggling finding a postfix expert, any contact to suggest?

Thank you very much.


Re: "Fail Safe" on LDAP failure

2016-02-15 Thread Wietse Venema
Lutz Jänicke:
> > For example, with the default nsswitch.conf action of "unavail=continue",
> > the library will continue with the next source, instead of reporting
> > the error condition immediately. There may be similar features with sssd.
> 
> It seems that nsswitch.conf may be the reason for the effect. It indeed
> reads
>   passwd: compat ldap
>   group: ...
> and therefore should with "unavail=continue" would lead to failure as
> experienced.
> As all other lookups are implemented directly in postfix via ldap: maps.
> If I understand nsswitch.conf correctly, unavail=return would not make a
> difference here.

I would not know. I am just disappointed that someone broke
getpwnam_r() error reporting.

> We rather would have to modify local_recipient_maps to start with
> an LDAP lookup to fail "safe" if LDAP is not available, don't we?

Switching local_recipient_maps to direct LDAP lookups would reduce
the failure time window to a fraction of a second (if the LDAP
server crashes after successful local_recipient_maps lookup with
direct LDAP, the getpwnam_r() call would still falsely report "not
found", but the odds of an LDAP server crash in that fraction of a
second would be really small).

Wietse
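
Added example, not part of any post in this thread: a small Python model of the point made above, that a recipient lookup has three outcomes (found, not found, error) and that one layer turning "error" into "not found" changes a temporary failure into a permanent reject. The map objects, user names and the `keeps_errors` switch are hypothetical; the search rule (first hit wins, an error stops the search) and the reply classes are modelling assumptions.

```python
from enum import Enum


class Lookup(Enum):
    FOUND = "found"
    NOT_FOUND = "not found"
    ERROR = "error"


def ldap_map(directory, server_up):
    """Model of a direct ldap: map, which reports 'server down' as an error."""
    def lookup(user):
        if not server_up:
            return Lookup.ERROR
        return Lookup.FOUND if user in directory else Lookup.NOT_FOUND
    return lookup


def passwd_map(local_users, ldap_lookup, keeps_errors):
    """Model of a system-user lookup (getpwnam_r) behind 'passwd: compat ldap'.

    keeps_errors=False models a chain that turns an unreachable LDAP
    server into plain 'not found', the failure discussed in the thread.
    """
    def lookup(user):
        if user in local_users:
            return Lookup.FOUND
        result = ldap_lookup(user)
        if result is Lookup.ERROR and not keeps_errors:
            return Lookup.NOT_FOUND
        return result
    return lookup


def search(maps, user):
    """Search maps in order: first FOUND wins, an ERROR stops the search."""
    for lookup in maps:
        result = lookup(user)
        if result is not Lookup.NOT_FOUND:
            return result
    return Lookup.NOT_FOUND


def smtp_reply_class(result):
    """Reply class for a recipient check: 2 accept, 4 defer, 5 reject."""
    return {Lookup.FOUND: 2, Lookup.ERROR: 4, Lookup.NOT_FOUND: 5}[result]


def recipient_reply(order, ldap_up, keeps_errors, user="alice"):
    """Reply class for `user` with the recipient maps searched in `order`."""
    directory = {"alice"}                 # constructed LDAP-administered user
    ldap = ldap_map(directory, ldap_up)
    passwd = passwd_map({"root"}, ldap, keeps_errors)
    maps = {"passwd": passwd, "ldap": ldap}
    return smtp_reply_class(search([maps[name] for name in order], user))


if __name__ == "__main__":
    # LDAP down, system lookup loses the error: valid user is rejected (5xx).
    print(recipient_reply(["passwd"], ldap_up=False, keeps_errors=False))
    # LDAP down, direct LDAP map searched first: deferred instead (4xx).
    print(recipient_reply(["ldap", "passwd"], ldap_up=False, keeps_errors=False))
```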


Re: "Fail Safe" on LDAP failure

2016-02-15 Thread Lutz Jänicke
On 15.02.2016 17:26, Wietse Venema wrote:
> Lutz Jänicke:
>> Hi!
>>
>> We have just been experiencing a power outage in the result of which our
>> mail server with postfix did come back up fine but our LDAP server did
>> not come back up. As a result emails to valid users (administrated via
>> LDAP) was rejected with a permanent "User unknown" error.
> If the LDAP server came back from power failure in a broken state,
> then it is very well possible that it returns "not found" replies.
> Are you sure that LDAP lookups were timing out?

Yes. The LDAP server is running in a virtual machine the host of which
did not come back up so it definitely was down.

> For non-system user lookups, the Postfix LDAP client should distinguish
> between "server down" and "not found". It is a very basic check that
> must have been present from 1999 when the first Postfix LDAP client
> was implemented
>
> For system user lookups Postfix depends on getpwnam_r() which
> promises to return an error status instead of "not found". Again,
> it's a basic check that has been in place for a very long time.
>
> But the basic check after getpwnam_r() works only if everything
> else in the chain returns an error status instead of "not found".
> That may include nsswitch.conf, pam_ldap, pam_sss, sssd, sssd.conf,
> and so on. It is very easy for something to lose the distinction
> between "error status" and "not found".
>
> For example, with the default nsswitch.conf action of "unavail=continue",
> the library will continue with the next source, instead of reporting
> the error condition immediately. There may be similar features with sssd.

It seems that nsswitch.conf may be the reason for the effect. It indeed
reads
  passwd: compat ldap
  group: ...
and therefore should with "unavail=continue" would lead to failure as
experienced.
As all other lookups are implemented directly in postfix via ldap: maps.
If I understand nsswitch.conf correctly, unavail=return would not make a
difference here. We rather would have to modify local_recipient_maps to
start with an LDAP lookup to fail "safe" if LDAP is not available, don't we?

Best regards,
Lutz




Re: Can't get mynetworks to match a specific host

2016-02-15 Thread Wietse Venema
Michael Sperber:
> 
> wie...@porcupine.org (Wietse Venema) writes:
> 
> > Michael Sperber:
> >> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: 
> >> match_hostaddr: 134.2.186.48 ~? 134.2.186.48/32
> >> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: 
> >> match_list_match: permit_mynetworks: no match
> >
> > That is unexpected. Did you compile Postfix by hand, or is this
> > from a distribution?
> 
> By hand.  (I'm running 2.10.1 on FreeBSD.)

OK, the logging is misleading.

Here's a test with a host with /32 patterns in mynetworks:

# postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions
mynetworks = 127.0.0.1/32 192.168.1.2/32 192.168.122.1/32 168.100.189.7/32
smtpd_recipient_restrictions =
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

Logging:

Feb 15 10:39:23 wzv postfix/smtpd[10244]: match_hostaddr: mynetworks: 
192.168.1.2 ~? 192.168.1.2/32
Feb 15 10:39:23 wzv postfix/smtpd[10244]: match_list_match: permit_mynetworks: 
no match
Feb 15 10:39:23 wzv postfix/smtpd[10244]: generic_checks: 
name=permit_mynetworks status=1
Feb 15 10:39:23 wzv postfix/smtpd[10244]: >>> END Recipient address 
RESTRICTIONS <<<
Feb 15 10:39:23 wzv postfix/smtpd[10244]: >>> CHECKING RECIPIENT MAPS <<<

The "status=1" means that there was a match.

Postfix 2.10 introduces smtpd_relay_restrictions which allows you
to separate spam control (smtpd_recipient_restrictions) from mail
relay control (smtpd_relay_restrictions).

What is your output for:

$ postconf smtpd_recipient_restrictions smtpd_relay_restrictions

Wietse




Re: Can't get mynetworks to match a specific host

2016-02-15 Thread Michael Sperber

wie...@porcupine.org (Wietse Venema) writes:

> Michael Sperber:
>> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: 
>> match_hostaddr: 134.2.186.48 ~? 134.2.186.48/32
>> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: 
>> match_list_match: permit_mynetworks: no match
>
> That is unexpected. Did you compile Postfix by hand, or is this
> from a distribution?

By hand.  (I'm running 2.10.1 on FreeBSD.)

> Try this:
>
> $ echo "134.2.186.48/32 cidr works" > foo
> $ postmap -q 134.2.186.48 cidr:foo
> cidr works
> $
>
> What is your output?

cidr works

-- 
Regards,
Mike


"Fail Safe" on LDAP failure

2016-02-15 Thread Lutz Jänicke
Hi!

We have just been experiencing a power outage, as a result of which our
mail server with postfix did come back up fine but our LDAP server did
not come back up. As a result emails to valid users (administrated via
LDAP) were rejected with a permanent "User unknown" error.
I was surprised that an LDAP connection failure did not result in a
temporary error condition; in fact the mail service was not operational
and I would have expected a "temporary configuration error" status. I
did not find any setting that would influence this behavior. Is there
any method to prevent mails from being rejected on LDAP failure?

Note 1: even a powerful UPS will only help in a coordinated shutdown if
the power outage is long enough.
Note 2: the misconfiguration that prevented the LDAP server to start up
has been resolved by now.

Best regards,
Lutz
 




Re: filtering domains and e-mails - how ?

2016-02-15 Thread Zalezny Niezalezny
It's working for me. Thank you very much!




On Mon, Feb 15, 2016 at 2:46 PM, Matthew McGehrin  wrote:

> Hello.
>
> See: http://www.postfix.org/transport.5.html
>
> Per the table search order,  user accounts need to be listed first, before
> the domain
>
> IE:
>
> us...@domain.com relay:[smtp1.server.com]
> domain.com relay:[smtp.server.com]
>
>
> See: Postfix users 
>
> Zalezny Niezalezny wrote:
>
>> Hi All, by default in my Postfix configuration I'm routing all E-mails
>> for the domain:
>> *@domain.com to some external SMTP server. I
>> configure it in the /etc/postfix/transport
>> domain.com relay:[smtp.server.com]
>> Now comes my question, how may I redirect following E-mail
>> us...@domain.com
>> to some other server smtp1.server.com.
>>
>> I simply would like to redirect all E-mails with domain @domain.com
>> to smtp.server.com and one
>> e-mail us...@domain.com to some specified
>> server smtp1.server.com.
>>
>> How to do it properly ?
>>
>> Thanks in advance for any hints.
>>
>>
>> Zalezny
>>
>>
>>
>>
>>


Re: filtering domains and e-mails - how ?

2016-02-15 Thread Matthew McGehrin

Hello.

See: http://www.postfix.org/transport.5.html

Per the table search order,  user accounts need to be listed first, 
before the domain


IE:

us...@domain.com relay:[smtp1.server.com]
domain.com relay:[smtp.server.com]


See: Postfix users 

Zalezny Niezalezny wrote:
> Hi All,
> by default in my Postfix configuration I'm routing all E-mails for the
> domain:
> *@domain.com
> to some external SMTP server. I configure it in the
> /etc/postfix/transport
> domain.com relay:[smtp.server.com]
>
> Now comes my question, how may I redirect following E-mail
> us...@domain.com
> to some other server smtp1.server.com.
>
> I simply would like to redirect all E-mails with domain @domain.com
> to smtp.server.com and
> one e-mail us...@domain.com to some
> specified server smtp1.server.com.
>
> How to do it properly ?
>
> Thanks in advance for any hints.
>
> Zalezny






Re: Can't get mynetworks to match a specific host

2016-02-15 Thread Wietse Venema
Michael Sperber:
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 
> 134.2.186.48 ~? 134.2.186.48/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: 
> match_list_match: permit_mynetworks: no match

That is unexpected. Did you compile Postfix by hand, or is this
from a distribution?

Try this:

$ echo "134.2.186.48/32 cidr works" > foo
$ postmap -q 134.2.186.48 cidr:foo
cidr works
$

What is your output?

Wietse


Re: Can't get mynetworks to match a specific host

2016-02-15 Thread Christian Kivalo

On 2016-02-14 16:39, Michael Sperber wrote:
> I'm trying to set up a mail relay for a specific host with Postfix, with
> little success:
>
> I've got this:
>
> mynetworks = 88.198.58.179/32 127.0.0.0/8 134.2.186.48/32
> u-186-ls048.wi50.uni-tuebingen.de

Hostnames in mynetworks are prone to errors when you have DNS lookup 
problems. Using the IP address of the sending system is preferred.

> 88.x is the local host, 134.x is the host I'm trying to set up the
> relay for, as is the host name.
>
> (First question: Where exactly do I put permit_mynetworks?  I tried
> smtpd_client_restrictions and smtpd_recipient_restrictions, similarly to
> no avail.)

Please show postconf -n output.

Show logging of it not working / mail being blocked.

> Whatever I do, I get this:
>
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> generic_checks: name=permit_mynetworks
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> permit_mynetworks: u-186-ls048.wi50.uni-tuebingen.de 134.2.186.48
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 88.198.58.179/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_hostaddr: 134.2.186.48 ~? 88.198.58.179/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 127.0.0.0/8
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_hostaddr: 134.2.186.48 ~? 127.0.0.0/8
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_hostname: u-186-ls048.wi50.uni-tuebingen.de ~? 134.2.186.48/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_hostaddr: 134.2.186.48 ~? 134.2.186.48/32
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> match_list_match: permit_mynetworks: no match
> Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]:
> generic_checks: name=permit_mynetworks status=1
>
> Why is there no match?
>
> Any help would be much appreciated!

You are showing logs from the submission service, there could be 
overrides in place. Show the configuration from master.cf.

Take a look at http://www.postfix.org/DEBUG_README.html#mail this should 
clarify what is helpful to others when asking on the mailing list.


--
 Christian Kivalo


SV: Can this sort of spam be easily and safely blocked in postfix [signed]

2016-02-15 Thread Sebastian Nielsen
Oops, I meant 123.123.123.72
Just a bit tired here in the morning.

But what I wanted to say is that Microsoft is an extremely large internet
corporation, actually the largest, I think they own most IP addresses too, so
what they do needs to scale well.

-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Sebastian Nielsen
Sent: 15 February 2016 10:53
To: 'postfix users'
Subject: SV: Can this sort of spam be easily and safely blocked in postfix
[signed]

Yes, there is a reason.
If they have a large amount of virtualized servers set up using wildcarding,
like:
*.123.123.123.in-addr.arpa IN PTR mailservers.office365.com

It's of course not possible to add the corresponding forward record, because
that would create a pretty large forward zone, especially if Microsoft does
this with a large amount of IP addresses.

Dynamically assigning reverse/forward, like *.123.123.123.in-addr.arpa IN
PTR *.mailservers.office365.com, so a server like 72.123.123.123 has a PTR
of 72.mailservers.office365.com, would require specialised name server
software, same with the forward zone, if you don't want unnecessarily large
zones.

You could however check which ASNs Microsoft has, and then whitelist these
in a rule file so these IPs will be let through without any spam checking.
(Be careful however, so you don't put the whitelist too early and let
through mails you don't want to let through at all)

-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Karel
Sent: 15 February 2016 10:19
To: postfix users
Subject: Re: Can this sort of spam be easily and safely blocked in postfix

> On 2016-02-14 18:34, Bill Cole wrote:
>
>> are there any legitimate (non-spam) senders, that would be blocked by 
>> reject_unknown_client_hostname ?
> 
> Do you consider Microsoft's Office365 to be "legitimate?"
> 
> They send substantial non-spam, yet many of their output IPs have PTR 
> addresses which yield addresses which do not resolve back to the 
> original IPs.

sorry for keep dwelling on this, but is there any reason why a legitimate
sender (ie Microsoft) would not use corresponding IP -> hostname -> IP ?

Is there some technical limitation that prevents them from doing it?






SV: Can this sort of spam be easily and safely blocked in postfix

2016-02-15 Thread Sebastian Nielsen
Yes, there is a reason.
If they have a large amount of virtualized servers set up using wildcarding,
like:
*.123.123.123.in-addr.arpa IN PTR mailservers.office365.com

It's of course not possible to add the corresponding forward record, because
that would create a pretty large forward zone, especially if Microsoft does
this with a large amount of IP addresses.

Dynamically assigning reverse/forward, like *.123.123.123.in-addr.arpa IN
PTR *.mailservers.office365.com, so a server like 72.123.123.123 has a PTR
of 72.mailservers.office365.com, would require specialised name server
software, same with the forward zone, if you don't want unnecessarily large
zones.

You could however check which ASNs Microsoft has, and then whitelist these
in a rule file so these IPs will be let through without any spam checking.
(Be careful however, so you don't put the whitelist too early and let
through mails you don't want to let through at all)

-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Karel
Sent: 15 February 2016 10:19
To: postfix users
Subject: Re: Can this sort of spam be easily and safely blocked in postfix

> On 2016-02-14 18:34, Bill Cole wrote:
>
>> are there any legitimate (non-spam) senders, that would be blocked by 
>> reject_unknown_client_hostname ?
> 
> Do you consider Microsoft's Office365 to be "legitimate?"
> 
> They send substantial non-spam, yet many of their output IPs have PTR 
> addresses which yield addresses which do not resolve back to the 
> original IPs.

sorry for keep dwelling on this, but is there any reason why a legitimate
sender (ie Microsoft) would not use corresponding IP -> hostname -> IP ?

Is there some technical limitation that prevents them from doing it?





Can't get mynetworks to match a specific host

2016-02-15 Thread Michael Sperber

I'm trying to set up a mail relay for a specific host with Postfix, with
little success:

I've got this:

mynetworks = 88.198.58.179/32 127.0.0.0/8 134.2.186.48/32 
u-186-ls048.wi50.uni-tuebingen.de

88.x is the local host, 134.x is the host I'm trying to set up the
relay for, as is the host name.

(First question: Where exactly do I put permit_mynetworks?  I tried
smtpd_client_restrictions and smtpd_recipient_restrictions, similarly to
no avail.)

Whatever I do, I get this:

Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: generic_checks: 
name=permit_mynetworks
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: 
permit_mynetworks: u-186-ls048.wi50.uni-tuebingen.de 134.2.186.48
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostname: 
u-186-ls048.wi50.uni-tuebingen.de ~? 88.198.58.179/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 
134.2.186.48 ~? 88.198.58.179/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostname: 
u-186-ls048.wi50.uni-tuebingen.de ~? 127.0.0.0/8
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 
134.2.186.48 ~? 127.0.0.0/8
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostname: 
u-186-ls048.wi50.uni-tuebingen.de ~? 134.2.186.48/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_hostaddr: 
134.2.186.48 ~? 134.2.186.48/32
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: match_list_match: 
permit_mynetworks: no match
Feb 14 15:32:32 deinprogramm postfix/submission/smtpd[61536]: generic_checks: 
name=permit_mynetworks status=1

Why is there no match?

Any help would be much appreciated!

-- 
Regards,
Mike


Re: Can this sort of spam be easily and safely blocked in postfix

2016-02-15 Thread Karel
> On 2016-02-14 18:34, Bill Cole wrote:
>
>> are there any legitimate (non-spam) senders, that would be blocked by
>> reject_unknown_client_hostname ?
> 
> Do you consider Microsoft's Office365 to be "legitimate?"
> 
> They send substantial non-spam, yet many of their output IPs have PTR
> addresses which yield addresses which do not resolve back to the
> original IPs.

sorry for keep dwelling on this, but is there any reason why a
legitimate sender (ie Microsoft) would not use corresponding IP ->
hostname -> IP ?

Is there some technical limitation that prevents them from doing it?
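
Added example, not part of any post in this thread: the IP -> hostname -> IP check under discussion, written in Python against a constructed in-memory DNS table so it runs offline. It separates the cases that reject_unknown_client_hostname treats as failures (no PTR, no forward record, forward record that does not list the client IP) and compares them with the weaker reverse-only test done by reject_unknown_reverse_client_hostname. All addresses, host names and function names here are constructed; the shared-PTR entry stands in for the wildcard PTR case described in the replies.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, example domains).
PTR = {
    "192.0.2.10": ["mx1.example.org"],
    "192.0.2.11": ["MX1B.Example.ORG."],          # mixed case, trailing dot
    "192.0.2.72": ["mailservers.example.net"],    # shared, wildcard-style PTR
    "192.0.2.99": [],                             # no PTR record
}
ADDR = {
    "mx1.example.org": ["192.0.2.10"],
    "mx1b.example.org": ["192.0.2.11"],
    "mailservers.example.net": ["198.51.100.5"],  # does not list 192.0.2.72
}


class ResolverError(Exception):
    """Temporary DNS failure (timeout, SERVFAIL)."""


def ptr_lookup(ip):
    if ip == "192.0.2.250":                       # constructed failing query
        raise ResolverError("timeout")
    return PTR.get(ip, [])


def addr_lookup(name):
    return ADDR.get(name, [])


def classify_client(ip, ptr=ptr_lookup, addr=addr_lookup):
    """Return verified, no-ptr, no-forward, forward-mismatch or tempfail."""
    client = ipaddress.ip_address(ip)
    try:
        names = ptr(str(client))
        if not names:
            return "no-ptr"
        saw_forward = False
        for name in names:
            addrs = addr(name.rstrip(".").lower())
            saw_forward = saw_forward or bool(addrs)
            # Compare parsed addresses, not strings, so notation cannot differ.
            if any(ipaddress.ip_address(a) == client for a in addrs):
                return "verified"
    except ResolverError:
        return "tempfail"
    return "forward-mismatch" if saw_forward else "no-forward"


def check(ip, strict):
    """strict=True models the full IP -> name -> IP test; strict=False
    models the reverse-only test (a PTR record is enough)."""
    status = classify_client(ip)
    if status == "tempfail":
        return "tempfail"
    if status == "no-ptr":
        return "fail"
    if strict and status != "verified":
        return "fail"
    return "pass"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.72", "192.0.2.99", "192.0.2.250"):
        print(ip, classify_client(ip), check(ip, True), check(ip, False))
```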