Mails in active queue are never tried to be sent

2016-03-14 Thread Pedro David Marco


Hello everybody!!

I am trying to run a filter relay with Postfix and I have a doubt about active 
queues that I need help with, please...

Postfix documentation states clearly that:

"Messages in the active queue are ready to be sent (runnable), but are not 
necessarily in the process of being sent (running)."

On my server I have some emails in the active queue that Postfix never tries to 
send... after some time they go to the deferred queue with no error 
message/indication of any type anywhere!

When I try to force a resend via postqueue -i they go to the active queue again, 
but the smtp process never tries to send them!!!

There is absolutely no log about them, except when I restart Postfix, where I 
just see a qmgr log entry saying that the email is in the active queue... (but 
again, no smtp log at all, even if I increase the debug level)


The weird thing is that it only happens with email from a specific domain 
(domainA) sent to a specific domain (domainZ) so..

mails from domainA -> domainZ            PROBLEM!!
mails from domainA -> any_other_domain   NO PROBLEM!
mails from any_other_domain -> domainZ   NO PROBLEM!

domainZ is using a Symantec gateway behind an F5 load balancer (just in case this 
info may help)


How does Postfix work in this regard? When do they go from "runnable" to 
"running"??
Is there any way to FORCE mails in the active queue to change from "runnable" to 
effectively "running" and force smtp to try to send them??

Thanks in advance!

David.






Re: RHEL / CentOS 7 RPMs

2016-03-14 Thread Peter
On 15/03/16 07:56, Peter wrote:
> On 15/03/16 07:15, Nikolaos Milas wrote:
>> Unfortunately, it seems that GhettoForge is currently (14 March) down
>> (it shows some errors with a backtrace),
> 
> I wasn't aware of that and will get it fixed ASAP.

The ghettoforge site is fixed now, thanks for letting me know.


Peter


Re: MAIL FROM validity

2016-03-14 Thread Sebastian Nielsen
SPF and DKIM are mail tools to prevent spoofing of non-local domains.
The OP was after tools to prevent local spoofing.

One is for example:
1: reject_sender_login_mismatch
2: Other is a check_sender_access table containing "yourdomain.com: 
permit_sasl_authenticated, reject".
3: Another one is reject_unlisted_sender

Of course, all those tools perform a completely different check and they all 
can be used in unison.
1 would prevent all mismatches between login names and MAIL FROM. However, it 
won't prevent an unauthenticated client from sending a spoofed mail from a local 
mailbox X to a local mailbox Y (I think the tables can be set up to enforce this 
for unauthenticated clients too, however).
2: This prevents authenticated senders from sending outside the domain the 
server is authoritative for, but also prevents any unauthenticated client from 
spoofing the MAIL FROM as a local mailbox when sending mail that is targeted to 
a local mailbox.
3: This is a tool that prevents all unknown local addresses from being used as a 
sender.


Another good thing with check_sender_access as described in 2 is that this can 
be used along with IP-based authentication (permit_mynetworks) to enforce that 
only specific domains can be used, and those domains cannot be used as a sender 
by unauthorized individuals, so even if you have SASL disabled, you can still 
enforce certain domains.


-Original message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On behalf of Matthias Fechner
Sent: 14 March 2016 21:05
To: postfix-users@postfix.org
Subject: Re: MAIL FROM validity

On 14.03.2016 at 12:50, Pascal Maes wrote:
> I would like that everybody who is sending mail from outside our network and 
> identified with sasl uses the email address corresponding to the uid.
> The mail should be rejected if the uid and the email address do not match.

I think a good start here is SPF and DKIM.
With this you can enforce that no other email server should accept mails that 
are not delivered over your email servers with your own domains.

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to build 
bigger and better idiot-proof programs, and the universe trying to produce 
bigger and better idiots. So far, the universe is winning." -- Rich Cook



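The following is an added example written for this page, not code from Postfix or from any poster: a small Python model of the three checks compared in the message above (reject_sender_login_mismatch, check_sender_access with the "yourdomain.com permit_sasl_authenticated, reject" entry, and reject_unlisted_sender), paraphrasing their postconf(5) semantics so that the cases each one catches can be tabulated side by side. The domain, the sender-login map, the local address list and the test cases are all constructed, and the model leaves out the "user@" localpart lookup and the other restrictions that would surround these three in a real smtpd_recipient_restrictions.

```python
"""Model of the three MAIL FROM checks compared in the message above.

Added example, not Postfix code: it paraphrases the postconf(5) semantics of
reject_sender_login_mismatch, check_sender_access and reject_unlisted_sender
so the cases each one catches can be tabulated.  All table contents are made up.
"""

LOCAL_DOMAIN = "yourdomain.com"          # constructed

# smtpd_sender_login_maps: MAIL FROM address -> SASL login that owns it (constructed)
SENDER_LOGIN_MAPS = {
    "alice@yourdomain.com": "alice",
    "bob@yourdomain.com": "bob",
}

# Addresses that exist locally, i.e. what reject_unlisted_sender consults (constructed)
LOCAL_ADDRESSES = {"alice@yourdomain.com", "bob@yourdomain.com", "admin@yourdomain.com"}

# The check_sender_access table from the thread: lookup key -> restriction list
SENDER_ACCESS = {"yourdomain.com": ["permit_sasl_authenticated", "reject"]}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _run(restrictions, login):
    """Evaluate an access-table action list; first non-DUNNO verdict wins."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and login is not None:
            return "OK"
        if r == "reject":
            return "REJECT"
    return "DUNNO"


def reject_sender_login_mismatch(sender, login):
    """REJECT when the address has an owner and the client is not logged in as
    that owner, or when the client is logged in but does not own the address."""
    owner = SENDER_LOGIN_MAPS.get(sender.lower())
    if login is None:
        return "REJECT" if owner else "DUNNO"
    return "DUNNO" if owner == login else "REJECT"


def check_sender_access(sender, login):
    """Look up the full address, then the domain and its parent domains, and
    run the action list of the first entry found.  No entry -> DUNNO."""
    labels = _domain(sender).split(".")
    keys = [sender.lower()] + [".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in SENDER_ACCESS:
            return _run(SENDER_ACCESS[key], login)
    return "DUNNO"


def reject_unlisted_sender(sender, login):
    """REJECT a sender in a domain we host that is not a known local address."""
    if _domain(sender) == LOCAL_DOMAIN and sender.lower() not in LOCAL_ADDRESSES:
        return "REJECT"
    return "DUNNO"


CHECKS = {
    "reject_sender_login_mismatch": reject_sender_login_mismatch,
    "check_sender_access": check_sender_access,
    "reject_unlisted_sender": reject_unlisted_sender,
}

# (description, MAIL FROM, SASL login or None): constructed test cases
CASES = [
    ("own address, authenticated",         "alice@yourdomain.com", "alice"),
    ("colleague's address, authenticated", "bob@yourdomain.com",   "alice"),
    ("foreign domain, authenticated",      "alice@example.org",    "alice"),
    ("listed local address, no auth",      "admin@yourdomain.com", None),
    ("unknown local address, no auth",     "ghost@yourdomain.com", None),
    ("foreign domain, no auth",            "someone@example.net",  None),
]


def coverage():
    """Return {case: {check: verdict}} so the complementary coverage is visible."""
    return {desc: {name: fn(sender, login) for name, fn in CHECKS.items()}
            for desc, sender, login in CASES}


if __name__ == "__main__":
    for desc, verdicts in coverage().items():
        print(f"{desc:36} " + "  ".join(f"{n}={v}" for n, v in verdicts.items()))
```

The table the script prints makes the point of the message concrete: only the login-mismatch check stops an authenticated user from sending as a colleague, only the access-table entry stops an unauthenticated client from using a listed local address, and only reject_unlisted_sender complains about a made-up local address on its own, which is why the three are worth stacking rather than choosing between.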


Re: MAIL FROM validity

2016-03-14 Thread Matthias Fechner

On 14.03.2016 at 12:50, Pascal Maes wrote:

I would like that everybody who is sending mail from outside our network and 
identified with sasl uses the email address corresponding to the uid.
The mail should be rejected if the uid and the email address do not match.


I think a good start here is SPF and DKIM.
With this you can enforce that no other email server should accept 
mails that are not delivered over your email servers with your own domains.


Regards
Matthias

--

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook


Re: RHEL / CentOS 7 RPMs

2016-03-14 Thread Peter
On 15/03/16 07:15, Nikolaos Milas wrote:
> Unfortunately, it seems that GhettoForge is currently (14 March) down
> (it shows some errors with a backtrace),

I wasn't aware of that and will get it fixed ASAP.

The repos are still up and those are the important parts:
http://mirror.symnds.com/distributions/gf/el/7/

The -release RPM for CentOS 7 is at:
http://mirror.symnds.com/distributions/gf/el/7/gf/x86_64/gf-release-7-8.gf.el7.noarch.rpm

The latest postfix3 packages are currently in the gf-testing repo (which
you will need to enable with the --enablerepo=gf-testing flag to yum
while installing).  I'm hoping to be able to move them out to gf-plus today.

There is an SRPMS repo with the full sources of all of our packages.


Peter


[OT] Re: Is /usr/bin/mail a link to sendmail/postfix

2016-03-14 Thread Tom Hendrikx
On 14-03-16 17:05, @lbutlr wrote:
> On Mar 13, 2016, at 9:06 AM, Robert Chalmers 
> wrote:
>> Nice hardware, but the software is really recycled FreeBSD. say
>> what?
> 
> This should not be news. One of the reasons I chose FreeBSD for my
> servers was because I wouldn’t have to change modes between OS X and
> my servers.
> 

Hehe,

That is why I run ubuntu on my macbook. :P

Regards,
Tom





Re: RHEL / CentOS 7 RPMs

2016-03-14 Thread Robert Schetterer
On 14.03.2016 at 19:15, Nikolaos Milas wrote:
> Thank you all for the feedback.
> 
> Unfortunately, it seems that GhettoForge is currently (14 March) down
> (it shows some errors with a backtrace), while repo.mailserver.guru does
> not appear to include source rpms (SRPMs). If I am missing something,
> please point me to the right direction.

why not drop a mail to django

see

http://repo.mailserver.guru/

...
Site generated: 2015-03-06 by Django ( mailto link )


> 
> It is important to us to be able to have SRPMs, because we are modifying
> SPEC files to compile with LDAP support against LTB packages
> (http://ltb-project.org/wiki/download#openldap).
> 
> I have also found http://repos.oostergo.net/7/ packages which I have not
> tried yet. I have tried oostergo's RHEL 5 Postfix 3 sRPMs, but I have
> not had good results trying to change compilation options in the spec
> file to fit our build needs. (Yet, I cannot pretend I am the best of
> builders around. If I continue with these sRPMs, I might have to contact
> the author for some assistance.)
> 
> So, the issue still remains open to me.
> 
> All the best,
> Nick
> 



Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: RHEL / CentOS 7 RPMs

2016-03-14 Thread Nikolaos Milas

Thank you all for the feedback.

Unfortunately, it seems that GhettoForge is currently (14 March) down 
(it shows some errors with a backtrace), while repo.mailserver.guru does 
not appear to include source rpms (SRPMs). If I am missing something, 
please point me to the right direction.


It is important to us to be able to have SRPMs, because we are modifying 
SPEC files to compile with LDAP support against LTB packages 
(http://ltb-project.org/wiki/download#openldap).


I have also found http://repos.oostergo.net/7/ packages which I have not 
tried yet. I have tried oostergo's RHEL 5 Postfix 3 sRPMs, but I have 
not had good results trying to change compilation options in the spec 
file to fit our build needs. (Yet, I cannot pretend I am the best of 
builders around. If I continue with these sRPMs, I might have to contact 
the author for some assistance.)


So, the issue still remains open to me.

All the best,
Nick



Re: Postfix logs disordered

2016-03-14 Thread Viktor Dukhovni
On Mon, Mar 14, 2016 at 01:57:35PM +0100, Milan Popovic wrote:

> I am facing an "issue" with logs. I want to process the logs on the fly.
> 
> Postfix ID1 -> Sophos -> Postfix ID2
> 
> I think postfix for performance reasons writes logs after processing
> messages. I can see this kind of situation in my logs :

I can confirm what Wietse said, Postfix logs information as soon
as it is available.  Note that when mail is forwarded over SMTP
there is concurrent activity on the sending and receiving sides.

> Jan  9 08:03:24 smtp1 postfix/smtpd[21740]: 3pcshX6GNMz11r4C: client=
> Jan  9 08:03:25 smtp1 postfix/cleanup[24891]: 3pcshX6GNMz11r4C: 
> message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>
> Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: 
> from=, size=17921, nrcpt=1 (queue active)

Message comes in, and is forwarded for filtering

> Jan  9 08:03:25 smtp1 postfix/smtpd[17088]: 3pcshY5H0dz11r4G: 
> client=localhost.localdomain[127.0.0.1]
> Jan  9 08:03:25 smtp1 postfix/cleanup[24894]: 3pcshY5H0dz11r4G: 
> message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>
> 
> Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: 
> from=, size=19065, nrcpt=1 (queue active)

Post-filter service enqueues message, and responds to pre-filter forwarder.

> Jan  9 08:03:25 smtp1 postfix/smtp[24892]: 3pcshX6GNMz11r4C: 
> to=<...@x.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=1.1, 
> delays=0.45/0/0/0.66, dsn=2.0.0, status=sent (250 OK, sent 
> 5690B0BD_13054_6511_1 3pcshY5H0dz11r4G)
> Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: removed

Pre-filter forwarder logs filter success and deletes the queue file.

> Jan  9 08:03:25 smtp1 postfix/smtp[24895]: 3pcshY5H0dz11r4G: 
> to=<...@x.com>, relay=mailhost1.b2gmom.internal.tld[10.219.4.69]:25, 
> delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.5.0, status=sent (250 2.5.0 Ok, 
> envelope id 0o0o008gublp3...@xxx.internal.tld)
> Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: removed

Postfilter delivery completes and queue file removed.

> My goal is to regroup this information into only one record in
> elasticsearch.

Parse the logs accordingly, all the information you need is there.

-- 
Viktor.


Re: Is /usr/bin/mail a link to sendmail/postfix

2016-03-14 Thread Robert Chalmers
Yes, I moved the Apple /usr/bin/sendmail to /usr/bin/old-sendmail.
Then I created a symlink from my own build of sendmail, /usr/local/bin/sendmail, 
to /usr/bin/sendmail, and now Apple’s mail works as it should.

The original complaint from mail when I moved the /etc/postfix directory to 
/etc/old-postfix was that it could no longer find /etc/postfix/main.cf - … it 
was actually Apple’s sendmail that was looking for it.
Now, my own sendmail knows where to find the config files, in 
/usr/local/etc/postfix.

As far as I know, the only thing using “mail” on my machine is cron, and 
occasionally me when I’m testing something, and it works fine now.


> On 14 Mar 2016, at 16:01, @lbutlr  wrote:
> 
> On Mar 13, 2016, at 12:58 AM, rob...@chalmers.com.au wrote:
>> So I renamed/moved /etc/postfix, to /etc/old-postfix. .which has been ok, 
>> except for 'mail'
>> Eg
>> echo date | mail rob...@chalmers.com 
>> Fails with
>> 'can't find /etc/postfix/main.cf'
>> 
>> It's the only thing that fails. I move old-postfix back to etc/postfix, and 
>> of course it works again.
>> I need 'mail' to work, because it is used by cron if nothing else… 
> 
> Did you replace the default sendmail with a link to your postfix build’s 
> sendmail? This caused me trouble on my FreeBSD machine when sending mail from 
> the command line.
> 
> -- 
> Don't be afraid to be weak, Don't be too proud to be strong.
> 

Robert Chalmers
rob...@chalmers.com .au  Quantum Radio: 
http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11.  
XCode 7.2.1
2TB: Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. 
Lower Bay






Re: Is /usr/bin/mail a link to sendmail/postfix

2016-03-14 Thread @lbutlr
On Mar 13, 2016, at 9:06 AM, Robert Chalmers  wrote:
>  Nice hardware, but the software is really recycled FreeBSD. say what?

This should not be news. One of the reasons I chose FreeBSD for my servers was 
because I wouldn’t have to change modes between OS X and my servers.

-- 
Marriages made in heaven are not exported.



Re: Is /usr/bin/mail a link to sendmail/postfix

2016-03-14 Thread @lbutlr
On Mar 13, 2016, at 12:58 AM, rob...@chalmers.com.au wrote:
> So I renamed/moved /etc/postfix, to /etc/old-postfix. .which has been ok, 
> except for 'mail'
> Eg
> echo date | mail rob...@chalmers.com 
> Fails with
> 'can't find /etc/postfix/main.cf'
> 
> It's the only thing that fails. I move old-postfix back to etc/postfix, and 
> of course it works again.
> I need 'mail' to work, because it is used by cron if nothing else… 

Did you replace the default sendmail with a link to your postfix build’s 
sendmail? This caused me trouble on my FreeBSD machine when sending mail from 
the command line.

-- 
Don't be afraid to be weak, Don't be too proud to be strong.



Re: domainname rewriting issue...

2016-03-14 Thread fschnittke
Morning,

I made a post earlier and Victor pointed me to some documentation. 
Unfortunately I think I did not properly explain the issue, and am still not 
able to get the results I'm looking for. I will try again here, thanks for 
your patience...

We have a large number of machines sending mail to an internal postfix relay. 
So the sender address is in the format of:

sen...@server.domain.com

where server is a variable and can be one of any of 1000 servers, and 
domain.com is not a variable.

What I would like to do is rewrite the address as follows:

sender@server.different_domain.com

I need to keep the subdomain (server) but change the root domain to 
(different_domain.com).

I've tried masquerading and generics table but the best I can come up with is:

sender@different_domain.com

which strips out the subdomain.

Any help would be appreciated.

Thanks,

Frank 
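An added example for the rewrite asked about above, written for this page and not taken from the thread or from Postfix: a dry run of a regexp: table entry that keeps the host label and swaps only the parent domain, so the pattern can be checked on sample addresses before it is loaded. The assumption is that smtp_generic_maps (or sender_canonical_maps) points at a regexp: table containing the single entry shown; the host names and addresses are made up. Postfix substitutes $1/$2 on the right-hand side and matches regexp tables case-insensitively by default, and the script mirrors both.

```python
"""Dry-run a subdomain-preserving sender rewrite before loading it into Postfix.

Added example for the question above; it is not Postfix code and not from the
thread.  Assumption: smtp_generic_maps (or sender_canonical_maps) points at a
regexp: table holding the single entry below, where $1/$2 are the
back-references Postfix substitutes into the right-hand side.
"""
import re

# Hypothetical regexp: table entry.  $1 keeps the local part, $2 keeps the
# host label; only the parent domain is swapped.  Postfix regexp tables match
# case-insensitively by default, so the pattern is compiled that way here.
GENERIC_MAP_ENTRY = (
    r"/^([^@]+)@([^.@]+)\.domain\.com$/  ${1}@${2}.different_domain.com"
)


def parse_regexp_entry(entry):
    """Split a '/pattern/ result' line into a compiled regex and a Python
    replacement template (${n} or $n becomes \\g<n>)."""
    m = re.match(r"^/(?P<pat>.*)/\s+(?P<result>\S+)$", entry)
    if not m:
        raise ValueError(f"not a regexp: table entry: {entry!r}")
    template = re.sub(r"\$\{?(\d+)\}?", lambda b: rf"\g<{b.group(1)}>", m["result"])
    return re.compile(m["pat"], re.IGNORECASE), template


PATTERN, TEMPLATE = parse_regexp_entry(GENERIC_MAP_ENTRY)


def rewrite_sender(address):
    """Return the rewritten address, or the input unchanged when the table
    has no match (a lookup miss leaves the address alone in Postfix too)."""
    m = PATTERN.match(address)
    return m.expand(TEMPLATE) if m else address


if __name__ == "__main__":
    for addr in ("sender@server01.domain.com", "SENDER@Server01.Domain.COM",
                 "sender@domain.com", "sender@server01.notdomain.com",
                 "sender@a.b.domain.com"):
        print(f"{addr:32} -> {rewrite_sender(addr)}")
```

The anchored pattern is deliberately strict: a bare sender@domain.com, a look-alike such as server01.notdomain.com, and a multi-label host name all pass through untouched, and the last case is the one to relax (use `([^@]+)` for $2) if hosts with more than one label exist. masquerade_domains strips subdomains by design, which is why that attempt flattened the address; with around 1000 hosts a regexp: or pcre: table avoids listing each one, and `postmap -q "sender@server01.domain.com" regexp:/etc/postfix/generic` confirms the real table gives the same answer as this script.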

 

Re: OT yahoo

2016-03-14 Thread @lbutlr
On Mar 13, 2016, at 10:52 AM, Curtis Villamizar  
wrote:
> Are you saying they only looked at the primary NS record?

That’s my theory, yes.

> Maybe I misread a prior post but I thought you meant primary MX record.  The
> former, if true, would be even more broken.

This is Yahoo.

Basically what happened is we moved our machines from a Comcast business 
connection to a 1000bT fiber connection with CenturyLink. We left one of the 
machines (the primary name server) on the Comcast connection with a fixed IP 
and put everything else on the gigabit.

Someone made a change to the service plan with Comcast and in the process 
dropped the IP pool with Comcast, so NS1 went offline.

The other two DNS servers on the gigabit connection were fine, and everything 
was working with the email except we started to get complaints that users were 
not getting mail from yahoo users.

Since updating the NS records to reflect only the new IP pool, yahoo mail has 
started to come in (not that we ever got much mail from yahoo anyway).

The only thing that has changed is that NS1 is responding to DNS lookups now, 
so I have to think that Yahoo was only looking at NS1 and never checking the 
secondary and tertiary DNS servers.

This would not surprise me. I seem to recall years ago that Yahoo would never 
send mail to our backup MX, back when we had such a thing.

-- 
Far away, across the fields, the tolling of the iron bell calls the
faithful to their knees to hear the softly spoken magic spells.



Re: Postfix logs disordered

2016-03-14 Thread Milan Popovic
Hi and thank you Wietse for your quick reply.

Correct me if I am wrong but you said that :

before-filter smtp logs that mail is delivered
before-filter qmgr logs that the file is deleted
after-filter qmgr logs sender and number of recipients

and in my case it's not :

Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: from=<
yy...@yyy.no>, size=19065, nrcpt=1 (queue active)

Jan  9 08:03:25 smtp1 postfix/smtp[24892]: 3pcshX6GNMz11r4C: to=<
...@x.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=1.1,
delays=0.45/0/0/0.66, dsn=2.0.0, status=sent (250 OK, sent
5690B0BD_13054_6511_1 3pcshY5H0dz11r4G)

Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: removed

It looks like :

after-filter qmgr logs sender and number of recipients
before-filter smtp logs that mail is delivered
before-filter qmgr logs that the file is deleted



2016-03-14 14:33 GMT+01:00 Wietse Venema :

> Milan Popovic:
> > Hi,
> >
> > I am developing a parser for postfix which interacts with logstash and
> > elasticsearch. The architecture uses Sophos puremessage for
> > antispam/antivirus.
> > I am facing an "issue" with logs. I want to process the logs on the fly.
> > When a message comes into the system, postfix processes it, sends it to
> > Sophos and then Sophos sends it back to postfix.
> >
> > Postfix ID1 -> Sophos -> Postfix ID2
> >
> > I think postfix for performance reasons writes logs after processing
> > messages.
>
> No, Postfix logs information as soon as it is available, so that
> no logging will be lost when a process crashes.
>
> This is the order that you should see:
>
> before-filter smtpd logs the start of a mail transaction
> before-filter cleanup logs some content info
> before-filter qmgr logs sender and number of recipients
> [content filter logging goes here]
> after-filter smtpd logs the start of a mail transaction
> after-filter cleanup logs some content info
> before-filter smtp logs that mail is delivered
> before-filter qmgr logs that the file is deleted
> after-filter qmgr logs sender and number of recipients
> after-filter smtp logs that mail is delivered
> after-filter qmgr logs that the file is deleted
>
>
> Wietse
>


Re: Postfix logs disordered

2016-03-14 Thread Wietse Venema
Milan Popovic:
> Hi,
> 
> I am developing a parser for postfix which interacts with logstash and
> elasticsearch. The architecture uses Sophos puremessage for
> antispam/antivirus.
> I am facing an "issue" with logs. I want to process the logs on the fly.
> When a message comes into the system, postfix processes it, sends it to
> Sophos and then Sophos sends it back to postfix.
> 
> Postfix ID1 -> Sophos -> Postfix ID2
> 
> I think postfix for performance reasons writes logs after processing
> messages. 

No, Postfix logs information as soon as it is available, so that
no logging will be lost when a process crashes.

This is the order that you should see:

before-filter smtpd logs the start of a mail transaction
before-filter cleanup logs some content info
before-filter qmgr logs sender and number of recipients
[content filter logging goes here]
after-filter smtpd logs the start of a mail transaction
after-filter cleanup logs some content info
before-filter smtp logs that mail is delivered
before-filter qmgr logs that the file is deleted
after-filter qmgr logs sender and number of recipients
after-filter smtp logs that mail is delivered
after-filter qmgr logs that the file is deleted


Wietse


Postfix logs disordered

2016-03-14 Thread Milan Popovic
Hi,

I am developing a parser for postfix which interacts with logstash and
elasticsearch. The architecture uses Sophos puremessage for
antispam/antivirus.
I am facing an "issue" with logs. I want to process the logs on the fly.
When a message comes into the system, postfix processes it, sends it to
Sophos and then Sophos sends it back to postfix.

Postfix ID1 -> Sophos -> Postfix ID2

I think postfix for performance reasons writes logs after processing
messages. I can see this kind of situation in my logs :


Jan  9 08:03:24 smtp1 postfix/smtpd[21740]: 3pcshX6GNMz11r4C: client=
Jan  9 08:03:25 smtp1 postfix/cleanup[24891]: 3pcshX6GNMz11r4C:
message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>

Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: from=<
y...@yyy.no>, size=17921, nrcpt=1 (queue active)
Jan  9 08:03:25 smtp1 postfix/smtpd[17088]: 3pcshY5H0dz11r4G:
client=localhost.localdomain[127.0.0.1]
Jan  9 08:03:25 smtp1 postfix/cleanup[24894]: 3pcshY5H0dz11r4G:
message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>

Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: from=<
yy...@yyy.no>, size=19065, nrcpt=1 (queue active)
Jan  9 08:03:25 smtp1 postfix/smtp[24892]: 3pcshX6GNMz11r4C: to=<
...@x.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=1.1,
delays=0.45/0/0/0.66, dsn=2.0.0, status=sent (250 OK, sent
5690B0BD_13054_6511_1 3pcshY5H0dz11r4G)
Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: removed
Jan  9 08:03:25 smtp1 postfix/smtp[24895]: 3pcshY5H0dz11r4G: to=<
...@x.com>, relay=mailhost1.b2gmom.internal.tld[10.219.4.
69]:25, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.5.0, status=sent (250
2.5.0 Ok, envelope id 0o0o008gublp3...@xxx.internal.tld)
Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: removed


My goal is to regroup this information into only one record in
elasticsearch, so I use "(250 OK, sent 5690B0BD_13054_6511_1
3pcshY5H0dz11r4G)" to follow the message until the end of the process.
Unfortunately the second Postfix ID is logged before this information.

Can you help me with this issue?


Thanks for your replies :)

Regards.

nebojsa
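One way to do the regrouping this thread is about, as an added example (my code, not Postfix's and not the poster's logstash pipeline): buffer every line by queue id, record the hand-off where the pre-filter smtp client's 250 reply from the re-injection port carries the post-filter queue id, and emit one record only once every id in the chain has been logged as removed. Built that way the parser does not care that the post-filter qmgr line lands before the pre-filter smtp line, which is the ordering Viktor and Wietse explain above. The sample log is reconstructed from the lines quoted in this thread, with the masked addresses replaced by placeholders, and the re-injection port 10025 is taken from those lines.

```python
"""Stitch a pre-filter and a post-filter Postfix queue id into one record.

Added example for the log-ordering discussion in this thread; it is not
Postfix code and not the poster's logstash parser.  The sample log is
reconstructed from the lines quoted in the thread, with the masked addresses
replaced by placeholders.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan  9 08:03:24 smtp1 postfix/smtpd[21740]: 3pcshX6GNMz11r4C: client=mail.yyy.no[192.0.2.10]
Jan  9 08:03:25 smtp1 postfix/cleanup[24891]: 3pcshX6GNMz11r4C: message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>
Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: from=<user@yyy.no>, size=17921, nrcpt=1 (queue active)
Jan  9 08:03:25 smtp1 postfix/smtpd[17088]: 3pcshY5H0dz11r4G: client=localhost.localdomain[127.0.0.1]
Jan  9 08:03:25 smtp1 postfix/cleanup[24894]: 3pcshY5H0dz11r4G: message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>
Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: from=<user@yyy.no>, size=19065, nrcpt=1 (queue active)
Jan  9 08:03:25 smtp1 postfix/smtp[24892]: 3pcshX6GNMz11r4C: to=<victim@x.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=1.1, delays=0.45/0/0/0.66, dsn=2.0.0, status=sent (250 OK, sent 5690B0BD_13054_6511_1 3pcshY5H0dz11r4G)
Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: removed
Jan  9 08:03:25 smtp1 postfix/smtp[24895]: 3pcshY5H0dz11r4G: to=<victim@x.com>, relay=mailhost1.b2gmom.internal.tld[10.219.4.69]:25, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.5.0, status=sent (250 2.5.0 Ok, envelope id 0o0o008gublp3@xxx.internal.tld)
Jan  9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
# status=... comes last and its reply text contains commas, so peel it off first.
STATUS_RE = re.compile(r"status=(?P<status>\w+) \((?P<reply>.*)\)$")
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")


def parse_fields(rest):
    """Turn 'to=<a>, relay=b, ..., status=sent (reply)' into a dict."""
    fields = {}
    m = STATUS_RE.search(rest)
    if m:
        fields["status"], fields["reply"] = m["status"], m["reply"]
        rest = rest[: m.start()]
    for key, value in KV_RE.findall(rest):
        fields[key] = value.strip("<>")
    return fields


def correlate(lines, filter_port=10025):
    """Return one merged record per message whose whole chain of queue ids
    has been 'removed'.  Everything is buffered by queue id first and joined
    afterwards, so the order in which the lines arrive does not matter."""
    msgs = defaultdict(dict)   # queue id -> fields seen for it
    link = {}                  # pre-filter id -> post-filter id
    removed = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, prog, rec = m["qid"], m["prog"], msgs[m["qid"]]
        if m["rest"] == "removed":
            removed.add(qid)
            continue
        if prog == "smtpd":                 # start of the mail transaction
            rec["received_at"] = m["ts"]
        f = parse_fields(m["rest"])
        # The hand-off: the pre-filter smtp client delivering to the filter's
        # re-injection port gets the post-filter queue id back in the 250 reply.
        if (prog == "smtp" and f.get("status") == "sent"
                and f.get("relay", "").endswith(f":{filter_port}")):
            link[qid] = f["reply"].rsplit(" ", 1)[-1]
            rec["filter_reply"] = f["reply"]
        else:
            rec.update(f)

    out = []
    for head in (q for q in msgs if q not in link.values()):
        chain = [head]
        while chain[-1] in link:
            chain.append(link[chain[-1]])
        if not all(q in removed for q in chain):
            continue                        # still in flight: keep buffering
        first, last = msgs[head], msgs[chain[-1]]
        out.append({
            "queue_ids": chain,
            "received_at": first.get("received_at"),
            "client": first.get("client"),
            "message_id": first.get("message-id"),
            "filter_reply": first.get("filter_reply"),
            "from": last.get("from"),
            "to": last.get("to"),
            "relay": last.get("relay"),
            "dsn": last.get("dsn"),
            "status": last.get("status"),
            "reply": last.get("reply"),
        })
    return out


if __name__ == "__main__":
    for record in correlate(SAMPLE_LOG.splitlines()):
        print(record)
```

Two design choices matter for an on-the-fly pipeline. The hand-off is keyed on the relay being the content_filter re-injection port rather than on the words "OK, sent", because the final delivery's 250 reply from the real next hop also ends in a token (here an envelope id) that a looser match would mistake for a queue id. And a chain is flushed only when every id in it has been "removed", so a message still sitting with the filter, or one the post-filter instance deferred, stays buffered instead of producing a half-record; in a long-running parser, pair that with a time-out so abandoned ids do not accumulate.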


Re: MAIL FROM validity

2016-03-14 Thread Sebastian Nielsen
The rule is still a good idea to have even if you have a rule to reject a SASL 
mismatch, because the suggested rule also rejects mail which has a spoofed 
local sender destined for a local mailbox.
Something that none of the standard rules can enforce.

-Original message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On behalf of Pascal Maes
Sent: 14 March 2016 12:50
To: postfix-users@postfix.org
Subject: Re: MAIL FROM validity


> On 12 March 2016 at 17:28, @lbutlr wrote:
> 
> On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen  wrote:
>> Create a file containing the following (where yourdomain.com is the 
>> domain your authenticated users send from):
>> 
>> yourdomain.com: permit_sasl_authenticated, reject
>> 
>> postmap the file.
>> 
>> Then use:
>>  smtpd_recipient_restrictions =
>>  ...
>>  check_sender_access hash:/path/to/file
>>  ...
>> 
>> Note that permit_sasl_authenticated is removed from the recipient 
>> restrictions, because that is handled by check_sender_access.
>> 
>> This will give two-fold security:
>> Anyone that is authenticated, MUST use your domain to take advantage 
>> of authentication. Eg, if they send a mail from lets say 
>> some...@someotherdomain.com it will be "relay rejected" even if they 
>> authenticate.
>> 
>> Also, the second "reject" in the map file, will force-reject anyone 
>> that attempts to use "yourdomain.com" as sender without 
>> authentication, causes everyone who tries to send a mail with your 
>> domain as sender, into a local mailbox, example:
>> 
>> MAIL FROM: ad...@yourdomain.com
>> RCPT TO: vic...@yourdomain.com
>> 
>> That sender will then be rejected with the reason that the sender 
>> address is invalid, UNLESS they authenticate before.
> 
> Any comments on the advisability and utility of this method? At first blush it 
> seems a bit too good to be true.
> 
> What’s the catch?
> 

Well, perhaps it's working fine but it's not what I want.


I would like that everybody who is sending mail from outside our network and 
identified with sasl uses the email address corresponding to the uid.
The mail should be rejected if the uid and the email address do not match.


--
Pascal









Re: MAIL FROM validity

2016-03-14 Thread Pascal Maes

> On 12 March 2016 at 17:28, @lbutlr wrote:
> 
> On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen  wrote:
>> Create a file containing the following (where yourdomain.com is the domain
>> your authenticated users send from):
>> 
>> yourdomain.com: permit_sasl_authenticated, reject
>> 
>> postmap the file.
>> 
>> Then use:
>>  smtpd_recipient_restrictions =
>>  ...
>>  check_sender_access hash:/path/to/file
>>  ...
>> 
>> Note that permit_sasl_authenticated is removed from the recipient
>> restrictions, because that is handled by check_sender_access.
>> 
>> This will give two-fold security:
>> Anyone that is authenticated, MUST use your domain to take advantage of
>> authentication. Eg, if they send a mail from lets say
>> some...@someotherdomain.com it will be "relay rejected" even if they
>> authenticate.
>> 
>> Also, the second "reject" in the map file, will force-reject anyone that
>> attempts to use "yourdomain.com" as sender without authentication, causes
>> everyone who tries to send a mail with your domain as sender, into a local
>> mailbox, example:
>> 
>> MAIL FROM: ad...@yourdomain.com
>> RCPT TO: vic...@yourdomain.com
>> 
>> That sender will then be rejected with the reason that the sender address is
>> invalid, UNLESS they authenticate before.
> 
> Any comments on the advisability and utility of this method? At first blush it 
> seems a bit too good to be true.
> 
> What’s the catch?
> 

Well, perhaps it's working fine but it's not what I want.


I would like that everybody who is sending mail from outside our network and 
identified with sasl uses the email address corresponding to the uid.
The mail should be rejected if the uid and the email address do not match.


-- 
Pascal