Re: Using Sasl authentication and RBL

2010-04-22 Thread David Cottle



Sent from my iPhone

On 23/04/2010, at 10:10, Noel Jones njo...@megan.vbhcs.org wrote:


On 4/22/2010 6:54 PM, webmas...@aus-city.com wrote:



I do see some auth stuff in the logs, I put a snip:

Apr 21 05:05:31 server postfix/smtpd[21639]: connect from
unknown[xx.xx.xx.xx]
Apr 21 05:05:31 server postfix/smtpd[21639]: NOQUEUE:
client=unknown[xx.xx.xx.xx], sasl_method=PLAIN, sasl_username...@xx.com


This confirms your AUTH is working.  No need for further testing.   
If anyone can't send mail, they didn't AUTH.


-- Noel Jones


Hi Noel,

Thanks, I really thought that was the case. I will check out my
friend's PC on the weekend and try to find out what is going on.


As his Windows 7 + thunderbird works and his Fedora 11 and Windows XP
don't for sending, something's weird. Also his W7 is a new install.


I vaguely recall having him delete his XP thunderbird profile and redo  
it.


Thanks again for your help and at least got the master.cf better tweaked.


Set submission as to bypass RBLs

2010-04-21 Thread David Cottle

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:

#
# Postfix master process configuration file.  For details on the format
==
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628  inet  n   -   n   -   -   qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   n   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
    -o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
    argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
    /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman
    argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
    argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
    argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
    dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes domin...@slackadelic.com wrote:



On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

Quoting Matt Hayes domin...@slackadelic.com:


On 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No, it's not; look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025






ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have
to negate them just as you did with smtpd_sender_restrictions

-Matt


Hi Matt,

In main.cf I have got in smtpd sender restrictions permit sasl
authenticated.


It's also in smtpd recipient restrictions as the 3rd after mynetworks  
and a plesk no relay check.


smtpd client restrictions it's 2nd after a plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelist is first.

I know it's RBL killing as it's complaints about ISP dynamic message.

I can post my actual main.cf later when I have PC as I am on iPhone.

Is there also a command to dump the config?

Thanks!
 



Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones njo...@megan.vbhcs.org wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:


I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the format
===


[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

 -o smtpd_helo_restrictions=
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


 -- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and  
both can RX but not send mail.

Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but  
only W7 works.


It's the same broadband settings, could it be the machines host name?

Anyway as it's only one client it's hard to track.

Thanks!
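
Added example (not part of the original posts, and not Postfix's or Plesk's own tooling): a small Python audit of the point made in the reply above, that every smtpd_*_restrictions list the submission entry does not override with -o is still inherited from main.cf, so an RBL check there keeps applying on port 587. The master.cf excerpt has its continuation indentation restored; the main.cf values and all function names are constructed for illustration.

```python
import re

# The access restriction lists smtpd evaluates for each client.
RESTRICTION_CLASSES = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_data_restrictions",
)
DNSBL_RE = re.compile(r"\breject_(?:rbl_client|rhsbl_\w+)\b")

# Excerpt of the posted master.cf. Continuation lines are re-indented here,
# because in a real master.cf they must start with whitespace.
SAMPLE_MASTER_CF = """\
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
"""

# The same entry with the two overrides suggested in the reply appended.
FIXED_MASTER_CF = SAMPLE_MASTER_CF + (
    "  -o smtpd_helo_restrictions=\n"
    "  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject\n"
)

# Constructed main.cf values (assumption: an RBL check is listed ahead of
# permit_sasl_authenticated in the recipient restrictions).
SAMPLE_MAIN_CF = {
    "smtpd_client_restrictions":
        "check_client_access hash:/etc/postfix/whitelist, "
        "permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org",
    "smtpd_recipient_restrictions":
        "permit_mynetworks, reject_rbl_client bl.spamcop.net, "
        "permit_sasl_authenticated, reject_unauth_destination",
}


def logical_lines(text):
    """Join continuation lines (leading whitespace); skip comments and blanks."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + stripped
        else:
            lines.append(stripped)
    return lines


def overrides(master_text, service, stype="inet"):
    """Return the {name: value} pairs given with -o for one service, or None."""
    for line in logical_lines(master_text):
        fields = line.split()
        if len(fields) < 8 or fields[0] != service or fields[1] != stype:
            continue
        args, found, i = fields[8:], {}, 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                found[name] = value
                i += 2
            else:
                i += 1
        return found
    return None


def audit(master_text, main_cf, service="submission"):
    """For each restriction list, report where its effective value comes from."""
    over = overrides(master_text, service)
    if over is None:
        raise LookupError("no active %s inet entry in master.cf" % service)
    report = {}
    for name in RESTRICTION_CLASSES:
        if name in over:
            source, value = "master.cf", over[name]
        else:
            source, value = "main.cf", main_cf.get(name, "")
        report[name] = {"source": source, "value": value,
                        "dnsbl": bool(DNSBL_RE.search(value))}
    return report


def inherited_dnsbl_classes(report):
    """Restriction lists that come from main.cf and still contain a DNSBL check."""
    return [n for n, r in report.items() if r["source"] == "main.cf" and r["dnsbl"]]


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_MASTER_CF), ("with overrides", FIXED_MASTER_CF)):
        print(label, "->", inherited_dnsbl_classes(audit(text, SAMPLE_MAIN_CF)))
```
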


Re: Using Sasl authentication and RBL

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 12:49, Noel Jones njo...@megan.vbhcs.org wrote:


On 4/21/2010 9:03 PM, Oliver Schinagl wrote:

On 04/22/10 03:55, Noel Jones wrote:

On 4/21/2010 8:39 PM, Oliver Schinagl wrote:


Heh, I suppose it wasn't as straightforward as that; I'll look more into
it after some sleep, I enabled it with the following:
submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
(even tried uncommenting both, which shouldn't matter imo?)

But got denied errors, telnet didn't tell me much, thunderbird told me
slightly more:
An error occurred sending mail: The mail server sent an incorrect
greeting:  5.7.1 <yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
rejected: Access denied.
It won't even ask me for my sasl password, nothing. A mystery for the
next day.


Please show your current postconf -n and the error message from the
postfix logs.  Showing error messages from the client or from telnet
are not particularly useful.

  -- Noel Jones

My current postconf -n is exactly as above in the mail; i hadn't changed
anything, i only pasted the relevant part from master.conf that i changed.


I don't see a postconf -n in this mail.  I asked for a new copy to  
make sure of its current contents, and because I deleted your  
previous messages and don't feel like rummaging around in the trash.




Apr 21 21:39:19 example postfix/smtpd[21360]: connect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]: 554 5.7.1 <yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]


The client was rejected during the CONNECT stage.  This implies you  
are using smtpd_delay_reject = no.


Don't do that, the client doesn't get a chance to authenticate.





is the corresponding postfix error; Basically what thunderbird reported :)


The postfix log is far more useful; it tells us your problem is (at  
least) you need to unset smtpd_delay_reject.  There may be other  
problems exposed once you fix this one.



Looking at the message you sent David Cottle, I think he's doing what
Matt suggested I should do? Use submission to bypass RBL stuff; I'd
gladly add those 2 options as well, but why would they not be in the
default config? You'd think that the default submission bit was exactly
that, allow users to bypass everything and submit messages directly. I'm
too tired to think atm so I'll check it all out again tomorrow :)
Sleep well :)


There is no evidence David's client ever authenticates.  Not quite  
the same problem.  Your client doesn't authenticate either, but  
that's because you don't give them the chance.


Using the submission port is an accepted solution to the common  
problems[1] of how to allow mobile users to send mail to your  
server.  The main advantage is it allows you to specify a different  
policy[2] for authenticated users.


You can add -o smtpd_delay_reject=yes to the submission entry in  
master.cf to insure that changes to that parameter in main.cf won't  
affect the submission service.  But a better solution is just don't  
mess with that setting; leave it at the default yes.


submission is commented out in the default postfix config because  
a relatively small subset of folks using postfix need it, and it's  
not nice to open ports not needed.


[1] IP listed in RBL.  ISP or hotspot blocks port 25 access.

[2] accept mail from authenticated clients no matter how screwed up  
their mailer or their IP


 -- Noel Jones


Hi Noel,

I tried running

testsaslauthd -u usermailname -p matchingpass -s smtp

I get

connect () : No such file or directory




Set submission as to bypass RBLs

2010-04-19 Thread David Cottle

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:

#
# Postfix master process configuration file.  For details on the format
==
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628  inet  n   -   n   -   -   qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   n   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
    -o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
    argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
    /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman
    argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
    argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
    argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
    dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

RDNS question

2009-02-17 Thread David Cottle

In my postfix mail log I see a lot of unknown against servers.

I know DNS works as SPF records lookup properly.

Is this normal behaviour due to timeouts?

Just when I always see unknown makes me wonder.

Thanks,







Whitelist final draft

2009-02-11 Thread David Cottle

Hi All,

I now have added dnswl to my config to whitelist.

Can I get some comments it looks okay please?

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org

I want my whitelist run first and anyone on it gets to the end
I then want to remove those pesky backscatters to , postmaster and
MAILER_DAEMON
I then want to run my postfix-dnswl-permit
And then onto the RBLs

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, check_client_access
cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps,
hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110



DNS lookups not working?

2009-02-10 Thread David Cottle

All,

I see this a lot in my mail.log (unknown):

Feb 10 20:38:28 server postfix/smtpd[21977]: connect from
unknown[72.4.168.106]
Feb 10 09:38:30 server postfix/smtpd[21977]: NOQUEUE: reject: RCPT
from unknown[72.4.168.106]: 554 5.7.1 Service unavailable; Client host
[72.4.168.106] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=72.4.168.106;
from=re...@ispk.info to=david.ether...@idb.info proto=ESMTP
helo=mail.ispk.info
Feb 10 09:38:30 server postfix/smtpd[21977]: disconnect from
unknown[72.4.168.106]
Feb 10 09:38:40 server postfix/smtpd[21977]: connect from
unknown[80.65.83.20]
Feb 10 09:38:42 server postfix/smtpd[21977]: NOQUEUE: reject: RCPT
from unknown[80.65.83.20]: 554 5.7.1 Service unavailable; Client host
[80.65.83.20] blocked using bl.spamcop.net; Blocked - see
http://www.spamcop.net/bl.shtml?80.65.83.20;
from=establishn...@wzdyf.com to=jcoxh...@idb.com.au proto=ESMTP
helo=cust.citosec.806583-20.bih.net.ba
Feb 10 09:38:42 server postfix/smtpd[21977]: lost connection after
DATA (0 bytes) from unknown[80.65.83.20]
Feb 10 09:38:42 server postfix/smtpd[21977]: disconnect from
unknown[80.65.83.20]
Feb 10 09:38:45 server postfix/smtpd[21977]: connect from
unknown[80.65.83.20]
Feb 10 09:38:46 server postfix/smtpd[21977]: NOQUEUE: reject: RCPT
from unknown[80.65.83.20]: 554 5.7.1 Service unavailable; Client host
[80.65.83.20] blocked using bl.spamcop.net; Blocked - see
http://www.spamcop.net/bl.shtml?80.65.83.20;
from=sororit...@maggicontrols.com to=jcoxh...@idb.com.au
proto=ESMTP helo=cust.citosec.806583-20.bih.net.ba
Feb 10 09:38:47 server postfix/smtpd[21977]: lost connection after
DATA (0 bytes) from unknown[80.65.83.20]
Feb 10 09:38:47 server postfix/smtpd[21977]: disconnect from
unknown[80.65.83.20]


I tried selinux off no difference (I do make my own local policy from
audits anyway).

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = localhost.$mydomain, localhost, localhost.localdomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps,
hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110


Here is a test showing my DNS works:

nslookup test.com > nslookup

Here is the file:

Server:10.0.10.1
Address:10.0.10.1#53

Non-authoritative answer:
Name:test.com
Address: 205.178.152.103

At first I found my resolv.conf had no nameservers in it (but the
server itself runs a DNS and nslookups were working anyway), I added
them but no difference..

Thanks!

David



Re: DNS lookups not working?

2009-02-10 Thread David Cottle

Charles Marcus wrote:
 On 2/10/2009, David Cottle (webmas...@aus-city.com) wrote:
 Feb 10 09:38:30 server postfix/smtpd[21977]: NOQUEUE: reject:
 RCPT from unknown[72.4.168.106]: 554 5.7.1 Service unavailable;

 Are you using the free zen service? If so, are you exceeding the
 limits they place on free usage?

Hi Charles,

Yes I am but I am not exceeding the usage.

Here are some from other servers:

Feb 10 11:38:40 server postfix/smtpd[32014]: connect from
unknown[61.90.76.4]
Feb 10 11:38:41 server postfix/smtpd[32014]: NOQUEUE: reject: RCPT
from unknown[61.90.76.4]: 554 5.7.1 Service unavailable; Client host
[61.90.76.4] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=61.90.76.4;
from=dcra...@mcs.k12.nc.us
to=enquir...@japaneseswordsmanship.com.au proto=ESMTP
helo=ppp-61-90-76-4.revip.asianet.co.th
Feb 10 22:38:42 server spamd[3422]: spamd: got connection over
/tmp/spamd_full.sock
Feb 10 11:38:42 server postfix/smtpd[32014]: lost connection after
DATA (0 bytes) from unknown[61.90.76.4]
Feb 10 11:38:42 server postfix/smtpd[32014]: disconnect from
unknown[61.90.76.4]
Feb 10 22:38:42 server spamd[28616]: prefork: child states: II
Feb 10 11:38:47 server postfix/smtpd[32013]: connect from
unknown[86.55.226.169]
Feb 10 22:38:49 server imapd: Connection, ip=[127.0.0.1]
Feb 10 22:38:49 server imapd: IMAP connect from @ [127.0.0.1]INFO:
LOGIN, user=webmas...@aus-city.com, ip=[127.0.0.1], protocol=IMAP
Feb 10 11:38:49 server postfix/smtpd[32013]: NOQUEUE: reject: RCPT
from unknown[86.55.226.169]: 554 5.7.1 Service unavailable; Client
host [86.55.226.169] blocked using bl.spamcop.net; Blocked - see
http://www.spamcop.net/bl.shtml?86.55.226.169;
from=theophil...@barbarascanlon.com to=boun...@aus-city.com
proto=ESMTP helo=localhost


Feb 10 11:30:14 server postfix/smtpd[31747]: NOQUEUE: reject: RCPT
from unknown[94.181.24.220]: 554 5.7.1 Service unavailable; Client
host [94.181.24.220] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=94.181.24.220;
from=chayde...@amd.com to=dcot...@idb.com.au proto=ESMTP
helo=xwzrqvvna
Feb 10 11:30:14 server postfix/smtpd[31747]: NOQUEUE: reject: RCPT
from unknown[94.181.24.220]: 554 5.7.1 Service unavailable; Client
host [94.181.24.220] blocked using zen.spamhaus.org;
http://www.spamhaus.org/query/bl?ip=94.181.24.220;
from=chayde...@amd.com to=jcoxh...@idb.com.au proto=ESMTP
helo=xwzrqvvna
Feb 10 11:30:15 server postfix/smtpd[31747]: lost connection after
DATA (0 bytes) from unknown[94.181.24.220]
Feb 10 11:30:15 server postfix/smtpd[31747]: disconnect from
unknown[94.181.24.220]
Feb 10 11:30:18 server postfix/smtpd[31747]: connect from
unknown[88.239.131.191]
Feb 10 11:30:21 server postfix/smtpd[31747]: NOQUEUE: reject: RCPT
from unknown[88.239.131.191]: 554 5.7.1 Service unavailable; Client
host [88.239.131.191] blocked using bl.spamcop.net; Blocked - see
http://www.spamcop.net/bl.shtml?88.239.131.191; from=comp...@dti.com
to=comp...@aus-city.com proto=SMTP helo=viessman
Feb 10 11:30:22 server postfix/smtpd[31747]: disconnect from
unknown[88.239.131.191]
Feb 10 22:30:28 server imapd: Connection, ip=[127.0.0.1]

Thanks!



Whitelist assistance with dnswl.org

2009-02-10 Thread David Cottle

Hi,

I have my own 'static' whitelisting working in smtpd_client_restrictions

I would also like to use the whitelisting in dnswl.org to override
blacklisting

I don't have much mail traffic, so rather than rsyncing, I want to do
this using normal DNS lookups.

The instructions say to:

smtpd_recipient_restrictions = ...
 reject_unauth_destination,
 ...
 check_client_access cidr:/etc/postfix/postfix-dnswl-permit,


My question is then simply how can you do this using a normal lookup?

smtpd_recipient_restrictions = ...
reject_unauth_destination,
???

or can / should it be done on my existing smtp_client_restrictions
rather than smtpd_recipient_restrictions:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
b.barracudacentral.org

Just I am not sure and also if I do it in
smtpd_recipient_restrictions, does this then get overwritten by the
last check in the smtpd_client_restrictions?  I naturally assume if it
is to go into smtpd_client_restrictions, it would go right after my
static whitelist, or my two check_ routines filtering out backscatter
bounces.

Sorry for all the questions.

Many thanks!

David





Re: Whitelist assistance with dnswl.org

2009-02-10 Thread David Cottle



Sent from my iPhone

On 11/02/2009, at 13:04, Noel Jones njo...@megan.vbhcs.org wrote:


David Cottle wrote:

Hi,
I have my own 'static' whitelisting working in  
smtpd_client_restrictions

I would also like to use the whitelisting in dnswl.org to override
blacklisting
I don't have much mail traffic, so rather than rsyncing, I want to do
this using normal DNS lookups.
The instructions say to:


Postfix doesn't have a DNS whitelist feature, so you will need to  
follow the rsync + access map instructions.


--
Noel Jones


Hi Noel,

Thanks for that!

Last question, where should I do it then?

As suggested or in my existing RBL right after my whitelist and check_  
tests?


Thanks!


Re: whitelisting not working

2009-02-09 Thread David Cottle

Noel Jones wrote:
 David Cottle wrote:

 Hi,

 I have got RBL tests and I got a client on godaddy.  Naturally their
 outgoing server (secureserver.net) is listed.  I made changes to
 postfix
 but its still rejecting, here is the extract of the main.cf and the
 rules.

 I don't understand why its not working..  If I remove all the rbl
 checks
 the emails arrive..

 Any ideas?

 Here is the configs that apply:

 smtpd_client_restrictions = check_client_access
 hash:/etc/postfix/whitelist,

 OK.

 check_client_access
 hash:/etc/postfix/check_backscatterer, check_client_access
 hash:/etc/postfix/check_spamcannibal,

 The above two checks will never match anything.  You need to use
 check_sender_access, not check_client_access.

 Make sure you leave the default setting of
 smtpd_delay_reject = yes
 so postfix knows the sender when it does this check.

 reject_rbl_client bl.spamcop.net,

 OK.

 reject_rbl_client pbl.spamhaus.org, reject_rbl_client
 sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,

 You should drop all the above and use zen.spamhaus.org.
 If you want to differentiate rejections, you can break them out by
 the reject code.

 reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
 dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,

 UCEPROTECT will give you tons of false positives when used this
 way.  Better to use it in a scoring type system, such as
 SpamAssassin or a scoring policy server.  Or just don't use it at
 all.  Here, it gave so many false positives that it wasn't even
 particularly useful for scoring.

 reject_rbl_client 2.0.0.127.b.barracudacentral.org

 This will never match anything.  Must be
   reject_rbl_client b.barracudacentral.org

 if you're trying to limit rejects to a specific response code, the
 syntax is
   reject_rbl_client b.barracudacentral.org=127.0.0.2

 the /etc/postfix/whitelist file (yes it's been mapped to .cf)

 k2smtpout01-01.prod.mesa1.secureserver.net OK
 k2smtpout02-01.prod.mesa1.secureserver.net OK
 k2smtpout03-01.prod.mesa1.secureserver.net OK
 k2smtpout04-01.prod.mesa1.secureserver.net OK
 k2smtpout05-01.prod.mesa1.secureserver.net OK
 k2smtpout06-01.prod.mesa1.secureserver.net OK

 you need only one entry.

 prod.mesa1.secureserver.net  OK

 If you've changed the default setting of
 parent_domain_matches_subdomains then use

 .prod.mesa1.secureserver.net  OK

 http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
 http://www.postfix.org/access.5.html

 But whitelisting by name only works if postfix knows the client name.

 Feb  9 09:36:55 server postfix/smtpd[26671]: connect from
 unknown[64.202.189.90]
 Feb  8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT
 from unknown[64.202.189.90]: 554 5.7.1 Service unavailable; Client
 host [64.202.189.90] blocked using dnsbl-1.uceprotect.net; IP
 64.202.189.90 is UCEPROTECT-Level 1 listed. See
 http://www.uceprotect.net/rblcheck.php?ipr=64.202.189.90;
 from=psa...@server.aussiefrogs.com to=dcot...@idb.com.au
 proto=SMTP helo=k2smtpout02-01.prod.mesa1.secureserver.net
 Feb  8 22:36:57 server postfix/smtpd[26671]: disconnect from
 unknown[64.202.189.90]

 Ah, postfix does not know the client name.  You'll need to whitelist
 them by IP address.

 Hmmm.
 % host 64.202.189.90
 90.189.202.64.in-addr.arpa domain name pointer
 k2smtpout02-01.prod.mesa1.secureserver.net.
 % host k2smtpout02-01.prod.mesa1.secureserver.net.
 k2smtpout02-01.prod.mesa1.secureserver.net has address 64.202.189.90

 Looks as if your DNS is broken.  If your DNS had been working, I
 don't believe this would have been labeled unknown.

 Does postfix label every client as unknown?

 the check_backscatterer (also mapped)

  reject_rbl_client ips.backscatterer.org
 postmaster reject_rbl_client ips.backscatterer.org
 MAILER-DAEMON reject_rbl_client ips.backscatterer.org

 The postmaster and MAILER-DAEMON entries are unlikely to match
 anything; remember you're checking the envelope sender, not a
 header.  I suppose some broken mailers could use the sender
 postmas...@example.com or mailer-dae...@example.com; you would need
 a regexp map to match those, and you won't see many of them.  Ditto
 for your spamcannibal map.


Hi Noel,

Many thanks for your tips!

I have not set smtpd_delay_reject anywhere, so the default value of
yes applies.

As for the check scripts, I changed them as you said,
check_sender_access, not check_client_access:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
cbl.abuseat.org, reject_rbl_client b.barracudacentral.org

I would have used this but in the postfix documentation it never
showed the use of check_sender_access in smtpd_client_restrictions
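
An added example, not part of any message in this thread: a Python sketch of the two lookups discussed above, using the reject line and whitelist entries quoted in the thread. It models the access(5) key order for check_client_access in simplified form (the function names are this example's own) and shows why a name-based entry cannot match a client logged as unknown, and how a DNSBL query name is built from the client IP and the zone.

```python
import ipaddress
import re

# Reject line copied from the thread and cut after the DNSBL name.
SAMPLE_LOG = (
    "Feb  8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT "
    "from unknown[64.202.189.90]: 554 5.7.1 Service unavailable; Client "
    "host [64.202.189.90] blocked using dnsbl-1.uceprotect.net; ..."
)

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<name>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: .*?"
    r"blocked using (?P<zone>[A-Za-z0-9.-]+)"
)

# Whitelist tables as discussed in the thread: one by name, one by IP address.
NAME_WHITELIST = {"prod.mesa1.secureserver.net": "OK"}
IP_WHITELIST = {"64.202.189.90": "OK"}


def parse_reject(line):
    """Return client name, client IP and DNSBL zone from an smtpd reject line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def client_lookup_keys(name, ip, parent_matches_subdomains=True):
    """Keys tried for one client, in order (simplified model of access(5)).

    Host name first, then its parent domains, then the IP address, then the
    address with least significant octets stripped.
    """
    keys = [name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # Without parent_domain_matches_subdomains, parents need a leading dot.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = ip.split(".")
    for n in range(4, 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def check_client_access(table, name, ip, parent_matches_subdomains=True):
    """First matching key wins; no match means the next restriction runs."""
    for key in client_lookup_keys(name.lower(), ip, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


def dnsbl_query_name(ip, zone):
    """DNS name queried for a client: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def diagnose(line, table):
    """Explain one reject line against one whitelist table."""
    hit = parse_reject(line)
    if hit is None:
        return None
    key, action = check_client_access(table, hit["name"], hit["ip"])
    return {
        "client": "%s[%s]" % (hit["name"], hit["ip"]),
        "whitelist_key": key,
        "whitelist_action": action,
        "dnsbl_query": dnsbl_query_name(hit["ip"], hit["zone"]),
    }


if __name__ == "__main__":
    for label, table in (("by name", NAME_WHITELIST), ("by IP", IP_WHITELIST)):
        print(label, diagnose(SAMPLE_LOG, table))
    # A zone written with the return code in front builds a name the list
    # operator does not serve.
    print(dnsbl_query_name("64.202.189.90", "2.0.0.127.b.barracudacentral.org"))
    print(dnsbl_query_name("64.202.189.90", "b.barracudacentral.org"))
```
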

Re: whitelisting not working

2009-02-09 Thread David Cottle



Sent from my iPhone

On 10/02/2009, at 11:02, Noel Jones njo...@megan.vbhcs.org wrote:


David Cottle wrote:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/check_backscatterer, check_sender_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client
bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client
cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
I would have used this but in the postfix documentation it never
showed the use of check_sender_access in smtpd_client_restrictions
So I assume this is correct now?


You were also supposed to remove cbl.abuseat.org; it's included in  
the zen lookup.


One further suggestion - you may want to move your backscatter and  
spamcannibal checks to smtpd_data_restrictions to be compatible with  
the few services that do sender verification callbacks.


Other than that, yes, this looks reasonable.


As for the unknown, could selinux be stopping postfix from using the
DNS?  The DNS works as it serves out the DNS for the hosted domains.
Feb  9 22:31:55 server postfix/smtpd[25015]: connect from
unknown[189.6.3.109]
Yet I do a prompt from the server and reverse lookup the IP I get the
name..


SELinux is the usual suspect.  Turn it off and see what happens.  If  
that's not it, the second guess is an incomplete chroot jail.


If this doesn't help you get it fixed, start a new message thread  
for the new problem.  Include your postconf -n output and logging  
demonstrating the problem.



--
Noel Jones


Hi Noel,

Many thanks for your help!

I will pull the cbl.abuseat.org did not know it's in zen - that is a  
comprehensive rbl!


If I move my check_xxx routines to the smtpd_data_restrictions, is  
this still called up as a check_sender_access?


So I also assume that smtpd_data_restrictions does what it does now
in smtpd_client_restrictions with the additional sender verification  
callbacks?


Also no need running a whitelist in smtpd_data_restrictions as my
routines only look for , postmaster and MAILER_DAEMON


Thanks again!
David


whitelisting not working

2009-02-08 Thread David Cottle

Hi,

I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to postfix
but it's still rejecting, here is the extract of the main.cf and the rules.

I don't understand why it's not working..  If I remove all the rbl checks
the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client bl.spamcop.net,
reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes it's been mapped to .cf)

k2smtpout01-01.prod.mesa1.secureserver.net OK
k2smtpout02-01.prod.mesa1.secureserver.net OK
k2smtpout03-01.prod.mesa1.secureserver.net OK
k2smtpout04-01.prod.mesa1.secureserver.net OK
k2smtpout05-01.prod.mesa1.secureserver.net OK
k2smtpout06-01.prod.mesa1.secureserver.net OK



the check_backscatterer (also mapped)

 reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org


the check_spamcannibal (also mapped)

 reject_rbl_client bl.spamcannibal.org
postmaster reject_rbl_client bl.spamcannibal.org
MAILER-DAEMON reject_rbl_client bl.spamcannibal.org



Thanks!



Re: whitelisting not working

2009-02-08 Thread David Cottle



Sent from my iPhone

On 09/02/2009, at 10:09, Sahil Tandon sa...@tandon.net wrote:


On Mon, 09 Feb 2009, David Cottle wrote:


I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to  
postfix
but its still rejecting, here is the extract of the main.cf and the  
rules.


I don't understand why its not working..  If I remove all the rbl  
checks

the emails arrive..

Any ideas?

Here is the configs that apply:


Show 'postconf -n' instead of snippets from main.cf.  Also provide  
some logs

related to the problem.

--
Sahil Tandon sa...@tandon.net


Hi Sahil,

Difficult as I am away from any access except my iPhone for a week.

I only sent that part as that is what is affecting it, it's all in the
recipient client line.


I was thinking it's too long, or my whitelist command or the  
check_backscatterer or check_spamcannibal statements are wrong?


Simply removing the blacklisting rbl servers off that recipient client
line and leaving the others and emails arrive so I know that is where
the problem is.


Does the whitelist match the sending SMTP servers by name or IP?

I have confirmed they are correct by removing the blacklisting servers  
and looking then at the received emails.


For some reason the whitelisting is not working or the OK is being  
ignored or overwritten (these ips are on like about 3 to 4 of the rbl
servers).


I can certainly dump a postfix -n and put it on a www page (iPhone  
does not cut and paste) and could copy my mail log if needed.


Thanks!


Re: whitelisting not working

2009-02-08 Thread David Cottle



Sent from my iPhone

On 09/02/2009, at 10:38, Terry Carmen te...@cnysupport.com wrote:




David Cottle wrote:


Hi,

I have got RBL tests and I got a client on godaddy.  Naturally their
outgoing server (secureserver.net) is listed.  I made changes to  
postfix
but its still rejecting, here is the extract of the main.cf and the  
rules.


I don't understand why its not working..  If I remove all the rbl  
checks

the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client  
bl.spamcop.net,

reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes its been mapped to .cf)


Assuming you're making a hash file, postmap outputs a .db file.

Terry



Hi Terry,

Yes all the files (whitelist, check_backscatterer and  
check_spamcannibal) have been postmap.


I assume that as long as the whitelist is done first, anything that is  
ok in the file simply should 'brute force' past the rest of the  
checks, no matter how many?


Thanks!


Re: whitelisting not working

2009-02-08 Thread David Cottle



Sent from my iPhone

On 09/02/2009, at 11:12, Terry Carmen te...@cnysupport.com wrote:




David Cottle wrote:



Sent from my iPhone

On 09/02/2009, at 10:38, Terry Carmen te...@cnysupport.com wrote:




David Cottle wrote:


Hi,

I have got RBL tests and I got a client on godaddy.  Naturally  
their
outgoing server (secureserver.net) is listed.  I made changes to  
postfix
but its still rejecting, here is the extract of the main.cf and  
the rules.


I don't understand why its not working..  If I remove all the rbl  
checks

the emails arrive..

Any ideas?

Here is the configs that apply:

smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, check_client_access
hash:/etc/postfix/check_backscatterer, check_client_access
hash:/etc/postfix/check_spamcannibal, reject_rbl_client  
bl.spamcop.net,

reject_rbl_client pbl.spamhaus.org, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
reject_rbl_client 2.0.0.127.b.barracudacentral.org



the /etc/postfix/whitelist file (yes its been mapped to .cf)


Assuming you're making a hash file, postmap outputs a .db file.

Terry



Hi Terry,

Yes all the files (whitelist, check_backscatterer and  
check_spamcannibal) have been postmap.


I assume that as long as the whitelist is done first, anything that  
is ok in the file simply should 'brute force' past the rest of the  
checks, no matter how many?


My point was that postmap outputs a db file, and  
check_client_access hash:/etc/postfix/whitelist looks for /etc/ 
postfix/whitelist.db, while you stated that you mapped (renamed?)  
the file to .cf, which is not what postfix is looking for. This  
means that it will not find your whitelist file.


Terry



Hi Terry,

The files were all done with:

postmap /etc/postfix/whitelist
postmap /etc/postfix/check_backscatterer
postmap /etc/postfix/check_spamcannibal

I simply meant I had done this when I said I have already mapped them  
using postmap.


Also are my check_backscatterer and check_spamcannibal checks correct?

The original script parses emails only from  and postmaster, I
added the MAILER_DAEMON as well.


I was hoping it would be some syntax wrong in the main.cf or  
particularly the check_ db's


Thanks!
David


Multiple instances (incoming)

2009-02-08 Thread David Cottle

Hi,

I want to have multiple incoming hostnames to match my domains so it
passes spam checks better.

I found this:

http://www.linuxmail.info/postfix-multiple-ip-address-smtp-greeting/

exactly what I want except it does not work :(

master.cf (before)

smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject

master.cf (updated trying to do this - I am using real domain names
and ips)

#smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
localhost:smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
ipaddressgateway:smtp inet n - - - - smtpd -o
smtpd_proxy_filter=127.0.0.1:10025
ipaddress1:smtp inet n - - - - smtpd -o hostname=domain1 -o
smtpd_proxy_filter=127.0.0.1:10025
ipaddress2:smtp inet n - - - - smtpd -o hostname=domain2 -o
smtpd_proxy_filter=127.0.0.1:10025
ipaddress3:smtp inet n - - - - smtpd -o hostname=domain3 -o
smtpd_proxy_filter=127.0.0.1:10025
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject

Any ideas?

Thanks!





How to re-email for SRS / SPF compliance

2009-02-04 Thread David Cottle

Hi,

Can someone tell me how can you make postfix re-email on forwarded  
mail accounts instead of forwarding so postfix complies with SRS / SPF  
policy please?


There are SRS plugins for qmail but not for postfix - specifically  
interested in the latest 2.6 version I built and am running.


Many thanks!
David

Sent from my iPhone


Backscatter

2009-01-13 Thread David Cottle

Okay I am now down to maybe 5 emails per 24 hours that are backscatter
bounces from existing mail names.

Can anyone see anything wrong here please?  From reading I need to use
header and body checks?  ( How do I block backscatter mail to real
recipient addresses?
http://www.postfix.org/BACKSCATTER_README.html#real ), but am unsure
what to use in the code.  Can someone help come up with some header
and body check rules if I supply some real email headers?  Just I am
truly guessing what to do and that will no doubt kill real emails by
the train load!

Many thanks!

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = server.idb.com.au
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_use_tls = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl-xbl.spamhaus.org
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender,
reject_unauthenticated_sender_login_mismatch
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps,
hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110



Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle

Noel Jones wrote:
 David Cottle wrote:
 Hi Noel,

 Thanks for your help!

 I will firstly forward the postconf dump as requested.

 I will have to forward as another message - will call it postconf
 as I am on my iPhone.

 At least you can firstly look at that and perhaps find it is
 accepting during SMTP for undeliverable.

 Many thanks!

 David

 Sent from my iPhone

 Stop top posting - put your answers below the text you refer to.



Hi Noel,

The messages are all faked spam supposedly sent from mail addresses
that are valid off the server domains. So therefore non valid
addresses are being rejected.  So how can these be dealt with they all
look genuine in the headers.  My domains all run strict SPF policy
with reject mail when SPF does not resolve to pass, but as these are
bounce emails the servers of course have no SPF records therefore
don't get skimmed off.

Thanks!





Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle

Magnus Bäck wrote:
 On Monday, January 12, 2009 at 22:19 CET,
  David Cottle webmas...@aus-city.com wrote:

 The messages are all faked spam supposedly sent from mail addresses
 that are valid off the server domains. So therefore non valid
 addresses are being rejected.  So how can these be dealt with they all
 look genuine in the headers.  My domains all run strict SPF policy
 with reject mail when SPF does not resolve to pass, but as these are
 bounce emails the servers of course have no SPF records therefore
 don't get skimmed off.

 Please follow the instructions and post logs showing how these messages
 enter your system. Had the messages been rejected they would not have
 ended up in your queue. They are instead bounced, and you haven't
 provided us with any details about why this happens. Therefore we cannot
 suggest any course of action without resorting to guessing.

Thanks all, I just can't figure out why they get bounced, so I attach
here..  I will only attach two:

**ONE**

*** ENVELOPE RECORDS deferred/B/B831F13C003E ***
message_size:3039 213
1   03039
message_arrival_time: Mon Jan 12 10:43:42 2009
create_time: Mon Jan 12 10:43:42 2009
named_attribute: log_message_origin=local
named_attribute: trace_flags=0
sender:
original_recipient: donboe...@cfbnet.com
recipient: donboe...@cfbnet.com
*** MESSAGE CONTENTS deferred/B/B831F13C003E ***
Received: by server.engineering.idb (Postfix)
id B831F13C003E; Mon, 12 Jan 2009 10:43:42 +1100 (EST)
Date: Mon, 12 Jan 2009 10:43:42 +1100 (EST)
From: mailer-dae...@server.engineering.idb (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: donboe...@cfbnet.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary=C3F5B13C002D.1231717422/server.engineering.idb
Content-Transfer-Encoding: 8bit
Message-Id: 20090111234342.b831f13c0...@server.engineering.idb

This is a MIME-encapsulated message.

- --C3F5B13C002D.1231717422/server.engineering.idb
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host server.engineering.idb.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

webmas...@aus-city.com: Invalid destination status

- --C3F5B13C002D.1231717422/server.engineering.idb
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; server.engineering.idb
X-Postfix-Queue-ID: C3F5B13C002D
X-Postfix-Sender: rfc822; donboe...@cfbnet.com
Arrival-Date: Mon, 12 Jan 2009 10:43:36 +1100 (EST)

Final-Recipient: rfc822; webmas...@aus-city.com
Original-Recipient: rfc822;webmas...@aus-city.com
Action: failed
Status: 5.1.3
Diagnostic-Code: x-unix; Invalid destination status

- --C3F5B13C002D.1231717422/server.engineering.idb
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from server.engineering.idb (unknown [127.0.0.1])
by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
for webmas...@aus-city.com; Sun, 11 Jan 2009 23:43:36 + (UTC)
Received-SPF: none (no valid SPF record)
Received: from hosting.mgapi.edu (unknown [82.179.217.2])
by server.engineering.idb (Postfix) with SMTP
for webmas...@aus-city.com; Sun, 11 Jan 2009 23:43:35 + (UTC)
Received: from dpkpyv (181.138.153.218)
by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300
Date: Mon, 12 Jan 2009 02:43:44 +0300
From:  donboe...@cfbnet.com
X-Mailer: The Bat! (v2.01)
Reply-To:  amar_will...@yahoo.com
X-Priority: 3 (Normal)
Message-ID: 017606528.20080502031...@cfbnet.com
To:  webmas...@aus-city.com
Subject: =?iso-8859-5?B?QmUgYSB3aW5uZXIgaW4gYmVk?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary=--F63EA71C6CF12E

- F63EA71C6CF12E
Content-Type: text/html; charset=iso-8859-5
Content-Transfer-Encoding: 8bit

Our specil offer today NEW ONLINE PHARMACY STORE  a
href=http://agdavletovocypic.narod.ru;HERE/a
- F63EA71C6CF12E--



- --C3F5B13C002D.1231717422/server.engineering.idb--
*** HEADER EXTRACTED deferred/B/B831F13C003E ***
named_attribute: encoding=8bit
*** MESSAGE FILE END deferred/B/B831F13C003E ***



**TWO**

*** ENVELOPE RECORDS deferred/2/202B613C007B ***
message_size:   17228 225
1   0   17228
message_arrival_time: Tue Jan 13 01:49:46 2009
create_time: Tue Jan 13 01:49:46 2009
named_attribute: log_message_origin=local
named_attribute: trace_flags=0
sender:
original_recipient: thaddeus8s...@autotown.com
recipient: thaddeus8s...@autotown.com
*** MESSAGE CONTENTS

Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 11:44, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

On 13/01/2009, at 10:13, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from server.engineering.idb (unknown [127.0.0.1])
  by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
  for webmas...@aus-city.com; Sun, 11 Jan 2009 23:43:36 +
(UTC)
Received-SPF: none (no valid SPF record)
Received: from hosting.mgapi.edu (unknown [82.179.217.2])
  by server.engineering.idb (Postfix) with SMTP
  for webmas...@aus-city.com; Sun, 11 Jan 2009 23:43:35 +
(UTC)
Received: from dpkpyv (181.138.153.218)
  by hosting.mgapi.edu; Mon, 12 Jan 2009 02:43:44 +0300

..

Hi Wietse,

Sorry I am now totally confused as webmas...@aus-city.com is not
invalid it's this address!


If webmas...@aus-city.com is valid, then the problem is that
your own system is returning mail for webmas...@aus-city.com
as undeliverable.

That problem has NOTHING to do with spam.

   Wietse


Hi Wietse,

Sorry that is incorrect I am not sending out Viagra emails. I look at  
all these bounces and I did not send one of these single emails. My  
SMTP is closed and not an open relay either.


Now you see my questions I am perplexed at how to stop these. Qmail  
somehow dealt with these I never saw them in queue. But I believe  
postfix is a better program!


So they are indeed spam bounces.

Also how many could be being sent out that do get delivered?

But as I also said all these bounces i see they are stuck in queue as  
they are not deliverable.


So can rules like you use for someone sending out an email on the  
server as a user be applied to postmaster of bounces?


Simply test the recipients if invalid reject and it's resolved so  
filer bounces.


Else can a postfix command be issued to delete only undeliverable  
bounces only from mailerdaemon at my server in the queue? I can run  
this by cron.


It seems crazy for me to log in daily into plesk, tick all these in  
the mail queue and delete them manually.


Thanks!


Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 11:35, Res r...@ausics.net wrote:


On Tue, 13 Jan 2009, David Cottle wrote:

If I understand some spammer uses valid email addresses on my  
server and sends them via another server. They bounce as the  
addresses they spamming are invalid or fail for what ever reason.


SPF

--
Res

All we need, is just a little patience  -- William Bruce (Axl) Rose


Hi Res,

I already have strict SPF policy and records that strictly specify  
valid sender servers.


Also on incoming I already run the highest level delete mail that SPF  
records do not resolve to pass.





Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 13:02, wie...@porcupine.org (Wietse Venema) wrote:


David Cottle:

Received: from server.engineering.idb (unknown [127.0.0.1])
by server.engineering.idb (Postfix) with ESMTP id C3F5B13C002D
for webmas...@aus-city.com; Sun, 11 Jan 2009 23:43:36 +

...

THIS WAS MAIL FOR webmas...@aus-city.com.


The postmaster address on every domain exists but does not accept  
mail

it will bounce.


This was mail for WEBMASTER, now being returned to the sender.

If you have a non-functional postmaster address, that is sufficient
grounds for getting your entire domains blacklisted.

   Wietse


Wietse,

I do appreciate the help but feel I am stuck in a catch 22.

Firstly I am no expert in configuring postfix I just know enough to  
get by.


Is there anything in those examples that stands out as fake I can  
screen in someway - the header_checks of which I have no idea how to  
use, I don't want to experiment with rules that will trash real emails  
it's a production server.


Are bounce emails filtered the same as all target addresses? If not  
how can you apply same rules?


Failing that as then it looks impossible to fix so is there a command  
in postfix to selectively delete queued emails from bounce? I can have
cron do this.


Or can I force spamassassin as no doubt it will delete them as Viagra  
and such crap in the body is killed off immediately.


It still confuses me why qmail does not do this, I never saw these so  
they were being filtered out / deleted. All I can think is all mail  
incoming is piped through spamassassin?


Also I am not alone other plesk users that swapped to postfix now have  
the same issue 'spam bounce emails'. Postfix is a new option in plesk  
now.


Thanks!



Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-12 Thread David Cottle


On 13/01/2009, at 15:32, Jim Wright j...@wrightthisway.com wrote:

David, you've sent so many messages and replies that quoting  
anything at this point is just wasting bandwidth.  I'm going to jump  
in with a few notes on what I've read here:


First, you are fixating on the wrong problem.  If you have bounces  
that are queued up, this is because you are accepting mail that you  
cannot deliver.  THAT is the problem that needs to be fixed.   
Bounces are bad if you are generating them AFTER you have accepted  
email.  Reject such mails as they are being sent to your server.   
The postfix docs are your friend, read up on this.


You implied that you have postmaster/webmaster accounts but that  
these are not accepting mail?  This is wrong, these addresses should  
be reachable for legitimate email.  Tackle this issue after you've  
fixed the above.  At one point you indicated that these are being  
sent from users on your domain, more likely these are spoofed  
addresses, you need to use some method to authenticate users before  
they can send, accept certain IP ranges, local networks,  
authenticated SMTP users, etc.  Everyone else should be blocked from  
sending.


You claimed that the bounces are for mails that you never sent, and  
were forged.  Is your system an open relay?  Is it accepting mail  
from systems that it shouldn't be?  You will want to take a look at  
who is using your mail server, and only authorized users/systems are  
able to send mail via your mail server.



Tackle these issues, concentrate on one issue at a time.  Review the  
logs of mail as it arrives at your server, test repeatedly.  Out of  
the box, postfix is incredibly stable and secure, but with the wrong  
settings this can be undone.  Finally, if you still need help, run  
the command 'postconf -n', and post the output unfiltered to the  
list.  That will tell what non-standard settings you are using,  
which will likely shed clues to why you are having problems.


Hi Jim,

I found the issue. It's backscatter mail to real recipient addresses.  
At first I was getting non existent as well but stopped those.


I have to employ header and body checks.

Okay my question is I have multiple domains not just one like in the  
code example 'porcupine' given.


How do I code that?

Do I need to string a ton load of domain names or can you use a  
wildcard to match any domain?


If I could trouble for a snip of code I can apply it and let you know.  
It's a live server and I don't want to experiment code when I am not  
sure how to write it.


Thanks again!


Question on allowing a specific server to send mail

2009-01-11 Thread David Cottle

I have hardened my main.cf file:

smtpd_sender_restrictions = check_sender_access
  hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender,
  reject_unauthenticated_sender_login_mismatch, reject_unknown_sender_domain

and

smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated, reject_unauth_destination,
  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
  reject_unlisted_recipient, reject_unverified_recipient


I have a local server here that sends denyhost reports to my mail
server across the LAN directly.  Since I did this it's not getting
reports anymore.  I think most likely due to 'reject_non_fqdn_sender',
'reject_unknown_sender_domain'.  Is there a way I can specify my own
internal name (I have my own internal DNS) I gave the server to
'force' it to accept emails from this server?

Any ideas?

Thanks!



Question on allowing a specific server to send mail

2009-01-11 Thread David Cottle

Hi all,

I have hardened my main.cf file to stop backscatter.


smtpd_sender_restrictions = check_sender_access
  hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender,
  reject_unauthenticated_sender_login_mismatch, reject_unknown_sender_domain

and

smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated, reject_unauth_destination,
  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
  reject_unlisted_recipient, reject_unverified_recipient


I have a local server here that sends denyhost reports to my mail
server across the LAN directly.  Since I did this it's not getting
reports anymore.  I think most likely due to 'reject_non_fqdn_sender',
'reject_unknown_sender_domain'.  Is there a way I can specify my own
internal name (I have my own internal DNS) I gave the server to
'force' it to accept emails from this server?

Any ideas?

Thanks!



Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-11 Thread David Cottle

I can't seem to stop these spam bounce emails.

smtpd_sender_restrictions = check_sender_access
  hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender,
  reject_unauthenticated_sender_login_mismatch, reject_unknown_sender_domain

smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated, reject_unauth_destination

I have one bounce in there now, and postqueue -p tells me that connect
to mailno.opens.com network is unreachable.

Any ideas?

Thanks!



Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-11 Thread David Cottle
   anvil
scache    unix  -   -   n   -   1   scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# 
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -   n   n   -   -   pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# 
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -   n   n   -   -   pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# 
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix  -   n   n   -   -   pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# 
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp  unix  -   n   n   -   -   pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# 
#
# Other external delivery methods.
#
#ifmail    unix  -   n   n   -   -   pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix  -   n   n   -   -   pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -   n   n   -   2   pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -   n   n   -   -   pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

plesk_virtual unix - n n - - pipe flags=DFORhu user=popuser:popuser
  argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=FR user=mailman:mailman
  argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
  argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
  argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
  dbpath=/plesk/passwd.db




smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject







Noel Jones wrote:
 David Cottle wrote:

 I can't seem to stop these spam bounce emails.

 smtpd_sender_restrictions = check_sender_access
 hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender,
  reject_unauthenticated_sender_login_mismatch,
 reject_unknown_sender_domain

 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated, reject_unauth_destination

 I have one bounce in there now, and postqueue -p tells me that
 connect to mailno.opens.com network is unreachable.

 Any ideas?

 This sounds as if you have undeliverable bounces (which happen to
 be spam) in your queue.

 So why are you bouncing mail at all?  Don't do that.

 Please give us more details
 http://www.postfix.org/DEBUG_README.html#mail





Re: Can't stop UNDELIVERED MAIL RETURNED TO SENDER emails

2009-01-11 Thread David Cottle

Hi Noel,

Thanks for your help!

I will firstly forward the postconf dump as requested.

I will have to forward as another message - will call it postconf as I  
am on my iPhone.


At least you can firstly look at that and perhaps find it is accepting  
during SMTP for undeliverable.


Many thanks!

David

Sent from my iPhone

On 12/01/2009, at 11:19, Noel Jones njo...@megan.vbhcs.org wrote:


David Cottle wrote:

Hi Noel,
Yes please!  But can you tell me how to do this...  I really don't
want to bounce the spam at all.  I am using postfix 2.6, I built the
rpm from source.
Many thanks!,
David
Here is my main.cf (abbreviated I show only activated options)


[[Please don't top post.
Please show postconf -n rather than random main.cf snips.
Please show related logging.]]


You'll need to investigate where your bounces are coming from by  
examining your log - find out why postfix generated a bounce.
Start by searching your logfile for the QUEUEID displayed by the  
mailq command.


The usual source of unwanted bounces is accepting mail for  
undeliverable recipients rather than rejecting such mail during  
SMTP.  The postfix method of recipient validation depends on the  
address class of the recipient domain.

http://www.postfix.org/ADDRESS_CLASS_README.html

Also note that any address matched by virtual_alias_maps or  
*canonical_maps is considered valid, so @domain @domain wildcard  
mapping effectively disables recipient validation.



Please see
http://www.postfix.org/DEBUG_README.html
and especially
http://www.postfix.org/DEBUG_README.html#mail


--
Noel Jones
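
The log search described in the message above, as an added example that is not part of the original thread: given the queue ID that mailq shows for a stuck bounce, it follows the bounce daemon's "sender non-delivery notification" line back to the message that bounced and reports which client submitted it and why delivery failed. The log lines, queue IDs and addresses are constructed samples, and the short hexadecimal queue ID format is assumed.

```python
import re

# Constructed sample log (not taken from the thread); every ID, host and
# address below is made up for illustration.
SAMPLE_LOG = """\
Jan 11 10:00:01 server postfix/smtpd[1234]: 4A1B2C3D4E: client=unknown[192.0.2.10]
Jan 11 10:00:01 server postfix/qmgr[900]: 4A1B2C3D4E: from=<forged@example.net>, size=1234, nrcpt=1 (queue active)
Jan 11 10:00:02 server postfix/pipe[1240]: 4A1B2C3D4E: to=<nouser@example.org>, relay=plesk_virtual, delay=0.5, dsn=5.1.1, status=bounced (user unknown)
Jan 11 10:00:02 server postfix/bounce[1241]: 4A1B2C3D4E: sender non-delivery notification: 5F6A7B8C9D
Jan 11 10:00:02 server postfix/qmgr[900]: 5F6A7B8C9D: from=<>, size=3000, nrcpt=1 (queue active)
Jan 11 10:00:32 server postfix/smtp[1250]: 5F6A7B8C9D: to=<forged@example.net>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.5]:25: Network is unreachable)
"""

LINE = re.compile(r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
NDN = re.compile(r"sender non-delivery notification: (?P<new>[0-9A-F]+)")
BOUNCED = re.compile(
    r"to=<(?P<rcpt>[^>]*)>.*?relay=(?P<relay>[^,]+),.*status=bounced \((?P<why>.*)\)$")
CLIENT = re.compile(r"client=(?P<client>\S+)")
SENDER = re.compile(r"from=<(?P<sender>[^>]*)>")


def trace_bounce(log_text, bounce_qid):
    """Explain why the bounce queued as bounce_qid was generated."""
    events = {}  # queue ID -> list of (daemon, message text)
    parent = {}  # bounce queue ID -> queue ID of the message that bounced
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect and NOQUEUE lines carry no queue ID
        events.setdefault(m["qid"], []).append((m["daemon"], m["rest"]))
        n = NDN.search(m["rest"])
        if n and m["daemon"] == "bounce":
            parent[n["new"]] = m["qid"]
    orig = parent.get(bounce_qid)
    if orig is None:
        return None  # not generated on this host, or the log has rotated
    report = {"original_qid": orig, "client": None, "sender": None, "failures": []}
    for daemon, rest in events[orig]:
        if daemon == "smtpd" and (c := CLIENT.search(rest)):
            report["client"] = c["client"]       # who handed us the message
        elif daemon == "qmgr" and (s := SENDER.search(rest)):
            report["sender"] = s["sender"]       # envelope sender, possibly forged
        elif (b := BOUNCED.search(rest)):
            report["failures"].append((b["rcpt"], b["relay"], b["why"]))
    return report


if __name__ == "__main__":
    print(trace_bounce(SAMPLE_LOG, "5F6A7B8C9D"))
```

A client outside your own networks combined with a "user unknown" failure after acceptance means the recipient should have been rejected during SMTP, which is the recipient validation gap the message describes.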




Postconf - for Noel

2009-01-11 Thread David Cottle



Sent from my iPhone


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 1024
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_use_tls = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, reject_non_fqdn_sender, reject_unauthenticated_sender_login_mismatch
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110


smtp_helo_name ignored

2009-01-11 Thread David Cottle
I am running postfix on my mail server. The server uses a domain name  
in my local DNS that does not exist.


So to comply to RFC I used the smtp_helo_name = real.name.com

In my main.cf file.

But it does not work; dnstools still reports that the helo is answering  
with the hostname, not my entry in main.cf, so something is taking  
preference.


How do I fix this I simply want the helo to respond with what I  
specify and it will comply.


Thanks!

Sent from my iPhone


Re: smtp_helo_name ignored

2009-01-11 Thread David Cottle

Hi Sahil,

Yes exactly!

So I should be using smtpd_helo_name to set the server helo name?

Thanks!
David

Sent from my iPhone

On 12/01/2009, at 14:26, Sahil Tandon sa...@tandon.net wrote:


David Cottle wrote:

I am running postfix on my mail server. The server uses a domain name in
my local DNS that does not exist.

Presumably, you refer to server.engineering.idb?

 % telnet mail.aus-city.com 25
 Trying 203.206.129.129...
 Connected to mail.aus-city.com.
 Escape character is '^]'.
 220 server.engineering.idb ESMTP Postfix

So to comply to RFC I used the smtp_helo_name = real.name.com

Altering this parameter impacts the Postfix *client*, not the server.  smtp
!= smtpd.

How do I fix this I simply want the helo to respond with what I specify
and it will comply.

Change the code or $myhostname. :-)

--
Sahil Tandon sa...@tandon.net


Re: smtp_helo_name ignored

2009-01-11 Thread David Cottle

Hi Noel,

I will send you the logs tonight re the bounces.

Okay the helo is this correct?

smtpd_banner = gateway.aus-city.com

I want the helo to say that name. I assume I drop the hostname and  
what about the ESMTP?


Thanks!

Sent from my iPhone

On 12/01/2009, at 14:29, Noel Jones njo...@megan.vbhcs.org wrote:


David Cottle wrote:
I am running postfix on my mail server. The server uses a domain  
name in my local DNS that does not exist.

So to comply to RFC I used the smtp_helo_name = real.name.com
In my main.cf file.
But it does not work; dnstools still reports that the helo is  
answering with the hostname, not my entry in main.cf, so something is  
taking preference.
How do I fix this I simply want the helo to respond with what I  
specify and it will comply.

Thanks!
Sent from my iPhone



that parameter is used when you send mail (smtp) not when you  
receive mail (smtpd)


To change the greeting when you receive mail, please see
http://www.postfix.org/postconf.5.html#smtpd_banner
http://www.postfix.org/postconf.5.html#myhostname


--
Noel Jones


Re: smtp_helo_name ignored

2009-01-11 Thread David Cottle



Sent from my iPhone

On 12/01/2009, at 15:36, Sahil Tandon sa...@tandon.net wrote:


On Mon, 12 Jan 2009, David Cottle wrote:

smtpd_banner = gateway.aus-city.com

I want the helo to say that name. I assume I drop the hostname and what
about the ESMTP?

I think you may be confused about the HELO; the smtpd_banner is simply what
follows the 220 when a client connects to your smtpd.  It is common practice
for servers that support ESMTP to indicate this in their banner; no harm in
leaving it there.  Although Postfix by default sends EHLO even if ESMTP does
not appear in the banner, some other MTAs might need to see ESMTP to know
your server supports it.

--
Sahil Tandon sa...@tandon.net


The top posting is what the iPhone does I tried manually forcing it to  
the bottom.


Okay I set myhostname = gateway.aus-city.com

Now it replies properly, but it still fails RFC, I get this now (it's  
better as at least now the name exists, not an unknown server)


mail.aus-city.com claims to be host gateway.aus-city.com but that host  
is at 202.129.79.106 (may be cached) not 203.206.129.129


There are 28 domains on the server all on individual IPs.

Any solution or live with it? I assume it's much better having a real  
name rather than a non existent one?


Thanks for the help!

David
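
The check the external DNS tool is reporting in this thread, as an added example that is not part of the original messages: take the hostname announced after the 220 in the server greeting, resolve it, and compare the result with the address that was actually connected to. The resolver table is constructed from the names and addresses quoted in the thread, the second greeting string is a constructed sample, and the function names are hypothetical.

```python
import re
import socket

GREETING = re.compile(r"^220[ -](\S+)")


def banner_hostname(greeting):
    """Return the hostname a server announces in its SMTP 220 greeting."""
    m = GREETING.match(greeting.strip())
    if not m:
        raise ValueError("not a 220 greeting: %r" % greeting)
    return m.group(1).rstrip(".").lower()


def system_resolver(name):
    """Resolve name with the system resolver; empty set if it does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_greeting(greeting, connected_ip, resolve=system_resolver):
    """Classify a greeting as 'ok', 'mismatch' or 'unresolvable'.

    Addresses are compared as strings, which is sufficient for dotted IPv4.
    """
    host = banner_hostname(greeting)
    addrs = resolve(host)
    if not addrs:
        verdict = "unresolvable"   # name exists only in a private DNS view
    elif connected_ip in addrs:
        verdict = "ok"
    else:
        verdict = "mismatch"       # name is real but points at another address
    return host, verdict


# Constructed offline resolver holding only what the thread itself reports.
THREAD_DNS = {"gateway.aus-city.com": {"202.129.79.106"}}


def thread_resolver(name):
    return THREAD_DNS.get(name, set())


if __name__ == "__main__":
    ip = "203.206.129.129"  # address mail.aus-city.com connected to in the thread
    print(check_greeting("220 server.engineering.idb ESMTP Postfix", ip, thread_resolver))
    print(check_greeting("220 gateway.aus-city.com ESMTP Postfix", ip, thread_resolver))
```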