Re: exempting user or domain from one RBL check ?
On Mon, Aug 07, 2017 at 01:17:54PM +1000, Voytek wrote:
> I have a user's inbound mail blocked by barracudacentral, is
> there a way to exempt this particular user/domain from this
> particular RBL check ?
>
> or what else can or should I do ?

Share the logging of this rejection and be more specific. The problem is with one specific client, or more?

> this is the only known issue with barracuda I have and,
> otherwise it seems quite effective, I think ?

Yes, but like Spamcop, it's an automated list, so it lists some legitimate outbound servers at times. Large senders often do content filtering on outbound streams, directing questionable content to a certain subgroup of their outbound farms. Members of those subgroups tend to be listed by Spamcop and BRBL.

I use BRBL in postscreen with 2 points and a threshold of 3. But I had the same problem [I think] you had: intermittent rejections of good mail. So I don't use it with reject_rbl_client now.

> smtpd_recipient_restrictions =
>  reject_unknown_sender_domain,
>  reject_unknown_recipient_domain,
>  reject_non_fqdn_sender,
>  reject_non_fqdn_recipient,
>  reject_unlisted_recipient,
>  check_policy_service inet:127.0.0.1:,
>  permit_mynetworks,
>  check_sasl_access hash:/etc/postfix/sasl_access
>  permit_sasl_authenticated,

You should separate submission from your inbound stream. If you must accept user-submitted mail on port 25, use a different IP address.

>  reject_unauth_destination,
>  check_recipient_access hash:/etc/postfix/recipient_no_checks,
>  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>  check_helo_access hash:/etc/postfix/helo_checks,
>  check_sender_access hash:/etc/postfix/sender_checks,
>  check_client_access hash:/etc/postfix/client_checks,
>  check_client_access pcre:/etc/postfix/client_checks.pcre,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client b.barracudacentral.org,
>  reject_rhsbl_client dbl.spamhaus.org,
>  reject_rhsbl_sender dbl.spamhaus.org,
>  reject_rbl_client psbl.surriel.com,
>  reject_rbl_client ix.dnsbl.manitu.net,
>  reject_rbl_client bl.spamcop.net,

I don't know manitu firsthand, so I wouldn't use that restriction. I *do* know PSBL and Spamcop firsthand, and I definitely wouldn't recommend those restrictions.

>  reject_rbl_client cbl.abuseat.org,

Wasted lookup, as this is included in Zen.

>  reject_rhsbl_sender dsn.rfc-ignorant.org,

Ralf discontinued the RFCI lists some years back.

>  check_policy_service inet:127.0.0.1:10031
>
>
> pflogsumm /var/log/maillog.1 | grep block
> blocked using b.barracudacentral.org (total: 482)
> blocked using bl.spamcop.net (total: 40)
> blocked using dbl.spamhaus.org (total: 133)
> blocked using ix.dnsbl.manitu.net (total: 37)
> blocked using psbl.surriel.com (total: 14)
> blocked using zen.spamhaus.org (total: 3438)

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
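Added example, not part of the original message: a small Python model contrasting `reject_rbl_client` (any single listing rejects) with the postscreen weighted scoring mentioned in the reply above. Only the BRBL weight of 2 and the threshold of 3 come from the message; the Zen weight of 3 and the client listings are constructed for illustration, and reply-address filters are not modelled.

```python
# Added example: reject_rbl_client vs. postscreen weighted DNSBL scoring.
import re

# Lists used with reject_rbl_client in the quoted configuration (subset).
REJECT_RBL_CLIENT = ["zen.spamhaus.org", "b.barracudacentral.org"]

# main.cf-style value. BRBL*2 and threshold 3 are from the reply; the Zen
# weight of 3 is an assumption made for this illustration.
POSTSCREEN_DNSBL_SITES = "zen.spamhaus.org*3, b.barracudacentral.org*2"
POSTSCREEN_DNSBL_THRESHOLD = 3


def parse_sites(value):
    """Parse 'domain[=filter][*weight]' entries into {domain: weight}."""
    sites = {}
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        name, _, weight = entry.partition("*")
        domain = name.split("=", 1)[0]  # reply-address filters are not modelled
        sites[domain] = int(weight) if weight else 1  # weight defaults to 1
    return sites


def rbl_client_verdict(listed_on, lists=REJECT_RBL_CLIENT):
    """reject_rbl_client: the first list that has the client rejects it."""
    for domain in lists:
        if domain in listed_on:
            return "reject", domain
    return "pass", None


def postscreen_verdict(listed_on, sites_value=POSTSCREEN_DNSBL_SITES,
                       threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """postscreen: sum the weights of matching lists, block at >= threshold."""
    sites = parse_sites(sites_value)
    total = sum(w for domain, w in sites.items() if domain in listed_on)
    return ("block" if total >= threshold else "pass"), total


if __name__ == "__main__":
    # Constructed clients and the DNSBLs each one is listed on.
    clients = {
        "large sender, BRBL only": {"b.barracudacentral.org"},
        "listed on Zen and BRBL": {"zen.spamhaus.org", "b.barracudacentral.org"},
        "not listed": set(),
    }
    for label, listed in clients.items():
        print(label, rbl_client_verdict(listed), postscreen_verdict(listed))
```

A client listed only on BRBL is rejected outright by `reject_rbl_client` but scores 2 under the weighted setup and stays below the threshold.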
exempting user or domain from one RBL check ?
I have a user's inbound mail blocked by barracudacentral, is there a way to exempt this particular user/domain from this particular RBL check ?

or what else can or should I do ?

this is the only known issue with barracuda I have and, otherwise it seems quite effective, I think ?

smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rbl_client b.barracudacentral.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client cbl.abuseat.org,
 reject_rhsbl_sender dsn.rfc-ignorant.org,
 check_policy_service inet:127.0.0.1:10031

pflogsumm /var/log/maillog.1 | grep block
blocked using b.barracudacentral.org (total: 482)
blocked using bl.spamcop.net (total: 40)
blocked using dbl.spamhaus.org (total: 133)
blocked using ix.dnsbl.manitu.net (total: 37)
blocked using psbl.surriel.com (total: 14)
blocked using zen.spamhaus.org (total: 3438)
Re: 451 4.3.5 Server configuration error
Dino Edwards:
> Hello,
>
> Having a strange issue with a server. Multiple times a day I get the
> following errors in mail.log:
>
> 451 4.3.5 Server configuration error; from=> to= proto=ESMTP helo=

The error is logged BEFORE this line.

	Wietse
Re: setup for personal computer, no domain, smarthost
rea...@newsguy.com:
>
> Wietse wrote:
> > I forgot about authentication.
> >
> > relayhost = [smtp.newsguy.com]:587
> >
> > See http://www.postfix.org/SOHO_README.html for this and other
> > information of interest.
>
> That doesn't seem to work yet at least not by itself but could also be
> seriously inept pilot error. But before I start posting logs
> and so on, I'm trying to get masquerading to help this work. But must not
> be understanding the docu well enough

Indeed. SOHO_README.html has all the info you need to have no real domain name and send email with your ISP account.

> This page:
> http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade
> says in part:

Don't use that page. The masquerade feature is inferior to the smtp_generic_maps feature described in SOHO_README.html.

	Wietse
Re: hostname in aliases.db
On 05/08/17 21:30, /dev/rob0 wrote:
> On Sat, Aug 05, 2017 at 07:58:19PM +0300, Marat Khalili wrote:
> > That's what I'd like to know too, is this hostname mention even being used?
>
> I doubt it is, but I am too lazy / busy to test. :) You could also
> consult your Berkeley DB documentation. I do know that Postfix
> simply queries it for the localpart in a localpart@domain, where
> domain is in $mydestination. Metadata in aliases.db is not queried.

Well, I looked a bit more into it and it quickly became an exercise in software archaeology. That's what I found out:

1) It's not metadata, it's data associated with key 'YP_MASTER_NAME'.

2) It was present in sendmail and used by NIS: https://books.google.ru/books?id=NQblqMiVqvQC=PT152=PT152=YP_MASTER_NAME .

3) It was added to postfix in 1999 as documented in HISTORY:

    19990325

        Workaround: Solaris NIS alias maps need special entries
        (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal
        keys/values include a null byte at the end, but the YP_XXX
        ones don't. Problem reported by Walcir Fontanini, state
        university of Campinas, Brazil. File: postalias/postalias.c.

4) Finally, it is currently set in postalias.c but never used indeed.

Final results: no need to change it, but if necessary it can be changed with newaliases under chroot (tested this), directly with some Berkeley DB tool (since it is just one known key-value pair), or specified in makedbm command-line.

Also, this problem is not even new: see https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.nis/nis_movmastserv.htm

Thank you for the help, it was an interesting excursion for me.

--
With Best Regards,
Marat Khalili
451 4.3.5 Server configuration error
Hello,

Having a strange issue with a server. Multiple times a day I get the following errors in mail.log:

451 4.3.5 Server configuration error; from=to= proto=ESMTP helo=

I also get the following email in my admin mailbox:

From: Mail Delivery System
Subject: Postfix SMTP server: errors from localhost[::1]
To: postmas...@domain.tld

Transcript of session follows.

 Out: 220 server.domain.tld
 In:  ehlo server.domain.tld
 Out: 250- server.domain.tld
 Out: 250-PIPELINING
 Out: 250-SIZE 52428800
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  mail FROM: size=527
 Out: 250 2.1.0 Ok
 In:  rcpt TO:
 Out: 451 4.3.5 Server configuration error
 In:  rset
 Out: 250 2.0.0 Ok

Session aborted, reason: lost connection

For other details, see the local mail logfile

So, it looks like some process is trying to send email from r...@server.domain.tld to root@localhost but I don't know what process it is or how to make it stop. It doesn't seem to affect the server otherwise. Other email flows in and out as normal except for these errors.

I would appreciate some insight on where to look to get this resolved.

Thanks
Re: setup for personal computer, no domain, smarthost
On 06/08/17 05:14, rea...@newsguy.com wrote:
> Marat K wrote:
> > Nothing to do with postfix.
>
> Well that's good news. When I used sendmail, fetchmail would pass
> incoming mail to port25 for sendmail to deliver. I don't know how
> postfix works but I thought it might be the same way when used with
> fetchmail.

Well, AFAIU postfix is only an SMTP server. You'll need something like dovecot to actually hold your incoming mail and make it accessible to your mail client. Since you already have external IMAP accounts I'm not sure this extra local server is necessary, but if you wish try dovecot, worked for me. Another thing that worked for me is offlineimap for synchronizing contents of IMAP accounts directly, without intermediate SMTP server.

> Yes, but that didn't help the masquerading part. What I said above
> was that the SmartHost wasn't enough without masquerading.

Sorry, can't say anything about masquerading: I don't use it, all my hosts have static FQDNs. Since postfix has its own notion of hostname that can be different from system's, it is possible that you won't need masquerading too actually.

--
With Best Regards,
Marat Khalili
Re: DKIM-Signing forwarded email
On 5 August 2017 at 17:46, Marco Pizzoli wrote:
> Hi all,
> I have a postfix instance dedicated to being the main MX (IN).
> I normally use other postfix instances for sending emails out (OUT).
>
> Of course, even this "IN" instance needs to send emails out, mainly
> bounces.
>
> Now I am also implementing forwarding rules: "if you receive an email
> destined to this address, then forward it out to this other email address".
> Other addresses are @gmail.com, @msn.com, etc...
>
> In order to do that "right" I also implemented an SRS service, so to have
> my domain as the envelope sending address.
> Now I also want to enable DKIM-signing of these outgoing emails.
>
> Problem is:
> - SRS (or at least the product I am using, postsrsd) works at the
> "cleanup" level, so after smtpd
> - My DKIM-signing tool is a milter, so acts at smtpd time. So the email it
> sees is with the original sending domain and not my domain.
>
> How can I achieve the intended behaviour?
>

I am not sure how to achieve this but, even when done, emails will continue to be rejected by the destination server if it enforces DMARC (e.g. AOL, Comcast, Hotmail, GMail, Yahoo) and if the domain/sub-domain of the original sender (in the 'From:' header, unless you rewrite this as well) has published a DMARC policy with p=reject (e.g. Yahoo, Paypal, mailing.tesco.com, Lloyds Bank, RBS, HMRC...).
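Added example, not part of the original thread: a Python sketch of the DMARC identifier-alignment check behind the reply above, showing why SRS plus the forwarder's own DKIM signature does not satisfy a p=reject policy published by the 'From:' domain. The domains `forwarder.example` and `sender.example` are constructed, the organizational domain is approximated by the last two labels (an assumption; real evaluators use the Public Suffix List), and the case where the original sender's signature survives forwarding goes beyond what the reply discusses.

```python
# Added example: DMARC identifier alignment for a forwarded message.

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: real evaluators use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains, strict the FQDNs."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_eval(from_domain, spf, dkim_sigs, policy, strict=False):
    """spf = (envelope sender domain, SPF passed?)
    dkim_sigs = [(d= domain, signature verified?), ...]
    policy = p= value published by the From: domain, or None if no record.
    Returns (result, action requested by the policy)."""
    if policy is None:
        return "no-policy", "none"
    spf_ok = spf[1] and aligned(spf[0], from_domain, strict)
    dkim_ok = any(ok and aligned(d, from_domain, strict) for d, ok in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy


def forwarded_cases():
    """Constructed cases: forwarder.example relays mail From: sender.example."""
    srs = ("forwarder.example", True)         # envelope rewritten by SRS, SPF ok
    own_sig = ("forwarder.example", True)     # forwarder's DKIM signature
    orig_sig = ("mail.sender.example", True)  # sender's signature, still valid
    return {
        "SRS + forwarder DKIM, p=reject":
            dmarc_eval("sender.example", srs, [own_sig], "reject"),
        "original signature survives, p=reject":
            dmarc_eval("sender.example", srs, [own_sig, orig_sig], "reject"),
        "SRS + forwarder DKIM, no DMARC record":
            dmarc_eval("sender.example", srs, [own_sig], None),
    }


if __name__ == "__main__":
    for name, outcome in forwarded_cases().items():
        print(f"{name}: {outcome}")
```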