RE: Backup relay possible?
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Nikolaos Milas
Sent: 27 March 2014 14:27
To: postfix-users@postfix.org
Subject: Re: Backup relay possible?

On 27/3/2014 4:10 μμ, Birta Levente wrote:

Not really IMHO AFAIK since you have two entries with same key in transport map, postfix will choose the first. I think this is the way:

main.cf:
    fallback_relay=[vmail1.noa.gr]

transport_map:
    noa.gr relay:[vmail.noa.gr]
    admin.noa.gr relay:[vmail.noa.gr]

Hmm, yes; reading the docs, I understand you are right. This is the way it should be. (It was careless on my part to draw hastily a wrong conclusion.)

Yet, this means that a fallback relay will be common for all entries in transport_maps (which is fine in my case), but there is no way to define fallback relays per domain as in transport_maps?

Nick

What I have done to mitigate this issue is to setup a DNS server with internal use only zones. The transport map would therefore read similar to the following:

    noa.gr relay:noa.gr.local

I have then configured A records for the multiple relay destinations, queries are then balanced in a DNS round robin fashion. It's perhaps not the most elegant solution but *touch wood* it hasn't caused me any issues.

Kind regards, James Day
Message Bounced for Domain with no A record
Hello Postfix User List,

I have a mail server that I use to provide a smart host service for my customers. I have a problem sending a message onto a recipient in the domain cbhc.uk.com. The failure message is below. I'm struggling to work out why postfix is unable to forward this message when there is a valid MX record. The error states that there is no A record for the domain name (which is correct) but I would have thought Postfix should be looking for an MX record as well.

I have checked /var/spool/postfix/etc/resolv.conf and confirmed that this contains valid DNS servers (8.8.8.8 and 8.8.4.4) and have confirmed that I am able to query for MX records (using dig) and I get correct results - I have also tested telnet on port 25 to each MX and confirmed I can connect.

I have replaced any potentially sensitive data in the mail log entry with HIDDEN - I hope this doesn't hamper any efforts to help. Any help would be greatly appreciated.

Mail log entry:

Jan 16 10:59:52 smtp postfix/smtpd[21012]: B905D39A041E: client=HIDDEN, sasl_method=LOGIN, sasl_username=HIDDEN
Jan 16 10:59:52 smtp postfix/cleanup[21008]: B905D39A041E: message-id=744A7ED15EAB1447B0011004ED33376501296912@HIDDEN
Jan 16 10:59:53 smtp postfix/qmgr[298]: B905D39A041E: from=HIDDEN, size=161277, nrcpt=2 (queue active)
Jan 16 10:59:53 smtp postfix/smtp[21010]: B905D39A041E: to=hid...@cbhc.uk.com, relay=none, delay=1.2, delays=1.2/0/0.05/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=cbhc.uk.com type=A: Host not found)
Jan 16 10:59:53 smtp postfix/smtp[21010]: B905D39A041E: to=hid...@cbhc.uk.com, relay=none, delay=1.2, delays=1.2/0/0.05/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=cbhc.uk.com type=A: Host not found)
Jan 16 10:59:53 smtp postfix/bounce[21013]: B905D39A041E: sender non-delivery notification: F185D51A005F
Jan 16 10:59:53 smtp postfix/qmgr[298]: B905D39A041E: removed

Postconf -n Output:

config_directory = /etc/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = Ontraq
message_size_limit = 2048
mydestination =
myhostname = smtp.ontraq.com
mynetworks =
myorigin = ontraq.com
smtpd_recipient_restrictions = permit_sasl_authenticated reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/relay_domains
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access reject_sender_login_mismatch
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtp.ontraq.com.pem
smtpd_tls_key_file = /etc/postfix/smtp.ontraq.com.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = encrypt

Kind regards, James Day
RE: Message Bounced for Domain with no A record
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of martijn.list Sent: 16 January 2014 12:17 To: postfix-users@postfix.org Subject: Re: Message Bounced for Domain with no A record On 01/16/2014 12:52 PM, James Day wrote: Hello Postfix User List, I have a mail server that I use to provide a smart host service for my customers. I have a problem sending a message onto a recipient in the domain cbhc.uk.com. The failure message is below. I'm struggling to work out why postfix is unable to forward this message when there is a valid MX record. The error states that there is no A record for the domain name (which is correct) but I would have thought Postfix should be looking for an MX record as well. There must be something wrong with one of your DNS servers. About half of the DNS requests for the mx record return NXDOMAIN (i.e., Non-Existent Domain). Kind regards, Martijn Brinkers -- DJIGZO email encryption Thank you everyone for your prompt responses. Just bad luck on my part that my dig returned records from the mail server that has MX records and postfix queried the other. I will contact the recipient domain and inform them of the issue. Kind regards, James Day
RE: block exe and other attachments
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Rowland Onobrauche Sent: 16 September 2013 12:02 To: Postfix users Subject: Re: block exe and other attachments On 16 Sep 2013, at 11:38, Wietse Venema wrote: Rowland Onobrauche: I am currently using mime_header_checks to block certain attachments with such a string - /name=[^]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT This however does not stop me from receiving 100s of exes and other suspect attachments - which are being blocked by mailscanner, however, i want these blocking at the smtp transaction stage. Can anyone suggest a better way of doing this, so that the checks are successful at smtp transaction? You made a configuration error. Unfortunately, I am not telepathic. Wietse Not very helpful. Does anyone else have any advice on this? Unfortunately you have not provided enough information. At very least you should be posting relevant logs and postconf -n output. Kind regards, James Day
RE: smtpd_sender_login_maps and out of office messages
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Sent: Wednesday, July 31, 2013 12:06 PM
To: Postfix users
Subject: Re: smtpd_sender_login_maps and out of office messages

James Day:

Hello list, Hopefully a simple question but I can't seem to find the answer in the documentation (maybe my Google skills are lacking!). I'm using smtpd_sender_login_maps to ensure that users relaying only send mail from their own domains. Is it possible to allow an exception for out of office messages / automatic replies (ie where there is no sender address)?

It is possible. You would need to permit the null envelope sender address before enforcing reject_sender_login_mismatch. At the same time this should not make you an open relay for mail from <>. For these reasons I suggest moving reject_sender_login_mismatch out of smtpd_recipient_restrictions, and into smtpd_sender_restrictions.

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_access
        reject_sender_login_mismatch

/etc/postfix/sender_access:
    <> permit

The <> is a surrogate for the empty address, and is configured with the smtpd_null_access_lookup_key parameter. Postfix never queries a table with the null-string lookup key.

Wietse

Thanks Wietse. This is my working configuration (hopefully you can't see any issues)

/etc/postfix/main.cf
    ...
    smtpd_recipient_restrictions = permit_sasl_authenticated reject
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access reject_sender_login_mismatch
    ...

/etc/postfix/sender_access:
    <> permit

Kind regards, James Day
smtpd_sender_login_maps and out of office messages
Hello list, Hopefully a simple question but I can't seem to find the answer in the documentation (maybe my Google skills are lacking!). I'm using smtpd_sender_login_maps to ensure that users relaying only send mail from their own domains. Is it possible to allow an exception for out of office messages / automatic replies (ie where there is no sender address)? Kind regards, James Day
Catchall Mailbox and deliver to original recipient
Hello list,

I have a question regarding virtual alias maps. I currently implement this table to allow me to keep an offsite copy of all incoming mails for users in the following manner

    u...@example.com u...@example.com,u...@offsite.com

So the user will receive the original message and a copy will be sent to the offsite mailbox (which has webmail access). The idea being that if their local mail server dies a terrible death then they still have access to incoming mail via the webmail.

Now I have a domain where they would like to implement a catchall mailbox for their offsite access. If this was the only delivery location I'd do something like:

    @example.com catch...@offsite.com

However I would still like the original recipient to receive a copy of the message. Short of listing all the user accounts and aliasing them all to the catchall mailbox is there any variable I can use to alias the message back to its original recipient as well? The wording on that is inelegant so perhaps I should put an example of what I am trying to achieve:

    @example.com $u...@example.com,catch...@offiste.com

So if a message were to come into john.sm...@example.com it would be aliased to john.sm...@example.com and catch...@offsite.com

Thanks in advance.

Kind regards, James Day
Null sender address in NDR's
Hello List,

I'll have to start by breaking the golden rule of this list and not posting postconf -n output as my question relates to a server over which I have no control.

A customer of mine is using a smart host provided by their ISP through which all outbound mail is delivered, smtp.enta.net (which is running postfix). This server holds a list of valid domains from which this customer is allowed to send. A sensible precaution to prevent a compromised machine from sending spam using spoofed sender addresses on other domains.

The problem is that when the client's mail server sends an NDR the sender address is <> (ie NULL). The null sender address causes the message to be rejected with:

    554+5.7.1+:+Sender+address+rejected:+Access+denied

Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation? Or alternatively - and this is off topic for this list - is there a way to configure Microsoft Exchange 2003 to send NDR's with a different sender address.

And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!).

Kind regards, James Day (IT Engineer)
RE: Null sender address in NDR's
. Is there a sensible way to configure postfix to allow these messages with null sender addresses to be relayed without opening the smart host up to exploitation? Sending bounces is not exploitation, but the smart host (really submission service) policy is up to the ISP. Ask them. I wasn't trying to suggest that sending bounces would be exploitation, rather that allowing *all* messages with a NULL sender to relayed through could potentially be exploited to send spam as NO. Bounces MUST be sent with a null sender address. Otherwise, bounces would elicit bounces in return creating mail loops, sometimes exponentially growing, if a message elicits multiple non-delivery reports. Yes I know that and have referred to that point below. The solution is to use a relay that permits bounces. Either the ISP relaxes their policies, or a different relay must be found. As I feared, thank you for confirming. And before anyone comments, yes I know this isn't best practice as NDR's should have null sender addresses to stop loops (bouncing bounce-backs!). Not should, MUST. Not isn't best practice, rather prohibited. -- Viktor. I understand and agree however in my experience you sometimes have to fudge things so they operate with incorrectly configured systems (against my own wishes!) James
RE: Null sender address in NDR's
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Reindl Harald Sent: 14 February 2013 15:43 To: postfix-users@postfix.org Subject: Re: Null sender address in NDR's Am 14.02.2013 16:36, schrieb James Day: Not should, MUST. Not isn't best practice, rather prohibited. I understand and agree however in my experience you sometimes have to fudge things so they operate with incorrectly configured systems (against my own wishes!) no you have not if you can clearly show that your setup goes with all relevant RFC's and is configured by best common practice you NEVER need to do anything to support incorrectly configured systems the one with the incorrectly configured system has to fix it if i know what i am doing and can verify that my setup is correct and some boss is forcing me to violate RFC's this would be my last day working for whatever company I hope you don't take offence when I say that your messages come across as rather hostile. Unfortunately when dealing with a 3rd party it's not always possible to ensure RFC compliance so on some occasions exceptions have to be made for the sake of getting things working. Perhaps incorrectly configured was the wrong phrase to use. It's not that there is anything inherently wrong with the smtp.enta.net server, rather it wasn't designed to do what I'm asking of it. I'm going to setup reverse DNS for the IP of this connection and send out directly from the clients Exchange server. Thanks for your input. James
RE: Null sender address in NDR's
--snip-- Not in this case, sending NDRs with a non-null envelope sender address is a fundamental violation of the robustness requirements of SMTP. This goes beyond working-around misconfiguration to flagrant violation of a basic design requirement that prevents congestive collapse of the mail system. -- Viktor. I understand the potential consequences (bouncing bounce-backs!). I was hoping someone had a clever fix to work around the issue I was having but it appears my initial thought was correct and I'll need to find an alternative method to send mail. I didn't mean to start an argument about breaking RFC's. Again, thanks for your input, it is greatly appreciated. James
RE: Alert of unusually large queue
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Jan P. Kessler
Sent: 22 October 2012 15:44
To: postfix-users@postfix.org
Subject: Re: Alert of unusually large queue

I'm not sure, if sending an e-mail about a full mailqueue-condition is the best way to go ;-)

depends if you have no bulk-mail on your server it will take not too long to find a good value to adjust the 50 and as example if i have 500 queued messages i like to look if there is something going wrong

What I meant was, that there is a good chance, that you will not receive this notification, because whatever condition causes your mails to stuck in the queue could stop that notification, too ;-) As mentioned by other posters you should set up a real monitoring system, that periodically checks your queue or generates an alert (e.g. snmp trap) on the server which does not rely on the mechanism that you are trying to monitor (here smtp).

cheers, jpk

That's a good point, it might be worthwhile looking into something like a php script that interfaces with an SMS API. I've seen that done in the past.

Kind regards, James Day (IT Engineer)
RE: Alert of unusually large queue
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Kaleb Hosie
Sent: 16 October 2012 13:50
To: postfix-users@postfix.org
Subject: Alert of unusually large queue

We host a mail server which runs Postfix and there has been a few times where one of our clients computers becomes infected with malware and the password is compromised. How this has come to my attention is because every once in a while, I will login to the mail server and see an unusually large mail queue which is all being sent to one domain. Is it possible to monitor the queue automatically and have it send me an alert if the postfix queue reaches over a certain threshold?

Thanks everyone

I use the following to do just that. I'm sure there is a better way but I fudged this together myself

Script 1:

    #!/bin/bash
    # Store the message count (5th field of the last line of mailq output) in a file.
    /usr/bin/mailq | /usr/bin/tail -n1 | /usr/bin/gawk '{print $5}' > /etc/postfix/mailq_count

Script 2:

    #!/bin/bash
    # Read the stored count; the file holds an empty line when the queue is empty, so default to 0.
    mailq_count=$(/bin/cat /etc/postfix/mailq_count)
    if [ "${mailq_count:-0}" -gt 50 ]; then
        echo "Mail count on Server is $mailq_count" | /usr/sbin/sendmail -f r...@example.com repo...@example.com
    fi

These run as cron jobs every few minutes. Hope that helps.

Kind regards, James Day (IT Engineer)
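The monitoring points raised in this thread (alert on queue size, notice a queue dominated by one destination domain, and do not deliver the alert over SMTP), as an added example that is not code from any of the posters. The sample mailq output, the per-domain threshold, the `--live` switch and the function names are constructed for illustration; the threshold of 50 is the one used in the scripts above, and the alert goes to syslog through `logger`.

```shell
#!/bin/sh
# Added example: evaluate `mailq` output and raise the alert through syslog,
# so the alert path does not depend on the SMTP service being monitored.

# Constructed sample of `mailq` output; queue IDs and addresses are made up.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     1204 Tue Oct 16 13:40:01  user@customer.example
(connect to mx.target.example[192.0.2.10]:25: Connection timed out)
                                         a@target.example

B2C3D4E5F6     1198 Tue Oct 16 13:40:02  user@customer.example
(connect to mx.target.example[192.0.2.10]:25: Connection timed out)
                                         b@target.example
                                         c@Target.Example

C3D4E5F6A7      611 Tue Oct 16 13:41:10  other@customer.example
(host mx.elsewhere.example[198.51.100.7] said: 451 try later)
                                         d@elsewhere.example

-- 3 Kbytes in 3 Requests.'

# Total queued messages, taken from the summary line
# ("-- 3 Kbytes in 3 Requests."). "Mail queue is empty" yields 0.
queue_count() {
    awk '/^-- .* Requests?\.$/ { n = $(NF - 1) } END { print n + 0 }'
}

# Busiest recipient domain as "<recipients> <domain>". Recipient lines are the
# indented lines holding a single address; prints nothing for an empty queue.
top_domain() {
    awk '/^[ \t]+[^ \t(]+@[^ \t]+$/ {
             d = tolower($1); sub(/^.*@/, "", d); c[d]++
         }
         END {
             for (d in c) if (c[d] > best) { best = c[d]; dom = d }
             if (best) print best, dom
         }'
}

# evaluate_queue MAX_TOTAL MAX_PER_DOMAIN  (mailq output on stdin)
# Prints one status line starting with OK or ALERT.
evaluate_queue() {
    max_total=$1
    max_domain=$2
    data=$(cat)
    total=$(printf '%s\n' "$data" | queue_count)
    set -- $(printf '%s\n' "$data" | top_domain)
    top_n=${1:-0}
    top_dom=${2:-none}
    if [ "$total" -gt "$max_total" ]; then
        echo "ALERT queue=$total top=$top_dom:$top_n"
    elif [ "$top_n" -gt "$max_domain" ]; then
        echo "ALERT domain=$top_dom count=$top_n queue=$total"
    else
        echo "OK queue=$total"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Real run (e.g. from cron): thresholds are site-specific assumptions.
    result=$(mailq | evaluate_queue 50 20)
    case $result in
        ALERT*) logger -p mail.warning -t mailq-monitor "$result" ;;
    esac
    echo "$result"
else
    # Demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_MAILQ" | evaluate_queue 50 2
fi
```

A monitoring system that watches syslog, or an SNMP or SMS hook in place of `logger`, can pick up the ALERT line without any mail having to leave the server.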
RE: Copying queue to another server need to re-create header
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Jack S
Sent: 29 August 2012 22:42
To: postfix-users@postfix.org
Subject: Copying queue to another server need to re-create header

Hello all, I have a problem that I am trying to resolve in emergency mode. I have a bunch of email in the deferred queue for a domain, their destination server will be down for a while so I need to create a way to get messages to them now. My idea is to on another box create an alias that will forward @domain.com to a pop box somewhere. I got this part setup and it works. Now I copy 1 message from the deferred queue of the server to the deferred queue on the temp server so that it will actually process the message, however I believe the message delivery information is already within the queue file and when I try to run it and the message gets rejected. I also tried to put in the inbound queue but that did the same thing. Any suggestions how to get this to work?

-- Thanks! Joey

Why don't you just change the transport map for the domain to point to the new location and then use postsuper -r ALL to requeue the messages.

If you need the messages to remain in the queue to be delivered to the original server at a later date then use virtual_alias_maps as below:

    u...@example.com u...@example.com, u...@example2.com

Set a transport route for the new domain (example2.com in the above example) and then use postsuper -r ALL to requeue the messages. The originals will get stuck again but the aliased addresses will be delivered to your POP/IMAP/whatever server.

Kind regards, James Day
RE: Postfix Issue
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Marius Lewies Sent: 23 July 2012 14:32 To: Ansgar Wiechers; postfix-users@postfix.org Subject: RE: Postfix Issue Nor did I think I am. This is the first time that I am using this forum. Instead of replying to all I mistakenly replied to yourself. If you are not prepared to assist or help and Yes I know you ALL do it on your own time and free will I will gladly remove myself from the list. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar Wiechers Sent: Monday, July 23, 2012 2:39 PM To: postfix-users@postfix.org Subject: Re: Postfix Issue Please keep this on-list. You're neither family, nor personal friend, nor paying customer, so you're not entitled to personal support. On 2012-07-23 Marius Lewies wrote: Did you postmap all_ad_recipients after adding the recipient address? = Yes did run a ./getadusers and verified that address does exsist. That was not the question. I don't know what the command getadusers does, but I assume that it's a script querying users' mail addresses from AD and writing them to a file. Does the script run the postmap command on the file afterwards? And how did you verify that the address exists. Should I do somtehinge else with postmap what is the meaning? You need to run the command to convert the (plain text) map into the database file that Postfix uses. You can also use the command to check the map for existence of a particular key, e.g.: postmap -q mariu...@vegaspartnerlounge.dk \ hash:/etc/postfix/all_ad_recipients And $relay_domains is a list, not a map, so the line in main.cf should be like this: = This used to work before new address was added. All other domains within the file is relaying. What is the difference between a map and a list? A map is mapping one thing to another thing. Hence the name. f...@example.com x b...@example.com x ... 
For some maps the right-hand value defines the action to be taken (e.g. DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand value merely needs to exist, which will indicate a valid address. A list OTOH is just a list, i.e. a flat file with one item per line. example.com example.org ... relay_domains = /etc/postfix/relay_domains Postconf -n result [...] relay_domains = hash:/etc/postfix/relay_domains Fix that. [...] smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, This is barely safe. The reject_unauth_destination restriction is the one that prevents you from being an open relay. It should be the first rule after those that allow relaying for selected clients (i.e. permit_mynetworks and/or permit_sasl_authenticated). reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_client_access regexp:/etc/postfix/blacklist_clients, RBL lookups are usually more expensive than lookups in local tables, so reject_rbl_client should go after check_client_access. Regards Ansgar Wiechers -- Abstractions save us time working, but they don't save us time learning. --Joel Spolsky -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. No need to get upset. Mistakes do happen, I find myself automatically clicking the reply button instead of reply to all so you're not alone. The people on this list are willing to help you. You just need to help yourself a bit by reading the appropriate documentation. Postfix is possibly the best documented piece of open source software and as such it is frustrating when people come to the list with issues that could be easily resolved by reading it. PS Polite notice: Please don't top post on the list - it makes the conversations much harder to follow. 
Kind regards, James Day
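A check for the two ordering points Ansgar Wiechers makes in the message quoted above (reject_unauth_destination directly after the rules that permit trusted clients, and RBL lookups after local access tables), as an added example that is not code from the thread. The function name and the `--live` switch are assumptions; the sample value is the smtpd_recipient_restrictions line as far as it is quoted in the message.

```shell
#!/bin/sh
# Added example: lint the order of smtpd_recipient_restrictions against the
# advice given in the thread.
#
# Note: on Postfix 2.10 and later the relay policy may instead be set in
# smtpd_relay_restrictions; this check looks only at the list it is given.

# lint_recipient_restrictions "<value of smtpd_recipient_restrictions>"
# Prints one line per finding, or OK when there is none.
lint_recipient_restrictions() {
    printf '%s\n' "$1" | tr ',' ' ' | awk '
    {
        # Keep restriction names only; arguments such as RBL zones or
        # type:table lookups do not start with these prefixes.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(permit|reject|check_|defer)/) name[++n] = $i
    }
    END {
        for (i = 1; i <= n; i++) {
            if (name[i] == "reject_unauth_destination" && !rud) rud = i
            if (name[i] == "reject_rbl_client" && !rbl) rbl = i
            if (name[i] ~ /^check_.*_access$/) { acc = i; accname = name[i] }
        }
        if (!rud) {
            print "ERROR: reject_unauth_destination is missing"
            bad = 1
        } else {
            # Only the rules that permit trusted clients should come first.
            for (i = 1; i < rud; i++)
                if (name[i] != "permit_mynetworks" &&
                    name[i] != "permit_sasl_authenticated") {
                    print "WARN: " name[i] " precedes reject_unauth_destination"
                    bad = 1
                }
        }
        # Remote RBL lookups cost more than local table lookups.
        if (rbl && acc > rbl) {
            print "WARN: reject_rbl_client precedes " accname
            bad = 1
        }
        if (!bad) print "OK"
    }'
}

# The value quoted in the thread.
PAGE_VALUE='permit_mynetworks, reject_non_fqdn_recipient,
 reject_unauth_destination, reject_unauth_pipelining,
 reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
 check_client_access regexp:/etc/postfix/blacklist_clients,'

if [ "${1:-}" = "--live" ]; then
    # Check the running configuration.
    lint_recipient_restrictions "$(postconf -h smtpd_recipient_restrictions)"
else
    lint_recipient_restrictions "$PAGE_VALUE"
fi
```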
RE: Postfix Issue
-Original Message- From: Marius Lewies [mailto:mariu...@verpakt.com] Sent: 23 July 2012 15:03 To: James Day; Ansgar Wiechers; postfix-users@postfix.org Subject: RE: Postfix Issue -Original Message- From: James Day [mailto:james@ontraq.com] Sent: Monday, July 23, 2012 3:45 PM To: Marius Lewies; Ansgar Wiechers; postfix-users@postfix.org Subject: RE: Postfix Issue -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Marius Lewies Sent: 23 July 2012 14:32 To: Ansgar Wiechers; postfix-users@postfix.org Subject: RE: Postfix Issue Nor did I think I am. This is the first time that I am using this forum. Instead of replying to all I mistakenly replied to yourself. If you are not prepared to assist or help and Yes I know you ALL do it on your own time and free will I will gladly remove myself from the list. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ansgar Wiechers Sent: Monday, July 23, 2012 2:39 PM To: postfix-users@postfix.org Subject: Re: Postfix Issue Please keep this on-list. You're neither family, nor personal friend, nor paying customer, so you're not entitled to personal support. On 2012-07-23 Marius Lewies wrote: Did you postmap all_ad_recipients after adding the recipient address? = Yes did run a ./getadusers and verified that address does exsist. That was not the question. I don't know what the command getadusers does, but I assume that it's a script querying users' mail addresses from AD and writing them to a file. Does the script run the postmap command on the file afterwards? And how did you verify that the address exists. Should I do somtehinge else with postmap what is the meaning? You need to run the command to convert the (plain text) map into the database file that Postfix uses. 
You can also use the command to check the map for existence of a particular key, e.g.: postmap -q mariu...@vegaspartnerlounge.dk \ hash:/etc/postfix/all_ad_recipients And $relay_domains is a list, not a map, so the line in main.cf should be like this: = This used to work before new address was added. All other domains within the file is relaying. What is the difference between a map and a list? A map is mapping one thing to another thing. Hence the name. f...@example.com x b...@example.com x ... For some maps the right-hand value defines the action to be taken (e.g. DUNNO, REJECT, OK). For $relay_recipient_maps, however, the right-hand value merely needs to exist, which will indicate a valid address. A list OTOH is just a list, i.e. a flat file with one item per line. example.com example.org ... relay_domains = /etc/postfix/relay_domains Postconf -n result [...] relay_domains = hash:/etc/postfix/relay_domains Fix that. [...] smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, This is barely safe. The reject_unauth_destination restriction is the one that prevents you from being an open relay. It should be the first rule after those that allow relaying for selected clients (i.e. permit_mynetworks and/or permit_sasl_authenticated). reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_client_access regexp:/etc/postfix/blacklist_clients, RBL lookups are usually more expensive than lookups in local tables, so reject_rbl_client should go after check_client_access. Regards Ansgar Wiechers -- Abstractions save us time working, but they don't save us time learning. --Joel Spolsky -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. No need to get upset. 
Mistakes do happen, I find myself automatically clicking the reply button instead of reply to all so you're not alone. The people on this list are willing to help you. You just need to help yourself a bit by reading the appropriate documentation. Postfix is possibly the best documented piece of open source software and as such it is frustrating when people come to the list with issues that could be easily resolved by reading it. PS Polite notice: Please don't top post on the list - it makes the conversations much harder to follow. Kind regards, James Day -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Hi, Thank you for the reply James. Referring to Ansgar reply it seems that relay_domains.db is out of date. Ansgar suggested You need to run
RE: What wrong with my postfix
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Kshitij mali Sent: 29 June 2012 06:22 To: postfix-users@postfix.org Subject: Re: What wrong with my postfix Hi sir, Please delete this thread from the archive of the gmane.org or atleast hide the ipaddress and email address from the logs from the below archive. http://comments.gmane.org/gmane.mail.postfix.user/227441 Regards, Kshitij Mali I'm afraid to say that all you will achieve with your misplaced requests for removal is draw attention to the data that you wish to be removed. Unfortunately the damage is done. If your systems are secure then a few exposed IP addresses really shouldn't trouble you. Kind regards, James Day
RE: Queue ID with amavisd
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix- us...@postfix.org] On Behalf Of Chris Sent: 02 March 2012 16:55 To: postfix-users@postfix.org Subject: Re: Queue ID with amavisd 2012/3/2 /dev/rob0 r...@gmx.co.uk: On Fri, Mar 02, 2012 at 05:32:18PM +0100, Chris wrote: 2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: 2012/3/2 Ralf Hildebrandt ralf.hildebra...@charite.de: * Chris xchris...@googlemail.com: I am using Postfix with amavisd. Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by my.postfix-server.org (Postfix) with ESMTPS no Queue ID Where is the Postfix queue ID? It's logged by the second smtpd, since the first smtpd using smtpd_proxy_filter doesn't issue an queueid Can this be changed? Not without getting rid of smtpd_proxy_filter Can I reject mails without smtpd_proxy_filter? At this point you will do better if you back up and describe the problem you're trying to solve. Where/why do you need the queue ID displayed? For diagnostic reasons. -- Chris You could try implementing amavis using the content_filter parameter (after queue content filter). Instead of smtpd_proxy_filter (before queue content filter) Kind regards, James Day
RE: Transport: Multiple routes to internal domain
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema Sent: 07 February 2012 13:33 To: Greg Wilson Cc: Postfix users Subject: Re: Transport: Multiple routes to internal domain Greg Wilson: One attempt was to make 2 entries with the same host name in /etc/hosts e.g 10.222.100.1 exchange.mydomain.local exchange 10.333.200.2 exchange.mydomain.local exchange Then changed the transport map to mydomain.local smtp:[exchange.mydomain.local] My info is that the square brackets stop Postifix doing mx record lookups. This didn't work and I don't know why. It works fine with an That 's because LINUX does not support multiple /etc/hosts records per name. Use a better OS, use DNS, or use my smtp_fallback_relay solution. Wietse Hi Wietse, When you say a better OS, I'd be interested to know what your preference is. Kind regards, James Day (IT Engineer)
reject unknown helo hostname
Just wanted to get public opinion on this one. reject_unknown_helo_hostname My understanding is that to be RFC compliant your HELO greeting must be a valid hostname (ie there is a public A record). However since implementing this restriction under smtpd_helo_restrictions I have had nothing but complaints from people who think their messages are being unfairly blocked. I know we don't live in a perfect world and not everybody is going to have a correctly configured mail server but I don't think it is unreasonable for me to stick to my guns and reject these messages. Having said that, some people have more influence than others and should they voice any concerns I would be forced to make some changes. With that in mind, what would be the best way to make exceptions? My current line of thought is to use a check_helo_access map to make exceptions on a per server basis, is there a better way? Kind regards, James Day (IT Engineer)
RE: reject unknown helo hostname
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones Sent: 06 February 2012 14:19 To: postfix-users@postfix.org Subject: Re: reject unknown helo hostname On 2/6/2012 7:36 AM, James Day wrote: Just wanted to get public opinion on this one. reject_unknown_helo_hostname I don't use that restriction because there seem to be too many legit hosts that fail, and not enough bad ones that do. Don't forget you can use a restriction with warn_if_reject to get an idea of what it does for a while before you go live with it. Ultimately, anti-spam controls are quite site-specific. Listen to advice, then do what works best for you. -- Noel Jones Rob, Noel, Thanks for your insight, as ever your advice is greatly appreciated. Kind regards, James Day (IT Engineer)
RE: SASL authentication and Windows Live Mail
The only question that remains for me is, what is the difference between PLAIN and LOGIN mechanisms? I understand from http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain text. Unfortunately google searches for login authentication aren't particularly helpful. The way the username and password are encoded and sent on the wire is slightly different. Biggest visible difference is PLAIN sends the username and password together in the same command; LOGIN sends them separately. Some clients only support one of these methods. Broadly speaking, some Microsoft clients only support LOGIN, some third-party clients only support PLAIN. There's no reason to not offer both. -- Noel Jones Thanks Noel, as ever you've provided valuable insight. Your help is very much appreciated. Kind regards, James Day
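The two exchanges described in the reply above, written out side by side as an added example (not code from the thread). The account name and password are constructed sample values; the `334` prompts are the base64 of `Username:` and `Password:`.

```python
import base64


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def plain_exchange(user: str, password: str, authzid: str = ""):
    """AUTH PLAIN (RFC 4616): authzid NUL user NUL password in ONE client message."""
    token = b64(f"{authzid}\0{user}\0{password}".encode("utf-8"))
    return [("C", f"AUTH PLAIN {token}"),
            ("S", "235 2.7.0 Authentication successful")]


def login_exchange(user: str, password: str):
    """AUTH LOGIN: the server prompts twice; user and password travel separately."""
    return [("C", "AUTH LOGIN"),
            ("S", "334 " + b64(b"Username:")),
            ("C", b64(user.encode("utf-8"))),
            ("S", "334 " + b64(b"Password:")),
            ("C", b64(password.encode("utf-8"))),
            ("S", "235 2.7.0 Authentication successful")]


def credentials_on_the_wire(transcript):
    """Recover (user, password) from the client lines of either exchange.

    Base64 is an encoding, not encryption: anything that can read the
    session can do this, which is why both mechanisms count as plain text.
    """
    client = [text for side, text in transcript if side == "C"]
    if client[0].startswith("AUTH PLAIN "):
        raw = base64.b64decode(client[0].split(" ", 2)[2])
        _authzid, user, password = raw.split(b"\0")
        return user.decode("utf-8"), password.decode("utf-8")
    if client[0] == "AUTH LOGIN":
        return (base64.b64decode(client[1]).decode("utf-8"),
                base64.b64decode(client[2]).decode("utf-8"))
    raise ValueError("not a PLAIN or LOGIN exchange")


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    for name, exchange in (("PLAIN", plain_exchange), ("LOGIN", login_exchange)):
        print(f"--- {name}")
        for side, text in exchange("dovecotuser@trusteddomain", "s3cret"):
            print(f"{side}: {text}")
```

Because either transcript decodes back to the credentials, both mechanisms should only be offered over TLS, which is what the `disable_plaintext_auth = yes` setting mentioned elsewhere in this thread enforces on the dovecot side.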
SASL authentication and Windows Live Mail
I'll keep this short for now in case it's a known problem but if more logs are required let me know. I've configured postfix to allow SASL authenticated users (dovecot sasl) to relay. I've tested this and confirmed it works from within Outlook 2007 and 2010. However trying the same account details from Windows Live Mail throws up a: 554 Relay Access denied error message. Is this a known problem with the Windows Live Mail client or do I need to dig deeper? Kind regards, James Day
RE: SASL authentication and Windows Live Mail
Thanks for your input guys. As I suspected I need to dig a bit deeper. Here is the relevant portion of my mail log using Windows Live Mail to send:

[...snip]
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: connect from unknown[IP_REMOVED]
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 user@remotedomain: Relay access denied; from=dovecotuser@trusteddomain to=user@remotedomain proto=ESMTP helo=HOSTNAME
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: disconnect from unknown[IP_REMOVED]
Jan 31 07:27:54 vps03 dovecot: imap-login: Login: user= dovecotuser@trusteddomain , method=PLAIN, rip=IP_REMOVED, lip=IP_REMOVED, TLS
Jan 31 07:27:54 vps03 dovecot: IMAP(dovecotuser@trusteddomain): Disconnected: Logged out bytes=712/6487
[...snip]

It seems to me that authentication isn't attempted until after the attempt to send fails.

...HOLD THE PRESS

I added the LOGIN auth mechanism to my dovecot.conf and reloaded the service, the above was my first attempt to send this message again after doing so (which failed). Something must have taken some time to propagate because as I was typing this message the client connected again and sent successfully. Looks as though you were spot on Noel.

Here is the log snippet for the successful send:

Jan 31 07:35:47 vps03 postfix/smtpd[4049]: connect from unknown[IP_REMOVED]
Jan 31 07:35:47 vps03 postfix/smtpd[4049]: BC1A1152601B2: client=unknown[IP_REMOVED], sasl_method=LOGIN, sasl_username= dovecotuser@trusteddomain
Jan 31 07:35:48 vps03 postfix/cleanup[4052]: BC1A1152601B2: message-id=FDCB00758C7446F28A755733616C9E39@remotedomain
Jan 31 07:35:48 vps03 postfix/qmgr[26598]: BC1A1152601B2: from= dovecotuser@trusteddomain , size=1261, nrcpt=1 (queue active)
Jan 31 07:35:48 vps03 postfix/smtpd[4049]: disconnect from unknown[IP_REMOVED]
Jan 31 07:35:48 vps03 dovecot: imap-login: Login: user=dovecotuser@trusteddomain, method=PLAIN, rip= IP_REMOVED, lip= IP_REMOVED, TLS
Jan 31 07:35:48 vps03 postfix/smtp[4053]: BC1A1152601B2: to=user@remotedomain, relay=remote_mx_address[IP_REMOVED]:25, delay=0.79, delays=0.27/0/0.14/0.37, dsn=2.6.0, status=sent (250 2.6.0 FDCB00758C7446F28A755733616C9E39@remotedomain Queued mail for delivery)
Jan 31 07:35:48 vps03 postfix/qmgr[26598]: BC1A1152601B2: removed

The only question that remains for me is, what is the difference between PLAIN and LOGIN mechanisms? I understand from http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain text. Unfortunately google searches for login authentication aren't particularly helpful. Kind regards, James Day

-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Noel Jones Sent: 31 January 2012 04:22 To: postfix-users@postfix.org Subject: Re: SASL authentication and Windows Live Mail

On 1/30/2012 9:32 PM, Jim Seymour wrote: On Tue, 31 Jan 2012 00:30:33 + James Day james@ontraq.com wrote: [snip] ... trying the same account details from Windows Live Mail throws up a: 554 Relay Access denied error message. [snip]

IIRC, Relay access denied is a symptom of a non-SSL attempted connection/login when disable_plaintext_auth = yes in dovecot.conf.

The error message means the mail was rejected by reject_unauth_destination, and that means the client didn't authenticate (or tried and failed). If AUTH was tried and failed, it will be noted in the postfix and dovecot logs. If no failures are logged, AUTH wasn't attempted. This may or may not have anything to do with SSL/TLS. Another good guess is that dovecot needs to offer LOGIN and/or PLAIN mechanisms. But we're just guessing here. We need more details of the connection and configuration to give more concrete advice. http://www.postfix.org/DEBUG_README.html#mail -- Noel Jones
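The log reasoning in the message above (authenticated, AUTH tried and failed, or AUTH never attempted) can be applied mechanically per smtpd session. This is an added example, not code from the thread: the first two sessions reuse log lines quoted in the message, and the third (pid 4100, a failed AUTH) is constructed in the usual Postfix warning format.

```python
import re

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SASL_OK = re.compile(r"sasl_method=(\w+)")
SASL_FAIL = re.compile(r"SASL (\S+) authentication failed")

SAMPLE_LOG = """\
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: connect from unknown[IP_REMOVED]
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 user@remotedomain: Relay access denied; from=dovecotuser@trusteddomain to=user@remotedomain proto=ESMTP helo=HOSTNAME
Jan 31 07:27:51 vps03 postfix/smtpd[3923]: disconnect from unknown[IP_REMOVED]
Jan 31 07:27:54 vps03 dovecot: imap-login: Login: user= dovecotuser@trusteddomain , method=PLAIN, rip=IP_REMOVED, lip=IP_REMOVED, TLS
Jan 31 07:35:47 vps03 postfix/smtpd[4049]: connect from unknown[IP_REMOVED]
Jan 31 07:35:47 vps03 postfix/smtpd[4049]: BC1A1152601B2: client=unknown[IP_REMOVED], sasl_method=LOGIN, sasl_username= dovecotuser@trusteddomain
Jan 31 07:35:48 vps03 postfix/smtpd[4049]: disconnect from unknown[IP_REMOVED]
Jan 31 07:40:02 vps03 postfix/smtpd[4100]: connect from unknown[IP_REMOVED]
Jan 31 07:40:02 vps03 postfix/smtpd[4100]: warning: unknown[IP_REMOVED]: SASL PLAIN authentication failed:
Jan 31 07:40:03 vps03 postfix/smtpd[4100]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 user@remotedomain: Relay access denied; from=dovecotuser@trusteddomain to=user@remotedomain proto=ESMTP helo=HOSTNAME
Jan 31 07:40:03 vps03 postfix/smtpd[4100]: disconnect from unknown[IP_REMOVED]
""".splitlines()


def verdict(session):
    if session["ok"]:
        return f"authenticated via {session['ok']}"
    if session["failed"]:
        return f"AUTH {session['failed']} tried and failed"
    if session["denied"]:
        return "relay denied, AUTH never attempted"
    return "no relay attempt"


def triage(lines):
    """Return one (pid, verdict) per finished smtpd session, in log order.

    An smtpd process serves one client at a time, so the pid identifies
    the session between its 'connect from' and 'disconnect from' lines.
    """
    open_sessions, results = {}, []
    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue  # dovecot, qmgr, cleanup: not part of the SMTP dialogue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            open_sessions[pid] = {"ok": None, "failed": None, "denied": False}
            continue
        session = open_sessions.get(pid)
        if session is None:
            continue  # log starts mid-session
        if (ok := SASL_OK.search(msg)):
            session["ok"] = ok[1]
        elif (bad := SASL_FAIL.search(msg)):
            session["failed"] = bad[1]
        elif "Relay access denied" in msg:
            session["denied"] = True
        elif msg.startswith("disconnect from "):
            results.append((pid, verdict(open_sessions.pop(pid))))
    return results


if __name__ == "__main__":
    for pid, result in triage(SAMPLE_LOG):
        print(pid, result)
```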
RE: Disable sending mails via telnet
Just an idea, feel free to correct me. Is there some way within Postfix to implement a timeout on the SMTP conversation? Obviously a user typing HELO, MAIL FROM, RCPT TO etc will be a lot slower than a conversation between two computers. Of course this could break something else, like I said, just an idea. Kind Regards, James Day (IT Engineer) Ontraq Limited Tel: 01245 265100 Fax: 01245 265700 Web: www.ontraq.com

-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Leslie León Sinclair Sent: 11 January 2012 13:49 To: postfix-users@postfix.org Subject: Re: Disable sending mails via telnet

First: I apologize below for my behavior yesterday.

My issue: I have a postfix[Debian] server, and it´s working nice, but I need to block people from sending mails via telnet[telnet mydomain.com 25], everything is working nice and shiny, error/warning logs are empty, dovecot logging normal, no error so far, but still the issue.

Now: I will do a VM with the same config and will test, on other machine, to see some changes in SASL and stuff related and later I post my results with main.cf included. Until then, please do not reply to my mails, I´ll be out for a while... Best regards...

Sorry my mistake, I´m punishing myself right now, by the way I asked here in the list, but I was tired dealing with this problem. Reading yesterday´s mail now... I feel like a barbarian... It´s not gonna happen again, or at least, I will try. Good day to all...
RE: Possibility to store all incoming mail (pre-content_filter)
It should be delivered via the local transport, just set -o content_filter= under local in master.cf to override. Kind Regards, James Day (IT Engineer) Ontraq Limited Tel: 01245 265100 Fax: 01245 265700 Web: www.ontraq.com

-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Michael Weissenbacher Sent: 15 December 2011 16:58 To: postfix-users@postfix.org Subject: Re: Possibility to store all incoming mail (pre-content_filter)

Mark Goodge wrote: On 15/12/2011 16:24, Michael Weissenbacher wrote: Hi! You can do this with recipient_bcc_maps

Well, as far as i know this just adds a bcc address to the message and as a result the mail would still pass through amavis and through the smarthost before leaving the system, thus it would get altered (and destroyed if i hit the bug).

Set up a user on the local system, and bcc to that. That way it won't go out through the smarthost.

Hm, but this still won't bypass amavis which i call with content_filter = smtp-amavis:[127.0.0.1]:10024 If i understand http://www.postfix.org/FILTER_README.html correctly. Maybe i can put a custom filter which logs all mail BEFORE the amavis filter? tia, Michael
RE: virtual_alias_maps / mysql problem
First make sure that the domain you are sending to is set as a virtual mailbox domain. It sounds like you've already set the virtual transport to dovecot which is right. If you think mysql is the issue try making a virtual alias maps hash file. ***Sent via RoadSync® for Android™

-Original Message- From: lupin...@gmx.net Sent: Dec 11, 2011 1:21 PM To: postfix-users@postfix.org Subject: virtual_alias_maps / mysql problem

Hello! i´m not quite sure if the problem is directly the virtual_alias_maps or something it interacts with, so to say. in main.cf i set

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
unverified_recipient_reject_code = 550
unknown_local_recipient_reject_code = 550

and in mysql-virtual.cf

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mailcheck
password = secretpassword
dbname = mails
table = virtual
select_field = dest
where_field = alias

now, if i try to send to an address on the server that does not exist, it should refuse, right? unfortunately it, postfix just hands it over to dovecot, as if everything was fine =( I´m currently not completely sure, if the problem lies with the postfix-configuration or with the mysql-query (e.g. if it always returns ok, even if the entry wasn´t found). But I´m currently not sure, how to test this. When i directly make the query in sql, it works fine (aka, it returns an empty result, if the mailaddress is not equal to one of the aliases). i also tried to change the mysql-virtual.cf so that it uses a query (query = SELECT dest FROM virtual WHERE alias = %s;), but the behavior did not change. mind you, when there´s an error in this file, i can´t send any mails, so it seems to be used in some way or other. -_-; any hints would be appreciated =) best regards sil

-- -- Do you know what happens to a toad struck by lightning..? The same thing that happens to anything else...
Re: virtual_alias_maps / mysql problem
Well a hash file would be the simplest thing to ensure that postfix is configured properly. I would have thought that all the information you need to see what is going on would be in the mail log and the mysql log. ***Sent via RoadSync® for Android™

-Original Message- From: lupin...@gmx.net Sent: Dec 11, 2011 2:19 PM To: postfix-users@postfix.org Subject: Re: RE: virtual_alias_maps / mysql problem

thank you for your reply. virtual_mailbox_domains is set, as is virtual_transport. do you mean using a hash-file to test it or for permanent use? there are some 500 mail-users on the server, who change relatively often and who have each a number of aliases..i´d rather avoid using a hash file, especially because the mysql-query is supposed to work =) is there some handy way of testing, what postfix receives from this mysql-check? best regards sil

Original Message Date: Sun, 11 Dec 2011 14:04:15 + From: James Day james@ontraq.com To: lupin...@gmx.net lupin...@gmx.net, postfix-users@postfix.org postfix-users@postfix.org Subject: RE: virtual_alias_maps / mysql problem

First make sure that the domain you are sending to is set as a virtual mailbox domain. It sounds like you've already set the virtual transport to dovecot which is right. If you think mysql is the issue try making a virtual alias maps hash file. ***Sent via RoadSync® for Android™

-Original Message- From: lupin...@gmx.net Sent: Dec 11, 2011 1:21 PM To: postfix-users@postfix.org Subject: virtual_alias_maps / mysql problem

Hello! i´m not quite sure if the problem is directly the virtual_alias_maps or something it interacts with, so to say. in main.cf i set

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
unverified_recipient_reject_code = 550
unknown_local_recipient_reject_code = 550

and in mysql-virtual.cf

# the user name and password to log into the mysql server
hosts = 127.0.0.1
user = mailcheck
password = secretpassword
dbname = mails
table = virtual
select_field = dest
where_field = alias

now, if i try to send to an address on the server that does not exist, it should refuse, right? unfortunately it, postfix just hands it over to dovecot, as if everything was fine =( I´m currently not completely sure, if the problem lies with the postfix-configuration or with the mysql-query (e.g. if it always returns ok, even if the entry wasn´t found). But I´m currently not sure, how to test this. When i directly make the query in sql, it works fine (aka, it returns an empty result, if the mailaddress is not equal to one of the aliases). i also tried to change the mysql-virtual.cf so that it uses a query (query = SELECT dest FROM virtual WHERE alias = %s;), but the behavior did not change. mind you, when there´s an error in this file, i can´t send any mails, so it seems to be used in some way or other. -_-; any hints would be appreciated =) best regards sil

-- -- Do you know what happens to a toad struck by lightning..? The same thing that happens to anything else...
RE: virtual_alias_maps / mysql problem
I think you need to be using virtual_mailbox_maps to create a list of valid recipients. Also I can see that dovecot has also accepted the message so you must have configured something like allow_all_users=yes.

From: owner-postfix-us...@postfix.org [owner-postfix-us...@postfix.org] On Behalf Of lupin...@gmx.net [lupin...@gmx.net] Sent: Sunday, December 11, 2011 4:31 PM To: postfix-users@postfix.org Subject: Re: virtual_alias_maps / mysql problem

thank you for the hint! i activated the query-log and the query is executed ok. i also checked it via

postmap -q hutzenp...@domain.de mysql:/etc/postfix/mysql-virtual.cf

(which correctly did not return anything) and

postmap -q correctu...@domain.de mysql:/etc/postfix/mysql-virtual.cf

which did return the correct entry, e.g. user169 so it seems mysql is not at fault. also, when i tested it with a hash-file, it sent successfully to an address that was not listed in said file. unfortunately, now i guess i´ll have to check any and all other config parameters that have anything to do with virtual delivery ^_^; here goes the postconf -n:

broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = 192.168.12.7 127.0.0.1
mailbox_size_limit = 0
message_size_limit = 2048
mydestination = localhost
mydomain = domain.de
myhostname = mail.domain.de
mynetworks = 192.168.12.0/24 127.0.0.0/8
myorigin = $mydomain
relayhost =
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.domain.de
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/certs/cert.pem
smtpd_tls_cert_file = /etc/certs/cert.pem
smtpd_tls_key_file = /etc/certs/key.pem
smtpd_tls_received_header = no
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_mailbox_domains = domain.de
virtual_transport = dovecot

transport_maps reads thus:

domain.de :
.domain.de :
* smtp:192.168.12.8

(this is the external firewall-postfix-server) the mail.log reads thus:

Dec 11 17:05:05 mehl postfix/smtpd[16897]: connect from unknown[192.168.12.1]
Dec 11 17:05:05 mehl postfix/smtpd[16897]: DD60514A03F3: client=unknown[192.168.12.1], sasl_method=PLAIN, sasl_username=user169
Dec 11 17:05:05 mehl postfix/cleanup[16901]: DD60514A03F3: message-id=4ee4d4b2.2020...@domain.de
Dec 11 17:05:06 mehl postfix/qmgr[16586]: DD60514A03F3: from=s@domain.de, size=858, nrcpt=1 (queue active)
Dec 11 17:05:06 mehl postfix/smtpd[16897]: disconnect from unknown[192.168.12.1]
Dec 11 17:05:06 mehl postfix/pipe[16902]: DD60514A03F3: to=grmbl...@domain.de, relay=dovecot, delay=0.32, delays=0.18/0/0/0.14, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 11 17:05:06 mehl postfix/qmgr[16586]: DD60514A03F3: removed

the address grmblash does not really exist ;-), when i send to an existing address, the only difference is that postfix/pipe has the correct target as to, e.g. user...@dmain.de thank you all for your hints, i hope this helps shed some light on the problem. =) best regards sil

Original Message Date: Sun, 11 Dec 2011 15:26:40 +0100 From: Reindl Harald h.rei...@thelounge.net To: postfix-users@postfix.org Subject: Re: virtual_alias_maps / mysql problem

On 11.12.2011 15:18, lupin...@gmx.net wrote: thank you for your reply. virtual_mailbox_domains is set, as is virtual_transport. do you mean using a hash-file to test it or for permanent use? there are some 500 mail-users on the server, who change relatively often and who have each a number of aliases..i´d rather avoid using a hash file, especially because the mysql-query is supposed to work =) is there some handy way of testing, what postfix receives from this mysql-check?

what about activate querylog in mysqld to look what really happens and cp interesting queries into a mysql-shell to look at the results?

-- -- Do you know what happens to a toad struck by lightning..? The same thing that happens to anything else...
Virtual Aliasing for any user
Hello, First post to the list, I would really appreciate any help/advice. In my current setup I act as a Spam and Virus filter for several domains. Mail is then relayed to their local Exchange servers once it has been scanned. In the event that their Exchange server is down and they require emergency access to their emails I have configured virtual_alias_maps as below: user@domain user@domain,user@otherdomain This way the original mail is still cached in the queue for delivery to Exchange and a copy is sent to the same user at anotherdomain (an IMAP/Webmail server). My question is: Rather than setting up each user and their alias individually can I use a wildcard to accept for anyuser and forward to the same username on the other domain. Rather than use virtual_alias_maps: @domain catchall@otherdomain I would like virtual_alias_maps: %anything%@domain %anything%@otherdomain I hope I have explained that clearly enough . I did attempt to configure virtual_alias_maps like this: @domain @otherdomain But this tries to literally forward to @otherdomain (as an address without the user portion). Thanks in advance. James
Re: Virtual Aliasing for any user
Thanks Noel. I'm forwarding the aliased mail to catch all Pop3 boxes to prevent back scatter. I don't have a valid recipient list for all these domains hence the request for a wild card type solution. I gather this function isn't built in so maybe, as you suggest, a script is the way to go. ***Sent via RoadSync® for Android™ -Original Message- From: Noel Jones Sent: Dec 08, 2011 7:56 PM To: James Day, postfix-users@postfix.org Subject: Re: Virtual Aliasing for any user On 12/8/2011 6:45 AM, James Day wrote: Hello, First post to the list, I would really appreciate any help/advice. In my current setup I act as a Spam and Virus filter for several domains. Mail is then relayed to their local Exchange servers once it has been scanned. In the event that their Exchange server is down and they require emergency access to their emails I have configured virtual_alias_maps as below: user@domain user@domain,user@otherdomain This way the original mail is still cached in the queue for delivery to Exchange and a copy is sent to the same user at anotherdomain (an IMAP/Webmail server). Yes, that's the correct procedure. My question is: Rather than setting up each user and their alias individually can I use a wildcard to accept for anyuser and forward to the same username on the other domain. Using wildcards will cause postfix to accept mail for undeliverable recipients, so that's not a good solution. Use a script to generate the mappings you need. The size of the resulting file is not a concern, hash maps can handle millions of entries efficiently. -- Noel Jones
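One way to script the mappings suggested in the reply above, as an added example rather than code from the thread. It assumes a list of valid recipients can be exported from the Exchange side (the thread notes that no such list was on hand); `example.com`, `backup.example.net` and the addresses are constructed placeholders.

```python
import re

# Conservative unquoted local part; quoted local parts are skipped, not guessed.
LOCAL_PART = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+$")


def build_virtual_alias_map(recipients, primary_domain, backup_domain):
    """Turn a list of valid recipients into virtual_alias_maps lines of the
    form used in the thread:  user@domain  user@domain,user@otherdomain

    Returns (lines, skipped). Domain-wide keys such as '@domain' are refused,
    because a wildcard makes Postfix accept mail for undeliverable recipients.
    """
    primary = primary_domain.lower()
    entries, skipped = {}, []
    for raw in recipients:
        addr = raw.strip().lower()  # lower-cased to match how hash maps are queried
        if not addr or addr.startswith("#"):
            continue  # blank line or comment in the export
        local, sep, domain = addr.rpartition("@")
        if not sep:
            reason = "not an address"
        elif not local:
            reason = "wildcard key, would accept undeliverable recipients"
        elif not LOCAL_PART.match(local):
            reason = "unsupported local part"
        elif domain != primary:
            reason = "outside " + primary
        else:
            # Keep the original recipient AND add the copy on the backup domain.
            entries[addr] = f"{addr},{local}@{backup_domain}"
            continue
        skipped.append((raw.strip(), reason))
    lines = [f"{key}\t{value}" for key, value in sorted(entries.items())]
    return lines, skipped


if __name__ == "__main__":
    # Constructed sample export, including entries that must be rejected.
    export = ["Alice@Example.com", "bob@example.com", "bob@example.com ",
              "@example.com", "carol@other.example", "# comment", "no-at-sign"]
    lines, skipped = build_virtual_alias_map(export, "example.com",
                                             "backup.example.net")
    print("\n".join(lines))
    for addr, reason in skipped:
        print(f"# skipped {addr!r}: {reason}")
```

The output is written to the file named in `virtual_alias_maps` and indexed with `postmap` before Postfix can use it as a hash map.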