Re: Best way to clean, moderate a small ( email only ) domain
You have conflicting requirements; I would just accept the occasional unwanted mail on the mailing list and police subscriptions.

On 9 Mar 2022 13:17, daniel Azuelos wrote:
> Hello,
> I am the admin of a small DNS domain on which I run a Postfix server + Amavis + SpamAssassin. This domain is an SMTP only domain ( everything else is off and filtered ). I don't want x@my_domain to receive or send any kind of SPAM, insults, weapons...
> There are 20 addresses within this domain among which 3 mailing lists. A few of these users are injecting unacceptable off-topic email from time to time. But they aren't rogue enough to be blacklisted forever, and education is a known lost battle.
> The max traffic is about one hundred emails / day.
> What is the best way to clean, moderate the whole domain ( mailing lists but also all the traffic between all these emails )?
> - postfix with some configuration work?
> - an anti-spam with some configuration work?
> - a mailing-list server?
> I would appreciate retex ( success and fails ) on the same kind of problem.
> --
> « The only thing necessary for the triumph of evil is for good men to do nothing. » Edmund Burke
> daniel Azuelos
Re: AW: Fun and profit with mailq
A cleaner solution for queueing messages is putting them on a disabled smtp service, but the OP meant how to HOLD them. Look at the ACCESS readme for examples.

On 16 Feb 2022 13:43, Joachim Lindenberg wrote:
> Don't know what exactly you are trying to do, but to monitor the queue, I use postqueue -j (for json). Forcing some messages to remain in the queue is easy: just define a transport policy like dane-only for a destination that does not support dane.
> -- Joachim
>
> -Original Message-
> From: owner-postfix-us...@postfix.org On Behalf Of @lbutlr
> Sent: Wednesday, 16 February 2022 13:36
> To: postfix-users@postfix.org
> Subject: Re: Fun and profit with mailq
>
> On 2022 Feb 16, at 05:06, @lbutlr wrote:
> > What I would like to do is to execute a command that only returns output if there are messages on hold
>
> On a related question, is there a way to tell postfix "put all outbound mail into the hold queue" so I can test some of this? I know postsuper -h ALL will put all messages currently in the queue on hold for a few minutes?
> queue_run_delay looked promising, but it only applies once a message is already in the queue.
> It'd be great if I could just hold every message and then let it clear on the queue_run_delay=60 interval for testing. No one is even going to notice 1 minute in the queue.
> --
> "Last night - you were unhinged. You were like some desperate, howling demon. You frightened me. - Do it again!"
Re: multiple server site postfix/dns configuration
On 2/26/2014 10:35 AM, Matteo Cazzador wrote:
> Hi, i've configured my postfix to manage different locations (servers) with the same domain.
> I've configured 4 postfix mx records, one for every site (location/server).
> My configuration is like this:
>
> example.com in virtual_alias_domains
> $myhostname in mydestination or virtual_mailbox_domains
>
> /etc/postfix/virtual:
> w...@example.com w...@mail.site1.example.com
> d...@example.com d...@mail.site1.example.com
> q...@example.com q...@mail.site3.example.com
> r...@example.com r...@mail.site2.example.com
> etc
>
> Dig interrogation:
> example.com. 21599 IN MX 30 mail.site1.example.com.
> example.com. 21599 IN MX 40 mail.site2.example.com.
> example.com. 21599 IN MX 50 mail.site3.example.com.
> example.com. 21599 IN MX 10 mail.example.com.
>
> Every mail server knows the users of every site and eventually redirects mail to the right site.
> I've a problem. If the ADSL of mail.site1.example.com goes down, i've a backup adsl on site 1 (with a different external IP obviously); how can i manage two adsl ips for the same mail.site1.example.com ? is it possible?

Yes, you can set up more than one A record for mail.site1.example.com.
However, since DNS is fundamentally random in nature, this does not guarantee that the backup link is used as such; on average, both will be used equally.

> Can i define one other MX record to prevent adsl break? How?
> is it possible to define
> example.com. 60 mail.site1.example.com
> that points to another external adsl ip address?

This too is possible, but again, will probably not have the effect you are after. Backup (=lower-priority) MX records tend to act as spam magnets, thus actually /increasing/ the traffic to those hosts. It hasn't been advisable to use backup MXes for a long time now.

> Can i act using only dns without managing the postfix configuration?

Not trivially; something like an actual IP load balancer would be best for that, as it can weigh the IPs differently. Of course, this also does not apply in the case of separate public IPs.

-- J.
RE: Puzzled with smtp_bind_address
smtp_bind_address behaves as documented; where did you define it?
This should normally go on a specific smtp service in master.cf, to override that particular transport.

-Original Message-
From: fr...@3dn.nl
Sent: 20-1-2014 12:34
To: postfix-us...@cloud9.net
Subject: Puzzled with smtp_bind_address

Hi,
I'm trying to have postfix use smtp_bind_address with the address set to multiple IP aliases (eg. eth1:0, eth1:1 etc.). As the default gateway is on eth0 and IP packets get routed based on their destination, it still seems that despite the smtp_bind_address setting, packets get directed out of eth0.
What's the proper solution to this?
Regards,
Fred Leeflang
Re: Only deliver mail from authorized users, forward others
On 12/28/2013 10:20 AM, post...@pupat-ghestem.net wrote:
> On 12/28/2013 1:46 AM, Jeroen Geilman wrote:
> > On 12/27/2013 01:13 PM, post...@pupat-ghestem.net wrote:
> > > Hello,
> > > I am trying to set up an email address where only mails from authorized users (defined in a list) would come in and other emails would be forwarded to another address.
> >
> > To a single address? Local or remote ?
> > Are you only testing the sender address in this ? If so, why are you accepting unauthorized senders at all?
> > Is the recipient irrelevant, i.e. you want a wildcard accept policy ?
>
> Just as in moparisthebest's message this is to filter email coming to my kid's email. This is a single address. Let's call it b...@mydomain.com. Any mail from authorized senders (family, friends, ...) goes to bill's mailbox. Any other mail goes to another mailbox (bob).
> I would indeed be testing the sender's email only for emails going to that particular recipient (b...@mydomain.com)
>
> > Note that the last option is a definite no-no as far as I am concerned; you want to verify the recipient before you check for authorized senders.
> >
> > > I was thinking of doing this with a combination of postfix and procmail: having postfix deliver all incoming email, then procmail forward and delete email not coming from authorized users.
> > > Before implementing it I was wondering if there is a postfix-only solution to this.
> >
> > You could use sender_dependent_default_transport_maps: map the authorized senders to DUNNO (thus using whatever it was going to use before) and everything else to a custom transport that sends it wherever you want.
> > http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
> >
> > -- J.

Ah, I entirely missed the part where this was for a single recipient address.
In such a use case sieve would probably be the easiest solution. Also very easy to maintain through any managesieve-capable interface.

-- J.
Re: Only deliver mail from authorized users, forward others
On 12/27/2013 01:13 PM, post...@pupat-ghestem.net wrote:
> Hello,
> I am trying to set up an email address where only mails from authorized users (defined in a list) would come in and other emails would be forwarded to another address.

To a single address? Local or remote ?
Are you only testing the sender address in this ? If so, why are you accepting unauthorized senders at all?
Is the recipient irrelevant, i.e. you want a wildcard accept policy ?
Note that the last option is a definite no-no as far as I am concerned; you want to verify the recipient before you check for authorized senders.

> I was thinking of doing this with a combination of postfix and procmail: having postfix deliver all incoming email, then procmail forward and delete email not coming from authorized users.
> Before implementing it I was wondering if there is a postfix-only solution to this.

You could use sender_dependent_default_transport_maps: map the authorized senders to DUNNO (thus using whatever it was going to use before) and everything else to a custom transport that sends it wherever you want.
http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

-- J.
Re: reject_unknown_client
On 12/06/2013 08:19 AM, Andreas Kasenides wrote:
> Thank you for the reply.
>
> On 05-12-2013 15:26, Charles Marcus wrote:
> > On 2013-12-05 7:50 AM, Andreas Kasenides andr...@cymail.eu wrote:
> > > smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_client permit
> > >
> > > Obviously this rejects any requests where the DNS (forward or reverse) fails. I am under increasing pressure to change this apparently because other email admins have their mail servers misconfigured resulting in lost emails. I believe this is in violation of RFC 5321 but correct me if I am wrong.
> >
> > Do not use reject_unknown_client_hostname (I presume this is what you meant)...
>
> The config is exactly as above and the system is 2.3 when some params had a slightly different name.

Current postfix versions all support reject_unknown_reverse_client_hostname.
Please upgrade to something that's not abandoned.

-- J.
Re: Does piping to a script require injection of mail after process
On 12/04/2013 04:22 PM, Merve Temizer wrote:
> Thanks for the response. It is b) .

That's what always_bcc is for.
The process behind the bcc address can trivially retrieve the original recipient - heck, postfix can even extract it for you with pipe(8).
Don't mess with the original mail flow any more than you have to.

-- J.
Re: Postfix Repos
On 11/13/2013 06:16 PM, Steffan A. Cline wrote:
> I asked this under a thread but am asking again in its own thread to see if I get better visibility.
> Does anyone know of any good bleeding edge postfix repos? I am using whatever the CentOS distros come with and it appears to be an older version.

postconf mail_version

> I'd like to look into some of the newer features available like postscreen in place of postgrey.

Postscreen was introduced in version 2.8, which is now 3 years old.
If your distro doesn't offer this through updates or backports, it will be hard to keep anything up to date.
Then again, building postfix from source isn't exactly rocket science. Most building problems stem from TLS/SSL and the plugin databases supported such as mysql, sqlite, ldap, pgsql, etc. You could always try to build without the latter ones first, to learn how.

-- J.
Re: postfix 2.9.x and smtpd_recipient_restrictions in the main.cf and master.cf
On 11/12/2013 07:55 AM, Josef Karliak wrote:
> Good morning,
> I've a firewall with 3 network cards - WAN, LAN and DMZ. I want to have different smtpd_recipient_restrictions on the WAN card, so I've set it in the master.cf
>
> 193.11.123.9:smtp inet n - n - - smtpd
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_recipient_access hash:/etc/postfix/alias_list,check_policy_service inet:127.0.0.1:10040,check_recipient_access hash:/etc/postfix/postmaster,check_policy_service unix:private/spf,permit_mx_backup,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,check_sender_access hash:/etc/postfix/dsn_exceptions,permit
>
> But postfix complains about everything after check_recipient_access hash:/etc/postfix/alias_list. Maybe it does not like the space char.
> So there is a question - how do you solve it on your postfix ?
> And why do I want it ? I want to accept only existing recipients from the internet; the alias list contains:
> alias1@ OK
> alias2@ OK
> ...

A trivial solution - and one suited to more intricate collections of -o options in master.cf - is to pre-define the options in main.cf, thus:

lan_restrictions =
    permit_mynetworks,
    reject

wan_restrictions =
    permit_sasl_authenticated
    permit_mynetworks                 #this makes no sense
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/alias_list
    check_policy_service inet:127.0.0.1:10040
    check_recipient_access hash:/etc/postfix/postmaster   #postmaster is hardcoded, and cannot be rejected, as per the RFCs; there is no need to explicitly allow it.
    check_policy_service unix:private/spf
    permit_mx_backup
    reject_non_fqdn_sender            # why would these restrictions be omitted from user submission ?
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain   # same here; it's just as useless to have to bounce these later.
    check_sender_access hash:/etc/postfix/dsn_exceptions
    permit

And then refer to them in master.cf, thus:

10.11.12.13:smtp inet n - n - - smtpd
    -o smtpd_recipient_restrictions=$lan_restrictions
193.11.123.9:smtp inet n - n - - smtpd
    -o smtpd_recipient_restrictions=$wan_restrictions

Your restrictions could use some work in general, and dealing with different LAN and WAN requirements is easily done on a single smtpd(8) instance, but this is what you asked for.

-- J.
Re: transport_maps lookup ordering
On 11/9/2013 2:13 PM, Simon Effenberg wrote:
> On Sat, 9 Nov 2013 07:54:30 -0500 (EST) wie...@porcupine.org (Wietse Venema) wrote:
> > transport_maps can use hash tables AND tcp tables.
> > transport_maps queries each table in the specified order, and stops when a result is found. When no result is found, Postfix uses default_transport.
> >
> > Wietse
>
> I got this, but so it's impossible to do something like that:
>
> main.cf:
> transport_maps = hash:/etc/postfix/transport, tcp:[127.0.0.1]:2527
>
> transport:
> @domain1.tld smtp:[internal.relay]
> @domain2.tld smtp:[external.relay]
>
> master.cf:
> 127.0.0.1:2527 inet n n n - 0 spawn user=nobody argv=/etc/postfix/random.rb
>
> random.rb:
> #!/usr/bin/env ruby
> # tcp_table(5) server: answer every "get key" request with a random transport.
> $stdout.sync = true                       # replies must not sit in a buffer
> TRANSPORTS = [ 'smtp1:', 'smtp2:', 'smtp3:' ]
> while line = STDIN.gets                   # nil at EOF, unlike readline
>   puts "200 #{TRANSPORTS[rand(TRANSPORTS.size)]}"
> end
>
> If I try to send a mail to x...@domain1.tld this won't use smtp:[internal.relay] but one of 'smtp1:', 'smtp2:' or 'smtp3:'

No. x...@domain1.tld matches the first line in /etc/postfix/transport.
You seem terminally confused about how maps are used.
Each map type has specific documentation on how it is queried, but no map determines WHEN it is queried. You define that in transport_maps.

-- J.
Re: transport_maps lookup ordering
On 11/09/2013 02:33 PM, Simon Effenberg wrote:
> On Sat, 09 Nov 2013 14:21:51 +0100 Jeroen Geilman jer...@adaptr.nl wrote:
> > On 11/9/2013 2:13 PM, Simon Effenberg wrote:
> > > On Sat, 9 Nov 2013 07:54:30 -0500 (EST) wie...@porcupine.org (Wietse Venema) wrote:
> > > > transport_maps can use hash tables AND tcp tables.
> > > > transport_maps queries each table in the specified order, and stops when a result is found. When no result is found, Postfix uses default_transport.
> > > >
> > > > Wietse
> > >
> > > I got this, but so it's impossible to do something like that:
> > >
> > > main.cf:
> > > transport_maps = hash:/etc/postfix/transport, tcp:[127.0.0.1]:2527
> > >
> > > transport:
> > > @domain1.tld smtp:[internal.relay]
> > > @domain2.tld smtp:[external.relay]
> > >
> > > master.cf:
> > > 127.0.0.1:2527 inet n n n - 0 spawn user=nobody argv=/etc/postfix/random.rb
> > >
> > > random.rb:
> > > #!/usr/bin/env ruby
> > > # tcp_table(5) server: answer every "get key" request with a random transport.
> > > $stdout.sync = true                       # replies must not sit in a buffer
> > > TRANSPORTS = [ 'smtp1:', 'smtp2:', 'smtp3:' ]
> > > while line = STDIN.gets                   # nil at EOF, unlike readline
> > >   puts "200 #{TRANSPORTS[rand(TRANSPORTS.size)]}"
> > > end
> > >
> > > If I try to send a mail to x...@domain1.tld this won't use smtp:[internal.relay] but one of 'smtp1:', 'smtp2:' or 'smtp3:'
> >
> > No. x...@domain1.tld matches the first line in /etc/postfix/transport.
> > You seem terminally confused about how maps are used.
> > Each map type has specific documentation on how it is queried, but no map determines WHEN it is queried. You define that in transport_maps.
>
> That's not how it works in my 2.9 postfix version..
> trivial-rewrite is doing the following (according to -vv logs):
> 1. search for x...@domain1.tld
>    1. in transport, which has NO match
>    2. asking the tcp_table, which HAS a match

This is incorrect. As documented:

TABLE SEARCH ORDER
    With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below:

    user+extension@domain transport:nexthop
        Deliver mail for user+extension@domain through transport to nexthop.

    user@domain transport:nexthop
        Deliver mail for user@domain through transport to nexthop.

    domain transport:nexthop
        Deliver mail for domain through transport to nexthop.

    .domain transport:nexthop
        Deliver mail for any subdomain of domain through transport to nexthop. This applies only when the string transport_maps (http://www.postfix.org/postconf.5.html#transport_maps) is not listed in the parent_domain_matches_subdomains (http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains) configuration setting. Otherwise, a domain name matches itself and its subdomains.

    * transport:nexthop
        The special pattern * represents any address (i.e. it functions as the wild-card pattern, and is unique to Postfix transport tables).

@domain.tld will never match anything in transport(5).
Your transport map is incorrectly formed.

-- J.
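The lookup order quoted above, and the point from the earlier reply that a tcp_table server only answers the keys it is asked for, are easier to see when both sides are written out. The following is an added example, not code from the thread or from Postfix: `search_keys` produces the candidate keys in transport(5) order the way trivial-rewrite would, `tcp_table_reply` is a stand-in for a tcp_table(5) server answering exact-key "get" requests, and `resolve_transport` drives one against the other. The table contents, relay names and a recipient_delimiter of "+" are assumptions for the example.

```python
"""Added example (not from the thread): the client side of a transport_maps
lookup, i.e. the key sequence trivial-rewrite tries in transport(5) search
order, driven against a tcp_table(5)-style server that answers "get key"
requests.  The table contents and relay names are constructed; the
recipient_delimiter is assumed to be "+"."""
from urllib.parse import unquote

# Constructed table in transport(5) form: key -> transport:nexthop.
TRANSPORT_TABLE = {
    "user+ext@domain1.tld": "smtp:[special.relay]",
    "domain1.tld": "smtp:[internal.relay]",
    ".domain2.tld": "smtp:[sub.relay]",
    "*": "smtp:[default.relay]",
}


def search_keys(address, parent_matches_subdomains=False):
    """Candidate keys in transport(5) order: user+ext@domain, user@domain,
    domain, then each parent domain (as ".parent", or as bare "parent" when
    transport_maps is listed in parent_domain_matches_subdomains), then "*".
    An "@domain" key is never generated, so such a table entry never matches."""
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}"] if local else []
    if "+" in local:
        keys.append(f"{local.split('+', 1)[0]}@{domain}")
    keys.append(domain)
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append("*")
    return keys


def wire_encode(text):
    """%XX-encode the way tcp_table(5) does: "%", whitespace and
    non-printable bytes are escaped, everything else passes through."""
    return "".join(chr(b) if 0x21 <= b < 0x7F and b != 0x25 else f"%{b:02X}"
                   for b in text.encode("utf-8"))


def tcp_table_reply(request_line, table):
    """Server side of one request.  Exact-key lookup only: walking the search
    order is the client's job.  200 = found, 500 = not found, 400 = error."""
    verb, _, arg = request_line.rstrip("\n").partition(" ")
    if verb != "get" or not arg:
        return "400 unsupported request\n"       # Postfix defers on 4xx
    value = table.get(unquote(arg))
    if value is None:
        return "500 no match\n"
    return f"200 {wire_encode(value)}\n"


def resolve_transport(address, table, parent_matches_subdomains=False):
    """Client side: one "get" per candidate key, stop at the first 200.
    Returns (result or None, transcript of (request, reply) pairs)."""
    transcript = []
    for key in search_keys(address, parent_matches_subdomains):
        request = f"get {wire_encode(key)}\n"
        reply = tcp_table_reply(request, table)
        transcript.append((request, reply))
        if reply.startswith("200 "):
            return unquote(reply[4:].rstrip("\n")), transcript
        if reply.startswith("400 "):
            raise RuntimeError(f"temporary failure looking up {key!r}: {reply.strip()}")
    return None, transcript


if __name__ == "__main__":
    for addr in ("xyz@domain1.tld", "user+ext@domain1.tld", "a@b.domain2.tld"):
        result, log = resolve_transport(addr, TRANSPORT_TABLE)
        print(f"{addr} -> {result}")
        for req, rep in log:
            print("   C:", req.strip(), "   S:", rep.strip())
    # The thread's "@domain1.tld" key is not in the candidate list, so no hit:
    print(resolve_transport("xyz@domain1.tld", {"@domain1.tld": "smtp:[x]"})[0])
```

Two things to keep in mind when reading the transcript: the server never sees the search order, it only sees one key after another, and with several tables listed in transport_maps each candidate key is tried against every table before the next key is tried. A tcp table that answers 200 to anything, like the random.rb above, therefore wins on the very first key regardless of what a hash table later in the list contains.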
Re: Dspam integration order
On 11/07/2013 08:43 AM, Matthew Brown wrote:
> Hi all,
> I'm trying to integrate dspam into my mail flow and have got some conflicting configuration suggestions.
> Regarding incoming mail, what are the advantages of using dspam as a content filter (and then reinjecting into postfix)[1] vs postfix delivering it to dspam which then delivers it to dovecot[2]?

Using dspam as a content_filter is no better than using it as your LDA, since it still passes through a second MTA, and cannot be rejected.
Using a pre-queue spam filter (which can reject or drop mail) has numerous disadvantages, the biggest ones of which are inability to act on resolved aliases, processing time, and most importantly: the risk of false positives, since these will be final and not subject to user review.

I use dspam in line with dovecot, all via LMTP:

postfix - LMTP - dspam - LMTP - dovecot

It works perfectly; dspam marks the spam and dovecot + pigeonhole sieves it into folders.
None of this is really list material, I am merely stating my solution and preference.
If you have problems setting up the postfix side of this, ask directed questions.

-- J.
Re: Getting automated sending feedback from SMTP server
On 10/31/2013 6:00 PM, Sergio Mira wrote:
> Guys, are you good?
> I have following scenario:
> [HTTP Server]: process messages
> [SMTP Server]: *only* send messages
> [HTTP Server] === connect to === [SMTP Server] === sends message === [world]
> Ok, this is going well.
> My point is: how to get feedback from [SMTP Server] to know if my message was really sent or not?

The SMTP server reports back to the client whether the mail was accepted or not; this constitutes a sent status from the perspective of the HTTP process.
The SMTP protocol is documented exhaustively.

> Using php-mailer or any language/api (in [HTTP Server]), I only have feedback for connection between servers: Connection to SMTP server was OK, but this is not a proof that my message was really sent.

No, there is much more information exchanged. If whatever library you are using on the HTTP end does not properly support SMTP, ditch it and use one of the dozens that do it properly.

> I mean, how to get that status=sent or status=bounced that appears in the /var/log/maillog for each message?

That is the post-queue postfix status; it is not available to the client.

> I am really trying this in the last weeks, but no success. I worked in a way that, when [HTTP Server] connects to [SMTP Server], gets Message-ID from maillog, so later I'll go (SSH from [HTTP Server] to [SMTP Server]) to grep the /var/log/maillog with this Message-ID and gets this status=sent or status=anything.

That sounds horrible.

> But I'm pretty sure there's an automated way to do that.

No, there is no automated way to associate data that is not related.
There are DSNs, described fully in RFC 3461/3464 and supported by postfix.

-- J.
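What the submitting application actually receives, and how it asks for the delivery status notification mentioned at the end of that reply, is easiest to show as the exchange itself. The following is an added example and not code from the thread: a constructed loopback server that speaks just enough ESMTP for one session stands in for Postfix, and the client runs MAIL/RCPT/DATA by hand with the RFC 3461 parameters (ENVID, RET, NOTIFY). Host names, addresses and the queue id are made up; the "250 2.0.0 Ok: queued as <id>" shape of the final reply is what Postfix really sends.

```python
"""Added example (not from the thread): the reply an SMTP client really gets
when it hands a message to the server, and how to ask for a delivery status
notification (DSN, RFC 3461) on the same transaction.  The server below is a
constructed stand-in that speaks just enough ESMTP for one exchange; the host
names, addresses and queue id are made up."""
import re
import smtplib
import socket
import threading

QUEUE_ID = "3ABC5D2F1E"   # constructed stand-in for a Postfix queue id


def fake_esmtp_server(listener, seen):
    """Server side of one session; every command line received is appended to
    `seen` so the caller can inspect what the client actually sent."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb")

    def reply(text):
        f.write(text.encode("ascii") + b"\r\n")
        f.flush()

    reply("220 mx.example ESMTP")
    while True:
        raw = f.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        seen.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply("250-mx.example")
            reply("250-DSN")          # advertises RFC 3461 support
            reply("250 8BITMIME")
        elif verb == "MAIL":
            reply("250 2.1.0 Ok")
        elif verb == "RCPT":
            reply("250 2.1.5 Ok")
        elif verb == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            while True:               # swallow the body up to the lone "."
                body_line = f.readline()
                if not body_line or body_line.rstrip(b"\r\n") == b".":
                    break
            reply(f"250 2.0.0 Ok: queued as {QUEUE_ID}")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("502 5.5.2 Error: command not implemented")
    f.close()
    conn.close()


def submit_with_dsn(port, sender, recipient, message):
    """Client side: run MAIL/RCPT/DATA by hand so each reply is visible,
    request success/failure/delay DSNs on the RCPT command, and pull the
    queue id out of the final 250.  That id is all the submitting application
    learns here; the delivery outcome arrives later as a DSN to `sender`."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example",
                      timeout=5) as s:
        s.ehlo()
        if not s.has_extn("dsn"):
            raise RuntimeError("server does not advertise DSN")
        code, _ = s.mail(sender, ["ENVID=order-42", "RET=HDRS"])
        if code != 250:
            raise RuntimeError("sender refused")
        code, _ = s.rcpt(recipient, ["NOTIFY=SUCCESS,FAILURE,DELAY"])
        if code != 250:
            raise RuntimeError("recipient refused")
        code, text = s.data(message)   # 250 here means "accepted into the queue"
    m = re.search(r"queued as (\S+)", text.decode("ascii", "replace"))
    return {"accepted": code == 250, "queue_id": m.group(1) if m else None}


def run_exchange():
    """Wire the two halves together on a loopback port; returns the client's
    result and the command lines the server saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = []
    t = threading.Thread(target=fake_esmtp_server, args=(listener, seen), daemon=True)
    t.start()
    msg = ("From: app@client.example\r\nTo: bob@example.net\r\n"
           "Subject: constructed test\r\n\r\nhello\r\n")   # constructed message
    result = submit_with_dsn(listener.getsockname()[1],
                             "app@client.example", "bob@example.net", msg)
    t.join(5)
    listener.close()
    return result, seen


if __name__ == "__main__":
    res, log = run_exchange()
    print(res)
    for cmd in log:
        print("C:", cmd)
```

The queue id in the final 250 is the only handle the HTTP side should store: it is the same id Postfix writes in its own log lines, but the outcome of the delivery is reported back as a DSN message (RFC 3464 format) addressed to the envelope sender, so the application needs a mailbox it reads and parses, not SSH access to the mail server's log.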
Re: Getting automated sending feedback from SMTP server
On 11/2/2013 3:00 PM, li...@rhsoft.net wrote:
> On 02.11.2013 12:15, Jeroen Geilman wrote:
> > > Using php-mailer or any language/api (in [HTTP Server]), I only have feedback for connection between servers: Connection to SMTP server was OK, but this is not a proof that my message was really sent.
>
> if the send method of phpmailer returns true, that *is* the proof, because it got a 2xx status code from the SMTP server
>
> > No, there is much more information exchanged. If whatever library you are using on the HTTP end does not properly support SMTP
>
> phpmailer *does*, and with correct handling you even get the whole server responses on the website

This is not a phpmailer() or PHP list.
Re: postfix access map for sasl authenticated users
On 10/25/2013 04:44 PM, Rudy Gevaert wrote:
> Hello,
> I was wondering if I could add an access map (to deny access in fact) for specific sasl authenticated users? E.g. even if the login succeeds that user can't send email.
> I couldn't find anything in the docs, but maybe I'm looking in the wrong place.

You could disable the user in the SASL backend, or remove the user from any and all smtpd_sender_login_maps (this works only when rejecting all mail from unmapped authenticated users with smtpd_sender_restrictions = reject_sender_login_mismatch, and then not listing said user.)
You can only cause the login itself to fail using the first method.

-- J.
Re: virtual_alias_maps question
On 10/24/2013 11:20 PM, LuKreme wrote:
> On 24 Oct 2013, at 04:39 , Wietse Venema wie...@porcupine.org wrote:
> > Louis-David Mitterrand:
> > > Hi,
> > > I have a virtual_alias_maps with a pcre entry like
> > > /^(info|contact|etc)@/ localuser
> > > and it delivers i...@anydomain.com to localuser even though 'anydomain.com' is not in virtual_alias_domains, is that normal?
> >
> > RTFM:
> >
> > NAME
> >     virtual - Postfix virtual alias table format
> >
> > DESCRIPTION
> >     The optional virtual(5) alias table rewrites recipient addresses FOR ALL LOCAL, ALL VIRTUAL, AND ALL REMOTE MAIL DESTINATIONS. This is
>
> BTW, this is very useful. My wife used to email a bunch of different people at an edu domain, we'll call it fred.example.edu. These were not people that were in her address book or mail history, and she typoed the domain nearly every time as ferd.example.edu. Virtual to the rescue. Something like this, IIRC.
>
> #Rewrite ferd!
> @ferd.example.edu @fred.example.edu

Note that this will not alter headers set by the MUA.
The recipient will still see the bad domain, and if you try to reply to a message where that was in the CC, it would bounce.

-- J.
Re: Domains without MX Records
On 10/15/2013 01:55 PM, FliedRice wrote:
> is the domain missing from /etc/localdomains?

With /etc/localdomains being... what ? It's not a postfix parameter.
Nor does postfix use local name resolution for email *delivery*, unless you specifically tell it to; this is governed by the smtp_host_lookup parameter.

> also I have seen numerous listings for resolution on the web that stated the following: set MX priority to 0 for the related domain

All that does is re-iterate that this machine handles mail for its own hostname.
A delivery next-hop is found after an MX lookup followed by an address lookup.
As explained previously, if no valid or usable MX records are found, the host is tried directly.

-- J.
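The MX-then-address sequence described in that last paragraph, and the earlier multi-site thread's point that a second A record is used about half the time rather than as a standby, can both be shown on the same constructed data. The following is an added example, not code from either thread or from Postfix: an in-memory zone built from the MX set of the multi-site question (the addresses are documentation-prefix placeholders), a function that orders the next-hops the way an MTA tries them, and a small tally of which address comes first across many deliveries. Nothing is resolved on the network.

```python
"""Added example (not from either thread): how an MTA turns a recipient domain
into an ordered list of next-hops, using the MX set and the two-A-record host
from the multi-site question.  The DNS data is a constructed in-memory zone;
nothing is looked up on the network, and the addresses are documentation
prefixes."""
import random

# Constructed answers.  MX: domain -> [(preference, host)]; A: host -> [ip].
ZONE_MX = {
    "example.com": [(30, "mail.site1.example.com"), (40, "mail.site2.example.com"),
                    (50, "mail.site3.example.com"), (10, "mail.example.com")],
    "nomx.example": [],                       # no MX at all
}
ZONE_A = {
    "mail.example.com": ["192.0.2.10"],
    "mail.site1.example.com": ["192.0.2.11", "198.51.100.11"],  # primary and backup ADSL
    "mail.site2.example.com": ["192.0.2.12"],
    "mail.site3.example.com": [],             # MX target without an address record
    "nomx.example": ["203.0.113.5"],
}


def next_hops(domain, mx=ZONE_MX, a=ZONE_A, rng=random):
    """Delivery candidates in the order an MTA tries them: MX hosts by
    preference (lowest first), equal preferences and multiple addresses in
    random order, MX targets without addresses skipped.  Only when the domain
    has no MX record at all is the domain's own address record used."""
    records = mx.get(domain, [])
    if not records:
        ips = list(a.get(domain, []))
        rng.shuffle(ips)
        return [(domain, ip) for ip in ips]
    hops = []
    for pref in sorted({p for p, _ in records}):
        hosts = [h for p, h in records if p == pref]
        rng.shuffle(hosts)
        for host in hosts:
            ips = list(a.get(host, []))
            rng.shuffle(ips)
            hops.extend((host, ip) for ip in ips)
    return hops


def first_address_shares(host, a=ZONE_A, trials=1000, seed=0):
    """Why a second A record is not a standby link: count which address comes
    first across many deliveries.  The shuffle stands in for resolver and MTA
    randomisation; each address wins about half the time."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        ips = list(a[host])
        rng.shuffle(ips)
        counts[ips[0]] = counts.get(ips[0], 0) + 1
    return counts


if __name__ == "__main__":
    for domain in ("example.com", "nomx.example"):
        print(domain)
        for host, ip in next_hops(domain, rng=random.Random(1)):
            print("   ", host, ip)
    print(first_address_shares("mail.site1.example.com"))
```

The example deliberately models only what both replies state: MX preference ordering, random choice among equals, the no-MX fallback to the domain's own address, and the even split across multiple A records. It does not model why a lower-priority backup MX attracts spam; that is a property of how senders behave, not of the lookup.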
Re: postfix reports no rDNS on a host with many PTR records
On 10/15/2013 05:03 PM, Blake Hudson wrote:
> Wietse Venema wrote the following on 10/15/2013 9:55 AM:
> > Wietse Venema:
> > > The DNS query is made by the SYSTEM LIBRARY functions getnameinfo() and getaddrinfo(). Postfix has no control over how they work.
> > > When I test this with Postfix test programs for these functions:
> > >
> > > % ./getnameinfo 216.163.249.229
> > > Hostname: ms.metlifeleads.com
> > > Address: 216.163.249.229
> > > % ./getaddrinfo ms.metlifeleads.com
> > > Hostname: ms.metlifeleads.com
> > > Addresses: 216.163.249.229
> > >
> > > (The test programs are in the Postfix source code distribution under auxiliary/name-addr-test/)
> > >
> > > My non-Linux system returns one PTR result (ms.metlifeleads.com); the A record for this name is 216.163.249.229, and Postfix would be satisfied with the result.
> >
> > I get a similar result on a Linux box:
> >
> > $ ./getnameinfo 216.163.249.229
> > Hostname: ms2.smrsmetlife.com
> > Address: 216.163.249.229
> > $ ./getaddrinfo ms2.smrsmetlife.com
> > Hostname: ms2.smrsmetlife.com
> > Addresses: 216.163.249.229
> >
> > Again, Postfix should work OK with this.
> >
> > I'm starting to suspect that the OP may have a bad DNS implementation. Maybe some cheap router?
> >
> > I suspect that it doesn't work this way on your system. Some Linux distributions require extra configuration to handle more than one reply per query. I have forgotten what the option is.
>
> This is the "multi on" option in /etc/host.conf; documentation says that this affects /etc/hosts lookups, so not applicable to DNS queries.
>
> > Wietse
>
> This is utterly reproducible for me; running a local BIND 9.9.2 on Slackware 14.0/kernel 3.2.29:
>
> root@fusion:~# dig @ns.metlife.com -x 216.163.249.229 +ignore
> ; <<>> DiG 9.9.2-P2 <<>> @ns.metlife.com -x 216.163.249.229 +ignore
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> root@fusion:~# dig -v
> DiG 9.9.2-P2
> root@fusion:~# dig @ns3.metlife.com -x 216.163.249.229 +ignore
> ; <<>> DiG 9.9.2-P2 <<>> @ns3.metlife.com -x 216.163.249.229 +ignore
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> root@fusion:~# dig @ns2.metlife.com -x 216.163.249.229 +ignore
> ; <<>> DiG 9.9.2-P2 <<>> @ns2.metlife.com -x 216.163.249.229 +ignore
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55576
> ;; flags: qr aa tc rd ra; QUERY: 1, ANSWER: 38, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;229.249.163.216.in-addr.arpa.    IN    PTR
>
> ;; ANSWER SECTION:
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.tlcmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metaddisppm.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.metcommpipedev.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.met_smartoffice.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.metcaretngprodmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.massmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metecap.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.instmetdba.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.metcommpipe.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.metconnect.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metbusiness.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metlifeitrisk.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.wpsgenamerica.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metsdo.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.orangesmmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.crcsurfmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.meteas.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metpaybase.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.pmacsmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.instmetdbaqa.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.nbcwebsitemetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR entlic.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.ctxprod.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.prod-erpdbametlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.efabusobj.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.dmmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.qeintranetmetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.csametlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.metdeploy.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.metlifeleads.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms2.lifemetlife.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR www.fegli2004.com.249.163.216.in-addr.arpa.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms1.metlifeforms.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR ms.meteservice.com.
> 229.249.163.216.in-addr.arpa. 1800 IN PTR
Re: postfix reports no rDNS on a host with many PTR records
On 10/14/2013 08:41 PM, Blake Hudson wrote:
> I'm seeing the following errors when a prominent North American life insurance vendor attempts to send me email.
>
> Oct 14 12:57:07 twinc postfix/smtpd[12194]: NOQUEUE: reject: RCPT from unknown[216.163.249.229]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [216.163.249.229]; from=redac...@securemail.metlife.com to=redac...@redacted.net proto=ESMTP helo=ms1.metlifecommercial.com
>
> The crux is that this host does have (an abundance of) rDNS:
>
> [blake@twinc ~]# host 216.163.249.229
> ;; Truncated, retrying in TCP mode.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.dmmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.egadbprod.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.iimetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.afimetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.arsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.avsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.dlmmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.dnumetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.docviewweb.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.edwmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.eesmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.epmmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.erpmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.iibmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.metlifenet.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.mmpmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.prfmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.rpgmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.stimetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.alpsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.amnpmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.calcmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.catsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.glifmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.ibcsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.lifemetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.lsmsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.massmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.ribsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.smrsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.statmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.tajsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.witnessgold.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.witnessprod.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.dmassmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.emonemetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.linusmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.metlife-ihub.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.murexmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.parismetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.pmacsmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.xtivametlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.avenuemetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.bdwisemetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.caesarmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.citrixmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.grpannmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.ifecadmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.legal-lawdept.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.siebelmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.tlarsametlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.tlazawmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.charliemetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.crcsurfmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.metcommpipedev.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.paragonmetlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.powerimageprod.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.ermskanametlife.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.glif-pm-metlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.intelccometlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.kamakurametlife.com.
> 229.249.163.216.in-addr.arpa domain name pointer ms2.orangesmmetlife.com.
> 229.249.163.216.in-addr.arpa
Re: Some postfix delivering problems
On 10/12/2013 07:34 AM, asbaeza wrote:
> Hi, I am getting some problems with my postfix installation. I use postfix+amavis+clamav+spamassassin in a Debian box. I recently changed from sendmail+canit pro to this configuration. The last error I get is something like:
>
> Command time limit exceeded: procmail -a $EXTENSION

Jeebus. Why would you use procmail to dump mail to amavisd, which then calls spamassassin ? Just call amavisd directly - it has a working SMTP interface.

> But there are many messages not delivered with error messages like:
>
> Considered UNSOLICITED BULK EMAIL, apparently from you

This is not a postfix message; I suggest you take it to the appropriate forum. It may or may not be related to the timeout issue; if amavisd is run as a procmail command then this will contribute to that procmail timeout.

[snip numerous conflated symptoms and perceived errors]

Don't blindly assume everything is interrelated. A mail server system consists of many moving parts.

-- J.
Re: seamless postfix migration to a new server
On 10/12/2013 09:54 AM, teknet9 wrote:
> Hello Everybody, I need to migrate my old postfix server to a new machine. Domain will be the same. I would like to make this migration seamless for the end users and give them 1-2 months for migration (both servers should work at that time correctly).

1 to 2 *months* ? why ?

[snipped hugely convoluted migration path]

Here's what I propose:

- install postfix on the new server, and configure it identically to the existing server, except the following:
  * relay the domain in question to the old server, by removing it from mydestination and moving it to relay_domains.
  * Use your existing userdb to verify valid recipients with relay_recipient_maps.
  * set the old server as its /specific/ relayhost using [oldserver.example.com]
- switch MX to point to this new server; all incoming mail will enter via the new server and be delivered to the old one.
  * Now wait long enough for the old MX to expire from any caches worldwide; this is the longest part of the migration, since it's not under your control. Be patient, and plan well in advance (say a week.)
- install your mailbox server (dovecot is preferred) and plan your downtime.
  * Make an initial copy of your mailstores to the new server so you won't have to copy so much when you're actually migrating.
- during your downtime window, stop postfix and dovecot, and rsync the mailstores to catch up
  * also change the new server's postfix configuration back to what it should be (i.e. no more relaying)
- switch the hostname(s) for the users to the new server, or stop the old one and switch its IP (this is faster)

Whether you use a new IP or switch the old one with the new server is up to you (the latter avoids DNS downtime.)

Also consider now implementing separate DNS for smtp in, smtp out, and imap access. This avoids DNS-related issues when you decide to split these functions up later.

-- J.
Re: seamless postfix migration to a new server
On 10/12/2013 07:16 PM, DTNX Postmaster wrote:
> On Oct 12, 2013, at 17:04, teknet9 tekn...@o2.pl wrote:
>> Thank you for the advice. I have many users; I can not allow any downtime (not even a few seconds). Also I can not lose a single email. Your solution will not guarantee that. I am looking for a true HA solution. That is why both servers need to work at the same time for 1-2 months to allow users to test the new account and to migrate when ready. During migration both servers need to work correctly (two way sync).
>
> Don't run them side by side, but cut over. This is much less of a disruption for your users than having them test their account and whatnot. Testing is your job, not theirs.
>
> Follow the suggestions already given. Whether Jeroen's suggestion or a straight cut-over with hot sync followed by a cold sync will work best for you will depend on the specifics of your setup. If you prep this properly you can probably do this within a planned downtime window of half an hour, maybe even less.
>
> Mvg, Joni

Agreed. My proposal was mostly based on swapping out the server, which can circumvent DNS expiries if that's what he is worried about. But even so it would be trivial to keep the old server running as an incoming relay after the migration, so he doesn't have to wait for the MX to expire.

I'm curious what you meant by hot sync and cold sync exactly - from your reply it seems it's not quite the same I was suggesting.

-- J.
Re: postfix configuration
On 10/09/2013 10:03 PM, Stefano Gatto wrote:
> Hi all, I'm trying to configure postfix 2.7.1 to protect an internal mailing list with the restriction classes as per http://www.postfix.org/RESTRICTION_CLASS_README.html#internal
>
> Example /etc/postfix/main.cf:
>
> smtpd_recipient_restrictions =
>     ...
>     check_recipient_access hash:/etc/postfix/protected_destinations
>     ...the usual stuff...
>
> smtpd_restriction_classes = insiders_only
> insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
>
> Everything works as expected: if a client not in insider.db tries to send a mail with the list in field To:, the mail bounces back to the sender. The problem arises when someone sends an email to a real mailbox in field TO: and to the list in field CC:. In that situation the mail server forwards the email to everyone in the list.

That's because a message may have many recipients, but only one sender. Reverse the restriction class logic: FIRST check if any recipients are in your restricted list, and then check if the sender is in insiders.db, and allow it if it is. This causes the sole recipient to be rejected, but not the message.

That is what should be happening with your setup too, but you don't show the full configuration as requested in the list welcome message, and I won't guess.

> Can someone help me to reconfigure postfix not to forward to the list address even if it is in the field CC:?

A recipient is a recipient (is a recipient...); one is not more special than any other.

-- J.
Re: status=deferred (temporary failure)
On 09/26/2013 09:38 PM, LuKreme wrote:

[snipped irrelevant spamd logs]

> Sep 26 13:28:03 mail postfix/pipe[90184]: 6842750D335: to=user+faceb...@example.com, relay=procmail, delay=3, delays=0.45/0.02/0/2.5, dsn=4.3.0, status=deferred (temporary failure)

Procmail returned an exit status of 75 (EX_TEMPFAIL). The next step is to figure out why. This is the postfix users mailing list; procmail and spamassassin have their own forums.

-- J.
Re: 1 mail being stuck in incoming mail queue.
On 09/12/2013 03:17 AM, Josh Cason wrote:
> The two entries in the log file. I changed a few things to protect my mail server, client and sender. But you should get the idea. This is how my mailserver system is set up: cisco router - assp spam filter - postfix mailserver with mailscanner.

Mailscanner directly manipulates the postfix queue directories. As documented, this is NOT supported, and is more than likely the cause of your issue. Don't use Mailscanner.

-- J.
Re: spam - headers: from ME to ME, but different anvelope sender
On 09/07/2013 05:19 AM, FliedRice wrote:
> Just a thought: in order to block more incoming spam you could add more RBLs to your main.cf file. I have spamassassin, but it's turned off in favor of the following smtpd restrictions and domain blocking in the plesk user interface, or filtering in the Cpanel interface. I have 2 servers which both use these restrictions:
>
> smtpd_client_restrictions = permit_mynetworks,
>     reject_rbl_client sbl.spamhaus.org,
>     reject_rbl_client xbl.spamhaus.org,

That's all zen now.

>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client cbl.abuseat.org,
>     reject_rbl_client dnsbl.mags.net,
>     reject_rbl_client bl.mailspike.net,
>     reject_rbl_client l2.apews.org,
>     reject_rbl_client bl.tiopan.com,
>     reject_rbl_client niku.2ch.net,
>     reject_rbl_client bl.spameatingmonkey.net

You would want to use postscreen(8) for that. For starters, it does parallel lookups (which is faster) and maintains its own cache (which is faster still.) It also allows you to do weighted scoring for multiple DNSBLs (which smtpd_client_restrictions does not.)

Available in postfix 2.8+ (which is over 2 years old)

-- J.
Re: Dealing with outages
On 09/09/2013 09:27 PM, Wietse Venema wrote:
> Postfix does a hard bounce when the DNS server replies that the name has no MX record AND the DNS server replies that the name has no A record, AND (if Postfix IPv6 support is on) the DNS server replies that the name has no AAAA record.

Does that mean that postfix will do a hard bounce if there is no reply to an MX query after a timeout ? I thought it would at least try the other queries (A and/or AAAA) before giving up, since this costs no more than when there /is/ a (negative) reply.

Since postfix may be talking to a cache or a resolver with numerous hops in between postfix and the authoritative source, any of the queries may fail individually, and yet not be conclusive.

> Postfix does a soft bounce when any of those lookups does not produce a reply.

This seems to suggest the former, but I am double-checking.

-- J.
Re: Postfix SMTP server: errors from mail-ve0-f174.google.com[209.85.128.174]
On 09/02/2013 08:11 AM, Eric Kom wrote:
> Good day, please, my smtp based on postfix is sending me messages with the above subject and body:
>
> Postfix SMTP server: errors from mail-ve0-f174.google.com[209.85.128.174]
>
> Transcript of session follows.
>
> Out: 220 Great Kom Networks (Pty) LTD, Ready.
> In: EHLO mail-ve0-f174.google.com
> Out: 250-ajk.metropolitanbuntu.co.za
> Out: 250-PIPELINING
> Out: 250-SIZE 10204
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-AUTH PLAIN LOGIN
> Out: 250-AUTH=PLAIN LOGIN
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: STARTTLS

Gmail is wanting to start a TLS session with you.

> Out: 454 4.7.0 TLS not available due to local problem

Your server is refusing due to some local problem; possibly a problem with certificates or mismatched ciphersuites. Consult your logs for details.

> My log file does not report any problem

...yes, yes it will.

NOTE that OpenSSL errors are largely separate from postfix internal errors, since postfix links in a huge openssl library that does all this stuff.

The larger question is why are you offering TLS on port 25 ? It's obviously not working.

-- J.
Re: sending mail using more then one smarthost\relayhost and sasl?
On 09/02/2013 10:56 PM, Eliezer Croitoru wrote:
> Hey, I have a situation with a working postfix install which I am not sure how to implement.

You're not sure how to implement... a working situation ?

> the main problem is that from time to time I get a rejected mail from a remote system and which I cannot do a thing about.

What kind of mail ? What system ? What does the log say ? Any information would help, here - but you're providing nothing.

> the setup is like this:
> Local client(sasl) -(submission 587)Local POSTFIX
> the local postfix hosts one\two virtual domains. the postfix uses an amavisd-new for mail filtering. The setup works fine and the local POSTFIX is set up with: smtp sasl auth using a relayhost. I have a failover relayhost in postfix but I want another thing. I want to define that all local\virtual domains will be delivered to the dovecot mailer.

There is no dovecot mailer; dovecot is an IMAP/LMTP server. The way to deliver *virtual* domains to dovecot is to use dovecot as your *virtual* transport. Local domains won't be distinguished from one another; use virtual domains for that.

> and specific outgoing domains will be relayed using specific relay servers

That's what transport(5) is for.

> the current postfix config is:
> # cat main.cf |grep -v ^#|grep -v '^$'

Configuration should be shared by providing the output of postconf -nf. The list welcome message contains clear instructions on how to ask for help.

> the master.cf is:
> # cat master.cf

THIS is where excluding comments would actually help, although for modern versions (2.9+) there is postconf -Mf.

> Thanks in advance,

Did you ask any other question than the one about transport(5) I answered above ? If so, I am afraid it was lost in the noise.

-- J.
Re: iptables based spam prevention
On 08/25/2013 08:11 PM, Niclas Arndt wrote:
> Hi, sorry if this is slightly off-topic, but at least a bunch of experts are listening. I am using Spamhaus (and other methods) and over time I have amassed a list of IP ranges that (according to Spamhaus) shouldn't be sending e-mail at all. One problem is that this list tends to become quite long and another is that I would like to verify it so that I don't eventually block legitimate e-mail. On the other hand, I would like to place as little a load as possible on Spamhaus.
>
> Here are my questions: Is the iptables approach at all viable in the long run? Is there any non-commercial way to upload a text file containing spamming IP addresses and have it verified for correctness?

postfix 2.8 and later offer the postscreen(8) triage service, which deals very efficiently with large amounts of DNSBL lookups. Run a local DNS cache on the postfix machine and point postscreen at zen. You'll be hitting the spamhaus non-commercial limit long before you hit the local cache's limits.

This automatically adds and expires DNSBL entries without any effort from you, as a free bonus (this is the biggest problem with your iptables approach.)

-- J.
Re: Disabling user submission on port 25
On 08/27/2013 05:24 AM, John Allen wrote:
> On 26/08/2013 9:00 PM, Noel Jones wrote:
>> On 8/26/2013 7:49 PM, LuKreme wrote:
>>> OK, now that port 587 is working, I would like to disable user submission via port 25. Not right now, but in a bit once people have a chance to change their settings. What do I do to prevent users sending via port 25?
>>
>> Super easy...
>>
>> # main.cf
>> smtpd_sasl_auth_enable = no
>>
>> Your master.cf submission entry probably already includes
>> -o smtpd_sasl_auth_enable=yes
>> If not, go ahead and add it to submission now so things don't break unexpectedly later.
>>
>> This won't prevent users from sending local mail to port 25, but they won't be able to authenticate and won't be able to relay. This usually isn't considered a problem, and changing it often causes other issues.
>>
>> -- Noel Jones
>
> I based it on something that Noel Jones wrote way back in 2008. Create a file of the networks you wish to deny access to, e.g. "Deny_Mynetworks_Access", the content of which will be the same networks as those found in the mynetworks parameter of the main.cf file, for example:

This is entirely unnecessary, since moving reject_unauth_destination in front of permit_mynetworks takes care of that. Everything after reject_unauth_destination is impervious to relay attempts, because it explicitly blocks all such attempts. Yes, relay_domains would be an exception to this - but think why domains are in relay_domains to begin with.

> This should deny access to the smtp port (25) from the local networks while allowing access to the submission port (587).

So what you're saying is basically to deny access from the networks in mynetworks, do this complicated thing ? A simpler way to do that would be to not put these networks in mynetworks.

-- J.
Re: Postfix queues mails rejected with 5xx errors
On 08/24/2013 08:16 PM, Szőts Ákos wrote:
> Dear list members, I have the following problem: A 3rd party e-mail provider refuses the HELO/EHLO command if it doesn't contain a valid FQDN address (which is acceptable from their point of view). They refuse it with a 501 (permanent) error, which means according to [1]:
>
> [...] In this case, the sending MTA server should not queue the message, but delete it from its queue and send back an NDR (Non-Delivery-Response) to the sender, informing of such error.
>
> The problem is, in spite of the above mentioned, Postfix (and BSD sendmail also) puts the letter into the mail queue as if it was deferred and tries to re-send it continuously. I tested it with the following:
>
> $ telnet server29.citromail.hu smtp
> Trying 91.83.45.29...
> Connected to server29.citromail.hu.
> Escape character is '^]'.
> 220 server29 mfiltro ESMTP server ready
> HELO google.local
> 501 HELO requires FQDN address
> Connection closed by foreign host.

The server did not wait for the client to start a MAIL transaction, or send QUIT, in this session.

> So far this is ok.

It clearly is not.

> But after I sent a message with sendmail x...@citromail.hu, the following shows up in the mail queue:
>
> D82A21807CB 300 Sat Aug 24 15:52:28 root@xx.local
> (lost connection with server27.citromail.hu[91.83.45.27] while performing the HELO handshake)

The same result as from the manual telnet attempt: 501 Syntax error in parameters or arguments
The server then disconnects, thus not allowing postfix to finish the session. As RFC5321 says, the server MUST wait for the client to send QUIT.

This would be evident if you had included actual postfix logs.

> In Postfix the soft_bounce parameter is set to no.

Doesn't matter, since the remote server incorrectly implements ESMTP.

> I know that the problem can be easily circumvented by setting a proper FQDN, but I want to know the root cause why Postfix (and the plain sendmail) puts the letter into the queue as a deferred one.

Because it incorrectly implements ESMTP, and disconnects during a session. This causes postfix to (correctly) treat the disconnect as a transient network error. Such an aborted session will be deferred.

FYI, postfix never breaks the connection once a session has been established, unless it hits a timeout. Any 5xx reply simply waits for the client to send better data, or QUIT.

If you still think postfix is in error here, show postfix logs of a rejected message (i.e. one that logs a 5xx response in the postfix mail log) that is subsequently deferred.

-- J.
Re: Issue with a customer running Symantec Messaging Gateway: .dat attachments
On 08/19/2013 06:24 PM, Marcio Merlone wrote:
> Greetings, I run a mail server for my company with Ubuntu 10.04 LTS and postfix 2.7.0-1ubuntu0.2 and all my users use Thunderbird ESR. We have a customer running Symantec Messaging Gateway and it converts attachments of our messages with *special chars* to randombogusfilename.dat (_not_ winmail.dat!). Their support directed me to this Symantec KB which, in short, says it's not our fault, even though they are the only destination where I have noticed this: http://www.symantec.com/business/support/index?page=contentid=TECH192394

That is a truly horrible support article. It provides no proof, no examples, and no clients that are known to exhibit this behaviour (as they claim).

> Has anyone experienced this or know what's this about and how to fix/workaround this? Searched Google but no luck.

It's about MIME, which is covered by a set of 6 wordy RFCs: http://en.wikipedia.org/wiki/MIME

I have seen this before, and while it is usually caused by a client using a multipart construction that the recipient can't handle - or that is not 7-bit transfer-safe - the above support page doesn't even hint at what might be the problem.

The specific instance in my case was a vendor implementing the php mail() system call by appending CRLF manually to all headers. The mail() documentation clearly states that all lines should end with a bare LF only, and the effect of this was to break out some inline MIME multiparts as attachments, and to entirely disappear others.

If you're paying for Symantec support, by all means open a trouble ticket and force some cooperation for your dollars. A good start would be full message decodes on both sides (the raw message both on the client and in the mailbox), as well as packet dumps on both ends, to see how the message was altered in transit (if it was.)

A tcpdump comparison between the client-side and the mailbox-side would show if Symantec is correct in that their mail-gateway-software-money-making-machine does not alter the message in transit, or if it does.

-- J.
Re: Custom routing
On 08/16/2013 03:58 PM, Carlos L wrote:
> Ok since my explanation of the problem is poor at best I'll give an example

Please don't top-post.

> Incoming mail comes in like this (actual headers):

Provide postfix mail logs showing the processing of a single message that exhibits the problem. Postfix does not (or at least should never) route mail based on the contents of headers.

-- J.
Re: SMTP auth without mailbox
On 08/12/2013 08:30 PM, M. Spini wrote:
> I need auth to send email, and possibly give the users the possibility to change their pwd.

Postfix supports server SASL via either dovecot or cyrus. You can see which your installation supports with

# postconf -a

I recommend dovecot since it is much easier to set up, and supports numerous authentication backends including system (PAM), mysql, LDAP, or arbitrary files.

This capability is not dependent on the existence of mailboxes (which postfix doesn't particularly care about anyway), but only on the SASL provider's willingness to authenticate.

SASL does not provide for the ability to change passwords.

-- J.
Re: SASL:Connect to private/auth failed: Connection refused -- throttling
On 08/08/2013 05:10 PM, v.dimit...@synergetic.ag wrote:
> Hi List. Is there a way to ensure that the submission listener will not accept connections when dovecot is not running?

Dovecot is pretty much as stable as postfix itself. The real question, therefore, is: why is dovecot not running ?

For HA - or any kind of volume, really - you should be using LMTP to dovecot, so you can trivially loadbalance multiple dovecot backends, thus preventing dovecot from not running.

-- J.
Re: Migrate mail from one drive to another
On 08/06/2013 12:22 PM, Felix Rubio Dalmau wrote:
> Hi all, I have set up a postfix+dovecot mail server that stores all the mails under the /home mountpoint, and that has been working for half a year. Now I have bought a new disk and I'd like to move all the existing mail to this new location. How should I do it, without stopping the postfix service? I have figured out a strategy:
>
> a) ask postfix to hold every incoming mail in its queue (postsuper -h ALL)

That only works once, at that moment. You don't want that. In fact, keeping all incoming mail /in the incoming queue/ is exactly what you want.

> b) stop dovecot service
> c) move the mail folder into its new location
> d) update folder locations for postfix and dovecot
> e) restart service dovecot, reload postfix config and deliver enqueued mails (postsuper -r ALL)
>
> Do you think it can work?

Simply stop the queue manager and all incoming mail will stay in the queue:

# dovecot stop
# postconf -e master_service_disable=qmgr.unix
# postfix reload

Then move the mail store, tell postfix and dovecot where to find it, and start the services up again:

# postconf -e master_service_disable=
# postfix reload
# dovecot start

The queue will be processed immediately.

-- J.
Re: Alias to command not working
On 08/05/2013 02:35 AM, Sam Flint wrote:
> I have an alias to a command defined in my /etc/aliases file; anytime I send to it, I get this error:
>
> |postman...@flintfam.org (expanded from postman...@flintfam.org): user unknown

You are apparently *piping* a copy to a /recipient/. This does not seem to work.

-- J.
Re: postmulti behind NAT
On 07/21/2013 12:23 AM, /dev/rob0 wrote:
> On Sat, Jul 20, 2013 at 05:18:58PM -0400, Wietse Venema wrote:
>> /dev/rob0:
>>> The doubt in my mind about this is for mail truly destined to our hosted domains. It resolves to an Internet (not an internal) IP address which is in the MX instance's proxy_interfaces setting. We're in a DC and behind NAT, with that Internet IP address being NATed to this host. They don't have hairpin NAT set up, whereby if I try to connect to this NATed IP address it would go to the router and come back to me. I'm fine with that, actually; while that would solve the instant problem, it could be bad in other ways.
>>
>> An MTA should never connect to its own MTA address and port.
>
> Thanks for the reply. So how can I deliver mail from our users to our hosted domains? It's not connecting to its own port. The MSA has 587, the MX has 25. [127.0.0.1]:25 is my own IP address (from the POV of the MSA) but not my port.
>
>> That is what proxy_interfaces and inet_interfaces are for. It should be no problem to use an additional RFC 1918 address and set inet_interfaces.
>
> I guess that's the solution to this. The MSA can have 172.16.5.87 for example, and the MX can have 172.16.0.25 (both being in the same /16, that is.)

Why would you not allow submission to deliver to the hosted domains ? You can simply add the maps to the existing ones you use (if any).

-- J.
Re: Possibly deprecated parameters
On 07/19/2013 02:04 PM, Mgr. Peter Tuharsky, MsU Banska Bystrica wrote:
> Thank You, both were probably a typo. After correcting, Postfix stopped complaining. (Well, they were probably not so important, since postfix was running fine for 5 years now :-)

As documented, postfix 2.9 introduced main.cf checks for unused user-defined parameters. A typo in a real parameter will always match that test.

The typoed parameters were always ineffectual, since they don't exist, but your postfix versions pre-2.9 did not alert you to this fact.

-- J.
Re: Sending a lot of emails
On 07/19/2013 08:01 PM, Krzysztof Szarlej wrote:
> Because sendmail and postfix cannot run simultaneously

That refers to the postfix sendmail(1)-compatibility interface. It works even when postfix is not running.

> and I am using my email. Also my postfix is configured with ssl certs and it would look much more trusted than simple sendmail i think?

You've misunderstood what the certificate is for. The certificate is for your submission clients, to verify the identity of the postfix server, and to initiate TLS. It explicitly is NOT for remote servers to somehow trust your postfix *client*

> Correct me if i am wrong.

You're wrong :) Receiving MTAs don't use TLS, and they wouldn't care about your certificate's veracity if they did.

-- J.
Re: which type of list should I use ?
On 07/10/2013 04:04 PM, jeffrey j donovan wrote:
> On Jul 9, 2013, at 10:18 PM, jeffrey j donovan dono...@beth.k12.pa.us wrote:
>> Greetings, it's been a while since I have done this. I have an old server running a mail list. I have successfully relocated the list to a new server. What I need to do is re-route any message sent incorrectly to this list to the new server.
>>
>> message to -- listname@oldHost --- hits { smtp relay on smtpHost } some rewrite or alias / transport sends the message to -- listname@newHost.
>>
>> transport maps didn't seem to make sense, as when it arrived at the new host, the message would still say To: listname@oldHost, so newHost is going to throw it back. alias on the smtp relay said the alias had to be local, which made sense. What type of re-write do i need to perform this action? suggestions and flames welcome -j
>
> answering my own question okay,.. I set up a generic map on my smtp relay
>
> smtp_generic_maps = hash:/etc/postfix/generic
> listn...@host1.example.com listn...@host2.example.com
>
> when the message arrives it is delivered to host1 and host1 sends the message to host2. How can I get the smtp relay to not forward to host1 but deliver directly to host2. Do I need to setup transport also ?

Yes. The generic map only changes the address - it doesn't change where it is sent.

smtp_generic_maps is applied by the smtp(8) daemon, as its name indicates. It has already been queued and routed at that point, and the next-hop is fixed. The OVERVIEW may help: http://www.postfix.org/OVERVIEW.html

Use a transport_map to alter the next-hop before it is queued.

-- J.
Re: Right way to evaluate a Outbound Spam prevention product
On 07/01/2013 07:24 PM, Abhijeet Rastogi wrote:
> Hi all,
> - Currently, for outbound spam protection, I use a combination of header checks, rbls, and a commercial product that works as a milter.
> - Now, I need to evaluate another product which doesn't work as a milter. I've to authenticate via SSL to their SMTP server and relay all mails via them.
>
> The deal is to accurately determine which spam solution performs better. For that I'll need to duplicate traffic and send it to both, my local and this new spam solution. This is going to be tricky because I need the mail to be received only once at the recipient side (so can't use always_bcc) but I want it to be scanned via two different spam solutions.
>
> Can anyone guide me as to how do I proceed? What are the possible ways to achieve this? Thanks

If all this new solution will be doing is content scanning (as opposed to sender/recipient white/blacklisting, IP reputation, DNSBLs etc), simply always_bcc it to a blanket test@yourdomain, transport(5) it to the new filter, and then back to your own MTA, and devnull it there, or store it to see what was filtered.

A slightly more advanced implementation of the above would be a relay_domains with a regex'ed or localpart-only relay_recipient_maps to transcribe all recipients from user@originaldomain to user@test.originaldomain, and do the same as above.

Otherwise, not delivering duplicates will be a nigh-on impossible task, unless you are prepared to temporarily switch the solutions (with the new one becoming the active one) and discard your own copies. Note that this won't be any better than simply switching to the new solution.

Also note that having your email scanned in its entirety by a third party is not the most secure of implementations. To say the least.

-- J.
Re: Modify subject based on recipient
On 07/01/2013 08:09 PM, Daniel L. Miller wrote:
> On 6/28/2013 4:34 PM, Noel Jones wrote:
>> On 6/28/2013 5:39 PM, Daniel L. Miller wrote:
>>> Does anyone know of a tool that will let me modify the subject line of all emails that pass through it? I would call it via a transport map. My application - we just switched to a new email-to-fax service. As part of their security implementation (THEIRS, not mine!) they require all emails sent to them to contain our own fax number. I want to automate this step so I don't have to hear from my users.
>>
>> http://www.postfix.org/postconf.5.html#smtp_header_checks
>>
>> Add this to master.cf something like this: (or if you already use a custom master.cf transport, add the -o override to that entry)
>>
>> # master.cf
>> # fax_service is a copy of the smtp...smtp transport
>> fax_service ... smtp
>>   -o smtp_header_checks=pcre:/etc/postfix/smtp_fax_header
>>
>> # smtp_fax_header
>> /^Subject: / REPLACE Subject: fax from 555-1212
>
> That ALMOST works - thanks! The problem - I have to have SOMETHING in the subject otherwise it doesn't happen with this matching rule. Is it possible to ADD a Subject: header when none is present?

Again, in header_checks:

! /^Subject:/ Subject: This message had no subject so I'm adding one.

-- J.
Re: Modify subject based on recipient
On 07/01/2013 08:15 PM, Jeroen Geilman wrote:
> On 07/01/2013 08:09 PM, Daniel L. Miller wrote:
>> On 6/28/2013 4:34 PM, Noel Jones wrote:
>>> On 6/28/2013 5:39 PM, Daniel L. Miller wrote:
>>>> Does anyone know of a tool that will let me modify the subject line of all emails that pass through it? I would call it via a transport map. My application - we just switched to a new email-to-fax service. As part of their security implementation (THEIRS, not mine!) they require all emails sent to them to contain our own fax number. I want to automate this step so I don't have to hear from my users.
>>>
>>> http://www.postfix.org/postconf.5.html#smtp_header_checks
>>>
>>> Add this to master.cf something like this: (or if you already use a custom master.cf transport, add the -o override to that entry)
>>>
>>> # master.cf
>>> # fax_service is a copy of the smtp...smtp transport
>>> fax_service ... smtp
>>>   -o smtp_header_checks=pcre:/etc/postfix/smtp_fax_header
>>>
>>> # smtp_fax_header
>>> /^Subject: / REPLACE Subject: fax from 555-1212
>>
>> That ALMOST works - thanks! The problem - I have to have SOMETHING in the subject otherwise it doesn't happen with this matching rule. Is it possible to ADD a Subject: header when none is present?
>
> Again, in header_checks:
>
> ! /^Subject:/ Subject: This message had no subject so I'm adding one.

Oops - would that add a Subject header for every header that isn't Subject ?

-- J.
Re: postfix rejecting valid mail server
On 06/28/2013 11:50 PM, Téssio Fechine wrote:
> var/log/mail.log:Jun 28 18:25:43 rt-dq postfix/smtpd[4931]: NOQUEUE: reject: RCPT from unknown[209.85.219.66]: 450 4.7.1 Client host rejected: cannot find your hostname, [209.85.219.66]; from=tess...@gmail.com to=nti-ad...@quimica.ufpb.br proto=ESMTP helo=mail-oa0-f66.google.com
>
> Then, at this exact mail server machine:
>
> # nslookup 209.85.219.66

Please don't use nslookup. It has inherent flaws.

> So, postfix is complaining that cannot find your hostname, but the reverse DNS is working just fine. Any clue!?

reject_unknown_client_hostname will reject clients that fail the complete IP - PTR - IP lookup. If this is not what you desire, limit it to reject_unknown_REVERSE_client_hostname only.

-- J.
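The difference between the two restrictions is the forward-confirmation step: reject_unknown_reverse_client_hostname only asks whether the IP has a PTR, while reject_unknown_client_hostname also resolves that name back and requires the original IP among the answers. The following is an added example written for this thread (not Postfix code, not the poster's), using a constructed in-memory resolver with documentation addresses so it runs offline; the FakeResolver class and the verdict strings are this example's own inventions.

```python
import ipaddress
from typing import Dict, List, Optional

# Added example for this thread; not Postfix code.
# A constructed stand-in for DNS. A value of None marks a temporary lookup
# failure (SERVFAIL/timeout); an empty list marks a definite "no such record".
LookupTable = Dict[str, Optional[List[str]]]


class FakeResolver:
    def __init__(self, ptr: LookupTable, fwd: LookupTable):
        self._ptr, self._fwd = ptr, fwd

    def ptr(self, ip: str) -> Optional[List[str]]:
        return self._ptr.get(ip, [])

    def forward(self, name: str) -> Optional[List[str]]:
        return self._fwd.get(name, [])


def classify_client(ip: str, resolver) -> str:
    """Mirror the IP -> PTR -> A/AAAA -> IP check Postfix performs.

    Returns one of 'ok', 'no_reverse', 'reverse_unconfirmed', 'temp_failure'."""
    addr = ipaddress.ip_address(ip)
    names = resolver.ptr(ip)
    if names is None:
        return "temp_failure"
    if not names:
        return "no_reverse"              # no PTR record at all
    saw_temp = False
    for name in names:
        addrs = resolver.forward(name)
        if addrs is None:
            saw_temp = True              # cannot tell yet; try the other PTR names
            continue
        if any(ipaddress.ip_address(a) == addr for a in addrs):
            return "ok"                  # forward-confirmed reverse DNS
    return "temp_failure" if saw_temp else "reverse_unconfirmed"


def rejecting_restrictions(verdict: str) -> List[str]:
    """Which of the two smtpd restrictions would act on a client with this verdict."""
    if verdict == "ok":
        return []
    if verdict == "reverse_unconfirmed":
        # PTR exists, so the REVERSE variant is satisfied; only the full check rejects
        return ["reject_unknown_client_hostname"]
    # no PTR, or a lookup error that Postfix turns into a 4xx deferral: both act
    return ["reject_unknown_reverse_client_hostname", "reject_unknown_client_hostname"]


# Constructed resolver data using RFC 5737 documentation addresses.
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": ["mx.example.org"],     # PTR and A agree
        "192.0.2.20": ["mx.example.org"],     # PTR points at a name that resolves elsewhere
        "192.0.2.30": [],                     # no PTR
        "192.0.2.40": None,                   # reverse lookup times out
        "192.0.2.50": ["flaky.example.net"],  # PTR fine, forward lookup times out
    },
    fwd={"mx.example.org": ["192.0.2.10"], "flaky.example.net": None},
)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        v = classify_client(ip, RESOLVER)
        print(ip, v, rejecting_restrictions(v))
```

Note that the 450 in the poster's log does not by itself say which case occurred: unknown_client_reject_code defaults to 450 in Postfix, so a definite "reverse_unconfirmed" verdict is also answered with a 4xx unless that parameter has been raised to 550.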
Re: cert error on outlook when send email using ssl
On 06/29/2013 08:25 PM, kazabe wrote:
> Hi. I'm trying to use postfix with ssl. Now it is working, but I have a little situation with the Outlook clients. Every time they send an email, they see a message: "The name of the security certificate is invalid or does not match the name of the site"

Well, is it invalid ? Does it match the name of the site ? These things matter, for TLS. (You should not be using SMTPS)

> The message is sent after they accept the message, but the end users are afraid of this message.

So tell them not to be afraid! There are only a few things you can do to fix this situation: 1. provide a valid and trusted certificate (this will cost either effort or money), or 2. accept the way things are.

> I'm looking on google for how to solve it, but all the info is related to MS Exchange and I use postfix. Can you share some clues to solve it?

X.509 certificates are normally checked for 3 properties:

1. is it valid (i.e. does the current date lie between the valid-from and valid-to attributes of the certificate)?
2. does the CN (common name) attribute of the certificate correspond to the name of the server you're connecting to ?
3. is the issuer of this certificate trusted by the client ?

The first two are trivially corrected by you. The last one requires either that you get clients to trust your CA, or that you buy a certificate from a CA who is already trusted.

-- J.
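The three checks listed above, written out as code so the name-matching rules (the part admins most often get wrong) are explicit. This is an added example for this thread, not code from the poster or from Postfix: the certificate is a constructed dict rather than a parsed X.509 object, clients today match subjectAltName dNSNames before falling back to the CN, and the issuer check is reduced to a name lookup in a trust list where a real client verifies the chain's signatures up to a trust anchor.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Added example for this thread; not code from the poster or from Postfix.


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching.

    Comparison is case-insensitive, and a wildcard is honoured only as the whole
    left-most label: *.example.com matches mail.example.com but neither
    example.com nor a.b.example.com, and a bare *.com is never accepted."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert: Dict, server_name: str, trusted_issuers: List[str],
                      now: datetime) -> Dict[str, bool]:
    """Apply the three checks from the thread to a certificate described as a dict."""
    in_window = cert["not_before"] <= now <= cert["not_after"]
    # subjectAltName dNSNames take precedence; the CN is only a fallback
    names = cert.get("san") or [cert["subject_cn"]]
    name_ok = any(hostname_matches(n, server_name) for n in names)
    # Stand-in for chain verification: is the issuer one the client trusts?
    trusted = cert["issuer"] in trusted_issuers
    return {"valid_now": in_window, "name_matches": name_ok, "issuer_trusted": trusted}


# Constructed certificate data: a self-signed cert for mail.example.com.
SELF_SIGNED = {
    "subject_cn": "mail.example.com",
    "san": [],
    "issuer": "mail.example.com",          # self-signed: issuer == subject
    "not_before": datetime(2013, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2014, 1, 1, tzinfo=timezone.utc),
}
TRUSTED = ["Example Trusted CA"]            # constructed trust list
NOW = datetime(2013, 6, 29, 20, 25, tzinfo=timezone.utc)


def outlook_complaint() -> Dict[str, bool]:
    """The poster's situation: right name, in date, but nobody trusts the issuer."""
    return check_certificate(SELF_SIGNED, "mail.example.com", TRUSTED, NOW)


if __name__ == "__main__":
    print(outlook_complaint())
    print(check_certificate(SELF_SIGNED, "smtp.example.com", TRUSTED, NOW))
```

The first print reproduces the thread's situation (points 1 and 2 pass, point 3 fails); the second shows what a client reports when users were given a server name the certificate was never issued for, which is the other common cause of that Outlook dialog.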
Re: STARTTLS only to send ?
On 06/28/2013 01:33 PM, Roel Wagenaar wrote:
> Frank Bonnet frank.bon...@esiee.fr wrote:
>> Hello, is it possible to setup one instance of postfix to
>> 1 - use submission to let users send ( with STARTTLS )
>> 2 - receive emails with normal SMTP
>> thank you
>
> A quick search for "Postfix multiple instances" will give you a number of sites with examples or solutions. Google can be your FRIEND.

Except there is no need to set up multiple instances just to enable mail submission. Nor is it a good idea to use a random website for instructions. Many of them are wrong.

-- J.
Re: Local UNIX accounts, aliasing rejecting mail to non-public UNIX accounts
On 06/21/2013 09:57 PM, Craig R. Skinner wrote:
> On 2013-06-19 Wed 21:09 PM |, Viktor Dukhovni wrote:
>>> virtual_alias_maps.map:
>>> user.n...@example.com user1@localhost
>>>
>>> status=bounced (mail for localhost.example.com loops back to myself)
>>
>> You MUST include localhost.$mydomain in mydestination:
>>
>> mydestination = localhost.$mydomain
>>
>> Using virtual aliases to local accounts is the best approach.
>
> Thanks Viktor, this set up works with making the machine's domain name virtual for Postfix, accepting mail for pretty addresses, rejecting remote mail for MOST Unix accounts, while accepting local mail to Unix accounts IF listed as virtual aliases (mutt, sendmail, cron,):
>
> main.cf:
> myorigin = $mydomain
> mydestination = localhost.$mydomain

No. If the destination you use in virtual_alias_maps is @localhost, then THAT must be in mydestination. Postfix is quite literal.

mydestination = localhost
append_dot_mydomain = no

Or, if you wish to follow Viktor's advice, qualify all aliases with @localhost.$mydomain instead. But that's just more typing than I need.

> virtual_alias_domains = btree:$config_directory/virtual_alias_domains.map
>
> virtual_alias_domains.map:
> example.com virtual

Just specify it directly; this just complicates things for no reason.

virtual_alias_domains = example.com

> virtual_alias_maps.map:
> # hack to accept mail for postmaster/abuse@[ip.add.ress.es]

It's not a hack; it is documented behaviour. Also, omitting postmaster@* will not cause it to be rejected; this localpart is hardcoded to accept as per the RFCs. (You still have to alias it somewhere it can be delivered, of course)

> postmaster postmaster@localhost
> abuse postmaster@localhost
>
> # example.com:
> postmas...@example.com postmaster@localhost

Superfluous, see above.

> It seems the aliases file is not used.

Of course it is used, for any destinations in $mydestination. You did not put localhost in $mydestination.

-- J.
Re: 250-AUTH LOGIN PLAIN 250-AUTH=LOGIN PLAIN
On 06/20/2013 11:19 AM, Mohsen Pahlevanzadeh wrote:
> Dear all,
> when I use "telnet 0 587", I get the following result:
>
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> 220 mail.pahlevanzadeh.info ESMTP Postfix
>
> and when I use the EHLO command, I get the following result:
>
> ehlo localhost
> 250-mail.pahlevanzadeh.info
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> But I don't see the two following lines in the above:
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN

That could mean one of three things: either you have not enabled SASL on port 587, or you have set smtpd_tls_auth_only = yes on port 587, which prevents AUTH before TLS, or you have enforced TLS, which has the same effect.

From main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = inet:localhost:1023
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no

From your master.cf entry for submission:

submission inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt

It's reason #3: you enforce TLS on submission.

> I attached my main.cf and my master.cf. I have a newbie question: if I get a good result, should I run dovecot?

Dovecot serves several functions, two or three of which can be integrated with postfix. If you're using dovecot as your SASL provider, you're already running it.

> second question: how can I see the two lines in the smtp result?

You do not want to see those two lines before TLS. You can test an encrypted connection using the openssl s_client subcommand; you should see the AUTH entries after you have completed STARTTLS.

-- J.
Re: MySQL tables and official documentation
On 06/20/2013 03:04 PM, Mohsen Pahlevanzadeh wrote:
> Dear all,
> Unfortunately, I created my tables according to an older tutorial. I searched dovecot.org and postfix.org but I didn't find any official documentation for the tables. I want to use PF 2.10 and dovecot 2. That tutorial was written on debian etch. etch is very old.
> ---mohsen

http://www.postfix.org/MYSQL_README.html

Please avoid using random tutorials to configure postfix. The ones that are not plain wrong leave you without the requisite knowledge to fall back on.

-- J.
Re: Is this an attack?
On 06/19/2013 02:33 PM, Birta Levente wrote:
> On 19/06/2013 14:37, lst_ho...@kwsoft.de wrote:
>> Quoting Andreas Kasenides andr...@cymail.eu:
>>> One of my mail servers (postfix 2.6) has been the target of what seems to me to be an attack. The attacker tried to deliver messages to non-existent user names formed as a long hex string. It only happened once from one particular client and kept going for some time. SMTP sessions were coming in one every second with three delivery attempts each. Here is a fragment of one single session:
>>>
>>> Out: 220 prot..eu ESMTP Postfix
>>> In: EHLO xx
>>> Out: 250-prot..eu
>>> Out: 250-PIPELINING
>>> Out: 250-SIZE 1024
>>> Out: 250-VRFY

You really don't want to enable VRFY on a public mailserver; it only enables more spammers to abuse you. Set 'disable_vrfy_command = yes' in main.cf to globally disable it.

>>> Out: 250-ETRN
>>> Out: 250-ENHANCEDSTATUSCODES
>>> Out: 250-8BITMIME
>>> Out: 250 DSN
>>> In: MAIL FROM:x...@xx.xxx.xx SIZE=2881 BODY=7BIT
>>> Out: 250 2.1.0 Ok
>>> In: RCPT TO:35150aa4c74ba30f04ede17ca25f1...@.yy
>>> Out: 451 4.3.0 35150aa4c74ba30f04ede17ca25f1...@.yy: Temporary lookup failure

This means postfix attempted to verify if the recipient is valid, but failed to do so. Something is broken in your setup; either you have a broken non-hashed map, or you're misaddressing a networked service like LDAP or SQL. If *you* never come across this error normally, this is probably a later entry, for fallback, which you never reach with valid recipients. As instructed when you joined this list, provide non-verbose logs of one message, and the output of postconf -n.

>> All of this should be rejected by 5xx, am I wrong?

By default, yes - IF postfix ever got that far. This is either a name lookup failure (indicating a problem with DNS), or a map failure, indicating one of the above.

>> And I think this temporary lookup failure is not ok
>
> Show some log...

Yes he should...

-- J...
Re: Local UNIX accounts, aliasing rejecting mail to non-public UNIX accounts
On 06/19/2013 05:55 PM, Stan Hoeppner wrote: On 6/19/2013 10:16 AM, Wietse Venema wrote: Craig R. Skinner: On 2013-06-19 Wed 06:51 AM |, Stan Hoeppner wrote: On 6/19/2013 6:11 AM, Craig R. Skinner wrote: What happens when you try mydestination = That's something I didn't think of trying. Either blank, or with localhost: status=bounced (User unknown in virtual alias table) This suggests that you had the domain name listed in both mydestination and in virtual_alias_domains. Now you also need to remove the domain name from virtual_alias_domains, in order to make that error go away. Until now Postfix will have logged numerous warnings with do not list domain X in both mydestination and virtual_alias_maps to remind you of a configuration error. Maybe it should just abort deliveries, that might get people's attention. Wietse I'm anything but an expert in this particular area of Postfix, but I think the problem is that Craig is trying to use virtual_alias_maps when he should probably just be using the local aliases file. His Postfix hosts a single mail domain IIUC. He's simply wanting to create alias addresses presented to the public for each local UNIX mailbox address. Additionally he wants to reject any inbound mail destined for the actual local UNIX addresses, as well as system/role accounts. These last two are straightforward. Indeed they are: mydestination = localhost virtual_alias_domains = $his_mx_domain(s) And map every valid recipient to user@localhost. -- J.
Re: Is this an attack?
On 06/19/2013 07:32 PM, Wietse Venema wrote: Ansgar Wiechers: On 2013-06-19 Jeroen Geilman wrote: Zitat von Andreas Kasenides andr...@cymail.eu: Out: 250-VRFY You really don't want to enable VRFY on a public mailserver; it only enables more spammers to abuse you. Set 'disable_vrfy_command = yes' in main.cf to globally disable it. Not really. Aside the fact that there are other ways to verify an address, I get a single VRFY every other month on my mail server. In my experience most spammers don't actually care if an address is valid or not and blindly throw their crap at everything that looks at least remotely like a mail address. I agree. Technically, VRFY is implemented as RCPT TO without all the baggage of a mail transaction. The difference is that smtpd_client_recipient_rate_limit does not apply to VRFY, but that is easily fixed (I just copied some code from the RCPT TO handler). Wietse I seem to remember that allowing VRFY meant spammers could brute-force valid recipients; perhaps this was long ago and it is no longer true. -- J.
Re: Differentiate emails depending on originating server
On 06/17/2013 11:56 AM, Ashay Chitnis wrote:
> Hi All, I wanted to differentiate the incoming emails depending on whether they are generated by the same server postfix

Mail can be submitted locally in several ways; smtp is usually not the most prevalent way. sendmail(1) submission is not subject to any of the smtpd_*_restrictions tests, so this is hard to implement there. You could set up a second postfix instance and relay all sendmail-submitted email through that, but this does not make for a particularly manageable system as there will be a lot of duplication of effort.

> (e.g. NDR)

Why do you want bounces to be handled separately ? I suspect a scheme to not send bounces. This is a Bad Idea; you should always send (valid) bounces. If you wish to not send bounces for mail you accepted, don't accept the mail to begin with. Proper configuration of smtpd_*_restrictions is key. You may also want to consider not allowing user sendmail(1) submission at all (it is usually required for system-generated mail); instead, use the standard submission mechanism for all locally-submitted mail.

> or being delivered to it by some smtp client. Is there an easy way to relay all mails generated through postfix to a different custom transport rule while saving the general emails coming through other smtp clients which will use the general rules on postfix.

If you require valid (i.e. postfix-controlled) sender addresses on submission, then you can use sender_dependent_default_transport_maps for this purpose. If you don't, there really is no sane way to enforce this.

> We use postfix 2.9 for our systems.

That has all of the above functionality.

-- J.
Re: Investigating iPhone Compatibility
On 06/18/2013 12:15 AM, Asai wrote: Would it follow then that I should remove the smtp_sasl_mechanism_filter from main.cf? Would that be causing clients to try to connect via port 25 even though they're set to connect to 587? ...what makes you think these things are related in any way ? It is the *client* that decides where to connect to. -- J.
Re: STARTTLS not announced?!
On 06/15/2013 12:13 PM, Benny Pedersen wrote:
> Jan Kohnert wrote on 2013-06-15 10:57:
>> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
>
> do i need to tell it in --verbose ? starttls has nothing to do with auth, just because this option has tls and auth in one line does not make tls/ssl needed to make auth work

Quoted from the above documentation:

smtpd_tls_auth_only (default: no)
When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.

In other words, yes, setting this option in conjunction with smtpd_tls_security_level = may *requires* TLS in order to AUTH. smtpd_tls_security_level = encrypt means the server will *reject* any commands that are not STARTTLS, until a TLS connection has been established. This includes AUTH.

-- J.
Re: problem sending some email from mailman
On 06/14/2013 11:08 PM, Ben Greenfield wrote:
> Hey All,
>
> Please excuse my loose terminology in the following description as I barely know what I'm doing. I have a strange problem where I'm unable to send some mail from mailman using a postfix installation on the same host. I have postfix mail_version 2.8.4. I have users authenticating and sending mail no problem. I have mailing lists set-up and working no problem. We have our dsl through verizon with a static ip and we have been relaying our mail through outgoing.verizon.net. I tried to send 1662 emails which did not send and are currently waiting in mailman/qfiles/retry. I think what happened is verizon said no way and rejected all the emails. Here is the error that is being generated by the emails waiting to be sent:
>
> Jun 14 17:00:16 services postfix/smtpd[28663]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 ka...@sonnassociates.com: Relay access denied; from=news-boun...@services.calder.org to=ka...@sonnassociates.com proto=ESMTP helo=services.calder.org

Your postfix server is refusing to relay mail for this domain. This means the client is not in mynetworks, or did not AUTH, or the destination is not in relay_domains.

> I know that the reverse lookup for my mail server is currently incorrect. I'm waiting for the update to be made and trying to make sure it is not something else.

It is not that to begin with; no external sources are involved.

> Is that the problem?

Nope. YOUR postfix server is refusing to relay mail to those destinations.

> While reading the table in the SMTPD_ACCESS_README on the website I don't find an exact match "RCPT from", only "RCPT TO" in the "Effect of Reject" column.

I could not parse that.

> I guess the first question is once my reverse dns is corrected will my mail likely work?

Definitely not, as the problem is not related to it.

> Any other insight that can be shed on any of the above would be appreciated.

As mentioned when you joined this list, please provide the output of postconf -n, and the logs for at least one entire message, not just some snippet.

-- J.
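The three conditions named above (client in mynetworks, SASL-authenticated, or destination the server is responsible for) are the default relay policy, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, evaluated in that order. The script below is an added example for this thread, not Postfix code and not the poster's configuration; it models that policy and uses constructed example.* domains. It shows the one detail the log line hints at: the client is localhost[::1], so a mynetworks that lists only 127.0.0.0/8 does not cover it, and Mailman's IPv6 loopback connection is refused as an unauthorized relay.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example for this thread; not Postfix code.


def _parse_network(entry: str):
    """mynetworks entries may be written as 10.0.0.0/8, 10.0.0.1, or [::1]/128."""
    return ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)


def in_mynetworks(client_ip: str, mynetworks: List[str]) -> bool:
    addr = ipaddress.ip_address(client_ip)
    # an IPv6 address is never "in" an IPv4 network, so "::1" needs its own entry
    return any(addr in _parse_network(n) for n in mynetworks)


def relay_decision(client_ip: str, sasl_authenticated: bool, rcpt_domain: str,
                   cfg: Dict[str, List[str]]) -> Tuple[str, str]:
    """Model of: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination.

    Returns (action, reason). Subdomain matching for relay_domains is not modelled."""
    if in_mynetworks(client_ip, cfg.get("mynetworks", [])):
        return "permit", "permit_mynetworks"
    if sasl_authenticated:
        return "permit", "permit_sasl_authenticated"
    # reject_unauth_destination: the recipient domain must belong to one of the
    # address classes this server accepts mail for
    dom = rcpt_domain.lower()
    for cls in ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains", "relay_domains"):
        if dom in (d.lower() for d in cfg.get(cls, [])):
            return "permit", "authorized destination (%s)" % cls
    return "reject", "554 5.7.1 Relay access denied"


# Constructed configuration resembling the poster's setup: the list host is the
# only local domain and nothing outside it is a relay destination.
LIST_HOST = {
    "mynetworks": ["127.0.0.0/8"],          # IPv4 loopback only
    "mydestination": ["example.com", "localhost"],
    "relay_domains": [],
}


def mailman_without_ipv6_loopback() -> Tuple[str, str]:
    """Mailman connects from ::1 and addresses a subscriber at another domain."""
    return relay_decision("::1", False, "example.net", LIST_HOST)


def mailman_with_ipv6_loopback() -> Tuple[str, str]:
    """Same connection after adding [::1]/128 to mynetworks."""
    cfg = dict(LIST_HOST, mynetworks=["127.0.0.0/8", "[::1]/128"])
    return relay_decision("::1", False, "example.net", cfg)


if __name__ == "__main__":
    print(mailman_without_ipv6_loopback())
    print(mailman_with_ipv6_loopback())
```

In Postfix 2.8 these three restrictions live in smtpd_recipient_restrictions; from 2.10 on they are the default value of smtpd_relay_restrictions. Either way the order matters: a client that is neither in mynetworks nor authenticated falls through to reject_unauth_destination, and the log then reads exactly like the line quoted above. Whether the fix is adding [::1]/128 to mynetworks or pointing Mailman at the IPv4 loopback address is a policy choice; the decision logic is the same.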
Re: 550 Action not taken
On 06/13/2013 09:02 PM, Ravindra Gupta // Viva wrote:
> Dear Wietse,
> So how will we resolve the issue. Please let me know your valuable suggestion.

As your log clearly shows, the OTHER SIDE of the SMTP conversation tells you this. If this other side is a receiving SMTP *server*, then they are rejecting your message. If, as Wietse suggested, the other side is a virus/spam gateway on YOUR side, then this gateway is broken or misconfigured in some way (since it should probably not reject your own messages.) Regardless, it is a proper 5xx response, telling postfix to bounce the message. Only the OTHER SIDE can shed light on whether or not this was in error, or in fact the desired outcome.

> On Fri, Jun 14, 2013 at 12:26 AM, Wietse Venema wie...@porcupine.org wrote:
>> Ravindra Gupta // Viva:
>>> Jun 12 20:29:27 ems31 postfix/smtp[1816]: CC78D22400E: to=test.example.com, relay=imap.eemail.example.com[10.0.0.125]:25, delay=0.86, delays=0.01/0/0.42/0.42, dsn=5.0.0, status=bounced (host imap.eemail.example.com[10.0.0.125] said: 550 Action not taken (in reply to end of DATA command))
>>
>> Are your SMTP connections intercepted by an anti-virus system?
>>
>> Wietse

-- J.
Re: question about postfix queue scheduler
On 06/08/2013 08:17 PM, Wietse Venema wrote:
> Jeroen Geilman:
>> On 06/04/2013 02:20 PM, Erwan David wrote:
>>> On Tue, Jun 04, 2013 at 01:44:46PM CEST, Tom Hendrikx t...@whyscream.net said:
>>>> On 06/04/2013 01:22 PM, Antonio Gutiérrez Mayoral wrote:
>>>>> Hi Wietse, Yes, it's a solution, but these emails should be delivered in business time :-( (it doesn't matter if it takes 2 hours... but in business time...) thank you so much!
>>>>
>>>> You could run a script as a cronjob that queues x messages when the active queue contains (100 minus x) messages (where 100 is an arbitrary number). This means that all mails on HOLD trickle out as quick as possible, while not overloading the active queue...
>>>
>>> It means when the queue has 100 messages, you stop sending anything ?
>>
>> You could check the headers for identifying features (maybe the list ID, or a subject part, or...whatever works), and instantly DEFER them. This will put all messages in the deferred queue, guaranteeing they won't choke incoming: if the deferred queue is not empty, one message will be taken from incoming and deferred, in turn.
>
> Currently the queue manager can group recipients into jobs when they share the same queue file, and uses that to prevent a limited number of many-recipient messages from blocking later email with fewer recipients. The fix would be to group recipients into jobs based on the sender attribute (or size, or whatever) and apply similar logic to prevent a limited number of messages from one sender from blocking later email from other senders (or to prevent large messages from blocking later messages that are smaller in size). However if one sender manages to saturate the queue then it will take time before other email gets a chance to be scheduled.
>
> Wietse

I thought the queue manager took one message each from deferred and incoming if deferred is not empty, keyed on the destination next-hop (resulting in one virtual queue per destination); this allows one to manipulate the way messages are queued by limiting the number of recipients per message. If he can just use a transport with a single-recipient limit to send his newsletter to, that would take care of the blockage, wouldn't it ? The queue manager doesn't combine multiple queue messages AFAIK, so even if there are hundreds of large single-recipient messages with the same next-hop in the deferred queue, it would only take one message (plus its one recipient) every time, and a single message from incoming after that.

-- J.
Re: How to check client certifications?
On 06/12/2013 03:02 PM, Peter Bauer wrote: I got a connection from someone with a client certification: Received: from foo.bar (foo.bar [10.0.0.1]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN mail.foo.bar, Issuer StartCom Class 1 Primary Intermediate Server CA (not verified)) by myserver.com (Postfix) with ESMTPS id 62A9141C05A4 for m...@myserver.com; Wed, 12 Jun 2013 14:46:07 +0200 (CEST) My problem is the following entry in the header: - (not verified) I would like to verify the fingerprint of this client certificate of the incoming connection. At least it would be fine if the certificate could be checked. I have not found any option how to tell postfix to check client connection certificates (I mean incoming TLS connections). How can I check the certificate of the incoming email? By fingerprint would be nice. And I would like to refuse it if check fails. http://www.postfix.org/TLS_README.html#server_vrfy_client -- J.
Re: question about postfix queue scheduler
On 06/04/2013 02:20 PM, Erwan David wrote:
> On Tue, Jun 04, 2013 at 01:44:46PM CEST, Tom Hendrikx t...@whyscream.net said:
>> On 06/04/2013 01:22 PM, Antonio Gutiérrez Mayoral wrote:
>>> Hi Wietse, Yes, it's a solution, but these emails should be delivered in business time :-( (it doesn't matter if it takes 2 hours... but in business time...) thank you so much!
>>
>> You could run a script as a cronjob that queues x messages when the active queue contains (100 minus x) messages (where 100 is an arbitrary number). This means that all mails on HOLD trickle out as quick as possible, while not overloading the active queue...
>
> It means when the queue has 100 messages, you stop sending anything ?

You could check the headers for identifying features (maybe the list ID, or a subject part, or...whatever works), and instantly DEFER them. This will put all messages in the deferred queue, guaranteeing they won't choke incoming: if the deferred queue is not empty, one message will be taken from incoming and deferred, in turn.

-- J.
Re: monitoring with Icinga?
On 06/02/2013 06:55 PM, Erwan David wrote:
> On 02/06/2013 18:12, Wietse Venema wrote:
>> Lars Nielsen:
>>> Sun, 02 06 2013 at 12:14 -0300, Mike wrote:
>>>> On 13-06-02 11:52 AM, Lars Nielsen wrote:
>>>>> Hey List, What is the most common solution to monitoring your postfix mailservers? I use Icinga and Munin. Is there a good integration to these?
>>>>
>>>> That really depends on what you want to monitor about them. What are they used for?
>>>
>>> My primary use is to receive emails for my domains. Next I want to relay general emails for a limited amount of authenticated users.
>>
>> Then, I suppose the appropriate test would send test email messages into the SMTP port, and raise an alert when some test message does not reach its destination within a suitable time limit. For example, periodically send email to mailboxname+timest...@example.com, and parse the to=mailboxname+timest...@example.com and status=delivered out of the logfile record stream.
>>
>> Wietse
>
> This kind of monitoring is usually done with a tool named "user". This tool will phone you less than a minute after the system has a malfunction.

Very droll, but not realistic. The outages you want to detect are 3-hour queue buildups at 2 AM on a Sunday due to a database problem, or outgoing SMTP failing. On a busy server, such an outage could mean a server overload. That is why you want to test the entire mail flow, not just queues or incoming mail.

-- J.

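The end-to-end probe Wietse sketches, as an added example for this thread (not code from the posters, Postfix or Icinga): the probe's own send time is carried in the address extension, the log stream is searched for the matching to= record, and a probe that is older than the allowed delay without a final status is reported. The log lines are constructed; real Postfix delivery records carry status=sent, so the parser looks for that rather than the "delivered" wording in the post. The mailbox name "monitor" and the example.com domain are assumptions of this example.

```python
import re
from typing import Dict, Iterable, List

# Added example for this thread; not code from Postfix, Icinga or the posters.

# Match a delivery record for an address of the form  mailbox+<epoch>@domain
PROBE_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<local>[^+>]+)\+(?P<stamp>\d+)@(?P<domain>[^>]+)>,.*?status=(?P<status>\w+)"
)


def delivered_probes(log_lines: Iterable[str], mailbox: str, domain: str) -> Dict[int, str]:
    """Map each probe's send timestamp to the latest status logged for it."""
    seen: Dict[int, str] = {}
    for line in log_lines:
        m = PROBE_RE.search(line)
        if m and m["local"] == mailbox and m["domain"] == domain:
            seen[int(m["stamp"])] = m["status"]   # a later record overrides an earlier one
    return seen


def overdue_probes(sent_stamps: Iterable[int], log_lines: Iterable[str], now: int,
                   max_delay: int, mailbox: str = "monitor", domain: str = "example.com") -> List[int]:
    """Probes sent at these epoch stamps that still have no status=sent record
    although more than max_delay seconds have passed; a non-empty list is an alert."""
    done = delivered_probes(log_lines, mailbox, domain)
    return [s for s in sent_stamps if done.get(s) != "sent" and now - s > max_delay]


# Constructed log lines in Postfix's format (not taken from any real server).
LOG = [
    "Jun  2 18:11:01 mx postfix/local[4021]: 3B2F1C0A12: to=<monitor+1370189460@example.com>, "
    "relay=local, delay=0.8, delays=0.5/0.1/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)",
    "Jun  2 18:12:34 mx postfix/smtp[4030]: 8C11DC0A13: to=<monitor+1370189520@example.com>, "
    "relay=mail.example.net[192.0.2.25]:25, delay=32, delays=0.1/0/30/2, dsn=4.4.1, "
    "status=deferred (connect to mail.example.net[192.0.2.25]:25: Connection timed out)",
    "Jun  2 18:12:35 mx postfix/smtp[4031]: 1F00AC0A14: to=<other@example.com>, "
    "relay=mail.example.net[192.0.2.25]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 OK)",
]
SENT = [1370189460, 1370189520, 1370189580]   # one probe per minute, epoch seconds


def demo_alert(now: int = 1370189700) -> List[int]:
    """Probes more than 60 s old without a sent record: the deferred one and the unseen one."""
    return overdue_probes(SENT, LOG, now=now, max_delay=60)


if __name__ == "__main__":
    print(delivered_probes(LOG, "monitor", "example.com"))
    print(demo_alert())
```

Feeding this the same log window on each check run is what turns the post's "3-hour queue buildup at 2 AM" into an alert within one probe interval plus max_delay, and because the probe traverses smtpd, the queue and a delivery agent it also catches the outgoing-SMTP failures and database stalls that queue-length checks alone miss.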
Re: Is it time for 2.x.y - x.y?
On 06/01/2013 03:42 PM, Ove Evensen wrote: I would say keep it as normal. 2.9 and then 2.10. If you can not see the difference between 2.1 and 2.10 you should not use postfix. Period! Regards Ove Jk. Evensen Original message From: Linux Addict linuxaddi...@gmail.com Date: 01/06/2013 14:02 (GMT+00:00) To: Len Conrad lcon...@go2france.com Cc: postfix-us...@cloud9.net The list address is postfix-users@postfix.org. Please don't mess with my message sorting filters :) -- J.
Re: Challenges of an internal relay server
On 05/31/2013 10:53 PM, Jason Price wrote:
> Background: Internal Mail Relay server. Connections from the internet are not possible. The vast majority of messages are going to Google Apps.
>
> Problem one: How to properly 'blacklist' certain To: addresses.

With a blacklist in the form of a check_recipient_access map: http://www.postfix.org/access.5.html

> I am currently using:
>
> header_checks = pcre:/etc/postfix/header_checks

Don't do this. Headers are trivially forged, and should never be used to make routing decisions.

> /^To: et...@aa.com/DISCARD

Even worse; now your users won't know the mail was destroyed. Since it's all internal, sending them a bounce or reject is perfectly fine. With an access(5) map, their client will instantly tell them it failed, so they can correct it.

-- J.
Re: Virtual User Aliases
On 05/29/2013 11:26 AM, Simon B wrote: On 28 May 2013 20:35, Viktor Dukhovni postfix-us...@dukhovni.org wrote: On Tue, May 28, 2013 at 08:22:56PM +0200, Simon B wrote: On 28 May 2013 19:34, Viktor Dukhovni postfix-us...@dukhovni.org wrote: On Tue, May 28, 2013 at 07:25:02PM +0200, Simon B wrote: On 28 May 2013 18:33, Benny Pedersen m...@junc.eu wrote: Simon B skrev den 2013-05-28 17:33: May 27 23:30:17 mail postfix/pipe[16721]: 57FF6C8C033: to=p...@example.co.uk, relay=dovecot, delay=2, delays=2/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot se rvice) Virtual alias rewriting is performed by cleanup(8) per the override flags passed from smtpd. Since this address was not rewritten, and what changed recently is a newly disabled filter. Despite reports to the contrary the problem is receive_override_options or last resort a cleanup service with master.cf overrides for virtual_alias_maps, ... I know you're right. I just can't find it and I'd rather not rip things out in trial and error. I'll keep digging.. At the very least run postfix reload, or even stop/start perhaps master.cf does not match run-time reality. You can also briefly run cleanup -v to see what cleanup is doing with rewriting and what flags it receives from smtpd. Okay, so now this is really odd. I had previously issued postfix reload, but for safety, I now issued the stop/start after adding -v to cleanup. No extra detail in the logs and the alias is still not expanded. That's not right, surely? Indeed, that is not right; cleanup -v produces /dozens/ of log lines for a single message. Make sure you're editing the right configuration. Replace the -v with something invalid, like -@, and reload. If that does not complain, you're not editing the right config. -- J.
Re: custom content_filter script: set a specific error code and reject the message
On 05/15/2013 07:06 PM, nik600 wrote:
> dear all
>
> i'm using a content_filter param in master.cf to make some custom checks on mail content and recently also on mailbox quota size. I know that some patches exist to handle that (vda or others) but i need to handle this feature without any impact on the postfix-standard installation, so i've only added a check into my script and all works correctly.
>
> To make a test i've made a very simple filter script that refuses all messages:
>
> #!/bin/bash
> EX_TEMPFAIL=75
> EX_UNAVAILABLE=69
> echo Mailbox is over size limit; exit $EX_UNAVAILABLE;
>
> The message is correctly rejected and the original sender receives an error reporting the reason:
>
> Final-Recipient: rfc822; f...@foo.com
> Original-Recipient: rfc822; f...@foo.com
> Action: failed
> Status: 5.3.0
> Diagnostic-Code: x-unix; Mailbox is over size limit
>
> I only want to change the error-code to 552 5.2.2 (this should be the correct error code, right?), is it possible to do that?

Not from within a content_filter, no. That merely reports success or failure back to the invoker (postfix), which then sends the appropriate SMTP status code back to the client. Postfix has (as yet) no mapping for $arbitrary_scenario - $smtp_statuscode. You'd have to insert an SMTP pre-queue (or proxy) filter in the mail chain to influence SMTP status codes: http://www.postfix.org/FILTER_README.html

-- J.
Re: postscreen_dnsbl_sites
On 5/3/2013 9:33 PM, Robert Lopez wrote: If in /etc/postfix/dnsbl_reply file there is a line: the-authorization-key-was-here.zen.dq.spamhaus.net http://the-authorization-key-was-here.zen.dq.spamhaus.net zen.dq.spamhaus.org http://zen.dq.spamhaus.org And in main.cf http://main.cf there is the line: postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply Should the line in main.cf http://main.cf for postscreen_dnsbl_siter = use the long name with the key in it or the short reply name? The one that produces a valid response; if you have a spamhaus subscription, that would be the long one, with your authorization. Does it matter what the short name returned is; that is could I use zen.spamhaus.org http://zen.spamhaus.org just to keep it shorter? It's text, in a text response. It can be whatever makes you happy. -- J.
Re: Mismatch virtual_alias_maps
On 05/01/2013 11:17 AM, b...@systron.de wrote:
> Hello list.
>
> This is not working:
> user1@host1 sends mail to userX@host2
>
> Intention: userX@host2 incoming forwarding to user2@host1
>
> host2 virtual_alias_maps:
> @host1 user1@host1
> @host2 user2@host1

Don't blindly use catch-alls; see below for why.

> But user1@host1 receives back his email with origin userX@host2

virtual_alias_maps is recursive; lookups are performed until the result no longer matches a lookup key, or the input is equal to the output. In your case: RCPT TO userX@host2 is rewritten by virtual_alias_maps to user2@host1. The new recipient is again matched and rewritten to user1@host1. At this point virtual_alias_maps stops expanding, since it will keep resolving to user1@host1; single-level loop detection is built in.

> This runs after a lot of trials:
>
> host2 virtual_alias_maps:
> @host2 user2@host1

Which begs the question why you have a host2 at all.

> postfix Version: 2.7.1-1+squeeze1
>
> The logic of virtual_alias_maps selects the entry of virtual_alias_maps by the sender, I assume.

No, virtual_alias_maps does not affect nor act upon the SENDER address. Whatever problem you are trying to solve, it is much better served by judicious use of transport_maps and/or unfscking your MX setup.

-- J.
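The recursion described above, traced in code. This is an added example written for this thread, not Postfix code: it implements the two lookup forms that matter here (user@domain first, then the @domain catch-all, with a bare @otherdomain result keeping the original user part) and the two stop conditions J names (no matching key, or a result equal to its input), plus a recursion limit standing in for virtual_alias_recursion_limit. Comma-separated multi-address results and the bare "user" lookup form are deliberately left out.

```python
from typing import Dict, List, Optional, Tuple

# Added example for this thread; not Postfix code.


def lookup(address: str, table: Dict[str, str]) -> Optional[str]:
    """One virtual(5) lookup: the full address first, then the @domain catch-all."""
    user, _, domain = address.partition("@")
    if address in table:
        return table[address]
    catch_all = table.get("@" + domain)
    if catch_all is None:
        return None
    # "@host2  @host3" style entries keep the user part; full addresses replace it
    return user + catch_all if catch_all.startswith("@") else catch_all


def expand_virtual_alias(address: str, table: Dict[str, str],
                         limit: int = 1000) -> Tuple[str, List[str]]:
    """Expand recursively until no key matches or the result equals its input.

    Returns (final recipient, chain of rewrites in order)."""
    chain = [address]
    current = address
    for _ in range(limit):
        nxt = lookup(current, table)
        if nxt is None or nxt == current:   # the two stop conditions from the thread
            return current, chain
        chain.append(nxt)
        current = nxt
    raise RuntimeError("virtual_alias_recursion_limit exceeded for %s" % address)


# The poster's two tables, as shown in the thread.
BROKEN_HOST2_TABLE = {"@host1": "user1@host1", "@host2": "user2@host1"}
FIXED_HOST2_TABLE = {"@host2": "user2@host1"}


def trace_broken() -> Tuple[str, List[str]]:
    """userX@host2 -> user2@host1 -> user1@host1, then stuck on user1@host1."""
    return expand_virtual_alias("userX@host2", BROKEN_HOST2_TABLE)


def trace_fixed() -> Tuple[str, List[str]]:
    """Without the @host1 catch-all the expansion stops at user2@host1."""
    return expand_virtual_alias("userX@host2", FIXED_HOST2_TABLE)


if __name__ == "__main__":
    print(trace_broken())
    print(trace_fixed())
```

Running it prints the chain ['userX@host2', 'user2@host1', 'user1@host1'] for the original table, which is why user1 got the message back: the @host1 catch-all swallowed the intended forwarding target. A catch-all whose domain also appears on the right-hand side of the same table is the pattern to look for when a virtual alias "loops".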
Re: OT - mail archive
On 04/25/2013 08:56 PM, John Allen wrote: I realize that this is off topic, but as there are more email experts assembled here than any where else I know of I have a couple of users who are using their maildir as online storage for emails (current and archival). They have done this on their own and are prepared to live with some of the limitations. What perceived limitations ? IMAP stores in maildir format scale quite well; pretty much the only limitation is storage I/O. If you mean you want a more efficient mailstore, you can look into dbmail or dbox storage (the former is a mysql mailstore and IMAP server; the latter is a newer mailstore format supported by dovecot, among others.) However, I think there must be a better way of doing this, A better way of doing *what* ? What problem do you want to solve? preferably one that could also be used to store non-mail documents, provides search etc, WAN accessible. How is that related to users who use their IMAP mailstore as a.. mail store ? IMAP tends to be accessible from the outside in any case, and any MUA worth its salt can search. I have looked at a few things, but all of them seem to have problems. What things would those be ? You're not giving us much to go on, here. -- J.
Re: Postscreen DNSBL Sites
On 04/24/2013 11:23 PM, Steve Jenkins wrote:

> On Tue, Apr 23, 2013 at 12:41 PM, /dev/rob0 r...@gmx.co.uk wrote:
>
>> With those restrictions, you could just as well raise the corresponding postscreen_dnsbl_sites scores to 3 for each. ISTM that you're missing the point of scoring. Yes, as I mentioned, Zen and (for most domains) BRBL listings are good enough for outright rejection, but I would not do that for Spamcop nor PSBL. Both of those are driven by automated processes which could result in false positives.
>
> Thanks - I see that now. My smtpd_recipient_restrictions now include these as the final config options before permit:
>
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,

These make any deviation in scoring for zen and barracuda in POSTSCREEN irrelevant. The reject_rbl_client results are not weighted; they're fail/pass. I'd just remove them here.

(You still don't have the hang of scoring.)

-- J.
Re: sender_dependent_relayhost_maps Syntax
On 04/19/2013 03:17 PM, awingnut wrote:

> On 4/19/2013 8:30 AM, Reindl Harald wrote:
>
>> On 19.04.2013 14:25, awingnut wrote:
>>
>>> I have a series of user names that need to be relayed through a server other than the default. It is not clear from the documentation if wild cards are allowed but it appears they are not
>>
>> no and wildchars in case of mail are generally a bad idea
>>
>>> If that is true then I need to list each one individually. However, I am also using generic mapping and again it is not explained in the documentation which address needs to be in the relay maps file, the local address vs. the translated address. Can someone please clarify? Thanks.
>>
>> what additional mapping? we are using sender_dependent_relayhost_maps to allow specific senders which are not hosted on our server and relay them to the customer's MTA with the user's login/password without rewriting anything
>
> Thanks for the reply. I kind of figured wildcards were out. As to what other mapping, I'm talking about smtp_generic_maps. If the local user name is xyz...@mydomain.com and it is mapped to 123...@somedomain.com, which goes into the relayhosts file?

smtp_generic_maps is consulted by the postfix smtp(8) program, when sending mail out.
sender_dependent_relayhost_maps is consulted when incoming mail is queued.

Ergo, you should match the original sender.

For an overview of the postfix mail system, see: http://www.postfix.org/OVERVIEW.html

-- J.
Re: sender_dependent_relayhost_maps Syntax
On 04/21/2013 05:06 PM, awingnut wrote:

> On 4/21/2013 10:50 AM, Jeroen Geilman wrote:
>
>> On 04/19/2013 03:17 PM, awingnut wrote:
>>
>>> On 4/19/2013 8:30 AM, Reindl Harald wrote:
>>>
>>>> On 19.04.2013 14:25, awingnut wrote:
>>>>
>>>>> I have a series of user names that need to be relayed through a server other than the default. It is not clear from the documentation if wild cards are allowed but it appears they are not
>>>>
>>>> no and wildchars in case of mail are generally a bad idea
>>>>
>>>>> If that is true then I need to list each one individually. However, I am also using generic mapping and again it is not explained in the documentation which address needs to be in the relay maps file, the local address vs. the translated address. Can someone please clarify? Thanks.
>>>>
>>>> what additional mapping? we are using sender_dependent_relayhost_maps to allow specific senders which are not hosted on our server and relay them to the customer's MTA with the user's login/password without rewriting anything
>>>
>>> Thanks for the reply. I kind of figured wildcards were out. As to what other mapping, I'm talking about smtp_generic_maps. If the local user name is xyz...@mydomain.com and it is mapped to 123...@somedomain.com, which goes into the relayhosts file?
>>
>> smtp_generic_maps is consulted by the postfix smtp(8) program, when sending mail out.
>> sender_dependent_relayhost_maps is consulted when incoming mail is queued.
>>
>> Ergo, you should match the original sender.
>>
>> For an overview of the postfix mail system, see: http://www.postfix.org/OVERVIEW.html
>
> Thanks. I think I understand what you are saying but your terminology is a bit confusing. By incoming mail, I assume you mean incoming to the smtp process as opposed to incoming mail for local delivery. This is all outgoing mail in that context.

No. There is no incoming mail going to the smtp(8) process - smtp(8) SENDS mail, it doesn't receive any.

Look closely at the overview I linked you to.

-- J.
Re: Multiple recipient_delimiter address extensions?
On 04/05/2013 08:17 PM, Wietse Venema wrote:

> /dev/rob0:
>
>> Thanks. A very minor complaint is that you have always been very consistent IIRC regarding plural and singular in parameter names, but now recipient_delimiter can be multiple characters. :) (I do
>
> Yes and no. Postfix still supports only one user/extension separator per address. A feature name that contains the word delimiters would send the message that Postfix supports multiple delimiters within an address.

$recipient_delimiter_alternatives ?

-- J.
Re: specific internal user rerouting to external mail service
On 04/08/2013 10:37 PM, Viktor Dukhovni wrote:

> On Mon, Apr 08, 2013 at 09:31:12PM +0200, Jeroen Geilman wrote:
>
>> On 04/05/2013 07:13 PM, gbrinker wrote:
>>
>>> Hi, I hope I have a simple request for how and where to look to accomplish this. Situation - I was using postfix as a gateway to route incoming mail to two locations, one a listserv server and second to an exchange server with a couple of family users internally. I had a hardware crash of the exchange server and have had to reconfigure postfix to handle the listserv mail which I have done. Not an expert, I have been reading Ralf's book and found that I had many errors in the original set up in continuing to use local delivery with transport maps to forward all mail to the two internal servers. I've changed set up to a relay domain now and the listserv part is functioning. The problem I still have is trying to temporarily relay the exchange users to an external service while I restore the exchange server. I have tried using transport maps and virtual maps but haven't found the key. I am able to receive the mail okay but it is held in postfix with messages such as status=deferred (delivery temporarily suspended: transport is unavailable)
>>
>> IFF these messages were already in the queue /before/ you changed the delivery route, you must re-queue them; queued messages include their static (i.e. resolved) next-hop transport destination, which will not change merely because you altered configuration. Run postsuper -r ALL (with capitals) to re-queue.
>
> This is not correct. Only content_filter settings are queue-file sticky. Transport resolution happens each time a message enters the active queue. If the OP used a content_filter that does not at this time correspond to a transport in master.cf, a postsuper -r may be required. If the OP has entries in the transport table that map destinations to non-existent transports, then a simple update to the transport table is sufficient.

Ah, em, okay - I misremembered.

Queued messages _do_ contain next-hop information, so if you have, say, an incoming queue that can't move forward due to slow-to-fail destinations, this will not be solved automatically when you change the transport - it requires a re-queue.

The point (which, admittedly, has nothing to do with the OP's use case) was that transport information is not resolved when /reading from/ the queue; rather, it is added when /inserting into/ the queue, which enables per-destination queueing, among other things.

-- J.
Re: Setting up secure submission for remote users
On 04/08/2013 01:32 AM, LuKreme wrote:

> I've long used pop-before-smtp to allow authenticated users a short window in which to send mail, but now that I've set up postfix 2.8.14 I want to also set up secure submission on port 587 with ssl and something like Kerberos 5 or MD5 challenge/response (or, frankly, even password) over SSL.
>
> I built postfix with:
>
> make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'
>
> Seems to work:
>
> # postconf -a
> cyrus
> dovecot
> # postconf -A
> cyrus
>
> Also, the SASL Readme says: Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/. Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/. (I am running 2.1.22_2)

I would personally recommend using dovecot for SASL, especially if you don't need client SASL (from postfix to remote servers); dovecot is way, way easier to set up, and evolves quite nicely.

It's also ridiculously easy to set up from scratch: http://www.postfix.org/SASL_README.html#server_dovecot

> postconf -n
>
> smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_sender_access hash:$config_directory/backscatterpermit
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
> smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
> smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks

Submission should disable all of the above (in master.cf) except smtpd_recipient_restrictions=permit_sasl_authenticated,reject.

You can prefix that with any reject_ restrictions you wish to impose on your users, such as a proper sender- and/or recipient domain.

The clue is that there should be no permit_ rules before /or/ after permit_sasl_authenticated, and the last rule should be an explicit reject.

-- J.
Re: specific internal user rerouting to external mail service
On 04/05/2013 07:13 PM, gbrinker wrote:

> Hi, I hope I have a simple request for how and where to look to accomplish this. Situation - I was using postfix as a gateway to route incoming mail to two locations, one a listserv server and second to an exchange server with a couple of family users internally. I had a hardware crash of the exchange server and have had to reconfigure postfix to handle the listserv mail which I have done. Not an expert, I have been reading Ralf's book and found that I had many errors in the original set up in continuing to use local delivery with transport maps to forward all mail to the two internal servers. I've changed set up to a relay domain now and the listserv part is functioning. The problem I still have is trying to temporarily relay the exchange users to an external service while I restore the exchange server. I have tried using transport maps and virtual maps but haven't found the key. I am able to receive the mail okay but it is held in postfix with messages such as status=deferred (delivery temporarily suspended: transport is unavailable)

IFF these messages were already in the queue /before/ you changed the delivery route, you must re-queue them; queued messages include their static (i.e. resolved) next-hop transport destination, which will not change merely because you altered configuration. Run postsuper -r ALL (with capitals) to re-queue.

> I would much appreciate suggestions on how I should go about this as I suspect it is simple but I'm a bit frazzled by my efforts. Thanks much, Gary

As simple as above.

-- J.
Re: Duplicate Emails Sent
On 03/18/2013 09:51 PM, Ed wrote:

> Hi All. The scenario:
>
> From: a...@site1.com
> To: b...@site2.com
> CC: m...@site3.com
>
> After receiving the email CC at site 3, site 3 is sending out emails to everyone on the original,

Configure site3 to stop doing that.

-- J.
Re: Our postfix works fine, but it is very slow when we send newsletter
On 02/20/2013 07:16 PM, Vince Wang wrote:

> Hello, We have a configured postfix email server that worked well when we had it on the public IP. After we moved it behind our firewall on an intranet with ip 192.168.xxx.xxx, we found it is very slow when we send newsletter.

How is DNS set up in comparison with the previous server ? Badly configured DNS can certainly slow things down, especially on outgoing mail. Any even moderately busy mailserver should have a local DNS cache.

> Server info: Ubuntu 10.4 32 bit running on 4cpus + 8GB memory VM ( VMware host )

A 32-bit OS with 8GB of memory ? Only 3.5GB of that will be used, ever. Regardless, postfix hardly uses any memory, unless you are receiving hundreds of 10MB messages concurrently. What is much more relevant for mail performance is storage I/O - and you don't mention anything related to storage.

> As I just started learning about postfix, I tried to figure out how it works. I sent a newsletter to 1100 members last week

How many *messages* did you send ?

> and monitored the queue in the webmin and mailq, and the postfix log. After I clicked the send button on our web page, I found that the messages are added into the queue for 15 minutes and then I saw messages are sent out from the log file for around 15 minutes.

So you are seeing an average processing speed of 1.2 messages per second before queue, and another average 1.2 messages per second during delivery ?

Show logs that exhibit these delays; postfix logs detailed delay statistics for each message delivered.

> content_filter = smtp-amavis:[127.0.0.1]:10024

If you're submitting via smtpd(8) then all locally submitted mail will be scanned, which is patently useless in this case.

> smtpd_recipient_limit = 10

That is insane.

> qmgr_message_active_limit = 5
> line_length_limit = 204800
> maximal_queue_lifetime = 2d
> queue_run_delay = 4000s
> minimal_backoff_time = 4000s

Do not mess with these values unless you know exactly what they do.

No logs, so how do you expect us to deduce what is happening here ?

-- J.
Re: Our postfix works fine, but it is very slow when we send newsletter
On 02/21/2013 03:34 PM, Ralf Hildebrandt wrote:

> It could be that the process injecting the mails into the queue is stalling the queuemanager, thus sending out can only begin AFTER the injection period.

... how ? Either pickup(8) or smtpd(8) do the queueing; the qmgr only SENDS mail.

There could be disk I/O contention, sure, but that would never translate into a scenario where no mail could be de-queued before all mail was finished queueing. These are wholly separate processes after all, and the only point of contact is the mail queue, which is concurrent read-write by design. By default, there may be many simultaneous processes accessing the queue (100 each of smtpd and smtp, for starters.)

Of course, it could be that he really is sending every single submitted message through amavisd and then re-injecting into postfix, thus effectively forcing every single message through the pipeline twice. This would be inane no matter what kind of IP address it has, but the cause of the delays would be the content_filter, nothing else.

There are settings in amavisd-new that govern what to do when a message originates from a trusted or untrusted IP range, offering the option to pass it through without scanning. If this was impacted by the IP change, that could easily explain the delays - but they would still never be sequential.

Of course, you did ask for logs as well :)

-- J.
Re: Restrict some users to local recipients only?
On 02/14/2013 12:23 AM, Patrick wrote:

> I have a customer who would like to configure the Postfix server he uses such that certain users can only send to local users.

Use a restriction class that implements this; examples are included here: http://www.postfix.org/RESTRICTION_CLASS_README.html

> I'm wondering if there are any built-in facilities for restricting which delivery agents can be used by particular users?

Delivery agents deliver queued mail. The decision to accept the mail for a particular destination has already been made at that point.

-- J.
Re: Trouble configuring backup MX to reject unauth destination
On 02/08/2013 06:02 PM, Titanus Eramius wrote:

> Feb 7 22:12:48 ntdata postfix/pickup[24843]: 048341743609: uid=5005 from=SRS0=3u76=L7=gmail.com=jimmiedcu...@nt-data.dk

So you are...not re-injecting spamassassin traffic, but instead re-submitting it via sendmail ? That's weird.

> Feb 7 22:12:48 ntdata postfix/pipe[30177]: 39E441743607: to=a...@ubuntudanmark.dk, relay=spamassassin, delay=0.95, delays=0.53/0/0/0.41, dsn=2.0.0, status=sent (delivered via spamassassin service)

THIS is a send to spamassassin, but delayed in logging for almost a second.

It looks very much as if you're doing in-line spamassassin checks, but then not re-injecting it via SMTP. Why are you doing such a strange thing ?

-- J.
Re: Recommendations for antivirus
On 01/16/2013 10:55 PM, TFML wrote:

> I'm running a server; on an average week we receive 14,000, send 19,000, and in total deferred/bounced/rejected 5,000

Are you certain of those numbers ? For any publicly-reachable MX host, the amount of spam rejected is AT LEAST 10 times the amount of desirable mail accepted. Over 90% of all mail is spam, sadly; this is near-universal.

Of course, you might be deploying a non-postfix solution as MX frontend, like Barracuda, but for an exposed MX host, 14:5 Ham/Spam is an entirely unbelievable ratio.

-- J.
Re: Sufficiently locked down?
On 01/24/2013 07:08 AM, Stan Hoeppner wrote:

> On 1/23/2013 2:23 PM, Grant wrote:
>
>>>> I thought my postfix setup was configured to send mail on port 587 and receive mail on port 25, so I was surprised to find that I could send mail from the local machine on port 25. Is my config OK?
>>>
>>> Postfix never sends mail *from* TCP 25 or TCP 587. These are receive ports. Outbound connections occur on high ports. You're not properly describing your use case, actually not at all. Would you please?
>>
>> You're right, I didn't word that correctly. I thought mail received on port 25 could only be delivered locally with my config, but I was able to send mail to any destination via port 25. The mail client and mail server are on the same machine.
>
> You haven't identified a problem Grant. You've identified standard Postfix behavior and told us it is confusing to you. We have no idea why that is confusing to you because you haven't told us exactly how you are trying to use Postfix.
>
> One thing I can tell you up front is that using authentication between your MUA and Postfix on 587 is useless, completely unnecessary, because the packets are transferred via machine memory, never going over the wire. The submission service exists strictly for accepting authenticated connections over a network. Your connections exist entirely within one machine.

If he is actually using SMTP submission on the local server, that is obviously untrue. The workings of SMTP submission are not dependent on where this happens from.

I would recommend submission regardless of goal or purpose, even on localhost.

-- J.
Re: postfix rejecting mail: 555 5.5.4 Unsupported option: AUTH=
On 01/14/2013 10:55 PM, Jaap van Wingerde wrote:

> Are microsoft.com and versatel.nl sending mail with invalid AUTH? What does 'SPF Permanent Error: Too many DNS lookups' mean?

Permanent Error seems fairly self-explanatory to me.

That said, postfix contains no SPF functionality. You'll have to consult the documentation for whatever you are using to deal with SPF.

-- J.
Re: Copy email with ALL headers (inc. BCC)
On 01/10/2013 02:05 AM, Jean-Luc Wasmer wrote:

> Hi, I've searched the mailing lists but every time the proposed solution involves using sender_bcc_maps (or other form of bcc'ing). The problem with adding a BCC to the incoming email is that other BCC headers will be dropped to the recipient of my server-side BCC rule.

What other BCC headers ? You may be confused about RFC822: there is no BCC header, and never has been.

> I want the equivalent of what Mutt calls Fcc, so an actual copy of the incoming mail, not a new recipient added to it.

That is what always_bcc and its derivatives do.

> The idea is to avoid having MUAs send each outgoing email twice (SMTP submission + IMAP copy).

How is that related to the workings of the MTA ? If you don't want to store your Sent mail in IMAP, tell your MUA not to do that.

-- J.
Re: Just more complaining about mail headers that impact replying
On 01/14/2013 11:48 PM, Robert Moskowitz wrote:

> Just complaining while listening to a MAC simulation presentation for 802.15.8. :)

Complaining about... what ? This is the postfix-users mailing list, for help with the postfix MTA.

-- J.
Re: BCC Transport Map
On 12/23/2012 11:49 AM, Joey J wrote:

> What you are saying is correct 100%, the transport map handles it. MY server is set in DNS as the MX record so it delivers to myrelayservice.com and then holds it, but what I want is to BCC any messages that come in when their server crashes and will take some time before it is back up and running allowing them to see what they are missing.

...effectively duplicating messages on some vague condition.

If the destination is down, you can re-route mail using the fallback_relay option.

Your solution is more likely to confuse people than actually help.

-- J.
Re: Send mails use the same source IP across multiple servers
On 12/15/2012 06:59 PM, John Levine wrote:

> You want to share one dedicated external source IP address among multiple Postfix SMTP clients.
>
> If there were only one dedicated external source IP address, then a NAT router would suffice. That would be my first suggestion. For a cheap experiment, get something like a Cisco E2500, configure it on the external IP, turn off the wifi, plug up to four mail servers into the LAN ports and see how it does. Any NAT box has to manage port numbers per connection, I don't know how many simultaneous connections it can manage, and they don't say what the limit is, so it may run out of connections before your mail servers do. On the other hand it's under $100, and if it works, you're all set.
>
> Before buying complicated proxies or gateways, I would revisit your assumption that you need more than one mail server. It shouldn't be hard to configure most mail servers to saturate an outbound connection, and if yours won't do that, the problem may well be a configuration problem, or something that you could solve with an SSD disk cache rather than an address sharing kludge.

s/SSD disk cache/SSD queue_directory/

-- J.
Re: Need to review my postfix setup
On 12/02/2012 04:17 PM, John Allen wrote:

> I set up my original Postfix setup some time ago using Jeff Posluns' excellent howto/tutorial. My setup works and seems to work quite well, but I know that I have not kept pace with the changes and improvements in Postfix. Additionally, as a result of following this mail list, I believe that my configuration may not be as good as it could be (some things are in main.cf that might be better in master and vice versa). Could somebody recommend a howto/tutorial that might help me bring my setup up to date and or improve it.
>
> John A
> --

This is way too vague a question to elicit meaningful answers.

Study the documentation for the features you want to use, upgrade your old configuration to the one you're migrating to using the provided upgrade-configuration option to postconf(8), (2.9.x is current; don't use anything older), and ask directed questions concerning proven working (i.e., actual, not imaginary) functionality if and when any problems arise.

Be prepared with full configuration details and relevant non-verbose logs when you do.

-- J.
Re: cache MX record
On 11/19/2012 12:51 PM, Muhammad Yousuf Khan wrote:

> due to some reason my primary DNS (windows 2003) is not giving me an MX record.

That would be correct. No DNS server would give you an MX record of its own accord.

> even I have created one manually for my mailserver and afterwards it points to the A record of my mailserver

That's normally the way of it.

> I think there is something going on inside my DNS. below is the result of nslookup

Please don't use nslookup for DNS troubleshooting; it has serious issues. Use either dig or host.

> with type=MX
> primary name server = sr-dc.mydomain.com
> responsible mail addr = hostmaster
> serial = 2286
> refresh = 900 (15 mins)
> retry = 600 (10 mins)
> expire = 86400 (1 day)
> default TTL = 3600 (1 hour)

No, that's the SOA. I suggest you consult the Microsoft documentation for help with their implementation of DNS.

> so instead of messing up with 2003 DNS is there any way to make a cache record just like we have /etc/hosts for A records.

No, that is not possible.

However, it doesn't say anywhere that an MX record is mandatory, or required.

Please see the list welcome message about how to effectively ask for help: http://www.postfix.org/DEBUG_README.html#mail

-- J.
Re: Simplest approach to full-adress aliases?
On 11/18/2012 08:26 PM, Jan Johansson wrote:

>> NOTE that domainALPHA.com must be in an address class you control: relay, local, or virtual_*. The presence of the alias alone does not mean mail for the domain is accepted.
>
> That I gathered. The box is an MX for the domains in question.

That has nothing to do with how postfix perceives the domain.

-- J.
Re: Simplest approach to full-adress aliases?
On 11/17/2012 02:22 PM, Ansgar Wiechers wrote:

> On 2012-11-17 Jan Johansson wrote:
>
>> Having mostly used Exim I am trying to sort out a few things with a postfix (2.8.5-2~build0.11.04 on Ubuntu) install. Basically, I want a forwarding mechanism that can map us...@domainalpha.com to anotheru...@anotherdomain.com. So, what's the easiest way to set this up? Manually handling flat files would be sufficient.
>
> That's what $virtual_alias_maps [1] is for. Add the following line to main.cf:
>
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> Create a file /etc/postfix/virtual with the mappings you need:
>
> us...@domainalpha.com anotheru...@anotherdomain.com
>
> Run postmap /etc/postfix/virtual to create the hash database.
>
> NOTE that domainALPHA.com must be in an address class you control: relay, local, or virtual_*. The presence of the alias alone does not mean mail for the domain is accepted.
>
> For further information see the VIRTUAL_README [2].
>
> [1] http://www.postfix.org/postconf.5.html#virtual_alias_maps
> [2] http://www.postfix.org/VIRTUAL_README.html
>
> Regards
> Ansgar Wiechers

-- J.
Re: Policy delegation after alias expansion
On 11/14/2012 11:45 PM, Reinaldo de Carvalho wrote:

> Is it possible to call a policy daemon after alias expansion?

Policy checks happen in the context of smtp reception (before end-of-data); alias expansion happens once the message has been accepted (after end-of-data) and just before it is queued.

The only way to reverse this state of events is to re-inject the mail into a separate smtpd(8) listener, with different policy settings (and no_address_mappings).

-- J.
Re: ..:: Postfix authentication requered for relay ::..
On 11/13/2012 12:41 AM, Alfonso Alejandro Reyes Jiménez wrote:

> snipped
>
> The SASL auth is working on the smtpd server and it works fine, but when we try to send anything from the other server we don't even see the login attempt.

So...what does the postfix log say on the sending side ? If an SASL connection is made, this will be logged.

-- J.
Re: ..:: Postfix authentication requered for relay ::..
On 11/13/2012 12:21 AM, Alfonso Alejandro Reyes Jiménez wrote:

> Hi everyone. We have 2 postfix servers, one for every email from our company and the other inside our LAN just sending Nagios notifications. The thing is that we need to configure the SMTP authentication in the notifications server to allow relay. We don't want to put the server's IP on mynetworks because we don't really trust it. We have all the configuration steps we found on the internet but it is not working, we can't see any authentication attempt on the server. Any help will be great. Here's the configuration of the server:
>
> snipped
>
> smtp_sasl_auth_enable = yes

This concerns smtp(8), the smtp CLIENT.

> smtpd_sasl_path = inet:172.16.18.100:12345
> smtpd_sasl_type = dovecot

This concerns smtpd(8), the smtp SERVER.

You need to enable SASL auth in the smtpd(8) SERVER.

-- J.
Re: mixing mbox and maildirs for local users
On 11/10/2012 11:26 PM, maillis...@gmail.com wrote:

> Postfix does respect set gid, that's my bad. I still don't see how to share a Maildir, though.

On delivery ? Not possible. One recipient == one mailbox.

However, you can trivially make one (separate) mailbox available to a group of IMAP users by configuring your IMAP server to do so. This is not a postfix subject, but it's very easy to do in dovecot, for instance.

> On Sat, Nov 10, 2012 at 4:50 PM, maillis...@gmail.com wrote:
>
>> Thank you so much. That is brilliantly simple. Today is making me feel stupid. I also need a shared Maildir, but Postfix doesn't seem to care about set gid. Anyone know how to do that?
>>
>> On Sat, Nov 10, 2012 at 3:25 PM, Sahil Tandon sahil+post...@tandon.net wrote:
>>
>>> On Sat, 2012-11-10 at 14:47:29 -0500, maillis...@gmail.com wrote:
>>>
>>>> I need to deliver mail to a couple of local users in Maildir format, but deliver to others in the standard mbox. Is there a way to accomplish this inside Postfix, without resorting to procmail?
>>>
>>> For the users that require Maildir delivery, use .forward files that specify a destination mailbox name ending in '/'.
>>>
>>> -- Sahil Tandon

-- J.
Re: Mail forwarding loop
On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:

> Hello, I think I have a problem with my simple mail server. I noticed several bounce mails in the queue, which postfix is unable to deliver.
>
> C0B0160EC 12730 Thu Nov 8 12:35:47 MAILER-DAEMON
> (lost connection with eforward5.registrar-servers.com[38.101.213.202] while receiving the initial server greeting)
> instant.checkm...@designakeackson.info
>
> All of them destined to what look to be fake addresses. The original mails that originate the bounce are indeed spam. On this server I use spamassassin as content filter, which re-injects the mail into postfix after scanning it via local delivery. Spam is then discarded via a sieve rule (not bounced). It looks like postfix detects a mail forwarding loop when the mail is re-injected by spamassassin via local delivery. Why isn't the loop detected when the mail is received by the smtpd?

Postfix cannot detect a mail loop if it has never seen the message before. You are not re-injecting the filtered message, you are calling sendmail(1), which in turn invokes pickup(8):

> I do not like to generate unnecessary bounce mails. Is this a real problem? How can I fix it?
>
> Here is what I think is a relevant log excerpt:
>
> # egrep 2ABF060A6\|BCDF560EF\|C0B0160EC\|FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5 /var/log/mail.log
> Nov 8 12:35:46 zed postfix/smtpd[2515]: 2ABF060A6: client=designakeackson.info[176.126.174.9]
> Nov 8 12:35:46 zed postfix/cleanup[2517]: 2ABF060A6: message-id=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info
> Nov 8 12:35:46 zed postfix/qmgr[3850]: 2ABF060A6: from=instant.checkm...@designakeackson.info, size=9793, nrcpt=1 (queue active)
> Nov 8 12:35:46 zed spamd[2282]: spamd: processing message fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info for daniele:1000
> Nov 8 12:35:47 zed spamd[2282]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_SOFTFAIL,T_FILL_THIS_FORM_SHORT,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=1.4,size=9786,user=daniele,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=60966,mid=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info,bayes=0.50,autolearn=no
> Nov 8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=instant.checkm...@designakeackson.info
> Nov 8 12:35:47 zed postfix/cleanup[2517]: BCDF560EF: message-id=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info
> Nov 8 12:35:47 zed postfix/pipe[2518]: 2ABF060A6: to=dani...@grinta.net, relay=spamassassin, delay=1.7, delays=0.24/0.01/0/1.4, dsn=2.0.0, status=sent (delivered via spamassassin service)
> Nov 8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: from=instant.checkm...@designakeackson.info, size=10941, nrcpt=1 (queue active)
> Nov 8 12:35:47 zed postfix/qmgr[3850]: 2ABF060A6: removed
> Nov 8 12:35:47 zed postfix/local[2522]: BCDF560EF: to=dani...@grinta.net, relay=local, delay=0.02, delays=0/0.01/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for dani...@grinta.net)
> Nov 8 12:35:47 zed postfix/cleanup[2517]: C0B0160EC: message-id=20121108123547.c0b016...@zed.grinta.net
> Nov 8 12:35:47 zed postfix/bounce[2523]: BCDF560EF: sender non-delivery notification: C0B0160EC
> Nov 8 12:35:47 zed postfix/qmgr[3850]: C0B0160EC: from=, size=12730, nrcpt=1 (queue active)
> Nov 8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: removed
> Nov 8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] said: 450 4.1.1 instant.checkm...@designakeackson.info: Recipient address rejected: unverified address: unknown user: instant.checkm...@designakeackson.info (in reply to RCPT TO command)
> Nov 8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov 8 12:35:54 zed postfix/smtp[2512]: C0B0160EC: to=instant.checkm...@designakeackson.info, relay=eforward2.registrar-servers.com[209.105.246.195]:25, delay=7.2, delays=0/0/7/0.17, dsn=4.1.1, status=deferred (host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 instant.checkm...@designakeackson.info: Recipient address rejected: unverified address: unknown user: instant.checkm...@designakeackson.info (in reply to RCPT TO command))
> Nov 8 12:45:42 zed postfix/qmgr[3850]: C0B0160EC: from=, size=12730, nrcpt=1 (queue active)
> Nov 8 12:45:43 zed postfix/smtp[2566]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] refused to talk to me: 421 4.3.2 All server ports are busy
> Nov 8 12:46:05 zed postfix/smtp[2566]: C0B0160EC: host eforward2.registrar-servers.com[209.105.246.195] said: 450 4.1.1 instant.checkm...@designakeackson.info: Recipient address rejected: unverified address: unknown user: instant.checkm...@designakeackson.info (in reply to RCPT TO command)
> Nov 8 12:46:06 zed postfix/smtp[2566]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me:
Re: Mail forwarding loop
On 11/08/2012 11:12 PM, Jeroen Geilman wrote:

On 11/08/2012 05:25 PM, Daniele Nicolodi wrote:

Hello,

I think I have a problem with my simple mail server. I noticed several bounce mails in the queue, which postfix is unable to deliver.

C0B0160EC 12730 Thu Nov 8 12:35:47 MAILER-DAEMON
(lost connection with eforward5.registrar-servers.com[38.101.213.202] while receiving the initial server greeting)
instant.checkm...@designakeackson.info

All of them destined to what look to be fake addresses. The original mails that originate the bounce are indeed spam.

On this server I use spamassassin as content filter, which re-injects the mail into postfix after scanning it via local delivery. Spam is then discarded via a sieve rule (not bounced).

It looks like postfix detects a mail forwarding loop when the mail is re-injected by spamassassin via local delivery. Why isn't the loop detected when the mail is received by the smtpd?

And now without thick-fingering CTRL-Enter:

Postfix cannot detect a mail loop if it has never seen the message before.

You are not re-injecting the filtered message, you are (or, rather, SA is) calling sendmail(1), which in turn invokes pickup(8):

Nov 8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=instant.checkm...@designakeackson.info

This means a different path is followed from the original submission over SMTP; sendmail-submitted mail generally lacks features that allow such loops to be detected.

In this case, you are using the nobody user to re-submit the message, which will throw postfix off further, since it has no MAIL FROM: to match it with.

Re-inject the message over a separate smtpd(8) instance instead; the content filter loopback will not alter the envelope, thus enabling postfix to detect a loop.

smtpd(8): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin - SMTP re-inject: MAIL FROM: joe@home, RCPT TO: jim@work.

sendmail(1): MAIL FROM: joe@home, RCPT TO: jim@work - Spamassassin - sendmail: MAIL FROM: nobody (uid=65534), RCPT TO: jim@work.

Note the nobody above.

I do not like to generate unnecessary bounce mails. Is this a real problem? How can I fix it?

Here is what I think is a relevant log excerpt:

# egrep 2ABF060A6\|BCDF560EF\|C0B0160EC\|FD01D4DD-1DEF-1BC3-9A2A-5EDE8F9DD6C5 /var/log/mail.log
Nov 8 12:35:46 zed postfix/smtpd[2515]: 2ABF060A6: client=designakeackson.info[176.126.174.9]
Nov 8 12:35:46 zed postfix/cleanup[2517]: 2ABF060A6: message-id=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info
Nov 8 12:35:46 zed postfix/qmgr[3850]: 2ABF060A6: from=instant.checkm...@designakeackson.info, size=9793, nrcpt=1 (queue active)
Nov 8 12:35:46 zed spamd[2282]: spamd: processing message fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info for daniele:1000
Nov 8 12:35:47 zed spamd[2282]: spamd: result: Y 5 - BAYES_50,HTML_MESSAGE,RP_MATCHES_RCVD,SPF_SOFTFAIL,T_FILL_THIS_FORM_SHORT,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_WS_SURBL scantime=1.4,size=9786,user=daniele,uid=1000,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=60966,mid=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info,bayes=0.50,autolearn=no
Nov 8 12:35:47 zed postfix/pickup[2485]: BCDF560EF: uid=65534 from=instant.checkm...@designakeackson.info
Nov 8 12:35:47 zed postfix/cleanup[2517]: BCDF560EF: message-id=fd01d4dd-1def-1bc3-9a2a-5ede8f9dd...@designakeackson.info
Nov 8 12:35:47 zed postfix/pipe[2518]: 2ABF060A6: to=dani...@grinta.net, relay=spamassassin, delay=1.7, delays=0.24/0.01/0/1.4, dsn=2.0.0, status=sent (delivered via spamassassin service)
Nov 8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: from=instant.checkm...@designakeackson.info, size=10941, nrcpt=1 (queue active)
Nov 8 12:35:47 zed postfix/qmgr[3850]: 2ABF060A6: removed
Nov 8 12:35:47 zed postfix/local[2522]: BCDF560EF: to=dani...@grinta.net, relay=local, delay=0.02, delays=0/0.01/0/0.01, dsn=5.4.6, status=bounced (mail forwarding loop for dani...@grinta.net)
Nov 8 12:35:47 zed postfix/cleanup[2517]: C0B0160EC: message-id=20121108123547.c0b016...@zed.grinta.net
Nov 8 12:35:47 zed postfix/bounce[2523]: BCDF560EF: sender non-delivery notification: C0B0160EC
Nov 8 12:35:47 zed postfix/qmgr[3850]: C0B0160EC: from=, size=12730, nrcpt=1 (queue active)
Nov 8 12:35:47 zed postfix/qmgr[3850]: BCDF560EF: removed
Nov 8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward3.registrar-servers.com[209.105.246.196] said: 450 4.1.1 instant.checkm...@designakeackson.info: Recipient address rejected: unverified address: unknown user: instant.checkm...@designakeackson.info (in reply to RCPT TO command)
Nov 8 12:35:52 zed postfix/smtp[2512]: C0B0160EC: host eforward1.registrar-servers.com[69.160.33.82] refused to talk to me: 421 4.3.2 All server ports are busy
Nov 8 12:35:54 zed postfix/smtp[2512]: C0B0160EC: to=instant.checkm...@designakeackson.info, relay=eforward2.registrar-servers.com[209.105.246.195]:25, delay=7.2
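The SMTP re-injection path recommended in the reply above, written out as an added master.cf example. This is not the poster's configuration and not a verbatim copy of the Postfix documentation; it follows the pattern FILTER_README describes as an "advanced" (after-queue) content filter. It assumes an SMTP-speaking filter such as amavisd-new or spampd (spamc alone cannot do this, since it only pipes to a command) listening on 127.0.0.1:10024 and handing each message back to 127.0.0.1:10025; the port numbers, the service name "scan" and the filter's support for XFORWARD are assumptions. With this layout the second copy of every message enters through smtpd(8) with its envelope intact, so there is no sendmail(1)/pickup(8) hop and no uid=65534 submission as in the log above.

```text
# master.cf (added example; service name "scan" and ports 10024/10025 are assumed)

# Port 25: accept mail as before, but hand every accepted message to the filter.
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=scan:[127.0.0.1]:10024

# Delivery to the filter over SMTP. XFORWARD passes the original client
# name/address along so the filter can still see the real sending host.
scan      unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes

# Re-injection listener used only by the filter. No second pass through the
# filter (content_filter=), no repeat of the checks that already ran on port
# 25, and only loopback clients may use it, so this is not an open relay.
127.0.0.1:10025 inet n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o local_header_rewrite_clients=
```

After `postfix reload`, the check is in the log: the re-injected copy should now appear as `postfix/smtpd[...]: <queue-id>: client=localhost[127.0.0.1]` instead of `postfix/pickup[...]: <queue-id>: uid=65534`, and local(8) should see each message exactly once. One caveat for the bounces the original poster was seeing: any bounce Postfix generates after it has said 250 to the remote client goes to the envelope sender, which for spam is usually forged, so it becomes backscatter to third parties (the 450 "unverified address" replies in the log are exactly a remote site refusing such a bounce). An after-queue filter should therefore discard or quarantine spam rather than reject it; if you want rejections at SMTP time instead, Postfix's before-queue mode (smtpd_proxy_filter, SMTPD_PROXY_README) lets the filter's verdict be returned to the remote client before the message is accepted.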