relay_recipient_maps and virtual_alias_maps

2012-02-10 Thread Jonathan Tripathy

Hi Everyone,

We are using Postfix as an edge MX gateway for incoming mail.

Our company has 3 domain names (@abpni.co.uk, @abpni.com, @abpni.net). 
@abpni.co.uk is our main domain.


Each user may have a few aliases. I list these aliases in the table 
which virtual_alias_maps points to. To take my name as an example (which 
has many spellings!), I list the following:


john...@abpni.co.uk jon...@abpni.co.uk
jo...@abpni.co.uk jon...@abpni.co.uk
joh...@abpni.co.uk jon...@abpni.co.uk

(Note that jon...@abpni.co.uk is my real user account, which is hosted 
on another mail server.)


I also want all 3 of our domains to be able to be used, so at the top of 
the virtual alias map file I put:

@abpni.com @abpni.co.uk
@abpni.net @abpni.co.uk

However, I also want to prevent backscatter, so I list all valid addresses 
explicitly in the table which relay_recipient_maps points to:


jon...@abpni.co.uk
john...@abpni.co.uk
jo...@abpni.co.uk
joh...@abpni.co.uk
jon...@abpni.com
john...@abpni.com
jo...@abpni.com
joh...@abpni.com
jon...@abpni.net
john...@abpni.net
jo...@abpni.net
joh...@abpni.net

However, the mere fact that the catch-all aliases are listed in the 
virtual alias map prevents my anti-backscatter plan from working for 
@abpni.com and @abpni.net.


Do I have to list each address explicitly in the virtual alias map as well?

Thanks


Online virtual_alias_maps

2011-12-07 Thread Jonathan Tripathy

Hi Everyone,

I have a Postfix edge MX server which is used to receive incoming mail 
from the outside world. This server forwards mail on to an internal SMTP 
server which has all the user accounts. Aliases are managed by the edge 
server.


On the edge server, I have a virtual_alias_maps table. Is it possible to make 
my Postfix edge server only accept mail for accounts which are listed in 
the virtual_alias_maps table? I currently have relay_domains set to our 
company domain name; however, if I disable this, no mail can be accepted 
for our domain.


Your help is appreciated

Thanks


Multiple Users Reading Email

2011-09-29 Thread Jonathan Tripathy

Hi Everyone,

Bit of a design question here.

We have 2 users wishing to share an email account. However, when one 
person reads the email, we would like the email for the other person to 
still be marked as unread.


Is there a way to do this using IMAP (where emails are stored 
centrally)? Or is using virtual users and sending the email to 2 people 
the only way forward (where emails are duplicated)?


Thanks


Send to other server

2011-02-24 Thread Jonathan Tripathy

Hi Everyone,

I have a Postfix box which handles some SMTP accounts for example.com. 
Not all example.com accounts are located on this Postfix box; some are 
located elsewhere on another server.


At the minute, for the accounts which aren't on this server, Postfix is 
saying "user unknown in virtual mailbox table" (which is to be 
expected). However, how do I make Postfix go to another server if the 
account isn't on this server?


Thanks


Re: Send to other server

2011-02-24 Thread Jonathan Tripathy


On 24/02/11 09:42, Reindl Harald wrote:

We implemented this in our postfix/dbmail setup this way.
You can do this also with config files, but I never set up
any server without MySQL backends.

transport_maps = mysql:/etc/postfix/mysql-transport.cf

cat /etc/postfix/mysql-transport.cf
user = dbmailro
password = 
dbname = dbmail
hosts = unix:/var/lib/mysql/mysql.sock
query = select transport from dbma_transports where mydestination='%s' or mydestination='%d' order by transport desc limit 1;

On the left side mydestination is the address/domain
and on the right side transport smtp:hostname.domain.tld

On 24.02.2011 10:26, Jonathan Tripathy wrote:

Hi Everyone,

I have a Postfix box which handles some SMTP accounts for example.com. Not all 
example.com accounts are located on this Postfix box; some are located 
elsewhere on another server.

At the minute, for the accounts which aren't on this server, Postfix is saying 
"user unknown in virtual mailbox table" (which is to be expected). However, 
how do I make Postfix go to another server if the account isn't on this server?

Thanks

I am using MySQL for the virtual mailbox stuff as well, except for the 
transport maps, for which I'm just using a regular config file.


I tried adding:
example.com smtp:mx.example.com

However it still complains that the user is unknown in the virtual 
mailbox table...


I guess I could do this another way, as a temp solution. I could remove 
example.com from the local Postfix and create another domain such as 
example.local. I could then remove reject_sender_login_mismatch, which 
would allow all authenticated users to send emails as anybody.


Re: Send to other server

2011-02-24 Thread Jonathan Tripathy


On 24/02/11 09:58, Reindl Harald wrote:


Am 24.02.2011 10:54, schrieb Jonathan Tripathy:

On 24/02/11 09:42, Reindl Harald wrote:

We implemented this in our postfix/dbmail setup this way.
You can do this also with config files, but I never set up
any server without MySQL backends.

transport_maps = mysql:/etc/postfix/mysql-transport.cf

cat /etc/postfix/mysql-transport.cf
user = dbmailro
password = 
dbname = dbmail
hosts = unix:/var/lib/mysql/mysql.sock
query = select transport from dbma_transports where mydestination='%s' or mydestination='%d' order by transport desc limit 1;

On the left side mydestination is the address/domain
and on the right side transport smtp:hostname.domain.tld

On 24.02.2011 10:26, Jonathan Tripathy wrote:

Hi Everyone,

I have a Postfix box which handles some SMTP accounts for example.com. Not all 
example.com accounts are located on this Postfix box; some are located 
elsewhere on another server.

At the minute, for the accounts which aren't on this server, Postfix is saying 
"user unknown in virtual mailbox table" (which is to be expected). However, 
how do I make Postfix go to another server if the account isn't on this server?

Thanks

I am using MySQL for the virtual mailbox stuff as well, except for the 
transport maps, for which I'm just using a regular config file.

I tried adding:
example.com smtp:mx.example.com

However it still complains that the user is unknown in the virtual mailbox 
table...

I guess I could do this another way, as a temp solution. I could remove 
example.com from the local Postfix and create another domain such as 
example.local. I could then remove reject_sender_login_mismatch, which 
would allow all authenticated users to send emails as anybody.

Hm - I guess local_recipient_maps must also contain the address for verify.
It is not easy for me to explain parts because I spent some weeks in 2009
on the whole setup and unified backend until it all did what I wanted, and
I guess what we have is not really a common setup.

mydestination = mysql:/etc/postfix/mysql-mydestination.cf
local_recipient_maps = mysql:/etc/postfix/mysql-recipients.cf
recipient_canonical_maps = mysql:/etc/postfix/mysql-rewritedomains.cf
sender_canonical_maps = mysql:/etc/postfix/mysql-rewritesenders.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
sender_dependent_relayhost_maps = mysql:/etc/postfix/mysql-sender_relay_hosts.cf
smtp_sasl_password_maps = mysql:/etc/postfix/mysql-sender_relay_hosts_auth.cf
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-senderaccess.cf

Thanks for your efforts. Since this is just a temp setup, what I've done 
is create example.local and used it strictly for auth domains. Then I've 
used sender_login_maps to allow these example.local users to send as 
example.com.


This seems to work

Thanks
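
Two observations on this page, the "@abpni.com @abpni.co.uk" catch-all in virtual_alias_maps defeating relay_recipient_maps (the relay_recipient_maps and "Online virtual_alias_maps" posts above) and a transport_maps entry not curing "user unknown in virtual mailbox table" (this thread), both follow from the order in which smtpd consults its tables. The model below is added for this page and is not Postfix code or anything posted to the list; the lookup order is my reading of postconf(5)/virtual(5) (assumption), and every address, user name and mailbox path in it is constructed.

```python
"""Model of the check a Postfix smtpd makes before accepting RCPT TO
(reject_unlisted_recipient plus the address-class rules).  Written for this
page, not Postfix source; lookup order is my reading of postconf(5) and
virtual(5); mydestination (local delivery) is left out of the model."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """Postfix-style lookup: exact user@domain first, then the @domain wildcard."""
    address = address.lower()
    if address in table or "@" not in address:
        return table.get(address)
    return table.get("@" + address.rsplit("@", 1)[1])


@dataclass
class PostfixConfig:
    """Only the main.cf parameters that take part in the decision."""
    relay_domains: Set[str] = field(default_factory=set)
    virtual_mailbox_domains: Set[str] = field(default_factory=set)
    virtual_alias_maps: Dict[str, str] = field(default_factory=dict)
    virtual_mailbox_maps: Dict[str, str] = field(default_factory=dict)
    relay_recipient_maps: Dict[str, str] = field(default_factory=dict)
    transport_maps: Dict[str, str] = field(default_factory=dict)


def check_recipient(cfg: PostfixConfig, address: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for RCPT TO:<address>.

    transport_maps is never consulted: it routes mail that was already
    accepted, which is why "example.com smtp:mx.example.com" does not make
    "User unknown in virtual mailbox table" go away."""
    if address.count("@") != 1:
        return False, "need user@domain"
    domain = address.lower().rsplit("@", 1)[1]
    # A virtual alias entry, explicit or a "@domain" catch-all, accepts the
    # recipient before any per-class table is looked at.  The lines
    # "@abpni.com @abpni.co.uk" therefore make every abpni.com address valid.
    if lookup(cfg.virtual_alias_maps, address) is not None:
        return True, "listed in virtual_alias_maps"
    if domain in cfg.virtual_mailbox_domains:
        if lookup(cfg.virtual_mailbox_maps, address) is not None:
            return True, "listed in virtual_mailbox_maps"
        return False, "User unknown in virtual mailbox table"
    if domain in cfg.relay_domains:
        if not cfg.relay_recipient_maps:
            # Empty relay_recipient_maps: everything for the domain is relayed
            # and unknown users bounce later, i.e. the backscatter source.
            return True, "relay_recipient_maps is empty"
        if lookup(cfg.relay_recipient_maps, address) is not None:
            return True, "listed in relay_recipient_maps"
        return False, "User unknown in relay recipient table"
    return False, "Relay access denied"  # reject_unauth_destination's verdict


def edge_gateway(catch_all: bool) -> PostfixConfig:
    """The three-domain edge MX from the relay_recipient_maps post; user
    names are constructed because the archive masks the real ones."""
    domains = ("abpni.co.uk", "abpni.com", "abpni.net")
    users = ("alice", "alice.s")          # alice.s is an alias of alice
    aliases = {"alice.s@abpni.co.uk": "alice@abpni.co.uk"}
    for dom in domains[1:]:
        if catch_all:
            aliases["@" + dom] = "@abpni.co.uk"
        else:
            for user in users:
                aliases[f"{user}@{dom}"] = "alice@abpni.co.uk"
    valid = {f"{user}@{dom}": "OK" for dom in domains for user in users}
    return PostfixConfig(relay_domains=set(domains),
                         virtual_alias_maps=aliases,
                         relay_recipient_maps=valid)


def mixed_hosting() -> PostfixConfig:
    """The example.com box from "Send to other server": one mailbox local,
    the rest meant to go elsewhere via transport_maps (names constructed)."""
    return PostfixConfig(
        virtual_mailbox_domains={"example.com"},
        virtual_mailbox_maps={"alice@example.com": "example.com/alice/"},
        transport_maps={"example.com": "smtp:mx.example.com"})


def backscatter_exposed(cfg: PostfixConfig, probe: str = "no-such-user") -> Set[str]:
    """Relay domains that would accept a made-up local part, i.e. domains for
    which the gateway will bounce rather than reject unknown recipients."""
    return {d for d in cfg.relay_domains if check_recipient(cfg, f"{probe}@{d}")[0]}


if __name__ == "__main__":
    for label, cfg in (("catch-all aliases", edge_gateway(True)),
                       ("per-address aliases", edge_gateway(False))):
        print(f"{label}: exposed domains {sorted(backscatter_exposed(cfg))}")
    for rcpt in ("alice@example.com", "bob@example.com"):
        print(rcpt, check_recipient(mixed_hosting(), rcpt))
```

On a real server the same probe is `postmap -q no-such-user@abpni.com` against each table in turn, in the order the model checks them.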


Re: Network Ideas

2011-01-14 Thread Jonathan Tripathy


On 14/01/11 18:13, Stan Hoeppner wrote:

Jonathan Tripathy put forth on 1/13/2011 7:05 AM:


What does everyone think of a DRBD + GFS2 idea?

I wrote up a detailed response to the same question on the Dovecot list
yesterday, in fact, in response to you.

You did indeed, thanks

Why are you running the same thread on
both mailing lists?



There are different people on each list. It's nice to get views from lots 
of different people, especially when I think that Dovecot causes more 
issues with shared storage than Postfix (according to the respective 
wikis anyway).


Re: Network Ideas

2011-01-13 Thread Jonathan Tripathy


On 13/01/11 09:58, Stan Hoeppner wrote:

Jonathan Tripathy put forth on 1/12/2011 8:58 AM:


Major point is that GlusterFS is NOT another file system. GlusterFS uses a
disk based backend and relies heavily on the underlying filesystem extended
attributes for handling which file is more recent on one brick over another
when performing a self heal after a split brain condition.

Maybe this isn't really too much of an issue in mail delivery, as files aren't
usually modified, are they?

I may split up the servers though to reduce split brain. As if one glusterfs
server goes down, no mail server would be able to access it

GlusterFS is a distributed filesystem, not a clustered filesystem.  There is a
huge difference WRT acceptable uses.  Distributed filesystems are fine for
massive storage needs of relatively static files, not for serious transaction
oriented workloads.  Cluster filesystems are much more suited to the latter, and
will handle the former without issue.

Likely, the best solution for the OP, from both a performance and simplicity of
management standpoint, is neither of these, but NFS, either a _good quality_ NFS
appliance such as a NetApp et al, or if that price is too steep, a purpose built
Linux server with kernel mode NFS server.
Well I should update this post. Reading around, I've given up on the 
idea of GlusterFS as performance isn't great when using it.


While Postfix works well with NFS, Dovecot has some serious issues with 
it (according to their wiki and mailing list).


What does everyone think of a DRBD + GFS2 idea?

If you actually run an environment where total redundancy is a requirement, then
you'd already know all of these things and not be asking here.  Thus, you're a
small environment but you _think_ you need an exotic fail safe architecture like
a big environment, which very few sites actually _NEED_ including some of the
big ones.

Ask Wietse about the architecture of the HA Postfix cluster that serves list
mailing list.  Then ask him how much downtime the list has experienced in the
last 5 years due to host or storage problems (vs network).  The answers may
likely be both surprising and informative.

Yes, I appreciate this. But free software costs nothing, so no real harm 
in at least trying. Even if it doesn't work out in the end, at least I 
will have learnt :)

Don't worry, there will be a very good backup strategy behind all this...



Re: HA mail system

2011-01-13 Thread Jonathan Tripathy


On 13/01/11 19:00, Jaques Cochet wrote:

After some reading:
- GFS and maildir work badly together
- NFS and maildir are not that good, NFS and postfix have some issues
but should be OK.

Where did you read that GFS worked badly with maildir? I'd be interested 
to read into this


Thanks


Re: HA mail system

2011-01-13 Thread Jonathan Tripathy

Hi Jaques,

Ah yes, I remember reading those. I don't think you have too much to 
worry about in 2011 though. Those posts were from around 2008 when GFS 
(The original implementation) didn't scale well for large mailboxes. It 
was also around the time that GFS2 wasn't stable for production 
environments. As far as I know, GFS2 works much better now. I've also 
heard some good things about OCFS2.


That said, I have no experience in this area. It's just what I'm 
observing from what people are telling me on this and the dovecot lists


Cheers

Jonathan

On 14/01/11 04:37, Jaques Cochet wrote:

Jonathan, check
http://web.archiveorange.com/archive/v/TUhSn61Ee1e4CqmzNaTd
http://www.mailinglistarchive.com/linux-clus...@redhat.com/msg07430.html
http://old.nabble.com/Dovecot-performance-on-GFS-clustered-filesystem-td19655678.html


On Thu, Jan 13, 2011 at 11:06 PM, Jonathan Tripathy jon...@abpni.co.uk wrote:

On 13/01/11 19:00, Jaques Cochet wrote:

After some reading:
- GFS and maildir work badly together
- NFS and maildir are not that good, NFS and postfix have some issues
but should be OK.


Where did you read that GFS worked badly with maildir? I'd be interested to
read into this

Thanks
Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 02:11, Aaron C. de Bruyn wrote:

On 2011-01-11 at 19:46:48 +, Jonathan Tripathy wrote:

I will give authenticated clients direct access to the IMAP and SMTP
ports on my load-balancer (No proxies). I will however only accept
incoming mail from the internet via separate mx server which will
relay mail (after doing spam checking) to the postfix servers.

That sounds almost exactly like my mail config.
The only difference is we have one cheap (~$1,000) NAS box that holds
the mail store.

Every night we rsync the mail files off to a backup NAS.  It's not entirely
a single point of failure--but it'd be a pain if the NAS quit.  At some
point we'll setup something like DRBD to keep them in sync.  Probably
right after a NAS failure... ;)

-A

Hi Aaron,

I take it you have 2 postfix servers running then? Are they both used at 
the same time (And picked by your load-balancer)?


Thanks


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 10:15, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk


I will have 2 Postfix/Dovecot servers. Each will be configured to use a
central database and will also use an NFS mount for mail storage. Since
they will both be configured with central storage, I can use my
load-balancer to distribute load between both of them, for both SMTP and
IMAP, correct?
As for the NFS server, this will be set up with DRBD as per this article:
http://www.tutorialsconnect.com/2009/01/how-to-setup-a-redundant-nfs-server-with-drbd-and-heartbeat-in-centos-5/
There will be 2 VMs used for this.

I did not follow the entire discussion but, do you need NFS at all if you only
have 2 servers?
Couldn't you just use DRBD directly on the Postfix/Dovecot servers?

JD



JD, excellent idea! Don't know how I didn't think of that!

While your idea would work in HA mode, would that cause any problems if 
both postfix servers were used at the same time? (i.e. load balanced)


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 10:18, Jonathan Tripathy wrote:


On 12/01/11 10:15, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk

I will have 2 Postfix/Dovecot servers. Each will be configured to use a
central database and will also use an NFS mount for mail storage. Since
they will both be configured with central storage, I can use my
load-balancer to distribute load between both of them, for both SMTP and
IMAP, correct?
As for the NFS server, this will be set up with DRBD as per this article:
http://www.tutorialsconnect.com/2009/01/how-to-setup-a-redundant-nfs-server-with-drbd-and-heartbeat-in-centos-5/
There will be 2 VMs used for this.

I did not follow the entire discussion but, do you need NFS at all if 
you only have 2 servers?
Couldn't you just use DRBD directly on the Postfix/Dovecot servers?

JD



JD, excellent idea! Don't know how I didn't think of that!

While your idea would work in HA mode, would that cause any problems 
if both postfix servers were used at the same time? (i.e. load balanced)
In fact I may be able to answer my own question by saying yes, it would 
cause a problem as you're not supposed to write to a DRBD secondary...


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 10:18, Jonathan Tripathy wrote:


On 12/01/11 10:15, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk

I will have 2 Postfix/Dovecot servers. Each will be configured to use a
central database and will also use an NFS mount for mail storage. Since
they will both be configured with central storage, I can use my
load-balancer to distribute load between both of them, for both SMTP and
IMAP, correct?
As for the NFS server, this will be set up with DRBD as per this article:
http://www.tutorialsconnect.com/2009/01/how-to-setup-a-redundant-nfs-server-with-drbd-and-heartbeat-in-centos-5/
There will be 2 VMs used for this.
Would it cause any problems for me to use both Postfix servers at the 
same time, given that both Postfix servers will mount an NFS share for 
their mail store from a 2-server DRBD cluster?


Thanks


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk

While your idea would work in HA mode, would  that cause any problems if 
both
postfix servers were used at the same time?  (i.e. load balanced)

In fact I may be able to answer my own question by  saying yes, it would cause
a problem as you're not supposed to write to a DRBD  secondary...

I saw some active-active DRBD howtos; but they used filesystems like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD

If I used an NFS cluster, I could use both Postfix servers at the same 
time, couldn't I?


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 12:47, John Adams wrote:

On 12.01.2011 12:03, Jonathan Tripathy wrote:


On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk

 While your idea would work in HA mode, would that cause any problems
if both
postfix servers were used at the same time? (i.e. load balanced)

In fact I may be able to answer my own question by saying yes, it
would cause
a problem as you're not supposed to write to a DRBD secondary...

I saw some active-active DRBD howtos; but they used filesystems
like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD


If I used an NFS cluster, I could use both Postfix servers at the same
time, couldn't I?


These questions you should really ask in the heartbeat/drbd 
mailing list(s).
Just one hint: think about complexity in an active-active cluster 
running OCFS2 and mail. Think about file locking.
Building this is one thing. Managing the unexpected afterwards is 
another thing.




Looks like I may be in the clear:
http://www.postfix.org/NFS_README.html


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 13:36, Steve wrote:

 Original Message 

Date: Wed, 12 Jan 2011 13:47:00 +0100
From: John Adams mailingli...@belfin.ch
To: postfix-users@postfix.org
Subject: Re: Network Ideas
On 12.01.2011 12:03, Jonathan Tripathy wrote:

On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk


While your idea would work in HA mode, would that cause any problems

if both
postfix servers were used at the same time? (i.e. load balanced)

In fact I may be able to answer my own question by saying yes, it
would cause
a problem as you're not supposed to write to a DRBD secondary...

I saw some active-active DRBD howtos; but they used filesystems
like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD


If I used an NFS cluster, I could use both Postfix servers at the same
time, couldn't I?

These questions you should really ask in the heartbeat/drbd
mailing list(s).
Just one hint: think about complexity in an active-active cluster
running OCFS2 and mail. Think about file locking.
Building this is one thing. Managing the unexpected afterwards is
another thing.


I run a two-node mail server using GlusterFS with replication. It is ultra easy 
to set up. File locking in mail environments is no big issue. Mostly mail 
arrives on one of the MX nodes, gets processed and then passed to the delivery 
agent; the delivery agent then saves the mail (in my case maildir format) into 
the final destination. In the whole processing there is almost no locking 
involved since the mail saved in the maildir has a unique number and that 
alone mostly avoids the need for locking. The POP/IMAP server then does 
indexing and this is the place where locking is/can be involved. But a good 
IMAP/POP server can handle that (Dovecot can).

The whole storage part works so well that I often forget that it is clustered. 
The good thing about GlusterFS is that I can add as many active nodes as I like.

The only part where you have to take care with a clustered mail server or an 
n-node mail server setup is more the other things that you glue into the mail 
server. Things like greylisting, antispam, mailing list software, etc... This 
kind of stuff needs to be cluster aware. The storage is the lesser problem 
IMHO.

Thanks Steve, excellent info

As for the antispam, greylisting and AV things, they will be on 
different servers which are related to the cluster, so I think I'm good 
there.


As for the GlusterFS, I take it this would replace DRBD, Heartbeat and 
NFS in my proposed setup? Have you got any good links that you would 
recommend to setting up such a setup?


Thanks


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 13:42, Jonathan Tripathy wrote:


On 12/01/11 13:36, Steve wrote:

 Original Message 

Date: Wed, 12 Jan 2011 13:47:00 +0100
From: John Adams mailingli...@belfin.ch
To: postfix-users@postfix.org
Subject: Re: Network Ideas
On 12.01.2011 12:03, Jonathan Tripathy wrote:

On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk


While your idea would work in HA mode, would that cause any problems

if both
postfix servers were used at the same time? (i.e. load balanced)

In fact I may be able to answer my own question by saying yes, it
would cause
a problem as you're not supposed to write to a DRBD secondary...

I saw some active-active DRBD howtos; but they used filesystems
like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD


If I used an NFS cluster, I could use both Postfix servers at the same
time, couldn't I?

These questions you should really ask in the heartbeat/drbd
mailing list(s).
Just one hint: think about complexity in an active-active cluster
running OCFS2 and mail. Think about file locking.
Building this is one thing. Managing the unexpected afterwards is
another thing.

I run a two-node mail server using GlusterFS with replication. It is 
ultra easy to set up. File locking in mail environments is no big 
issue. Mostly mail arrives on one of the MX nodes, gets processed and 
then passed to the delivery agent; the delivery agent then saves the 
mail (in my case maildir format) into the final destination. In the 
whole processing there is almost no locking involved since the mail 
saved in the maildir has a unique number and that alone mostly 
avoids the need for locking. The POP/IMAP server then does indexing 
and this is the place where locking is/can be involved. But a good 
IMAP/POP server can handle that (Dovecot can).


The whole storage part works so well that I often forget that it is 
clustered. The good thing about GlusterFS is that I can add as many 
active nodes as I like.


The only part where you have to take care with a clustered mail 
server or an n-node mail server setup is more the other things that 
you glue into the mail server. Things like greylisting, antispam, 
mailing list software, etc... This kind of stuff needs to be 
cluster aware. The storage is the lesser problem IMHO.

Thanks Steve, excellent info

As for the antispam, greylisting and AV things, they will be on 
different servers which are related to the cluster, so I think I'm 
good there.


As for the GlusterFS, I take it this would replace DRBD, Heartbeat and 
NFS in my proposed setup? Have you got any good links that you would 
recommend to setting up such a setup?


Thanks


Also Steve, how do you find the performance of GlusterFS? Are both your 
Postfix/Dovecot servers GlusterFS clients? Reading around, a lot of 
folks are having performance issues with GlusterFS. But those are over a 
year old posts though...


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy


On 12/01/11 14:00, Steve wrote:

 Original Message 

Date: Wed, 12 Jan 2011 13:42:14 +
From: Jonathan Tripathy jon...@abpni.co.uk
To: postfix-users@postfix.org
Subject: Re: Network Ideas
On 12/01/11 13:36, Steve wrote:

 Original Message 

Date: Wed, 12 Jan 2011 13:47:00 +0100
From: John Adams mailingli...@belfin.ch
To: postfix-users@postfix.org
Subject: Re: Network Ideas
On 12.01.2011 12:03, Jonathan Tripathy wrote:

On 12/01/11 10:45, John Doe wrote:

From: Jonathan Tripathy jon...@abpni.co.uk


While your idea would work in HA mode, would that cause any problems

if both
postfix servers were used at the same time? (i.e. load balanced)

In fact I may be able to answer my own question by saying yes, it
would cause
a problem as you're not supposed to write to a DRBD secondary...

I saw some active-active DRBD howtos; but they used filesystems
like OCFS2 or GFS
and such...
http://www.sourceware.org/cluster/wiki/DRBD_Cookbook
But I am no expert...

JD


If I used an NFS cluster, I could use both Postfix servers at the same
time, couldn't I?

These questions you should really ask in the heartbeat/drbd
mailing list(s).
Just one hint: think about complexity in an active-active cluster
running OCFS2 and mail. Think about file locking.
Building this is one thing. Managing the unexpected afterwards is
another thing.


I run a two-node mail server using GlusterFS with replication. It is
ultra easy to set up. File locking in mail environments is no big issue. Mostly
mail arrives on one of the MX nodes, gets processed and then passed to the
delivery agent; the delivery agent then saves the mail (in my case maildir
format) into the final destination. In the whole processing there is
almost no locking involved since the mail saved in the maildir has a unique
number and that alone mostly avoids the need for locking. The POP/IMAP server
then does indexing and this is the place where locking is/can be involved.
But a good IMAP/POP server can handle that (Dovecot can).

The whole storage part works so well that I often forget that it is
clustered. The good thing about GlusterFS is that I can add as many active
nodes as I like.

The only part where you have to take care with a clustered mail server
or an n-node mail server setup is more the other things that you glue into
the mail server. Things like greylisting, antispam, mailing list software,
etc... This kind of stuff needs to be cluster aware. The storage is the
lesser problem IMHO.
Thanks Steve, excellent info


:)



As for the antispam, greylisting and AV things, they will be on
different servers which are related to the cluster, so I think I'm good
there.


Okay. If you can make it that way then this will simplify a lot.



As for the GlusterFS, I take it this would replace DRBD, Heartbeat and
NFS in my proposed setup?


Yes. My goal when designing the system was that each node is autarkic. If I 
look at just one node (from the FS viewpoint) then the node is built this way: 
storage on top of a local RAID device. That local storage is then exported as a 
GlusterFS brick that does replication.

The other node is set up the same way. So let's say the total storage is 1TB. 
Then you need double the amount because node 1 would have 1TB and node 2 would 
have 1 TB too. And since both nodes (in my setup) have local RAID (let's say you 
use mirror) then the total storage would be 4 TB but real usable is only 1 TB.

The GlusterFS server process running on each system then sees the local 1TB 
plus the other 1TB from the other node. If now one node would go down the other 
node still can continue to work since it still sees the 1TB because the 
GlusterFS client process just sees 1TB (the server is aware of the 2 x 1TB but 
from the GlusterFS client viewpoint there is just 1TB). As soon as the other 
node would come back the GlusterFS replication process would take care of the 
sync. And not only that. I could go on and remove that 1TB from node 1 and node 
1 would still be functional since from its viewpoint it sees just the 1TB 
storage (the other node 2 is still working so the storage is still there from 
the viewpoint of node 1).

I know, I know. This all sounds very complicated but it is not. In my first 
setup I managed to completely overload the nodes with just GlusterFS process 
time. But that was a long time ago with early GlusterFS software. Current 
GlusterFS versions are much better.



Hi Steve,

I think what I am getting confused over is whether or not your GlusterFS 
nodes are the same as your Postfix servers. I did a little reading 
online, and from my understanding, you have 2 GlusterFS servers and 2 
GlusterFS clients. Does this mean you have 4 servers in total? Or have 
you managed somehow to make a GlusterFS node act as a Postfix/Dovecot 
box as well?


Thanks


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy



Hello Jonathan,


I think what I am getting confused over is whether or not your GlusterFS
nodes are the same as your Postfix servers.


yes. They are.



I did a little reading
online, and from my understanding, you have 2 GlusterFS servers and 2
GlusterFS clients.


Correct.



Does this mean you have 4 servers in total?


No. As I wrote in my other message: one design goal was to have autarkic mail 
nodes. So each of those nodes is acting as GlusterFS server (connecting to the 
other GlusterFS servers) and as GlusterFS client (consuming the storage exposed 
from the GlusterFS server).



Or have
you managed somehow to make a GlusterFS node act as a Postfix/Dovecot
box as well?


Somehow? No. It is not somehow. Just take your OS of choice and install Fuse 
and GlusterFS. Then configure your GlusterFS server and the client part. That's it.


Don't confuse GlusterFS with the Gluster Storage Platform. They use 
the same technology, but the Gluster Storage Platform adds a GUI and 
management stuff to make an easy-to-use storage platform. For your needs you 
can just use the GlusterFS software and don't need the platform part.



Thanks


Sounds interesting. So each node is a GlusterFS server and client. Does 
the GlusterFS client config file have both servers in it?


And I'm guessing you've configured Postfix's maildir path to point to 
the mount that the GlusterFS client has mounted?


Oh and one final question, how does GlusterFS handle split-brain? Let's 
say somehow the replication link became broken, but both Postfix servers 
continued to operate...


Re: Network Ideas

2011-01-12 Thread Jonathan Tripathy



Oh and one final question, how does GlusterFS handle split-brain? Let's
say somehow the replication link became broken, but both Postfix servers
continued to operate...


This is documentation from 2.x series of GlusterFS but it still applies to 3.x: 
http://www.gluster.com/community/documentation/index.php/Understanding_AFR_Translator

Major point is that GlusterFS is NOT another file system. GlusterFS uses a disk 
based backend and relies heavily on the underlying filesystem extended 
attributes for handling which file is more recent on one brick over another 
when performing a self heal after a split brain condition.
Maybe this isn't really too much of an issue in mail delivery, as files 
aren't usually modified, are they?


I may split up the servers though to reduce split brain, as if one 
GlusterFS server goes down, no mail server would be able to access it.


Re: HA mail system

2011-01-12 Thread Jonathan Tripathy


On 13/01/11 05:36, Jaques Cochet wrote:

Hi

I'm working on a mail system design for an ISP that includes hosting
of multiple virtual domains managed by this ISP (300.000 mailboxes). HA
and performance are both important concerns for the client, so I have
at least 2 of every server (webmail, POP3, IMAP, relay and SMTP
(Postfix)) for which I'm using either L4 or MX record load
balancing/HA.
I hate the idea of distributing mailboxes among servers and I'm trying
to go for a single mailstore that is accessible by POP3/IMAP servers
and delivery SMTP servers, and I'm planning to use a SAN for this. The
basic idea is to share the mailstore between SMTP servers (clustered
storage using GFS maybe) and make the same mailstore available to
POP/IMAP servers using NFS. Am I on the right track here?

Jaques


Jaques,

I asked these very questions yesterday on this list, so you may find 
that info useful :) (Search for Network Ideas and look at recent 
posts, as my initial posts had setup ideas that were too complicated)


Basically, what I'm going to do is have 4 servers in total:

2 X Mail Servers which will run Postfix and Dovecot on the same box
2 X NFS Servers using DRBD and Linux-HA. The 2-server cluster will 
export an NFS share to both mail servers


I'll also have additional incoming mail servers which will do 
spam/virus filtering (no mail store, hence no connection to the NFS cluster). 
Reading around, Postfix and Dovecot work very well in single mail-store 
environments. I don't feel my requirements require me to separate 
Dovecot and Postfix. I will use pfsense as a load balancer though so 
both mail servers can be used at the same time.


I'm still debating between the above mentioned NFS/DRBD cluster and a 
GlusterFS cluster. Reading around online, many people have had 
performance issues with GlusterFS (As late as Sept 2010) so I'm not sure 
this is a good idea.


This setup is just in planning, but it's the latest idea I have.

Cheers


Re: HA mail system

2011-01-12 Thread Jonathan Tripathy



On 13/01/11 05:42, Jonathan Tripathy wrote:


On 13/01/11 05:36, Jaques Cochet wrote:

Hi

I'm working on a mail system design for an ISP that includes hosting
of multiple virtual domains managed by this ISP (300.000 mailboxes). HA
and performance are both important concerns for the client, so I have
at least 2 of every server (webmail, pop3, imap, relay and smtp
(postfix)) for which I'm using either L4 or MX record load
balancing/HA.
I hate the idea of distributing mailboxes among servers and I'm trying
to go for a single mailstore that is accessible by POP3/IMAP servers
and delivery SMTP servers and I'm planning to use a SAN for this. The
basic idea is to share the mailstore between SMTP servers (clustered
storage using GFS maybe) and make the same mailstore available to
POP/IMAP server using NFS. Am I on the right track here?

Jaques


Jaques,

I asked these very questions yesterday on this list, so you may find 
that info useful :) (Search for Network Ideas and look at recent 
posts, as my initial posts had setup ideas that were too complicated)


Basically, what I'm going to do is have 4 servers in total:

2 X Mail Servers which will run Postfix and Dovecot on the same box
2 X NFS Servers using DRBD and Linux-HA. The 2-server cluster will 
export an NFS share to both mail servers


I'll also have additional incoming mail servers which will do 
spam/virus filtering (no mail store, hence no connection to the NFS 
cluster). Reading around, Postfix and Dovecot work very well in single 
mail-store environments. I don't feel my requirements require me to 
separate Dovecot and Postfix. I will use pfsense as a load balancer 
though so both mail servers can be used at the same time.


I'm still debating between the above mentioned NFS/DRBD cluster and a 
GlusterFS cluster. Reading around online, many people have had 
performance issues with GlusterFS (As late as Sept 2010) so I'm not 
sure this is a good idea.


This setup is just in planning, but it's the latest idea I have.

Cheers


I should probably add that in my current idea, my database servers are 
also separate in a DRBD/Linux-HA fashion. This means that both main mail 
servers (which run postfix and dovecot), as well as the inbound mx 
servers (which run postfix, spamassassin and amavisd) can use it for 
lookups. I haven't thought this far ahead yet, but I'm sure I can get my 
inbound mx servers to look up the database to reject mail which the 
whole system doesn't control, yet still use transport maps to send to 
another server...


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy

On 10.01.2011 23:21, Jonathan Tripathy wrote:

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I can
get some good ideas here.

I wish to host managed email servers for some customers. Each customer
will have their own email server which will be an all-in-one virtual
machine running postfix, dovecot and some webmail suite.

Even though each customer will have their own server,


Will your maintenance costs explode?
cost for n customers =(( n virtual servers + 1/n host machine) x 2), 
because you perhaps require HA for mail applications? + 1/n per proxy

These are virtual servers, so no costs to deploy HA or one per customer
Do they require direct access to their server instance? As far as I 
can tell from your description your proxies seem to solve all problems 
of that kind.

Just for authentication when sending emails



Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy


On 1/10/11 5:21 PM, Jonathan Tripathy wrote:

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I
can get some good ideas here.

I wish to host managed email servers for some customers. Each
customer will have their own email server which will be an
all-in-one virtual machine running postfix, dovecot and some webmail
suite.

Even though each customer will have their own server, I do not wish
to give each email server its own public facing IP. I wish to avail
the use of proxy servers so all customers use the same public IP. As
for the smtp-in from the public internet, this isn't a problem as
I can set up many mx servers (using postfix of course) which will
store-and-forward the mail to the correct server (using transport
maps). As for the IMAP access from the customer, I was thinking of
using perdition which is an IMAP proxy - I believe that this will
suit my needs.

This is a bad idea. Once one customer starts spamming, you're screwed
as are the rest of the servers. Give each customer their own IP. This
will solve mail validation issues and the blow auth issues.
Isn't it generally insecure to give direct access to each respective 
customer instance from outside directly?


Also, how do ISPs deal with this? Each customer doesn't have their own IP...




Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy

On 11.01.2011 11:30, Jonathan Tripathy wrote:

On 10.01.2011 23:21, Jonathan Tripathy wrote:

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I 
can get some good ideas here.

I wish to host managed email servers for some customers. Each customer
will have their own email server which will be an all-in-one virtual
machine running postfix, dovecot and some webmail suite.

Even though each customer will have their own server,


Will your maintenance costs explode?
cost for n customers =(( n virtual servers + 1/n host machine) x 2),
because you perhaps require HA for mail applications? + 1/n per proxy

These are virtual servers, so no costs to deploy HA or one per customer


What do you do if your virtual hosts hosting server dies? All 
customers down?

The mere fact I'm using virtualisation is moot in regards to my question :)
The point you bring up, while valid and a very good one indeed, is a 
problem with using virtualisation with any type of service.





Do they require direct access to their server instance? As far as I
can tell from your description your proxies seem to solve all problems
of that kind.

Just for authentication when sending emails


Dovecot or cyrus sasl can be used for SASL/smtp auth. Take a look at 
Postfix' SASL config parameters.



Yes, I know this, however my question is about getting a front end 
server to proxy outbound requests to the customer's respective email server.


I guess another way to do this would be to have the front end smtp-out 
server do the sending itself and ask a customer's respective dovecot 
server for authentication. How can I do this on a domain-by-domain 
basis? (i.e. each domain is authenticated by a different dovecot server)


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote:

I guess another way to do this would be to have the front end 
smtp-out server do the sending itself and ask a customer's 
respective dovecot server for authentication. How can I do this 
on a domain-by-domain basis? (i.e. each domain is authenticated by a 
different dovecot server)


one dovecot auth server to more than one postfix, and lda/pop3/imap, 
and admin is then just postfixadmin, I can't see the problem here


ask help on the dovecot mailing list since it's not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth servers


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy
On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote:


I guess another way to do this would be to have the front end
smtp-out server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this
on a domain-by-domain basis? (i.e. each domain is authenticated by a
different dovecot server)


one dovecot auth server to more than one postfix, and lda/pop3/imap,
and admin is then just postfixadmin, I can't see the problem here

ask help on the dovecot mailing list since it's not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix - dovecot sasl - user db.

This way you can use as many proxies as you want.
Yes, this is how it's done normally. But when a request comes into 
postfix, how will postfix know which dovecot server to authenticate against?


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy

On Tue 11 Jan 2011 13:27:44 CET, Jonathan Tripathy wrote:

Other way round, which is a postfix issue :)


okay, a railroad has 2 ends ? :)


I'm trying to use a single postfix server for many dovecot auth servers


multiple auth servers is imho silly, one doesn't backup that way, if you 
like to do it this way a db cluster could be the point then, so the auth 
is still local on more than one server, for the domain owner it's still 
postfixadmin


well there is more than one road to Rome :=)

I'm not having multiple auth servers for backup purposes.

I want to do this as each dovecot server will provide authentication for 
different domains.


Basically, as stated in my first post, each customer will have a server 
that will have postfix, dovecot, mysql and webmail. However I don't want 
to give outside access to these servers, but instead go via some front 
end servers that can either relay mail to these servers (easy to do), 
or authenticate against them for sending outgoing mail.


You know the way in postfix you can relay mail to another server based 
on transport maps? I'm looking for something similar to this but for 
authentication.


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy

On 11.01.2011 13:47, Jonathan Tripathy wrote:

On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote:


I guess another way to do this would be to have the front end
smtp-out server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this 
on a domain-by-domain basis? (i.e. each domain is authenticated by a
different dovecot server)


one dovecot auth server to more than one postfix, and lda/pop3/imap,
and admin is then just postfixadmin, I can't see the problem here

ask help on the dovecot mailing list since it's not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth 
servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix - dovecot sasl - user db.

This way you can use as many proxies as you want.

Yes, this is how it's done normally. But when a request comes into
postfix, how will postfix know which dovecot server to authenticate
against?


Postfix doesn't care. Dovecot does.

I don't follow, sorry


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy

On 11.01.2011 13:56, Jonathan Tripathy wrote:

On 11.01.2011 13:47, Jonathan Tripathy wrote:

On 11.01.2011 13:27, Jonathan Tripathy wrote:

On Tue 11 Jan 2011 11:52:12 CET, Jonathan Tripathy wrote:


I guess another way to do this would be to have the front end
smtp-out server do the sending itself and ask a customer's
respective dovecot server for authentication. How can I do this
on a domain-by-domain basis? (i.e. each domain is authenticated 
by a different dovecot server)


one dovecot auth server to more than one postfix, and 
lda/pop3/imap, and admin is then just postfixadmin, I can't see the 
problem here

ask help on the dovecot mailing list since it's not really a postfix problem


Other way round, which is a postfix issue :)

I'm trying to use a single postfix server for many dovecot auth
servers


make sasl auth against a DB (ldap or sql) via dovecot.
Postfix - dovecot sasl - user db.

This way you can use as many proxies as you want.

Yes, this is how it's done normally. But when a request comes into
postfix, how will postfix know which dovecot server to authenticate
against?


Postfix doesn't care. Dovecot does.

I don't follow, sorry


Postfix is only required to know the result of the query that dovecot 
does.
Dovecot asks the userdb (via e.g. sql): select 'whatever' as result 
from MyUserDB where user='unixusername' and password='password';
Dovecot returns the result to postfix. Postfix allows or does not 
allow the auth'ed or not auth'ed user to relay.


This is a dovecot question. RTFM dovecot (their online help is really 
good - got it from there, too) or ask their list.
Ah! So you're saying that I should run Dovecot on the Front End 
servers, and get dovecot to authenticate directly with the customer 
database running on the customer servers?


So there must be a way for dovecot to ask different databases depending 
on domain..
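The Postfix-to-Dovecot-to-userdb chain the quoted reply describes can be written down concretely. The following is an added configuration example, not something posted in the thread: it wires Postfix SMTP AUTH to Dovecot over a UNIX socket and has Dovecot look the user up in a SQL table. The database host name, the credentials placeholder and the `mailbox` table layout (PostfixAdmin's default schema is assumed) are assumptions, not values from the thread.

```ini
# --- Postfix main.cf (added example) ---
# Hand SMTP AUTH to Dovecot via a socket under the Postfix queue directory.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Only mynetworks or SASL-authenticated clients may relay; everyone else
# may only send to destinations this server is responsible for.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# --- Dovecot conf.d/10-master.conf ---
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- Dovecot conf.d/10-auth.conf ---
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# --- /etc/dovecot/dovecot-sql.conf.ext ---
driver = mysql
# db.internal.example and the password are placeholders for this example.
connect = host=db.internal.example dbname=postfix user=dovecot password=PLACEHOLDER
default_pass_scheme = SHA512-CRYPT
# Dovecot fetches the stored hash and verifies the submitted password itself;
# the password never becomes part of the SQL statement.
password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND active = 1
```

The difference from the `where user='...' and password='...'` form in the quoted reply is where the password check happens: with `password_query` returning only the stored hash, Dovecot does the comparison against a salted hash, so the table never needs cleartext passwords and the submitted secret is not interpolated into a query. Postfix only ever sees the accept/reject result. Once all components share one central database, as decided later in this thread, a single `passdb` block like this serves every domain, and the per-domain routing question disappears.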


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy



If you secure your daemons properly, it is not insecure to give
customers direct access to the server. Even if they don't have direct
access to the servers IP, they are still able to talk to the server
using inherently insecure protocols like SMTP, IMAP, POP3, etc...

If you are running an ISP email system, then most likely you will have
multiple SMTP/IMAP/POP3 servers to handle the load. As the customer
will be on their network, any privatized addresses will be available
to the customer anyway. Most ISPs will use a small range of IPs to
handle their mail needs. Or one per server. This is to help facilitate
the fact that customers will eventually get your addresses black
listed by other mail providers. If you use just 1 IP for everyone,
then everyone is completely out of luck, and in addition to the mess
you have to clean up, your phone will be ringing off the hook.


I think I've found a better solution to my problem:

My setup will have these components:

Central Database created by PostfixAdmin, which all the components can 
use.

Customer Servers which will run Postfix and Dovecot
SMTP-In mx server, for receiving mail from the public and forwarding 
them to the correct customer server using transport maps
SMTP-Out server, for customers to authenticate with and send out 
emails to the internet
IMAP Proxy, for customer to connect to, to retrieve their email. This 
will run Perdition and is able to proxy IMAP requests to the correct 
customer server.


PostfixAdmin can be used for administration.

I guess that since all the customer servers would be using the same 
database, they would have the potential to accept mail for all 
customers, but I guess that since the SMTP port for those boxes isn't 
open to the public, that will never happen, right?


I'm hoping that my above solution will spread the load.

What do you think?


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy



If you really need to spread the load, setup two servers with Postfix and
Dovecot.  It would significantly reduce the complexity, and eliminate
your issues with multiple IPs.  It would also reduce the bottleneck with
the proxy servers.

So have my entire email system run on 2 boxes alone? What if the postfix 
box were to go down? What if the Dovecot box were to go down? In my 
solution, if a box (or VM in my case) were to go down, at least 
some parts of the system would still function.


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy


On 11/01/11 16:34, Aaron C. de Bruyn wrote:

On 2011-01-11 at 16:25:38 +, Jonathan Tripathy wrote:

So have my entire email system run on 2 boxes alone? What if the
postfix box were to go down? What if the Dovecot box were to go
down? In my solution, if a box (or VM in my case) were to go down,
at least some parts of the system would still function.

I worked for an ISP that handled mail for about 25,000 mailboxes
and over 500,000 messages per day.  We had two identical boxes
with Postfix and Dovecot serving our customers.  If one went down
our load balancer directed all traffic to the other one.

You could do the same thing with virtual machines if necessary.

The part that seems wrong to me is setting up an entire VM for
each customer.  If your VM host goes down, you have lots of little
VMs to recover instead of a few VMs or a few physical servers.

Just food for thought.
You know your network and setup better than I do.  I just know
what you've passed on to the list.

-A


I really do appreciate where you are coming from.

However, our current infrastructure is VM based. We don't really have 
the rackspace to set up physical boxes (yet anyway).


While I have outlined my setup on this list, I haven't mentioned this yet:

I intend to set up multiple instances of each component (except the 
customer servers) spread out on different VM hosts, and use our 
load-balancer to distribute the traffic. I could also set up some 
central storage for the customer servers and set up multiple instances 
of those as well.


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy


On 11/01/11 16:55, Reindl Harald wrote:


On 11.01.2011 17:25, Jonathan Tripathy wrote:


So have my entire email system run on 2 boxes alone?

Where is the problem?

You can run hundreds of mail-domains in ONE virtual machine


What if the postfix box were to go down?

Then you hopefully have 2 VM-Hosts with HA so it does not matter

But then I will need central storage, which I don't currently have. Can 
you please explain how I could achieve this?


Thanks


Re: Network Ideas

2011-01-11 Thread Jonathan Tripathy


On 11/01/11 16:55, Reindl Harald wrote:


On 11.01.2011 17:25, Jonathan Tripathy wrote:


So have my entire email system run on 2 boxes alone?

Where is the problem?

You can run hundreds of mail-domains in ONE virtual machine


What if the postfix box were to go down?

Then you hopefully have 2 VM-Hosts with HA so it does not matter


What if the Dovecot box were to go down?

HA?
Why an extra box with Dovecot?
This makes no sense if you use two VMs on the same host


In my solution, if a box (or VM in my case) were to go down
at least some parts of the
system would still function

if the weather is not raining yes!
If the weather is raining you will jump out of the windows because
you have many os-instances to repair, update without any sense

have you ever thought about the admin-overhead?

ONE well designed mailserver-vm will have better performance and
you are able to look at logfiles and hold the machine clean

how will you do that with 30 VMs while most of them the whole
day sleeping?



Hi Everyone,

Thanks for all the excellent suggestions. I have taken your comments into 
consideration, and here is what I've come up with:


I will have 2 Postfix/Dovecot servers. Each will be configured to use a 
central database and will also use an NFS mount for mail storage. Since 
they will both be configured with central storage, I can use my 
load-balancer to distribute load between both of them, for both SMTP and 
IMAP, correct?


As for the nfs server, this will be set up with DRBD as per this article:

http://www.tutorialsconnect.com/2009/01/how-to-setup-a-redundant-nfs-server-with-drbd-and-heartbeat-in-centos-5/

There will be 2 VMs used for this.

I will give authenticated clients direct access to the IMAP and SMTP 
ports on my load-balancer (No proxies). I will however only accept 
incoming mail from the internet via separate mx server which will relay 
mail (after doing spam checking) to the postfix servers.


A bit better now? :)

Any comments?

Thanks


Network Ideas

2011-01-10 Thread Jonathan Tripathy

Hi Everyone,

Not really an issue directly related to postfix, however I'm sure I can 
get some good ideas here.


I wish to host managed email servers for some customers. Each customer 
will have their own email server which will be an all-in-one virtual 
machine running postfix, dovecot and some webmail suite.


Even though each customer will have their own server, I do not wish to 
give each email server its own public facing IP. I wish to avail the 
use of proxy servers so all customers use the same public IP. As for the 
smtp-in from the public internet, this isn't a problem as I can set up 
many mx servers (using postfix of course) which will store-and-forward 
the mail to the correct server (using transport maps). As for the IMAP 
access from the customer, I was thinking of using perdition which is an 
IMAP proxy - I believe that this will suit my needs.


I am confused however on what to use for the smtp-out proxy. The 
customers will have to authenticate with their respective email server, 
however they will have to go via a proxy of some sort as they won't have 
direct access to their server instance. It probably can't be a 
store-and-forward proxy either.


Does anyone have any idea on what I could use here?

Many Thanks


MYSql Issues

2010-12-11 Thread Jonathan Tripathy

Hi Everyone,

This is maybe a little off-topic, but is anyone having any problems with 
their mysql servers today? I have 3 separate mysql servers (running in 3 
different VMs). One of them is used to do my Postfix SASL 
authentication. Auth is failing today (possibly timing out). Also, the 2 
other mysql servers are used for web services and both of them are 
really slow today. All servers are running near idle.


Any ideas, at least on the postfix issue? I see this when my WHMCS (PHP 
billing system) tried to connect to the postfix server:


warning: unknown[10.87.14.2]: SASL LOGIN authentication failed: VXNlcm5hbWU6

This setup has been working for months without issue. Just today it's 
playing up..


Thanks
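The warning quoted in the post ends in a base64 token, and decoding it is the first thing worth doing when triaging SASL failures. The script below is an added example, not from the thread: it parses Postfix smtpd SASL failure warnings, decodes the trailing token (VXNlcm5hbWU6 is base64 for "Username:", the LOGIN mechanism's first server prompt, so the dialogue had not progressed past the username prompt when the failure was logged) and tallies failures per client IP. The sample log lines are constructed for the example; only the 10.87.14.2 warning mirrors the one in the post, and the host name, PIDs, timestamps and the 203.0.113.9 address are made up.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample Postfix log excerpt (not real log data). The 10.87.14.2
# warning mirrors the one quoted in the post; everything else is made up.
SAMPLE_LOG = """\
Dec 11 18:20:01 mx1 postfix/smtpd[4127]: warning: unknown[10.87.14.2]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Dec 11 18:20:07 mx1 postfix/smtpd[4127]: warning: unknown[10.87.14.2]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Dec 11 18:21:44 mx1 postfix/smtpd[4130]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Dec 11 18:21:45 mx1 postfix/smtpd[4130]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 11 18:22:00 mx1 postfix/smtpd[4131]: connect from unknown[203.0.113.9]
"""

# Matches the warning smtpd emits when a SASL exchange fails.
SASL_FAIL_RE = re.compile(
    r"warning: (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$"
)


def decode_sasl_token(token):
    """Decode a base64 SASL token to text, or return None if it is not one.

    For the LOGIN mechanism the trailing field of the warning is the last
    server prompt, so 'VXNlcm5hbWU6' decodes to 'Username:'. Free-text
    reasons such as 'authentication failure' are not valid base64.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def parse_sasl_failures(log_text):
    """Return one dict per SASL failure line: ip, mechanism, raw reason, prompt."""
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if not m:
            continue
        reason = m.group("reason").strip()
        events.append({
            "ip": m.group("ip"),
            "mech": m.group("mech"),
            "reason": reason,
            "prompt": decode_sasl_token(reason),
        })
    return events


def failures_by_ip(events):
    """Count failures per client IP. Failures spread over many unknown hosts
    look like credential guessing; a burst from one known internal host (the
    billing system in the post) points at the auth backend instead."""
    return Counter(e["ip"] for e in events)


def stuck_at_username_prompt(events):
    """IPs whose LOGIN attempts all failed while the last server prompt was
    still 'Username:', i.e. the dialogue never reached the password step."""
    by_ip = {}
    for e in events:
        if e["mech"] != "LOGIN":
            continue
        by_ip.setdefault(e["ip"], []).append(e["prompt"] == "Username:")
    return sorted(ip for ip, flags in by_ip.items() if all(flags))


if __name__ == "__main__":
    evs = parse_sasl_failures(SAMPLE_LOG)
    for ip, n in failures_by_ip(evs).most_common():
        print(f"{ip}: {n} SASL failure(s)")
    print("stuck at Username: prompt:", stuck_at_username_prompt(evs))
```

Run against a real mail.log the same way (`parse_sasl_failures(open("/var/log/mail.log").read())`). A single internal address whose attempts never get past the username prompt, with an unchanged client configuration, is the pattern to check the Dovecot auth socket and its database backend for rather than the client's credentials; many distinct external addresses cycling through prompts is the pattern to rate-limit.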


Re: MYSql Issues

2010-12-11 Thread Jonathan Tripathy


On 11/12/10 18:56, Jeroen Geilman wrote:

On 12/11/10 7:18 PM, Jonathan Tripathy wrote:

Hi Everyone,

This is maybe a little off-topic, but is anyone having any problems 
with their mysql servers today?


That is an odd - and disturbingly non-technical - assertion, that the 
date has anything to do with how a product deployed on hundreds of 
thousands of computer systems performs.

It is not unheard of for software issues to crop up on certain dates.

Have you administered a computer before ?

Your insulting tone is not appreciated
I have 3 separate mysql servers (running in 3 different VMs). One of 
them is used to do my Postfix SASL authentication.

No.

Postfix uses either Cyrus sasl or dovecot sasl to authenticate. 
Neither of them are MySQL.
Thanks for the clarification. I am using dovecot, however I do have a 
lot of virtual mappings in my main.cf file which run MYSQL queries.


Auth is failing today (possibly timing out). Also, the 2 other mysql 
servers are used for web services and both of them are really slow 
today. All servers are running near idle.


Any ideas, at least on the postfix issue? 


There is no postfix issue.

I see this when my WHMCS (PHP billing system) tried to connect to the 
postfix server:


warning: unknown[10.87.14.2]: SASL LOGIN authentication failed: 
VXNlcm5hbWU6


So maybe the credentials were, I don't know... incorrect ?

The credentials are not incorrect, as the settings file wasn't changed




This setup has been working for months without issue. Just today it's 
playing up..



Ah, I've never heard that one before.

YES, you changed something - something ALWAYS changed.

Most likely culprit is a software update/upgrade.
Possibly a software upgrade is causing the issue, however I haven’t 
configured automatic updates on the Ubuntu VMs.




Re: MYSql Issues

2010-12-11 Thread Jonathan Tripathy


On 11/12/10 19:19, John Adams wrote:

On 11.12.2010 19:18, Jonathan Tripathy wrote:

Hi Everyone,

This is maybe a little off-topic, but is anyone having any problems with
their mysql servers today? I have 3 separate mysql servers (running in 3
different VMs). One of them is used to do my Postfix SASL
authentication. Auth is failing today (possibly timing out). Also, the 2
other mysql servers are used for web services and both of them are
really slow today. All servers are running near idle.

Any ideas, at least on the postfix issue? I see this when my WHMCS (PHP
billing system) tried to connect to the postfix server:

warning: unknown[10.87.14.2]: SASL LOGIN authentication failed:
VXNlcm5hbWU6

This setup has been working for months without issue. Just today it's
playing up..

Thanks


Hard to say without further info.
Can you please follow the instructions here

http://www.postfix.org/DEBUG_README.html#mail

before you post debugging requests?
This could help isolating the problem.



Just to keep everyone updated on this, I re-installed the MYSQL servers 
(just simple apt-get commands) and all seems to be working well now... weird


Thanks


Re: Is there a limit on incoming messages on a single connection?

2010-11-13 Thread Jonathan Tripathy


On 13/11/10 08:53, mouss wrote:

On 12/11/2010 20:03, Victor Duchovni wrote:

On Fri, Nov 12, 2010 at 10:06:46AM -0800, Rob Tanner wrote:


Our admissions office sends out mass mailings to prospective students,
anywhere from 5,000 to 25,000 at a time.  They are mail-merged and 
sent via

outlook to the postfix server, one recipient per message.


I am skeptical that it is in fact one recipient per message. Check your
logs carefully. Do all the recipients get different queue-ids?


The user reports
that outlook sends out 500 messages and then stops.  If he restarts 
outlook,

it will send out another 500 and then stop again.  If he leaves it
overnight, it might send several more thousand by morning.  When I 
look in

the mail logs, somewhere around 500 messages, followed by a disconnect.


The client disconnects voluntarily, unless it exceeded an error counter.
Postfix has a hard and soft error limit, but these are reset after each
successful delivery. So exceeding the limits on consecutive errors 
should

be infrequent.

What I don't know is whether outlook is disconnecting or whether 
postfix is
closing the connection.  Is there a limit, configurable or 
otherwise, to the
number of messages postfix can receive on a single connection?  And 
at that

point, does postfix close the connection to the client?


Postfix would log the reason if it forced a client disconnect.



I bet it's the anti-virus software on the client box...


More specifically, I know for a fact that Avast Anti-Virus has issues 
with sending large amounts of email to a postfix server from outlook.


Re: Postfix on Cloud

2010-08-07 Thread Jonathan Tripathy


On 07/08/10 10:15, Stan Hoeppner wrote:

Julio Cesar Covolato put forth on 8/7/2010 12:37 AM:


Is there anyone using postfix in cloud, like Amazon ec2?

Dunno about Postfix specifically, but there are/were many spammers operating
out of the Amazon cloud as well as the Rackspace cloud.  Even if they are
clean now, their reputation is still low due to prior traffic.


My questions:
Is this interesting?
The pros and cons..
Other cloud systems...
Why and why not to cloud postfix.

Anyone?

No pros, only cons.  TINW wholesale block SMTP from Amazon's cloud,
Rackspace's cloud, etc.  Mail emitted from clouds and VPS servers at cheap
ISPs has a much higher chance of being blocked, delayed, etc than that from a
colo'd box at a reputable provider.

Due to the pricing structure of cloud and VPS services they are both
attractive to spammers, and the spammers care not if they cause the netblocks
they use to be scorched.  They simply then move on to another VPS provider in
search of clean cloud/VPS netblocks to spam from.

Clouds and VPS are fine for a few classes of applications.  SMTP mail is not
one of them.



There is nothing wrong with using Postfix on a VPS. Works great. Been 
using it for ages. Companies that block whole netblocks of VPS ISPs are 
being a bit silly, as VPSs are becoming used more and more for 
businesses. Of course, VPS ISPs should always do checks to make sure 
that a person signing up is who they say they are - A simple credit card 
name and address check would suffice I guess.


Re: Thanks to wietse and the distribution list a new web console is born

2010-08-07 Thread Jonathan Tripathy



I'm amazed that *source*forge allowed you to host this.

Please, shoot me down if I am wrong - I am no expert on Open Source 
licensing, but attribution is NOT optional.



You are wrong. Provided that the license is GPL, LGPL or BSD based, then 
no permission is needed.


Please give the guy a break. I admire him for wanting to contribute to 
the open source community, and wanting to get involved.


David, keep up the good work! I'm thrilled that you're starting this 
project :)


Re: Thanks to wietse and the distribution list a new web console is born

2010-08-07 Thread Jonathan Tripathy



On 07/08/10 15:08, Jonathan Tripathy wrote:



I'm amazed that *source*forge allowed you to host this.

Please, shoot me down if I am wrong - I am no expert on Open Source 
licensing, but attribution is NOT optional.



You are wrong. Provided that the license is GPL, LGPL or BSD based, 
then no permission is needed.


Please give the guy a break. I admire him for wanting to contribute to 
the open source community, and wanting to get involved.


David, keep up the good work! I'm thrilled that you're starting this 
project :)


And also, GPL makes no mention of attribution. You can't remove the 
copyright notice though.


Re: Thanks to wietse and the distribution list a new web console is born

2010-08-07 Thread Jonathan Tripathy



Thanks!

Perhaps you would consider linking to them on your web site ?

I may have been overly harsh, 

Yes, you were :)

Open Source software is, a lot of the time, provided out of the good of 
peoples' hearts. You should be thankful that someone has gone to the 
effort to code something, and released it free of charge. Go ask 
Microsoft for the source code for Exchange...


but I hardly ever see open source projects that have all the exterior 
hallmarks of being a commercial enterprise.
That's the joy of Open Source software, you don't need to be a big 
commercial enterprise to contribute or be successful.


However, it is important to include or offer source code for 
other GPL applications being included. But no reason to flame (unless he 
refused of course, which he didn't).


Anyways, this project looks interesting, and anything that can help get 
Postfix out there and replace some of the terrible mail 
servers out there is welcome.





Re: Postfix on Cloud

2010-08-07 Thread Jonathan Tripathy


On 07/08/10 21:10, Patrick Ben Koetter wrote:

* Stan Hoeppners...@hardwarefreak.com:
   

Julio Cesar Covolato put forth on 8/7/2010 12:37 AM:

 

Is there anyone using postfix in cloud, like Amazon ec2?
   

Dunno about Postfix specifically, but there are/were many spammers operating
out of the Amazon cloud as well as the Rackspace cloud.  Even if they are
clean now, their reputation is still low due to prior traffic.
 

ACK.

Ralf and I installed a Postfix system in the cloud and the system initially
had very low deliverability. Most of the receiving systems that declined
responded that our server's IP was banned.

p...@rick

   


Do these only happen when postfix is sending mail from a cloud-based VPS?


Re: Postfix on Cloud

2010-08-07 Thread Jonathan Tripathy


On 07/08/10 21:47, Patrick Ben Koetter wrote:

* Jonathan Tripathyjon...@abpni.co.uk:
   


Do these only happen when postfix is sending mail from a cloud-based VPS?
 

Speaking for myself, until today I haven't had any bad experiences with VPS
in general. Add cloud to VPS and the picture changes.

In the long run you can raise deliverability, but the question I guess
everybody needs to answer for themselves is whether it is worth battling for
it or not.

p...@rick

   


I guess my question is a little more general than this topic: do 
providers ever block *who* mail is sent to?


Re: Postfix on Cloud

2010-08-07 Thread Jonathan Tripathy


On 08/08/10 01:33, Stan Hoeppner wrote:

Jonathan Tripathy put forth on 8/7/2010 4:03 PM:

   

I guess my question is a little more general than this topic: do
providers ever block *who* mail is sent to?
 

You probably need to be much more specific, detailed, with this question.

   


For example, if I used a VPS postfix server as my incoming server (i.e. 
mx server), would that be any problem?


Re: Providing SMTP relay access to roaming laptop without creating an open relay...

2010-08-01 Thread Jonathan Tripathy


On 01/08/10 18:56, Wietse Venema wrote:

and perhaps TLS encryption (to protect the login
   

Do not underestimate the importance of enabling TLS :)


Re: Mixed Setup

2010-07-24 Thread Jonathan Tripathy


On 22/07/10 21:32, Ralf Hildebrandt wrote:

* Michael Orlitzkymich...@orlitzky.com:

   

I'll repeat myself. .local is not a reserved suffix. nor is
.localdomain, despite what linuxers seem to believe. using such domains
is a hijack. you are telling the IETF: we decided to use these suffixes
and you cannot use them anymore. This is unacceptable. choose your camp.
   
I'm very sorry but I have to disagree with this. By using .local, what 
one is saying is: this is my local private network, I wish to use this 
suffix for it. If you want to use it elsewhere in the future, then that 
is ok, and I'll face the consequences then. There is nothing illegal 
about calling a private network anything. You could give your local 
private network a .gov address and I still think that would be ok.


RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Jonathan Tripathy
Port 25 outgoing will be blocked by most ISPs
---
 
This may be the case in your country, but from where I'm from, I've never had a 
problem sending out on port 25, even on home residential ISPs :)




RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Jonathan Tripathy
Jonathan Tripathy wrote:
 Port 25 outgoing will be blocked by most ISPs

 This may be the case in your country, but from where I'm from, I've
 never had a problem sending out on port 25, even on home residential
 ISPs :)

Any ISP that does *not* block port 25 for residential service is a part
of the spam/zombie problem, and if yours doesn't, you should complain,
loudly if necessary, and encourage them to block it.


-

Every ISP in the UK?

I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Now, by default, the ISPs do put their DSL (dynamic and static) IP addresses 
automatically on the RBL blacklist, listed as a server which should not normally 
send email. To realistically send email from a dynamic IP, you need to remove 
yourself from that list, but you have to promise not to spam. Then, if you 
spam, you get put back on permanently.



RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Jonathan Tripathy


 I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Ridiculous, net neutrality has nothing to do with service level
agreements. Residential service does not in any way, shape or form
equate to requiring full SMTP services to be able to run your own full
blown mail server, nor does denying access to port 25 for 'normal'
residential users impact their ability to access the internet or
send/receive email.

If you want that level of service, upgrade to a service that provides
it, and that will be at least minimally monitored for abuse (it is in
the ISP's best interest to avoid getting their IP addresses on blacklists).
 
-
 
I pay for a connection to the internet. Provided I don't do anything illegal, I 
should be allowed to pass whatever traffic I want on it - even SMTP traffic. 
Blocking outgoing port 25 is not a solution.
 
An example: what if I own an SMTP server somewhere else, and want to test it 
from my home one evening? 
 
Why should I be forced to use an ISP's mail server to send an email?
 
But this is getting a bit OT for this list I think.
 
Bottom line, ISPs should not block any traffic or any ports. That doesn't mean 
they should guarantee any level of uptime or speed (however whatever measure 
they apply should be uniform across all protocols), but the actual content 
that is passed should not be touched. Also, ISPs should *never* monitor traffic. 
This is a violation of privacy rights and net neutrality, as well as implicating the 
ISP in a lot of legal areas that they would want to avoid (example: EU law 
says that if an ISP is not aware of any illegal activity/content, then they are 
not doing anything wrong. If they monitor traffic, they become liable for 
everything illegal that is passed.)
 
At the very least, if an ISP blocks port 25, then a simple phone call should 
allow this to be unblocked.



Re: OT: ISP Blocking of port 25

2010-07-21 Thread Jonathan Tripathy


On 21/07/10 20:06, Daniel V. Reinhardt wrote:




- Original Message 
   

From: Ansgar Wiechersli...@planetcobalt.net
To: postfix-users@postfix.org
Sent: Wed, July 21, 2010 12:51:34 PM
Subject: Re: OT: ISP Blocking of port 25

On 2010-07-21 Charles Marcus wrote:
[ lots of words ]

Charles, any ISP who restricts network traffic (with or without packet
inspection) is clearly violating net neutrality. Period. I suggest you
look up the term.

There may be valid reasons for an ISP to do this, but that doesn't
change one thing about the violation. Sorry to burst your bubble.

Regards
Ansgar Wiechers
--
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky

 

Sorry to burst your bubble, but if I am willing to pay more to get more then I
should; those people who pay for a residential account shouldn't get business
class or enterprise services.  I once used Comcast, but had their Gold Services
Contract allowing me to run my own servers on my connection, and of course that
came with a heavier price tag as well.  It was like 10 to 20 bucks more for
that.  I now have Verizon FiOS which delivers me 35 Megabits up and down, which a
residential person can get for a fraction of the cost, but I have a block of 5
static IPs and unlimited bandwidth and data transfers, not to mention I can run
my own servers such as DNS, E-Mail, HTTP, HTTPS, and what have you.  I pay 140
bucks a month for that plan.

So in my opinion net neutrality is a complete joke.

Your average joe doesn't need to be running servers, and if you want business
class services and abilities then pay for it.  Bandwidth costs money.  You can't
have your cake and eat it too.

Thanks,
Daniel Reinhardt
   


Clearly some people here are either a) ISPs or b) bitter that they got 
ripped off because a residential service can run mail servers :)


 I don't know what international laws are like, but an ISP should 
*never* monitor for abuse in the EU, and should *never* be made liable 
for what their customers do. This would just ruin the industry! I can't 
believe people actually think that ISPs should be legally responsible 
for something someone else does! This is me saying that from the point 
of view of an EU citizen. I appreciate that views around the world will 
differ, but in the EU, ISPs are not responsible for the tens of 
thousands of customers they have - it's infeasible and would put blame 
where it isn't due (Does it really benefit society to throw the director 
of an ISP in jail, vs the spammer him/herself?).


BTW: I'm not a spammer, just someone who believes in a free internet. 
Free doesn't mean illegal spam-ridden, and also doesn't mean cost-free. 
And I'm definitely pro for the fact that Spam is illegal.


And also, I do believe that a business-class service should have an SLA 
which covers better speed guarantees and uptime. But it should not 
unblock more ports compared to a residential service.


As I mentioned before, if they really feel that blocking port 25 blocks 
spam, then a simple phone call should unblock this.


Re: OT: ISP Blocking of port 25

2010-07-21 Thread Jonathan Tripathy



Why should home users get business class services at a fraction of the cost?  It
is quite ignorant to think that.
Allowing legal data to pass without being monitored, snooped upon, or 
blocked due to the type of traffic, is not just for business class 
services.

Are you upset that you live in Europe where
bandwidth caps are rather small compared to ISP's in the US?  Would you expect
the same service for bandwidth that a business class user gets for a cost at a
residential price?  If you answer yes then you simply live in a dream world.
   
Firstly, I class that smack talk against another country, which some 
may find offensive. There was no need to generalise by country something 
as silly as this topic. And secondly, my residential ISP gives me no cap 
at all, and I can confirm this as I would easily download probably close 
to 500GB a month (big Linux fan here). I also have a separate 
business-class line, which gives me 100GB a month. I have this as they 
give me a static IP, and also have LLU at my exchange so the upload 
speed is better. Both ISPs allow all ports in and out. So, in my 
personal experience, my business class ISP is more restrictive than my 
residential one. Additionally, my other business-class line at my colo 
gives me 1TB a month with a /27 subnet for £40/month. So to sum it up, 
I'm very happy with my net connections.

As I mentioned before, if they really feel that blocking port 25 blocks spam,
then a simple phone call should unblock this.
 

A simple phone call requesting a business class internet account and line will
also suffice if they want full control over their ports.

If I was an ISP all inbound connections to residential IPs would be denied.
Only http and https and submission would be allowed.  To help conserve the cost
of bandwidth and to make more bandwidth available to people who want more.
   
Can you please understand that I'm not talking about bandwidth here? I'm 
talking about port availability and just leaving our traffic alone. Of 
course a business-class service should provide a greater, steadier 
bandwidth with greater uptime.


Re: Best Practise

2010-07-19 Thread Jonathan Tripathy



If using BSD or Linux, you can also enable the local packet filter (pf
under BSD, netfilter/iptables under Linux) to only allow explicitly
authorized traffic. if you are familiar with these tools, then you don't
even need a firewall (pf and netfilter/iptables are firewalls, so you
get a self protected box. but this is only true if you are familiar... ).

off topic
while I am in, the term DMZ means a lot of things. in old setups, it
almost always meant a zone connected to a 3rd port of the firewall.
I prefer a double firewall setup, where you avoid having traffic go
twice through the same firewall. This means you need smaller firewalls.
the additional cost (2 small FW - 1 large FW) is justified by the
simplification of your setup and by the higher (to some extent, but
higher anyway) security level.
/off topic

   


Hi mouss,

I forgot to mention that all these servers will be on a Xen box, so I 
will be using iptables an awful lot. In fact, I'm going to set it up in 
such a way that the postfix server isn't able to spoof IP address or MAC 
address, as the iptables will be on the Xen Host... :)


So you think given this, that placing the mail server in the DMZ is ok then?

Thanks


Re: Mixed Setup

2010-07-19 Thread Jonathan Tripathy



Can you please explain why I would need to use smtp_generic_maps? I'm
not entirely sure of the use of it in this context.

 

you only need that if your exchange is configured to receive mail for
j...@example.com and not for  j...@exchange.example.com.

if you configure exchange to accept mail for j...@exchange.example.com
and make it consider this the same thing as j...@example.com, then you
don't need smtp_generic_maps.


if on the other hand your exchange (or whatever internal server) only
wants j...@example.com, then postfix gives you the opportunity to rewrite
the addresses at delivery time (after virtual_alias_maps are expanded).
This is an exceptionally nice feature in postfix. it means you can do
rewrite at input (virtual_alias_maps) then at output
(smtp_generic_maps). This somewhat resembles NAT in packet filters that
allow you to do NAT at input (map destination IP address) and at output
(map source IP address) for a single IP packet.


   


Now that's a cool feature!

However, I think I'll stick with giving the exchange server an 
internal domain, like exchange.local, as this is what I'm familiar 
with and I have already got this setup to work. Things get messy as 
Exchange needs active directory as well.


Now, all I need now is some nice central address book that works 
across both Thunderbird (for the Linux mail server users) and Outlook..


Re: Best Practise

2010-07-19 Thread Jonathan Tripathy



I am not a Xen expert, but AFAICT, you can configure iptables in the VM
and in the host.

note that I am not saying you should do that. it really depends on your
setup. if you can script the work to implement centralized admin, then
it may be worth the pain.
   
Yeah, I'm used to scripting iptables upon VM boot and shutdown for 
customers, so setting this up for iptables should be ok. Xen makes life 
so much easier by giving each VM an interface, so you can filter based 
on that.
   

So you think given this, that placing the mail server in the DMZ is ok then?

 

sure it is. as already recommended, you can use VLAN to implement
logical segmentation inside a zone (provided your VLAN implementation
can't be circumvented. remember, this is only logical...).
   
Think it would be ok if I didn't use VLAN segmentation, but just used 
iptables between hosts? I think this would nearly achieve the same thing...


Best Practise

2010-07-16 Thread Jonathan Tripathy
Hi Everyone,
 
I have set up a mail server (on a VM) as per this article:
 
http://workaround.org/ispmail/lenny
 
I wish to host this server for a customer. However, I don't think it's best 
practise to simply place the whole VM in a DMZ and port forward to it. My 
question is, what should I do and what should I split up? The networks I have 
available to me are:
 
- Public Subnet (Has external IPs)
- DMZ Subnets (Highly secure subnet with limited access to other hosts. Ports 
are forwarded to DMZ servers for incoming services, and outbound access from 
these DMZ servers is strictly limited to a need-to basis)
- LAN Subnet (Speaks for itself)
 
I do believe that by putting the email server VM in the DMZ, if it were to get 
compromised, I feel that the DMZ firewall rules would give the rest of my 
network protection. However, it's game over for my customers' emails though!
 
Any help or advice on how I could split things up would be appreciated.
 
Thanks


Multiple Users

2010-06-30 Thread Jonathan Tripathy
Hi there,
 
Does postfix support multiple users using aliases? 
 
Example:
 
sa...@domain.com would send the mail to 
us...@domain.com, us...@domain.com, us...@domain.com
supp...@domain.com would send the mail to us...@domain.com and us...@domain.com
 
My aliases table and user database are stored in a MySQL database.
 
Maybe this task is more suitable for a mailing list program.
 
Thanks


Re: Replace Private IP by Server Hostname in mail header

2010-06-28 Thread Jonathan Tripathy

Rachid,

Why is it a problem that people see your internal IPs?

Thanks

On 28/06/10 18:03, Rachid Abdelkhalak wrote:


Thank you Jeroen,

My need is to prevent people seeing my internal IPs; if I can make my 
server write in the header 127.0.0.1 instead of the 
192.168.0.2 it will be great.


I see in the header of your mail, for example, all Received: tags 
indicate 127.0.0.1; I want my server to do the same thing if possible.


Thank you

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco

On Sun, 27 Jun 2010, Jeroen Geilman wrote:


On 06/27/2010 01:20 PM, Rachid Abdelkhalak wrote:


Hello List,

I have a mail relay and an internal mail server both under Postfix 
and behind a firewall (DMZ and LAN); on both segments I'm using a 
private IP address with NAT.


In all outgoing email headers sent by our users, I can see my 
servers' IP addresses (private).


Is there any config that I can do to make postfix write the hostname 
instead of the IP address in the header, or replace the private IP 
address with the public IP address?


Thank you

Best regards.


The format and content of Received: headers is described in detail in 
the relevant RFCs.


Make sure you know why you want to mess with them before blundering 
forward.


J.




Re: Replace Private IP by Server Hostname in mail header

2010-06-28 Thread Jonathan Tripathy

Hi Rachid,

Ahh the good old end user's boss problem!

Well I guess the arguments could be that since it's an internal IP 
address, there is *no way* it can be accessed from outside. Even if the 
boss's firewall left all ports open to the mail server, they couldn't 
access it via the internal IP address, as ISP infrastructure doesn't 
route private IP addresses.


Another point you could mention to him is that when 
anybody in the world sends an email via Thunderbird, Outlook etc., 
their private IP is exposed. This has never done anyone any harm. In 
fact Rachid, I already know your internal IP address of the machine 
you're using at the minute. It ends in 144!


If this is still an issue, put the box either on a public subnet, or put 
it in a private subnet which is different from the rest of the office 
PCs/servers.


Just my 2 pence

Thanks

Jonathan
On 28/06/10 18:07, Rachid Abdelkhalak wrote:


This is not a problem for me; the end customer's IT boss asked me to 
see if it is possible to do it, he doesn't like to publish their private 
IPs for 'Security reasons'.


If it is not possible, I have to give him convincing arguments.

Thank you

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco



Re: Replace Private IP by Server Hostname in mail header

2010-06-28 Thread Jonathan Tripathy
No problem at all. If you need more help, let me know, as this is the 
kind of stuff that I deal with here (convincing bosses..).


Btw, unless you get your users to use webmail, their local internal IP 
address of their client machines will always be in the email headers - 
even if the server is in a different subnet. You can try and make him 
relax by letting him know that this is how GMail and Hotmail work (if 
you use their POP/SMTP features)


Thanks

Jonathan
On 28/06/10 18:19, Rachid Abdelkhalak wrote:


Thank you Jonathan.

--
|-Rachid Abdelkhalak
|-Network Security Engineer, MTDS
|-in morocco 080200MTDS
|-direct +212(0)537278820
|-mobile +212(0)661173437
|-14, rue 16 novembre
|-Rabat 10080 Kingdom of Morocco



illegal address syntax

2010-05-27 Thread Jonathan Tripathy

Hi Everyone,

I'm currently in the middle of watching a customer's mail.log file. He 
is trying to send an email to a lot of people at once (Something like 
5000), however the logs don't reflect this. Instead I'm seeing:


May 27 10:32:41 server1 postfix/smtpd[8144]: connect from office1.domain.local[10.86.1.101]
May 27 10:32:43 server1 postfix/smtpd[8144]: warning: Illegal address syntax from office1.domain.local[10.86.1.101] in RCPT command: contac...@abc+xyz.co.uk
May 27 10:32:44 server1 postfix/smtpd[8144]: warning: Illegal address syntax from office1.domain.local[10.86.1.101] in RCPT command: i...@qrs+tuv.co.uk
May 27 10:32:55 server1 postfix/smtpd[8144]: too many errors after RCPT from office1.domain.local[10.86.1.101]
May 27 10:37:55 server1 postfix/smtpd[8144]: disconnect from office1.domain.local[10.86.1.101]


The above is happening over and over again (minute or so) with no sign 
of the other emails being sent. Presumably, the client (Outlook 2003) 
keeps retrying..


As you can see, the client is trying to send an email to 2 email addresses 
with a + in them, which postfix doesn't seem to like. This may be the 
case, and may be ok, however my concern is: why aren't I seeing any 
emails being sent to the other 4998 valid addresses? Is there anything I 
can do to force postfix to use those addresses?


Thanks

Jonathan



Re: illegal address syntax

2010-05-27 Thread Jonathan Tripathy



Even after removing those 2 addresses from the list, we are still getting 
the too many errors after RCPT from office1.domain.local[10.86.1.101] 
(Of course, the 2 email addresses aren't mentioned anymore).


Re: illegal address syntax

2010-05-27 Thread Jonathan Tripathy



too many errors after...

raise the soft_error_limit and/or the hard_error_limit

   


Ah! So my postfix server has a limit then. Where can I put these 
settings? In main.cf ?


Re: illegal address syntax

2010-05-27 Thread Jonathan Tripathy


On 27/05/10 11:11, Ralf Hildebrandt wrote:

* Jonathan Tripathyjon...@abpni.co.uk:
   
 

too many errors after...

raise the soft_error_limit and/or the hard_error_limit

   

Ah! So my postfix server has a limit then. Where can I put these
settings? In main.cf ?
 

Yes, like almost all settings...

smtpd_hard_error_limit = 1000
smtpd_soft_error_limit = 1000

   


Ok, I changed the above 2 settings to be 1 in my main.cf file, 
however it didn't change anything (Still showed too many errors). But 
what I did do is change smtpd_recipient_limit to 10,000 and now 
everything seems to be working ok...
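As an added example (not code from the thread), here is a small Python summariser for smtpd log lines like the ones quoted above: it groups entries per session, lists the recipients rejected for illegal syntax together with the offending domain label (a '+' is legal in the local part but not in a domain label), and separates out sessions aborted for "too many errors" that show no syntax warning at all, which is what the thread ran into after the two bad addresses were removed, since every rejected RCPT counts toward the error limit, including recipients over smtpd_recipient_limit, which this kind of log excerpt does not record. Host names and addresses in the sample log are constructed.

```python
"""Summarise Postfix smtpd sessions from mail.log lines (added example)."""
import re
from collections import OrderedDict

# Constructed sample mail.log, modelled on the thread's excerpt (hosts and
# addresses are made up). Session 8144 mirrors the thread; session 8150 hits
# the error limit without a single "Illegal address syntax" warning.
SAMPLE_LOG = """\
May 27 10:32:41 server1 postfix/smtpd[8144]: connect from office1.domain.local[10.86.1.101]
May 27 10:32:43 server1 postfix/smtpd[8144]: warning: Illegal address syntax from office1.domain.local[10.86.1.101] in RCPT command: contact@abc+xyz.example
May 27 10:32:44 server1 postfix/smtpd[8144]: warning: Illegal address syntax from office1.domain.local[10.86.1.101] in RCPT command: info@qrs+tuv.example
May 27 10:32:55 server1 postfix/smtpd[8144]: too many errors after RCPT from office1.domain.local[10.86.1.101]
May 27 10:37:55 server1 postfix/smtpd[8144]: disconnect from office1.domain.local[10.86.1.101]
May 27 10:40:02 server1 postfix/smtpd[8150]: connect from office1.domain.local[10.86.1.101]
May 27 10:40:20 server1 postfix/smtpd[8150]: too many errors after RCPT from office1.domain.local[10.86.1.101]
May 27 10:45:20 server1 postfix/smtpd[8150]: disconnect from office1.domain.local[10.86.1.101]
"""

# syslog prefix: timestamp, host, "postfix/smtpd[pid]: ", then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
ILLEGAL_RE = re.compile(
    r"^warning: Illegal address syntax from (?P<client>\S+) in (?P<cmd>\w+) command: (?P<addr>\S+)$"
)
TOO_MANY_RE = re.compile(r"^too many errors after (?P<cmd>\w+) from (?P<client>\S+)$")
DISCONNECT_RE = re.compile(r"^disconnect from (?P<client>\S+)$")

# RFC 5321 domain label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def bad_domain_labels(address):
    """Return the labels of the domain part that violate RFC 5321 label syntax.

    An empty list means the domain part is fine. The local part is not checked:
    '+' is legal there (user+tag@example.com), which is why the same character
    is accepted on one side of the '@' and rejected on the other.
    """
    if "@" not in address:
        return [address]
    domain = address.rsplit("@", 1)[1]
    return [label for label in domain.split(".") if not LABEL_RE.match(label)]


def summarize_sessions(log_text):
    """Group smtpd log lines into sessions keyed by (pid, client).

    Each session records the addresses rejected for illegal syntax (with their
    bad labels), the command after which smtpd gave up, and the disconnect.
    """
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd line (other daemons, kernel messages, ...)
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            sessions[(pid, c.group("client"))] = {
                "illegal": [], "aborted_after": None, "disconnected": False}
            continue
        for regex in (ILLEGAL_RE, TOO_MANY_RE, DISCONNECT_RE):
            m2 = regex.match(msg)
            if m2:
                break
        else:
            continue  # some other smtpd message we do not track here
        sess = sessions.get((pid, m2.group("client")))
        if sess is None:
            continue  # session started before the excerpt; no connect line seen
        if regex is ILLEGAL_RE:
            addr = m2.group("addr")
            sess["illegal"].append((addr, bad_domain_labels(addr)))
        elif regex is TOO_MANY_RE:
            sess["aborted_after"] = m2.group("cmd")
        else:
            sess["disconnected"] = True
    return sessions


def classify(session):
    """Explain an aborted session from what the log shows.

    "other-rejections": the error counter grew on RCPT replies that leave no
    warning line, e.g. 452 replies once smtpd_recipient_limit is exceeded, so
    look at the limits rather than at address syntax.
    """
    if session["aborted_after"] is None:
        return "clean"
    if session["illegal"]:
        return "illegal-syntax"
    return "other-rejections"


if __name__ == "__main__":
    for (pid, client), sess in summarize_sessions(SAMPLE_LOG).items():
        print(f"smtpd[{pid}] {client}: {classify(sess)}")
        for addr, labels in sess["illegal"]:
            print(f"  rejected {addr}: bad domain label(s) {labels}")
```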


PCI Compliance

2010-03-18 Thread Jonathan Tripathy
Hi Folks,

Any ideas on how to set up an SMTP Proxy Server to attain PCI Compliance? I 
literally need postfix to just pass through mail to our ISP's smtp server. We 
would then set outlook to use this local smtp proxy server.

I'm not entirely sure if a relay server is good here, as how would that handle 
bounced mail??

Thanks,

Jonathan


FW: PCI Compliance

2010-03-18 Thread Jonathan Tripathy
 Any ideas on how to set up an SMTP Proxy Server to attain PCI Compliance?
 I literally need postfix to just pass through mail to our ISP's smtp server.
 We would then set outlook to use this local smtp proxy server.

I work for a hosting company, we find it's usually an iterative
process. This particular question hasn't come up yet (for an SMTP
server), but it'd go something like this:

1. Customer needs certification for a contract, so they hire a company
to perform a PCI audit scan
2. The scan finds problems, so they come to us with the report,
which says how to fix the problems
3. We read the report, and find things like "server exposes its
hostname in the greeting banner", or "server appears to allow the use
of the VRFY command".
4. We sigh, then go through the motions to fix the problems.
Sometimes the problem descriptions are hopelessly vague, like this
system /may/ be vulnerable to a known buffer overflow, and the system
is fully patched and up to date. Can't do much about these, so we tell
our customer to take it up with the auditor.
5. Rinse and repeat until all perceived problems are fixed, and/or the
customer stops hassling. :)

So, my apologies that this doesn't really answer your question. If you
need compliance certification then you'll need an audit anyway, at
which point you find out what the requirements are.

It's not trivial to simply look up the requirements, because...
PCI-DSS doesn't actually cover specific implementation details. It's
sufficiently vague (probably by design) so that it'll stay relevant
as time goes on, and so that current best practices are followed. Have
a look at the PCI spec, it's only half a meg in PDF:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Page 4 is a summary of what you really need to know. Page 6 mentions
segmentation to reduce the scope of what needs to comply - this is
your best bet (if feasible) to sidestep compliance for your mail
server. If you enjoy some light humour, we've elaborated on the
aforementioned process a little:
http://www.anchor.com.au/blog/2008/12/saas-security-scanning-as-a-service/

 I'm not entirly sure if a relay server is good here, as how would that
 handle bounced mail??

Indeed, you want to avoid more relays if you can, both for
administration and compliance reasons. Bounced mail isn't so bad, so
long as there's a return path to the sender's mailbox. A naive example
of how this might work:

Sending: outlook -> workstation -> PCI-compliant relay -> ISP's SMTP
server -> recipient
*it bounces because the recipient's mailbox is full*
Recipient -> MX lookup -> Your incoming SMTP server (maybe this is at
your ISP) -> The sender's mailbox -> Picked up by outlook



Thanks for the long reply, it's appreciated. But..

The network I am dealing with is very small and simple. I am aware of the 
PCI scans, and I have done some in the past. Thankfully, regarding this case, I 
only need an SMTP Proxy to be placed in the DMZ, as computers inside the CDE 
(Cardholder Data Environment) aren't allowed to connect to hosts on the internet.

Literally, all I need to do, is place an HTTP proxy (Squid), an SMTP Proxy, and 
a POP3 Proxy in the DMZ, and that's me. Of course, block all ports into and out 
of the CDE, except allow CDE to connect to SMTP proxy, POP3 Proxy and Squid 
Proxy.

Now, of course, there are other things in the PCI DSS, such as policies and 
processes, however these are out of my scope, as I'm just an external I.T. guy.

BTW, the machines in the CDE will all have anti-virus and automatic updates 
enabled.

So, back to postfix, can it do such a thing? Act as a proxy and not a 
store-and-forward relay?




RE: FW: PCI Compliance

2010-03-18 Thread Jonathan Tripathy
It works in practice. A few Postfix TLS proxies have been terminating TLS
connections, making access control decisions and forwarding unencrypted
SMTP to a non-Postfix server for many years now.

These systems only run smtpd as a proxy, and use various internal
services, but otherwise there is no message processing. There is
no logging from cleanup(8), qmgr(8), smtp(8), ... connections come
in and then they go out. Mail is never queued on the TLS proxy.

--

How does one configure postfix to act like this?


RE: Saving to Sent folder

2010-03-04 Thread Jonathan Tripathy
Hi Everyone,

Thanks for all the tips.

Postfix and Dovecot are indeed on the same box and I do agree with you that it 
would require one heck of a hack to get this to work.

Since this is software, it is possible, just maybe not with the current 
implementation of the 2 bits of software. It would be nice if postfix had some 
sort of setting to allow an external program to take a copy of the email being 
sent. Then, dovecot (again probably a hacked version) could store the email in 
the sent items folder.

As for the BCC idea, this could work, but only if postfix was able to prefix 
the subject with something like [sent], or even better add a header, then 
dovecot can filter to the correct folder. Is this possible?

Apart from my idea above, it looks like storing sent emails locally is the way 
to go.





RE: Saving to Sent folder

2010-03-04 Thread Jonathan Tripathy
On Thursday 04 March 2010 14:55:59 you wrote:
 12:24:20 Stan Hoeppner wrote:
  J. Roeleveld put forth on 3/4/2010 2:12 AM:
   On Thursday 04 March 2010 08:57:30 Jonathan Tripathy wrote:

 snipped non-relevant part

   With that, I thought there is an option in postfix to bcc a single
   address on all emails?
   You could then put a filter like the following on all emails coming
   into that address:
  
   if from in list of local emails then
   {
 store in correct Sent Items
   } else {
 discard email as we don't want to duplicate incoming email
   }
 
  Would sender_bcc_maps work if he uses Dovecot LDA/sieve?  He could create
  a sieve filter based on MAIL FROM: being his own address, and have sieve
  move all such mails into his Sent Items folder.  Might be worth a shot?

 This is how I would do it on my server, if I'd be so inclined :)
 eg:
 sender_bcc_maps = autosendfolderf...@mydomain.com

 Then for the autosendfolderfill user set the following for the
  sieve-script:

 require ["fileinto"];
 if header :contains "From" "m...@mydomain.com"
 {
   fileinto "me+Sent";
   stop;
 }

 You then need to make sure the autosendfolderfill user has permissions to
 drop messages in the respective Sent folders.

 I have not tested the above, but I think I'd be able to get this to work
  with Postfix and Cyrus.
 I am not familiar with Dovecot, but the above might be doable with Dovecot
  as well.

 --
 Joost

 Does that mean I'd need a autosendfolderfill for each user on the system?


First, please keep responses on the List to make it possible for other people
to find it with Google and also to allow other people to keep contributing.

As for your question:
No, you'll only need to create one of these users. The username doesn't
matter, as long as this user can have a filter set up and is allowed to post
messages into the Sent-folders of all the users.

You will need to create a filter-entry for each of your users, eg. duplicate
the following inside the filter for every user that is allowed to send emails:
--
 require ["fileinto"];
 if header :contains "From" "m...@mydomain.com"
 {
   fileinto "me+Sent";
   stop;
 }
--

HTH,

Joost

 
Does this mean that mail received from the internet is also checked against 
this filter?


Saving to Sent folder

2010-03-03 Thread Jonathan Tripathy
Hi Folks,

I'm not sure if there is a solution to this, but maybe one of you folks will 
know a workaround.

After thunderbird has sent the email, it then has to save the email to the sent 
items folders. This can take a long time if there is an attachment and the 
server is remote.

Apart from only saving the sent items locally, is there any other way to speed 
things up? I know that is one feature of MS Exchange, that it only has to send 
the message once.

I'm using Postfix with Dovecot auth and virtual mailboxes with mysql.

Thanks

Jonny


RE: tls vs ssl

2010-03-02 Thread Jonathan Tripathy
Here is my 2 pence (Please someone correct me if I'm wrong).

STARTTLS and TLS do eventually use the TLS protocol (Which I think is just an 
updated version of SSL). The difference is that with STARTTLS, the SMTP client 
(e.g. Thunderbird) will connect to the server unencrypted, then if the SMTP 
server (postfix) announces STARTTLS, Thunderbird will negotiate a key exchange 
then continue the rest of the connection encrypted.

With normal TLS, the encrypted connection happens from the start, and both 
server and client will need keys on each end set up beforehand.

That's my take on it...


-Original Message-
From: owner-postfix-us...@postfix.org on behalf of Stan Hoeppner
Sent: Tue 3/2/2010 07:51
To: postfix-users@postfix.org
Subject: Re: tls vs ssl
 
Daniel L. Miller put forth on 3/2/2010 1:18 AM:
 OK - I'm an idiot.  I'll just admit that up front and get it out of the
 way.
 
 Now that that's settled, what is the difference between SSL and TLS
 in a MUA - particularly Thunderbird - in a Postfix context?
 
 I would have sworn I used to use Thunderbird with SSL specified and
 connected to my Postfix servers fine.  Now, I can only connect in TLS
 mode.  What did I break?

It's unlikely you'd forget setting up SSL.  You would have likely created a
self signed server certificate and would have installed it on all clients
connecting to the server, just as must be done with web browsers connecting
to a secure site for the first time.

You've likely been using STARTTLS only, which doesn't require a key exchange
as SSL/TLS does.  STARTTLS != TLS.

-- 
Stan



Re: SPF SRS sender re-writing

2010-02-21 Thread Jonathan Tripathy

Thanks for the reply.

Are you aware of any Postfix implementations?

On 21/02/2010 14:33, Wietse Venema wrote:

Jonathan Tripathy:
   

Hi Folks,

As many of you will probably know, SPF breaks forwarding using aliases.
The solution is to re-write the from-envelope when forwarding email.

Does anyone know how to do this with postfix?
 

With an external MILTER program (Postfix >= 2.6):
http://www.postfix.org/MILTER_README.html

Or with an external content filter (Postfix >= 1.0):
http://www.postfix.org/FILTER_README.html

Wietse
   


Re: SPF SRS sender re-writing

2010-02-21 Thread Jonathan Tripathy


On 21/02/2010 16:45, Wietse Venema wrote:

Jonathan Tripathy:
   

Thanks for the reply.

Are you aware of any Postfix implementations?
 

Postfix implements SPF SRS DKIM DomainKeys SenderID BATV and so on
exclusively via plugins. Just like Postfix implements deep content
inspection.

I don't bake my own bread, and I don't make my own shoes or clothes.
Instead, I get them from people who specialize in doing such things.

This is how society has been making progress for thousands of years.
I expect that this approach is also good for the Internet.

Wietse

   

On 21/02/2010 14:33, Wietse Venema wrote:
 

Jonathan Tripathy:

   

Hi Folks,

As many of you will probably know, SPF breaks forwarding using aliases.
The solution is to re-write the from-envelope when forwarding email.

Does anyone know how to do this with postfix?

 

With an external MILTER program (Postfix >= 2.6):
http://www.postfix.org/MILTER_README.html

Or with an external content filter (Postfix >= 1.0):
http://www.postfix.org/FILTER_README.html

Wietse

   
   


Yes, I understand that we have to use Milters and/or external plugins 
made by other people. I just can't find any that show me how to make it 
work with Postfix.




Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy

Hi Folks,

To prevent spammers sending email from spoofed addresses that appear 
from my domain, I currently use SPF. I'm having second thoughts about 
using SPF, so is there any other way to make sure that only 
authenticated users can send email from my domain?


Thanks


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 19:05, Wietse Venema wrote:

Jonathan Tripathy:
   

Hi Folks,

To prevent spammers sending email from spoofed addresses that appear
from my domain, I currently use SPF. I'm having second thoughts about
using SPF, so is there any other way to make sure that only
authenticated users can send email from my domain?
 

Receivers may verify the message origin with SPF, DKIM, S/Mime,
or other information that you make available to those receivers.

But nothing requires that receivers do those things.

Wietse
   


Sorry I forgot to state that I'm only concerned with MY server here. For 
example, I don't want someone to telnet to MY postfix server, and give 
m...@mydomain.com for both sender and receiver


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 19:34, Darren Pilgrim wrote:

Jonathan Tripathy wrote:
Sorry I forgot to state that I'm only concerned with MY server here. 
For example, I don't want someone to telnet to MY postfix server, and 
give m...@mydomain.com for both sender and receiver


Require authentication, set up smtpd_sender_login_maps and use the 
reject_sender_login_mismatch restriction.


Yup, I'm already using all of that, however that only prevents spoofing 
of real addresses. So for example:


MAIL FROM:realaddr...@mydomain.com
RCPT TO:realaddr...@mydomain.com

Would fail which is good, however:

MAIL FROM:notarealaddr...@mydomain.com
RCPT TO:realaddr...@mydomain.com

would fail for an authenticated user (which is good), however it would 
allow the mail through for a non-authenticated user...


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 19:39, LuKreme wrote:

On 21-Feb-2010, at 12:22, Sahil Tandon wrote:

Sorry I forgot to state that I'm only concerned with MY server here.
For example, I don't want someone to telnet to MY postfix server,
and give m...@mydomain.com for both sender and receiver


What's the matter with the SPF configuration you already have?



Good point, it does seem to be working well. It's just that SPF breaks 
email forwarding and I may not get emails from forwarding email servers..


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



You forgot to set an owner rule for @domain.

Wietse
   


How would I do that? I'm not sure if this is relevant but I'm currently 
using:


smtpd_sender_login_maps=mysql:/etc/postfix/mysql_login_maps.cf

and mysql_login_maps.cf is:

hosts = 127.0.0.1
user = mysql username
password = mysql password
dbname = mailserver

query = SELECT username FROM address_maps WHERE address='%s'

The above stops a logged in user using an address that doesn't belong to 
him. I wish to make sure that all unauthenticated users can't send any 
email originating from my domain, without using SPF. Sorta like just SPF 
for my domain...


Thanks



Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 20:57, Wietse Venema wrote:

Wietse Venema:
   

Jonathan Tripathy:
 

You forgot to set an owner rule for @domain.
 

How would I do that? I'm not sure if this is relevant but I'm currently
using:
   

For complete description of

a) the smtpd_sender_login_maps database queries

b) the order of queries

See: http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
 

You can also specify MULTIPLE maps:

/etc/postfix:main.cf
 smtpd_sender_login_maps = mysql:whatever hash:/etc/postfix/default

/etc/postfix/default:
 @example.com root

Don't forget to postmap the /etc/postfix/default file.

Wietse

   

You can test the queries with the postmap command.

postmap -q u...@example.com databasetype:databasename
postmap -q user databasetype:databasename
postmap -q @example.com databasetype:databasename

Wietse


 
   


Great! That seemed to have worked really well! Thanks

Just a couple of questions: is it safe to give @mydomain.com an owner of 
root in my hash file?

Also, what are your views on SPF? Do I just ditch it, or go for it?

Cheers
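
To make the effect of Wietse's extra map concrete, here is an added model (not code from the thread, and not Postfix's own code) of how smtpd_sender_login_maps lookups feed reject_sender_login_mismatch. The two tables are constructed stand-ins for the mysql: table and the hash:/etc/postfix/default file; the search order of the keys is the one Wietse's postmap -q tests show (user@domain, user, @domain), and the owner name "no-such-login" follows his advice to use a name nobody can log in as. Trying each key against every table before moving to the next key is an assumption of this model.

```python
"""Model of how Postfix's smtpd_sender_login_maps lookups and the
reject_sender_login_mismatch restriction interact.  Added example, not code
from the thread or from Postfix itself; the two tables are constructed sample
data standing in for the mysql: table and the hash:/etc/postfix/default file."""

from typing import Dict, List, Optional

# Stand-in for the mysql: table behind
#   SELECT username FROM address_maps WHERE address='%s'
ADDRESS_MAPS: Dict[str, str] = {
    "jonny@mydomain.com": "jonny",
    "sales@mydomain.com": "alice, jonny",   # an address may have several owners
}

# Stand-in for hash:/etc/postfix/default carrying the "@domain owner" rule.
# The owner is a login name nobody can authenticate as (Wietse's advice:
# "use a name that will never be used" rather than root).
DEFAULT_MAP: Dict[str, str] = {
    "@mydomain.com": "no-such-login",
}


def lookup_keys(sender: str) -> List[str]:
    """Search keys in the order the postmap -q tests above show:
    user@domain, then the bare user, then @domain."""
    sender = sender.strip().lower()
    if "@" not in sender:
        return [sender]
    user, domain = sender.rsplit("@", 1)
    return [sender, user, "@" + domain]


def sender_owners(sender: str, maps: List[Dict[str, str]]) -> Optional[List[str]]:
    """Owner login(s) of a MAIL FROM address, or None when no table lists it.
    Assumption of this model: each key is tried against every table (in
    main.cf order) before the next, less specific key is tried."""
    for key in lookup_keys(sender):
        for table in maps:
            if key in table:
                return [o.lower() for o in table[key].replace(",", " ").split()]
    return None


def reject_sender_login_mismatch(sender: str, login: Optional[str],
                                 maps: List[Dict[str, str]]) -> bool:
    """True when reject_sender_login_mismatch would reject this MAIL FROM.
    login is the SASL login name, or None for an unauthenticated client."""
    owners = sender_owners(sender, maps)
    if login is None:
        # Unauthenticated client: rejected only if some login owns the address.
        # Without the @domain rule a forged, non-existent local address has no
        # owner and sails through; that is the gap described in the thread.
        return owners is not None
    # Authenticated client: must be listed as an owner of the address.
    return owners is None or login.lower() not in owners


def demo() -> Dict[str, bool]:
    """The cases from the thread, with and without the @domain owner rule."""
    without_rule = [ADDRESS_MAPS]
    with_rule = [ADDRESS_MAPS, DEFAULT_MAP]
    forged = "notarealaddress@mydomain.com"
    return {
        "anon_forged_unknown_no_rule": reject_sender_login_mismatch(forged, None, without_rule),
        "anon_forged_unknown_with_rule": reject_sender_login_mismatch(forged, None, with_rule),
        "anon_forged_real_user": reject_sender_login_mismatch("jonny@mydomain.com", None, with_rule),
        "anon_external_sender": reject_sender_login_mismatch("someone@example.org", None, with_rule),
        "jonny_own_address": reject_sender_login_mismatch("jonny@mydomain.com", "jonny", with_rule),
        "jonny_shared_alias": reject_sender_login_mismatch("sales@mydomain.com", "jonny", with_rule),
        "jonny_forges_unknown": reject_sender_login_mismatch(forged, "jonny", with_rule),
        "alice_forges_jonny": reject_sender_login_mismatch("jonny@mydomain.com", "alice", with_rule),
    }


if __name__ == "__main__":
    for case, rejected in demo().items():
        print(f"{case:32} -> {'REJECT' if rejected else 'permit'}")
```

Only the first case is permitted by the address-only table; adding the @domain line turns it into a reject while leaving external senders and each user's own addresses alone. The restriction still has to appear in smtpd_sender_restrictions (or smtpd_recipient_restrictions) on every host that accepts mail, which is why a relay-only backup MX without SASL needs the separate check_sender_access rule Wietse gives further down.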


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 21:16, Wietse Venema wrote:

Jonathan Tripathy:
   

You can also specify MULTIPLE maps:

/etc/postfix:main.cf
  smtpd_sender_login_maps = mysql:whatever hash:/etc/postfix/default

/etc/postfix/default:
  @example.com root

Don't forget to postmap the /etc/postfix/default file.
   

Great! That seemed to have worked really well! Thanks

Just a couple of questions: is it safe to give @mydomain.com an owner of
root in my hash file?
 

Use a name that will never be used.

   

Also, what are your views on SPF? Do I just ditch it, or go for it?
 

That depends entirely on your users. SPF assumes that mail won't
be forwarded, or that forwarders munge the sender address with SRS.

Wietse
   


Ok so your solution (Adding another sender login map) worked on my 
primary mx. Currently, my backup mx allows relaying to my primary mx 
using a combination of transport maps and relay_domains. Any ideas on 
how to get something similar working for my backup mx? It seems that the 
sender_login_maps file is ignored for domains specified in relay_domains.


Thanks


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 21:31, Jonathan Tripathy wrote:



On 21/02/2010 21:16, Wietse Venema wrote:

Jonathan Tripathy:

You can also specify MULTIPLE maps:

/etc/postfix:main.cf
  smtpd_sender_login_maps = mysql:whatever 
hash:/etc/postfix/default


/etc/postfix/default:
  @example.com root

Don't forget to postmap the /etc/postfix/default file.

Great! That seemed to have worked really well! Thanks

Just a couple of questions: is it safe to give @mydomain.com an 
owner of root in my hash file?

Use a name that will never be used.


Also, what are your views on SPF? Do I just ditch it, or go for it?

That depends entirely on your users. SPF assumes that mail won't
be forwarded, or that forwarders munge the sender address with SRS.

Wietse


Ok so your solution (Adding another sender login map) worked on my 
primary mx. Currently, my backup mx allows relaying to my primary mx 
using a combination of transport maps and relay_domains. Any ideas on 
how to get something similar working for my backup mx? It seems that 
the sender_login_maps file is ignored for domains specified in 
relay_domains.


Thanks



My main issue is that my backup mx doesn't have sasl enabled (It's relay 
only..)


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 21:55, Wietse Venema wrote:

Jonathan Tripathy:
   

My main issue is that my backup mx doesn't have sasl enabled (It's relay
only..)
 

Why would your users submit mail to the backup MX host?

Wietse
   


You're correct, they wouldn't. I just don't like the thought that someone 
could connect to the backup mx and pretend to be from my domain. 
However, as I've just found out, since the backup mx is relaying to 
primary, the primary mx bounces an email back, so I guess the email 
won't be delivered anyway, however the queue gets a MAILER-DAEMON 
message...


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 22:00, Jonathan Tripathy wrote:



On 21/02/2010 21:55, Wietse Venema wrote:

Jonathan Tripathy:
My main issue is that my backup mx doesn't have sasl enabled (It's 
relay

only..)

Why would your users submit mail to the backup MX host?

Wietse


You're correct, they wouldn't. I just don't like the thought that 
someone could connect to the backup mx and pretend to be from my 
domain. However, as I've just found out, since the backup mx is 
relaying to primary, the primary mx bounces an email back, so I 
guess the email won't be delivered anyway, however the queue gets a 
MAILER-DAEMON message...


Actually, the MAILER-DAEMON message doesn't get queued at all! It just 
discards it when it can't find the user (If the from address was 
notarealaddr...@mydomain.com). So I guess it's all good...


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 22:03, Jonathan Tripathy wrote:



On 21/02/2010 22:00, Jonathan Tripathy wrote:



On 21/02/2010 21:55, Wietse Venema wrote:

Jonathan Tripathy:
My main issue is that my backup mx doesn't have sasl enabled (It's 
relay

only..)

Why would your users submit mail to the backup MX host?

Wietse


You're correct, they wouldn't. I just don't like the thought that 
someone could connect to the backup mx and pretend to be from my 
domain. However, as I've just found out, since the backup mx is 
relaying to primary, the primary mx bounces an email back, so I 
guess the email won't be delivered anyway, however the queue gets a 
MAILER-DAEMON message...


Actually, the MAILER-DAEMON message doesn't get queued at all! It just 
discards it when it can't find the user (If the from address was 
notarealaddr...@mydomain.com). So I guess it's all good...


Oops I'm confusing myself here. The above is true if the spoofed from 
address was from my domain, but the user didn't exist. If the user is 
real, then that user gets the MAILER-DAEMON message..


Implementing SPF

2010-02-21 Thread Jonathan Tripathy

Hi Folks,

With regards to SPF breaking email forwarding:

If i implemented SPF on my server, is the above only an issue if someone 
were to use an external forwarding service, and forward mail to an 
account on my server?


I'm just talking about receiving mail for now..

Thanks


Re: Banned spoofed address from my domain

2010-02-21 Thread Jonathan Tripathy



On 21/02/2010 22:17, Wietse Venema wrote:

Jonathan Tripathy:
[The backup MX host accepts mail from forged local sender
addresses, but the backup MX does not support SASL].

   

Actually, the MAILER-DAEMON message doesn't get queued at all! It just
discards it when it can't find the user (If the from address was
notarealaddr...@mydomain.com). So I guess it's all good...
   

Oops I'm confusing myself here. The above is true if the spoofed from
address was from my domain, but the user didn't exist. If the user is
real, then that user gets the MAILER-DAEMON message..
 

a) Don't use a backup MX host. Really.

b) Don't accept mail from your domain on the backup MX host.

/etc/postfix/main.cf:
 smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access

/etc/postfix/sender_access:
 example.com reject

Or the equivalent if the machine does not run Postfix.

Wietse
   


Hi Wietse,

Just wanted to say thank you - you've been a great help this evening!

Why not use a backup MX host?

But point b fixes my problem anyways

Thanks


tumgreyspf issues

2010-02-20 Thread Jonathan Tripathy

Hi Everyone,

I'm using tumgreyspf. I need to add the following line to my main.cf to 
make it work:


check_policy_service unix:private/tumgreyspf

Some servers aren't being greylisted. For example, the following appeared 
in my log on the backup mx:


Feb 20 19:26:09 usa1 postfix/smtpd[7951]: connect from unknown[75.80.18.52]
Feb 20 19:26:10 usa1 tumgreyspf[7956]: domain owner discourages use of this host: QUEUE_ID=; identity=mailfrom; client-ip=75.80.18.52; helo=rr.com; envelope-from=iudysajy8...@rr.com; receiver=st...@abpni.co.uk;
Feb 20 19:26:10 usa1 postfix/smtpd[7951]: 5292910C632: client=unknown[75.80.18.52]
Feb 20 19:26:10 usa1 postfix/cleanup[7958]: 5292910C632: message-id=<20100220192610.5292910c...@mail.usa-backhaul.net>
Feb 20 19:26:10 usa1 postfix/qmgr[7602]: 5292910C632: from=<iudysajy8...@rr.com>, size=2195, nrcpt=1 (queue active)
Feb 20 19:26:10 usa1 postfix/smtpd[7951]: disconnect from unknown[75.80.18.52]
Feb 20 19:26:11 usa1 postfix/smtp[7959]: 5292910C632: to=<st...@abpni.co.uk>, relay=mail2[mail2]:25, delay=1.2, delays=0.32/0.01/0.63/0.22, dsn=5.1.1, status=bounced (host mail2[mail2] said: 550 5.1.1 <st...@abpni.co.uk>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Feb 20 19:26:11 usa1 postfix/cleanup[7958]: 7B98410C633: message-id=<20100220192611.7b98410c...@mail.usa-backhaul.net>
Feb 20 19:26:11 usa1 postfix/qmgr[7602]: 7B98410C633: from=<>, size=4230, nrcpt=1 (queue active)
Feb 20 19:26:11 usa1 postfix/bounce[7960]: 5292910C632: sender non-delivery notification: 7B98410C633
Feb 20 19:26:11 usa1 postfix/qmgr[7602]: 5292910C632: removed
Feb 20 19:26:11 usa1 postfix/smtp[7959]: 7B98410C633: to=<iudysajy8...@rr.com>, relay=hrndva-postmx01.mail.rr.com[71.74.56.227]:25, delay=0.43, delays=0/0/0.38/0.05, dsn=5.1.1, status=bounced (host hrndva-postmx01.mail.rr.com[71.74.56.227] said: 550 5.1.1 <iudysajy8...@rr.com>... User unknown (in reply to RCPT TO command))
Feb 20 19:26:11 usa1 postfix/qmgr[7602]: 7B98410C633: removed

As you can see from the log from my backup mx, it complained that the 
DNS record discourages use, accepted the mail, then tried to relay it 
via my primary server. Shouldn't this server have been greylisted first? 
I don't see an entry in tumgreyspf's data directory for this IP, 
suggesting that it's never tried to connect before.


Also, does it matter whether or not I put check_policy_service 
unix:private/tumgreyspf in sender restrictions or recipient 
restrictions? The readme says put it in sender, but I've put it in 
recipient, yet SPF filtering does still seem to work...


Help is very much appreciated

Thanks
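
The log above is the textbook shape of backscatter from a relaying MX: the backup accepts a message for a user the primary does not have, the primary rejects it at RCPT TO, and the backup then generates a non-delivery notice to an envelope sender that turns out to be forged (the NDR itself bounces as "User unknown"). As an added example (not from the thread) here is a small detector that walks Postfix log lines, groups them by queue id, and reports exactly that chain together with whether the SPF policy daemon had already flagged the client. SAMPLE_LOG is constructed in the same shape as the log quoted above, with made-up hosts, queue ids, addresses and documentation-range IPs. The lasting fix is for the backup MX to know the valid recipients (relay_recipient_maps) so it rejects at RCPT TO instead of bouncing later; this detector is for finding out how often that is currently happening.

```python
"""Spot backscatter on a relaying (backup) MX from Postfix logs: mail accepted
here, rejected by the next hop with 5.1.1, and answered with a non-delivery
notice that goes to a probably forged sender.  Added example, not from the
thread; SAMPLE_LOG is constructed in the shape of the log quoted above."""

import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = """\
Feb 20 19:26:09 mx2 postfix/smtpd[7951]: connect from unknown[192.0.2.10]
Feb 20 19:26:10 mx2 tumgreyspf[7956]: domain owner discourages use of this host: QUEUE_ID=; identity=mailfrom; client-ip=192.0.2.10; helo=example.net; envelope-from=spoofed@example.net; receiver=nosuchuser@example.com;
Feb 20 19:26:10 mx2 postfix/smtpd[7951]: 5A1C0F3B21: client=unknown[192.0.2.10]
Feb 20 19:26:10 mx2 postfix/qmgr[7602]: 5A1C0F3B21: from=<spoofed@example.net>, size=2195, nrcpt=1 (queue active)
Feb 20 19:26:11 mx2 postfix/smtp[7959]: 5A1C0F3B21: to=<nosuchuser@example.com>, relay=mx1[10.0.0.1]:25, delay=1.2, delays=0.32/0.01/0.63/0.22, dsn=5.1.1, status=bounced (host mx1[10.0.0.1] said: 550 5.1.1 <nosuchuser@example.com>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Feb 20 19:26:11 mx2 postfix/bounce[7960]: 5A1C0F3B21: sender non-delivery notification: 7E9D11A0C4
Feb 20 19:26:11 mx2 postfix/qmgr[7602]: 5A1C0F3B21: removed
Feb 20 19:26:11 mx2 postfix/smtp[7959]: 7E9D11A0C4: to=<spoofed@example.net>, relay=mail.example.net[192.0.2.25]:25, delay=0.43, delays=0/0/0.38/0.05, dsn=5.1.1, status=bounced (host mail.example.net[192.0.2.25] said: 550 5.1.1 <spoofed@example.net>... User unknown (in reply to RCPT TO command))
Feb 20 19:26:11 mx2 postfix/qmgr[7602]: 7E9D11A0C4: removed
Feb 20 19:30:00 mx2 postfix/smtpd[7951]: 3B8F02D9E7: client=mail.partner.example[198.51.100.5]
Feb 20 19:30:01 mx2 postfix/smtp[7959]: 3B8F02D9E7: to=<alice@example.com>, relay=mx1[10.0.0.1]:25, delay=0.5, delays=0.1/0.01/0.2/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C0FFEE0001)
Feb 20 19:30:01 mx2 postfix/qmgr[7602]: 3B8F02D9E7: removed
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w/]+)\[\d+\]: (?P<msg>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{10,}): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=\S+?\[(?P<ip>[^\]]+)\]")
DELIVERY_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), .*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
NDR_RE = re.compile(r"sender non-delivery notification: (?P<ndr>[0-9A-F]{10,})")
SPF_IP_RE = re.compile(r"client-ip=(?P<ip>[^;]+);")


def parse_log(text: str) -> Tuple[Dict[str, dict], Set[str]]:
    """Group queue-id lines per message and collect the client IPs that the
    SPF policy daemon flagged ("domain owner discourages use of this host")."""
    msgs: Dict[str, dict] = defaultdict(lambda: {"client_ip": None, "deliveries": [], "ndr": None})
    spf_flagged: Set[str] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "tumgreyspf":
            ipm = SPF_IP_RE.search(msg)
            if ipm and "domain owner discourages" in msg:
                spf_flagged.add(ipm.group("ip"))
            continue
        q = QID_RE.match(msg)
        if not q:
            continue
        rec, rest = msgs[q.group("qid")], q.group("rest")
        cm = CLIENT_RE.search(rest)
        if cm:
            rec["client_ip"] = cm.group("ip")
        dm = DELIVERY_RE.search(rest)
        if dm:
            rec["deliveries"].append(dm.groupdict())
        nm = NDR_RE.search(rest)
        if nm:
            rec["ndr"] = nm.group("ndr")
    return dict(msgs), spf_flagged


def find_backscatter(msgs: Dict[str, dict], spf_flagged: Set[str]) -> List[dict]:
    """Messages we accepted, the next hop rejected with 5.1.1 (user unknown),
    and for which we then generated a bounce.  Each is backscatter if the
    envelope sender was forged; the report says where our bounce ended up."""
    findings = []
    for qid, rec in msgs.items():
        unknown = [d["rcpt"] for d in rec["deliveries"]
                   if d["status"] == "bounced" and d["dsn"] == "5.1.1"]
        if not unknown or rec["ndr"] is None:
            continue
        ndr_deliveries = msgs.get(rec["ndr"], {"deliveries": []})["deliveries"]
        findings.append({
            "queue_id": qid,
            "client_ip": rec["client_ip"],
            "spf_softfail": rec["client_ip"] in spf_flagged,
            "unknown_recipients": unknown,
            "ndr_queue_id": rec["ndr"],
            # "bounced" here means our own bounce was undeliverable: the usual
            # sign that the original envelope sender was forged.
            "ndr_status": ndr_deliveries[-1]["status"] if ndr_deliveries else "unknown",
        })
    return findings


if __name__ == "__main__":
    for finding in find_backscatter(*parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real mail.log the same way (read the file instead of SAMPLE_LOG); the second message in the sample, a normal delivery that the primary accepted, is correctly ignored. Note that the policy daemon's line carries no queue id (QUEUE_ID= is empty at the MAIL FROM stage), so the join to the message is by client IP, which is good enough for a report but not for a precise per-message verdict.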


RE: SPF Issues

2010-02-17 Thread Jonathan Tripathy
Is it safe to put the external IP of my backup MX in mynetworks?

-Original Message-
From: owner-postfix-us...@postfix.org on behalf of LuKreme
Sent: Thu 2/11/2010 20:30
To: postfix-users@postfix.org
Subject: Re: SPF Issues
 
On 11-Feb-2010, at 06:16, Jonathan Tripathy wrote:
 
 Does anyone know how to whitelist a particular IP when using tumgreyspf with 
 postfix?

Put the spf check later in your restrictions. After permit_mynetworks would be 
good.


-- 
THE PLEDGE OF ALLEGIANCE DOES NOT END WITH HAIL SATAN
Bart chalkboard Ep. 1F16




RE: SPF Issues

2010-02-17 Thread Jonathan Tripathy
Yeah, what I do is have all my mail virtual mail accounts stored on the primary 
mx, and my backup mx is configured to relay mail (only my domains) to the 
primary mx using transport maps. I have since introduced SPF checking in the 
primary, and some emails are getting rejected when mail comes from the backup 
mx as the SPF scripts see the IP of the backup mx.

So this sounds ok then to put the external IP of the mx in mynetworks?

Thanks
-Original Message-
From: owner-postfix-us...@postfix.org on behalf of Gaby Vanhegan
Sent: Wed 2/17/2010 12:26
To: Postfix users
Subject: Re: SPF Issues
 

On 17 Feb 2010, at 11:59, Jonathan Tripathy wrote:
 Is it safe to put the external IP of my backup MX in mynetworks?

Provided your backup MX has the same SMTP relay restrictions as the master MX 
you should be OK.  I replicate our master config out to the secondaries but I 
have the master config set as a relay style config on the secondaries rather 
than a virtual delivery config as on the master.

G.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/




RE: suppress NDRs from spoofed sender

2010-02-15 Thread Jonathan Tripathy
So I'm very new to postfix, however I have a feeling that the Regex stuff can 
be done via some scripts. I guess that how the Python SPF checkers work...

But as I said, I'm new to postfix so I could be way off target

-Original Message-
From: owner-postfix-us...@postfix.org on behalf of David Koski
Sent: Mon 2/15/2010 03:19
To: postfix-users@postfix.org
Subject: Re: suppress NDRs from spoofed sender
 
On Tuesday 19 January 2010, Ansgar Wiechers wrote:
 On 2010-01-18 David Koski wrote:
  My mail server has been getting a fair amount of spam hits that have
  been rejected but the sender address is spoofed with the recipient's
  address.  This generates an NDR to the recipient with the spam.  I
  would like to suppress NDRs of this kind but not legitimate NDRs.

 What I'm doing is this:

 - store a hash of From:, To: and Date: header of all outgoing mail
 - accept all bounces that include From:, To: and Date: headers whose
   hash matches a stored hash
 - remove stored hashes older than 4 days

 This method does lead to rejection of valid bounces that don't include
 the above mentioned headers. However, I consider those bounces useless
 anyway.

How about something more simple: test for From: is the same as To: and is from 
MAILER-DAEMON:

grep '^From:.*da...@kosmosisland.com' "$test" && \
 grep 'Return-Path:.*MAILER-DAEMON' "$test" && \
 grep '^To:.*da...@kosmosisland.com' "$test"

..where $test is the email file to scan.  But can this be done with Postfix?

Regards,
David Koski
da...@kosmosisland.com
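
Both ideas in the quoted messages can be done outside Postfix (as a milter or content filter, per the FILTER_README route mentioned earlier in this archive). As an added example, not code from the thread, the block below implements Ansgar's scheme (store a hash of From:, To: and Date: of each outgoing message, accept only bounces whose attached original headers hash to a value stored within the last 4 days) and David's simpler test (a MAILER-DAEMON bounce whose original From: and To: are both our own address). The sample DSN, addresses and timestamps are constructed; the DSN is abbreviated to the text/rfc822-headers part that carries the original headers.

```python
"""Two checks for bounces that claim to be about mail we sent.  Added example,
not from the thread: Ansgar's hash-of-From/To/Date scheme with a 4-day window,
and David's From-equals-To-from-MAILER-DAEMON test.  Sample data constructed."""

import email
import hashlib
from email import policy
from email.message import Message
from email.utils import parseaddr
from typing import Dict, Optional

MAX_AGE_SECONDS = 4 * 24 * 3600      # Ansgar keeps hashes for 4 days

# Constructed, abbreviated DSN: the message/delivery-status part is left out,
# the text/rfc822-headers part carries the headers of the original message.
SAMPLE_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@mail.example.net (Mail Delivery System)
To: alice@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd1"

--bnd1
Content-Type: text/rfc822-headers

From: alice@example.com
To: bob@example.net
Date: Mon, 15 Feb 2010 09:00:00 +0000

--bnd1--
"""


def _addr(value) -> str:
    """Bare, lower-cased address out of a header value."""
    return parseaddr(str(value or ""))[1].lower()


def fingerprint(from_, to, date) -> str:
    """SHA-256 over the normalised From:, To: and Date: of a message."""
    material = "\n".join([_addr(from_), _addr(to), str(date).strip()])
    return hashlib.sha256(material.encode()).hexdigest()


def original_headers(bounce_raw: str) -> Optional[Message]:
    """Headers of the original message embedded in a DSN, or None."""
    msg = email.message_from_string(bounce_raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
        if ctype == "message/rfc822":
            inner = part.get_payload()
            return inner[0] if isinstance(inner, list) and inner else None
    return None


class BounceVerifier:
    """Ansgar's scheme: remember what we sent, accept only matching bounces."""
    def __init__(self) -> None:
        self._seen: Dict[str, float] = {}        # fingerprint -> time recorded

    def record_outgoing(self, from_: str, to: str, date: str, now: float) -> str:
        fp = fingerprint(from_, to, date)
        self._seen[fp] = now
        return fp

    def expire(self, now: float) -> int:
        """Forget fingerprints older than MAX_AGE_SECONDS; returns the count."""
        stale = [fp for fp, t in self._seen.items() if now - t > MAX_AGE_SECONDS]
        for fp in stale:
            del self._seen[fp]
        return len(stale)

    def accept_bounce(self, bounce_raw: str, now: float) -> bool:
        orig = original_headers(bounce_raw)
        # No original From:/To:/Date: means nothing to match against; Ansgar's
        # trade-off is to treat such bounces as useless and reject them.
        if orig is None or not (orig["From"] and orig["To"] and orig["Date"]):
            return False
        t = self._seen.get(fingerprint(orig["From"], orig["To"], orig["Date"]))
        return t is not None and now - t <= MAX_AGE_SECONDS


def looks_like_self_spoof(bounce_raw: str, our_addr: str) -> bool:
    """David's test: MAILER-DAEMON bounce whose original From: and To: are both
    our own address, i.e. rejected spam that forged the victim as its sender."""
    msg = email.message_from_string(bounce_raw, policy=policy.default)
    rp, frm = str(msg["Return-Path"] or "").strip(), str(msg["From"] or "")
    from_daemon = rp == "<>" or "MAILER-DAEMON" in (rp + frm).upper()
    orig = original_headers(bounce_raw)
    if not from_daemon or orig is None:
        return False
    return _addr(orig["From"]) == our_addr.lower() == _addr(orig["To"])


def demo() -> Dict[str, bool]:
    """Both checks over a genuine and a forged bounce; every value is True."""
    now = 1266300000.0                           # constructed "current time"
    v = BounceVerifier()
    v.record_outgoing("alice@example.com", "bob@example.net",
                      "Mon, 15 Feb 2010 09:00:00 +0000", now)
    forged = SAMPLE_DSN.replace("To: bob@example.net", "To: alice@example.com")
    return {
        "genuine_bounce_accepted": v.accept_bounce(SAMPLE_DSN, now + 3600),
        "forged_bounce_rejected": not v.accept_bounce(forged, now + 60),
        "stale_bounce_rejected": not v.accept_bounce(SAMPLE_DSN, now + MAX_AGE_SECONDS + 1),
        "forged_is_self_spoof": looks_like_self_spoof(forged, "alice@example.com"),
        "genuine_not_self_spoof": not looks_like_self_spoof(SAMPLE_DSN, "alice@example.com"),
        "expire_drops_old": v.expire(now + MAX_AGE_SECONDS + 1) == 1,
    }
```

In production the fingerprint store would be recorded from the outbound path (a content filter or milter on the submission side) and consulted from the inbound path for mail with a null envelope sender; David's test needs no state at all but only catches the exact From-equals-To case, and both accept Ansgar's trade-off that bounces lacking the original headers are dropped.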




Scalable

2010-02-12 Thread Jonathan Tripathy
Hi Folks,

How scalable is postfix and dovecot, using mysql for user databases, on one 
server?

My current server has 256MB RAM (It's a VM on slicehost). How many users do you 
think that will handle?

How much RAM/CPU would I need to host 600 users? Please remember, that due to 
the nature of email, I imagine that the server won't be constantly hammered.

How much disk space do you think I'll need? I'm just looking for advice from 
someone with experience

Thanks

Jonny



Re: Scalable

2010-02-12 Thread Jonathan Tripathy

Hi Everyone,

Thanks for all the comments.

The reason why I said 256MB RAM, is because that is currently what my VM 
has...


If I were to take out a dedicated server with:

2.8 Dual Core
2GB RAM

how much would that handle?

My customer is a business, with 600 staff, however I think they just use 
a single broadband connection so that will be the limiting factor, as 
this dedicated server has a 100Mbps link to the net..


Please let me know what you think

Thanks

Jonny

On 12/02/2010 19:24, Victor Duchovni wrote:

On Fri, Feb 12, 2010 at 05:14:30PM -, Jonathan Tripathy wrote:

   

My current server has 256MB RAM (It's a VM on slicehost). How many users do you 
think that will handle?
 

Is more RAM substantially more expensive? 256 MB is rather meek these days.
With physical servers, one typically gets 16GB or more of RAM these days.
Even a 6-Watt Atom-CPU FitPC box comes with 1GB of RAM! Your machine is
way off the mainstream memory curve... For Postfix alone you're fine, but
for running an IMAP server with users, you are likely too cramped, ask
on the Dovecot list, not here. Postfix is not very memory intensive.

   


SPF Issues

2010-02-11 Thread Jonathan Tripathy
Hi Folks,

I have 3 mail servers all running a postfix based setup, based on 
workaround.org's fantastic article:

http://workaround.org/ispmail/lenny

I have installed the python SPF checker plugin (Packaged by tumgreyspf). Here is 
my minor problem:

Currently, when my main mx server is down, my backup mx picks up mail and puts 
it into its queue. My secondary mx is VPN'ed to my main mx, so mail from the 
secondary mx is seen as coming from a local LAN IP, and since it's not in my 
domain TXT SPF record, it says it's not authorised.

The temporary solution that I've done, is force my secondary mail server to 
forward mail to the external interface of my main mx, and add my secondary mx 
IP to my domain txt spf record.

Does anyone know how to whitelist a particular IP when using tumgreyspf with 
postfix?

Thanks

Jonny


Unknown Users

2010-02-11 Thread Jonathan Tripathy
Hi Folks,

Does anyone know how to make a backup MX server query the primary mx server if 
a mailbox exists, before accepting the contents of the mail?

I have a problem with MAILER-DAEMON messages...

Thanks