Re: Creating an Integrated Injector

2013-10-15 Thread Noel Jones
On 10/15/2013 7:02 PM, Paul C wrote:
...
 but I'm trying to bypass making a socket connection
 to postfix and just inject the mail files directly in to the postfix
 queue directory myself. 

This is completely unsupported and not recommended, and unlikely to
be faster than using the documented SMTP interface.

Use multiple SMTP connections to inject mail into postfix. You can
probably reuse some of the code from the smtp-source.c test program
included with postfix.  Very likely disk IO will be your bottleneck.
Consider putting the postfix queues on a fast SSD drive for maximum
throughput.



  -- Noel Jones


Re: local_recipient_maps set up, yet postfix continues to send bounce messages

2013-10-14 Thread Noel Jones
On 10/14/2013 3:00 PM, Chad Elliott wrote:
 Sorry if this question gets asked too often, but I followed the
 instructions to stop backscatter email from my server, yet it
 continues to send bounces.  Here is the output of postconf -n:

Without context, we can't provide much help.

- what instructions did you follow?
- what is being bounced?
- what address class (local, virtual-alias, virtual-mailbox, ...) is
bouncing?
- NON VERBOSE logs demonstrating the problem?




  -- Noel Jones

 
 alias_maps = hash:/etc/aliases
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 daemon_directory = /usr/libexec/postfix
 debug_peer_level = 2
 debug_peer_list = XXX.XXX.XXX.XXX
 home_mailbox = Maildir/
 html_directory = no
 inet_interfaces = all
 local_recipient_maps = $virtual_alias_maps
 mail_owner = postfix
 mail_spool_directory = /var/spool/mail
 mailbox_command = /usr/bin/procmail -f- -a $USER
 mailbox_size_limit = 25600
 mailq_path = /usr/bin/mailq.postfix
 manpage_directory = /usr/share/man
 maximal_queue_lifetime = 3d
 mydestination = localhost,$myhostname
 mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32
 newaliases_path = /usr/bin/newaliases.postfix
 queue_directory = /var/spool/postfix
 readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
 sample_directory = /usr/share/doc/postfix-2.3.3/samples
 sendmail_path = /usr/sbin/sendmail.postfix
 setgid_group = postdrop
 smtp_host_lookup = dns, native
 smtp_sasl_security_options = noplaintext
 smtpd_banner = $myhostname ESMTP $mail_name
 smtpd_recipient_restrictions = permit_sasl_authenticated,
 permit_mynetworks, reject_unauth_destination,
 reject_unknown_sender_domain, reject_unlisted_recipient
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = $myhostname
 smtpd_sasl_security_options = noanonymous
 unknown_local_recipient_reject_code = 550
 virtual_alias_maps = hash:/etc/postfix/virtual
 virtual_mailbox_base = /var/spool/mail
 virtual_mailbox_domains = hash:/etc/postfix/mydomains
 
 
 There are no wildcards in virtual_alias_maps or alias_maps
 
 Thanks,
 
 Chad.
 
 



Re: local_recipient_maps set up, yet postfix continues to send bounce messages

2013-10-14 Thread Noel Jones
On 10/14/2013 3:41 PM, Chad Elliott wrote:
 Without context, we can't provide much help.
 
 
 - what instructions did you follow?
  I set up local_recipient_maps = $virtual_alias_maps and
 unknown_local_recipient_reject_code = 550 per instructions located
 here:
 http://www.postfix.org/BACKSCATTER_README.html

I don't see anywhere that document recommends setting
local_recipient_maps = $virtual_alias_maps.  That looks like a hack
someone dreamed up for covering broken address classes.

Anyway, this won't have any effect for a virtual_mailbox_domain,
which is what it appears you're using.

 
 - what is being bounced?
 mail sent to non-existent aliases/users (not in virtual_alias_maps)
 
 - what address class (local, virtual-alias, virtual-mailbox, ...) is
 bouncing?
 virtual-alias

Make sure you understand address classes.
http://www.postfix.org/ADDRESS_CLASS_README.html

Each domain postfix is responsible for must be listed in *only one*
address class, one of:
- local addresses, domain listed in mydestination, valid recipients
listed in local_recipient_maps
- domains relayed elsewhere for final delivery, domains listed in
relay_domains, valid recipients listed in relay_recipient_maps
- virtual alias domains, domain listed in virtual_alias_domains,
valid recipients listed in virtual_alias_maps (and must be aliased
to another domain)
- virtual mailbox domains, domains listed in virtual_mailbox_domains,
valid users listed in virtual_mailbox_maps


Usually people break recipient validation by using @domain 
@domain rewriting in virtual_alias_maps or in canonical maps. Don't
do that.


 
 - NON VERBOSE logs demonstrating the problem?
 
 Oct 14 13:37:37 mail postfix/smtpd[17348]: A887A1A084D7:
 client=mail-ie0-f180.google.com[209.85.223.180]
 Oct 14 13:37:37 mail postfix/cleanup[21208]: A887A1A084D7:
 message-id=CAAa=gco6hrafjx9bdu+w47rk+k7qjlfr+xc9ojav1arka1k...@mail.gmail.com
 Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7:
 from=mypersonalem...@gmail.com, size=1490, nrcpt=1 (queue active)
 Oct 14 13:37:37 mail postfix/virtual[20895]: A887A1A084D7:
 to=testboun...@myserver.com, relay=virtual, delay=0.09,
 delays=0.09/0/0/0, dsn=5.1.1, status=bounced (unknown user:
 testboun...@myserver.com)

Apparently this is a virtual mailbox domain.  Valid users must be
listed in virtual_mailbox_maps. Domain rewrite wildcards will break
recipient validation.


 Oct 14 13:37:37 mail postfix/bounce[21056]: A887A1A084D7: sender
 non-delivery notification: B87541A084D9
 Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7: removed
 
 



  -- Noel Jones
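A small configuration check for the two rules in the reply above (each domain in exactly one address class, and no @domain catch-all keys in the alias or canonical maps). This is an added example written for this archive page, not code from the thread or from Postfix; the config values and map contents are constructed, and the MAPS dict stands in for reading the real hash: tables.

```python
import re

# Domain-class parameters named in the reply above (ADDRESS_CLASS_README).
CLASS_PARAMS = {
    "local": "mydestination",
    "relay": "relay_domains",
    "virtual-alias": "virtual_alias_domains",
    "virtual-mailbox": "virtual_mailbox_domains",
}

# Maps whose "@domain" keys rewrite every address in a domain and so
# defeat recipient validation, as the reply warns.
REWRITE_MAPS = ("virtual_alias_maps", "canonical_maps", "recipient_canonical_maps")

_VAR = re.compile(r"\$\{?(\w+)\}?")


def expand(value, cfg, depth=0):
    """Expand $name / ${name} references the way main.cf values allow."""
    if depth > 10:
        raise ValueError("parameter expansion nested too deeply")
    return _VAR.sub(lambda m: expand(cfg.get(m.group(1), ""), cfg, depth + 1), value)


def tokens(param, cfg):
    """Split a main.cf list value on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", expand(cfg.get(param, ""), cfg)) if t]


def domain_list(param, cfg, maps):
    """Resolve a domain-list parameter to a set of lower-cased domains.
    A 'type:name' token is a lookup table; its keys come from `maps`
    (a constructed stand-in for reading the real hash: file)."""
    domains = set()
    for tok in tokens(param, cfg):
        if ":" in tok:
            domains.update(k.lower() for k in maps.get(tok, {}))
        else:
            domains.add(tok.lower())
    return domains


def address_class_report(cfg, maps):
    """Report domains that sit in more than one class, and @domain wildcard
    keys that cover a domain Postfix is supposed to validate recipients for."""
    classes = {name: domain_list(p, cfg, maps) for name, p in CLASS_PARAMS.items()}
    membership = {}
    for name, domains in classes.items():
        for d in domains:
            membership.setdefault(d, set()).add(name)
    overlaps = {d: sorted(c) for d, c in membership.items() if len(c) > 1}
    wildcards = []
    for param in REWRITE_MAPS:
        for tok in tokens(param, cfg):
            for key in maps.get(tok, {}):
                if key.startswith("@") and key[1:].lower() in membership:
                    wildcards.append((param, key))
    return {"classes": classes, "overlaps": overlaps, "wildcards": wildcards}


# Constructed sample: a postconf -n style dict plus the contents of the
# two hash: tables it references (example.net is deliberately listed twice).
CONFIG = {
    "myhostname": "mail.example.com",
    "mydestination": "localhost, $myhostname",
    "relay_domains": "example.net",
    "virtual_mailbox_domains": "hash:/etc/postfix/mydomains",
    "virtual_alias_maps": "hash:/etc/postfix/virtual",
}
MAPS = {
    "hash:/etc/postfix/mydomains": {"example.com": "OK", "example.net": "OK"},
    "hash:/etc/postfix/virtual": {
        "postmaster@example.com": "admin@example.com",
        "@example.com": "@example.com",  # catch-all: every recipient "exists"
    },
}

if __name__ == "__main__":
    report = address_class_report(CONFIG, MAPS)
    for dom, cls in sorted(report["overlaps"].items()):
        print(f"{dom}: listed in {', '.join(cls)}")
    for param, key in report["wildcards"]:
        print(f"{param}: wildcard key {key} disables recipient validation")
```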



Re: Domains without MX Records

2013-10-12 Thread Noel Jones
On 10/12/2013 10:19 PM, Roman Gelfand wrote:
 Looking through the logs, I have noticed an attempt to send out mail
 which temporary local fails.  I did a dig mx and noticed there is no
 mx record.  I then tried to connect to the email address domain
 portion of the name.  Sure enough, I was able to connect.
 
 Is this legitimate configuration of mail server?

MX records are not required.  If there is no MX record, use the
domain A record. This is required RFC behavior.


 
 Is there a way to configure postfix saying that if there is no mx
 record, attempt to connect using the domain portion? 

Yes, this is the required behavior. This is not configurable.

 What is
 the exposure?

Apparently postfix is working properly.

Note that historically, lack of an MX record is not a suitable spam
indicator. Spammers easily set up MX records, along with SPF, DKIM,
etc. using automated tools. There are better ways to catch spam.

There is no exposure. The presence or lack of an MX record neither
adds nor detracts from the reputation of a client.




  -- Noel Jones


Re: postfix configuration

2013-10-09 Thread Noel Jones
On 10/9/2013 3:03 PM, Stefano Gatto wrote:
 Hi all
 I'm trying to configure postfix 2.7.1 to protect internal mailing list with
 the restriction classes as per
 http://www.postfix.org/RESTRICTION_CLASS_README.html#internal
 Example 
 /etc/postfix/main.cf:
 smtpd_recipient_restrictions =
 ...
 check_recipient_access hash:/etc/postfix/protected_destinations
 ...the usual stuff...
 
 smtpd_restriction_classes = insiders_only
 insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
 
 Everything works as expected. If a client not in insider.db tries to send a
 mail with the list in field To:, the mail bounces back to the sender.
 The problem arises when someone sends an email to a real mailbox in field To:
 and to the list in field CC:.
 In that situation the mail server forwards the email to everyone in the
 list.
 Can someone help me reconfigure postfix not to forward to the list
 address even if it is in the field CC:?
 Tya Stefano
 


Postfix never makes delivery decisions based on headers, so you
should recheck your evidence.

Note that a multi-recipient message that includes both banned and
permitted recipients will only block the banned recipients.  The
permitted recipients will still receive the message and the headers
may make it *appear* it was delivered to the banned recipients.

Also, you seem to use sender and client interchangeably above.
Maybe just a typo, but be sure you understand the difference.

If you need more help, you'll need to show us exactly what you've
configured and logs of the undesired behavior.
http://www.postfix.org/DEBUG_README.html#mail




  -- Noel Jones


Re: restricting few users from sending mails outside domain (mymailsystem.com)

2013-10-08 Thread Noel Jones
On 10/8/2013 5:27 AM, virtualpostfix wrote:
 Hi Nik,
 
 Thanks for quick reply, yes the postfix version is 2.6 :
 
 [root@posttestbox postfix]# postconf -d mail_version
 mail_version = 2.6.6
 
 Here is how I tried the suggestion in main.cf :
 
 smtpd_relay_restrictions = localonly
 localonly = check_recipient_access hash:/etc/postfix/localdomains, reject
 smtpd_sasl_auth_enable = yes
 smtpd_recipient_restrictions = check_sender_access
 hash:/etc/postfix/restricted_senders,permit_mynetworks,permit_sasl_authenticated,check_client_access
 mysql:/etc/postfix/mysql_popbsmtp_access_maps.cf,check_client_access
 hash:/etc/postfix/relay,reject_unauth_destination
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot
 
 
 But user is still able to send mails outside domain, here is current log
 happening (from postfix restart):
 
 Oct  8 23:38:03 posttestbox postfix/postfix-script[32074]: starting the
 Postfix mail system
 Oct  8 23:38:03 posttestbox postfix/master[32075]: daemon started -- version
 2.6.6, configuration /etc/postfix
 Oct  8 23:38:22 posttestbox postfix/pickup[32079]: 7C52E635C6: uid=48
 from=suraj@mymailsystem.local


The postfix smtpd_*_restrictions only apply to mail submitted via
SMTP.  This message was submitted via the local sendmail(1) command
by user 48.

If this is a webmail system, perhaps you can change it to submit
mail via SMTP.



  -- Noel Jones


 Oct  8 23:38:22 posttestbox postfix/cleanup[32093]: 7C52E635C6:
 message-id=8834f0da5847e89290d0bafe5c9d1668@mymailsystem.local
 Oct  8 23:38:22 posttestbox postfix/qmgr[32080]: 7C52E635C6:
 from=suraj@mymailsystem.local, size=557, nrcpt=1 (queue active)
 Oct  8 23:38:25 posttestbox postfix/smtp[32102]: connect to
 gmail-smtp-in.l.google.com[2607:f8b0:400e:c01::1a]:25: Network is
 unreachable
 Oct  8 23:38:27 posttestbox postfix/smtp[32102]: 7C52E635C6:
 to=mygmailacco...@gmail.com,
 relay=gmail-smtp-in.l.google.com[74.125.129.27]:25, delay=5.1,
 delays=0.15/0.01/3.5/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1381227533
 hb3si26717605pac.65 - gsmtp)
 Oct  8 23:38:27 posttestbox postfix/qmgr[32080]: 7C52E635C6: removed
 
 I am trying to use the suggestions in more possible ways but shared current
 status in case it helps.
 
 Thanks
 
 
 
 



Re: repairing queued messages with invalid content filter field

2013-10-06 Thread Noel Jones
On 10/6/2013 1:46 AM, m...@jama.is wrote:
 Hi all,
 
 I tried to install spamassassin as a postfix content filter. It did not work 
 well, so I deactivated it. I am now having a couple of undelivered messages 
 pending in DEFERRED which have in the header contentfilter: spamfilter set. 
 postcat shows me:
 
 *** ENVELOPE RECORDS 151CB1180A42 ***
 message_size: 5881 693 1 0 5881
 message_arrival_time: Sat Oct  5 21:08:46 2013
 create_time: Sat Oct  5 21:08:46 2013
 content_filter: spamfilter
 named_attribute: log_ident=151CB1180A42
 named_attribute: rewrite_context=remote
 [...]
 *** HEADER EXTRACTED 151CB1180A42 ***
 *** MESSAGE FILE END 151CB1180A42 ***
 
 Is there a way to repair these messages so they can be delivered? How can I 
 remove the content_filter: spamfilter attribute from the spooled messages?
 
 Thanks & regards,
 
 mls
 
 
 


All you need to do is requeue those messages.

# postsuper -r QUEUEID
is sufficient for a handful of messages, or
# postsuper -r ALL
to requeue everything.



  -- Noel Jones


Re: submission by cert verification only

2013-10-06 Thread Noel Jones
On 10/6/2013 7:52 PM, Dan Langille wrote:
 I managed to get this running tonight and I'm looking for sanity checking, in 
 case I'm completely missing something.  Thanks.
 
 I wish to allow incoming mail from any client with a valid certificate.  My 
 master.cf is:
 
 10.0.0.1:submission inet n   -   n   -   -   smtpd
   -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject_unauth_destination

You probably want to use reject rather than
reject_unauth_destination to prevent outsiders from sending local
mail via submission.


   -o smtpd_tls_req_ccert=yes
   -o smtpd_tls_auth_only=no
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
   -o smtpd_tls_key_file=/usr/local/etc/ssl/supernews.example.org.nopassword.key
   -o relay_clientcerts=hash:/usr/local/etc/postfix-config/main/relay_clientcerts
   -o smtpd_relay_restrictions=permit_tls_clientcerts,reject_unauth_destination

This is OK since it fulfills the intended function of preventing
unauthorized relaying, but for consistency and simplicity you might
want to change it to match your -o smtpd_recipient_restrictions.

   -o smtpd_tls_ask_ccert=yes
   -o smtp_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
   -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
   -o smtpd_sender_restrictions=hash:/usr/local/etc/postfix-config/sender_access

Your sender_access file has no effect right now. To restrict
submission to a single sender domain, use something like:
# main.cf
submission_sender_restrictions =
  check_sender_access hash:/usr/local/etc/postfix-config/sender_access
  reject

# master.cf
10.0.0.1:submission ...
   ...
   -o smtpd_sender_restrictions=$submission_sender_restrictions


Also, remember that any other smtpd_*_restrictions settings you have
in main.cf will be inherited by your master.cf submission service.
Some people find it useful to explicitly set unused restrictions
empty to prevent surprises.
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_data_restrictions=



  -- Noel Jones

 
 
 I have some DNS issues (some of these hosts are remote and do not have public 
 DNS entries)
 
 # cat /usr/local/etc/postfix-config/sender_access
 cliff.example.org OK
 
 The fingerprint for each incoming client is listed here:
 
 # cat /usr/local/etc/postfix-config/main/relay_clientcerts
 3A:2E:AB:6A:F1:D4:32:74:C9:C6:DD:2B:8D:2A:87:97 cliff.example.org
 
 I have this working.  It seems to do what I want.
 
 For what it's worth: This is just for my use, no other users.
 



Re: Quarantine mail by combination of address class and MIME type

2013-10-03 Thread Noel Jones
On 10/3/2013 12:49 PM, Philip Garrett wrote:
 I have a special-purpose Postfix 2.6 server that is part of a content 
 conversion system.  I would like to quarantine any outbound mail that hasn't 
 been transformed properly. I'd also like to quarantine relay mail that hasn't 
 gone through the reciprocal transformation.
 
 I can hold the mail using mime_header_checks, but this would apply to both 
 outbound (default domain class) and inbound (relay domain class).  What I 
 really want to do is something like this:
 
 if DEFAULT_DOMAIN_CLASS
 if /^Content-Type:/
 !/^Content-Type:\s*application\/x-my-custom-format/
 HOLD was not encoded
 endif
 endif
 
 if RELAY_DOMAIN_CLASS
 if /^Content-Type:/
 /^Content-Type:\s*application\/x-my-custom-format/
 HOLD was not decoded
 endif
 endif
 
 Is there a way to accomplish that?
 
 Thanks,
 Philip
 


header (and body) checks evaluate a single header (or line) at a
time with no state saved in between, so you can't combine multiple
conditions.

One possible solution is using separate postfix instances for
incoming and outgoing mail, effectively splitting the mail flow into
domain classes before the mime_header_checks see the message.
http://www.postfix.org/MULTI_INSTANCE_README.html

Alternately, a custom perl or python milter should be able to do this.
http://www.postfix.org/MILTER_README.html



  -- Noel Jones


Re: postfix multi-domain relay recipient verification problem with DNS and internal IP

2013-09-30 Thread Noel Jones
On 9/30/2013 5:21 AM, no@s...@mgedv.net wrote:
 hi,
 
 my postfix should be the 1st entry point for a multi-domain environment.
 i want postfix to do recipient verification in order to avoid mails being
 relayed to the internal host for users which do not exist (actually, legal
 compliance needs to be achieved that mail is not accepted until a valid
 receiver mailbox exists).
 
 situation:
 - postfix runs on its own server
 - 4 well registered domains
x1.com
x1.net
x1.org
x2.us
 - 1 external IP for all (DNS MX points there for all of them, this works):
   222.111.222.111
 - 1 internal mailsystem (ms-exchange), which is authoritative for all 4
 mail-domains.
  hostname: mail.int.demo.lan
  ip-address: 10.10.10.1
 - postfix is the 1st contact from outside
 - manual entry in /etc/hosts that tells postfix to use the internal IP for
 mail.x?.*
   (eg. 10.10.10.1 mail.int.demo.lan mail.x1.com mail.x2.com mail.x3.com
 mail.x2.us)
 - all domains listed in relay_domains in main.cf
 
 all this stuff works perfectly for x2.us, but not for the others. for some
 reason postfix always resolves the outside IP for the x1.* domains, although the
 entry in /etc/hosts should point it to the inside IP.
 of course, the connect times out (loop-connect across the fw does not work).

/etc/hosts does not override MX records.

Use transport_maps to tell postfix where to deliver mail.
http://www.postfix.org/postconf.5.html#transport_maps

And define external firewall IP addresses in proxy_interfaces so
postfix knows which IPs should not be used for delivery.
http://www.postfix.org/postconf.5.html#proxy_interfaces



  -- Noel Jones

 
 syslog entries as follows:
 postfix/smtpd 2013-09-30 10:45:23 NOQUEUE: reject: RCPT from
 mail.xxx.yyy[222.222.222.222]: 450 4.1.1 u...@x1.com: Recipient address
 rejected: unverified address: Address verification in progress;
 from=u...@xxx.yyy to=u...@x1.com proto=ESMTP helo=mail.xxx.yyy
 postfix/smtp 2013-09-30 10:45:47 connect to mail.x1.com[222.111.222.111]:25:
 Operation timed out
 postfix/smtp 2013-09-30 10:45:47 BB2D44AF07: to=u...@x1.com, relay=none,
 delay=30, delays=0/0.01/30/0, dsn=4.4.1, status=undeliverable (connect to
 mail.x1.com[222.111.222.111]:25: Operation timed out)
 
 any ideas how i can tell postfix to use the internal IP for my hosted
 domains?
 faking DNS with an own server is not an option, btw, as other DNS records
 from
 these domains need to be resolved properly for web-tools and such.
 
 regards,
 martin
 
 



Re: postfix env variables in header_checks

2013-09-27 Thread Noel Jones
On 9/27/2013 3:19 PM, Simon Herter wrote:
 Hello,
 
 currently I do the following header_checks:
 
 /^Received: by myhostname .*from userid [0-9]+\)/ IGNORE
 /^Received: (.*)by myhostname \(Postfix\) (.*)/ REPLACE Received: $(1)by myhostname $2
 
 Now I was wondering if it is possible to use actual $myhostname
 variable from postfix config? Something like:


No, not supported. No config variables are available during lookups.


  -- Noel Jones


Re: Problem with slow transport map

2013-09-23 Thread Noel Jones
On 9/23/2013 7:17 AM, Matt - Opem Solutions wrote:
 Hi,
 
  
 
 I've a postfix server which is used to relay emails to an external
 smtp server. This was done to prevent the receiving smtp server from
 being flooded by too many messages per hour, which I did by using the
 debug command and a sleep 6. In addition to this I added a transport
 map to slow down delivery even more for certain hosts/recipient domains:
 
 [MAIN.CF FILE]
 
 transport_maps = hash:/etc/postfix/transport
 smtpslow_destination_rate_delay = 310s
 smtpslow_destination_concurrency_limit = 1
 smtpslow_destination_recipient_limit = 1
 

When you set the recipient limit to 1, the delay is applied to
deliveries to the SAME RECIPIENT rather than deliveries to the SAME
DOMAIN.  This is probably not what you intend.  See:
http://www.postfix.org/postconf.5.html#default_destination_rate_delay

  
 
 debugger_command = /bin/sleep 6

This shouldn't be necessary after you increase the recipient limit.

 -o max_use=1

This shouldn't be necessary either.



  -- Noel Jones



 
  
 
 [TRANSPORT FILE]
 
 yahoo.com smtpslow:[external.server.com]:25
 yahoo.co.uk smtpslow:[external.server.com]:25
 googlemail.com smtpslow:[external.server.com]:25
 gmail.com smtpslow:[external.server.com]:25
 hotmail.com smtpslow:[external.server.com]:25
 hotmail.co.uk smtpslow:[external.server.com]:25
 outlook.com smtpslow:[external.server.com]:25
 outlook.co.uk smtpslow:[external.server.com]:25
 aol.co.uk smtpslow:[external.server.com]:25
 aol.com smtpslow:[external.server.com]:25
 comcast.com smtpslow:[external.server.com]:25
 live.com smtpslow:[external.server.com]:25
 live.co.uk smtpslow:[external.server.com]:25
 msn.com smtpslow:[external.server.com]:25
 msn.co.uk smtpslow:[external.server.com]:25
 sbcglobal.net smtpslow:[external.server.com]:25
 verizon.net smtpslow:[external.server.com]:25
 bellsouth.net smtpslow:[external.server.com]:25
 yahoo.ca smtpslow:[external.server.com]:25
 cox.net smtpslow:[external.server.com]:25
 ymail.com smtpslow:[external.server.com]:25
 btinternet.com smtpslow:[external.server.com]:25
 btinternet.co.uk smtpslow:[external.server.com]:25
 btopenworld.co.uk smtpslow:[external.server.com]:25
 btopenworld.com smtpslow:[external.server.com]:25
 mail.com smtpslow:[external.server.com]:25
 
 The smtpslow is set to use one thread only in master.cf
 
 [MASTER.CF FILE]
 
 smtpslow  unix  -   -   n   -   1   smtp -D
   -o syslog_name=postfix-smtp-slow
   -o max_use=1
 
 The -D (debug) is a bit of a dirty hack as it basically calls a
 sleep for 6 seconds between messages to ensure it doesn't hit the
 external host's message per hour limit.
 
  
 
 This all works fine, however I've noticed a big problem.
 
 If I send 3 emails to my hotmail.com address they all rightly have a
 5 minute (310s) delay between them, however if I send an email to 2
 different hotmail.com addresses and send 3 messages per recipient it
 does correctly insert the 310s delay between each recipient's
 messages. However the issue is it's trying to deliver to both
 recipients at the same time, ie
 
 Emails spooled
 Email 1 to both recipients sent (with the 6 second debug gap)
 Wait 310s
 Email 2 to both recipients sent (with the 6 second debug gap)
 Wait 310s
 Email 3 to both recipients sent (with the 6 second debug gap)
 
 Whereas I expected it to instead work like:
 
 Emails spooled
 Email 1 to recipient 1 sent
 Wait 310s
 Email 1 to recipient 2 sent
 Wait 310s
 Email 2 to recipient 1 sent
 Etc
 
 How can I adjust the config so that instead of matching the
 recipients it's matching the domains, as if 50 emails go out to
 hotmail.com at the same time to different recipients it doesn't try
 and deliver them all at the same time.
 
 Best Regards
 
 Matt.
 



Re: on send call command

2013-09-23 Thread Noel Jones
On 9/23/2013 9:18 PM, Tim Prepscius wrote:
 No, I don't mean network dump.
 
 I mean the full mime-message.
 With all the headers that have been attached during the postfix
 process and by (in my case) java-mail, etc.
 
 For instance stuff like this:
 Subject: Re: on send call command
 In-Reply-To: 
 caaj3avuz+b46ogo7umbrkx+bfbr8dcqdz0vpvp+9s9m3e98...@mail.gmail.com
 To: Postfix users postfix-users@postfix.org
 Date: Mon, 23 Sep 2013 20:08:26 -0400 (EDT)
 Reply-To: Postfix users postfix-users@postfix.org
 X-Mailer: ELM [version 2.4ME+ PL124d (25)]
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Type: text/plain; charset=US-ASCII
 Message-Id: 3ckn624d0mzj...@spike.porcupine.org
 From: wie...@porcupine.org (Wietse Venema)
 Sender: owner-postfix-us...@postfix.org
 
 

The queue file is identical to what is transmitted over the network.[1]

Do you need to examine the message for testing, or for operational
audit?

For testing, pause delivery with defer_transports = smtp and
examine the queue file with postcat -hbq QUEUEID, which will show
exactly what postfix will send out.[1]

If this is for operational audit, explain why always_bcc and system
logging is insufficient.

If this is for some other purpose, please explain your problem more
clearly.


[1] unless you've configured the optional smtp_header_checks,
smtp_body_checks, or smtp_generic_maps, in which case your only
choices are always_bcc or a network packet capture.

  -- Noel Jones


Re: on send call command

2013-09-23 Thread Noel Jones
On 9/23/2013 11:08 PM, Tim Prepscius wrote:
 I need to save the original, of all messages leaving the system.
 Original meaning whatever postfix is going to send.
 
 
 This is not for testing or for auditing.
 I will need this running in a production environment.
 
 
 always_bcc, if it does not modify the original message, would be sufficient.
 System logging would most likely be a kludge.

You'll need both -- postfix logs to show where and when it was
delivered, and the always_bcc mailbox showing the contents.

 
 On a side note, are you encrypting the queue files?

Postfix has no option to encrypt the queue files, but the queue
directory can reside on an encrypted drive or partition.


  -- Noel Jones


Re: TLS: advice on best practices

2013-09-20 Thread Noel Jones

On 9/20/2013 6:36 AM, Luigi Rosa wrote:
 Hi, I have a TLS enabled Postfix with a PKI certificate.
 
 The configuration of SMTP TLS is:
 
 smtp_tls_security_level = may
 smtp_tls_note_starttls_offer = yes
 smtp_tls_fingerprint_digest = sha1
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
 
 and in tls_policy I put some recipient domains I know with
 fingerprint and the fingerprint(s) of their keys.
 
 But many PKI keys last 365 days, so sooner or later the
 fingerprints are no longer valid and the mail will not be
 delivered to those domains until I change the policy or I put a
 new fingerprint.
 
 My question is: with PKI keys, is it better to leave the
 opportunistic TLS policy and use fingerprints only for self-issued
 keys with 3650 days of validity, or are there better ways to handle
 this?


fingerprint verification is intended for a very limited number of
clients -- typically internal hosts or highly trusted business
partners willing to closely cooperate with you.

Without close cooperation from the remote site, fingerprint
verification just isn't practical. For an arbitrary third-party
site, you'll probably need to stick to encrypt or maybe in some
cases verify.
http://www.postfix.org/TLS_README.html#client_tls

Hopefully widespread DANE adoption will take the pain out of this
in the future.


  -- Noel Jones


Re: dnsblog dnswl problem ?

2013-09-19 Thread Noel Jones
On 9/19/2013 5:26 AM, Marko Weber | ZBF wrote:
 
 hello,
 
 i use list.dnswl.org in postscreen_dnsbl_sites.
 
 in the logfiles i see:
 
 Sep 19 12:17:18 mail postfix/dnsblog[15318]: warning: dnsblog_query:
 lookup error for DNS query 35.64.91.217.list.dnswl.org: Host or
 domain name not found. Name service error for
 name=35.64.91.217.list.dnswl.org type=A: Host not found, try again
 
 does this mean dnswl.org is not reachable? or is postscreen not
 able to use dnswl.org?
 
 thanks
 
 marko


It means the list was not reachable at that time, and postscreen
didn't use dnswl for that connection. If you get these for every
query every time, you may be blocked; see www.dnswl.org/license

The test lookup for dnswl (and almost every RBL) is
# host 2.0.0.127.list.dnswl.org

which should respond
2.0.0.127.list.dnswl.org has address 127.0.10.0




  -- Noel Jones


Re: block exe and other attachments

2013-09-16 Thread Noel Jones
On 9/16/2013 6:41 AM, Rowland Onobrauche wrote:

 
 Postfix config
 
 postconf -n
 smtpd_recipient_restrictions = permit_mynetworks,reject_invalid_hostname, 
reject_non_fqdn_hostname,reject_non_fqdn_sender,
 reject_non_fqdn_recipient,reject_unknown_sender_domain,
 reject_unknown_recipient_domain,reject_unauth_pipelining,
 reject_unauth_destination,reject_rbl_client bl.spamcop.net,
 reject_rbl_client ix.dnsbl.manitu.net,reject_rbl_client 
 dul.dnsbl.sorbs.net,reject_rbl_client smtp.dnsbl.sorbs.net,
 reject_rbl_client web.dnsbl.sorbs.net,reject_rbl_client 
 nomail.rhsbl.sorbs.net,reject_rbl_client http.dnsbl.sorbs.net,
 reject_rbl_client pbl.spamhaus.org,reject_rbl_client psbl.surriel.com,
 reject_rbl_client zombie.dnsbl.sorbs.net,whitelist_policy,permit


I'm wondering about the purpose of whitelist_policy, permit. That's far
too late in processing for a whitelist.


 
 cat mime_header_checks
 /name=[^"]*\.(scr|pif|bat|exe|dll|vbs)/ REJECT

Your expression is broken.

There's an excellent example on the header_checks(5) man page. Note
this is PCRE and not regexp.
http://www.postfix.org/header_checks.5.html

   /etc/postfix/header_checks.pcre:
       /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
         ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
         hlp|ht[at]|
         inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
         \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
         ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
         vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
           REJECT Attachment name "$2" may not end with ".$4"


If this expression doesn't catch something you think it should, show
the mime headers of the offending message.



  -- Noel Jones
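To see what that man-page expression actually catches (quoted names, RFC 2047 "=2E" dot encoding, folded headers, mixed case) and what it leaves alone, here is an added example that runs it over a few constructed MIME headers. It is not code from the thread or from Postfix: the expression is translated to Python's re syntax, and the function names and sample headers are mine.

```python
import re

# The header_checks(5) example from the reply, translated for Python's re:
# POSIX [[:xdigit:]] becomes [0-9A-Fa-f]; Postfix pcre: tables match
# case-insensitively unless told otherwise, hence re.IGNORECASE; /x is re.VERBOSE.
ATTACHMENT_RULE = re.compile(r"""
    ^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
      ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
      hlp|ht[at]|
      inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
      \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}|
      ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
      vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)
    """, re.IGNORECASE | re.VERBOSE)


def check_attachment_header(header):
    """Return (filename, extension) when the logical header names a banned
    attachment type, else None. Folded continuation lines are joined first,
    since header_checks sees one logical header at a time."""
    logical = re.sub(r"\r?\n[ \t]+", " ", header)
    m = ATTACHMENT_RULE.match(logical)
    if m is None:
        return None
    return m.group(2), m.group(4)


def reject_text(header):
    """The REJECT line Postfix would log for a matching header, or None."""
    hit = check_attachment_header(header)
    if hit is None:
        return None
    name, ext = hit
    return f'REJECT Attachment name "{name}" may not end with ".{ext}"'


# Constructed MIME headers covering the cases the expression is built for:
# plain quoted names, RFC 2047 "=2E" dot encoding, folding, case, and a
# double extension that only looks dangerous (the rule checks the final one).
SAMPLES = {
    "quoted": 'Content-Disposition: attachment; filename="invoice.exe"',
    "encoded": 'Content-Type: application/octet-stream; name="=?iso-8859-1?Q?setup=2Eexe?="',
    "folded": 'Content-Type: application/x-msdownload;\n\tname="update.scr"',
    "upper": 'Content-Disposition: attachment; filename="README.BAT"; size=12',
    "harmless": 'Content-Disposition: attachment; filename="report.pdf"',
    "double": 'Content-Disposition: attachment; filename="archive.exe.txt"',
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:8s} -> {reject_text(hdr)}")
```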


Re: Reverse DNS unknown

2013-09-16 Thread Noel Jones
On 9/16/2013 5:41 PM, Dave Jones wrote:
 
 Received: from mail02.corp.ena.net (unknown [96.4.3.90])
  by mr11.mail.ena.net (Postfix) with ESMTP id 57C091480688
  for redac...@domain.com; Mon, 16 Sep 2013 16:04:46 -0500 (CDT)
 
 My forward DNS lookup for this host is an internal IP address that
 doesn't match the public one, but it has been this way for years.

You need to do your tests as the postfix user, possibly also
chrooted.  Turn off the chroot flag in master.cf for testing.


 I didn't think the unknown above is dependent on FCRDNS.

but it is. For the conditions postfix will label a host as unknown,
please see
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

In the Received: header, the first name is the HELO name given, the
second is either the FCRDNS or unknown. Postfix will also log a
warning explaining why the host is unknown.

I don't know if the unknown by itself will trigger the
SpamAssassin RDNS_NONE rule, but that seems a little strict to me.


  -- Noel Jones


Re: OT? Help identify source of this error message.

2013-09-15 Thread Noel Jones
On 9/15/2013 9:47 PM, John Allen wrote:
 I am getting the following error message in my mail log:
 
 Sep 15 22:22:17 bilbo postfix/smtpd[2319]: warning: Illegal address
 syntax from localhost.lan[127.0.0.1] in RCPT command:
 postmaster@!change-mydomain-variable!.example.com
 
 I think it is coming from spamassassin, but I cannot find it in any
 of the various spamassassin files.
 
 TIA
 John A


A quick web search seems to indicate this message is from
amavisd-new.  Either from not setting the $mydomain variable, or
possibly from an incorrect distribution-specific configuration that
tries to use $mydomain before it's set.

Followups to the amavis users list please.


Re: About smtpd_recipient_restrictions

2013-09-12 Thread Noel Jones
On 9/11/2013 11:13 PM, Feel Zhou wrote:
 Hello, Noel
 At the same time, smtpd_sender_restrictions is not working either

smtpd_sender_restrictions only works with mail that arrives via SMTP.
Perhaps this message arrived via the postfix/pickup service, sent
from some local process, perhaps a web server mail form.


  -- Noel Jones



 
 smtpd_sender_restrictions =
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_unlisted_sender
 check_sender_mx_access cidr:/etc/postfix/bad_mx_access_check
 check_sender_access
 hash:/etc/postfix/sender_reject_addr_check,
 hash:/etc/postfix/feel/sender_access_check
 check_client_access cidr:/etc/postfix/enforce_ip_match_domain
 permit_sasl_authenticated
 permit_mynetworks
 The simple log file show me
 Sep 12 03:57:59 shcx amavis[19706]: (19706-20) Passed CLEAN,
 [27.24.141.102] [27.24.141.102] vpg...@194798.com
 mailto:vpg...@194798.com - some...@example.com
 mailto:some...@example.com,
 There is no MX record for the sender domain, but this mail was sent
 
 Thanks a lot
 
 Tom
 
 
 2013/9/12 Noel Jones njo...@megan.vbhcs.org
 
 On 9/11/2013 10:08 PM, Feel Zhou wrote:
  Hello, my friend
  This is Tom, I'm sending my greetings from China
  In the main.cf
 
  smtpd_recipient_restrictions =
  reject_unknown_recipient_domain
  reject_unlisted_recipient
  permit_auth_destination
  permit_sasl_authenticated
  permit_mynetworks
  reject_unauth_destination
  One week ago it was working well, but now there is so much mail in
  my queue, just like
 
  2A63AAC1844   400211 Thu Sep 12 10:26:37  some...@example.com
  (host other.example.com[IP] said: 450
  4.1.2 anyone@qq.c: Recipient address rejected: Domain not found
  (in reply to RCPT TO command))
   anyone@qq.c
 
  I do not know, why smtpd_recipient_restrictions not working
  Thanks for your time
  TOM
 
 
 
 
 smtpd_recipient_restrictions only works with mail received with SMTP.
 Perhaps these messages arrived from the postfix/pickup service.
 
 
 
   -- Noel Jones
 
 



Re: Can't send mails but I can receive

2013-09-12 Thread Noel Jones
On 9/12/2013 4:18 AM, Chris wrote:
 Hello,
 
 I checked it now again.
 
 domain1 is on my server (vps, postfix + dovecot).
 I can send and receive from u...@domain1.com to us...@domain1.com -
 no problem at all.
 
 Now I tried to send from u...@domain1.com to a public freemailer
 (the one I'm using here):
 
 Sep 12 04:57:06 nudin1 postfix/smtp[29110]: connect to
 freenet.de[62.104.23.42]:25: Connection refused

connection refused is a network problem, probably a firewall block.
Perhaps your ISP doesn't allow you to run a mail server?


  -- Noel Jones


 Sep 12 04:57:06 nudin1 postfix/smtp[29110]: D57D812E00AF:
 to=spamo...@freenet.de, relay=none, delay=0.08,
 delays=0.01/0.01/0.06/0, dsn=4.4.1, status=deferred (connect to
 freenet.de[62.104.23.42]:25: Connection refused)
 
 But I can't look into the log file from freenet.de - it just seems
 as if the server is refusing me for a reason .. I don't know?
 
 So how can I find out why my server gets refused from some servers
 (but not from itself)?
 
 Thanks,
 Chris
 
 
 
 Am 10.09.2013 19:16, schrieb Noel Jones:
 On 9/9/2013 9:46 PM, Chris wrote:
 Hello,

 if I send from a public mail service like gmail etc. to my server, I
 get the email.
 Then I reply to this one and this message will never arrive.
 Sometimes I get an error mail like:

 v...@service.com: host service.com[202.107.110.18] said: 554 5.7.1
 v...@service.com: Relay access denied (in reply to RCPT TO
 command)

 The above message says the server at 202.107.110.18 refused to relay
 the message, but gives no indication of why. Some context would
 help. Why are you sending mail to this server?



 In the syslog when sending an email to a public mail service I find
 this one:

 Sep  9 22:38:53 nudin1 postfix/smtpd[8648]: connect from
 unknown[148.172.15.55]
 Sep  9 22:38:55 nudin1 postfix/smtpd[8648]: 2723F12E00A3:
 client=unknown[148.172.15.55], sasl_method=PLAIN,
 sasl_username=i...@domain1.de
 Sep  9 22:38:55 nudin1 postfix/cleanup[7756]: 2723F12E00A3:
 message-id=522e863a.1000...@domain1.de
 Sep  9 22:38:55 nudin1 postfix/qmgr[1344]: 2723F12E00A3:
 from=i...@domain1.de, size=474, nrcpt=1 (queue active)
 Sep  9 22:38:56 nudin1 postfix/smtpd[8648]: disconnect from
 unknown[148.172.15.55]
 Sep  9 22:38:57 nudin1 postfix/smtpd[8658]: connect from
 localhost[127.0.0.1]
 Sep  9 22:38:57 nudin1 postfix/smtpd[8658]: 7C75B12E00A4:
 client=localhost[127.0.0.1]
 Sep  9 22:38:57 nudin1 postfix/cleanup[7756]: 7C75B12E00A4:
 message-id=522e863a.1000...@domain1.de
 Sep  9 22:38:57 nudin1 postfix/smtpd[8658]: disconnect from
 localhost[127.0.0.1]
 Sep  9 22:38:57 nudin1 postfix/qmgr[1344]: 7C75B12E00A4:
 from=i...@domain1.de, size=900, nrcpt=1 (queue active)
 Sep  9 22:38:57 nudin1 amavis[792]: (00792-04) Passed CLEAN,
 [148.172.15.55] i...@domain1.de - privateu...@mail.de,
 Message-ID: 522e863a.1000...@domain1.de, mail_id: E1oH7KsZ3znA,
 Hits: -0.002, size: 474, queued_as: 7C75B12E00A4, 1713 ms
 Sep  9 22:38:57 nudin1 postfix/smtp[8654]: 2723F12E00A3:
 to=privateu...@mail.de, relay=127.0.0.1[127.0.0.1]:10024,
 delay=2.9, delays=1.2/0/0/1.7, dsn=2.0.0, status=sent (250 2.0.0
 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7C75B12E00A4)
 Sep  9 22:38:57 nudin1 postfix/qmgr[1344]: 2723F12E00A3: removed

 This appears to be a perfectly normal sequence of postfix receiving
 mail from a SASL authenticated client, then postfix filtering the
 mail through amavisd-new. Is there something here you're not
 expecting?



 What could that be?

 If you need more help, please see:
 http://www.postfix.org/DEBUG_README.html#mail




-- Noel Jones





Re: disable all filtering deliver email directly

2013-09-11 Thread Noel Jones
On 9/10/2013 10:54 PM, Jumping Mouse wrote:
 I am really needing some help with this. I hope someone can look at
 my postconf -n and let me know how I can get this email delivered
 quickly, with no filtering.


Your postfix configuration shown does not appear to have any
filtering enabled.  If filtering is still happening, there is no
evidence shown that postfix is calling the filter.

Sorry, I can't help any more here.




  -- Noel Jones

 
 
 alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
 biff = no
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 delay_warning_time = 4h
 home_mailbox = Maildir/
 ignore_mx_lookup_error = yes
 inet_interfaces = all
 inet_protocols = ipv4
 mailbox_command = /usr/bin/maildrop
 mailbox_size_limit = 0
 message_size_limit = 26214400
 mydestination = $myhostname, $mydomain, localhost.$mydomain,
 lists.domain.com
 mydomain = domain.com
 myhostname = mail.domain.com
 mynetworks = 10.0.0.0/24, 10.5.0.0/24, 127.0.0.0/8, 159.250.29.243/32
 myorigin = domain.com
 recipient_delimiter = +
 relay_domains = mailman.domain.com, domain.com, www.domain.com,
 localhost.domain.com, 159.250.29.243, svahs.net, kong2.domain.com,
 10.5.0.25, 10.0.0.19, 10.0.0.4, 10.5.0.10, 10.0.0.10, hec-pdc,
 mindtouch, mindtouch.domain.com, 10.0.0.128, kablink,
 dev1.domain.com, dev2.domain.com, 10.0.0.15
 smtp_tls_note_starttls_offer = yes
 smtp_use_tls = yes
 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 smtpd_data_restrictions = reject_unauth_pipelining
 smtpd_helo_required = yes
 smtpd_recipient_restrictions =
 permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service
 inet:127.0.0.1:6
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_sasl_local_domain =
 smtpd_sasl_path = private/auth-client
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_type = dovecot
 smtpd_tls_CAfile = /etc/ssl/sub.class2.server.ca.pem
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/ssl/ssl.crt
 smtpd_tls_key_file = /etc/ssl/ssl.key
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_use_tls = yes
 tls_random_source = dev:/dev/urandom
 transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550
 virtual_alias_maps = hash:/etc/postfix/virtual
 virtual_transport = maildrop
 
 
 
 
 From: kafr...@hotmail.com
 To: postfix-users@postfix.org
 Subject: RE: disable all filtering deliver email directly
 Date: Tue, 10 Sep 2013 23:43:56 -0400
 
 
 
 
 From: kafr...@hotmail.com
 To: postfix-users@postfix.org
 Subject: RE: disable all filtering deliver email directly
 Date: Tue, 10 Sep 2013 11:05:00 -0400
 
 
 
 Date: Mon, 9 Sep 2013 16:05:23 -0500
 From: njo...@megan.vbhcs.org
 To: postfix-users@postfix.org
 Subject: Re: disable all filtering deliver email directly

 On 9/9/2013 3:46 PM, Jumping Mouse wrote:
  Hello, I have an old email server with mail stuck in the queue.
 
  I want to flush all email out and let it be delivered without any
  filtering.
 
  It looks like I have turned off all filtering but still messages are
  delivered very slowly.
 
 
  Can someone help me with my config files? I can't seem to figure
  out where the issue is that is causing mail to still be
  filtered.
 
  Thank you!
 
 
  Here is my main.cf

 postconf -n is strongly preferred, but I see no evidence of a
 content filter here.

 Perhaps you are calling spamassassin by maildrop during delivery.



 -- Noel Jones
 
 
 Here is my maildroprc; it does not seem to be calling SpamAssassin,
 so I am not sure where the delay is. Do you see anything in the config
 file that could be causing this delay?
 
 logfile /var/log/maildrop
 VERBOSE=5
 
 
 log 
 if (/^X-Spam-Flag: YES/)
 {
   #Create SPAM IMAP folder if they don't have one
   `test -d $DEFAULT/.Junkmail`
   if( $RETURNCODE == 1 )
   {
 `/usr/bin/maildirmake -f Junkmail $DEFAULT`
  `echo INBOX.Junkmail >> $DEFAULT/courierimapsubscribed`
   }
   exception {
 to Maildir/.Junkmail
   }
 }
 
 
 
 Here is my postconf -n
 
 alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
 biff = no
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 delay_warning_time = 4h
 home_mailbox = Maildir/
 ignore_mx_lookup_error = yes
 inet_interfaces = all
 inet_protocols = ipv4
 mailbox_command = /usr/bin/maildrop
 mailbox_size_limit = 0
 message_size_limit = 26214400
 mydestination = $myhostname, $mydomain, localhost.$mydomain,
 lists.domain.com
 mydomain = domain.com
 myhostname = mail.domain.com
 mynetworks = 10.0.0.0/24, 10.5.0.0/24, 127.0.0.0/8, 159.250.29.243/32
 myorigin = domain.com
 recipient_delimiter = +
 relay_domains = mailman.domain.com, domain.com, www.domain.com,
 localhost.domain.com, 159.250.29.243, svahs.net, kong2.domain.com,
 10.5.0.25

Re: Rejecting mail to unknown users

2013-09-11 Thread Noel Jones
On 9/11/2013 9:18 AM, Vishal Agarwal wrote:
 Is there any way to control a malware infected computer, so that it
 cannot send more than a counted or limited number of messages?

There are several policy services that implement rate limits.
postfwd is one that is commonly used.

http://www.postfix.org/SMTPD_POLICY_README.html
http://www.postfix.org/addon.html#policy



  -- Noel Jones
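
A rate-limiting SMTPD policy service of the kind the reply above points to, as an added example (not postfwd or Postfix code). It follows the request/response format documented in SMTPD_POLICY_README: Postfix sends name=value lines ended by an empty line and the server answers "action=<verdict>" plus an empty line. The limits, the sample request and the listening port are constructed values, and the main.cf line naming the port is an assumption.

```python
"""Minimal Postfix SMTPD policy service that rate-limits senders.

Added example, not postfwd or Postfix code. Limits, sample request and
the listening port are constructed values.
"""
import socketserver
import threading
import time
from collections import defaultdict, deque

MAX_RECIPIENTS = 100   # constructed: RCPT TO commands allowed per window
WINDOW_SECONDS = 3600  # constructed: sliding window length
LISTEN = ("127.0.0.1", 10040)  # constructed; main.cf would then use
                               # check_policy_service inet:127.0.0.1:10040


def parse_policy_request(raw):
    """Turn the name=value block into a dict; stops at the blank terminator."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_key(attrs):
    """Key on the AUTH username when present (an infected PC usually abuses
    one account), otherwise on the client IP address."""
    return attrs.get("sasl_username") or attrs.get("client_address", "unknown")


class RateLimiter:
    def __init__(self, limit=MAX_RECIPIENTS, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # key -> timestamps inside the window
        self.lock = threading.Lock()    # handlers run in threads

    def decide(self, attrs, now=None):
        """Policy verdict for one request (Postfix asks once per RCPT TO)."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        key = sender_key(attrs)
        with self.lock:
            q = self.seen[key]
            while q and q[0] <= now - self.window:
                q.popleft()                   # slide the window forward
            if len(q) >= self.limit:
                # DEFER_IF_PERMIT: a later reject_* in the list still wins,
                # and legitimate mail is retried by the client, not lost.
                return (f"DEFER_IF_PERMIT 4.7.1 Rate limit exceeded for "
                        f"{key}, try again later")
            q.append(now)
        return "DUNNO"


def policy_response(action):
    """Wire format of one reply."""
    return f"action={action}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    limiter = RateLimiter()   # shared by every connection of this process

    def handle(self):
        # Postfix may send many requests over one connection; each request
        # ends with an empty line, and EOF ends the session.
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(policy_response(self.limiter.decide(attrs)).encode())
            self.wfile.flush()


# Constructed request, shaped like what Postfix sends at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.25\nsasl_username=alice\n"
    "sender=alice@example.com\nrecipient=bob@example.net\n"
    "instance=1a2b.5231.0\n\n"
)

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as server:
        server.serve_forever()
```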


Re: About smtpd_recipient_restrictions

2013-09-11 Thread Noel Jones
On 9/11/2013 10:08 PM, Feel Zhou wrote:
 Hello, Myfriend
 This is Tom, I'm sending my greeting from China
 In the main.cf
 
 smtpd_recipient_restrictions =
 reject_unknown_recipient_domain
 reject_unlisted_recipient
 permit_auth_destination
 permit_sasl_authenticated
 permit_mynetworks
 reject_unauth_destination
 One week ago it was working well, but now there is so much mail in
 my queue, just like
 
 2A63AAC1844   400211 Thu Sep 12 10:26:37  some...@example.com
 (host other.example.com[IP] said: 450
 4.1.2 anyone@qq.c: Recipient address rejected: Domain not found
 (in reply to RCPT TO command))
  anyone@qq.c
 
 I do not know, why smtpd_recipient_restrictions not working
 Thanks for your time
 TOM
 
 


smtpd_recipient_restrictions only works with mail received with SMTP.
Perhaps these messages arrived from the postfix/pickup service.



  -- Noel Jones


Re: Can't send mails but I can receive

2013-09-10 Thread Noel Jones
On 9/9/2013 9:46 PM, Chris wrote:
 Hello,
 
 if I send from a public mail service like gmail etc. to my server, I
 get the email.
 Then I reply to this one and this message will never arrive.
 Sometimes I get an error mail like:
 
 v...@service.com: host service.com[202.107.110.18] said: 554 5.7.1
 v...@service.com: Relay access denied (in reply to RCPT TO command)

The above message says the server at 202.107.110.18 refused to relay
the message, but gives no indication of why. Some context would
help. Why are you sending mail to this server?


 
 In the syslog when sending an email to a public mail service I find
 this one:
 
 Sep  9 22:38:53 nudin1 postfix/smtpd[8648]: connect from
 unknown[148.172.15.55]
 Sep  9 22:38:55 nudin1 postfix/smtpd[8648]: 2723F12E00A3:
 client=unknown[148.172.15.55], sasl_method=PLAIN,
 sasl_username=i...@domain1.de
 Sep  9 22:38:55 nudin1 postfix/cleanup[7756]: 2723F12E00A3:
 message-id=522e863a.1000...@domain1.de
 Sep  9 22:38:55 nudin1 postfix/qmgr[1344]: 2723F12E00A3:
 from=i...@domain1.de, size=474, nrcpt=1 (queue active)
 Sep  9 22:38:56 nudin1 postfix/smtpd[8648]: disconnect from
 unknown[148.172.15.55]
 Sep  9 22:38:57 nudin1 postfix/smtpd[8658]: connect from
 localhost[127.0.0.1]
 Sep  9 22:38:57 nudin1 postfix/smtpd[8658]: 7C75B12E00A4:
 client=localhost[127.0.0.1]
 Sep  9 22:38:57 nudin1 postfix/cleanup[7756]: 7C75B12E00A4:
 message-id=522e863a.1000...@domain1.de
 Sep  9 22:38:57 nudin1 postfix/smtpd[8658]: disconnect from
 localhost[127.0.0.1]
 Sep  9 22:38:57 nudin1 postfix/qmgr[1344]: 7C75B12E00A4:
 from=i...@domain1.de, size=900, nrcpt=1 (queue active)
 Sep  9 22:38:57 nudin1 amavis[792]: (00792-04) Passed CLEAN,
 [148.172.15.55] i...@domain1.de - privateu...@mail.de,
 Message-ID: 522e863a.1000...@domain1.de, mail_id: E1oH7KsZ3znA,
 Hits: -0.002, size: 474, queued_as: 7C75B12E00A4, 1713 ms
 Sep  9 22:38:57 nudin1 postfix/smtp[8654]: 2723F12E00A3:
 to=privateu...@mail.de, relay=127.0.0.1[127.0.0.1]:10024,
 delay=2.9, delays=1.2/0/0/1.7, dsn=2.0.0, status=sent (250 2.0.0
 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7C75B12E00A4)
 Sep  9 22:38:57 nudin1 postfix/qmgr[1344]: 2723F12E00A3: removed

This appears to be a perfectly normal sequence of postfix receiving
mail from a SASL authenticated client, then postfix filtering the
mail through amavisd-new. Is there something here you're not expecting?


 
 What could that be?

If you need more help, please see:
http://www.postfix.org/DEBUG_README.html#mail




  -- Noel Jones


Re: disable all filtering deliver email directly

2013-09-09 Thread Noel Jones
On 9/9/2013 3:46 PM, Jumping Mouse wrote:
 Hello, I have an old email server with mail stuck in the queue.
 
 I want to flush all email out and let it be delivered without any
 filtering.
 
 It looks like I have turned off all filtering but still messages are
 delivered very slowly.
 
 
 Can someone help me with my config files? I can't seem to figure
 out where the issue is that is causing mail to still be filtered.
 
 Thank you!
 
 
 Here is my main.cf

postconf -n is strongly preferred, but I see no evidence of a
content filter here.

Perhaps you are calling spamassassin by maildrop during delivery.



  -- Noel Jones


Re: Port settings

2013-09-06 Thread Noel Jones
On 9/6/2013 11:06 PM, Vishal Agarwal wrote:
 Hi,
 Kindly advise how I can set my SMTP port to 465 TLS instead of 25 ?

Is this what you're looking for?
http://www.postfix.org/TLS_README.html#client_smtps


If not, please be more specific of your needs.




  -- Noel Jones


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

2013-09-04 Thread Noel Jones
On 9/4/2013 3:27 AM, FliedRice wrote:
 It looks like gmail knows plenty to me
 Sep  4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed
 for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Unless you're configuring a secure TLS channel, this isn't really
an error, doesn't affect delivery, and can be safely ignored. Newer
postfix versions automatically suppress this entry on opportunistic
TLS connections.

Are you having other issues still?


  -- Noel Jones


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

2013-09-04 Thread Noel Jones
On 9/4/2013 12:53 PM, FliedRice wrote:
 Thanks for the clarification Noel & LuKreme, because there is an AOL one as
 well...
 Sep  3 12:44:24 boaz postfix/smtp[22753]: certificate verification failed
 for mailin-01.mx.aol.com[205.188.159.42]:25: untrusted issuer
 /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
 
 Other than those messages postfix seems to be working fine. The thing that
 gets me is that this is a newer version of Plesk, the server is only like 3
 months old, so when you say it's suppressed in later versions of postfix, it
 really makes me wonder why Plesk does not offer a more updated version initially.

Open a support ticket with Plesk.

 
 Does anyone know how I can go about suppressing these messages?
 I know the one for Google is Equifax & the one for AOL is Thawte.

Most folks just ignore those messages, since they have no importance.

Theoretically you can track down the public root certs and add them
to a file, then point smtp_tls_CAfile to it.

Some distributions offer a root certificate bundle, intended to be
used with web browsers, that can be used as smtp_tls_CAfile. That
bundle may or may not contain the roots for these particular certs.
And many folks intentionally do NOT use the bundle with SMTP, since
it's hard to know exactly what roots are trusted by the system bundle.


  -- Noel Jones


Re: reject_unauth_destination

2013-09-01 Thread Noel Jones
On 8/31/2013 6:40 PM, LuKreme wrote:
 

 When you change your main.cf so that AUTH is not allowed on port 25,
 then additional settings are required in master.cf/submission to
 ensure you don't reject AUTH users.
 
 Ah... um.. let me see if I have this straight then. I do not have sasl 
 settings like smtpd_sasl_auth_enable = yes in my postconf, so sasl and auth 
 are NOT available on port25, but I still have 
 
 smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
 reject_unauth_destination
 
 in main.conf.
 
 In several places in main.cf I have permit_sasl_authenticated. Should I only 
 have that in master.cf under submission?
 

Since you don't have AUTH enabled on port 25,
permit_sasl_authenticated is basically a no-op there.  Postfix will
check to see if the authenticated flag is set, and it will always
be false. Other than using an insignificant amount of processing
time, there will be no other effect. Take it out if you're sure
you've covered it in the master.cf/submission entry.

But it really doesn't make much difference.

  -- Noel Jones


Re: HELO

2013-09-01 Thread Noel Jones
On 9/1/2013 3:30 PM, Roman Gelfand wrote:
 My mail server is now bound to a public IP A. The PTR resolves fine
 here. When the ISP for public IP A becomes unavailable, the firewall
 fails over to a different provider. Naturally, the mail server will now be
 bound to a public IP B. What do I do if I want a correct PTR query
 response?
 
 Thanks in advance
 

Just give each IP its own unique PTR, make sure each hostname points
back to the proper A record.

A.A.A.A   PTR  mailA.example.com
B.B.B.B   PTR  mailB.example.com

mailA.example.com  A  A.A.A.A
mailB.example.com  A  B.B.B.B

If you want your HELO to be consistent regardless of which IP is
used, use a separate hostname that points to both A records.

mail.example.com  A  A.A.A.A
mail.example.com  A  B.B.B.B



  -- Noel Jones
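
The forward-confirmed reverse DNS round trip behind both this reply and the "Reverse DNS unknown" reply above (the second name in a Received: header, and reject_unknown_client_hostname), as an added example that is not Postfix code. The resolver is a constructed in-memory table rather than a live DNS query: it holds the two-provider PTR/A layout from this thread, with 192.0.2.0/24 and 198.51.100.0/24 standing in for A.A.A.A and B.B.B.B, plus a constructed host whose PTR name resolves only to an internal address and one whose lookup fails temporarily.

```python
"""Forward-confirmed reverse DNS (FCRDNS) as Postfix applies it when it
labels a client "unknown".

Added example, not Postfix code. DNS data below is constructed.
"""
from dataclasses import dataclass

TEMPFAIL = "TEMPFAIL"   # stands for a SERVFAIL/timeout answer

# Constructed DNS data: (owner name, record type) -> answers.
DNS = {
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mailA.example.com"],
    ("10.100.51.198.in-addr.arpa", "PTR"): ["mailB.example.com"],
    ("mailA.example.com", "A"): ["192.0.2.10"],
    ("mailB.example.com", "A"): ["198.51.100.10"],
    # Shared HELO name that points at both addresses.
    ("mail.example.com", "A"): ["192.0.2.10", "198.51.100.10"],
    # PTR exists, but the name resolves to an internal address only.
    ("7.113.0.203.in-addr.arpa", "PTR"): ["mail02.corp.example.net"],
    ("mail02.corp.example.net", "A"): ["10.1.1.5"],
    # Resolver trouble, e.g. a chrooted smtpd without a usable resolv.conf.
    ("9.113.0.203.in-addr.arpa", "PTR"): TEMPFAIL,
}


def reverse_name(ip):
    """203.0.113.7 -> 7.113.0.203.in-addr.arpa (IPv4 only in this example)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


@dataclass
class ClientName:
    name: str        # verified hostname, or "unknown"
    temporary: bool  # True when a lookup failed, False on NXDOMAIN/mismatch
    reason: str      # text in the spirit of Postfix's warning line


def fcrdns(ip, resolver):
    """Address -> name -> address round trip; any break yields "unknown"."""
    ptrs = resolver.get((reverse_name(ip), "PTR"))
    if ptrs == TEMPFAIL:
        return ClientName("unknown", True, f"hostname lookup for {ip} failed temporarily")
    if not ptrs:
        return ClientName("unknown", False, f"address {ip} has no PTR record")
    for host in ptrs:
        addrs = resolver.get((host, "A"))
        if addrs == TEMPFAIL:
            return ClientName("unknown", True, f"address lookup for {host} failed temporarily")
        if addrs and ip in addrs:
            return ClientName(host, False, "")
    return ClientName("unknown", False,
                      f"hostname {ptrs[0]} does not resolve to address {ip}")


def received_clause(helo, ip, resolver):
    """The 'from HELO (name [ip])' part of a Postfix Received: header: the
    first name is whatever the client sent, the second is FCRDNS or unknown."""
    return f"from {helo} ({fcrdns(ip, resolver).name} [{ip}])"


def reject_unknown_client_hostname(ip, resolver, unknown_client_reject_code=450):
    """Reply code the restriction would use, or None when the client is known.
    Temporary lookup failures always get 450, regardless of the configured code."""
    result = fcrdns(ip, resolver)
    if result.name != "unknown":
        return None
    return 450 if result.temporary else unknown_client_reject_code


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.10", "203.0.113.7", "203.0.113.8", "203.0.113.9"):
        print(received_clause("mail.example.com", ip, DNS), fcrdns(ip, DNS).reason)
```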


Re: 421 too many messages in this connection

2013-09-01 Thread Noel Jones
On 9/1/2013 3:20 PM, Roman Gelfand wrote:
 I am not sure I understand this.  Isn't every message a separate connection?
 
 If what it means to say is I have exceeded a quota for sending out
 emails per time period, what is there to do about it?
 
 Thanks in advance
 

Postfix can reuse a connection if there is a lot of mail for a
single destination.  The destination might disconnect at some point,
after which postfix is free to try again.

Generally you can ignore this and it will sort itself out.

If it doesn't sort itself out in a reasonable amount of time, you
can configure delivery delays for that destination.

Some reading, but a warning that ill-considered changes can make
things worse:
http://www.postfix.org/QSHAPE_README.html
http://www.postfix.org/TUNING_README.html



  -- Noel Jones


Re: Postfix response after receipt

2013-09-01 Thread Noel Jones
On 9/1/2013 6:52 PM, Warren H. Prince wrote:
 I didn't want to post such a large log, but here goes.  The first line is 
 where the message is actually moved to Maildir (its desired location).  The 
 entries after that result after the email is moved from Maildir/new to 
 Maildir/cur:
 
 
 Sep  1 23:44:07 production postfix/local[10458]: 0352A760851: 
 to=myacco...@mydomain.com, orig_to=10...@mysubdomain.mydomain.com, 
 relay=local, delay=0.47, delays=0.41/0.01/0/0.05, dsn=2.0.0, status=sent 
 (delivered to maildir)
 Sep  1 23:44:07 production postfix/qmgr[1728]: 0352A760851: removed

After the second line, postfix is done with this message; no further
processing takes place.

 Sep  1 23:44:08 production postfix/smtpd[10454]: connect from 
 localhost[127.0.0.1]

SOME OTHER PROGRAM is now injecting mail into postfix.  Don't blame
postfix.

  -- Noel Jones


Re: ISP has no reverse DNS for ip address

2013-09-01 Thread Noel Jones
On 9/1/2013 6:57 PM, Roman Gelfand wrote:
 On every machine, at different locations, I have tried dig -x ip
 address and it works correctly.
 
 I have 4 messages stuck in a queue which are complaining about the
 very thing that works.
 
  refused to talk to me: 451 Sender's ISP has no reverse DNS for ip address
 
 Can somebody tell me what is going on?

It appears the recipient is unable to find your rDNS.  You might
check your setup with some external tools, or maybe the recipient's
DNS is broken.

Or the reason given could be incorrect, and they don't want your
mail for some other reason.  If your DNS looks OK, you'll need to
contact their postmaster.



  -- Noel Jones


Re: HELO

2013-09-01 Thread Noel Jones
On 9/1/2013 7:04 PM, LuKreme wrote:
 On 01 Sep 2013, at 15:35 , Noel Jones njo...@megan.vbhcs.org wrote:
 If you want your HELO to be consistent regardless of which IP is
 used, use a separate hostname that points to both A records.

 mail.example.com  A  A.A.A.A
 mail.example.com  A  B.B.B.B
 
 Won't this cause a problem with the MX records? They will both point at 
 mail.example.com and one of those IPs will not be available at any given time.
 

I was under the impression that MX records can cope with dead
destinations.

If that's a concern, the OP can use some sort of heartbeat/monitor
program that adjusts the MX records automatically. But that seems
unnecessary.


  -- Noel Jones


Re: Postfix response after receipt

2013-09-01 Thread Noel Jones
On 9/1/2013 7:28 PM, Warren H. Prince wrote:
 
 On Sep 1, 2013, at 8:06 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 Sep  1 23:44:08 production postfix/smtpd[10454]: connect from 
 localhost[127.0.0.1]

 SOME OTHER PROGRAM is now injecting mail into postfix.  Don't blame
 postfix.

 
 I'm not blaming postfix, but postfix is my only source of information.  
 Like I said, I thought it might have been dovecot, but I eliminated that by 
 stopping the service.  Any ideas on how to identify the 
 app/service/process/villain ?
 
 
 


procmail? sieve? some other post-receipt process you've set up?

Sorry, really can't help any further.


  -- Noel Jones


Re: reject_unauth_destination

2013-08-31 Thread Noel Jones
On 8/31/2013 2:55 AM, LuKreme wrote:
 Is there any downside to using reject_unauth_destination? I had it commented 
 out but I did not have a note on why it was disabled. Reading the 
 description, it seems like it should always be turned on (or at least that it 
 couldn't possibly hurt)?
 
 http://www.postfix.org/postconf.5.html#reject_unauth_destination

reject_unauth_destination is what keeps you from being an open
relay, and is required in either smtpd_recipient_restrictions or
(postfix 2.10 and newer) smtpd_relay_restrictions.

I expect you commented it out in smtpd_recipient_restrictions when
you upgraded to postfix 2.10, but it's a very cheap test and there's
no reason to remove it.

 
 Is it even going to trigger with Postscreen in place?

postscreen doesn't do any destination tests, and by design cannot
prevent relaying.

I would recommend leaving it in smtpd_recipient_restrictions, and
you MUST leave it in smtpd_relay_restrictions.



 
 (for now I've stuck warn_if_ in front of it)
 
 my smtpd_*_restrictions (mail_version = 2.10.0)
 
 smtpd_data_restrictions = reject_unauth_pipelining, 
 reject_multi_recipient_bounce, permit
 
 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, 
 reject_non_fqdn_helo_hostname, permit
 
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
 reject_non_fqdn_sender, reject_non_fqdn_recipient, 
 reject_unknown_sender_domain, reject_invalid_hostname, 
 warn_if_reject_unauth_destination, reject_unlisted_recipient, 
 reject_unlisted_sender, reject_unknown_reverse_client_hostname, 
 check_client_access hash:$config_directory/access, permit
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
 reject_unauth_destination

the above is acceptable.

 
 
 Can I just go with 
 
 smtpd_recipient_restrictions = reject_unauth_destination,permit
 smtpd_relay_restrictions = 

This will work -- you can even drop the permit, which is implied
-- but most folks find it useful to prepend permit_mynetworks even
if mynetworks only contains localhost IPs.


 
 and in master.cf
 submission inet  n   -   n   -   -   smtpd
 -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
 -o smtpd_sasl_security_options=noanonymous

OK.

 -o smtpd_sasl_local_domain=$myhostname

I don't think this parameter is used by dovecot. (unused parameters
rarely cause problems other than operator confusion)

 -o smtpd_client_restrictions=permit_sasl_authenticated,reject

you'll need to override the other smtpd_*_restrictions set in main.cf.
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

 -o syslog_name=submit-tls

Good.


 
 ?
 
 and is client_restrictions the best choice for submission? I've seen some 
 confs have both 
 
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_data_restrictions=permit_sasl_authenticated,reject
 
 Why?
 

Remember, for mail to be accepted, it must pass *each* of the
smtpd_*_restrictions sections. Also remember that every master.cf
service inherits {built-in defaults + all main.cf settings} before
applying any -o overrides.

How you arrange your submission settings is up to you.  I like to
explicitly set all the smtpd_*_restrictions in submission, even if
most of them are empty, to prevent surprises later when I change
something in main.cf.

I think the minimum requirements for submission can be stated as 1)
allow all AUTH users, 2) reject everyone else.  With widely used
postfix main.cf smtpd_*_restrictions settings that prepend
everything with permit_mynetworks, permit_sasl_authenticated, (and
thereby allow AUTH on port 25) it's sufficient to use -o
smtpd_ANYTHING_restrictions=permit_sasl_authenticated,reject and
still meet the minimum requirements.

When you change your main.cf so that AUTH is not allowed on port 25,
then additional settings are required in master.cf/submission to
ensure you don't reject AUTH users.



  -- Noel Jones
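
A model of the evaluation rules this reply spells out (a message must pass each smtpd_*_restrictions section, a master.cf service inherits all of main.cf before its -o overrides, and permit_sasl_authenticated is a no-op where AUTH is off), as an added example that is not Postfix code. Only the restrictions used in the thread are modelled, built-in defaults are simplified to empty lists, and the client attributes (in mynetworks, authenticated, RBL-listed) are constructed inputs rather than real lookups.

```python
"""Model of how a Postfix smtpd service evaluates its smtpd_*_restrictions.

Added example, not Postfix code. Configs and clients below are constructed.
"""

SECTIONS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions",
)
# Restrictions followed by an argument (RBL zone, lookup table, ...).
TAKES_ARGUMENT = {"reject_rbl_client", "check_client_access", "check_policy_service"}


def effective_config(main_cf, overrides=None):
    """What a master.cf service sees: defaults, then main.cf, then -o overrides."""
    cfg = {section: "" for section in SECTIONS}   # simplified built-in defaults
    cfg["smtpd_sasl_auth_enable"] = "no"
    cfg.update(main_cf)
    cfg.update(overrides or {})
    return cfg


def parse_list(value):
    """Split a restriction list on commas and/or whitespace, as Postfix does."""
    return value.replace(",", " ").split()


def evaluate_restriction(name, argument, client, cfg):
    """Verdict of one restriction: 'PERMIT', 'REJECT' or 'DUNNO' (no opinion)."""
    # The AUTH flag can only be set on a service where SASL is enabled, so on
    # a port-25 service without AUTH, permit_sasl_authenticated never fires.
    authenticated = client["sasl_authenticated"] and cfg["smtpd_sasl_auth_enable"] == "yes"
    if name == "permit":
        return "PERMIT"
    if name == "reject":
        return "REJECT"
    if name == "permit_mynetworks":
        return "PERMIT" if client["in_mynetworks"] else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if authenticated else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if client["authorized_destination"] else "REJECT"
    if name == "reject_rbl_client":
        return "REJECT" if argument in client["listed_in"] else "DUNNO"
    if name.startswith("warn_if_reject_"):
        return "DUNNO"   # warn_if_ only logs; it never rejects
    raise ValueError(f"restriction not modelled here: {name}")


def evaluate_section(value, client, cfg):
    """First PERMIT or REJECT wins; reaching the end of the list means PERMIT."""
    tokens, i = parse_list(value), 0
    while i < len(tokens):
        name, argument, i = tokens[i], None, i + 1
        if name in TAKES_ARGUMENT:
            argument, i = tokens[i], i + 1
        verdict = evaluate_restriction(name, argument, client, cfg)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"


def smtpd_accepts(cfg, client):
    """Accepted only if no section rejects; returns (accepted, rejecting section)."""
    for section in SECTIONS:
        if evaluate_section(cfg[section], client, cfg) == "REJECT":
            return False, section
    return True, None


# Constructed main.cf in the shape of the port-25 thread: AUTH allowed on 25,
# RBL test before any permit_sasl_authenticated in the recipient section.
MAIN_CF = {
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_recipient_restrictions":
        "permit_mynetworks, reject_rbl_client bl.spamcop.net, permit",
    "smtpd_relay_restrictions":
        "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination",
}
# Constructed client: a roaming user who authenticates from an RBL-listed
# address and relays to an outside domain.
ROAMING_USER = {
    "sasl_authenticated": True, "in_mynetworks": False,
    "authorized_destination": False, "listed_in": {"bl.spamcop.net"},
}
# The fix from that thread: permit_sasl_authenticated ahead of the RBL test.
MAIN_CF_FIXED = dict(MAIN_CF, smtpd_recipient_restrictions=
    "permit_sasl_authenticated, permit_mynetworks, reject_rbl_client bl.spamcop.net, permit")
# Submission overrides that set every section, so later main.cf changes
# cannot leak into the submission service.
SUBMISSION_OVERRIDES = {
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    "smtpd_helo_restrictions": "",
    "smtpd_sender_restrictions": "",
    "smtpd_recipient_restrictions": "permit_sasl_authenticated,reject",
    "smtpd_relay_restrictions": "permit_sasl_authenticated,reject",
}
```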


Re: email from comcast.net is bouncing

2013-08-30 Thread Noel Jones
On 8/30/2013 3:44 AM, Grant wrote:
 
 I grep'ed the mail logs for dnsblog and got a huge number of these:
 
 [postfix/postscreen] warning: psc_dnsbl_request: connect to
 private/dnsblog service: No such file or directory

Looks as if you've found the problem.

Make sure your master.cf has an entry like:

dnsblog  unix  -   -   n   -   0   dnsblog




  -- Noel Jones


Re: email from comcast.net is bouncing

2013-08-30 Thread Noel Jones
On 8/30/2013 2:27 PM, Grant wrote:
 I grep'ed the mail logs for dnsblog and got a huge number of these:

 [postfix/postscreen] warning: psc_dnsbl_request: connect to
 private/dnsblog service: No such file or directory

 Looks as if you've found the problem.

 Make sure your master.cf has an entry like:

 dnsblog  unix  -   -   n   -   0   dnsblog
 
 Thank you.  I added it and restarted postfix and started to get errors
 like these:

Postfix always adds missing master.cf entries automatically as part
of the upgrade procedure.  You can break this by restoring an old
file after the upgrade.


 
 [postfix/dnsblog] warning: dnsblog_query: lookup error for DNS query
 MASKED.list.dnswl.org: Host or domain name not found. Name service
 error for name=MASKED.list.dnswl.org type=A: Host not found, try again
 
 I did some searching and I think this was due to my use of Google's
 DNS resolvers (8.8.8.8 and 8.8.4.4).  I added my host's DNS resolver
 first in the list and the errors seem to have stopped.  Is that a good
 config?

Yes, good.  Many public DNS servers are denied access by RBL
providers due to excessive query load.

Using your own DNS is the proper solution.

 
 I also read a recommendation to set up a caching nameserver like
 unbound on the same machine as postfix.  Is that the right thing to
 do?

A local caching nameserver is highly recommended.  If you already
have one that's working OK, there's no pressing need to replace it.


 
 Is there a way to verify that everything is working properly?

Watch the logs for errors or unexpected behavior.




  -- Noel Jones


Re: misc postfix questions

2013-08-30 Thread Noel Jones
On 8/30/2013 2:17 PM, Littlefield, Tyler wrote:
 Hello all:
 I had a couple of questions.
 First, I was curious how most people tend to handle quota. I have
 some disk space on my server, but not a lot. I need to create email
 accounts for individual staff, but need to put a hard limit on their
 quota. Do you just set up a limit and then not allow any email until
 mail is deleted, or is it safe to remove trash from time to time? How
 is this done?

Quotas are usually handled by your IMAP software.  Most folks deny
new mail for over-quota users, either by bouncing it, or better, by
rejecting it during SMTP.

Some folks remove old mail (typically 30+ days) automatically from
the trash or junk folder.  Whether this is a good idea is somewhat
debatable, so make sure your users understand your policy very very
clearly. This is outside the scope of postfix, and is performed by
your IMAP software or an external process.


 Second, I'm curious what is used to help track outbound emails. If I
 receive an abuse report, I need to be able to nail down the sender,
 basically to find the email that was sent.

Postfix logs the sending IP of each message, and if AUTH is used the
username is also logged. It's generally recommended to require your
users to AUTH, rather than relying on permit_mynetworks, so you can
more easily identify and stop abuse.

Many folks also use some sort of rate limiter, such as postfwd, to
limit the damage when an account gets compromised.


 Finally, I currently have my setup set to use maildir and I use
 procmail to do a lot of filtering. I do not want to add individual
 user accounts per user,

This is all controlled by your IMAP software. Most IMAP software can
handle a mixture of both virtual and real users, dovecot is a
popular choice.



  -- Noel Jones
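Added example (not part of the post above): the reply says Postfix logs the client IP of every message and, when AUTH is used, the SASL username. Tracing an abuse report back to an account means joining those facts across several log lines that share a queue ID: the smtpd line (client, sasl_username), the qmgr line (envelope sender) and the smtp/local lines (recipients, status). The log lines below are constructed to match Postfix's log format; host names, addresses and queue IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample log: one SASL-authenticated submission with two recipients,
# followed by an ordinary inbound message with no AUTH.
SAMPLE_LOG = """\
Aug 30 14:01:02 mx1 postfix/submission/smtpd[2101]: connect from unknown[203.0.113.7]
Aug 30 14:01:03 mx1 postfix/submission/smtpd[2101]: 7B1C2A0F3: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Aug 30 14:01:03 mx1 postfix/cleanup[2110]: 7B1C2A0F3: message-id=<c1@example.org>
Aug 30 14:01:03 mx1 postfix/qmgr[1880]: 7B1C2A0F3: from=<alice@example.org>, size=1432, nrcpt=2 (queue active)
Aug 30 14:01:04 mx1 postfix/smtp[2120]: 7B1C2A0F3: to=<victim1@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.1, delays=0.3/0.1/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug 30 14:01:04 mx1 postfix/smtp[2120]: 7B1C2A0F3: to=<victim2@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.2, delays=0.3/0.1/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Aug 30 14:01:04 mx1 postfix/qmgr[1880]: 7B1C2A0F3: removed
Aug 30 14:05:00 mx1 postfix/smtpd[2130]: 9D44E1B22: client=mail.partner.example[192.0.2.44]
Aug 30 14:05:00 mx1 postfix/qmgr[1880]: 9D44E1B22: from=<bob@partner.example>, size=900, nrcpt=1 (queue active)
Aug 30 14:05:01 mx1 postfix/local[2140]: 9D44E1B22: to=<carol@example.org>, relay=local, delay=0.5, delays=0.1/0.1/0/0.3, dsn=2.0.0, status=sent (delivered to maildir)
"""

# "postfix/<service>/<daemon>[pid]: <QUEUEID>: ..." (the service part is optional)
QUEUE_RE = re.compile(
    r"postfix/(?:\S+/)?(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
CLIENT_RE = re.compile(
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(r"from=<(?P<from>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<to>[^>]+)>.*status=(?P<status>\w+)")


def correlate(log_text):
    """Group log lines by queue ID into one record per message."""
    msgs = defaultdict(lambda: {"client_ip": None, "sasl_username": None,
                                "from": None, "recipients": []})
    for line in log_text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        rec, rest = msgs[m.group("qid")], m.group("rest")
        c = CLIENT_RE.search(rest)
        if c:
            rec["client_ip"] = c.group("ip")
            rec["sasl_username"] = c.group("user")  # None when no AUTH was used
        f = FROM_RE.search(rest)
        if f and m.group("prog") == "qmgr":
            rec["from"] = f.group("from")
        t = TO_RE.search(rest)
        if t:
            rec["recipients"].append((t.group("to"), t.group("status")))
    return dict(msgs)


def find_messages_to(log_text, recipient):
    """Answer an abuse report: queue ID, client IP, SASL user and envelope
    sender of every message delivered to the complaining address."""
    return [(qid, rec["client_ip"], rec["sasl_username"], rec["from"])
            for qid, rec in correlate(log_text).items()
            if any(to == recipient for to, _ in rec["recipients"])]


if __name__ == "__main__":
    for hit in find_messages_to(SAMPLE_LOG, "victim1@example.net"):
        print(hit)
```

With permit_mynetworks alone the smtpd line would carry only the client IP, so the `sasl_username` field stays empty and the trail ends at a shared NAT address; that is the reason the reply recommends requiring AUTH.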


Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Noel Jones
On 8/29/2013 3:43 PM, Glenn English wrote:
 
 On Aug 29, 2013, at 2:18 PM, LuKreme wrote:
 
 $ grep 587 /etc/services 
 submission  587/tcp
 submission  587/udp
 
 That's what mine says too. Does Postfix accept UDP submissions?
 
 I looked at RFC6409 (the newest I could find on 587), and all it said was 
 port 587 -- the protocol isn't mentioned. 
 

It's standard SMTP over tcp, typically with STARTTLS and AUTH.  I
imagine the udp entry is a historical artifact.


  -- Noel Jones


Re: port 25 submission settings sanity check

2013-08-28 Thread Noel Jones
On 8/28/2013 2:06 PM, Quanah Gibson-Mount wrote:
 We have a client allowing auth'd submissions over port 25. 
 Unfortunately, the authenticated submissions are hitting their RBL
 settings.  The postfix release is 2.10.0, with the following
 parameters:
 
 smtpd_recipient_restrictions = reject_non_fqdn_recipient,
 permit_mynetworks, reject_unlisted_recipient,
 reject_unknown_sender_domain, reject_rbl_client dnsbl.njabl.org
 reject_rbl_client cbl.abuseat.org reject_rbl_client bl.spamcop.net
 reject_rbl_client sbl.spamhaus.org reject_rbl_client
 relays.mail-abuse.org, permit
 
 smtpd_relay_restrictions = permit_sasl_authenticated,
 permit_mynetworks, reject_unauth_destination
 
 
 I thought the smtpd_relay_restrictions would automatically allow the
 email to pass the RBLs, but this does not appear to be the case.
 
 Adding permit_sasl_authenticated to smtpd_recipient_restrictions in
 front of permit_mynetworks allows the email to go through.
 
 Is this simply a misconfiguration on my part?

For a message to be accepted, it must pass *each* of the
smtpd_*_restrictions sections.

As a rule of thumb, anywhere you use permit_mynetworks you'll also
need permit_sasl_authenticated.



  -- Noel Jones


 
 Thanks,
 Quanah
 
 -- 
 
 Quanah Gibson-Mount
 Lead Engineer
 Zimbra, Inc
 
 Zimbra ::  the leader in open source messaging and collaboration
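Added example, not from the thread: a small model of how Postfix combines its restriction lists, to show why the authenticated client above was still hitting the DNSBL checks. Each smtpd_*_restrictions list is walked top to bottom and the first permit or reject result decides that list; a message is accepted only if no list rejects. The DNSBL name, network ranges and client attributes are constructed, and restrictions not needed for the point (reject_unlisted_recipient, reject_unknown_sender_domain) are left out of the model.

```python
import ipaddress

# Constructed stand-ins for DNS and for the site's own settings (not real data).
FAKE_DNSBL = {"dnsbl.example": {"203.0.113.9"}}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}  # stands in for mydestination/relay_domains


def evaluate_list(restrictions, client):
    """Walk one restriction list; the first PERMIT or REJECT wins, else DUNNO."""
    ip = ipaddress.ip_address(client["ip"])
    for r in restrictions:
        name, *args = r.split()
        if name == "permit_mynetworks":
            if any(ip in net for net in MYNETWORKS):
                return "PERMIT", name
        elif name == "permit_sasl_authenticated":
            if client.get("sasl_username"):
                return "PERMIT", name
        elif name == "reject_rbl_client":
            if client["ip"] in FAKE_DNSBL.get(args[0], set()):
                return "REJECT", f"{name} {args[0]}"
        elif name == "reject_unauth_destination":
            if client["rcpt_domain"] not in LOCAL_DOMAINS:
                return "REJECT", name
        elif name == "reject_non_fqdn_recipient":
            if "." not in client["rcpt_domain"]:
                return "REJECT", name
        elif name == "permit":
            return "PERMIT", name
        else:
            raise ValueError(f"restriction not modelled here: {name}")
    return "DUNNO", None


def evaluate(config, client):
    """Every list must permit (or end in DUNNO); any REJECT rejects the message."""
    for section, restrictions in config.items():
        verdict, reason = evaluate_list(restrictions, client)
        if verdict == "REJECT":
            return "REJECT", f"{section}: {reason}"
    return "ACCEPT", None


# The poster's ordering: permit_sasl_authenticated only in the relay list.
ORIGINAL = {
    "smtpd_recipient_restrictions": [
        "reject_non_fqdn_recipient", "permit_mynetworks",
        "reject_rbl_client dnsbl.example", "permit"],
    "smtpd_relay_restrictions": [
        "permit_sasl_authenticated", "permit_mynetworks",
        "reject_unauth_destination"],
}
# The fix from the reply: permit_sasl_authenticated next to permit_mynetworks.
FIXED = {
    "smtpd_recipient_restrictions": [
        "reject_non_fqdn_recipient", "permit_sasl_authenticated",
        "permit_mynetworks", "reject_rbl_client dnsbl.example", "permit"],
    "smtpd_relay_restrictions": ORIGINAL["smtpd_relay_restrictions"],
}

# Constructed clients: an authenticated user on a DNSBL-listed (e.g. dynamic)
# address relaying outbound, and an unauthenticated client from the same address.
ROAMING_USER = {"ip": "203.0.113.9", "sasl_username": "alice",
                "rcpt_domain": "example.net"}
UNAUTH_LISTED = {"ip": "203.0.113.9", "sasl_username": None,
                 "rcpt_domain": "example.org"}

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL, ROAMING_USER))
    print("fixed:   ", evaluate(FIXED, ROAMING_USER))
```

The relay list permits the roaming user, but that verdict never reaches the recipient list, which runs independently and rejects on the DNSBL hit. The unauthenticated client from the same listed address is still rejected under the fixed ordering, so moving permit_sasl_authenticated forward does not weaken the DNSBL check for anyone who has not logged in.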



Re: How do i get Postfix to act like a mail client using TLS to talk to an upstream server

2013-08-28 Thread Noel Jones
On 8/28/2013 9:23 PM, Rob Tanner wrote:
 Hi,
 
 Our Admissions department is looking to use Mandrill to get a better
 handle on emails they send out to perspective students.  With
 Mandrill, we relay all the mail we generate to one on their servers
 using SMTP, but they want the connection encrypted.  I already have
 one server setup that allows encrypted connections to be made to it
 (has a real cert and everything) but my problem now is the other way
 around, I need one of my postfix servers to initiate an encrypted
 connection to Mandrill.  
 
 Can anybody point me to some documentation? Perhaps a howto?
 
 Thanks.
 
 Rob Tanner
 rtan...@linfield.edu mailto:rtan...@linfield.edu
 
 
 


Sounds as if you already have postfix built with TLS on that server,
in which case maybe all you need is
# main.cf
smtp_tls_security_level = may

Here's the docs:
http://www.postfix.org/TLS_README.html#client_tls





  -- Noel Jones


Re: Disabling user submission on port 25

2013-08-27 Thread Noel Jones
On 8/27/2013 11:36 AM, John Allen wrote:
 On 8/26/2013 10:24 PM, John Allen wrote:

 I based it on something that Noel Jones wrote way back in 2008.
 I doubt that Noel suggested anything like this.

2008 was a long time ago, possibly I've learned a thing or two since
then. Regardless, I think this was in response to a very specific
requirement not particularly related to the current issue.

Apparently whatever I told him worked, glad to be of help.

  -- Noel Jones


Re: one machine for recipient address_verify, another for delivery

2013-08-27 Thread Noel Jones
On 8/27/2013 2:52 PM, lcon...@go2france.com wrote:
 
 outbound flow
 
 first machine does reject_unverified_recipient, and sends verified
 recipients via relayhost to the 2nd machine for delivery of verified
 recipients.
 
 now we see reject_unverified_recipient is verifying through the
 relayhost
 
 is there a way to override the first machine's relayhost so its
 recipient address verification is done to Internet with MX lookups?
 
 thanks
 Len
 
 


This might be what you're looking for:
http://www.postfix.org/postconf.5.html#address_verify_relay_transport



  -- Noel Jones


Re: Disabling user submission on port 25

2013-08-26 Thread Noel Jones
On 8/26/2013 7:49 PM, LuKreme wrote:
 OK, now that port 587 is working, I would like to disable user submission via 
 port 25. Not right now, but in a bit once people have a chance to change 
 their settings.
 
 What do I do to prevent users sending via port25?
 


Super easy...

# main.cf
smtpd_sasl_auth_enable = no

Your master.cf submission entry probably already includes
  -o smtpd_sasl_auth_enable=yes

If not, go ahead and add it to submission now so things don't break
unexpectedly later.

This won't prevent users from sending local mail to port 25, but
they won't be able to authenticate and won't be able to relay. This
usually isn't considered a problem, and changing it often causes
other issues.


  -- Noel Jones


Re: iptables based spam prevention

2013-08-25 Thread Noel Jones
On 8/25/2013 1:11 PM, Niclas Arndt wrote:
 Hi,
 
 Sorry if this is slightly off-topic, but at least a bunch of experts
 are listening.
 
 I am using Spamhaus (and other methods) and over time I have amassed
 a list of IP ranges that (according to Spamhaus) shouldn't be
 sending e-mail at all. One problem is that this list tends to become
 quite long and another is that I would like to verify it so that I
 don't eventually block legitimate e-mail.
 
 On the other hand, I would like to place as little a load as
 possible on Spamhaus.
 
 Here are my questions: Is the iptables approach at all viable in the
 long run? Is there any non-commercial way to upload a text file
 containing spamming IP addresses and have it verified for correctness?
 
 Any other related response is of course welcome.

I use a postfix check_client_access table that I use as a
whitelist/blacklist before the spamhaus lookup and other anti-spam
checks.

A hash (or even better, cdb) table can grow to millions of entries
before it will place any significant load on postfix, so table size
isn't really a concern.

Since false positives are always a concern, doing the rejects in
postfix lets me see the sender and recipient before the mail is
rejected.

Something like:
# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_client_access hash:/etc/postfix/whitelist-blacklist
  ... other anti-spam checks ...




  -- Noel Jones


Re: Regarding Delivery Restriction from Internal to External

2013-08-24 Thread Noel Jones
On 8/24/2013 3:34 AM, Joy wrote:
 Hi Experts,
 
 I am using Postfix with LDAP backend and willing to implement per
 user delivery restriction while sending mail to outside domain. Like:-
 
 User1 can send mail to all domain.
 User2 can send mail only to a...@example.com mailto:a...@example.com
 User3 can send mail to 1...@example.com
 mailto:1...@example.com and yahoo.com http://yahoo.com/
 
 Is there any way to implement the same.
 


The postfix feature for this is described in
http://www.postfix.org/RESTRICTION_CLASS_README.html

The restriction class method gets rather awkward if you define more
than a dozen or so classes. In that case you would need to use an
external policy service.
http://www.postfix.org/SMTPD_POLICY_README.html

Some pre-made policy services are listed here, or you can use one of
these as a basis for something of your own
http://www.postfix.org/addon.html#policy


  -- Noel Jones


Re: Block certain remote hosts on submission port

2013-08-24 Thread Noel Jones
On 8/24/2013 3:52 PM, Stan Hoeppner wrote:
 On 8/24/2013 1:18 PM, LuKreme wrote:

 On 22 Aug 2013, at 21:28 , Stan Hoeppner s...@hardwarefreak.com wrote:

 ~$ wget http://ipdeny.com/ipblocks/data/countries/us.zone
 ~$ sed 's/$/   OK/g' us.zone > us.cidr
 ~$ cp us.cidr /etc/postfix
 ~$ postfix reload

 and you're off to the races.

...
 
 And BTW, it's better to do this at the firewall if at all practical.

If you do the reject in postfix you'll be able to see the sender
details, which may be valuable for seeing which accounts have been
compromised and/or troubleshooting false positive reports.

All the firewall can show is some IP was blocked.

 
 2) If I did this I also would like to log these rejections to a separate 
 file, possible?
 
 Not directly.  You'd specify a custom reject code then parse your mail
 log for that, pipe to another file.  If you do it at the firewall it
 would depend on the firewall's features.

You can append a wildcard reject AT THE END of the cidr file with a
custom message. That message will be sent to the client and will be
included in your log.

# us cidr table
... everything else
0.0.0.0/0  REJECT submission not allowed from your location geoip


 
 Under 2.10, would it make sense to put those restriction in the 
 smtpd_relay_restrictions if port 25 is open for connections?
 
 In the other half of the instructions I gave, which you cut, I show that
 this needs to be done in master.cf.  smtpd_foo_restrictions in main.cf
 are global.  You want this restriction only on the submission port, not
 the public smtp port.
 


Yes indeed.



  -- Noel Jones
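Added example, not from either post: a first-match lookup over a cidr table as Postfix's cidr_table(5) evaluates it, which is what makes the ordering in the two replies matter (the whitelist/blacklist table ahead of the DNSBL lookups in the earlier post, and the catch-all REJECT "AT THE END" of the file here). It also flags entries that can never match because a broader entry precedes them, and pulls the custom reject text back out of the mail log, which is the grep-and-pipe approach Stan described. The table, the addresses and the log lines are constructed (documentation prefixes, not a country list). One fact from cidr_table(5) that the thread does not mention: 0.0.0.0/0 only matches IPv4 clients, so a submission service reachable over IPv6 needs a separate ::/0 entry.

```python
import ipaddress
import re

# Constructed cidr table in cidr_table(5) format: allowed ranges first,
# catch-all REJECT entries last. Not a real country allocation.
US_CIDR_TABLE = """\
# us cidr table (constructed example)
192.0.2.0/24      OK
198.51.100.0/24   OK
2001:db8:1::/48   OK
0.0.0.0/0         REJECT submission not allowed from your location geoip
::/0              REJECT submission not allowed from your location geoip
"""


def parse_cidr_table(text):
    """Return [(network, action), ...] in file order; blank and # lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern action'")
        # a bare address without a prefix length is a /32 or /128, as in Postfix
        rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return rules


def lookup(rules, client_ip):
    """First matching entry wins, exactly like Postfix; None means no match (DUNNO)."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if ip.version == net.version and ip in net:
            return action
    return None


def check_table_order(rules):
    """List rules shadowed by an earlier, equal-or-broader rule (they can never match)."""
    shadowed = []
    for i, (net, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                shadowed.append((i + 1, str(net), str(earlier)))
                break
    return shadowed


# Constructed log excerpt: one geoip rejection in Postfix's reject format and one
# unrelated rejection, so the filter has something to leave out.
GEOIP_TAG = "submission not allowed from your location geoip"
REJECT_LOG = """\
Aug 24 15:52:10 mx1 postfix/submission/smtpd[4411]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 554 5.7.1 <unknown[203.0.113.77]>: Client host rejected: submission not allowed from your location geoip; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<[203.0.113.77]>
Aug 24 15:53:02 mx1 postfix/smtpd[4420]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 5.7.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<x@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
"""
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: .*"
    + re.escape(GEOIP_TAG) + r"; from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")


def geoip_rejects(log_text):
    """Only the rejections carrying our custom message (sender/recipient included)."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    rules = parse_cidr_table(US_CIDR_TABLE)
    print(lookup(rules, "203.0.113.77"))
    print(check_table_order(parse_cidr_table("0.0.0.0/0 REJECT no\n192.0.2.0/24 OK\n")))
    print(geoip_rejects(REJECT_LOG))
```

Because the reject text lands in the log together with from= and to=, the shadowing check and the log filter together give what the thread wanted: a table whose catch-all cannot accidentally swallow the OK entries, and a separate view of just the geoip rejections with enough detail to spot a false positive or a compromised account.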


Re: FW: Authentication issues

2013-08-23 Thread Noel Jones
On 8/23/2013 9:35 PM, David Hulsebus wrote:
 
 When I added noplaintext as a security option and because MD5 was in the
 mech list SASL complained about no auth mechanism when it started. MD5 was
 already in the mech list but never failed because auth never reached it in
 the past, plain took precedence.
 
 I removed noplaintext and removed everything but plain and login in the
 mech list and all works well again. 
 
 Thank you to all who offered your expertise. I have a follow up question.
 
 Why shouldn't I require TLS to encrypt all sessions for any clients who
 authenticates to send mail out. Isn't that what following parameter
 accomplishes ?
 
 smtpd_tls_security_level = encrypt

The setting above is typically used as a -o override option for the
submission service on port 587, never for general SMTP on port 25.

If you must offer AUTH on port 25, most folks also set
# main.cf
smtpd_tls_auth_only = yes
to require encryption before AUTH is even offered. See:
http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

Probably better is to only offer AUTH on submission port 587 with
required encryption, and not offer AUTH at all on port 25. Although
getting all your clients to change their settings can be a challenge...


  -- Noel Jones


Re: smtpd_recipient_restrictions

2013-08-21 Thread Noel Jones
On 8/21/2013 9:58 AM, Roman Gelfand wrote:
 For the outgoing emails, why is the configuration below not enough to:
 1. Block   +a...@domain.com
 2. Allow all other emails
 
 main.cf
 
 smtpd_recipient_restrictions =
 check_recipient_access pcre:/etc/postfix/recipient_access.pcre
 
 
 /etc/postfix/recipient_access.pcre
 
 /\+(,*)/reject
 

What does the log say with this configuration?





Re: greylisting generates error email?

2013-08-16 Thread Noel Jones
On 8/16/2013 1:29 AM, Grant wrote:
 Use a dns white list with a negative score in the
 postscreen_dnsbl_sites, and set a negative value for
 postscreen_dnsbl_whitelist_threshold.  Simple example:
 # main.cf
 postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
 postscreen_dnsbl_whitelist_threshold = -1
 
 I've added the following to main.cf:
 
 postscreen_dnsbl_sites = list.dnswl.org*-1
 postscreen_dnsbl_whitelist_threshold = -1
 
 Thank you for your help!
 
 - Grant
 


Yes, that should whitelist known good sites from deep inspection,
certainly all the big mailers such as google, yahoo, comcast, etc.

However, I wonder why you don't have any dns blacklists such as
zen.spamhaus.org defined there.  The ability of postscreen to reject
known bad sites without using precious smtpd processes is one of its
key features.


  -- Noel Jones


Re: greylisting generates error email?

2013-08-15 Thread Noel Jones
On 8/15/2013 2:30 AM, Grant wrote:
 A few people have told me they received an email error message after
 emailing me.  I'm trying to get a copy of one of the error emails,
 but I can't imagine what would cause that besides possibly my
 greylisting.  Has greylisting been known to lead to email error
 messages being sent to senders in some instances?

 The sender may receive an error if their server has an unusual
 setup. Such servers must be whitelisted in your greylist software.

 The last sender who told me about the error message was on a
 comcast.net address.

 Neither Comcast (nor any major provider) should be greylisted.  Any
 reasonable greylist software should have a setting to whitelist
 well-known mail servers.
 
 So I'm sure I understand, well-known mail servers should be whitelisted?

Well-known mail servers should be whitelisted in greylist software.
You can ignore this with postscreen and postfix 2.11+.


 Postfix 2.11 (currently in development snapshots) includes a
 wonderful feature to bypass postscreen tests for clients listed in
 dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
 tests.
 
 I'm actually using postfix-2.11_pre20130710.  Can you point me in the
 right direction for setting up the DNS whitelist interaction?  Should
 that (for example) prevent comcast.net users from receiving 450 error
 email notices?

Excellent!

Use a dns white list with a negative score in the
postscreen_dnsbl_sites, and set a negative value for
postscreen_dnsbl_whitelist_threshold.  Simple example:
# main.cf
postscreen_dnsbl_sites = zen.spamhaus.org list.dnswl.org*-1
postscreen_dnsbl_whitelist_threshold = -1

See the RELEASE_NOTES and POSTSCREEN_README for details.


  -- Noel Jones
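Added example covering the postscreen_dnsbl_sites settings in this reply and in the follow-up above (not code from either post): a model of postscreen's combined DNSBL score. Each site listed in postscreen_dnsbl_sites contributes its weight (1 unless a *weight suffix is given) when the client is listed there; a score at or above postscreen_dnsbl_threshold blocks the client, and with a negative postscreen_dnsbl_whitelist_threshold a score at or below it lets the client skip the remaining tests. The lookup results below are a constructed table, not real DNS answers, and the "=filter" syntax for matching specific return codes is not modelled.

```python
# Constructed lookup results standing in for real DNSBL/DNSWL answers.
# 203.0.113.9 is deliberately listed in both to show the weights cancelling.
FAKE_DNS = {
    "zen.spamhaus.org": {"203.0.113.9", "203.0.113.10"},
    "list.dnswl.org": {"198.51.100.5", "203.0.113.9"},
}


def parse_sites(setting):
    """Parse a postscreen_dnsbl_sites value: 'site' or 'site*weight' (default weight 1)."""
    sites = []
    for tok in setting.split():
        name, _, weight = tok.partition("*")
        sites.append((name, int(weight) if weight else 1))
    return sites


def dnsbl_score(sites, ip, dns=FAKE_DNS):
    """Sum the weights of every list that has the client IP."""
    return sum(w for name, w in sites if ip in dns.get(name, set()))


def postscreen_decision(ip, dnsbl_sites, threshold=1, whitelist_threshold=0):
    """Return (decision, score) the way postscreen would act on the score.

    threshold mirrors postscreen_dnsbl_threshold (default 1);
    whitelist_threshold mirrors postscreen_dnsbl_whitelist_threshold
    (default 0, meaning disabled; set negative to enable).
    """
    score = dnsbl_score(parse_sites(dnsbl_sites), ip)
    if score >= threshold:
        return "blocklisted", score        # rejected per postscreen_dnsbl_action
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelisted", score        # skips pregreet and deep protocol tests
    return "continue", score               # remaining postscreen tests still apply


# Noel's example: blacklist plus whitelist with a negative weight.
NOEL = "zen.spamhaus.org list.dnswl.org*-1"
# Grant's follow-up: whitelist only.
GRANT = "list.dnswl.org*-1"

if __name__ == "__main__":
    for ip in ("198.51.100.5", "203.0.113.10", "203.0.113.9"):
        print(ip, postscreen_decision(ip, NOEL, whitelist_threshold=-1),
              postscreen_decision(ip, GRANT, whitelist_threshold=-1))
```

The third address shows what a negative weight does when a client is on both lists: the score is 0, so it is neither blocked nor whitelisted and simply goes through the normal tests. The 203.0.113.10 case is the point of the reply: with only the whitelist configured, a client known to the blacklist still costs an smtpd process.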


Re: Once more around with dovecot

2013-08-15 Thread Noel Jones
On 8/15/2013 8:58 AM, /dev/rob0 wrote:
 On Wed, Aug 14, 2013 at 11:08:29PM -0500, Noel Jones wrote:
 I'm pretty sure the examples in the postfix docs are for
 dovecot 1, and not appropriate for dovecot 2.
 
 Whilst the first part of this is true, I don't believe the second 
 part is. You should still be able to use a Dovecot 1.x configuration 
 file with 2.x, which will complain in the logs about the changed 
 syntax and suggest that you use doveconf -n to get a proper 2.x 
 configuration file.
 
 In fact these are the very warnings that the OP posted upthread. It 
 DID work, it just complained.
 

Thanks for the clarification. I'm sure there's still room for
improvement, maybe a note that this is dovecot 1 syntax, or a for
further information link to the dovecot docs|wiki.

  Someone should probably submit a
 documentation update that covers all dovecot versions.
 
 This would not hurt, but strictly speaking, we are there. :)

Indeed.  But this isn't the first person tripped up by the
unexpected warnings logged by dovecot 2.x.




  -- Noel Jones


Re: Auto reply/notice

2013-08-15 Thread Noel Jones
On 8/15/2013 9:26 AM, John Allen wrote:
 I am trying to retire and close down my business.
 
 I have informed all of my closest associates and those who I wish to
 continue correspondence with have been given my personal contact
 information.
 However, I am still getting a fairly large amount of email at my
 business address, I had thought of using the relocated list to
 just tell everybody to b... off, but I am a little worried that
 there might be some contacts that I have missed.

You can use the error: transport to send a custom reject message for
any mail sent to that domain.

# transport
example.com   error:I'm retired, business closed. Personal email
f...@example.org  Thanks for all the fish.

(the above is basically what the relocated feature does, it just
responds user has moved to {your text here} where your text can be
just about anything, not necessarily an email address)

But a common problem is that end-users often don't read the delivery
error messages -- and some mail systems hide the message from the user.


 
 Does anybody know of a way of receiving the mail and sending an
 automatic reply/notice. It would need to apply only to the business
 domain(s).

Generally best to avoid autoresponders when possible, since they
also respond to spam with a forged sender address.

That said, if not much spam makes it to your mailbox you can look at
the vacation program included with many systems.


Best wishes,



  -- Noel Jones


Re: Auto reply/notice

2013-08-15 Thread Noel Jones
On 8/15/2013 1:33 PM, John Allen wrote:

 Now I think I will add all the people that I KNOW I do not want to
 hear from to the sender checks.
 Would it be better to use a simple reject or the code 521?

A regular REJECT text... with a helpful message is fine.  521 is
for rejecting with extreme prejudice.





  -- Noel Jones


Re: greylisting generates error email?

2013-08-14 Thread Noel Jones
On 8/14/2013 5:23 AM, Grant wrote:
 A few people have told me they received an email error message after
 emailing me.  I'm trying to get a copy of one of the error emails,
 but I can't imagine what would cause that besides possibly my
 greylisting.  Has greylisting been known to lead to email error
 messages being sent to senders in some instances?

The sender may receive an error if their server has an unusual
setup. Such servers must be whitelisted in your greylist software.

Of course, there are a number of other errors the sender might get
that have nothing to do with greylisting.

You really need to see the error before you start trying to fix things.

One place to start is search your mail log for errors relating to
the sender's email address and/or their server.


 
 How is greylisting set up in postfix now?  I know I used to use
 postgrey but then I remember some sort of change.  I can see that I
 have postgrey installed but the service is not running.  I checked
 main.cf http://main.cf and master.cf http://master.cf but I
 can't figure out how it's implemented now.

Postfix has no default greylist, and there are several that are in
widespread use.  Look in your postconf -n for a
check_policy_service entry, then find that service in master.cf. Or
some folks use a milter defined in smtpd_milters for greylisting.

If you need more help, you'll need to provide postconf -n output,
master.cf contents, and any associated log entries.

http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones


Re: How to send more than 1 email per sec per domain?

2013-08-14 Thread Noel Jones
On 8/14/2013 7:14 AM, Philippe Bloix wrote:
 Thanks for your response
  
 I'm not a spammer :-), i'm working in a telecom firm where we send
 emails to our customers.
 In fact, it's not easy to contact some receivers who are rate
 limiting; in these cases the goal is to reduce the rate per
 sec (about 10 mails per domain per sec);

Sending one mail per second will deliver over 1000 messages in 20
minutes.  If you need a higher rate than that, contact the receiver
for whitelisting.


 I'm astonished that postfix
 (without addons) cannot do that but at best only 1 mail
 per domain per sec.

Despite the misunderstanding of others, no policy service can limit
output. If something causes output to stall while the input is still
running, the destination will be flooded when output starts running
again. Maybe that's close enough for some purposes.

A working solution would be multiple postfix delivery instances,
each sending 1 message per second, fed round-robin from the main
postfix. Working, but unappetizing.

But really, if 1 message per second is not sufficient, contact the
receiver for whitelisting.


  -- Noel Jones


Re: greylisting generates error email?

2013-08-14 Thread Noel Jones
On 8/14/2013 10:21 AM, Grant wrote:
 A few people have told me they received an email error message after
 emailing me.  I'm trying to get a copy of one of the error emails,
 but I can't imagine what would cause that besides possibly my
 greylisting.  Has greylisting been known to lead to email error
 messages being sent to senders in some instances?

 The sender may receive an error if their server has an unusual
 setup. Such servers must be whitelisted in your greylist software.
 
 The last sender who told me about the error message was on a
 comcast.net address.  I found this which describes the same problem
 with greylisting and comcast addresses but the solution turned out to
 be fixing the MX record:
 
 https://discussions.apple.com/thread/3030480?start=0tstart=0

Nothing described in that posting indicates a problem with the MX
record. Either the poster didn't describe the problem he found and
fixed, or didn't understand the problem (the rDNS problem that was
described is not a problem for receiving mail, but might affect
sending).

Neither Comcast (nor any major provider) should be greylisted.  Any
reasonable greylist software should have a setting to whitelist
well-known mail servers.

 
 My DNS is hosted by my domain name registrar and the MX record looks
 like this (but with my real domain):
 
 Host Name: example.com
 Mailserver Host Name: example.com
 Mail Type: MX
 MX Pref: 10
 TTL: 1800
 
 Does it look OK?

Yes, this is fine, and not the source of any problems.


 It turns out I'm using postscreen with deep protocol checks:

Postscreen will defer one mail once every 30 days per unique client IP.

If that's not acceptable, turn off postscreen deep protocol checks
or whitelist known good servers (from domain SPF records?) in the
postscreen access list.


Postfix 2.11 (currently in development snapshots) includes a
wonderful feature to bypass postscreen tests for clients listed in
dns whitelists, such as list.dnswl.org, greatly reducing unnecessary
tests.


  -- Noel Jones


Re: Once more around with dovecot

2013-08-14 Thread Noel Jones
On 8/14/2013 9:34 PM, LuKreme wrote:
 OK, so the old mailserver that I was not allowed to update much or run ports 
 on because of the fear it would die up and died today. Overall, though it's 
 been hours of restoring from backup and compiling this is still good news 
 because everything is getting built onto FreeBSD 9.2 and at current versions.
 
 So, I think to myself, let's try this dovecot thing again.
 
 first, postfix is up and running right now without anyone able to login.
 
 I compiled everything out of ports (shhh!) and told the postfix config from 
 ports to build with dovecot since it's all new and I added 
 dovecot_enable=YES to rc.conf and I setup the 
 /usr/local/etc/dovecot/dovecot.conf file exactly as is shown at 
 http://www.postfix.org/SASL_README.html
 
 So far so good. postconf -a shows dovecot (postconf -A shows nothing though?)

That's correct. Dovecot provides server SASL (clients connecting to
postfix), but not client SASL (outgoing from postfix to some other
server).

 
 I try to start dovecot and I get:

I'm pretty sure the examples in the postfix docs are for dovecot 1,
and not appropriate for dovecot 2.  Someone should probably submit a
documentation update that covers all dovecot versions.

For dovecot 2.x, see the dovecot wiki.


  -- Noel Jones


Re: Once more around with dovecot

2013-08-14 Thread Noel Jones
On 8/14/2013 11:05 PM, LuKreme wrote:
 
 On 14 Aug 2013, at 20:34 , LuKreme krem...@kreme.com wrote:
 
 So, I think to myself, let's try this dovecot thing again.
 
 Well, I got it sorted. Man, this is not a fun time with conflicting 
 documentation and lots of incomplete info out there.
 
 However, I am still having one issue.
 
 Some users are local (/usr/home/user) but most are in a MySQL database. I 
 cannot figure out how to get dovecot to access both and it looks like I have 
 to either authenticate against pam or MySQL, not both.
 
 Right now, it is all working correctly for the local users. Has anyone done 
 this with both kinds?
 


Yes, you can configure dovecot to use both passwd and an SQL
database.  This is solely under the control of dovecot, so I'll
refer you to the dovecot docs and dovecot users list.



  -- Noel Jones


Re: How to send more than 1 email per sec per domain?

2013-08-13 Thread Noel Jones
On 8/13/2013 10:26 AM, Philippe Bloix wrote:
 What i would like is :
 
 For example, my postfix relay accepts about 1000 emails (1 shot)
 from a SMTP client, then the postfix server relays them with the
 rate of 5 emails per domain per second without REJECT.

As documented, the minimum delay is 1 second.

 
  
 
 Do you know if postfwd permits to have this behaviour ?

Not possible; postfwd limits input, not output.



  -- Noel Jones


Re: virtual_alias_maps not being used

2013-08-13 Thread Noel Jones

On 8/13/2013 11:58 AM, Thomas Spuhler wrote:
 I have installed my brand new Kolab-3 mail server after
 extensive testing on a virtual box. Unfortunately, I did not
 test the alias feature. If I send e-mails to root@btspuhler,
 I get a message back
 
 
 The mail system
 
 r...@btspuhler.com: host
 aargau.btspuhler.com[/var/lib/imap/socket/lmtp] said:
 550-Mailbox unknown.  Either there is no mailbox associated
 with this 550-name or you do not have authorization to see it.
 550 5.1.1 User unknown (in reply to RCPT TO command)
 
 my main.cf looks like this:
 

To report problems, please see:
http://www.postfix.org/DEBUG_README.html#mail

Specifically, main.cf snippings are not particularly helpful,
always show postconf -n.



 receive_override_options = no_address_mappings

Wonder if this has something to do with the reported problem...
http://www.postfix.org/postconf.5.html#receive_override_options



  -- Noel Jones


Re: Question re: DNS, outsourced anti-spam provider as outbound relay

2013-08-13 Thread Noel Jones
On 8/13/2013 12:16 PM, Charles Marcus wrote:
 Hi everyone,
 
 This question is about what are best practices with respect to DNS -
 including reverse DNS - when my mail server is hosted locally, and
 we use an outsourced anti-spam service for inbound filtering, as
 well as relaying all outbound mail through them.
 
 I have had a recent complaint from someone who claims that their
 Outlook is classifying all of our emails with big scary warnings
 that they are 'phishing attempts'.
 
 Does anyone see any problem with this email, as far as DNS/reverse
 DNS goes?
 

All the DNS hostnames/IPs appear to match.  I see nothing whatsoever
to complain about.

You don't appear to have SPF nor DKIM configured. While in no way
required, those do give some assurance that the mail is not forged,
and may help. Or may not help, since you don't really know why
outlook is complaining.

Maybe offending messages have HTML content that outlook is confused
about?



 -- Noel Jones


Re: virtual_alias_maps not being used

2013-08-13 Thread Noel Jones

On 8/13/2013 12:30 PM, Thomas Spuhler wrote:
 On Tuesday, August 13, 2013 12:12:55 PM Noel Jones wrote:
 
 On 8/13/2013 11:58 AM, Thomas Spuhler wrote:
 I have installed my brand new Kolab-3 mail server after 
 extensive testing on a virtual box. Unfortunately, I did
 not test the alias feature. If I send e-mails to to
 root@btspuhler, I get a message back
 
 
 The mail system
 
 r...@btspuhler.com: host 
 aargau.btspuhler.com[/var/lib/imap/socket/lmtp] said: 
 550-Mailbox unknown.  Either there is no mailbox
 associated with this 550-name or you do not have
 authorization to see it. 550 5.1.1 User unknown (in reply
 to RCPT TO command)
 
 my main.cf looks like this:
 To report problems, please see: 
 http://www.postfix.org/DEBUG_README.html#mail
 
 Specifically, main.cf snippings are not particularly
 helpful, always show postconf -n.
 
 receive_override_options = no_address_mappings
 
 Wonder if this has something to do with the reported
 problem... 
 http://www.postfix.org/postconf.5.html#receive_override_options




 
 -- Noel Jones
 Thanks a lot. Commenting out receive_override_options =
 no_address_mappings
 
 solved the problem. Just for my information, is this very
 dependent on the postfix version? This line came from upstream
 

That line is usually used with a content_filter (i.e. mail passes
through postfix twice with a filter in between), arranged such
that address expansion is only performed once -- either pre-filter
or post-filter depending on local requirements, but not both.



  -- Noel Jones


Re: Question re: DNS, outsourced anti-spam provider as outbound relay

2013-08-13 Thread Noel Jones
On 8/13/2013 1:02 PM, Charles Marcus wrote:
 You don't appear to have SPF nor DKIM configured. While in no way
 required, those do give some assurance that the mail is not forged,
 and may help. Or may not help, since you don't really know why
 outlook is complaining.
 
 Hmmm... so this would need to be done by our anti-spam provider
 (since they are our mx *and* outbound relay), correct?
 

You should be able to add these without involving your provider.

Note: SPF is somewhat controversial, and discussion of its merits is
a banned topic here. See archives/google for details.

SPF is a special DNS record that you add to your own dns, specifying
which servers may send mail purporting to be from your domain. This
requires no modifications to the mail servers themselves.
(Validating SPF on incoming mail is a separate issue; your anti-spam
provider probably already does this for you.)
https://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/

DKIM is a cryptographic header added to outgoing mail, proving the
mail is from your domain and hasn't been altered. This can be added
by your local server before it goes to the provider, or the provider
may have a system in place to do this for you.  This may require
some modifications to your server config.
https://en.wikipedia.org/wiki/Dkim
http://opendkim.org/
or if you already use amavisd-new:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim



  -- Noel Jones


Re: PostFix continuing mail processing after discard issued by milter

2013-08-07 Thread Noel Jones
On 8/7/2013 9:32 PM, Corey wrote:
 I am using PostFix with Amavisd which includes SpamAssassin & 
 ClamAV.  I created a milter to help rate limit and minimize abuse, I
 added this milter in via the smtpd_milters option.  I'm able to
 reject email with a 4xx or 5xx error with no issue, however when I
 attempt to issue a discard it shows up in the log but the email is
 still passed off to Amavis and scanned\logged.  Here is a snippet of
 what shows up in the log:
 Aug  7 21:33:04 edgedev postfix/smtpd[13682]: connect from
 unknown[redacted]
 Aug  7 21:33:04 edgedev postfix/smtpd[13682]: NOQUEUE:
 milter-discard: MAIL from unknown[redacted ]: milter triggers
 DISCARD action; from=root@redacted  proto=ESMTP helo=redacted 
 Aug  7 21:33:04 edgedev amavis[3120]: process_request: fileno
 sock=12, STDIN=0, STDOUT=1
 
 Ideally I'd like it to act just as if it was rejected and not pass
 the email along any further to save the overhead of scanning and
 logging.  Any help or guidance into what I'm doing wrong would be
 greatly appreciated.
 
 Thanks!


The whole message must be received or the sender will think a
transmission error has occurred and retry endlessly.  There's not
really a good workaround for that.


  -- Noel Jones


Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/4/2013 10:13 PM, Ronald F. Guilmette wrote:
 In message 51ff13eb.8090...@megan.vbhcs.org, 
 Noel Jones njo...@megan.vbhcs.org wrote:
 
 On 8/4/2013 8:06 PM, Ronald F. Guilmette wrote:
 Does reject_non_fqdn_helo_hostname, when placed in the
 smtpd_helo_restrictions, permit clients to HELO/EHLO
 with a square-bracket enclosed dotted quad IPv4 address?

 Yes.
 
 The documentation should probably be adjusted to make that more clear.
 Right now it reads:
 
  Reject the request when the HELO or EHLO hostname is not in fully-
  qualified domain form, as required by the RFC. 
 
 If so, is the dotted quad checked to see that it properly
 represents the actual IP address of the actual current client?

 No.
 
 Is there any restriction verb that would cause a HELO/EHLO which specifies
 a square-bracketed dotted quad IPv4 address to be rejected when & if the
 dotted quad does not match the actual current client IP address?

I use a pcre table to reject any HELO that starts with a bracket or
looks like an IP. Legit hosts that use this form are very rare here
-- maybe one every couple years.

 
 Would reject_unknown_helo_hostname do it?  If not maybe a new restriction
 verb would be useful to perform this exact check.

There is  no built-in postfix restriction to compare the HELO to the
client hostname, and I would question the value of such a feature.

Do you see lots of spam with incorrect IP in the HELO? Do you see
significant numbers of legit hosts using a bracketed IP HELO?


 
 Certainly, some spam
 that I believe should have been rejected on the basis of one or another
 of the above RHS filters I am instead seeing (in my maillog file) being
 rejected instead by one or another of the subsequent reject_rbl_client
 filters.   What could I be doing wrong?


You'll need to show evidence for further help on this.



 Doing RBL client checks in postscreen?
 
 I am not using postscreen at the present time.
 
 Do I need to use that if I want to perform RHSBL checks?

RHSBL checks work without postscreen.  If you use postscreen, it
will reject clients before the smtpd_*_restrictions (and the smtpd
program itself) are ever run.

http://www.postfix.org/POSTSCREEN_README.html


  -- Noel Jones

 
 
 Regards,
 rfg
 



Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/5/2013 3:16 AM, Ronald F. Guilmette wrote:
 In message 51ff2ad2.2080...@hardwarefreak.com, 
 Stan Hoeppner s...@hardwarefreak.com wrote:
 
 BTW, if you want to maximize potential hits on RHSBLs just short of
 doing body checks, you may want to give Sahil Tandon's TCP server based
 RHSBL header checker a spin.  It grabs domains from headers and checks
 them against the 3 most popular RHSBLs: DBL, SURBL, and URIBL.
 
 Thank you.  I have just looked at that but I can't see what it does
 that makes it in any way superior to the built-in restriction verbs
 that I can (and have) already put in main.cf.
 
 
 Regards,
 rfg
 


The built-in restrictions can check envelope information for
RBL/RHSBL listings.

Sahil's lightweight TCP server can also check message headers such
as Message-ID: and From: header for RHSBL listed domains.  Other
than this clever TCP table, the only other way to check these is
with a milter or content_filter.

This used to catch some extra spam, but hasn't been very effective
for me lately due to changing spammer tactics.  YMMV.



  -- Noel Jones


Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Noel Jones
On 8/5/2013 7:15 AM, Charles Marcus wrote:
 On 2013-08-04 7:30 PM, wie...@porcupine.org (Wietse Venema) wrote:
 Charles Marcus:
 We are set up for performance with VRFY probes and by modifying
 your postfix config file so postfix will not have a performance
 issue by setting postfix option smtpd_soft_error_limit to be larger
 than smtpd_hard_error_limit.

 That is nonsense, as demonstrated below:

  # postconf smtpd_hard_error_limit=1 smtpd_soft_error_limit=2
  # postfix reload
  # telnet 127.0.0.1 smtp
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 hades.porcupine.org ESMTP Postfix
  hello foo
  502 5.5.2 Error: command not recognized
  421 4.7.0 hades.porcupine.org Error: too many errors
  Connection closed by foreign host.

 These people never tested this recommendation, just like they
 never tested their software against Postfix or else they would
 have been aware of the smtpd_junk_command_limit feature.

 It should be safe to dumb down Postfix defenses, provided that
 no-one else can connect to your SMTP server.
 
 Thanks Wietse,
 
 After your hint I read up on this command at:
 
 http://www.postfix.org/STRESS_README.html#legacy
 
 but I'm still unsure how to implement this properly to address this
 particular issue...
 
 Would it be to lower the junk setting to 1? Would I also need to
 lower the others (timeout and hard_error_limit)? Or maybe use
 different values?

Set those three limits to 100 or higher.  Those controls are
intended to prevent random clients from wasting your time.  Since
you don't allow connections from random clients, it's safe to
increase them.

# main.cf
smtpd_hard_error_limit = 100
smtpd_soft_error_limit = 100
smtpd_junk_command_limit = 100


 
 However given the poor quality assurance with respect to Postfix,
 I would be suspicious about the quality assurance of their code.

I'm guessing their advice assumed you use the default setting for
smtpd_hard_error_limit.

I'm also willing to accept that they could offer effective filtering
services even if they aren't postfix experts.



  -- Noel Jones
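A model of the three smtpd limits discussed above, added here as an example; it is not Postfix source. The counting follows the postconf(5) descriptions (NOOP, VRFY, ETRN and RSET are junk commands; past smtpd_junk_command_limit each one counts as an error, as does any unrecognised command; the soft limit slows replies and the hard limit ends the session with 421), but the exact comparison points are this model's assumption, not a claim about the real counters. The command sequences are constructed.

```python
"""Model of the Postfix smtpd error-counter limits (added example).

Approximates the postconf(5) semantics of smtpd_hard_error_limit,
smtpd_soft_error_limit and smtpd_junk_command_limit; the exact
off-by-one behaviour of the real counters is not claimed.
"""
JUNK = {"NOOP", "VRFY", "ETRN", "RSET"}
KNOWN = JUNK | {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}


def run_session(commands, hard_limit=20, soft_limit=10, junk_limit=100):
    """Feed commands to a modelled smtpd.

    Returns (answered, delayed, dropped_at):
      answered   - commands that received a reply before any disconnect
      delayed    - replies that were slowed down (soft limit reached)
      dropped_at - 1-based index of the command answered with 421, or None
    """
    errors = junk = delayed = 0
    for index, line in enumerate(commands, 1):
        words = line.split()
        verb = words[0].upper() if words else ""
        if verb not in KNOWN:
            errors += 1                # 502 5.5.2 command not recognized
        elif verb in JUNK:
            junk += 1
            if junk > junk_limit:
                errors += 1            # junk beyond the limit counts as error
        if errors >= hard_limit:
            return index, delayed, index   # 421 too many errors; disconnect
        if errors >= soft_limit:
            delayed += 1               # reply is delayed from here on
    return len(commands), delayed, None


# Constructed probe session: a verifier that sends 150 VRFYs on one connection.
VRFY_PROBES = ["VRFY user%d" % i for i in range(150)]

if __name__ == "__main__":
    # Wietse's demonstration: hard=1 disconnects on the very first error.
    print(run_session(["hello foo"], hard_limit=1, soft_limit=2))
    # Default limits: the probe session is cut off after VRFY 120.
    print(run_session(VRFY_PROBES))
    # The thread's fix: raise all three limits for this trusted client.
    print(run_session(VRFY_PROBES, hard_limit=100, soft_limit=100, junk_limit=100))
```

With the defaults, VRFY number 101 is the first one that counts as an error and number 120 ends the session; raising the three limits only makes sense because, as the thread notes, nobody but the anti-spam provider can reach this port.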


Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Noel Jones
On 8/5/2013 9:09 AM, Charles Marcus wrote:
 On 2013-08-05 9:21 AM, Noel Jones njo...@megan.vbhcs.org wrote:
 Set those three limits to 100 or higher.  Those controls are
 intended to prevent random clients from wasting your time.  Since
 you don't allow connections from random clients, it's safe to
 increase them.

 # main.cf
 smtpd_hard_error_limit = 100
 smtpd_soft_error_limit = 100
 smtpd_junk_command_limit = 100
 
 Thanks Noel... I'll do this, unless I can get them to change their
 VRFY service to properly close these connections - or stop using a
 MAIL FROM that is in my domain name for their SMTP RCPT TO option so
 we could use that option.
 
 Same question to you though - do you think that *not* closing VRFY
 probes/connections properly is improving their performance in any
 meaningful way?
 

Depends on the volume.  At high volume if they can batch up
recipients and VRFY a bunch in one blast it would help.  OTOH, if
the connection is just sitting there idle for 5 minutes between each
VRFY, not likely much difference.

But that assumes everyone has fast transaction startup...

And this depends on their software too.  Maybe they've optimized for
lots of open idle connections, and I can imagine some random MTA
might take a long time to set up an SMTP transaction.

I don't suppose an open idle connection from a somewhat authorized
client will bother anything, so just go with it.



  -- Noel Jones


Re: Outsourced anti-spam and Issues with VRFY

2013-08-05 Thread Noel Jones
On 8/5/2013 10:30 AM, Charles Marcus wrote:
 On 2013-08-05 10:53 AM, Noel Jones njo...@megan.vbhcs.org wrote:
 I don't suppose an open idle connection from a somewhat authorized
 client will bother anything, so just go with it.
 
 Ok - and by 'go with it', you mean just adjust the settings per your
 last email and be done with it, right?

That's right.

 
 I asked Edgewave to escalate this issue, so we'll see what their
 tier 2/3 tech says - if they don't/can't change the way their system
 works, I'll make these changes.

If you like their service, I don't think it's unreasonable to make
this harmless change to your system to accommodate them.

Just don't ask them for postfix advice  ;)


  -- Noel Jones


Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/5/2013 12:54 PM, Ronald F. Guilmette wrote:
 In message 51ff9e18.9050...@megan.vbhcs.org, 
 Noel Jones njo...@megan.vbhcs.org wrote:
 
 I use a pcre table to reject any HELO that starts with a bracket or
 looks like an IP. Legit hosts that use this form are very rare here
 -- maybe one every couple years.
 ...
 There is  no built-in postfix restriction to compare the HELO to the
 client hostname, and I would question the value of such a feature.
 
 Correct me if I'm wrong, but I think you just made the case for
 the value of such a feature.

No. Here, near-zero legit clients use bracketed HELO. Looks as if
I've whitelisted 2 clients in the last ~5 years (I see one of them
has fixed their HELO sometime since then).  That's close enough to
zero for me.

My solution is to reject everyone that has a bracketed IP in the
HELO, using a simple check_helo_access pcre map.  I don't care if a
spambot is RFC compliant, I still don't want their mail.

I see zero value in testing to see if the HELO IP is forged, since
using any IP seems to be a very strong spambot indicator.

I know my spam is not your spam, so maybe you see something
different. Provide some evidence if you think this is useful.

To make a case that any new feature is needed, it must be of
widespread benefit, and provide something that cannot (easily) be
done using existing tools. Including sample code and documentation
helps.


I will note that I'm referring to random internet clients and not
authorized SMTP AUTH or mynetworks clients. Desktop mail clients
send all manner of cruft as their HELO, and doing *any* kind of HELO
tests on authorized clients is foolish.


 Do you see
 significant numbers of legit hosts using a bracketed IP HELO?
 
 None so far.

The defense rests.


 
 
 Regards,
 rfg
 



  -- Noel Jones
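A classifier for the HELO forms debated in this thread, added here as an example and not taken from Postfix or from Noel's map. It approximates reject_non_fqdn_helo_hostname (bracketed address literals pass, bare IPs and single-label names do not), adds the pcre check_helo_access rule Noel describes, and skips HELO tests for authenticated clients as the message above advises. The regular expressions and sample HELO strings are assumptions; Postfix's own valid_hostname() rules are stricter in places.

```python
"""Classify EHLO/HELO arguments (added example, not Postfix code)."""
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")   # needs at least one dot


def classify_helo(helo):
    """Return 'fqdn', 'ipv4_literal', 'ipv6_literal', 'bare_ip' or 'invalid'."""
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            try:
                ipaddress.IPv6Address(inner[5:])
                return "ipv6_literal"
            except ValueError:
                return "invalid"
        try:
            ipaddress.IPv4Address(inner)
            return "ipv4_literal"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(helo)
        return "bare_ip"                  # RFC form requires brackets
    except ValueError:
        pass
    return "fqdn" if FQDN_RE.match(helo) else "invalid"


def reject_non_fqdn_helo_hostname(helo):
    """Approximates the Postfix restriction: literals pass, bare IPs do not."""
    return classify_helo(helo) in ("bare_ip", "invalid")


# Equivalent of a pcre check_helo_access map rejecting IP-style HELOs:
#   /^\[/        REJECT
#   /^[0-9.]+$/  REJECT
HELO_PCRE = re.compile(r"^\[|^[0-9.]+$")


def check_helo_access(helo):
    return "REJECT" if HELO_PCRE.search(helo) else "DUNNO"


def helo_verdict(helo, authenticated=False):
    """Combined decision; HELO tests are skipped for authorized clients."""
    if authenticated:
        return "permit"                  # desktop MUAs send arbitrary HELOs
    if check_helo_access(helo) == "REJECT":
        return "reject"
    return "reject" if reject_non_fqdn_helo_hostname(helo) else "permit"


if __name__ == "__main__":
    for h in ("mail.example.com", "[192.0.2.7]", "192.0.2.7", "localhost"):
        print(h, classify_helo(h), helo_verdict(h))
```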


Re: Three trivial filtering questions

2013-08-05 Thread Noel Jones
On 8/5/2013 4:16 PM, Ronald F. Guilmette wrote:

 I see zero value in testing to see if the HELO IP is forged, since
 using any IP seems to be a very strong spambot indicator.
 
 OK.  Works for me!  I just wish that it wasn't necessary to
 have to run an external PCRE to catch it, and that the
 reject_non_fqdn_helo_hostname verb actually did what it's name
 intuitively implies, and what the documentation says it does.
 
 [A.B.C.D] is distinctly _not_ an FQDN.

I can see where one might get confused.  I'll submit a one-line doc
patch rather than argue the point.


  -- Noel Jones


 
 
 Regards,
 rfg
 



PATCH: docs for reject_non_fqdn_helo_hostname

2013-08-05 Thread Noel Jones
This attempts to clarify the description for
reject_non_fqdn_helo_hostname. There seems to be end-user confusion
about whether this feature should also reject address literals,
which of course it is not intended to.



*** proto/postconf.protoWed Jul 10 19:01:20 2013
--- /tmp/tmp/postconf.proto Mon Aug  5 17:07:19 2013
***
*** 5529,5535 
  dtba
name=reject_non_fqdn_helo_hostnamereject_non_fqdn_helo_hostname/a/b
(with Postfix lt; 2.3: reject_non_fqdn_hostname)/dt

  ddReject the request when the HELO or EHLO hostname is not in
! fully-qualified domain form, as required by the RFC. Note: specify
  smtpd_helo_required = yes to fully enforce this restriction
  (without smtpd_helo_required = yes, a client can simply skip
  reject_non_fqdn_helo_hostname by not sending HELO or EHLO).  br
--- 5529,5535 
  dtba
name=reject_non_fqdn_helo_hostnamereject_non_fqdn_helo_hostname/a/b
(with Postfix lt; 2.3: reject_non_fqdn_hostname)/dt

  ddReject the request when the HELO or EHLO hostname is not in
! fully-qualified domain or address literal form, as required by the
RFC. Note: specify
  smtpd_helo_required = yes to fully enforce this restriction
  (without smtpd_helo_required = yes, a client can simply skip
  reject_non_fqdn_helo_hostname by not sending HELO or EHLO).  br
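Review bot: the new wording "fully-qualified domain or address literal form" still ends with "as required by the RFC" without naming it; cite RFC 5321 section 4.1.1.1, which defines the EHLO/HELO argument as a domain or an address literal, and add one clause saying that only the syntactic form is checked and the literal is not compared with the connecting client's IP address, since that comparison is exactly what the questioner in this thread assumed the restriction performs.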



  -- Noel Jones


Re: Three trivial filtering questions

2013-08-04 Thread Noel Jones
On 8/4/2013 8:06 PM, Ronald F. Guilmette wrote:
 Does reject_non_fqdn_helo_hostname, when placed in the
 smtpd_helo_restrictions, permit clients to HELO/EHLO
 with a square-bracket enclosed dotted quad IPv4 address?

Yes.

 
 If so, is the dotted quad checked to see that it properly
 represents the actual IP address of the actual current client?

No.


 
 Also, I have just added all of the following to my
 smtpd_recipient_restrictions:
 
 reject_rhsbl_reverse_client multi.surbl.org
 reject_rhsbl_reverse_client multi.uribl.com
 reject_rhsbl_reverse_client dbl.spamhaus.org
 reject_rhsbl_sender multi.surbl.org
 reject_rhsbl_sender multi.uribl.com
 reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo multi.surbl.org
 reject_rhsbl_helo multi.uribl.com
 reject_rhsbl_helo dbl.spamhaus.org
 
 For the time being, and mostly just to see how effective these filters
 are on their own, I have these listed in my smtpd_recipient_restrictions
 *prior to* several subsequent reject_rbl_client clauses.  Oddly however,
 in spite of the ordering, it is appearing to me as if perhaps the above
 RHS filters are either not actually being applied or else are being applied
 _after_ the subsequent reject_rbl_client filters.  Certainly, some spam
 that I believe should have been rejected on the basis of one or another
 of the above RHS filters I am instead seeing (in my maillog file) being
 rejected instead by one or another of the subsequent reject_rbl_client
 filters.   What could I be doing wrong?


Doing RBL client checks in postscreen?




  -- Noel Jones


Re: Alias to command not working

2013-08-04 Thread Noel Jones
On 8/4/2013 7:35 PM, Sam Flint wrote:
 I hve an alias to a command defined in my /etc/aliases file, anytime I
 send to it, I get this error:
 
 This is the mail system at host mail.flintfam.org.
 
 I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
 
 For further assistance, please send mail to postmaster.
 
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
 
The mail system
 
 |postman...@flintfam.org (expanded from postman...@flintfam.org): user
 unknown
 
 Any idea why?


Not enough information to reveal your mistake.

Please see
http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones


 
 Sam
 
 
 



Re: mail transport unavailable

2013-07-31 Thread Noel Jones
On 7/31/2013 8:33 PM, LuKreme wrote:
 
 On 31 Jul 2013, at 17:35 , Wietse Venema wie...@porcupine.org wrote:
 

 http://www.postfix.org/DEBUG_README.html#logging
 
 Since I last stopped and started postfix (2.10.1):
 
 # egrep '(warning|error|fatal|panic):' /var/log/maillog
 Jul 31 18:47:59 mail postfix/qmgr[81937]: warning: connect to transport 
 private/smtp: Connection refused

OK, that's the message we need.

 here's postconf -Mf

Looks as if you clobbered your smtp transport "smtp unix ... smtp".


 
 pickup fifo  n   -   n   60  1   pickup
 cleanupunix  n   -   n   -   0   cleanup
 qmgr   fifo  n   -   n   300 1   qmgr
 rewriteunix  -   -   n   -   -   trivial-rewrite
 bounce unix  -   -   n   -   0   bounce
 defer  unix  -   -   n   -   0   bounce
 flush  unix  n   -   n   1000?   0   flush
 proxymap   unix  -   -   n   -   -   proxymap
 relay  unix  -   -   n   -   -   smtp
 showq  unix  n   -   n   -   -   showq
 error  unix  -   -   n   -   -   error
 local  unix  -   n   n   -   -   local
 virtualunix  -   n   n   -   -   virtual
 lmtp   unix  -   -   n   -   -   lmtp
 procmail   unix  -   n   n   -   -   pipe
 flags=uhFORD user=vpopmail argv=/usr/local/bin/procmail -t -m
 USER=${recipient} EXTENSION=${extension} /usr/local/etc/procmailrc.common
 trace  unix  -   -   n   -   0   bounce
 verify unix  -   -   n   -   1   verify
 anvil  unix  -   -   n   -   1   anvil
 scache unix  -   -   n   -   1   scache
 discardunix  -   -   n   -   -   discard
 tlsmgr unix  -   -   n   1000?   1   tlsmgr
 retry  unix  -   -   n   -   -   error
 proxywrite unix  -   -   n   -   1   proxymap
 smtp   inet  n   -   n   -   1   postscreen
 smtpd  pass  -   -   n   -   -   smtpd
 dnsblogunix  -   -   n   -   0   dnsblog
 tlsproxy   unix  -   -   n   -   0   tlsproxy
 
 cranking up the logging on qmgr I see this:

debug logging is rarely useful with postfix.  99%+ of the time
normal logging is sufficient to solve whatever problem you're
having. As in this case.




  -- Noel Jones


Re: Reject and accept

2013-07-31 Thread Noel Jones
On 7/31/2013 8:31 PM, Andrew Ho wrote:
 I have a complicated settings, and I hope I can have some advice.
 
 I setup the access rule to block the outsider sending mails to the
 internal mail group.
 
 This is what I did.
 
 /etc/postfix/main.cf

 .   
 check_client_access hash:/etc/postfix/access
 .
 .

 /etc/postfix/access
 a...@cde.com    mynetworks,reject


The config you show above is non-functional nonsense.



 I need to allow h...@cde.com to send mail to a...@cde.com from outsider of
 mynetworks. 
 h...@cde.com is one of the recipient in the a...@cde.com mail group.


The general docs for protecting mail lists are found in
http://www.postfix.org/RESTRICTION_CLASS_README.html

Without a clear description of your goals and current config, that's
about the best we can do for you.


  -- Noel Jones



 
 Thanks,
 
 Andrew
 
 
  
 
 
 
 



Re: per recipient access table?

2013-07-24 Thread Noel Jones
On 7/24/2013 3:18 PM, Franz Schwartau wrote:
 Hi!
 
 I'd like to implement black- and whitelist entries on a per
 recipient basis with postfix.
 
 I know restriction class as described here:
 
 http://www.postfix.org/RESTRICTION_CLASS_README.html

Yes, that feature will work for this, but would require a separate
restriction class for each recipient.

This would be usable for a handful of recipients, but would soon
become unmanageable with dozens or more recipients.


 
 But I need different sets of black- and whitelists per recipient, e. g.
 
 recipient          value    action
 t...@example1.com  10.10    REJECT
 t...@example2.com  10.20    REJECT
 

Use a policy service.




  -- Noel Jones
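A policy service that does what Noel suggests, as an added example rather than code from the thread or from Postfix. It speaks the protocol documented in SMTPD_POLICY_README: attribute=value lines terminated by an empty line, answered with action=... followed by an empty line. The rule table, the recipient addresses (user1@example1.com, user2@example2.com), the port 10040 and the sample request are all constructed.

```python
"""Per-recipient black/whitelist as a Postfix SMTPD policy service.

Added example (not from the thread, not Postfix code).  Wire it in with
    smtpd_recipient_restrictions = ..., reject_unauth_destination,
        check_policy_service inet:127.0.0.1:10040, ...
and run serve() under a supervisor.  Port 10040 is an assumption.
"""
import ipaddress
import socketserver

# Constructed rules: recipient -> [(kind, value, action)], first match wins.
# kind is "client" (CIDR for client_address) or "sender" (address or @domain).
RULES = {
    "user1@example1.com": [
        ("client", "10.10.0.0/16", "REJECT blocked for this recipient"),
        ("sender", "@partner.example", "OK"),
    ],
    "user2@example2.com": [
        ("client", "10.20.0.0/16", "REJECT blocked for this recipient"),
        ("sender", "boss@corp.example", "OK"),
    ],
}


def parse_request(raw):
    """Turn the attribute=value block into a dict; stops at the empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs):
    """Policy action for one request; DUNNO lets the remaining rules run."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    sender = attrs.get("sender", "").lower()
    client = attrs.get("client_address", "")
    for kind, value, action in RULES.get(recipient, []):
        if kind == "client":
            try:
                if ipaddress.ip_address(client) in ipaddress.ip_network(value):
                    return action
            except ValueError:
                continue               # unparsable address: rule does not match
        elif kind == "sender":
            if sender == value or (value.startswith("@") and sender.endswith(value)):
                return action
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests over it."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return             # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break              # end of one request
                lines.append(line)
            action = decide(parse_request("\n".join(lines) + "\n"))
            self.wfile.write(f"action={action}\n\n".encode())


def serve(host="127.0.0.1", port=10040):
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as srv:
        srv.serve_forever()


# Constructed request, shaped like what Postfix sends at RCPT time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=10.10.4.2\n"
    "sender=someone@elsewhere.example\n"
    "recipient=user1@example1.com\n"
    "\n"
)

if __name__ == "__main__":
    print(decide(parse_request(SAMPLE_REQUEST)))
```

Bind it to loopback only: anything that can reach the port can influence delivery decisions. If the service is unreachable or answers garbage, Postfix defers the recipient with a 451, so keep it supervised, and keep the check_policy_service entry after reject_unauth_destination so that an OK from the rule table can never turn the host into an open relay.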


Re: Whitelisting from reverse DNS checks

2013-07-22 Thread Noel Jones
On 7/22/2013 10:21 AM, L.W. van Braam van Vloten wrote:
 Hello list,
 
 Thanks for the info, in a different thread I also saw a reference to
 http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-Best-Practices-td10171.html
 and it helped me to modify my config. In addition I upgraded to
 Postfix 2.9.3 because I want to start using permit_dnswl_client as
 well.
 
 It seems to work as expected, but I have the uncomfortable feeling
 that I still missed something crucial...
 

 Please show your postconf -n output for further help.

 
 Are there any bad mistakes in the following config, in particular
 regarding smtpd_recipient_restrictions and releated settings?

some comments below...


 
 Thank you for your help,
 Lucas
 
 # postconf -nf
 
 alias_database = $alias_maps
 alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
 append_dot_mydomain = no
 biff = no
 config_directory = /etc/postfix
 content_filter = amavis:[127.0.0.1]:10024
 delay_warning_time = 4h
 disable_vrfy_command = yes
 inet_interfaces = all
 local_recipient_maps =

An empty local_recipient_maps will cause your postfix to accept mail
for undeliverable local address, then attempt to bounce them.  This
will clog your queue with undeliverable bounces and get you blacklisted.


 mailbox_command = procmail -a $EXTENSION
 mailbox_size_limit = 0

A size limit of 0 is unwise.  Far better to set an absurdly large
limit than no limit at all.

 maximal_backoff_time = 4000s
 maximal_queue_lifetime = 7d
 milter_default_action = accept
 milter_protocol = 2
 minimal_backoff_time = 300s
 mydestination = list.ecompass.nl
 myhostname = mail.ecompass.nl
 mynetworks_style = host
 myorigin = /etc/mailname
 non_smtpd_milters = inet:localhost:8891
 readme_directory = no
 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
 recipient_delimiter = *
 relay_domains =
 smtp_helo_timeout = 60s
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_banner = $myhostname ESMTP $mail_name
 smtpd_client_restrictions = check_client_access
 cidr:/etc/postfix/client-access

typically you would begin this with permit_mynetworks,
permit_sasl_authenticated so you don't reject authorized mail.

 smtpd_data_restrictions = reject_unauth_pipelining
 smtpd_delay_reject = yes
 smtpd_hard_error_limit = 12
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks,

Probably want permit_sasl_authenticated here.


 reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname, permit

The final permit is unnecessary, but won't break anything.  This
is true for all the smtpd_*_restrictions sections.

 smtpd_milters = inet:localhost:8891
 smtpd_recipient_limit = 16

This limits each SMTP transaction to no more than 16 RCPT TO
commands per session. The sender is then free to connect again with
more recipients.  Setting this parameter to a low value can actually
increase the load on your server, and does little or nothing to
thwart unwanted mail.


 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination, reject_unauth_pipelining,
 reject_non_fqdn_sender,

Good.

 reject_non_fqdn_recipient, reject_unknown_recipient_domain,

Putting reject_unknown_recipient_domain after
reject_unauth_destination can only reject your own domain.

The intended use is before permit_mynetworks,
permit_sasl_authenticated to prevent your own users from sending
mail to mistyped destinations.


 reject_unknown_sender_domain, check_policy_service
 inet:127.0.0.1:10023,
 check_recipient_access hash:/etc/postfix/recipient-access,
 check_sender_access hash:/etc/postfix/sender-access,
 check_client_access
 cidr:/etc/postfix/client-whitelist, 

Typically the whitelist would be before any of the rules that might
reject mail, such as the check_*_access and the reject_* rules.


 permit_dnswl_client
 list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
 zen.spamhaus.org,
 reject_rbl_client dnsbl.sorbs.net, reject_rbl_client
 bl.spamcop.net, permit
 smtpd_sender_restrictions = permit_mynetworks, 


missing permit_sasl_authenticated here.

 warn_if_reject
 reject_non_fqdn_sender, permit
 smtpd_soft_error_limit = 3
 smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_use_tls = yes
 unknown_local_recipient_reject_code = 550
 virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
 virtual_gid_maps = static:5000
 virtual_mailbox_base = /var/spool/mail/virtual
 virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
 virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
 virtual_uid_maps = static:5000
 
 



  -- Noel Jones
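To make the ordering comments concrete, an added example (not Postfix code, not from the thread): a first-match walk through smtpd_recipient_restrictions against a constructed environment. The DNS answers, RBL listing, network ranges and addresses are made up. reject_unknown_recipient_domain is modelled the way postconf(5) defines it, applying only to domains Postfix is not final destination for, which is why it has nothing to act on once reject_unauth_destination has run; in the corrected order the whitelist stays after reject_unauth_destination, because an OK ahead of it would open the relay.

```python
"""First-match walk through smtpd_recipient_restrictions (added example)."""
import ipaddress

# Constructed environment standing in for DNS, the RBL and main.cf.
ENV = {
    "mynetworks": ["127.0.0.0/8", "192.0.2.0/24"],
    "my_domains": {"example.com"},
    "known_domains": {"example.com", "example.net", "other.example"},
    "rbl_listed": {"203.0.113.9"},
    "client_whitelist": {"203.0.113.9"},     # OK entry in client-whitelist
}


def in_networks(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(restrictions, msg, env=ENV):
    """Return (decision, rule) for the first restriction that is not DUNNO."""
    client, sender, rcpt = msg["client"], msg["sender"], msg["recipient"]
    sender_domain = sender.rpartition("@")[2]
    rcpt_domain = rcpt.rpartition("@")[2]
    final_destination = rcpt_domain in env["my_domains"]
    for rule in restrictions:
        if rule == "permit_mynetworks":
            if in_networks(client, env["mynetworks"]):
                return "permit", rule
        elif rule == "permit_sasl_authenticated":
            if msg.get("sasl"):
                return "permit", rule
        elif rule == "reject_unauth_destination":
            if not final_destination:
                return "reject", rule
        elif rule == "reject_non_fqdn_sender":
            if sender and "." not in sender_domain:
                return "reject", rule
        elif rule == "reject_unknown_recipient_domain":
            # Only checked for domains we are not final destination for.
            if not final_destination and rcpt_domain not in env["known_domains"]:
                return "reject", rule
        elif rule == "reject_unknown_sender_domain":
            if sender and sender_domain not in env["known_domains"]:
                return "reject", rule
        elif rule == "check_client_access whitelist":
            if client in env["client_whitelist"]:
                return "permit", rule
        elif rule == "reject_rbl_client":
            if client in env["rbl_listed"]:
                return "reject", rule
        else:
            raise ValueError("unmodelled restriction: " + rule)
    return "permit", "end of list"


# Order from the reviewed config: whitelist after the reject_* rules.
AS_POSTED = [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination", "reject_non_fqdn_sender",
    "reject_unknown_recipient_domain", "reject_unknown_sender_domain",
    "check_client_access whitelist", "reject_rbl_client",
]

# Order following the advice: unknown-recipient check before the permits,
# whitelist before anything that can reject but still after the relay check.
AS_ADVISED = [
    "reject_unknown_recipient_domain",
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination",
    "check_client_access whitelist",
    "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "reject_rbl_client",
]

# Constructed messages.
WHITELISTED_ODD_SENDER = {"client": "203.0.113.9",
                          "sender": "user@newdomain.example",
                          "recipient": "bob@example.com"}
LOCAL_USER_TYPO = {"client": "192.0.2.5", "sender": "me@example.com",
                   "recipient": "alice@typo.exmaple"}
RELAY_ATTEMPT = {"client": "198.51.100.4", "sender": "spam@example.net",
                 "recipient": "x@other.example"}

if __name__ == "__main__":
    for msg in (WHITELISTED_ODD_SENDER, LOCAL_USER_TYPO, RELAY_ATTEMPT):
        print(evaluate(AS_POSTED, msg), evaluate(AS_ADVISED, msg))
```

The whitelisted client with a sender domain that does not resolve is rejected in the posted order before the whitelist is reached; a local user's typo in the recipient domain is accepted by permit_mynetworks in the posted order and bounced later, but rejected at RCPT time in the corrected order; and the relay attempt is rejected in both orders, which is the property any reordering must preserve.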



Re: Whitelisting from reverse DNS checks

2013-07-22 Thread Noel Jones
On 7/22/2013 4:27 PM, L.W. van Braam van Vloten wrote:
 Hi,
 
 Thanks for your clear reply, that really helps!
 
 One last question: How should I configure local_recipient_maps?


The default setting of
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
should be appropriate for the vast majority of sites.

Note that local recipients means domains listed in mydestination,
not virtual alias or virtual mailbox domains.


  -- Noel Jones


Re: Whitelisting from reverse DNS checks

2013-07-19 Thread Noel Jones
On 7/19/2013 7:19 AM, L.W. van Braam van Vloten wrote:
 Hello list,
 
 I have configured postfix to not accept connections from clients
 that fail the reverse dns check.
 But I want to be able to whitelist specific clients, even if the
 reverse hostname check fails.
  
 To achieve this I configured the following:
 smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/client-whitelist,
 reject_unknown_reverse_client_hostname
  
 /etc/postfix/client-whitelist contains comment lines (starting with
 #) and entries, like this:
 # mail.acipol.ac.mz
 197.218.14.50 OK
  
 The file is compiled with postmap:
 # postmap /etc/postfix/client-whitelist
 
 This is the result:
 # ls -alF /etc/postfix/client-whitelist*
 -rw-r--r--. 1 root root 1.6K Jul 19 12:07 /etc/postfix/client-whitelist
 -rw-r--r--. 1 root root  12K Jul 19 12:07
 /etc/postfix/client-whitelist.db
 I reloaded the postfix configuration:
 # service postfix reload
 
 The log shows the reload and no further errors or warnings.
 
 However, connections from the addresses in
 /etc/postfix/client-whitelist are still rejected:
 Jul 19 12:33:02 christoffel postfix/smtpd[12614]: NOQUEUE: reject:
 RCPT from unknown[197.218.14.50]: 450 4.7.1 Client host rejected:
 cannot find your reverse hostname, [197.218.14.50]; from=
 to=/*masked*/ proto=ESMTP helo=mail.acipol.ac.mz
  
 So my question is: What am I doing wrong?
 Any help would be appreciated.


The general procedure you describe is correct.  I suspect a typo in
your main.cf.

Please show your postconf -n output for further help.



  -- Noel Jones


Re: Catchall Mailbox and deliver to original recipient

2013-07-19 Thread Noel Jones
On 7/19/2013 8:12 AM, James Day wrote:
 Hello list,
 
 I have a question regarding virtual alias maps.
 
 I currently implement this table to allow me to keep an offsite copy of all 
 incoming mails for users in the following manner
 
 
 u...@example.com  u...@example.com,u...@offsite.com
 
 So the user will receive the original message and a copy will sent to the 
 offsite mailbox (Which has webmail access).
 
 The idea being that if their local mail server dies a terrible death then 
 they still have access to incoming mail via the webmail.
 
 Now I have a domain where they would like to implement a catchall mailbox for 
 their offsite access.
 
 If this was the only delivery location I'd do something like:
 
 @example.com  catch...@offsite.com
 
 However I would still like the original recipient to receive a copy of the 
 message.


You're probably looking for:
http://www.postfix.org/postconf.5.html#recipient_bcc_maps


a quick example:

# main.cf
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

# recipient_bcc
@example.com  catch...@offsite.example.com




  -- Noel Jones


Re: Postfix not accepting remote connections

2013-07-19 Thread Noel Jones

 relay_domains = .com .org .net .info $mydestination

The above is very bad, change it to empty:

relay_domains =


 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination, permit
 
 So, you permit your networks, and if that condition is satisfied,
 you permit if sasl authenticated, and if that's satisfied you reject
 non-local domains.
 
 Do you see the issue?

No issue with this entry, this is normal.  (well, the final permit
is unneeded, but won't hurt anything.)



  -- Noel Jones


Re: Postfix not accepting remote connections

2013-07-19 Thread Noel Jones
On 7/19/2013 4:58 PM, Sam Flint wrote:
 I'm running on a linode, and I'm sorry.
 
 Netstat:
 Proto Recv-Q Send-Q Local Address          Foreign Address              State
 tcp        0    232 flintfam.org:ssh       ip98-161-54-206.om.om:52460  ESTABLISHED
 tcp        0      0 localhost:44273        localhost:mysql              TIME_WAIT
 tcp        0      0 flintfam.org:http      89-145-108-208.as2901:47988  TIME_WAIT
 tcp        0      0 flintfam.org:http      89-145-108-208.as2901:47975  TIME_WAIT


Stop top posting. And plain-text only please -- the HTML makes
tables and logs impossible to read.

Doesn't look as if postfix is listening at all.  How are you testing
postfix?

Check the postfix log for errors.
http://www.postfix.org/DEBUG_README.html
http://www.postfix.org/DEBUG_README.html#logging



  -- Noel Jones


Re: Postfix not accepting remote connections

2013-07-19 Thread Noel Jones
On 7/19/2013 4:53 PM, Sam Flint wrote:
 Still nothing
 
 
 On Fri, Jul 19, 2013 at 4:46 PM, Noel Jones njo...@megan.vbhcs.org wrote:
 
 
  relay_domains = .com .org .net .info $mydestination
 
 The above is very bad, change it to empty:
 
 relay_domains =
 


Stop top posting.  And maybe more than one-line answers would get
you better help.


BTW, the above correction (relay_domains = ) is to keep you from
being an open relay, and was not expected to fix the apparent
problem of postfix not listening on outside interfaces.


  -- Noel Jones


Re: Postfix not accepting remote connections

2013-07-19 Thread Noel Jones
On 7/19/2013 4:45 PM, Sam Flint wrote:
 it's already like that
 

stop top posting.


Sorry, my crystal ball is at the cleaners. Maybe start with
describing how you're testing.

Also note some ISPs block port 25 on consumer connections, making
running or testing a mail server impossible. You didn't mention what
kind of connection you have.

Also, master.cf contents, and netstat or lsof output showing what's
listening on port 25 might be helpful.



  -- Noel Jones


Re: Postfix not accepting remote connections

2013-07-19 Thread Noel Jones
On 7/19/2013 4:46 PM, Simon B wrote:
 
 On 19 Jul 2013 23:39, Sam Flint harmonicn...@gmail.com wrote:

 I see, but it does nothing.

 
 Don't top-post please.
 
 Rob explained this perfectly in the archives..
 
 http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-Best-Practices-td10171.html

Simon,

You're solving the wrong problem.  The OP's postfix is not
accessible from outside. This has nothing to do with with
smtpd_recipient_restrictions.


  -- Noel Jones


Re: Postfix not accepting remote connections

2013-07-19 Thread Noel Jones
On 7/19/2013 4:26 PM, Sam Flint wrote:
 my postfix will not accept remote connections, but it will accept local.

Some linux distros configure postfix to only listen on localhost,
forcing you to edit master.cf to listen remotely.

Look for a line in master.cf something like:
127.0.0.1:smtp inet  n  -  n  -  -  smtpd

and take out the 127.0.0.1: part so the line starts with smtp inet
smtp inet  n  -  n  -  -  smtpd

Then do a postfix stop ; postfix start


  -- Noel Jones



 
 postconf -n:
 broken_sasl_auth_clients = yes
 config_directory = /etc/postfix
 home_mailbox = Maildir/
 inet_interfaces = all
 inet_protocols = ipv4, ipv6
 message_size_limit = 3072
 mydestination = $myhostname, localhost, localhost.localdomain
 mydomain = flintfam.org
 myhostname = mail.flintfam.org
 mynetworks = all
 myorigin = $mydomain
 proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
 $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
 $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
 $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
 $virtual_mailbox_limit_maps
 relay_domains = .com .org .net .info $mydestination
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
 reject_unauth_destination, permit
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_sasl_path = private/auth
 smtpd_sasl_type = dovecot
 smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
 smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
 smtpd_use_tls = yes
 virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
 mysql:/etc/postfix/mysql-virtual_email2email.cf
 virtual_gid_maps = static:5000
 virtual_mailbox_base = /home/vmail
 virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
 virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
 virtual_transport = dovecot
 virtual_uid_maps = static:5000
 
 Log entry:
 none.
 
 Sam
 
 -- 
 Sam Flint
 flintfam.org/~swflint



Re: Mails not delivered to maildir.

2013-07-18 Thread Noel Jones
On 7/18/2013 2:12 PM, Krzysztof Szarlej wrote:
 Hey guys i am a little bit frustrated with my postfix. I installed
 it and configured (first time im new to linux actually). When im
 sending a message via telnet it seems like everything is ok:
 
 [root@mail Maildir]# telnet localhost 25
 Trying ::1...
 Connected to localhost.
 Escape character is '^]'.
 220 mail.szarlej.eu ESMTP Postfix
 mail from: root
 250 2.1.0 Ok
 rcpt to: info
 250 2.1.5 Ok
 data
 354 End data with CRLF.CRLF
 testdata
 .
 250 2.0.0 Ok: queued as 6732028E172E
 quit
 221 2.0.0 Bye
 Connection closed by foreign host.
 
 # tail /var/log/maillog
 
 Jul 18 21:06:34 mail postfix/local[633]: 22D9928E172F:
 to=r...@szarlej.eu, orig_to=info,
 relay=local, delay=19, delays=19/0.01/0/0.03, dsn=2.0.0, status=sent
 (delivered to maildir)
 Jul 18 21:06:34 mail postfix/qmgr[490]: 22D9928E172F: removed
 Jul 18 21:06:37 mail postfix/smtpd[628]: disconnect from localhost[::1]
 
 seems like it should be in the user info maildir but # ls
 /home/info/Maildir/new return total 0
 
 I can't see the messages in /var/spool/mail either
 
 main.cf: http://37.187.58.245/main.cf
 master.cf: http://37.187.58.245/master.cf
 
 # hostname 
 mail.szarlej.eu
 
 Thanks in advance for your help!
 
 


[plain-text only please, not HTML]

Looks as if your mail was delivered to root, not info.

If you need more help, see
http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones


Re: Sender address rejected

2013-07-18 Thread Noel Jones
On 7/18/2013 7:55 PM, Krzysztof Szarlej wrote:
 Hey guys I've a problem with my SMTP. I have set the postfix
 togoether with dovecot, I turned on sasl and tls and I can't send
 the messages. I am getting error
 
 SMTP: '450 4.1.2 u...@gmail.com: Recipient address rejected: Domain not found',

Please show the full, unaltered log entry (in plain text only, HTML
markup makes the logs difficult to read).

For more help, please see:
http://www.postfix.org/DEBUG_README.html#mail


My wild guess is you need to turn off the chroot flag in master.cf
for the submission service (and if that works, for every other
service). http://www.postfix.org/DEBUG_README.html#no_chroot


  -- Noel Jones



 
 From main.cf here are my smtpd rules:
 
 -
 smtpd_recipient_restrictions = permit_mynetworks,
 permit_sasl_authenticated, reject_unauth_destination
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_type = dovecot
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
 smtpd_tls_key_file = /etc/ssl/private/mail.key
 smtpd_tls_security_level = encrypt
 smtpd_tls_wrappermode = no
 unknown_local_recipient_reject_code = 550
 ---
 
 Records in my zone seems to be alright: (i paste all but SOA)
 
 
 mydomain.eu. 86400 IN MX 10 mail.mydomain.eu.
 mydomain.eu. 86400 IN NS fns1.42.pl.
 mydomain.eu. 86400 IN NS fns2.42.pl.
 
 mydomain.eu. 86400 IN A vpsIP
 mail.mydomain.eu. 86400 IN A vpsIP
 www.mydomain.eu. 86400 IN A vpsIP
 -
 
 I have revDNS configured. I am able to receive mails from outside
 (i.e from gmail, but i am not able to send any messages).
 
 Any suggestions? Tried to play with smtpd_restrictions but I failed.
 Also changed the smtpd_tls_security_level to may. Changed it also
 in master.cf (i have configuration for port 587
 there) and it still did not work. the port 587 configuration in
 master.cf goes as follows:
 
 submission inet n   -   -   -   -   smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o milter_macro_daemon_name=ORIGINATING
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit
   -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 
 
 regards
 Krzysztof
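Both of Noel's master.cf pointers, the 127.0.0.1:smtp line in the "not accepting remote connections" thread above and the chroot guess in this one, come down to reading two columns of master.cf: the service name, which becomes host:name when a listener is bound to a single address, and the chroot column. The following is an added example written for this page, not code from the list or from Postfix. It parses a constructed master.cf fragment (the loopback-bound smtp line from the earlier reply, a submission entry with -o overrides, and two stock-looking entries) and reports which inet services listen on loopback only and which services master(8) will run chrooted. The fragment, the service names and the default_chroot switch are assumptions; Postfix reads '-' in the chroot column as 'y' before 3.0 and as 'n' from 3.0 on.

```python
import re
from dataclasses import dataclass, field

# Constructed master.cf fragment (not the poster's file): the loopback-bound
# smtp line from the "not accepting remote connections" reply, a submission
# service with -o overrides, and two entries as they look in a stock file.
MASTER_CF = """
# service type  private unpriv  chroot  wakeup  maxproc command + args
127.0.0.1:smtp inet  n       -       n       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       n       60      1       pickup
smtp      unix  -       -       -       -       -       smtp
"""


@dataclass
class Service:
    name: str                 # service name (the part after host: for inet services)
    host: str                 # bind address of an inet service; "" means every interface
    type: str                 # inet, unix, fifo or pass
    chroot: bool
    command: str
    overrides: dict = field(default_factory=dict)   # -o name=value continuation lines


def parse_master_cf(text, default_chroot=True):
    """Parse master.cf text. Lines starting with whitespace continue the
    previous entry; '-' in the chroot column selects the default, which is
    'y' before Postfix 3.0 and 'n' from 3.0 on (default_chroot chooses)."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", raw)
            if m and services:
                services[-1].overrides[m.group(1)] = m.group(2).strip()
            continue
        cols = raw.split(None, 7)
        if len(cols) < 8:
            raise ValueError("malformed master.cf line: " + raw)
        svc, stype, _private, _unpriv, chroot, _wakeup, _maxproc, cmd = cols
        host, _, name = svc.rpartition(":")          # "127.0.0.1:smtp" -> 127.0.0.1, smtp
        flag = default_chroot if chroot == "-" else chroot == "y"
        services.append(Service(name, host.strip("[]"), stype, flag, cmd))
    return services


def loopback_only(services):
    """Names of inet services that listen on a loopback address only."""
    return [s.name for s in services
            if s.type == "inet" and s.host in ("127.0.0.1", "::1", "localhost")]


def chrooted(services):
    """Names of services that master(8) will run chrooted."""
    return [s.name for s in services if s.chroot]


if __name__ == "__main__":
    svcs = parse_master_cf(MASTER_CF)
    print("loopback-only inet services:", loopback_only(svcs))
    print("chrooted services:", chrooted(svcs))
```

Dropping the 127.0.0.1: prefix, as Noel suggests, empties the loopback-only list; passing default_chroot=False shows the same file as a Postfix 3.x installation would run it. On a live system, postconf -M (Postfix 2.9 and later) prints the effective master.cf entries in this same column layout and can be fed to the parser in place of the constructed text.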



Re: bounce departed users email

2013-07-12 Thread Noel Jones
On 7/12/2013 4:44 PM, Donny Brooks wrote:
 We run postfix 2.6.6 on a CentOS 6.3 server with a OpenLDAP 2.4.23 as a 
 backend. Up until recently when a user would depart the agency we would just 
 change their password and forward their email to their supervisor. However 
 today we have had a user that has left that gets literally over a thousand 
 coupon emails a day. We need to stop this user from receiving emails 
 altogether.  
 
 Temporarily I have removed the users ldap account completely and it appears 
 that emails are indeed bouncing with a error 550 5.1.1 like I want. Any idea 
 how to accomplish this without totally removing the users account?
 


I find the relocated feature useful for this.
http://www.postfix.org/postconf.5.html#relocated_maps

# main.cf
relocated_maps = hash:/etc/postfix/relocated

The relocated table is a list of recipients to reject and a comment,
usually a new email address, but the comment can be anything.

# relocated
previous_resid...@example.com   u...@gmail.com
## or if you don't have a new address,
former_u...@example.com   unknown -- 12-07-2013


You can also use a check_recipient_access map in your
smtpd_recipient_restrictions list, but for this purpose I find the
relocated table easier.

You can also add the former recipient to the transport map pointing
to the error: transport, but I find the relocated table easier for
this purpose.


  -- Noel Jones
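The relocated lookup Noel recommends is a plain table lookup with a fixed key order, so it is easy to predict which entry fires for a given recipient. Below is an added example, not Postfix code and not from the thread, that applies the search order documented in relocated(5) (user@domain, then the bare user for the server's own domains, then @domain) to a constructed table built from the two entries above plus an @domain entry that retires a whole domain. The addresses and the $myorigin and $mydestination values are assumptions.

```python
# Constructed relocated table: the thread's two entries with placeholder
# addresses, plus an @domain entry that retires a whole domain at once.
RELOCATED_TABLE = """
previous_resident@example.com   new.address@example.net
former_user@example.com         unknown -- 12-07-2013
@old.example.com                mail.example.org
"""

MYORIGIN = "example.com"                      # assumed main.cf values
MYDESTINATION = {"example.com", "localhost"}


def parse_table(text):
    """Key/value pairs of a hash: style table: the first field is the key and
    the rest of the line is the value, so the value may contain spaces."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value
    return table


def relocated_keys(address):
    """relocated(5) search order: user@domain; the bare user, but only when
    the domain is $myorigin or listed in $mydestination; then @domain."""
    user, _, domain = address.lower().rpartition("@")
    keys = [f"{user}@{domain}"]
    if domain == MYORIGIN or domain in MYDESTINATION:
        keys.append(user)
    keys.append(f"@{domain}")
    return keys


def relocated_lookup(table, address):
    for key in relocated_keys(address):
        if key in table:
            return table[key]
    return None


def route(table, address):
    """What happens to the recipient: a table hit is handed to the error
    transport and bounced with the relocated text as the reason (5.1.6 is
    the DSN code Postfix uses for a user who has moved)."""
    hit = relocated_lookup(table, address)
    if hit is None:
        return ("deliver", address)
    return ("bounce", f"5.1.6 User has moved to {hit}")


if __name__ == "__main__":
    table = parse_table(RELOCATED_TABLE)
    for rcpt in ("former_user@example.com", "anyone@old.example.com",
                 "alice@example.com", "bob@remote.example"):
        print(rcpt, "->", route(table, rcpt))
```

The bare-user key is why a relocated entry for "former_user" alone would also catch former_user@localhost and former_user@example.com on this host but nothing off-site; if that is not wanted, always list the full address as the thread's entries do.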


Re: bad_sender_restrictions and baddomain_restrictions, working together

2013-07-11 Thread Noel Jones
On 7/11/2013 9:32 AM, Feel Zhou wrote:
 Hello, my friend
 smtpd_sender_restrictions =
   check_sender_access hash:/etc/postfix/sender_reject_addr_check,
   check_client_access cidr:/etc/postfix/enforce_ip_match_domain
 If setting like this in main.cf, maybe
 IP_match_domain restrictions do not working
 what do you think?
 TOM
 


[Please don't top post, and use plain-text only, no HTML. Thanks]

Yes, it will work, unless you've made some other change not shown.

If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail

When asking for help, always show your postconf -n output and
related postfix logging demonstrating the problem.


  -- Noel Jones


Re: bad_sender_restrictions and baddomain_restrictions, working together

2013-07-10 Thread Noel Jones
On 7/10/2013 1:27 PM, Feel Zhou wrote:
 Hello,my friend
 This is Tom, I'm sending my greeting from China
 
 /etc/postfix/main.cf
 smtpd_sender_restrictions =
 check_sender_access hash:/etc/postfix/sender_reject_addr_check
 /etc/postfix/sender_reject_addr_check
 badu...@example.com REJECT
 So, badu...@example.com, this email
 address can not send mail via my mail server, It's working well
 
 last week, add another restrictions
 ip must use @example.com as sender address,
 This IP can not use @anotherexample.com
 as sender address. It's can working
 
 The problem is badu...@example.com
 REJECT, the first restrictions can not working, How can I let these
 two restrictions working together, Thanks a lot
 
 TOM


So you have two smtpd_sender_restrictions sections defined in
main.cf and you want to combine them?

Please show your postconf -n output and the main.cf rule that seem
to be missing.



  -- Noel Jones


Re: bad_sender_restrictions and baddomain_restrictions, working together

2013-07-10 Thread Noel Jones
On 7/10/2013 9:30 PM, Feel Zhou wrote:
 Thanks
 firsttime,setting bad user
 
 /etc/postfix/main.cf
 smtpd_sender_restrictions =
 check_sender_access hash:/etc/postfix/sender_reject_addr_check
 /etc/postfix/sender_reject_addr_check
 badu...@example.com REJECT
 
 It's working well, baduser will be reject, after that, setting
 IP_match_domain restrictions
 
 /etc/postfix/main.cf
 smtpd_sender_restrictions =
 check_client_access cidr:/etc/postfix/enforce_ip_match_domain
 smtpd_restriction_classes =
 example
 example = check_sender_access hash:/etc/postfix/example.domain
 reject
 /etc/postfix/enforce_ip_match_domain
 IP   example
 /etc/postfix/example.domain
 example.com   OK
 
 Then this IP can only use @example.com as the
 sender address, but at this time it can not reject badu...@example.com
 sending mail. If I disable
 IP_match_domain restrictions, It's working again. So, I really
 want these two restrictions working together
 
 Thank you very much
 Tom
 


Combine the two, like this:

smtpd_sender_restrictions =
  check_sender_access hash:/etc/postfix/sender_reject_addr_check,
  check_client_access cidr:/etc/postfix/enforce_ip_match_domain




  -- Noel Jones


Re: FIlename of the email

2013-07-08 Thread Noel Jones
On 7/8/2013 2:55 PM, J Gao wrote:
 Hi, All,
 
 When my postfix+courier received/sent an email, it will have a file
 which name like this:
 1373311807.V805I31d1928M179657.zeta.veecall.com,S=1456:2,ST
 
 Can someone explain to me how to understand this name? I mean for
 example like the above one, what is the meaning of 1373311807 and
 V805I31d1928M179657?
 
 In the maillog, postfix use mail ID like C0A3BC258D, is there a
 relation between this ID and the filename?
 
 More interested is the last part of the filename. It seems related
 with the status of the mail. (Read/Unread/..etc.). Can you explain
 more on this?
 
 Thank you for help.
 
 Gao

There is no relation between the postfix queueid and the final
filename used for maildir storage.

For all the mind-numbing details, use your favorite search engine to
look for maildir specification.







Re: smtpd optional authentication and relay

2013-07-05 Thread Noel Jones
On 7/5/2013 9:52 AM, Tom Hendrikx wrote:
 On 07/05/2013 04:07 PM, Viktor Dukhovni wrote:
 On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
 
 Thanks for that explanation. I think I understand the way
 it works now so I modified my restrictions a bit. Does this
 order pass the sniff test?
 
 smtpd_recipient_restrictions = reject_non_fqdn_recipient, 
 reject_non_fqdn_sender, reject_unlisted_recipient,
 
 I'd say that reject_unlisted_recipient will also reject mail to
 offsite recipients, even when it is sent by an authenticated
 sender (since permit_sasl_authenticated is specified later).

Nonsense.  reject_unlisted_recipient does not reject mail offsite.
http://www.postfix.org/postconf.5.html#reject_unlisted_recipient



  -- Noel Jones


Re: smtpd optional authentication and relay

2013-07-04 Thread Noel Jones
On 7/4/2013 7:44 PM, W T Riker wrote:
 On 7/4/2013 8:36 PM, Wietse Venema wrote:
 W T Riker:
 On 7/4/2013 8:01 PM, Wietse Venema wrote:
 gw1500:
 It is not clear from the documentation if this is possible or how to do
 it but I want to make authentication optional but if a user does
 authenticate then I want to permit relaying. Can someone help?
 This is how permit_sasl_authenticated works.

 http://www.postfix.org/SASL_README.html#server_sasl_authz
 Thanks for the reply. I already have that much working. Where I am stuck
 is permitting relaying from authenticated users regardless of host while
 prohibiting everything else.
 I answered the question how to make authentication optional.

 Perhaps someone else can figure out what you mean with permitting
 relaying from authenticated users while prohibiting everything else
 when only seconds ago you asked how to make authentication optional.

  Wietse

 Sorry that I was not clear. With this configuration, will any
 non-authenticated client still be able to deliver mail to a local
 recipient but not be permitted to relay email to non-local recipients?
 

That's the usual way for it to work, but we don't really know what
you mean by this configuration. For a definite answer, we would
need to see your postconf -n settings.



  -- Noel Jones
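Three threads above turn on the same mechanism: a restriction list is walked in order, the first OK or REJECT decides, and a result of "no opinion" moves on to the next entry. Tom's two smtpd_sender_restrictions blocks did not cooperate because main.cf keeps only the last definition of a parameter, so the second block replaced the first instead of adding to it; Noel's combined list fixes that. The reject_unlisted_recipient exchange and the "optional authentication" question are the same walk over smtpd_recipient_restrictions. The following is an added example written for this page, not Postfix code, that models that evaluation with a small restriction interpreter (access(5) key order user@domain, domain, user@; a cidr: client table; a restriction class; permit_mynetworks, permit_sasl_authenticated, reject_unlisted_recipient and reject_unauth_destination) and runs the sessions from those threads through it. All addresses, networks, table names and the local recipient list are placeholders, and the model ignores everything real smtpd does beyond these restrictions.

```python
import ipaddress

# Constructed settings and tables modelled on the threads; every value is a
# placeholder, not a real configuration.
SENDER_REJECT = {"baduser@example.com": "REJECT"}      # hash:/etc/postfix/sender_reject_addr_check
EXAMPLE_DOMAIN = {"example.com": "OK"}                 # hash:/etc/postfix/example.domain
ENFORCE_IP = {"192.0.2.0/24": "example"}               # cidr:/etc/postfix/enforce_ip_match_domain
TABLES = {"SENDER_REJECT": SENDER_REJECT, "EXAMPLE_DOMAIN": EXAMPLE_DOMAIN,
          "ENFORCE_IP": ENFORCE_IP}
CLASSES = {"example": ["check_sender_access:EXAMPLE_DOMAIN", "reject"]}  # smtpd_restriction_classes
MYNETWORKS = ["127.0.0.0/8", "203.0.113.0/24"]
MYDESTINATION = {"example.com"}
LOCAL_RECIPIENTS = {"alice@example.com", "postmaster@example.com"}      # local_recipient_maps

SENDER_RESTRICTIONS = ["check_sender_access:SENDER_REJECT",             # Noel's combined list
                       "check_client_access:ENFORCE_IP"]
RECIPIENT_RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                          "reject_unlisted_recipient", "reject_unauth_destination"]


def session(client, sender, recipient, sasl=False):
    return {"client": client, "sender": sender, "recipient": recipient, "sasl": sasl}


def access_keys(address):
    """access(5) lookup order for an address: user@domain, domain, user@."""
    user, _, domain = address.lower().rpartition("@")
    return [f"{user}@{domain}", domain, f"{user}@"]


def table_lookup(table, keys):
    for key in keys:
        if key in table:
            return table[key]
    return "DUNNO"


def cidr_lookup(table, ip):
    addr = ipaddress.ip_address(ip)
    for net, result in table.items():
        if addr in ipaddress.ip_network(net):
            return result
    return "DUNNO"


def apply(restriction, s):
    """Evaluate one restriction: OK, REJECT or DUNNO (no opinion)."""
    name, _, arg = restriction.partition(":")
    domain = s["recipient"].lower().rpartition("@")[2]
    if name == "permit":
        return "OK"
    if name == "reject":
        return "REJECT"
    if name == "permit_mynetworks":
        return cidr_lookup(dict.fromkeys(MYNETWORKS, "OK"), s["client"])
    if name == "permit_sasl_authenticated":
        return "OK" if s["sasl"] else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if domain in MYDESTINATION else "REJECT"
    if name == "reject_unlisted_recipient":
        # Only recipients in this server's own domains are checked against the
        # recipient maps; an off-site recipient gets DUNNO, never REJECT.
        if domain in MYDESTINATION and s["recipient"].lower() not in LOCAL_RECIPIENTS:
            return "REJECT"
        return "DUNNO"
    if name == "check_sender_access":
        result = table_lookup(TABLES[arg], access_keys(s["sender"]))
    elif name == "check_client_access":
        result = cidr_lookup(TABLES[arg], s["client"])
    else:
        raise ValueError("unknown restriction " + restriction)
    if result in CLASSES:            # the lookup result names a restriction class
        return evaluate(CLASSES[result], s)
    return result


def evaluate(restrictions, s):
    """Walk a list in order; the first OK or REJECT ends it, DUNNO moves on.
    Falling off the end yields DUNNO."""
    for r in restrictions:
        verdict = apply(r, s)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"


def decide(restrictions, s):
    """Top-level verdict: a list that ends without an opinion permits."""
    verdict = evaluate(restrictions, s)
    return "OK" if verdict == "DUNNO" else verdict


if __name__ == "__main__":
    ip = "192.0.2.10"
    for who in ("baduser@example.com", "gooduser@example.com", "gooduser@other.org"):
        print("MAIL FROM", who, "from", ip, "->", decide(SENDER_RESTRICTIONS, session(ip, who, "x@y")))
    remote = "198.51.100.5"
    for rcpt, sasl in (("alice@example.com", False), ("bob@example.com", False),
                       ("someone@remote.example", False), ("someone@remote.example", True)):
        print("RCPT TO", rcpt, "sasl" if sasl else "anon", "->",
              decide(RECIPIENT_RESTRICTIONS, session(remote, "a@b", rcpt, sasl)))
```

Running only the second of Tom's lists, ["check_client_access:ENFORCE_IP"], lets baduser@example.com through, which is the symptom he described; the combined list rejects the bad user first and then applies the per-IP domain rule. On the recipient side, an unauthenticated remote client reaches a listed local mailbox, an unlisted local address is rejected by reject_unlisted_recipient, an off-site recipient is rejected by reject_unauth_destination rather than by reject_unlisted_recipient, and the same off-site recipient is permitted once the client has authenticated.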


Re: Modify subject based on recipient

2013-07-01 Thread Noel Jones
On 7/1/2013 1:09 PM, Daniel L. Miller wrote:
 On 6/28/2013 4:34 PM, Noel Jones wrote:
 On 6/28/2013 5:39 PM, Daniel L. Miller wrote:
 Does anyone know of a tool that will let me modify the subject line
 of all emails that pass through it?  I would call it via a transport
 map.

 My application - we just switched to a new email-to-fax service.  As
 part of their security implementation (THEIRS, not mine!) they
 require all emails sent to them to contain our own fax number.  I
 want to automate this step so I don't have to hear from my users.


 http://www.postfix.org/postconf.5.html#smtp_header_checks

 Add this to master.cf something like this:
 (or if you already use a custom master.cf transport, add the -o
 override to that entry)

 # master.cf
 # fax_service is a copy of the smtp...smtp transport
 fax_service ... smtp
-o smtp_header_checks=pcre:/etc/postfix/smtp_fax_header

 # smtp_fax_header
 /^Subject: / REPLACE Subject: fax from 555-1212

 
 That ALMOST works - thanks!  The problem - I have to have SOMETHING
 in the subject otherwise it doesn't happen with this matching rule.
 Is it possible to ADD a Subject: header when none is present?
 


Postfix header_checks cannot detect a missing header.  To add a
Subject: header when it's missing requires a milter or content
filter of some type.

Since this isn't real email, it might be sufficient to always add a
Subject header, even if one already exists.  And maybe throw away
the existing Subject too.

I'm pretty sure postfix will only add one header, despite this rule
matching multiple headers. If it does add multiple headers, you can
try matching /^Message-ID: / or /^From: /, but those aren't required
headers either and may not always be present (or just ignore the
ugliness -- multiple identical Subject: headers probably won't break
anything).

Order doesn't matter here, header_checks won't delete a header added
by itself.

# smtp_fax_header
# delete existing subject line, if any
/^Subject: /  IGNORE
# add a subject line
/^/  PREPEND Subject: fax from ..




  -- Noel Jones
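Noel's two rule sets can be tried on a header block without a Postfix instance. The following added example (not code from the thread or from Postfix) models header_checks the way the manual describes it, each header line tested against the rules in order with the first match winning, supports REPLACE, IGNORE and PREPEND, and runs both rule sets over two constructed messages, one with and one without a Subject. The headers and the fax number are placeholders. In this model PREPEND fires for every header line that /^/ matches, which is the several-Subject outcome Noel allows for; the model does not settle whether Postfix collapses them, it only shows what the rules say.

```python
import re

# Constructed messages (not from the thread): the same headers with and
# without a Subject line.
WITH_SUBJECT = ["From: alice@example.com", "To: fax@example.net",
                "Subject: quarterly report", "Message-ID: <1@example.com>"]
NO_SUBJECT = ["From: alice@example.com", "To: fax@example.net",
              "Message-ID: <1@example.com>"]

# pcre: tables as (pattern, action, text). pcre tables match case-insensitively
# unless a flag says otherwise, so the model uses re.IGNORECASE.
REPLACE_RULES = [(r"^Subject: ", "REPLACE", "Subject: fax from 555-1212")]
IGNORE_PREPEND_RULES = [(r"^Subject: ", "IGNORE", ""),
                        (r"^", "PREPEND", "Subject: fax from 555-1212")]


def apply_header_checks(headers, rules):
    """Model of header_checks: each header line is tested against the rules in
    order and the first match decides that line; later rules are not consulted
    for it. REPLACE substitutes the text, IGNORE drops the line, PREPEND emits
    the text before the unchanged line, DUNNO keeps it. Text emitted by PREPEND
    is not fed back through the rules, so a prepended Subject survives IGNORE."""
    out = []
    for line in headers:
        for pattern, action, text in rules:
            if not re.search(pattern, line, re.IGNORECASE):
                continue
            if action == "REPLACE":
                out.append(text)
            elif action == "IGNORE":
                pass
            elif action == "PREPEND":
                out.extend([text, line])
            elif action == "DUNNO":
                out.append(line)
            else:
                raise ValueError("unsupported action " + action)
            break
        else:
            out.append(line)          # no rule matched: header passes untouched
    return out


def subjects(headers):
    """The Subject lines present after the rules have run."""
    return [h for h in headers if h.lower().startswith("subject:")]


if __name__ == "__main__":
    for name, msg in (("with subject", WITH_SUBJECT), ("no subject", NO_SUBJECT)):
        print(name, "REPLACE ->", subjects(apply_header_checks(msg, REPLACE_RULES)))
        print(name, "IGNORE+PREPEND ->", subjects(apply_header_checks(msg, IGNORE_PREPEND_RULES)))
```

The REPLACE rule leaves the Subject-less message untouched, which is the behaviour Daniel ran into; the IGNORE plus PREPEND pair adds a Subject in both cases, and in this per-line model it adds one per surviving header, so the count of Subject lines is the thing to check before deciding, as Noel does, that the duplicates are harmless for a fax gateway.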

