Re: Specific domain rejects address extensions

2019-12-04 Thread @lbutlr
On 04 Dec 2019, at 09:52, Viktor Dukhovni  wrote:
>$ config_directory=$(postconf config_directory)
>$ maps="proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf 
> hash:$config_directory/virtual"
>$ postmap -q ama...@myvirtualdomain.tld $maps

Aha! I was only checking virtual instead of both maps. Of course that shows the 
issue immediately.

*@virtualdomain was mapped to *@covisp.net for inexplicable reasons.

> Also, note that virtual alias expansion is recursive.  What does
> 
>kreme+ama...@kreme.com

I did test that as mail to that address was delivered to the “amazon” box on 
my account.

>> So, the issue appears to be limited to a specific virtual domain.
> 
> Nonsense:
> 
> 0.  Virtual alias and address extension processing is uniform across all
>domains

Yes, that’s why this was confusing. But it WAS limited to one domain because of 
errors in the alias portion of the database.

> 1.  There is no issue, everything is working exactly as documented, you're
>just surprised by the results of the mappings you've configured.

Well, the mappings yes. Postfix admin allows domains to be administered by 
authorized users.

Thank you, all is good now.



Re: How to trigger a script based on header

2019-12-04 Thread Quasar
Hi Angelo,
thanks for your quick reply.
I had a look at your solution, but I'd need a filter on the subject, not on
sender or recipient. Can your solution be modified to include subject
filtering as well?
Grazie :-)

On Wed, 4 Dec 2019 at 21:20, Fazzina, Angelo 
wrote:

> Hi, AFA I know there is the “argv” parameter in master.cf that can run
> scripts you create, there may be others.
>
> This is my test config:
>
> autoreply unix  -   n   n   -   -   pipe
>   flags=DF user=nobody
>   argv=/usr/local/bin/angelo $sender $recipient $original_recipient $user $mailbox
>
> And here is the script:
>
> [root@mta5 ]# more /usr/local/bin/angelo
> #!/usr/bin/bash
>
> /usr/sbin/sendmail -oi -t <
> From: UConn Help Center
> To: $1
> Subject: Your email to $3 was delivered
> Content-Type: text/plain; charset=utf-8
>
> This is a test email.
> This is a notice to inform you that in the future when you send emails
> to $3 they will fail to send.
> Please send all future emails to users  @uconn.edu address.
> Thank you.
>
> this is 2 = $2
> this is 1 = $1
> this is 3 = $3
> this is user = $4
> this is mailbox = $5
>
> And I recall only adding this to main.cf
>
> transport_destination_recipient_limit = 1
>
> and in virtual
> @uchc.edu   ang...@uconn.edu, autore...@autoreply.uconn.edu
>
> You will likely get more specific answers with more details about your
> scenario.
> I do not know if header_checks is normal way to trigger a script, I never
> did it that way.
>
> Good Luck.
>
> -ANGELO FAZZINA
> ang...@uconn.edu
> University of Connecticut,  ITS, SSG, Server Systems
> 860-486-9075
>
> From: owner-postfix-us...@postfix.org On Behalf Of Quasar
> Sent: Wednesday, December 4, 2019 3:02 PM
> To: postfix-users@postfix.org
> Subject: How to trigger a script based on header
>
> Hi there,
> I need some help, tried to find the answer googling for it, but no luck.
> Here's my question: I'd need to trigger a script whenever an email is
> processed and sent. This trigger should be based on some header fields
> (e.g. subject).
> I tried playing with header_checks but without getting anything.
> Can you please help me?
>
> Thanks
> Giuseppe.


Re: How to trigger a script based on header

2019-12-04 Thread Noel Jones

On 12/4/2019 2:01 PM, Quasar wrote:

Hi there,
I need some help, tried to find the answer googling for it, but no luck.
Here's my question: I'd need to trigger a script whenever an email 
is processed and sent. This trigger should be based on some header 
fields (e.g. subject).

I tried playing with header_checks but without getting anything.
Can you please help me?

Thanks
Giuseppe.



Postfix doesn't do that directly, but there are several round-about 
ways to make it work.


One incomplete example:
Set up an alias that pipes to your script.
aliases:
scriptuser: | /path/to/script

Use header_checks with a BCC action to send trigger mail to the 
scriptuser

header_checks:
/^target text$/  BCC scriptuser@localhost

Note this requires that localhost is listed in mydomains and is delivered 
by the postfix local delivery agent.


Alternately, you can probably convince regex-milter to do this.



  -- Noel Jones


Re: silent drop from sender *unless* to...

2019-12-04 Thread Noel Jones

On 12/4/2019 1:55 PM, Jonathan Engbrecht wrote:
thanks all.  Looks like I can mostly do this with restriction 
classes, though the drop ends up being a 5xx reject rather than a 
silent drop, which is a bit too bad.


tester = check_recipient_access
hash:/etc/postfix/maps/privileged_recipients, reject

being able to use "discard" here would be great, but doesn't appear 
to be possible


You can use static:discard there.

Caution: discard is a permanent action that loses data; use 
sparingly.  Reject is almost always more appropriate.




  -- Noel Jones


RE: How to trigger a script based on header

2019-12-04 Thread Fazzina, Angelo
Hi, AFA I know there is the “argv” parameter in master.cf that can run scripts 
you create, there may be others.

This is my test config:

autoreply unix  -   n   n   -   -   pipe
  flags=DF user=nobody
  argv=/usr/local/bin/angelo $sender $recipient $original_recipient $user $mailbox


And here is the script:

[root@mta5 ]# more /usr/local/bin/angelo
#!/usr/bin/bash


/usr/sbin/sendmail -oi -t <
To: $1
Subject: Your email to $3 was delivered
Content-Type: text/plain; charset=utf-8

This is a test email.
This is a notice to inform you that in the future when you send emails
to $3 they will fail to send.
Please send all future emails to users  @uconn.edu address.
Thank you.


this is 2 = $2
this is 1 = $1
this is 3 = $3
this is user = $4
this is mailbox = $5


And I recall only adding this to main.cf

transport_destination_recipient_limit = 1

and in virtual
@uchc.edu   ang...@uconn.edu, autore...@autoreply.uconn.edu


You will likely get more specific answers with more details about your 
scenario.
I do not know if header_checks is normal way to trigger a script, I never did 
it that way.

Good Luck.



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Quasar
Sent: Wednesday, December 4, 2019 3:02 PM
To: postfix-users@postfix.org
Subject: How to trigger a script based on header

Hi there,
I need some help, tried to find the answer googling for it, but no luck.
Here's my question: I'd need to trigger a script whenever an email is processed 
and sent. This trigger should be based on some header fields (e.g. subject).
I tried playing with header_checks but without getting anything.
Can you please help me?

Thanks
Giuseppe.

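Both routes in this digest for reacting to a header, the pipe(8) transport Angelo shows above and the aliases(5) "| script" target fed by a header_checks BCC that Noel describes earlier, end with a script that receives the message on stdin. Below is an added example of such a script; it is not code from either poster or from Postfix. The path, the spool file and the "[TICKET-n]" trigger are assumptions; the script decodes the Subject with Python's email module (header_checks only ever matches the raw, still RFC 2047-encoded header text) and returns sysexits(3) codes so that a failed action is deferred and retried rather than bounced.

```python
#!/usr/bin/env python3
"""Pipe target for a header-triggered action (added example; assumed path /usr/local/bin/ticket-hook)."""
import json
import re
import sys
from email import message_from_bytes, policy
from typing import Callable, Dict, Optional

EX_OK, EX_TEMPFAIL = 0, 75                       # sysexits(3) values local(8) and pipe(8) act on
SPOOL = "/var/spool/ticket-hook/events.jsonl"    # assumed location; must be writable by the alias owner
TRIGGER = re.compile(r"^\[TICKET-(\d+)\]")       # constructed trigger; header_checks pre-filters on the same text


def extract_trigger(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse one message; return the fields the action needs, or None when the Subject does not match.

    policy.default decodes RFC 2047 encoded words, so an encoded "[TICKET-42]" still matches here
    even though a header_checks regex would only have seen the =?utf-8?q?...?= form.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    m = TRIGGER.match(subject)
    if not m:
        return None
    # Header values are sender-controlled: they are recorded as data and never passed to a shell.
    return {"ticket": m.group(1), "subject": subject,
            "from": str(msg.get("From", "")), "message_id": str(msg.get("Message-ID", ""))}


def handle(raw: bytes, action: Callable[[Dict[str, str]], None]) -> int:
    """Decide on one message and return the exit status for the delivery agent."""
    info = extract_trigger(raw)
    if info is None:
        return EX_OK                 # not a trigger: accept quietly, never bounce a BCC copy
    try:
        action(info)
    except OSError:
        return EX_TEMPFAIL           # action failed: Postfix defers and retries instead of bouncing
    return EX_OK


def append_to_spool(info: Dict[str, str]) -> None:
    """The action: append one JSON line per triggering message for a separate worker to pick up."""
    with open(SPOOL, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(info) + "\n")


# Constructed sample messages, as a BCC copy would arrive on stdin.
RAW_MATCH = (b"From: alice@example.org\r\nTo: scriptuser@localhost\r\n"
             b"Subject: =?utf-8?q?=5BTICKET-42=5D_Disk_full?=\r\n"
             b"Message-ID: <a1@example.org>\r\n\r\nbody\r\n")
RAW_OTHER = b"From: bob@example.org\r\nSubject: lunch?\r\n\r\nbody\r\n"

if __name__ == "__main__":
    sys.exit(handle(sys.stdin.buffer.read(), append_to_spool))
```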

How to trigger a script based on header

2019-12-04 Thread Quasar
Hi there,
I need some help, tried to find the answer googling for it, but no luck.
Here's my question: I'd need to trigger a script whenever an email is
processed and sent. This trigger should be based on some header fields
(e.g. subject).
I tried playing with header_checks but without getting anything.
Can you please help me?

Thanks
Giuseppe.


Re: silent drop from sender *unless* to...

2019-12-04 Thread Jonathan Engbrecht
thanks all.  Looks like I can mostly do this with restriction classes,
though the drop ends up being a 5xx reject rather than a silent drop, which
is a bit too bad.

tester = check_recipient_access
hash:/etc/postfix/maps/privileged_recipients, reject

being able to use "discard" here would be great, but doesn't appear to be
possible

On Tue, 3 Dec 2019 at 17:38, Ralph Seichter  wrote:

> * Jonathan Engbrecht:
>
> > If From: f...@example.com
> > AND NOT To: (bar|baz|quux)@mydomain.com
> > DISCARD
>
> Milter-regex (https://www.benzedrine.ch/milter-regex.html) can do this,
> and more. The actual syntax for your example would be something like
> this (untested because I am typing from memory):
>
>   discard
>   header /^From$/ /foo@example\.com/ and not \
>   header /^To$/ /(bar|baz|quux)@mydomain\.com/
>
> You can also use variables in milter-regex to easily re-use complex
> expressions. I can heartily recommend it.
>
> -Ralph
>


Re: Advice: NFS, hardware, SATA vs SAS etc

2019-12-04 Thread lists
You ruled out cloud solutions? (Original text deleted for brevity.)

Advice: NFS, hardware, SATA vs SAS etc

2019-12-04 Thread venbian
Hello gurus,

As 2020 nears I wanted to ask opinions about the current state of hardware 
requirements for a small business email platform. $dayjob asked me to enhance 
our existing platform to improve performance and add redundancy.

Main questions (TLDR):

Can NFS handle heavy IMAP, LDA, HTTP workload?

Is direct attached SATA III 6Gb/s SSD in RAID 1 sufficient or is SAS needed?

Is gigabit ethernet the bottleneck in any case? I can upgrade to a 10 gigabit 
local network if advisable.

Can NFS peacefully co-exist with other mail system workloads without resource 
contention such as SQL DB or spamassassin or redis, etc?

More detail:

I had bad experiences with NFS approx 15yrs ago where IMAP load saturated 
controller link (yes, noatime was used on the mount) and was unusable. But in 
2020 is it time to give NFS another look?

Current mail storage setup uses local attached large SATA SSD and does well, 
but it directly hosts HTTP, LDA, IMAP and Submission which could all be faster 
and it only does nightly backups. Adding SAN is probably out of $dayjob 
price range and SAS is borderline. Power consumption is also a factor so instead 
of a dedicated file server I thought it would make more sense to build a big 
server with direct attached fast SATA SSD in mirrored RAID that also has strong 
CPU and maximum memory so it can also run some of the backend process such as 
spamassassin, redis or SQL database etc. (we want to start using SQL DB for 
more which means it will be under heavy use)

What workloads can best co-exist with NFS where each does not contend for the 
other's resources?

I'd put a couple smaller machines in HA in front of that to proxy webmail, HTTP 
website, IMAP and Submission. Edge MTA is on a separate server and would 
probably stay that way, maybe adding a failover. It keeps a fraction of its 
mail in the local system but will make more heavy use of the SQL DB which I 
thought to also put on the file server(?)

Could NFS keep up with load for proxy of HTTP, IMAP, LDA, etc?

Is local attached SATA SSD in RAID 1 ok? Will 6Gb/s SATA III be a bottleneck in 
any possible scenario? I was looking at motherboards with multiple PCIe or M.2 
slots thinking NVMe bandwidth (3GB/s) would be great but I'm unsure if NFS, 
gigabit ethernet or other components could even make use of it.

Or is that too amateur and local attached (hope not remote attached) SAS a 
minimum requirement? SAS SSDs are a newer thing I never used and expensive for 
the $boss. I read some people express doubts that SSD is suited for SAS at all 
which is one reason I thought just use SATA for more efficient power and cost.

Our workload:

We process a lot of mail but as you can guess, don't have tremendous storage 
needs.  We have several tens of thousands of users but a smaller fraction of 
that are actively using mail every day. Maildir storage is several TB. Exact 
daily mail volume is unknown but should be on the order of a few million, many 
which users have forwarded to other accounts so a small fraction is stored 
locally.

We also have few TB of web data that is hosted from a server in the same 
location that I thought to unify into the NFS setup.

Thank you for reading and your insight.

Re: Specific domain rejects address extensions

2019-12-04 Thread Viktor Dukhovni
On Wed, Dec 04, 2019 at 08:10:20AM -0700, @lbutlr wrote:

> On 03 Dec 2019, at 15:27, @lbutlr  wrote:

> > I have several domains, all of which have addresses with address delimiters
> > in use. One domain is rejecting all addresses with address extensions in
> > the lmtpd stage (after passing in smtpd). 

If you're propagating address extensions, they need to be supported by the LMTP
server (non-Postfix software, e.g. Dovecot).  If the LMTP server does not
support address extensions, you must not propagate them to LMTP.

The default is:

propagate_unmatched_extensions = canonical, virtual

you might need:

# or just empty?
propagate_unmatched_extensions = canonical

Plus virtual table mappings for each bare recipient.

> recipient_delimiter = +_
> virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
> hash:$config_directory/virtual

Have you actually checked (postmap -q) that the recipient in question is NOT
matched by an entry in the SQL database?  What do you get when you try:

$ config_directory=$(postconf config_directory)
$ maps="proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf 
hash:$config_directory/virtual"
$ postmap -q ama...@myvirtualdomain.tld $maps

and then again on the output of that, with and without the address extension...

> I have tested with a handful of the domains and they all work but one, which
> I find confusing as they all are configured the same as far as I can see in
> the sql database.

The "domains" have nothing to do with this, virtual mapping and delimiter
processing is domain-agnostic.  However, your SQL database (via the query
configured in the ".cf" file) will find matches for some addresses and not
others.

Also, note that virtual alias expansion is recursive.  What does

kreme+ama...@kreme.com

expand to?  Etc.

> I can’t dump the database as it contains real names and other private info,
> but it is a postfixadmin database that postfix and dovecot both access
> without complaints.

Nobody is asking for the full database.

> So, if I send an email to ama...@myvirtualdomain.tld, virtual is set to
> expand that to kreme+ama...@kreme.com but in the logs it is expanded to
> ama...@covisp.net which does not exist and the mail is rejected. If I send
> directly to the +amazon address, it works. If I send to another address
> (t...@kreme.com => user+t...@othervirtual.tld, that works.
> 
> So, the issue appears to be limited to a specific virtual domain.

Nonsense:

0.  Virtual alias and address extension processing is uniform across all
domains

1.  There is no issue, everything is working exactly as documented, you're
just surprised by the results of the mappings you've configured.

-- 
Viktor.

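Viktor's points above (uniform lookup order, recursive expansion, propagate_unmatched_extensions), together with the catch-all "@domain" entry that postmap -q turned up in the reply earlier in this digest, can be checked against a small model of the virtual(5) search order. This is an added example, not code from the thread or from Postfix: it models the documented key order user+ext@domain, user@domain, (user+ext and user for local domains only), @domain, the "@otherdomain" result form, recursive expansion and extension propagation, and the table entries are constructed to mirror the symptom in the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

RECIPIENT_DELIMITER = "+_"     # as in the poster's main.cf (recipient_delimiter = +_)
LOCAL_DOMAINS: set = set()     # $myorigin/$mydestination; empty here, like the poster's mydestination
_SPLIT = re.compile(rf"^([^{re.escape(RECIPIENT_DELIMITER)}]+)([{re.escape(RECIPIENT_DELIMITER)}].*)?$")

# Constructed table standing in for virtual_alias_maps (the SQL and hash: tables combined).
TABLE: Dict[str, List[str]] = {
    "@myvirtualdomain.tld": ["@covisp.net"],            # the stray catch-all that postmap -q revealed
    "shop@myvirtualdomain.tld": ["kreme+shop@kreme.com"],
    "info@myvirtualdomain.tld": ["shop@myvirtualdomain.tld", "ops@example.org"],
}


def split_local(local: str) -> Tuple[str, str]:
    """Split 'user+ext' at the first delimiter character; a leading delimiter does not split."""
    m = _SPLIT.match(local)
    return (m.group(1), m.group(2) or "") if m else (local, "")


def lookup(table, address, propagate=True) -> Optional[Tuple[str, List[str]]]:
    """One virtual(5) lookup: (matched key, rewritten results), or None when no key matches."""
    local, _, domain = address.rpartition("@")
    user, ext = split_local(local)
    keys = [(f"{user}{ext}@{domain}", True), (f"{user}@{domain}", False)]
    if domain in LOCAL_DOMAINS:                 # bare 'user+ext' / 'user' keys apply to local domains only
        keys += [(f"{user}{ext}", True), (user, False)]
    keys.append((f"@{domain}", False))
    for key, ext_in_key in keys:
        if key not in table:
            continue
        # propagate_unmatched_extensions: an extension the key did not consume is appended to each result
        carry = "" if ext_in_key or not propagate else ext
        results = []
        for target in table[key]:
            if target.startswith("@"):          # "@otherdomain" result: same user in otherdomain
                results.append(f"{user}{ext if ext_in_key else carry}{target}")
            else:                               # targets are assumed to be fully qualified
                tl, _, td = target.rpartition("@")
                results.append(f"{tl}{carry}@{td}")
        return key, results
    return None


def expand(table, address, propagate=True, limit=100) -> List[str]:
    """Recursive expansion as cleanup(8) does it: every result is looked up again until nothing matches."""
    final, seen, todo = [], set(), [address]
    while todo:
        addr = todo.pop()
        hit = lookup(table, addr, propagate)
        if hit is None or addr in seen or len(seen) >= limit:   # terminal address, loop guard, expansion limit
            final.append(addr)
            continue
        seen.add(addr)
        todo.extend(reversed(hit[1]))           # stack, reversed so the listed order is preserved
    return final


if __name__ == "__main__":
    for a in ("amazon@myvirtualdomain.tld", "amazon+orders@myvirtualdomain.tld", "info@myvirtualdomain.tld"):
        print(a, "->", expand(TABLE, a))
```

Running it reproduces the thread's symptom: amazon@myvirtualdomain.tld never reaches the intended kreme+amazon address because no specific key exists for it and the "@myvirtualdomain.tld" catch-all rewrites it to amazon@covisp.net.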

Re: Specific domain rejects address extensions

2019-12-04 Thread @lbutlr
On 03 Dec 2019, at 15:27, @lbutlr  wrote:
> I have several domains, all of which have addresses with address delimiters 
> in use. One domain is rejecting all addresses with address extensions in the 
> lmtpd stage (after passing in smtpd). 

# postconf -n
alias_database = hash:$config_directory/aliases
alias_maps = hash:$config_directory/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
compatibility_level = 2
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
inet_interfaces = 127.0.0.1, 65.121.55.42
inet_protocols = ipv4
mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION
maps_rbl_reject_code = 521
message_size_limit = 26214400
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mime_header_checks = pcre:$config_directory/mime_headers.pcre
mydestination =
mynetworks_style = subnet
myorigin = $mydomain
policyd-spf_time_limit = 3600
postscreen_access_list = cidr:$config_directory/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = ro.ascc.dnsbl.bit.nl=127.0.0.2
pl.ascc.dnsbl.bit.nl=127.0.0.2*1 fresh30.spameatingmonkey.net=127.0.0.2*1
freshzero.spameatingmonkey.net=127.0.0.2*1
zen.spamhaus.org=127.0.0.[4..11]*5 zen.spamhaus.org=127.0.0.[2..3]*1
list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4 list.dnswl.org=127.0.[0..255].3*-5
postscreen_dnsbl_threshold = 5
postscreen_dnsbl_ttl = 3d
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = mail.covisp.net ESTMP -- Please wait
postscreen_greet_ttl = 7d
postscreen_greet_wait = 11s
recipient_bcc_maps = pcre:$config_directory/rbcc.pcre
recipient_delimiter = +_
show_user_unknown_table_name = no
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name $mail_version
smtpd_client_auth_rate_limit = 3
smtpd_data_restrictions = reject_unauth_pipelining,
reject_multi_recipient_bounce, permit
smtpd_delay_open_until_valid_rcpt = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname check_helo_access
pcre:/etc/postfix/helo_checks.pcre permit
smtpd_log_access_permit_actions = static:all
smtpd_milters = unix:/var/run/spamass-milter.sock,
smtpd_recipient_restrictions = reject_unauth_destination reject_rhsbl_sender
freshzero.spameatingmonkey.net, reject_rhsbl_sender
fresh30.spameatingmonkey.net, reject_rhsbl_helo dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_reverse_client
dbl.spamhaus.org reject_non_fqdn_sender reject_non_fqdn_recipient
reject_unknown_sender_domain reject_invalid_hostname
reject_unlisted_recipient reject_unlisted_sender permit
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_starttls_timeout = 20s
smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = no
swap_bangpath = no
tls_preempt_cipherlist = yes
tls_ssl_options = no_compression
undisclosed_recipients_header = To: List of Bcc addresses:;
unknown_client_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_reason = Address lookup failed
virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
hash:$config_directory/virtual
virtual_gid_maps = static:89
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains =
proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:89

I have tested with a handful of the domains and they all work but one, which I 
find confusing as they all are configured the same as far as I can see in the 
sql database.

I can’t dump the database as it contains real names and other private info, but 
it is a postfixadmin database that postfix and dovecot both access without 
complaints.

So, if I send an email to ama...@myvirtualdomain.tld, virtual is set to expand 
that to kreme+ama...@kreme.com but in the logs it is expanded to 
ama...@covisp.net which does not exist and the mail is rejected. If I send 
directly to the +amazon address, it works. If I send to another address 
(t...@kreme.com => user+t...@othervirtual.tld, that works.

So, the issue appears to be limited to a specific virtual domain.






-- 
In my world there are pe