Re: Cleaning out certain 4xx-errors
Once upon a time, Wietse Venema wie...@porcupine.org said:
> Chris Adams:
> > > P.S.: I complied with your Reply-To: and sent the Cc:. It will fail SPF, if you're checking that.
> >
> > That's not me; that's the list.
>
> I think he refers to this:
>
>     Mail-Followup-To: Chris Adams cmad...@hiwaay.net, Postfix users postfix-users@postfix.org
>
> This sits among other headers that were added by your Mutt/1.4.2.2i mail reader.

Ah, that looks like a bug in mutt. It isn't supposed to put the sender's (my) address in there for configured mailing lists (the idea is to prefer replies to the list without a direct CC). Still not sure what that would have to do with SPF though.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Cleaning out certain 4xx-errors
Once upon a time, Wietse Venema wie...@porcupine.org said:
> Maybe PLESK has an option to make mailbox full a hard error (to be honest, Postfix's own mailbox full action is not configurable).

Unfortunately, no, it isn't. Plesk uses a milter to check delivery status during SMTP (which is nice, since that way it doesn't queue and cause back-scatter), but only returns a temporary error for over quota. Worse, it doesn't check until the end of DATA, so if any one recipient is over quota, the message is rejected (so you really don't want to turn a Plesk over-quota message into a permanent error, at least for messages with multiple recipients).

I wrote a milter for our Plesk servers to check quota at RCPT TO time instead (and return a permanent error for over-quota) to fix the bad behavior.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Cleaning out certain 4xx-errors
Once upon a time, /dev/rob0 r...@gmx.co.uk said:
> On Sat, Sep 15, 2012 at 06:50:38PM -0500, Chris Adams wrote:
> > I wrote a milter for our Plesk servers to check quota at RCPT TO time instead (and return a permanent error for over-quota) to fix the bad behavior.
>
> Unfortunately that only replaces one potential problem with another. You're relying on SIZE in the MAIL command, which might be wrong or might be omitted. The only sure way to know the actual size of the mail is to receive the DATA.

I've found it to be a good enough solution. My checker takes the SIZE argument from MAIL FROM; if it isn't there, it assumes the largest message the server allows. It also adds a little to the size to allow for local headers (local Received: line, From_ header if mbox, etc.).

This means that if the remote system doesn't set SIZE, it is possible for some small messages to be rejected that could have just fit under the quota. Almost all legitimate servers set SIZE; the only place I typically don't see it is from clients (and IIRC some do set it, but not from Microsoft).

This also doesn't handle multiple messages coming in at a time (especially if one is a large message from a slow remote system).

> P.S.: I complied with your Reply-To: and sent the Cc:. It will fail SPF, if you're checking that.

That's not me; that's the list.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
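The RCPT-time quota decision described in the message above, as an added example (not Chris Adams's milter and not part of the original thread). The mailbox table, the header allowance, the reply texts and all function names are assumptions made for illustration; the size limit is Postfix's default message_size_limit.

```python
import re

# Assumed values, not taken from the thread:
MESSAGE_SIZE_LIMIT = 10_240_000  # server maximum; Postfix's default message_size_limit
HEADER_ALLOWANCE = 2_048         # slack for the local Received: line, mbox From_ line, etc.

# Constructed mailboxes: address -> (quota limit in bytes, bytes currently used)
MAILBOXES = {
    "alice@example.com": (100_000_000, 10_000_000),
    "bob@example.com": (50_000_000, 49_999_000),
    "carol@example.com": (50_000_000, 45_000_000),
}

_SIZE_PARAM = re.compile(r"(?:^|\s)SIZE=(\d{1,20})(?=\s|$)", re.IGNORECASE)


def declared_size(mail_from):
    """Return the SIZE= value of a MAIL FROM command, or None when it is absent."""
    # ESMTP parameters follow the closing '>' of the reverse-path.
    _, _, params = mail_from.partition(">")
    match = _SIZE_PARAM.search(params)
    return int(match.group(1)) if match else None


def space_needed(mail_from):
    """Bytes to reserve: the declared size (or the server maximum) plus local headers."""
    size = declared_size(mail_from)
    if size is None:
        # No SIZE given: assume the largest message the server allows.
        size = MESSAGE_SIZE_LIMIT
    return size + HEADER_ALLOWANCE


def rcpt_reply(mail_from, rcpt, mailboxes=MAILBOXES):
    """SMTP reply for one RCPT TO, decided before any message data is received."""
    if rcpt not in mailboxes:
        return "550 5.1.1 User unknown"
    limit, used = mailboxes[rcpt]
    if space_needed(mail_from) > limit - used:
        # Permanent error for this recipient only; the others are unaffected.
        return "552 5.2.2 Mailbox full"
    return "250 2.1.5 Ok"


def session(mail_from, recipients):
    """Per-recipient replies for one SMTP transaction."""
    return {rcpt: rcpt_reply(mail_from, rcpt) for rcpt in recipients}


if __name__ == "__main__":
    for command in ("MAIL FROM:<sender@example.net> SIZE=4000 BODY=8BITMIME",
                    "MAIL FROM:<sender@example.net>"):
        print(command)
        for rcpt, reply in session(command, list(MAILBOXES)).items():
            print("   RCPT TO:<%s> -> %s" % (rcpt, reply))
```

With SIZE present only the nearly full mailbox is refused; without it, carol's mailbox is refused as well even if the real message would have fit, which is the trade-off both posters describe.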
Re: REJECT and save a copy of spam?
Once upon a time, Wietse Venema wie...@porcupine.org said:
> But this matters only if you really want to give a REJECT response to the remote SMTP client.

I would prefer to do that for this particular setup. This is a low-traffic domain, mostly just forwarding to other domains; there are a couple of mailing lists and a ticket system; no mail gets normal local delivery. Nobody would normally be checking a spam box, so any messages that hit would effectively disappear.

In the old setup (sendmail+mimedefang+SA), it has been useful that spam is rejected so that legit senders get a notice, and that the message gets saved (so I can review when somebody complains).

Thanks; I guess I'll take a look at amavis.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: REJECT and save a copy of spam?
Once upon a time, Wietse Venema wie...@porcupine.org said:
> Postfix supports Milter too. There are some differences but it might just work.

Oh yeah, I know that (I just wrote a milter for some servers at work running postfix). I was trying to avoid the extra overhead (and config management work) of mimedefang/amavis since I was just looking for basic spam blocking.

Thanks.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
REJECT and save a copy of spam?
I'm configuring Postfix with SpamAssassin, using Spampd as a before-queue filter. I put

    /^X-Spam-Flag: YES/ REJECT Spam detected

in /etc/postfix/header_checks, and that works (spam is rejected during SMTP as desired).

However, it would be nice to _also_ keep a copy of the rejected messages somewhere for later analysis. Either deliver them to a special local user, hold in the queue, or whatever else is convenient.

Is there an easy way to do this? I guess I could modify Spampd to save a copy of spam messages, but I was hoping there might be a way to configure Postfix to do this.

If it matters, this is Postfix 2.6.6 on CentOS 6.

Thanks.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: frequent qmgr crashes with postfix-2.10-20120630
2012/7/5 Wietse Venema wie...@porcupine.org: Ralf Hildebrandt: * Wietse Venema wie...@porcupine.org: Ralf Hildebrandt: Does the error happen after sending a message to the qmgr FIFO? How would I find out? In master.cf, add two -v options at the end of the qmgr service. This may produce a lot of output that is better exchanged off-list. I'll recompile the latest snapshot and will enable verbose logging. What OS version? I may be able to set up a VM for some tests, once you have some logging to focus the search. I suspect Ubuntu 12.04 LTS. # uname -a Linux mail.charite.de 3.2.0-26-generic #41-Ubuntu SMP Thu Jun 14 17:49:24 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux -- Chris
Re: Ubuntu Precise packaged 2.9.1 SSL 1.0.1
2012/6/27 Wietse Venema wie...@porcupine.org: Chris: 2012/6/26 Daniel L. Miller dmil...@amfes.com: After a recent Ubuntu server upgrade, the packaged versions of Postfix - using Ubuntu's Precise version, as well as the security, updates, and backports repositories - Postfix's TLS is broken with the known SSL version issue: warning: TLS library problem: 4425:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340: A general question: Why is only postfix affected and not sendmail or exim? Says who? Okay, I have seen nothing on the sendmail mailing list. OpenSSL 1.0.1 introduces new protocols (TLSv1.2 and TLSv1.1) that don't work with some other implementations of those new protocols. Postfix 2.9.2 introduces support to turn off the new protocols, so that Postfix falls back to the ones that work. Turning off the new protocols is only an interim solution? -- Chris
Re: Ubuntu Precise packaged 2.9.1 SSL 1.0.1
2012/6/26 Daniel L. Miller dmil...@amfes.com: After a recent Ubuntu server upgrade, the packaged versions of Postfix - using Ubuntu's Precise version, as well as the security, updates, and backports repositories - Postfix's TLS is broken with the known SSL version issue: warning: TLS library problem: 4425:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340: A general question: Why is only postfix affected and not sendmail or exim? -- Chris
Retaining BCC in Pipe
I am using Postfix to pipe messages to an external program. Does anyone know how to pipe a single message that retains all recipients, including the BCC?

I already know how to create a new message for each recipient, but what I actually need is the message as it was sent by the user to Postfix. I searched a lot and can't find a solution other than using transport_destination_recipient_limit = 1 and the -DO flags, but this again will create a new message for each recipient.

Any help is greatly appreciated.

Thanks,
Chris
Re: Retaining BCC in Pipe
When I capture the messages that are sent via pipe it contains all TO and CC, but the BCC header is gone. From what you both said, I feel like I am missing something pretty simple here.

This is a similar question on Serverfault:
http://serverfault.com/questions/148135/postfix-how-to-keep-the-bcc-recipient-in-email-enveloppe

On Tue, Jun 19, 2012 at 5:17 PM, Michael J Wise mjw...@kapu.net wrote:
> On Jun 19, 2012, at 1:02 PM, Chris Nagele wrote:
> > I am using Postfix to pipe messages to an external program. Does anyone know how to pipe a single message that retains all recipients, including the BCC?
>
> Methinks you are confusing RFC 821 (yeah, I know) commands with the RFC 822 data. Bcc is a synthetic concept; what you are really looking for is the RCPT TO: command, which does not distinguish between the To:, Cc: or Bcc: data.
>
> Aloha,
> Michael.
> --
> Please have your Internet License and Usenet Registration handy...
Re: Retaining BCC in Pipe
That clears it up then. The issue I am running into is trying to associate the BCC message with the others so I can associate them in the program that it is piped to. It sounds like that is not possible. I did try the pipe options, but it separates each message completely, not allowing me to consolidate them.

Thanks for the help.

-Chris

On Tue, Jun 19, 2012 at 6:15 PM, Bill Cole postfixlists-070...@billmail.scconsult.com wrote:
> On 19 Jun 2012, at 17:42, Chris Nagele wrote:
> > When I capture the messages that are sent via pipe it contains all TO and CC, but the BCC header is gone. From what you both said, I feel like I am missing something pretty simple here.
>
> Yes. When you use a MUA to compose a message with a Bcc header, the MUA typically only uses that header to construct the SMTP envelope recipient list (i.e. addresses used in SMTP RCPT commands) and does not include the header in the message data when it submits the message.
>
> Historically (and perhaps still today in rare cases) some MUA's have included the Bcc header in submitted messages, so MTA's like Postfix will strip out that header if it exists in a submitted message. Postfix does this in the cleanup(8) daemon. It is (properly) not possible to turn that removal off.
>
> The pipe(8) daemon can optionally add one or both of Delivered-To and X-Original-To headers that may meet your needs. See the man page for details (in the 'flags' section.)
Relay some domain users to foreign domain, deliver others to virtual mailboxes
I'm sure this can't be the first time this has come up, but my google-foo just isn't strong enough to find what I'm looking for.

Here's the scenario: Postfix is final destination for domain1.tld, and is implemented as virtual mailboxes (no local unix accounts), with mysql lookups. So far so good, and that's easy to setup. u...@domain1.tld either gets delivered to the local mailbox, or rejected.

Now the wrinkle: if u...@domain1.tld doesn't exist, RELAY to u...@domain2.tld (same user in a different domain). domain2.tld exists on another server and the databases are NOT shared.

I've setup an entry in virtual-alias-domains so that @domain1.tld returns @domain2.tld. It's my understanding that should cause u...@domain1.tld to be mapped to u...@domain2.tld according to the virtual(5) readme. That didn't seem to be working, so I thought well maybe it's because I'm not a delay for domain2.tld, so I setup a relay-domains entry that says I'm a relay for domain2.tld (again, all of this is driven by a mysql database).

Whenever I send mail to u...@domain1.tld (where a mailbox actually exists), the mail gets delivered exactly like I'd expect. Whenever I send mail to us...@domain2.tld, it bounces with:

    'Recipient address rejected: User unknown in virtual mailbox table'

Is what I'm attempting to do even possible?

Also, I really don't want to become a backscatter source. Can I turn on address probes for this one domain, or is it pretty much on for everyone?

Thanks in Advance!
Re: Relay some domain users to foreign domain, deliver others to virtual mailboxes
Dynamic routing like if us...@domain1.tld doesn't exist, then forward the mail to us...@domain2.tld is not possible in Postfix (at least not that I'm aware of). Ah, that's what I was really looking for. Thank you. The more I think about this whole idea, the more I think it is a bad idea, from start to finish. [1] http://www.postfix.org/postconf.5.html#reject_unverified_recipient Regards Ansgar Wiechers Once again, thank you for your time.
Change (Postfix) label in mail headers
Hello Postfix-Users, I would like to change the (Postfix) label in my mail headers to a custom label. What do I need to change the code? -- Chris
Re: Why is after-queue content filter executing before-queue?
On 18/05/2012 21:19, Noel Jones wrote: On 5/18/2012 1:06 PM, Chris wrote: Hi Noel, The email from gmail.com in my example log comes in on port 25 - the 1st line in master.cf. If I leave the -o content_filter=lmtp:unix:/tmp/dspam.sock in instead of removing it, then authenticating users who choose to use port 25 in their email clients will also go through dspam as well as non-authenticating users. That is why I need to have this: [Please don't top post. Thanks.] Hi Noel, OK all points taken - thanks. I won't re-include the log because its all there in the original post. OK, you didn't mention that you have users that MUST use port 25. Typically mail submission and incoming mail are separated so that you can easily apply proper policy to each function. You should seriously consider getting authenticated users off of port 25, but that's another discussion. caught by the check_client_access line at the end, which puts them through dspam, but _unfortunately_ before queue. dspam is not running before queue, get that idea out of your head. Well if it's running after queue, then all my before-queue worries (cpu usage, port 25 traffic buildup, performance, reliability) are gone - but Log: May 15 18:30:25 s1 postfix/smtpd[19422]: connect from mail-pb0-f46.google.com[209.85.160.46] May 15 18:30:25 s1 postfix/smtpd[19422]: NOQUEUE: filter: RCPT from mail-pb0-f46.google.com[209.85.160.46]: mail-pb0-f46.google.com[ Plus: postfix-users Postfix rejecting e-mail without providing reason... Wed Oct 31, 2007 http://tech.groups.yahoo.com/group/postfix-users/message/229132 Wietse Venema says NOQUEUE means that either Postfix has not yet created a queue file, or that it is giving the mail to a before-queue content filter. When I came across this post I assumed (given what I saw in the log) that the second half of Wietse's and/or statement was what was happening. 
But if it's the first half then well I have created my own little storm in own little teacup - sorry to involve you and others. As for why mail is going through dspam when you don't intend, you have a configuration error. To get help finding the error, please see: http://www.postfix.org/DEBUG_README.html#mail Mail not is going through dspam when I don't intend, if by when you mean when a non sasl_authenticated connection is received. If you mean before-queue as opposed to after-queue, then yes I don't intend before-queue. In particular, show postconf -n rather than random main.cf snippings; show contents of relevant lookup tables; show unmodified non-verbose logs showing the unwanted behavior (mail addresses may be redacted, but please don't alter anything else). -- Noel Jones !DSPAM:4fb6a0cf193091083363532! Lastly, before appending my postconf -n and master.cf, let me say that I got a strong impression from googling all postfix howtos addressing my requirements that this combination of permit_sasl_authenticated / check_client_access pcre:/etc/postfix/dspam_filter_access is preferred (and seemingly successfully) by several guides to setting up Postfix with a content-filter such as dspam: https://help.ubuntu.com/community/Postfix/Dspam http://diymacserver.com/installing-the-mailserver/the-mailserver-on-snow-leopard/configure-postfix-to-use-dspam-on-snow-leopard/ http://switch.richard5.net/isp-in-a-box-v2/setting-up-dspam/configure-postfix-for-the-dspam-content-filter/ http://www.owlfish.com/thoughts/dovecot-antispam-2011-03-21.html http://dspamwiki.expass.de/Installation/Postfix/NealesSetup It avoids having to configure and maintain separate IP addresses and is tolerant of real-world users who may use port 25 or port 587 (because their ISP has its own mail server proxy on port 25). 
# main.cf: postconf -n -
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = ispan.net
myhostname = s1.ispan.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104
mynetworks_style = host
myorigin = $myhostname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/whitelist_sender_access, check_client_access hash:/etc/postfix/whitelist_host_access,reject_rbl_client sbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_unknown_client_hostname, check_client_access pcre:/etc/postfix/dspam_filter_access
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
Why is after-queue content filter executing before-queue?
/0.21, dsn=2.6.0, status=sent (250 2.6.0 username at example.com Message accepted for delivery)
Apr 24 07:05:02 p2434445 postfix/qmgr[29710]: 7EE4C6EC459: removed

== Config and a log entry from now with auth user bypass, resulting in before-queue: ==

master.cf -
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
127.0.0.1:10024 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

main.cf -
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client sbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_unknown_client_hostname, check_client_access pcre:/etc/postfix/dspam_filter_access
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
dspam_destination_recipient_limit = 1

dspam_filter_access
/^(spam|notspam|ham)@.*$/ OK
/./ FILTER lmtp:[127.0.0.1]:11124

dspam.conf (dspam runs in client/server mode) --
StorageDriver /usr/lib/dspam/libhash_drv.so
TrustedDeliveryAgent /usr/sbin/sendmail
DeliveryHost 127.0.0.1
DeliveryPort 10024
DeliveryIdent localhost
DeliveryProto SMTP
Trust root dspam mail mailnull smmsp daemon postfix
TrainingMode teft
ServerHost 127.0.0.1
ServerPort 11124
ServerQueueSize 32
ServerPID /var/run/dspam/dspam.pid
ServerMode auto
ServerParameters --deliver=innocent -d %u
ServerIdent localhost.localdomain
ClientHost 127.0.0.1
ClientPort 11124
ClientIdent secret@Relay1

/var/log/mail.log -
May 15 18:30:25 s1 postfix/smtpd[19422]: connect from mail-pb0-f46.google.com[209.85.160.46]
May 15 18:30:25 s1 postfix/smtpd[19422]: NOQUEUE: filter: RCPT from mail-pb0-f46.google.com[209.85.160.46]: mail-pb0-f46.google.com[209.85.160.46]: Client host triggers FILTER lmtp:[127.0.0.1]:11124; from=username at gmail.com to=username at example.com proto=ESMTP helo=mail-pb0-f46.google.com
May 15 18:30:25 s1 postfix/smtpd[19422]: C8C216EC3FF: client=mail-pb0-f46.google.com[209.85.160.46]
May 15 18:30:25 s1 postfix/cleanup[19433]: C8C216EC3FF: message-id=CAA_8x_BeEQgv=kn3puqvlr7oio-sjhwz2_g-q3serwdaung...@mail.gmail.com
May 15 18:30:25 s1 postfix/qmgr[19421]: C8C216EC3FF: from=username at gmail.com, size=1684, nrcpt=1 (queue active)
May 15 18:30:26 s1 postfix/smtpd[19438]: connect from localhost[127.0.0.1]
May 15 18:30:26 s1 postfix/smtpd[19438]: 253A06EC4FC: client=localhost[127.0.0.1]
May 15 18:30:26 s1 postfix/cleanup[19433]: 253A06EC4FC: message-id=CAA_8x_BeEQgv=kn3puqvlr7oio-sjhwz2_g-q3serwdaung...@mail.gmail.com
May 15 18:30:26 s1 postfix/qmgr[19421]: 253A06EC4FC: from=username at gmail.com, size=2105, nrcpt=1 (queue active)
May 15 18:30:26 s1 postfix/virtual[19439]: 253A06EC4FC: to=username at example.com, relay=virtual, delay=0.12, delays=0.12/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 15 18:30:26 s1 postfix/qmgr[19421]: 253A06EC4FC: removed
May 15 18:30:26 s1 postfix/smtpd[19438]: disconnect from localhost[127.0.0.1]
May 15 18:30:26 s1 postfix/lmtp[19436]: C8C216EC3FF: to=username at example.com, relay=127.0.0.1[127.0.0.1]:11124, delay=0.76, delays=0.48/0/0.04/0.24, dsn=2.6.0, status=sent (250 2.6.0 username at example.com Message accepted for delivery)
May 15 18:30:26 s1 postfix/qmgr[19421]: C8C216EC3FF: removed

Please, can anybody help me?

Chris
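Reading a log like the one in the post above by queue ID, as an added example (not part of the original post; the sample lines are constructed to match the shape of the posted log, with placeholder hosts and queue IDs, and all function names are hypothetical). The NOQUEUE: filter: line only records the FILTER action chosen at RCPT time; the hand-off to the filter shows up later as an lmtp delivery of a queue ID that qmgr has already made active, which is what after-queue filtering looks like. Only inet filter destinations of the form transport:[host]:port are matched.

```python
import re
from collections import OrderedDict

# Constructed sample, shaped like the log in the post (placeholder hosts and queue IDs).
SAMPLE_LOG = """\
May 15 18:30:25 mx postfix/smtpd[101]: connect from client.example.net[192.0.2.10]
May 15 18:30:25 mx postfix/smtpd[101]: NOQUEUE: filter: RCPT from client.example.net[192.0.2.10]: <client.example.net[192.0.2.10]>: Client host triggers FILTER lmtp:[127.0.0.1]:11124; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<client.example.net>
May 15 18:30:25 mx postfix/smtpd[101]: 1A2B3C4D5E6: client=client.example.net[192.0.2.10]
May 15 18:30:25 mx postfix/cleanup[102]: 1A2B3C4D5E6: message-id=<m1@example.net>
May 15 18:30:25 mx postfix/qmgr[100]: 1A2B3C4D5E6: from=<a@example.net>, size=1684, nrcpt=1 (queue active)
May 15 18:30:26 mx postfix/smtpd[103]: 6F7E8D9C0B1: client=localhost[127.0.0.1]
May 15 18:30:26 mx postfix/cleanup[102]: 6F7E8D9C0B1: message-id=<m1@example.net>
May 15 18:30:26 mx postfix/qmgr[100]: 6F7E8D9C0B1: from=<a@example.net>, size=2105, nrcpt=1 (queue active)
May 15 18:30:26 mx postfix/virtual[104]: 6F7E8D9C0B1: to=<b@example.com>, relay=virtual, delay=0.12, dsn=2.0.0, status=sent (delivered to maildir)
May 15 18:30:26 mx postfix/qmgr[100]: 6F7E8D9C0B1: removed
May 15 18:30:26 mx postfix/lmtp[105]: 1A2B3C4D5E6: to=<b@example.com>, relay=127.0.0.1[127.0.0.1]:11124, delay=0.76, dsn=2.6.0, status=sent (250 2.6.0 Message accepted for delivery)
May 15 18:30:26 mx postfix/qmgr[100]: 1A2B3C4D5E6: removed
""".splitlines()

LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>NOQUEUE|[0-9A-F]{6,}): (?P<rest>.*)$")
FILTER_RE = re.compile(r"triggers FILTER (\S+);")
RELAY_RE = re.compile(r"relay=([^,\s]+)")


def parse(lines):
    """Return (daemon, queue_id, text) for every line that carries a queue ID or NOQUEUE."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("daemon"), m.group("qid"), m.group("rest")))
    return events


def stages(events):
    """Daemons that touched each queue ID, in log order."""
    per_qid = OrderedDict()
    for daemon, qid, _ in events:
        if qid != "NOQUEUE":
            per_qid.setdefault(qid, []).append(daemon)
    return per_qid


def filter_requests(events):
    """FILTER destinations set by smtpd access rules before a queue file existed."""
    dests = []
    for daemon, qid, rest in events:
        m = FILTER_RE.search(rest)
        if daemon == "smtpd" and qid == "NOQUEUE" and rest.startswith("filter:") and m:
            dests.append(m.group(1))
    return dests


def queued_deliveries(events):
    """(queue_id, delivery agent, relay) for deliveries made after qmgr activated the message."""
    active, found = set(), []
    for daemon, qid, rest in events:
        if daemon == "qmgr" and "(queue active)" in rest:
            active.add(qid)
        elif qid in active:
            m = RELAY_RE.search(rest)
            if m:
                found.append((qid, daemon, m.group(1)))
    return found


def classify(lines):
    """For each requested FILTER destination, say whether a queued hand-off to it was logged."""
    events = parse(lines)
    deliveries = queued_deliveries(events)
    report = []
    for dest in filter_requests(events):
        transport, _, nexthop = dest.partition(":")
        port = nexthop.rsplit(":", 1)[-1]
        qids = [q for q, agent, relay in deliveries
                if agent == transport and relay.endswith(":" + port)]
        report.append((dest, "after-queue" if qids else "no queued hand-off seen", qids))
    return report


if __name__ == "__main__":
    for qid, daemons in stages(parse(SAMPLE_LOG)).items():
        print(qid, " -> ".join(daemons))
    for dest, verdict, qids in classify(SAMPLE_LOG):
        print(dest, verdict, qids)
```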
Re: Why is after-queue content filter executing before-queue?
Hi Chad, If I leave the '-o content_filter' in for the smtp service then I assume that authenticating users on port 25 will still pass through the dspam filter because it will apply to all messages. A majority of my users use port 25 as their outbound smtp server port in their mail clients. This is just how it is and it would be a nightmare to get them all to change. So they have the option of 25 or 587. Cheers, Chris On 18/05/2012 17:11, Chad M Stewart wrote: On May 18, 2012, at 7:41 AM, Chris wrote: master.cf - smtp inet n - - - - smtpd -o content_filter=lmtp:unix:/tmp/dspam.sock Why did you remove that last line above? I thought about doing a before queue content filter, but that really kills user's ability to train dspam. :) Submissions should come in on submissions. So removing the content_filter from that in master.cf makes sense. The rest of your previous configuration I would have left alone. Regards, Chad !DSPAM:4fb66699193099832851664!
Re: Why is after-queue content filter executing before-queue?
Hi Noel, The email from gmail.com in my example log comes in on port 25 - the 1st line in master.cf. If I leave the -o content_filter=lmtp:unix:/tmp/dspam.sock in instead of removing it, then authenticating users who choose to use port 25 in their email clients will also go through dspam as well as non-authenticating users. That is why I need to have this: main.cf - smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, . check_client_access pcre:/etc/postfix/dspam_filter_access so that authenticating clients bypass the content filter (regardless if they use ports 25 or 587) and non-authenticating clients get caught by the check_client_access line at the end, which puts them through dspam, but _unfortunately_ before queue. Cheers, Chris On 18/05/2012 17:34, Noel Jones wrote: On 5/18/2012 7:41 AM, Chris wrote: Hi everyone, I am having a problem trying to run dspam as an _after-queue_ content filter on postfix with the restriction that sasl authenticated users bypass dspam. All my users and domains are virtual. When I first installed postfix/dspam/dovecot I did not worry about excluding my authenticating users from dspam filtering, with the result that all mail was tagged by dspam which ran as an after-queue content filter. You're making this too hard. Just set in master.cf submission ... -o content_filter= to unset the content_filter setting for mail coming in through the submission port, and don't bother with access tables and whatnot. As for your other questions, be assured that dspam is still running after-queue. You probably have some problem in your access maps, or in one of the smtpd_*_restrictions that you didn't show. If you need more help, please see http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones !DSPAM:4fb66c1c193099249720649!
message-id discarded on send?
If I submit a message with the following message-id to the postfix sendmail interface using */usr/sbin/sendmail -r...@here.com -t -oi -oem* Message-Id: *58faf4a4-8e6f-4b60-af87-173efa7d3...@here.com* The Postfix sendmail interface receives the message with the specified message-id: Mar 9 03:49:05 howsmy postfix/cleanup[16499]: 3E8C66C12E7: message-id=* 58faf4a4-8e6f-4b60-af87-173efa7d3...@here.com* When the message arrives, it appears not to have a message-id at all, and the receiver generates one. Message-Id: *4f597db2.e7b9ec0a.6395.816dsmtpin_ad...@mx.google.com* If I don't submit a message-id to postfix sendmail, the message-id generated by postfix arrives in the receiving SMTP server correctly as sent. If I try to specify the message-id, apparently nothing gets sent for a message-id field by postfix. What am I missing?
Re: message-id discarded on send?
Awesome! That was it. I assumed my PERL library was doing the for me. I'm hearing the when you assume speech coming on. Thank you!! On Fri, Mar 9, 2012 at 12:15 AM, Noel Jones njo...@megan.vbhcs.org wrote: On 3/8/2012 10:48 PM, Chris Wilson wrote: If I submit a message with the following message-id to the postfix sendmail interface using */usr/sbin/sendmail -r...@here.com mailto:r...@here.com -t -oi -oem* Message-Id: *58faf4a4-8e6f-4b60-af87-173efa7d3...@here.com mailto:58faf4a4-8e6f-4b60-af87-173efa7d3...@here.com* ... What am I missing? (no HTML next time. Thanks.) Your supplied message id is not valid, missing ... Message-ID: 58faf4a4-8e6f-4b60-af87-173efa7d3...@here.com -- Noel Jones
Queue ID with amavisd
Hello Postfix Users :)

I am using Postfix with amavisd.

Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by my.postfix-server.org (Postfix) with ESMTPS no Queue ID

Where is the Postfix queue ID?

my master.cf:

smtpd pass - - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks

--
Chris
Re: Queue ID with amavisd
2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: Hello Postfix Users :) I am using Postfix with amavisd. Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by my.postfix-server.org (Postfix) with ESMTPS no Queue ID Where is the Postfix queue ID? It's logged by the second smtpd, since the first smtpd using smtpd_proxy_filter doesn't issue an queueid Can this be changed? -- Chris
Re: Queue ID with amavisd
2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: 2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: Hello Postfix Users :) I am using Postfix with amavisd. Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by my.postfix-server.org (Postfix) with ESMTPS no Queue ID Where is the Postfix queue ID? It's logged by the second smtpd, since the first smtpd using smtpd_proxy_filter doesn't issue an queueid Can this be changed? Not without getting rid of smtpd_proxy_filter Can I reject mails without smtpd_proxy_filter? -- Chris
Re: Queue ID with amavisd
2012/3/2 /dev/rob0 r...@gmx.co.uk: On Fri, Mar 02, 2012 at 05:32:18PM +0100, Chris wrote: 2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: 2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: I am using Postfix with amavisd. Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by my.postfix-server.org (Postfix) with ESMTPS no Queue ID Where is the Postfix queue ID? It's logged by the second smtpd, since the first smtpd using smtpd_proxy_filter doesn't issue an queueid Can this be changed? Not without getting rid of smtpd_proxy_filter Can I reject mails without smtpd_proxy_filter? At this point you will do better if you back up and describe the problem you're trying to solve. Where/why do you need the queue ID displayed? For diagnostic reasons. -- Chris
Postfix Mailing List
Hi Postfix Users, How to filter messages from this list? I miss something like List-Id: Postfix Mailing List postfix-users.postfix.org -- Chris
Re: postscreen = undesired greylisting ???
2012/2/11 Stan Hoeppner s...@hardwarefreak.com: On 2/10/2012 12:44 PM, Chris wrote: 2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de: The deep inspection and postscreen isn't enabled as well (I think) You mean the deep protocol tests? Can I disable these deep protocol tests in postscreen? I find it interesting that you ignored Wietse's response, posted 10 minutes before your reply to Ralf here, in which Wietse told you the deep protocol tests are disabled by default. You replied to the list (Ralf) 3 times after Wietse's post, which clearly demonstrates you simply ignored it. Maybe you simply don't know who Wietse is? Hard to believe but I guess that's possible. Have you ever visited http://www.postfix.org ? Right on the home page you'll find: What is Postfix? It is Wietse Venema's mail server that started life at IBM research as an alternative to the widely-used Sendmail program. Ever read a Postfix man page? Every one contains: AUTHOR(S) Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Heights, NY 10598, US You may want to pay attention when Wietse replies to you in the future. Hello, I'm so sorry. I didn't know that :) And yes.. I've read the postfix man page ... but I did not notice that. -- Chris
postscreen = undesired greylisting ???
Hello Postfix Users :) I noticed: http://www.postfix.org/POSTSCREEN_README.html#after_220 When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect. This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function? In my point of view this is not RFC compliant. Greylisting delays mail traffic. If I have five incoming mx records running postfix with postscreen... and each time the sender receives a 4xx error ... This is unacceptable. Otherwise, I think postscreen has some nice features and I would like to use it. -- Chris
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: Hello Postfix Users :) I noticed: http://www.postfix.org/POSTSCREEN_README.html#after_220 When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect. This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function? In my point of view this is not RFC compliant. Greylisting delays mail traffic. Technically not possible. If I have five incoming mx records running postfix with postscreen... and each time the sender receives a 4xx error ... This is unacceptable. If you let the MX share one memcache instance, the second MX to receive a connection will immediately accept it. Works like a charm here. Okay, I see. That would be a solution. How did you realize that? -- Chris
Re: postscreen = undesired greylisting ???
2012/2/10 /dev/rob0 r...@gmx.co.uk: On Fri, Feb 10, 2012 at 07:11:50PM +0100, Chris wrote: I noticed: http://www.postfix.org/POSTSCREEN_README.html#after_220 When a good client passes the deep protocol tests, postscreen(8) adds the client to the temporary whitelist but it cannot hand off the live connection to a Postfix SMTP server process in the middle of the session. Instead, postscreen(8) defers mail delivery attempts with a 4XX status, logs the helo/sender/recipient information, and waits for the client to disconnect. This is greylisting...and i hate greylisting... Is it possible to disable this postscreen greylisting function? Read a bit more. It IS disabled unless you specifically enable it. Postscreen? Or what do you mean? IME it is not quite as annoying as real greylisting, when a lower priority MX is bound on the same host (see MX Policy Test, a Postfix 2.9 feature.) Some clients will immediately try the lower priority MX, and be accepted. You mean 2 MX records for each host? That does not solve the problem, if you have multiple inbound mx servers. Then doubled the number of MX records. But the problem remains the same. -- Chris
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: If you let the MX share one memcache instance, the second MX to receive a connection will immediately accept it. Works like a charm here. Okay, I see. That would be a solution. How did you realize that? On both my boxes I'm using: postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen_cache.cf containing: memcache = inet:mail.charite.de:11211 # Non-shared postscreen cache. backup = proxy:btree:/var/lib/postfix/postscreen_cache and on mail.charite.de I'm starting memcached like this: /usr/bin/memcached -m 64 -p 11211 -u nobody -l 141.42.202.200 Ralf, that would be an acceptable solution for me. Thank you for that. -- Chris
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: Read a bit more. It IS disabled unless you specifically enable it. Postscreen? Or what do you mean? The deep inspection and postscreen isn't enabled as well (I think) You mean the deep protocol tests? Can I disable these deep protocol tests in postscreen? -- Chris
Re: postscreen = undesired greylisting ???
2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: The deep inspection and postscreen isn't enabled as well (I think) You mean the deep protocol tests? The stuff with the deep in it, yes Can I disable these deep protocol tests in postscreen? By default they're not enabled :) according to http://www.postfix.org/POSTSCREEN_README.html#after_220 which you already quoted. They are being enabled like this: * Command pipelining test postscreen_pipelining_enable = yes * Non-SMTP command test postscreen_non_smtp_command_enable = yes * Bare newline test postscreen_bare_newline_enable = yes The defaults are: mail:~# postconf -d|egrep postscreen_.*_enable postscreen_bare_newline_enable = no postscreen_non_smtp_command_enable = no postscreen_pipelining_enable = no I've disabled these deep protocol tests now... Now everything should be okay. [root@mx04 ~]# postconf -n | grep postscreen postscreen_access_list = permit_mynetworks postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = ix.dnsbl.manitu.net, zen.spamhaus.org, b.barracudacentral.org, list.dnswl.org*-2 postscreen_dnsbl_threshold = 1 postscreen_greet_action = drop With this configuration, it should be no 4xx error for new IPs? Thank you for your help. -- Chris
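Added example (not part of the original thread): a Python check that answers the question above from `postconf -n` output, reporting which of the three after-220 tests named in the thread are enabled and therefore whether a new client gets the 4xx deferral. `POSTED_CONFIG` repeats the postscreen settings posted above; the other two samples and all function names are constructed for illustration.

```python
# The three "after 220 greeting" tests named in the thread; all default to "no".
DEEP_TESTS = (
    "postscreen_pipelining_enable",
    "postscreen_non_smtp_command_enable",
    "postscreen_bare_newline_enable",
)

# postscreen settings as posted in the thread, one parameter per line.
POSTED_CONFIG = """\
postscreen_access_list = permit_mynetworks
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = ix.dnsbl.manitu.net, zen.spamhaus.org, b.barracudacentral.org, list.dnswl.org*-2
postscreen_dnsbl_threshold = 1
postscreen_greet_action = drop
"""

# Constructed variants: one deep test switched on, then the same with the
# memcache-backed cache map from the earlier reply in this thread.
WITH_DEEP_TESTS = POSTED_CONFIG + "postscreen_bare_newline_enable = yes\n"
WITH_SHARED_CACHE = WITH_DEEP_TESTS + (
    "postscreen_cache_map = memcache:/etc/postfix/memcache-postscreen_cache.cf\n"
)


def parse_postconf(text):
    """Parse `postconf -n` style output ("name = value" per line) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def enabled_deep_tests(params):
    """Return the after-220 tests that are switched on (absent means default 'no')."""
    return [t for t in DEEP_TESTS if params.get(t, "no").lower() == "yes"]


def classify(text):
    """Say whether a first-time client is deferred with 4xx by this configuration."""
    params = parse_postconf(text)
    tests = enabled_deep_tests(params)
    cache = params.get("postscreen_cache_map", "")
    if not tests:
        verdict = "no-deferral"
    elif cache.startswith("memcache:"):
        # Only true if every MX points at the same memcache instance.
        verdict = "deferral-once-if-cache-is-shared"
    else:
        # A local cache means each MX defers the client on its own first contact.
        verdict = "deferral-on-every-mx"
    return {"deep_tests": tests, "cache_map": cache, "verdict": verdict}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG),
                       ("deep tests on", WITH_DEEP_TESTS),
                       ("deep tests + memcache", WITH_SHARED_CACHE)):
        print(label, classify(cfg))
```

On a live host the input would be the output of `postconf -n`; whether a memcache map is really shared between MX hosts has to be checked in the referenced `.cf` file on each host.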
Re: postscreen = undesired greylisting ???
2012/2/10 Wietse Venema wie...@porcupine.org: Chris: 2012/2/10 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: Read a bit more. It IS disabled unless you specifically enable it. Postscreen? Or what do you mean? The deep inspection and postscreen isn't enabled as well (I think) You mean the deep protocol tests? Can I disable these deep protocol tests in postscreen? Deep protocol checks are disabled by default. Okay, in other words: By default postscreen is RFC compliant without greylisting? Then there was a configuration error on my part. -- Chris
Postfix primary mail server behind NAT firewall
Hello all, I have a situation where I need to quickly move my Postfix server to another system. The problem is it will temporarily be sitting behind a NAT firewall. The current setup is a single Postfix+Dovecot mail server sitting on a Public IP. I want to move the configuration and mailboxes onto another system, but it will be listening on a 192.168/24 IP address. I will forward port 25 to this IP (the IMAP stuff should be fine). Do I need to do anything special like add a proxy_interfaces line to the configuration or should it just work as is? Thanks! Chris -- Chris Horry zer...@wibble.co.uk http://www.wibble.co.uk
Re: Only allow specific sasl-authenticated users to relay
On Fri, November 4, 2011 12:07 pm, Viktor Dukhovni wrote: If this is an MX host, you need to allow mail to your own domains before you reject to, otherwise only your own users will be able to send you email. Since the sender address and the SASL login account are not necessarily the same. You also need to use reject_authenticated_sender_login_mismatch. So the whole thing boils down to: smtpd_sender_restrictions = permit_auth_destination, permit_mynetworks, check_sender_access mysql:/etc/postfix/mysql_sender_access.cf, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated You then also need smtpd_sender_login_maps and each authenticated user will be constrained to only use the designated sender addresses. If that's too much pain or is overly restrictive, perhaps as others have tried to point out you may be solving the wrong problem, just configure the authentication layer to lock the abused accounts and work on preventing re-compromise of any accounts you plan to re-enable. Thanks Victor, Noel, and Reindl, for your responses. Victor, yes I figured out about reject_authenticated_sender_login_mismatch and smtpd_sender_login_maps. I'm still working that out, but I don't believe that is going to be an issue. Yes, I agree that I'm attacking the wrong end of this problem; unfortunately that's not my call. Others who 'know more' than me have made that decision. Thanks again.
Only allow specific sasl-authenticated users to relay
I've got a situation where some clients on my network apparently have computers that have been compromised because every time they change their password, spammers on the outside get it and use their email account to spam. I've got the server right now configured to only allow users within my network to send e-mail, so that particular problem is under control, but this necessarily means that users OUTSIDE my network cannot relay, even if they sasl-auth. In looking through the documentation and readmes, I've come across the smtpd_client_restrictions setting, and the check_client_access clause. Am I right in guessing that if I do something like the following: smtpd_sender_restrictions = permit_mynetworks, check_sender_access mysql:/etc/postfix/mysql_sender_access.cf, permit_sasl_authenticated, reject; where check_sender_access returns 'dunno' for 'trusted' clients and 'no' for 'untrusted' clients, that the result will be to fall through to permit_sasl_auth for the 'trusted' clients and fail entirely for the 'untrusted' clients who are OUTSIDE, but still permit normal relay for clients who are INSIDE? Thanks in advance for your help. Chris
Re: alias all users in one domain to another domain
On Mon, October 24, 2011 12:28 am, Noel Jones wrote: On 10/23/2011 10:06 PM, Chris Richards wrote: My question is this: how do I setup to alias all of my users in domain A so that they also appear in domain B, and do so WITHOUT turning my server into a backscatter source? virtual_alias_maps is the feature you need. But *don't* use @domain wildcards, rather use 1-1 mapping for each user. us...@example.com us...@example.org us...@example.com us...@example.org userN... Use a script to generate the file. If you're using SQL maps, you can query for a user in one domain and return a result in another domain. Examples have been posted here in the past. Many thanks Noel. Doing the 1-1 mapping was what I was thinking, since I already have that functionality in place. I just didn't want to have to remap 1,096 users (although a properly constructed SQL query/insert should do the trick). In general I dislike 'magic' SQL queries (like querying for a user in one domain and returning a result in another) because they hide too much of what is going on with the server. Too easy to get bitten by something that's hidden in the bowels of the beast. Thanks again. Chris
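Added example (not part of the original thread): one way to script the 1-1 `virtual_alias_maps` file recommended above, in Python. The domain names, the mailbox list and the name `build_alias_map` are placeholders constructed for illustration; catch-all `@domain` entries are refused because they would make every address in the shadow domain look valid at RCPT time.

```python
# Constructed sample: mailboxes as they might be exported from the virtual
# users table. example.org stands for the real domain, example.com for the shadow.
SAMPLE_MAILBOXES = [
    "alice@example.org",
    "Bob@Example.org",        # differs only in case from the canonical form
    "alice@example.org",      # duplicate row
    "@example.org",           # catch-all entry: must never reach the alias map
    "carol@other.example",    # belongs to a different hosted domain
]


def build_alias_map(mailboxes, real_domain, shadow_domain):
    """Return (lines, skipped) for a 1-1 virtual alias map.

    Each line maps local@shadow_domain to local@real_domain, so only
    recipients that really exist become valid in the shadow domain.
    """
    real_domain = real_domain.lower()
    shadow_domain = shadow_domain.lower()
    entries = {}
    skipped = []
    for raw in mailboxes:
        # Lower-cased so rows differing only in case collapse into one entry.
        addr = raw.strip().lower()
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or any(c.isspace() for c in local):
            skipped.append((raw, "not a full user@domain address"))
            continue
        if domain != real_domain:
            skipped.append((raw, "outside the real domain"))
            continue
        entries[f"{local}@{shadow_domain}"] = f"{local}@{real_domain}"
    lines = [f"{alias} {target}" for alias, target in sorted(entries.items())]
    return lines, skipped


def render(lines):
    """Text of the map file, ready for postmap or for loading into a table."""
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    lines, skipped = build_alias_map(SAMPLE_MAILBOXES, "example.org", "example.com")
    print(render(lines), end="")
    for raw, reason in skipped:
        print(f"# skipped {raw!r}: {reason}")
```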
alias all users in one domain to another domain
Ok, I'm sure that this has been discussed somewhere, but my google-foo is not strong enough to find the answers I'm looking for, so I'm throwing myself at your mercy. Pointers to the relevant docs would be greatly appreciated. My mail server is hosting many domains, and is configured along the lines of the virtual domain how-to documentation: all users and domains are virtual. I've recently taken over operation of a mail domain which has actual recipients (i.e. they exist in my virtual users table, and the virtual agent delivers mail to them). However, each of these users ALSO exists in another virtual domain, which is nothing more than a 'shadow'. My question is this: how do I setup to alias all of my users in domain A so that they also appear in domain B, and do so WITHOUT turning my server into a backscatter source? I've read the documentation for the virtual-alias-domains setting and it appears that it would do what I want, EXCEPT that there is no validation done that the user receiving mail actually exists until AFTER the mail has been received. This is precisely what I wish to avoid. Is there a way to make postfix verify if the ultimate recipient actually exists when you are doing aliasing? Do I need to do some kind of rewrite with canonical_maps or something? Thanks in advance, Chris
Re: Multiple Domains, Mail Gateway, Two Mail Servers
On 8/7/2011 11:02 AM, Jeroen Geilman wrote: On 2011-08-07 17:08, Jim Seymour wrote: Wow, over 48 hours and no solution(s) suggested? Everybody on vacation? :) Don't hijack another poster's thread. And yes, it IS the summer vacation. Sorry, I must have missed something; whose thread was hijacked? Chris
Re: multiple ssl certificates for multiple domains but just one IP
On Thu, 03 Feb 2011 08:16:58 -0800, Alokat mail...@alokat.org wrote: On 02/03/2011 05:03 PM, Victor Duchovni wrote: On Thu, Feb 03, 2011 at 10:30:33AM -0500, Wietse Venema wrote: Alokat: Hi, I have a server which accepts eMails for multiple Domains. And I wanna provide for each Domain a SSL certificate. How can I use SNI (Server Name Indication) with postfix or is there another way to solve this problem? This is not yet implemented in Postfix. One option is to use nginx as a proxy. It supports multiple SSL and non-SSL server names on one IP address (http://wiki.nginx.org/HttpSslModule). Are there any MUAs that send the SNI extension? Even if a server supports SNI, it does no good if none of the clients join the club. I am not aware of any MTAs that send SNI extensions, nor with all the complexities of MX records, recipient domains, flexible matching rules, ... is it at all clear which name an SMTP client (MTA) should request. For MUAs reaching a submission server, the picture is much more simple, so this is perhaps viable, but which MUAs are SNI enabled? Okay ... thanks for all your comments. So how would you solve my problem? Multiple Instances? Regards, Alokat You can get a multi-domain SSL certificate. It is one certificate that lists all the domains for which it is valid. -- Chris
Re: Root privileges
On 30 Jan 2011, at 18:46 , Victor Duchovni wrote: On Mon, Jan 31, 2011 at 08:02:28AM +0530, varad gupta wrote: Thanx for all the replies - I now understand the reason for master daemon to run with superuser privileges. They were really helpful. But then, is postfix not running the same risk as sendmail ? No. Does it mean, that unless run in a chroot environment, postfix is susceptible to the same risks as sendmail and gives an attacker capability of causing similar damage (despite having a far better system of tasks divided amongst various unprivileged processes designed to perform specific tasks) ? No. -- Viktor. I don't know how accurate my interpretation is, but the way I see it, postfix's master process, if hacked, would obviously present a lot of problems. But since it does less, it's also less open to hacks. For example, an empty program that does nothing cannot be hacked or exploited in any way because there is nothing to exploit. By moving most of the functions out of the master process, even if the other processes have flaws, they aren't privileged. Someone else can feel free to correct me. Chris
Re: Require TLS and authentication with Postfix + Dovecot
On Sun, Nov 21, 2010 at 10:18 PM, zhong ming wu mr.z.m...@gmail.com wrote: On this list you will be asked for output of postconf -n and not what you think is relevant. Fair enough. I am going to try some things and if I am still having problems, will submit my full configuration to the list. This is deprecated in favor of smtpd_tls_security_level for your version of postfix. http://www.postfix.org/TLS_README.html Plus smtpd_use_tls=yes is the not the right config to use even with older version. Thanks, I must not have read the TLS document carefully enough. I'm going back over it now. On Mon, Nov 22, 2010 at 12:00 PM, Victor Duchovni victor.ducho...@morganstanley.com wrote: It is not obvious to me which reasons you have in mind, you should be explicit about your security goals. What threats do you want to mitigate? You also don't specify whether your server is an MSA only, or also an MX host. It appears the problem is more complicated than I previously thought. I think I am misunderstanding the intent of some of these security measures. My goals are simply to responsibly run an MX host that will not be abused by spammers and subsequently blacklisted. I was working with the preconceived notion that anonymous SMTP is always bad and should be disabled to prevent running an open relay; I see now that this is inaccurate and I'm reassessing my plans accordingly. Postfix can't offer SASL mechanisms that Dovecot is not configured to use. Other than that, you configure Postfix policy in Postfix. OK, that is what I suspected, and it makes sense, thanks. smtpd_tls_auth_only = yes With this SASL AUTH will NOT be available without TLS. So, this setting doesn't *require* TLS for SASL authentication, it *disables* SASL for non-TLS traffic. Is that accurate? If you are able to submit email without TLS or SASL auth, you are reporting configuration settings from the wrong main.cf file, or have substantial overrides of these parameters in master.cf. 
Thank you for your detailed response, I am going to reevaluate my settings and may post again on this list if I continue to have problems. Chris
Oddly formatted date (malformed even)
I have a mail sent across my LAN (from postfix to postfix) whose headers start as follows:- From r...@zbmc.eu Tue Nov 23 08: 2:13 2010 Return-Path: r...@zbmc.eu X-Original-To: root Delivered-To: r...@zbmc.eu Received: by mws.zbmc.eu (Postfix, from userid 0) id 1282856013B; Tue, 23 Nov 2010 08:42:13 + (GMT) From: Cron Daemon r...@zbmc.eu To: r...@zbmc.eu Subject: Cron r...@mws test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.daily ) Content-Type: text/plain; charset=ANSI_X3.4-1968 X-Cron-Env: SHELL=/bin/sh X-Cron-Env: PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin X-Cron-Env: HOME=/root X-Cron-Env: LOGNAME=root Message-Id: 20101123084213.12828560...@mws.zbmc.eu Date: Tue, 23 Nov 2010 06:45:52 + (GMT) Status: RO Content-Length: 983 Is that 08: 2:13 correct/allowed? It's also a bit odd in that the mail actually arrived in my inbox (also on the same LAN) at around 11:40 so it seems to have taken an awfully long time for this E-Mail to get delivered. Should I be worried? -- Chris Green
Are subdomains in mydestination redundant?
Currently my mydestination line looks like:- zbmc.eu, dps.zbmc.eu, localhost This is on the mail server which receives E-Mail from the 'outside world' from whose point of view my system is zbmc.eu. Is the dps.zbmc.eu entry actually necessary or will mail for dps.zbmc.eu be accepted anyway because mail for zbmc.eu is accepted? There are likely *some* E-Mails sent to some...@dps.zbmc.eu from within the LAN. -- Chris Green
Re: Are subdomains in mydestination redundant?
On Tue, Nov 23, 2010 at 06:42:11AM -0600, Noel Jones wrote: On 11/23/2010 6:00 AM, Chris G wrote: Currently my mydestination line looks like:- zbmc.eu, dps.zbmc.eu, localhost This is on the mail server which receives E-Mail from the 'outside world' from whose point of view my system is zbmc.eu. Is the dps.zbmc.eu entry actually necessary or will mail for dps.zbmc.eu be accepted anyway because mail for zbmc.eu is accepted? There are likely *some* E-Mails sent to some...@dps.zbmc.eu from within the LAN. Subdomains are not automatically included in mydestination, they must be listed explicitly. You must list dps.zbmc.eu in mydestination. OK, thank you. -- Chris Green (at server dps)
myorigin, myhostname and mydomain usage behind a NAT router - what's the best approach?
I have several machines behind a NAT router which run postfix. Some of these machines are desktop machines with real users who create and send mail while others are (usually headless) servers where the only mail is generally that sent by cron jobs and other similar status information. All of the status messages from all machines on the network are sent to me on my desktop machine (using /etc/aliases to point all destinations to my E-Mail). Thus I'd like to preserve the (local) name of the sending system in these messages so I can identify where an error message has come from. E.g. I want messages from postmaster/root/cron on my dps server to be distinguishable from similar messages from the server called mws. This means (I think) that I want to set the myorigin parameter to the machine's name on the LAN (e.g. dps.zbmc.eu or mws.zbmc.eu). This is how I have things set at the moment. However for mail going to the outside world (which does get sent from mws.zbmc.eu in particular) I think myorigin should be zbmc.eu as that is how the outside world sees my systems. In addition, having myorigin set to dps.zbmc.eu, mws.zbmc.eu, chris.zbmc.eu means that the mail headers have invalid/unknown host names in the headers as these host names only exist on my LAN. So, is there a way to get what I want? It's surely quite a common situation. -- Chris Green
Re: myorigin, myhostname and mydomain usage behind a NAT router - what's the best approach?
On Thu, Nov 18, 2010 at 01:14:29PM -0500, Wietse Venema wrote: Chris G: I have several machines behind a NAT router which run postfix. Some of these machines are desktop machines with real users who create and send mail while others are (usually headless) servers where the only mail is generally that sent by cron jobs and other similar status information. All of the status messages from all machines on the network are sent to me on my desktop machine (using /etc/aliases to point all destinations to my E-Mail). Thus I'd like to preserve the (local) name of the sending system in these messages so I can identify where an error message has come from. E.g. I want messages from postmaster/root/cron on my dps server to be distinguishable from similar messages from the server called mws. This means (I think) that I want to set the myorigin parameter to the machine's name on the LAN (e.g. dps.zbmc.eu or mws.zbmc.eu). This is how I have things set at the moment. However for mail going to the outside world (which does get sent from mws.zbmc.eu in particular) I think myorigin should be zbmc.eu as that is how the outside world sees my systems. In addition, having myorigin set to dps.zbmc.eu, mws.zbmc.eu, chris.zbmc.eu means that the mail headers have invalid/unknown host names in the headers as these host names only exist on my LAN. So, is there a way to get what I want? It's surely quite a common situation. See: http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade http://www.postfix.org/postconf.5.html#masquerade_exceptions http://www.postfix.org/postconf.5.html#masquerade_domains http://www.postfix.org/postconf.5.html#masquerade_classes Thanks! BTW this topic has nothing to do with NAT routers. Well, it's a NAT router that hides my LAN from the outside world. -- Chris Green
Re: myorigin, myhostname and mydomain usage behind a NAT router - what's the best approach?
On Thu, Nov 18, 2010 at 01:15:24PM -0500, Victor Duchovni wrote: On Thu, Nov 18, 2010 at 06:03:26PM +, Chris G wrote: E.g. I want messages from postmaster/root/cron on my dps server to be distinguishable from similar messages from the server called mws. http://www.postfix.org/MULTI_INSTANCE_README.html#quick This means (I think) that I want to set the myorigin parameter to the machine's name on the LAN (e.g. dps.zbmc.eu or mws.zbmc.eu). This is how I have things set at the moment. However for mail going to the outside world (which does get sent from mws.zbmc.eu in particular) I think myorigin should be zbmc.eu as that is how the outside world sees my systems. In addition, having myorigin set to dps.zbmc.eu, mws.zbmc.eu, chris.zbmc.eu means that the mail headers have invalid/unknown host names in the headers as these host names only exist on my LAN. You can use internal addresses internally and map them on the way out, or use external addresses everywhere (better I think) and deliver some of these locally via virtual_alias_maps. All the tools (canonical, virtual and generic rewriting) are described in ADDRESS_REWRITING_README.html. Avoid sender_canonical_maps, it is semantically wrong in most cases. Avoid masquerading (at least for inbound mail) as it is difficult to combine with recipient validation. Thanks too - I'll go and have a good read. -- Chris Green
Re: myorigin, myhostname and mydomain usage behind a NAT router - what's the best approach?
On Thu, Nov 18, 2010 at 01:39:34PM -0500, Victor Duchovni wrote: Larger sites tend to run with virtual_alias_domains valid both inside and outside, with internal rewriting to direct each user's mail to the right mail store. Internal-only email address namespaces are more in SOHO sites, you could also peruse SOHO_README.html. That's me/us (SOHO I mean), we have only 10 or so systems on our LAN. Although we do have a 'real' domain name so some of it doesn't apply. I did use the information there about setting up SASL a while ago. -- Chris Green
Re: A question about myorigin, myhostname, etc.
On Tue, Nov 16, 2010 at 02:34:50PM -0500, Brian Evans - Postfix List wrote: On 11/16/2010 2:03 PM, Chris G wrote: Er, it's Postfix isn't it? :-) Or have I misunderstood completely (quite likely!). When I 'telnet mws.zbmc.eu 25' from the client it does connect to mws.zbmc.eu (192.168.1.4) and mws.zbmc.eu reports the connection to be coming from 192.168.1.2 which is dps.zbmc.eu. OK.. according to your first post: relayhost = mws.zbmc.eu What happens when you do host -t MX mws.zmbc.eu or dig -t MX mws.zmbc.eu? Does it respond with mws.zmbc.eu? According to http://www.postfix.org/postconf.5.html#relayhost, the form above says look up with MX records first in DNS, then USE A records If you wish to bypass MX records, use: relayhost = [mws.zbmc.eu] That's one answer of course, thanks, for the moment I have changed my local DNS server so that it returns a LAN address for zbmc.eu as well as mws.zbmc.eu. If that causes other issues (I don't think it will) then I'll use the above [] syntax. -- Chris Green
Re: A question about myorigin, myhostname, etc.
On Wed, Nov 17, 2010 at 11:47:45AM +, Chris G wrote: ... and that has resolved the DNS/IP problem at least though I'm still getting relaying denied. So now the relayhost (192.168.1.4) is rejecting the E-Mail from the client (192.168.1.2) even though I have:- mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.1.0/32 Here is the line from the server's (192.168.1.4) mail.log :- Nov 17 11:36:25 mws postfix/smtpd[2719]: NOQUEUE: reject: RCPT from dps.zbmc.eu[192.168.1.2]: 554 5. 7.1 ch...@halon.org.uk: Relay access denied; from=ch...@dps.zbmc.eu to=ch...@halon.org.uk proto=ESMTP helo=dps.zbmc.eu So what's still wrong? Er, um, how silly! That 192.168.1.0/32 should, of course, be 192.168.1.0/24. I've no idea where the /32 crept in. Finally all working, thanks for the help everyone. -- Chris Green
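Added example (not part of the original post): the `/32` versus `/24` mistake above, and the earlier rejection of 84.45.228.40 in this thread, replayed with Python's `ipaddress` module. The helper names are hypothetical, the log lines are constructed after the ones quoted in the thread with a placeholder recipient, the mynetworks strings are shortened versions of the posted value, and the `.0/32` warning is a heuristic of this example rather than a Postfix check.

```python
import ipaddress
import re

# Constructed mynetworks values modelled on the thread.
BROKEN = "127.0.0.0/8 [::1]/128 192.168.1.0/32"
FIXED = "127.0.0.0/8 [::1]/128 192.168.1.0/24"

# Constructed log lines in the shape of the rejects quoted in the thread.
SAMPLE_LOG = """\
Nov 16 16:04:20 mws postfix/smtpd[31242]: NOQUEUE: reject: RCPT from unknown[84.45.228.40]: 554 5.7.1 <user@example.org>: Relay access denied; proto=ESMTP helo=<dps.zbmc.eu>
Nov 17 11:36:25 mws postfix/smtpd[2719]: NOQUEUE: reject: RCPT from dps.zbmc.eu[192.168.1.2]: 554 5.7.1 <user@example.org>: Relay access denied; proto=ESMTP helo=<dps.zbmc.eu>
"""

REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[([0-9A-Fa-f:.]+)\]: 554 .*Relay access denied"
)


def parse_mynetworks(value):
    """Return (networks, warnings) for a mynetworks value."""
    networks, warnings = [], []
    for token in value.replace(",", " ").split():
        # Postfix writes IPv6 patterns as [addr]/len; ipaddress wants addr/len.
        cidr = token.replace("[", "").replace("]", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            # File names and type:table entries are not evaluated here.
            warnings.append(f"{token}: not an address pattern, skipped")
            continue
        networks.append(net)
        # Heuristic: a /32 on an address ending in .0 is usually a typo.
        if (net.version == 4 and net.prefixlen == 32
                and int(net.network_address) & 0xFF == 0):
            wider = ipaddress.ip_network(f"{net.network_address}/24")
            warnings.append(f"{token}: matches one address only; did you mean {wider}?")
    return networks, warnings


def client_permitted(client_ip, mynetworks_value):
    """True if the connecting address falls inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    networks, _ = parse_mynetworks(mynetworks_value)
    return any(addr in net for net in networks)


def diagnose(log_text, mynetworks_value):
    """For each 'Relay access denied' line, pair the client IP with the mynetworks verdict."""
    results = []
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            ip = match.group(1)
            results.append((ip, client_permitted(ip, mynetworks_value)))
    return results


if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, diagnose(SAMPLE_LOG, value), parse_mynetworks(value)[1])
```

A client that is still reported as not permitted after the prefix is corrected, like 84.45.228.40 here, is connecting from an address outside the LAN range, which points at name resolution or routing rather than at mynetworks.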
Re: A question about myorigin, myhostname, etc.
On Wed, Nov 17, 2010 at 02:04:57PM -0500, Victor Duchovni wrote: On Wed, Nov 17, 2010 at 06:32:24PM +, Chris G wrote: It is not legal for a DNS CNAME RRset to coexist with other data for the same domain name. Nor should you have multiple CNAME records for the same domain. If mdw.zmbc.edu is a host with A records, it must not be a CNAME. If it is an alias to another domain, it must not be a host with A records. You need to fix your DNS data. There isn't a zone file as such for mws, DNS is provided by a minimal DNS server called dnsmasq running on 192.168.1.2 - I guess I need to address your points to the dnsmasq gurus/maintainers and see what they say. I would expect that dnsmasq is documented, and the documentation should cover sufficient detail to help you avoid this illegal RRset combination. You should only bother the gurus/maintainers if the documentation is incomplete or observed behaviour deviates from the documentation. Yes, of course, OK. But I have a virtually default dnsmasq installation so I can't glean much from the documentation as I haven't really configured anything away from default. It's a quiet list! :-) -- Chris Green
A question about myorigin, myhostname, etc.
I have a small SoHo network of machines and I have postfix installed on most of them for sending mail. The machines sit behind a NAT router which connects them to the internet, the domain name (as seen from the outside world) is zbmc.eu. All the machines are running xubuntu 10.04 and have postfix 2.7.0. Within the LAN behind the router the machines have names like chris.zbmc.eu, mws.zbmc.eu, dps.zbmc.eu and so on. Most things are working OK, I can send and receive mail on my desktop machine OK via my ISP's smarthost and I get local messages OK. My problem has arisen on one of the machines which is a headless server, it's dps.zbmc.eu. I want E-Mail from that machine to be sent out via the mailhub machine on the network which is mws.zbmc.eu. The problem is that, whatever I try, the mailhub machine sees mail sent from dps.zbmc.eu as coming from zbmc.eu (well, its IP) and rejects it with a 'relaying denied' message. The bottom of /etc/postfix/main.cf on dps.zbmc.eu is:- myhostname = dps.zbmc.eu alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = dps.zbmc.eu, localhost.zbmc.eu, localhost relayhost = mws.zbmc.eu mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 mailbox_command = procmail -a $EXTENSION mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = loopback-only inet_protocols = ipv4 What I see in /var/log/mail.log is:- Nov 16 16:04:20 mws postfix/smtpd[31242]: connect from unknown[84.45.228.40] Nov 16 16:04:20 mws postfix/smtpd[31242]: NOQUEUE: reject: RCPT from unknown[84.45.228.40]: 554 5.7. 1 ch...@halon.org.uk: Relay access denied; from=ch...@dps.zbmc.eu to=ch...@halon.org.uk proto=ESMTP helo=dps.zbmc.eu Nov 16 16:04:20 mws postfix/smtpd[31242]: disconnect from unknown[84.45.228.40] So why does postfix see the connection as if it comes from 84.45.228.40? It's as if it thinks the connection is from zbmc.eu as opposed to dps.zbmc.eu but everything is set to say I'm sending from dps.zbmc.eu. 
The command 'host dps.zbmc.eu' returns 'dps.zbmc.eu has address 192.168.1.2' on both dps.zbmc.eu and on mws.zbmc.eu. (Oh, /etc/mailname contains dps.zbmc.eu too) Any help or suggestions would be most welcome, I can supply more information if needed. A rejected message is as follows:- Date: Tue, 16 Nov 2010 16:02:54 + (GMT) From MAILER-DAEMON Tue Nov 16 16: 2:54 2010 From: Mail Delivery System mailer-dae...@dps.zbmc.eu To: ch...@dps.zbmc.eu Subject: Undelivered Mail Returned to Sender [-- Attachment #1: Notification --] [-- Type: text/plain, Encoding: 7bit, Size: 0.5K --] This is the mail system at host dps.zbmc.eu. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system ch...@halon.org.uk: host zbmc.eu[84.45.228.40] said: 554 5.7.1 ch...@halon.org.uk: Relay access denied (in reply to RCPT TO command) [-- Attachment #2: Delivery report --] [-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --] Reporting-MTA: dns; dps.zbmc.eu X-Postfix-Queue-ID: E83EE100283 X-Postfix-Sender: rfc822; ch...@dps.zbmc.eu Arrival-Date: Tue, 16 Nov 2010 16:02:53 + (GMT) Final-Recipient: rfc822; ch...@halon.org.uk Action: failed Status: 5.7.1 Remote-MTA: dns; zbmc.eu Diagnostic-Code: smtp; 554 5.7.1 ch...@halon.org.uk: Relay access denied [-- Attachment #3: Undelivered Message --] [-- Type: message/rfc822, Encoding: 7bit, Size: 0.5K --] Return-Path: ch...@dps.zbmc.eu Received: by dps.zbmc.eu (Postfix, from userid 1000) id E83EE100283; Tue, 16 Nov 2010 16:02:53 + (GMT) Date: Tue, 16 Nov 2010 16:02:53 + From: Chris Green ch...@dps.zbmc.eu To: ch...@halon.org.uk Subject: Test message Message-ID: 20101116160253.ga1...@dps.zbmc.eu MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: 
Mutt/1.5.20 (2009-06-14) This is a test -- Chris Green (at server dps) -- Chris Green
Re: A question about myorigin, myhostname, etc.
On Tue, Nov 16, 2010 at 11:52:36AM -0500, Randy Ramsdell wrote:

Chris G wrote:

I have a small SoHo network of machines and I have postfix installed on most of them for sending mail. The machines sit behind a NAT router which connects them to the internet, the domain name (as seen from the outside world) is zbmc.eu. All the machines are running xubuntu 10.04 and have postfix 2.7.0. Within the LAN behind the router the machines have names like chris.zbmc.eu, mws.zbmc.eu, dps.zbmc.eu and so on.

Most things are working OK, I can send and receive mail on my desktop machine OK via my ISP's smarthost and I get local messages OK.

My problem has arisen on one of the machines which is a headless server, it's dps.zbmc.eu. I want E-Mail from that machine to be sent out via the mailhub machine on the network which is mws.zbmc.eu. The problem is that, whatever I try, the mailhub machine sees mail sent from dps.zbmc.eu as coming from zbmc.eu (well, its IP) and rejects it with a 'relaying denied' message.

The bottom of /etc/postfix/main.cf on dps.zbmc.eu is:-

    myhostname = dps.zbmc.eu
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = dps.zbmc.eu, localhost.zbmc.eu, localhost
    relayhost = mws.zbmc.eu
    mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
    mailbox_command = procmail -a $EXTENSION
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = loopback-only
    inet_protocols = ipv4

What I see in /var/log/mail.log is:-

    Nov 16 16:04:20 mws postfix/smtpd[31242]: connect from unknown[84.45.228.40]
    Nov 16 16:04:20 mws postfix/smtpd[31242]: NOQUEUE: reject: RCPT from unknown[84.45.228.40]: 554 5.7.1 ch...@halon.org.uk: Relay access denied; from=ch...@dps.zbmc.eu to=ch...@halon.org.uk proto=ESMTP helo=dps.zbmc.eu
    Nov 16 16:04:20 mws postfix/smtpd[31242]: disconnect from unknown[84.45.228.40]

So why does postfix see the connection as if it comes from 84.45.228.40? It's as if it thinks the connection is from zbmc.eu as opposed to dps.zbmc.eu but everything is set to say I'm sending from dps.zbmc.eu. The command 'host dps.zbmc.eu' returns 'dps.zbmc.eu has address 192.168.1.2' on both dps.zbmc.eu and on mws.zbmc.eu. (Oh, /etc/mailname contains dps.zbmc.eu too)

It connects from 84.45.228.40. Either fix that or add that to mynetworks on mws.zbmc.eu.

Yes, I realise that It connects from 84.45.228.40 but I can find no reason at all *why* the postfix server process on mws.zbmc.eu thinks that the connection is from 84.45.228.40. Wherever I look on my LAN the IP address of dps.zbmc.eu is reported as 192.168.1.2. From the outside world dps.zbmc.eu is non-existent. So where is the postfix on mws.zbmc.eu getting the address 84.45.228.40 for dps.zbmc.eu?

Alternatively (and this seems more likely to me) the postfix on mws.zbmc.eu is seeing the connection come from zbmc.eu for some reason and that *does* resolve to 84.45.228.40. What I'm asking is *why* it's seeing the connection from zbmc.eu even though I have set everything that I can see to say it's dps.zbmc.eu.

If I try 'telnet mws.zbmc.eu 25' from dps.zbmc.eu then sendmail reports 'connect from dps.zbmc.eu[192.168.1.2]' in the mail.log which is what I want. However if I call sendmail (postfix's sendmail) directly on dps.zbmc.eu and send a message to mws.zbmc.eu then it's reported (as noted above) as 'connect from unknown[84.45.228.40]'. So it would seem that the postfix sendmail on dps.zbmc.eu is, for some reason, deciding that it's zbmc.eu/84.45.228.40 for some reason that I can't fathom.

I.e. the question is why the postfix on dps.zbmc.eu thinks it's sending from 84.45.228.40 even though I've set just about everything I can think of in main.cf to tell it that it's dps.zbmc.eu.

-- Chris Green
Re: A question about myorigin, myhostname, etc.
On Tue, Nov 16, 2010 at 12:34:38PM -0500, Wietse Venema wrote: Chris G: Yes, I realise that It connects from 84.45.228.40 but I can find no reason at all *why* the postfix server process on mws.zbmc.eu thinks that the connection is from 84.45.228.40. Because the operating system kernel said so when Postfix asked. Is the issue at the client end or the server end? I.e. is it the postfix/sendmail on dps.zbmc.eu saying that it is actually 84.45.228.40 and not dps.zbmc.eu or is it the postfix server process on mws.zbmc.eu looking up dps.zbmc.eu and getting 84.45.228.40? Do I have something like the problem described here:- http://serverfault.com/questions/144986/postfix-uses-hostname-instead-of-myhostname The question is how do I overcome it, what system calls does Postfix use to get the hostname and why do they differ from what I see when I issue the command 'hostname'? -- Chris Green
Re: A question about myorigin, myhostname, etc.
On Tue, Nov 16, 2010 at 01:13:48PM -0500, Victor Duchovni wrote:

On Tue, Nov 16, 2010 at 06:06:27PM +, Chris G wrote:

On Tue, Nov 16, 2010 at 12:34:38PM -0500, Wietse Venema wrote:

Chris G: Yes, I realise that It connects from 84.45.228.40 but I can find no reason at all *why* the postfix server process on mws.zbmc.eu thinks that the connection is from 84.45.228.40.

Because the operating system kernel said so when Postfix asked.

Is the issue at the client end or the server end?

Neither, there is no issue. The connection came from the reported IP address. The issue is almost certainly just confusion on your part.

Even if I am confused I still want to fix the problem. Either one of my systems is reporting itself as 84.45.228.40 or another one thinks it is receiving mail from that IP address. I want to send mail locally on my LAN with any involvement of 84.45.228.40.

I.e. is it the postfix/sendmail

The Postfix sendmail utility does not engage in any network communications. It just adds a file to the Postfix maildrop queue. It sounds like you have both Postfix and Sendmail on the same systems, and perhaps confused about which MTA is handling which mail.

When I say 'sendmail' I just mean the postfix executable of that name which is used by mutt (among others) to send mail from the system. I have never had 'real' sendmail installed on these systems.

The question is how do I overcome it, what system calls does Postfix use to get the hostname and why do they differ from what I see when I issue the command 'hostname'?

Wrong question. The right question is: - Now that I know that the traffic is coming from the reported IP address, how do I identify the sending client and either allow it to send from that IP or reconfigure it to use a different IP address.

I'm pretty sure I know the client, it's dps.zbmc.eu, and I want to reconfigure it to use a different IP address.. I think that's the question I'm looking for an answer to.

-- Chris Green
Re: A question about myorigin, myhostname, etc.
On Tue, Nov 16, 2010 at 12:27:56PM -0600, Larry Stone wrote: On Tue, 16 Nov 2010, Chris G wrote: Yes, I realise that It connects from 84.45.228.40 but I can find no reason at all *why* the postfix server process on mws.zbmc.eu thinks that the connection is from 84.45.228.40. Because that's where it came from. Wherever I look on my LAN the IP address of dps.zbmc.eu is reported as 192.168.1.2. From the outside world dps.zbmc.eu is non-existent. So where is the postfix on mws.zbmc.eu getting the address 84.45.228.40 for dps.zbmc.eu? Alternatively (and this seems more likely to me) the postfix on mws.zbmc.eu is seeing the connection come from zbmc.eu for some reason and that *does* resolve to 84.45.228.40. What I'm asking is *why* it's seeing the connection from zbmc.eu even though I have set everything that I can see to say it's dps.zbmc.eu. I think you have the relationship reversed. The connection came from 84.45.228.40, not from some hostname. Postfix knows the TCP/IP address the connection comes from and translates that to a hostname for logging and restriction purposes. The way you wrote the above says (at least to me) that you think Postfix gets a hostname and turns that into a TCP/IP address. OK, then what I need to know is why the postfix on 192.168.1.2 is reporting itself (or, to be more correct, the connection reports itself) as being from 84.45.228.40. 84.45.228.40 is the IP of zbmc.eu, there's no system on my LAN which claims to have this IP address. A reverse look-up of 84.45.228.40 gives 84-45-228-40.static.enta.net which is my ISP's ADSL. Looking up zbmc.eu on an outside system returns (as it should) 84.45.228.40. So where is there a system sending this mail which appears to be 84.45.228.40? From what I can see in the logs the mail isn't going out to the outside world and coming back in, it's just going from 192.168.1.2 to 192.168.1.4. -- Chris Green
Re: A question about myorigin, myhostname, etc.
On Tue, Nov 16, 2010 at 01:58:06PM -0500, Victor Duchovni wrote: On Tue, Nov 16, 2010 at 06:50:02PM +, Chris G wrote: So where is there a system sending this mail which appears to be 84.45.228.40? From what I can see in the logs the mail isn't going out to the outside world and coming back in, it's just going from 192.168.1.2 to 192.168.1.4. The best way forward is to accept that reality trumps theory, and that clearly the traffic is addressed exactly as logged. You then need to look on the sending client, which almost certainly is sending to the external IP address of the server, not the internal. This likely hits the NAT box, which helpfully maps the destination address to the server's internal address, and the source address of the client to the external address of the NAT. This is by far the simplest and most likely explanation. So now you need to fix the client's routing logic to not send to the external IP, likely obtained from external DNS, and use a transport table entry or relayhost that resolves to a local IP. For that, you'll need to know what software is doing all the work on the client. Er, it's Postfix isn't it? :-) Or have I misunderstood completely (quite likely!). When I 'telnet mws.zbmc.eu 25' from the client it does connect to mws.zbmc.eu (192.168.1.4) and mws.zbmc.eu reports the connection to be coming from 192.168.1.2 which is dps.zbmc.eu. -- Chris Green
Postfix as TLS client using different credentials for same SMTP host
Hi The situation is thus:- I wish to provide a v6-to-v4 relay for two different domains using the same postfix process. Mail for the domains is hosted by google, so the destination host will be ASPMX.L.GOOGLE.com. for both domains. However, recently my ipv4 provider has blocked outgoing tcp:25 so now I must use tcp:587 using TLS and authentication. The problem is that I need to use two different credentials depending upon the domain for which the message is being relayed. i.e. u...@domain1.example.com - postfix - ASPMX.L.GOOGLE.com. (user: domain1) u...@domain2.example.com - postfix - ASPMX.L.GOOGLE.com. (user: domain2) How do I configure this? Regards, Chris
Re: dnswl doesn't work?
On 8/4/2010 12:13 AM, Ralf Hildebrandt wrote: * Chris St Denisch...@smartt.com: I've setup a dns whitelist from dnswl.org as per the instructions here: http://www.dnswl.org/tech#postfix However I've discovered it doesn't work, because I rejected an email coming from a gmail server that got itself blacklisted by sorbs, but it is on the whitelist. Why is this not working? Wrong filename smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, *check_client_access cidr:/usr/local/etc/postfix/postfix-dnswl-permit,* cidr:/usr/local/etc/postfix/postfix-dnswl-permit server# grep -C 5 '74.125.82.180' /usr/local/etc/postfix/postfix-permit /usr/local/etc/postfix/postfix-permit Thanks, figured it would be something obvious I was missing. Both files actually exist, but postfix-permit is the one being updated. postfix-dnswl-permit was being checked, but was far out of date.
dnswl doesn't work?
I've setup a dns whitelist from dnswl.org as per the instructions here: http://www.dnswl.org/tech#postfix

However I've discovered it doesn't work, because I rejected an email coming from a gmail server that got itself blacklisted by sorbs, but it is on the whitelist. Why is this not working?

Log of email transaction

    Aug 3 14:01:25 server postfix/smtpd[24064]: connect from mail-wy0-f180.google.com[74.125.82.180]
    Aug 3 14:01:26 server postfix/smtpd[24064]: NOQUEUE: reject: RCPT from mail-wy0-f180.google.com[74.125.82.180]: 554 5.7.1 Service unavailable; Client host [74.125.82.180] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?74.125.82.180; from=remo...@gmail.com to=remo...@removed.com proto=ESMTP helo=mail-wy0-f180.google.com
    Aug 3 14:01:26 server postfix/smtpd[24064]: disconnect from mail-wy0-f180.google.com[74.125.82.180]

my restrictions

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        *check_client_access cidr:/usr/local/etc/postfix/postfix-dnswl-permit,*
        reject_rbl_client zen.spamhaus.org,
        *reject_rbl_client dnsbl.sorbs.net,*
        check_policy_service inet:127.0.0.1:10031

    server# grep -C 5 '74.125.82.180' /usr/local/etc/postfix/postfix-permit
    74.125.83.44/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.83.43/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.83.42/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.83.41/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.82.187/32 permit_auth_destination none google.com DNSWLId 1429
    *74.125.82.180/32 permit_auth_destination none google.com DNSWLId 1429*
    74.125.82.174/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.82.173/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.82.172/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.82.69/32 permit_auth_destination none google.com DNSWLId 1429
    74.125.82.65/32 permit_auth_destination none google.com DNSWLId 1429

The destination domain is in my virtual_mailbox_domains, and destination email address in my virtual_mailbox_maps
Spooling mail Question
I am running postfix as a SMTP front-end to my Exchange 2007 system. When Exchange goes down, email is bounced back to the sender as undeliverable. How can I setup postfix to 'spool' email until the backend SMTP server is online? I have enclosed my main.cf, master.cf, and transport configs (at least the non-default ones).

Main.cf:

    default_process_limit = 600
    minimal_backoff_time = 60
    maximal_backoff_time = 240
    queue_minfree = 8000
    smtp_helo_timeout = 20s
    smtp_quit_timeout = 30s
    smtp_mail_timeout = 20s
    smtp_rcpt_timeout = 20s
    smtpd_helo_required = yes
    biff=no
    disable_vrfy_command = yes
    smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
    #   reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
        check_sender_access hash:/usr/local/etc/postfix/sender_checks,
        check_client_access hash:/usr/local/etc/postfix/client_checks,
        check_policy_service inet:127.0.0.1:12525,
    #   check_policy_service inet:127.0.0.1:10023,
        permit
    smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit
    smtpd_error_sleep_time = 5
    smtpd_soft_error_limit = 5
    smtpd_hard_error_limit = 10
    smtpd_junk_command_limit = 10
    smtpd_recipient_overshoot_limit = 100
    maximal_queue_lifetime = 10d
    #
    # Spam Transport
    #
    transport_maps = hash:/usr/local/etc/postfix/transport
    #relay_recipient_maps = hash:/usr/local/etc/postfix/exchange_recipients

Master.cf:

    smtp inet n - n - - smtpd
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o smtpd_proxy_timeout=200
    127.0.0.1:24 unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
    127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=permit_mynetworks
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o maximal_queue_lifetime=10d
        -o strict_rfc821_envelopes=yes

transport:

    ##
    # Exchange Config
    ##
    #company.com smtp:[mail.company.local]
    acme.net smtp:[10.10.10.50]
Re: Blacklisted on Verizon
On 11/11/09 7:55 AM, /dev/rob0 r...@gmx.co.uk wrote:

On Wednesday 11 November 2009 06:14:08 dhottin...@harrisonburg.k12.va.us wrote:

Quoting Stan Hoeppner s...@hardwarefreak.com: You should be concentrating your focus on the Senders by message count section.

Wouldn't the logwatch from the server list top users by emails?

Perhaps, but I missed the part where the OP mentioned that he was using logwatch.

Not using logwatch that I know of.

Nevertheless I fail to see the relevance. Possibly the OP's system is spewing spam, and all the helpful advice given in this thread has gotten the OP not one bit closer to finding the perpetrator and fixing the problem.

No, the advice here has helped with troubleshooting where the spam is coming from or finding the compromised system/script

Senders by message count is ENVELOPE SENDER, in the case of spam, completely useless. If the OP has, as I might guess, a compromised httpd + PHP script, for example, the envelope sender will probably change for EACH spam it sends.

Looking into this now

Absolute rubbish. I will say that pflogsumm.pl is a fine tool, but the suggestion thereof, and this entire thread, has been nothing but a distraction from the work that the OP needs to do immediately. I wrote:

What are some things I should be looking for in the pflogsumm.pl report?

0. Not the summary, look at the actual logs.
1. Find a suspected spam. This will be easy if you start with one that was rejected by Verizon or other operator.
2. Trace that back to where it entered the queue.
3. Apply LART as necessary.
4. Review DEBUG_README.html#mail if questions still exist at this point. You can mung a specific email address if desired, but domain names and IP addresses might be very important.

One step I neglected to mention in my previous post: postfix stop. Your damage increases with every spam you send.

I don't believe this hosting service will want to kill email but will bring it to their attention
Re: Blacklisted on Verizon
On 11/11/09 7:55 AM, /dev/rob0 r...@gmx.co.uk wrote:

Senders by message count is ENVELOPE SENDER, in the case of spam, completely useless. If the OP has, as I might guess, a compromised httpd + PHP script, for example, the envelope sender will probably change for EACH spam it sends.

    /bin/ps ax -eostate,pid,ppid --sort=state 2>/dev/null | grep ^Z

Reveals

    Z 1401 2952
    Z 11675 2952
    Z 20155 2952
    Z 27079 2952

And ps aux | grep *then the pid # reveals:

    500 1401 0.0 0.0 0 0 ? Z 07:09 0:00 [freshclam] <defunct>
    root 18209 0.0 0.0 4048 688 pts/0 R+ 09:29 0:00 grep 1401

All of these pid's are defunct freshclam zombies, it appears.
Blacklisted on Verizon
Hello list! We are being blacklisted every few days from verizon. This is less important right now as I need to find out if/who is sending spam from the email server or if the server is an open relay. I am less inclined to think postfix (which is what we use) is an open relay. More inclined to think someone has gotten an account is sending spam out using the server. What is the best way to find out who/if an account is sending spam from the server? I am trying to gain access to the mail server as we speak but the password I have been given is not working so I can not provide you with the version of postfix or any logs at this moment.
Re: Blacklisted on Verizon
OK, I have gotten access to the mail server and have downloaded pflogsumm.pl. I have followed the readme and chown and chmod. Did not copy the man page. Run perl pflogsumm.pl and nothing happens; it just sits there. I untar'ed the gz file that was downloaded and that made a dir pflogsumm-1.1.1 and I am running pflogsumm.pl inside of that dir. Does it need to be moved to the mail log dir? It doesn't seem so as the readme says to copy to path/to/bin folder.

On 11/10/09 6:33 PM, Justin C. Le Grice mailingli...@legrice.co.nz wrote:

Chris Arnold wrote:

Blacklisted on Verizon

Hello list! We are being blacklisted every few days from verizon. This is less important right now as I need to find out if/who is sending spam from the email server or if the server is an open relay. I am less inclined to think postfix (which is what we use) is an open relay. More inclined to think someone has gotten an account is sending spam out using the server. What is the best way to find out who/if an account is sending spam from the server? I am trying to gain access to the mail server as we speak but the password I have been given is not working so I can not provide you with the version of postfix or any logs at this moment.

Once you do get on, how about loading pflogsumm from http://jimsun.linxnet.com/postfix_contrib.html This will assist you in determining who is sending the most messages. Note: there is a problem of messages being counted twice if you are running Amavis-New spamassassin.

Ciao Justin
Re: Blacklisted on Verizon
OK, nothing stands out from pflogsumm.pl:

Grand Totals

    messages
    15607 received
    15755 delivered
    0 forwarded
    40 deferred (391 deferrals)
    128 bounced
    1115 rejected (6%)
    0 reject warnings
    0 held
    0 discarded (0%)
    685m bytes received
    763m bytes delivered
    6438 senders
    5481 sending hosts/domains
    441 recipients
    182 recipient hosts/domains

Per-Day Traffic Summary

    date         received  delivered  deferred  bounced  rejected
    Nov 9 2009   1         3          1
    Nov 10 2009  15328     15475      390       127      1115
    Nov 11 2009  278       277        0         1

Per-Hour Traffic Daily Average

    time       received  delivered  deferred  bounced  rejected
    -0100      0         0          0         0        0
    0100-0200  0         0          0         0        0
    0200-0300  0         0          0         0        0
    0300-0400  0         0          0         0        0
    0400-0500  0         0          0         0        0
    0500-0600  0         0          0         0        0
    0600-0700  0         0          0         0        0
    0700-0800  0         0          0         0        0
    0800-0900  1         1          0         0        0
    0900-1000  1         1          0         0        0
    1000-1100  1         1          0         0        0
    1100-1200  1         1          0         0        0
    1200-1300  1         1          0         0        0
    1300-1400  1         1          0         0        0
    1400-1500  1         1          0         0        0
    1500-1600  1         1          0         0        0
    1600-1700  1         1          0         0        0
    1700-1800  1         1          0         0        0
    1800-1900  1         1          0         0        0
    1900-2000  1         1          0         0        0
    2000-2100  0         0          0         0        0
    2100-2200  0         0          0         0        0
    2200-2300  0         0          0         0        0
    2300-2400  0         0          0         0        0

Don't want to post the whole pflogsumm file as 1 it is very long and 2 there are some things that don't need to be shared on a mailinglist :) What are some things I should be looking for in the pflogsumm.pl report?

On 11/10/09 8:00 PM, d.h...@yournetplus.com d.h...@yournetplus.com wrote:

Quoting Chris Arnold carn...@electrichendrix.com: OK, I have gotten access to the mail server and have downloaded pflogsumm.pl. I have followed the readme and chown and chmod. Did not copy the man page.

The man page does state if no file(s) are specified, it reads from stdin. Therefore, you need to specify the file or log file to perform the operation on.
Re: Blacklisted on Verizon
On 11/10/09 8:36 PM, Stan Hoeppner s...@hardwarefreak.com wrote: Chris Arnold put forth on 11/10/2009 7:21 PM: Don't want to post the whole pflogsumm file as 1 it is very long and 2 there are somethings that don't need to be shared on a mailinglist :) What are some things I should be looking for in the pflogsumm.pl report? You should be concentrating your focus on the Senders by message count section. That is what I thought (just wanted to make sure) and the high count is 166 so I think I need to move on from someone sending spam from the mail server.
Re: Blacklisted on Verizon
On 11/10/09 8:58 PM, /dev/rob0 r...@gmx.co.uk wrote:

On Tuesday 10 November 2009 19:21:04 Chris Arnold wrote:

OK, nothing stands out from pflogsumm.pl:

Nothing?

Per-Day Traffic Summary

    date         received  delivered  deferred  bounced  rejected
    Nov 9 2009   1         3          1
    Nov 10 2009  15328     15475      390       127      1115

Wouldn't you say that's a bit of an increase from the previous day? Perhaps significant?

That is not a true reading. Must be where the log got logrotated.

What are some things I should be looking for in the pflogsumm.pl report?

0. Not the summary, look at the actual logs.
1. Find a suspected spam. This will be easy if you start with one that was rejected by Verizon or other operator.
2. Trace that back to where it entered the queue.
3. Apply LART as necessary.
4. Review DEBUG_README.html#mail if questions still exist at this point. You can mung a specific email address if desired, but domain names and IP addresses might be very important.

Trying to get one of those rejected emails now.
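Steps 1 and 2 of the list quoted above (find a message another operator refused, then trace it back to where it entered the queue) come down to grouping log lines on the Postfix queue ID. The following is an added example, not code from this thread: the log lines are constructed, the function names are hypothetical, and it assumes short hexadecimal queue IDs and the usual smtpd, pickup and smtp log line shapes.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format; every host, user and ID is made up.
SAMPLE_LOG = """\
Nov 10 09:12:01 mail postfix/pickup[2101]: 3F2A11C0A1: uid=48 from=<qx71@example.org>
Nov 10 09:12:01 mail postfix/qmgr[1200]: 3F2A11C0A1: from=<qx71@example.org>, size=2301, nrcpt=1 (queue active)
Nov 10 09:12:03 mail postfix/smtp[2105]: 3F2A11C0A1: to=<a@isp.example>, relay=mx.isp.example[192.0.2.10]:25, delay=2, status=bounced (host mx.isp.example[192.0.2.10] said: 571 blocked)
Nov 10 09:12:04 mail postfix/pickup[2101]: 4A7B21C0A2: uid=48 from=<zz09@example.net>
Nov 10 09:12:06 mail postfix/smtp[2105]: 4A7B21C0A2: to=<b@isp.example>, relay=mx.isp.example[192.0.2.10]:25, delay=2, status=bounced (host mx.isp.example[192.0.2.10] said: 571 blocked)
Nov 10 09:13:10 mail postfix/smtpd[2110]: 5C1D31C0A3: client=pc7.office.example[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Nov 10 09:13:12 mail postfix/smtp[2105]: 5C1D31C0A3: to=<c@isp.example>, relay=mx.isp.example[192.0.2.10]:25, delay=1, status=sent (250 ok)
Nov 10 09:14:00 mail postfix/smtpd[2111]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Relay access denied
"""

# "<daemon>[pid]: <QUEUEID>: <rest>"; assumes short (hexadecimal) queue IDs.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")
# smtpd logs the network client, plus the SASL login when one was used.
CLIENT = re.compile(r"client=(\S+?)\[([^\]]+)\](?:.*sasl_username=(\S+))?")
# pickup logs the local uid that ran the sendmail command (cron, scripts, web apps).
PICKUP = re.compile(r"uid=(\d+) from=<([^>]*)>")
# Delivery agents log the recipient, the next hop and the outcome.
DELIVERY = re.compile(r"to=<([^>]*)>,.*?relay=([^,]+),.*status=(\w+) \((.*)\)")
DELIVERY_AGENTS = {"smtp", "lmtp", "local", "virtual", "pipe", "error"}


def parse(log_text):
    """Group log lines by queue ID and record how each message entered the queue."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect lines, NOQUEUE rejects, warnings
        daemon, qid, rest = m.groups()
        rec = msgs.setdefault(qid, {"origin": None, "deliveries": []})
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            host, ip, user = c.groups()
            rec["origin"] = f"sasl:{user}@{ip}" if user else f"smtp-client:{host}[{ip}]"
        elif daemon == "pickup" and (p := PICKUP.search(rest)):
            rec["origin"] = f"local-uid:{p.group(1)}"
        elif daemon in DELIVERY_AGENTS and (d := DELIVERY.search(rest)):
            rec["deliveries"].append(d.groups())
    return msgs


def trace_refused(msgs, relay_substr, statuses=("bounced", "deferred")):
    """Return (queue_id, origin, recipient, reply) for refused deliveries to a relay."""
    hits = []
    for qid, rec in msgs.items():
        for rcpt, relay, status, reply in rec["deliveries"]:
            if status in statuses and relay_substr in relay:
                hits.append((qid, rec["origin"], rcpt, reply))
    return hits


def origins_by_volume(hits):
    """Count refused messages per entry point, largest first."""
    return Counter(origin for _, origin, _, _ in hits).most_common()


if __name__ == "__main__":
    for origin, count in origins_by_volume(trace_refused(parse(SAMPLE_LOG), "isp.example")):
        print(f"{count:5d}  {origin}")
```

An origin of `local-uid:N` means the message was submitted on the server itself through the sendmail command, so the next lookup is which account owns that uid; a `sasl:` origin points at one authenticated mailbox.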
Re: OT: Supply Missing text/plain MIME part?
On Wed, 28 Oct 2009 14:38:12 -0500 Noel Jones njo...@megan.vbhcs.org wrote:

I say put on your somber face and agree that Hotmal is goofed up, hope they fix it soon.

My experience with Hotmail and other major web mail vendors is that they are too busy finding new and innovative ways to break email interconnectivity to persist in any individual strategy for a significant period of time.

That said, I seem to recall that providing a text/plain part for all mail is best practice for M*U*As. If you want to enforce this at the M*T*A level then I doubt there is an off the shelf solution. So that you know what's involved...

You'll need Lynx 2.8.6+ for HTML dump with -nomargins and -notitle switches, path/lynx -dump -stdin -nolist -nomargins -notitle.

You have to walk the MIME structure of the message to determine that there is a text/html part that does not have a corresponding text/plain part, decode and render the text/html part, build a text/plain part, build a multipart/alternative mime section and insert it into the mail message in place of the text/HTML part.

An object-oriented library may manage MIME boundaries for you, but most scripting languages will let you handle that little detail yourself. Identifying MIME boundaries with a regex is non-trivial in practice. Python mimelib is adequate, but I find the load time for the Python interpreter to be prohibitive for mail filters, so that approach leads you into scope creep with time spent building an SMTP relay or worse. I have something that appears to work with the TRE regex library in CRM-114. The top Google result for perl mime parser describes MIME::Parser as an experimental class for parsing MIME streams. Overall, not a promising lot.

Chris
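The MIME walk described in the message above, as an added Python example that is not the poster's CRM-114 filter: it finds each text/html body part with no text/plain sibling and wraps it in a multipart/alternative with a generated plain part first. It uses the standard library `email` package, and a small `html.parser` text dump stands in for `lynx -dump` so the example runs offline; both substitutions, the function names and the sample message are assumptions.

```python
from email import message_from_string, policy
from email.message import MIMEPart
from html.parser import HTMLParser

# Constructed sample: an HTML-only body plus an HTML attachment that must stay untouched.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><head><title>t</title><style>p{color:red}</style></head>
<body><p>Hello <b>world</b></p><p>Second &amp; last</p></body></html>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="report.html"

<p>attached</p>
--b1--
"""


class _TextDump(HTMLParser):
    """Collect visible text; stand-in for 'lynx -dump -nolist -notitle'."""
    BLOCK = {"p", "br", "div", "li", "tr", "h1", "h2", "h3", "h4", "h5", "h6"}
    SKIP = {"script", "style", "head", "title"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip += 1
        elif tag in self.BLOCK:
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip:
            self.skip -= 1
        elif tag in self.BLOCK:
            self.out.append("\n")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)


def html_to_text(html):
    """Render HTML to plain text, one non-empty line per block element."""
    dump = _TextDump()
    dump.feed(html)
    dump.close()
    lines = (" ".join(line.split()) for line in "".join(dump.out).splitlines())
    return "\n".join(line for line in lines if line) + "\n"


def _plain_part(html):
    part = MIMEPart()
    part.set_content(html_to_text(html))  # text/plain; charset="utf-8"
    return part


def add_plain_alternatives(msg):
    """Give every text/html body part a text/plain sibling; return how many were added."""
    ctype = msg.get_content_type()
    if not msg.is_multipart():
        if ctype != "text/html" or msg.is_attachment():
            return 0
        html = msg.get_content()
        msg.make_alternative()  # moves the html into a new first subpart
        msg.get_payload().insert(0, _plain_part(html))  # least-preferred part goes first
        return 1
    children = list(msg.iter_parts())
    if ctype == "multipart/alternative":
        kinds = [c.get_content_type() for c in children]
        if "text/plain" in kinds:
            return 0  # already has its text/plain counterpart
        if "text/html" in kinds:
            html = children[kinds.index("text/html")].get_content()
            msg.get_payload().insert(0, _plain_part(html))
            return 1
    return sum(add_plain_alternatives(c) for c in children)


if __name__ == "__main__":
    message = message_from_string(SAMPLE, policy=policy.default)
    print(add_plain_alternatives(message), "part(s) added")
    print(message.as_string())
```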
RE: Postfix Sender Verify
Hi Ralf

Here's the output from 'postconf -n', we have the Sender Verify disabled currently while we get the address_verify_sender configured.

    address_verify_map = btree:/etc/postfix/verified_senders
    address_verify_negative_cache = no
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_at_myorigin = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    local_recipient_maps =
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, $mydomain
    mydomain = domain.co.uk
    myhostname = spam.domain.co.uk
    mynetworks_style = host
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    relay_domains = domain.co.uk
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    show_user_unknown_table_name = no
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname, permit
    smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, permit
    smtpd_sender_restrictions = permit_mynetworks,reject_unknown_sender_domain, permit
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550

Thanks
Chris

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ralf Hildebrandt
Sent: 21 October 2009 12:04 PM
To: postfix-users@postfix.org
Subject: Re: Postfix Sender Verify

This message was received from outside of the company.

* Postflick chris.im...@abeta.co.uk:

Hi Ralf Where would these parameters be configured.

It's hard to tell, it depends on other settings!

I have not told it to use postmaster, however, using postconf, it does return that as the address;

    u...@spam {uk} [11:56:26] /etc/postfix: postconf -d address_verify_sender
    address_verify_sender = postmaster

-d displays the default - always! please show postconf -n output.

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de

The information contained in this email is confidential. It is intended only for the stated addressee(s) and access to it by any other person is unauthorised. If you are not an addressee, you must not disclose, copy, circulate or in any other way use or rely on the information contained in this email. Such unauthorised use may be unlawful. If you have received this email in error, please inform the sender immediately and delete it and all copies from your system. Any views or opinions expressed are solely those of the author and do not necessarily represent those of A Bet A Technology Ltd. A Bet A Technology Ltd is registered in England and Wales number 2458671. Registered office: 5 Lenten Street, Alton, Hampshire, GU34 1HG, United Kingdom.
RE: Postfix Sender Verify
Hi Ralf

Your help is much appreciated, I have modified the local_recipient_maps, and have modified the mydestination to omit the $mydomain as that was an error on my part. The implementation of;

    Address_verify_sender = postmas...@domain.co.uk

Has worked correctly, and we're now verifying emails as they come in.

Kind Regards
Chris

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ralf Hildebrandt
Sent: 21 October 2009 12:23 PM
To: postfix-users@postfix.org
Subject: Re: Postfix Sender Verify

* Chris Imrie chris.im...@abeta.co.uk:

Hi Ralf Here's the output from 'postconf -n', we have the Sender Verify disabled currently while we get the address_verify_sender configured.

    address_verify_map = btree:/etc/postfix/verified_senders
    address_verify_negative_cache = no
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_at_myorigin = no

^ there's your problem

    inet_interfaces = all

default

    local_recipient_maps =

sure?

    mydestination = $myhostname, localhost.$mydomain, $mydomain
    mydomain = domain.co.uk
    myhostname = spam.domain.co.uk
    relay_domains = domain.co.uk

That makes no sense. Is domain.co.uk relay_domain or mydestination? Decide!

The solution is:

    address_verify_sender = postmas...@domain.co.uk

-- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
RE: Postfix Sender Verify
Hi Charles

It checks to verify the sender once, then caches the result in a database, so mail servers aren't hassled more than once per email address verification.

Regards
Chris

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Charles Marcus
Sent: 21 October 2009 04:43 PM
To: Chris Imrie
Cc: postfix-users@postfix.org
Subject: Re: Postfix Sender Verify

On 10/21/2009, Chris Imrie (chris.im...@abeta.co.uk) wrote:

Has worked correctly, and we're now verifying emails as they come in.

Hopefully you aren't doing this for all mail? If so, you will very likely end up being on different blacklists for abusing other people's servers, especially if you are doing this for inbound spam.

-- Best regards, Charles
Re: Using unix domain socket to send mail?
Are there any non-internet, unix domain socket(s) which can be used to send mail to the smtp daemon? i.e. is there any *documented* way to give mail to postfix for remote delivery that doesn't involve the tcp/ip stack (other than the sendmail binary).

http://www.postfix.org/master.5.html

The above tells you what you need to know to configure an smtpd service on a unix domain socket. Before you do that, however, you may want to try implementing delivering mail using SMTP over a service you have already configured. This will allow you to debug your SMTP dialog before implementing it over a socket connection. If you are sending mail from a shell script, socat includes an example.

The TCP/IP protocol stack is a very small part of the delay involved in using the sendmail compatibility interface. You may find that connecting to an existing smtp service solves your performance problems or that there are other optimizations that would have a better return for your time - particularly if the same message payload is being delivered to multiple recipients.

Chris
Re: How to block spammers appearing as local users?
On Tue, 01 Sep 2009 22:30:48 +0200 Benny Pedersen m...@junc.org wrote: On tir 01 sep 2009 02:20:26 CEST, LuKreme wrote On 31-Aug-2009, at 08:07, nunatarsuaq wrote: Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5] Why are you accepting mail from an obvious DHCP address? who says this ip is dynamic, just because the hostname looks like it is? it would have been wonderful if it was that easy I can tell from looking at it that it's not only a dynamic IP address, but that the hostname was originally configured for dialup, but that's not to say that I would want to try to maintain a regex filter. That's what PBL is for: http://www.spamhaus.org/pbl/index.lasso All that's being said here is to use the standard tools first. Breaking protocol isn't clever. We have enough annoyances as mail administrators with the large operations that knowingly do aggravating things without providing tech support for those who try to be clever without the payroll to handle the problems they cause themselves. Do you honestly think that you're the first one to think of this 'solution' to this class of spam? Chris
Sendmail interface questions
Hi, I'm hoping to obtain some confirmation on the data format the sendmail interface expects. I am under the impression that as a *NIX program it will expect emails using LF for new lines as opposed to the SMTP standard of CRLF. How does this apply to line folding? Does Postfix then expect LFWSP as opposed to CRLFWSP? In my testing Postfix seemed fairly tolerant, whereas other people have not seen it be so forgiving. I'd like to confirm what the proper format is and, if anyone knows, does this apply across the board to other mailers? (I appreciate that is slightly off topic) Thanks in advance. Regards, Chris -- Chris Smith
Re: Sendmail interface questions
Wietse Venema wrote: The Postfix sendmail command expects a PRE-FORMATTED message. The result of ill-formatted messages is undefined (garbage in, garbage out). Yeah that's certainly what I would expect. The format should be consistent with RFC 5322 (RFC 2822, RFC 822) and with MIME if applicable. Text is expected to be in native UNIX stream-LF format. Exactly what my thoughts were on the subject, how about folding of headers they should be folded with LF-WSP as opposed to CRLF-WSP? Regards, Chris -- Chris Smith
Re: Sendmail interface questions
Wietse Venema wrote: Chris Smith: Wietse Venema wrote: The format should be consistent with RFC 5322 (RFC 2822, RFC 822) and with MIME if applicable. Text is expected to be in native UNIX stream-LF format. Exactly what my thoughts were on the subject, how about folding of headers they should be folded with LF-WSP as opposed to CRLF-WSP? At the risk of repeating myself, text is expected to be in native UNIX stream-LF format. Apologies, I just wanted that fact confirmed explicitly. I've got my answer now however, thanks. Regards, Chris -- Chris Smith
OT - Re: Wildcard certs - why only one level deep?
On Fri, 07 Aug 2009 21:28:58 -0400 Jorey Bump l...@joreybump.com wrote: I understand that wildcard certs can be considered a security risk, but is the risk really much greater if it includes a longer hostname? *.com Here's a better example. I might be willing to have my server say, Yes, that's me to this name: southamericadip.asciiking.com But not this one: guns.southamericadip.asciiking.com If I make a delegation in DNS to the person running South America Diplomacy, however, I don't have any further control over downstream consumers of the subdomain. Someone who behaves perfectly well on my server might be an exceedingly poor judge of character. Without limiting the depth of the certificate, I would have no way to accept a TLS connection as the first without being open to the second. I love waking up to a subpoena, don't you? :-) Chris Babcock
Re: is there any way of distinguishing the bcc copy from the original?
On Sat, 08 Aug 2009 11:24:55 +0200 Per Jessen p...@computer.org wrote: I'd like to treat the original and the bcc copy slightly different based on their content. Basically: a) original: if headerX matches condition1, override transport to divert email. b) bcc-copy: if headerX matches condition2, override transport to discard email. The only way to know that a message was sent BCC is if the envelope recipient isn't listed in the headers. Do that and you discard all the mail that comes from properly configured mailing lists and undisclosed recipient headers. Filter after address rewriting and you lose a whole lot more mail than that. How about the root issue? You either got an always BCC configured that you don't want or a specific class of Spam that can probably be handled in a better way. Which is it? Chris
Wildcard certs - why only one level deep?
Hi all, In testing (and by reading the archives) I have found that postfix only supports one level of wildcard SSL certificates. That is to say, I can get a certificate for *.example.com that will match host1.example.com and host2.example.com, but won't match mail.host1.example.com or mail.host2.example.com. Is there a particular reason behind this implementation, and is there any way to work around it? I understand that wildcard certs can be considered a security risk, but is the risk really much greater if it includes a longer hostname? Thanks for your time! Chris Simmons
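The one-label rule described in this thread, written out as an added example (not Postfix's own code and not part of any post above). The function names and the `multi_label` switch are hypothetical; the switch models the relaxed matching the question asks about, so the two behaviours can be compared on the hostnames mentioned in the thread.

```python
def labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(pattern, hostname, multi_label=False):
    """Return True if certificate name `pattern` covers `hostname`.

    multi_label=False: '*' stands for exactly one leftmost label, the
    behaviour reported in the thread. multi_label=True is a hypothetical
    relaxed mode in which '*' may also stand for several labels.
    """
    pat, host = labels(pattern), labels(hostname)
    if "" in pat or "" in host:
        return False                       # empty label: malformed name
    if pat[0] != "*":
        # Literal name; partial wildcards such as 'f*.example.com' are refused.
        return "*" not in pattern and pat == host
    suffix = pat[1:]
    if not suffix or "*" in ".".join(suffix):
        return False                       # bare '*' or a second wildcard
    if len(host) <= len(suffix) or host[-len(suffix):] != suffix:
        return False                       # '*' must absorb at least one label
    absorbed = len(host) - len(suffix)     # labels the wildcard has to cover
    return absorbed == 1 or multi_label


def cert_covers(cert_names, hostname, multi_label=False):
    """Return the certificate names that cover `hostname`."""
    return [n for n in cert_names if name_matches(n, hostname, multi_label)]


def extra_exposure(cert_names, hostnames):
    """Hostnames accepted only when '*' is allowed to span several labels."""
    return [h for h in hostnames
            if cert_covers(cert_names, h, multi_label=True)
            and not cert_covers(cert_names, h)]


# Hostnames taken from the messages in this thread.
THREAD_HOSTS = [
    "host1.example.com",
    "mail.host1.example.com",
    "southamericadip.asciiking.com",
    "guns.southamericadip.asciiking.com",
]

if __name__ == "__main__":
    for cert in (["*.example.com"], ["*.asciiking.com"]):
        for host in THREAD_HOSTS:
            strict = bool(cert_covers(cert, host))
            relaxed = bool(cert_covers(cert, host, multi_label=True))
            print(f"{cert[0]:18} {host:38} one-label={strict} multi-label={relaxed}")
        print("only accepted when relaxed:", extra_exposure(cert, THREAD_HOSTS))
```

With one-label matching the holder of `*.asciiking.com` vouches only for names directly under the domain; the relaxed mode would also vouch for names inside a delegated subdomain.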
Milter Reject on Yahoo Mail
Just before the fourth of July weekend, Yahoo made some changes with their mail configuration, at which point my postscript install started rejecting Yahoo and BTI mail as follows:

# grep B74659480C9: /var/log/maillog
Jul 12 15:09:23 cl-t090-563cl postfix-ak/smtpd[14148]: B74659480C9: client=web37601.mail.mud.yahoo.com[209.191.87.84]
Jul 12 15:09:23 cl-t090-563cl postfix-ak/cleanup[14153]: B74659480C9: message-id=142228.84776...@web37601.mail.mud.yahoo.com
Jul 12 15:09:23 cl-t090-563cl dkim-filter[1918]: B74659480C9: syntax error: syntax error in policy data
Jul 12 15:09:23 cl-t090-563cl postfix-ak/cleanup[14153]: B74659480C9: milter-reject: END-OF-MESSAGE from web37601.mail.mud.yahoo.com[209.191.87.84]: 5.7.1 Command rejected; from=swift2plun...@yahoo.com to=u...@asciiking.com proto=SMTP helo=web37601.mail.mud.yahoo.com

This is my configuration:

# postconf -n -c /etc/postfix-asciiking
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix-worldmasters /etc/postfix-notaduck /etc/postfix-asciiking /etc/postfix-classicalacupunctureone /etc/postfix
config_directory = /etc/postfix-asciiking
inet_interfaces = 70.38.5.65
milter_default_action = accept
mydestination = localhost.$mydomain localhost
mydomain = asciiking.com
myhostname = $mydomain
mynetworks = 127.0.0.0/8 70.38.5.64/29
myorigin = $mydomain
owner_request_special = no
queue_directory = /var/spool/postfix-asciiking
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP Chris Babcock 602-859-1689
smtpd_client_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain permit_mynetworks reject_unauth_destination reject_multi_recipient_bounce reject_non_fqdn_hostname reject_invalid_hostname
smtpd_helo_required = yes
syslog_name = postfix-ak
transport_maps = hash:/etc/postfix-asciiking/transport
unknown_local_recipient_reject_code = 450
virtual_alias_domains = asciiking.com, members.asciiking.com
virtual_alias_maps = hash:/etc/postfix-asciiking/virtual

These are commented out of my main.cf to allow Yahoo mail through:

#smtpd_milters = unix:/var/run/dkim-milter/dkim.sock
#non_smtpd_milters = unix:/var/run/dkim-milter/dkim.sock

I need to be sure that syntax error: syntax error in policy data means the policy data that is being supplied by Yahoo, i.e. their public keys or the syntax of their DKIM record, and that milter_default_action = accept rules out any possibility that a bug in my Postfix or milter configuration was exposed by the Yahoo changes. Chris
SOLVED (Probably) Re: Milter Reject on Yahoo Mail
On Sun, 12 Jul 2009 15:12:24 -0500 Noel Jones njo...@megan.vbhcs.org wrote: Yes, the message was rejected by your DKIM policy action. The postfix default_milter_action only triggers when the milter cannot be contacted. If you want to accept mail that fails DKIM, see the dkim-filter documentation. I sent a message to a verifier, which provided this helpful clue: Please note that the DKIM filter signing this reply message conforms to the latest IETF draft version, and thus may not be successfully verified by older implementations. Thank you all, Chris
Logging sender recipient pairs
Hi All, I'm attempting to come up with a better solution for detecting email customers who attempt to send email campaigns using my mail servers. I'd like to find a way to have postfix log the sender and recipient addresses into a flat file, as well as the message id and timestamp. The idea is to count the number of envelope recipients to determine who's sending to lots of people. If someone goes over 500 per day, flag them as suspicious and alert me. Postfix already logs part of this in syslog but the recipient list is truncated or split up between multiple syslog messages. It's not easily usable directly from syslog in its current form. Anyone do anything like this yet? Have any suggestions or alternative ways of doing this? -Chris
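One way to get the sender/recipient pairs the post above asks for, added here as an example and not taken from the thread: join the `from=` line that qmgr logs with the per-recipient `to=` lines on the queue ID, then count per sender and day. The sample log is constructed, and the function names and the tab-separated record layout are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the usual Postfix syslog layout (not from a real system).
# Queue ID A1B2C3D4E5 has one deferred recipient that is retried later; after
# "removed" the same queue ID is reused by a different message.
SAMPLE_LOG = """\
Sep  1 10:00:01 mx1 postfix/qmgr[900]: A1B2C3D4E5: from=<news@customer-a.example>, size=2100, nrcpt=3 (queue active)
Sep  1 10:00:02 mx1 postfix/smtp[901]: A1B2C3D4E5: to=<u1@dest.example>, relay=mx.dest.example[192.0.2.10]:25, delay=1, dsn=2.0.0, status=sent (250 ok)
Sep  1 10:00:02 mx1 postfix/smtp[901]: A1B2C3D4E5: to=<u2@dest.example>, relay=mx.dest.example[192.0.2.10]:25, delay=1, dsn=4.2.2, status=deferred (mailbox full)
Sep  1 10:00:03 mx1 postfix/smtp[902]: A1B2C3D4E5: to=<u3@other.example>, relay=mx.other.example[192.0.2.20]:25, delay=2, dsn=2.0.0, status=sent (250 ok)
Sep  1 10:30:00 mx1 postfix/qmgr[900]: A1B2C3D4E5: from=<news@customer-a.example>, size=2100, nrcpt=3 (queue active)
Sep  1 10:30:01 mx1 postfix/smtp[903]: A1B2C3D4E5: to=<u2@dest.example>, relay=mx.dest.example[192.0.2.10]:25, delay=1801, dsn=2.0.0, status=sent (250 ok)
Sep  1 10:30:01 mx1 postfix/qmgr[900]: A1B2C3D4E5: removed
Sep  1 11:00:00 mx1 postfix/qmgr[900]: A1B2C3D4E5: from=<bob@customer-b.example>, size=800, nrcpt=1 (queue active)
Sep  1 11:00:01 mx1 postfix/smtp[904]: A1B2C3D4E5: to=<u1@dest.example>, relay=mx.dest.example[192.0.2.10]:25, delay=1, dsn=2.0.0, status=sent (250 ok)
Sep  1 11:00:01 mx1 postfix/qmgr[900]: A1B2C3D4E5: removed
""".splitlines()

# "postfix[^/\s]*" also accepts a custom syslog_name such as "postfix-ak".
LINE = re.compile(r"^(?P<day>\w{3}\s+\d+) (?P<time>[\d:]+) \S+ "
                  r"postfix[^/\s]*/[\w-]+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
FROM = re.compile(r"from=<?([^>,\s]*)>?, size=\d+, nrcpt=\d+")
TO = re.compile(r"to=<?([^>,\s]+)>?,")


def sender_recipient_pairs(lines):
    """Yield (day, time, queue_id, sender, recipient), once per recipient."""
    sender = {}                  # queue ID -> envelope sender
    seen = defaultdict(set)      # queue ID -> recipients already reported
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if rest == "removed":    # message gone: the queue ID may be reused
            sender.pop(qid, None)
            seen.pop(qid, None)
            continue
        f = FROM.match(rest)
        if f:                    # logged again on every retry, keep the first
            sender.setdefault(qid, f[1].lower() or "<>")
            continue
        t = TO.match(rest)
        if t and qid in sender:
            rcpt = t[1].lower()
            if rcpt not in seen[qid]:          # retries repeat the to= line
                seen[qid].add(rcpt)
                yield (" ".join(m["day"].split()), m["time"], qid, sender[qid], rcpt)


def format_record(pair):
    """One flat-file line: day, time, queue ID, sender, recipient."""
    return "\t".join(pair)


def heavy_senders(lines, limit=500):
    """Return {(day, sender): recipients} for senders over `limit` per day."""
    counts = Counter((day, snd) for day, _t, _q, snd, _r in sender_recipient_pairs(lines))
    return {key: n for key, n in counts.items() if n > limit}


if __name__ == "__main__":
    for pair in sender_recipient_pairs(SAMPLE_LOG):
        print(format_record(pair))
    print(heavy_senders(SAMPLE_LOG, limit=2))
```

The recipient addresses are the ones on the delivery log lines, so they reflect any address rewriting or alias expansion done before delivery.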
OT - Re: Strategies to Prevent Abuse in Bulk-Mailing?
There are various band-aid approaches, like running the outbound mail through spamassassin and HOLDing the spammy mail, however this may or may not catch what you want, since even SpamAssassin has no idea if the user actually wanted the mail or not. Yes, we already do that, and more. In fact, I'm not that worried because of the contents of the emails, I'm mostly worried because sending emails to more than 500 people in the recipient list is not very polite, and can trigger undesired actions. People sometimes have poorly designed web pages with a not-too good php emailing code. For instance. I'd like to find a way (maybe through some header checks in outgoing email) so if it detects a large amount of recipients it triggers actions such as: 1.- Adding the 'Precedence: bulk' header field 2.- Clean the message for non-valid characters 3.- If a non-valid sender address is detected, block the sending (for instance, someone may send bulk-email with a From: www...@ispdomain.com (the apache user) 4.- If the recipient list has invalid recipient domains block the whole sending. 5.- Of course, any modification of the email should be done before doing the dk/dkim signing, which we already do. Can this be (totally or partially) done? The question you are asking is whether it is possible to implement a flawed security model with toolset X, where toolset X includes Postfix along with assorted deployment recipes and milter applications. The long and the short of it is that there absolutely are tools that will allow you to do that, but there isn't support for that approach to the problem because of the fundamental flaws. You've described an allow, then deny scenario for filtering outbound mail from untrusted users on your network. The reality behind this security model is that the untrusted users will constantly be inventing new ways to abuse your resources, including your IP address space. The alternative is the deny, then allow model. 
Here you stop all traffic and make sure it conforms to specific guidelines before you relay it outside the network. The difference is, instead of having a list of *don't* rules, you have a list of *do* rules. It's inconvenient, intrusive and your definitions might still permit undesirable content. The simple solution is to separate your mail streams. Content you control should not be going out over the same IP addresses that send content you do not control. Use a different, preferably non-adjacent, block if possible. You should probably do that to your marketing department, too. :-) You still need to work to protect your customers from each other. Ideally, each customer should be individually accountable for their sender reputation. If your business model doesn't support that then you could give each customer a different internal interface and establish your own reputation metrics as a basis for routing their mail to your Internet-facing mail servers, in effect creating a risk pool for mail senders. It's still expensive and sub-optimal, but it's not entirely doomed. More importantly, it's a path toward the re-evaluation of the business model. Chris Babcock
Relaying to DNAMail Exchange Server with SASL
I'm having an issue relaying to DNAMail Exchange Server with SASL. I'm receiving the following error, despite being very confident I have the correct credentials:

535 5.7.3 Authentication unsuccessful

$ postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
debug_peer_list = smtpauth.exchangecarrier.net
html_directory = /usr/share/doc/postfix-2.3.6/html
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 1024
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10240
myhostname = DOMAIN.COM
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.6/readme
relayhost = smtpauth.exchangecarrier.net:587
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noplaintext
unknown_local_recipient_reject_code = 550

I've run the required postmap command:

$ sudo postmap /etc/postfix/sasl/sasl_passwd

So I have the following in my sasl directory:

/etc/postfix/sasl/sasl_passwd
/etc/postfix/sasl/sasl_passwd.db

I've attached a debug level #2 logfile and saslfinger output. I sincerely appreciate any help. -Chris

Jul 4 12:54:34 psico postfix/pickup[31099]: 77F901D0F70: uid=500 from=n...@domain.com
Jul 4 12:54:34 psico postfix/cleanup[31114]: 77F901D0F70: message-id=20090704165434.gb30...@domain.com
Jul 4 12:54:34 psico postfix/qmgr[31101]: 77F901D0F70: from=n...@domain.com, size=511, nrcpt=1 (queue active)
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 220 owa1.exchangecarrier.net Microsoft ESMTP MAIL Service ready at Sat, 4 Jul 2009 09:57:10 -0700
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: EHLO SUB.DOMAIN.COM
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-owa1.exchangecarrier.net Hello [76.124.109.32]
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-SIZE 52428800
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-PIPELINING
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-DSN
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-ENHANCEDSTATUSCODES
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-STARTTLS
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-AUTH GSSAPI NTLM
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-8BITMIME
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-BINARYMIME
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250 CHUNKING
Jul 4 12:54:34 psico postfix/smtp[31120]: server features: 0x903f size 52428800
Jul 4 12:54:34 psico postfix/smtp[31120]: Using ESMTP PIPELINING, TCP send buffer size is 4096
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: STARTTLS
Jul 4 12:54:34 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 220 2.0.0 SMTP server ready
Jul 4 12:54:34 psico postfix/smtp[31120]: send attr request = seed
Jul 4 12:54:34 psico postfix/smtp[31120]: send attr size = 32
Jul 4 12:54:34 psico postfix/smtp[31120]: private/tlsmgr: wanted attribute: status
Jul 4 12:54:34 psico postfix/smtp[31120]: input attribute name: status
Jul 4 12:54:34 psico postfix/smtp[31120]: input attribute value: 0
Jul 4 12:54:34 psico postfix/smtp[31120]: private/tlsmgr: wanted attribute: seed
Jul 4 12:54:34 psico postfix/smtp[31120]: input attribute name: seed
Jul 4 12:54:34 psico postfix/smtp[31120]: input attribute value: DHF4WWbzKiBSCMdYx7JqVL6c0FGuJOkNeZqGJpTK2C4=
Jul 4 12:54:34 psico postfix/smtp[31120]: private/tlsmgr: wanted attribute: (list terminator)
Jul 4 12:54:34 psico postfix/smtp[31120]: input attribute name: (end)
Jul 4 12:54:34 psico postfix/smtp[31120]: certificate verification failed for smtpauth.exchangecarrier.net[208.127.0.5]:587: untrusted issuer /CN=owa1.exchangecarrier.net
Jul 4 12:54:35 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: EHLO SUB.DOMAIN.COM
Jul 4 12:54:35 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-owa1.exchangecarrier.net Hello [76.124.109.32]
Jul 4 12:54:35 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-SIZE 52428800
Jul 4 12:54:35 psico postfix/smtp[31120]: smtpauth.exchangecarrier.net[208.127.0.5]:587: 250-PIPELINING
Jul 4 12:54:35 psico postfix/smtp[31120
Re: backscatter
On Fri, 03 Jul 2009 22:35:11 -0400 Andrew Thompson andre...@aktzero.com wrote: Other than hanging around and possibly multiplying in mail queues, what is the hate for backscatter founded in? Isn't this one of those things you're going to have to deal with if you run a mail server? More to the point, is there *any* valid reason to blame Postfix for any particular flavor of backscatter? I see nothing but constant affirmation of best practices in the design of and support for Postfix. Even someone who runs a hobby server like I do with ~1000 mails a day can run a safe mail server with a reasonable effort thanks to this resource. Don't feed the troll, but do tell me if there is any backscatter source typical of a Postfix install that I might need to watch for. Speaking as someone who runs an application that generates automated mail (a play by email game server), I'm grateful for returned mail and I take care to make sure that it goes someplace where it can be used to stop the sorcerer's apprentice from making more brooms. I hate it when providers don't notify me when they won't deliver mail because it doesn't give me a chance to fix the problem. Chris Babcock http://usak.asciiking.com
How can I get Postfix to store forward?
I have a Centos 5.3 box running Postfix 2.3.3. It is set up to run incoming emails thru Policyd-Weight, Amavisd, then forward to my exchange server. If the Exchange server goes offline, the linux box will bounce all incoming emails as undeliverable. How can I set up Postfix so that it queues those emails, then delivers them when Exchange is back online?

-- main.cf changes --
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
default_process_limit = 600
minimal_backoff_time = 60
maximal_backoff_time = 240
queue_minfree = 8000
smtp_helo_timeout = 20s
smtp_quit_timeout = 30s
smtp_mail_timeout = 20s
smtp_rcpt_timeout = 20s
smtpd_helo_required = yes
biff=no
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
#   reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_policy_service inet:127.0.0.1:12525,
#   check_policy_service inet:127.0.0.1:10023,
    permit
smtpd_data_restrictions = reject_unauth_pipelining, permit

-- master.cf changes --
smtp inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_proxy_timeout=200
127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=permit_mynetworks
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
Re: VERP Bounce Intercept
Noel Jones wrote: Chris Dos wrote: Noel Jones wrote: It looks like I want to check for RCPT TO:VERP_Address So I ran this check against the regexp table using postmap: postmap -q RCPT TO:chris+no-one-home=chrisdos@chrisdos.com regexp:header_checks.regexp and it came back with a result of DISCARD. So I guess I don't understand how you said it will never match as postmap said it does match. I'm not trying to be difficult or anything, just trying to figure out why this isn't working for me. Don't use header_checks, use a check_recipient_access map. It seems you trying to capture this on the sending system. You can't do that, the sender isn't verp'ed when header_checks and smtpd_*_checks sees the address. -- Noel Jones Well, I'm going to really want to forward a message that matches the regexp. I'm just doing the discard right now for testing. The header_checks allows me to do more than just accept or reject. Chris I don't see a forward action in header_checks. Maybe you intend to use REDIRECT? Postfix access tables allow more than accept/reject, including REDIRECT. http://www.postfix.org/access.5.html But my point is that header_checks are the wrong tool for the job. There is no guarantee that the envelope sender will be listed in the headers you receive. And it looks as if you're testing your header_checks on the same machine that generates the VERP'ed mail. That won't work. -- Noel Jones I was reading the header_checks won't work on bounced mail. I setup a regexp check_recipient_access map. This is the regexp file verp_redirect.regexp :

/^RCPT TO:.+\+.+\=...@.+\..+$/ REDIRECTverpbounce

It's still not working. Here is the postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_process_limit = 200
default_recipient_limit = 2
default_verp_delimiters = +=
disable_verp_bounces = no
disable_vrfy_command = yes
hash_queue_depth = 2
hash_queue_names = deferred, defer, active, incoming
header_checks = regexp:/etc/postfix/header_checks.regexp
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
maximal_queue_lifetime = 4d
message_size_limit = 1536
minimal_backoff_time = 7200
mydestination = mail-dr.sharperagent.com, mail-dr.prod.sharperagent.com
myhostname = mail-dr.sharperagent.com
mynetworks = 127.0.0.0/8, 10.20.30.0/24, 10.20.40.0/22, 172.28.201.0/24,172.28.200.0/30, 71.33.252.73,
myorigin = mail-dr.sharperagent.com
nested_header_checks = regexp:/etc/postfix/header_checks.regexp
propagate_unmatched_extensions = canonical, virtual
qmgr_message_active_limit = 2
qmgr_message_recipient_limit = 10
queue_run_delay = 2000
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, $mynetworks,sharperagent.com, agentcatalyst.com, builderintouch.com, lenderintouch.com,mr-roboto.sharperagent.com, minime.sharperagent.com,
relayhost =
smtp_connect_timeout = 10
smtp_helo_timeout = 10
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_delay_reject = no
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_pipelining,check_recipient_access regexp:/etc/postfix/verp_redirect.regexp, check_sender_access hash:/etc/postfix/sender_access, check_client_access regexp:/etc/postfix/habeas_header1.regexp,check_client_access regexp:/etc/postfix/habeas_header2.regexp,check_client_access regexp:/etc/postfix/habeas_header3.regexp, check_client_access hash:/etc/postfix/client_access, check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination, reject_non_fqdn_hostname, reject_rbl_client relays.ordb.org, check_policy_service inet:127.0.0.1:6 permit_mx_backup, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_hostname,reject_non_fqdn_recipient, reject_unauth_pipelining,
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
Re: VERP Bounce Intercept
...@chrisdos.com. Postfix creates a bounce.

Mar 20 09:06:35 mail-dr postfix/cleanup[9072]: 75D8529027D: message-id=20090320150635.75d85290...@mail-dr.sharperagent.com
Mar 20 09:06:35 mail-dr postfix/qmgr[9062]: 75D8529027D: from=, size=2670, nrcpt=1 (queue active)
Mar 20 09:06:35 mail-dr postfix/bounce[9074]: 7A03D28E132: sender non-delivery notification: 75D8529027D
Mar 20 09:06:35 mail-dr postfix/qmgr[9062]: 7A03D28E132: removed
Mar 20 09:06:35 mail-dr postfix/smtp[9073]: 75D8529027D: to=chris+no-one-home=chrisdos@chrisdos.com, relay=mail.chrisdos.com[71.33.251.73]:25, delay=0.19, delays=0.02/0/0.11/0.06, dsn=5.1.1, status=bounced (host mail.chrisdos.com[71.33.251.73] said: 550 5.1.1 chris+no-one-home=chrisdos@chrisdos.com: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))

Postfix tries to deliver the bounce to chris+no-one-home=chrisdos@chrisdos.com, which doesn't exist.

Mar 20 09:06:35 mail-dr postfix/qmgr[9062]: 75D8529027D: removed

I'm trying to intercept the bounce: to=chris+no-one-home=chrisdos@chrisdos.com Any ideas why this is not working? I'm so frustrated at this point, it's nuts. Chris Couple of problems here... You're never sending any mail out. All the logs you show are postfix internal mail. Internal mail is not subject to any checks. You can't catch a bounce on the way out. All postfix access controls, header_checks, check_sender_access, etc, operate on input. You're pointing the gun the wrong way. -- Noel Jones Well, pointing the gun the wrong way is definitely something that I don't want to be doing. But in this case, I'm confused. I'm having mail-dr send out to another server, mail.chrisdos.com, on the internet. Mail-DR is a separate mail server all together on a different domain and network. I'm just sending the e-mail to my server to test this. I'm doing smtpd_recipient_restrictions and adding that hash. That won't work for outgoing e-mail? Chris
Re: VERP Bounce Intercept
Noel Jones wrote: Chris Dos wrote: Well, pointing the gun the wrong way is definitely something that I don't want to be doing. But in this case, I'm confused. I'm having mail-dr send out to another server, mail.chrisdos.com, on the internet. Mail-DR is a separate mail server all together on a different domain and network. I'm just sending the e-mail to my server to test this. I'm doing smtpd_recipient_restrictions and adding that hash. That won't work for outgoing e-mail? Chris All postfix restrictions operate on input, ie. when mail is received by postfix. Can't change that. -- Noel Jones Okay, since the e-mail never finishes sending because the user is unknown on the other end and it is rejected right away, is there another way to do this? The whole point of this exercise for me is to just intercept a bounce back and process it internally instead of bouncing it back to the person that originally sent the mail. The best way seems to be to use VERP. Is there something I'm missing or a different way to go about doing this? Maybe pass all initial bounces through procmail or something to that effect? Chris
Re: VERP Bounce Intercept
Chris Dos wrote: Noel Jones wrote: Okay, since the e-mail never finishes sending because the user is unknown on the other end and it is rejected right away, is there another way to do this? The whole point of this exercise for me is to just intercept a bounce back and process it internally instead of bouncing it back to the person that originally sent the mail. The best way seems to be to use VERP. Is there something I'm missing or a different way to go about doing this? Maybe pass all initial bounces through procmail or something to that effect? Chris Internally generated bounces don't go through procmail or anything, they're just delivered to the original sender address. Maybe it would be better if you describe the actual problem you're trying to solve rather than asking how to implement a possible solution. -- Noel Jones I'm trying to intercept all hard bounced back e-mail and send it to a script/program for processing internally. I wish to prevent all notification of bounces to the person that sent the e-mail. I had an idea, and I'm trying to make it work. Can I just change the master.cf and change bounce to go to a pipe? Like this:

bounce unix - - n - 0 pipe flags=DORhu user=root argv=/etc/postfix/dump_bounce.sh

I keep getting this error though:

postfix/pipe[9736]: fatal: service bounce requires privileged operation

I was trying different users besides root, but even root does not work. Chris I figured out that problem by adding an n to the unpriv column. Chris
Re: VERP Bounce Intercept
-- Chris Dos Senior Engineer Cell: 303-520-1821 Chris Dos wrote: Chris Dos wrote: Noel Jones wrote: Okay, since the e-mail never finishes sending because the user is unknown on the other end and it is rejected right away, is there another way to do this? The whole point of this exercise for me is to just intercept a bounce back and process it internally instead of bouncing it back to the person that originally sent the mail. The best way seems to be to use VERP. Is there something I'm missing or a different way to go about doing this? Maybe pass all initial bounces through procmail or something to that effect? Chris Internally generated bounces don't go through procmail or anything, they're just delivered to the original sender address. Maybe it would be better if you describe the actual problem you're trying to solve rather than asking how to implement a possible solution. -- Noel Jones I'm trying to intercept all hard bounced back e-mail and send it to a script/program for processing internally. I wish to prevent all notification of bounces to the person that sent the e-mail. I had an idea, and I'm trying to make it work. Can I just change the master.cf and change bounce to go to a pipe? Like this:

bounce unix - - n - 0 pipe flags=DORhu user=root argv=/etc/postfix/dump_bounce.sh

I keep getting this error though:

postfix/pipe[9736]: fatal: service bounce requires privileged operation

I was trying different users besides root, but even root does not work. Chris I figured out that problem by adding an n to the unpriv column. Chris Though now I'm getting this error after sending bounce to pipe:

Mar 20 12:41:54 mail-dr postfix/pipe[10163]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
Mar 20 12:41:54 mail-dr postfix/pipe[10163]: warning: deliver_request_get: error receiving common attributes
Mar 20 12:41:54 mail-dr postfix/qmgr[10151]: 9F2AF28E134: removed

Chris
Re: VERP Bounce Intercept
Noel Jones wrote: Okay, since the e-mail never finishes sending because the user is unknown on the other end and it is rejected right away, is there another way to do this? The whole point of this exercise for me is to just intercept a bounce back and process it internally instead of bouncing it back to the person that originally sent the mail. The best way seems to be to use VERP. Is there something I'm missing or a different way to go about doing this? Maybe pass all initial bounces through procmail or something to that effect? Chris Internally generated bounces don't go through procmail or anything, they're just delivered to the original sender address. Maybe it would be better if you describe the actual problem you're trying to solve rather than asking how to implement a possible solution. -- Noel Jones I'm trying to intercept all hard bounced back e-mail and send it to a script/program for processing internally. I wish to prevent all notification of bounces to the person that sent the e-mail. I had an idea, and I'm trying to make it work. Can I just change the master.cf and change bounce to go to a pipe? Like this:

bounce unix - - n - 0 pipe flags=DORhu user=root argv=/etc/postfix/dump_bounce.sh

I keep getting this error though:

postfix/pipe[9736]: fatal: service bounce requires privileged operation

I was trying different users besides root, but even root does not work. Chris
Re: VERP Bounce Intercept
Victor Duchovni wrote: On Fri, Mar 20, 2009 at 07:09:29PM +, Duane Hill wrote:
Though now I'm getting this error after sending bounce to pipe:
Mar 20 12:41:54 mail-dr postfix/pipe[10163]: warning: unexpected attribute nrequest from bounce socket (expecting: flags)
Mar 20 12:41:54 mail-dr postfix/pipe[10163]: warning: deliver_request_get: error receiving common attributes
Mar 20 12:41:54 mail-dr postfix/qmgr[10151]: 9F2AF28E134: removed
Sure. You just took out Postfix's ability to handle bouncing messages properly. Have you looked at the man page for bounce(8) to see what its purpose is and all it does?
DO NOT modify in any way the Postfix bounce(8) service entries in master.cf. It is a critical internal service.
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
The current list of critical services is:
# critical internal services:
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
showq      unix  n  -  n  -      -  showq
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache
# critical delivery agents:
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
Do not modify the above except for -o options with pickup and cleanup in some configurations. You can add, modify or delete the various normal delivery agents or SMTP listeners:
smtp       inet  n  -  n  -      -  smtpd
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
I have read what the bounce service does. I wish to intercept ALL hard bounces and process them internally with a script. 
I don't want it to bounce back to the sender that sent the bad message. I haven't been able to figure out a way to do it yet. If the bounce service also handles soft bounces then this isn't the method to take. If there is another method that someone suggests, I'm all ears. Chris Chris
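Added example, not part of the original thread or of Postfix: a small audit that applies the rule stated in the message above to a master.cf, reporting any critical internal service that has been pointed at a different daemon or given extra arguments. The names `CRITICAL`, `OPTIONS_ALLOWED`, `logical_lines` and `audit` are assumptions made for this sketch, and the sample file is constructed from the entries quoted in the thread.

```python
# Service name -> daemon it must run, copied from the list quoted in the thread.
CRITICAL = {
    "pickup": "pickup", "cleanup": "cleanup", "qmgr": "qmgr",
    "tlsmgr": "tlsmgr", "rewrite": "trivial-rewrite", "bounce": "bounce",
    "defer": "bounce", "trace": "bounce", "verify": "verify",
    "flush": "flush", "showq": "showq", "proxymap": "proxymap",
    "proxywrite": "proxymap", "anvil": "anvil", "scache": "scache",
    "error": "error", "retry": "error",
}
OPTIONS_ALLOWED = {"pickup", "cleanup"}  # the thread's only stated exception

# Constructed sample: the bounce entry is the modified one from the thread.
SAMPLE = """\
smtp      inet  n  -  n  -   -  smtpd
pickup    fifo  n  -  n  60  1  pickup
cleanup   unix  n  -  n  -   0  cleanup
  -o header_checks=regexp:/etc/postfix/header_checks.regexp
bounce    unix  -  -  n  -   0  pipe
  flags=DORhu user=root argv=/etc/postfix/dump_bounce.sh
defer     unix  -  -  n  -   0  bounce
trace     unix  -  -  n  -   0  bounce -v
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return findings for critical services that were repointed or given options."""
    findings = []
    for line in logical_lines(text):
        f = line.split()
        if len(f) < 8 or f[0] not in CRITICAL:
            continue  # malformed, or a normal agent/listener that may be edited
        name, command, args = f[0], f[7], f[8:]
        if command != CRITICAL[name]:
            findings.append((name, f"runs {command}, expected {CRITICAL[name]}"))
        elif args and name not in OPTIONS_ALLOWED:
            findings.append((name, "has extra arguments: " + " ".join(args)))
    return findings
```

Running `audit()` over the output of a real master.cf before `postfix reload` catches this kind of edit before the queue manager starts removing messages.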
Re: VERP Bounce Intercept
Charles Marcus wrote: On 3/17/2009, Chris Dos (ch...@chrisdos.com) wrote: Sorry, I did have: recipient_delimiter = + in another part of my main.cf file.
One reason why the DEBUG_README asks (among other things) that you provide output of postconf -n instead of snips from main.cf.
Here is the output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_process_limit = 200
default_recipient_limit = 2
default_verp_delimiters = +=
disable_verp_bounces = no
disable_vrfy_command = yes
hash_queue_depth = 2
hash_queue_names = deferred, defer, active, incoming
header_checks = regexp:/etc/postfix/header_checks.regexp
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
maximal_queue_lifetime = 4d
message_size_limit = 1536
minimal_backoff_time = 7200
mydestination = mail-dr.sharperagent.com, mail-dr.prod.sharperagent.com
myhostname = mail-dr.sharperagent.com
mynetworks = 127.0.0.0/8, 10.20.30.0/24, 10.20.40.0/22, 172.28.201.0/24,172.28.200.0/30, 71.33.252.73,
myorigin = mail-dr.sharperagent.com
nested_header_checks = regexp:/etc/postfix/header_checks.regexp
propagate_unmatched_extensions = canonical, virtual
qmgr_message_active_limit = 2
qmgr_message_recipient_limit = 10
queue_run_delay = 2000
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, $mynetworks,sharperagent.com, agentcatalyst.com, builderintouch.com, lenderintouch.com,mr-roboto.sharperagent.com, minime.sharperagent.com,
relayhost =
smtp_connect_timeout = 10
smtp_helo_timeout = 10
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_delay_reject = no
smtpd_error_sleep_time = 0
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_milters = unix:/var/run/dkim/dkim-filter.socket, unix:/var/run/dkim/sid-filter.socket, unix:/var/run/dkim/dk-filter.socket,
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_pipelining,check_sender_access hash:/etc/postfix/sender_access, check_client_access regexp:/etc/postfix/habeas_header1.regexp, check_client_access regexp:/etc/postfix/habeas_header2.regexp,check_client_access regexp:/etc/postfix/habeas_header3.regexp, check_client_access hash:/etc/postfix/client_access, check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination, reject_non_fqdn_hostname, reject_rbl_client relays.ordb.org, check_policy_service inet:127.0.0.1:6 permit_mx_backup, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_hostname,reject_non_fqdn_recipient, reject_unauth_pipelining,
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
verp_delimiter_filter = -+=
virtual_alias_maps = hash:/etc/postfix/virtual
Chris
Re: VERP Bounce Intercept
Wietse Venema wrote: That is what YOU believe. You probably made a typo somewhere. This is why you should post postconf -n command output, as requested in the mailing list welcome message which you decided to ignore.
I don't believe that header addresses contain ONLY an e-mail address. There is a lot of other information there. But the regular expression should match a VERP modified e-mail address.
Your regexp: /^.+\+.+\=...@.+\..+$/ DISCARD will never ever match a message header, because headers have the format of HEADERLABEL: HEADERVALUE Wietse
In looking at the debug output of the communication between the smtp servers I saw this:
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 220 windwalker.chrisdos.com ESMTP Postfix (2.5.5)
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: EHLO mail-dr.sharperagent.com
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-windwalker.chrisdos.com
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-PIPELINING
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-SIZE 5120
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-ETRN
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-STARTTLS
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-AUTH=GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-ENHANCEDSTATUSCODES
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250-8BITMIME
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250 DSN
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: server features: 0x901f size 5120
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: Using ESMTP PIPELINING, TCP send buffer size is 4096
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: MAIL FROM: SIZE=2830
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: RCPT TO:chris+no-one-home=chrisdos@chrisdos.com ORCPT=rfc822;chris+2bno-one-home+3dchrisdos@chrisdos.com
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: DATA
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 250 2.1.0 Ok
Mar 18 09:16:38 mail-dr postfix/smtp[5596]: mail.chrisdos.com[71.33.251.73]:25: 550 5.1.1 chris+no-one-home=chrisdos@chrisdos.com: Recipient address rejected: User unknown in
It looks like I want to check for RCPT TO:VERP_Address So I ran this check against the regexp table using postmap: postmap -q RCPT TO:chris+no-one-home=chrisdos@chrisdos.com regexp:header_checks.regexp and it came back with a result of DISCARD. So I guess I don't understand how you said it will never match as postmap said it does match. I'm not trying to be difficult or anything, just trying to figure out why this isn't working for me.
Re: VERP Bounce Intercept
Noel Jones wrote: It looks like I want to check for RCPT TO:VERP_Address So I ran this check against the regexp table using postmap: postmap -q RCPT TO:chris+no-one-home=chrisdos@chrisdos.com regexp:header_checks.regexp and it came back with a result of DISCARD. So I guess I don't understand how you said it will never match as postmap said it does match. I'm not trying to be difficult or anything, just trying to figure out why this isn't working for me.
Don't use header_checks, use a check_recipient_access map. It seems you're trying to capture this on the sending system. You can't do that, the sender isn't verp'ed when header_checks and smtpd_*_checks sees the address. -- Noel Jones
Well, I'm going to really want to forward a message that matches the regexp. I'm just doing the discard right now for testing. The header_checks allows me to do more than just accept or reject. Chris
Re: VERP Bounce Intercept
I don't see a forward action in header_checks. Maybe you intend to use REDIRECT? Postfix access tables allow more than accept/reject, including REDIRECT. http://www.postfix.org/access.5.html
But my point is that header_checks are the wrong tool for the job. There is no guarantee that the envelope sender will be listed in the headers you receive. And it looks as if you're testing your header_checks on the same machine that generates the VERP'ed mail. That won't work. -- Noel Jones
I wasn't aware that header_checks would not work on VERP'ed mail. I'll try the check_recipient_access map. Chris
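Added example, not part of the original thread: for the bounce-processing script the thread is working towards, this sketch recovers the failed recipient from the envelope recipient of a returned VERP bounce, using the layout Postfix documents in VERP_README (sender local part, first delimiter, recipient local part, second delimiter, recipient domain) and the thread's `default_verp_delimiters = +=`. The function name `decode_verp`, the sender `bounces@lists.example.org` and all sample addresses are constructed for illustration; the address is remote-controlled input, so anything that does not decode cleanly is rejected.

```python
import re

# Conservative hostname syntax for the recovered domain.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

# Constructed bounce recipients for the hypothetical sender below.
SENDER = "bounces@lists.example.org"
SAMPLES = [
    "bounces+alice=example.net@lists.example.org",      # plain VERP address
    "bounces+alice+tag=example.net@lists.example.org",  # recipient had its own +ext
    "other+alice=example.net@lists.example.org",        # not derived from SENDER
    "bounces+alice=bad domain@lists.example.org",       # malformed domain part
]

def decode_verp(bounce_rcpt, sender, delims="+="):
    """Return the original recipient encoded in a VERP bounce address,
    or None if the address was not derived from `sender` or is malformed."""
    d1, d2 = delims
    local, at, domain = bounce_rcpt.rpartition("@")
    s_local, _, s_domain = sender.rpartition("@")
    if not at or domain.lower() != s_domain.lower():
        return None
    prefix = s_local + d1
    if not local.startswith(prefix):
        return None
    # The recipient's local part may itself contain either delimiter, but a
    # domain cannot contain '=', so split on the last occurrence.
    user, sep, rcpt_domain = local[len(prefix):].rpartition(d2)
    if not sep or not user or len(rcpt_domain) > 253:
        return None
    if not _DOMAIN.fullmatch(rcpt_domain):
        return None
    if any(c.isspace() or ord(c) < 32 or c == "@" for c in user):
        return None
    return f"{user}@{rcpt_domain}"
```

Matching against the known sender prefix rather than the first `+` keeps the decoder from accepting addresses that merely look VERP-shaped.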