Re: MIME header checks matching

2017-06-14 Thread Alex
Hi,

On Wed, Jun 14, 2017 at 2:41 PM, Andreas Schamanek
 wrote:
>
> On Wed, 14 Jun 2017, at 12:34, Noel Jones wrote:
>
>> > I have a series of mime patterns to automatically reject file types
>> > including com, bat, exe, etc. It appears one pattern is matching
>> > incorrectly, ...
>>
>> Rather than try to debug your expression, I'll refer you to the nice
>> example on the header_checks man page.  That example was updated not
>> too long ago to fix a similar false positive.
>> http://www.postfix.org/header_checks.5.html
>
> BTW, I know it's just an example, but it's so wonderfully extensive
> that I feel like suggesting to add the frequently abused `.jar` to the
> regex.

Thanks very much for this. I've started with the example in
header_checks and expanded it further to include a few other
extensions like jar and dotm.


Re: Inbound TLS Certificate SAN Verification

2017-06-14 Thread Viktor Dukhovni
On Wed, Jun 14, 2017 at 08:47:31PM +, Osama Al-Hassani wrote:

> When verifying client certificates we are only able to receive CN data,
> and cannot get a hold of the SANs.  The request data sent to the policy
> server does not contain any SAN attributes.

That's correct.  The subject alternative names of client certificates
are not exposed via the policy protocol.

> Is there a way to achieve this, possibly via  a configuration parameter?

No.

-- 
Viktor.


Re: Outbound TLS Certificate Verification

2017-06-14 Thread Viktor Dukhovni
On Wed, Jun 14, 2017 at 09:12:20PM +, Osama Al-Hassani wrote:

> When verifying server certificates on outbound connections, it seems we
> are unable to verify the IP addresses part of the SANs field. We are able to
> verify IPs in CNs.

Email is sent to addresses of the form ,
where the "domain-part" is a DNS domain, not an IP address.  The SMTP
server is either an MX host, or the domain itself, in the absence
of MX records.   Bare IP addresses are not valid in MX records.
Most mail systems will not accept email to addresses of the form
 (ip-address domain-literals).

> What is the reasoning behind this behaviour?

No useful security results from verifying IP addresses in certificates
for TLS connections to DNS hosts.  Certificates with IP addresses
are for IPsec, not for TLS with SMTP.

Postfix supports DNS subject alternative names:

https://www.postfix.org/TLS_README.html#client_tls_secure
https://www.postfix.org/TLS_README.html#client_tls_dane

-- 
Viktor.


Inbound TLS Certificate SAN Verification

2017-06-14 Thread Osama Al-Hassani
Hi all,

I have an enquiry regarding SAN verification when enforcing TLS on inbound 
connections.

When verifying client certificates we are only able to receive CN data, and 
cannot get a hold of the SANs.  The request data sent to the policy server does 
not contain any SAN attributes.

Is there a way to achieve this, possibly via  a configuration parameter?

Many thanks,
Osama






Re: MIME header checks matching

2017-06-14 Thread Andreas Schamanek

On Wed, 14 Jun 2017, at 12:34, Noel Jones wrote:

> > I have a series of mime patterns to automatically reject file types
> > including com, bat, exe, etc. It appears one pattern is matching
> > incorrectly, ...
> 
> Rather than try to debug your expression, I'll refer you to the nice 
> example on the header_checks man page.  That example was updated not 
> too long ago to fix a similar false positive. 
> http://www.postfix.org/header_checks.5.html

BTW, I know it's just an example, but it's so wonderfully extensive 
that I feel like suggesting to add the frequently abused `.jar` to the 
regex.

-- 
-- Andreas

:-)



Re: PLEASE! httpd and maildrop

2017-06-14 Thread Noel Jones
On 6/14/2017 12:52 PM, Homer Wilson Smith wrote:
> 
>How exactly does httpd drop mail into maildrop hundreds
> per minutes and I can't find any process at all that indicates this
> is going on even while it is going on.
> 
>Homer
> 
> 
> 
> Homer Wilson Smith   Clean Air, Clear Water,Art Matrix - Lightlink
> (607) 277-0959   A Green Earth, and Peace,  Internet, Ithaca NY
> ho...@lightlink.com  Is that too much to ask?  
> http://www.lightlink.com


Usually this is caused by an insecure web form calling the sendmail
command.

You'll need to go through your httpd logs to find what form is being
abused, and either fix that form or remove it.

A temporary fix is to disallow whatever user httpd runs as from using
the sendmail command:
# main.cf
authorized_submit_users = !www, static:all

Where www  is the user your httpd runs as.
http://www.postfix.org/postconf.5.html#authorized_submit_users

Of course the other temporary fix is to turn off the httpd service.




  -- Noel Jones
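One way to do the log review suggested above, as an added example (not code from the thread): it pairs each postfix/pickup line for the web server's uid with POST requests logged a few seconds earlier and ranks the request paths. The log lines, uid 48, the request paths and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# postfix/pickup logs one line per message taken from the maildrop directory,
# together with the numeric uid of the local submitter.
PICKUP = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
    r"(\w+): uid=(\d+) from=<[^>]*>")
# Apache common/combined log format: client, timestamp, method, request path.
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\s\]]+)[^\]]*\] "(\S+) ([^\s?"]+)')


def correlate(maillog, accesslog, uid, year, window=5):
    """Match pickup events of `uid` to POST requests seen up to `window`
    seconds earlier. Returns (Counter of request paths, unexplained queue IDs).
    Both logs are assumed to be written in the same local time zone."""
    posts = []
    for line in accesslog:
        m = ACCESS.match(line)
        if m and m.group(3) == "POST":
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            posts.append((when, m.group(4)))
    paths, unexplained = Counter(), []
    for line in maillog:
        m = PICKUP.match(line)
        if not m or int(m.group(3)) != uid:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        near = {path for t, path in posts
                if timedelta(0) <= when - t <= timedelta(seconds=window)}
        if near:
            paths.update(near)      # count each candidate path once per message
        else:
            unexplained.append(m.group(2))
    return paths, unexplained


# Constructed sample data; uid 48 stands in for the httpd user.
MAILLOG = """\
Jun 13 04:28:39 adore postfix/pickup[2211]: 1A2B3C4D5E: uid=48 from=<apache>
Jun 13 04:28:40 adore postfix/pickup[2211]: 2B3C4D5E6F: uid=48 from=<apache>
Jun 13 04:28:41 adore postfix/pickup[2211]: 3C4D5E6F70: uid=0 from=<root>
Jun 13 04:31:02 adore postfix/pickup[2211]: 4D5E6F7081: uid=48 from=<apache>
""".splitlines()
ACCESSLOG = """\
198.51.100.7 - - [13/Jun/2017:04:28:38 -0400] "POST /contact/send.php HTTP/1.1" 200 431
198.51.100.7 - - [13/Jun/2017:04:28:40 -0400] "POST /contact/send.php?x=1 HTTP/1.1" 200 431
203.0.113.9 - - [13/Jun/2017:04:28:40 -0400] "GET /index.html HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    paths, unexplained = correlate(MAILLOG, ACCESSLOG, uid=48, year=2017)
    for path, count in paths.most_common():
        print(f"{count:5d} submissions follow POST {path}")
    print("no POST nearby:", ", ".join(unexplained) or "none")
```

Queue IDs reported as unexplained point away from a web form and toward another process or cron job running as that user.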


Postfix stable release 3.2.2 and legacy releases 3.1.6, 3.0.10 and 2.11.10

2017-06-14 Thread Wietse Venema
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.2.html]

This announcement (June 13, 2017) includes changes that were released
with an earlier update (June 10, 2017). The announcement was postponed
to avoid confusion due to repeated notification.

Fixed in all supported releases:

  * Security: Berkeley DB versions 2 and later try to read settings
from a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting in
privilege escalation with Postfix set-gid programs (postdrop,
postqueue) before they chdir to the Postfix queue directory,
and with the postmap and postalias commands depending on whether
the user's current directory is writable by other users. This
fix does not change Postfix behavior for Berkeley DB versions
< 3, but it does reduce postmap and postalias 'create' performance
with Berkeley DB versions 3.0 .. 4.6.

Fixed in Postfix 3.2 and later:

  * The SMTP server receive_override_options were not restored at
the end of an SMTP session, after the options were modified by
an smtpd_milter_maps setting of "DISABLE". Milter support
remained disabled for the life time of the smtpd process.

  * After the Postfix 3.2 address/domain table lookup overhaul, the
check_sender_access and check_recipient_access features ignored
a non-default parent_domain_matches_subdomains setting.

Fixed in Postfix 3.1 and later:

  * Compatibility: some Milter applications do not recognize
single-character macro names when Postfix sends these as {name}.
Postfix now sends such macros without {} as it has done
historically.

Fixed in Postfix 3.0 and later:

  * Compatibility: prevent MIME downgrade of Postfix-generated
message/delivery status. It's supposed to be 7bit, therefore
quoted-printable encoding is not expected, and can result in
users seeing garbled non-delivery reports.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


Re: PLEASE! httpd and maildrop

2017-06-14 Thread Wietse Venema
Homer Wilson Smith:
> 
> How exactly does httpd drop mail into maildrop hundreds
> per minutes and I can't find any process at all that indicates this
> is going on even while it is going on.

It invokes /usr/sbin/sendmail. See also:

http://www.postfix.org/postconf.5.html#authorized_submit_users

Wietse


PLEASE! httpd and maildrop

2017-06-14 Thread Homer Wilson Smith


   How exactly does httpd drop mail into maildrop hundreds
per minutes and I can't find any process at all that indicates this
is going on even while it is going on.

   Homer


Homer Wilson Smith   Clean Air, Clear Water,Art Matrix - Lightlink
(607) 277-0959   A Green Earth, and Peace,  Internet, Ithaca NY
ho...@lightlink.com  Is that too much to ask?   http://www.lightlink.com


Re: R: Client host rejected: Access denied

2017-06-14 Thread Wietse Venema
Scappatura Rocco:
> > smtpd_recipient_restrictions = 
> >  ...
> >  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> >  ...
> 
> Hello,
> 
> indeed I can't figure out why the check above can cause the error:
> 
> "Client host rejected: Access denied"
> ...
> Here complete error received by the sender:
> 
> :
> 554: 5.7.1 : Client host 
> rejected: Access denied

You can use the postmap command to simulate the queries that
check_client_access makes:

postmap -q 87.248.110.34 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q 87.248.110 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q 87.248 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q 87 proxy:mysql:/etc/postfix/mysql-check-client-access.cf

And for the domain name queries that check_client_access makes:

postmap -q sonic307-9.consmr.mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q consmr.mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q com proxy:mysql:/etc/postfix/mysql-check-client-access.cf

If any of those queries returns a result, then that is the action
that Postfix will execute.

Wietse
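A dry run of that simulation, added here as an example (not code from the thread): it generates the keys listed above and feeds each one to a Python model of the SELECT from the original post. The table rows are constructed, and `inet_aton` models MySQL's handling of short-form addresses as an assumption; the thread does not say which key, if any, matched, and the real `postmap -q` commands give the authoritative answer.

```python
def lookup_keys(client_ip, client_name):
    """Keys in the order of the message above: the address, the networks
    obtained by stripping trailing octets, the host name, its parent domains."""
    octets = client_ip.split(".")
    keys = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    labels = client_name.split(".")
    return keys + [".".join(labels[i:]) for i in range(len(labels))]


def inet_aton(text):
    """Assumed model of MySQL INET_ATON(): None (NULL) for anything that is
    not dotted decimal; short forms keep the last part as the low byte,
    so '87.248' becomes 87.0.0.248."""
    parts = text.split(".")
    if len(parts) > 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        return None
    high = 0
    for p in parts[:-1]:
        high = (high << 8) | int(p)
    return (high << (8 * (5 - len(parts)))) | int(parts[-1])


def run_query(rows, key):
    """The SELECT from the post: compare the masked values, then
    ORDER BY mask DESC LIMIT 1 (mask compared as a string).
    A NULL key matches no row."""
    k = inet_aton(key)
    if k is None:
        return None
    hits = [(mask, action) for ip, mask, action in rows
            if inet_aton(ip) & inet_aton(mask) == k & inet_aton(mask)]
    return max(hits)[1] if hits else None


def simulate(client_ip, client_name, rows):
    """Return {key: action} for every lookup key whose query returns a row."""
    results = {}
    for key in lookup_keys(client_ip, client_name):
        action = run_query(rows, key)
        if action is not None:
            results[key] = action
    return results


# Constructed rows (ip, mask, action); not the poster's table.
ACCESS_ROWS = [
    ("192.0.2.0", "255.255.255.0", "OK"),
    ("87.0.0.0", "255.255.0.0", "REJECT"),
]

if __name__ == "__main__":
    client = ("87.248.110.34", "sonic307-9.consmr.mail.ir2.yahoo.com")
    for key in lookup_keys(*client):
        print(f"{key:40} -> {run_query(ACCESS_ROWS, key)}")
```

With these rows the full address returns nothing, while the partial key `87.248` is read as 87.0.0.248 and returns REJECT from a rule written for a different network.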


Re: MIME header checks matching

2017-06-14 Thread Noel Jones
On 6/14/2017 7:16 AM, Alex wrote:
> Hi,
> 
> I have a series of mime patterns to automatically reject file types
> including com, bat, exe, etc. It appears one pattern is matching
> incorrectly, and I could use some help making it more accurate. I
> don't know if it's something yahoo is doing to their outgoing mail or
> the result of this user's mail client.
> 
> It appears the question marks are not in the proper place? We'd like
> to continue to permit PDF files, but obviously reject com, not the
> icloud.com that appears to be part of it.
> 
> Jun 14 05:07:13 mail01 postfix/cleanup[1177]: F3AF86800C808: reject:
> header Content-Type: application/pdf;??name="Prelim
> 14.06.17.pdf";??x-apple-part-url="68bd2f96-e01f-42c7-90f4-fa3d6776a...@icloud.com"
> from nm3-vm6.bullet.mail.ne1.yahoo.com[98.138.91.96];
> from= to= proto=ESMTP
> helo=: 5.7.1 content8
> 
> /^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.com"?;?$/
> REJECT content8
> 
> Thanks,
> Alex
> 


Rather than try to debug your expression, I'll refer you to the nice
example on the header_checks man page.  That example was updated not
too long ago to fix a similar false positive.
http://www.postfix.org/header_checks.5.html


  -- Noel Jones
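Why the pattern quoted above rejects the PDF, shown as an added example (not part of the thread and not the pattern from the header_checks man page): the greedy `.*` after `name=` runs across the folded header into `x-apple-part-url`, whose value ends in `.com"`. `TIGHTENED`, the extension list and the sample headers are assumptions of this sketch, and the message-specific part of the logged URL is replaced by a constructed value.

```python
import re

# Postfix regexp: tables ignore case, and "." also matches the newline inside
# a folded header (the logged match spans the "??" folds). re.I | re.S
# approximates that behaviour here.
FLAGS = re.IGNORECASE | re.DOTALL

# Pattern from the post, with [[:space:]] written as \s for Python's re module.
ORIGINAL = re.compile(
    r'^(Content-(Type|Disposition)\:|\s+).*(file)?name="?.*\.com"?;?$', FLAGS)

# Hypothetical tightened pattern: the extension must end the value of the
# name/filename parameter itself, so a match cannot run into later parameters.
EXTS = r"(?:com|bat|exe)"
TIGHTENED = re.compile(
    r'^Content-(?:Type|Disposition):.*\b(?:file)?name\s*=\s*(?:'
    rf'"[^"]*\.{EXTS}"'        # quoted value: must end right at the closing quote
    rf'|[^";\s]*\.{EXTS}'      # bare value: ends at ";" or whitespace
    r')\s*(?:;|$)', FLAGS)

# Constructed sample headers, already unfolded the way header_checks sees them.
SAMPLES = {
    "pdf_with_icloud_part_url": (
        'Content-Type: application/pdf;\n\tname="Prelim 14.06.17.pdf";\n'
        '\tx-apple-part-url="00000000-constructed@icloud.com"'),
    "double_extension":
        'Content-Disposition: attachment;\n\tfilename="invoice.pdf.com"',
    "bare_exe": "Content-Type: application/octet-stream; name=setup.exe",
    "semicolon_in_name":
        'Content-Type: application/octet-stream; name="a;b.com"',
}


def verdicts(header):
    """Return (original_rejects, tightened_rejects) for one logical header."""
    return bool(ORIGINAL.search(header)), bool(TIGHTENED.search(header))


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        original, tightened = verdicts(header)
        print(f"{label:26} original={original!s:5} tightened={tightened}")
```

File names hidden by RFC 2047 or RFC 2231 encoding are outside what either pattern sees.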


Re: postfix client closing connection (email delivery) if one of multiple recipients failed/filtered

2017-06-14 Thread Noel Jones
On 6/14/2017 3:28 AM, Zalezny Niezalezny wrote:
> Hi,
> 
> I have exactly the same problem as described here in that post and I
> do not know what to do.
> 
> http://postfix.1071664.n5.nabble.com/Customize-configure-postfix-with-multiple-recipients-td45030.html
> 
> In our network we are relaying messages using Postfix.

In that thread, the problem turned out to not be postfix, and the
fix wasn't in postfix.

It's likely that the problem you're experiencing isn't from postfix
either.

Please read that whole thread. After that, if you still need help,
please show us your "postconf -n" and log entries demonstrating the
problem.



  -- Noel Jones



> 
> When our application sending a message with
> From: b...@bla.com 
> To: va...@domain.com ;
> discard_that_em...@domain.com 
> 
> 
> 
> application -> local MTA -> LAN relay 1 -> Lan relay 2 -> Ironport
> -> internet
> 
> 
> 
> The Problem is on the "LAN relay 1" and "LAN relay 2" where Postfix
> client from relay1 closing connection if one of the recipient needs
> to be discarded.
> 
> 
> How to configure Postfix client on "LAN relay 1" to not closed
> connection if one of the recipient is filtered or not_valid on the
> "LAN relay 2" ? Why Postfix discarding complete message then ?
> 
> 
> 
> Thanks in advance for Your support
> 
> 
> Cheers
> 
> Zalezny
> 
> 



R: Client host rejected: Access denied

2017-06-14 Thread Scappatura Rocco
> smtpd_recipient_restrictions = 
>  ...
>  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>  ...

Hello,

indeed I can't figure out why the check above can cause the error:

"Client host rejected: Access denied"

In my mysql 'postfix' database, I have a simple 'access' table with 3 columns: 
ip, mask, action.

The query for check SMTP relay is:

"select action from access where inet_aton(ip) & inet_aton(mask) = 
inet_aton('%s') & inet_aton(mask) order by mask DESC limit 0,1;"

Basically, it returns OK, REJECT or no row.

In the specific case of the error that I have described in this post, the query 
returns no row.

Here complete error received by the sender:

:
554: 5.7.1 : Client host 
rejected: Access denied

--- Below this line is a copy of the message.

Received: from sonic.gate.mail.ne1.yahoo.com by 
sonic307.consmr.mail.ir2.yahoo.com with HTTP; Tue, 13 Jun 2017 15:05:44 +
Date: Tue, 13 Jun 2017 15:05:43 + (UTC)
From: Simone Ponzalli 
Reply-To: aaa bbb 
To: ccc ddd
Message-ID: <181962051.1748157.1497366343...@mail.yahoo.com>
In-Reply-To: <238047808.15096818.1497366240...@mail.yahoo.com>
References: <1102451666.15045904.1497363867233@mail.yahoo.com> 
<1102451666.15045904.1497363867...@mail.yahoo.com> 
<238047808.15096818.1497366240...@mail.yahoo.com>
Subject: I: xxx
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="=_Part_1748156_1137968452.1497366343412"
X-Mailer: WebService/1.1.9778 YahooMailNeo Mozilla/5.0 (Windows NT 6.1) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 53234

Regards,

RS







Re: Client host rejected: Access denied

2017-06-14 Thread Wietse Venema
Scappatura Rocco:
> smtpd_recipient_restrictions = 
>  ...
>  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>  ...

Wietse


Re: pickup/maildrop being used to spam through my machine.

2017-06-14 Thread Philip Paeps

On 2017-06-13 04:28:39 (-0400), Homer Wilson Smith wrote:
> Suddenly I am finding adore's mailq queue filled with spam, each having a
> pickup line in the logs, but no indication where it comes from,
> probably the web server as the from username is apache, but so far no
> correlation between web logs and time stamp on pickup line.


Check for other processes running as the apache user.  Check the crontab 
of that user too.


Also firewall off any ports.

I would definitely advise taking a disk image of the machine for 
forensic analysis and then doing a clean reinstall.


Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information


MIME header checks matching

2017-06-14 Thread Alex
Hi,

I have a series of mime patterns to automatically reject file types
including com, bat, exe, etc. It appears one pattern is matching
incorrectly, and I could use some help making it more accurate. I
don't know if it's something yahoo is doing to their outgoing mail or
the result of this user's mail client.

It appears the question marks are not in the proper place? We'd like
to continue to permit PDF files, but obviously reject com, not the
icloud.com that appears to be part of it.

Jun 14 05:07:13 mail01 postfix/cleanup[1177]: F3AF86800C808: reject:
header Content-Type: application/pdf;??name="Prelim
14.06.17.pdf";??x-apple-part-url="68bd2f96-e01f-42c7-90f4-fa3d6776a...@icloud.com"
from nm3-vm6.bullet.mail.ne1.yahoo.com[98.138.91.96];
from= to= proto=ESMTP
helo=: 5.7.1 content8

/^(Content-(Type|Disposition)\:|[[:space:]]+).*(file)?name="?.*\.com"?;?$/
REJECT content8

Thanks,
Alex


Client host rejected: Access denied

2017-06-14 Thread Scappatura Rocco
Hello.

My MTA (Debian Lenny with postfix+amavisd-new+spamassassin+clamav) rejected an 
SMTP connection from Yahoo:

Jun 13 17:04:01 av7 postfix/smtpd[25250]: NOQUEUE: reject: RCPT from 
sonic317-25.consmr.mail.ir2.yahoo.com[87.248.110.215]: 554 5.7.1 
: Client host rejected: 
Access denied; from= to= proto=ESMTP 
helo=

I can't figure out why. Here my postfix config:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination = xxx.example.com, localhost.example.com, , localhost
myhostname = xxx.example.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
proxy_read_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
    proxy:mysql:/etc/postfix/mysql-relay-domains.cf
    proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    proxy:unix:passwd.byname
    proxy:mysql:/etc/postfix/mysql-virtual-transports.cf
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
relayhost =
smtp_host_lookup = native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 40
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 250
smtpd_error_sleep_time = 0s
smtpd_hard_error_limit = 10
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031
    permit_sasl_authenticated
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_sender
    reject_unlisted_recipient
    reject_unknown_sender_domain
    reject_invalid_hostname
    reject_rbl_client psbl.surriel.com,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client truncate.gbudb.net,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
smtpd_soft_error_limit = 5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual-transports.cf

As you can see ' smtpd_client_restrictions' is not used.

Could someone explain the reason of the rejection?

Regards,

RS


Re: Seperate maps for virtual domains?

2017-06-14 Thread Wietse Venema
Julian Kippels:
> > You are doing N/2 table lookups to find the table that contains the
> > data. That is, you're doing linear search on top of hashing.
> > 
> @Wietse: N/2 is a little pessimistic, but that's only because I know the
> makeup of my mailboxes… 90% of it is in one virtual domain and that

The point is that you're slower than one table, whether it's N/2
or N/somethingelse.

> Anyway, I am going for a single big file now. I assume it's not a problem
> that this map is 40MB big?

With a competent key-value store implementation, reading from a
40MB table should be no problem.

Wietse


Problems with postfix from some ips

2017-06-14 Thread Francesc Peñalvez
I have the last postfix server with tls and sasl. I find that some ips,
also with postfix servers, do not get to connect properly. In the syslog I
only see this:

Jun 14 12:02:10 ns postfix/smtpd[23322]: connect from x.x.x.x.x[x.x.x.x]
Jun 14 12:02:11 ns postfix/smtpd[23322]: disconnect from  x.x.x.x.[x.x.x.x.]]
Jun 14 12:02:13 ns postfix/smtpd[23322]: connect from x.x.x.x.x.[x.x.x.x]
Jun 14 12:02:13 ns postfix/smtpd[23322]: disconnect from x.x.x.x.x.x[x.x.x.x.]
Jun 14 12:02:17 ns postfix/smtpd[23322]: connect from x.x.x.x.[x.x.x..x.x]
Jun 14 12:02:17 ns postfix/smtpd[23322]: disconnect from x.x.x.x.[x.x.x.x.]


Only happens to me from two of my vps, from the rest I received mails with
normality.

My main.cnf:

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

#readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/archive/almogavers.net/fullchain2.pem
smtpd_tls_key_file = /etc/letsencrypt/archive/almogavers.net/privkey2.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

mydomain = almogavers.net
myhostname = ns.almogavers.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.1.0/24 dynamicip.rima-tde.net
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit_inet_interfaces reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
#smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_hard_error_limit = 20
inet_protocols = ipv4
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
allow_untrusted_routing = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces permit_tls_all_clientcerts check_client_access hash:/etc/postfix/access
smtpd_helo_required = yes
fallback_relay =
mynetworks_style = class
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
masquerade_domains = almogavers.net
relayhost =
inet_interfaces = all
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
permit_mynetworks,
reject_unauth_destination,
reject_rbl_client all.s5h.net,
reject_rbl_client bl.spamcannibal.org,
reject_rbl_client web.dnsbl.sorbs.net,
reject_rbl_client b.barracudacentral.org,
reject_rbl_client multi.uribl.com,
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client dul.dnsbl.sorbs.net,
#reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client rabl.nuclearelephant.com,
check_relay_domains,
permit


smtpd_relay_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, check_relay_domains, reject_rbl_client $
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no

Any Ideas?







postfix client closing connection (email delivery) if one of multiple recipients failed/filtered

2017-06-14 Thread Zalezny Niezalezny
Hi,

I have exactly the same problem as described here in that post and I do not
know what to do.

http://postfix.1071664.n5.nabble.com/Customize-configure-postfix-with-multiple-recipients-td45030.html

In our network we are relaying messages using Postfix.

When our application sending a message with
From: b...@bla.com
To: va...@domain.com; discard_that_em...@domain.com



application -> local MTA -> LAN relay 1 -> Lan relay 2 -> Ironport ->
internet



The Problem is on the "LAN relay 1" and "LAN relay 2" where Postfix client
from relay1 closing connection if one of the recipient needs to be
discarded.


How to configure Postfix client on "LAN relay 1" to not closed connection
if one of the recipient is filtered or not_valid on the "LAN relay 2" ? Why
Postfix discarding complete message then ?



Thanks in advance for Your support


Cheers

Zalezny


Re: Seperate maps for virtual domains?

2017-06-14 Thread Julian Kippels
On Tue, 13 Jun 2017 10:17:53 -0400 (EDT),
wie...@porcupine.org (Wietse Venema) wrote:

> Patrick Ben Koetter:
> > > > At which message throughput rate will this make a difference?  
> > > 
> > > Always. Because you're replacing hashing with linear search.  
> > 
> > If you compare hashing to linear search, yes. But I am not sure
> > this is what the OPs question was about?
> > 
> > He wrote "would it be faster to have several smaller files (...) or
> > have one giant file". The way I understood it, he would not compare
> > hashing vs. linear search, but many small(er) hashed maps vs. one
> > large hashed map.  
> 
@Patrick: You understood me correctly there

> You are doing N/2 table lookups to find the table that contains the
> data. That is, you're doing linear search on top of hashing.
> 
>   Wietse
@Wietse: N/2 is a little pessimistic, but that's only because I know the
makeup of my mailboxes… 90% of it is in one virtual domain and that
would of course be the first file I take a look at. The other files
would be sorted descending by relevance.
Anyway, I am going for a single big file now. I assume it's not a problem
that this map is 40MB big?

Julian


-- 
-
| | Julian Kippels
| | M.Sc. Informatik
| |
| | Zentrum für Informations- und Medientechnologie
| | Heinrich-Heine-Universität Düsseldorf
| | Universitätsstr. 1
| | Raum 25.41.O1.36
| | 40225 Düsseldorf / Germany
| |
| | Tel: +49-211-811-4920
| | mail: kipp...@hhu.de
| | jabber: jukip...@xmpp.hhu.de
-