relay based on sender and destination
Hi,

I have a mail server relaying for different domains and using a transport map to deliver local domains. Now I need the following:

* Mail from @internal1.com and to @external1.com to be relayed through relay.provider.com
* the rest of mails, to be delivered or relayed according to transport_maps

I have found the sender_dependent_relayhost_maps but with this I can only check the sender but not the destination.

Any idea?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Different LMTP configuration for different clients
On 06/05/17 at 03:12, Peter wrote:
> On 04/05/17 18:13, Angel L. Mateo wrote:
>> My problem is that I can't classify by recipient. I should do it by client IP. Is this possible in a transport map?
>
> No, instead use smtpd_client_restrictions with check_client_access and a FILTER result pointing to the correct transport. See postconf(5) and access(5) for details.

I have the first problem solved: I have created a restriction class that applies a check_recipient_access just to the client I want with slow delivery.

My problem now is that I have this in the check_recipient_access:

    /@mydomain\.com$/    FILTER slow_lmtp:[imapserver.mydomain.com]
    /.+/                 OK

and now, as a side effect, amavis is not run for messages directed to my domain from these clients.

Is there any way to specify a content_filter for this kind of messages?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Different LMTP configuration for different clients
On 03/05/17 at 16:40, Wietse Venema wrote:
> Angel L. Mateo:
>> Hello, I have a postfix mail relay server for my domain. This mail server delivered mail to my imap server via LMTP. Now I want that all mail received from a client to the same imap server, but with a different LMTP configuration. That is because this client is a massive mailer and I want to deliver its mail with low concurrency (I don't mind getting higher delays). Is this possible without deploying a new postfix server?
>
> Yes, with a transport map that resolves the recipient to an LMTP service with a different (master.cf) name, for example slow_lmtp, plus a main.cf setting for slow_lmtp_destination_concurrency_limit.

My problem is that I can't classify by recipient. I should do it by client IP. Is this possible in a transport map?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Different LMTP configuration for different clients
On 03/05/17 at 16:44, Viktor Dukhovni wrote:
> On May 3, 2017, at 7:56 AM, Angel L. Mateo <ama...@um.es> wrote:
>> I have a postfix mail relay server for my domain. This mail server delivered mail to my imap server via LMTP. Now I want that all mail received from a client to the same imap server, but with a different LMTP configuration. That is because this client is a massive mailer and I want to deliver its mail with low concurrency (I don't mind getting higher delays). Is this possible without deploying a new postfix server?
>
> The answer depends on information you have not provided.
>
> * How is this client distinguished from other clients?

By IP

> * How big (message count) are the mail "bursts" from this sender?

Thousands of mails (10k-30k), all directed to my own domain.

> * At what rate are messages arriving during a "burst"?

I don't know. The only limitation we have in the postfix receiving these mails are:

    smtpd_client_connection_count_limit = 5
    smtpd_client_connection_rate_limit = 100
    smtpd_client_message_rate_limit = 500
    smtpd_recipient_limit = 150

My problem is not in the postfix side, but delivering to the IMAP server. Because these bursts are of messages directed all of them to my domain, when I receive one I have problems delivering them to the imap server via LMTP.

> * How many such bursts a day?

Depends, but it is not rare days with 2 or 3 bursts

> When you slow down mail delivery below the burst arrival rate, a backlog develops somewhere along the pipeline. Depending on the size of the bursts, the choice of the right place to buffer the bursts may change.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Different LMTP configuration for different clients
Hello,

I have a postfix mail relay server for my domain. This mail server delivered mail to my imap server via LMTP.

Now I want that all mail received from a client to the same imap server, but with a different LMTP configuration. That is because this client is a massive mailer and I want to deliver its mail with low concurrency (I don't mind getting higher delays).

Is this possible without deploying a new postfix server?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Creating a catch all domain
On 14/09/16 at 11:38, Angel L. Mateo wrote:
> Hi,
>
> I'm obfuscated trying to configure a server for a catch-all domain (all mail directed to that domain delivered to a single mailbox).
>
> My problem is that I want all mail received for @mydomain.com to be delivered to a single locally mailbox, but r...@mydomain.com to be relayed to the actual @mydomain.com server.
>
> I have configured a virtual domain, but is the last condition what I don't know how to configure it.
>
> Any help?

The sooner I send the message, the sooner I "see the light".

Instead of directly using @mydomain.com I have created @other.mydomain.com and with a canonical map I rewrite all @mydomain.com to @other.mydomain.com except the ones I want to keep.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Creating a catch all domain
Hi,

I'm obfuscated trying to configure a server for a catch-all domain (all mail directed to that domain delivered to a single mailbox).

My problem is that I want all mail received for @mydomain.com to be delivered to a single locally mailbox, but r...@mydomain.com to be relayed to the actual @mydomain.com server.

I have configured a virtual domain, but is the last condition what I don't know how to configure it.

Any help?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Connection timed out due to dns timeouts
On 08/02/13 15:29, Viktor Dukhovni wrote:
> On Fri, Feb 08, 2013 at 09:29:22AM +0100, Angel L. Mateo wrote:
>> We are having problems with dns lookups to one domain. I know is not a postfix problem, but a dns configuration error in that domain. But it is affecting our servers.
>
> The easiest work-around is to stop sending mail to the unreachable domain.

Yes, I did it yet, but it could happen with other domains. I would like a solution, not a workaround.

>> The problem is that whenever the relay server receives a mail directed to that domain, I get the error conversation with mail server timed out while sending MAIL FROM. And as list server group messages, all recipients in that group as rejected.
>
> Your DNS timeouts are too long (perhaps tunable via /etc/resolv.conf on the relay), or SMTP timeouts too short (tunable via main.cf on the list server).
>
> You posted no log entries, or postconf -n so further help is not possible.

I'm sorry, I have attached it now. My timeouts are both defaults.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337

address_verify_map = btree:${data_directory}/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_privs = nobody
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
lmtp_data_done_timeout = 1200s
lmtp_destination_recipient_limit = 10
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2560
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mydestination = $myhostname, localhost.\$mydomain, localhost
mydomain = um.es
myhostname = xenon11.um.es
mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 10.64.0.0/28, 172.19.0.0/16, 10.57.0.0/16, 155.54.212.160/28
myorigin = um.es
nested_header_checks = pcre:/etc/postfix/nested_header_checks.pcre
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software
parent_domain_matches_subdomains = smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_minfree = 3840
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/listas_con_um_es
relay_domains = um.es, alu.um.es, cii-murcia.es, cyum.es, lcu.es, dif.um.es, ditec.um.es, fuem.um.es, infomun.um.es, listas.um.es, listas.cii-murcia.es, campusmarenostrum.com, listas.campusmarenostrum.es, ticarum.es, aulavirtual.um.es
relay_recipient_maps = hash:/etc/postfix/relaydomains, hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-vmail.cf, proxy:ldap:/etc/postfix/ldap-sysaliases.cf
relocated_maps = proxy:ldap:/etc/postfix/ldap-relocated.cf
sample_directory = no
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 100
smtpd_client_event_limit_exceptions = 127.0.0.1, 172.19.0.0/16, 155.54.208.0/24, 155.54.212.0/24, 155.54.213.0/24, 155.54.216.0/24, 155.54.67.15, 155.54.135.194, 10.54.1.8, 155.54.204.60, 155.54.204.49, 155.54.210.253, 155.54.169.2, 155.54.204.69, 155.54.204.128, 155.54.206.3, 155.54.118.3, 155.54.204.146, 155.54.67.13, 155.54.170.10, 155.54.21.123, 155.54.204.57, 155.54.204.9, 155.54.204.231, 155.54.211.0/24, 155.54.117.10, 130.206.18.0/27, 155.54.119.83
smtpd_client_message_rate_limit = 500
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_checks.cidr, permit_sasl_authenticated,
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,check_helo_access hash:/etc/postfix/helo_checks
smtpd_recipient_limit = 150
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain,check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_recipient_access hash:/etc/postfix/verified_recipient_checks, check_policy_service inet:127.0.0.1:10031, permit_mynetworks
Connection timed out due to dns timeouts
Hello,

I have list servers that send mails through another relay servers. With this configuration all mail sent from our mail servers are delivered through our relay servers. All servers use postfix (list servers use 2.7.0 and relay 2.5.5)

We are having problems with dns lookups to one domain. I know is not a postfix problem, but a dns configuration error in that domain. But it is affecting our servers.

The problem is that whenever the relay server receives a mail directed to that domain, I get the error conversation with mail server timed out while sending MAIL FROM. And as list server group messages, all recipients in that group as rejected.

I've been looking for the problem on that domain and is a timeout problem. Due to some problem in its configuration, I've never have an answer (the domain exists, but it doesn't answer).

So I would like to configure some kind of dns lookup timeout in my relay servers, so if the query is not answered I could reject the message with a dns error instead of timing out the connection.

Is this possible? How?

Thanks,

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Connection timed out due to dns timeouts
On 08/02/13 10:02, Robert Schetterer wrote:
> On 08.02.2013 09:29, Angel L. Mateo wrote:
>> Hello,
>>
>> I have list servers that send mails through another relay servers. With this configuration all mail sent from our mail servers are delivered through our relay servers. All servers use postfix (list servers use 2.7.0 and relay 2.5.5)
>>
>> We are having problems with dns lookups to one domain. I know is not a postfix problem, but a dns configuration error in that domain. But it is affecting our servers.
>>
>> The problem is that whenever the relay server receives a mail directed to that domain, I get the error conversation with mail server timed out while sending MAIL FROM. And as list server group messages, all recipients in that group as rejected.
>
> as workaround you can use a dedicated transport for that domain
>
>> I've been looking for the problem on that domain and is a timeout problem. Due to some problem in its configuration, I've never have an answer (the domain exists, but it doesn't answer).
>
> what does not answer, their mailserver, your dns?

Their DNS doesn't respond. If I query it manually with dig, I get a timeout with no answer.

The problem I'm having is that my relay server has

    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_recipient_access hash:/etc/postfix/verified_recipient_checks, check_policy_service inet:127.0.0.1:10031, permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination, check_recipient_maps, permit

and is timing out in the reject_unknown_recipient_domain. As the server doesn't have any answer, the smtp connection from my list servers are completely timing out.

I guess it could be a better behaviour if in this situation my relay server could return a 450 for this domain (at least, with this behaviour my list server could try with other recipients of the message)

> you should invest more time in analyse the real problem i.e some routing problems may cause it

Solving the problem with this particular domain (which is not mine), solves my problem now, but not future similar problems. So I think it would be better to avoid the situation.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Connection timed out due to dns timeouts
On 08/02/13 11:27, Robert Schetterer wrote:
> On 08.02.2013 10:42, Angel L. Mateo wrote:
>> On 08/02/13 10:02, Robert Schetterer wrote:
>>> On 08.02.2013 09:29, Angel L. Mateo wrote:
>>>> Hello,
>>>>
>>>> I have list servers that send mails through another relay servers. With this configuration all mail sent from our mail servers are delivered through our relay servers. All servers use postfix (list servers use 2.7.0 and relay 2.5.5)
>>>>
>>>> We are having problems with dns lookups to one domain. I know is not a postfix problem, but a dns configuration error in that domain. But it is affecting our servers.
>>>>
>>>> The problem is that whenever the relay server receives a mail directed to that domain, I get the error conversation with mail server timed out while sending MAIL FROM. And as list server group messages, all recipients in that group as rejected.
>>>
>>> as workaround you can use a dedicated transport for that domain
>>>
>>>> I've been looking for the problem on that domain and is a timeout problem. Due to some problem in its configuration, I've never have an answer (the domain exists, but it doesn't answer).
>>>
>>> what does not answer, their mailserver, your dns?
>>
>> Their DNS doesn't respond. If I query it manually with dig, I get a timeout with no answer.
>>
>> The problem I'm having is that my relay server has
>>
>>     smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain,check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,check_recipient_access hash:/etc/postfix/verified_recipient_checks,check_policy_service inet:127.0.0.1:10031, permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination,check_recipient_maps,permit
>>
>> and is timing out in the reject_unknown_recipient_domain. As the server doesn't have any answer, the smtp connection from my list servers are completely timing out.
>>
>> I guess it could be a better behaviour if in this situation my relay server could return a 450 for this domain (at least, with this behaviour my list server could try with other recipients of the message)
>
> this should be default, unless you didn't change or override it
>
> reject_unknown_recipient_domain
>     Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS A or MX record or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
>     The unknown_address_reject_code parameter specifies the numerical response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.

I know this. It is normally working fine. My problem with this domain is that it is not being rejected. postfix just times out.

>>> you should invest more time in analyse the real problem i.e some routing problems may cause it
>>
>> Solving the problem with this particular domain (which is not mine), solves my problem now, but not future similar problems. So I think it would be better to avoid the situation.
>
> as far i remember all dns checks have tmp failure code at default, sometimes it makes sense to change some of them global, this is kind of design question, however you may construct bypasses with smtpd_restriction_classes too depending to i.e some ipaddress etc
>
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> in your case, the question seems, at what server and what point you want to react with what error by dns rejects

I want my relay server to reject the mail (at reject_unknown_recipient_domain option with the corresponding reject code) not to time out.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
Re: Timeout delivering via LMTP
On 12/06/12 18:12, Viktor Dukhovni wrote:
> On Tue, Jun 12, 2012 at 12:32:24PM +0200, Angel L. Mateo wrote:
>> In the smtp logs I have:
>>
>> Jun 12 11:41:18 xenon13 postfix/lmtp[4248]: 4433E5D5A0: to=myu...@um.es, relay=pop.um.es[155.54.212.106]:24, delay=31, delays=0.41/0.06/0/30, dsn=4.4.0, status=deferred (host pop.um.es[155.54.212.106] said: 451 4.4.0 Remote server not answering (timeout while waiting for reply to DATA reply) (in reply to end of DATA command))
>
> This is NOT a Postfix timeout, read the log message carefully:
>
>     Jun 12 11:41:18 xenon13 postfix/lmtp[4248]: 4433E5D5A0: to=myu...@um.es, relay=pop.um.es[155.54.212.106]:24, delay=31, delays=0.41/0.06/0/30, dsn=4.4.0, status=deferred
>     (host pop.um.es[155.54.212.106] said:
>     -===
>     451 4.4.0 Remote server not answering (timeout while waiting for reply to DATA reply) (in reply to end of DATA command))
>
> The unwanted 30s timeout is clearly in the proxy.

Ooops... You're right. Sorry... and thank you.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
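Added example, not part of the thread: a small parser for Postfix smtp/lmtp delivery log lines that separates status text reported by the remote server ("host ... said:") from a timeout raised by the local Postfix client ("conversation with ... timed out"), and checks the transmission stage of delays=a/b/c/d against a local timeout. The function names and the second log line are constructed for illustration; the delays field order (before queue manager, in queue manager, connection setup, transmission) is the one documented for Postfix 2.3 and later.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Order of the four values in delays=a/b/c/d (Postfix 2.3 and later).
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")

LINE_RE = re.compile(
    r"postfix/(?P<agent>smtp|lmtp)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<?(?P<rcpt>[^>,]+)>?, relay=(?P<relay>[^,]+), (?:conn_use=\d+, )?"
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<text>.*)\)\s*$"
)
REMOTE_REPLY_RE = re.compile(r"host \S+ said: (?P<code>\d{3})[ -]")


@dataclass
class Delivery:
    agent: str
    qid: str
    relay: str
    status: str
    dsn: str
    delays: dict
    text: str
    origin: str                 # who produced the status text
    reply_code: Optional[int]   # SMTP/LMTP reply code, if the remote sent one


def classify_origin(text):
    """Return (origin, reply_code) for the parenthesised status text."""
    m = REMOTE_REPLY_RE.match(text)
    if m:
        # Everything after "said:" was written by the remote server.
        return "remote-reply", int(m.group("code"))
    if text.startswith("conversation with ") and " timed out " in text:
        # This wording comes from the local Postfix client's own timer.
        return "local-timeout", None
    if text.startswith("lost connection with "):
        return "connection-lost", None
    if text.startswith("connect to "):
        return "connect-failure", None
    return "other", None


def parse_delivery(line):
    """Parse one delivery-agent log line; return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    values = [float(v) for v in m.group("delays").split("/")]
    if len(values) != len(STAGES):
        return None
    origin, code = classify_origin(m.group("text"))
    return Delivery(m.group("agent"), m.group("qid"), m.group("relay"),
                    m.group("status"), m.group("dsn"),
                    dict(zip(STAGES, values)), m.group("text"), origin, code)


def local_timer_could_have_fired(rec, timeout_s):
    """A local protocol timer cannot expire in less than its own setting."""
    return rec.delays["transmission"] >= timeout_s


# Log line quoted in the thread above.
PAGE_LINE = (
    "Jun 12 11:41:18 xenon13 postfix/lmtp[4248]: 4433E5D5A0: to=myu...@um.es, "
    "relay=pop.um.es[155.54.212.106]:24, delay=31, delays=0.41/0.06/0/30, "
    "dsn=4.4.0, status=deferred (host pop.um.es[155.54.212.106] said: "
    "451 4.4.0 Remote server not answering (timeout while waiting for reply "
    "to DATA reply) (in reply to end of DATA command))"
)
# Constructed line (not from the thread) showing a local client timeout.
CONSTRUCTED_LINE = (
    "Feb  8 09:30:01 list1 postfix/smtp[2211]: 9A1B2C3D4E: "
    "to=<user@example.org>, relay=relay.example.com[192.0.2.25]:25, "
    "delay=301, delays=0.1/0.02/0.5/300, dsn=4.4.2, status=deferred "
    "(conversation with relay.example.com[192.0.2.25] timed out while "
    "sending MAIL FROM)"
)

if __name__ == "__main__":
    # 600 and 300 are the lmtp_data_done_timeout and lmtp_mail_timeout
    # values listed in the original post of this thread.
    for line, timeout in ((PAGE_LINE, 600), (CONSTRUCTED_LINE, 300)):
        rec = parse_delivery(line)
        print(rec.qid, rec.origin, rec.reply_code, rec.delays,
              "local timer possible:", local_timer_could_have_fired(rec, timeout))
```

For the line from the thread the transmission stage is 30 seconds against a 600 second lmtp_data_done_timeout, and the text follows "said:", so both checks point at the LMTP proxy rather than at Postfix.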
Timeout delivering via LMTP
Hi,

I have a postfix farm delivering mail to dovecot backend servers via LMTP. Dovecot is configured with a LMTP proxy (director) that proxies the LMTP connection to the recipient's final server.

Under heavy load (not so heavy really) I have sporadic timeout errors but messages are delivered, so, at the end, the message is delivered twice to the user.

In the smtp logs I have:

Jun 12 11:41:18 xenon13 postfix/lmtp[4248]: 4433E5D5A0: to=myu...@um.es, relay=pop.um.es[155.54.212.106]:24, delay=31, delays=0.41/0.06/0/30, dsn=4.4.0, status=deferred (host pop.um.es[155.54.212.106] said: 451 4.4.0 Remote server not answering (timeout while waiting for reply to DATA reply) (in reply to end of DATA command))

If I look for this connection in the director proxy servers I have:

Jun 12 11:40:39 myotis41 dovecot: lmtp(6595): Connect from 155.54.212.167
Jun 12 11:40:39 myotis41 dovecot: lmtp(6595): Debug: auth input: user=user1 proxy host=155.54.211.163 proxy_refresh=450
Jun 12 11:40:39 myotis41 dovecot: lmtp(6595): Debug: auth input: user=user2 proxy host=155.54.211.163 proxy_refresh=450
(more users, a total of 34 recipients)
Jun 12 11:40:39 myotis41 dovecot: lmtp(6595): Debug: auth input: user=myuser proxy host=155.54.211.164 proxy_refresh=450
...
Jun 12 11:41:09 myotis41 dovecot: lmtp(6595): Disconnect from 155.54.212.167: Client quit (in reset)

and in one of the final server (the one for the user in question):

Jun 12 11:40:38 myotis34 dovecot: lmtp(16824): Connect from 155.54.211.186
Jun 12 11:40:38 myotis34 dovecot: lmtp(16824, user1): wJ9BD7YM10+4QQAAG5O5Qg: sieve: msgid=182283367.48.1339494011054.JavaMail.tomcat@sakai-prod4: stored mail into mailbox 'INBOX'
...
Jun 12 11:41:10 myotis34 dovecot: lmtp(16824, myuser): wJ9BD7YM10+4QQAAG5O5Qg: sieve: msgid=182283367.48.1339494011054.JavaMail.tomcat@sakai-prod4: stored mail into mailbox 'INBOX'
...
Jun 12 11:41:11 myotis34 dovecot: lmtp(16824): Disconnect from 155.54.211.186: Connection closed (in reset)

So the mail seems to be correctly delivered in about 30 seconds. All my postfix timeouts are bigger than this time:

lmtp_connect_timeout = 0s
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 120s
lmtp_data_xfer_timeout = 180s
lmtp_lhlo_timeout = 300s
lmtp_mail_timeout = 300s
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_threshold_time = 500s
lmtp_quit_timeout = 300s
lmtp_rcpt_timeout = 300s
lmtp_rset_timeout = 20s
lmtp_sasl_auth_cache_time = 90d
lmtp_starttls_timeout = 300s
lmtp_tls_session_cache_timeout = 3600s
lmtp_xforward_timeout = 300s

So... why do I have this error?

As a side effect this mail was delivered twice in the user's mailbox, this is one and the other when postfix retries again.

Any help? Thank you

PS: I have attached my postconf -n

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337

address_verify_map = btree:${data_directory}/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_privs = nobody
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2560
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mydestination = $myhostname, localhost.\$mydomain, localhost
mydomain = um.es
myhostname = xenon11.um.es
mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 10.64.0.0/28, 172.19.0.0/16, 10.57.0.0/16, 155.54.212.160/28
myorigin = um.es
nested_header_checks = pcre:/etc/postfix/nested_header_checks.pcre
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software
parent_domain_matches_subdomains = smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_minfree = 3840
rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/listas_con_um_es
relay_domains = um.es, alu.um.es, cii-murcia.es, cyum.es
Re: Ldap queries optimization
On 17/02/12 17:18, Viktor Dukhovni wrote:
> Some queries are repeated, this should have no significant impact. Focus on overall performance rather than optimizing non-critical paths.
>
> Postfix is not monolithic, so cleanup(8) repeats some queries made by smtpd(8), and in smtpd(8) some queries are repeated because this makes the code more modular. This works well enough for a large number of Postfix sites, it will work for you too if you don't sweat the small stuff.

I know it needs to repeat queries. But, in this case, why not implementing a cache for such maps? If I remember well in previous versions it did. And it did for other maps, like the one for address_verify_map.

And I know I should focus on the real problem with my ldap server. But I would like postfix to make things better (and it doesn't mean it doesn't do well)

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Ldap queries optimization
Hello,

We are using ldap maps in a relay server. Ldap maps are for address validation (valid users and alias) and a relocated map. But now, we are having problems with our ldap servers. Problems are not directly related with postfix servers, but I've been investigating if postfix could do things better.

My config is:

virtual_alias_maps = hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-sysaliases.cf
relay_recipient_maps = hash:/etc/postfix/relaydomains, hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-vmail.cf, proxy:ldap:/etc/postfix/ldap-sysaliases.cf
relocated_maps = proxy:ldap:/etc/postfix/ldap-relocated.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps

Ldap maps are:

* ldap-sysaliases.cf: This is a map for alias destinations. Although this is a relay server, I'm resolving alias because I relay internal mail by lmtp instead of smtp
* ldap-vmail.cf: This is the map for real users.
* ldap-relocated.cf: This a relocated map (for users who change their email address).

In my tests I have found that during a smtp transaction the next searches are done:

* When the mail from: is received, if this mail from is from a ldap domain, a search in the relocated map is done for this mail from address.
* When the rcpt to: is received, postfix makes 4 searches for the recipient address in this order:
  1. In the relocated map
  2. In the alias map
  3. In the vmail map
  4. In the alias map again
* When the data command is finished, then it makes the searches:
  1. In the relocated map for the mail from address.
  2. In the relocated map for the recipient address.
  3. In the alias map for the recipient address
  4. In the alias map again for the recipient address
  5. In the relocated map (again) for the recipient address

With a total of 10 searches.

I repeated the test with the same from and recipient and almost all searches are done again. In fact, the only searches it hasn't done are searches 1 and 2 after data command.

My questions are:

* is it normal this behaviour? I mean is it normal all these searches? Or I have something with a wrong configuration?
* Is there any way to cache these queries? In a normal transaction I have only 4 different searches of a total of 8 (or 10) and if I repeat the mail, all searches are done again? Is there any way to cache these results so there was no need to research again all the information?

I have attached the output of postconf -n, ldap maps config files and the logs at ldap server for connections from the postfix server (I have replaced the final DN where I have the information and sender and recipient address used)

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337

address_verify_map = btree:${data_directory}/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
default_privs = nobody
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
lmtp_destination_concurrency_limit = 5
lmtp_destination_recipient_limit = 10
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2560
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mydestination = $myhostname, localhost.\$mydomain, localhost
mydomain = um.es
myhostname = xenon11.um.es
mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 10.64.0.0/28, 172.19.0.0/16, 155.54.212.160/28
myorigin = um.es
nested_header_checks = pcre:/etc/postfix/nested_header_checks.pcre
newaliases_path = /usr/bin/newaliases
notify_classes = resource, software
parent_domain_matches_subdomains = smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_minfree = 3840
rbl_reply_maps = hash:/etc/postfix
Re: Ldap queries optimization
On 16/02/12 16:35, Viktor Dukhovni wrote:
> On Thu, Feb 16, 2012 at 10:49:10AM +0100, Angel L. Mateo wrote:
>> My config is:
>>
>> virtual_alias_maps = hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-sysaliases.cf
>> relay_recipient_maps = hash:/etc/postfix/relaydomains, hash:/etc/postfix/alu-aliases, hash:/etc/postfix/dif-aliases, proxy:ldap:/etc/postfix/ldap-vmail.cf, proxy:ldap:/etc/postfix/ldap-sysaliases.cf
>
> There is no need to list virtual alias lookup tables in relay_recipient_maps. Postfix performs that lookup automatically, therefore, the relay_recipient_maps setting should be just:
>
>     relay_recipient_maps = hash:/etc/postfix/relaydomains, proxy:ldap:/etc/postfix/ldap-vmail.cf
>
>> In my tests I have found that during a smtp transaction the next searches are done:
>
> If your LDAP tables contain no bare (just the local part) address lookup keys, you may consider using %u@%d instead of %s in the query definition. That could also avoid some unneeded lookups, otherwise Postfix performs the lookups it needs to, and unless you've failed to index your LDAP attributes appropriately, Postfix is unlikely to be a significant burden on LDAP, nor is LDAP likely to noticeably slow down Postfix.
>
>> mydestination = $myhostname, localhost.\$mydomain, localhost
>
> That \ is unlikely to be what you want.
>
>> mynetworks = 127.0.0.0/8, 155.54.0.0/16, 10.54.0.0/16, 10.56.0.0/16, 10.64.0.0/28, 172.19.0.0/16, 155.54.212.160/28
>
> With the entire class 155.54/16 listed, no need for the final /28.
>
>> smtpd_banner = $myhostname NO UCE ESMTP
>
> Don't, or at least make it $myhostname ESMTP NO UCE, that ESMTP is not semantically valid unless it immediately follows the hostname.
>
>> smtpd_client_restrictions = reject_rbl_client rbl.um.es, permit_sasl_authenticated, check_client_access hash:/etc/postfix/whitelist_um, reject_unknown_reverse_client_hostname, check_client_access cidr:/etc/postfix/client_checks.cidr,
>> smtpd_data_restrictions = reject_unauth_pipelining, permit
>> smtpd_end_of_data_restrictions = $(smtpdEndOfDataRestrictions)
>> smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_checks
>> smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, check_recipient_access hash:/etc/postfix/verified_recipient_checks, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_maps, permit
>
> You don't need these last two, they are implicit.
>
>> smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access pcre:/etc/postfix/sender_checks.pcre
>
> Otherwise nothing else to do in Postfix, make sure your LDAP tables are properly indexed.

Although I could refine this configuration changes, problem is not ldap indexes. I have all indexes created, openldap is answering all the queries postfix makes. The problem I'm trying to fix is that postfix is making lot of repeated queries. In the transactions I sent in my first email, in one transaction it makes 8 queries, 5 of them was the same query.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Re: Two postfix instances, different header_checks
On 24/11/10 18:41, Victor Duchovni wrote:

On Wed, Nov 24, 2010 at 06:35:19PM +0100, Angel L. Mateo wrote:

Hello, I'm running postfix (version 2.5.5, from debian lenny package) with amavis and spamassassin for spam checks. For amavis and SA to work, we have 2 postfix instances, the main one running on port 25 and the other running on another port, 2500, that receives mail from amavis.

A postfix instance is a complete Postfix system with its own configuration directory, queue directory, ... as described in http://www.postfix.org/MULTI_INSTANCE_README.html Perhaps you mean two instances of the smtpd(8) service in the same master.cf(5) file (of a single Postfix instance).

OK. I have two smtpd services in one postfix instance.

/^X-Spam-(.*)/ REPLACE X-MySpam-$1

in header_checks.pcre

In the main.cf of postfix at port 25 I have configured:

header_checks = pcre:/etc/postfix/header_checks.pcre

In master.cf I have a line like:

10025 inet n - n - - smtpd ... -o header_checks=

This won't work, since header_checks are performed by cleanup(8) not smtpd(8). See http://www.postfix.org/FILTER_README.html or better yet, use real Postfix instances:

OK. Thank you.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Re: Two postfix instances, different header_checks
On 25/11/10 01:05, Jeroen Geilman wrote:

header_checks is a cleanup(8) setting, not an smtpd(8) one. You can specify a different cleanup service by adding

-o cleanup_service_name=my_cleanup_service

to your SA resubmission smtpd listener, and defining

my_cleanup_service unix - - - - - cleanup -o header_checks=

OK. I'll try this.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Two postfix instances, different header_checks
Hello,

I'm running postfix (version 2.5.5, from debian lenny package) with amavis and spamassassin for spam checks. For amavis and SA to work, we have 2 postfix instances, the main one running on port 25 and the other running on another port, 2500, that receives mail from amavis.

In the first one, I want to apply a header_checks (a header_check.pcre) that replaces some headers with another one. Specifically, I want to replace X-Spam-.* headers with X-MySpam-$1 (because we are an internal server that receives mail from another one that also runs SA and I want to preserve both headers, but with another name).

So I have written a rule like:

/^X-Spam-(.*)/ REPLACE X-MySpam-$1

in header_checks.pcre

In the main.cf of postfix at port 25 I have configured:

header_checks = pcre:/etc/postfix/header_checks.pcre

In master.cf I have a line like:

10025 inet n - n - - smtpd ... -o header_checks=

So, the second postfix instance doesn't use this header_check.

The problem I have is that both postfix instances use this header_check, so I have my own SA headers also renamed like X-MySpam-$1.

Any idea?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Re: consolidate multiple maillog files
On Tue, 14-07-2009 at 13:59 -0700, Sanjay Saha wrote:

So different maillogs are in specific directory /home/maillogs/Log1 2 3 and onwards. But I need a way to consolidate it in single file which could be used by mailgraph. Any pointer to the right direction is welcome.

Have you tried to just merge the files? A sort -m over those files?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
ldap searches with null user
Hello,

We have a postfix servers' backend for our domain (debian etch servers, postfix 2.3.8). We have several domains and their users are in a ldap database. So we have defined several ldap maps in postfix to check relocated users, mail aliases and virtual users.

With this configuration we are observing that we have a lot of ldap searches like:

((mail=@localdomain)(objectClass=CourierMailAccount))

that is, with the local part of the email address as null, void.

This problem is not (apparently) affecting our email servers, so we are receiving (and rejecting) mail without any problem, but it is overloading our ldap servers, because this is one of the most searched operations.

Our postfix configuration is:

smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, ... check_recipient_access hash:/etc/postfix/verified_recipient_checks, ... permit_mynetworks, permit_sasl_authenticated, ... reject_unknown_reverse_client_hostname, reject_unauth_destination, check_helo_access hash:/etc/postfix/helo_checks, check_client_access cidr:/etc/postfix/client_checks.cidr, reject_rbl_client rbls, ... check_recipient_maps, permit
...
relocated_maps = ldap:/etc/postfix/ldap-relocated.cf
...
relay_recipient_maps = ldap:/etc/postfix/ldap-vmail.cf, ldap:/etc/postfix/ldap-sysaliases.cf

My map configuration is like this:

server_host = ldapserver
server_port = 389
search_base = search base
query_filter = ((mail=%s)(objectClass=CourierMailAccount))
result_attribute = uid
bind = yes
bind_dn = binddn
bind_pw = bindpw

Any idea?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
Re: ldap searches with null user
On Thu, 12-03-2009 at 09:00 -0400, Wietse Venema wrote:

Postfix virtual alias table lookups are documented in virtual(5). http://www.postfix.org/virtual.5.html. See also ldap_table(5) for details specific to LDAP lookups. http://www.postfix.org/ldap_table.5.html

I know them. I have read them several times. But I don't know why postfix is looking for mail @mydomain (without any local user). If I try to enter any such address in the rcpt to field of the smtp dialog, I get an error, without any search in the ldap.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
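The empty-local-part searches discussed in this thread, and the %u@%d suggestion quoted in the "Ldap queries optimization" message, modelled as an added example (not code from the posts or from Postfix). It assumes the table search order documented in virtual(5) and the %s/%u/%d expansion rules documented in ldap_table(5), ignores address extensions, and uses constructed addresses and filters; all function names are hypothetical.

```python
import re

def lookup_keys(address, local_domains=()):
    """Keys a table is asked for, in virtual(5) search order (simplified)."""
    user, _, domain = address.rpartition("@")
    keys = [address]
    if domain in local_domains:      # bare user is tried for local-style domains
        keys.append(user)
    keys.append("@" + domain)        # catch-all key: empty local part
    return keys

def quote(value):
    """RFC 2254 escaping of LDAP filter metacharacters."""
    return re.sub(r'[*()\\\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def expand(template, key):
    """Expand %s, %u, %d per ldap_table(5); None means the query is suppressed."""
    user, at, domain = key.rpartition("@")
    if not at:                       # no "@": the whole key is the user part
        user, domain = key, None
    out, i = [], 0
    while i < len(template):
        ch, nxt = template[i], template[i + 1:i + 2]
        if ch != "%" or nxt not in ("s", "u", "d", "%"):
            out.append(ch)
            i += 1
            continue
        if nxt == "u" and at and user == "":
            return None              # %u with an empty local part
        if nxt == "d" and domain is None:
            return None              # %d with a key that is not user@domain
        out.append({"s": quote(key), "u": quote(user),
                    "d": quote(domain or ""), "%": "%"}[nxt])
        i += 2
    return "".join(out)

def ldap_queries(template, address, local_domains=()):
    """Filters that would actually be sent to the LDAP server."""
    expanded = (expand(template, k) for k in lookup_keys(address, local_domains))
    return [f for f in expanded if f is not None]

# Constructed filters, modelled on the map shown in the post.
WITH_S = "(&(mail=%s)(objectClass=CourierMailAccount))"
WITH_UD = "(&(mail=%u@%d)(objectClass=CourierMailAccount))"

if __name__ == "__main__":
    for tpl in (WITH_S, WITH_UD):
        print(tpl)
        for q in ldap_queries(tpl, "whatever@example.com", ("example.com",)):
            print("   ", q)
```

With %s the catch-all key @example.com reaches the directory as a search for mail=@example.com; with %u@%d that key and the bare local part are suppressed before any query is sent.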
problem with mailx ending in .
Hello,

We have created mail accounts ending in . because of a bug in our mail creation process and we are having problems with these accounts.

Our configuration is below:

* We have a relay server. This server acts as our incoming mail server and is also the one that our users have as their smtp server.
* For our local accounts, the relay server delivers mail to another server, which is the one where our users have their mailbox.
* Our users' accounts are in a ldap server (openldap).

In the relay server we have a relay_recipient_maps to check that incoming mail is for valid emails. In the mailbox server we have users configured by a virtual_alias_maps. The configuration for both maps is the same.

The problem we have is that when we get an email directed to a mail of the kind whatever.@mydomain, it goes through all the servers, but when the final server tries to deliver it in the mailbox, it fails with a user unknown error, although it first accepts it, that is, in the rcpt to it accepts the email (it is expected to reject it if the user is unknown), but fails trying to deliver it, originating a bounce error email.

The error has the form:

whatever.@mydomain.com: User unknown in virtual alias table

Any idea?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337